INTRODUCTION
Service providers who want to capture emerging markets for scalable, applications-aware, and
cost-effective business-grade virtual private network (VPN) services need highly secure, highly
available, reliable, and quality-of-service-aware networks. These networks must scale to support
thousands of VPNs and hundreds of thousands of users, along with millions of Internet users.
They also must be capable of meeting a wide range of customer requirements, including security,
quality of service (QoS), and any-to-any connectivity. They must offer fully managed services to
attract new customers and provide a foundation for delivering a range of emerging value-added
services. Multiprotocol Label Switching (MPLS) rapidly emerged as a core technology for next-
generation networks, in particular, optical networks. MPLS-based VPNs provide the flexible
connectivity and scalability of IP with the privacy and QoS of Frame Relay and ATM. MPLS allows
network services to be delivered over routed networks. Service decisions are made at the network
edge and switched without requiring intermediate preprocessing, providing higher efficiency and
scalability. MPLS-based VPNs also eliminate complex protocol and addressing translations
previously required with Frame Relay and ATM.
MPLS-based VPNs allow service providers to serve a much more diverse base of small and
medium-sized businesses because they save customers from the complexity and the costs of network
operation, administration, and maintenance. Rather than setting up and managing individual point-
to-point circuits between each office, businesses need to provide only one connection from their
office router to a service-provider edge router. The service-provider edge router labels the packets
and routes them through its MPLS core to the edge router closest to the destination. With these
technologies, service providers can now offer customers VPNs with multiple business priorities,
managed Internet, intranet, and extranet, packet telephony, and Web hosting without the complexity
that these applications previously required to expand service offerings and generate additional
revenue. This white paper explores how MPLS-based VPN technology works and outlines how
service providers can build VPNs using core and edge routing solutions such as the Cisco 12000
and 7500 Series Internet routers.
VPNs based on Cisco MPLS technology can scale to support tens of thousands of business-quality
VPNs over the same infrastructure. MPLS-based VPN services solve peer adjacency and scalability
issues common to large virtual-circuit (VC) and IP tunnel topologies. Complex permanent virtual
circuit/switched virtual circuit (PVC/SVC) meshes are no longer needed, and providers can use
new, sophisticated traffic-engineering methods to select predetermined paths to sell premium IP
QoS applications and services.
As Internet traffic continues to increase, users are demanding greater speeds and better services. Established and emerging
service providers can address the challenge of seamlessly scaling their IP infrastructure while eliminating barriers to
profitability by deploying Cisco 12000 series Internet routers that increase their value as network requirements grow. Service
providers have tested Cisco MPLS technology extensively on Cisco 12000 series Internet routers and the 7500 series routers,
and they have found these routers to offer the best technology for deploying advanced network services today.
The Cisco 12000 series is the premier platform for IP networking because of its superior distributed system architecture,
which delivers:
• Highest bandwidth scalability—With a dedicated forwarding engine per line card, the Cisco 12000 series offers the
industry’s greatest total system capacity, delivers consistent forwarding performance in increasingly complex Internet
routing environments, and is the only 10 Gbps platform that delivers line-rate performance in a fully loaded system.
• Guaranteed priority packet delivery—The Cisco 12000 series is the only system that delivers priority-based congestion
control, dedicated low-latency queuing, and packet sequence integrity under all conditions required by premium services
such as voice over IP and streaming media.
• Reduced network operations costs—The Cisco 12000 series offers non-service-impacting component insertion and
removal, the only integrated element manager, and the industry’s best investment protection. In addition, the high capacity
of the Cisco 12000 series reduces routing complexity, thus improving point-of-presence (POP) scalability by a factor of 2.
MARKET OVERVIEW
Today, service providers generate a large portion of their revenue from basic transport services such as leased line, Frame
Relay, ATM, and basic connectivity services. However, with margins coming down for these services, they’re looking to
deliver new IP-based services that can generate long-term revenue. VPN-based services that provide connectivity between
groups of users across public and shared infrastructure offer a significant opportunity. VPNs can enable them to meet customer
requirements for any-to-any connectivity, multiple service classes, low-cost managed services, privacy, and seamless
integration with customer intranets/extranets. Grouping of users into intranets and extranets can be done via VPNs.
The Yankee Group predicts that VPNs will be used by 70 percent of all companies for up to 90 percent of their data
communication needs by 2004. This represents a huge revenue opportunity for service providers. They can now move to a
value-added “revenue-generating” service model. Service providers recognize they must differentiate themselves at the
service level instead of the transport level in order to capture this market. This fundamental shift in strategy gives service
providers opportunities for continued growth, increased profitability, and service efficiency.
VPNs also provide a solution that enables service providers to offer VPN services that scale to large numbers of customers.
In addition, these VPN services can be offered to customers with little or no IP routing expertise.
VPNs also impact the bottom line. They are less expensive to operate than private networks from a management, bandwidth,
and capital perspective. Moreover, the payback period for VPN equipment is generally measured in months as opposed to
years. Perhaps the most important benefit of VPNs is in enabling enterprises to focus on their core business objectives instead
of running the corporate network.
A VPN is a set of sites that can communicate with each other and belong to a closed user group. A VPN is defined by a set of
administrative policies. These policies determine both connectivity and QoS among sites. The policies established by VPN
customers can now be implemented completely by VPN service providers using Border Gateway Protocol (BGP)/MPLS VPN
mechanisms to connect remote and branch offices to the central site. As the term suggests, this solution is based on a
combination of two technologies, BGP and MPLS. VPN customers can migrate to a flexible inter-site connectivity ranging
from complete to partial mesh. These sites may be either within the same (intranet) or in different (extranet) organizations.
VPN customers can also be in more than one VPN and may overlap. Not all sites have to be connected to the same service-
provider VPN. A VPN can span multiple service providers.
[Figure 1: sites belonging to VPN A, VPN B, and VPN C attached to a shared service-provider network.]
Generic routing encapsulation (GRE) and IP Security (IPSec) tunnels can be used as an alternative to leased-line or enterprise-
owned Frame Relay/ATM networks to interconnect routers. However, since GRE and IPSec tunnels act only as
mechanisms to provide point-to-point connectivity among routers, the overall model is unchanged, along with all the problems
associated with the overlay model. The use of GRE and IPSec tunnels for this application has inherent scalability problems.
MPLS-based VPNs instead use the peer model and Layer 3 connectionless architecture to take advantage of a highly scalable
VPN solution. The peer model requires a customer site to “peer” with only one PE router, as opposed to all other CPE or
customer edge (CE) routers in the same VPN. The connectionless architecture allows the creation of VPNs in Layer 3,
eliminating the need for tunnels or VCs, as shown in Figure 2.
[Figure 2: MPLS VPN network. CE routers CEA1, CEA2, CEA3 (VPN A, Sites 1 to 3) and CEB1, CEB2, CEB3 (VPN B, Sites 1 to 3) attach to PE routers PE1, PE2, PE3; P routers P1, P2, P3 form the MPLS core. Site prefixes shown are 10.1/16, 10.2/16, 10.3/16, and 10.4/16, with 10.1/16 and 10.2/16 each appearing twice.]
MPLS VPN Network Architecture
The components that make up an MPLS VPN network are shown in Figure 3. At the edges
of the network are CE routers. CE routers are part of the customer network and are not VPN aware. PE routers are where most
VPN-specific configuration and processing occurs. PE routers receive routes from CE routers and transport them to other PE
routers across a service-provider MPLS backbone. In the middle of the network are provider (P) routers, or label switch routers
(LSRs), which implement a pure Layer 3 MPLS transport service. An important point to note is that P routers in the backbone
are not VPN aware and, therefore, provide much more scalability. Hence, P routers do not have to carry customer routes,
preventing routing tables in P routers from becoming unmanageable. VPN information is required only at PE routers, and it
can be partitioned between PE routers. PE routers need to know VPN routing information only for VPNs in which there are
direct connections.
• VPN route target communities—A VPN route target community is a list of all other members of a VPN community. VPN
route targets need to be configured for each VPN community member.
• Multiprotocol BGP (MP-BGP) peering of VPN community PE routers—MP-BGP propagates VRF reachability
information to all members of a VPN community. MP-BGP peering needs to be configured in all PE routers within a VPN
community.
• MPLS forwarding—MPLS transports all traffic between all VPN community members across a VPN service-provider
network.
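The route-target and MP-BGP behaviour described above, as an added simulation that is not code from the white paper or from Cisco: each PE router holds one VRF per attached VPN, a VRF exports its customer routes tagged with its export route targets, MP-BGP carries them to every other PE, and a receiving VRF imports only routes that carry one of its import route targets. Router names, prefixes, and route-target values are constructed; the topology follows Figure 2, where VPN A and VPN B reuse the same address space without their routes ever mixing.

```python
# Added simulation (not from the white paper) of how VPN route targets and
# MP-BGP keep customer routes isolated between VRFs on PE routers.
from dataclasses import dataclass, field

@dataclass
class Vrf:
    name: str
    export_rts: frozenset      # route targets attached to exported routes
    import_rts: frozenset      # route targets this VRF accepts
    local: set = field(default_factory=set)    # prefixes from the attached CE
    table: dict = field(default_factory=dict)  # imported prefix -> next-hop PE

class PE:
    def __init__(self, name):
        self.name, self.vrfs = name, {}

    def export(self):
        # MP-BGP advertisements as (prefix, next-hop PE, export RTs) tuples
        return [(p, self.name, v.export_rts)
                for v in self.vrfs.values() for p in v.local]

    def import_routes(self, adverts):
        # A VRF accepts only routes carrying at least one of its import RTs
        for v in self.vrfs.values():
            for prefix, next_hop, rts in adverts:
                if prefix not in v.local and rts & v.import_rts:
                    v.table[prefix] = next_hop

def distribute(pes):
    # Full MP-BGP mesh among PEs. P routers are not modelled: they only need
    # a label-switched path to each PE and never carry a customer prefix.
    adverts = [r for pe in pes for r in pe.export()]
    for pe in pes:
        pe.import_routes(adverts)
    return adverts

def build_example():
    # Constructed topology after Figure 2: VPN A and VPN B both reuse
    # 10.1/16 and 10.2/16, yet neither VRF ever learns the other's routes.
    # Router names, prefixes and RT values are made up for the example.
    rt = {"A": frozenset({"65000:100"}), "B": frozenset({"65000:200"})}
    sites = {"PE1": {"A": "10.1.0.0/16", "B": "10.1.0.0/16"},
             "PE2": {"A": "10.2.0.0/16", "B": "10.2.0.0/16"},
             "PE3": {"A": "10.3.0.0/16", "B": "10.4.0.0/16"}}
    pes = [PE(n) for n in sites]
    for pe in pes:
        for vpn, prefix in sites[pe.name].items():
            pe.vrfs[vpn] = Vrf(vpn, rt[vpn], rt[vpn], {prefix})
    distribute(pes)
    return {pe.name: {v.name: dict(v.table) for v in pe.vrfs.values()} for pe in pes}
```

A VRF whose import set includes both route targets would model the extranet case the paper mentions, at the cost of requiring non-overlapping customer address space.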
By deploying MPLS, the core is effectively transformed into an interface-agnostic layer, a generic IP core that can support
any mix of interfaces. Traffic entering the Internet exchange from different parts of the world can be switched over an MPLS
path using IP-oriented Packet-over-SONET (POS) interfaces of the service-provider network.
The Cisco VPN Solutions Center is a tool that provides management functions to support MPLS VPN services. The objective
is to provide lower-layer service-management functions specified in the TeleManagement Forum (TMF) Telecom Operation
Process Model.
The Cisco IP Solution Center (ISC) helps service providers improve their time to deploy services, enable error-free
deployment, and reduce operations costs associated with providing VPN services. The Cisco ISC provides:
• Elimination of the need for expert involvement in service creation and configuration
PROVISIONING
The Cisco ISC can provision an MPLS VPN by configuring the PE-to-CE link. It includes the following provisioning features:
• Automatic generation of the PE and CE configurations required to add a new MPLS/VPN service
Conclusion
Cisco continues to build on its technical leadership in high-end Internet routing by developing innovative technologies
such as MPLS lambda switching (MPλS) and the very short reach (VSR-1) optical interface. The Cisco 12000 Series Internet
routers are based on a unique distributed architecture that supports the scalability and service requirements for next-generation
Internet infrastructure and provides extensive hardware and software support for building MPLS-based VPNs. The Cisco 12410
and 12416 are the two highest-capacity Internet routers available at 200 and 320 Gbps, respectively, and they deliver an industry-
leading 25 million packets per second (Mpps) lookup performance per line card slot for both IP forwarding and MPLS switching.
The industry’s most scalable routers and comprehensive MPLS-based VPN capabilities enable service providers to build powerful
next-generation networks and deliver competitive VPN services to grow new revenue.
All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved.