MPLS multi-domain services: MD-VPN service - TERENA (slide transcript)
connect • communicate • collaborate
MPLS multi-domain services
MD-VPN service
Xavier Jeannin, RENATER
Tomasz Szewczyk / PSNC
Training and Workshops for advancing NRENs
8-11 Sept 2014
Chisinau, Moldova
MPLS brief overview
• Original purpose: avoid the complex and slow IP lookup in the router
• Routing by label
– Forwarding based on the label
– Label distribution (LDP, MP-BGP, CR-LDP, RSVP-TE)
– Push, Pop, Swap
– Build a Label Switched Path (LSP)
MPLS overview
• Topology
– P = Provider router (core) – switches on labels only
– PE = Provider Edge router – delivers the service to end users (IPv4, IPv6, L2VPN, L3VPN)
– CE = Customer Edge router
• MPLS services
– Transport of IPv4 and IPv6
– VPN: L3VPN, L2VPN Point-to-Point, L2VPN Multi-Point (VPLS)
– Traffic Engineering: path selection, QoS, path protection, Fast-ReRoute
MPLS VPN overview
• Double labelling – the VPN label is added beneath the standard (transport) label
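The two slides above name the MPLS operations (push, swap, pop along an LSP) and the double labelling of an MPLS VPN, but do not show them in action. The following is an added example, not code from the slides or from the GÉANT/NREN projects: a toy forwarding plane in Python in which an ingress PE does the single IP lookup in a VRF and pushes a VPN label plus a transport label, P routers swap or pop the transport label only, and the egress PE selects the VRF from the VPN label alone. Router names, label values and the 10.1.0.0/16 prefix are constructed; the VRF names ASTRO and BIO are taken from the detailed-design slide later in the deck.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    dst_ip: str
    labels: List[int] = field(default_factory=list)   # labels[-1] is the top of the stack


@dataclass
class Router:
    name: str
    # LFIB of a P router: incoming top label -> (action, outgoing label or None, next hop)
    lfib: Dict[int, Tuple[str, Optional[int], str]] = field(default_factory=dict)
    # Ingress PE: VRF prefix -> (VPN label, transport label, next hop)
    vrf_fib: Dict[str, Tuple[int, int, str]] = field(default_factory=dict)
    # Egress PE: locally allocated VPN label -> VRF it belongs to
    vpn_labels: Dict[int, str] = field(default_factory=dict)

    def vrf_lookup(self, dst_ip: str) -> Tuple[int, int, str]:
        """Longest-prefix match in the VRF: the single IP lookup of the whole path."""
        addr, best = ipaddress.ip_address(dst_ip), None
        for prefix, entry in self.vrf_fib.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, entry)
        if best is None:
            raise KeyError(f"{self.name}: {dst_ip} not in VRF, packet dropped")
        return best[1]

    def process(self, pkt: Packet) -> Tuple[Optional[str], str]:
        """Apply this router's MPLS operation; return (next hop or None, log line)."""
        if not pkt.labels:
            vpn_label, transport_label, nh = self.vrf_lookup(pkt.dst_ip)
            # VPN label goes on first (bottom), transport label on top of it
            pkt.labels += [vpn_label, transport_label]
            return nh, f"{self.name}: push VPN {vpn_label}, push transport {transport_label}"
        top = pkt.labels[-1]
        if top in self.lfib:
            action, out_label, nh = self.lfib[top]
            if action == "swap":
                pkt.labels[-1] = out_label
                return nh, f"{self.name}: swap {top}->{out_label}"
            if action == "pop":   # penultimate hop popping of the transport label
                pkt.labels.pop()
                return nh, f"{self.name}: pop {top}"
        if top in self.vpn_labels:
            # Egress PE: the VPN label alone selects the VRF; the customer address is never
            # looked up in the global table, which is what keeps one VPN out of another
            vrf = self.vpn_labels[top]
            pkt.labels.pop()
            return None, f"{self.name}: pop VPN {top}, deliver in VRF {vrf} to {pkt.dst_ip}"
        raise KeyError(f"{self.name}: unknown label {top}, packet dropped")


def build_topology() -> Dict[str, Router]:
    """Constructed chain PE1 -> P1 -> P2 -> PE2; every label value is made up."""
    pe1 = Router("PE1", vrf_fib={"10.1.0.0/16": (700, 100, "P1")})
    p1 = Router("P1", lfib={100: ("swap", 200, "P2")})
    p2 = Router("P2", lfib={200: ("pop", None, "PE2")})          # PHP: PE2 sees only the VPN label
    pe2 = Router("PE2", vpn_labels={700: "ASTRO", 701: "BIO"})   # VRF names as on the slides
    return {r.name: r for r in (pe1, p1, p2, pe2)}


def forward(routers: Dict[str, Router], pkt: Packet, ingress: str) -> Tuple[List[str], List[int]]:
    """Walk the packet hop by hop; return the per-hop log and the deepest label stack seen."""
    log, deepest, node = [], [], ingress
    while node is not None:
        nh, line = routers[node].process(pkt)
        log.append(line)
        if len(pkt.labels) > len(deepest):
            deepest = list(pkt.labels)
        node = nh
    return log, deepest


def is_dropped(router: Router, pkt: Packet) -> bool:
    """True when the router has no entry for the packet: no silent delivery into some VRF."""
    try:
        router.process(pkt)
        return False
    except KeyError:
        return True


if __name__ == "__main__":
    net = build_topology()
    for line in forward(net, Packet("10.1.2.3"), "PE1")[0]:
        print(line)
```

Running it prints one line per hop; the stack is deepest right after the ingress PE, and the core routers never touch the VPN label. The two `is_dropped` cases matter to an operator: a label the egress PE never allocated, or an address absent from the VRF, is discarded rather than resolved in another table.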
MPLS VPN overview
L3VPN examples
Point-to-Point L2VPN over MPLS
PseudoWire Reference Model over MPLS
• The pseudowire can emulate several services, among them Ethernet and 802.1Q (VLAN) services
Reference: http://www.sanog.org/resources/sanog7/waris-l2vpn-tutorial.pdf
VPLS overview
• A multi-point L2 VPN service
– Architecture built on MPLS networks to provide Layer 2 multi-point Ethernet services
– Emulates an Ethernet bridge
– Forwards on MAC addresses: MAC address learning, flooding, and a MAC Forwarding Information Base called the VSI (Virtual Switching Instance)
• Technical simplification
– Based on a full mesh of pseudowires (hierarchical VPLS is another architecture that does not require a full mesh)
– Split-horizon to avoid loops: frames received on a pseudowire are not forwarded onto other pseudowires
– Pseudowire signalling can be achieved with LDP or MP-BGP
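To make the VSI behaviour on this slide concrete, here is an added example (not code from the slides or from any vendor's VPLS implementation): a Python model of one VSI per PE with source-MAC learning, flooding of unknown destinations, and the split-horizon rule over a constructed full mesh of three PEs. The simulation shows why the rule exists: with split-horizon an unknown-unicast frame reaches every PE exactly once; without it the same frame keeps circulating between the pseudowires and the MAC table flaps. PE names, port names and MAC addresses are all constructed.

```python
from collections import Counter, deque
from typing import Dict, List, Tuple

PES = ("PE1", "PE2", "PE3")   # constructed: three PEs joined by a full mesh of pseudowires


class VSI:
    """One Virtual Switching Instance: a bridge whose ports are the local access
    circuits plus one pseudowire ('pw:<remote PE>') towards every other PE."""

    def __init__(self, pe: str, access_ports: List[str], split_horizon: bool):
        self.pe = pe
        self.access_ports = access_ports
        self.pseudowires = [f"pw:{r}" for r in PES if r != pe]
        self.split_horizon = split_horizon
        self.mac_table: Dict[str, str] = {}      # MAC -> port it was learnt on

    def forward(self, in_port: str, src_mac: str, dst_mac: str) -> List[str]:
        """Bridge one frame; return the list of ports it is sent out of."""
        self.mac_table[src_mac] = in_port        # source MAC learning
        if dst_mac in self.mac_table:            # known unicast: a single port
            out = self.mac_table[dst_mac]
            return [] if out == in_port else [out]
        # unknown destination: flood to every port except the one it came from ...
        targets = [p for p in self.access_ports if p != in_port]
        # ... and, with split-horizon, never from one pseudowire onto another: the
        # full mesh already guarantees every PE got its own copy from the source PE
        if not (self.split_horizon and in_port.startswith("pw:")):
            targets += [p for p in self.pseudowires if p != in_port]
        return targets


def build_vsis(split_horizon: bool) -> Dict[str, VSI]:
    return {pe: VSI(pe, [f"ce-{pe.lower()}"], split_horizon) for pe in PES}


def simulate_flood(vsis: Dict[str, VSI], max_events: int = 50) -> Tuple[Dict[str, int], int]:
    """Inject one unknown-unicast frame at PE1's access port and let it propagate over the
    pseudowires. Returns (copies each PE processed, number of bridging events); the cap
    on events is the only thing that stops the loop in the no-split-horizon case."""
    queue = deque([("PE1", "ce-pe1", "aa:aa", "ff:ff")])   # constructed frame: known src, unknown dst
    copies, events = Counter(), 0
    while queue and events < max_events:
        pe, in_port, src, dst = queue.popleft()
        events += 1
        copies[pe] += 1
        for out in vsis[pe].forward(in_port, src, dst):
            if out.startswith("pw:"):
                queue.append((out[3:], f"pw:{pe}", src, dst))
    return dict(copies), events


def reply(vsis: Dict[str, VSI]) -> Tuple[List[str], List[str]]:
    """After the flood, a reply from PE2's site to aa:aa is known unicast at every hop."""
    at_pe2 = vsis["PE2"].forward("ce-pe2", "bb:bb", "aa:aa")    # -> ["pw:PE1"]
    at_pe1 = vsis["PE1"].forward("pw:PE2", "bb:bb", "aa:aa")    # -> ["ce-pe1"]
    return at_pe2, at_pe1


if __name__ == "__main__":
    for sh in (True, False):
        print("split-horizon", sh, simulate_flood(build_vsis(sh)))
```

The event cap is a safety net for the simulation only; in a real VSI a loop like the second run shows up as broadcast storms and MAC moves between pseudowire ports, which is what the split-horizon rule prevents in a full mesh.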
MPLS and MD-VPN Deployment
• Widely deployed in European NRENs
– In the beginning MPLS targeted the core of the backbone; now "small MPLS switches" are positioned close to the end users in order to extend the service up to the end client
• Multi-AS backbone
– Inter-AS options A, B and C (RFC 4364)
• MD-VPN aims to extend the MPLS-VPN service over multiple domains using a hierarchical design
• MD-VPN aims to offer the European scientific community a bundle of new network services (L2-L3 VPN) that are easy and quick to access
GÉANT VPN services
• GÉANT IP
• GÉANT L3VPN
• GÉANT Plus
• GÉANT Lambda
• GÉANT Open
• GÉANT MDVPN
• GÉANT Bandwidth-on-Demand
MD-VPN provides a seamless, scalable transport infrastructure
• A joint service provided by the GÉANT network and NRENs
• A seamless transport infrastructure for point-to-point or multipoint transmission:
– Multi-domain networking
– Layer 3 or Layer 2 VPNs spanning several domains
[Diagram: service stack – L3VPN, MP L2VPN and P2P L2VPN over IPv4/IPv6]
[Image credit: http://www.scottcochrane.com]
What is MD-VPN?
• MD-VPN is based on well-known and proven technology
– Available right now in almost all boxes
– MPLS and BGP protocols
– No hardware investment required – only a small piece of configuration is needed
• High scalability
– Hierarchical architecture
– Independent signalling for transport paths and services
– The total number of provisioned VPNs has no impact on the GEANT and NREN cores
– VPNs are multiplexed in the core, so the service is provisioned only on the edge routers
– OPEX reduction for GEANT and NRENs
– No CAPEX investment
– Service lead time dramatically reduced
What is MD-VPN?
• Added-value service for end-users
– Dedicated virtual network
– Safe infrastructure
– Security OPEX saved on site
– No firewall needed
[Diagram: Sites A, B and C joined by a Safe Inter-university Research and Educational Network (S.I.R.E.N)]
MD-VPN service: highly scalable, seamless transport infrastructure
[Diagram: VPN multiplexing – configure only at the edge, configure only once; an end-to-end extensible and flexible service; high scalability; lead-time reduced; reduced OPEX]
MDVPN technical principle overview
• Underlying principle behind this Multi-Domain VPN technology
– The LSP is extended from a PE up to the remote PE in another domain
– Signalling is split in 2 parts:
– Signalling of the multi-domain MPLS path between PE routers, thanks to a BGP peering with the labelled unicast SAFI (internal route)
– Signalling of the VPN labels and prefix exchange between PE routers (external route), thanks to an external multi-hop BGP VPNv4 family peering
– GEANT implements Carrier of Carriers (CoC), providing transparent transport of VPN traffic (the configuration is close to a simple VRF)
[Diagram: label exchange (BGP) in the MDVPN service for L3VPN and L2VPN (Kompella) – GEANT core with RRs and ABRs; NREN A and NREN B with PEs, SSP and SDP; a VPN proxy; BGP labelled unicast between domains and multi-hop VPNv4 e-BGP between PEs carrying VPN1]
MDVPN technical principle overview
• Reduction of the number of BGP peerings: VPN Route Reflector (VRR)
• P2P L2VPN using LDP (Martini): the labels are exchanged with the LDP protocol
[Diagram: label exchange in the MDVPN service using LDP for L2 VPN services – GEANT core with RRs and ABRs, NREN A and NREN B PEs, VPN Route Reflector, SSP/SDP, VPN1; BGP labelled unicast between domains and targeted LDP between PEs]
Carrier of Carrier / hierarchical VPN
• Transparent transport technology
• Scalability in the core
– Label hierarchy and...
– No MAC learning and/or prefixes for end user traffic
– No VLAN ID negotiations between NRENs and GEANT
Interoperability with non-MPLS domains
• VPN-PROXY
– Provides the ASBR, PE and VPN route exchange features
– Use it if:
– The NREN is not MPLS aware
– You do not want to extend the service (external partner)
[Diagram: GEANT (AS 2995) peers with an NREN (AS 1) that is not MPLS-aware; a logical router ASBR-GEANT acts as VPN-Proxy, playing the role of ASBR + PE + route exchange, with back-to-back connections per VRF (VRF BIO, VRF ASTRO, …); VRR = VPN-Route-Reflector]
Detailed design
[Diagram: GEANT with ASBR-1-GEANT, ASBR-2-GEANT and the VPN-Route-Reflector; NREN-A with RR-NREN-A, ASBR-NREN-A, PE-RENATER and CPE-NREN-A-VPN-ASTRO; NREN B with RR-NREN-B, ASBR-NREN-B, PE-NREN-B and CPE-NREN-B-VPN-ASTRO. Physical connections carry the labelled-unicast peerings; the PEs run multi-hop E-BGP VPNv4 peerings (no next-hop self) via the VPN-Route-Reflector. VRFs: ASTRO RT:22:30, BIO RT:22:32, CoC RT:23:30, md-vpn1 RT:33:10, md-vpn2 RT:13092:17; L2Circuit toward AMRES; L2Circuit PE-RENATER - PE-REMOTE-NREN]
Alternative design
[Diagram: the same GEANT, NREN-A and NREN B routers, peerings and VRFs as in the detailed design]
• The VPN is propagated internally by any other internal means: VLAN, dedicated link, other solutions …
• MPLS is enabled only on the AS Border Router
Intermediate result
• Tests carried out by SA3T3 on the SA3T3 testbed (CISCO, JUNIPER), full mesh of pseudowires topology
• Security investigation
• Availability
– A bug in JunOS on the VPN-Route-Reflector slows down the MD-VPLS roll-out
– Planned to be available at the beginning of GN4
VPLS
Signalling   Autodiscovery   Inter-AS result   Comment
Target-LDP   No              OK                Manual configuration of the full mesh of pseudowires; less scalable
MP-BGP       BGP             OK                Pseudowires automatically established; bug discovered – upgrade – test ongoing
Target-LDP   BGP             OK                Pseudowires automatically established; bug discovered, upgrade version, test ongoing
MD-VPN offers a new way of cooperating
• MD-VPN enables a new way for GÉANT and NRENs to cooperate, which significantly increases network scalability from a service point of view
• A collaboration to manage:
– VPN provisioning
– Monitoring
– Troubleshooting
Ensure Operational Level Agreement commitments are achieved
Deployment Status
• Setting up the pilot phase
– Setting up the GÉANT pilot during 2014
– Feature-proofed on the production infrastructure
– 18 NRENs connected
– 3 NRENs committed to connect
• Pilot generalization phase
– Long-term assessment of service reliability
– Operations implementation
– Roll-out on 22/07/2014
– Service validation period 01/08/2014 – 31/10/2014
• MD-VPN service in the GÉANT portfolio in Q4 of Year 1
Deployment status
A first scientific project: XiFi. XIFI is a project of the European Public-Private-Partnership on Future Internet (FI-PPP) programme
http://infographic.lab.fi-ware.org/status
[Map: NRENs currently connected or nearly connected – GÉANT, NORDUnet, SUnet, DeiC, FUnet, Litnet, HEAnet, FCCN, RENATER, RedIRIS, GARR, DFN, AMRES, PSNC, CESNET, GRNET, BELnet; active and future XiFi L3 VPN sites – TSSG, Sevilla, Malaga, Lannion, Trento, Berlin, Com4Innov, Uni Thessaly, Iminds]
SA3T3 International testbed, 15th June 2013
MD-VPN use cases: a wide scope for MD-VPN use
• All scientific projects based on international collaboration
– LHCONE is an example of a successful multi-domain L3VPN service
– ITER, CONFINE
• Quick P2P connection
– Conference demonstration
– P2P data transport between two sites
• Distributed infrastructure over multiple domains
– Cloud provider
– Grid – HPC centre
– Scientific infrastructure: telescope, sensor network
• …
MD-VPN use cases A wide scope for MD-VPN use
[Diagram: layered view – Users and Innovation above MD-VPN, over optical transport, joined at a User Network Interface]
• MD-VPN as the transparent data transport layer for higher-level network services like SDN, BoD, … and in general for future internet projects
• Education
– Remote lecture
– E-learning
Multi-Domain VPN summary
• An innovative and highly scalable design
– Seamless transport infrastructure
• A bundle of services (IPv4, IPv6, P2P L2VPN, L3VPN) with added value for our users is available now; VPLS is planned to be available during GN4
• An original and useful service, unavailable in commercial NSP portfolios
• Broad European deployment
– 18 connected NRENs, 3 NRENs committed to connect
• A FI-PPP project, XiFi, selected GÉANT's MD-VPN to provide its network infrastructure