ODC010004 MPLS L3 VPN Advanced Application, Issue 1.2
HUAWEI TECHNOLOGIES CO., LTD. All rights reserved www.huawei.com Internal ODC010004 MPLS L3 VPN Advanced Application ISSUE 1.2 PDF created with FinePrint pdfFactory Pro trial version www.pdffactory.com

Upload: randy-dookheran

Post on 23-Oct-2015


DESCRIPTION

L3 VPN Advanced Application

TRANSCRIPT


Wide application of MPLS technologies allows service providers to provide better extended/value-added services. Therefore, the implementation of MPLS functions can help an equipment vendor gain competitive advantages over other vendors.

References

- VRP5 Operation Manual – VPN
- Technical White Paper for Cross-AS Solutions
- Technical White Paper for HoPE
- RFC 2547, RFC 3107

Upon completion of this course, you will be able to:

- Learn about cross-AS MPLS VPN, HoPE, Internet access and multi-role host technologies.
- Understand specifics of the technologies.
- Understand applications of the technologies.

Chapter 1 Cross-AS Solution
Chapter 2 HoPE Solution
Chapter 3 Internet Connection Solution
Chapter 4 Multi-Role Host Technology

Chapter 1 Cross-AS Solution
1.1 Cross-AS Solution
1.2 Carrier's Carrier Solution

Cross-AS MPLS VPN: Origin of cross-AS VPN

- In the technical system of MPLS, an MPLS domain and a routing AS overlap each other. In actual networking, however, an MPLS domain frequently crosses multiple ASs:
  - The carrier defines one province as one AS of the carrier network but needs to provide cross-province MPLS VPN services.
  - Carriers cooperate with each other (especially with international carriers to provide international services).
- To implement these services, cross-AS MPLS VPN solutions must be applied to solve the following two problems:
  - Technical problem: how to distribute VPN-IPv4 routes and VPN labels to another AS.
  - Managerial problem: normally, cross-AS LSPs are not allowed (this is especially important in the case of carrier cooperation).

Cross-AS MPLS VPN: Three Solutions

- Currently three MPLS VPN cross-domain solutions are available:
  - VRF-to-VRF
  - MP-eBGP for VPNv4
  - Multi-Hop MP-eBGP

Cross-AS MPLS VPN: Overview of the Solutions

- Different domains or carriers have different ASs.
- One VPN operates in multiple ASs.

[Figure: VPN-A-1, CE-1, PE-1, ASBR-1, ASBR-2, PE-2, CE-2 and VPN-A-2 across AS #100 and AS #200; the three options are marked as back-to-back VRFs, MP-eBGP for VPNv4 and multi-hop MP-eBGP.]

Cross-AS solution 1: VRF-to-VRF: Overview

- An ASBR considers the peer ASBR its CE, and creates a VRF for each VPN. IP forwarding is applied between the ASBRs and MPLS forwarding is applied within the AS.
- Advantages: Simple; no protocol extension or special configuration is needed and the solution is supported natively; applicable when the number of cross-domain VPNs is small.
- Disadvantages: The ASBR must create a VRF for each VPN. To cross multiple domains, large configuration efforts are needed. The scalability is poor.

[Figure: AS#100 and AS#200 with four PEs, ASBR-1, ASBR-2, VPN1-CE1, VPN1-CE2, VPN2-CE1 and VPN2-CE2; MP-iBGP sessions; path PE, ASBR-1, ASBR-2, PE made of LSP-1 and VPN-LSP1, IP forwarding between the ASBRs, and LSP-2 and VPN-LSP2. Note in figure: one VRF and one logical interface are created for each VPN.]

Cross-AS solution 1: VRF-to-VRF: Distribution of routing information

[Figure: AS#100 and AS#200 with PE-1, PE-2, PE-3, PE-4, ASBR-1, ASBR-2, VPN1-CE1, VPN1-CE2, VPN2-CE1 and VPN2-CE2; MP-iBGP sessions; LSP-1, VPN-LSP1, IP forwarding between the ASBRs, LSP-2, VPN-LSP2.]

Route advertisements shown in the figure:

- BGP, OSPF, RIPv2: 161.10.1.0/24, NH=CE-1
- VPN-v4 update: RD:1:27:161.10.1.0/24, NH=PE-1, RT=100:1, Label=(L1)
- D: 161.10.1.0/24, NH: ASBR-1
- VPN-v4 update: RD:1:27:161.10.1.0/24, NH=ASBR-2, RT=100:1, Label=(L2)
- BGP, OSPF, RIPv2: 161.10.1.0/24, NH=PE-3

Cross-AS solution 1: VRF-to-VRF: Label switching procedure

[Figure: same topology as the previous slide. Note in figure: create a VRF and a logical interface for each VPN.]

Packet formats shown in the figure for destination 161.10.1.1:

- 161.10.1.1 with labels L2 and Lx
- 161.10.1.1 (no label)
- 161.10.1.1 with labels L1 and Ly
- 161.10.1.1 (no label)
- 161.10.1.1 (no label)

Cross-AS Solution 2: MP-eBGP for VPNv4: Overview

- EBGP is used to advertise VPN-IPv4 routes between ASBRs.
- Advantages:
  - No need to create a VRF for each VPN on the ASBR.
  - No need for a cross-domain extension protocol; easy to manage and configure.
- Disadvantages: All VPN routes need to be stored on the ASBR. This imposes high requirements on the router, so the ASBR is more likely to become faulty.

[Figure: AS#100 and AS#200 with four PEs, ASBR-1, ASBR-2, VPN1-CE1, VPN1-CE2, VPN2-CE1 and VPN2-CE2; MP-iBGP sessions inside the ASs and MP-EBGP (VPN-V4) between ASBR-1 and ASBR-2; path PE, ASBR-1, ASBR-2, PE made of LSP-1, LSP-2, VPN-LSP1, VPN-LSP2 and VPN-LSP3.]

Cross-AS Solution 2: MP-eBGP for VPNv4: Distribution of routing information

[Figure: AS#100 and AS#200 with PE-1, PE-2, PE-3, PE-4, ASBR-1, ASBR-2, VPN1-CE1, VPN1-CE2, VPN2-CE1 and VPN2-CE2; MP-iBGP sessions and MP-EBGP (VPN-V4) between the ASBRs; LSP-1, LSP-2, VPN-LSP1, VPN-LSP2, VPN-LSP3.]

Route advertisements shown in the figure:

- BGP, OSPF, RIPv2: 161.10.1.0/24, NH=CE-1
- VPN-v4 update: RD:1:27:161.10.1.0/24, NH=PE-1, RT=100:1, Label=(L1)
- VPN-v4 update: RD:1:27:161.10.1.0/24, NH=PE-ASBR-1, RT=100:1, Label=(L2)
- VPN-v4 update: RD:1:27:161.10.1.0/24, NH=PE-ASBR-2, RT=100:1, Label=(L3)
- BGP, OSPF, RIPv2: 161.10.1.0/24, NH=PE-3

Cross-AS Solution 2: MP-eBGP for VPNv4: Label switching procedure

[Figure: same topology as the previous slide, with MP-iBGP sessions and MP-EBGP (VPN-V4) between the ASBRs.]

Packet formats shown in the figure for destination 161.10.1.1:

- 161.10.1.1 (no label)
- 161.10.1.1 with label L2
- 161.10.1.1 with label L3
- 161.10.1.1 with label L1
- 161.10.1.1 with labels L3 and Lx
- 161.10.1.1 with labels L1 and Ly
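The route re-advertisement and label swaps of the two MP-eBGP for VPNv4 slides above, as an added Python example that is not part of the original course material. The numeric label values, the class and function names, and the rule that an ASBR switches only a label it advertised to the sending peer are assumptions of this example; Lx and Ly stand for the outer LSP labels inside each AS.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    rt: str
    next_hop: str
    label: int


class Asbr:
    """ASBR in the MP-eBGP for VPNv4 design: stores VPNv4 routes, has no VRFs."""

    def __init__(self, name, first_label):
        self.name = name
        self._next_label = count(first_label)
        self.swap_table = {}   # local label -> (outgoing label, next hop)
        self.sent_to = {}      # peer name -> labels advertised to that peer

    def readvertise(self, route, peer):
        """Re-advertise with next hop = self and a freshly allocated label."""
        local = next(self._next_label)
        self.swap_table[local] = (route.label, route.next_hop)
        self.sent_to.setdefault(peer, set()).add(local)
        return Vpnv4Route(route.rd, route.prefix, route.rt, self.name, local)

    def switch(self, peer, label):
        """Swap the VPN label, or return None if `peer` was never given it."""
        if label not in self.sent_to.get(peer, set()):
            return None
        return self.swap_table[label]


def build():
    """Propagate the slide's route PE-1 -> ASBR-1 -> ASBR-2 -> PE-3."""
    asbr1, asbr2 = Asbr("ASBR-1", 2000), Asbr("ASBR-2", 3000)
    at_pe1 = Vpnv4Route("1:27", "161.10.1.0/24", "100:1", "PE-1", 1000)  # L1
    at_asbr2 = asbr1.readvertise(at_pe1, peer="ASBR-2")                   # L2
    at_pe3 = asbr2.readvertise(at_asbr2, peer="PE-3")                     # L3
    return asbr1, asbr2, [at_pe1, at_asbr2, at_pe3]


def forward(asbr1, asbr2, l3, link_label=None):
    """Trace the label stack of a packet to 161.10.1.1 sent from PE-3.

    link_label overrides the label seen on the inter-AS link, to model a
    labeled packet carrying a label ASBR-1 never advertised to ASBR-2.
    """
    trace = [("PE-3", ["Lx", l3])]          # outer LSP label + VPN label
    hop = asbr2.switch("PE-3", l3)
    if hop is None:
        return trace + [("ASBR-2", "drop")]
    l2, _ = hop
    on_link = l2 if link_label is None else link_label
    trace.append(("ASBR-2", [on_link]))     # a single label between the ASBRs
    hop = asbr1.switch("ASBR-2", on_link)
    if hop is None:
        return trace + [("ASBR-1", "drop")]
    l1, egress = hop
    trace.append(("ASBR-1", ["Ly", l1]))    # new outer LSP label in AS#100
    trace.append((egress, []))              # PE-1 pops L1 and does the VRF lookup
    return trace


if __name__ == "__main__":
    a1, a2, routes = build()
    for r in routes:
        print(r)
    for hop in forward(a1, a2, routes[-1].label):
        print(hop)
    print(forward(a1, a2, routes[-1].label, link_label=2999)[-1])
```

The last call shows the inter-AS link as a trust boundary: a label that ASBR-1 did not hand to ASBR-2 is dropped instead of being looked up.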

Cross-AS Solution 3: Multi-Hop eBGP: Overview

- Establish an MP-EBGP peer relationship between PEs and distribute VPN-IPv4 routes over this connection.
- Advantages:
  - This is the optimal solution because it meets the structural requirements of MPLS VPN. Only the PE knows the VPN routing information. The P is only concerned with forwarding packets.
  - The advantage is more notable when a VPN crosses multiple ASs. This solution also supports load sharing.
- Disadvantages: BGP extensions are needed. The setup of tunnels differs from the common MPLS VPN structure, so the solution is hard to maintain or understand.

[Figure: AS#100 and AS#200 with four PEs, ASBR-1, ASBR-2, VPN1-CE1, VPN1-CE2, VPN2-CE1 and VPN2-CE2; Multi-Hop MP-EBGP (VPN V4) between PEs and EBGP between the ASBRs; path PE, ASBR-1, ASBR-2, PE made of LSP-1, LSP-2 and VPN-LSP. Label in figure: BGP 4+.]

Cross-AS Solution 3: Multi-Hop eBGP: Distribution of routing information

[Figure: AS#100 and AS#200 with PE-1, PE-2, PE-3, PE-4, ASBR-1, ASBR-2, VPN1-CE1, VPN1-CE2, VPN2-CE1 and VPN2-CE2; EBGP between the ASBRs.]

Route advertisements shown in the figure:

- BGP, OSPF, RIPv2: 162.11.1.0/24, NH=CE-1
- VPN-v4 update: RD:1:27:162.11.1.0/24, NH=PE-1, RT=100:1, Label=(L3)
- Network=PE-1, NH=ASBR-1, Label=(L9)
- Network=PE-1, NH=ASBR-2, Label=(L10)
- BGP, OSPF, RIPv2: 162.11.1.0/24, NH=PE-2

Cross-AS Solution 3: Multi-Hop eBGP: Label switching procedure

[Figure: AS#100 and AS#200 with PE-1, PE-2, PE-3, PE-4, ASBR-1, ASBR-2, VPN1-CE1, VPN1-CE2, VPN2-CE1 and VPN2-CE2; EBGP between the ASBRs. Packets to 161.10.1.1 are shown unlabeled, with label L3 alone, and with labels L3, L10 and Lx; labels L9 and Ly also appear in the figure.]

Chapter 1 Cross-AS Solution
1.1 Cross-AS Solution
1.2 Carrier's Carrier Solution

Carrier's Carrier Solution: Carrier's Carrier Topology

[Figure: a level 1 carrier network between two level 2 carrier networks, with VPNA and VPNB sites; nodes L1 PE, L1 CE and L2 PE; sessions labelled MP-IBGP/Remote-Peer LDP, LDP, LDP/BGP and IBGP. Note in figure: a level 2 carrier can provide L2 and L3 VPNs.]

Carrier's Carrier Solution: Three Solutions

- Level 1 carriers use MPLS/BGP VPN technologies.
  - Level 2 carriers do not use VPN technologies.
  - Level 2 carriers use VPN technologies.
- Level 1 carriers use L2 MPLS VPN technologies.

Carrier's Carrier Solution: Solution 1

- Level 2 carriers do not provide MPLS/BGP VPN.
- Level 1 carriers do not have IGP routing information of level 2 carriers.
- If traffic flows from CE-1 to CE-2, the LSP starts at CE-1 and ends at PE-2.

[Figure: level-1 SP with PE-1 and PE-2 between two level-2 SP networks with CE-1 and CE-2; sessions labelled BGP/LDP, BGP and MP-IBGP / LDP.]

Carrier's Carrier Solution: Solution 2

- Level 2 carriers provide MPLS/BGP VPN.

[Figure: level-1 SP with PE-1 and PE-2 between two level-2 SP networks with CE-1, CE-2, PE-3 and PE-4; sites VPN 1 Site 1, VPN 1 Site 2, VPN 2 Site 1 and VPN 2 Site 2; sessions labelled BGP/LDP, LDP, MP-IBGP / Remote Peer LDP and MP-IBGP / LDP.]

Carrier's Carrier Solution: Solution 3

- Level 2 carriers provide MPLS L2 VPN.

[Figure: level-1 SP with PE-1 and PE-2 between two level-2 SP networks with CE-1, CE-2, PE-3 and PE-4; sites VPN 1 Site 1, VPN 1 Site 2, VPN 2 Site 1 and VPN 2 Site 2; sessions labelled LDP, MP-IBGP / Remote Peer LDP and MP-IBGP / LDP.]

Carrier's Carrier Solution: Carrier's Carrier Summary

Does a level 1 carrier have the routing information of a level 2 carrier?
- Level 1 carrier, MPLS/BGP VPN: Yes
- Level 1 carrier, MPLS L2 VPN: No

Is a routing protocol needed between the PE of a level 1 carrier and the CE of a level 2 carrier?
- Level 1 carrier, MPLS/BGP VPN: Static or dynamic routing protocol
- Level 1 carrier, MPLS L2 VPN: No

Does LDP operate between the PE of a level 1 carrier and the CE of a level 2 carrier?
- Level 1 carrier, MPLS/BGP VPN: Yes, multi-instance LDP is needed.
- Level 1 carrier, MPLS L2 VPN: No

How is encapsulation performed in a level 1 carrier network?
- Level 1 carrier, MPLS/BGP VPN: IP encapsulated by MPLS (L2 or L3 labels)
- Level 1 carrier, MPLS L2 VPN: IP encapsulated by MPLS (L2 labels), L2 labels, or MPLS (L1 or L2 labels)

Chapter 1 Cross-AS Solution
Chapter 2 HoPE Solution
Chapter 3 Internet Connection Solution
Chapter 4 Multi-Role Host Technology

Chapter 2 HoPE Solution
2.1 Background of HoPE
2.2 Framework of HoPE
2.3 Applications of HoPE

Background of HoPE: Condition of PE

The lower the layer at which the PE is located, the more specific the routes are, and the more routes the PE needs to maintain.

[Figure: core layer, distribution layer, access layer.]

- The PE is in an awkward position at each layer:
  - Access layer: unable to support PE functions because of small capacity.
  - Distribution layer: a large number of interfaces (or subinterfaces) are needed for subscriber identification. The number of subscribers is large but the PE provides limited interfaces.
  - Core layer: the number of subscribers is larger, the number of interfaces becomes more limited, and the bandwidth granularity is larger.

Background of HoPE: Problem

- The number of interfaces and the storage capacity must keep increasing and finally reach the equipment limit.
- The growth of network scale and the increase of subscribers in the local and peer sites require the local PE to have larger storage capacity.
- Solution:
  - Expand and migrate the PE.
  - Add PEs to share the load of the VPN subscribers.

This is an expensive solution.

Background of HoPE: Cause

- Large numbers of interfaces are needed to access subscribers. Large amounts of memory and forwarding capability are needed to handle subscriber packets.
- It is hard for a PE to provide large memory and a large number of interfaces at the same time.
- A typical network consists of different layers, featuring many edge interfaces and a large core capacity.
- MPLS VPN is flat. The requirement for memory capacity is similar regardless of the position of the PE in the network. When a PE is expanded toward the edge, more memory is required whereas the capacity of the network equipment decreases.

Key point: the model of MPLS VPN differs from the typical network model.

Background of HoPE: Multi-VRF Solution

- the CE functionality so that it has the VRF function, called Multi-VRF CE (VCE for short).
- A VCE can access multiple VPN subscribers and simulate multiple CEs.
- The VCE connects with the PE through multiple interfaces (or subinterfaces).
- The VCE only needs to maintain routes of the local site.
- No changes are needed in the PE.

[Figure: VCE1 and VCE2 connected to a PE at the edge of the MPLS network; sites VPN1 Site1, VPN1 Site2, VPN2 Site1 and VPN2 Site2.]

Background of HoPE: Defects of Multi-VRF Solution

- Large numbers of interfaces and subinterfaces, taken from limited interface resources, are needed between PE and VCE.
- Multiple VRFs need to be configured on both PE and CE. Configuration efforts are large and repetitive.
- The use of a dynamic routing protocol for route exchange between PE and VCE requires both PE and VCE to run multiple instances. The use of static routes, however, demands large configuration efforts.
- If PE and CE are not connected directly but through tunnels, each VRF needs a tunnel, so lots of tunnel resources are used.
- VCEs need to be interconnected to transfer VPN packets to reduce the load of the PE. That means each VRF needs an interface/subinterface.
- The ultimate implementation is a single-layer VPN access. The solution for the access of a separate MPLS VPN is still not provided.

Chapter 2 HoPE Solution
2.1 Background of HoPE
2.2 Framework of HoPE
2.3 Applications of HoPE

Framework of HoPE: New Solution: Hierarchy of PE

- A PE is connected with other PEs to fulfill the functions of a traditional PE together.
- The PEs form a hierarchy. A PE that directly accesses VPN subscribers is a UPE (Underlayer PE). One inside the network is an SPE (Superstratum PE).
- A UPE and an SPE can be connected directly or through an IP/MPLS network.
- Such a structure is called HoPE (Hierarchy of PE).

[Figure: HoPE made of UPE1, UPE2 and an SPE, serving VPN1 Site1, VPN1 Site2, VPN2 Site1 and VPN2 Site2 over an MPLS network; the SPE connects over MP-BGP across the MPLS network to two PEs serving VPN1 Site3 and VPN2 Site3.]

Framework of HoPE: Functions of UPE and SPE

- The UPE maintains only the routes of the directly connected VPN sites, not those of the remote VPN sites. The SPE maintains all routes in the VPNs it connects through UPEs, including routes of the local and remote VPN sites.
- The UPE assigns inner layer labels for routes of the directly connected VPN site and advertises the routes to the SPE. The SPE only advertises the default VRF route to the UPE with its label.
- Label switching is used between UPE and SPE and therefore only one interface (or subinterface) is needed for their interconnection. If an IP/MPLS network is present between UPE and SPE, GRE/LSP tunnels are used for their interconnection.

A UPE is a traditional PE whereas an SPE requires functional enhancements to a traditional PE.

Framework of HoPE: Forwarding of Data

[Figure: Site1, CE1, UPE, SPE1, P, PE2, CE2, Site2. Route advertisements shown between the nodes: Dest/Mask; Dest/Mask, Li; 0/0, L0; 0/0. Packets shown between the nodes, from CE1 to CE2: Dest/Mask; Dest/Mask, L0; Dest/Mask, Li, Lo; Dest/Mask, Li; Dest/Mask.]

Route advertisement:

- CE2 advertises a route of Site2.
- PE2 assigns an inner label for the route.
- SPE1 advertises the default route of VPN to the UPE with an inner label.
- UPE advertises the default route to CE1.

Packet forwarding:

- Forward the packets destined to Site2 from Site1 to the UPE according to the default route.
- Push the inner layer label and forward the packets to SPE1 according to the default VPN route.
- POP the inner label of the default route, query the related VRF Route Table and PUSH the inner and outer labels.
- POP the outer label (PHP).
- POP the inner label.

Framework of HoPE: Forwarding of Data

[Figure: Site1, CE1, UPE, SPE1, P, PE2, CE2, Site2. Route advertisements shown between the nodes: Dest/Mask; Dest/Mask, Li1; Dest/Mask, Li2; Dest/Mask. Packets shown between the nodes, listed from the CE1 side to the CE2 side: Dest/Mask; Dest/Mask, Li1; Dest/Mask, Li2; Dest/Mask, Li2, Lo; Dest/Mask.]

Route advertisement:

- CE1 advertises a route of Site1.
- UPE assigns an inner route label and advertises the route to SPE1.
- SPE1 replaces the label assigned by UPE with another inner label.
- PE2 advertises a route to CE2 without a label.

Packet forwarding:

- Query Route Table and forward packets to PE2.
- Query VRF Route Table and PUSH inner and outer labels.
- POP the outer label (PHP).
- SWAP the inner label.
- POP the inner label and forward the packets to CE1.

Framework of HoPE: SPE-UPE Protocol

- Use MP-BGP to distribute VPN-IPv4 routes.
  - If SPE and UPE belong to the same carrier, MP-iBGP is used and the SPE serves as RR.
  - If SPE and UPE belong to different carriers, MP-eBGP is used and the UPE uses the private AS number.
- The SPE creates the global import route-target list as the union of the VRF import route-target lists of the UPE.
  - The UPE transfers its import route-target list using the ORF mechanism and the SPE generates the global import route-target list automatically.
  - The global import route-target list is created manually on the SPE.

[Figure: UPE and SPE. VRF1 import route-target 100:1; VRF2 import route-target 200:1; global import route-target 100:1, 200:1. Exchanged between them: VPN route (label), ORF (extended community list), VRF default route (label).]
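How the global import route-target list bounds what the SPE stores and what the UPE receives, as an added Python example that is not part of the original course material. The route-target values 100:1 and 200:1 are the slide's; the third route target, the prefixes, the label values, the function names and the audit of a manually configured list are assumptions made for illustration.

```python
def global_import_rts(upes):
    """Union of every VRF import route-target list configured on the UPEs."""
    rts = set()
    for vrfs in upes.values():
        for import_rts in vrfs.values():
            rts |= set(import_rts)
    return rts


def spe_filter(vpnv4_routes, global_rts):
    """Keep only VPN-IPv4 routes that carry at least one RT in the global list."""
    return [r for r in vpnv4_routes if set(r["rt"]) & global_rts]


def upe_updates(upes, first_label=500):
    """One labeled VRF default route per UPE VRF; no specific remote routes."""
    updates, label = [], first_label
    for upe, vrfs in sorted(upes.items()):
        for vrf in sorted(vrfs):
            updates.append(
                {"to": upe, "vrf": vrf, "prefix": "0.0.0.0/0", "label": label}
            )
            label += 1
    return updates


def audit_manual_list(manual_rts, upes):
    """Compare a hand-maintained SPE list with the union derived from the UPEs.

    'missing' RTs make the SPE discard routes a UPE VRF needs;
    'unneeded' RTs make the SPE store routes of VPNs no UPE serves.
    """
    derived = global_import_rts(upes)
    manual = set(manual_rts)
    return {"missing": sorted(derived - manual),
            "unneeded": sorted(manual - derived)}


# Constructed sample data: one UPE with the two VRFs drawn on the slide.
UPES = {"UPE1": {"VRF1": ["100:1"], "VRF2": ["200:1"]}}

# Constructed VPN-IPv4 routes arriving at the SPE from remote PEs.
REMOTE_ROUTES = [
    {"rd": "1:27", "prefix": "161.10.1.0/24", "rt": ["100:1"]},
    {"rd": "1:28", "prefix": "10.2.0.0/16", "rt": ["200:1"]},
    {"rd": "1:29", "prefix": "10.3.0.0/16", "rt": ["300:1"]},  # VPN not served here
]

if __name__ == "__main__":
    rts = global_import_rts(UPES)
    print("global import RTs:", sorted(rts))
    print("kept on SPE:", [r["prefix"] for r in spe_filter(REMOTE_ROUTES, rts)])
    print("sent to UPE:", upe_updates(UPES))
    print("audit:", audit_manual_list(["100:1", "300:1"], UPES))
```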

Framework of HoPE: SPE-UPE Connection

- Through any form of interface/subinterface
- Through tunnel interface
  - MP-BGP can cross multiple hops.
  - When LSPs are used, LDP/RSVP-TE operates on UPE/SPE.

[Figure: one SPE connected to two UPEs; connection types shown: leased line, LSP, GRE tunnel.]

One SPE/UPE pair requires only one connection.

Framework of HoPE: HoPE Hierarchy

- A PE in a hierarchy serves as UPE (SPE) to form another PE hierarchy with another SPE (UPE).
- The middle level PE is called MPE.
- An SPE can connect with a standalone UPE when connecting with a PE in a hierarchy.

Endless hierarchies

[Figure: SPE, MPE and several UPEs serving VPN1 Site1, VPN1 Site2, VPN1 Site3, VPN2 Site1, VPN2 Site2 and VPN2 Site3; VRF default routes are advertised toward the lower tier.]

Framework of HoPE: Multi-homed UPE

- A UPE connects with multiple SPEs.
- The multiple SPEs all advertise the VRF default routes to the UPE. The UPE selects one default route in preference or selects multiple routes for load sharing.
- The UPE advertises its VPN routes to all the SPEs, or part of the VPN routes to each of the SPEs for load sharing.

[Figure: a UPE serving a VPN1 site and a VPN2 site, connected to SPE1 and SPE2; VPN1 route and VPN2 route go up from the UPE, a VRF default route comes down from each SPE.]

Framework of HoPE: SPE Connected with Both UPE and CE

- When an SPE is connected with a UPE, it can still be connected to CEs.
- Sites of the same VPN intercommunicate through the SPE.

[Figure: an SPE connected to a UPE (VPN1 Site2, VPN2 Site2) and to a CE (VPN1 Site1).]

Framework of HoPE: Back Door Connection between UPEs

- A back door connection is established between two UPEs. VPN sites intercommunicate directly through this connection without the help of the SPE.
- A UPE communicates with the peer and they exchange their routes through MP-BGP.
- UPEs can communicate across a network.

[Figure: an SPE above UPE1 (VPN1 Site1, VPN2 Site1) and UPE2 (VPN1 Site2, VPN2 Site2); a back door connection running MP-BGP links UPE1 and UPE2.]

Framework of HoPE: Best Solution

- An SPE and a UPE communicate through only one interface/subinterface, which saves the limited interface resources.
- A VRF that is already configured on the UPE does not need to be configured again on the SPE, which minimizes the configuration efforts.
- SPE and UPE exchange routes and advertise labels using the dynamic routing protocol MP-BGP. Each UPE only needs to run MP-BGP with one peer, so the protocol overhead is small and the configuration efforts are reduced.
- SPE and UPE can connect with each other through the tunnel interface so that they can communicate across a network. In particular, this can be an MPLS network, which gives excellent scalability when MPLS VPNs are deployed in tiers.
- The back door connection between UPEs can reduce the load of the SPE. Only one interface/subinterface is needed between UPEs.

BGP/MPLS VPN can be deployed on a tier by tier basis. When the performance of a UPE is insufficient, an SPE can be added and the UPE is moved to a lower tier. When the access capability of the SPE becomes insufficient, more UPEs can be added.

Chapter 2 HoPE Solution
2.1 Background of HoPE
2.2 Framework of HoPE
2.3 Applications of HoPE

Applications of HoPE: Application in Finance/Government Networks

[Figure: MPLS backbone with SPEs at province level, an MPE at city level and UPEs at county level, each tier serving VPN1 and VPN2 sites; device models shown: R3680, R2630, NE08/NE05, NE80/NE40/NE20/NE20s, NE16/08/05.]

Applications of HoPE: Application in MAN

[Figure: a MAN with core, distribution (PE) and access layers, annotated "insufficient routing capability" and "insufficient interfaces", and three HoPE layouts: core (SPE), distribution (UPE), access; core (SPE), distribution (MPE), access (UPE); core, distribution (SPE), access (UPE). Device models shown: NE16/08, S8016, C75XX, C6509, NE80, NE05, R3680.]

Applications of HoPE: Application in Cross-AS MAN-Backbone

[Figure: MAN A and MAN B attached to a backbone; roles shown: ASBR/RR acting as UPE and ASBR acting as SPE; "all routes in the AS" are advertised in one direction and the "VRF default route" in the other. Device models shown: NE80/40/20, NE16/08, NE80.]

Chapter 1 Cross-AS Solution
Chapter 2 HoPE Solution
Chapter 3 Internet Connection Solution
Chapter 4 Multi-Role Host Technology

Internet Connection Solution: Three Internet Access Solutions

- Subscribers of any type of network wish to have access to the Internet, which is an inevitable demand.
- In an MPLS VPN, three Internet access solutions are available:
  - Through external ISP
  - Through static default route
  - Through subinterface

Internet Connection Solution: Internet Access Through External ISP

- Advantages: All VPN1 sites use CE1 as the egress, which is convenient for management. This solution is also called centralized access and is widely applied.
- Disadvantages: Multiple default routes may be added to the VRF instances of the VPN, so packet forwarding through multiple default gateways may not be optimal.

[Figure: MPLS VPN backbone with PE1, PE2 and PE3; VPN1 sites behind CE1, CE2 and CE3; an Eudemon and the external ISP are shown at the Internet egress.]

Internet Connection Solution: Internet Access Through Static Default Route

- Advantages: Each VPN site can access the Internet through the local PE, which facilitates management. This solution is also called distributed access.
- Disadvantages: The network segment of the CE will be advertised in the public network. The security cannot be assured. NAT configuration is needed on the CE.

[Figure: MPLS VPN backbone with PE1, PE2 and PE3; VPN1 sites behind CE1, CE2 and CE3; external ISP; one link is addressed 61.1.1.0 with hosts .1 and .2.]

Internet Connection Solution: Internet Access Through Subinterface

- Features: CE and PE are connected through subinterfaces. One subinterface is responsible for VPN communication and the other is responsible for public network access.

[Figure: MPLS VPN backbone with PE1, PE2 and PE3; VPN1 sites behind CE1, CE2 and CE3; external ISP.]

Chapter 1 Cross-AS Solution
Chapter 2 HoPE Solution
Chapter 3 Internet Connection Solution
Chapter 4 Multi-Role Host Technology

Multi-Role Host Solution: Selection Modes

- Client selection modes
  - L2TP accessing PE
  - PPPoE accessing PE
  - Mapping between 802.1X and VPN
  - VLAN+Web
- PE selection modes
  - ACL-based VPN identification

Multi-Role Host Solution: Client Selection Modes

- Typical application of MPLS VPN access
- An L2TP adapter can take the place of a real network adapter.
- Dynamic VPN selection is implemented through the L2TP authentication mechanism.

[Figure: a multi-role host in a VLAN reaches the PE (LNS) of the MPLS VPN over L2TP; Radius/CAMS is attached to the PE. Notes in figure: the host accesses the PE through an L2TP tunnel; the PE dynamically imports different VPNs and assigns the IP addresses according to the user name and password.]

Multi-Role Host Solution: Multi-Purpose Server

- Multiple VPNs share a server, with a fixed position and fixed role.
- Configure a private VRF for the multi-purpose server to exchange routes with multiple VPNs.
- The IP address of the multi-purpose server is globally unique.
- Enhance protection for the server.

[Figure: a shared server behind a firewall, attached to a VRF on the PE of the MPLS VPN. Note in figure: configure a VRF for the multi-purpose server; configure a firewall to protect the server.]

Summary

- Cross-AS, HoPE, Internet access and multi-role host technologies are very useful extensions to MPLS and solve many problems in current networks.
- We must understand these technologies in detail to facilitate future application and troubleshooting.


Thank You
