Selecting MPLS VPN Services. Chris Lewis. Steve Pickavance. Contributions by: Monique Morrow, John Monaghan, Craig Huegen. Cisco Press.
See, e. Security is discussed in more detail in Section
Sites and CEs
From the perspective of a particular backbone network, a set of IP systems may be regarded as a "site" if those systems have mutual IP interconnectivity that doesn't require use of the backbone.
In general, a site will consist of a set of systems that are in geographic proximity. However, this is not universally true. If two geographic locations are connected via a leased line, over which Open Shortest Path First OSPF protocol [ OSPFv2 ] is running, and if that line is the preferred way of communicating between the two locations, then the two locations can be regarded as a single site, even if each location has its own CE router.
This notion of "site" is topological, rather than geographical.
If the leased line goes down, or otherwise ceases to be the preferred route, but the two geographic locations can continue to communicate by using the VPN backbone, then one site has become two. A CE device is always regarded as being in a single site though as we shall see in Section 3. A site, however, may belong to multiple VPNs. A CE device may, for robustness, attach to multiple PE routers, of the same or of different service providers. While we speak mostly of "sites" as being the basic unit of interconnection, nothing here prevents a finer degree of granularity in the control of interconnectivity.
However, this might require that the site have two attachment circuits to the backbone, one for the intranet and one for the extranet; it might further require that firewall functionality be applied on the extranet attachment circuit. One of the forwarding tables is the "default forwarding table".
The result of that lookup determines how to route the packet. There is also the notion of a packet's "egress VRF", located at the packet's egress PE; this is discussed in Section 5.
If an IP packet arrives over an attachment circuit that is not associated with any VRF, the packet's destination address is looked up in the default forwarding table, and the packet is routed accordingly. Packets forwarded according to the default forwarding table include packets from neighboring P or PE routers, as well as packets from customer-facing attachment circuits that have not been associated with VRFs.
Intuitively, one can think of the default forwarding table as containing "public routes", and of the VRFs as containing "private routes".
One can similarly think of VRF attachment circuits as being "private", and of non-VRF attachment circuits as being "public". If a particular VRF attachment circuit connects site S to a PE router, then connectivity from S via that attachment circuit can be restricted by controlling the set of routes that gets entered in the corresponding VRF. If there are multiple attachment circuits leading from S to one or more PE routers, then there might be multiple VRFs that could be used to route traffic from S.
To properly restrict S's connectivity, the same set of routes would have to exist in all the VRFs. Alternatively, one could impose different connectivity restrictions over different attachment circuits from S. In that case, some of the VRFs associated with attachment circuits from S would contain different sets of routes than some of the others.
We allow the case in which a single attachment circuit is associated with a set of VRFs, rather than with a single VRF. This can be useful if it is desired to divide a single VPN into several "sub-VPNs", each with different connectivity restrictions, where some characteristic of the customer packets is used to select from among the sub-VPNs.
For simplicity though, we will usually speak of an attachment circuit as being associated with a single VRF. In general, to determine the attachment circuit over which a packet arrived, a PE router takes note of the physical interface over which the packet arrived, and possibly also takes note of some aspect of the packet's layer 2 header.
For example, if a packet's ingress attachment circuit is a Frame Relay VC, the identity of the attachment circuit can be determined from the physical Frame Relay interface over which the packet arrived, together with the Data Link Connection Identifier (DLCI) field in the packet's Frame Relay header. Although the PE's conclusion that a particular packet arrived on a particular attachment circuit may be partially determined by the packet's layer 2 header, it must be impossible for a customer, by writing the header fields, to fool the SP into thinking that a packet that was received over one attachment circuit really arrived over a different one.
In the example above, although the attachment circuit is determined partially by inspection of the DLCI field in the Frame Relay header, this field cannot be set freely by the customer. In some cases, a particular site may be divided by the customer into several "virtual sites".
The SP may designate a particular set of VRFs to be used for routing packets from that site and may allow the customer to set some characteristic of the packet, which is then used for choosing a particular VRF from the set.
For example, each virtual site might be realized as a VLAN. Another way to accomplish this is to use IP source addresses. In this case, the PE uses the IP source address in a packet received from the CE, along with the interface over which the packet is received, to assign the packet to a particular VRF.
Again, the customer would only be able to select from among the particular set of VRFs that that customer is allowed to use. If it is desired to have a particular host be in multiple virtual sites, then that host must determine, for each packet, which virtual site the packet is associated with.
It can do this, e. When we speak of a PE "learning" routes from a CE, we are not presupposing any particular learning technique. The PE may learn routes by means of a dynamic routing algorithm, but it may also "learn" routes by having those routes configured i. In this case, to say that the PE "learned" the routes from the CE is perhaps to exercise a bit of poetic license. The procedures to be used for populating the VRFs with the proper sets of routes are specified in Section 4.
If there are multiple attachment circuits leading from a particular PE router to a particular site, they might all be mapped to the same forwarding table. But if policy dictates, they could be mapped to different forwarding tables. For instance, the policy might be that a particular attachment circuit from a site is used only for intranet traffic, while another attachment circuit from that site is used only for extranet traffic.
Perhaps, e. In this case, the two attachment circuits would be associated with different VRFs. Note that if two attachment circuits are associated with the same VRF, then packets that the PE receives over one of them will be able to reach exactly the same set of destinations as packets that the PE receives over the other.
If an attachment circuit leads to a site which is in multiple VPNs, the attachment circuit may still be associated with a single VRF, in which case the VRF will contain routes from the full set of VPNs of which the site is a member. We allow each VPN to have its own address space, which means that a given address may denote different systems in different VPNs. If two routes to the same IP address prefix are actually routes to different systems, it is important to ensure that BGP not treat them as comparable.
Otherwise, BGP might choose to install only one of them, making the other system unreachable. We meet these goals by the use of a new address family, as specified below. This ensures that if the same address is used in several different VPNs, it is possible for BGP to carry several completely different routes to that address, one for each VPN.
An RD is simply a number, and it does not contain any inherent information; it does not identify the origin of the route or the set of VPNs to which the route is to be distributed. The purpose of the RD is solely to allow one to create distinct routes to a common IPv4 address prefix.
Other means are used to determine where to redistribute the route (see Section 4.
The RD can also be used to create multiple different routes to the very same system. We have already discussed a situation in which the route to a particular server should be different for intranet traffic than for extranet traffic. This allows BGP to install multiple different routes to the same system, and allows policy to be used (see Section 4.
The RDs are structured so that every Service Provider can administer its own "numbering space" i. An RD consists of three fields: a 2-byte type field, an administrator field, and an assigned number field. The value of the type field determines the lengths of the other two fields, as well as the semantics of the administrator field.
The administrator field identifies an assigned number authority, and the assigned number field contains a number that has been assigned, by the identified authority, for a particular purpose.
For example, one could have an RD whose administrator field contains an Autonomous System number (ASN), and whose 4-byte number field contains a number assigned by the SP to whom that ASN belongs (having been assigned to that SP by the appropriate authority). However, the structure is not meaningful to BGP; when BGP compares two such address prefixes, it ignores the structure entirely.
The configuration may cause all routes leading to the same CE to be associated with the same RD, or it may cause different routes to be associated with different RDs, even if they lead to the same CE. The RDs are encoded as follows:
- Type Field: 2 bytes
- Value Field: 6 bytes
The interpretation of the Value field depends on the value of the type field. At the present time, three values of the type field are defined: 0, 1, and 2. The Assigned Number subfield contains a number from a numbering space that is administered by the enterprise to which the ASN has been assigned by an appropriate authority.
If this IP address is from the public IP address space, it must have been assigned by an appropriate authority (use of addresses from the private IP address space is strongly discouraged). The Assigned Number subfield contains a number from a numbering space which is administered by the enterprise to which the IP address has been assigned.
The Assigned Number subfield contains a number from a numbering space which is administered by the enterprise to which the ASN has been assigned by an appropriate authority. Routes learned from a CE routing peer over a particular attachment circuit may be installed in the VRF associated with that attachment circuit.
Exactly which routes are installed in this manner is determined by the way in which the PE learns routes from the CE. In particular, when the PE and CE are routing protocol peers, this is determined by the decision process of the routing protocol; this is discussed in Section 7.
These are carried in BGP as attributes of the route. Whether it actually gets installed depends upon the outcome of the BGP decision process, and upon the outcome of the decision process of the IGP i. A Route Target attribute can be thought of as identifying a set of sites.
Though it would be more precise to think of it as identifying a set of VRFs. Associating a particular Route Target attribute with a route allows that route to be placed in the VRFs that are used for routing traffic that is received from the corresponding sites. The two sets are distinct, and need not be the same. However, the format of the latter is inadequate for present purposes, since it allows only a 2-byte numbering space.
It is desirable to structure the format, similar to what we have described for RDs see Section 4. They are structured similarly to the RDs. Note that a route can only have one RD, but it can have multiple Route Targets. In BGP, scalability is improved if one has a single route with multiple attributes, as opposed to multiple routes. How does a PE determine which Route Target attributes to associate with a given route?
There are a number of different possible ways. The PE might be configured to associate all routes that lead to a specified site with a specified Route Target.
Or the PE might be configured to associate certain routes leading to a specified site with one Route Target, and certain with another. This gives the customer the freedom to specify in real time, within agreed-upon limits, its route distribution policies. It also assigns and distributes an MPLS label. When the PE processes a received packet that has this label at the top of the stack, the PE will pop the stack, and process the packet appropriately.
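The RD encoding described above and the Route Target import rule in the preceding paragraphs are tied together in the following added Python example, which is not part of the original text or of any vendor's implementation. It packs and unpacks the three defined RD types (type 0: 2-byte ASN plus 4-byte number; type 1: 4-byte IPv4 address plus 2-byte number; type 2: 4-byte ASN plus 2-byte number), keys a simulated BGP VPN-IPv4 table on (RD, prefix) so that two customers' overlapping 10.1.0.0/16 prefixes stay distinct while an identical (RD, prefix) pair is treated as comparable, and populates VRFs by Route Target intersection, including the intranet-versus-extranet case where two RDs carry two different routes to the same server. Route Targets are represented as plain "ASN:number" strings rather than encoded extended communities, and every route, RD, next hop and VRF name is constructed sample data.

```python
"""Route Distinguisher encoding and Route Target based VRF population.

Constructed illustration of the RFC text; not an implementation from any
router vendor. Route Targets are kept as plain strings for readability.
"""
from dataclasses import dataclass
import ipaddress
import struct


# ---- Route Distinguisher: 2-byte Type field + 6-byte Value field ----------

def encode_rd(rd_type, administrator, assigned):
    """Return the 8-byte RD for the three defined type values.

    Type 0: 2-byte ASN administrator, 4-byte assigned number.
    Type 1: 4-byte IPv4 administrator, 2-byte assigned number.
    Type 2: 4-byte ASN administrator, 2-byte assigned number.
    """
    if rd_type == 0:
        value = struct.pack("!HI", administrator, assigned)
    elif rd_type == 1:
        value = ipaddress.IPv4Address(administrator).packed + struct.pack("!H", assigned)
    elif rd_type == 2:
        value = struct.pack("!IH", administrator, assigned)
    else:
        raise ValueError(f"undefined RD type {rd_type}")
    return struct.pack("!H", rd_type) + value


def decode_rd(raw):
    """Inverse of encode_rd; returns (type, administrator as str, assigned)."""
    if len(raw) != 8:
        raise ValueError("an RD is exactly 8 bytes")
    (rd_type,) = struct.unpack("!H", raw[:2])
    value = raw[2:]
    if rd_type == 0:
        admin, num = struct.unpack("!HI", value)
        return rd_type, str(admin), num
    if rd_type == 1:
        (num,) = struct.unpack("!H", value[4:])
        return rd_type, str(ipaddress.IPv4Address(value[:4])), num
    if rd_type == 2:
        admin, num = struct.unpack("!IH", value)
        return rd_type, str(admin), num
    raise ValueError(f"undefined RD type {rd_type}")


# ---- VPN-IPv4 routes, a BGP table and Route Target driven VRF import ------

@dataclass
class VpnRoute:
    rd: bytes            # 8-byte Route Distinguisher
    prefix: str          # IPv4 prefix in CIDR text form
    next_hop: str        # constructed PE name standing in for the BGP next hop
    route_targets: frozenset  # Route Target attributes as "ASN:number" strings


def bgp_table(routes):
    """Key on the VPN-IPv4 address (RD + prefix): equal keys are comparable,
    so only one route survives; distinct RDs keep overlapping prefixes apart."""
    table = {}
    for route in routes:
        table[(route.rd, route.prefix)] = route
    return table


def populate_vrfs(table, vrf_imports):
    """Install a route in every VRF whose import set shares a Route Target
    with the route. Returns {vrf_name: {prefix: next_hop}}."""
    vrfs = {name: {} for name in vrf_imports}
    for route in table.values():
        for name, imports in vrf_imports.items():
            if route.route_targets & imports:
                vrfs[name][route.prefix] = route.next_hop
    return vrfs


# Constructed sample data: two customers reuse 10.1.0.0/16; a shared server
# 10.2.0.1 is reached directly by customer A and via a firewall by customer B.
RD_A = encode_rd(0, 65000, 1)
RD_B = encode_rd(0, 65000, 2)
RD_EXTRANET = encode_rd(1, "192.0.2.1", 10)

SAMPLE_ROUTES = [
    VpnRoute(RD_A, "10.1.0.0/16", "PE1", frozenset({"65000:1"})),
    VpnRoute(RD_B, "10.1.0.0/16", "PE2", frozenset({"65000:2"})),
    VpnRoute(RD_A, "10.2.0.1/32", "PE3", frozenset({"65000:1"})),
    VpnRoute(RD_EXTRANET, "10.2.0.1/32", "PE3-firewall", frozenset({"65000:2"})),
]
VRF_IMPORTS = {"CustA": {"65000:1"}, "CustB": {"65000:2"}}


def build_sample_vrfs():
    """Run the sample through the table and the import step."""
    return populate_vrfs(bgp_table(SAMPLE_ROUTES), VRF_IMPORTS)


if __name__ == "__main__":
    for name, routes in build_sample_vrfs().items():
        print(name, routes)
```

Because the table is keyed on the full VPN-IPv4 address, dropping the RD (or reusing one RD across customers) collapses the two 10.1.0.0/16 routes into one and makes one customer's prefix unreachable, which is exactly the comparability problem the text warns about.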