© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential
MPLS in enterprise networks
Ivan Zaklanović, [email protected]
Why enterprise customers choose MPLS for their internal networks
• Ability to act as an internal service provider
• Own WAN and MAN infrastructure
• Simple integration of all parts of the company
• Better protection of the network backbone (HA)
• Consolidation and simple integration with the data center environment
• Simple network segmentation/virtualization
• Increased network security: closed user groups (through VPNs); containment of worm propagation through isolation
Buy a VPN service or build your own? Market status 2003 (IDC)
Reasons for NOT out-tasking a VPN (source: Cisco study): ~53% of enterprises choose a DIY VPN.
Reasons for out-tasking a VPN (percent of CIOs, source: Cisco FISH study; chart values in the order shown: 37%, 45%, 51%, 51%, 54%):
• To gain more value
• Lack of staff
• Lack of in-house expertise
• Expect cost savings
• Not a core business activity
~47% of enterprises choose to BUY a VPN: either an L3 IP VPN service, or an L1 or L2 VPN service.
The split is moving in favour of SP-offered services: 64% managed VPN / 36% DIY in 2005 (IDC).
Business application 1: consolidation of the network and all of its parts
Requirement: integration of acquired companies.
Solution: define a VPN for each acquired company. Each VPN can then have its own security policy, and overlapping address spaces and services are easier to resolve.
[Figure: self-managed MPLS backbone with VPN_Fin, VPN_Aero and VPN_Cos for the Financial Services, Aerospace and Cosmetics divisions at Remote Site 1 and Remote Site 2; VRF instances (VPN_Acq) added for each site of the acquired company. Remote Site 1 and the acquired company's Site 2 may share a physical location for reduced access costs.]
Business application 2: consolidation/integration of the data center and services
Requirement: data center / application / services consolidation.
Solution: virtualized front end (FW, ACE, ...) + central services + VLAN extension across the WAN.
[Figure: the same self-managed MPLS backbone as above (VPN_Fin, VPN_Aero, VPN_Cos at the remote sites, VPN_Acq at the acquired company's sites), plus a central site (HQ) where each VPN terminates on its own virtual firewall (VFW 11, VFW 21, VFW 31) in front of the MSFC serving Aerospace, Cosmetics and Financial Services.]
Outsource the transport and keep the main IP services in-house...?
...such as:
• QoS: classification, policy control, SLA measurement
• IP: full control of the IGP, convergence, redundancy (multiple links / multiple SPs)
• Multicast
• Sub-VPN: virtualization, segmentation
• Encryption
Possible ways of defining sub-VPNs
• IP VRF: Multi-VRF CE (VRF-lite)
• MPLS: CsC (Carrier supporting Carrier); eMP-BGP peering (remote PE)
• Tunneling: VRF-aware IP tunneling; MPLS VPN over L2TPv3
• L2VPN: point-to-point (or multipoint); the CE defines the services
Agenda
• MPLS basics: introduction to MPLS; convergence in an MPLS environment; QoS in MPLS networks; MPLS applications
• L3 MPLS VPN: MPLS IP-VPN basics; MPLS IP-VPN recommendations; Internet access; security
• L2 MPLS VPN; TE, Multi-VRF, CsC; examples from practice
MPLS basics 1
MPLS: Multi Protocol Label Switching
• Packets are processed and forwarded on the basis of labels (not IP addresses)
• MPLS uses the FEC (Forwarding Equivalence Class) concept when assigning labels to packets
• Labels are assigned at the edge of the MPLS network, as the result of classifying packets into FECs
• Classification can be based on different parameters: destination IP address, VPN, QoS, TE, multicast, ...
• Classification is performed only at the edge of the network
• The label sits between the L2 and L3 headers:
  Ethernet Hdr | Shim Header (Label) | Layer 3 Header | Data
MPLS basics 2
1a. The existing routing protocol (e.g. OSPF, IS-IS) determines the paths to the destination networks.
1b. The Label Distribution Protocol (LDP) maps labels onto the paths determined by the interior routing protocol.
2. The ingress edge LSR (PE node) accepts packets, applies the configured L3 services (QoS, ACL) and labels each packet according to the configured classification.
3. The LSR (P node) forwards the packet according to the label learned through LDP.
4. The egress edge LSR removes the label and forwards the IP packet.
MPLS basics 3
Label format:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------------------------------+-----+-+---------------+
|                 Label                 | Exp |S|      TTL      |
+---------------------------------------+-----+-+---------------+
Label = 20 bits; Exp = experimental (since renamed Traffic Class, RFC 5462), 3 bits; S = bottom of stack, 1 bit; TTL = time to live, 8 bits
• Can be used over different L2 technologies: Ethernet, 802.3, PPP links, Frame Relay, ATM PVCs, ...
• More than one label may be present:
  • Label stack: the list of labels attached to a packet
  • This is the basis for the different MPLS applications (e.g. VPNs, traffic engineering)
MPLS convergence in the core
Recommended options for convergence:
• Core options:
  • P link/node protection: FRR
  • PE/P link protection: IGP + LDP
• Edge:
  • PE-PE: iMP-BGP through route reflectors (RR)
  • CE-PE: IGP or BGP / OAM
[Figure: MPLS core of P1, P2 and P3 with route reflectors RR1 and RR2; PE1, PE2 and PE3 at the edge, each connected to its CE (CE1, CE2, CE3)]
Fast core convergence: failure detection and alternate path computation
1. Link/node failure detection
  • Interrupt-driven LoS (loss of signal): <50 ms (but depends on hardware and link type)
  • Carrier delay with IP event dampening
  • IGP fast hellos: ~1 s (node failure detection)
  • BFD (Bidirectional Forwarding Detection)
  • RSVP hellos
2. Alternate path determination/computation
  • IGP flooding / SPF (sub-second, or even 200 ms)
  • MPLS Fast ReRoute (sub-100 ms, even sub-50 ms convergence)
Fast link/node failure detection
Link failure (carrier delay and event dampening):
  interface FastEthernet1/1
   ip address …
   carrier-delay msec 0
   ip router isis
   isis network point-to-point
   ip ospf network point-to-point
   dampening
Neighbouring node failure (fast hellos):
  interface FastEthernet1/1
   ip address …
   ip router isis
   isis circuit-type level-1
   isis hello-multiplier 10 level-1
   isis hello-interval minimal level-1
   ip ospf dead-interval minimal hello-multiplier 3
Bidirectional Forwarding Detection
[Figure: asynchronous BFD control packets exchanged between two neighbours alongside the IGP adjacency; when the detect timer expires, BFD informs its client (IGP/BGP)]
BFD detects a failure of the neighbouring node much faster than IGP fast hellos. It is also standardized to work with many protocols over any medium.
  interface Vlan600
   ip address …
   bfd interval 100 min_rx 100 multiplier 3
   dampening
  router ospf 100
   bfd all-interfaces
  process-max-time
Alternate path computation through SPF (OSPF)
  ip routing protocol purge interface
  process-max-time 50
  router ospf 100
   router-id <lo0 ip address>
   network <address> <wildcard mask> area 0
   timers throttle lsa all 0 20 5000
   timers lsa arrival 15
   timers pacing flood 15
   timers throttle spf 50 50 5000
   ispf
• ip routing protocol purge interface: speeds up the RIB update
• OSPF LSA throttling (timers throttle lsa, timers lsa arrival, timers pacing flood): controls LSA generation, the minimum interval between instances of the same LSA, and LSA inter-packet spacing
• OSPF SPF throttling (timers throttle spf); ispf: incremental SPF
MPLS FRR example: protection of P nodes and the links between them (more in the TE section)
[Figure: sites attached to the core, with a primary tunnel and a backup tunnel through the core]
QoS: DiffServ architecture in an MPLS environment
• Aggregation at the edge: thousands of flows; packets are associated with FECs (which are marked with labels)
• Further processing in the core: forwarding is based only on the label (MPLS EXP bits for QoS)
• The label carries the MPLS EXP bits used for QoS (interoperability with CoS, ToS/IP precedence, DSCP)
• Reminder: QoS must be defined end-to-end, not only in the MPLS part
• Another reminder: QoS is a very powerful security mechanism
MPLS applications
[Figure: MPLS network infrastructure supporting provider-provisioned VPNs, traffic engineering, IP+ATM, IP+Optical (GMPLS) and Any Transport over MPLS]
VPN technologies: a comparison
[Figure: VPN A, VPN B and VPN C sites around a network offering hosting, multicast, VoIP, intranet and extranet services]
Overlay VPN:
• Pushes content outside the network
• Cost grows exponentially
• Depends on the transport technology
• Groups end devices
• Complicated implementation of QoS, tunnels, ...
• E1, FR, ATM, IPsec, GRE, L2TP, PPTP, ...
MPLS VPN (peer-to-peer):
• Allows content to be offered inside the network
• Better cost control
• Independent of the transport technology
• Simple grouping of users and of the services offered to them
• Allows QoS to be defined within the VPN
Define VRFs (Virtual Routing & Forwarding instances)
[Figure: a PE with CEs for VPN-A (Paris, London) and VPN-B (Munich); the PE holds a global routing table (IGP and/or BGP) plus a VRF for VPN-A and a VRF for VPN-B, each with its own virtual routing table and virtual forwarding table]
1. VRFs provide isolation between customers
2. A VRF is essentially a per-interface routing table (interface/subinterface/SVI, ...)
3. These are not virtual routers; it is virtual routing and CEF switching
  ip vrf gray
Attaching a customer site to a VRF
[Figure: the same PE; each CE interface is placed into the VRF for VPN-A or VPN-B, next to the global routing table]
The CE-PE interface can be:
• POS, Frame Relay, ATM, PPP, HDLC, Ethernet
• GRE, L2TP, PPPoX
• MLPPP, ISDN
• Not: X.25, Token Ring, FDDI (but possible with the help of GRE tunnels)
Any CEF interface:
  interface vlan XXX
   ip vrf forwarding gray
Define the routing protocol between the CE and the VRF
[Figure: the same PE; PE-CE routing between each CE and its VRF runs eBGP, RIPv2, static, OSPF or EIGRP]
• The VRF is updated locally through the PE-CE routing protocol: RIP version 2, OSPF, EIGRP, eBGPv4, IS-IS, static routing
• A separate routing context per VRF: different routing contexts can be defined within one process (eBGPv4, EIGRP, RIPv2) through address families
• OSPF: a separate process per VRF
  router …
   address-family ipv4 vrf gray
Propagating VRF routes across the MPLS backbone
[Figure: CE router - PE - P router - PE - CE router, with MP-iBGP between the two PEs]
Distribution of local VPN routes between PE routers across the backbone is done by:
• MP-iBGP, with the routes redistributed from the VRF (made unique by the RD)
• the remote PE installing the routes into the appropriate VRFs (with the help of the RT)
  router bgp …
   address-family vpnv4
MP-iBGP (RFC 2858)
A VPN-IPv4 address consists of:
• Route Distinguisher (RD): makes the IPv4 route globally unique
  • 64 bits
  • configured on the PE for each VRF
  • may or may not correspond to a site or a VPN
  • recommended format: AS number : (router in AS / VRF in router)
  • a unique RD per VRF and PE router enables load balancing and faster convergence
• IPv4 address (32 bits)
Extended community attribute (64 bits):
• Site of Origin (SoO): identifies the site where the route originated
• Route target (RT): used as a VRF filter
  • RT export: tags routes before they are sent through MP-iBGP
  • RT import: selects routes into a given VRF
Label: identifies the outgoing interface on the PE router (the second label in the stack)
Any other standard BGP attribute (AS path, local preference, MED, ...)
Intranet VPN model: any to any
[Figure: VPN A sites SITE-1 to SITE-4 attached through PEs around a P router; every PE's VPN A VRF holds the Site-1 to Site-4 routes (labels xx, yy, zz, tt), exchanged through MP-iBGP]
The same VRF configuration on every PE:
  ip vrf green
   rd 500:24
   route-target export 500:18
   route-target import 500:18
Extranet VPN model: central service / backup server / central NMS / Internet access / ...
[Figure: remote sites SITE-1, SITE-2 and SITE-3 and a central site attached through PEs around a P router; the central VRF holds the Site-1, Site-2 and Site-3 routes, each remote VRF holds its own routes plus the central site's]
Remote sites:
  ip vrf Remote-green
   rd 500:24
   route-target export 500:99
   route-target import 500:1

  ip vrf Remote-blue
   rd 12:43
   route-target export 500:99
   route-target import 500:1
Central site:
  ip vrf Central
   rd 48:22
   route-target export 500:1
   route-target import 500:99
Result: the central VRF imports the routes of all remote sites, while each remote VRF imports only the central site's routes, so there is no direct reachability between remote sites across the backbone.
Controlling route export between VRFs
An export map attaches an additional route target to selected prefixes only, so a VRF that imports 20:50 receives just those prefixes:
  ip vrf green
   rd 20:1
   export map test1
   route-target export 20:1
   route-target import 20:1
  !
  access-list 1 permit 100.21.150.0
  !
  route-map test1 permit 10
   match ip address 1
   set extcommunity rt 20:50 additive
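The following is an added example (not code from the original deck) covering the VPN-IPv4 address description, the intranet/extranet route-target models and the export map above. It encodes a type-0 RD, a route-target extended community and a labelled VPN-IPv4 NLRI in their wire formats (RFC 4364 / RFC 4360, 2-byte-ASN form), and then models RT-based import on a PE: the central-services extranet (remote VRFs export 500:99 and import 500:1, the central VRF does the reverse) and the additive export map (20:50 on one prefix). The VRF names, RD/RT values, prefixes and the `Vrf` class are constructed for illustration; they are not a Cisco API.

```python
"""VPN-IPv4 routes, route distinguishers and route-target based VRF import.

Added example, not code from the original deck. The RD / route-target /
labelled-NLRI encodings follow RFC 4364 and RFC 4360 (type 0, 2-byte ASN
form). VRF names, RD/RT values and prefixes are constructed; the Vrf class
is a model of PE behaviour, not a Cisco API.
"""
import ipaddress
import struct
from collections import namedtuple


def encode_rd(asn, value):
    """Type-0 route distinguisher: type (2) | ASN (2) | assigned number (4) = 8 bytes."""
    return struct.pack("!HHI", 0, asn, value)


def encode_rt(asn, value):
    """Route-target extended community: transitive two-octet-AS specific (0x00 0x02)."""
    return struct.pack("!BBHI", 0x00, 0x02, asn, value)


def vpnv4_nlri(rd, prefix, label):
    """Labelled VPN-IPv4 NLRI: length in bits | label (3 bytes, S=1) | RD (8) | prefix bytes."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    label_field = ((label << 4) | 1).to_bytes(3, "big")   # 20-bit label, bottom-of-stack bit set
    length = 24 + 64 + net.prefixlen
    return bytes([length]) + label_field + rd + net.network_address.packed[:nbytes]


Update = namedtuple("Update", "src rd prefix label rts site")


class Vrf:
    """One VRF on one PE: local routes, export/import RTs and an optional export map."""

    def __init__(self, name, rd, export_rts, import_rts, export_map=None):
        self.name, self.rd = name, rd
        self.export_rts, self.import_rts = set(export_rts), set(import_rts)
        self.export_map = export_map or {}   # prefix -> extra RTs ("set extcommunity rt ... additive")
        self.local = {}                      # prefix -> site, learned from the CE
        self.table = {}                      # prefix -> (rd, site): local + imported routes

    def add_local(self, prefix, site):
        self.local[prefix] = site
        self.table[prefix] = (self.rd, site)

    def advertise(self, label):
        """MP-iBGP export: each local route tagged with the export RTs plus any export-map RTs."""
        for prefix, site in self.local.items():
            rts = self.export_rts | set(self.export_map.get(prefix, ()))
            yield Update(id(self), self.rd, prefix, label, frozenset(rts), site)

    def receive(self, upd):
        """MP-iBGP import: install only if at least one RT on the update is in the import set."""
        if upd.src == id(self) or not (upd.rts & self.import_rts):
            return False
        self.table[upd.prefix] = (upd.rd, upd.site)
        return True


def propagate(vrfs, label=24):
    """Offer every VRF's exports to every VRF, as a route reflector would; return the tables."""
    updates = [u for v in vrfs for u in v.advertise(label)]
    for v in vrfs:
        for u in updates:
            v.receive(u)
    return {v.name: sorted(v.table) for v in vrfs}


def central_services_demo():
    """Extranet model: remote VRFs export 500:99 / import 500:1; the central VRF does the reverse."""
    remote_green = Vrf("Remote-green", (500, 24), [(500, 99)], [(500, 1)])
    remote_blue = Vrf("Remote-blue", (12, 43), [(500, 99)], [(500, 1)])
    central = Vrf("Central", (48, 22), [(500, 1)], [(500, 99)])
    remote_green.add_local("10.1.0.0/16", "Site-1")
    remote_blue.add_local("10.2.0.0/16", "Site-2")
    central.add_local("10.100.0.0/24", "Site-3")        # constructed central-service prefix
    return propagate([remote_green, remote_blue, central])


def export_map_demo():
    """Intranet VRF green (20:1) leaks one prefix with the extra RT 20:50 to a partner VRF."""
    green = Vrf("green", (20, 1), [(20, 1)], [(20, 1)],
                export_map={"100.21.150.0/24": [(20, 50)]})
    partner = Vrf("partner", (20, 2), [(20, 2)], [(20, 50)])   # constructed partner VRF
    green.add_local("100.21.150.0/24", "Site-A")
    green.add_local("100.21.151.0/24", "Site-A")
    return propagate([green, partner])


if __name__ == "__main__":
    print(vpnv4_nlri(encode_rd(500, 24), "10.1.0.0/16", 24).hex())
    print(central_services_demo())
    print(export_map_demo())
```

The two demo functions return the per-VRF tables after propagation: in the central-services case the central VRF holds all three prefixes while the two remote VRFs hold only their own prefix and the central one; in the export-map case the partner VRF sees 100.21.150.0/24 and nothing else. The RD only keeps identical customer prefixes apart inside BGP; it is the RT match in `receive` that decides which VRF a route lands in, which is why RT assignment is the access-control decision on a PE.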
MPLS VPN data plane
1. PE1 receives an IP packet from CE1. Routing is done in the site's VRF: the BGP route with its next hop (PE2) and VPN label is found. Reaching the BGP next hop uses the global table: PE2 is known through an IGP route and its associated label. The packet leaves PE1 with two labels: [IGP label (PE2)] [VPN label (int CE2)] [IP packet].
2. P1 switches the packet on the IGP label (the top of the stack).
3. Penultimate hop popping (PHP): P2 removes the top label (PE2 requested this through LDP). The packet continues as [VPN label (int CE2)] [IP packet].
4. PE2 receives the packet with a label that points at the outgoing interface (VRF): a single lookup. The label is removed and the IP packet is sent to CE2.
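The following is an added example (not code from the original deck) that ties the label format from "MPLS basics 3" to the data-plane walk above. It packs and unpacks the 32-bit label entry (RFC 3032 layout), copies IP precedence into EXP on imposition as the QoS slide describes, and then pushes the packet through constructed forwarding tables for PE1, P1, P2 (which performs PHP because PE2 advertised implicit-null) and PE2. Router names, label values, the prefix and the tables are all assumptions for illustration.

```python
"""MPLS label entries and the two-label MPLS VPN data plane.

Added example, not code from the original deck. The label entry layout
(Label 20 bits | EXP 3 | S 1 | TTL 8) is RFC 3032; the forwarding tables,
router names, label values and prefix below are constructed.
"""
import struct

IMPLICIT_NULL = 3  # LDP label value that asks the upstream LSR to pop the top label (PHP)


def encode_label_entry(label, exp, bottom, ttl):
    """Pack one 32-bit label stack entry in network byte order."""
    if not (0 <= label < (1 << 20) and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("field out of range")
    word = (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word)


def decode_label_entry(data):
    """Unpack the top label entry of `data` into its four fields."""
    (word,) = struct.unpack("!I", data[:4])
    return {"label": word >> 12, "exp": (word >> 9) & 0x7,
            "bottom": bool((word >> 8) & 0x1), "ttl": word & 0xFF}


def push_stack(labels, exp, ttl):
    """Build a label stack, top entry first; only the last entry carries S=1."""
    return b"".join(encode_label_entry(lbl, exp, i == len(labels) - 1, ttl)
                    for i, lbl in enumerate(labels))


def ip_precedence_to_exp(tos):
    """Default on label imposition: copy IP precedence (top 3 ToS bits) into EXP."""
    return (tos >> 5) & 0x7


# Constructed forwarding state for the path PE1 -> P1 -> P2 -> PE2 -> CE2.
PE1_VRF_BLUE = {"10.2.0.0/16": ("PE2", 24)}   # VRF: prefix -> (BGP next hop, VPN label)
PE1_LDP = {"PE2": 100}                        # global table: next hop -> IGP label
P1_LFIB = {100: (101, "P2")}                  # incoming label -> (outgoing label, next hop)
P2_LFIB = {101: (IMPLICIT_NULL, "PE2")}       # PE2 requested PHP through LDP
PE2_VPN_LABELS = {24: ("blue", "CE2")}        # VPN label -> (VRF, outgoing interface)


def pe1_impose(dst_prefix, ip_packet, tos=0, ttl=255):
    """Ingress PE: VRF lookup gives next hop + VPN label; global lookup gives the IGP label."""
    next_hop, vpn_label = PE1_VRF_BLUE[dst_prefix]
    igp_label = PE1_LDP[next_hop]
    return push_stack([igp_label, vpn_label], ip_precedence_to_exp(tos), ttl) + ip_packet


def p_switch(lfib, packet):
    """P router: act on the top label only; swap it, or pop it when the LFIB says implicit-null."""
    top = decode_label_entry(packet)
    out_label, next_hop = lfib[top["label"]]
    rest = packet[4:]
    if out_label == IMPLICIT_NULL:     # PHP: the VPN label is now on top (TTL propagation omitted)
        return next_hop, rest
    swapped = encode_label_entry(out_label, top["exp"], top["bottom"], top["ttl"] - 1)
    return next_hop, swapped + rest


def pe2_dispose(packet):
    """Egress PE: the VPN label alone selects the VRF and outgoing interface (one lookup)."""
    top = decode_label_entry(packet)
    if not top["bottom"]:
        raise ValueError("VPN label must be the bottom of the stack")
    vrf, iface = PE2_VPN_LABELS[top["label"]]
    return vrf, iface, packet[4:]


def forward(dst_prefix, ip_packet, tos=0):
    """Walk the packet through the core; return a (hop, label-stack bytes) trace and the payload."""
    trace = []
    pkt = pe1_impose(dst_prefix, ip_packet, tos)
    trace.append(("PE1", len(pkt) - len(ip_packet)))
    nh, pkt = p_switch(P1_LFIB, pkt)
    trace.append(("P1->" + nh, len(pkt) - len(ip_packet)))
    nh, pkt = p_switch(P2_LFIB, pkt)
    trace.append(("P2->" + nh, len(pkt) - len(ip_packet)))
    vrf, iface, payload = pe2_dispose(pkt)
    trace.append(("PE2:" + vrf + "->" + iface, 0))
    return trace, payload


if __name__ == "__main__":
    for hop, stack_bytes in forward("10.2.0.0/16", b"\x45\x00" + b"\x00" * 18, tos=0xA0)[0]:
        print(hop, "label stack bytes:", stack_bytes)
```

The trace shows the stack shrinking from 8 bytes (two labels) at PE1 and P1 to 4 bytes after PHP at P2 and to none at PE2. Note that no node in the core ever looks at the IP header: P routers switch on the IGP label, and the VPN label is meaningful only to the PE that allocated it, which is why a mislabelled packet injected into the core would be dropped rather than routed into another VRF.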
MPLS VPN BGP/MP-iBGP recommendations
[Figure: PEs (PE1, PE2, ...) with CEs in VPN_A (10.1.0.0, 10.2.0.0) and VPN_B (10.3.0.0, 11.5.0.0, 11.6.0.0) around a P core with two route reflectors]
No need for a fully meshed iBGP:
• Use route reflectors (RR)
• Easier addition of new PEs / a central point for routing control (security)
• Better stability
Two RRs (or three) are more than enough.
Avoiding routing loops
[Figure: MPLS-VPN backbone with PE-1, PE-2 and PE-3; a site in OSPF area 1 (CE-1) and a site in area 2 (CE-2), each attached to more than one PE, advertising network Net-1]
Loop avoidance:
• BGP: AS number or Site of Origin route map
• OSPF: down bit or external tags
• EIGRP: SoO
• ...
End-to-end MPLS VPN convergence
Recommended options for convergence:
• Core options:
  • P link/node protection: FRR
  • PE/P IGP restoration: fast IGP + LDP
• Edge:
  • PE-PE: iMP-BGP via RR
  • CE-PE: IGP or BGP / OAM
[Figure: the same topology as before: MPLS core P1, P2, P3 with RR1 and RR2, PE1 to PE3 and CE1 to CE3]
Multicast support with MPLS mVPN: edge multicast encapsulated in per-VRF core multicast tunnels
[Figure: Red and Blue customer sites (CE1 to CE3) attached to PE1 to PE4; the customer sites run PIM-SM with their own RPs, the core runs PIM-SSM, PIM-Bidir or PIM-SM]
• Each customer has its own core multicast tree (MDT)
• Customer traffic is encapsulated in GRE (mVRF - MTI - MDT)
• The core is independent of the edge
• Multicast is implemented in the core
MPLS/VPN Internet access: dynamic default route through a VPN
[Figure: an extranet/central site with global Internet access exports VPN A's default route with RT=17:22 and VPN B's default route with RT=17:28; the VPN A VRF (import RT=17:22) and the VPN B VRF (import RT=17:28) on the remote PEs each receive 0.0.0.0/0 through a VPN-IPv4 update]
Internet access options:
• Global routing table: packet leaking; a separate interface for VPN and Internet; Multi-VRF
• Internet VPN: the backbone stays isolated; sub-optimal routing
VPN remote access over the Internet: IPsec + MPLS PE (VRF-aware IPsec)
[Figure: remote users/telecommuters (cable/DSL/ISDN ISP, local or direct-dial ISP) and a branch office (leased line/Frame Relay/ATM/DSL dedicated access) build bidirectional IPsec sessions across the Internet to a Cisco IOS MPLS PE in the access/peering PoP, which maps them into the MPLS VPNs / VLANs of the corporate intranet across the MPLS core]
• Cisco VPN client software is the tunnel source for access VPNs; for a branch office, the router originates the site-to-site tunnel to the VPN concentrator
• The Cisco router terminates the IPsec tunnels and maps the sessions into MPLS VPNs
Attacking an MPLS VPN
[Figure: VPN A, VPN B and VPN C sites on both sides of an MPLS SP core. An IP packet entering the VPN is carried as [core label] [VPN label] [IP data]; VPN routes are exchanged by MP-iBGP as RD + IPv4 prefix]
Attacking an MPLS VPN
What can be attacked, and where? With separated address spaces and virtualized routing, the only point of attack is the VPN (VRF) itself on the PE router.
How?
• By breaking into the router itself (telnet, SNMP, ..., routing protocol)
• (D)DoS
[Figure: the same topology; the CE-facing side of the VRF on the PE is the only entry point]
Security recommendations ("draft-behringer-mpls-security-10", published as RFC 4381)
Protect the routing protocols between CE and PE:
• Use static routing wherever possible
• Use ACLs
• MD5 authentication: BGP [RFC2385], OSPF [RFC2154], RIP2 [RFC2082], EIGRP
• BGP dampening, filtering, maximum-prefix
Protect PE resources:
• Limit the number of routes in a VRF (maximum routes limit {warn-threshold | warning-only})
• CoPP (control-plane policing)
Validate CE-CE communication through the PE routers:
• The CE can set a BGP community that identifies the customer
MPLS is as secure as Frame Relay or ATM (Miercom / Gartner / ...)
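As an added example of what "MD5 authentication" for the PE-CE BGP session actually does on the wire (not code from the deck or from Cisco), the block below implements the TCP MD5 signature option of RFC 2385: the sender computes MD5 over the TCP pseudo-header, the fixed TCP header with the checksum zeroed and options excluded, the segment data and the shared key, and places the digest in option kind 19; the receiver recomputes and drops anything that does not match. Addresses, ports, the key and the BGP payload are constructed, and the TCP checksum is left at zero since only the signature is of interest here.

```python
"""TCP MD5 signature option (RFC 2385), the mechanism behind MD5 authentication
of BGP sessions on the PE-CE link.

Added example, not code from the original deck. Addresses, ports, the key and
the payload are constructed. The digest is MD5 over: the TCP pseudo-header
(src IP, dst IP, zero, protocol 6, segment length), the fixed 20-byte TCP
header with the checksum zeroed and options excluded, the segment data, and
the shared key. The TCP checksum itself is left at zero here.
"""
import hashlib
import hmac
import ipaddress
import struct

MD5_OPTION_KIND = 19
MD5_OPTION_LEN = 18          # kind + length + 16-byte digest


def build_tcp_segment(src_port, dst_port, seq, ack, flags, window, data):
    """Fixed header + (NOP, NOP, MD5 option with a zeroed digest) + data; data offset = 10 words."""
    options = b"\x01\x01" + bytes([MD5_OPTION_KIND, MD5_OPTION_LEN]) + b"\x00" * 16
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         data_offset << 4, flags, window, 0, 0)
    return header + options + data


def find_md5_digest_offset(segment):
    """Walk the TCP options; return the offset of the 16-byte digest, or -1 if absent."""
    header_len = (segment[12] >> 4) * 4
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == 0:                         # end of option list
            break
        if kind == 1:                         # NOP
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:                        # malformed option, stop parsing
            break
        if kind == MD5_OPTION_KIND and length == MD5_OPTION_LEN:
            return i + 2
        i += length
    return -1


def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 digest: pseudo-header + fixed header (checksum=0, no options) + data + key."""
    header_len = (segment[12] >> 4) * 4
    pseudo = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    fixed_header = segment[:16] + b"\x00\x00" + segment[18:20]
    return hashlib.md5(pseudo + fixed_header + segment[header_len:] + key).digest()


def sign_segment(src_ip, dst_ip, segment, key):
    """Sender side: fill the digest into the MD5 option."""
    off = find_md5_digest_offset(segment)
    if off < 0:
        raise ValueError("segment carries no MD5 option")
    digest = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return segment[:off] + digest + segment[off + 16:]


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: a segment without the option, or with a wrong digest, is dropped (False)."""
    off = find_md5_digest_offset(segment)
    if off < 0:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return hmac.compare_digest(segment[off:off + 16], expected)


if __name__ == "__main__":
    pe, ce, key = "192.0.2.1", "192.0.2.2", b"pe-ce-shared-key"     # constructed
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"                      # constructed BGP KEEPALIVE
    seg = sign_segment(pe, ce, build_tcp_segment(179, 40000, 1000, 2000, 0x18, 16384, keepalive), key)
    print("genuine segment accepted:", verify_segment(pe, ce, seg, key))
    print("segment forged with a guessed key accepted:", verify_segment(pe, ce, seg, b"guess"))
```

Because the addresses, ports, sequence numbers and payload are all under the digest, an off-path attacker who can guess the sequence number can no longer inject a RST or a bogus UPDATE into the PE-CE session without the key. Two caveats a practitioner should keep in mind: the option is a keyed hash, not an HMAC, and RFC 5925 (TCP-AO) is its successor; and it authenticates peers and protects integrity only, it does not encrypt the routing exchange.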
AToM: Any Transport over MPLS
• Layer 2 transport over MPLS, implemented with two labels between the edge PE routers, similar to RFC 2547 (MPLS VPN)
• The label used to route across the MPLS backbone between PE routers is called the "tunnel label"
• The label used to identify the outgoing interface is called the "VC label"
• The egress PE router allocates the VC label, binds it to the outgoing L2 interface and then signals that label to the ingress PE router over a targeted LDP session
• FR/ATM/PPP/HDLC/Ethernet over MPLS
Concept: EoMPLS (Ethernet over MPLS)
[Figure: enterprise LANs attached to PEs at the edge of an MPLS network shared with ISP 1, ISP 2 and ISPs A, B and C]
E-Line (point-to-point):
  interface gigabitethernet X/Y
   xconnect <remote end PE loopback 0 IP> <VC ID> encapsulation mpls
E-LAN (multipoint):
  l2 vfi <l2-vfi-name> manual
   vpn id 100
   neighbor X.X.X.X encapsulation mpls
   neighbor Y.Y.Y.Y encapsulation mpls
  interface vlan <number>
   xconnect vfi <l2-vfi-name>
EoMPLS: VLAN extension in a data center environment
[Figure: primary data center (site A) and secondary data center (site B), each with access, distribution/aggregation and core layers; 802.1Q trunks are carried across the core MAN as EoMPLS pseudowires terminated on SIP cards]
Why MPLS TE (Traffic Engineering)?
• Reduction and better control of operating costs through more efficient use of resources (bandwidth): optimization
• Better (faster) convergence using the FRR (Fast ReRoute) mechanism. The big advantage of TE + FRR is the almost instant switch to the backup tunnel, which gives the IGP enough time to converge on the primary path before traffic returns to the primary tunnel.
• FRR offers two kinds of protection: link and node
• RSVP hellos for link failure detection where other mechanisms do not work or are not good enough
[Figure: example topology of routers R1 to R9]
TE FRR: link protection with a one-hop primary tunnel
  ! Enables MPLS TE globally
  mpls traffic-eng tunnels
  !
  ! Defines the OSPF area in which TE runs
  router ospf 100
   mpls traffic-eng router-id Loopback0
   mpls traffic-eng area 0
  !
  interface Tunnel0
   description Primary path to XXX
   ip unnumbered Loopback0
   mpls ip
   tunnel destination <neighbour loopback>
   tunnel mode mpls traffic-eng
   ! Announces the tunnel interface into the IGP
   tunnel mpls traffic-eng autoroute announce
   tunnel mpls traffic-eng path-option 1 explicit name primary-to-XXX
   ! Allows the primary tunnel to use the backup
   tunnel mpls traffic-eng fast-reroute
  !
  ! Definition of the backup path: Tunnel1
  interface Tunnel1
   description Backup path to XXX
   ip unnumbered Loopback0
   tunnel destination <neighbour loopback>
   tunnel mode mpls traffic-eng
   no tunnel mpls traffic-eng autoroute announce
   tunnel mpls traffic-eng path-option 1 explicit name backup-to-XXX
   ! Records the labels used for FRR
   tunnel mpls traffic-eng record-route
  !
  ! On every interface along the TE tunnel path (bandwidth and labels)
  interface GigEth X/Y
   description Link to XXX
   mpls traffic-eng tunnels
   mpls traffic-eng backup-path Tunnel1
   mpls ip
   ip rsvp bandwidth
  !
  ! Explicit paths for the primary and backup tunnels
  ip explicit-path name primary-to-XXX enable
   next-address <neighbour in subnet a.a.a.a>
  !
  ip explicit-path name backup-to-XXX enable
   exclude-address <neighbour in subnet a.a.a.a>
TE FRR: link protection with AutoTunnel
  mpls traffic-eng tunnels
  !
  mpls traffic-eng reoptimize events link-up
  !
  router ospf 100
   mpls traffic-eng router-id Loopback0
   mpls traffic-eng area 0
   mpls traffic-eng multicast-intact
  !
  mpls traffic-eng auto-tunnel backup nhop-only
  mpls traffic-eng auto-tunnel backup tunnel-num min 62000 max 62999
  mpls traffic-eng auto-tunnel backup config unnumbered-interface loop0
  !
  mpls traffic-eng auto-tunnel primary onehop
  mpls traffic-eng auto-tunnel primary tunnel-num min 61000 max 61999
  mpls traffic-eng auto-tunnel primary config unnumbered-interface loop0
  mpls traffic-eng auto-tunnel primary config mpls ip
MPLS Traffic Engineering for a QoS-optimized backbone
[Figure: CE - PE - MPLS backbone - PE - CE; DiffServ over IP on the access links, DiffServ-aware TE in the backbone. Legend: priority voice traffic, priority data traffic, regular traffic; paths are constrained for priority traffic and optimized for the rest]
DS-TE + QoS = guaranteed-bandwidth TE
DiffServ-aware TE & QoS:
  ip rsvp bandwidth interface-kbps single-flow-kbps [sub-pool kbps]
Multi-VRF CE (VRF-lite)
[Figure: a Multi-VRF CE holding several VRFs; 802.1Q subinterfaces toward the LAN and toward the PE (MPLS IP VPN, Internet), with IPsec/GRE as an alternative transport]
• PE VRF functionality is extended to the CE without the need for MP-iBGP and MPLS on the CE-PE link
  hostname MULTI-VRF-CE
  !
  ip vrf GREEN
   rd 1:1
   route-target export 1:1
   route-target import 1:1
  !
  interface Ethernet0/0.1
   encapsulation dot1q 1
   ip vrf forwarding GREEN
   ip address <ce_multivrf_green>
  !
  interface Ethernet1/0.1
   encapsulation dot1q 1
   ip vrf forwarding GREEN
   ip address <ce_fw_rgreen>
  !
  ! (VRF RED is defined the same way; its definition is not shown on the slide)
  ip route vrf RED <sp1_subnet> <pe_vrf_red>
Segmentation in the campus environment
[Figure, from the user toward the servers: user identification (per port or 802.1X) → per-user-role L2 VLANs → L3 VRFs in the core (VRF + 802.1Q or MPLS) → virtual transparent firewalls → per-server VLANs in front of the servers and the mainframe; the WAN attaches to the core]
CsC (Carrier-supporting-Carrier)
[Figure: carrier backbone with PE-1 and PE-2; ISP site 1 (CE-1, I-PE1) and ISP site 2 (CE-2, I-PE2), each running its own IGP; IGP+LDP toward the carrier, VPN-IPv4 between the ISP's own PEs; network N behind I-PE2]
• A VPN customer (an ISP) can offer L3 VPN services to its own customers
• CsC is also called "hierarchical VPNs"
• The ISP-CE interface toward the carrier PE is part of the ISP backbone (no VRF)
• From the ISP backbone's perspective, the ISP-CE router is just another P router
PE-1:
• ISP VRF on PE-1
• eBGP between PE-1 and CE-1 with send-label
CE-1:
• redistribute the IGP into BGP (route map; local loopback addresses)
• eBGP toward PE-1 with send-label
I-PE1 / I-PE2:
• customer VRFs
• MP-iBGP for customer routes directly between I-PE1 and I-PE2
MPLS/VPN MAN/WAN. Customer: power utility, ~20 VRFs
[Figure: WAN core connecting the regional MANs (Inc North, Inc Central, Inc South, Inc East, Inc West), ABC, the power plants and network operations]
Three network tiers: WAN, MAN, LAN
Backbone infrastructure: 7600 with Sup720; fully meshed; OSPF
MAN characteristics: 7600 with Sup720; no direct links to other MANs
LAN characteristics: redundant link to the MAN; no direct links to other LANs
WAN characteristics: number of routes per VRF < 5,000
Self-managed
MPLS/VPN in a campus environment. Customer: airport
• MPLS/VPN for multiple RFC 1918 networks
• Greater security through L2/L3 separation
• Centralized service VPNs for Internet access and other services (storage, SAP, mail, ...)
• Central firewall (virtualized)
• High availability
P/PE: Sup720
Core routing: OSPF
Number of VRFs: < 128
Routes per VRF: ~200
Edge routing: directly connected LAN
PE-CE links: GE trunk/channel
Additional PE functions: QoS, accounting
Multicast: yes (leaking to GR, the global routing table)
Don't forget to register for Cisco Networkers 2008!
http://www.cisco.com/web/europe/cisco-networkers/2008/index.html