MPLS Layer 3 VPN


ISEL
INSTITUTO SUPERIOR DE ENGENHARIA DE LISBOA
SERVIÇO DE DOCUMENTAÇÃO E PUBLICAÇÕES

INSTITUTO SUPERIOR DE ENGENHARIA DE LISBOA
Área Departamental de Engenharia de Electrónica e Telecomunicações e de Computadores

MPLS Layer 3 VPN

Hamid Khanpour
(Bachelor's degree in Electronic and Telecommunication)

Final Master's Project for Obtaining the Degree of Master in Electronics and Telecommunications Engineering

Supervisor: Professor Doutor Mário Pereira Véstias

Jury:
President: Professora Doutora Paula Maria Garcia Louro
Members: Professor Doutor Rui Policarpo Duarte, Professor Doutor Mário Pereira Véstias

December 2017

ACKNOWLEDGEMENTS

First and foremost, I wish to express my most sincere gratitude and appreciation to Professor Doutor Mário Pereira Véstias for his guidance, patience, encouragement and advice that he has provided throughout the development of the project, and likewise for being an extraordinary mentor. This project would not be nearly as good without his help, and also that of Professor Doutor Rui Policarpo Duarte. Second, I would like to thank Professor Doutor Manuel Barata and Professor Doutor Edwardo Eusebio for their help and support.

I must express my gratitude to my wife, Ukabed, who has been encouraging and extremely supportive of me throughout this entire process and has made countless sacrifices to help me get to this point. My parents and Dr. Ahmad Shahsavan (my wife's father) deserve special thanks for their continued support and encouragement. Without such a team behind me, I doubt that I would be in this place today.

ABSTRACT

Multiprotocol Label Switching (MPLS) is the principal technology used in Service Provider networks because it forwards packets quickly. MPLS is a new way to increase the speed, capability and service-supplying abilities of a network and to optimize transmission resources. Service Provider networks use this technology to connect different remote sites. MPLS provides lower network delay, an effective forwarding mechanism, and scalable and predictable performance of the services, which makes it more appropriate for carrying real-time applications such as voice and video. MPLS can be used to transport any type of data, whether it is layer 2 data such as Frame Relay, Ethernet or ATM, or layer 3 data such as IPv4 and IPv6.

Keywords: VPN, MPLS, MPLS VPNs, Layer 3, Layer 2, ATM, IPv4 and IPv6.

TABLE OF CONTENTS

ACKNOWLEDGEMENTS . i
ABSTRACT . ii
TABLE OF CONTENTS . iii
LIST OF FIGURES . v
LIST OF TABLE . vii
ACRONYMS . viii

CHAPTER ONE
1. Introduction . 1
1.1 Motivation . 1
1.2 Outcomes . 2
1.3 Scope of the thesis . 2

CHAPTER TWO
2.1 State of art . 3
2.1.1 Technology Use Cases . 3
2.2 MPLS Overview and Architecture . 3
2.3 Virtual Private Network . 5
2.3.1 MPLS Layer 2 VPNs . 5
2.3.2 MPLS Layer 3 VPNs . 6
2.4 Criteria for Assessing the Suitability of VPN Solutions . 7

CHAPTER THREE
3.1 Network Design and Modelling . 9
3.2 Protocols of the Proposed Networks . 9
3.2.1 Open Shortest Path First (OSPF) . 9
3.2.2 Border Gateway Protocol (BGP) . 10
3.2.3 The Routing Information Protocol (RIP) . 10
3.3 Simulation Tools . 10
3.4 Network topology . 10
3.4.1 GRE Tunnels . 13
3.4.2 IP addresses . 14
3.5 VPN Layer 3 implementation and Configuration in the ISP Core . 15
3.5.1 MPLS configuration of the Core ISP (Provider R6, R7 and R8) . 15
3.5.2 Create and Assign VRFs on the PE routers (R5 and R9) . 17
3.5.3 Configuring the PE and CE Routers . 19
3.5.3.1 Configuring Multiprotocol BGP on the PE to CE Routers and Route Reflectors . 19
3.5.3.2 Configuring OSPF on the PE to CE Routers and Route Reflectors . 21
3.5.3.3 Configure Route Redistribution . 23
3.5.4 Testing and Confirmation . 24
3.6 VPN Layer 2 implementation and Configuration . 30
3.6.1 Network topology . 31
3.6.2 Testing and Confirmation . 32
3.7 IP Service Level Agreements (IP SLA) . 36
3.7.1 Create SLA . 38
3.7.2 Schedule SLA . 38
3.7.3 Attach SLA with track . 38
3.8 Conclusions for the simulation scenario . 42

CHAPTER FOUR
4. Result and Discussion . 43
4.1 Test the network with iperf and jperf tools . 43
4.1.1 Customer 1 with BGP Protocol (Layer 3) . 44
4.1.2 Customer 2 with RIP Protocol (Layer 2) . 46
4.1.3 Customer 3 with OSPF Protocol (Layer 3) . 47
4.2 Comparing the Transfer and Bandwidth of throughput . 49

CHAPTER FIVE
5. Conclusion . 51
6. References . 53
7. Appendix . 55

LIST OF FIGURES

Figure 1 - MPLS router types . 4
Figure 2 - MPLS label format . 5
Figure 3 - MPLS Layer 3 VPN Component Terminology . 6
Figure 4 - Tunnel from X to Z . 7
Figure 5 - MPLS VPNs Terminology . 11
Figure 6 - GRE tunnels . 13
Figure 7 - Show mpls interfaces . 15
Figure 8 - Show mpls interfaces . 15
Figure 9 - Show mpls interfaces . 15
Figure 10 - Show mpls ldp neighbor . 16
Figure 11 - Show mpls ldp neighbor . 16
Figure 12 - Show mpls ldp neighbor . 16
Figure 13 - Show ip vrf interface . 17
Figure 14 - Show ip vrf interface . 17
Figure 15 - VPN Route Distribution . 18
Figure 16 - VRF configuration (CUST-A) . 18
Figure 17 - VRF configuration (CUST-B) . 18
Figure 18 - Show bgp configuration details . 19
Figure 19 - Show bgp configuration details . 20
Figure 20 - Show bgp vpnv4 unicast all summary . 20
Figure 21 - Show bgp vpnv4 unicast all summary . 21
Figure 22 - Show OSPF configuration details in PE1-R5 and PE2-R9 . 21
Figure 23 - VPN Routes of customer A (CUST-A) . 22
Figure 24 - VPN Routes of customer B (CUST-B) . 22
Figure 25 - VPN Routes of customer A . 23
Figure 26 - Routing Table of Customer A (CUST1-R1) . 24
Figure 27 - Routing Table of Customer B (CUST2-R4) . 24
Figure 28 - HSBC Branch in London can ping the HSBC Branch in Birmingham . 25
Figure 29 - Lloyds Branch in Coventry can ping the Lloyds Branch in Manchester . 25
Figure 30 - Traceroute from HSBC Branch in London to HSBC Branch in Birmingham . 25
Figure 31 - CUST2-R2 traceroute CUST2-R4 . 26
Figure 32 - CUST1-R1 traceroute CUST1-R3 . 26
Figure 33 - CUST1-R1 traceroute CUST1-R3 . 27
Figure 34 - CUST2-R2 traceroute CUST2-R4 . 27
Figure 35 - CUST2-R2 traceroute CUST2-R4 . 28
Figure 36 - LIB table . 29
Figure 37 - LFIB table . 30
Figure 38 - MPLS Layer 2 VPN (Customer 2 in the middle) . 31
Figure 39 - Show ip route in CUST3-R5 . 32
Figure 40 - Show ip route in CUST3-R6 . 32
Figure 41 - Show mpls l2 in PE1-R5 . 33
Figure 42 - Show mpls l2 in PE2-R9 . 33
Figure 43 - Ping from Lloyds Branch in Cardiff (PC5) to Lloyds Branch in Blackpool (PC6) . 33
Figure 44 - Ping from Lloyds Branch in Blackpool (PC6) to Lloyds Branch in Cardiff (PC5) . 33
Figure 45 - Traceroute from Lloyds Branch in Blackpool to Lloyds Branch in Cardiff (PC5) . 34
Figure 46 - Traceroute from Lloyds Branch in Blackpool to Lloyds Branch in Cardiff (PC5) . 34
Figure 47 - CUST3-R5 traceroute CUST3-R6 . 34
Figure 48 - CUST3-R5 traceroute CUST3-R6 . 35
Figure 49 - CUST3-R6 traceroute CUST3-R5 . 35
Figure 50 - CUST3-R6 traceroute CUST3-R5 . 35
Figure 51 - Show ip route rip in CUST3-R5 . 36
Figure 52 - Show ip route rip in CUST3-R6 . 36
Figure 53 - IP SLA route for the topology . 37
Figure 54 - Create IP SLA . 38
Figure 55 - Schedule SLA . 38
Figure 56 - IP of the Primary Link and IP of the Secondary Link displayed in the Routing table . 39
Figure 57 - Traceroute from "HSBC Branch in London" to "HSBC Branch in Birmingham" . 39
Figure 58 - Reachability is UP . 40
Figure 59 - The Primary Link is DOWN . 40
Figure 60 - Reachability is DOWN . 40
Figure 61 - The IP address of the Primary Link is removed from the ip route table . 41
Figure 62 - The Primary Link is DOWN . 41
Figure 63 - Traceroute from "HSBC Branch in London" to "HSBC Branch in Birmingham" . 41
Figure 64 - Diagram of performance of iperf in the network . 43
Figure 65 - Bandwidth from the server to the client . 44
Figure 66 - Bandwidth from the client to the server . 44
Figure 67 - Result of running TCP parameters in client mode . 45
Figure 68 - Result of running TCP parameters in client mode . 45
Figure 69 - Bandwidth from the server to the client . 46
Figure 70 - Bandwidth from the client to the server . 46
Figure 71 - Result of running TCP parameters in server mode . 46
Figure 72 - Result of running TCP parameters in client mode . 47
Figure 73 - Bandwidth from the server to the client . 47
Figure 74 - Bandwidth from the client to the server . 47
Figure 75 - Result of running TCP parameters in server mode . 48
Figure 76 - Result of running TCP parameters in client mode . 48
Figure 77 - Comparing Interval, Transfer and Bandwidth of throughput . 49

LIST OF TABLES

Table 1 - IP addressing scheme of the designed network architectures . 14
Table 2 - Results of Interval, Transfer and Bandwidth in iperf software . 48

ACRONYMS

area border router
address family identifier
autonomous system
autonomous system number
autonomous system border router
Asynchronous Transfer Mode
Binary Coded Decimal
Backup Designated Router
Bidirectional Forwarding Detection
Border Gateway Protocol
Bottom of Stack
confederated Border Gateway Protocol
Customer Edge (router)
Connectionless Network Protocol
Conservation Label Retention Mode
Carrier Supporting Carrier
Destination Class Usage
designated intermediate system
Designated Router
Diffuse Update Algorithm
exterior Border Gateway Protocol
equal-cost multipath
Exterior Gateway Protocol
Enhanced Interior Gateway Routing Protocol
external Labelled BGP, see L-EBGP
Forwarding Adjacency LSP
Forwarding Equivalence Class
Forwarding Information Base (forwarding table)
Generalized Multiprotocol Label Switching
Graphical Network Simulator-3
Generic Routing Encapsulation
Internet Assigned Numbers Authority
interior Border Gateway Protocol
Internet Engineering Task Force
Interior Gateway Protocol
Interior Gateway Routing Protocol
internal Labelled BGP, see L-IBGP
Internetworking Operating System
Internet Protocol
Internet Protocol Security
IPv4 Internet Protocol version 4
IPv6 Internet Protocol version 6
IS-IS Intermediate System to Intermediate System routing protocol
International Standards Organization
Layer 2 Virtual Private Network
Layer 3 Virtual Private Network
Labelled BGP
Labelled exterior Border Gateway Protocol
Labelled interior Border Gateway Protocol
Label Distribution Protocol
Label Information Base
Label Forwarding Information Base
Link-State Database
Link-State Advertisement
Label-Switched Interface
label-switched path
Link-State Packet or Link-State PDU
label-switched router
Multiprotocol Border Gateway Protocol
Multiprotocol Label Switching
Minimum Route Advertisement Interval
Multi-Topology Routing
Open Shortest Path First routing protocol
Quality of Service
Provider Router
Protocol Data Unit
Provider Edge (router)
Route Distinguisher
Request for Comments
Routing Information Base (routing table)
Routing Information Protocol
Rendezvous Point
Reverse Path Forwarding
Remote Performance Measurement
Route Reflector
Routing Registry
Route Record Object
Resource Reservation Protocol
service-level agreement
Simple Network Management Protocol
Shortest Path First
Traffic Engineering
Traffic-Engineering Database
Type-Length-Value
Time-To-Live
Virtual Private Network
Virtual Routing and Forwarding
Wide Area Network

CHAPTER ONE

1. Introduction

1.1 Motivation

Companies operate in a global economy that requires the spread of information across several geographical areas. The possibility of exchanging information among offices located far apart from each other permits the smooth operation of the company. Regional branches transparently communicate with their head offices, regularly transmitting all kinds of data. Customers usually seek flexible, safe, manageable, scalable and low-cost networking solutions that allow them to access all the information and services provided by a company.

Usually, companies do not have their own global communication network, but obtain communication services from service providers. In the past, service providers used leased lines to provide such network services. However, leased lines have significant disadvantages. For instance, they are difficult to scale when there is a large number of branches or when branches expand quickly. Besides, leased lines are relatively expensive and difficult to manage. Leased lines were gradually replaced by other technologies, including Asynchronous Transfer Mode (ATM) and Frame Relay (FR), which rely on the concept of virtual circuits.

Recently, Multi-Protocol Label Switching (MPLS) was proposed as a way to guarantee an efficient and scalable solution for large networks. It utilizes layer 3 routing protocols alongside the widely available layer 2 transport systems and protocols. The IETF set up the MPLS working group in 1997 to develop a standardized approach. The objective of the MPLS working group was to standardize protocols which utilized label swapping forwarding techniques. Label swapping has substantial advantages: it separates the routing problem from the forwarding problem. The key component of an MPLS network is the label switching router (LSR), which is capable of understanding and participating in both IP routing and Layer 2 switching.

MPLS has supplied important new abilities in four areas that have ensured its popularity: QoS (Quality of Service) support, Traffic Engineering, Virtual Private Networks, and Multiprotocol Support.

With these new technologies, companies were able to establish Layer 3 (L3) network connections based on virtual circuits. However, the virtual circuits only supported point-to-point links and are difficult to configure and maintain. To overcome these problems, IP-based packet switching networks became popular. Now, IP-based networks are used almost everywhere in the world. Initially, L3VPNs (L3 Virtual Private Networks) were the preferred choice for man

