Introduction to Routing for the Enterprise MPLS VPN


Routing is the cumulative process that discovers paths through the network toward specific destinations, comparing alternative paths and creating a table that contains IP forwarding information.

In a traditional WAN, whether it be Frame Relay, Asynchronous Transfer Mode (ATM), or leased line, the connectivity is typically built on a point-to-point basis with an Interior Gateway Protocol (IGP) or Exterior Gateway Protocol (EGP) providing the necessary routing information to destinations across the WAN.

This changes in the any-to-any world of a Layer 3 MPLS VPN, because routing is carried out between the CE and the PE. The PE receives from the local CE the route information of the site connected to that CE and gives the local CE the routes available via the MPLS VPN. This can be achieved in several ways, as covered later in this chapter. These mechanisms are

  • Static routing

  • IGPs

  • Exterior Border Gateway Protocol (eBGP)

Selecting the correct protocol is key. It largely depends on what the enterprise in question uses as its current IGP or what the service provider supports. In most cases, the common approach is to use static routing when a stub site is behind the CE. Then, the static routing information is redistributed at the PE toward the rest of the MPLS/VPN service provider network into Border Gateway Protocol (BGP) for advertisement across the multiprotocol internal BGP (iBGP) session that connects the PE routers or route reflector depending on the service provider network. The service provider will map the static route for each network at the local site, or summary route, to the correct virtual routing/forwarding (VRF) instance on the PE router that connects the site.

This approach has a drawback. Static routing can cause issues when a failure occurs on the CE router or other elements on the forward routing path. The manually created static route has no way of updating itself, unlike dynamic IGPs.

Other options involve the use of dynamic routing protocols, such as BGP, Open Shortest Path First (OSPF), Routing Information Protocol (RIP), or Enhanced Interior Gateway Routing Protocol (EIGRP), between the CE and PE. In this particular case, you will look at gaining additional benefit by using EIGRP between the CE and PE to gain IGP transparency across the service provider network.

Transparency can be important to consider in a large enterprise where the enterprise wants to retain a level of control over internal IGP routes to influence path selection. More importantly, it can greatly ease the migration to a service provider-based MPLS VPN because the redistribution of routing information takes place at the PE and there is no need to introduce BGP onto the CE. Of course, a balanced approach is often called for. You will see some of the trade-offs that need to be made later in this chapter.

Note

BGP/MPLS VPNs are described in detail in RFC 2547. The more current draft-ietf-l3vpn-rfc2547bis-03 describes the method by which a service provider may use an IP backbone to provide IP VPNs for its customers. This method uses a "peer model," in which the CE routers send their routes to the service PE routers. No "overlay" is visible to the customer's routing algorithm, and CE routers at different sites do not peer with each other. Data packets are tunneled through the backbone so that the core routers do not need to know the VPN routes.


It's useful to consider the foundations of routing protocol selection. The design implications of EIGRP, OSPF, and BGP are

  • Fixed network topology

  • Addressing and route summarization

  • Route selection

  • Convergence

  • Network scalability

  • Security

EIGRP, OSPF, and BGP are routing protocols for IP. An introductory section outlines general routing protocol issues. Subsequent discussions focus on design guidelines for the specific implementation considerations.

Implementing Routing Protocols

The following discussion provides an overview of the key decisions you must make when selecting and deploying routing protocols. This discussion lays the foundation for subsequent discussions about specific routing protocols. It also lays the foundation for migrating from traditional network topologies to the Layer 3 IP VPN, as well as the need to understand the fundamental implementation and operation of routing.

Network Topology

An internetwork's physical topology is described by the complete set of routers and the networks that connect them. Networks also have a logical topology. Different routing protocols establish the logical topology in different ways.

Some routing protocols do not use a logical hierarchy. Such protocols use addressing to segregate specific areas or domains within a given internetworking environment, as well as to establish a logical topology. For such nonhierarchical, or flat, protocols, no manual topology creation is required.

Other protocols can support the creation of an explicit hierarchical topology by establishing a backbone and logical areas. The OSPF and Intermediate System-to-Intermediate System (IS-IS) protocols are examples of routing protocols that use a hierarchical structure. A general hierarchical network scheme is illustrated in Figure 4-1.

Figure 4-1. Sample OSPF Hierarchical Scheme


If a hierarchical routing protocol such as OSPF is used, the addressing topology should be assigned to reflect the hierarchy. If a flat routing protocol is used, the addressing implicitly creates the topology. There are two recommended ways to assign addresses in a hierarchical network. The simplest way is to give each area (including the backbone) a unique network address. An alternative is to assign address ranges to each area.

Areas are logical collections of contiguous networks and hosts. Areas also include all the routers that have interfaces on any one of the included networks. Each area runs a separate copy of the basic routing algorithm. Therefore, each area has its own topological database.

Addressing and Route Summarization

Route summarization procedures condense routing information. Without summarization, each router in a network must retain a route to every subnet in the network. With summarization, routers can reduce some sets of routes to a single advertisement, reducing both the load on the router and the network's perceived complexity. The importance of route summarization increases with network size.

Figure 4-2 illustrates route summarization. In this environment, R2 maintains one route for all destination networks beginning with B, and R4 maintains one route for all destination networks beginning with A. This is the essence of route summarization. R1 tracks all routes because it exists on the boundary between A and B.

Figure 4-2. Route Summarization


The reduction in route propagation and routing information overhead can be significant. Figure 4-3 illustrates the potential savings. The vertical axis shows the number of routing table entries. The horizontal axis measures the number of subnets. Without summarization, each router in a network with 1000 subnets must contain 1000 routes. With summarization, the picture changes considerably. If you assume a Class B network with 8 bits of subnet address space, each router needs to know all the routes for each subnet in its network number (250 routes, assuming that 1000 subnets fall into four major networks of 250 subnets each), plus one route for each of the other networks (three), for a total of 253 routes. This represents a nearly 75 percent reduction in the size of the routing table. If an individual subnet becomes unavailable, that change is not propagated beyond the summarizing router. This prevents subnets from flapping and adversely affecting routing stability.

Figure 4-3. Effects of Route Summarization


The preceding example shows the simplest type of route summarization: collapsing all the subnet routes into a single network route. Some routing protocols also support route summarization at any bit boundary (rather than just at major network number boundaries) in a network address. A routing protocol can summarize on a bit boundary only if it supports variable-length subnet masks (VLSMs).

Some routing protocols summarize automatically. Other routing protocols require manual configuration to support route summarization.
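The two kinds of summarization described above, worked in code. This is an added example, not code from the book: it builds a constructed set of 1000 /24 subnets spread over four Class B networks, computes the classful (major network) summary and the any-bit-boundary (VLSM) covering prefix, and reproduces the 253-route figure from the text.

```python
import ipaddress
from collections import defaultdict


def classful_network(net: ipaddress.IPv4Network) -> ipaddress.IPv4Network:
    """Major (classful) network that contains net: the simplest summarization,
    collapsing every subnet route into one network route at the class boundary."""
    first_octet = int(net.network_address) >> 24
    plen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{net.network_address}/{plen}", strict=False)


def covering_prefix(subnets) -> ipaddress.IPv4Network:
    """Smallest single prefix, at any bit boundary, that covers every subnet.
    Only a VLSM-capable protocol can advertise a summary like this."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    plen = 32
    # Shorten the prefix until lo and hi agree on all prefix bits.
    while plen > 0 and (lo >> (32 - plen)) != (hi >> (32 - plen)):
        plen -= 1
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(lo)}/{plen}", strict=False)


def routing_table_size(subnets, local_subnet: str):
    """Routes a router inside local_subnet's major network must hold when each
    major network is summarized at its boundary: all of its own subnets plus
    one summary route per other major network. Returns (summarized, unsummarized)."""
    by_major = defaultdict(list)
    for s in subnets:
        net = ipaddress.ip_network(s, strict=False)
        by_major[classful_network(net)].append(net)
    local_major = classful_network(ipaddress.ip_network(local_subnet, strict=False))
    own_routes = len(by_major[local_major])
    other_summaries = len(by_major) - 1
    return own_routes + other_summaries, len(subnets)


def build_sample():
    """Constructed sample (not from the book): four Class B networks
    172.16.0.0/16 .. 172.19.0.0/16, each carved into 250 /24 subnets."""
    return [f"172.{16 + m}.{n}.0/24" for m in range(4) for n in range(250)]


def reduction_percent(summarized: int, unsummarized: int) -> float:
    return round(100.0 * (unsummarized - summarized) / unsummarized, 1)


if __name__ == "__main__":
    sample = build_sample()
    with_summary, without = routing_table_size(sample, "172.16.7.0/24")
    print(f"{without} routes without summarization, {with_summary} with")
    print(f"reduction: {reduction_percent(with_summary, without)}%")
    print("VLSM summary of 172.16.x.0/24:", covering_prefix(sample[:250]))
    print("classful summary of 10.1.2.0/24:",
          classful_network(ipaddress.ip_network("10.1.2.0/24")))
```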

Route Selection

Route selection is trivial when only a single path to the destination exists. However, if any part of that path should fail, there is no way to recover. Therefore, most networks are designed with multiple paths so that there are alternatives in case a failure occurs.

Routing protocols compare route metrics to select the best route from a group of possible routes. Route metrics are computed by assigning a characteristic or set of characteristics to each physical network. The metric for the route is an aggregation of the characteristics of each physical network in the route. Figure 4-4 shows a typical meshed network with metrics assigned to each link and the best route from source to destination identified.

Figure 4-4. Route Metrics


Routing protocols use different techniques to assign metrics to individual networks. Furthermore, each routing protocol forms a metric aggregation in a different way. Most routing protocols can use multiple paths if the paths have an equal cost. Some routing protocols, such as EIGRP, can even use multiple paths when the paths have an unequal cost. In either case, load balancing can improve the overall allocation of network bandwidth.

When multiple paths are used, there are several ways to distribute the packets. The two most common mechanisms are per-packet load balancing and per-destination load balancing. Per-packet load balancing distributes the packets across the possible routes in a manner proportional to the route metrics. With equal-cost routes, this is equivalent to a round-robin scheme. One packet or destination (depending on switching mode) is distributed to each possible path. Per-destination load balancing distributes packets across the possible routes based on destination. Each new destination is assigned the next available route. This technique tends to preserve packet order. The Cisco implementation supports source and destination load balancing.

Note

Most TCP implementations can accommodate out-of-order packets. However, out-of-order packets may cause performance degradation.


When fast switching is enabled on a router (the default condition), route selection is done on a per-destination basis. When fast switching is disabled, route selection is done on a per-packet basis. When Cisco Express Forwarding (CEF) is enabled, the default is per-destination.

Convergence

When network topology changes occur, network traffic must reroute quickly. The phrase "convergence time" describes how long it takes a router to start using a new route after a topology changes. Routers must perform three actions after a topology changes:

1. Detect the change.

2. Select a new route.

3. Propagate the changed route information.

Some changes are immediately detectable. For example, a router can immediately detect WAN line failures that involve carrier loss. Other failures are harder to detect. For example, if a serial line becomes unreliable but the carrier is not lost, the unreliable link is not immediately detectable. In addition, some media (Ethernet, for example) do not provide physical indications such as carrier loss. When a router is reset, other routers do not detect this immediately. In general, failure detection depends on the media involved and the routing protocol used.

After a failure has been detected, the routing protocol must select a new route. The mechanisms used to do this are protocol-dependent. All routing protocols must propagate the changed route. The mechanisms used to do this are also protocol-dependent.

Network Scalability

The capability to extend your internetwork is determined, in part, by the scaling characteristics of the routing protocols used and the quality of the network design.

Network scalability is limited by two factors: operational issues and technical issues. Typically, operational issues are more significant than technical issues. Operational scaling concerns encourage the use of large areas or of protocols that do not require hierarchical structures. When hierarchical protocols are required, the technical enhancements aim at greater flexibility through modular design and at deterministic failure domains, both of which improve overall scalability. Finding the right balance is the art of network design.

From a technical standpoint, routing protocols scale well if their resource use grows less than linearly with the growth of the network. Routing protocols use three critical resources: memory, CPU, and bandwidth.

Beyond this lies the operational and technical scaling considerations needed when assessing the sizing of the WAN and how this applies to the scalability of the selected design. The number, location, and accessibility of sites, and the number of users and applications required, are all key factors that affect the sizing. This will be discussed more in the case study section near the end of this chapter.

Memory

Routing protocols use memory to store routing tables and topology information. Route summarization cuts memory consumption for all routing protocols. Keeping areas small reduces the memory consumption for hierarchical routing protocols. For example, OSPF, which is a link-state protocol, builds multiple databases of all routes, versus distance vector protocols, such as RIP, which store only received and advertised routes.

CPU

CPU usage is protocol-dependent. Some protocols use CPU cycles to compare new routes to existing routes. Other protocols use CPU cycles to regenerate routing tables after a topology change. In most cases, the latter technique uses more CPU cycles than the former. For link-state protocols, keeping areas small and using summarization reduces CPU requirements by reducing the effect of a topology change and by decreasing the number of routes that must be recomputed after a topology change.

Note

These three issues also affect CPU usage.


Distance vector protocols, such as RIP and Interior Gateway Routing Protocol (IGRP), broadcast their complete routing table periodically, regardless of whether the routing table has changed. When the network is stable, distance vector protocols behave well but waste bandwidth because of the periodic sending of routing table updates, even when no change has occurred. Extensions to RIP, which are detailed in RFC 2091, add triggered RIP updates that were designed to allow RIP to run over lower-speed circuits. Only when a route changes does RIP send a routing update, thereby minimizing the number of calls required to maintain the routing table. When a failure occurs in the network, distance vector protocols do not add excessive load to the network, but they take a long time to reconverge to an alternative path or to flush a bad path from the network. Despite the lack of excessive load by distance vector (DV) protocols, they remain fairly CPU-intensive.

Note

If you're using IGRP in your network, it is advisable to consider changing either to an EGP between you and the service provider or to a supported IGP, such as EIGRP, OSPF, or RIP.


Link-state routing protocols, such as OSPF and IS-IS, were designed to address the limitations of distance vector routing protocols (slow convergence and unnecessary bandwidth usage). Link-state protocols are more complex than distance vector protocols, and running them adds to the router's overhead. The additional overhead (in the form of memory utilization and bandwidth consumption when link-state protocols first start up) constrains the number of neighbors that a router can support and the number of neighbors that can be in an area.

When the network is stable, link-state protocols minimize bandwidth usage by sending updates only when a change occurs. A hello mechanism ascertains neighbors' reachability. When a failure occurs in the network, link-state protocols flood link-state advertisements (LSAs) throughout an area. LSAs cause every router in the failed area to recalculate routes.

EIGRP is an advanced distance vector protocol that has some of the properties of link-state protocols. EIGRP addresses the limitations of conventional distance vector routing protocols, such as slow convergence and high bandwidth consumption in a steady-state network. When the network is stable, EIGRP sends updates only when a change in the network occurs. Like link-state protocols, EIGRP uses a hello mechanism to determine the reachability of neighbors. When a failure occurs in the network, EIGRP looks for feasible successors by sending messages to its neighbors. The search for feasible successors can be aggressive in terms of the traffic it generates (such as updates, queries, and replies) to achieve convergence.

In WANs, consideration of bandwidth is especially critical. For example, Frame Relay, which statistically multiplexes many logical data connections (virtual circuits) over a single physical link, allows the creation of networks that share bandwidth. Public Frame Relay networks use bandwidth sharing at all levels within the network. That is, bandwidth sharing may occur within the Frame Relay network of Enterprise X, as well as between the networks of Enterprise X and Enterprise Y.

Two factors have a substantial effect on the design of public Frame Relay networks:

  • Users are charged for each permanent virtual circuit (PVC), which encourages network designers to minimize the number of PVCs.

  • Public carrier networks sometimes provide incentives to avoid the use of committed information rate (CIR) circuits. Although service providers try to ensure sufficient bandwidth, packets can be dropped.

Overall, WANs can lose packets because of lack of bandwidth. For Frame Relay networks, this possibility is compounded because Frame Relay does not have a broadcast replication facility. So, for every broadcast packet that is sent from a Frame Relay interface, the router must replicate it for each PVC on the interface. This requirement limits the number of PVCs that a router can handle effectively.

Security

Controlling access to network resources is a primary concern. Some routing protocols provide techniques that can be used as part of a security strategy. With some routing protocols, you can insert a filter on the routes being advertised so that certain routes are not advertised in some parts of the network.

Some routing protocols can authenticate routers that run the same protocol. Authentication mechanisms are protocol-specific and generally weak. In spite of this, it is worthwhile to take advantage of existing techniques. Authentication can increase network stability by preventing unauthorized routers or hosts from participating in the routing protocol, whether those devices are attempting to participate accidentally or deliberately.

Although they vary in the strength of the authentication they offer, nearly all routing protocols support some form of message authentication. Two principal types of authentication are used in routing protocols today: plaintext password and Message Digest 5 (MD5).

Plaintext Password Authentication

Plaintext password authentication is just what it sounds like. A password is attached to the routing update and is sent in the clear along with the routing update. The passwords have specific length requirements as defined by the routing protocol in use. Plaintext password authentication should be considered specious security because anyone who sees a single routing update on the wire sees the authentication information if it is in use. From this point on, the attacker can appear to be a member of the trusted routing domain. The plaintext password does offer some benefit in that it prevents routing protocol changes when an invalid router is accidentally introduced into a production routing environment.

MD5 Authentication

MD5 works by creating a 16-byte hash of the routing message combined with a secret key. Therefore, the 16-byte value is message-specific, so if an attacker modifies the message, he or she invalidates the 16-byte digest appended to the message. Without the secret key, which the routing protocol never sends over the wire, the attacker is unable to reconstruct a valid message. It is worth noting that the MD5 option provides authentication and packet integrity, not confidentiality.

MD5 passwords should have the same properties as other critical passwords in your network. They should follow the password-creation guidelines in your security policy. If you choose a weak password, an attacker can use brute-force guessing to determine your digest password, thereby allowing him or her to become a trusted member of the routing domain.
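The keyed-digest mechanism described above, modelled in code as an added example (not from the book): the sender appends MD5(message || key) as a 16-byte trailer, and the receiver recomputes it with the key selected by a key ID, so a modified message, a wrong key, or a replayed sequence number is rejected. The update layout (key ID, sequence number, length, payload) and the zero-padding of short keys are simplifications of the OSPF and RIPv2 MD5 trailer format, assumed here for illustration.

```python
import hashlib
import hmac
import struct

KEY_LEN = 16           # the trailer key slot; shorter keys are zero-padded (assumption)
HDR = "!BIH"           # key_id (1 byte), sequence (4 bytes), payload length (2 bytes)
HDR_LEN = struct.calcsize(HDR)
DIGEST_LEN = 16


def _pad_key(key: bytes) -> bytes:
    if len(key) > KEY_LEN:
        raise ValueError("key must be at most 16 bytes")
    return key.ljust(KEY_LEN, b"\x00")


def build_update(key_id: int, seq: int, key: bytes, payload: bytes) -> bytes:
    """Sender side: header + payload, then a 16-byte digest of that body
    concatenated with the secret key. Only key_id goes on the wire, never the key."""
    body = struct.pack(HDR, key_id, seq, len(payload)) + payload
    return body + hashlib.md5(body + _pad_key(key)).digest()


def verify_update(update: bytes, keys: dict, last_seq: dict) -> bool:
    """Receiver side: recompute the digest with the key named by key_id, compare
    in constant time, and require a strictly increasing sequence number per key
    so a captured update cannot simply be replayed."""
    if len(update) < HDR_LEN + DIGEST_LEN:
        return False
    body, digest = update[:-DIGEST_LEN], update[-DIGEST_LEN:]
    key_id, seq, length = struct.unpack(HDR, body[:HDR_LEN])
    if length != len(body) - HDR_LEN:
        return False
    key = keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(body + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, digest):
        return False
    if seq <= last_seq.get(key_id, -1):
        return False
    last_seq[key_id] = seq
    return True


def demo() -> dict:
    """Constructed scenario: one valid update, one with its metric altered in
    transit, one checked against the wrong key, and one replayed verbatim."""
    key = b"rtr-key-2004"                      # constructed sample key
    keys = {1: key}
    good = build_update(1, 10, key, b"10.1.0.0/16 metric 3")
    tampered = good[:HDR_LEN] + good[HDR_LEN:-DIGEST_LEN].replace(
        b"metric 3", b"metric 1") + good[-DIGEST_LEN:]
    state = {}
    return {
        "valid": verify_update(good, keys, state),
        "tampered": verify_update(tampered, keys, {}),
        "wrong_key": verify_update(good, {1: b"other-key"}, {}),
        "replay": verify_update(good, keys, state),   # same seq again
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:10s} accepted={ok}")
```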




Selecting MPLS VPN Services
ISBN: 1587051915
Year: 2004
Pages: 136