Per-VPN Management


Traditional enterprise and SP network services such as redundancy, security, and IP addressing must continue to work in MPLS networks. Whether an enterprise subscribes to services from an MPLS service provider, co-hosts services with a provider, or runs its own MPLS network, its existing IP services must carry over seamlessly to the new infrastructure. To make this possible, some services are made MPLS-aware so that a single resource can serve multiple VPNs instead of being dedicated to one VPN, which reduces equipment investment and operational cost. Several services are already VRF-aware, and the portfolio is growing.

The specific types of services that can be VRF-aware are as follows:

  • Redundancy: VRF-aware HSRP

  • IP addressing:

    - NAT-PE: VRF-aware network address translation (NAT)

    - DHCP/ODAP: VRF-aware DHCP and on-demand address pools (ODAP) for IP address assignment and management

  • Security: VRF-aware IPSec

Each of these applications is made VRF-aware by adding an MPLS VPN ID component. Traffic is kept separate using unique VPN IDs, enabling applications to distinguish traffic coming from different VPNs. We discuss VRF-aware DHCP and VRF-aware NAT in this section.

IP Addressing

IP address assignment and management through DHCP is one of the key services required in enterprise networks, and it must continue to work in MPLS VPN environments whether MPLS VPNs are deployed locally or the enterprise subscribes to MPLS VPN services from a service provider. Because hosts in different VPNs may use overlapping addresses, the DHCP server must be able to tell which VPN a request came from so that the reply reaches the intended host in that VPN. The Cisco solution adds this VPN awareness to the DHCP applications to meet the needs of an MPLS VPN environment.

Several techniques are available that can be used to assign IP addresses:

  • Local pools on Cisco routers

  • Dedicated RADIUS server

  • Dedicated DHCP server

DHCP can be deployed in three configurations:

  • Centralized DHCP server in the enterprise network

    - A single DHCP server hosts IP subnets for hosts in multiple VPNs

  • Distributed DHCP servers in the enterprise network

    - Dedicated DHCP servers per remote site

  • DHCP co-hosted with a service provider

    - DHCP service outsourced for all or selected sites

For all three scenarios, the DHCP server can be located in the global routing table, in a VRF, or in a common VRF shared by several VPNs. If MPLS VPNs are deployed within an enterprise network and all services are managed within that network, a centralized DHCP server that serves hosts in all of the company's VPNs makes the most sense. This model reduces server replication throughout the network, which lowers capital and operational expenses, eases provisioning, management, and troubleshooting, and preserves IP address space. The supported VPN topologies are hub and spoke, fully meshed sites, and a hybrid of the two.

This case does not require VRF-aware DHCP support because DHCP requests and replies do not traverse the MPLS VPN network.

In every case, an IP helper address is needed for the router to forward BOOTP/DHCP requests. Configure the IP helper address with the VPN option on the PE interface that connects to the clients, so that the relay tags each request with the VRF it arrived in.

If you have security concerns (for example, internal or external non-VPN clients reaching the DHCP server), put the PE interface that connects to the servers in a VRF so that only traffic from the intended VPNs can reach them. Use IPsec (VRF-aware IPsec, for instance) on that path to protect against spoofing and other attacks. Note that the relaying router presents its own interface IP address as the DHCP server address in replies, so clients never learn the real DHCP server address.

To summarize, when using a VRF-aware DHCP, it is advisable to:

  • Size a DHCP server appropriately based on the number of users the DHCP server will support.

  • Make sure overlapping address pools are not used for hosts within the same VPN. (Overlap between different VPNs is what VRF-aware DHCP is designed to handle.)

  • Make sure the DHCP server supports the Option 82 VPN ID sub-option (sub-option 151) if you are using a third-party DHCP server; otherwise it cannot tell requests from different VPNs apart.

  • If a firewall or access list sits in the path between the PE relay and the server, allow UDP ports 67 (server) and 68 (client) so that relayed BOOTP/DHCP requests and replies get through.
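The relay and server exchange described above, modelled end to end in Python as an added example (this is not code from the book or from Cisco IOS): the relay tags the DISCOVER with an Option 82 VPN-ID sub-option, the server keys its pools on the VPN so that two VPNs using the same 10.1.1.0/24 get independent leases, a request with no VPN tag matches no pool and gets no answer, and the relay strips Option 82 from the reply and presents its own address as the server identifier, which is why clients never learn the real server address. On IOS the relay side corresponds to `ip helper-address vrf NAME server-address` on the client-facing interface together with `ip dhcp relay information option vpn`. Assumptions beyond the page: the VPN name is carried in sub-option 151 as a type byte 0 followed by ASCII text (the RFC 6607 VSS encoding), packets use the RFC 2131 fixed header, and all addresses and MAC addresses are constructed samples.

```python
"""Added example (not from the book): minimal model of VRF-aware DHCP relay and server.
Assumptions: VPN name in Option 82 sub-option 151 as type byte 0 + ASCII (RFC 6607 VSS
encoding); RFC 2131 fixed header; all addresses and MACs below are constructed samples."""
import struct
from ipaddress import IPv4Address, IPv4Network

MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_RELAY_INFO, OPT_END = 53, 54, 82, 255
DISCOVER, OFFER = 1, 2
SUBOPT_VSS, VSS_ASCII = 151, 0          # VPN-ID sub-option; type 0 = ASCII VPN name


def build_discover(xid, mac, giaddr):
    """DISCOVER as it looks after the relay filled giaddr (RFC 2131 fixed header)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 1, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, IPv4Address(giaddr).packed,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([OPT_MSG_TYPE, 1, DISCOVER, OPT_END])


def parse_options(pkt):
    """TLV walk of the options field: pads (0) are skipped, END (255) stops the walk."""
    assert pkt[236:240] == MAGIC, "not a DHCP packet"
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def set_options(pkt, opts):
    body = b"".join(bytes([c, len(v)]) + v for c, v in sorted(opts.items()))
    return pkt[:240] + body + bytes([OPT_END])


def relay_to_server(pkt, vpn_name):
    """Relay side: tag the request with the VRF it arrived in (Option 82, sub-option 151)."""
    opts = parse_options(pkt)
    opts[OPT_RELAY_INFO] = bytes([SUBOPT_VSS, 1 + len(vpn_name), VSS_ASCII]) + vpn_name.encode()
    return set_options(pkt, opts)


def relay_to_client(pkt, relay_addr):
    """Relay side: strip Option 82 and present the relay's own address as the server ID."""
    opts = parse_options(pkt)
    opts.pop(OPT_RELAY_INFO, None)
    opts[OPT_SERVER_ID] = IPv4Address(relay_addr).packed
    return set_options(pkt, opts)


def vpn_id_of(opts):
    """VPN name from Option 82 sub-option 151, or None if the request came untagged."""
    raw, i = opts.get(OPT_RELAY_INFO, b""), 0
    while i + 2 <= len(raw):
        code, length = raw[i], raw[i + 1]
        data = raw[i + 2:i + 2 + length]
        if code == SUBOPT_VSS and data[:1] == bytes([VSS_ASCII]):
            return data[1:].decode("ascii")
        i += 2 + length
    return None


class VrfAwareServer:
    """Pools keyed on (vpn, subnet): the same 10.1.1.0/24 may exist once per VPN."""

    def __init__(self, address, pools):
        self.address = IPv4Address(address)
        self.pools = {(vpn, IPv4Network(net)): [] for vpn, net in pools}  # leased addresses
        self.leases = {}                                                    # (vpn, mac) -> addr

    def handle(self, pkt):
        opts = parse_options(pkt)
        vpn, giaddr, mac = vpn_id_of(opts), IPv4Address(pkt[24:28]), pkt[28:34]
        key = next((k for k in self.pools if k[0] == vpn and giaddr in k[1]), None)
        if key is None:
            return None                       # unknown VPN/subnet pair: stay silent
        if (vpn, mac) not in self.leases:
            used = set(self.pools[key]) | {giaddr}
            self.leases[(vpn, mac)] = next(h for h in key[1].hosts() if h not in used)
            self.pools[key].append(self.leases[(vpn, mac)])
        addr = self.leases[(vpn, mac)]
        reply = bytes([2]) + pkt[1:16] + addr.packed + pkt[20:240]   # op=BOOTREPLY, yiaddr set
        opts[OPT_MSG_TYPE] = bytes([OFFER])
        opts[OPT_SERVER_ID] = self.address.packed  # real server address; the relay hides it
        return set_options(reply, opts)


def demo():
    """Two VPNs with overlapping 10.1.1.0/24 behind relays that both use giaddr 10.1.1.1."""
    server = VrfAwareServer("192.0.2.10", [("VPN-A", "10.1.1.0/24"), ("VPN-B", "10.1.1.0/24")])
    mac = bytes.fromhex("0200deadbeef")               # constructed sample client MAC
    results = {}
    for vpn in ("VPN-A", "VPN-B"):
        req = relay_to_server(build_discover(0x1234, mac, "10.1.1.1"), vpn)
        offer = server.handle(req)
        client_view = parse_options(relay_to_client(offer, "10.1.1.1"))
        results[vpn] = (str(IPv4Address(offer[16:20])),
                        str(IPv4Address(client_view[OPT_SERVER_ID])),
                        OPT_RELAY_INFO in client_view)
    results["untagged"] = server.handle(build_discover(0x1235, mac, "10.1.1.1"))
    return results
```

Running `demo()` shows both VPNs being offered 10.1.1.2 from separate pools, both clients seeing 10.1.1.1 (the relay) as the server identifier with Option 82 removed, and the untagged request getting no offer at all. The lease key is (VPN, client MAC) rather than MAC alone for the same reason the pools are keyed on VPN: identical client identifiers in two VPNs must not share state.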

VRF-Aware Network Address Translation

For VPNs that use private address space, hosts that need access to the public Internet or to shared-services segments require address translation. Different VPNs commonly use overlapping private address space, so translation must take place before traffic can reach the Internet or shared services located in a shared data center; otherwise two hosts in different VPNs with the same private address could not be told apart.

If the enterprise subscribes to VPN services from a service provider and uses private address space, address translation would otherwise have to be done at the CPE. VRF-aware NAT on the PE allows enterprise customers to offload that translation to their service provider.
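A VRF-aware NAT table modelled in Python, as an added example that is not code from the book or from any router. It keys translations on the VRF as well as the inside address and port, so two VPNs that both use 10.0.0.0/8 can reach a shared service behind one global address, and the reverse lookup on return traffic recovers the right VRF. The same class with `vrf_aware=False` shows the failure mode of a non-VRF-aware NAT: the second VPN's session collides with the first, and the service's replies are delivered into the wrong VPN. The class name, the global address 203.0.113.1 and the host addresses are assumptions.

```python
"""Added example (not from the book): VRF-aware NAT state keyed on (vrf, inside addr, port).
Assumptions: 203.0.113.1 is the NAT global address; hosts and VRF names are constructed."""
from ipaddress import IPv4Address


class VrfAwareNat:
    """Port address translation whose state includes the VRF of the inside host."""

    def __init__(self, global_addr, first_port=1024, vrf_aware=True):
        self.global_addr = IPv4Address(global_addr)
        self.next_port = first_port
        self.vrf_aware = vrf_aware
        self.forward = {}   # inside key -> (global_ip, global_port)
        self.reverse = {}   # (global_ip, global_port) -> (vrf, inside_ip, inside_port)

    def _key(self, vrf, inside_ip, inside_port):
        # A non-VRF-aware NAT sees only the inside tuple and cannot tell the VPNs apart.
        return (vrf if self.vrf_aware else None, IPv4Address(inside_ip), inside_port)

    def outbound(self, vrf, inside_ip, inside_port):
        """Packet from `vrf` toward the shared service: return (global_ip, global_port)."""
        key = self._key(vrf, inside_ip, inside_port)
        if key not in self.forward:
            mapping = (self.global_addr, self.next_port)
            self.next_port += 1
            self.forward[key] = mapping
            self.reverse[mapping] = (vrf, IPv4Address(inside_ip), inside_port)
        return self.forward[key]

    def inbound(self, global_ip, global_port):
        """Return packet from the shared service: (vrf, inside_ip, inside_port) or None."""
        return self.reverse.get((IPv4Address(global_ip), global_port))


def demo(vrf_aware=True):
    """Hosts 10.0.0.5:40000 in VPN-A and in VPN-B both open a session to shared services."""
    nat = VrfAwareNat("203.0.113.1", vrf_aware=vrf_aware)
    _, a_port = nat.outbound("VPN-A", "10.0.0.5", 40000)
    b_ip, b_port = nat.outbound("VPN-B", "10.0.0.5", 40000)
    # Where does the service's reply to VPN-B's session end up?
    return {
        "a_port": a_port,
        "b_port": b_port,
        "reply_to_b_lands_in": nat.inbound(str(b_ip), b_port)[0],
    }
```

With `vrf_aware=True` the two sessions get distinct global ports and VPN-B's replies return to VPN-B. With `vrf_aware=False` both sessions share one mapping owned by whichever VPN created it first, so VPN-B's traffic is answered into VPN-A: a data leak between customers, not just a broken connection.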

Per-VPN self-management complements VRF-aware central services; together they are essential to managing these services discretely, one VPN at a time.

Supported MIBs

Standard MPLS MIB modules give network operators standards-based SNMP interfaces, so they can rely on vendor element management applications, specialized third-party ISV tools, or home-grown management applications rather than on proprietary instrumentation.

Some key MPLS MIB modules supported in Cisco IOS are MPLS-LSR-STD-MIB (RFC 3813), MPLS-TE-STD-MIB (RFC 3812), MPLS-FTN-STD-MIB (RFC 3814), MPLS-LDP-STD-MIB (RFC 3815), and MPLS-TC-STD-MIB (RFC 3811).

Figure 12-4 provides an overview of MPLS network and service MIBs.

Figure 12-4. MPLS Network and Services MIB Summary and Concept/Architecture/Dependencies





MPLS and Next-Generation Networks: Foundations for NGN and Enterprise Virtualization
ISBN: 1587201208
Year: 2006
Pages: 162