| MPLS VPNs are an ideal way of building scalable corporate intranets. Corporate intranets can span local area networks (LAN) and wide area networks (WAN). They can be built over public or private backbones. In addition, they can have full or partial sites within a VPN and can have remote users over a DSL connection or a dedicated connection. No matter what the connectivity in terms of transport protocol, the intranet must work. These requirements provide several challenges to the network designer. If the corporate intranet is built using MPLS VPNs in the WAN, the MPLS network must support several features. Some of these requirements are as follows: The MPLS network must be capable of supporting all transport types, such as a data linkEthernet, Frame Relay, Point-to-Point (PPP), High-Level Data Link Control (HDLC), Packet over SONET (POS), and ATM. It must be possible to map VLANs in a LAN to MPLS VPNs at the PE or the CE. It must be possible to map remote users and dial-in users to the MPLS VPNs. It must be possible to connect full sites to MPLS VPNs. It must be possible to use either dynamic routing protocol or static routing between the PE and CE. It must be possible to build a corporate intranet across geographic boundaries and across multiple provider networks using MPLS VPNs. This is a generic requirement for the technology and not for an individual corporation. It must be possible to scale the corporate intranet to a large number of sitesmaybe even thousands of sitesin the intranet using MPLS VPNs. Quality of service (QoS) must be supported with MPLS VPNs. It must be possible to physically connect sites in an arbitrary manner, but any-to-any connectivity is required logically. It must be possible to define routing policies to allow partial connectivity. It must be possible to also build hub-and-spoke VPNs.
MPLS VPNs can easily satisfy all the previously listed requirements because of the following reasons: MPLS supports all the data links for L3 VPNs. VLANs can be mapped to VRFs in MPLS VPNs at either the CE or PE. Remote access users can be mapped to MPLS VPNs by terminating the IPSec tunnels either on a dedicated IPSec concentrator or directly on the PE itself. Sites can be connected to multiple VPNs, or all the sites can be connected to a single VPN. The attached customer port (CE) belongs to a VPN site. Any static or dynamic routing protocol (OSPF, IS-IS, RIPv2, eBGP, or EIGRP) can be used between PE and CE. Techniques, such as Inter-AS VPNs or Carrier Supporting Carrier (CSC), can be used to scale VPNs to large networks that span multiple geographies and provider networks. For details on Inter-AS and CSC, please refer to IETF RFC 4364. Because the PE needs only to know information about the attached VPNs, you can scale MPLS VPNs to connect thousands of sites within a VPN and thousands, or even tens of thousands, of VPNs per network. Each device within the network needs to hold information only of the attached VPNs/sites, and more PEs can be added to support more VPNs. Hence, the scalability is not hampered by the scale limitations of a single device. By managing the VPNv4 route advertisements via BGP and appropriate filtering, you can easily build full-mesh or hub-and-spoke VPNs. Corporate intranets can be extended to dedicated sites and remote sites including DSL/cable users and dial-in users by mapping the remote users appropriately to VRFs using a mix of technologies, such as VLAN-to-VRF mapping and VRF-aware AAA.
|
