MPLS over Layer 2 Circuits

Previous page
Table of content
Next page

The simplest deployment model for connecting MANs and campus networks that have been segmented by means of RFC 2547/MPLS VPNs is to use MPLS over Layer 2 circuits. You can also use this method for branch aggregation, however, the use of Layer 2 circuits for branch aggregation is becoming less and less common. The goal is basically to build one large MPLS network in which the WAN simply provides Layer 2 connectivity but does not participate in the IP routing of the enterprise.

This model requires the enterprise to have Layer 2 connectivity between the different sites either via a legacy WAN (Frame Relay/ATM) or via a Layer 2 VPN service from a provider. The solution involves converting the edge devices into provider (P) or provider edge (PE) devices and making the WAN part of the MPLS MAN/campus network. Figure 7-7 shows a legacy Layer 2 WAN service and a Layer2 VPN service. The router roles have been labeled with the prefixes E and P for enterprise and provider, respectively. For example, E-PE is enterprise PE; whereas P-PE is provider PE.

Figure 7-7. Layer 2 WAN Offerings: Legacy and L2VPN


The LANs and MANs to be interconnected are already MPLS enabled and configured with enterprise-deployed RFC 2547 VPNs. As shown in Figure 7-7, the WAN edge router used for interconnecting MANs/LANs plays the role of an E-P device. That is, it is a P router in the enterprise MPLS network.

From a control-plane perspective, the following protocols run over the Layer 2 links:

  • An IGP such as Enhanced Interior Gateway Routing Protocol (EIGRP) or Open Shortest Path First (OSPF) Protocol for MPLS device reachability. This enables the E-PE, E-P, and route reflectors (RRs) to reach each other.

  • Label Distribution Protocol (LDP)

  • Multiprotocol internal Border Gateway Protocol (MP-iBGP) for VPN route and label distribution among the E-PE devices (preferably through an RR).

Configuring this solution simply involves expanding the enterprise core to include the WAN. From the RFC 2547 VPN perspective, the following must be configured on the E-P routers:

  • The IGP must be extended to have the E-P routers peer over the WAN interfaces. This is standard routing protocol configuration.

  • A label distribution protocol must be enabled on each WAN edge (E-P) router. The global configuration must include the following commands:

     ip cef mpls label protocol ldp

  • The E-P WAN interfaces and the interfaces facing the MPLS MAN or campus must be label switched. One of the following commands must be present under the interfaces:

     mpls ip tag-switching ip

From a forwarding perspective, irrespective of the Layer 2 service (legacy or Layer 2 VPN), the enterprise-edge device label switches packets like a normal P router, and the service provider should transparently forward the labeled packets across its network.

When the different MANs or LANs are in different autonomous systems, the extension of MPLS over the WAN is not as straightforward as discussed so far. When faced with multiple autonomous systems, it is necessary to interconnect these autonomous systems appropriately. Generally, you can interconnect separate autonomous systems to support end-to-end VPNs in three ways. The different options are defined in RFC 2547bis and discussed in detail in the MPLS-specific literature; therefore, this text is limited to briefly introducing the different inter-autonomous system models.

VRF-to-VRF Connections at the Autonomous System Border Routers

This model, which is also known as back-to-back VRFs, is equivalent to connecting two totally separate MPLS clouds back to back on a pair of PE routers. This procedure involves two PEs (one from each autonomous system) connected back to back through several subinterfaces (one subinterface per VPN). In this model, the PEs see each other as multi-VRF CEs. External Border Gateway Protocol (eBGP) is used to exchange routing information between one autonomous system and another.

MP-eBGP Exchange of Labeled VPN-IPv4 Routes Between Adjacent ASBRs

In this model, the PE routers use multiprotocol internal BGP (MP-iBGP) to redistribute labeled VPN-IPv4 routes to an Autonomous System Border Router (ASBR) either directly or through an RR. The ASBR then uses multiprotocol external BGP (MP-eBGP) to redistribute those labeled VPN-IPv4 routes to an ASBR in a neighboring autonomous system, which in turn distributes them via MP-iBGP to the PE routers in that autonomous system.

Multihop MP-eBGP Between Remote Autonomous Systems

This model enables the direct multihop MP-eBGP peering of PEs in one autonomous system with PEs in another. Thus, no VPN routes in the ASBRs interconnect the two autonomous systems. The ASBRs still have to exchange labeled VPN-IPv4 routes to provide reachability and label information to the PEs in either autonomous system; however, these updates do not contain VPN-specific routes.

Using MPLS over Layer 2 Circuits for Segmented Branch Aggregation

This model assumes that the enterprise has existing Layer 2 services for connecting branches. MPLS must be enabled over these Layer 2 links to provide segmentation through MPLS VPNs. Because such Layer 2 connectivity is typically hub and spoke or partial mesh, the MPLS overlay also inherits the same connectivity characteristics. Spoke-to-spoke communication then happens through the hub site.

The branch aggregation router becomes an E-P router, as shown in Figure 7-8. The branch routers become E-PE routers with VRF interfaces facing the branch and MPLS-enabled interfaces facing the headend. The E-P router at the headend label switches all interbranch traffic and all traffic between the branches and the MPLS-enabled MAN or campus network.

Figure 7-8. Branch MPLS Segmentation over Layer 2 Circuits


Because the branch routers are converted into E-PE devices, they extend the reach of the campus network/MAN MPLS cloud. As with any PE router, each remote-branch PE router maintains an LDP session and an IGP session with its neighboring P routers (in this case, the headend aggregator). The PEs also maintain MP-iBGP sessions with the RRs (or other PEs), which typically reside behind the headend aggregating device.

The configuration of the headend is identical to that discussed earlier in this section for an E-P router. Because the branch router is an E-PE router, it is configured as follows:

  • The IGP must be extended to have the E-PE routers peer over the WAN interfaces with the E-P at the headend.

  • A label distribution protocol must be enabled on each E-PE access router. The global configuration must include the following commands:

     ip cef mpls label protocol ldp

  • The E-PE WAN interfaces must be label switched. Use the mpls ip command under the WAN interfaces.

  • The necessary VRFs must be configured on the E-PE.

  • MP-iBGP peering with the RR must be configured.

Note

See the section "RFC 2547bis the MPLS way" in Chapter 6 for further information about the last two configuration items.


When segmentation is not required at certain branches, those branch routers do not need to have their WAN connection MPLS enabled. At the headend, this is not a problem when using separate p2p connections for each branch because each interface can be configured independently. When using multipoint connections, it is recommended that different multipoint connections be used for MPLS-enabled and non-MPLS-enabled branches. Note that when non-MPLS enabled branches are present, the headend device must also act as a PE device to terminate the VPNs to which the non-MPLS branches will be connected.

In general, these Layer 2 circuit meshes can be considered private enough to not require encryption. However, if encryption is required, one option is to create an overlay of encrypted GRE tunnels and deploy MPLS on top of these encrypted tunnels. This configuration is necessary because encryption is not natively supported on label switched paths (LSPs).

Benefits and Drawbacks

The decision to deploy MPLS over a Layer 2 infrastructure is largely based on the type of WAN service agreements and circuits the enterprise has in place. The enterprise's relationship with the service providers could determine the enterprise's ability to select a Layer 2 or an IP service. When a choice can be made, it is important to understand the benefits and drawbacks of the different approaches. Benefits of deploying MPLS over a Layer 2 infrastructure include the following:

  • The enterprise has complete control over the IP infrastructure.

  • There is virtually no dependency on provider services for the extension of enterprise VNs or even the enterprise's choice of technology.

Drawbacks include the following:

  • Encryption poses a challenge because it can require a tunnel overlay.

  • Traffic patterns are only as good as the Layer 2 circuit mesh. True any-to-any connectivity requires a full mesh, which tends to be expensive.

  • Service providers are steering away from the Layer 2 type of service and offering more cost-effective services such as IP VPNs. Therefore, it may be hard for the enterprise to benefit from an end-to-end Layer 2 circuit-based WAN.



Previous page
Table of content
Next page
Network Virtualization
Network Virtualization
ISBN: 1587052482
EAN: 2147483647
Year: 2006
Pages: 128
Authors: Victor Moreno, Kumar Reddy
BUY ON AMAZON
Java I/O
Inside Network Security Assessment: Guarding Your IT Infrastructure
The CISSP and CAP Prep Guide: Platinum Edition
Managing Enterprise Systems with the Windows Script Host
MySQL Clustering
Microsoft WSH and VBScript Programming for the Absolute Beginner
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy