You are previewing Selecting MPLS VPN Services.
O'Reilly logo
Selecting MPLS VPN Services

Book Description

A guide to using and defining MPLS VPN services

  • Analyze strengths and weaknesses of TDM and Layer 2 WAN services

  • Understand the primary business and technical issues when evaluating IP/MPLS VPN offerings

  • Describe the IP addressing, routing, load balancing, convergence, and services capabilities of the IP VPN

  • Develop enterprise quality of service (QoS) policies and implementation guidelines

  • Achieve scalable support for multicast services

  • Learn the benefits and drawbacks of various security and encryption mechanisms

  • Ensure proper use of services and plan for future growth with monitoring and reporting services

  • Provide remote access, Internet access, and extranet connectivity to the VPN supported intranet

  • Provide a clear and concise set of steps to plan and execute a network migration from existing ATM/Frame Relay/leased line networks to an IP VPN

  • IP/MPLS VPNs are compelling for many reasons. For enterprises, they enable right-sourcing of WAN services and yield generous operational cost savings. For service providers, they offer a higher level of service to customers and lower costs for service deployment.

    Migration comes with challenges, however. Enterprises must understand key migration issues, what the realistic benefits are, and how to optimize new services. Providers must know what aspects of their services give value to enterprises and how they can provide the best value to customers.

    Selecting MPLS VPN Services helps you analyze migration options, anticipate migration issues, and properly deploy IP/MPLS VPNs. Detailed configurations illustrate effective deployment while case studies present available migration options and walk you through the process of selecting the best option for your network. Part I addresses the business case for moving to an IP/MPLS VPN network, with a chapter devoted to the business and technical issues you should review when evaluating IP/MPLS VPN offerings from major providers. Part II includes detailed deployment guidelines for the technologies used in the IP/MPLS VPN.

    This book is part of the Networking Technology Series from Cisco Press®, which offers networking professionals valuable information for constructing efficient networks, understanding new technologies, and building successful careers.

    Table of Contents

    1. Copyright
      1. Dedications
    2. About the Authors
      1. About the Contributing Authors
      2. About the Technical Reviewer
    3. Acknowledgments
    4. Icons Used in This Book
    5. Command Syntax Conventions
    6. Introduction
      1. Who Should Read This Book?
      2. How This Book Is Organized
    7. I. Business Analysis and Requirements of IP/MPLS VPN
      1. 1. Assessing Enterprise Legacy WANs and IP/VPN Migration
        1. Current State of Enterprise Networks
        2. Evolutionary Change of Enterprise Networks
        3. Acme, a Global Manufacturer
          1. Acme’s Global Span
          2. Business Desires of Acme’s Management
          3. Acme’s IT Applications Base
          4. Acme’s IT Communications Infrastructure
            1. Acme’s Intranet: Backbone WAN
            2. Acme’s Intranet: Regional WANs
        4. New WAN Technologies for Consideration by Acme
          1. Layer 3 IP/MPLS VPN Services
            1. IP/MPLS VPN Service Topologies and Provisioning
            2. IP/MPLS VPN: A Foundation for Network Services
            3. IP/MPLS VPN Transparency
            4. IP/MPLS VPN Network Management and SLAs
            5. Enterprise Vendor Management Approach
            6. Extranet Integration in IP/MPLS VPN Networks
          2. Layer 2 IP/MPLS VPN Services
            1. VPWS
            2. VPLS
        5. Convergence Services
          1. Internet Access
          2. Mobile Access and Teleworker Access
          3. Voice Services: Service Provider Hosted PSTN Gateway
          4. Voice Services: Service Provider Hosted IP Telephony
        6. Summary
      2. 2. Assessing Service Provider WAN Offerings
        1. Enterprise/Service Provider Relationship and Interface
        2. Investigation Required in Selecting a Service Provider
          1. Coverage, Access, and IP
          2. Financial Strength of the Service Provider
          3. Convergence
          4. Transparency
          5. IP Version 6
          6. Provider Cooperation/Tiered Arrangements
          7. Enhanced Service-Level Agreement
          8. Customer Edge Router Management
        3. Service Management
          1. Customer Reports and SLA Validation
        4. Summary
      3. 3. Analyzing Service Requirements
        1. Application/Bandwidth Requirements
        2. Backup and Resiliency
        3. Enterprise Segmentation Requirements
          1. Mapping VLANs to VPNs in the Campus
        4. Access Technologies
          1. Frame Relay
          2. ATM
          3. Dedicated Circuit from CE to PE
          4. ATM PVC from CE to PE
          5. Frame Relay PVC from CE to PE
          6. Metro Ethernet
        5. QoS Requirements
          1. Bandwidth
          2. Packet Delay and Jitter
          3. Packet Loss
          4. Enterprise Loss, Latency, and Jitter Requirements
          5. QoS at Layer 2
        6. Subscriber Network QoS Design
          1. Baseline New Applications
          2. Develop the Network
        7. Security Requirements
          1. Topological and Network Design Considerations
          2. SP-Managed VPNs
        8. Multiprovider Considerations
        9. Extranets
        10. Case Study: Analyzing Service Requirements for Acme, Inc.
          1. Layer 2 Description
          2. Existing Customer Characteristics That Are Required in the New Network
          3. DefenseCo’s Backbone Is a Single Autonomous System
          4. Reasons for Migrating to MPLS
          5. Evaluation Testing Phase
          6. Routing Convergence
          7. Jitter and Delay
          8. Congestion, QoS, and Load Testing
            1. First Scenario
            2. Second Scenario
            3. Third Scenario
            4. Subjective Measures
          9. Vendor Knowledge and Technical Performance
          10. Evaluation Tools
          11. TTCP
          12. Lessons Learned
          13. Transition and Implementation Concerns and Issues
          14. Post-Transition Results
        11. Summary
        12. References
    8. II. Deployment Guidelines
      1. 4. IP Routing with IP/MPLS VPNs
        1. Introduction to Routing for the Enterprise MPLS VPN
          1. Implementing Routing Protocols
          2. Network Topology
          3. Addressing and Route Summarization
          4. Route Selection
          5. Convergence
          6. Network Scalability
          7. Memory
          8. CPU
          9. Security
            1. Plaintext Password Authentication
            2. MD5 Authentication
        2. Site Typifying WAN Access: Impact on Topology
          1. Site Type: Topology
          2. WAN Connectivity Standards
          3. Site Type A Attached Sites: Dual CE and Dual PE
          4. Site Type B/3 Dual-Attached Site—Single CE, Dual PE
          5. Site Type B/3 Dual-Attached Site—Single CE, Single PE
          6. Site Type D Single-Attached Site—Single CE with Backup
          7. Convergence: Optimized Recovery
          8. IP Addressing
          9. Routing Between the Enterprise and the Service Provider
          10. Using EIGRP Between the CE and PE
          11. How EIGRP MPLS VPN PE-to-CE Works
          12. PE Router: Non-EIGRP-Originated Routes
          13. PE Router: EIGRP-Originated Internal Routes
          14. PE Router: EIGRP-Originated External Routes
          15. Multiple VRF Support
          16. Extended Communities Defined for EIGRP VPNv4
          17. Metric Propagation
          18. Configuring EIGRP for CE-to-PE Operation
          19. Using BGP Between the CE and PE
          20. Securing CE-PE Peer Sessions
          21. Improving BGP Convergence
        3. Case Study: BGP and EIGRP Deployment in Acme, Inc.
          1. Small Site—Single-Homed, No Backup
          2. Medium Site—Single-Homed with Backup
          3. Medium Site—Single CE Dual-Homed to a Single PE
          4. Large Site—Dual-Homed (Dual CE, Dual PE)
          5. Load Sharing Across Multiple Connections
          6. Very Large Site/Data Center—Dual Service Provider MPLS VPN
          7. Site Typifying Site Type A Failures
          8. Solutions Assessment
        4. Summary
        5. References
          1. Cisco Press
      2. 5. Implementing Quality of Service
        1. Introduction to QoS
          1. Building a QoS Policy: Framework Considerations
        2. QoS Tool Chest: Understanding the Mechanisms
          1. Classes of Service
            1. IP ToS
          2. Hardware Queuing
          3. Software Queuing
          4. QoS Mechanisms Defined
          5. Pulling It Together: Build the Trust
        3. Building the Policy Framework
          1. Classification and Marking of Traffic
          2. Trusted Edge
          3. Device Trust
          4. Application Trust
          5. CoS and DSCP
          6. Strategy for Classifying Voice Bearer Traffic
          7. QoS on Backup WAN Connections
          8. Shaping/Policing Strategy
          9. Queuing/Link Efficiency Strategy
        4. IP/VPN QoS Strategy
          1. Approaches for QoS Transparency Requirements for the Service Provider Network
            1. Uniform Mode
            2. Pipe Mode
            3. Short-Pipe Mode
          2. QoS CoS Requirements for the SP Network
          3. WRED Implementations
        5. Identification of Traffic
          1. What Would Constitute This Real-Time Traffic?
        6. QoS Requirements for Voice, Video, and Data
          1. QoS Requirements for Voice
            1. Sample Calculation
          2. QoS Requirements for Video
          3. QoS Requirements for Data
        7. The LAN Edge: L2 Configurations
          1. Classifying Voice on the WAN Edge
          2. Classifying Video on the WAN Edge
          3. Classifying Data on the WAN Edge
        8. Case Study: QoS in the Acme, Inc. Network
          1. QoS for Low-Speed Links: 64 kbps to 1024 kbps
            1. Slow-Speed (768-kbps) Leased-Line Recommendation: Use MLP LFI and cRTP
        9. QoS Reporting
        10. Summary
        11. References
      3. 6. Multicast in an MPLS VPN
        1. Introduction to Multicast for the Enterprise MPLS VPN
          1. Multicast Considerations
        2. Mechanics of IP Multicast
          1. RPF
            1. RPF Check
          2. Source Trees Versus Shared Trees
          3. Protocol-Independent Multicast
            1. PIM Dense Mode
            2. PIM Sparse Mode
            3. Bidirectional PIM (Bidir-PIM)
          4. Interdomain Multicast Protocols
            1. Multiprotocol Border Gateway Protocol
            2. Multicast Source Discovery Protocol
          5. Source-Specific Multicast
          6. Multicast Addressing
          7. Administratively Scoped Addresses
          8. Deploying the IP Multicast Service
          9. Default PIM Interface Configuration Mode
          10. Host Signaling
          11. Sourcing
        3. Multicast Deployment Models
          1. Any-Source Multicast
          2. Source-Specific Multicast
          3. Enabling SSM
        4. Multicast in an MPLS VPN Environment: Transparency
          1. Multicast Routing Inside the VPN
        5. Case Study: Implementing Multicast over MPLS for Acme
          1. Multicast Addressing
          2. Multicast Address Management
          3. Predeployment Considerations
          4. MVPN Configuration Needs on the CE
          5. Boundary ACL
          6. Positioning of Multicast Boundaries
          7. Configuration to Apply a Boundary Access List
          8. Rate Limiting
            1. Rate-Limiting Configuration
          9. MVPN Deployment Plan
          10. Preproduction User Test Sequence
        6. What Happens When There Is No MVPN Support?
          1. Other Considerations and Challenges
        7. Summary
        8. References
      4. 7. Enterprise Security in an MPLS VPN Environment
        1. Setting the Playing Field
        2. Comparing MPLS VPN Security to Frame Relay Networks
          1. Security Concerns Specific to MPLS VPNs
        3. Issues for Enterprises to Resolve When Connecting at Layer 3 to Provider Networks
          1. History of IP Network Attacks
          2. Strong Password Protection
          3. Preparing for an Attack
          4. Identifying an Attack
          5. Initial Precautions
            1. Receiving ACLs
            2. Infrastructure ACLs
          6. Basic Attack Mitigation
        4. Basic Security Techniques
          1. Remote-Triggered Black-Hole Filtering
          2. Loose uRPF for Source-Based Filtering
          3. Strict uRPF and Source Address Validation
          4. Sinkholes and Anycast Sinkholes
          5. Backscatter Traceback
          6. Cisco Guard
        5. Distributed DoS, Botnets, and Worms
          1. Anatomy of a DDoS Attack
          2. Botnets
          3. Worm Mitigation
        6. Case Study Selections
        7. Summary
        8. References
          1. Comparing MPLS VPN to Frame Relay Security
          2. ACL Information
          3. Miscellaneous Security Tools
          4. Cisco Reference for MPLS Technology and Operation
          5. Cisco Reference for Cisco Express Forwarding
          6. Public Online ISP Security Bootcamp
          7. Tutorials, Workshops, and Bootcamps
          8. Original Backscatter Traceback and Customer-Triggered Remote-Triggered Black-Hole Techniques
          9. Source for Good Papers on Internet Technologies and Security
          10. Security Work Definitions
          11. NANOG SP Security Seminars and Talks
          12. Birds of a Feather and General Security Discussion Sessions at NANOG
      5. 8. MPLS VPN Network Management
        1. The Enterprise: Evaluating Service Provider Management Capabilities
          1. Provisioning
          2. SLA Monitoring
          3. Fault Management
            1. Handling Reported Faults
            2. Passive Fault Management
              1. Network Events
              2. Customer Traffic Monitoring
              3. Proactive Monitoring
                1. PE-CE
                2. PE-PE
                3. CE-CE
                4. PE-Core-PE-CE
          4. Reporting
          5. Root Cause Analysis
        2. The Enterprise: Managing the VPN
          1. Planning
          2. Ordering
          3. Provisioning
            1. CE Provisioning
            2. CE Management Access
              1. Unmanaged CE Routers
              2. Managed CE Routers
                1. Network Management Configuration Considerations
            3. Acceptance Testing
          4. Monitoring
          5. Optimization
        3. The Service Provider: How to Meet and Exceed Customer Expectations
          1. Provisioning
            1. Zero-Touch Deployment
            2. PE Configuration
          2. Fault Monitoring
            1. MPLS-Related MIBs
              1. MPLS-VPN-MIB
              2. BGPv4-MIB and Vendor BGP MIBs
            2. Resource Monitoring
          3. OAM and Troubleshooting
            1. Proactive Monitoring in Detail
              1. VPN Layer
                1. Off-Box Testing
                2. On-Box Testing
              2. MPLS Layer
                1. LSP Ping/Traceroute
                2. Proactive Monitoring of PE-PE LSPs
            2. Performance Problems
          4. Fault Management
            1. Proactive Fault Management
              1. Case Study: Troubleshooting a Problem with the Acme, Inc. VPN
            2. Reactive Fault Management
          5. SLA Monitoring
            1. Accuracy
            2. Probe Metric Support
            3. QoS Support
            4. Specialized Voice Probes
            5. Threshold Breach Notification
          6. Reporting
        4. Summary
        5. References
      6. 9. Off-Net Access to the VPN
        1. Remote Access
          1. Dial Access via RAS
            1. RAS Configuration
          2. Dial Access via L2TP
            1. L2TP Components
            2. L2TP Call Procedure
            3. Connecting L2TP Solutions to VRFs
          3. DSL Considerations
          4. Cable Considerations
        2. IPsec Access
          1. GRE + IPsec on the CPE
            1. Designing for GRE Resiliency
            2. Configuring GRE Resiliency
          2. CE-to-CE IPsec
            1. DMVPN Overview
            2. mGRE for Tunneling
            3. NHRP for Address Resolution
            4. Routing Protocol Concerns
            5. IPsec Profiles for Data Protection
            6. Summary of DMVPN Operation
          3. The Impact of Transporting Multiservice Traffic over IPsec
          4. Split Tunneling in IPsec
        3. Supporting Internet Access in IP VPNs
        4. Case Study Selections
        5. Summary
        6. References
          1. General PPP Information
          2. Configuring Dial-In Ports
          3. L2TP
          4. Layer 2 Tunnel Protocol Fact Sheet
          5. Layer 2 Tunnel Protocol
          6. VPDN Configuration Guide
          7. VPDN Configuration and Troubleshooting
          8. Security Configuration Guide
          9. RADIUS Configuration Guide
          10. Broadband Aggregation to MPLS VPN
          11. Remote Access to MPLS VPN
          12. Network-Based IPsec VPN Solutions
          13. IPsec
          14. GRE + IPsec
          15. DMVPN
          16. Split Tunneling
          17. Prefragmentation
      7. 10. Migration Strategies
        1. Network Planning
          1. Writing the RFP
          2. Architecture and Design Planning with the Service Providers
          3. Project Management
          4. SLAs with the Service Providers
          5. Network Operations Training
        2. Implementation Planning
          1. Phase 1
          2. Phase 2
          3. Phase 3
          4. Phase 4
        3. On-Site Implementation
        4. Case Study Selections
        5. Summary
    9. III. Appendix
      1. A. Questions to Ask Your Provider Regarding Layer 3 IP/MPLS VPN Capability
        1. Coverage and Topology
        2. Customer Edge Router Management
        3. Network Access, Resiliency, and Load Balancing
        4. QoS Capability
        5. Multicast Capability
        6. Routing Protocol Capability
          1. SLA Measurement and Monitoring Capability
          2. SLA Details
        7. Security
        8. Software Deployment Processes
        9. Inter-Provider IP/VPN
        10. IPv6
        11. MTU Considerations
        12. Hosting Capability
        13. IP Telephony PSTN Integration
        14. IP Telephony Hosted Call Agent
        15. Remote and Dial Access
        16. Internet Access
        17. Other Network Services