Académique Documents
Professionnel Documents
Culture Documents
Virtual Private Networks (VPNs) have been a key application in networking for a long time. A slew of possible solutions have been proposed over the last several years. Driving this need has been the requirement for secure transport of sensitive information, controlling information access to those who need it, etc. In large enterprises, particularly those distributed across disparate locations, sensitivity to information pertinent to a department drives the requirement for an IT manager to logically demarcate information flows to be within that department. The need for privacy is another driver behind deployment of VPN solutions.
What is Multi-VRF?
Central to Multi-VRF is the ability to maintain multiple Virtual Routing and Forwarding (VRF) tables on the same Provider Edge (PE) Router. Multi-VRF uses multiple instances of a routing protocol such as BGP or OSPF to exchange route information for a VPN among peer PE routers. The Multi-VRF capable PE router maps an input customer interface to a unique VPN instance. The router maintains a different VRF table for each VPN instance on that PE router. Multiple input interfaces may also be associated with the same VRF on the router, if they connect to sites belonging to the same VPN. This input interface can be a physical interface or a virtual Ethernet interface on a port. Multi-VRF routers communicate with one another by exchanging route information in the VRF table with the neighboring PE router. This exchange of information among the PE routers is done using BGP or OSPF. The PE routers that communicate with one another should be directly connected at Layer 3. Customers connect to PE routers in the network using Customer Edge (CE) routers as shown in Figure 1. Different routing protocols may be used for exchanging information between the PE-PE routers and between the adjacent PE-CE routers. Further, different PE-CE routing protocols may be used in a VPN to exchange customer routes with the various customer sites in that VPN. The routes learnt from the PE-CE protocol are added to the corresponding VRF instance and redistributed via the PE-PE protocol to the peer router in the backbone network. Figure 1 depicts a network using Multi-VRF to provide connectivity among sites that belong to multiple VPNs. To share the VPN route table information with remote PEs, each PE creates separate virtual interfaces and run different instances of the PE-PE routing protocol for each VRF. Some vendors also use the terminology of MultiVRF CE or VRF-Lite for this technology.
VPN Options
VPN technologies can be broadly classified into 2 typessecure VPNs and trusted VPNs. Secure VPNs require traffic to be encrypted and authenticated and are most important when communication occurs across an infrastructure that is not trusted (e.g. over the public Internet). The most commonly deployed types of secure VPNs are IPSec VPNs and SSL (Secure Sockets Layer) VPNs. Both offer encryption of data streams. While IPSec VPNs operate at the network layer and require special client software, SSL VPNs are more application centric and can generally work with any SSL-enabled browser. On the other hand, trusted VPNs ensure integrity and privacy of the data transfers but do not provide any encryption capabilities. Trusted VPNs are most useful when the goal is to leverage a shared infrastructure to allow virtual networks to be built. Examples of such trusted VPN technologies include IP/MPLS based Layer 2 VPNs (VPLS, VLL), BGP/MPLS VPNs, ATM or Frame Relay circuits, Layer 2 Tunneling Protocol (L2TP), etc. In short, all these technologies allow a shared infrastructure to be used without compromising the privacy needs of different users or user groups.
CE Customer A, Site 1
CE Customer A, Site 1
CE Customer B, Site 1
NE TWORKS
L2 network
NetIron XMR 8000
NE TWORKS
CE
NetIron XMR 8000
Customer B, Site 1
PE
PE
CE Customer A, Site 2
CE Customer A, Site 2
CE Customer B, Site 2
CE Customer B, Site 2
Multi-VRF requires the peering PE routers to be directly connected at Layer 3. A Layer 2 network may however be present between the PE routers. On the other hand, BGP/MPLS VPNs have no such restriction. In BGP/MPLS VPNs, the MPLS network determines the path to the peer router. In order to disambiguate overlapping IP addresses, route targets are used in BGP/MPLS VPNs. Multi-VRF uses the input interface to uniquely identify the associated VPN, which is why the two PE routers should be directly connected at Layer 3. Figure 2 compares Multi-VRF and BGP/MPLS VPNs in more detail.
PE-PE routing protocol PE-CE routing protocol PE-PE router connectivity Determination of VRF instance Number of routing protocol instances
Multi-VRF OSPF or BGP BGP, OSPF, RIP or Static routing PE routers should be directly connected at Layer 3 Based on input interface only Unique routing protocol instance for each VRF instance
BGP/MPLS VPN BGP BGP, OSPF, RIP or Static routing PE routers are interconnected via an IP/MPLS network Based on route target (network interface ) or input interface (CE) Single routing protocol instance
Building trusted VPNs with Multi-VRF Multi-VRF No need for route targets to be used. BGP/MPLS VPN Route targets used to identify the customer VPN in advertised routes. The destination PE filters the routes advertised from a peer PE by comparing the route target with the VPNs maintained locally on that PE. Unique VRF instance for each VPN Yes Highly scalable
Number of VRF instances Overlapping private addresses allowed across VPNs? Scalability
trusted servers should not be allowed to directly communicate at all. The figure only shows some servers; in practice, the number of servers could run into tens or hundreds. A common way to accomplish this is by using Policy Based Routing (PBR). However, PBR becomes very difficult to administer and manage as the network begins to grow, may require frequent configuration changes, and is prone to operator errors. MPLS VPNs can also be used to accomplish this. However, it may be too heavy-weight for what needs to be accomplished in this scenario. In addition, operational staff in enterprise data centers may not always be conversant with administering MPLS. Secure VPN technologies like IP-Sec are not required here because the infrastructure is already secure. Therefore, the overhead of encryption is not needed. Multi-VRF is an ideal solution for such an application. Servers that are allowed to communicate can be placed in the same Multi-VRF instance. If server access is to be controlled at a more granular level (e.g. at the application layer), then traffic from specific applications on that server can be sent on a specific tagged interface to the router in Cluster A. As shown in Figure 3, a highly redundant cluster is achieved by ensuring that no single node becomes a point of failure within this network.
NET WORKS
Router Cluster B
NETWORKS
NET WORKS
NET WORKS
Firewall
NET WORKS
Public network
NETWORKS
NET WORKS
NET WORKS
NET WORKS
CE Customer A, Site 1
E-BG
P
NETWOR KS
CE
OSP
PE
PE
RIP
Customer A, Site 3
CE Customer B, Site 1
CE Customer B, Site 3
CE Customer A, Site 2
CE
N E T W O R K S
25F F Link 26
F a s tIro nE d g eX 4 2 4
1 3 5 7 9 11 13 15 17 1 9 21 23
Static
14 16 18 2 0 22 24
P ow er Co n sole 1F 2F 3 F 4 F
10
12
OSPF
PE
PE
CE Customer B, Site 2
Customer B, Site 4
Foundrys support for Multi-VRF allows unparalleled scalability to be achieved by a service provider. For example, the NetIron XMR series of routers allows up to 2000 VRFs and up to 1 million VPN routes to be maintained in its VRF tables.
Summary
Multi-VRF provides a reliable mechanism for trusted virtual private networks to be built over a shared infrastructure. The ability to maintain multiple virtual routing/forwarding tables allows overlapping private IP addresses to be maintained across VPNs and accomplish goals very similar to those of more complex VPN technologies such as BGP/MPLS VPNs.
Author: Ananda Rajagopal Document version 1.1 Foundry Networks, Inc. Headquarters 4980 Great America Parkway Santa Clara, CA 95054 U.S. and Canada Toll-free: (888) TURBOLAN Direct telephone: +1 408.586.1700 Fax: +1 408.586.1900 Email: info@foundrynet.com Web: http://www.foundrynet.com Foundry Networks, AccessIron, BigIron, EdgeIron, FastIron, IronPoint, IronView, IronWare, JetCore, NetIron, ServerIron, Terathon, TurboIron, and the Iron family of marks are trademarks or registered trademarks of Foundry Networks, Inc. in United States and other countries. All other trademarks are the properties of their respective owners. Although Foundry has attempted to provide accurate information in these materials, Foundry assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Foundry. Please note that Foundry's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing. 2006 Foundry Networks, Inc. All Rights Reserved.