At present, the IP wide area networks of some industries are in a period of transition from single-industry private networks to unified service platforms serving multiple industries. How to provide a logically isolated, secure, and reliable virtual private network for each industry has become a technical problem that must be addressed in network transformation.
Application background
IP wide area networks in some industries have been in operation for five to eight years, and these networks are now in a period of overall transformation: from providing network interconnection for a single industry to providing a unified network service platform for multiple related industries. This transformation does not mean building a new basic network. Instead, it builds on the existing public infrastructure and communication facilities, fully integrating and using existing resources to construct a network platform and service system covering multiple industries, which provides NSP (Network Service Provider) services.
Figure 1: Upgrading a single-industry IP private network to a multi-industry network service platform
As shown in Figure 1, the original IP private network of industry A is transformed and upgraded into a network service platform that provides network services to multiple industries at the same time. There are similar demands in politics and law networks and in e-government networks. How to provide a logically isolated, secure, and reliable virtual IP private network for each industry has become a technical problem that must be addressed in network transformation. VPN technology provides multiple logical networks over a single physical network in order to isolate the services of different industries. The main VPN technologies currently in use are L2TP, GRE, and MPLS VPN; this article describes a solution based on each of them.
Technical solution 1: L2TP
Figure 2: Network service platform deployment using L2TP VPN
As shown in Figure 2, an L2TP VPN is deployed on the edge routers of each industry to implement security isolation of services between industries.
The L2TP protocol establishes sessions point to point. If N nodes in the network need to establish L2TP tunnels with one another, the number of sessions in the whole network is N × (N − 1)/2 and the number of sessions on a single node is N − 1; this is called the full-mesh effect. Full-mesh connectivity causes at least three problems. First, it increases the load on the main CPU of the node device, because the device has to maintain a large number of sessions; as the number of nodes in the network grows, the CPU usage of each node grows with it. Second, it reduces the bandwidth utilization of the network: protocol messages and data packets share the bandwidth of the IP network, so an increase in L2TP protocol packets inevitably reduces the bandwidth available for data. Third, scalability is poor: every new node device added to the network needs sessions configured with all of the existing devices, so the maintenance workload is large and network stability suffers.
In addition, L2TP cannot manage tunnel bandwidth precisely across the entire network. For example, it cannot use a technology similar to TE (Traffic Engineering) to define reserved bandwidth for L2TP tunnels, nor can it provide fast protection of L2TP tunnels against node, link, and tunnel failures.
In general, there are few cases of L2TP being applied in IP networks, the development of L2TP has stagnated, and equipment vendors' enthusiasm for supporting L2TP is generally low. Therefore, large-scale deployment of L2TP VPN during network transformation is not recommended, although it can be considered as a supplement to other VPN technologies.
Technical solution 2: GRE
Figure 3: Network service platform deployment using GRE VPN
As shown in Figure 3, the network service platform deploys GRE VPN on the edge routers of each industry to implement security isolation of services between industries.
GRE faces the same problems as L2TP, including the full-mesh effect and the lack of refined tunnel bandwidth management. However, compared with L2TP, GRE is a mature technology, and equipment manufacturers treat GRE as a basic router function, so there is no interoperability problem between equipment from different manufacturers. Deploying GRE VPN in a common IP network is therefore a good choice.
Technical solution 3: MPLS VPN
Figure 4: Network service platform deployment using MPLS VPN
As shown in Figure 4, the network service platform deploys MPLS VPN on the edge routers to interconnect multiple sites.
MPLS VPN is divided into MPLS L3 VPN and MPLS L2 VPN, which carry Layer 3 services and Layer 2 services respectively.
1. MPLS L3 VPN
MPLS L3VPN is a PE-based Layer 3 VPN technology used in service provider VPN solutions. It uses BGP to advertise VPN routes across the service provider's backbone network and uses MPLS to forward VPN packets across that backbone.
MPLS L3VPN consists of three kinds of devices: CE (customer edge, the edge device of the user network), PE (provider edge, the service provider's edge router), and P (provider, a backbone router inside the service provider's network).
2. MPLS L2 VPN
MPLS L2VPN provides Layer 2 VPN services over an MPLS (Multiprotocol Label Switching) network, so that operators can provide L2 VPNs for different data link layers, including ATM, VLAN, Ethernet, and PPP, on one unified MPLS network.
Put simply, MPLS L2VPN transparently transmits the user's Layer 2 data across the MPLS network. From the user's point of view, the MPLS network is a Layer 2 switching network that can be used to establish Layer 2 connections between different nodes.
Compared with MPLS L3VPN, MPLS L2VPN has the following advantages:
1) High scalability: MPLS L2VPN only establishes Layer 2 connections and neither introduces nor manages the users' routing information. This greatly reduces the burden on the PE and on the entire SP (Service Provider) network, enabling service providers to support more VPNs and more users.
2) Reliability and security of the private network are ensured: because the user's routing information is not introduced, MPLS L2VPN cannot obtain or process user routes, which protects the security of the user's VPN routing.
3) Multiple network layer protocols are supported, including IP, IPX, and SNA.
MPLS VPN has ways to deal with the problems that the previous two solutions cannot solve. The full-mesh effect is solved with BGP route reflectors. Refined bandwidth management can be solved with TE technology, service SLAs are provided through the MPLS EXP field, and high-reliability tunnel protection is provided by TE FRR (Fast Reroute) and LSP backup. Because of its flexible networking modes, good scalability, and complete OAM functions, MPLS VPN has become the mainstream VPN technology and is widely used.
However, MPLS VPN places high functional requirements on network devices: every network device in the network must support MPLS VPN. Most early IP private network routers do not support MPLS VPN. To integrate an existing IP private network into a new IP/MPLS private network, all devices in the network must be upgraded, and the network topology, configuration, and routing resources must be re-planned. This migration approach is expensive: it disrupts the existing IP private network services, and the cost is high.
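The following is an added example, not code from the original article, that models the two scaling arguments made above: the full-mesh session count N × (N − 1)/2 that the L2TP and GRE sections attribute to point-to-point tunnels, and the route-reflector design that the MPLS VPN section credits with removing it. Node names, the number of reflectors, and the keepalive parameters used for the control-traffic estimate are constructed sample values, not figures from the article.

```python
# Added example (not from the original article): session-count model for a
# full-mesh tunnel design versus a BGP route-reflector design.

def full_mesh_sessions(n: int) -> int:
    """Sessions in the whole network when N nodes are fully meshed: N(N-1)/2."""
    if n < 0:
        raise ValueError("node count must be non-negative")
    return n * (n - 1) // 2


def full_mesh_sessions_per_node(n: int) -> int:
    """Sessions a single node must maintain in a full mesh: N-1."""
    return max(n - 1, 0)


def route_reflector_sessions(n_clients: int, n_reflectors: int = 2) -> int:
    """Sessions in a route-reflector design: each client peers with every
    reflector, and the (small, redundant) set of reflectors is meshed with
    itself. n_reflectors=2 is a constructed assumption."""
    return n_clients * n_reflectors + full_mesh_sessions(n_reflectors)


def route_reflector_sessions_per_client(n_reflectors: int = 2) -> int:
    """A client's session count no longer depends on N, only on the reflectors."""
    return n_reflectors


def devices_to_reconfigure(existing: list, design: str, reflectors: tuple = ()) -> set:
    """Which already-deployed devices need configuration changes when one
    more node joins. This is the 'poor scalability' point of the L2TP section:
    in a full mesh every existing node is touched; with reflectors only the
    reflectors are."""
    if design == "full_mesh":
        return set(existing)
    if design == "route_reflector":
        return set(reflectors)
    raise ValueError(f"unknown design: {design}")


def control_traffic_bps(sessions_per_node: int, keepalive_bytes: int = 64,
                        interval_s: float = 30.0) -> float:
    """Rough per-node control-plane load in bits/s, assuming one keepalive of
    keepalive_bytes every interval_s seconds per session (constructed
    parameters). Illustrates why protocol packets eat into data bandwidth as
    the mesh grows."""
    return sessions_per_node * keepalive_bytes * 8 / interval_s


def scaling_table(node_counts, n_reflectors: int = 2) -> list:
    """One row per network size comparing both designs."""
    rows = []
    for n in node_counts:
        rows.append({
            "nodes": n,
            "mesh_total": full_mesh_sessions(n),
            "mesh_per_node": full_mesh_sessions_per_node(n),
            "rr_total": route_reflector_sessions(n, n_reflectors),
            "rr_per_client": route_reflector_sessions_per_client(n_reflectors),
        })
    return rows


if __name__ == "__main__":
    for row in scaling_table([10, 50, 100, 200]):
        print(row)
    existing = [f"pe{i}" for i in range(1, 11)]   # constructed node names
    print("full mesh, add pe11, reconfigure:", sorted(devices_to_reconfigure(existing, "full_mesh")))
    print("route reflector, add pe11, reconfigure:",
          sorted(devices_to_reconfigure(existing, "route_reflector", ("rr1", "rr2"))))
```

Running the script prints the comparison table; the useful column is `mesh_per_node`, which grows with every site added, against `rr_per_client`, which stays fixed at the number of reflectors regardless of network size.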
Technical solution 4: MPLS VPN over GRE
Figure 5: Network service platform deployment using MPLS VPN over GRE
As shown in Figure 5, the network service platform is deployed on the edge routers in MPLS VPN over GRE mode to implement security isolation of services.
In this mode, MPLS VPN packets are encapsulated in GRE messages for transmission. The MPLS VPN PE is placed on the user's egress router, and GRE tunnels are established between the egress routers. From the user's perspective, the network is an MPLS VPN network that provides key services such as VPN security isolation, inheriting the flexible and scalable networking advantages of MPLS VPN. On the network side, the whole network is just a common IP network, and network devices do not need to support MPLS VPN.
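To make the encapsulation concrete, here is an added example, not code from the original article, that builds an MPLS VPN over GRE packet the way a PE on an egress router would (outer IP header, GRE header with the MPLS unicast protocol type 0x8847 from RFC 4023, VPN label, then the user's inner IP packet) and then shows the two viewpoints the paragraph describes: a transit router in the common IP network parses only the outer IP header and sees an opaque GRE payload, while the far-end PE strips GRE and pops the label to recover the user packet. The addresses, label value, and payload are constructed sample values.

```python
# Added example (not from the original article): MPLS-in-GRE encapsulation
# and the transit-router versus PE view of the resulting packet.
import struct
import ipaddress

GRE_PROTO = 47                    # IP protocol number for GRE
MPLS_UNICAST_ETHERTYPE = 0x8847   # GRE protocol type for MPLS unicast (RFC 4023)


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def mpls_label_entry(label: int, exp: int = 0, bottom: bool = True, ttl: int = 64) -> bytes:
    """4-byte label stack entry: 20-bit label, 3-bit EXP, 1-bit S, 8-bit TTL."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def gre_header(proto_type: int = MPLS_UNICAST_ETHERTYPE) -> bytes:
    """Minimal GRE header (RFC 2784): no checksum/key/sequence, version 0."""
    return struct.pack("!HH", 0, proto_type)


def encapsulate(inner_packet: bytes, vpn_label: int, pe_src: str, pe_dst: str) -> bytes:
    """Ingress PE: push the VPN label, wrap in GRE, wrap in an outer IP header."""
    gre = gre_header() + mpls_label_entry(vpn_label) + inner_packet
    return ipv4_header(pe_src, pe_dst, GRE_PROTO, len(gre)) + gre


def transit_view(packet: bytes) -> dict:
    """A plain IP router in the middle of the network only needs the outer
    header; everything after it is an opaque GRE payload."""
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    return {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "proto": packet[9],
        "opaque_payload_len": total_len - ihl,
    }


def decapsulate(packet: bytes, expected_dst: str):
    """Egress PE: check the outer destination, strip IP + GRE, pop the label.
    Returns (vpn_label, inner_packet)."""
    ihl = (packet[0] & 0x0F) * 4
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    if packet[9] != GRE_PROTO or dst != expected_dst:
        raise ValueError("not a GRE packet addressed to this PE")
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if proto_type != MPLS_UNICAST_ETHERTYPE:
        raise ValueError("GRE payload is not MPLS unicast")
    # Optional GRE fields (C=0x8000, K=0x2000, S=0x1000) each add 4 bytes.
    gre_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    entry = struct.unpack("!I", packet[ihl + gre_len:ihl + gre_len + 4])[0]
    label = entry >> 12
    return label, packet[ihl + gre_len + 4:]


def demo():
    """Constructed user packet (10.1.1.10 -> 10.2.2.20 inside industry B's VPN)
    carried between two PE loopbacks 192.0.2.1 and 192.0.2.2 (sample values)."""
    inner = ipv4_header("10.1.1.10", "10.2.2.20", 17, 4) + b"data"  # placeholder payload
    pkt = encapsulate(inner, vpn_label=100, pe_src="192.0.2.1", pe_dst="192.0.2.2")
    return transit_view(pkt), decapsulate(pkt, "192.0.2.2"), inner


if __name__ == "__main__":
    seen_by_transit, (label, recovered), original = demo()
    print("transit router sees:", seen_by_transit)
    print("egress PE pops label", label, "and recovers original packet:", recovered == original)
```

The transit view never touches the MPLS label or the user's addresses, which is exactly why the existing routers in industry A's network need no MPLS VPN support: to them the tunnel is ordinary IP traffic with protocol 47 between the two PE addresses.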
The MPLS VPN over GRE scheme has the following advantages:
1) No changes are needed to the existing IP private network services, and services between different departments can continue to interconnect using their original IP addresses. As shown in Figure 5, the services of the original industry A need no modification of network topology, configuration, or routing, and they continue to be carried over IP, which fully ensures the stability of existing services.
2) The original devices do not need to be updated or upgraded, so the transformation cost is low. In Figure 5, for the newly added industry B, IP addresses are used to interconnect the network-side devices, GRE sessions are established between the two endpoints, and the MPLS VPN over GRE function is enabled. MPLS VPN over GRE only needs to be supported by the new industry B devices, not by the original IP private network devices.
3) Service isolation between industries is effectively guaranteed. As shown in Figure 5, the private network of industry B is completely logically isolated from industry A, because its route advertisement and data forwarding go through MPLS VPN.
4) High scalability and ease of management. The network administrator only needs to take part in port allocation, bandwidth allocation, and IP address allocation; the MPLS VPN over GRE configuration is maintained entirely by industry B's own network administrator. The management scope and responsibilities are clear, which greatly reduces the complexity of operations management.
Weighing technical feasibility and cost across the four solutions above, we suggest adopting the MPLS VPN solution for newly built networks. For an existing IP private network that needs to be switched to an IP network service platform, we recommend the MPLS VPN over GRE solution.