Technical Analysis of Quidway S8016 MPLS VPN

Source: Internet
Author: User
Tags: vpls

The S8016 high-end routing switch provides VPN services to users over an operational MPLS network, including both Layer 2 and Layer 3 MPLS VPN, and offers complete solutions for enterprise interconnection at different scales and scopes.

I. S8016 L3 VPN Function

1. Overview

MPLS/BGP VPN provides network operators with a network-based VPN. It is easy to manage, scalable, and can connect any site to any other site; network users do not have to build the VPN themselves, because the operator provides it at the network layer. This makes it especially suitable for building intranets, extranets and similar networks.

2. Layer 3 VPN structure of S8016

The S8016 supports MPLS/BGP VPN conforming to RFC 2547, provides the PE function for network operators, can act as a route reflector to distribute VPN routes within an autonomous system, and can act as an ASBR to forward VPN traffic between autonomous systems. The S8016 attaches VPN users through physical ports or VLANs and supports mutual access between VPN users; it also allows VPN users to access the Internet through the same interface.

In the MPLS/BGP VPN model, the network consists of the carrier's backbone and the various user sites. A VPN is really a partitioning of sites: one VPN corresponds to a set of sites. If all the sites in a VPN belong to one enterprise, they form an intranet; if the sites in a VPN belong to different enterprises, they form an extranet, as shown in Figure 1.


Figure 1 networking mode of S8016 VPN


Where:
CE (Customer Edge): the edge device in the user site that connects directly to the service provider, generally a router;
PE (Provider Edge): the edge device of the carrier's backbone network; it connects directly to the user's CE and supports the MPLS LER function;
P: a device in the carrier's backbone network that is not directly connected to any CE; it supports the MPLS LSR function.
The S8016 PE establishes LSP tunnels between PEs to carry VPN traffic and uses MP-iBGP to distribute VPN routes between PEs. BGP/MPLS VPN LSP tunnels can be established within an autonomous system or across autonomous systems. CE devices can be routers, Layer 3 switches or Layer 2 switches, and can be attached to different PEs or to the same PE. Only the PEs in the backbone are aware of VPNs; the core-layer P devices know nothing about any VPN and are responsible only for label forwarding, which makes this scheme simple and scalable for carriers.

As the carrier's PE, the S8016 maintains separate routing and forwarding tables (VRFs) for different VPN users, which makes hub-and-spoke and full-mesh connectivity between user sites easy to achieve. Different labels are attached to different users' packets during forwarding, which keeps user traffic separated to a considerable extent (note that labels provide separation, not confidentiality: an MPLS VPN does not encrypt user data). Using the CoS and traffic engineering mechanisms of the MPLS network, the S8016 provides L3 VPN services with QoS assurance.
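The route-target (RT) import/export logic that produces the per-VPN separation described above, as an added example in Python. It is not Huawei's code and not from the original article; it models the RFC 2547 control plane (RD-qualified VPN-IPv4 routes flooded by MP-iBGP, RT-based import into VRFs, inner VPN label per route) on a constructed topology with ASN 65000 and assumed RD/RT values. It also shows the extranet case from the text: a hub VRF that imports both VPNs, and why overlapping addresses between them then collide.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class VpnRoute:
    """A VPN-IPv4 route as MP-iBGP carries it between PEs (RFC 2547/4364):
    RD-qualified prefix, BGP next hop (the advertising PE), the inner VPN
    label that PE allocated, and the export route targets (extended communities)."""
    rd: str
    prefix: str
    next_hop_pe: str
    vpn_label: int
    route_targets: frozenset


@dataclass
class Vrf:
    """One per-VPN routing and forwarding instance on a PE."""
    pe: str
    name: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    routes: dict = field(default_factory=dict)      # prefix -> (egress PE, VPN label)
    collisions: list = field(default_factory=list)  # prefixes imported from two sources

    def export(self, prefix: str, vpn_label: int) -> VpnRoute:
        """Redistribute a CE-learned prefix into MP-iBGP as a VPN-IPv4 route."""
        return VpnRoute(self.rd, prefix, self.pe, vpn_label, self.export_rts)

    def maybe_import(self, route: VpnRoute) -> bool:
        """Import policy: the route's RTs must intersect this VRF's import RTs.
        Routes carrying this VRF's own RD are its own exports and are skipped."""
        if route.rd == self.rd or self.import_rts.isdisjoint(route.route_targets):
            return False
        entry = (route.next_hop_pe, route.vpn_label)
        if route.prefix in self.routes and self.routes[route.prefix] != entry:
            # Same prefix from two VPNs: an extranet needs non-overlapping addressing.
            self.collisions.append(route.prefix)
        self.routes[route.prefix] = entry
        return True


def distribute(vrfs, exports):
    """Flood every exported VPN-IPv4 route to every VRF, as a route reflector
    would; each VRF applies its own RT-based import policy."""
    for vrf in vrfs:
        for route in exports:
            vrf.maybe_import(route)


def lookup(vrf: Vrf, dst_ip: str) -> Optional[tuple]:
    """Longest-prefix match in a VRF forwarding table. Returns (egress PE,
    VPN label): the label is pushed as the inner label, and the transport
    LSP to the egress PE supplies the outer label."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, entry in vrf.routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return None if best is None else best[1]


def build_example() -> dict:
    """Constructed topology: VPN A and VPN B on PE1/PE2, plus an extranet hub on
    PE3 that both VPNs may reach. ASN 65000 and all RD/RT values are assumed."""
    RT_A, RT_B, RT_X = "65000:100", "65000:200", "65000:300"
    a1 = Vrf("PE1", "vpnA", "65000:1", frozenset({RT_A}), frozenset({RT_A, RT_X}))
    b1 = Vrf("PE1", "vpnB", "65000:2", frozenset({RT_B}), frozenset({RT_B, RT_X}))
    a2 = Vrf("PE2", "vpnA", "65000:3", frozenset({RT_A}), frozenset({RT_A, RT_X}))
    b2 = Vrf("PE2", "vpnB", "65000:4", frozenset({RT_B}), frozenset({RT_B, RT_X}))
    hub = Vrf("PE3", "extranet", "65000:5", frozenset({RT_X}), frozenset({RT_A, RT_B}))
    vrfs = [a1, b1, a2, b2, hub]
    exports = [
        a1.export("10.1.1.0/24", 16),        # VPN A, site 1
        b1.export("10.1.1.0/24", 17),        # VPN B, site 1: same prefix, different RD
        a2.export("10.1.2.0/24", 18),        # VPN A, site 2
        b2.export("172.16.2.0/24", 19),      # VPN B, site 2
        hub.export("192.168.100.0/24", 20),  # shared servers reachable from both VPNs
    ]
    distribute(vrfs, exports)
    return {f"{v.pe}/{v.name}": v for v in vrfs}


if __name__ == "__main__":
    for key, vrf in build_example().items():
        print(key, vrf.routes, "collisions:", vrf.collisions)
```

Two things to notice when running it: a packet to 10.1.1.5 gets VPN label 16 in VPN A and label 17 in VPN B, so the same address in two customers is never confused, because the RD keeps the two VPN-IPv4 routes distinct and the RT keeps each out of the other's VRF; and the extranet hub, which imports both VPNs, records a collision on 10.1.1.0/24, which is exactly the planning constraint an extranet imposes.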

3. S8016 Layer 3 VPN performance

Supports 512 VRFs;
The total number of routes across all VRFs cannot exceed 64K;
Forwarding rate: full line rate;
Forwarding latency < 50 µs, latency jitter < 5 µs.

II. Layer 2 VPN function of S8016

1. Overview
MPLS L2 VPN provides users with private Layer 2 network services over the existing MPLS network.

MPLS L2 VPN separates management responsibilities: the service provider's PE is responsible only for connectivity and forwarding between user CE devices, while Layer 3 and above are handled by the user's CE devices. This reduces the service provider's management overhead.

In an MPLS L2 VPN, routing inside the VPN is entirely the user's own configuration and planning, which gives it a strongly private character. For the service provider, neither the PE nor the P devices take part in any Layer 3 processing or hold any routing information from the VPN, so the MPLS L2 VPN is independent of the user's Layer 3 protocol; the link-layer type between PE and CE must, however, be consistent within the same VPN.
The leased-line service of MPLS L2 VPN is consistent with the traditional ATM/FR-based L2 VPN, which makes it easy to migrate existing L2 VPN services onto the MPLS network.

The MPLS L2 VPN service uses two-level label encapsulation in the network: the outer label identifies the tunnel shared between PEs, and the inner label identifies the virtual circuit (VC) between the two CEs. Layer 2 connections belonging to different VPNs can reuse the same tunnel LSP between a pair of PEs. Inner labels are advertised directly between PEs, which makes VPN connections easy to configure and extend.
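The two-level encapsulation just described, as an added Python example that is not from the original article or from Huawei. It packs and parses RFC 3032 label stack entries, then walks a frame through the three roles the text names: the ingress PE pushes tunnel label plus VC label (only the inner entry has the bottom-of-stack bit set), a transit P router swaps only the outer label and never touches the VC label, and the egress PE demultiplexes on the inner label into a VC table. All label values, the CE frame bytes and the VC table contents are constructed for the example.

```python
import struct

MAX_LABEL = (1 << 20) - 1


def encode_label_entry(label: int, tc: int = 0, s: int = 0, ttl: int = 255) -> bytes:
    """One 32-bit MPLS label stack entry (RFC 3032): label(20) | TC(3) | S(1) | TTL(8)."""
    if not (0 <= label <= MAX_LABEL and 0 <= tc <= 7 and s in (0, 1) and 0 <= ttl <= 255):
        raise ValueError("label stack field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)


def parse_label_stack(data: bytes):
    """Walk entries until the bottom-of-stack bit; return (entries, payload)."""
    entries, off = [], 0
    while True:
        if len(data) - off < 4:
            raise ValueError("truncated label stack (no bottom-of-stack entry)")
        (word,) = struct.unpack_from("!I", data, off)
        entry = {"label": word >> 12, "tc": (word >> 9) & 0x7,
                 "s": (word >> 8) & 0x1, "ttl": word & 0xFF}
        entries.append(entry)
        off += 4
        if entry["s"]:
            return entries, data[off:]


def ingress_pe_encapsulate(tunnel_label: int, vc_label: int, frame: bytes,
                           ttl: int = 255) -> bytes:
    """Ingress PE: outer label = tunnel LSP to the egress PE (shared by all VCs
    between this PE pair), inner label = the VC of one CE-to-CE connection.
    Only the inner entry carries S=1."""
    return (encode_label_entry(tunnel_label, s=0, ttl=ttl)
            + encode_label_entry(vc_label, s=1, ttl=ttl)
            + frame)


def p_router_forward(packet: bytes, ilm: dict) -> bytes:
    """Transit P: swap only the top label via its incoming label map and
    decrement TTL. The inner VC label passes through untouched because
    a P router holds no VPN state at all."""
    entries, payload = parse_label_stack(packet)
    top = entries[0]
    if top["ttl"] <= 1:
        raise ValueError("TTL expired")
    if top["label"] not in ilm:
        raise KeyError(f"no ILM entry for label {top['label']}")
    out = encode_label_entry(ilm[top["label"]], top["tc"], top["s"], top["ttl"] - 1)
    for e in entries[1:]:
        out += encode_label_entry(e["label"], e["tc"], e["s"], e["ttl"])
    return out + payload


def egress_pe_demux(packet: bytes, vc_table: dict):
    """Egress PE: strip whatever is left of the stack (the tunnel label may
    already be gone after penultimate-hop popping), look the inner VC label
    up in the VC table and hand the frame to that CE attachment circuit.
    An unknown VC label is dropped rather than guessed at."""
    entries, payload = parse_label_stack(packet)
    vc_label = entries[-1]["label"]
    if vc_label not in vc_table:
        raise KeyError(f"unknown VC label {vc_label}: frame dropped")
    return vc_table[vc_label], payload


# Constructed Ethernet frame from a CE: broadcast dst, assumed src MAC, ARP EtherType, padding.
CE_FRAME = bytes.fromhex("ffffffffffff" "00115a000001" "0806") + b"\x00" * 28
# Constructed VC table on the egress PE: inner label -> (CE port, VLAN); names are assumed.
VC_TABLE = {200000: ("GE1/0/1", 100)}

if __name__ == "__main__":
    pkt = ingress_pe_encapsulate(1000, 200000, CE_FRAME)
    pkt = p_router_forward(pkt, {1000: 1001})
    print(parse_label_stack(pkt)[0], egress_pe_demux(pkt, VC_TABLE)[0])
```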

MPLS L2 VPN includes two service models: the point-to-point virtual leased line (VLL), and the multipoint-to-multipoint virtual private LAN service (VPLS).

2. S8016 L2 VPN Structure

In the point-to-point VLL (virtual leased line) service model, the S8016 attaches the VPN user's CE through a VLAN or a physical port and establishes a one-to-one virtual connection between the two CEs, just like a traditional ATM/FR leased line. Figure 2 shows the implementation of the S8016 VLL service. This structure has the following features:

Point-to-point topology;
Virtual leased line;
The service provider's PE identifies and configures each virtual connection by a connection ID;
The user's CE selects routes for the VPN and sends packets out of different interfaces and sub-interfaces;
Supports multiple link types, such as POS, Ethernet and Ethernet VLAN.


Figure 2 VLL Service

In the multipoint-to-multipoint VPLS service model, the service provider's MPLS core network appears to the user as one large virtual switch. Multiple peer virtual connections can be configured on the same VLAN interface, and two local CEs attached under the same VLAN can be configured to communicate with each other. Figure 3 shows the implementation of the S8016 VPLS service. This structure has the following features:

Multipoint-to-multipoint topology;
Source MAC address learning;
Layer 2 forwarding and Layer 2 tunnel broadcast based on VLAN + MAC;
A broadcast loop avoidance mechanism;
Only Ethernet and Ethernet VLAN user link types are supported.


Figure 3 VPLS service
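The "virtual switch" behaviour listed above (source MAC learning, VLAN + MAC forwarding, flooding over the tunnels, loop avoidance), as an added Python model that is not from the original article or from Huawei. The page does not say how the S8016 avoids broadcast loops; the example assumes the standard VPLS rule, split horizon between pseudowires, under which a frame received over a pseudowire is never sent out over another pseudowire. Port names and MAC addresses are constructed.

```python
from typing import Dict, List, NamedTuple


class Port(NamedTuple):
    name: str
    kind: str   # "ac": local CE attachment circuit; "pw": pseudowire to a remote PE


BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Broadcast or multicast: the I/G bit of the first octet is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class VplsInstance:
    """One VPLS instance on a PE: a virtual switch whose ports are the local CE
    attachment circuits plus one pseudowire to every other PE in the VPN."""

    def __init__(self, name: str, ports: List[Port]):
        self.name = name
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        self.fdb: Dict[str, str] = {}   # learned source MAC -> port it was seen on

    def forward(self, in_port: str, src_mac: str, dst_mac: str) -> List[str]:
        """Process one frame and return the ports it is replicated to."""
        ingress = self.ports[in_port]
        # Source MAC learning. Nothing authenticates the source address: a CE
        # that forges another site's MAC can pull that site's traffic towards
        # itself until the entry is relearned, so the FDB trusts whatever it sees.
        self.fdb[src_mac] = in_port
        # Split horizon: a frame from a pseudowire is never forwarded onto another
        # pseudowire. With a full mesh of PWs the sending PE has already reached
        # every other PE directly, so this prevents loops without running STP.
        eligible = [n for n, p in self.ports.items()
                    if n != in_port and not (ingress.kind == "pw" and p.kind == "pw")]
        if not is_group_address(dst_mac) and dst_mac in self.fdb:
            learned = self.fdb[dst_mac]
            return [learned] if learned in eligible else []   # known unicast, or drop
        return eligible   # broadcast, multicast or unknown unicast: flood


def build_example() -> VplsInstance:
    """Constructed PE1 with two local CEs and pseudowires to PE2 and PE3."""
    return VplsInstance("vpls-blue", [
        Port("AC-CE1", "ac"), Port("AC-CE2", "ac"),
        Port("PW-PE2", "pw"), Port("PW-PE3", "pw"),
    ])


if __name__ == "__main__":
    v = build_example()
    print(v.forward("AC-CE1", "00:11:5a:00:00:01", BROADCAST))   # flood to all other ports
    print(v.forward("PW-PE2", "00:11:5a:00:00:02", BROADCAST))   # only to local CEs
    print(v.forward("AC-CE1", "00:11:5a:00:00:01", "00:11:5a:00:00:02"))  # learned: one PW
```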


The S8016 supports both the extended LDP method (the Martini approach, used by Cisco) and the MP-BGP method (the Kompella approach, used by Juniper) for advertising inner labels.
Extended LDP mode
There is no VPN concept; configuration and connection IDs define the correspondence between user links;
PEs advertise inner labels in downstream unsolicited mode;
Remote LDP sessions advertise the inner labels directly, using the VC FEC element (FEC type 128) to identify L2 VPN messages.
MP-BGP mode
Has a VPN concept; each CE within a VPN has a unique CE ID;
MP-BGP advertises contiguous blocks of inner labels between PE BGP peers;
Provides a dedicated L2 VPN address family and sub-address family;
Only the BGP peers need to be configured; VPN members are discovered automatically, and VPNs are distinguished by route target (RT).
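How a contiguous label block plus CE IDs yields a VC label with no per-connection signalling, as an added Python example that is not from the original article or from Huawei. It follows the BGP-based (Kompella) scheme in which each PE advertises, for each local CE, a label base and the range of remote CE IDs the block covers; the label a remote PE pushes is computed from the block and the two CE IDs, and RT keeps VPNs that reuse the same CE ID apart. RT strings, CE IDs and label bases are assumed values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class LabelBlock:
    """What one PE advertises in MP-BGP for one of its CEs in BGP-based L2 VPN
    (Kompella, RFC 6624 / RFC 4761 style): the CE ID, a label base, and the
    range [offset, offset + size) of remote CE IDs the contiguous block covers."""
    ce_id: int
    label_base: int
    offset: int
    size: int

    def label_from(self, remote_ce_id: int) -> Optional[int]:
        """Inner label a remote PE must push on frames from remote_ce_id to ce_id,
        or None if remote_ce_id lies outside the advertised block."""
        if self.offset <= remote_ce_id < self.offset + self.size:
            return self.label_base + (remote_ce_id - self.offset)
        return None


Adverts = Dict[Tuple[str, int], LabelBlock]   # (route target, CE ID) -> block


def advertise(adverts: Adverts, rt: str, block: LabelBlock) -> None:
    """Record a block under its RT; a duplicate CE ID within one VPN is a
    configuration error and is rejected rather than silently overwritten."""
    key = (rt, block.ce_id)
    if key in adverts:
        raise ValueError(f"duplicate CE ID {block.ce_id} in VPN {rt}")
    adverts[key] = block


def vc_label(adverts: Adverts, rt: str, from_ce: int, to_ce: int) -> Optional[int]:
    """Label pushed by from_ce's PE towards to_ce: only the remote block and
    the two CE IDs are needed, so adding a CE needs no new signalling."""
    block = adverts.get((rt, to_ce))
    return None if block is None else block.label_from(from_ce)


def full_mesh(adverts: Adverts, rt: str) -> Dict[Tuple[int, int], int]:
    """All (from_ce, to_ce) VC labels in one VPN that the advertised blocks support."""
    ces = sorted(ce for (r, ce) in adverts if r == rt)
    mesh = {}
    for src in ces:
        for dst in ces:
            if src == dst:
                continue
            label = vc_label(adverts, rt, src, dst)
            if label is not None:
                mesh[(src, dst)] = label
    return mesh


def build_example() -> Adverts:
    """Constructed: VPN 'blue' (RT 65000:10) with CEs 1-3 on three PEs, and
    VPN 'red' (RT 65000:20) that reuses CE ID 1. Label bases are assumed."""
    adverts: Adverts = {}
    advertise(adverts, "65000:10", LabelBlock(1, 100000, 1, 8))
    advertise(adverts, "65000:10", LabelBlock(2, 200000, 1, 8))
    advertise(adverts, "65000:10", LabelBlock(3, 300000, 1, 4))
    advertise(adverts, "65000:20", LabelBlock(1, 400000, 1, 4))
    return adverts


if __name__ == "__main__":
    adv = build_example()
    for (src, dst), label in sorted(full_mesh(adv, "65000:10").items()):
        print(f"CE{src} -> CE{dst}: push {label}")
```

Each direction of a CE pair gets its own label from the destination's block, every label in the mesh is distinct, and a CE ID outside a block (here CE 9 against a block sized 8 from offset 1) simply has no VC, which is how a CE ID planning mistake shows up.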

3. L2 VPN specifications
Supports 512 CE interfaces;
Each interface supports up to 128 virtual connections (VPLS);
The system supports a maximum of 2K connections;
Forwarding rate: full line rate;
Forwarding latency < 50 µs, latency jitter < 5 µs.

