Interprovider and Carrier-of-Carriers VPNs
Traditional VPNs, Interprovider VPNs, and Carrier-of-Carriers VPNs
As VPNs are deployed on the Internet, the customer of a VPN service provider might be another service provider rather than an end customer. The customer service provider depends on the VPN service provider to deliver a VPN transport service between the customer service provider’s points of presence (POPs) or regional networks.
If the customer service provider’s sites have different autonomous system (AS) numbers, then the VPN transit service provider supports carrier-of-carrier VPN service for the interprovider VPN service. If the customer service provider’s sites have the same AS number, then the VPN transit service provider delivers a carrier-of-carriers VPN service.
There are several different methods for enabling interprovider
VPNs based on RFC 4364, BGP/MPLS IP Virtual Private Networks
(VPNs)
:
Interprovider Layer 3 VPN Option A—Interprovider VRF-to-VRF connections at the AS boundary routers (ASBR) (not very scalable).
Interprovider Layer 3 VPN Option B—Interprovider EBGP redistribution of labeled VPN-IPv4 routes from AS to neighboring AS (somewhat scalable).
Interprovider Layer 3 VPN Option C—Interprovider multihop EBGP redistribution of labeled VPN-IPv4 routes between source and destination ASs, with EBGP redistribution of labeled IPv4 routes from AS to neighboring AS (very scalable).
In traditional IP routing architectures, there is a clear distinction between internal routes and external routes. From the perspective of an Internet service provider (ISP), internal routes include all the provider’s internal links (including BGP next hops) and loopback interfaces. These internal routes are exchanged with other routing platforms in the ISP’s network by means of an interior gateway protocol (IGP), such as OSPF or IS-IS. All routes learned at Internet peering points or from customer sites are classified as external routes and are distributed by means of an exterior gateway protocol (EGP) such as BGP. In traditional IP routing architectures, the number of internal routes is typically much smaller than the number of external routes.
Understanding Interprovider and Carrier-of-Carriers VPNs
All interprovider and carrier-of-carriers VPNs share the following characteristics:
Each interprovider or carrier-of-carriers VPN customer must distinguish between internal and external customer routes.
Internal customer routes must be maintained by the VPN service provider in its PE routers.
External customer routes are carried only by the customer’s routing platforms, not by the VPN service provider’s routing platforms.
The key difference between interprovider and carrier-of-carriers VPNs is whether the customer sites belong to the same AS or to separate ASs:
Interprovider VPNs—The customer sites belong to different ASs. You need to configure EBGP to exchange the customer’s external routes.
Understanding Carrier-of-Carriers VPNs—The customer sites belong to the same AS. You need to configure IBGP to exchange the customer’s external routes.
In general, each service provider in a VPN hierarchy is required to maintain its own internal routes in its P routers, and the internal routes of its customers in its PE routers. By recursively applying this rule, it is possible to create a hierarchy of VPNs.
The following are definitions of the types of PE routers specific to interprovider and carrier-of-carriers VPNs:
The AS border router is located at the AS border and handles traffic leaving and entering the AS.
The end PE router is the PE router in the customer VPN; it is connected to the CE router at the end customer’s site.
Interprovider and Carrier-of-Carrier VPNs Example Terminology
bgp.l3vpn.0
The
table on the provider edge (PE) router in which the VPN-IPv4 routes
that are received from another PE router are stored. Incoming routes
are checked against the vrf-import
statements from all
the VPNs configured on the PE router. If there is a match, the
VPN–Internet Protocol version 4 (IPv4) route is added to
the bgp.l3vpn.0 table. To view the bgp.l3vpn.0 table, issue the show route table bgp.l3vpn.0
command.
routing-instance-name. inet.0
The routing table for a specific routing instance. For example, a routing instance called VPN-A has a routing table called VPN-A.inet.0. Routes are added to this table in the following ways:
They are sent from a customer edge (CE) router configured within the VPN-A routing instance.
They are advertised from a remote PE router that passes the
vrf-import
policy configured within VPN-A (to view the route, run theshow route
command). IPv4 (not VPN-IPv4) routes are stored in this table.
vrf-import policy-name
An import policy configured on a particular routing instance on a PE router. This policy is required for the configuration of interprovider and carrier-of-carriers VPNs. It is applied to VPN-IPv4 routes learned from another PE router or a route reflector.
vrf-export policy-name
An export policy configured on a particular routing instance on a PE router. It is required for the configuration of interprovider and carrier-of-carriers VPNs. It is applied to VPN-IPv4 routes (originally learned from locally connected CE routers as IPv4 routes), which are advertised to another PE router or route reflector.
MP-EBGP
The multiprotocol
external BGP (MP-EBGP) mechanism is used to export VPN-IPv4 routes
across an autonomous system (AS) boundary. To apply this mechanism,
use the labeled-unicast
statement at the [edit protocols
bgp group group-name family inet]
hierarchy
level.
Supported Carrier-of-Carriers and Interprovider VPN Standards
Junos OS substantially supports the following RFCs, which define standards for carrier-of-carriers and interprovider virtual private networks (VPNs).
RFC 3107, Carrying Label Information in BGP-4
RFC 3916, Requirements for Pseudo-Wire Emulation Edge-to-Edge (PWE3)
Supported on MX Series routers with the Channelized OC3/STM1 (Multi-Rate) Circuit Emulation MIC with SFP.
RFC 3985, Pseudo Wire Emulation Edge-to-Edge (PWE3) Architecture
Supported on MX Series routers with the Channelized OC3/STM1 (Multi-Rate) Circuit Emulation MIC with SFP.
RFC 4364, BGP/MPLS IP Virtual Private Networks (VPNs)
RFC 5601, Pseudowire (PW) Management Information Base (MIB)
RFC 5603, Ethernet Pseudowire (PW) Management Information Base (MIB)
RFC 6368, Internal BGP as the Provider/Customer Edge Protocol for BGP/MPLS IP Virtual Private Networks (VPNs)