FORE School Of Management E-Commerce

FORE School of Management

E-COMMERCE

Assignment-I
MPLS-VPN Technology

Submitted to

Prof. V.M. Mathur

Submitted By:

Mahak Khemka

FMG XIX Section B

191094
Introduction:
Businesses today are looking to the Internet for wide area network (WAN) solutions that in the
recent past they could get only by choo0sing Frame Relay or T1 dedicated links. To achieve the
security that is required for corporate users, virtual private networks (VPNs) can be used to
guarantee that traffic is securely tunneled over the Internet. Up to now, most VPNs have been
provisioned using Layer 2 technologies, such as Frame Relay and asynchronous transfer mode
(ATM). These technologies provided secure tunnels, were resistant to Denial-of-Service (DoS)
and intrusion attacks, and provided address and routing separation. The problem with Layer 2
VPN technology is that it does not scale well. As the network grows, the number of required
virtual circuits achieving optimal routing scales non-linearly. It is also difficult to provide traffic
engineering using a Layer 2 VPN approach.

To solve these scaling problems, a border gateway protocol/multiprotocol label switching

(BGP/MPLS) VPN standard is now being adopted to provide Layer 3 VPN solutions using BGP to
carry route information over a MPLS core. This Layer 3 MPLS-VPN solution achieves all of the
security of the Layer 2 approach, while adding enhanced scalability inherent in the use of Layer
3 routing technology.

The key to this approach is the use of BGP and a set of extensions, known as BGP-VPN, that
allow separate route forwarding information to be maintained for each VPN client. BGP then
carries this separate route forwarding information over MPLS using the label distribution
protocol (LDP). This application note discusses how IP Infusion's ZebOS™ Advanced Routing
Suite (ARS) provides source code MPLS-VPN solutions for provider edge equipment
manufacturers. These provider edge devices can then be used by Service Providers to provision
VPN services directly to customers.

MPLS/BGP-VPN
The people at the Internet Engineering Task Force (IETF) decided something had to be done to
speed up the process of routing packets on the Internet or the whole thing was going to come
to a screeching halt. They developed a new protocol that is called MPLS; it was actually based
on Cisco’s proprietary tag switching protocol. MPLS stands for Multi-Protocol Label Switching. It
was a protocol that was developed to help speed up the process of routing packets on the
Internet In order to achieve the security that is necessary for VPN provisioning over the
Internet.

Using a Layer 3 approach, address and routing separation between customers is required.
This is inherent in a Layer 2 approach, but must be specially designed to work in a Layer 3 based
VPN solution. To solve this problem, draft-ietf-ppvpn-rfc2547bis-00.txt has been developed by a
number of Internet experts (notably from Cisco, Juniper, ATT, Alcatel, Worldcom, and others).
This draft RFC specifically defines how to provide address and routing separation using BGP,
and how to send this information and the VPN traffic itself over a MPLS backbone. The model as
expressed in the draft RFC is that Service Providers (SP) own the backbone and provision VPN
services from Provider Edge (PE) equipment which communicates directly with Customer Edge
(CE) equipment using standard technology such as Frame Relay, ATM, DSL, and T1. At that time,
the customer would purchase VPN services directly from the SP. Then, the SP would provide
the VPN service to multiple customers using a shared PE device. The key to providing security
in the shared PE equipment is made available by the BGP-VPN extensions as defined in the draft
RFC. Each PE router must maintain a number of forwarding tables, each of which map to a
unique VPN class. When a packet is received from the CE equipment, the forwarding table that
is mapped to that site is used to determine the routing for the data. Each VPN has its own
unique forwarding table, known as a VRF (VPN Routing and Forwarding). If a PE device has
multiple connections to the same site, a single VRF can be mapped to all of those connections.
The BGP-VPN extensions for VRF support then allow BGP to send the specific route forwarding
information to the PE router connected to the other end of the VPN. In this approach, route
separation is maintained for each unique VPN customer. In this type of architecture, only PE
routers must carry the VRF information. It is not necessary that the non-edge routers on the SP
backbone know anything about the VRF information. Consequently, this design greatly expands
the scalability of the Layer 3 VPN approach.
MPLS-VPN Architecture:
The MPLS architecture is defined in RFC 3031.

In traditional routing as an IP packet travels from one router to the next, every router makes
it’s own decision on where the packet should go. Each router reads the packet network layer
header, and then runs a routing algorithm against the destination address to determine the
next hop. Every router then chooses its own next hop for the packet based on the packet's
header and the routing algorithm. Routers will assign each packet into a set of "Forwarding
Equivalence Classes (FECs)"(2). They will then map each FEC to a next hop. As far as the router
is concerned there is no difference between packets that get mapped into the same FEC when
its making a forwarding decision for each packet, different packets which get mapped into the
same FEC are indistinguishable. Every packet in the FEC will go to the next hop assigned to that
FEC. As the packet moves from hop to hop across the network each router reexamines the
packet network layer header and assigns it to a FEC and sends it out the corresponding
interface until it reaches its destination.

With MPLS every packet only has its network layer header examined once, when it enters the
MPLS network. After the initial FEC assignment a 32 bit fixed length label is inserted into the
packet that contains the assigned FEC then is sent to the next hop router with the label
attached. The label is of local significance only. When MPLS routers, which are called label
switch routers, are provisioned they will set up a table of label to FEC mappings. Each FEC is
assigned a next hop.

A label distribution protocol is used to exchange label information between label switch routers
that have a direct connection to each other. The protocol usually rides on top of the routing
protocol in use by the use of extensions that have been developed for MPLS. As the packet
goes from hop to hop across the MPLS network the network layer header no longer has to be
examined by every router. Instead, the label is used to determine the next hop and which new
label to use. The old label is replaced with the new label, and the packet is forwarded to its next
hop. With MPLS forwarding, once a packet is assigned to a FEC, subsequent routers do no
further network layer header analysis; the labels drive all forwarding decisions.
When a packet first enters into the MPLS network on an interface of Router A, known as the
edge label switch router, Router A examines the network layer header determines the FEC that
the packet belongs to. Then it checks the label to FEC mapping table to see which label to use. It
then puts Label X into the packet and sends it out the interface that corresponds to the next
hop for the assigned FEC. Router B receives the packet from Router A and reads Label X. Router
B looks in his table and sees that when it receives a Label X from Router A it’s new label for the
packet will be Label Y. It removes Label X, adds Label Y and sends it out the interface to the next
hop that corresponds to the FEC for Label Y. This continues until the packet reaches its
destination. Then the label is stripped from the packet and sent out the interface that the
destination is on.
Forwarding VPN information using MPLS
As stated previously, the intermediate routers in the backbone do not need to maintain any
information about the VPNs. So how are packets forwarded from one VPN to another? The
answer is to use MPLS with a two-level label stack. PE routers insert 32-bit address prefixes into
the Internal Gateway Protocol Routing tables of the backbone. By doing this, MPLS at each
node in the SP backbone can assign a label to the corresponding route in each PE router. To
certify that this is interoperable, LDP (Label Distribution Protocol) is used for setting up the label
switched paths across the SP backbone. A variety of mechanisms can be used for the CE
equipment to deliver routing information to the PE router. This includes the use of static routes
and BGP. BGP has many advantages for CE to PE communications.
Advantages:
This method of packet forwarding has many advantages over traditional network layer
forwarding.

Since a packet is assigned to a FEC when it enters the network, the edge label switch router can
use any information about the packet in determining which FEC to use, even if the information
is not contained in the network layer header. Packets with the same destination arriving on
different ports of the router can be assigned to different FECs. Conventional forwarding, on the
other hand, can only consider information that travels with the packet in the packet header.

A packet that enters the network at a particular router can be labeled differently than the
same packet entering the network at a different router, and as a result forwarding decisions
that depend on the ingress router can be easily made.

The main advantage is that it does not require multiple instances on the PE since it is explicitly
designed for this function.

How does MPLS VPN work??

With the ability to determine the path of the packet through the network, Service Providers
could offer a Virtual Private Network across their backbones that could compete with Frame
Relay and ATM networks. They make it work with the MPLS network.

The service provider will have a customer edge router connect to an interface on the service
providers edge label switch router. Each geographically different site that will belong to the
VPN will connect a customer edge router into a service provider edge label switch router. The
customer edge router will be a routing peer of the service provider’s edge label switch router
and can exchange routing information. Individual customer sites will not be routing peers with
each other and they don’t even have to know about each other. Because of this the customer
does not have to manage the VPN backbone. The service provider will handle all the routing
that happens between the customer’s sites. The customer will not have access to the service
providers edge label switch router and the service provider will not have access to the
customers edge router. The customer will be responsible for maintaining his own sites’ edge
routers. The service providers edge label switch router will maintain a number of different
forwarding tables. An edge label switch router can have multiple customers connecting to it. It
will map each customer’s VPN to its own individual forwarding table. The forwarding table will
only contain routes to the rest of the customer’s sites that belong to the VPN for the customer.
Each forwarding table for each VPN is known as a VPN Routing and Forwarding table. In this
way there can be no communications between customers that do not have any VPN in
common. The edge label switch router can map different sites to the same forwarding table
only if the different sites belong to the same VPN. The forwarding tables get populated with the
BGP routing protocol . The customer has a MPLS VPN with Site 1, Site 2, and Site 3 connected to
service provider Router 1, Router 2, Router 3 respectively. Router 1, Router 2, and Router 3 will
exchange routing information for their respective sites with the use of the BGP routing
protocol.

The service provider edge label switch router will also contain a default forwarding table that
will be populated by the service providers normal routing protocol and will not contain any
MPLS VPN routes. After all this router can stil l be providing Internet access for other
customers.

There is a possibility that different companies are using the same IP address space. They may be
using a RFC 1918 private IP address space and doing network address translation for their
Internet access. In fact this has become very common in today’s networks. This is not a problem
for MPLS VPN, because each VPN uses its own forwarding table you can have overlapping IP
address space between VPNs and not have any routing problems. When the different service
provider edge label switch routers exchange their routing information they maintain the
separate routes for the same IP address space with the use of the BGP Multiprotocol extension.
The extension makes use of a new VPN-IPv4 address. The address is 12 bytes with 8 bytes for
the Route Distinguisher portion of the address and 4 bytes for the actual IP address. When
multiple MPLS VPN use the same IP address space the edge label switch router will translate
the address into the new unique VPN-IPv4 address. This way the routers will populate the
multiple forwarding tables with different routes with the same address space for each MPLS
VPN. The Route Distinguisher portion of the VPNIPv4 address is controlled by the service
provider and structured so there will be no conflict between Route Distinguishers from
different service providers.

If every service provider’s backbone routers had to maintain routing information for every VPN
that the service provider was supporting, sever scalability problems would arise. Because of the
label technology employed in the backbone the routing information only needs to be held by
the edge label switch router that the VPN attaches to. This makes MPLS VPNs very scaleable,
much more so than Frame Relay or ATM networks. The service provider only has to manage its
own backbone and not multiple VPN backbones.

Security of MPLS-VPN:
MPLS VPN security is accomplished by using a data plane and control plane approach for
security. The data plane protects against a packet from within a MPLS VPN from traveling
outside of its VPN boundaries and from packets from outside a MPLS VPN traveling into the
boundaries of a MPLS VPN. The service provider will ensure that routers will drop packets that
do not belong to MPLS VPN by examining the label of the packet. Control plane security ensures
that non-trusted peers can not inject routes into the MPLS VPN. This is accomplished by the use
of the MD5 authentication feature of BGP. Control plane security will also ensure that physical
security of the routers is maintained to eliminate unauthorized access.

Miercom conducted an independent test of MPLS VPN security with Cisco equipment in March
of 2001. The testing took the following considerations for security into account:

· Address and routing separation equivalent to layer 2 models.

· A service provider core network that is not visible to the outside world.

· A network that is resistant to attacks.

To quote from the report:

“The test results show that MPLS-VPNs provide the previous features at or above the level of a
layer 2 VPN such as Frame-Relay or ATM.”

Some providers of MPLS–VPN

The ZebOS MPLS-VPN Solution

The ZebOS MPLS-VPN solution is a portable, platform-independent solution that can be

integrated into PE equipment to deliver secure, peer-to-peer VPN solutions across a MPLS
backbone. A number of components are necessary to provide the full MPLS-VPN solutions. The
ZebOS Advanced Routing Suite provides these solutions and also contains a number of optional
routing components that can be easily added to support additional IPv4 and IPv6 routing
solutions. To fully implement the MPLS-VPN solution into PE equipment, the followingZebOS
modules are required:

• ZebOS Network Services Module

• ZebOS BGP Protocol Module with the optional VPN extensions

• ZebOS MPLS-LDP Module

• ZebOS MPLS Forwarder Module

Together, these modules provide the complete MPLS-VPN solution. The ZebOS Advanced
Routing Suite is being integrated into a number of network processing environments. These
implementations will allow MPLS-VPN to be supported on standard network processors and will
assist equipment manufacturers in quickly getting their products to market.
BSNL:

How Many Place MPLS Service is available?

The BSNL is providing country wide service. The list of the location is location . The service is
available all over India.

 What is the Tariff structure of BSNL’s  MPLS VPN ?

 Tariff of MPLS VPN and IP VPN Services in Rs. :

 

Particular 64 Kbps 128 Kbps 192 Kbps 256 Kbps 384 Kbps 512 Kbps

Gold 63000 105000 138000 178000 221000 301000

Silver 52000 88000 116000 149000 185000 249000

Bronze 43000 72000 95000 122000 162000 219000

IP VPN 35000 60000 79000 102000 137000 186000

             

Particular 768 Kbps 1 Mbps 2 Mbps 8 Mbps 34 Mbps 45 Mbps

Gold 368000 423000 610000 2134000 3902000 4389000

Silver 306000 353000 487000 1706000 3119000 3509000

Bronze 267000 305000 355000 1242000 2272000 2556000

IP VPN 229000 263000 294000 1028000 1880000 2115000

             

Tariff for higher bandwidth i.e 100Mbps, STM1, 1 Gbps and 2.5Gbps
 STM1 (155
Particular 100mbps 1 Gbps 2.5Gbps
Mbps)

Gold 8079500 11770000 56496000 101222000

Silver 6459500 9410000 45168000 80926000

Bronze 4705000 6854000 32899200 58944400

Best Effort 3893500 5672000 27225600 48779200

2. Committed Data Rate in Bronze category - The bandwidth of Bronze category would be
restricted to 50% of bandwidth.   However, the minimum B/W of 25% B/W will be committed to
Bronze customers

3. Discount on MPLS VPN ports - It has been decided to give multiple port discounts on the total
number of ports hired across the country as given below. It may be noted that multiple ports
are not required to be located in a city for offering this discount:

Existed discount on Revised discount on

No. of Ports VPN Ports on Graded VPN Ports on Non-
basis graded basis

1 to 4 ports 0% 0%

5 to 25 ports 10% 5%

26 to 50 ports 15% 10%

51 to 100 ports 20% 10%

101 to 150 ports 20% 15%

More than 150 ports 20% 20%

4. Volume based discount on MPLS VPN Service - Annual volume based discount on graded
basis may be given to all customers as under:

Volume based Discount on Graded

Annual Revenue( in Rs.) on MPLS
basis
 VPN Service per annum

Upto Rs.50 lakhs No discount

Rs.50 lakhs to 1 Crore 5%

Rs.1 Crore to 2 Crore 7.5%

Rs.2 Crore to 5 Crore 10%

More than Rs.5 Crore 15%

5. Shifting charges of MPLS VPN & IP VPN Port - Rs.2000/- per port.

6. Minimum hiring period for MPLS VPN and IP VPN ports - One year.

7. Upgradation of port to higher Bandwidth – No charges to be levied for upgradation to higher

bandwidth. The rent for the lower BW port to be adjusted on pro-rata basis.

Who will Provide the MODEM ?

In case of MLLN, the BSNL will provide MODEM(NTU). 

What is MLLN ?

MLLN stands for Managed Leased Line Network.This is the technologies implemented and

provided by BSNL to extend local lead upto customer premises.The MLLN having the
capabilities to detect the fault, localize the fault, escalate the fault, provide the local loop
from the NOC.

 What type of user equipment is required to connect to MPLS VPN ?

CPE routers are needed to connect user sites to MPLS VPN network.  Any brand or model of
CPE routers that support standard routing protocols can be used.

What  is the fault Escalation Mechanism for MPLS VPN ?

BSNL having a pro-active fault escalation mechanism .MPLS Network Operation Centre(NOC)
is monitor the circuit round the clock 24 X 7. Customer can book the complaint/Fault    at Toll
free No.             1600 44 1957      .
Conclusion:
In summary MPLS VPN offerings are starting to get the attention of enterprise customers as an
alternative to Frame Relay and ATM for connecting their geographically different sites. It has
been tested to show that it is as secure or more secure than Frame Relay and ATM. It has the
ability to scale into very large networks and provide a quality of service. It al lows for the
customer to have control over which type of data he wants to use on his VPN. I think as time
goes by that MPLS VPNs will become the VPN of choice for enterprise customers when deciding
how to connect their geographically different sites.

There are many service providers offering MPLS VPNs services and also all major network
equipment companies build MPLS capable routers