
Multi-Protocol Label Switching (MPLS) Conformance and Performance Testing

Source: Internet  Author: west263.com  Date: 2008-02-22


MPLS VPNs vs. IPSec VPNs. The term VPN can be confusing, as it is used to describe a number of technologies. VPNs can be organized into two broad categories:

  • Customer-based: the VPN is configured exclusively on customer-located equipment and uses tunneling protocols across the public network, most commonly IPSec.
  • Network-based: the VPN is configured on service provider equipment and managed by the provider. MPLS VPNs are an example of network-based VPNs.

IPSec adds secure encryption capabilities to IP. It is typically managed by the end customer, outside of a service provider's network, where there is a higher degree of exposure to breaches of data privacy. IPSec is especially useful for securing remote location VPN connections back to the corporate network.

MPLS VPNs are maintained on the service provider's equipment, which can provide significant cost savings and increased scalability compared with other VPN technologies. MPLS VPNs keep different customers' traffic separated by uniquely identifying each VPN flow and setting up circuit-like connections. This mechanism provides traffic separation and is transparent to end users within the VPN group. MPLS VPNs provide security inherently, essentially making IP as secure as Frame Relay or ATM, and reducing the need for encryption. Miercom, an independent network consultancy and testing laboratory, tested MPLS VPN security on a network of various routers, and concluded (2001): “Our test results have demonstrated that MPLS-based VPN networks offer the same level of security as Frame Relay or ATM.”

L3 VPNs. MPLS VPNs fall into two broad classes: those that operate at Layer 3 and those that operate at Layer 2. Layer 3 VPNs were first to be investigated and standardized in RFCs. Layer 3 VPNs based on RFC 2547bis have seen the most widespread deployment to date.

RFC 2547bis-based Layer 3 VPNs use extensions to BGP, specifically Multi-Protocol internal BGP (MP-iBGP), to distribute VPN routing information across the provider backbone. Standard MPLS mechanisms (as previously discussed) are used to forward the VPN traffic across the backbone. In an L3 VPN, the CE and PE routers are IP routing peers. The CE router provides the PE router with the routing information for the customer's private network behind it. The PE router stores this private routing information in a Virtual Routing and Forwarding (VRF) table; each VRF is essentially a private IP network. The PE router maintains a separate VRF table for each VPN, thereby providing appropriate isolation and security. VPN users have access only to sites or hosts within the same VPN. In addition to the VRF tables, the PE router also stores the normal routing information it needs to send traffic over the public Internet.



Figure 3. Layer 3 VPN MPLS network.

L3 VPNs use a two-level MPLS label stack (see Figure 3). The inner label carries VPN-specific information from PE to PE. The outer label carries the hop-by-hop MPLS forwarding information. The P routers in the MPLS network only read and swap the outer label as the packet passes through the network. They do not read or act upon the inner VPN label; that information is tunneled across the network.
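The per-VPN VRF tables and the two-level label stack described above can be traced in a short model. This is an added example, not code from the original article. It assumes the RFC 3032 label stack entry layout (20-bit label, 3-bit TC, 1-bit bottom-of-stack, 8-bit TTL). All label values, VPN names and CE names are constructed, and penultimate-hop popping is ignored.

```python
import ipaddress
import struct

def pack_entry(label, tc, bottom, ttl):
    # One 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)
    return struct.pack("!I", (label << 12) | (tc << 9) | (bottom << 8) | ttl)

def unpack_stack(packet):
    """Return ([(label, tc, bottom, ttl), ...], payload); stops at the S bit."""
    entries = []
    for off in range(0, len(packet) - 3, 4):
        (word,) = struct.unpack_from("!I", packet, off)
        entries.append((word >> 12, (word >> 9) & 7, (word >> 8) & 1, word & 0xFF))
        if entries[-1][2]:
            return entries, packet[off + 4:]
    raise ValueError("truncated stack: bottom-of-stack bit never set")

# Constructed sample data: two customers reuse 10.1.0.0/16, one VRF each.
VRFS = {
    "vpn-red": {ipaddress.ip_network("10.1.0.0/16"): "CE-red-2"},
    "vpn-blue": {ipaddress.ip_network("10.1.0.0/16"): "CE-blue-2",
                 ipaddress.ip_network("10.1.5.0/24"): "CE-blue-3"},
}
VPN_LABEL_TO_VRF = {2001: "vpn-red", 2002: "vpn-blue"}  # inner labels, egress PE
P_LFIB = {100: 200}                                     # outer label swap on a P router

def fake_ipv4(dst):
    # Constructed 20-byte stand-in for an IPv4 header; only the destination is set.
    return bytes(16) + ipaddress.ip_address(dst).packed

def ingress_pe(vpn_label, outer_label, ip_packet, ttl=64):
    # Outer entry goes first on the wire (S=0); inner VPN entry is the bottom (S=1).
    return pack_entry(outer_label, 0, 0, ttl) + pack_entry(vpn_label, 0, 1, ttl) + ip_packet

def p_router(packet):
    # A P router rewrites only the top entry; everything after it is copied as-is.
    (word,) = struct.unpack_from("!I", packet, 0)
    if (word & 0xFF) <= 1:
        raise ValueError("TTL expired")
    new_top = (P_LFIB[word >> 12] << 12) | (word & 0xF00) | ((word & 0xFF) - 1)
    return struct.pack("!I", new_top) + packet[4:]

def egress_pe(packet):
    """Select the VRF from the inner label, then longest-prefix match in that VRF only."""
    entries, payload = unpack_stack(packet)
    vrf = VPN_LABEL_TO_VRF[entries[-1][0]]  # unknown VPN label raises KeyError: drop
    addr = ipaddress.ip_address(payload[16:20])
    matches = [n for n in VRFS[vrf] if addr in n]
    best = max(matches, key=lambda n: n.prefixlen, default=None)
    return vrf, VRFS[vrf].get(best)
```

The same destination address resolves to a different customer edge depending only on the inner label, so in this model isolation rests on the PE assigning and honouring VPN labels, not on the address.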

The L3 VPN approach has several advantages. The customer IP address space is managed by the carrier, significantly simplifying the customer IT role, as new customer VPN sites are easily connected and managed by the provider. L3 VPNs also have the advantage of supporting auto-discovery by leveraging the dynamic routing capabilities of BGP to distribute VPN routes.

The Layer 3 approach has disadvantages as well. Layer 3 VPNs support only IP or “IP-encapsulated” customer traffic. Scaling also can be a significant issue with PE routers required to support BGP routing tables that are larger than normal with the addition of the VPN routes.

L2 VPNs. Layer 2 MPLS VPNs have recently generated much interest from carriers and vendors and are beginning to be deployed (2003). Layer 2 MPLS VPN standards are still in the development phase, but the industry has centralized on the IETF Martini drafts, named after primary author Luca Martini. These drafts define a method for setting up L2 VPN tunnels across an MPLS network that can handle all types of Layer 2 traffic, including Ethernet, Frame Relay, ATM, TDM, and PPP/HDLC.

There are two kinds of Layer 2 VPNs that use the Martini methodology:

  • Point-to-point: similar to ATM and Frame Relay using fixed, point-to-point connections (LSPs) across the network.
  • Multi-point: supporting meshed and hierarchical topologies.



Figure 4. Layer 2 VPN MPLS network.

VPLS (Virtual Private LAN Services) is a multi-point L2 VPN model that has generated significant interest of late. VPLS uses Ethernet as the access technology between the customer and the provider network and enables a private corporate Ethernet network to be extended over a provider-managed MPLS infrastructure. Multiple corporate customer sites can be connected together with all locations appearing to be on the same Layer 3 network, all without the complexity of configuring Layer 3 routers.
