Definitive MPLS Network Designs [Electronic resources] - Text version


Jim Guichard; François Le Faucheur; Jean-Philippe Vasseur


Providing Internet Services to MPLS VPN Customers


Internet access is bundled with Layer 3 MPLS VPN services. Several connectivity options are available, depending on the customer's requirements. Access to Internet services may be obtained via the global routing table at a given Globenet PE router, or it may be via a default route within a specific customer VRF.

Each region in the Globenet worldwide network provides its own Internet access using local peering sessions with other Internet service providers in its region. This means that each region, with the exception of South America, receives an adequate number of routes from its local peering sessions to prevent it from needing any transit services.

Local IPv4 routes received from Globenet customers attached within that region are exchanged across the autonomous system boundaries of the Globenet network. A customer may also obtain Internet access within its own VRF through a backup default route from another region. This default is leaked across the regional boundaries, but it remains within the customer's VPN context.

Figure 5-17 shows how Internet connectivity is established across the Globenet network. The North America region is used as a transit autonomous system by the South America region. The North America, AsiaPac, and EMEA regions all have direct connectivity between them.


Figure 5-17. Globenet Worldwide Internet Connectivity


Internet Via the Global or VRF Routing Table


Globenet evaluated whether to carry the Internet routes within the global routing table or within a specific "Internet" VRF.

Carrying routes within a VRF had some attractive properties:

A higher degree of security is provided without the need to deploy access control lists (ACLs). This is because all outside access (except routing protocols) to the PE router from attached customer sites (such as Telnet, Simple Network Management Protocol (SNMP), and so forth) is disabled by default in a VRF.

The core infrastructure is totally isolated and therefore protected from outside intrusion. Furthermore, the edge of the network is also protected from outside intrusion because routes cannot be leaked from a VRF into the global routing table unless explicitly configured.


However, a number of disadvantages were also noted:

Scaling properties are at best a challenge if both Internet and Layer 3 MPLS VPN services are needed at the PE router. Scaling at the PE router is a challenge because of the large number of IPv4 routes that become VPNv4 routes (because they are included in a VRF) and therefore consume more resources such as memory and label space. This leaves little room for additional Layer 3 MPLS VPN attachments on Globenet's older router platforms.

All current and future IP features necessary for Internet traffic need to be supported on a per-VRF basis; in other words, they need to be "VRF-aware."


Consequently, Globenet decided to deploy Internet within the global table and apply the right filters at the edge of its network to help mitigate the risk of intrusion or DoS attacks.


Internet Access Following the Default Route


As mentioned earlier, the typical profile of a customer accessing Globenet Layer 3 MPLS VPN services involves large corporations that have a presence in various regions around the world. These types of customers have tended to follow a hub-and-spoke configuration in the past. This means that they have several central sites/data centers scattered across various regions and a large number of satellite premises.

For VPN connectivity, the any-to-any nature of a Layer 3 MPLS VPN service is very attractive, especially for applications such as voice over IP (VoIP). However, for Internet service it is still typical to access the full set of Internet routes at the central sites and just follow a default route from the satellite sites toward the central site. The central site normally houses Network Address Translation (NAT), caching, and firewall services for the corporation.

A default route may be injected into a particular VPN in a number of ways. In some cases the VPN client receives Internet connectivity from an ISP other than Globenet. In this case the default is advertised as part of the routing information within the VPN context, and therefore to all attached sites in the VPN. This is independent of the Internet services that Globenet provides. The only service Globenet provides to this type of customer is VPN connectivity.

If Globenet provides the Internet access, the customer has various options. The easiest type of access to deal with is the case in which the end customer has registered IP address space or provides its own NAT/firewall services. In this case Globenet doesn't need to provide NAT or firewall services; it only needs to generate a default route for these customers. Figure 5-18 shows a typical topology for this type of customer.


Figure 5-18. Internet Access Via the Default Route Generated from the Customer Hub Site


Figure 5-18 shows that the customer central site, from where Internet access is obtained, generates a default route to the VPN. This default is advertised across the Globenet network for import into the VRFs of remote satellite sites. If Globenet manages the customer CE router, it generates a default route on the central site CE router. It points a static route toward the customer's firewall (which typically resides on a local LAN) and uses the default-information originate command within the customer BGP process that faces the Globenet PE router. If the CE router is unmanaged, either the customer generates the default from the CE router, or Globenet generates it from within the VRF at the PE router.

If a customer does not use a central location to provide access to the Internet, and if the customer uses registered IP address space, Globenet provides the facility to access the Internet via one of its Internet gateways using a default route injected into the customer VPN at the PE router closest to this Internet gateway. Figure 5-19 shows an example of this type of connectivity.


Figure 5-19. Internet Access Via the Default Route Generated from the Globenet Exit Point

Globenet uses the template shown in Example 5-4 to generate a static default route into the customer VRF at the PE router close to one of the Internet exit points.

Example 5-4. Static Default Route Template



ip route vrf customer-vrf-name 0.0.0.0 0.0.0.0 Internet-exit-point-IP-address global
ip route customer-site-IP-addresses netmask outbound-interface-address

Example 5-4 shows that a default is injected into the customer VRF (configured on PE1, PE2, and PE3 in Figure 5-19) with a next hop pointing toward one of the Globenet Internet exit points. The global keyword is used on the static route configuration to indicate that the next hop for this route is held in the PE router's global routing table rather than the VRF itself. The second static route points to a route held within the attached customer site. This configuration is necessary so that these IP subnet addresses can be advertised toward the Internet so that return traffic can be routed back toward the originating VPN site.
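As an added example (not code from the book), the following Python model reproduces the forwarding behaviour of the two static routes in Example 5-4 on a PE router: the VRF default whose next hop is resolved in the global table, a more specific VPNv4 route that still wins over that default, and the second static route without which Internet return traffic has no path back into the VRF. The VRF name CUST, all addresses and all interface names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed model of a PE router with a global table and one customer VRF.
# Table names, prefixes and interface names are invented for this example.

class PERouter:
    """Per-table longest-prefix match with recursive next-hop resolution."""
    def __init__(self):
        self.tables = {"global": []}   # table name -> [(prefix, next_hop, resolve_in)]

    def add_route(self, table, prefix, next_hop, resolve_in=None):
        # resolve_in names the table in which an IP next hop is looked up;
        # the IOS 'global' keyword corresponds to resolve_in="global".
        self.tables.setdefault(table, []).append(
            (ip_network(prefix), next_hop, resolve_in or table))

    def lookup(self, table, dst):
        dst = ip_address(dst)
        best = None
        for prefix, nh, resolve_in in self.tables.get(table, []):
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh, resolve_in)
        return None if best is None else best[1:]

    def egress(self, table, dst):
        """Return the outgoing interface for dst, or None if the table has no route."""
        hit = self.lookup(table, dst)
        if hit is None:
            return None
        nh, resolve_in = hit
        return nh if nh.startswith("intf:") else self.egress(resolve_in, nh)

def build_pe(with_return_route=True):
    pe = PERouter()
    # Global table: the Internet exit point (192.0.2.1) and a remote PE loopback.
    pe.add_route("global", "192.0.2.0/24", "intf:Gi0/0-core")
    pe.add_route("global", "10.255.0.2/32", "intf:Gi0/1-core")
    # Customer VRF: a VPNv4 route to a remote site, then the Example 5-4 default
    # (ip route vrf CUST 0.0.0.0 0.0.0.0 192.0.2.1 global).
    pe.add_route("CUST", "10.2.2.0/24", "10.255.0.2", resolve_in="global")
    pe.add_route("CUST", "0.0.0.0/0", "192.0.2.1", resolve_in="global")
    if with_return_route:
        # Second static route of Example 5-4, pointing at the PE-CE interface:
        # makes the site prefix reachable from the global table for return traffic.
        pe.add_route("global", "10.1.1.0/24", "intf:Se0/1-CE")
    return pe

def demo(with_return_route=True):
    pe = build_pe(with_return_route)
    return {
        "site_to_internet": pe.egress("CUST", "203.0.113.10"),  # default, resolved in global
        "site_to_remote_site": pe.egress("CUST", "10.2.2.7"),   # VPN prefix beats the default
        "internet_to_site": pe.egress("global", "10.1.1.5"),    # return path into the site
    }
```

Running `demo(with_return_route=False)` shows the failure mode the paragraph warns about: Internet-bound traffic still leaves via the exit point, but the return lookup in the global table yields no route.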


Full Internet Access Via the PE-CE Access Link


Globenet also provides Internet services to customers that need to announce and receive routes directly to and from the Internet. An example of this type of customer is one that requires dual attachment with the Internet.

Globenet assessed the possibility of injecting Internet routes into each customer VRF that requires Internet access. However, this solution was quickly rejected. With more than 150,000 Internet routes injected into each VRF requiring Internet access, it was clear that this was not a scalable solution and that Globenet would very quickly run out of memory at the PE routers.

Instead, Globenet decided to advertise Internet routes to all its P routers in the core network and to any PE routers that require Internet routes (in other words, PE routers that have Internet clients attached, which is not the case for all PE routers). These routes are held in the global routing table of the P/PE routers.

As the Internet routes are held in the global routing table, a separate connection must be provided to each VPN site that wants to advertise and receive Internet routes to and from the PE router. This additional connection is often provided via a Frame Relay PVC between the PE router and CE router. This means that each VPN site (that wants to obtain partial or full Internet routes) has two Frame Relay PVCs: one for the VPN service and another for the Internet service.

The PE router is configured to redistribute Internet routes toward the customer CE routers via a BGP-4 session. Conversely, any BGP-4 routes received from an attached CE router are injected into the global routing table at the PE router and are advertised toward the Internet using the IPv4 address family. Figure 5-20 illustrates this solution.


Figure 5-20. Full Internet Route Access Between PE/CE Routers

Figure 5-20 shows that the customer CE router can terminate the VPN Frame Relay PVC directly but use frame-switching functionality to offload the Internet PVC to another router in the site. This router then can inject Internet routes into the site via a firewall so that all Internet traffic from the site travels via the firewall and over the Internet PVC to the PE router. This PVC is terminated in the PE router's global table; therefore, the PE router can forward the traffic as normal. The VPN PVC is terminated within a VRF, and the PE router uses the MPLS VPN forwarding mechanisms for any packets received across this connection.


Internet Access Via Globenet NAT/Firewall Services


The entire Internet solution set described so far relies on the end customer providing its own NAT/firewall services. However, many of Globenet's customers do not want to run their own cache engines, firewalls, and NAT services. Instead, they want to obtain these from Globenet.

Globenet provides these services at common gateway points within the Type 1 POPs in each region. Figure 5-21 shows the POP structure.


Figure 5-21. Type 1 POP Internet with NAT/Firewall/Cache Facilities

