Overview | Junos OS | Juniper Networks (2024)

A virtual private network (VPN) consists of two topological areas: the provider’s network and the customer’s network. The customer’s network is commonly located at multiple physical sites and is also private (non-Internet). A customer site would typically consist of a group of routers or other networking equipment located at a single physical location. The provider’s network, which runs across the public Internet infrastructure, consists of routers that provide VPN services to a customer’s network as well as routers that provide other services. The provider’s network connects the various customer sites in what appears to the customer and the provider to be a private network.

To ensure that VPNs remain private and isolated from other VPNs and from the public Internet, the provider’s network maintains policies that keep routing information from different VPNs separate. A provider can service multiple VPNs as long as its policies keep routes from different VPNs separate. Similarly, a customer site can belong to multiple VPNs as long as it keeps routes from the different VPNs separate.

The Junos® Operating System (Junos OS) provides several types of VPNs; you can choose the best solution for your network environment. Each of the following VPNs has different capabilities and requires different types of configuration:

  • Layer 2 VPNs
  • Layer 3 VPNs
  • VPLS
  • Virtual-Router Routing Instances

Layer 2 VPNs

Implementing a Layer 2 VPN on a router is similar to implementing a VPN using a Layer 2 technology such as ATM or Frame Relay. However, for a Layer 2 VPN on a router, traffic is forwarded to the router in Layer 2 format. It is carried by MPLS over the service provider’s network and then converted back to Layer 2 format at the receiving site. You can configure different Layer 2 formats at the sending and receiving sites. The security and privacy of an MPLS Layer 2 VPN are equal to those of an ATM or Frame Relay VPN.

On a Layer 2 VPN, routing occurs on the customer’s routers, typically on the CE router. The CE router connected to a service provider on a Layer 2 VPN must select the appropriate circuit on which to send traffic. The PE router receiving the traffic sends it across the service provider’s network to the PE router connected to the receiving site. The PE routers do not need to store or process the customer’s routes; they only need to be configured to send data to the appropriate tunnel.

For a Layer 2 VPN, customers need to configure their own routers to carry all Layer 3 traffic. The service provider needs to know only how much traffic the Layer 2 VPN needs to carry. The service provider’s routers carry traffic between the customer’s sites using Layer 2 VPN interfaces. The VPN topology is determined by policies configured on the PE routers.

Layer 3 VPNs

In a Layer 3 VPN, the routing occurs on the service provider’s routers. Therefore, Layer 3 VPNs require more configuration on the part of the service provider, because the service provider’s PE routers must store and process the customer’s routes.

In the Junos OS, Layer 3 VPNs are based on RFC 4364, BGP/MPLS IP Virtual Private Networks (VPNs). This RFC defines a mechanism by which service providers can use their IP backbones to provide Layer 3 VPN services to their customers. The sites that make up a Layer 3 VPN are connected over a provider’s existing public Internet backbone.

VPNs based on RFC 4364 are also known as BGP/MPLS VPNs because BGP is used to distribute VPN routing information across the provider’s backbone, and MPLS is used to forward VPN traffic across the backbone to remote VPN sites.

Customer networks, because they are private, can use either public addresses or private addresses, as defined in RFC 1918, Address Allocation for Private Internets. When customer networks that use private addresses connect to the public Internet infrastructure, the private addresses might overlap with the private addresses used by other network users. BGP/MPLS VPNs solve this problem by prefixing a VPN identifier to each address from a particular VPN site, thereby creating an address that is unique both within the VPN and within the public Internet. In addition, each VPN has its own VPN-specific routing table that contains the routing information for that VPN only.
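The following added example (not Junos OS code or Juniper’s own implementation) models the two mechanisms just described: a per-VPN routing table (VRF) and a route distinguisher (RD) prefixed to each prefix so that overlapping RFC 1918 space from different customers yields distinct VPN-IPv4 routes. The VRF names, RDs in "ASN:number" form, prefixes and next hops are all constructed sample values.

```python
import ipaddress

# Constructed scenario: two customers, Red and Green, both number a site
# from 10.1.0.0/24. Each VRF carries its own RD; prefixing the RD to the
# prefix is what keeps the two routes apart on the provider backbone.

def vpn_ipv4_key(rd: str, prefix: str) -> str:
    """Build the RD:prefix identifier that BGP carries for a VPN route."""
    asn, number = rd.split(":")
    net = ipaddress.ip_network(prefix)
    return f"{int(asn)}:{int(number)}:{net.with_prefixlen}"

class VrfTable:
    """Per-VPN routing table; entries are keyed by the plain customer prefix."""
    def __init__(self, name: str, rd: str):
        self.name, self.rd = name, rd
        self.routes = {}  # prefix -> next hop (the PE that owns the site)

    def add(self, prefix: str, nexthop: str) -> None:
        self.routes[ipaddress.ip_network(prefix).with_prefixlen] = nexthop

    def export(self) -> dict:
        """Routes as they would be advertised across the backbone, RD-prefixed."""
        return {vpn_ipv4_key(self.rd, p): nh for p, nh in self.routes.items()}

def build_backbone_table(vrfs) -> dict:
    """Merge every VRF's exports; the RD makes otherwise equal prefixes unique."""
    backbone = {}
    for vrf in vrfs:
        for key, nh in vrf.export().items():
            if key in backbone:
                raise ValueError(f"duplicate VPN-IPv4 route {key}")
            backbone[key] = nh
    return backbone

def lookup(vrf: VrfTable, dst: str):
    """Longest-prefix match restricted to one VRF; other VPNs are invisible."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in vrf.routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

if __name__ == "__main__":
    red = VrfTable("Red", "65000:1"); red.add("10.1.0.0/24", "PE-A")
    green = VrfTable("Green", "65000:2"); green.add("10.1.0.0/24", "PE-B")
    for key, nh in build_backbone_table([red, green]).items():
        print(key, "->", nh)  # same prefix, two distinct backbone routes
```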

VPLS

Virtual private LAN service (VPLS) allows you to connect geographically dispersed customer sites as if they were connected to the same LAN. In many ways, it works like a Layer 2 VPN. VPLS and Layer 2 VPNs use the same network topology and function similarly. A packet originating within a customer’s network is sent first to a CE device. It is then sent to a PE router within the service provider’s network. The packet traverses the service provider’s network over an MPLS LSP. It arrives at the egress PE router, which then forwards the traffic to the CE device at the destination customer site.

The key difference in VPLS is that packets can traverse the service provider’s network in a point-to-multipoint fashion, meaning that a packet originating from a CE device can be broadcast to PE routers in the VPLS. In contrast, a Layer 2 VPN forwards packets in a point-to-point fashion only. The destination of a packet received from a CE device by a PE router must be known for the Layer 2 VPN to function properly.

In a Layer 3 network only, you can configure virtual private LAN service (VPLS), to connect geographically dispersed Ethernet local area network (LAN) sites to each other across an MPLS backbone. For ISP customers who implement VPLS, all sites appear to be in the same Ethernet LAN even though traffic travels across the service provider's network. VPLS is designed to carry Ethernet traffic across an MPLS-enabled service provider network. In certain ways, VPLS mimics the behavior of an Ethernet network. When a PE router configured with a VPLS routing instance receives a packet from a CE device, it first checks the appropriate routing table for the destination of the VPLS packet. If the router has the destination, it forwards it to the appropriate PE router. If it does not have the destination, it broadcasts the packet to all the other PE routers that are members of the same VPLS routing instance. The PE routers forward the packet to their CE devices. The CE device that is the intended recipient of the packet forwards it to its final destination. The other CE devices discard it.
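The forwarding decision described above, as an added example that is not part of the Junos documentation: a small simulation of one VPLS routing instance spanning several PE routers, in which a known destination is forwarded to the owning PE and an unknown one is flooded to every other PE in the instance. It also models the source-address learning that standard VPLS uses to fill the table over time. PE names and MAC addresses are constructed sample values.

```python
# Constructed scenario: VPLS instance "Blue" with members PE1, PE2 and PE3.
# Each PE keeps its own MAC table for the instance, mapping a MAC either to
# "local" (behind this PE's CE) or to the remote PE it was learned from.

class VplsInstance:
    def __init__(self, name, pes):
        self.name = name
        self.pes = set(pes)
        self.mac_table = {pe: {} for pe in pes}  # per PE: MAC -> location

    def receive_from_ce(self, pe, src_mac, dst_mac):
        """Ingress PE decision: return the set of PEs the frame is sent to."""
        table = self.mac_table[pe]
        table[src_mac] = "local"  # learn: source sits behind this PE's CE
        if dst_mac in table:
            target = table[dst_mac]
            # Destination is local: nothing crosses the backbone at all.
            return set() if target == "local" else {target}
        # Unknown destination: flood to all other PEs in the same instance.
        return self.pes - {pe}

    def receive_from_core(self, pe, from_pe, src_mac):
        """Egress PE: learn that src_mac is reachable via from_pe, then
        hand the frame to the attached CE devices (they filter on MAC)."""
        self.mac_table[pe][src_mac] = from_pe
        return "deliver-to-ce"

    def send(self, ingress_pe, src_mac, dst_mac):
        """Full path for one frame: ingress lookup, then learning at each
        PE that receives it over the LSP. Returns the PEs it was sent to."""
        targets = self.receive_from_ce(ingress_pe, src_mac, dst_mac)
        for pe in targets:
            self.receive_from_core(pe, ingress_pe, src_mac)
        return targets

if __name__ == "__main__":
    blue = VplsInstance("Blue", ["PE1", "PE2", "PE3"])
    print(blue.send("PE1", "aa:aa", "bb:bb"))  # unknown -> flooded
    print(blue.send("PE2", "bb:bb", "aa:aa"))  # learned -> only PE1
    print(blue.send("PE1", "aa:aa", "bb:bb"))  # now known -> only PE2
```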

Virtual-Router Routing Instances

A virtual-router routing instance, like a VPN routing and forwarding (VRF) routing instance, maintains separate routing and forwarding tables for each instance. However, many configuration steps required for VRF routing instances are not required for virtual-router routing instances. Specifically, you do not need to configure a route distinguisher, a routing table policy (the vrf-export, vrf-import, and route-distinguisher statements), or MPLS between the P routers.

However, you need to configure separate logical interfaces between each of the service provider routers participating in a virtual-router routing instance. You also need to configure separate logical interfaces between the service provider routers and the customer routers participating in each routing instance. Each virtual-router instance requires its own unique set of logical interfaces to all participating routers.

Figure 1 shows how this works. The service provider routers G and H are configured for virtual-router routing instances Red and Green. Each service provider router is directly connected to two local customer routers, one in each routing instance. The service provider routers are also connected to each other over the service provider network. These routers need four logical interfaces: a logical interface to each of the locally connected customer routers and a logical interface to carry traffic between the two service provider routers for each virtual-router instance.

Figure 1: Logical Interface per Router in a Virtual-Router Routing Instance

Layer 3 VPNs do not have this configuration requirement. If you configure several Layer 3 VPN routing instances on a PE router, all the instances can use the same logical interface to reach another PE router. This is possible because Layer 3 VPNs use MPLS (VPN) labels that differentiate traffic going to and from various routing instances. Without MPLS and VPN labels, as in a virtual-router routing instance, you need separate logical interfaces to separate traffic from different instances.

One method of providing this logical interface between the service provider routers is by configuring tunnels between them. You can configure IP Security (IPsec), generic routing encapsulation (GRE), or IP-IP tunnels between the service provider routers, terminating the tunnels at the virtual-router instance.
