
UNIVERSITY . FACULTY .


GRADUATION REPORT
TOPIC:

MPLS AND ITS APPLICATIONS

Graduation thesis

MPLS and the MPLS/VPN application

INTRODUCTION

In recent years the telecommunications industry has been looking for a switching method that combines the strengths of IP and ATM to meet the network's needs in its next phase of growth. Many studies have been carried out, among them work on Multiprotocol Label Switching (MPLS). MPLS grew out of IP switching: it uses ATM's label-swapping mechanism to speed up packet forwarding without changing IP's routing protocols. MPLS separates the functions of an IP router into two distinct parts, packet forwarding and control, and it also makes management easier. MPLS has been chosen in recent years to simplify and consolidate the core network. It lets operators cut costs, simplifies traffic management and supports Internet services. Most importantly, it is a new step toward the goal of a multi-service network carrying mobile, voice and data traffic. The virtual private network (VPN) is one of the most important applications of MPLS. Companies, and multinational companies in particular, have a large demand for this kind of service: with a VPN they can use telecommunications services and carry internal data at low cost with assured security. It is an important application for private networks that use the national information infrastructure and have differing requirements for safety, confidentiality and quality of service. The thesis has six chapters in two parts. The first part studies Multiprotocol Label Switching itself; the second studies the virtual private network application of MPLS. The first part has three chapters.

Lê Phạm Minh Thắng


Chapter 1 presents the overall structure of an MPLS network, the problems of traditional IP networks, and some applications of Multiprotocol Label Switching. Chapter 2 covers MPLS in Frame mode: data-plane operation, label distribution and binding, and penultimate hop popping in the forwarding process. Chapter 3 covers MPLS in Cell mode: control-plane connectivity over the LC-ATM interface, forwarding of labelled packets across the ATM-LSR domain, and label allocation and distribution in the ATM-LSR domain. The second part has three chapters. Chapter 4 is an overview of VPNs: their development, classification and functions, tunnelling and encryption, the protocols used for VPNs, and the peer-to-peer and overlay models. Chapter 5 covers MPLS/VPN models: the Layer 2 model (Layer 2 VPN components, the Martini model, routing information) and the Layer 3 model (BGP/MPLS, the components of a Layer 3 VPN, BGP/MPLS operation, open issues and solutions). Chapter 6 covers security and quality of service in MPLS VPN: separation of VPNs, resistance to attacks, hiding the core network structure, resistance to spoofing, quality of service, and the trends and opportunities for service providers deploying MPLS VPN. MPLS is a difficult and broad subject, and because my knowledge and understanding are still limited this thesis cannot avoid shortcomings, and some parts could not be covered fully. I very much hope to receive comments from the teachers and from fellow students. My sincere thanks.

Hanoi, June 2008. Student: Lê Phạm Minh Thắng


Part 1: Multiprotocol Label Switching (MPLS)

Chapter 1. Overall structure of MPLS

1.1 Network service providers [4]

Consider the following examples, which show the problems a service provider faces and hence the need for a technology that solves them well. Figure 1.1 has four sites: Atlanta, Miami, Orlando and Raleigh. At each site the routers connect to ATM switches in a full mesh, forming the core of the provider's network.

Figure 1.1: Physical topology of the service provider


Figure 1.2: Logical topology of the service provider

Another way to look at this network is to see the sites as connected to a network cloud, as in Figure 1.2. The cloud illustrates the problem met when ATM and IP are connected together. IP and ATM were developed independently and have no relationship with each other: an ATM switch only cares about carrying traffic according to VPI/VCI values, whereas a router is a Layer 3 device that forwards packets according to the information carried in the packets themselves.

1.1.1 Scalability

Another problem the service provider faces is scalability. To guarantee redundancy and optimal routing, a full mesh of virtual circuits (VCs) has to be created, and the result is far too many connections.


Figure 1.3: Full mesh with 6 virtual circuits

The more sites are added to the core, the more VCs have to be created. It also means every router must exchange routing updates with many adjacent routers, generating a large amount of traffic on the network. This overhead also hurts router performance by reducing their processing rate.

1.1.2 Traffic engineering

Traffic engineering is the process by which traffic is carried optimally according to requirements. Although both IP and ATM offer it, IP clearly cannot match ATM in this respect. Because ATM and IP are completely separate technologies, it is hard to combine them to deploy end-to-end traffic engineering.

1.1.3 Quality of Service (QoS)

Both IP and ATM provide QoS. One difference between them is that IP is connectionless whereas ATM is connection-oriented. The problem for the service provider is therefore how to combine the two QoS implementations into a single solution.

We can also see clearly the shortcomings of traditional network-layer packet forwarding (for example, forwarding IP packets across the Internet). Forwarding is based on information supplied by routing protocols (RIP, OSPF, EIGRP, BGP) or by static routes, which decide the next hop for a packet. The decision is based solely on the destination address: all packets with the same destination follow the same path unless equal-cost routes exist, in which case load balancing takes place. The routers decide which path a packet takes. Network-layer devices gather and distribute network-layer information and perform Layer 3 switching based on the contents of the network-layer header in each packet. Routers can be connected to each other directly over point-to-point links or LANs, or through WAN switches (Frame Relay or ATM). These switches, however, cannot process Layer 3 routing information or select a path for a packet by analysing its destination address, so a Layer 2 switch cannot take part in the Layer 3 forwarding decision. In such a WAN environment the network designer must set up the Layer 2 paths across the WAN by hand. Those paths then carry Layer 3 packets between the routers connected at the edge of the Layer 2 network. Layer 2 paths in a LAN are easy to set up; in a WAN they are more complex. Layer 2 paths in a WAN are usually point-to-point (for example the virtual circuits of most WAN technologies) and are created only on request, by manual configuration. Any router at the edge of the Layer 2 network (say the ingress router) that wants to forward Layer 3 packets to another router (the egress) must either establish a direct connection across the network to the egress device or send the data to another device that relays it to the destination.

Figure 1.4: An example of an IP network over an ATM core

To guarantee optimal packet forwarding, an ATM virtual circuit must exist between every pair of routers connected to the ATM core. If the network is large, with tens or even hundreds of routers interconnected, this creates a serious problem. The following issues arise: whenever a new router is attached to the WAN core, a virtual circuit has to be provisioned for it; if the network runs a routing protocol (say OSPF or IS-IS), every router announces each change to every other router attached to the WAN backbone, producing far too much traffic; and using virtual circuits between routers is complicated because the traffic between any two routers is hard to predict accurately. The lack of information exchange between routers and WAN switches is not a problem for the traditional Internet, which simply uses routers for routing, or WAN services (ATM or Frame Relay) on their own; combining the two is what creates the problem. A different architecture is therefore required, one that lets routers and WAN switches exchange network-layer information and lets the switches take part in packet forwarding, at which point connectivity between every pair of edge routers is no longer necessary.

1.2 What is Multiprotocol Label Switching?

Multiprotocol Label Switching (MPLS) is a technology introduced to solve many of the problems of packet switching in an internetworking environment. MPLS combines the benefits of Layer 2 packet switching with Layer 3 routing. Like Layer 2 networks (Frame Relay or ATM), MPLS improves packet forwarding across the network by attaching labels to IP packets, ATM cells or Layer 2 frames. The forwarding mechanism is called label swapping: the data units (packets or cells) carry a short, fixed-length label, and at each node the packets are processed and forwarded on the basis of that label.


The fundamental difference between MPLS and traditional WAN technologies is the way labels are assigned and the ability to carry a stack of labels on a single packet. The label stack makes many new applications possible, such as Traffic Engineering and Virtual Private Networks (VPN). Packet forwarding in MPLS contrasts sharply with the existing connectionless environment, in which a packet is analysed at every hop (router): the Layer 3 header is examined and a forwarding decision is made by the network-layer routing algorithm.

An MPLS node has two components: the forwarding component (also called the data plane) and the control component (the control plane). The forwarding component uses a label forwarding database to forward data according to the labels carried by packets. The control component is responsible for creating and maintaining the label forwarding information (called bindings) among a group of label switches. Every MPLS node must run one or more IP routing protocols (or rely on static routing) so that it can exchange routing information with the other MPLS nodes in the network. Accordingly, every MPLS node, ATM switches included, is a router in the control plane.


Figure 1.4: Basic structure of an MPLS node

As in a traditional router, the IP routing protocols are used to build the routing table, and the IP routing table is used to forward packets. In an MPLS node the routing table also determines the exchange of label forwarding information: adjacent MPLS nodes exchange labels for the subnets present in the routing table. The MPLS IP Routing Control process uses the labels exchanged with adjacent MPLS nodes to build the Label Forwarding Table, the database used to forward labelled packets through the MPLS network.

1.2.1 MPLS architecture

First we look at the new concepts in the MPLS architecture and their functions in the MPLS domain. The first device is the Label Switch Router (LSR). LSRs are routers or switches that implement label distribution and can forward packets based on labels. Label distribution lets an LSR pass its label forwarding information to the other LSRs in the MPLS network. There are several kinds of LSR, distinguished by their function in the network infrastructure: the Edge LSR, the ATM-LSR and the ATM edge LSR. The distinction is purely architectural, since one device can play several roles. The functions of each kind are summarised below; note that any device in the network may have more than one function (a device can be both an edge LSR and an ATM edge LSR).

LSR type        Function
LSR             Forwards labelled packets.
Edge LSR        Can receive an IP packet, perform a Layer 3 lookup and impose a label stack before forwarding the packet into the LSR domain.
                Can receive a labelled packet, remove the label stack, perform a Layer 3 lookup and forward the IP packet to the next hop.
ATM-LSR         Runs the MPLS protocols in the control plane to set up ATM virtual circuits, and forwards cells to the next-hop ATM-LSR.
ATM edge LSR    Can receive a labelled or unlabelled packet, segment it into ATM cells and forward the cells to the next-hop ATM-LSR.
                Can receive ATM cells from an adjacent ATM-LSR, reassemble them into the original packet and forward it as a labelled or unlabelled packet.

1.2.2 Label assignment at the network edge

Packets must be labelled before they are forwarded into the MPLS domain. To do this, the edge LSR must know where the packet is headed, that is, which header or label stack it must impose on the packet. For Layer 3 forwarding to the next hop, a router looks up the destination IP address from the packet's Layer 3 header in the routing table and then selects the next hop, and this is repeated until the packet reaches its destination. There are two ways of sending IP packets to the next hop: the first treats all packets with the same forwarding behaviour alike as they cross the network; the second maps each destination IP address to the IP address of a next hop. In MPLS the first approach is called the Forwarding Equivalence Class (FEC). A FEC is a group of packets that share the same requirements for their forwarding across the network; all packets in such a group are given the same path selection to the destination. Unlike traditional IP forwarding, in MPLS a packet is assigned to a FEC only once, when it enters the network. MPLS makes no forwarding decision per Layer 3 datagram but uses the FEC concept instead. The FEC depends on several factors, at least the IP address and possibly also the kind of traffic in the datagram (voice, data, fax). Based on the FEC, labels are then agreed between adjacent LSRs from ingress to egress within a routing domain. Each LSR builds a table that determines how a packet is to be forwarded. This table is called the Label Information Base (LIB); it is the set of FEC-to-label bindings, and the labels are then used to forward traffic across the network. One way to partition traffic into FECs is to create a separate FEC for every address prefix that appears in the routing table. This can produce a set of FECs that all follow the same path to the destination, so inside an MPLS domain there would be many separate FECs, which is inefficient. In practice MPLS merges such FECs into a single FEC.
Figure 1.5: Separate FECs for each address prefix (ingress node, 1 prefix = 1 FEC, egress node; routing table entries 172.16.10.5/16, 172.16.17.3/16, 172.16.12.8/16, 192.168.14.7/24, 192.168.14.20/24)

Figure 1.6: Aggregating FECs (ingress node, n prefixes = 1 FEC, egress node; same routing table entries)

Figure 1.7: MPLS label creation and forwarding

With the traditional IP forwarding mechanism, every packet is processed at every hop in the network. With MPLS, a packet can be assigned to a particular FEC, and this is done at the edge device when the packet enters the network. The forwarding equivalence class of each packet is then encoded as a short, fixed-length identifier called a label.

1.2.3 MPLS packet forwarding and label switched paths

Each packet enters the MPLS network at an ingress LSR and leaves it at an egress LSR. This mechanism creates a Label Switched Path (LSP), described as the set of LSRs that labelled packets of a given FEC must traverse to reach the egress LSR. An LSP is unidirectional, which means a different LSP is used for the return traffic of a FEC. An LSP is connection-oriented because the path is created before any traffic is carried; however, the path is set up from information about the network topology rather than from a traffic-flow request. As a packet crosses the MPLS network, each LSR swaps the incoming label for an outgoing label until the last LSR, known as the egress LSR (much as an ATM switch swaps one VPI/VCI pair for another as a cell leaves the switch).

1.3 Other applications of MPLS

Figure 1.8: The different applications of MPLS


MPLS was created to combine traditional routing and ATM switching in a unified IP core (the IP+ATM architecture). Its real strength, however, lies in the other applications it makes possible, from Traffic Engineering to Virtual Private Networks. All of these applications use the control-plane function to set up a switching database.

1.3.1 Traffic engineering

A key problem in IP networks is the lack of flexible control over IP traffic flows for efficient use of the available bandwidth. This shortcoming concerns the ability to send selected flows down selected paths, for example to choose guaranteed trunk paths for particular classes of service. MPLS uses label switched paths (LSPs), a form of lightweight virtual circuit that can be set up on both ATM and packet-based devices. MPLS traffic engineering uses LSP setup to steer IP traffic flows flexibly.

1.3.2 Virtual Private Network (VPN)

VPNs provide the infrastructure for Intranets and Extranets, the IP networks that businesses build across their whole organisation. A VPN service is an Intranet or Extranet service that a service provider delivers to many customer organisations over its network. MPLS combined with BGP lets a provider support thousands of customer VPNs. MPLS with BGP therefore provides a very flexible, scalable and manageable way to deliver VPN services on both ATM and packet-based equipment. Even in quite small provider networks, the flexibility and manageability of BGP/MPLS VPN services are the main advantage.

1.3.3 IP and ATM integration

Because label switching can be performed by ATM switches, MPLS is a way to integrate IP services directly onto ATM switches. This integration requires placing IP routing and LDP software directly on the ATM switches. With IP fully integrated on the ATM switches, MPLS lets them support IP services such as IP multicast, IP class of service, RSVP and VPNs optimally.

1.3.4 Quality of Service (QoS) support

One shortcoming of IP networks compared with Frame Relay and ATM is their inability to deliver service that satisfies the needs of the traffic. Real-time traffic such as voice or video, for example, needs a high quality of service (low delay and low loss) as it crosses the network, and business data should likewise get priority over ordinary web browsing. The connection-oriented nature of MPLS provides a reasonable framework for assuring the quality of IP traffic. While QoS and class of service (CoS) are not specific features of MPLS, they can be applied in an MPLS network when traffic engineering is used. This lets the provider sign service level agreements (SLAs) with customers guaranteeing bandwidth, delay and loss, deliver value-added services alongside basic data transport, increase revenue, and ultimately move toward a converged network.

Intserv and Diffserv. Over time several techniques have been developed to provide QoS/CoS in a network. In the Integrated Services (Intserv) model, RSVP provides QoS signalling across the network, letting devices negotiate and set traffic parameters that guarantee end-to-end bandwidth and delay; it reserves resources in place and guarantees service per flow. The Differentiated Services (Diffserv) model is less rigid: it delivers CoS by treating all traffic of the same priority class alike, but with no signalling and no end-to-end guarantee. Diffserv redefines the Type of Service (ToS) field in the IP header to carry this classification. While Intserv guarantees bandwidth to traffic, it has proved not to scale to large networks; the Diffserv architecture is the alternative, but offers no guarantees. The IETF combined Diffserv with MPLS traffic engineering to provide guaranteed QoS in MPLS networks: the Diffserv information in the IP header is mapped into the label information of the MPLS packet, and the MPLS routers use this priority information to forward the data


appropriately. The mechanisms used include traffic shaping, queuing and packet classification. QoS is enforced at the edge of the MPLS cloud, where traffic from the customer network enters the transport network. At this entry point, delay-sensitive real-time traffic such as voice over IP or video conferencing can be given priority over large data transfers.

Chapter 2. MPLS operation in Frame mode


Chapter 1 gave an overview of the MPLS architecture. In this chapter we look at one of its applications: IP routing of unicast destination addresses in a pure router environment. This is also called Frame-mode MPLS, because the labelled packets are exchanged as Layer 2 frames. This section concentrates on the MPLS data plane, assuming that the labels have somehow been exchanged between the routers; the following section explains exactly how labels are distributed between routers.

2.1 MPLS data-plane operation in Frame mode

Chapter 1 summarised how an IP packet crosses the MPLS core. There are three main steps. An ingress edge LSR receives an IP packet, classifies it into a forwarding equivalence class (FEC) and labels it with the outgoing label stack that corresponds to that FEC; for destination-based routing the FEC corresponds to the subnet of the destination address, and classifying the packet is just a Layer 3 lookup in the routing table. The core LSRs receive the labelled packet and use their label forwarding tables to swap the incoming label in the packet for the outgoing label that corresponds to the FEC (in this case the IP subnet).


When the egress edge LSR receives the labelled packet, it removes the label and performs a Layer 3 lookup on the IP packet. The question that arises is where the label is created and how the receiving router knows whether the packet it receives is labelled or plain IP. Consider the following model:

Figure 2.1: Packet switching model between routers

2.1.1 MPLS label stack header

For several reasons, switching performance among them, in frame mode the MPLS label must be placed in front of the data it labels. The MPLS label is therefore inserted between the Layer 2 header and the Layer 3 content of the Layer 2 frame.


Figure 2.2: Position of the MPLS label in a Layer 2 frame

Because the MPLS label is inserted between the Layer 2 header and the Layer 3 packet, the MPLS label header is called a shim header. An MPLS label header is 32 bits long and contains, in wire order: a 20-bit MPLS label, 3 bits of class-of-service information, a 1-bit bottom-of-stack flag, and an 8-bit Time-to-live (TTL) field used to detect loops in the same way as the IP TTL.

Figure 2.3: MPLS label stack header

The bottom-of-stack bit is what makes the MPLS label stack possible. Recall that a label stack is defined as a combination of two or more label headers attached to one packet. Unicast IP routing does not use a stack, but for the other MPLS applications, such as MPLS VPN and MPLS Traffic Engineering, it is an essential element.

With the MPLS label stack header inserted between the Layer 2 header and the Layer 3 payload, the sending router needs some way of telling the receiving router that the packet being transmitted is not a plain IP packet but a labelled one. To make this straightforward, new protocol types were defined at Layer 2:

In LAN environments, labelled packets carrying unicast and multicast Layer 3 addresses use the Ethertype values 0x8847 and 0x8848 respectively. These Ethertypes can be used directly in Ethernet environments (Fast Ethernet and Gigabit Ethernet).

On point-to-point links using PPP encapsulation, a new Network Control Protocol (NCP) called the MPLS Control Protocol (MPLSCP) is used to negotiate MPLS on the link. Per RFC 3032, MPLSCP itself uses PPP protocol number 0x8281, while the labelled packets are carried with a PPP Protocol field value of 0x0281 (MPLS unicast).

MPLS packets crossing a Frame Relay DLCI between a pair of routers are marked with the Frame Relay SNAP Network Layer Protocol ID (NLPID), followed by a SNAP header carrying the Ethertype 0x8847.

The San Jose router in Figure 2.1 inserts an MPLS label in front of the IP packet it received, encapsulates the labelled packet in a PPP frame whose Protocol field identifies MPLS unicast, and forwards the Layer 2 frame to the San Francisco router.

2.1.2 Label switching in Frame mode

On receiving the Layer 2 PPP frame from San Jose, the San Francisco router immediately recognises from the PPP Protocol field that the packet it has just received is labelled, and performs a lookup in its Label Forwarding Information Base (LFIB). Labelled packets are forwarded this way all the way to the destination; at the last router the LFIB instructs the router to remove the label and forward the now unlabelled packet.

2.1.3 MPLS label switching with a label stack

Label switching works regardless of how many labels are attached to a packet, whether a single label or a stack of several. In both cases the LSR processes only the top label of the stack and ignores the others. This lets edge routers agree on packet classification rules and the labels associated with them without the core routers needing to know anything about them, which is what many MPLS applications rely on. For example, suppose that the San Jose and New York routers in a network supporting MPLS/VPN both know network 10.1.0.0/16, that this network is reachable through New York, and that New York has assigned it label 73. The core routers (San Francisco and Washington) know nothing about this. To send a packet to a host in 10.1.0.0/16, San Jose builds a label stack: the bottom label is the one assigned by New York, and the top label is the one assigned for New York's IP address by San Francisco. As the network switches the packet, the top label is swapped exactly as for an IP packet forwarded across the backbone, while the second label in the stack stays intact until the packet reaches New York.
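The shim header of section 2.1.1 and the stack handling of section 2.1.3 are easy to get subtly wrong (field order, the meaning of the S bit, which Layer 2 protocol identifier announces a labelled packet). The following Python is an added example, not code from the thesis: it encodes and decodes a label stack in the RFC 3032 layout, wraps it in an Ethernet II frame with Ethertype 0x8847, and shows the check a receiver on a PPP link makes before consulting its LFIB. The MAC addresses, label values and the minimal IPv4 packet used as payload are constructed for the example; the parser deliberately rejects a stack that ends without a bottom-of-stack entry, which is the case a hand-built frame or a truncated capture produces.

```python
import struct

ETHERTYPE_MPLS_UNICAST = 0x8847
ETHERTYPE_MPLS_MULTICAST = 0x8848
PPP_PROTOCOL_MPLS_UNICAST = 0x0281   # RFC 3032 4.3: labelled packets on a PPP link
PPP_PROTOCOL_MPLSCP = 0x8281         # RFC 3032 4.3: the NCP that negotiates MPLS on the link
MAX_LABEL = (1 << 20) - 1


def encode_label_stack(entries):
    """entries: [(label, exp, ttl), ...] with the top of the stack first.
    Each entry becomes 32 bits: label(20) | EXP(3) | S(1) | TTL(8); S is set on the last one."""
    out = bytearray()
    for i, (label, exp, ttl) in enumerate(entries):
        if not (0 <= label <= MAX_LABEL and 0 <= exp <= 7 and 0 <= ttl <= 255):
            raise ValueError("field out of range: %r" % ((label, exp, ttl),))
        s = 1 if i == len(entries) - 1 else 0
        out += struct.pack("!I", (label << 12) | (exp << 9) | (s << 8) | ttl)
    return bytes(out)


def decode_label_stack(data):
    """Returns (entries, payload). Reads entries until one has S=1; raises if none does."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("label stack truncated: no bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", data, offset)
        offset += 4
        entries.append((word >> 12, (word >> 9) & 0x7, word & 0xFF))
        if (word >> 8) & 0x1:
            return entries, data[offset:]


def stack_is_well_formed(data):
    """True only if the bytes contain a complete stack terminated by an S=1 entry."""
    try:
        decode_label_stack(data)
        return True
    except ValueError:
        return False


def build_labeled_ethernet_frame(dst_mac, src_mac, entries, ip_packet):
    """Ethernet II frame: the shim sits between the 14-byte L2 header and the L3 packet."""
    header = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_MPLS_UNICAST)
    return header + encode_label_stack(entries) + ip_packet


def parse_ethernet_frame(frame):
    """Dispatch on the Ethertype: MPLS frames get their stack peeled, others pass through."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    body = frame[14:]
    labels = None
    if ethertype in (ETHERTYPE_MPLS_UNICAST, ETHERTYPE_MPLS_MULTICAST):
        labels, body = decode_label_stack(body)
    return {"ethertype": ethertype, "labels": labels, "payload": body}


def ppp_frame_is_labeled(ppp_protocol):
    """The test the San Francisco router of Figure 2.1 applies before using its LFIB."""
    return ppp_protocol == PPP_PROTOCOL_MPLS_UNICAST


# Constructed sample payload: a minimal IPv4 header (no options, no data) standing in for a packet.
SAMPLE_IP_PACKET = bytes.fromhex("4500001400010000400000000a010005c0a80101")
```

Building a frame with the two-entry stack from the text (an IGP label on top, label 73 underneath) and parsing it back gives the same two entries with S set only on the last one; the EXP field of the top entry is where the Diffserv mapping of section 1.3.4 ends up.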

Figure 2.4: Label switching with a label stack

2.2 Label distribution and binding in Frame-mode MPLS

This section looks at how FECs are bound to labels and how the bindings are passed between LSRs over framed interfaces. Two label binding protocols are used to associate an IP subnet with an MPLS label for destination-based forwarding: the Tag Distribution Protocol (TDP) and the Label Distribution Protocol (LDP). TDP and LDP perform the same function and both may be used in a network, even on different interfaces of the same LSR. Here we discuss TDP.

2.2.1 Establishing an LDP/TDP session


When MPLS is enabled on a router interface, TDP/LDP is started and the Label Information Base (LIB) structure is created. The router also tries to discover other LSRs on the MPLS-enabled interface by means of TDP hello packets. These hellos are sent as broadcast or multicast UDP packets (to a group address) and establish LSR neighbour relationships. Once the hellos have discovered a TDP neighbour, a TDP session is set up. TDP sessions use TCP port 711 and LDP sessions use TCP port 646. Using TCP gives good flow control and reliability when the network is congested. Two points matter in practice: LDP hellos (UDP to 224.0.0.2, port 646) carry no authentication, so an LSR should only accept sessions from expected neighbours, and the TCP session itself should be protected with the TCP MD5 signature option that RFC 5036 section 2.9 specifies, otherwise a host on the segment can inject label mappings.
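To make the discovery step concrete, the following Python is an added example rather than code from the thesis. It builds and parses the LDP Hello PDU of RFC 5036 (version 1 PDU header, LDP identifier, Hello message 0x0100 with the Common Hello Parameters TLV 0x0400 and the IPv4 Transport Address TLV 0x0401) and applies the RFC's rule for who opens the TCP session: the LSR with the numerically greater transport address is the active side and connects to the peer's port 646. The LSR IDs, hold time and addresses are constructed for the example; the accept-list check stands in for the neighbour filtering a router does before a session is allowed to form, and the parser treats an unknown TLV with the U bit clear as fatal for the message, as the RFC requires.

```python
import ipaddress
import struct

LDP_VERSION = 1
LDP_PORT = 646                       # hellos: UDP to 224.0.0.2:646; sessions: TCP 646
ALL_ROUTERS_GROUP = "224.0.0.2"
MSG_HELLO = 0x0100
TLV_COMMON_HELLO_PARAMETERS = 0x0400
TLV_IPV4_TRANSPORT_ADDRESS = 0x0401


def build_hello(lsr_id, hold_time, transport_address, message_id=1):
    """One LDP PDU carrying one Hello (RFC 5036 3.5.2), platform-wide label space 0."""
    tlvs = struct.pack("!HHHH", TLV_COMMON_HELLO_PARAMETERS, 4, hold_time, 0)
    tlvs += struct.pack("!HH", TLV_IPV4_TRANSPORT_ADDRESS, 4)
    tlvs += ipaddress.IPv4Address(transport_address).packed
    message = struct.pack("!I", message_id) + tlvs
    message = struct.pack("!HH", MSG_HELLO, len(message)) + message  # length excludes type/length
    pdu = ipaddress.IPv4Address(lsr_id).packed + struct.pack("!H", 0) + message
    return struct.pack("!HH", LDP_VERSION, len(pdu)) + pdu           # length excludes version/length


def parse_hello(pdu, udp_source):
    """Strict decoder for a PDU holding a single Hello. `udp_source` is the address the UDP
    datagram came from; RFC 5036 uses it as the transport address when the TLV is absent."""
    version, pdu_len = struct.unpack_from("!HH", pdu, 0)
    if version != LDP_VERSION or pdu_len != len(pdu) - 4:
        raise ValueError("bad LDP PDU header")
    lsr_id = str(ipaddress.IPv4Address(pdu[4:8]))
    (label_space,) = struct.unpack_from("!H", pdu, 8)
    msg_type, msg_len = struct.unpack_from("!HH", pdu, 10)
    if msg_type & 0x7FFF != MSG_HELLO or msg_len != len(pdu) - 14:
        raise ValueError("not a single Hello message")
    (message_id,) = struct.unpack_from("!I", pdu, 14)
    hello = {"lsr_id": lsr_id, "label_space": label_space, "message_id": message_id,
             "hold_time": None, "transport_address": udp_source}
    offset = 18
    while offset < len(pdu):
        tlv_type, tlv_len = struct.unpack_from("!HH", pdu, offset)
        value = pdu[offset + 4:offset + 4 + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("TLV overruns PDU")
        if tlv_type & 0x3FFF == TLV_COMMON_HELLO_PARAMETERS:
            hello["hold_time"] = struct.unpack("!H", value[:2])[0]
        elif tlv_type & 0x3FFF == TLV_IPV4_TRANSPORT_ADDRESS:
            hello["transport_address"] = str(ipaddress.IPv4Address(value))
        elif not tlv_type & 0x8000:          # U bit clear: unknown TLV, message must be rejected
            raise ValueError("unknown mandatory TLV 0x%04x" % tlv_type)
        offset += 4 + tlv_len
    if hello["hold_time"] is None:
        raise ValueError("Common Hello Parameters TLV missing")
    return hello


def hello_is_valid(pdu, udp_source):
    try:
        parse_hello(pdu, udp_source)
        return True
    except (ValueError, struct.error):
        return False


def accept_hello(hello, allowed_lsr_ids):
    """Hellos are unauthenticated UDP: refuse unexpected LSR IDs before any session forms."""
    return hello["lsr_id"] in allowed_lsr_ids


def session_role(my_transport_address, peer_transport_address):
    """RFC 5036 2.5.2: the greater transport address (as an unsigned integer) is the active
    side and opens the TCP connection to the peer's port 646; the other side listens."""
    mine = int(ipaddress.IPv4Address(my_transport_address))
    peer = int(ipaddress.IPv4Address(peer_transport_address))
    if mine == peer:
        raise ValueError("transport addresses must differ")
    return "active" if mine > peer else "passive"
```

A hello with LSR ID 10.0.0.1 and a 15-second hold time encodes to 34 bytes (4-byte PDU header, 6-byte LDP identifier, 4-byte message header, 4-byte message ID and two 8-byte TLVs); against a peer advertising 10.0.0.2, the 10.0.0.1 side is passive and waits for the connection.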


2.2.2 Label distribution and binding

Once the Label Information Base (LIB) has been created in the router, a label is assigned to every FEC the router knows. Because routing is destination-based, a FEC corresponds to an IGP (Interior Gateway Protocol) prefix in the IP routing table; a label is therefore assigned to every prefix in the IP routing table and the mapping between the two tables is stored in the LIB. Because an LSR assigns a label to each IP prefix in its routing table as soon as the prefix appears there, and that label is then used by the other LSRs to send labelled packets to this LSR, this way of allocating and distributing labels is called independent control label assignment with unsolicited downstream distribution:

Label assignment in a router is done without regard to whether the router has already received a label for the same prefix from a neighbouring router; this is why it is called independent control.

The distribution is unsolicited because the LSR assigns a label and advertises the mapping to its upstream neighbours (toward the source) without regard to whether those LSRs need the label. The original tag-switching architecture also included downstream-on-demand distribution, in which an LSR assigns a label to a prefix and sends it to an upstream router only when asked; neither the current implementation nor the MPLS architecture uses this mode for frame-mode label distribution.

The distribution is downstream because the LSR assigns a label that the other (upstream) LSRs can use to forward labelled packets to it, and advertises that mapping to the adjacent routers.

All label bindings are advertised immediately to the other routers over the TDP sessions. A router announces its IP prefix-to-label bindings to every adjacent router, upstream or downstream; the binding is even sent to the next-hop router itself, so there is no split horizon in TDP or LDP processing. An LSR that receives prefix-to-label mappings stores them in its LIB and uses one in the Label Forwarding Information Base (LFIB) only if that mapping came from the downstream router, that is, the next hop for the prefix. This way of keeping bindings is called liberal retention mode, as opposed to conservative retention mode, in which an LSR keeps only the labels assigned to a prefix by its current downstream routers. A router may therefore receive many TDP bindings from its neighbours but uses only some of them in its forwarding tables, as follows: only the label binding from the next-hop router is considered for the corresponding FIB entry. If the router has received no binding from the next hop, the FIB entry specifies that packets for that destination are sent unlabelled. If it has received a binding from the next hop, the router's own label and the next hop's label are both stored in the LFIB. If the next hop has not assigned a label for the prefix, the packet is sent without a label.

2.2.3 Convergence in Frame-mode MPLS


One of the important factors in MPLS network design is the convergence time of the network. Some MPLS applications (MPLS/VPN, or a BGP design that relies on MPLS) will not work correctly unless a labelled packet is carried over the whole path from the ingress edge LSR to the egress edge LSR, and in these applications the convergence time can be increased by propagation delay. In Frame-mode MPLS, liberal retention combined with independent label control and unsolicited downstream label distribution keeps TDP/LDP convergence time to a minimum: a router using liberal retention already holds the labels assigned to a prefix by all of its TDP/LDP neighbours, so it always finds an outgoing label matching the routing table without having to ask the new next hop for a label assignment.

2.3 Penultimate Hop Popping

The egress edge LSR of an MPLS network has to perform two lookups: one on the labelled packet received from the adjacent MPLS node, and one for the destination in a subnet outside the MPLS network. It must examine the label in the label stack header, determine that the label is to be popped, and then look up the IP packet underneath.

Figure 2.5: Two lookups at the last router, New York


Performing two lookups at the New York router reduces the performance of that node. Moreover, where MPLS and IP switching are implemented in hardware, a double lookup greatly increases the complexity of the hardware. Penultimate Hop Popping (PHP) solves this problem. The double lookup is only needed for directly connected subnets and for aggregate routes: for a directly connected interface the Layer 3 lookup is required to get the exact information for delivering the packet to the directly connected destination, and for an aggregate prefix the Layer 3 lookup is required to find the specific route along which the packet must be sent. In all other cases the outgoing Layer 2 information is held in the LFIB and the Layer 3 lookup is unnecessary. With PHP, the edge LSR asks its adjacent upstream router to pop the label by advertising the implicit-null label (value 3) for the prefix instead of a real label.

Figure 2.6: Penultimate Hop Popping in an MPLS network

In Figure 2.6 the Washington router removes the label from the packet and sends the plain IP packet to the New York router. New York then performs a single Layer 3 lookup and forwards the packet to its final destination.
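Sections 1.2.2, 2.1.3, 2.2.2 and 2.3 together describe one mechanism: a longest-prefix match classifies the packet into a FEC at the ingress, each LSR binds a label to every prefix on its own (independent control) and advertises it to all neighbours, a receiver keeps every binding in the LIB (liberal retention) but programs its LFIB only from the next hop's binding, the core swaps the top label and leaves the rest of the stack alone, and the egress advertises implicit-null so the penultimate hop pops. The following Python is an added example, not code from the thesis, that implements those rules on the four-router chain of the chapter's figures (San Jose, San Francisco, Washington, New York; the loopback prefix, label ranges and VPN label 73 are constructed). It also reproduces the failure mode section 2.2.3 warns about: if the penultimate hop never receives the egress's binding, its LFIB entry is "untagged", the whole stack including the VPN label is stripped, and the packet arrives at New York as plain IP.

```python
import ipaddress

IMPLICIT_NULL = 3  # RFC 3032 reserved label: advertised by the egress so the penultimate hop pops


class Lsr:
    """Toy LSR with the three tables the chapter describes: FIB, LIB and LFIB."""

    def __init__(self, name, first_label):
        self.name = name
        self.fib = {}            # prefix -> next-hop LSR name (None = connected, we are egress)
        self.local_labels = {}   # prefix -> label this LSR assigned (independent control)
        self.lib = {}            # (prefix, neighbour) -> label that neighbour advertised
        self.lfib = {}           # incoming label -> (action, outgoing label, next hop)
        self.next_label = first_label

    def add_route(self, prefix, next_hop):
        net = ipaddress.ip_network(prefix)
        self.fib[net] = next_hop
        if net not in self.local_labels:   # independent control: bind as soon as the prefix appears
            if next_hop is None:
                self.local_labels[net] = IMPLICIT_NULL
            else:
                self.local_labels[net] = self.next_label
                self.next_label += 1

    def bindings(self):
        """Advertised unsolicited to every neighbour, next hop included (no split horizon)."""
        return dict(self.local_labels)

    def receive_bindings(self, neighbour, mapping):
        """Liberal retention: keep every neighbour's binding, then rebuild the LFIB."""
        for net, label in mapping.items():
            self.lib[(net, neighbour)] = label
        self.rebuild_lfib()

    def rebuild_lfib(self):
        self.lfib = {}
        for net, next_hop in self.fib.items():
            local = self.local_labels[net]
            if local == IMPLICIT_NULL:
                continue                         # egress: nothing arrives labelled for this prefix
            out = self.lib.get((net, next_hop))  # only the next hop's binding is eligible
            if out is None:
                self.lfib[local] = ("untagged", None, next_hop)
            elif out == IMPLICIT_NULL:
                self.lfib[local] = ("pop", None, next_hop)
            else:
                self.lfib[local] = ("swap", out, next_hop)

    def lookup_fib(self, dst):
        """Longest-prefix match: (prefix, next_hop) or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, next_hop in self.fib.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best

    def ingress(self, dst):
        """Classify into a FEC (the matching prefix) once and impose the next hop's label."""
        match = self.lookup_fib(dst)
        if match is None:
            raise ValueError("no route for " + dst)
        net, next_hop = match
        out = self.lib.get((net, next_hop))
        return next_hop, ([] if out in (None, IMPLICIT_NULL) else [out])

    def forward(self, labels):
        """Core forwarding acts on the top label only; 'untagged' strips the whole stack."""
        action, out, next_hop = self.lfib[labels[0]]
        if action == "swap":
            return next_hop, [out] + labels[1:]
        if action == "pop":
            return next_hop, labels[1:]
        return next_hop, []


ALL_ADJACENCIES = {("SanJose", "SanFrancisco"), ("SanFrancisco", "SanJose"),
                   ("SanFrancisco", "Washington"), ("Washington", "SanFrancisco"),
                   ("Washington", "NewYork"), ("NewYork", "Washington")}


def build_backbone(advertise):
    """Constructed chain SanJose - SanFrancisco - Washington - NewYork; `advertise` holds the
    (sender, receiver) adjacencies over which label bindings are actually exchanged."""
    chain = ["SanJose", "SanFrancisco", "Washington", "NewYork"]
    lsrs = {n: Lsr(n, first_label=16 + 100 * i) for i, n in enumerate(chain)}
    lsrs["NewYork"].add_route("192.168.1.4/32", None)             # NewYork loopback (constructed)
    for i in range(len(chain) - 1):
        lsrs[chain[i]].add_route("192.168.1.4/32", chain[i + 1])
    lsrs["SanJose"].add_route("192.168.0.0/16", "SanFrancisco")    # less specific, to show LPM
    for i, n in enumerate(chain):
        for j in (i - 1, i + 1):
            if 0 <= j < len(chain) and (n, chain[j]) in advertise:
                lsrs[chain[j]].receive_bindings(n, lsrs[n].bindings())
    return lsrs


def run_lsp(lsrs, ingress_name, dst, inner_labels=()):
    """Push `inner_labels` (e.g. a VPN label only the egress understands) under the IGP label
    and walk hop by hop. Returns (path, label stack as the last node sees it)."""
    next_hop, labels = lsrs[ingress_name].ingress(dst)
    labels = labels + list(inner_labels)
    path = [ingress_name]
    while next_hop is not None and len(path) < 16:
        path.append(next_hop)
        node = lsrs[next_hop]
        if not labels:                       # unlabelled: plain IP lookup at this hop
            match = node.lookup_fib(dst)
            next_hop = match[1] if match else None
        elif labels[0] in node.lfib:
            next_hop, labels = node.forward(labels)
        else:
            break                            # top label belongs to this node's application, not LDP
    return path, labels
```

With bindings exchanged on every adjacency, San Jose imposes San Francisco's label 116 over the VPN label 73, San Francisco swaps 116 for Washington's 216, Washington's LFIB entry for 216 is a pop because New York advertised implicit-null, and New York receives the packet with only label 73 on it, which is the label stack behaviour of Figure 2.4 and the PHP behaviour of Figure 2.6 in one run.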


In summary, frame-mode operation is what occurs when MPLS is used in a pure router environment to route IP packets hop by hop; labelled packets are forwarded as Layer 2 frames. Forwarding an IP packet across the MPLS network takes the following steps: the ingress edge LSR receives the IP packet, classifies it into a forwarding equivalence class (FEC) and labels it with the label stack corresponding to that FEC; for unicast destination-based routing the FEC corresponds to the destination subnet, and classification is a traditional Layer 3 routing-table lookup. A core LSR receives the labelled packet and uses its label forwarding table to replace the incoming label of the received packet with the outgoing label that corresponds to the FEC (here the IP subnet). When the egress edge LSR for that FEC receives the labelled packet, it removes the label and forwards the IP packet according to the traditional Layer 3 routing table.

Chapter 3. MPLS operation in Cell mode


Chapter 2 looked at how MPLS operates between Layer 3 switching devices (routers) in Frame mode. The routers exchange plain IP packets (for the control protocols) and labelled IP packets over the same link, and perform label switching by recognising the label header in front of each IP packet. Deploying MPLS over ATM raises some difficulties: there is no way to exchange IP packets directly between two adjacent MPLS nodes across an ATM interface, because all data across an ATM interface must travel over a virtual circuit (VC); and an ATM switch cannot examine a label or perform a Layer 3 lookup, since its only capability is to map an incoming VC to an outgoing VC on the outgoing interface.


MPLS technology offers a number of solutions that make MPLS deployment over ATM possible:
- Control-plane IP packets cannot be exchanged directly over an ATM interface, so a control VC must be established between adjacent MPLS nodes for the control-plane packets to be exchanged.
- An ATM switch cannot perform a label lookup, so the top label of the label stack must be converted into a VPI/VCI value.
We recall some concepts used when deploying MPLS over an ATM environment:
- A Label Switching Controlled ATM interface (LC-ATM interface) is an interface on a router or an ATM switch on which the VPI/VCI values are assigned through the MPLS control protocols (TDP or LDP).
- An ATM-LSR is an ATM switch that runs the MPLS protocols in the control plane and performs MPLS forwarding between LC-ATM interfaces in the data plane by traditional ATM cell switching.
- A Frame-based LSR is an LSR that forwards frames between its interfaces. A typical example of a Frame-based LSR is a router. A Frame-based LSR may have several LC-ATM interfaces, but it only performs frame-based label switching on the label stack; it does not perform cell switching like an ATM-LSR.
- An ATM-LSR domain is a group of ATM-LSRs interconnected by LC-ATM interfaces.
- An edge ATM LSR is a Frame-based LSR with at least one LC-ATM interface.


Figure 3.1: Model of ATM deployment in the network
3.1. Control-plane connectivity over the LC-ATM interface

Figure 3.2: Information exchange between adjacent LSRs
The MPLS architecture requires the control planes of adjacent LSRs to have plain IP connectivity in order to exchange label bindings as well as other control packets (for example hello and update packets). In MPLS Frame-mode this requirement is easy to satisfy, because routers can send and receive both IP packets and labeled packets over any Frame-mode interface, whether LAN or WAN. ATM switches, however, do not have this capability. There are two ways to provide plain IP packet connectivity between ATM-LSRs:


- Through an external connection, for example an Ethernet connection between the switches.
- Through an in-band control virtual circuit (VC), similar to the way the ATM Forum protocols do it (User-Network Interface, UNI, or Integrated Local Management Interface, ILMI):

[Figure 3.3 diagram: two ATM-LSRs, each showing the MPLS region inside the ATM switch (MPLS control plane above the ATM switching matrix and ATM data plane), connected to edge ATM LSRs (routers) with their own MPLS control planes]
Figure 3.3: Mechanism for establishing the MPLS control virtual circuit

3.2. Forwarding labeled packets across the ATM-LSR domain
Forwarding a labeled packet across the ATM-LSR domain is performed in three steps:
- The ingress edge ATM LSR receives a packet, labeled or not, performs a lookup in the Forwarding Information Base (FIB) or the Label Forwarding Information Base (LFIB), and finds an outgoing VPI/VCI value, which it uses as the outgoing label. The labeled packets are segmented into ATM cells and sent to the next ATM-LSR. The VPI/VCI value found in the label lookup is placed in the ATM cell header of every cell.
Note: from this point until the labeled packet leaves the ATM-LSR domain, label lookups are performed solely on the VPI/VCI values and not on the MPLS label header. The MPLS header nonetheless remains in the labeled packet, because it is needed to preserve the additional header fields such as the bottom-of-stack bit and the Time-to-live (TTL).
- The ATM-LSRs switch the cells on the VPI/VCI values in the ATM cell header, according to the traditional cell-switching mechanism; the label distribution and allocation mechanism must ensure that the mapping between incoming and outgoing VPI/VCI values is set up correctly.
- The egress edge ATM LSR reassembles the cells into a labeled packet, performs the label lookup and forwards the packet to the next LSR. The lookup is based on the VPI/VCI value of the arriving cells, not on the top label of the stack in the MPLS label header. This is because the ATM-LSRs between the edges of the ATM-LSR domain change only the VPI/VCI values and not the labels inside the ATM cells.
We note the main differences between Frame-based and Cell-based label switching:
- In Frame-based label forwarding the lookup is performed on the top label of the label stack in the MPLS label header. In Cell-based forwarding the lookup is performed on the VPI/VCI values in the ATM cell headers.
- The switching mechanism in cell switching is traditional ATM cell switching based on the VPI/VCI values in the cell headers. The label stack is ignored entirely by the ATM-LSRs.
- Because the top label of the label stack is not used by the egress edge ATM-LSR, it is set to 0 by the ingress edge ATM LSR before the labeled packets are segmented into ATM cells.
3.3. Label distribution and allocation across the ATM-LSR domain
Label distribution and allocation across the ATM-LSR domain could use the same method as in an MPLS domain operating in frame mode. Doing so, however, leads to a series of limitations, because every label assigned over an LC-ATM interface corresponds to one ATM VC. Each label has a unique VPI/VCI value, and each VPI/VCI value identifies an independent ATM VC. Since the number of ATM virtual circuits supported over an ATM interface is small, the number of VCs allocated over an LC-ATM interface must be kept to a minimum. To achieve this, the upstream LSRs take responsibility for requesting label allocation and distribution over the LC-ATM interface. The upstream LSR, which needs a label to send packets to the next node, must request the label from its downstream LSR. Labels are normally requested based on the contents of the routing table rather than on the data flow, which requires a label for every destination reachable through the next hop over the LC-ATM interface. The downstream LSR can simply allocate a label and answer the upstream LSR's request with the corresponding reply message. In some cases the downstream LSR may need to be able to perform a Layer 3 lookup (if it does not yet hold a downstream label for the requested destination). For an ATM switch, such a request is not answered immediately, because it only replies to a request once it has a label for the destination from its own downstream neighbour. If the ATM-LSR has no downstream label with which to satisfy the upstream LSR's request, it requests a label from its downstream LSR and replies only after receiving that label.
Label distribution and allocation across the ATM-LSR domain has the following characteristics:
- Label assignment in devices capable of Layer 3 lookup (routers) is performed without regard to whether the router has already received a label for the same prefix from the next-hop router. Label assignment in routers is therefore called independent control.
- Label assignment in devices without Layer 3 lookup capability (ATM switches) is performed only if a matching downstream label has already been assigned. Label assignment in ATM switches is therefore called ordered control.
- The distribution method over an LC-ATM interface is downstream on demand, because an LSR advertises a label over LC-ATM only when that label has been explicitly requested by the upstream LSR.

Figure 3.4: Label assignment in the ATM-LSR domain
Consider the model describing label distribution and assignment. The destination is X, reachable through the New York POP router in the network. The label distribution and assignment steps are as follows:
- The San Jose router needs a label for destination X. Its routing table indicates that the destination is reached through an LC-ATM interface, so it requests a label from the downstream ATM-LSR, San Francisco.
- The San Francisco ATM-LSR is a traditional ATM switch operating in ordered control mode, so it requests a label from the Washington ATM switch. Likewise, the Washington ATM switch requests a label from the New York router.
- The New York router operates in independent control mode and can immediately assign a label for the request. If the New York router has a downstream label for destination X, it enters the mapping between the assigned VPI/VCI pair and the downstream label in its Label Forwarding Information Base (LFIB). Otherwise, it associates a pop operation with the assigned VPI/VCI pair. This VPI/VCI pair is returned to the Washington ATM switch in a TDP/LDP reply message.
- After receiving the label from its downstream LSR, the Washington ATM switch assigns a label for its upstream LSR and enters the mapping between the newly assigned VPI/VCI pair and the VPI/VCI pair received from the New York router in its ATM switching matrix. This new VPI/VCI pair (1/241) is sent to the San Francisco ATM switch in a TDP/LDP reply message.
- The San Francisco ATM switch performs the same actions, assigns a different VPI/VCI value (1/85) and sends this pair as the label for destination X to the San Jose router.
- After receiving the reply to its label request, the San Jose router can enter the VPI/VCI value received from the San Francisco switch into its Forwarding Information Base (FIB) and Label Forwarding Information Base (LFIB).
VC merge
Based on the label distribution and assignment rules of the previous sections, we must consider optimizing label usage across the ATM-LSR domain. For example, if an ATM-LSR has received a label for some destination from its downstream neighbour (next hop), it could reuse that label when another upstream LSR asks for a label to the same destination. In the figure below, the two routers on the left are given the same label for destination 171.68.0.0/16.

Figure 3.5: Optimizing ATM label assignment capacity


However, if cells arrive at the same time from several different sources, using a single VC value for the same destination makes it impossible to tell which cell belongs to which incoming flow, and the downstream LSRs cannot reassemble the cells. This problem is called cell interleaving. To avoid it, the ATM-LSR must request a new label from its downstream LSR every time an upstream LSR asks it for a label to any destination, even if it has already received a label for that destination.

Figure 3.6: Cell flows when advertising labels for the same destination

With a small modification, some ATM switches can guarantee that two cell flows sharing one VC are never interleaved. The switch buffers the ATM cells until it receives a special end-of-frame cell, marked in the ATM cell header, and only then transmits the whole set of cells over the VC. The buffers in these switches must therefore be enlarged, and a side effect is that delay through the switch increases. Sending the cells consecutively onto a single VC is called virtual circuit merging (VC merge); it allows the ATM-LSRs to use the same label for packets arriving from several different upstream LSRs for the same destination. Label merging considerably reduces label assignment across the ATM-LSR domain.
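The downstream-on-demand exchange of Figure 3.4 (ordered control at the ATM switches, independent control at the New York router) and the VC-merge optimisation of Figure 3.5, as an added simulation that is not the thesis's own code. The node names, the VPI/VCI start values (1/85, 1/241) and the second upstream router are constructed to reproduce the figures; the point shown is how many TDP/LDP messages and VCs a second upstream request costs with and without VC merge.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    name: str
    kind: str                       # "router": frame-based, independent control; "atm": ATM-LSR, ordered control
    downstream: Optional[str]       # next hop toward the destination; None at the egress router
    vc_merge: bool = False          # can this ATM-LSR merge several upstream flows onto one VC?
    vpi: int = 1                    # constructed VPI/VCI space this node hands out on its upstream LC-ATM link
    next_vci: int = 100
    shared: dict = field(default_factory=dict)    # VC merge only: prefix -> (label given upstream, label from downstream)
    xconnect: list = field(default_factory=list)  # (in_label, out_label) entries: switch matrix or LFIB


class Domain:
    """TDP/LDP downstream-on-demand label distribution over a constructed chain of LSRs."""

    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}
        self.log = []               # (sender, receiver, message): every request and mapping exchanged

    def allocate(self, node):
        label = f"{node.vpi}/{node.next_vci}"
        node.next_vci += 1
        return label

    def request(self, requester, target, prefix):
        """`requester` asks its downstream neighbour `target` for a label for `prefix`; returns the label."""
        node = self.nodes[target]
        self.log.append((requester, target, f"REQUEST {prefix}"))
        if node.kind == "atm" and node.vc_merge and prefix in node.shared:
            label, _ = node.shared[prefix]            # VC merge: the same VC serves every upstream neighbour
        elif node.kind == "atm":
            # ordered control: an ATM switch cannot answer until it holds a downstream label itself
            down = self.request(target, node.downstream, prefix)
            label = self.allocate(node)
            node.xconnect.append((label, down))
            if node.vc_merge:
                node.shared[prefix] = (label, down)
        else:
            # independent control: the router allocates at once; at the egress the action is a pop
            label = self.allocate(node)
            node.xconnect.append((label, "pop"))
        self.log.append((target, requester, f"MAPPING {prefix} -> {label}"))
        return label


def figure_3_4_domain(vc_merge):
    """Two upstream routers behind San Francisco, as in Figure 3.5; VPI/VCI start values follow Figure 3.4."""
    return Domain([
        Node("san_jose", "router", "san_francisco"),
        Node("san_jose_2", "router", "san_francisco"),
        Node("san_francisco", "atm", "washington", vc_merge=vc_merge, next_vci=85),
        Node("washington", "atm", "new_york", vc_merge=vc_merge, next_vci=241),
        Node("new_york", "router", None, next_vci=33),
    ])


if __name__ == "__main__":
    for merge in (True, False):
        d = figure_3_4_domain(merge)
        first = d.request("san_jose", "san_francisco", "X")
        second = d.request("san_jose_2", "san_francisco", "X")
        print(f"vc_merge={merge}: labels {first}, {second}; {len(d.log)} TDP/LDP messages")
```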


Part 2: Virtual Private Network (VPN) applications over MPLS networks


The Virtual Private Network (VPN) is one of the most important applications of MPLS networks. Companies and enterprises, multinational companies in particular, have a great demand for this type of service. With a VPN they can use telecommunication services and transfer internal data at low cost with assured security. Thanks to its security mechanisms and its ability to provide classes of service (QoS) on demand, MPLS is a very suitable technology for VPNs. In this part we study the virtual private network model over MPLS. This is a very important application that meets the requirements of private networks using the national information infrastructure with differing requirements for safety, security and quality of service.
Network security is important not only for Internet service providers (ISPs); it is also of decisive importance for government agencies and enterprises. WAN solutions such as leased lines and Frame Relay lack flexibility in connectivity, network expansion and information security, and are moreover expensive. Firewall solutions only guard against attacks from outside the network at its entry point, so the risk of attack remains high. A comprehensive security solution for a network therefore cannot leave out the VPN.

Chapter 4: Overview of Virtual Private Network (VPN) technology


4.1. Introduction to Virtual Private Networks (VPN)
A Virtual Private Network is defined as a network in which a customer can connect multiple sites, deployed over a shared infrastructure with the same access level or security policies. Virtual private networks running over the IP protocol are becoming increasingly popular. This technology makes it possible to create a private network over the shared infrastructure of an Internet service provider (ISP). Various security techniques are applied to protect user information when it is exchanged in a shared environment such as the Internet.

A VPN is a communication environment in which access is controlled and only connections within a predefined scope are permitted. A VPN is built by sharing common facilities and transmission media, and the services of the private network are delivered over those facilities and media. Put more simply: a VPN is a private network built on the infrastructure of a public network, for example the Internet.
4.2. Evolution of VPNs
Initially, computer networks were deployed with two main technologies: leased lines for permanent connections and dial-up lines for intermittent connections, established only on demand.

Figure 4.1: A typical computer network of 15 years ago


Initially, computer networks were deployed for customers with fairly good security, but the price was high for two reasons:
- Traffic exchanged between two areas of the network varies by time of day, by day of the month and even by season (for example, traffic rises significantly during important events).
- End users always demand fast response, which results in high bandwidth requirements between sites, yet the leased bandwidth is used only during the periods when users are active.
These two reasons pushed service providers to develop and deploy a technology that gives customers a quality of service equivalent to leased lines. The first virtual private network technologies were based on X.25 and Frame Relay, later on SMDS and ATM.

Figure 4.2: A typical Frame Relay network
The VPN solution comprises the following elements:
- The service provider is an organization that owns the infrastructure (the equipment and the transmission media) and provides leased lines to customers. In this way the service provider offers the customer a Virtual Private Network Service.
- The customer connects to the service provider through Customer Premises Equipment (CPE). The CPE is usually a device that terminates the connection, which may be a bridge or a router. The CPE is sometimes called the Customer Edge device.


- The CPE is connected over a transmission medium (usually a leased line, but not a dial-up connection) to the service provider's device, which may be an X.25, Frame Relay or ATM switch, or even a router. This service provider edge device is sometimes called the Provider Edge device.
- The service provider usually has additional devices in its core network (also called the P-network). These devices are called P devices, for example P-switches or P-routers.
- A contiguous part of the customer's network is called a site. A site can connect to the P-network over one or more transmission links, using one or more CPE or PE devices.
- The service provider can charge either a flat rate for the VPN service, usually based on the bandwidth provided to the customer, or a usage-based rate, usually based on the volume of data exchanged or the duration of the exchange.
4.3. VPN classification
There are three types of VPN:
- Intranet VPN: a VPN connecting two networks together (site-to-site). It is used to connect the offices and branches within one company. With this type the internal users are trusted more, so the security level is lower, meaning they are given access to more network resources.
- Extranet VPN: used when information must be exchanged between the company network and the networks of outside partners. This model requires stricter security policies than an intranet in order to limit access to the company's resources.


Figure 4.3: Extranet model
- Remote access VPN: used for mobile workers who need secure access to the company's private network from any geographic location through a shared environment (such as the public telephone network). Small offices can also use this type of access to connect to their company's private network.

In practice, the remote user connects to an Internet service provider (ISP), and the ISP establishes the connection to the company's private network. Once a connection between the remote user's computer and the company's private network exists, a tunnel is set up between the two endpoints and data is exchanged through that tunnel.
4.4. VPN functions
A VPN has the following basic functions:
- Confidentiality: the sender can encrypt data packets before they are transmitted over the network. In this way others cannot access the information without permission; even if they capture it, they cannot read it.
- Integrity: the receiver can verify that the data transmitted over the Internet has not been altered.
- Origin authentication: the receiver can authenticate the origin of the data packet, guaranteeing and verifying the source of the information.
4.5. Tunnelling and encryption


The function of a VPN is to provide security by encryption through a tunnel. A tunnel provides logical point-to-point connections over the connectionless IP network, which makes it possible to use its advantages and security features. Tunnelling solutions for VPNs use encryption to protect data from being eavesdropped by anyone unauthorized, and perform multi-protocol encapsulation where needed. Encryption is used to ensure that data cannot be read by anyone except the intended recipient. As more information flows over the network, the need to encrypt it becomes ever more important. Encryption transforms the content of a message into a meaningless form, its ciphertext. The recipient uses the decryption function provided to recover the content of the message.
4.6. Protocols used for VPNs
There are three main tunnelling protocols used to build a VPN.
4.6.1. Layer 2 Tunnelling Protocol (L2TP)
In August 1999 Cisco released its proprietary tunnelling protocol L2F (Layer 2 Forwarding), before the L2TP standard appeared. L2F can use any access authentication mechanism supported by PPP. PPTP (Point-to-Point Tunneling Protocol) was developed by the PPTP Forum. This protocol supports 40-bit and 128-bit encryption and uses any access authentication mechanism supported by PPP. L2TP is a project combining Cisco's L2F and Microsoft's PPTP. Combining the features of both PPTP and L2F, L2TP also fully supports IPSec. L2TP can be used as the tunnelling protocol for point-to-point VPNs (Intranet VPN and Extranet VPN) and for remote access VPNs. In practice, L2TP can create a tunnel between a client and a router, between a NAS and a router (a NAS, Network Access Server, is the device that manages remote access (RAS), letting customers place calls, initiating the authentication process and forwarding the call (over L2F or L2TP) to the customer's gateway), and between two routers. Compared with PPTP, L2TP has more powerful and more secure features.


L2TP is used to create a separate environment, a Virtual Private Dial Network (VPDN). L2TP lets users request an overall security policy over any VPN or VPDN link as if it were an extension of their internal network. L2TP does not provide encryption and can be monitored with a protocol analyzer.
Like PPTP, L2F uses PPP to provide a remote access connection, and that connection can be passed through a tunnel over the Internet to its destination. L2TP, however, defines its own tunnelling protocol based on the L2F mechanism. This mechanism allows L2TP tunnels to be deployed not only over IP networks but also over other packet-switched networks such as X.25, Frame Relay and ATM. L2TP uses PPP to establish the connection automatically. Once PPP has established the connection, L2TP first determines whether the network server at the company side recognizes the end user and is ready to act as the tunnel endpoint. If the tunnel can be created, L2TP takes on the role of encapsulating the packets to be transmitted. When L2TP creates tunnels between the ISP's network access concentrator and the company's network server, it can assign one or more sessions to a tunnel. L2TP creates a call identifier (Call ID) and inserts it into the L2TP header of every packet to indicate which session the packet belongs to.

L2TP reduces network traffic and lets the servers control link congestion by performing flow control between the ISP's network access server, also called the L2TP Access Concentrator (LAC), and the company's network server, also called the L2TP Network Server (LNS). Control messages are used to determine the transmission rate and the buffer parameters that control the flow of PPP packets of a session within a tunnel.
4.6.2. Generic Routing Encapsulation (GRE)


In this type of VPN, the Generic Routing Encapsulation (GRE) protocol provides a mechanism for encapsulating a passenger protocol packet for transport over a carrier protocol. It includes information about the type of packet being encapsulated and about the connection between server and client. The protocol encapsulates IP, CLNP and any other protocol packets inside IP tunnels. With GRE, a Cisco router at each site encapsulates the packets of a given protocol in an IP header, creating a virtual point-to-point link to Cisco routers at other sites across an IP cloud, where the IP header is removed. By connecting multi-protocol subnets in a simple backbone environment, IP tunnels allow the network to be extended over a single-protocol backbone. GRE does not provide encryption and can be monitored with a protocol analyzer.
4.6.3. IP Security Protocol (IPSec)
The IPSec security protocol provides advanced security features such as stronger encryption algorithms and more comprehensive peer authentication. IPSec works well on both types of VPN: remote access VPN and point-to-point VPN (Intranet VPN and Extranet VPN). Of course, it must be supported at both tunnel interfaces. IPSec has two encryption modes: Tunnel and Transport. Tunnel mode encrypts the header and the payload of each packet, whereas Transport mode encrypts only the payload. Only systems that support IPSec can take advantage of this protocol. In addition, all devices must use a common key, and the firewalls on every system must have identical security settings. IPSec can encrypt data between many kinds of devices: router to router, PC to router, PC to server, or between firewalls. IPSec provides its security services by using IKE (Internet Key Exchange) to negotiate the protocols and algorithms on the basis of local security policies and to generate the encryption and authentication keys used by IPSec. IPSec operates at Layer 3, so it can only carry IP packets, whereas L2TP operates at Layer 2 (of the 7-layer model) and can therefore carry packets of many different protocols such as IP, IPX or NETBEUI. L2TP can be carried over IPSec to strengthen security across the network.
Next we look more closely at IPSec. IPSec is a Layer 3 protocol that brings a group of protocols and technologies such as AH (Authentication Header), ESP (Encapsulating Security Payload), IKE (Internet Key Exchange), DES (Data Encryption Standard), AES (Advanced Encryption Standard) and other techniques into a system that provides a reliable and secure authentication method for IP packets. IPSec is used for both IPv4 and IPv6. As an open standard, IPSec interoperates with equipment from many different vendors and is used with many different kinds of VPN. Although IPSec is deployed mainly for WAN extension over shared public environments, it can also be used for encryption and security within a LAN, a campus network or even an Intranet VPN. According to IETF RFC 2401, IPSec is designed to provide interoperable, high-quality security for IPv4 and IPv6. Its security services include access control, connectionless integrity, data origin authentication, encryption and traffic-flow confidentiality. It has the following characteristics:
4.6.3.1. Ensuring data integrity
IPSec secures IP traffic by adding IPSec headers to the original IP packet. These are new IPSec headers, namely AH and ESP, which can be used separately or combined depending on the required level of security. In essence, the headers are added to the original IP packet to authenticate the packet, to encrypt and protect the data, or both.

Security Associations (SAs) are an important part of IPSec processing: they define a security level between two devices in a peer-to-peer relationship. Through SAs a device can apply the security policies to be used, and it identifies an SA by an IP address, a security protocol identifier and a unique security parameter value. There are two kinds of SA. The key-exchange SA is the first kind, used for authentication between peers, key exchange and subsequent key management. The second kind is the IPSec SA, used to negotiate and establish, for each device, an authentication method, a hashing algorithm and an encryption method.
4.6.3.1.1. Authentication Header (AH)
AH uses a keyed hash function, implemented in application-specific integrated circuits (ASICs), to perform authentication and integrity for transmitted data. AH authenticates the originating host to the destination host during the establishment of the authenticated key exchange. There are several key authentication methods; we list a few of them here:
- IKE based on ISAKMP/OAKLEY: IKE is a hybrid key-exchange protocol that uses part of Oakley and part of another protocol called SKEME within ISA (Internet Security Association) and KMP (Key Management Protocol). Keys are pre-shared manually or through delegation, and key exchange and acceptance are performed by IKE. Point-to-point authentication relies on IKE processing and yields an SA. This process takes place before any IPSec SA is negotiated and before data can pass over the established link.
- Perfect Forward Secrecy (PFS) rekeying: this method gives higher security even when a key is broken by attackers. It separates the initial IKE from the process used to generate the keys for the IPSec SA. Thus even if the IKE SA key is broken, the secret key is not exposed. It allows the key to change continuously while the session is maintained.
To ensure data integrity as it crosses a public network, AH uses hash algorithms such as Message Digest 5 (MD5). Applied to the header of the original IP packet, it hides the real IP address information and other parameters as the packet crosses the public network. At the destination the IP packet header is restored and routed within the destination subnet.
4.6.3.1.2. Encapsulating Security Payload (ESP)


It is important that the data area itself be secured, so data encryption is necessary. In this case an ESP header and an encryption algorithm such as DES (3DES) are added to increase the security of the data. As a result, ESP fully encapsulates the user data. ESP can be used in combination with AH, but ESP already includes the data origin authentication and anti-replay mechanisms present in AH. ESP can therefore use the same key exchange technique used for AH. This allows ESP alone to be used for IPSec traffic when high security is required. One example is using both the AH and ESP headers when we want the strongest confidentiality (ESP) together with the strongest authentication (AH), because AH additionally protects the fields of the new outer IP header, which ESP does not. AH is used for authentication, while ESP is used for encryption and authentication. ESP differs from AH in two respects:
- ESP encrypts the data before sending it, so it guarantees data confidentiality. With AH the whole packet is authenticated but not encrypted, so it can be read in transit.
- ESP authenticates only the content of the IP packet, not the whole IP packet.
4.6.3.2. Data forwarding modes in IPSec
IPSec offers two methods of forwarding data across the network for both AH and ESP: Tunnel mode and Transport mode. These two modes are in fact two different kinds of SA. An SA is defined as a simplex connection that allows security services to be applied to the traffic within the SA. Tunnel mode is used for security between groups of hosts, whereas transport mode is used from one IP host to another IP host, or when network services such as QoS must be preserved in the original IP header.

4.6.3.2.1. Tunnel mode
Both AH and ESP operate in Tunnel mode. A tunnel provides a path across the shared public network through which the hosts or tunnel endpoints can communicate. These tunnels are logical paths, like virtual circuits (VCs), configured at the ports and established automatically. IPSec Tunnel Mode encapsulates and protects the content of the entire IP packet, including the original header. It adds a 20-byte IP header to each packet. The following two diagrams describe how IPSec headers are added in IPSec Tunnel Mode AH and IPSec Tunnel Mode ESP.

Figure 4.4: Applying the IPSec AH header to an IP packet in tunnel mode

Figure 4.5: Applying IPSec ESP to an IP packet in tunnel mode
4.6.3.2.2. Transport mode
Both AH and ESP can operate in transport mode. Transport mode is used to encapsulate the payload of the upper-layer protocol above the IP layer, usually Layer 4 or higher-layer payloads such as TCP, UDP or BGP. It does not cover the Layer 3 header, because that header may be needed by other network services, for example applications that use QoS (encrypting the original IP packet header may make it unusable for QoS applications). AH transport mode is used for applications in which the original IP packet header is kept intact and only the integrity of the packet data needs to be authenticated. ESP transport mode is used for applications that keep the original IP packet header but also want to encrypt the rest of the payload.
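The AH encapsulations of 4.6.3.2.1 and 4.6.3.2.2, as an added example that is not the thesis's own code: the same AH is inserted behind the original header (transport mode) or behind a new 20-byte outer header (tunnel mode), the ICV is computed with HMAC-MD5-96 over the immutable fields only, and the sequence number feeds the anti-replay window mentioned in 4.6.3.1.2. Addresses, the key and the payload are constructed; the simplified IP header leaves the checksum at zero.

```python
import hashlib
import hmac
import struct
from ipaddress import ip_address

AH_PROTO = 51     # IP protocol number carried by the IP header that precedes an AH
IPIP_PROTO = 4    # AH next-header value for an encapsulated IPv4 packet (tunnel mode)
TCP_PROTO = 6
ICV_LEN = 12      # HMAC-MD5-96 (RFC 2403): the 128-bit HMAC truncated to 96 bits
AH_LEN = 12 + ICV_LEN


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; the checksum stays 0 since it is mutable and not authenticated."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ip_address(src).packed, ip_address(dst).packed)


def _immutable_view(ip_hdr):
    """Zero the fields that change in transit (TOS, flags/fragment offset, TTL, checksum)."""
    return ip_hdr[:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00\x00" + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:]


def _icv(key, ip_hdr, ah_fixed, inner):
    # the ICV is computed with its own field zeroed, exactly as the sender did
    data = _immutable_view(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + inner
    return hmac.new(key, data, hashlib.md5).digest()[:ICV_LEN]


def ah_protect(key, spi, seq, ip_hdr, next_header, inner):
    """Insert an AH between ip_hdr (whose protocol field is 51) and inner; returns the protected packet."""
    ah_fixed = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + _icv(key, ip_hdr, ah_fixed, inner) + inner


def ah_verify(key, packet):
    """Return (icv_ok, spi, seq) for a packet carrying an AH right after a 20-byte IP header."""
    ip_hdr, ah, inner = packet[:20], packet[20:20 + AH_LEN], packet[20 + AH_LEN:]
    spi, seq = struct.unpack("!II", ah[4:12])
    ok = hmac.compare_digest(_icv(key, ip_hdr, ah[:12], inner), ah[12:])
    return ok, spi, seq


def transport_mode(key, spi, seq, src, dst, payload):
    """AH transport mode: the original IP header is kept, AH is inserted before the TCP payload."""
    ip_hdr = ipv4_header(src, dst, AH_PROTO, AH_LEN + len(payload))
    return ah_protect(key, spi, seq, ip_hdr, TCP_PROTO, payload)


def tunnel_mode(key, spi, seq, src, dst, gw_src, gw_dst, payload):
    """AH tunnel mode: a new outer header (gateway to gateway) precedes AH and the whole original packet."""
    inner = ipv4_header(src, dst, TCP_PROTO, len(payload)) + payload
    outer = ipv4_header(gw_src, gw_dst, AH_PROTO, AH_LEN + len(inner))
    return ah_protect(key, spi, seq, outer, IPIP_PROTO, inner)


class ReplayWindow:
    """Anti-replay check on the AH/ESP sequence number: a sliding bitmap of the last `size` numbers."""

    def __init__(self, size=32):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq > self.top:                               # newer than anything seen: slide the window
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        if self.top - seq >= self.size:                   # too old: falls outside the window
            return False
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:                             # already received: a replay
            return False
        self.bitmap |= bit
        return True


if __name__ == "__main__":
    key = b"constructed-shared-key"
    t = transport_mode(key, 0x100, 1, "10.1.1.5", "10.2.2.9", b"hello")
    u = tunnel_mode(key, 0x100, 1, "10.1.1.5", "10.2.2.9", "203.0.113.1", "198.51.100.1", b"hello")
    print("tunnel mode adds", len(u) - len(t), "bytes; ICV ok:", ah_verify(key, u)[0])
```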

Figure 4.6: IPSec transport mode using AH

Figure 4.7: IPSec transport mode using ESP
4.6.3.3. IPSec operation
IPSec operation is divided into 5 steps:
4.6.3.3.1. Step 1: Identifying interesting traffic

Figure 4.8: Identifying the traffic flow


Determining which data flows need to be protected is done as part of formulating a security policy for the use of a VPN. The policy is used to decide which traffic needs protection and which traffic can be sent in clear text. For every incoming and outgoing packet there are three choices: apply IPSec, bypass IPSec, or drop the packet. For every packet protected by IPSec, the system administrator must specify the security services to be used for it. The security policy databases specify the IPSec protocols, modes and algorithms to be applied to the traffic. These services are then applied to the traffic destined for each specific IPSec peer. With the VPN Client, you use menu windows to select the connections you want secured by IPSec. When the desired traffic reaches the IPSec client, the client starts the next step in the process: negotiating an IKE phase 1 exchange.
4.6.3.3.2. Step 2: IKE Phase 1

Figure 4.9: IKE Phase 1
The basic purpose of IKE phase 1 is to negotiate the IKE policy sets, authenticate the peers and establish a secure channel between the peers. IKE phase 1 occurs in one of two modes: Main mode and Aggressive mode. Main mode has three bidirectional exchanges between the initiator and the responder:
The first exchange:


Figure 4.10: The first exchange

During the first exchange, the algorithms and hashes used to secure the IKE exchanges are negotiated and agreed between the peers. When trying to create a secure connection between host A and host B over the Internet, IKE security proposals are exchanged between Router A and Router B. The proposals define which IPSec protocol is currently being negotiated (for example ESP). Under each proposal, the initiator must outline which algorithms are to be used in the policy (for example DES with MD5). Rather than negotiating each algorithm separately, the algorithms are grouped into sets, an IKE policy set. A policy set describes which encryption algorithm, which authentication algorithm, the mode and the key length. These IKE proposals and policy sets are exchanged during the first exchange in main mode. If a matching policy set is found between the two peers, main mode continues. If no matching policy set is found, the tunnel is dropped. In the example in the figure above, Router A sends IKE policy sets 10 and 20 to Router B. Router B compares its policy set, policy set 15, with the policy sets received from Router A. In this case there is a match: Router A's policy set 10 matches Router B's policy set 15.
The second exchange:
A DH exchange is used to create the shared secret keys, and in this process random numbers are sent to the other party, signed, and returned to verify their identity. The shared secret key is used to generate all the other authentication and encryption keys. When this step is complete, the peers share the same secret but have not yet been authenticated. That takes place in the third step of IKE phase 1, the authentication of the peers' identities.
The third exchange, authenticating the peers' identities:

Figure 4.11: The third exchange
Peer authentication methods:

The third and last exchange is used to authenticate the remote peers. The main result of main mode is a secure channel for the subsequent exchanges between the peers. There are three data origin authentication methods:
- Pre-shared keys: a secret key value entered manually on each peer is used to authenticate the peer.
- RSA encrypted nonces: nonces (random numbers generated by each peer) are encrypted and then exchanged between the peers. The two nonces are used during peer authentication.
In aggressive mode there are fewer exchanges with fewer packets. Everything is exchanged in the first exchange: the IKE policy set negotiation, the DH public key generation and a nonce. Aggressive mode is therefore faster than main mode.

4.6.3.3.3. Step 3: IKE Phase 2

Figure 4.12: IKE Phase 2
The purpose of IKE phase 2 is to negotiate the IPSec security parameters used to secure the IPSec tunnel. IKE phase 2 performs the following functions:
- Negotiates the security parameters, the IPSec transform sets
- Establishes the IPSec SAs
- Periodically renegotiates the IPSec SAs to ensure security
- Optionally performs an additional DH exchange

IKE phase 2 has only one mode, called Quick mode. Quick mode takes place after IKE has established the secure tunnel in IKE phase 1. It negotiates a shared IPSec transform and establishes the IPSec SAs. Quick mode exchanges nonces that are used to generate new shared secret key material and to prevent replay attacks from creating bogus SAs. Quick mode is also used to renegotiate a new IPSec SA when the IPSec SA lifetime expires. Quick mode refreshes the keying material used to create the shared secret key, based on the keying material derived from the DH exchange in phase 1.
IPSec transform sets
The end result of IKE phase 2 is the establishment of a secure IPSec session between the endpoints. Before this can happen, each pair of endpoints negotiates the required security level (for example the authentication and encryption algorithms for a session). Rather than negotiating individual protocols, the protocols are grouped into sets, an IPSec transform set. IPSec transform sets are exchanged between the peers during quick mode. If a match is found between the sets, IPSec session establishment continues; otherwise the session is aborted.

Figure 4.13: Transform-set negotiation
In the example in the figure above, RouterA sends IPSec transform sets 30 and 40 to RouterB. RouterB compares its transform set with those received from RouterA. In this example there is a match: transform set 30 of RouterA is compatible with transform set 55 of RouterB. The encryption and authentication algorithms are used in an SA (Security Association). An SA is a one-way logical connection that provides security for all traffic passing over the connection. Because most traffic is bidirectional, two SAs are needed: one for inbound and one for outbound. When the security services have been agreed between the peers, each VPN peer enters the information into an SPD (Security Policy Database). This information includes the authentication algorithm, the encryption algorithm, the destination IP address, the transport mode, the key lifetime, and so on. This information is regarded as an SA.
The VPN device assigns the SA a sequence number, called the SPI (Security Parameter Index). When sending the individual parameters of the SA through the tunnel, the gateway or host inserts the SPI into the ESP header. When the IPSec peer receives the packet, it looks at the destination IP address, the IPSec protocol, and the SPI in its SAD (Security Association Database), and then processes the packet according to the algorithms specified in the SPD.

Figure 4.14: Parameters of an SA (Security Association)
An IPSec SA is the combination of the SAD and the SPD. The SAD is used to define the SA's destination IP address, the IPSec protocol, and the SPI number. The SPD defines the security services used for the SA, the encryption and authentication algorithms, the mode, and the key lifetime. For example, in the connection from the corporate headquarters to the bank, the security policy provides some secure tunnels using 3DES, SHA, tunnel mode, and a key lifetime of 28800. The SAD values are 192.168.2.1, ESP, and an SPI of 12.

4.6.3.3.4. Step 4: IPSec session


Figure 4.15: An IPSec session
After IKE phase 2 has completed and quick mode has been established, traffic is exchanged between host A and host B through a secure tunnel. The interesting traffic is encrypted and decrypted according to the security services specified in the IPSec SA.

4.6.3.3.5. Step 5: Tunnel termination

Figure 4.16: Termination of an IPSec session
IPSec SAs terminate through deletion or by timing out. An SA can time out when the specified amount of time has elapsed or when the specified number of bytes has passed through the tunnel. When the SAs terminate, the keys are discarded as well. When further IPSec SAs are needed for a flow, IKE performs a new phase 2 and, if necessary, a new IKE phase 1 negotiation. A successful negotiation creates new SAs and new keys. New SAs are usually established before the existing SAs expire.
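The negotiation, SA creation and expiry described in steps 3 to 5 can be modelled as data. The following Python is an added example, not code from the thesis or from any router vendor: it reproduces the RouterA/RouterB transform-set match from figure 4.13 (sets 30 and 40 offered against set 55), installs the resulting SA pair with SPIs, performs the receiver's SAD lookup on (destination IP, IPSec protocol, SPI), and retires an SA once its time or byte lifetime is reached. The IP addresses, SPI values, the byte lifetime and the first-match negotiation order are constructed assumptions.

```python
"""IKE phase 2 modelled as data: transform-set negotiation, the two
unidirectional SAs that result, the SAD/SPD lookup a receiver performs on
(destination IP, IPSec protocol, SPI), and SA expiry by time or bytes.
Constructed example: names, SPI values and lifetimes are made up."""
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class TransformSet:
    """The policy (SPD) part of an SA: protocol, algorithms and mode."""
    name: int
    protocol: str      # "ESP" or "AH"
    encryption: str    # "3DES", "AES" ...
    auth: str          # "SHA", "MD5" ...
    mode: str          # "tunnel" or "transport"

    def same_algorithms(self, other: "TransformSet") -> bool:
        # Set names are local to each router; only the contents must match.
        return (self.protocol, self.encryption, self.auth, self.mode) == \
               (other.protocol, other.encryption, other.auth, other.mode)


def negotiate(offered, local):
    """Quick mode: the responder compares the initiator's transform sets
    with its own, in the initiator's order, and returns the first match as
    (initiator_set, responder_set); None means the session is abandoned."""
    for off in offered:
        for loc in local:
            if off.same_algorithms(loc):
                return off, loc
    return None


@dataclass
class SA:
    """One unidirectional IPSec Security Association (an SAD entry)."""
    spi: int
    dst_ip: str
    protocol: str
    policy: TransformSet
    lifetime_seconds: int
    lifetime_bytes: int
    seconds_used: int = 0
    bytes_seen: int = 0

    def expired(self) -> bool:
        # Either limit ends the SA; IKE must then run a new phase 2.
        return (self.seconds_used >= self.lifetime_seconds
                or self.bytes_seen >= self.lifetime_bytes)


class IPSecPeer:
    def __init__(self, name, transform_sets, first_spi=0x100):
        self.name = name
        self.transform_sets = list(transform_sets)
        self.sad = {}                 # (dst_ip, protocol, spi) -> SA
        self._spi = count(first_spi)  # SPI allocator (constructed, not random)

    def install_inbound_sa(self, dst_ip, policy, lifetime_seconds, lifetime_bytes):
        """The receiver chooses the SPI for traffic addressed to it, so the
        sender can put it in the ESP header and the receiver can index its SAD."""
        sa = SA(next(self._spi), dst_ip, policy.protocol, policy,
                lifetime_seconds, lifetime_bytes)
        self.sad[(dst_ip, policy.protocol, sa.spi)] = sa
        return sa

    def lookup(self, dst_ip, protocol, spi) -> Optional[SA]:
        """What the receiver does per packet: index the SAD by the triple
        and refuse packets whose SA is unknown or has timed out."""
        sa = self.sad.get((dst_ip, protocol, spi))
        return None if sa is None or sa.expired() else sa


def establish_session(a, a_ip, b, b_ip, lifetime_seconds=28800, lifetime_bytes=4_608_000):
    """Run quick mode between two peers and create the SA pair (one per
    direction).  Returns (sa_toward_b, sa_toward_a) or None on mismatch."""
    match = negotiate(a.transform_sets, b.transform_sets)
    if match is None:
        return None
    a_set, b_set = match
    # Each side installs the inbound SA it will use to decrypt; the other
    # side sends with that SPI.
    to_b = b.install_inbound_sa(b_ip, b_set, lifetime_seconds, lifetime_bytes)
    to_a = a.install_inbound_sa(a_ip, a_set, lifetime_seconds, lifetime_bytes)
    return to_b, to_a


def demo():
    """The page's example: RouterA offers sets 30 and 40, RouterB has set 55,
    and only 30/55 agree (3DES, SHA, tunnel).  Addresses are constructed."""
    router_a = IPSecPeer("RouterA", [
        TransformSet(30, "ESP", "3DES", "SHA", "tunnel"),
        TransformSet(40, "ESP", "DES", "MD5", "tunnel"),
    ])
    router_b = IPSecPeer("RouterB", [TransformSet(55, "ESP", "3DES", "SHA", "tunnel")])
    to_b, _to_a = establish_session(router_a, "192.168.1.1", router_b, "192.168.2.1")
    return router_a, router_b, to_b
```

The lookup deliberately treats an expired SA the same as an unknown one: a receiver that kept decrypting on a timed-out SA would defeat the rekeying that step 5 describes.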


4.7. Peer-to-peer and overlay models [5]
Two kinds of VPN are commonly deployed:
- The overlay model, in which the service provider supplies leased lines to the customer.
- The peer-to-peer model, in which the service provider exchanges Layer 3 routing information with the customer and carries data between the customer's sites along the optimal path between those sites. In this model the customer's router is connected directly to the service provider's router.
4.7.1. The overlay VPN model
The overlay model is deployed over private trunks on the service provider's shared network infrastructure. Such a VPN can be realized at Layer 1 using leased lines or dial-up lines; at Layer 2 using X.25, Frame Relay or ATM virtual circuits; at Layer 3 using IP tunnels. In this model the roles of the customer and the service provider are as follows: the service provider supplies the customer with leased lines. These leased lines are called VCs; they can be permanent connections (PVCs) or be set up on demand. The following figure shows the overlay VPN model and the VCs used in it.


Figure 4.17: A simple example of an overlay VPN
The customer sets up router-to-router connections between its CPE (Customer Premises Equipment) devices over the virtual circuits (VCs) supplied by the service provider. The routing protocol is always exchanged between the customer's own devices, and the service provider does not care about the internal structure of the customer network. This kind of VPN has the following limitations:
- Each VPN has many sites, and a site may have several routers for redundancy, but the network becomes hard to control and must be deployed as a full mesh of point-to-point connections or virtual circuits over the service provider's backbone in order to optimize the transmission paths. Moreover, the customer has to design and operate its own virtual backbone, and customers do not always have the skills and experience to do so. To solve this, the service provider would have to take on the design and operation of a Virtual Backbone Network for each customer, which becomes very complex when the number of customers is large.
- If each customer has a VPN with hundreds of sites, the number of connections is enormous. This affects the scalability of the network.
- When the number of connections is large, adding or removing sites has a large impact because the routing devices must be reconfigured.
- It is very hard to estimate the capacity of the connections between sites.
4.7.2. The peer-to-peer VPN model
The peer-to-peer VPN model overcomes the shortcomings of the overlay VPN model. In this model the service provider's edge device (Provider Edge, PE) is a router that exchanges routing information directly with the CPE router.


Figure 4.18: The peer-to-peer VPN model
The peer-to-peer VPN model has several advantages over the overlay VPN model:
- Routing becomes extremely simple, since the customer's router exchanges routing information with only one or a few PE routers, whereas in the overlay model the full-mesh connectivity can make the number of neighbouring routers very large.
- Routing between the customer's sites is always optimal, because the provider's routers know the customer's network topology and can therefore route between the sites in the best way.
- Bandwidth provisioning is simpler, because the customer only has to specify the inbound and outbound bandwidth for each of its sites.
- Adding a new site is simpler, because the service provider only adds the site and changes the configuration on the router to which the new site connects, whereas in the overlay model the provider has to provision connections to all the other sites in the customer's VPN.


Before VPNs over MPLS, there were two options for the peer-to-peer VPN model:
- Shared router, where several VPNs share the same PE router.
- Dedicated router, where each customer using the VPN service has its own PE router.
4.7.2.1. The peer-to-peer VPN model with a shared PE router
In this model, several customers using the VPN service can share one PE router. Access lists must be configured on all PE-CE interfaces of the PE routers to ensure isolation between the customer VPNs, and to prevent one customer's VPN from affecting or intruding into another customer's VPN.

Figure 4.19: Peer-to-peer VPN model: shared PE router
4.7.2.2. The peer-to-peer VPN model with dedicated PE routers
In this model each customer VPN has its own PE router and can therefore only reach the routes contained in the routing table of that PE router.


Figure 4.20: Peer-to-peer VPN model: dedicated PE router
In the dedicated PE router model, the routing protocols create a separate routing table for each VPN on the PE routers. The routing tables on these PE routers contain only the routes advertised by the customer VPN directly connected to them, so there is clear separation between the VPNs of different customers (assuming that IP source routing is blocked). Routing in this model can be carried out as follows:
- Any routing protocol runs between the PE router and the CE router.
- BGP runs between the PE router and the P router.
- The PE router redistributes the routes received from the CE router into BGP, marks them with the customer identifier, and passes them to the P router. The P router therefore holds all the routes of all the VPNs of the different customers.
- The P router passes only the routes with the appropriate BGP marking to each PE router. The PE router therefore receives only the routes originated by CE routers in its own VPN.
4.7.2.3. Comparison of the peer-to-peer VPN variants
The shared PE router model is very hard to maintain, because it requires a complex deployment and placing access lists on all the routers is cumbersome. The dedicated PE router model, although simpler to configure and maintain, becomes rather expensive for the service provider when it has to serve a large number of customers with sites scattered across many geographic regions. Both models also have the following limitations:


- All customers share the same IP address range, which prevents customers from using private addresses. Customers must use either public IP addresses or private addresses allocated by the service provider.
- Customers cannot insert a default route into their VPN. This restriction prevents optimal routing and limits the customer's ability to reach the Internet through another service provider.
In summary, VPNs can be classified in many ways. The most common is based on how routing information is exchanged across the VPN. In the peer-to-peer VPN model, the customer's routing information is exchanged between the customer's router and the service provider's router. In the overlay VPN model, the service provider supplies only virtual circuits (VCs) and routing information is exchanged directly between the customer's edge routers. The two models can be combined in a large service provider's network: the peer-to-peer model can be used together with the overlay VPN model (for example, connecting customers to the service provider's edge routers over Frame Relay) or in its core (for example, linking the service provider's routers over ATM). The overlay VPN model can be implemented with Layer 2 WAN switching technologies (X.25, Frame Relay, SMDS or ATM) or with Layer 3 tunnelling techniques (IP-over-IP or IPSec). The peer-to-peer VPN model can be implemented with traditional technologies using complex routing methods or access lists (ACLs). Next we look at the deployment of VPN technology on an MPLS foundation, which overcomes the limitations of the other peer-to-peer VPN technologies and lets the service provider combine the benefits of the peer-to-peer model (simple routing, easy deployment on customer demand) with security and isolation that are clearer than the inherent shortcomings of the overlay VPN model allow.


Figure 4.21: Classification of VPNs by technology

Chapter 5: MPLS/VPN network models


In the previous chapter we looked at virtual private networks, with the two kinds of VPN, overlay and peer-to-peer, and the main technologies used to deploy each. The overlay VPN model is commonly used in service provider networks; the virtual circuits across the backbone must be designed and provisioned before any traffic can flow over the network. In the case of an IP network, this means that even though the technology is connectionless, a connection-oriented setup is still required to deliver this service. From the service provider's point of view, with the overlay VPN model it is very hard to manage a large number of virtual circuits or tunnels between customer devices, and the IGP (Interior Gateway Protocol) design is extremely complex and hard to control. The peer-to-peer VPN model, on the other hand, has the limitation of lacking isolation between customers. With Multiprotocol Label Switching, which combines the advantages of Layer 2 switching with Layer 3 routing and switching, we can build a new technology that combines the benefits of the overlay VPN model (such as security and isolation between customers) with the advantage of simple routing in the peer-to-peer VPN model. This new technology is called MPLS/VPN, that is, VPNs deployed over MPLS; it gives simple routing to the customer and is simpler for the service provider as well. Connectionless IP routing gains the connection-oriented property of MPLS by setting up Label-Switched Paths (LSPs).


MPLS/VPN has two main models: Layer 2 MPLS/VPN and Layer 3 MPLS/VPN (BGP/MPLS VPN).
- Layer 2 MPLS/VPN extends the customer's Layer 2 connectivity across an MPLS network infrastructure. This model is called the Martini VPN. Layer 2 VPNs are extended to support the Virtual Private LAN Service.
- Layer 3 MPLS/VPN is used to extend the Internet routing protocol BGP to remote connection sites.

5.1. The Layer 2 MPLS/VPN model [7]
RFC 2547 provides an optimal framework for VPNs in IP networks. Although IP is the dominant protocol, it is not the only standardized protocol in use. Some customers, particularly in certain environments, have many requirements to extend Layer 2 communication infrastructure (Frame Relay, ATM, Ethernet, VLAN, TDM, transparent LAN services), and some service providers must supply capacity beyond their existing IP core and therefore need to keep offering Layer 2 services such as Frame Relay or ATM. A Layer 3 IP VPN does not satisfy these needs; instead a Layer 2 solution is required. Other proposals supporting provider-offered VPNs are Layer 2 MPLS/VPN (MPLS-based VPN). In the simplest case, this proposal defines a method of attaching a label to a Layer 2 PDU and forwarding the packet across the MPLS backbone.
5.1.1. Layer 2 VPN components
The most widely used proposal is Martini's. It is built on several initial concepts in combination with RFC 2547 VPNs. The provider routers, as in the RFC 2547 model, are unaware of the VPN: they simply keep forwarding packets over previously established LSPs. Likewise the customer edge (CE) routers operate without knowing about the MPLS VPN. The Martini VPN relies entirely on the service provider edge (PE) routers. Unlike RFC 2547, the Layer 2 solution is not a Virtual Private Routed Network (VPRN). The PE router does not take part in the end user's routing, so there is no procedure for building and maintaining a VPN Routing and Forwarding table (VRF).
5.1.2. The Martini model
It describes a method for encapsulating the various Layer 2 protocol types within the MPLS framework. An MPLS LSP is used as a virtual circuit (VC) or tunnel across the Internet. The Layer 2 protocol (for example Ethernet) is used at the ends of the VC. Layer 2 PDUs are carried across the Martini VC and delivered intact at the egress of the network. Even though an IP network exists across the Internet, the Martini technology allows it to be used as a pseudo Layer 2 connection. The Martini proposal, like RFC 2547, sets up tunnels between PE routers. Each tunnel is assigned a 32-bit virtual circuit identifier (VC-ID). Every virtual circuit within a service provider's network has its own unique VC-ID. The backbone LSPs are built to connect all the virtual circuits between a pair of PEs. A group ID may also be used to aggregate VCs; this is useful for wildcard operations such as removing a large number of VCs or rerouting packets after a failure.

Figure 5.1: LSP tunnels between PEs
5.1.3. Routing information
Provider edge routers taking part in a Martini VPN use the Label Distribution Protocol (LDP) to exchange VPN communication information. Note, however, that this does not imply that LDP must be the signalling protocol of the MPLS network: the MPLS signalling and control plane is completely separate from the VPN control plane. Note that LDP is a session-oriented protocol, meaning that two LDP peers set up a communication session (TCP based). Once a session is established, VC-ID data can be exchanged and any required Martini tunnels can be built. The data carried in the LDP packet consists of the VC-ID, the group ID, the VC type, the VC interface parameters and a control-word indication. The interface parameters hold specific information about the capabilities of an individual port, such as the MTU size, the number of ATM cells, and optional features that may be supported. The control-word indication is a single bit that signals the presence or absence of the Martini control word. The control word, when used, carries information specific to the encapsulation of a particular Layer 2 protocol type. Its contents include packet sequencing, the minimum packet size required when transported over certain media, and any other Layer 2 protocol control bits. Finally, LDP is used to advertise, withdraw and maintain the correct label bindings for a new Martini virtual circuit.
5.1.4. Data traffic
The basic rule for data traffic is the same as for RFC 2547 Layer 3 VPNs. A data packet is carried with two labels. The top label identifies only the remote router; it is used by the intermediate LSRs to forward the packet across the MPLS network. The remote PE router uses the bottom label to deliver the packet to the correct end user (the CE router) with the appropriate Layer 2 encapsulation. A practical difficulty in supporting Layer 2 VPNs is that there are many Layer 2 protocols, each with its own independent procedures. Each supported Layer 2 protocol is assigned an independent VC type identifier, and the types must be consistent on a VC. A Martini VPN does not bridge between two different Layer 2 protocols: if the ingress port is Ethernet, the egress port cannot be ATM. Later designs of the Martini proposal may, however, allow bridging between different encapsulation types.
5.2. The Layer 3 MPLS/VPN model (BGP/MPLS VPN) [7]
Today the most widely used Layer 3 VPN technologies are IPSec and MPLS/BGP. These technologies can support applications such as intranets, extranets and Internet access, providing connectivity between the different sites served by the service provider. First we look at BGP. The Border Gateway Protocol BGP is the current routing standard. BGP was designed to replace the Exterior Gateway Protocol EGP, which had a number of limitations. EGP created a tree-shaped backbone, which was not really useful for the Internet; nor is it BGP alone that made the Internet grow.
5.2.1. BGP/MPLS virtual private networks


RFC 2547 defines a technique that allows a provider to use an MPLS backbone to deliver VPN services to customers. RFC 2547 VPNs are also known as BGP/MPLS VPNs, because BGP is used to distribute VPN routing information across the provider's backbone and MPLS is used to forward VPN traffic from one VPN site to another. The main goals of this approach are:
- Make the service very simple for customers to use, even if they have little experience with IP routing.
- Make the service very advanced and flexible, easy to deploy on a large scale.
- Allow the solutions used to build a VPN to be implemented by the service provider alone, or jointly by the service provider and the customer.
- Allow the service provider to offer value-added services that satisfy customers.
5.2.1.1. BGP/MPLS network components
Within RFC 2547, a virtual private network is a collection of policies that control connectivity among a set of sites. A customer site is connected to the service provider through one or more ports, and the service provider associates each port with a routing table. In RFC 2547 each VPN routing table is called a VPN Routing and Forwarding (VRF) table.


Figure 5.2: Components of an RFC 2547 network [2]
- CE: Customer Edge, the customer edge router
- P: Provider Router, the provider's router
- PE: Provider Edge, the provider edge router
5.2.1.1.1. The customer edge router (CE)
A Customer Edge (CE) device gives the customer access to the service provider network over a data link to one or more provider edge routers. While the CE device can be a host or a Layer 2 switch, the typical CE device is an IP router that establishes a direct adjacency with its neighbouring PE router. Once the adjacency is established, the CE router advertises the site's local VPN routes to the service provider's PE router and learns the routes of the remote VPN sites from the PE.
5.2.1.1.2. The provider edge router (PE)
PEs exchange routing information with the CE routers through dynamic routing protocols such as RIPv2, OSPF or EIGRP. A PE keeps routing information only for the VPNs to which it is directly connected. This design improves the scalability of the RFC 2547 model, because it removes the need for a PE router to hold all VPN routes, which increases the scalability of BGP/MPLS. Each PE router maintains a VRF for each directly connected site. Each customer connection (such as a Frame Relay PVC, an ATM PVC, or a VLAN) is mapped to a specific VRF. Thus each connection is a port on a PE router, and it is the port rather than the site that is associated with the VRF. Note that multiple ports on a PE router can be associated with a single VRF. It is the PE router's ability to maintain multiple forwarding tables that supports the separation of VPN routing information. After learning the local VPN routes from the CE router, the PE router exchanges VPN routing information with other PE routers using IBGP. PE routers may maintain IBGP sessions to route reflectors as an alternative to a full mesh of IBGP sessions. Deploying route reflectors improves the scalability of the RFC 2547 model because it removes the need for any single network component to hold all VPN routes.


Finally, when MPLS is used to forward VPN data traffic across the service provider backbone, the ingress PE router functions as the ingress LSR and the egress PE router functions as the egress LSR.
5.2.1.1.3. The provider router
Provider routers (denoted P) are any routers inside the service provider's network that are not attached to CE devices. In an MPLS network they are the LSRs, whose function is to forward VPN data traffic between the PE routers. The traffic is forwarded across the MPLS backbone using a two-level label stack. The P routers are not required to maintain VPN routing information for each customer site.
5.2.1.2. Operation of BGP/MPLS
During operation, two main kinds of traffic appear in a BGP/MPLS virtual private network:
- A control flow, used in the network to carry VPN routing information and to determine the Label-Switched Paths across the provider's network.
- A data flow, used to forward customer data.

We explain the operation using the following model:

Figure 5.2: Operating model of BGP/MPLS


In the model above, hosts in site 1 can communicate with hosts in site 2 and vice versa, and hosts in site 3 can communicate with hosts in site 4 and vice versa.
5.2.1.2.1. Control flow
In a BGP/MPLS network the control flow consists of two main flows:
- The first control flow is responsible for exchanging routing information between the CE and the PE at the edges of the provider backbone, and between the PE routers across the provider backbone.
- The second control flow is responsible for setting up the LSPs between the provider's PEs once the routing information and the information from the data flow that the customer wants forwarded are available.
Setting up the label-switched paths: for a VPN to use MPLS to forward data across the service provider's network, LSPs must be set up between the PEs before traffic is carried through the network. LSPs can be established and maintained across the service provider's network using the Label Distribution Protocol (LDP) or the Resource Reservation Protocol (RSVP).

Figure 5.3: Label-switched paths in the provider network


The provider uses LDP if it needs to set up the shortest-path LSP between two PE routers; in this case the LSP follows the shortest route. The provider uses RSVP if it needs to assign bandwidth to the LSP or to use Traffic Engineering (TE) to select an explicit path for the LSP. LSPs signalled with RSVP support specific QoS guarantees and traffic engineering. One or more parallel LSPs (with different capabilities and services) can be established between the PEs. A Route Reflector acts as a server that reflects routes from an ingress PE to the egress PEs. If a provider uses route reflectors, LSPs must still be established between the PEs, because the route reflectors are not part of the forwarding path between the PEs.
5.2.1.2.2. Data flow
Let us consider the movement of data in BGP/MPLS. In the model below, a host in site 2 needs to communicate with a server in site 1. The host has address 10.2.3.4 and the server has address 10.1.3.8.

Figure 5.3: Data flow in BGP/MPLS
Host 10.2.3.4 forwards all packets destined for the server at IP address 10.1.3.8 through its default gateway. When a packet arrives at CE2, it performs a longest-match route lookup and forwards the IP packet to PE2. PE2 performs a lookup in VRF A and obtains the following information:
- The MPLS label advertised by PE1 with the route (assume label 222).
- The BGP next hop for the route (PE1's loopback address).
- The outgoing interface of the LSP from PE2 to PE1.
- The initial label of the LSP from PE2 to PE1.
User traffic is carried directly from PE2 to PE1 using MPLS with a label stack containing two labels. For this data traffic, PE2 is the ingress LSR of the LSP and PE1 is the egress LSR of the LSP. Before transmitting a packet, PE2 pushes label 222 onto the label stack as the bottom label. This label was first installed in VRF A when PE2 received PE1's IBGP advertisement of the route 10.1/16. Next, PE2 pushes the label associated with the LSP (set up with LDP or RSVP) to PE1 (the BGP next hop) onto the label stack as the top label. Having built the label stack, PE2 forwards the MPLS packet on the outgoing interface to the first P router of the LSP from PE2 to PE1. The P routers switch the packet across the service provider's backbone core on the top label. The last P router removes the top label (exposing the bottom or inner label) and forwards the packet to PE1. When PE1 receives the packet, it removes the label, recreating the original IP packet. PE1 uses the bottom label 222 to identify the directly attached CE that is the next hop for 10.1/16. Finally, PE1 forwards the IP packet to CE1, and CE1 forwards the packet to the server 10.1.3.8 in site 1.
5.2.1.3. Advantages of BGP/MPLS VPN
The biggest advantage of MPLS/VPN is that it simplifies network operation for the customer while letting the service provider add new value-added services profitably. Specifically, the benefits a BGP/MPLS VPN network brings are:
- No constraints on the addressing used by each customer. Customers can use public or private addresses. From the service provider's point of view, different customers can have overlapping address spaces.
- The edge router of each customer site (CE) does not exchange routing information directly with the edge routers of other customers. Customers also need not be concerned with routing between their sites, because that is the service provider's responsibility.
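The label-stack walk just described, as an added Python example that is not code from the thesis: PE2 looks the destination up in VRF A, pushes the VPN label 222 from the text and then the LSP label toward PE1, the P routers switch on the top label only, the last P router pops it, and PE1 uses the remaining VPN label to select the interface toward CE1. The LSP labels 17 and 18, the router and interface names, and the contents of VRF A are constructed assumptions.

```python
"""Data-plane walk of the page's example: host 10.2.3.4 (site 2) to server
10.1.3.8 (site 1).  PE2 looks 10.1.0.0/16 up in VRF A, pushes the VPN label
222 learned from PE1 over IBGP and then the LSP label toward PE1; the P
routers switch on the top label only, the last P router pops it, and PE1
uses label 222 to pick the interface toward CE1.  Constructed example: the
LSP labels 17 and 18 and the router/interface names are made up."""
import ipaddress

# PE2's VRF A: prefix -> (VPN label advertised by the remote PE, BGP next hop).
VRF_A = {
    ipaddress.ip_network("10.1.0.0/16"): (222, "PE1-loopback"),
}

# LSP toward PE1 as seen by PE2: the LDP/RSVP label binding for the BGP next hop
# and the first P router on the path.
LSP_TO_PE1 = {"PE1-loopback": (17, "P1")}

# Label forwarding tables of the core: (router, in_label) -> (action, out_label, next_hop).
LFIB = {
    ("P1", 17): ("swap", 18, "P2"),
    ("P2", 18): ("pop", None, "PE1"),   # last P router pops the top label
}

# PE1: VPN label -> directly attached CE interface for that VRF route.
PE1_VPN_LABELS = {222: "to-CE1"}


def vrf_lookup(vrf, dst):
    """Longest-match lookup in a VRF; returns (label, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, binding in vrf.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, binding)
    return None if best is None else best[1]


def forward(dst_ip):
    """Return a hop-by-hop trace: (router, action, label stack after the
    action, top label first).  A destination outside VRF A is dropped at PE2."""
    binding = vrf_lookup(VRF_A, dst_ip)
    if binding is None:
        return [("PE2", "drop: no route in VRF A", [])]
    vpn_label, bgp_next_hop = binding
    outer_label, hop = LSP_TO_PE1[bgp_next_hop]
    # Push order: the VPN label first (bottom), then the LSP label (top).
    stack = [outer_label, vpn_label]
    trace = [("PE2", "push", list(stack))]
    while hop != "PE1":
        action, out_label, next_hop = LFIB[(hop, stack[0])]
        if action == "swap":
            stack[0] = out_label
        elif action == "pop":
            stack.pop(0)                  # penultimate hop exposes the VPN label
        trace.append((hop, action, list(stack)))
        hop = next_hop
    # PE1 never consults an outer label: only the VPN label remains, and it
    # names the CE-facing interface for this VRF route.
    iface = PE1_VPN_LABELS[stack.pop(0)]
    trace.append(("PE1", "pop, deliver via " + iface, list(stack)))
    return trace
```

The core tables contain no customer prefix at all: P1 and P2 are keyed only by labels, which is the concrete form of the statement above that P routers hold no VPN routing information.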


- The VPN customer does not have to manage a backbone or a virtual backbone. The customer therefore does not need access control to PE or P routers.
- The service provider does not have to manage a separate backbone or virtual backbone for each VPN customer. The provider therefore does not need to manage access to the customer edge (CE) routers.
- The policies that determine whether a site is a member of a given VPN are the customer's policies. The RFC 2547 VPN management model allows the customer's policy to be implemented by the provider alone or by the service provider together with the customer.
- A VPN can span multiple service providers.
- Cryptographic techniques are not required, because security equivalent to that of a Layer 2 backbone (ATM or Frame Relay) is provided.
- The service provider can use a common infrastructure to deliver both Internet connectivity and VPN services.
- Flexible quality of service for VPN customer services is supported through the experimental bits in the MPLS header or through traffic-engineered LSPs (RSVP signalling).
- The RFC 2547 model is independent of the link layer (Layer 2).
5.2.2. Open issues and solutions
The RFC 2547 model uses a number of solutions to increase openness for customers and to address several VPN problems. The open issues include:
- Support for overlapping customer address spaces.
- Constrained network connectivity.
- Keeping VPN routing information up to date while guaranteeing backbone bandwidth and the packet-processing resources of the provider edge (PE) routers.


Within the scope of this thesis we address only overlapping customer address space.
Support for overlapping address space
BGP, in its standard format, can only handle routes with 32-bit IPv4 addresses. In the MPLS/VPN architecture, because each VPN must be able to use the same IP prefixes as other VPNs (when they do not communicate with each other), it is necessary to be able to distinguish routes that carry the same IPv4 address. BGP therefore has to be extended so that VPN information is unique within the MPLS/VPN backbone. Multiprotocol BGP (MP-BGP) and VPN-IPv4 routing information provide this extension. Although MP-BGP can identify and carry non-IPv4 routing information, we first look at how VPN routes are distinguished and how route selection is made among the many different customer routes. This is essential so that the decision process on the PE routers can keep customers' VPN information separate. We have just established that in the MPLS/VPN architecture all customers must be identified with routes that are unique within the backbone, without restricting the use of private addresses. The routes must be unique so that MP-BGP can treat the same prefix from two different VPNs as different. Consider the following model, where the problem is that the service provider's edge router in New York receives two identical IPv4 updates. In this case the PE router picks the best of the two routes it has just received according to the standard BGP decision process. This means that a mechanism is needed so that MP-BGP does not treat identical routes belonging to different VPNs as the same.


Figure 5.4: The PE router compares BGP routes
This mechanism consists of a 64-bit string prepended to the IPv4 address carried in the MP-BGP update. This bit string is called the route distinguisher, and it is different for each VPN (or for each subnet of the sites within a VPN), so that the addresses held in all VPNs are unique within the MPLS/VPN backbone. BGP treats one IPv4 address as different from another if their route distinguishers differ. A VPN-IPv4 (or VPNv4) address is the combination of the IPv4 address with the route distinguisher. This combination makes the IPv4 route globally unique across the MPLS/VPN network. The following figure shows the PE router distinguishing two identical IPv4 routes and handling them as separate entities belonging to different VPNs.


Figure 5.5: The PE router compares VPN-IPv4 routes
In the figure, when the PE router in New York receives an update for 10.2.1.0/24 from the PE routers in San Jose and Paris, the updates are now different because the route distinguishers differ. The update from San Jose is 100:26:10.2.1.0/24 and the update from Paris is 100:27:10.2.1.0/24. Although the route distinguisher mechanism solves the problem of VPN customers using the same private address range, it does not solve the problem of several customers within the same VPN using the same addresses inside their sites at the same time. To see why, consider the following example:

Figure 5.6: Using the same private addresses within one VPN
In the figure, the service provider's edge router in New York receives an MP-BGP update for the subnet 10.2.1.0/24 from two different VPNs, in this case from the EuroBank and FastFoods VPNs. The EuroBank VPN is configured to accept all routes tagged 100:26 or 100:27. This means it accepts all routes from members of the EuroBank or FastFoods VPNs, as long as they carry only those tags. When the router in New York compares the two routes to determine which one to install in the EuroBank VPN's Routing and Forwarding table (VRF), then depending on which route is chosen, connectivity to the other VPN site is lost. For example, if the New York router determines that the MP-BGP routing information for 10.2.1.0/24 received from the router in Paris is the best route, then connectivity from the EuroBank site in New York to destinations inside subnet 10.2.1.0/24 in the EuroBank San Francisco site is impossible. For this reason, MPLS/VPN designs must restrict the use of overlapping addresses to VPNs that do not communicate with other VPNs across the MPLS backbone, if the same address range is shared inside those sites.
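The two situations from figures 5.4 to 5.6 can be reproduced in a few lines, and the second one is worth detecting at design time. The following Python is an added example, not code from the thesis: the receiving PE keys its BGP table on the route distinguisher plus prefix, so both 10.2.1.0/24 updates survive; a VRF that imports both then runs a simplified best-path choice and reports the losing route as unreachable, which is the overlap the text warns about. The import rule is keyed on the RD values 100:26 and 100:27 exactly as the text describes it, and the PE names, local preference and the tie-break are constructed assumptions.

```python
"""Route distinguishers as MP-BGP uses them: the same IPv4 prefix received
from two PE routers becomes two distinct VPN-IPv4 routes once the RD is
prepended, yet a VRF that imports both still has to choose one, so the
other becomes unreachable from that VRF.  Constructed example reproducing
the page's New York / San Jose / Paris scenario; next-hop names, local
preference and the tie-break are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str        # route distinguisher in "AS:number" text form, e.g. "100:26"
    prefix: str    # IPv4 prefix, e.g. "10.2.1.0/24"
    next_hop: str  # advertising PE (constructed name)
    local_pref: int = 100

    @property
    def key(self):
        """The VPN-IPv4 NLRI: the RD makes the IPv4 prefix globally unique."""
        return f"{self.rd}:{self.prefix}"


def receive_updates(table, updates):
    """BGP table on the receiving PE.  With plain IPv4 keys the second
    10.2.1.0/24 would collide with the first; keyed on RD:prefix both are held."""
    for r in updates:
        table[r.key] = r
    return table


def import_into_vrf(table, accepted_rds):
    """Build a VRF from the routes whose RD is in the import list.  Returns
    (vrf, shadowed): vrf maps IPv4 prefix -> chosen route; shadowed lists
    routes for the same prefix that lost best-path selection and are
    therefore unreachable from this VRF, the overlap to flag at design time."""
    candidates = {}
    for r in table.values():
        if r.rd in accepted_rds:
            candidates.setdefault(r.prefix, []).append(r)
    vrf, shadowed = {}, []
    for prefix, routes in candidates.items():
        # Simplified best path: highest local preference, then lowest next-hop
        # name as a deterministic tie-break (the real process has more steps).
        routes.sort(key=lambda r: (-r.local_pref, r.next_hop))
        vrf[prefix] = routes[0]
        shadowed.extend(routes[1:])
    return vrf, shadowed


def demo():
    """The page's scenario: New York receives 10.2.1.0/24 from San Jose
    (RD 100:26) and from Paris (RD 100:27)."""
    updates = [
        Vpnv4Route("100:26", "10.2.1.0/24", "SanJose-PE"),
        Vpnv4Route("100:27", "10.2.1.0/24", "Paris-PE"),
    ]
    table = receive_updates({}, updates)
    return table, import_into_vrf(table, {"100:26", "100:27"})
```

A non-empty `shadowed` list is the condition to check before two VRFs with overlapping prefixes are allowed to import from each other; with the import set reduced to a single RD the list is empty and the VRF holds exactly one copy of the prefix.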

Chapter 6: Security and quality of service in MPLS/VPN


In this chapter we look at:
- How MPLS provides a security solution (separation of VPNs, resistance to attacks, hiding the core, and protection against spoofing).
- Which security mechanisms the MPLS architecture does not provide.
- A comparison of the level of security of MPLS/VPN with ATM or Frame Relay VPNs.
VPN users want the service provider to guarantee safety and privacy. In other words, they want their VPN to be isolated while retaining the portability and flexibility of sharing a common infrastructure platform. This chapter identifies the requirements for securing a VPN and how MPLS can meet them. Security for a VPN requires:
- Isolation of VPNs (addressing and traffic).
- Resistance to attacks.
- Hiding the core network structure.
- Resistance to spoofing.
6.1. Security in MPLS VPN
6.1.1. Isolation of VPNs

The key security concern for VPN users is that their traffic flows must be kept separate from the flows of other VPNs and from the traffic of the core network. That means that neither other VPNs' traffic nor core traffic can enter their VPN. Another requirement is that each VPN be able to use an IP address range without affecting or being affected by other VPNs or the core network. We analyse why the RFC 2547bis standard meets this requirement: first how separate address ranges are obtained, and then how data and control flows are clearly separated between VPNs and between a VPN and the core network.
6.1.1.1. Address space separation
In order to distinguish different addresses between different VPNs, RFC 2547bis does not use standard IPv4 (or IPv6) addresses in the control plane of the VPNs on the core network. Instead, the standard introduces the concept of VPN-IPv4 or VPN-IPv6 addresses. A VPN-IPv4 address consists of an 8-byte route distinguisher (RD) followed by the 4-byte IPv4 address, as shown in figure 6.1. Similarly, a VPN-IPv6 address consists of an 8-byte RD followed by the 16-byte IPv6 address.

Figure 6.1: Structure of a VPN-IPv4 address
The purpose of an RD is to allow the entire IPv4 address space to be used in another context (here, for the VPNs). On a router, an RD can identify a VPN Routing and Forwarding instance (VRF) within which the entire IPv4 address space can be used independently. That is, the RD makes the routes using a VPN's IPv4 addresses unique across the MPLS/VPN core. In the MPLS/VPN architecture only the service provider's PE routers need to know the VPN routes, and because the PE routers use VPN-IPv4 addresses for the VPNs, the address spaces of the VPNs are separate. Moreover, the IPv4 addresses used inside the core are different from the VPN-IPv4 addresses, so the core also has an address space independent of the various VPNs. This arrangement creates a clear distinction between VPNs and between the VPNs and the core network.
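The byte layout of figure 6.1, as an added Python example that is not code from the thesis: it packs an 8-byte RD in front of the 4-byte IPv4 address, splits the 12 bytes back apart, and shows that the same IPv4 address placed in two VRFs with different RDs yields two different VPN-IPv4 keys whose IPv4 part is identical. The "AS:number" text form is encoded as the type-0 RD (2-byte type, 2-byte administrator, 4-byte assigned number); the VRF names are made up.

```python
"""Byte layout of a VPN-IPv4 address as figure 6.1 describes it: an 8-byte
route distinguisher followed by the 4-byte IPv4 address.  Added example,
not from the thesis; it uses the type-0 RD form (2-byte type, 2-byte
administrator number, 4-byte assigned number) for the "AS:number" text
notation, and the VRF names are constructed."""
import ipaddress
import struct

RD_TYPE_TWO_BYTE_ADMIN = 0


def encode_rd(text):
    """'100:26' -> 8 bytes: type 0, administrator 100, assigned number 26."""
    admin, number = (int(x) for x in text.split(":"))
    return struct.pack("!HHI", RD_TYPE_TWO_BYTE_ADMIN, admin, number)


def decode_rd(raw):
    rd_type, admin, number = struct.unpack("!HHI", raw)
    if rd_type != RD_TYPE_TWO_BYTE_ADMIN:
        raise ValueError(f"only type-0 RDs are handled here, got type {rd_type}")
    return f"{admin}:{number}"


def vpn_ipv4_address(rd_text, ipv4_text):
    """RD || IPv4 address: 12 bytes in total."""
    return encode_rd(rd_text) + ipaddress.IPv4Address(ipv4_text).packed


def split_vpn_ipv4(raw):
    """Inverse of vpn_ipv4_address: (rd_text, ipv4_text)."""
    if len(raw) != 12:
        raise ValueError("a VPN-IPv4 address is exactly 12 bytes")
    return decode_rd(raw[:8]), str(ipaddress.IPv4Address(raw[8:]))


def distinct_address_spaces(vrf_rds, ipv4_text):
    """Same IPv4 address in several VRFs -> one distinct VPN-IPv4 key per VRF.
    vrf_rds maps VRF name -> RD text."""
    return {name: vpn_ipv4_address(rd, ipv4_text) for name, rd in vrf_rds.items()}
```

Only the PE routers and MP-BGP ever see the 12-byte form; the core's own IPv4 addresses are never prefixed with an RD, which is what keeps the core address space separate from every VRF.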

Figure 6.2: Address planes in an MPLS/VPN network
6.1.1.2. Traffic separation
VPN traffic comprises VPN traffic flows in the data plane and in the control plane. VPN users require that their traffic not be mixed with other VPN traffic or with core traffic, that is, packets are not sent into another VPN and vice versa. In the service provider's network this requirement is equally clear, because the traffic has to be carried across the MPLS core. Here we distinguish control plane and data plane traffic. The control plane is where traffic originates and terminates inside the core network; the data plane carries the traffic from the various VPNs. This VPN traffic is encapsulated, usually in an LSP, and sent from PE to PE. Because of this encapsulation, the core never sees the VPN traffic flows.

76

L Ph m Minh Thng

Lun vn tt nghip

MPLS v ng dng MPLS/VPN

Hnh 6. 3: Tch bit lu lng 6. 1. 2. Chng li cc s tn cng Trong nhng nm v a qua, s lng cc cuc tn cng khng ch nhm vo cc ng dng m cn tn cng trc tip vo c s h tng mng. V th nh cung cp dch v phi ch trng ti v n bo mt cho mng li. Tn cng t chi dch v l mt v d, nhng trn mi trng mng MPLS/VPN th n cng nguy him hn: nu k tn cng (tm gi l hacker) c th nm quyn kim sot thit b PE, th bo mt ca bt k VPN trn mng MPLS li no c ng c th b tn hi, d kt ni ti PE ny hay khng. 6. 1. 2. 1. Ni mt mng li MPLS c th b tn cng Nh cp n phn trc, cc VPN c tch bit v i nhau v v i mng li. cng l m t hn ch kh nng tn cng cc im: hnh sau m t rng, ch interface ni m mt VPN c th thy c mng li v v gi cc gi tin ti mt thit b ca mng li: l b nh tuyn PE bi v mch kt ni gia cc b nh tuyn CE v PE thuc v VPN. V th, ch c cc im tn cng nhn thy t mt VPN l: tt c cc interface c a b nh tuyn PE kt ni ti b nh tuyn CE ca khch hng. Trong hnh, VPN1 ch c th thy interface PE n kt ni ti v khng th v i cc interface trn PE khc. Ch rng c m t im tn cng cho m t kt ni CE-PE, v th tt c interface c a PE ny phi c bo v cho ton khng gian VPN.

Figure 6.4: Address ranges visible from a VPN

Note that a CE router is never trusted, even when the CE router is managed by the service provider. The reason is that the CE always sits on the customer's premises and can be replaced by another router or even, in some cases, by a workstation. A PE router, on the other hand, must always be trustworthy, and this must be ensured, because an intruder on a PE router can endanger every other VPN. That means the PE router must always be in a secure environment.

6.1.2.2. How an MPLS core is attacked

In theory, a PE router can be attacked either by transit traffic (traffic whose destination is another PE) or by traffic addressed to this PE itself. Transit traffic usually has little impact, because routers are designed to forward packets as fast as possible. Naturally, a router must have the capacity to handle the transit load. However, some kinds of packets cannot be handled in hardware and can raise the load on the router, so a large number of such packets can lead to a DoS condition on the router. Packets with IP options are one example: a packet with IP options has a variable-length header and therefore cannot be looked up in the ASICs. This means packets with IP options may be switched in software, which reduces the router's performance.

Received traffic, i.e. traffic whose destination is the PE itself, needs more attention because it affects the PE directly. There are two kinds of attack:

DoS: the hacker tries to exhaust all of the PE router's resources. This can be done, for example, by sending the router a large number of update packets so that its memory is used up.

Intrusion: the hacker tries to use a legitimate channel to configure the PE router, for example the telnet or SSH port, or SNMP.

6.1.2.3. How the core is protected

All of these attack possibilities can be controlled by correct configuration. We can apply an access control list (ACL) to every interface of the PE router. If routing is required, the routing port must not be blocked by the ACL. A hacker can then only attack the routing protocol directly. From the analysis above, the PE router accepts packets on the port used for the routing protocol, and that protocol is secured; every other packet addressed to the PE is dropped by the ACL.

The MPLS VPN architecture provides better security here. First, the interface into the core is limited and only the IP address of the PE router is exposed, which means a higher level of safety. In this way an MPLS VPN core is less exposed to attacks from outside than a traditional IP network, where the interfaces on all the core routers can be targets of network attacks. Second, a further advantage of MPLS is that it uses edge routers towards the outside, which makes it easier to secure. By comparison, a traditional IP core is fairly open by default: every component of the network is reachable from outside the network. This can be restricted in various ways, such as ACLs or core-hiding techniques, but in an MPLS core most of the core devices are unreachable by design. Note that this depends on how routing on the Internet is performed: with a global routing table the risk of attack is also high. An MPLS core restricts access to the global routing table from outside, which makes MPLS more secure.

6.1.3. Hiding the core structure

Layer 2 VPN technologies such as Frame Relay or ATM have the property that the VPN user cannot see the architecture of the core. That is because the user connects a Layer 3 device to a Layer 2 network, so the Layer 2 platform is hidden from the user. An MPLS VPN network hides the network infrastructure by its structure. As noted above, only the peering PE address is exposed to the user; the P routers are entirely hidden. It is important to understand that the core is hidden not by ACLs but by the separation of address spaces in the MPLS core: even if the address of some P router leaks outside, it does not belong to the user's address space and is therefore unreachable. The only exception is the peering address of the PE router. However, the address range of the CE-PE link belongs to the VPN, not to the core; in practice, the same address ranges can be used in several VPNs without conflict. So although a PE address is visible from a VPN, strictly speaking no information is exposed, because that address is part of the VPN address range. There is nevertheless a way to hide the PE router completely from VPN users: use unnumbered links and static routing between PE and CE.

6.1.4. Protection against spoofing

Spoofing is a security violation in which a hacker gains illegitimate access to a computer system under the identity of a legitimate user. The simplest form of spoofing is to obtain a user's name and password and log in with them. Another way is to use equipment such as a network analyser to monitor and capture the traffic on the network, and then to inject forged packets into the data stream.

In the early days of the Internet, the source address of a packet was taken as proof that the packet had been sent from that IP address. Today IP address spoofing is an everyday occurrence in many kinds of attack. Since MPLS is a Layer 3 technology, users worry about spoofing on the network, both at the IP level and in the labels used by MPLS protocols. The questions raised are "Can another VPN user spoof my IP address to get into my VPN?" and "Can someone spoof a VPN label to get into my VPN?". They are easily answered:

IP address spoofing: we know that a VPN can use the whole IP address range, from 0.0.0.0 to 255.255.255.255. A VPN site or host can spoof an IP address, but the spoofed address is still local to that VPN. This is precisely the strength of the MPLS VPN architecture: a VPN user can use the whole address range, including the spoofed address, and to that user the VPN looks like a network in its own right. This is possible because the PE routers keep all packets inside the VRF (VPN Routing and Forwarding instance), so even a spoofed packet cannot escape the VPN. Therefore a spoofed IP address in one VPN does not affect another VPN.

Label spoofing: inside an MPLS core the packets of different VPNs are distinguished by the RD (route distinguisher). A malicious VPN user might create packets with forged labels and inject them into the MPLS core, trying to push them into other VPNs. This is not possible, because PE routers do not accept labelled packets from customer routers; a forged packet is dropped by the PE.

6.1.5. Security comparison with ATM/Frame Relay

Many companies that previously used VPN services based on ATM or Frame Relay are migrating to MPLS VPN services. New MPLS users often worry about the fact that an MPLS VPN service has a Layer 3 control plane. However, as seen above, these Layer 3 services can be secured and are suitable for providing VPN services. ATM/Frame Relay may be perceived as more secure because they are not vulnerable to Layer 3 attacks (although ATM/FR switches also have a Layer 3 control plane, for example telnet). Yet Layer 2 security in these technologies is often not as good as expected. We now discuss and compare these points.

VPN separation: a VPN user requires their VPN to be separated from other VPNs and from the core. In Layer 2 technology this is achieved entirely by layering: the core uses Layer 2, so the Layer 3 information of each VPN is kept apart. In MPLS VPN technology the separation is logical, achieved by maintaining separate environments on a single service provider router. The two technologies differ but give the same result: each VPN can use the whole address range within its VPN and cannot send packets to other VPNs in the same core.

Resistance to attacks: VPN users require a stable service that cannot be attacked from outside. For many VPN users it is unacceptable for a VPN service to be affected by an external DoS attack. Worse, a hacker who gains control of a network element can control any VPN. A VPN technology must therefore withstand attacks. MPLS VPNs are frequently reachable from the Internet, so a skilled hacker with enough time might reach a PE router over the Internet. As shown in the previous sections, the core has only a few interface points towards the outside. An MPLS core cannot be compared with a traditional IP core where every router is reachable (assuming the MPLS core has no global interfaces to the outside, only VRF interfaces). Moreover, only individual interfaces are reachable, and they are well secured. It is therefore hard to attack an MPLS network directly.

ATM or Frame Relay networks also resist attacks. However, ATM and Frame Relay switches also have a Layer 3 control plane (e.g. telnet) and can be attacked if not well protected. If correctly configured, both kinds of VPN are hard to attack.

Hiding the core infrastructure: in a Layer 2 network the core is hidden from the VPN user, who works at Layer 3. The MPLS VPN core is also hidden from the VPN user, although by a different method: most addresses are hidden by its structure, and the only visible part is the peering PE address. That address, however, is part of the VPN address range, so in practice no information about the core is available to the user from outside.

No VPN spoofing: we know that it is impossible to spoof another VPN or the core. The same holds for ATM and Frame Relay: there is no way to spoof the signalling mechanism, such as the Virtual Path Identifier/Virtual Circuit Identifier (VPI/VCI), in order to impersonate another VPN.

CE-CE visibility: one advantage of point-to-point ATM/FR services over MPLS VPN is that, because they are Layer 2 services, the CEs can establish Layer 3 neighbour relationships directly and can see the other CEs. For example, the Cisco Discovery Protocol (CDP) can be used to learn the basic properties of a neighbouring router, including its Layer 3 link address, so a customer router can to some extent identify the CE at the far end of the point-to-point connection. In the MPLS architecture this is not possible: a CE router cannot see the other CEs in its VPN directly. This is due to the connection model of the MPLS VPN architecture: an MPLS VPN connects a CE to a network cloud. This avoids the overhead of setting up tunnels to every other CE, but as a consequence there is no direct information about neighbouring CEs.

Security comparison of MPLS with ATM/Frame Relay

                               MPLS   ATM/Frame Relay
VPN separation                 Yes    Yes
Resistance to attacks          Yes    Yes
Hiding the core architecture   Yes    Yes
VPN cannot be spoofed          Yes    Yes
CE-CE information              No     Yes
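The CE-facing protection of section 6.1.2.3 (an ACL that admits only the routing protocol to the PE address) together with the rule of 6.1.4 that a PE never accepts labelled packets from a customer router, simulated as an added example that is not code from the thesis. The interface addresses, VRF name and packets are constructed sample values, and the CE-PE routing protocol is assumed to be BGP on TCP port 179.

```python
"""CE-facing ingress policy of a PE router, simulated.

Added example (not from the thesis). Interface addresses, VRF names and the
packets below are constructed sample values. The routing protocol on the
CE-PE link is assumed to be BGP (TCP port 179).
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class CeInterface:
    """A CE-facing PE interface: the VRF it belongs to, the PE's own link
    address and the only CE address allowed to talk routing to it."""
    name: str
    vrf: str
    pe_addr: str
    ce_peer: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: int = 0
    labeled: bool = False   # MPLS label stack present on the frame
    ip_options: bool = False


ROUTING_PORT = 179  # BGP; the single port the ACL leaves open towards the PE


def pe_ingress(iface: CeInterface, pkt: Packet) -> str:
    """Return the PE's verdict for one packet arriving on a CE-facing interface."""
    if pkt.labeled:
        # Labelled packets from customer routers are never accepted, so a
        # forged label cannot steer a packet into another VPN.
        return "drop:labeled-from-ce"
    if pkt.dst == iface.pe_addr:
        # Traffic addressed to the PE itself: the ACL admits only the routing
        # protocol from the configured peer; telnet, SSH, SNMP etc. are dropped.
        if pkt.proto == "tcp" and pkt.dport == ROUTING_PORT and pkt.src == iface.ce_peer:
            return "accept:routing"
        return "drop:acl"
    # Transit traffic is forwarded inside the interface's VRF whatever its
    # source address, so a spoofed source cannot leave the customer's VPN.
    # Packets with IP options are still forwarded but flagged: they are
    # switched in software, and a flood of them is a DoS signal worth counting.
    if pkt.ip_options:
        return f"forward:{iface.vrf}:punted-ip-options"
    return f"forward:{iface.vrf}"


def tally(iface: CeInterface, pkts) -> Counter:
    """Count verdicts so an operator can see drops and punts per interface."""
    return Counter(pe_ingress(iface, p) for p in pkts)


if __name__ == "__main__":
    ce = CeInterface("Gi0/1", "CUST_A", pe_addr="10.255.0.1", ce_peer="10.255.0.2")
    sample = [  # constructed traffic mix
        Packet("10.255.0.2", "10.255.0.1", "tcp", 179),           # BGP from the CE peer
        Packet("10.255.0.2", "10.255.0.1", "tcp", 22),            # SSH to the PE
        Packet("10.255.0.9", "10.255.0.1", "tcp", 179),           # BGP from a non-peer
        Packet("10.1.2.3", "10.1.9.9", "tcp", 443),               # normal customer transit
        Packet("192.0.2.7", "10.1.9.9", "tcp", 443),              # spoofed source, stays in VRF
        Packet("10.1.2.3", "10.1.9.9", "udp", 53, labeled=True),  # forged label
        Packet("10.1.2.3", "10.1.9.9", "icmp", ip_options=True),  # IP options: punted
    ]
    for verdict, count in tally(ce, sample).items():
        print(f"{count:3d}  {verdict}")
```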

MPLS VPN can only be secure if it is configured and operated correctly.

6.2. Quality of service in MPLS VPN networks

For quality of service (QoS), the mechanisms used must be flexible enough to support many different kinds of VPN customer and, at the same time, scalable enough to support a large number of VPN customers. For instance, the service provider must be able to offer each VPN customer several classes of service (CoS) per VPN, where different applications within the same VPN can receive different CoS. In this way, e-mail can receive one CoS while a real-time application receives another. Moreover, the CoS an application receives in one VPN may differ from the CoS the same application receives in another VPN, so the QoS mechanisms must allow the provider to decide which kind of data receives which CoS in each VPN. Furthermore, not every VPN has to use every CoS the VPN provider offers, so the set of QoS mechanisms must also allow the provider to decide which CoS form the basis of a given VPN.

Class of Service (CoS)

Whereas QoS concerns the overall quality of service delivered across the network, a class of service defines a particular level of service required for one type of traffic: voice, video or data. Many enterprises require guarantees on a converged infrastructure, so the provider needs several classes of service to support mission-critical applications. QoS techniques in a VPN distinguish between traffic types and give priority to mission-critical or delay-sensitive traffic such as voice and video. They also let the VPN manage congestion across links of varying bandwidth. Providers offer classes of service such as a first class with controlled delay, a second class with controlled load and a third class of best effort. Businesses require more classes, for example:

Level 4: real time (voice, video)
Level 3: business interactive (call signalling, SNA system network traffic, reliable transactions)
Level 2: real time (streaming video, network management)
Level 1: business LAN-to-LAN (intranet web, IBM Lotus Workplace)
Level 0: best-effort data (mail transfer, FTP, Internet web)

For each CoS the provider must specify clear standard attributes for delay, availability and packet loss in the service level agreement (SLA), together with measured performance values and QoS reporting appropriate to the CoS offered.

Before going into the QoS mechanisms used in BGP/MPLS VPNs, we consider the two models used to express QoS in a VPN: the pipe model and the hose model.

In the pipe model, the VPN provider gives a VPN customer a QoS guarantee for data travelling from one customer CE router to other CE routers. Conceptually this model is a pipe connecting two routers, with a defined QoS guaranteed for the traffic between the two routers inside the pipe. An example of a guarantee that can be offered in the pipe model is a guaranteed minimum bandwidth between two sites. The pipe model can be refined by allowing only certain kinds of traffic (corresponding to certain applications) from one CE to other CEs to use the pipe; which traffic may use the pipe is determined at the PE router at the head of the pipe. Note that the pipe model is quite similar to the QoS model that VPN customers have today with Frame Relay or ATM solutions. The basic difference is that with ATM or Frame Relay the connections are bidirectional, whereas a pipe provides a guaranteed connection in one direction only. This unidirectional nature of the pipe model allows connections to be set up for applications with asymmetric traffic, where the traffic from one site to another differs from the traffic in the opposite direction.

The second model is the hose model. In this model the VPN provider gives the customer guarantees for the traffic that the customer's CE router sends to, and receives from, the other CE routers in the same VPN, without the customer having to specify how that traffic is distributed among the other CE routers. Consequently, unlike the pipe model, the hose model does not require the customer to know the traffic matrix, which eases the burden on customers who want to use the VPN service. The hose model uses two parameters, ICR and ECR: ICR is the total traffic a CE may send to the other CEs, and ECR is the total traffic a CE may receive from the other CEs. In other words, ICR represents the aggregate traffic from a given CE and ECR the aggregate traffic to a given CE. Note that for a CE the ICR need not equal the ECR. The hose model supports several levels of CoS corresponding to services with different parameters; for example, one service may require a lower packet loss than another. For services that require strong guarantees (such as bandwidth guarantees), the pipe model is more suitable. The pipe and hose models are not mutually exclusive: a provider can offer a VPN customer a combination of both, letting the customer decide which kind of service to buy for which CoS level.

In a BGP/MPLS VPN, the pipe model is supported using bandwidth-guaranteed LSPs. These LSPs start and end at the PE routers and provide guaranteed bandwidth for all the pipes from one PE to another. That is, if a pair of PE routers has many directly attached CE routers with pipes between them, instead of one bandwidth-guaranteed LSP per pipe we use a single bandwidth-guaranteed LSP for all of them. Using one bandwidth-guaranteed LSP to carry many pipes between a pair of PE routers improves the scalability of the model: the number of LSPs the provider must set up and maintain depends on the number of PE router pairs, not on the number of pipes of its VPN customers.

To support CoS in the hose model, the provider uses the Diff-serv support of MPLS. The provider can also use traffic engineering to improve the utilisation of the network while still meeting the desired quality targets. The procedures by which the ingress PE router determines which traffic belongs to which CoS are independent of whether the pipe or hose model is used, and are entirely local to the PE router. They can consider factors such as the ingress interface, source and destination IP addresses, TCP port numbers, or a combination of these, which gives the provider flexibility in controlling which traffic receives which treatment.

Although the contract between customer and provider specifies a particular bandwidth and CoS, the customer may still send traffic exceeding the subscribed bandwidth. To determine whether traffic is within the agreed bandwidth, the provider applies policing at the ingress PE router. For traffic exceeding the agreed bandwidth, the provider has two options: either discard the excess immediately at the ingress PE router, or forward it but mark it differently from in-contract traffic. With the second option, to reduce out-of-order delivery, both in-contract and out-of-contract traffic are sent on the same LSP; the out-of-contract traffic is marked and will be dropped first in case of congestion.

6.3. Trends and opportunities

When deploying MPLS VPN technology, a service provider has the following opportunities:

- Customers expand their usage and gain more benefit, which increases profit and the flexibility of VPN services over IP and MPLS.
- MPLS VPN lets the provider sell managed IP services in addition to access, raising the revenue ceiling.
- Customised VPN services for each business customer, increasing differentiation and adding value through packaged data, video, voice, network security, wireless access and other options.
- Higher profit through lower cost of providing VPN services and operating the network, as well as simpler management of a single network.
- Flexibility to change the internal network structure so as to use resources efficiently.
- MPLS supports the network's ability to deliver dedicated, on-demand services to customers.
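The pipe and hose models of section 6.2, as an added example that is not code from the thesis: the script maps customer pipes onto one bandwidth-guaranteed LSP per PE pair (the scalability argument above), checks a traffic matrix against per-CE ICR/ECR hose parameters, and splits an offered rate into in-contract and out-of-contract shares as the ingress PE policer would. The sites, PE attachments, pipes and rates (in Mbit/s) are constructed sample values.

```python
"""Pipe and hose QoS models for a BGP/MPLS VPN, as an added example.

Not from the thesis. The sites, PE attachments, pipes and rates are
constructed sample values (Mbit/s).
"""
from collections import defaultdict

# Constructed topology: the PE each customer CE attaches to.
CE_TO_PE = {"CE1": "PE1", "CE2": "PE1", "CE3": "PE2", "CE4": "PE3"}

# Pipe model: unidirectional (source CE, destination CE, guaranteed bandwidth).
PIPES = [
    ("CE1", "CE3", 10), ("CE2", "CE3", 5), ("CE3", "CE1", 2),
    ("CE1", "CE4", 8), ("CE4", "CE2", 4),
]


def aggregate_pipes(pipes, ce_to_pe):
    """Map pipes onto one bandwidth-guaranteed LSP per ordered PE pair.

    Each (ingress PE, egress PE) gets a single LSP whose bandwidth is the sum
    of the pipes it carries, so the LSP count grows with the number of PE
    pairs rather than with the number of customer pipes."""
    lsps = defaultdict(int)
    for src, dst, bw in pipes:
        ingress, egress = ce_to_pe[src], ce_to_pe[dst]
        if ingress != egress:          # pipes between CEs on one PE need no core LSP
            lsps[(ingress, egress)] += bw
    return dict(lsps)


def check_hose(traffic, icr, ecr):
    """Hose model feasibility check.

    traffic: {(source CE, destination CE): rate}. A CE may send at most its ICR
    in total and receive at most its ECR in total; the two need not be equal.
    Returns a list of (CE, 'ICR' or 'ECR', offered, limit) violations."""
    sent, received = defaultdict(int), defaultdict(int)
    for (src, dst), rate in traffic.items():
        sent[src] += rate
        received[dst] += rate
    violations = []
    for ce in sorted(set(icr) | set(ecr)):
        if sent[ce] > icr.get(ce, 0):
            violations.append((ce, "ICR", sent[ce], icr.get(ce, 0)))
        if received[ce] > ecr.get(ce, 0):
            violations.append((ce, "ECR", received[ce], ecr.get(ce, 0)))
    return violations


def police(rate, contracted):
    """Ingress PE policing with the second option from the text: the excess is
    not dropped at ingress but marked out-of-contract and carried on the same
    LSP as the in-contract traffic, to be discarded first under congestion."""
    in_contract = min(rate, contracted)
    return {"in-contract": in_contract, "out-of-contract": rate - in_contract}


if __name__ == "__main__":
    lsps = aggregate_pipes(PIPES, CE_TO_PE)
    print(f"{len(PIPES)} pipes carried on {len(lsps)} LSPs: {lsps}")
    traffic = {("CE1", "CE3"): 10, ("CE2", "CE3"): 5, ("CE3", "CE1"): 2}
    print(check_hose(traffic, icr={"CE1": 10, "CE2": 5, "CE3": 4},
                     ecr={"CE1": 6, "CE2": 6, "CE3": 12}))
    print(police(rate=14, contracted=10))
```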

CONCLUSION

After a period of studying Multiprotocol Label Switching (MPLS) and the MPLS VPN application, the student has obtained the following results:

- An understanding of the difficulties and limitations of traditional switching technologies and of the need for MPLS.
- An understanding of the architecture of an MPLS network, the label switching and label creation process, the different modes of operation of MPLS, and the applications of multiprotocol label switching, most notably VPNs over MPLS.
- An understanding of VPN technology and the protocols used in VPNs, including IPSec and its steps of operation.
- An understanding of the MPLS VPN network models, Layer 2 and Layer 3 MPLS VPN, their advantages and their open issues.
- A grasp of security and quality of service in MPLS VPN and of the risks an MPLS VPN model faces, as well as the opportunities and trends for service providers deploying MPLS VPN.

MPLS VPN is clearly a technology with many advantages that more and more enterprises will choose to deploy, so MPLS VPN will have a large market. However, this is a broad subject that requires deep knowledge and a long time to study, so shortcomings within the scope of this thesis are unavoidable; comments from teachers and friends are most welcome. Sincere thanks!


TABLE OF CONTENTS

INTRODUCTION .... 1
Part 1: Multiprotocol Label Switching (MPLS) .... 3
Chapter 1. Overview of the MPLS architecture .... 3
1.1.1. Scalability .... 4
1.1.2. Traffic engineering .... 5
1.1.3. Quality of service (QoS) .... 5
1.2. What is multiprotocol label switching? .... 7
1.2.2. Label creation at the network edge .... 10
1.2.3. MPLS packet forwarding and label switched paths .... 13
1.3. Other applications of MPLS .... 13
1.3.1. Traffic engineering .... 14
1.3.2. Virtual Private Networks (VPN) .... 14
1.3.3. IP and ATM integration .... 14
2.1. Data-plane operation of frame-mode MPLS .... 16
2.1.1. The MPLS label stack header .... 17
2.1.3. MPLS label switching with the label stack .... 19
2.2. Label distribution and binding in frame-mode MPLS .... 20
2.2.2. Label distribution and binding .... 21
2.2.3. Convergence in frame-mode MPLS networks .... 22
2.3. Penultimate hop popping .... 23
3.1. Control-plane connectivity across LC-ATM interfaces .... 27
3.2. Forwarding of labelled packets across the ATM-LSR domain .... 28
3.3. Label distribution and allocation across the ATM-LSR domain .... 30
Part 2: Virtual private networks over MPLS .... 34
4.1. Introduction to Virtual Private Networks (VPN) .... 34
4.2. Evolution of VPNs .... 35
4.3. VPN classification .... 37
4.4. VPN functions .... 38
4.5. Tunnelling and encryption .... 38
4.6. Protocols used for VPNs .... 39
4.6.1. Layer 2 Tunnelling Protocol (L2TP) .... 39
4.6.2. Generic Routing Encapsulation (GRE) .... 40
4.6.3. IP Security Protocol (IPSec) .... 41
4.3.1.1.2. Encapsulating Security Payload (ESP) .... 43
4.6.3.2. IPSec data transfer modes .... 44
4.6.3.2.1. Tunnel mode .... 44
4.6.3.2.2. Transport mode .... 45
4.6.3.3. IPSec operation .... 46
4.6.3.3.1. Step 1: identifying interesting traffic .... 46
4.6.3.3.2. Step 2: IKE Phase 1 .... 47
4.6.3.3.3. Step 3: IKE Phase 2 .... 50
4.6.3.3.4. Step 4: IPSec session .... 52
4.6.3.3.5. Step 5: tunnel termination .... 53
4.7.1. Overlay VPN model .... 54
4.7.2. Peer-to-peer VPN model .... 55
4.7.2.1. Peer-to-peer VPN model with a shared PE router .... 57
4.7.2.2. Peer-to-peer VPN model with dedicated PE routers .... 57
4.7.2.3. Comparison of peer-to-peer VPN types .... 58
Chapter 5: MPLS/VPN network models .... 60
5.4.1. Layer 2 VPN components .... 61
5.4.2. The Martini model .... 62
5.4.3. Routing information .... 62
5.4.4. Data traffic .... 63
5.2.1. BGP/MPLS VPNs .... 63
5.2.1.1. BGP/MPLS network components .... 64
5.2.1.1.1. Customer edge router (CE) .... 65
5.2.1.1.2. Provider edge router (PE) .... 65
5.2.1.1.3. Provider router .... 66
5.2.1.2. BGP/MPLS operation .... 66
5.2.1.2.1. Control flow .... 67
5.2.1.2.2. Data flow .... 68
5.2.1.3. Advantages of BGP/MPLS VPN .... 69
5.2.2. Open issues and solutions .... 70
Chapter 6: Security and quality of service in MPLS/VPN .... 74
6.1. Security in MPLS VPN .... 75
6.1.1. VPN separation .... 75
6.1.1.1. Address space separation .... 75
6.1.1.2. Traffic separation .... 76
6.1.2. Resistance to attacks .... 77
6.1.2.1. Where an MPLS core can be attacked .... 77
6.1.2.2. How an MPLS core is attacked .... 78
6.1.2.3. How the core is protected .... 79
6.1.3. Hiding the core structure .... 80
6.1.4. Protection against spoofing .... 80
6.1.5. Security comparison with ATM/Frame Relay .... 81
6.2. Quality of service in MPLS VPN networks .... 84
6.3. Trends and opportunities .... 87
CONCLUSION .... 88
REFERENCES .... 89
