
A comparison of traditional VPNs and MPLS-VPNs

This article compares traditional VPNs with VPNs built on Multiprotocol Label Switching (MPLS). It first examines the capabilities and limitations of traditional VPNs, then outlines the architecture and operation of MPLS-VPNs to make clearer the advantages a VPN gains from MPLS.

Eng. NGUYEN TRONG HIEP, Eng. LAM VAN, MSc. NGUYEN HOANG HAI

Overview of traditional VPNs

Traditional VPNs rely on security functions such as tunneling, data encryption and authentication to protect data in transit between two endpoints. Many different protocols are used for these VPNs, including GRE, PPTP, L2TP and IPSec. All of them are based on creating a private transmission path and applying data encryption algorithms. This article concentrates on IPSec, because it is now widely used for VPNs and the other protocols above all have limitations compared with it. Consider a simple example of an IPSec tunnel between two sites in a VPN: site A is connected to site B across the service provider's network or the public Internet, using IPSec with 3DES encryption (Figure 1).

Figure 1. Connection between computer A and computer B in a VPN

The first and most visible limitation of IPSec is that it reduces network performance. Consider the path of a packet sent from computer A in network A to computer B in network B. The packet from computer A is sent to CPE (Customer Premise Equipment) A. CPE-A examines the packet to decide whether it needs to be forwarded to CPE-B. In a network without a VPN, the packet would be transmitted to CPE-B immediately. With IPSec, however, CPE-A must perform several operations before sending the packet on. First the packet is encrypted, then it is encapsulated in a new IP packet; this work takes time and delays the packet. Next the packet enters the service provider's network. If the newly formed packet is larger than the maximum transmission unit (MTU) permitted on any link between CPE-A and CPE-B, it has to be fragmented into two or more smaller packets. This happens only when the DF (Don't Fragment) bit is not set; if the DF bit is set, the packet is discarded and an ICMP (Internet Control Message Protocol) message is returned to the sender. When the packet reaches CPE-B it is decapsulated and decrypted, two more operations that add delay. Finally, CPE-B forwards the packet to computer B. The delay depends on the complexity and processing speed of the CPEs. Low-end CPE devices usually perform most IPSec functions in software, which makes the delay large. CPE devices that implement IPSec functions in hardware can speed up packet processing considerably, but they are very expensive, so deploying an IPSec VPN is costly.

The example shows that an IPSec VPN is an overlay on the IP network: information is exchanged by establishing tunnels between sites, which leads to sub-optimal network topologies. To see this more clearly, consider two topologies: hub-and-spoke and full mesh. A hub-and-spoke topology consists of a central site (hub) connected to many remote sites (spokes). Here the hub's CPE is usually a very expensive device, sized according to the number of spokes it must connect to, because each spoke establishes an IPSec tunnel to the hub. This topology is poorly suited to traffic between spokes: a packet from one spoke to another has to pass through the hub, which repeats the decapsulation and encapsulation, forwarding lookup, encryption and decryption for every packet it relays. Every packet therefore traverses two IPSec tunnels, and its processing delay doubles compared with two spokes that could exchange traffic directly. The only way to avoid this is a fully meshed network. That topology, however, has many limitations, the biggest being scalability.
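To make the size arithmetic behind the fragmentation and DF-bit behaviour above concrete, here is an added Python model (not code from the article) of what CPE-A does to a packet in ESP tunnel mode with 3DES-CBC and HMAC-SHA1-96, the cipher the article's example uses. The field sizes are the standard ones; the 1500-byte link MTU and the packet sizes fed in are constructed inputs.

```python
import math

# Standard IPv4 / ESP tunnel-mode field sizes in bytes (this model is an added
# example, not tooling from the article).
OUTER_IPV4_HEADER = 20   # new outer IP header added by tunnel mode
ESP_HEADER = 8           # SPI (4) + sequence number (4)
ESP_IV = 8               # 3DES-CBC initialisation vector
CIPHER_BLOCK = 8         # 3DES block size: payload + trailer is padded to a multiple of it
ESP_TRAILER = 2          # pad length (1) + next header (1)
ESP_ICV = 12             # HMAC-SHA1-96 integrity check value


def esp_tunnel_size(inner_len: int) -> int:
    """Wire size of an inner IP packet of inner_len bytes after ESP tunnel encapsulation."""
    padded = math.ceil((inner_len + ESP_TRAILER) / CIPHER_BLOCK) * CIPHER_BLOCK
    return OUTER_IPV4_HEADER + ESP_HEADER + ESP_IV + padded + ESP_ICV


def fragment_count(total_len: int, link_mtu: int) -> int:
    """Number of IPv4 fragments needed to carry total_len bytes over link_mtu.

    Every fragment repeats the 20-byte outer header, and all but the last carry
    a payload that is a multiple of 8 bytes (fragment offsets are in 8-byte units).
    """
    payload = total_len - OUTER_IPV4_HEADER
    per_fragment = (link_mtu - OUTER_IPV4_HEADER) // 8 * 8
    return math.ceil(payload / per_fragment)


def cpe_decision(inner_len: int, link_mtu: int, df_set: bool) -> dict:
    """What CPE-A does with an inner packet after encrypting and encapsulating it."""
    total = esp_tunnel_size(inner_len)
    if total <= link_mtu:
        return {"action": "forward", "wire_size": total, "fragments": 1}
    if df_set:
        # DF set: the packet is discarded and ICMP type 3 code 4 (fragmentation
        # needed), reporting the next-hop MTU, is returned to the sender.
        return {"action": "drop", "wire_size": total, "fragments": 0,
                "icmp": f"type 3 code 4, next-hop MTU {link_mtu}"}
    return {"action": "fragment", "wire_size": total,
            "fragments": fragment_count(total, link_mtu)}


def max_unfragmented_inner(link_mtu: int) -> int:
    """Largest inner packet that still fits in one encapsulated packet on link_mtu."""
    inner = link_mtu
    while esp_tunnel_size(inner) > link_mtu:
        inner -= 1
    return inner


if __name__ == "__main__":
    # Constructed inputs: Ethernet-sized packets from computer A and a
    # 1500-byte link between CPE-A and CPE-B.
    for inner, df in ((1500, False), (1500, True), (1400, True)):
        print(inner, df, cpe_decision(inner, 1500, df))
    print("largest unfragmented inner packet on a 1500-byte link:",
          max_unfragmented_inner(1500))
```

The practical consequence of the overhead the article describes: on a 1500-byte link between the CPEs, only inner packets of at most 1446 bytes cross the tunnel unfragmented, so either the hosts behind CPE-A run with a lowered MTU or TCP MSS, or their DF-set full-size packets are dropped and signalled by ICMP, exactly the path-MTU behaviour described above.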
The number of tunnels needed to support an IPSec full mesh grows geometrically with the number of sites. For example, a network with 20 sites needs 210 IPSec tunnels, and every site needs a CPE capable of terminating 210 IPSec tunnels. Such a topology requires a complex and expensive CPE at every site. In some cases a full-mesh topology is simply impossible: imagine a 100-site VPN requiring 4,950 tunnels!

Another point to weigh when deploying VPNs is the CPE devices themselves. Each provider has to make sure that all CPEs interoperate. The simplest and most effective solution is to use the same type of CPE everywhere, but for many different reasons this is not always possible. Although interoperability is no longer a major problem today, it still has to be considered when planning an IPSec VPN solution. Each CPE must act as a router and support tunneling. CPEs with this additional functionality are sometimes very expensive, so the only way to deploy IPSec on a bridged segment is to load IPSec client software onto every PC behind the bridge. That approach demands a great deal of customer support and makes the network hard to manage.

Operation and maintenance is another problem of IPSec VPNs, because every IPSec tunnel has to be set up by hand. Configuring a single IPSec tunnel is not a problem, but the time needed to set up and maintain a VPN with many sites grows considerably as the network expands. With a full-mesh VPN in particular, service providers face real difficulties in support and troubleshooting.

Security also needs attention in VPNs. Each CPE can reach the public Internet, yet the data must stay protected while in transit between sites, so each CPE has to carry some security measure (such as a firewall). Managing these firewalls becomes very difficult, especially when the network is large. A VPN of about 100 nodes needs 100 firewalls, and every small change to the firewall policy means touching all 100 firewalls. This is clearly a major limitation of IPSec VPNs from a security standpoint.

MPLS-VPN

Unlike traditional VPNs, MPLS VPNs do not rely on packet encapsulation and encryption to achieve a high level of security. An MPLS VPN uses forwarding tables and labels (tags) to provide the VPN's security. This architecture uses defined network routes to deliver VPN services, and the intelligence of the MPLS VPN lies entirely in the core of the network. First, some terminology. The CPE in an MPLS-VPN is the CE (Customer Edge) router; CE routers connect to the service provider's network through PE (Provider Edge) routers. A VPN consists of a group of CE routers connected to the provider's PE routers.
Only the PE routers, however, are aware of the VPN; the CE routers do not see what happens inside the provider's network and behave as if they were connected to each other over a private network. Each VPN is associated with its own VPN routing and forwarding table (VRF). The VRF holds the information that describes a customer site's membership in a VPN when it is connected to a PE router. A VRF consists of an IP routing table, a CEF (Cisco Express Forwarding) table, the interfaces that use the routing table, and the rules and routing protocol parameters. Each site can be associated with one and only one VRF. A customer site's VRF carries all the routes available from that site to the VPN it belongs to. For each VRF, the information used to forward packets is kept in the IP routing table and the CEF table. Because these tables are maintained separately per VRF, information cannot be forwarded out of the VPN and packets from outside the VPN cannot be forwarded to routers inside it. This is the security mechanism of an MPLS VPN. Within an MPLS VPN any two points can be connected, and sites can send traffic directly to each other without passing through a central site. The route distinguisher (RD) identifies which VPN an IP address belongs to. In the network of Figure 2 there are three different VPNs, identified by the RDs 10, 20 and 30. A single MPLS network can support hundreds to thousands of VPNs.

The interior of the MPLS VPN architecture is made up of the provider's devices. These form the MPLS core and are not connected directly to CE routers. The VPN functions of an MPLS-VPN are performed by the PE routers surrounding this core. Both P routers and PE routers are label switch routers (LSRs) in the MPLS network. Customer sites can be connected to PE routers in many ways, such as T1, Frame Relay, DSL, ATM and so on.

Figure 2. MPLS network model

In an MPLS VPN the customer site uses ordinary IP and needs to know nothing about MPLS, IPSec or any special VPN function. At the PE routers, one VRF and RD pair corresponds to each link to a customer site. That link may be a physical T1, a Frame Relay or ATM VC, DSL, and so on. The RD value is entirely hidden and is never configured on the customer's equipment.

Let us now follow a concrete example of a packet's path through the customer's VPN, from PC A at site A to PC B at site B across the MPLS network.

- The packet arrives from site A at PE router R1 as an ordinary IP packet with destination address 10.2.1.100. This site belongs to the VPN with RD:10.
- R1 looks up its VPN forwarding table and, based on it, assigns a label to the packet, in this case label 56. This label carries the packet's destination within the VPN with RD:10.

  RD   Prefix        Destination PE   Label
  10   10.1.0.0/16   216.70.128.21    318
  10   10.2.0.0/16   216.70.128.19    56
  10   10.3.0.0/16   216.70.128.13    32
  10   10.4.0.0/16   216.70.128.60    210
  10   10.5.0.0/16   216.70.128.84    109

- R1 forwards the packet according to the destination PE address in its FIB (Label Forwarding Information Base). As the packet is sent out it is given an MPLS label from the LIB; this label (188) is the one required to forward the packet to R2, whose IP address is 216.70.128.192.
- LSR1 receives the packet and performs ordinary label switching: in this example LSR1 swaps label 188 for label 62 and forwards the packet to LSR2.
- LSR2 receives the packet and performs penultimate hop popping, because it is the last hop before the destination PE: LSR2 removes label 62 and sends the packet to R2 carrying label 56.
- After R2 receives the packet, it looks up label 56 in its VPN forwarding table; in this case the label corresponds to RD:10. R2 then consults the IP address in the packet to determine that the destination is RD:10 with IP address 10.2.1.100. R2 determines that RD:10 and IP address 10.2.1.100 belong to a site directly connected to R2 by an ordinary IP link, so it removes the label and forwards the IP packet to that site.

Note that 10.2.1.100 and 216.70.128.192 differ in scope. The address 10.2.1.100 belongs to the VPN with RD:10, and only packets inside this VPN can reach it; another 10.2.1.100 may exist in other VPNs, but they are distinguished by different RDs. The address 216.70.128.192 belongs to the backbone and is not part of any VPN.

One of the greatest advantages of MPLS VPNs is that they do not require intelligent CPE devices, because all VPN functions are performed inside the provider's core and are completely transparent to the CPE. The CPE needs neither VPN functions nor IPSec support, which means customers do not have to pay a high price for CPE equipment. Network delay is kept to a minimum because packets travelling through the network do not go through encapsulation and encryption. Encryption is unnecessary because an MPLS VPN forms a private network; this security model is much like that of Frame Relay. Delay in an MPLS VPN is even lower than in a plain IP network, because MPLS uses label switching.

Building a full-mesh VPN is entirely straightforward because MPLS VPNs use no tunneling mechanism. The default topology of an MPLS VPN is therefore a full mesh in which each site connects directly to a PE, so any two sites in the VPN can exchange traffic; even if the central site fails, the spoke sites can still communicate with each other.

Operation and maintenance are also simpler in an MPLS-VPN. They are carried out only on the devices inside the core, without touching the CPE. Once a site is configured it need not be touched again, even when a new site is added to the network: the configuration changes are then made only on the PE that the new site connects to.

Security is even simpler to handle in an MPLS VPN, because a closed VPN is inherently secure when it has no connection to the public Internet. If Internet access is required, a route is set up to provide it, and a firewall is placed on that route to secure the connection for the whole VPN. This arrangement is clearly much easier to manage: security policy needs to be maintained on a single firewall while the whole VPN remains protected.
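The label-switched walk from R1 to R2 above, and the point that the same 10.2.1.100 may exist in several VPNs separated only by their RDs, expressed as an added Python simulation that is not code from the article. The RD:10 table rows, the labels 56, 188 and 62 and the nodes R1, LSR1, LSR2 and R2 are taken from the example; the RD:20 and RD:30 VRFs, VPN label 91 and the LFIB entries are constructed so that the same address can be traced in two VPNs and in a VPN that has no route to it. The article's text gives R2's address as 216.70.128.192 while its table lists 216.70.128.19 as the destination PE for 10.2.0.0/16; the simulation keys its LFIB on the table value.

```python
from ipaddress import ip_address, ip_network

# Ingress PE R1's VPN forwarding tables, keyed by route distinguisher.
# RD:10 rows are the article's table; RD:20 and RD:30 are constructed to show
# overlapping customer address space kept apart by separate VRFs.
VRFS = {
    "RD:10": {
        "10.1.0.0/16": ("216.70.128.21", 318),
        "10.2.0.0/16": ("216.70.128.19", 56),
        "10.3.0.0/16": ("216.70.128.13", 32),
        "10.4.0.0/16": ("216.70.128.60", 210),
        "10.5.0.0/16": ("216.70.128.84", 109),
    },
    "RD:20": {"10.2.0.0/16": ("216.70.128.19", 91)},      # constructed: same prefix, other VPN
    "RD:30": {"192.168.7.0/24": ("216.70.128.13", 44)},   # constructed: no 10.2/16 route
}

# R1's label FIB: destination PE -> (next hop, transport label to push).
# Only the LSP toward R2 is modeled; transport label 188 is from the article.
R1_LFIB = {"216.70.128.19": ("LSR1", 188)}

# Core LSRs: incoming transport label -> (next hop, outgoing label); None = pop (PHP).
LABEL_SWITCH = {
    "LSR1": {188: ("LSR2", 62)},
    "LSR2": {62: ("R2", None)},
}

# Egress PE R2: VPN label -> VRF it was advertised for (56 from the article, 91 constructed).
EGRESS_LABEL_TO_VRF = {"R2": {56: "RD:10", 91: "RD:20"}}


def longest_match(vrf, dst):
    """Longest-prefix match of dst against one VRF's routes; None if nothing matches."""
    addr = ip_address(dst)
    hits = [p for p in vrf if addr in ip_network(p)]
    return max(hits, key=lambda p: ip_network(p).prefixlen, default=None)


def forward_packet(rd, dst):
    """Trace a packet from the site attached to R1 in VRF `rd` to destination `dst`.

    Returns dropped=True with a reason, or the label stack at each hop (top label
    first), the egress PE and the VRF the packet is delivered into.
    """
    vrf = VRFS.get(rd)
    if vrf is None:
        return {"dropped": True, "reason": f"no VRF for {rd} on R1"}
    prefix = longest_match(vrf, dst)
    if prefix is None:
        # Only routes learned inside this VPN exist in its VRF: nothing leaks in or out.
        return {"dropped": True, "reason": f"no route to {dst} in {rd}"}
    dest_pe, vpn_label = vrf[prefix]
    if dest_pe not in R1_LFIB:
        return {"dropped": True, "reason": f"no LSP to PE {dest_pe} modeled"}
    next_hop, transport_label = R1_LFIB[dest_pe]
    stack = [transport_label, vpn_label]   # transport label on top, VPN label underneath
    trace = [("R1", list(stack))]
    node = next_hop
    while node in LABEL_SWITCH:
        entry = LABEL_SWITCH[node].get(stack[0])
        if entry is None:
            return {"dropped": True, "reason": f"{node} has no entry for label {stack[0]}"}
        next_hop, out_label = entry
        if out_label is None:
            stack.pop(0)          # penultimate hop popping: expose the VPN label
        else:
            stack[0] = out_label  # ordinary label swap
        trace.append((node, list(stack)))
        node = next_hop
    # Egress PE: the VPN label, not the IP header, selects the customer's VRF.
    label = stack.pop(0)
    egress_vrf = EGRESS_LABEL_TO_VRF.get(node, {}).get(label)
    if egress_vrf is None:
        return {"dropped": True, "reason": f"{node} has no VRF bound to label {label}"}
    trace.append((node, list(stack)))
    return {"dropped": False, "trace": trace, "egress_pe": node,
            "egress_vrf": egress_vrf, "destination": dst}


if __name__ == "__main__":
    for rd in ("RD:10", "RD:20", "RD:30"):
        print(rd, forward_packet(rd, "10.2.1.100"))
```

Tracing 10.2.1.100 in RD:10 gives the stacks [188, 56] at R1, [62, 56] after LSR1, [56] after LSR2's penultimate hop pop, and delivery into RD:10 at R2. The same address in RD:20 rides the same transport labels but carries VPN label 91 and is delivered into RD:20, while in RD:30 it is dropped at R1 because that VRF holds no matching route: the per-VRF isolation the article describes, with no encryption involved.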

Another advantage of MPLS VPNs is that only one connection is needed per remote site. Compare a traditional Frame Relay network with one hub and 10 remote sites: each remote site needs a Frame Relay PVC, so the hub needs 10 PVCs. In an MPLS VPN only a single PVC is needed at the hub, so network cost falls considerably.

Conclusion

MPLS-VPN thus meets the requirements placed on a VPN while thoroughly resolving the limitations of traditional VPNs based on ATM, Frame Relay and IP tunnels. Although VPN is still a new technology in Vietnam, investing in research to choose the optimal solution is something network service providers should do.