
Graduation thesis

MPLS and MPLS/VPN applications

INTRODUCTION

Over the past years, the telecommunications industry has been looking for a switching method that combines the advantages of IP and ATM to meet the growth needs of the network in its next phase. Many studies have been carried out, among them research into Multiprotocol Label Switching (MPLS). MPLS is the result of developing IP switching technology using ATM's fixed-length label-swapping mechanism to increase packet forwarding speed without changing IP's routing protocols. MPLS separates IP's functionality into two distinct parts: the packet forwarding function and the control function. In addition, MPLS also makes management easier. In recent years, MPLS has been chosen to simplify and integrate the backbone network. It lets operators reduce costs, simplify traffic management and support Internet services. More importantly, it is a new step toward the goal of a multi-service network with protocols covering mobile, voice and data. The Virtual Private Network (VPN) is one of the most important applications of MPLS networks. Companies and enterprises, especially multinational companies, have a great demand for this type of service. With a VPN they can make full use of telecommunications services and transfer internal data at low cost and with guaranteed security. This is a very important application that meets the requirements of private networks using the national information infrastructure, with differing requirements for safety, security and quality of service. The thesis is presented in 6 chapters divided into two parts. The first part focuses on Multiprotocol Label Switching technology. The second part studies the application of virtual private networks in MPLS technology. The first part consists of 3 chapters.

L Phm Minh Thng


Chapter 1 presents the overall structure of the MPLS network, the problems that exist in traditional IP networks, and some applications of Multiprotocol Label Switching.
Chapter 2: MPLS operation in Frame mode: operation in the data plane, the label distribution and binding process, and penultimate hop processing during data transmission.
Chapter 3: MPLS operation in Cell mode: control-plane connectivity over the LC-ATM interface, forwarding of labeled packets across the ATM-LSR domain, and label allocation and distribution across the ATM-LSR domain.
Part two consists of 3 chapters:
Chapter 4: Overview of virtual private networks (VPN): the evolution of VPNs, VPN classification and functions, tunneling and encryption, protocols used for VPNs, the peer-to-peer and overlay models.
Chapter 5: MPLS/VPN network models: the Layer 2 model (Layer 2 VPN components, the Martini model, routing information) and the Layer 3 model (BGP/MPLS, components of a Layer 3 VPN, BGP/MPLS operation, outstanding issues and solutions).
Chapter 6: Security and quality of service in MPLS VPN: separation of VPNs, resistance to attacks, hiding the backbone structure, resistance to spoofing, quality of service, and the trends and opportunities for service providers deploying MPLS VPN technology.
MPLS is a difficult and broad topic, and because my knowledge and understanding are still limited, this thesis cannot avoid shortcomings, and there are parts that could not be covered fully. I look forward to receiving comments from the teachers and fellow students. I sincerely thank you.

Hanoi, June 2008. Student: L Phm Minh Thng


Part 1: Multiprotocol Label Switching (MPLS)

Chapter 1. Overall structure of MPLS

1.1. Network service providers [4]

Let us consider the following examples to see the problems service providers are facing, and from them the need for a technology capable of solving these problems well. Figure 1.1 includes 4 sites: Atlanta, Miami, Orlando and Raleigh. At these sites the routers are connected to ATM switches in a full mesh, forming the core of the service provider's network.

Figure 1.1: Physical topology of the service provider


Figure 1.2: Logical topology of the service provider

Another way to look at the network model above is to view these sites as connecting to a network cloud, as in Figure 1.2. The network cloud illustrates the problem encountered when connecting ATM and IP. IP and ATM were developed independently and there is no relationship between them. ATM switches only care about transporting traffic based on VPI/VCI values, whereas routers are Layer 3 devices that care about forwarding packets based on the information contained in the packets.

1.1.1. Scalability

Another problem service providers face is scalability. That is, to ensure redundancy and optimal routing, a full mesh of virtual circuits (VCs) must be created, which results in too many connections.


Figure 1.3: Full mesh with 6 virtual connections

The more sites are added to the backbone, the more virtual connections (VCs) must be created. This also means that the routers must exchange routing table updates with many neighboring routers, generating a large amount of traffic on the network. This overload also affects router performance by reducing their processing speed.

1.1.2. Traffic engineering

Traffic engineering is the process by which traffic is transported optimally according to requirements. Although both IP and ATM have this capability, IP clearly cannot match ATM in this respect. ATM and IP are two completely separate technologies, so it is very hard to combine them to deploy end-to-end traffic engineering.

1.1.3. Quality of Service (QoS)

Both IP and ATM have QoS capability. One difference between them is that IP is a connectionless protocol while ATM is a connection-oriented protocol. So the question is how service providers can combine the two ways of deploying quality of service into a single solution.

We can also clearly see the shortcomings of traditional network-layer packet forwarding (for example, forwarding IP packets across the Internet). Packet forwarding is based on the information provided by routing protocols (for example RIP, OSPF, EIGRP, BGP) or by static routes, which decide which next hop in the network a packet is forwarded to. This forwarding is based solely on the destination address. All packets with the same destination follow the same path unless equal-cost routes exist; in that case load balancing occurs. The routers decide which path a packet takes. Network-layer devices collect and distribute network-layer information and perform Layer 3 switching based on the contents of the network-layer header in each packet. We can connect routers directly to each other over point-to-point links or a LAN, or connect them through WAN switches (for example Frame Relay or ATM). However, such switches cannot process Layer 3 routing information or select a route for a packet by analyzing its destination address. Therefore Layer 2 switches cannot take part in the Layer 3 forwarding decision. In such a WAN environment, the network designer must set up Layer 2 paths across the WAN manually. These paths then forward Layer 3 packets between the routers that are physically connected to the Layer 2 network. Layer 2 paths in a LAN are quite simple to set up. Setting up Layer 2 paths in a WAN is more complex. Layer 2 paths in a WAN are usually point-to-point (for example the virtual circuits of most WAN technologies) and are only established on demand through manual configuration. Any router (for example an ingress router) at the edge of the Layer 2 network that wants to forward Layer 3 packets to another router (the egress router) must either establish a direct connection across the network to the egress device or send the data to another device that forwards it on to the destination.

Figure 1.4: An example of an IP network based on an ATM core

To ensure that packet forwarding in the network is optimal, an ATM virtual circuit must exist between any two routers connected to the ATM core. This means that if the network is large, with tens or even hundreds of interconnected routers, a rather serious problem arises. We may run into the following problems:
- When a new router is connected to the WAN core, a virtual circuit must be set up to every other router.
- If the network runs a routing protocol (say OSPF or IS-IS), every router announces each change in the network to every other router connected to the backbone WAN, resulting in far too much traffic in the network.
- Using virtual circuits between routers is complicated because it is very hard to predict the traffic between any two routers in the network accurately.
The lack of information exchange between routers and WAN switches is not a problem for the traditional Internet, because it simply uses routers for routing, or WAN services (ATM or Frame Relay). However, when the two services are combined it becomes a problem. Therefore a different architecture is required, one that allows network-layer information to be exchanged between the routers and the WAN switches and allows the switches to take part in packet forwarding, so that connections between every pair of edge routers are no longer needed.

1.2. What is Multiprotocol Label Switching?

Multiprotocol Label Switching (MPLS) is a technology introduced to solve many of the existing problems related to packet switching in an internetworking environment. Multiprotocol Label Switching combines the benefits of Layer 2 packet switching with Layer 3 routing. Like Layer 2 networks (Frame Relay or ATM), MPLS is a method of improving packet forwarding across the network by attaching labels to IP packets, ATM cells or Layer 2 frames. Such a forwarding mechanism is called label swapping, in which the data units (packets or cells) carry a short, fixed-length label so that at each node the packets can be processed and forwarded.


The fundamental difference between MPLS and traditional WAN technologies is the way labels are assigned and the ability to carry a stack of labels on a packet. The label stack concept enables many new applications, for example Traffic Engineering and Virtual Private Networks (VPN). Packet forwarding in MPLS contrasts sharply with the existing connectionless environment, where packets are analyzed at every hop (router): the Layer 3 header is examined and a forwarding decision is made based on the network-layer routing algorithm. An MPLS node consists of two components: the forwarding component (also called the data plane) and the control component (also called the control plane). The forwarding component uses a label forwarding database to forward data based on the labels carried with the packets. The control component is responsible for creating and maintaining the label forwarding information (also called bindings) among a group of label switches. All MPLS nodes must run one or more IP routing protocols (or rely on static routing) to exchange routing information with the other MPLS nodes in the network. Accordingly, every MPLS node (including ATM switches) is a router in the control plane.


Figure 1.4: Basic structure of an MPLS node

As with traditional routers, IP routing protocols are used to build the routing table. The IP routing table is used to forward packets. At an MPLS node, the routing table is used to determine the exchange of label forwarding information, whereby adjacent MPLS nodes exchange labels for the subnets contained in the routing table. The MPLS IP Routing Control process uses the labels exchanged with neighboring MPLS nodes to build the Label Forwarding Table, the database used to forward labeled packets across the MPLS network.

1.2.1. MPLS architecture

First we look at the new concepts in the MPLS architecture and their functions within an MPLS domain. The first device is the Label Switch Router (LSR). These are routers or switches that implement label distribution and can forward packets based on labels. The basic function of label distribution lets an LSR distribute its label forwarding information to the other LSRs in the MPLS network. There are several types of LSR, distinguished by their function in the network infrastructure. The differences are described by the structures of the Edge-LSR, ATM-LSR and ATM edge-LSR. The difference between LSR types is only structural, because one device can play several roles. The functions of the LSR types can be summarized as follows. Note that any device in the network may have more than one function (a device can be both an edge LSR and an ATM edge LSR).


LSR type: function
- LSR: forwards labeled packets.
- Edge LSR: can receive an IP packet, perform a Layer 3 lookup and impose a label stack before forwarding the packet into the LSR domain; can receive an IP packet, perform a Layer 3 lookup and forward the IP packet to the next hop.
- ATM-LSR: runs MPLS protocols in the control plane to set up ATM virtual circuits, and forwards cells to the next-hop ATM-LSR.
- ATM edge LSR: can receive a labeled or unlabeled packet, segment it into ATM cells and forward the cells to the next ATM-LSR; can receive ATM cells from an adjacent ATM-LSR, reassemble them into the original packet and then forward that packet, labeled or unlabeled.

1.2.2. Label creation at the network edge

Packets must be labeled before being forwarded into the MPLS domain. To do this, the edge LSR must know where the packet is headed, or which label stack it must impose on the packet. To forward a Layer 3 IP packet to the next hop, it looks up the destination IP address contained in the packet's Layer 3 header in the routing table, then selects the next hop to forward the packet to, and so on until the packet reaches its destination. There are 2 ways to send IP packets to the next hop. In the first, all the packets are treated alike as they cross the network. In the second, each destination IP address is mapped to the IP address of a next hop. In an MPLS network the first approach is called a Forwarding Equivalence Class (FEC). A FEC is a group of packets that share the same requirements for their forwarding across the network. All packets in such a group are given the same path selection toward the destination. Unlike traditional IP forwarding, in MPLS the assignment of a particular packet to a particular FEC is done only once, when the packet enters the network. MPLS does not make a forwarding decision for every Layer 3 datagram; it uses the FEC concept instead. The FEC depends on several factors, at least on the IP address and possibly also on the type of traffic in the datagram (voice, data, fax). Then, based on the FEC, labels are agreed between neighboring LSRs from ingress to egress within a routing domain. Each LSR builds a table that determines how a packet must be forwarded. This table is called the Label Information Base (LIB); it is the set of FEC-to-label bindings. The label is then used to forward traffic across the network. One way of dividing traffic into FECs is to create a separate FEC for every address prefix that appears in the routing table. This can produce a set of FECs that all follow the same path to the destination. Within an MPLS domain there would then be many separate FECs, which is inefficient. In practice MPLS merges such FECs into a single FEC.
Figure 1.5: Separate FECs for each address prefix (ingress node; routing table with prefixes 172.16.10.5/16, 172.16.17.3/16, 172.16.12.8/16, 192.168.14.7/24, 192.168.14.20/24; 1 prefix = 1 FEC; egress node)

Figure 1.6: Aggregating FECs (ingress node; the same routing table; n prefixes = 1 FEC; egress node)

Figure 1.7: MPLS label creation and forwarding


With traditional IP forwarding, every packet is processed at every hop in the network. With MPLS, however, a packet can be assigned to a particular FEC, and this is done at the edge device when the packet enters the network. The forwarding equivalence class assigned to each packet is then encoded as a short, fixed-length identifier called a label.

1.2.3. MPLS packet forwarding and label switched paths

Every packet enters the MPLS network at an ingress LSR and leaves it at an egress LSR. This mechanism creates the Label Switched Path (LSP), described as the set of LSRs that labeled packets must traverse to reach the egress LSR for a particular FEC. The LSP is unidirectional, meaning that a different LSP is used for return traffic of a given FEC. The LSP is connection-oriented because the path is created before any traffic is carried. However, this connection setup is based on topology information rather than on traffic flow requirements. As the packet crosses the MPLS network, each LSR swaps the incoming label for an outgoing label until the last LSR, known as the egress LSR (similar to the mechanism used in ATM networks, where one VPI/VCI pair is swapped for another VPI/VCI pair on the way out of an ATM switch).

1.3. Other applications of MPLS

Figure 1.8: The various applications of MPLS


MPLS was created to combine traditional routing and ATM switching in a unified IP core network (the IP+ATM architecture). However, the real strength of MPLS lies in the other applications it brings, from Traffic Engineering to Virtual Private Networks. All of these applications use the control-plane function to build a switching database.

1.3.1. Traffic engineering

A major problem in IP networks is the lack of flexible control over IP traffic flows in order to use the available network bandwidth efficiently. This shortcoming concerns the ability to send selected flows down selected paths, for example selecting guaranteed trunks for particular classes of service. MPLS uses label switched paths (LSPs), a form of lightweight VC that can be set up on both ATM and packet-based devices. MPLS traffic engineering uses the establishment of LSPs to control IP traffic flows flexibly.

1.3.2. Virtual Private Networks (VPN)

A VPN establishes the infrastructure for Intranets and Extranets, the IP networks that businesses build their entire business structure on. A VPN service is an Intranet and Extranet network service provided by a service provider to many customer organizations. MPLS combined with the BGP protocol allows a network provider to support thousands of customer VPNs. Thus MPLS together with BGP provides a way to deliver VPN services on both ATM and packet-based devices that is very flexible, easy to scale and easy to manage. Even on fairly small provider networks, the flexibility and manageability of BGP/MPLS VPN services are the main advantage.

1.3.3. IP and ATM integration

Because label switching can be performed by ATM switches, MPLS is a method of integrating IP services directly onto ATM switches. This integration requires placing IP routing and LDP software directly on the ATM switch. By fully integrating IP on the ATM switch, MPLS allows ATM switches to support IP services optimally, such as IP multicast, IP class of service, RSVP and virtual private networks (VPN).

1.3.4. Quality of Service (QoS) support

One shortcoming of IP networks compared with Frame Relay and ATM networks is their inability to provide services that satisfy the needs of the traffic. For example, real-time traffic such as voice or video needs a high-quality service (low delay, low loss) when transmitted across the network. Likewise, business-critical data must be given priority over ordinary web browsing. The connection-oriented nature of MPLS provides a suitable framework for guaranteeing the quality of IP traffic. While QoS and Class of Service (CoS) are not specific features of MPLS, they can be applied in an MPLS network when traffic engineering is used. This lets the provider establish Service Level Agreements (SLAs) with customers that guarantee service parameters such as bandwidth, delay and loss. Value-added services can then be delivered on top of basic data transport, increasing revenue and ultimately moving toward a converged network.

IntServ and DiffServ: over time, several techniques were developed to establish QoS/CoS in a network. In the Integrated Services (IntServ) model, RSVP provides a QoS signaling procedure across the network that lets devices arrange and set traffic parameters to guarantee end-to-end bandwidth and delay. It reserves resources at each hop, guaranteeing service on a per-flow basis. The Differentiated Services (DiffServ) model is less rigid: it delivers CoS by treating all traffic of the same priority class the same way, but without signaling or end-to-end service guarantees. DiffServ redefines the Type of Service (ToS) field in the IP packet header to provide this classification. While IntServ guarantees traffic bandwidth, it has proven unable to scale or operate across large networks. The DiffServ architecture offers an alternative but provides no guarantees. The IETF combined DiffServ with MPLS traffic engineering to provide guaranteed QoS in MPLS networks. The DiffServ information in the IP packet header is mapped into the label information of the MPLS packet. MPLS routers then update the priority information to forward the data appropriately. The mechanisms used include traffic shaping, queuing and packet classification. QoS is applied at the edge of the MPLS cloud, where traffic from the customer network enters the carrier network. At this entry point, delay-sensitive real-time traffic such as voice over IP or video conferencing can be given priority over bulk data transfers.

Chapter 2. MPLS operation in Frame mode


Chapter 1 gave an overview of the MPLS architecture. In this part we look at one of its applications: IP routing toward unicast destination addresses in a pure router environment. This is also called Frame-mode MPLS, because the labeled packets are exchanged as Layer 2 frames. In this section we concentrate on the data plane (the MPLS data plane), assuming that the labels have somehow already been exchanged between the routers. The following section explains exactly how labels are distributed between routers.

2.1. MPLS data plane operation in Frame mode

Chapter 1 summarized how an IP packet crosses the MPLS core. There are 3 main steps in this process:
- An ingress edge LSR receives an IP packet, classifies it into a Forwarding Equivalence Class (FEC) and labels the packet with the outgoing label stack corresponding to that FEC. For destination-based IP routing, the FEC corresponds to the subnet of the destination address, and classifying the packet is simply a Layer 3 lookup in the routing table.
- Core LSRs receive the labeled packet and use their label forwarding tables to swap the incoming label in the packet for the outgoing label corresponding to the same FEC (in this case the IP subnet).


- When the egress edge LSR receives the labeled packet, it removes the label and performs a Layer 3 lookup on the IP packet.
A question arises here: where is the label created, and how does a router that receives a packet know whether it is a labeled packet or simply an IP packet? Let us look again at the following model:

Figure 2.1: Packet switching model between routers

2.1.1. The MPLS label stack header

For many reasons, switching performance being one of them, the MPLS label must be placed in front of the labeled data in frame mode. Therefore the MPLS label must be inserted between the Layer 2 header and the Layer 3 contents of the Layer 2 frame.


Figure 2.2: Position of the MPLS label in a Layer 2 frame

Because the MPLS label is inserted between the Layer 2 header and the Layer 3 packet, the MPLS label header is called the shim header. An MPLS label header consists of: a 20-bit MPLS label, 3 bits of class-of-service information, an 8-bit Time-to-Live (TTL) field used for loop detection, like the TTL field in IP, and 1 bit called the Bottom-of-Stack bit.

Figure 2.3: The MPLS label stack header

The Bottom-of-Stack bit is what implements the MPLS label stack. Recall the label stack concept: it is defined as a combination of two or more label headers attached to a packet. Unicast IP routing does not use a stack, but for other MPLS applications such as MPLS-VPN or MPLS Traffic Engineering it is a very important element. With the MPLS label stack header inserted between the Layer 2 header and the Layer 3 payload, the sending router must have some way of telling the receiving router that the packet being transmitted is not a plain IP packet but a labeled packet. To make this straightforward, new protocol types are defined at Layer 2:
- In a LAN environment, labeled packets carrying Layer 3 unicast and multicast addresses use the Ethernet types 8847 and 8848 hex. These Ethernet types can be used directly in Ethernet environments (Fast Ethernet and Gigabit Ethernet).
- On point-to-point links using PPP encapsulation, a new Network Control Protocol (NCP) called the MPLS Control Protocol (MPLSCP) is used. MPLS packets are marked with a PPP protocol field value of 8281 hex.
- MPLS packets crossing a Frame Relay DLCI between a pair of routers are marked with the Frame Relay SNAP Network Layer Protocol ID (NLPID), followed by a SNAP header with the Ethernet type value 8847 hex.
The San Jose router in Figure 2.1 inserts an MPLS label in front of the IP packet it received, encapsulates the labeled packet in a PPP frame with a PPP protocol field value of 8281 hex, and forwards the Layer 2 frame to the San Francisco router.

2.1.2. Label switching in Frame mode

After receiving the Layer 2 PPP frame from the San Jose router, the San Francisco router immediately identifies the received packet as a labeled packet based on the value of its PPP protocol field and performs a lookup in the Label Forwarding Information Base (LFIB). Labeled packets are forwarded in this way until the destination; at the last router the LFIB tells the router to remove the label and forward the now unlabeled packet.

2.1.3. MPLS label switching with a label stack

Label switching is performed regardless of how many labels are attached to the packet, whether a single label or a stack of several labels. In both cases the LSR processes only the top label of the stack, ignoring the others. This allows many applications in which the edge routers can agree on packet classification rules and associated labels without the core routers of the network needing to know about them. For example, suppose that the San Jose and New York routers support MPLS/VPN and both know the network 10.1.0.0/16, which is reachable through the New York router and has been assigned the label 73. The core routers (San Francisco and Washington) have no information about this. To send a packet to a host in 10.1.0.0/16, the San Jose router creates a label stack. The bottom label in the stack is the one assigned by the New York router, while the top label is the one assigned for the IP address of the New York router via the San Francisco router. When the network forwards the packet, the top label is switched exactly as if an IP packet were being forwarded across the backbone, and the second label in the stack arrives intact at the New York router.
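The shim header layout and the Layer 2 protocol values above, as an added Python example (not code from the thesis): it encodes and decodes a two-label stack, with the bottom VPN label 73 from the text and an assumed top IGP label of 25, and shows the core-LSR behaviour of rewriting only the top entry.

```python
import struct

# Layer 2 values the text lists for announcing an MPLS payload.
ETHERTYPE_MPLS_UNICAST = 0x8847
ETHERTYPE_MPLS_MULTICAST = 0x8848
PPP_PROTOCOL_MPLS = 0x8281  # value as given in the text for PPP links


def is_labeled_frame(ethertype):
    """True when an Ethernet frame carries a shim header rather than a plain IP packet."""
    return ethertype in (ETHERTYPE_MPLS_UNICAST, ETHERTYPE_MPLS_MULTICAST)


def encode_label_stack(entries):
    """entries: list of (label, exp, ttl), top of stack first.
    Each entry becomes one 32-bit shim: 20-bit label, 3-bit CoS/EXP, 1-bit
    Bottom-of-Stack, 8-bit TTL. Only the last entry gets the S bit set."""
    if not entries:
        raise ValueError("a label stack needs at least one entry")
    out = bytearray()
    last = len(entries) - 1
    for i, (label, exp, ttl) in enumerate(entries):
        if not 0 <= label < (1 << 20):
            raise ValueError("label must fit in 20 bits")
        if not 0 <= exp < 8 or not 0 <= ttl < 256:
            raise ValueError("EXP must fit in 3 bits and TTL in 8 bits")
        bos = 1 if i == last else 0
        out += struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)
    return bytes(out)


def decode_label_stack(data):
    """Parse shim headers until the Bottom-of-Stack bit; returns (entries, payload_offset).
    A stack with no S bit before the data runs out is malformed and is rejected."""
    entries, offset = [], 0
    while True:
        if len(data) - offset < 4:
            raise ValueError("truncated label stack (no Bottom-of-Stack bit seen)")
        (word,) = struct.unpack_from("!I", data, offset)
        offset += 4
        entries.append((word >> 12, (word >> 9) & 0x7, word & 0xFF))
        if (word >> 8) & 0x1:          # S bit: this was the last label
            return entries, offset


def swap_top_label(data, new_label):
    """What a core LSR does: rewrite the top entry (and decrement its TTL),
    leaving every deeper label and the payload untouched."""
    entries, offset = decode_label_stack(data)
    label, exp, ttl = entries[0]
    if ttl <= 1:
        raise ValueError("TTL expired; packet must be dropped")
    return encode_label_stack([(new_label, exp, ttl - 1)] + entries[1:]) + data[offset:]
```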

Figure 2.4: Label switching with a label stack

2.2. Label distribution and binding in Frame-mode MPLS

This section concentrates on binding FECs to labels and distributing them between LSRs over framed interfaces. Two label binding protocols are used to associate an IP subnet with an MPLS label for destination-based forwarding:
- Tag Distribution Protocol (TDP)
- Label Distribution Protocol (LDP)
TDP and LDP have the same function and can both be used in a network, even on different interfaces of the same LSR. Here we discuss only TDP.

2.2.1. Establishing an LDP/TDP session


When MPLS is enabled on a router interface, TDP/LDP is started and the Label Information Base (LIB) structure is created. The router also tries to discover the other LSRs running MPLS on that interface through TDP hello packets. These TDP hello packets are sent as broadcast or UDP multicast packets (to a group of destinations) to form LSR neighbor relationships. After the TDP hello packets discover a TDP neighbor, a TDP session is established. TDP sessions use TCP port 711 and LDP uses TCP port 646. Using TCP provides optimal flow control and reliability when dealing with traffic congestion.

2.2.2. Label distribution and binding

When the Label Information Base (LIB) is created in the router, a label is assigned to every FEC known to the router. Since routing is destination-based, a FEC corresponds to an IGP (Interior Gateway Protocol) prefix in the IP routing table. Therefore a label is assigned to every prefix in the IP routing table, and the mapping between the two tables is stored in the LIB. Because the LSR assigns a label to every IP prefix in its routing table as soon as the prefix appears there, and that label is used by other LSRs to send labeled packets to this LSR, this method of label allocation and distribution is called independent-control label assignment with unsolicited downstream label distribution:
- Labels are assigned in the routers regardless of whether the router has already received a label for the same prefix from a neighboring router. Label assignment is therefore called independent control.
- The distribution method is unsolicited because the LSR assigns labels and advertises the mapping to its upstream neighbors (from destination toward source) regardless of whether the other LSRs need the label or not. By contrast, an LSR could assign a label to an IP prefix and distribute it to the routers behind it only when requested.
- The distribution method is downstream (from the destination side toward the source) because the LSR assigns a label that the other (upstream) LSRs can use to forward labeled packets, and advertises this label mapping to its adjacent routers.
The initial tag switching architecture also included on-demand distribution to the downstream LSR, but current tag switching implementations and the MPLS architecture do not use that mode of label distribution here. All label bindings are advertised immediately to the other routers through the TDP sessions. Routers announce their IP prefix-to-label bindings to all neighboring routers regardless of whether they are upstream or downstream. The binding is even sent to the next-hop router, so there is no split horizon in TDP or LDP processing. The LSRs receive the prefix-to-label mappings, store them in the Label Information Base (LIB), and use them in the Label Forwarding Information Base (LFIB) only if the mapping came from the downstream router, that is, the next hop. This retention method is called liberal retention mode, in contrast to conservative retention mode, in which an LSR keeps only the labels assigned to a prefix by its current downstream routers. A router may receive many TDP bindings from neighboring routers, but uses only some of them to fill the forwarding tables, as follows:
- The label binding from the next-hop router is considered for the matching FIB entry. If the router has not received a label binding from the next-hop router, the FIB entry indicates that packets to that destination are sent unlabeled.
- If the router has received a label binding from the next-hop router, the local label of this router and the next-hop router's label are stored in the LFIB. If the next-hop router has not assigned a label for the prefix, the packet is sent unlabeled.


2.2.3. Convergence in a Frame-mode MPLS network

One of the important factors in MPLS network design is the network's convergence time. Some MPLS applications (for example MPLS/VPN or BGP designs based on MPLS) will not work correctly unless a labeled packet can be sent along the whole path from the ingress edge LSR to the egress edge LSR. In these applications the convergence time can increase because of propagation delay. In a Frame-mode MPLS network, the use of liberal retention mode combined with independent label control and unsolicited downstream label distribution minimizes TDP/LDP convergence time. Every router using liberal retention mode already has a label assigned to a prefix by every TDP/LDP neighbor, so it always finds an outgoing label matching the routing table without having to ask the next-hop router for a label assignment.

2.3. Penultimate Hop Popping

The egress edge LSR in an MPLS network has to perform two lookups: one for the packet received from an MPLS neighbor, and one to direct it to a subnet outside the MPLS network. It must inspect the label in the label stack header and perform a label lookup to learn that the label must be popped, and then examine the IP packet underneath.


Figure 2.5: Two lookups at the last router, New York

Performing two lookups at the New York router can reduce the performance of that network node. Moreover, in environments where MPLS and IP switching are implemented in hardware, the double lookup greatly increases the complexity of the hardware implementation. To solve this problem, Penultimate Hop Popping (PHP) is used. This method applies directly only to directly connected subnets or aggregate routes. In the case of a directly connected interface, a Layer 3 lookup is needed to obtain the precise information for sending the packet to the directly connected destination. If the prefix is an aggregate, the Layer 3 lookup is also needed to find the specific route that is then used to deliver the packet to the exact destination. In the remaining cases, the outgoing Layer 2 information for the packet is already in the LFIB, so the Layer 3 lookup is unnecessary. With this method, the edge LSR can request the label pop from its adjacent upstream router.

Figure 2.6: Penultimate Hop Popping in an MPLS network

In Figure 2.6 the Washington router removes the label from the packet and sends a plain IP packet to the New York router. The New York router then performs the Layer 3 lookup and forwards the packet to its final destination.


In summary, Frame-mode operation occurs when MPLS is used in a pure router environment routing IP packets point to point. Labeled packets are forwarded on the basis of Layer 2 frames. Forwarding an IP packet across the MPLS network takes the following steps:
- The ingress edge LSR receives the IP packet, classifies it into a Forwarding Equivalence Class (FEC) and labels the packet with the label stack corresponding to the identified FEC. For unicast destination routing, the FEC corresponds to the destination subnet and packet classification is done by a lookup in the traditional Layer 3 routing table.
- A core LSR receives the labeled packet and uses the label forwarding table to replace the incoming label in the received packet with the outgoing label corresponding to the same FEC (in this case the IP subnet).
- When the egress edge LSR for this FEC receives the labeled packet, it removes the label and forwards the IP packet according to the traditional Layer 3 routing table.
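The three forwarding steps just summarized, together with the label distribution rules of section 2.2 (independent control, unsolicited downstream distribution without split horizon, liberal retention, and PHP at the penultimate hop), as an added Python simulation that is not part of the thesis. The San Jose / San Francisco / Washington / New York topology follows the text; the label values, the extra prefix 172.16.0.0/16 attached to San Francisco and the port-free neighbor model are constructed for the example, and label 3 is the standard MPLS implicit-null value.

```python
import ipaddress

IMPLICIT_NULL = 3  # reserved label an egress LSR advertises so the upstream neighbor pops (PHP)


class LSR:
    def __init__(self, name, routes, connected=(), label_base=16):
        self.name = name
        self.routes = dict(routes)        # prefix -> next-hop LSR name (the IP routing table)
        self.connected = set(connected)   # prefixes directly attached to this LSR
        self.neighbors = []               # TDP/LDP peers
        self.local = {}                   # prefix -> label this LSR assigned itself
        self.lib = {}                     # prefix -> {neighbor: label}; liberal retention keeps all
        self.lfib = {}                    # incoming label -> (action, outgoing label, next hop)
        self.fib = {}                     # prefix -> (outgoing label or None, next hop)
        self._next_label = label_base     # labels 0-15 are reserved, so start above them

    def allocate_labels(self):
        # Independent control: bind a label to every prefix without waiting for any neighbor.
        for prefix in list(self.routes) + list(self.connected):
            if prefix in self.connected:
                self.local[prefix] = IMPLICIT_NULL   # ask the penultimate hop to pop
            else:
                self.local[prefix] = self._next_label
                self._next_label += 1

    def advertise(self):
        # Unsolicited downstream: every binding goes to every peer, no split horizon.
        for peer in self.neighbors:
            for prefix, label in self.local.items():
                peer.lib.setdefault(prefix, {})[self.name] = label

    def build_tables(self):
        # Only the binding learned from the routing next hop is installed in FIB/LFIB.
        for prefix, next_hop in self.routes.items():
            out = self.lib.get(prefix, {}).get(next_hop)
            self.fib[prefix] = (out, next_hop)
            if out is None:
                action = ("untag", None, next_hop)    # next hop gave no label: send plain IP
            elif out == IMPLICIT_NULL:
                action = ("pop", None, next_hop)      # penultimate hop popping
            else:
                action = ("swap", out, next_hop)
            self.lfib[self.local[prefix]] = action

    def longest_match(self, dst):
        addr = ipaddress.ip_address(dst)
        hits = [p for p in list(self.routes) + list(self.connected)
                if addr in ipaddress.ip_network(p)]
        return max(hits, key=lambda p: ipaddress.ip_network(p).prefixlen) if hits else None


def forward(lsrs, ingress, dst):
    """Carry one packet from the ingress LSR until it is delivered or dropped.
    Returns a trace of (LSR name, action, label stack after the action)."""
    trace, stack, node = [], [], lsrs[ingress]
    while True:
        if stack:                                   # labeled packet: LFIB lookup on the top label
            if stack[0] not in node.lfib:
                trace.append((node.name, "drop", list(stack)))
                return trace
            action, out, next_hop = node.lfib[stack[0]]
            if action == "swap":
                stack[0] = out
            else:
                stack.pop(0)                        # "pop" (PHP) or "untag"
            trace.append((node.name, action, list(stack)))
        else:                                       # plain IP packet: Layer 3 lookup
            prefix = node.longest_match(dst)
            if prefix is None:
                trace.append((node.name, "drop", []))
                return trace
            if prefix in node.connected:
                trace.append((node.name, "deliver", []))
                return trace
            out, next_hop = node.fib[prefix]
            if out is not None and out != IMPLICIT_NULL:
                stack.insert(0, out)                # ingress edge: impose the label
            trace.append((node.name, "push" if stack else "ip", list(stack)))
        node = lsrs[next_hop]


def build_network():
    """Constructed topology following the text: San Jose - San Francisco - Washington - New York,
    with 10.1.0.0/16 behind New York and an assumed 172.16.0.0/16 attached to San Francisco."""
    sj = LSR("SanJose", {"10.1.0.0/16": "SanFrancisco", "172.16.0.0/16": "SanFrancisco"}, label_base=16)
    sf = LSR("SanFrancisco", {"10.1.0.0/16": "Washington"}, connected=["172.16.0.0/16"], label_base=20)
    wa = LSR("Washington", {"10.1.0.0/16": "NewYork"}, label_base=30)
    ny = LSR("NewYork", {}, connected=["10.1.0.0/16"])
    lsrs = {n.name: n for n in (sj, sf, wa, ny)}
    for a, b in (("SanJose", "SanFrancisco"), ("SanFrancisco", "Washington"), ("Washington", "NewYork")):
        lsrs[a].neighbors.append(lsrs[b])
        lsrs[b].neighbors.append(lsrs[a])
    for step in ("allocate_labels", "advertise", "build_tables"):   # control plane, in order
        for n in lsrs.values():
            getattr(n, step)()
    return lsrs
```

Calling `forward(build_network(), "SanJose", "10.1.0.5")` traces the push at San Jose, the swap at San Francisco, the pop at Washington and the plain IP delivery at New York.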

Chapter 3: MPLS operation in Cell mode


Chapter 2 examined how MPLS operates between Layer 3 switching devices (routers) in Frame mode. The routers exchange plain IP packets (for the control protocols) as well as labeled IP packets over the same link. The routers also perform label switching by identifying the label header in front of each IP packet. When deploying MPLS over ATM technology, the following difficulties must be solved:
- There is no mechanism for exchanging IP packets directly between 2 adjacent MPLS nodes over an ATM interface. All data exchanged over an ATM interface must go through a virtual circuit (VC).


- An ATM switch cannot perform label inspection or Layer 3 lookups. The only capability of an ATM switch is to map an incoming VC to an outgoing VC on the outgoing interface.
MPLS provides several solutions to ensure that MPLS can be deployed over ATM:
- IP packets in the control plane cannot be exchanged directly over an ATM interface. A control VC must be set up between adjacent MPLS nodes so that control-plane packets can be exchanged.
- An ATM switch cannot perform a label lookup. The top label in the label stack must therefore be converted into a VPI/VCI value.
Some terms used in deploying MPLS over an ATM environment:
- A Label Switching Controlled ATM interface (LC-ATM interface) is an interface on a router or ATM switch whose VPI/VCI values are assigned through the MPLS control protocols (TDP or LDP).
- An ATM-LSR is an ATM switch that runs MPLS protocols in the control plane and performs MPLS forwarding between LC-ATM interfaces in the data plane using traditional ATM cell switching.
- A Frame-based LSR is an LSR that forwards frames between its interfaces. A typical example of a Frame-based LSR is a router. A Frame-based LSR can have several LC-ATM interfaces, but it only performs Frame-based label switching on the label stack and does not perform cell switching like an ATM-LSR.
- An ATM-LSR domain is a group of ATM-LSRs connected to each other over LC-ATM interfaces.
- An ATM edge LSR is a Frame-based LSR with at least one LC-ATM interface.


Figure 3.1: Deployment model of ATM in the MPLS network

3.1. Control-plane connectivity across the LC-ATM interface

Figure 3.2: Information exchange between adjacent LSRs

The MPLS architecture requires plain IP connectivity between the control planes of adjacent LSRs so that they can exchange label bindings and other control packets (for example hello and update messages). In MPLS Frame-mode this requirement is easy to meet because routers can send and receive both IP packets and labeled packets over any frame-mode interface, LAN or WAN. ATM switches do not have this capability. There are two ways to provide plain IP connectivity between ATM-LSRs:


- Through an out-of-band connection, for example an Ethernet link between the switches.
- Through an in-band control virtual circuit (VC), in the same way that the ATM Forum protocols (User-Network Interface, UNI, and Integrated Local Management Interface, ILMI) do:

Figure 3.3: Mechanism for establishing the MPLS control VC (figure labels: ATM-LSR; MPLS control plane inside the ATM switch; ATM switching matrix; ATM data plane; ATM edge LSR (router); MPLS control plane)

3.2. Forwarding labeled packets across the ATM-LSR domain

Forwarding a labeled packet across the ATM-LSR domain takes three steps:

- The ingress ATM edge LSR receives a labeled or unlabeled packet, performs a lookup in the Forwarding Information Base (FIB) or the Label Forwarding Information Base (LFIB) and finds an outgoing VPI/VCI value, which it uses as the outgoing label. The labeled packet is segmented into ATM cells


and sent to the next ATM-LSR. The VPI/VCI value found in the label lookup is placed in the ATM cell header of every cell. Note: from this point until the labeled packet leaves the ATM-LSR domain, the label lookup is performed only on the VPI/VCI values, not on the MPLS label header. The MPLS header nevertheless remains in the labeled packet because it carries the additional header fields, for example the bottom-of-stack bit and the Time-to-Live (TTL).
- The ATM-LSRs switch the cells on the VPI/VCI value in the ATM cell header using traditional cell switching; the label distribution and allocation mechanism must make sure that the mapping between incoming and outgoing VPI/VCI values is correct.
- The egress ATM edge LSR reassembles the cells into a labeled packet, performs a label lookup and forwards the packet to the next LSR. The lookup is based on the VPI/VCI value of the incoming cells, not on the top label of the stack in the MPLS header, because the ATM-LSRs between the edges of the domain only rewrite the VPI/VCI values and never touch the labels carried inside the ATM cells.

The main differences between frame-based and cell-based label switching are:

- In frame-based label forwarding the lookup is performed on the top label of the label stack in the MPLS header. In cell-based forwarding the lookup is performed on the VPI/VCI values in the ATM cell headers.
- The switching mechanism in cell-based switching is traditional ATM cell switching on the VPI/VCI values in the cell headers. The label stack is completely ignored by the ATM-LSRs.


Because the top label of the label stack is not used by the egress ATM edge LSR, the ingress ATM edge LSR sets it to 0 before the labeled packet is segmented into ATM cells.

3.3. Label distribution and allocation across the ATM-LSR domain

Label distribution and allocation across the ATM-LSR domain could use the same method as in a frame-mode MPLS domain. Doing so, however, introduces a number of limitations, because every label assigned over an LC-ATM interface corresponds to an ATM VC: each label is exactly one VPI/VCI value, and each VPI/VCI value identifies a separate ATM VC. Since the number of VCs an ATM interface can support is small, the number of VCs allocated over an LC-ATM interface must be kept to a minimum. To achieve this, the upstream LSRs take responsibility for requesting label allocation and distribution over the LC-ATM interface: an upstream LSR that needs a label to send packets to the next node must request it from its downstream LSR. Labels are normally requested on the basis of the routing table rather than of the data flows, which requires a label for every destination whose next hop lies across an LC-ATM interface. The downstream LSR can simply allocate a label and answer the upstream LSR's request with the corresponding reply message. In some cases the downstream LSR must itself be capable of a layer 3 lookup (when it has no downstream label for the requested destination). An ATM switch does not answer such a request until it has a downstream label allocated for that destination: if the ATM-LSR has no downstream label with which to satisfy the upstream request, it requests one from its own downstream LSR and replies only after that label has arrived.

Label distribution and allocation across the ATM-LSR domain therefore has the following characteristics:

- Label allocation in devices capable of a layer 3 lookup (routers) is performed regardless of whether the router has already received a label for the same prefix from the next-hop router. Label allocation in routers is therefore called independent control.


- Label allocation in devices that cannot perform a layer 3 lookup (ATM switches) is performed only once a matching downstream label has been allocated. Label allocation in ATM switches is therefore called ordered control.
- The distribution method over an LC-ATM interface is downstream-on-demand, because an LSR advertises a label over the LC-ATM interface only when that label has been explicitly requested by the upstream LSR.

Figure 3.4: Label allocation in the ATM-LSR domain

Consider the model in the figure. The destination is X, reachable through the New York POP router. Label distribution and allocation proceed as follows:

- The San Jose router needs a label for destination X. Its routing table shows that the destination is reachable through an LC-ATM interface, so it requests a label from the downstream ATM-LSR, San Francisco.
- The San Francisco ATM-LSR is a traditional ATM switch operating in ordered control mode, so it requests a label from the Washington ATM switch. Likewise, the Washington ATM switch requests a label from the New York router.
- The New York router operates in independent control mode and can allocate a label for the request immediately. If the New York router has a downstream label for destination X, it


enters a mapping between the allocated VPI/VCI pair and that downstream label into its Label Forwarding Information Base (LFIB); otherwise it associates a pop operation with the allocated VPI/VCI pair. The VPI/VCI pair is returned to the Washington ATM switch in a TDP/LDP reply message.
- Having received the label from its downstream LSR, the Washington ATM switch allocates a label for its upstream LSR and enters the mapping between the newly allocated VPI/VCI pair and the VPI/VCI pair received from the New York router into its ATM switching matrix. The new VPI/VCI pair (1/241) is returned to the San Francisco ATM switch in a TDP/LDP reply.
- The San Francisco ATM switch does the same: it allocates another VPI/VCI pair (1/85) and sends it to the San Jose router as the label for destination X.
- After receiving the reply to its label request, the San Jose router can enter the VPI/VCI value received from the San Francisco switch into its FIB and LFIB.

VC merge

Given the distribution and allocation rules of the previous sections, the use of labels across the ATM-LSR domain has to be optimized. For example, when an ATM-LSR has already received a label for a destination from its downstream neighbor (the next hop), it could reuse that label whenever another upstream LSR asks for a label for the same destination. In the figure below the two routers on the left would then be given the same label for destination 171.68.0.0/16.
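The request/reply sequence above, as an added example (Python, not part of the thesis): a simulation of downstream-on-demand label allocation in which the router nodes use independent control and the ATM switches ordered control. Node names follow Figure 3.4; the starting VPI/VCI values (chosen so that Washington hands out 1/241 and San Francisco 1/85), the prefix name X, the message log format and the `vc_merge` flag are constructed for the example. The flag only anticipates the VC merge discussion: when it is off, every additional upstream request costs a fresh VC on every hop of the domain.

```python
"""Downstream-on-demand label allocation across an ATM-LSR domain (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

VpiVci = Tuple[int, int]
LfibEntry = Tuple[str, Optional[VpiVci]]   # ("pop", None) or ("swap", outgoing VPI/VCI)


@dataclass
class Lsr:
    name: str
    kind: str                           # "router": independent control; "atm": ordered control
    next_vci: int                       # constructed so the allocated VCIs match Figure 3.4
    downstream: Optional["Lsr"] = None  # next hop toward the prefix; None means this LSR is the egress
    vc_merge: bool = False              # ATM-LSR may map several incoming VCs onto one outgoing VC
    lfib: Dict[VpiVci, LfibEntry] = field(default_factory=dict)  # incoming VPI/VCI -> action
    bindings: Dict[str, VpiVci] = field(default_factory=dict)    # prefix -> label learned downstream

    def _allocate(self) -> VpiVci:
        vc = (1, self.next_vci)         # VPI 1, next free VCI on the LC-ATM interface
        self.next_vci += 1
        return vc

    def request(self, prefix: str, upstream: str, log: List[str]) -> VpiVci:
        """Handle a TDP/LDP label request from `upstream`; return the VPI/VCI it must use."""
        log.append(f"{upstream} -> {self.name}: REQUEST {prefix}")
        if self.kind == "router":
            # Independent control: allocate at once, whatever the downstream state.
            local = self._allocate()
            if self.downstream is None:
                self.lfib[local] = ("pop", None)          # egress: pop the label, route by IP
            else:
                self.lfib[local] = ("swap", self.bindings.get(prefix))
        else:
            # Ordered control: an ATM-LSR replies only once it holds a downstream label.
            # Without VC merge every upstream request needs its own downstream VC,
            # otherwise cells of two upstream LSRs would interleave on one VC.
            if prefix not in self.bindings or not self.vc_merge:
                self.bindings[prefix] = self.downstream.request(prefix, self.name, log)
            local = self._allocate()
            self.lfib[local] = ("swap", self.bindings[prefix])  # cross-connect in the ATM matrix
        log.append(f"{self.name} -> {upstream}: MAPPING {prefix} = {local[0]}/{local[1]}")
        return local


def build_domain(vc_merge: bool = False) -> Tuple[Lsr, Lsr, Lsr]:
    new_york = Lsr("NewYork", "router", next_vci=33)
    washington = Lsr("Washington", "atm", next_vci=241, downstream=new_york, vc_merge=vc_merge)
    san_francisco = Lsr("SanFrancisco", "atm", next_vci=85, downstream=washington, vc_merge=vc_merge)
    return san_francisco, washington, new_york


def run(vc_merge: bool = False, upstream_routers: Tuple[str, ...] = ("SanJose",)):
    """Each upstream router asks San Francisco for a label for prefix X.
    Returns the labels handed to the routers, the message log, and the three domain nodes."""
    san_francisco, washington, new_york = build_domain(vc_merge)
    log: List[str] = []
    labels = {router: san_francisco.request("X", router, log) for router in upstream_routers}
    return labels, log, (san_francisco, washington, new_york)


if __name__ == "__main__":
    labels, log, _ = run()
    print("\n".join(log))
    print("San Jose FIB/LFIB entry for X:", labels["SanJose"])
```

Running the file prints the six REQUEST/MAPPING messages in the order they cross the domain; no MAPPING leaves an ATM switch before that switch has received its own downstream label, which is exactly the ordered-control behaviour described above.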


Figure 3.5: Optimizing ATM label allocation

If, however, cells arrive at the same time from several different sources, sharing one VC value for a destination makes it impossible to tell which cell belongs to which incoming stream, and the downstream LSR cannot reassemble the packets. This problem is called cell interleaving. To avoid it, the ATM-LSR must request a new label from its downstream LSR every time an upstream LSR asks it for a label for any destination, even when it already holds a label for that very destination.

Figure 3.6: Cell flows when one label is advertised for the same destination

With a small modification, some ATM switches can guarantee that two cell flows sharing a VC never interleave. The switch holds the ATM cells in a buffer until it receives the cell carrying the special end-of-frame marker in the ATM cell header. Only then


are all the buffered cells transmitted onto the VC. The buffers in such switches must therefore be larger, and a new problem appears: the latency through the switch increases. Sending the cells of a frame back to back onto a single outgoing VC is called VC merge; it allows an ATM-LSR to use the same label for packets arriving from several different upstream LSRs for the same destination. VC merge significantly reduces the number of labels allocated across the ATM-LSR domain.
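The interleaving problem and the end-of-frame buffering of VC merge, as an added example (Python, not from the thesis): two upstream cell streams are mapped onto one outgoing VC, once by a plain cell switch and once by a switch that holds each incoming VC until its end-of-frame cell. The 8-byte cell payload, the VPI/VCI values and the packet contents are constructed; the end-of-frame marker stands in for the AAL5 indication carried in the cell header.

```python
"""Cell interleaving and VC merge on an ATM-LSR (added example)."""
from dataclasses import dataclass
from itertools import zip_longest
from typing import Dict, List, Tuple

VpiVci = Tuple[int, int]
CELL_PAYLOAD = 8   # constructed; a real ATM cell carries 48 payload bytes

# Constructed labelled packets from two different upstream LSRs, both bound for one destination
PKT_A = b"AAAAAAAA-packet-from-upstream-1"
PKT_B = b"BBBBBBBB-packet-from-upstream-2"


@dataclass(frozen=True)
class Cell:
    vc: VpiVci      # VPI/VCI in the cell header
    payload: bytes
    eof: bool       # end-of-frame marker (AAL5 carries it in the PTI bits of the cell header)


def segment(packet: bytes, vc: VpiVci) -> List[Cell]:
    """Ingress edge LSR: split a labelled packet into cells, marking the last one end-of-frame."""
    chunks = [packet[i:i + CELL_PAYLOAD] for i in range(0, len(packet), CELL_PAYLOAD)]
    return [Cell(vc, chunk, i == len(chunks) - 1) for i, chunk in enumerate(chunks)]


def interleave(*streams: List[Cell]) -> List[Cell]:
    """Cells from several incoming VCs arriving alternately at the switch."""
    return [c for group in zip_longest(*streams) for c in group if c is not None]


def switch_plain(cells: List[Cell], cross: Dict[VpiVci, VpiVci]) -> List[Cell]:
    """Traditional cell switching: rewrite the VPI/VCI of each cell and forward it at once."""
    return [Cell(cross[c.vc], c.payload, c.eof) for c in cells]


def switch_vc_merge(cells: List[Cell], cross: Dict[VpiVci, VpiVci]) -> List[Cell]:
    """VC merge: hold the cells of each incoming VC until its end-of-frame cell, then
    send the whole frame back to back onto the outgoing VC (more buffering, more delay)."""
    held: Dict[VpiVci, List[Cell]] = {}
    out: List[Cell] = []
    for c in cells:
        held.setdefault(c.vc, []).append(c)
        if c.eof:
            out.extend(Cell(cross[c.vc], f.payload, f.eof) for f in held.pop(c.vc))
    return out


def reassemble(cells: List[Cell]) -> Dict[VpiVci, List[bytes]]:
    """Egress edge LSR: concatenate cells per VC until an end-of-frame cell closes the frame."""
    partial: Dict[VpiVci, bytes] = {}
    frames: Dict[VpiVci, List[bytes]] = {}
    for c in cells:
        partial[c.vc] = partial.get(c.vc, b"") + c.payload
        if c.eof:
            frames.setdefault(c.vc, []).append(partial.pop(c.vc))
    return frames


def frames_at_egress(merge: bool) -> List[bytes]:
    """Push both upstream streams through one outgoing VC (1/241) and return what the egress rebuilds."""
    cross = {(1, 85): (1, 241), (1, 86): (1, 241)}   # two incoming VCs share one outgoing label
    arriving = interleave(segment(PKT_A, (1, 85)), segment(PKT_B, (1, 86)))
    forwarded = switch_vc_merge(arriving, cross) if merge else switch_plain(arriving, cross)
    return reassemble(forwarded).get((1, 241), [])


if __name__ == "__main__":
    print("plain switch:", frames_at_egress(False))
    print("VC merge:    ", frames_at_egress(True))
```

With the plain switch the egress reassembles two frames, neither of which is a packet that was actually sent; with VC merge it recovers both packets intact, at the cost of holding one whole frame per incoming VC inside the switch.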

Part 2: Virtual Private Network (VPN) applications over MPLS


The Virtual Private Network (VPN) is one of the most important applications of MPLS networks. Companies, and multinational companies in particular, have a large demand for this type of service: with a VPN they can use telecommunication services and carry internal data at low cost with assured security. Thanks to its traffic separation mechanisms and its ability to deliver classes of service (QoS) on demand, MPLS is a very suitable technology for VPNs. Note that MPLS itself separates customer traffic; it does not encrypt it, so confidentiality on an untrusted path still requires a mechanism such as IPSec, discussed in Chapter 4. In this part we study the VPN model over an MPLS network. This is an important application that meets the needs of private networks built on the national information infrastructure, with their differing requirements for safety, confidentiality and quality of service. Network security matters not only to ISPs but is decisive for government agencies and enterprises. WAN solutions such as leased lines and Frame Relay lack flexibility in connectivity, network expansion and information security, and are expensive. Firewalls only protect against attacks from outside the network at the point where traffic enters it, so the risk of attack remains high. A comprehensive security solution for a network therefore cannot leave out the VPN.


Chapter 4: Overview of Virtual Private Network technology


4.1. Introduction to the Virtual Private Network (VPN)

A Virtual Private Network is defined as a network in which a customer connects several sites over a shared infrastructure with the same access or security policies. VPNs built on IP are becoming increasingly common. The technology allows a private network to be created over the shared infrastructure of an Internet service provider (ISP). Various security techniques are applied to protect users' information when it is exchanged across a shared environment such as the Internet.

A VPN is a communications environment in which access is controlled and only connections within a predefined scope are permitted. A VPN is built by sharing common transmission facilities and media, and the services of the private network are delivered over those shared facilities. Put more simply: a VPN is a private network built on the infrastructure of a shared network, for example the Internet.

4.2. The evolution of VPNs

Initially, computer networks were deployed with two main technologies: leased lines for permanent connections and dial-up lines for intermittent, on-demand connections.


Figure 4.1: A typical computer network of fifteen years ago

These early networks gave customers fairly good security, but at a high price, for two reasons:

- The traffic exchanged between two regions of the network varies by time of day, by day of the month and even by season (for example, traffic rises sharply around important events).
- End users always demand fast response, which translates into a requirement for high bandwidth between sites, yet the leased bandwidth is only used during the periods when users are active.

These two reasons pushed service providers to develop and deploy a technology that gives customers a quality of service equivalent to leased lines. The first virtual private network technologies were based on X.25 and Frame Relay, later followed by SMDS and ATM.


Figure 4.2: A typical Frame Relay network

The VPN solution involves the following elements:

- The service provider is an organization that owns the infrastructure (the devices and the transmission media) and provides leased lines to customers. In this way the service provider offers its customers a Virtual Private Network Service.
- The customer connects to the service provider through Customer Premises Equipment (CPE). The CPE is usually a device providing the terminating connection, a bridge or a router; it is sometimes called the Customer Edge (CE) device.
- The CPE is connected over a transmission medium (usually a leased line, but it can also be a dial-up connection) to the service provider's device, which may be an X.25, Frame Relay or ATM switch, or even a router. This service provider edge device is sometimes called the Provider Edge (PE) device.
- The service provider usually has additional devices in its core network (also called the P-network). These are called P-devices, for example P-switches or P-routers.
- A contiguous part of the customer's network is called a site. A site can be connected to the P-network over one or more transmission links, using one or more CPE or PE devices.
- The service provider can charge for the VPN service either at a flat rate, usually based on the bandwidth provided to


the customer, or at a usage-based rate, usually based on the volume of data exchanged or on the time spent exchanging it.

4.3. VPN classification

There are three types of virtual private network:

- Intranet VPN: a VPN connecting two networks (site-to-site), used to connect the offices and branches of one company. Internal users are more trusted, so this type applies a lower level of restriction, that is, users are granted access to more network resources.
- Extranet VPN: used when information must be exchanged between the company's network and the networks of external partners. This model requires stricter security policies than an intranet in order to limit access to the company's resources.

Figure 4.3: Extranet model

- Remote access VPN: used by mobile workers who need secure access to the company's private network from any location through a shared medium (such as the public telephone network). Small offices may also use this type of access to connect to their company's private network.


In practice, the remote user connects to an Internet service provider (ISP) and the ISP establishes the connection to the company's private network. Once the connection between the remote user's computer and the company's private network exists, a tunnel is established between the two endpoints and data is exchanged through it.

4.4. VPN functions

A VPN provides the following basic functions:

- Confidentiality: the sender can encrypt the data packets before they are transmitted across the network, so that nobody can access the information without authorization; even if the packets are captured, they cannot be read.
- Integrity: the receiver can verify that the data was transmitted across the Internet without any modification.
- Origin authentication: the receiver can authenticate the source of the data packets, confirming where the information came from.

4.5. Tunneling and encryption

The VPN provides security by encrypting traffic inside a tunnel. A tunnel provides a logical, point-to-point connection across the connectionless IP network, which makes it possible to apply security features to the traffic. Tunneling solutions for VPNs use encryption to protect the data from being read by anyone not authorized to do so, and perform multiprotocol encapsulation where needed. Encryption ensures that the data cannot be read by anyone but the intended recipient. As more information travels over the network, encrypting it becomes ever more important. Encryption transforms the content of the message into a meaningless form, its ciphertext; the recipient uses the corresponding decryption function to recover the content of the message.

4.6. Protocols used for VPNs

Three main tunneling protocols are used to build a VPN.

4.6.1. Layer 2 Tunneling Protocol (L2TP)

Before the L2TP standard appeared (RFC 2661, August 1999), Cisco had introduced its proprietary tunneling protocol L2F (Layer 2 Forwarding).


L2F uses any access authentication mechanism supported by PPP. The Point-to-Point Tunneling Protocol (PPTP) was developed by the PPTP Forum; it supports 40-bit and 128-bit encryption and likewise uses any authentication mechanism supported by PPP. L2TP is the result of combining Cisco's L2F with Microsoft's PPTP. Besides combining the features of PPTP and L2F, L2TP can be fully protected by IPSec. L2TP can be used as the tunneling protocol for point-to-point VPNs (Intranet VPN and Extranet VPN) and for remote access VPNs. In practice L2TP can build a tunnel between a client and a router, between a NAS and a router (NAS, Network Access Server: the device that manages remote access (RAS), lets customers dial in, performs the initial authentication and forwards the call, over L2F or L2TP, to the customer's gateway) and between two routers. Compared with PPTP, L2TP has more features and is more secure. L2TP is used to create an isolated environment, the Virtual Private Dial Network (VPDN). L2TP lets users apply a single overall security policy across any VPN or VPDN route as if it were an extension of their internal network. L2TP itself does not provide encryption, so its traffic can be observed with a protocol analyzer; confidentiality must come from IPSec. Like PPTP, L2F uses PPP to provide a remote access connection that can be tunneled across the Internet to its destination. L2TP, however, defines its own tunneling protocol based on the L2F mechanism, which allows L2TP tunnels to be deployed not only over IP networks but also over other packet-switched networks such as X.25, Frame Relay and ATM. L2TP uses PPP to establish the physical connection. Once PPP has established the connection, L2TP first determines whether the network server on the company side recognizes the end user and is ready to serve as


a tunnel endpoint. If the tunnel can be created, L2TP takes on the role of encapsulating the packets to be transmitted. When L2TP creates tunnels between the ISP's network access concentrator and the network server on the company side, it can assign one or more sessions to a tunnel. L2TP creates a call identifier (call ID) and inserts it into the L2TP header of every packet to indicate which session the packet belongs to.

L2TP reduces network traffic and lets the servers control congestion on the link by performing flow control between the ISP's network access server, called the L2TP Access Concentrator (LAC), and the network server on the company side, called the L2TP Network Server (LNS). Control messages are used to determine the transmission rate and the buffer parameters that control the flow of PPP packets of a session within a tunnel.

4.6.2. Generic Routing Encapsulation (GRE)

In this type of VPN, the Generic Routing Encapsulation protocol (GRE) provides the mechanism for encapsulating the passenger protocol for transport over the carrier protocol. It carries information about the type of packet being encapsulated and about the connection between the server and the client. GRE encapsulates IP, CLNP and packets of any other protocol inside IP tunnels. With GRE, a Cisco router at each site encapsulates the packets of a given protocol in an IP header, creating a virtual point-to-point link to the Cisco routers at the other sites across an IP cloud, where the IP header is removed. By connecting multiprotocol subnets across a simple single-protocol backbone, IP tunneling allows the network to be extended over a single-protocol backbone. GRE does not provide encryption, so its traffic can be observed with a protocol analyzer.

4.6.3. IP Security Protocol (IPSec)


IPSec provides advanced security features such as stronger encryption algorithms and more comprehensive authentication. IPSec works well for both types of VPN, remote access VPNs and point-to-point VPNs (Intranet VPN and Extranet VPN); naturally it must be supported at both tunnel endpoints. IPSec has two modes, Tunnel and Transport: tunnel mode encrypts the header and the payload of every packet, while transport mode encrypts only the payload. Only systems that support IPSec can benefit from it. In addition, all devices must agree on the keys they use, and the firewalls on each system must have the same security settings. IPSec can encrypt data between many kinds of devices: router to router, PC to router, PC to server, or firewall to firewall. IPSec provides its security services using the Internet Key Exchange (IKE) to negotiate protocols and algorithms on the basis of the local security policies and to generate the encryption and authentication keys that IPSec uses. IPSec operates at layer 3, so it can only carry IP packets, whereas L2TP operates at layer 2 (of the 7-layer model) and can carry packets of several protocols such as IP, IPX or NetBEUI. L2TP can be protected by IPSec to strengthen its security when crossing the network. We now look at IPSec in more detail.

IPSec is a layer 3 protocol suite that combines a group of protocols and technologies such as AH (Authentication Header), ESP (Encapsulating Security Payload), IKE (Internet Key Exchange), DES (Data Encryption Standard), AES (Advanced Encryption Standard) and others into one system that provides reliable, secure authentication for IP packets. IPSec is used for both IPv4 and IPv6. Being an open standard, IPSec interoperates between devices of many manufacturers and is used with many kinds of VPN. Although IPSec is deployed mainly to extend WANs across shared public environments, it can also be used for encryption and security within a LAN, a campus network or even an


Intranet VPN. According to IETF RFC 2401, IPSec is designed to provide interoperable, high-quality security for IPv4 and IPv6. Its security services include access control, connectionless integrity, data origin authentication, confidentiality (encryption) and limited traffic-flow confidentiality. Its characteristics are as follows:

4.6.3.1. Ensuring data integrity

IPSec protects the IP flow by adding IPSec headers to the original IP packet. These new IPSec headers, AH and ESP, can be used separately or together depending on the level of security required. In essence, headers are added to the original IP packet in order to authenticate the packet, to encrypt it to protect the data, or both.

Security Associations (SAs) are an important part of IPSec processing, since they define a level of security between two devices in a peer-to-peer relationship. Through its SAs a device can apply the security policies to be used; it identifies an SA by a destination IP address, a security protocol identifier and a unique Security Parameter Index (SPI) value. There are two kinds of SA. The first is the key exchange SA (IKE SA), used for authentication between the peers, key exchange and subsequent key management. The second is the IPSec SA, negotiated and established so that each device uses an agreed authentication method, hashing algorithm and encryption method.

4.6.3.1.1. Authentication Header (AH)

AH uses a keyed-hash function, which may be implemented in Application-Specific Integrated Circuits (ASICs), to provide authentication and integrity of the transmitted data. AH authenticates the originating host to the destination host throughout the setup of the key authentication exchange. There are several key authentication methods; a few are listed here:

- IKE based on ISAKMP/Oakley: IKE is a hybrid key exchange protocol that uses part of Oakley and part of another protocol called SKEME inside ISAKMP (Internet Security Association and Key Management Protocol). Keys are either pre-shared manually or obtained through a trusted


authority, and the key exchange and its acceptance are performed by IKE. One endpoint authenticates the other through the IKE process and produces an SA. This happens before any IPSec SA is negotiated and before data can traverse the established link.
- Perfect Forward Secrecy (PFS) rekeying: this method gives higher security even if a key is compromised by an attacker. It separates the initial IKE exchange from the process used to generate the keys for the IPSec SA, so that a compromise of the IKE SA key does not reveal the IPSec secret keys. It allows the keys to be changed continually while the session is maintained.

To guarantee the integrity of data crossing the public network, AH uses hash algorithms such as Message Digest 5 (MD5). In tunnel mode the original IP packet, header included, is carried behind a new outer IP header across the public network; at the destination the original IP header is recovered and the packet is routed within the destination subnet. Note that AH only authenticates; it does not encrypt, so the inner addresses remain visible to an observer on the path.

4.6.3.1.2. Encapsulating Security Payload (ESP)

It is essential to protect the data area itself, so encryption of the data is needed. In this case an ESP header and an encryption algorithm, for example DES (3DES), are added to raise the security of the data. As a result, ESP completely encapsulates the user data. ESP can be used together with AH, but ESP includes the data origin authentication and the anti-replay mechanism that AH provides, so ESP can use the same key exchange technique used for AH. This allows ESP alone to be used for IPSec traffic when a high level of security is required. An example of using both the AH and the ESP header is when the strongest confidentiality (ESP) and the strongest authentication (AH) are wanted at the same time, because AH additionally protects the fields of the new IP header, which ESP does not. AH is used for authentication, ESP for encryption and authentication. ESP differs from AH in two respects:

- ESP encrypts the data before it is sent and therefore guarantees its confidentiality. With AH the whole packet is authenticated but not encrypted, so it can be read in transit.


- ESP authenticates only the content of the IP packet, not the whole IP packet.

4.6.3.2. Data transfer modes in IPSec

IPSec offers two ways of transferring data across the network for both AH and ESP: Tunnel mode and Transport mode. In practice these are two different kinds of SA. An SA is defined as a simplex connection that allows security services to be applied to the traffic inside it. Tunnel mode is used to secure traffic between groups of hosts (gateway to gateway), whereas transport mode is used from one IP host to another, or when network services such as QoS must be preserved in the original IP header.
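What AH covers and ESP does not, as an added example (Python, not from the thesis): the AH Integrity Check Value is computed over the IPv4 header with its mutable fields zeroed, the AH header with a zeroed ICV field, and the payload, using HMAC-SHA1 truncated to 96 bits (the HMAC-SHA1-96 transform of RFC 2404); the layout is that of transport mode, the AH header following the IP header directly. The addresses, key, SPI, sequence number and payload are constructed, and the ESP comparison omits encryption (the Python standard library has no block cipher) since the point is only which bytes the ICV covers.

```python
"""AH integrity check over an IPv4 header versus ESP's coverage (added example)."""
import hashlib
import hmac
import struct
from typing import Optional

KEY = b"constructed-ah-key-do-not-reuse"   # constructed for the example
AH_PROTO = 51                               # IP protocol number of AH
SPI, SEQ = 0x100, 1                         # constructed SA identifier and sequence number


def _addr(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def ipv4_header(src: str, dst: str, ttl: int, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header, no options; the checksum is left at 0 (it is mutable anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, _addr(src), _addr(dst))


def zero_mutable(hdr: bytes) -> bytes:
    """RFC 2402: TOS, flags, fragment offset, TTL and header checksum change in transit,
    so they are zeroed before the ICV is computed; every other field is covered."""
    return (hdr[0:1] + b"\x00" + hdr[2:6] + b"\x00\x00" + b"\x00" + hdr[9:10]
            + b"\x00\x00" + hdr[12:20])


def ah_header(next_hdr: int, spi: int, seq: int, icv: bytes) -> bytes:
    # Payload Len = (AH length in 32-bit words) - 2; 12 fixed bytes + 12-byte ICV = 6 words -> 4
    return struct.pack("!BBHII", next_hdr, 4, 0, spi, seq) + icv


def ah_icv(ip_hdr: bytes, payload: bytes, key: bytes = KEY) -> bytes:
    """HMAC-SHA1-96 over zeroed IP header + AH header (ICV field zeroed) + payload."""
    covered = zero_mutable(ip_hdr) + ah_header(6, SPI, SEQ, b"\x00" * 12) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:12]


def ah_verify(ip_hdr: bytes, payload: bytes, icv: bytes, key: bytes = KEY) -> bool:
    return hmac.compare_digest(ah_icv(ip_hdr, payload, key), icv)


def esp_icv(esp_payload: bytes, key: bytes = KEY) -> bytes:
    """ESP's ICV covers the ESP header (SPI, sequence number) and the payload only:
    the IP header in front of ESP is not an input, so ESP cannot detect changes to it."""
    return hmac.new(key, struct.pack("!II", SPI, SEQ) + esp_payload, hashlib.sha1).digest()[:12]


def send_and_verify(new_dst: Optional[str] = None, ttl_at_receiver: int = 64) -> bool:
    """Sender computes the AH ICV; the packet crosses the network (routers decrement the TTL,
    an attacker may rewrite the destination); the receiver verifies the ICV it gets."""
    payload = b"constructed TCP segment"
    total_len = 20 + 24 + len(payload)          # IP header + AH (24 bytes) + payload
    sent_hdr = ipv4_header("10.1.1.1", "10.2.2.2", 64, AH_PROTO, total_len)
    icv = ah_icv(sent_hdr, payload)
    received_hdr = ipv4_header("10.1.1.1", new_dst or "10.2.2.2", ttl_at_receiver,
                               AH_PROTO, total_len)
    return ah_verify(received_hdr, payload, icv)
```

A TTL decremented by the routers on the path still verifies, because TTL is a mutable field excluded from the hash; a rewritten destination address does not. The ESP ICV takes no IP header as input at all, which is why the text recommends AH in addition to ESP when the outer header itself has to be protected.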

4.6.3.2.1. Tunnel mode

Both AH and ESP operate in tunnel mode. A tunnel provides a path across the shared public network through which the hosts or tunnel endpoints can communicate. The tunnels are logical paths, like virtual circuits (VCs), configured over physical ports. IPSec tunnel mode encapsulates and protects the whole IP packet, including its original header, and adds a new 20-byte IP header to every packet. The next two figures show the IPSec headers added in IPSec Tunnel Mode AH and IPSec Tunnel Mode ESP.

Figure 4.4: IPSec AH header applied to an IP packet in tunnel mode


Figure 4.5: IPSec ESP applied to an IP packet in tunnel mode

4.6.3.2.2. Transport mode

Both AH and ESP can operate in transport mode. Transport mode is used to encapsulate the upper-layer payload carried above IP, usually a layer 4 or higher payload such as TCP, UDP or BGP. It leaves the layer 3 header in the clear because the header may be needed by other network services, for example applications that use QoS (an encrypted original IP header is of no use to QoS processing). AH transport mode serves applications where the original IP header is kept and only the integrity of the packet data needs to be authenticated. ESP transport mode serves applications that keep the original IP header but want the rest of the payload encrypted.

Figure 4.6: IPSec transport mode with AH


Figure 4.7: IPSec transport mode with ESP

4.6.3.3. IPSec operation

IPSec operation is divided into five steps.

4.6.3.3.1. Step 1: Identifying interesting traffic

Figure 4.8: Identifying the traffic flow

Determining which traffic needs to be protected is done as part of formulating the security policy for the use of a VPN. The policy defines which traffic must be protected and which may be sent as clear text. For every inbound and outbound packet there are three choices: apply IPSec, bypass IPSec, or discard the packet. For every packet protected by IPSec the system administrator must specify the security services to apply to it. The security policy database specifies the IPSec protocols, the modes and the algorithms used for the traffic, and these services are then applied to the traffic destined for each particular IPSec peer. With the VPN Client, menu windows are used to choose the connections that IPSec should protect. When interesting traffic reaches the IPSec client, the client starts the next step of the process: negotiating an IKE phase 1 exchange.

4.6.3.3.2. Step 2: IKE Phase 1
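Before the IKE exchanges, the security policy database lookup of step 1 as an added example (Python, not from the thesis): an ordered SPD whose entries select packets by address ranges, protocol and destination port and return PROTECT, BYPASS or DISCARD, with the IPSec protocol, mode and transforms attached to PROTECT entries. The branch and headquarters address ranges, the policy entries and the packets are constructed.

```python
"""Security Policy Database lookup for IPSec step 1 (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class SpdEntry:
    src_net: str
    dst_net: str
    action: str                                   # "PROTECT", "BYPASS" or "DISCARD"
    proto: Optional[str] = None                   # None matches any protocol
    dport: Optional[int] = None                   # None matches any destination port
    ipsec: Optional[Tuple[str, str, str]] = None  # (protocol, mode, transforms) for PROTECT

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


DEFAULT_DENY = SpdEntry("0.0.0.0/0", "0.0.0.0/0", "DISCARD")


def lookup(spd: List[SpdEntry], p: Packet) -> SpdEntry:
    """Ordered first-match lookup; traffic that no entry covers is discarded, not bypassed."""
    for entry in spd:
        if entry.matches(p):
            return entry
    return DEFAULT_DENY


# Constructed SPD of a branch gateway: branch LAN 10.1.0.0/16, headquarters 10.2.0.0/16
SPD = [
    SpdEntry("10.1.0.0/16", "10.2.0.0/16", "DISCARD", proto="tcp", dport=23),  # no telnet, even in the tunnel
    SpdEntry("10.1.0.0/16", "10.2.0.0/16", "PROTECT", ipsec=("esp", "tunnel", "3des-sha")),
    SpdEntry("10.1.0.0/16", "0.0.0.0/0", "BYPASS"),                             # ordinary Internet traffic
]


def classify(p: Packet) -> str:
    """The three-way decision of step 1 for one packet."""
    return lookup(SPD, p).action
```

Entries are evaluated in order and the first match wins, so the DISCARD entry for telnet must precede the broad PROTECT entry or it would never fire. Traffic that matches no entry is discarded rather than sent in the clear, which is the safe default required by RFC 2401.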


Figure 4.9: IKE phase 1

The basic purpose of IKE phase 1 is to negotiate the IKE policy sets, authenticate the peers and establish a secure channel between them. IKE phase 1 comes in two modes: Main mode and Aggressive mode. Main mode consists of three two-way exchanges between the initiator and the responder.

The first exchange:

Figure 4.10: The first exchange

During the first exchange, the algorithms and hashes used to secure the IKE communication are negotiated and agreed between the peers. When a secure connection is being set up between host A and host B across the Internet, IKE security proposals are exchanged between Router A and Router B. The proposals define the IPSec protocol being negotiated (for example ESP). Under each proposal the initiator must outline which algorithms are to be used in the policy (for example DES with MD5). Rather than negotiating every algorithm separately, the algorithms are grouped into sets, the IKE policy sets. A policy set describes the encryption algorithm, the authentication algorithm, the mode and the key length. These IKE proposals and policy sets are exchanged during the first exchange of main mode. If a matching policy set is found between the two peers, main mode continues; if no matching policy set is found, the tunnel is rejected. In the example of the figure above, RouterA sends IKE policy sets 10 and 20 to RouterB. RouterB compares its own policy set, policy set 15, with the policy sets received from RouterA. In this case there is a match: policy set 10 of RouterA matches policy set 15 of RouterB.

The second exchange uses a Diffie-Hellman (DH) exchange to generate a shared secret; during this exchange nonces (random numbers) are sent to the other peer, signed and returned so that their identity can be verified. The shared secret is used to derive all the other authentication and encryption keys. When this step is complete the peers hold the same shared secret, but they have not yet been authenticated. That happens in the third step of IKE phase 1, the authentication of the peer's identity.

The third exchange, authenticating the peer's identity:

Figure 4.11: The third exchange

Peer authentication methods:

The third and final exchange authenticates the remote peer. The main result of main mode is a secure channel for all subsequent exchanges between the peers. There are three methods of data origin authentication:

- Pre-shared keys: a secret key value entered manually on each peer is used to authenticate the peer.
- RSA signatures: each peer signs a hash of the exchange with its private key, and the signature is verified with the public key from the peer's digital certificate.
- RSA encrypted nonces: nonces (random numbers generated by each peer) are encrypted and then exchanged between the peers; the two nonces are used during peer authentication.

In aggressive mode there are fewer exchanges with fewer packets. Everything is exchanged in the first exchange: the IKE policy set negotiation, the generation of the DH public key and a nonce. Aggressive mode is therefore faster than main mode, but with pre-shared keys it sends the identities and the authentication hash in the clear, so an observer can run an offline dictionary attack against a weak pre-shared key; main mode should be preferred in that case.

4.6.3.3.3. Step 3: IKE Phase 2

Figure 4.12: IKE phase 2


The purpose of IKE phase 2 is to negotiate the IPSec security parameters used to protect the IPSec tunnel. IKE phase 2 performs the following functions:

- Negotiating the security parameters, the IPSec transform sets
- Establishing the IPSec SAs
- Periodically renegotiating the IPSec SAs to keep them secure
- Optionally performing an additional DH exchange

IKE phase 2 has only one mode, called Quick mode. Quick mode takes place after IKE has established the secure tunnel in phase 1. It negotiates a shared IPSec transform and establishes the IPSec SAs. Quick mode exchanges nonces that are used to generate new shared secret key material and to prevent replay attacks from creating bogus SAs. Quick mode is also used to renegotiate a new IPSec SA when the lifetime of the IPSec SA expires, and to refresh the keying material used to create the shared secret key, derived from the keying material obtained in the DH exchange of phase 1.

IPSec transform sets

The final result of IKE phase 2 is a secure IPSec session between the endpoints. Before this can happen, each pair of endpoints negotiates the required level of security (for example, the authentication and encryption algorithms for the session). Rather than negotiating the individual protocols, the protocols are grouped into sets, the IPSec transform sets. The IPSec transform sets are exchanged between the peers during quick mode. If a match is found between the sets, IPSec session establishment continues; otherwise the session is abandoned.


Figure 4.13: Transform set negotiation

In the example of the figure above, RouterA sends IPSec transform sets 30 and 40 to RouterB. RouterB compares its transform set with those received from RouterA. In this example there is a match: transform set 30 of RouterA matches transform set 55 of RouterB. The agreed encryption and authentication algorithms are used in a Security Association (SA). An SA is a simplex logical connection that provides security for all the traffic crossing it. Because most traffic is bidirectional, two SAs are needed: one inbound and one outbound. Once the security services have been agreed between the peers, each VPN peer enters the information into its Security Policy Database (SPD). The information includes the authentication algorithm, the encryption algorithm, the destination IP address, the transmission mode, the key lifetime and so on; together, this information constitutes an SA. The VPN device assigns the SA a number called the Security Parameter Index (SPI). When it sends traffic under that SA through the tunnel, the gateway or host inserts the SPI into the ESP header. When the IPSec peer receives the packet, it looks up the destination IP address, the IPSec protocol and the SPI in its Security Association Database (SAD) and then processes the packet with the algorithms specified in the SPD.
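The policy-set matching of Figure 4.10, the transform-set matching of Figure 4.13 and the SPD/SAD bookkeeping just described, as one added example (Python, not from the thesis). The responder accepts the first proposal, in the initiator's order of preference, whose algorithms and mode or DH group it also supports; set numbers are local and never compared, which is why set 10 of RouterA can match set 15 of RouterB. The agreed transform is then installed as a pair of simplex SAs keyed by destination address, IPSec protocol and SPI, and the lifetime check also covers the termination rule of step 5 (time or traffic volume). The policy numbers, algorithm names, addresses, SPI values and byte limit are constructed, matching the SAD entry (192.168.2.1, ESP, SPI 12) given with Figure 4.14.

```python
"""IKE proposal matching and the resulting SA pair (added example)."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    number: int            # local policy-set / transform-set number; only meaningful on its own router
    encryption: str
    integrity: str
    mode_or_group: str     # DH group for an IKE policy set, "tunnel"/"transport" for a transform set
    lifetime: int = 28800  # seconds

    def compatible(self, other: "Proposal") -> bool:
        # Numbers are never compared: set 10 on RouterA may match set 15 on RouterB.
        return ((self.encryption, self.integrity, self.mode_or_group)
                == (other.encryption, other.integrity, other.mode_or_group))


def negotiate(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Tuple[Proposal, Proposal]]:
    """The responder walks the initiator's proposals in the initiator's order of preference
    and accepts the first one it also supports; None means the tunnel is not built."""
    for offered in initiator:
        for accepted in responder:
            if offered.compatible(accepted):
                return offered, accepted
    return None


@dataclass
class Sa:
    spi: int
    dst: str
    protocol: str            # "esp" or "ah"
    transform: Proposal
    max_bytes: int           # constructed volume limit for the SA
    bytes_seen: int = 0

    def expired(self, age_seconds: int) -> bool:
        """Step 5: an SA ends on elapsed time or on traffic volume, whichever comes first."""
        return age_seconds >= self.transform.lifetime or self.bytes_seen >= self.max_bytes


@dataclass
class Sad:
    entries: Dict[Tuple[str, str, int], Sa] = field(default_factory=dict)

    def install(self, sa: Sa) -> None:
        self.entries[(sa.dst, sa.protocol, sa.spi)] = sa

    def lookup(self, dst: str, protocol: str, spi: int) -> Optional[Sa]:
        """Receiver side: destination address, IPSec protocol and SPI select the SA."""
        return self.entries.get((dst, protocol, spi))


def new_spi() -> int:
    return secrets.randbelow(2**32 - 256) + 256     # SPI values 1..255 are reserved


def establish_pair(local_ip: str, peer_ip: str, transform: Proposal, protocol: str = "esp",
                   max_bytes: int = 4_608_000, spi_in: Optional[int] = None,
                   spi_out: Optional[int] = None) -> Tuple[Sa, Sa]:
    """Two simplex SAs: inbound (our SPI, our address as destination) and outbound
    (the peer's SPI, the peer's address as destination)."""
    inbound = Sa(spi_in or new_spi(), local_ip, protocol, transform, max_bytes)
    outbound = Sa(spi_out or new_spi(), peer_ip, protocol, transform, max_bytes)
    return inbound, outbound


# Constructed policy of Figures 4.10 and 4.13 (RouterA initiates, RouterB responds)
ROUTER_A_IKE = [Proposal(10, "3des", "sha", "group2"), Proposal(20, "des", "md5", "group1")]
ROUTER_B_IKE = [Proposal(15, "3des", "sha", "group2")]
ROUTER_A_IPSEC = [Proposal(30, "esp-3des", "esp-sha-hmac", "tunnel"),
                  Proposal(40, "esp-des", "esp-md5-hmac", "tunnel")]
ROUTER_B_IPSEC = [Proposal(55, "esp-3des", "esp-sha-hmac", "tunnel")]
```

A negotiation that returns None is the case in which the tunnel is not built: no SA is installed and no traffic is sent. On the receiving side the SAD lookup must succeed before any algorithm from the SPD is applied, so a packet carrying an unknown SPI is dropped without further processing.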


Figure 4.14: Parameters of a Security Association (SA)

An IPSec SA is a combination of the SAD and the SPD. The SAD defines the SA's destination IP address, IPSec protocol and SPI number. The SPD defines the security services used for the SA: the encryption and authentication algorithms, the mode and the key lifetime. For example, for the connection from the corporate headquarters to the bank, the security policy provides a secure tunnel using 3DES, SHA, tunnel mode and a key lifetime of 28800 seconds; the SAD values are 192.168.2.1, ESP and SPI 12.

4.6.3.3.4. Step 4: The IPSec session

Figure 4.15: An IPsec session

After IKE phase 2 completes and Quick mode has established the IPsec SAs, traffic is exchanged between host A and host B over the protected tunnel. Interesting traffic is encrypted and decrypted according to the security services specified in the IPsec SA.


4.6.3.3.5. Step 5: Tunnel termination

Figure 4.16: Terminating an IPsec session

IPsec SAs terminate either by being deleted or by timing out. An SA times out when the specified lifetime in seconds elapses or when the specified number of bytes has passed through the tunnel. When the SAs terminate, the keys are discarded as well. When new IPsec SAs are needed for a flow, IKE performs a new phase 2 negotiation and, if necessary, a new phase 1 negotiation. A successful negotiation produces new SAs and new keys. The new SAs are normally established before the existing SAs expire, so that traffic is not interrupted.

4.7. Overlay and peer-to-peer models [5]

Two types of VPN are commonly deployed:
- The overlay model, in which the service provider supplies the customer with point-to-point links (leased lines or virtual circuits) between sites.
- The peer-to-peer model, in which the service provider exchanges Layer 3 routing information with the customer and carries data between the customer's sites along the optimal path. In this model the customer's router is connected directly to, and peers with, the service provider's router.

4.7.1. The overlay VPN model

The overlay model is implemented with private trunks over the service provider's shared network infrastructure.


Such a VPN can be implemented at Layer 1 using leased lines or dial-up circuits; at Layer 2 using X.25, Frame Relay or ATM virtual circuits; or at Layer 3 using IP tunnels. In this model the roles of the customer and the service provider are as follows. The service provider supplies the customer with point-to-point links. These links are called virtual circuits (VCs); they may be permanent (PVC) or set up on demand. The following figure shows the overlay VPN model and the VCs used in it.

Figure 4.17: A simple overlay VPN

The customer establishes router-to-router connections between its CPE (Customer Premises Equipment) devices over the virtual circuits supplied by the service provider. Routing protocols always run between the customer's own devices; the service provider is not involved in, and is unaware of, the internal structure of the customer network. This type of VPN has the following limitations:
- Each VPN has many sites, and a site may have several routers for redundancy. The network becomes hard to manage, and a full mesh of point-to-point links or virtual circuits has to be provisioned across the provider backbone to obtain optimal routing.
- The customer has to design and operate its own virtual backbone network, and customers do not always have the skills and experience to do so. To address this, the service provider has to take on the design and operation of a Virtual Backbone Network for each customer, which becomes very complex as the number of customers grows.
- If every customer has a VPN with hundreds of sites, the number of connections becomes enormous, which limits the scalability of the system.
- With a large number of connections, adding or removing a site has a large impact, because the routers have to be reconfigured.
- It is difficult to estimate the capacity needed on the links between sites.

4.7.2. The peer-to-peer VPN model

The peer-to-peer VPN model removes the shortcomings of the overlay VPN model. In this model the provider's edge device (Provider Edge, PE) is a router that exchanges routing information directly with the CPE router.

Figure 4.18: The peer-to-peer VPN model


The peer-to-peer VPN model has several advantages over the overlay VPN model:
- Routing becomes extremely simple, because the customer router exchanges routing information with only one or a few PE routers, whereas in the overlay model the full mesh of connections makes the number of routing neighbours very large.
- Routing between customer sites is always optimal, because the provider routers know the customer's topology and can therefore route between sites along the best path.
- Bandwidth provisioning is simpler, because the customer only has to specify the inbound and outbound bandwidth for each site.
- Adding a new site is simpler, because the service provider only adds the site and changes the configuration on the PE router to which the new site connects. In the overlay model the provider would have to provision connections to all the other sites in the customer's VPN.

Before MPLS-based VPNs, there were two options for implementing the peer-to-peer model:
- Shared router, where several VPNs share the same PE router
- Dedicated router, where each VPN customer has its own PE router

4.7.2.1. Peer-to-peer VPN with a shared PE router

In this model several VPN customers share one PE router. Access lists must be configured on every PE-CE interface of the PE routers to ensure isolation between the customer VPNs, and to prevent one customer's VPN from disrupting or intruding into another customer's VPN.


Figure 4.19: Peer-to-peer VPN: shared PE router

4.7.2.2. Peer-to-peer VPN with dedicated PE routers

In this model each customer VPN has its own PE router, and can therefore only reach the routes contained in the routing table of that PE router.

Figure 4.20: Peer-to-peer VPN: dedicated PE router

In the dedicated-PE model the routing protocols build a separate routing table for each VPN on the PE routers. The routing tables on these PE routers contain only the routes advertised by the customer VPN directly attached to them, which results in clear isolation between the VPNs of different customers (assuming IP source routing is blocked). Routing in this model can be implemented as follows:
- Any routing protocol runs between the PE router and the CE router.
- BGP runs between the PE router and the P router.
- The PE router redistributes the routes received from the CE router into BGP, tags them with a customer identifier and passes them to the P router. The P router therefore holds all routes of all customer VPNs.
- The P router passes only the routes with the matching BGP tag to each PE router, so a PE router receives only the routes that originated from CE routers in its own VPN.

4.7.2.3. Comparison of the peer-to-peer models

The shared-PE model is hard to maintain, because it requires a complex deployment and placing access lists on every PE router is cumbersome. The dedicated-PE model is simpler to configure and maintain, but becomes very expensive for the service provider when it has to serve a large number of customers with sites scattered over many geographical areas. Both models also share the following limitations:
- All customers share the same IP address space, which prevents customers from using private addresses. Customers must either use public IP addresses or private addresses assigned by the service provider.
- Customers cannot insert a default route into their VPN. This prevents some routing optimisations and limits a customer's Internet access through another service provider.

In summary, VPNs can be classified in several ways. The most common is by the way routing information is exchanged across the VPN. In the peer-to-peer VPN model the customer's routing information is exchanged between the customer routers and the service provider's routers. In the overlay VPN model the service provider only supplies virtual circuits, and routing information is exchanged directly between the customer edge routers. The two models can be combined in the network of a large service provider: overlay technology can be used in the access part of a peer-to-peer VPN (for example, connecting customers to the provider's edge routers over Frame Relay) or in its core (for example, linking the provider's routers over ATM). The overlay VPN model can be implemented with Layer 2 WAN switching technologies (X.25, Frame Relay, SMDS or ATM) or with Layer 3 tunnelling (IP-over-IP or IPsec). The peer-to-peer VPN model can be implemented with traditional technologies using either complex routing arrangements or access lists (ACLs). Next we examine VPNs built on MPLS, which overcome the limitations of the other peer-to-peer VPN technologies: they allow the service provider to combine the benefits of the peer-to-peer model (simple routing, easy provisioning on customer request) with the security and clear isolation previously available only in the overlay VPN model.

Figure 4.21: Classification of VPNs by technology

Chapter 5: MPLS/VPN models


In the previous chapter we looked at virtual private networks, with the two types of VPN, overlay and peer-to-peer, and the main technologies used to implement each.

The overlay VPN model has traditionally been used in service provider networks; the virtual circuits across the backbone must be designed and provisioned before any traffic can flow. In the case of an IP network this means that even though the technology is connectionless, a connection-oriented service must be provisioned to deliver it. From the service provider's point of view, the overlay VPN model makes it very hard to manage a large number of virtual circuits or tunnels between customer devices, and the design of the customer's IGP (Interior Gateway Protocol) becomes extremely complex and hard to control. The peer-to-peer VPN model, on the other hand, lacks isolation between customers.

Multiprotocol Label Switching combines the advantages of Layer 2 switching with Layer 3 routing and switching. It allows us to build a new technology that combines the benefits of the overlay VPN model (such as security and isolation between customers) with the simple routing of the peer-to-peer VPN model. This new technology is called MPLS/VPN, i.e. VPNs deployed over MPLS; it makes routing simpler for the customer, and simpler for the service provider as well. Connectionless IP routing gains the connection-oriented property of MPLS through the establishment of Label-Switched Paths (LSPs). There are two main MPLS/VPN models: Layer 2 MPLS/VPN and Layer 3 MPLS/VPN (BGP/MPLS VPN).
- Layer 2 MPLS/VPN extends the customer's Layer 2 connectivity across an MPLS infrastructure. This model is known as the Martini VPN. An extension of Layer 2 VPN supports Virtual Private LAN Service (VPLS).
- Layer 3 MPLS/VPN uses an extension of the Internet routing protocol BGP to reach remote sites.

5.1. The Layer 2 MPLS/VPN model [7]

RFC 2547 provides a well-optimised framework for VPNs in IP networks. Although IP is the dominant protocol, it is not the only standardised protocol in use. Some customers, in particular in environments with many existing investments, need to extend their Layer 2 infrastructure (Frame Relay, ATM, Ethernet, VLAN, TDM, transparent LAN service). Some service providers have to supply capacity beyond what their existing IP core offers, and need to keep offering Layer 2 services such as Frame Relay or ATM. A Layer 3 IP VPN does not satisfy these requirements, so a Layer 2 solution is needed. A further proposal for supporting VPNs over an MPLS provider network is the Layer 2 MPLS/VPN (MPLS-based Layer 2 VPN). In its simplest form, this proposal defines a method for attaching a label to a Layer 2 PDU and forwarding the packet across the MPLS backbone.

5.1.1. Layer 2 VPN components

The most widely used proposal is the one by Martini. It builds on several concepts introduced with RFC 2547 VPNs. Provider routers, as in the RFC 2547 model, are not aware of the VPN: they continue to forward packets over previously established LSPs. Likewise, the customer edge (CE) router operates without any knowledge of the MPLS VPN. The Martini VPN relies entirely on the provider edge (PE) routers. Unlike RFC 2547, the Layer 2 solution is not a Virtual Private Routed Network (VPRN): the PE router does not take part in the end user's routing, and there is no procedure for building and maintaining VPN Routing and Forwarding tables (VRFs).

5.1.2. The Martini model

The Martini model describes a method of encapsulating the various Layer 2 protocol types within an MPLS frame. An MPLS LSP is used as a virtual circuit (VC) or tunnel across the provider network. The Layer 2 protocol (for example Ethernet) is terminated at the ends of the VC. Layer 2 PDUs are carried over the Martini VC and delivered intact at the egress of the network. Even though an IP network exists across the provider, the Martini technology allows it to be used as if it were a Layer 2 connection. The Martini proposal, like RFC 2547, establishes tunnels between PE routers. Each tunnel is assigned a 32-bit virtual circuit identifier (VC-ID). Every virtual circuit in a provider's network has its own unique VC-ID. The backbone LSPs are built to connect all the virtual circuits between a pair of PEs. A group ID can also be used to associate VCs; this is useful for wildcard operations such as withdrawing a large number of VCs at once, or rerouting after a failure.
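As an added example (not from the thesis), the following Python encoder/decoder handles the FEC element that carries the VC-ID and group ID described above, in the layout standardised from the Martini drafts in RFC 4447 (the PWid FEC element): FEC type 0x80, a control-word bit plus a 15-bit VC (pseudowire) type, an 8-bit PW info length, a 32-bit group ID, a 32-bit VC-ID, and then interface-parameter sub-TLVs such as the MTU. It also shows the wildcard form (PW info length 0, no VC-ID) that lets a PE withdraw every VC in a group with one message, and a check that both ends agree on VC type and MTU before a VC is brought up. The sample VC (Ethernet, VC-ID 100, group 7, control word on, MTU 1500) is constructed.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PWID_FEC_TYPE = 0x80                 # FEC element type for the PWid (Martini VC) FEC, RFC 4447
# Pseudowire (VC) types from RFC 4446; the type must be identical at both ends of a VC.
PW_TYPE_FRAME_RELAY_DLCI = 0x0001
PW_TYPE_ATM_AAL5_SDU = 0x0002
PW_TYPE_ETHERNET_TAGGED = 0x0004
PW_TYPE_ETHERNET = 0x0005
# Interface parameter sub-TLV types (RFC 4446 / RFC 4447).
IFP_MTU = 0x01                       # interface MTU, 2-octet value
IFP_MAX_ATM_CELLS = 0x02             # maximum number of concatenated ATM cells, 2-octet value


@dataclass
class PwidFec:
    pw_type: int
    group_id: int
    pw_id: int = 0                   # the 32-bit VC-ID
    control_word: bool = False       # the C bit: control word present on the data path
    interface_params: List[Tuple[int, bytes]] = field(default_factory=list)
    wildcard: bool = False           # PW info length 0: refers to every VC in group_id


def encode_pwid_fec(fec: PwidFec) -> bytes:
    """type(1) |C+PW type(2) | PW info len(1) | group ID(4) | [VC-ID(4) | sub-TLVs...]"""
    if not 0 <= fec.pw_type <= 0x7FFF:
        raise ValueError("PW type is a 15-bit field")
    c_and_type = (0x8000 if fec.control_word else 0) | fec.pw_type
    if fec.wildcard:
        return struct.pack("!BHBI", PWID_FEC_TYPE, c_and_type, 0, fec.group_id)
    params = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in fec.interface_params)
    info_len = 4 + len(params)       # length of the VC-ID field plus the interface parameters
    if info_len > 0xFF:
        raise ValueError("interface parameters too long for the 8-bit PW info length")
    return struct.pack("!BHBII", PWID_FEC_TYPE, c_and_type, info_len,
                       fec.group_id, fec.pw_id) + params


def decode_pwid_fec(data: bytes) -> Tuple[PwidFec, bytes]:
    """Parse one PWid FEC element; return it and the remaining bytes. Raises on malformed input."""
    if len(data) < 8:
        raise ValueError("truncated FEC element")
    ftype, c_and_type, info_len, group_id = struct.unpack("!BHBI", data[:8])
    if ftype != PWID_FEC_TYPE:
        raise ValueError(f"unexpected FEC type 0x{ftype:02x}")
    cw, pw_type = bool(c_and_type & 0x8000), c_and_type & 0x7FFF
    if info_len == 0:
        return PwidFec(pw_type, group_id, control_word=cw, wildcard=True), data[8:]
    if info_len < 4 or len(data) < 8 + info_len:
        raise ValueError("PW info length inconsistent with element size")
    pw_id = struct.unpack("!I", data[8:12])[0]
    body, off, params = data[12:8 + info_len], 0, []
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated sub-TLV header")
        sub_type, sub_len = body[off], body[off + 1]
        if sub_len < 2 or off + sub_len > len(body):
            raise ValueError("bad sub-TLV length")
        params.append((sub_type, bytes(body[off + 2:off + sub_len])))
        off += sub_len
    return PwidFec(pw_type, group_id, pw_id, cw, params), data[8 + info_len:]


def mtu_param(mtu: int) -> Tuple[int, bytes]:
    return IFP_MTU, struct.pack("!H", mtu)


def param_value(fec: PwidFec, sub_type: int) -> Optional[bytes]:
    return next((v for t, v in fec.interface_params if t == sub_type), None)


def vc_can_come_up(local: PwidFec, remote: PwidFec) -> bool:
    """A Martini VC is established only when both ends advertise the same VC-ID and the
    same VC type (no bridging between Layer 2 types) and, when both signal it, the same MTU."""
    if local.wildcard or remote.wildcard:
        return False
    if (local.pw_id, local.pw_type) != (remote.pw_id, remote.pw_type):
        return False
    l_mtu, r_mtu = param_value(local, IFP_MTU), param_value(remote, IFP_MTU)
    return l_mtu is None or r_mtu is None or l_mtu == r_mtu


if __name__ == "__main__":
    # Constructed example: Ethernet VC with VC-ID 100 in group 7, control word on, MTU 1500.
    adv = encode_pwid_fec(PwidFec(PW_TYPE_ETHERNET, 7, 100, True, [mtu_param(1500)]))
    print(adv.hex())
    print(decode_pwid_fec(adv)[0])
```

The decoder validates every length field before indexing; a PE that parses label-mapping messages from its LDP peers without such checks turns a malformed FEC into a control-plane crash, which is exactly the kind of PE compromise Chapter 6 warns about.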

Figure 5.1: LSP tunnels between PEs

5.1.3. Signalling

Provider edge routers taking part in a Martini VPN use the Label Distribution Protocol (LDP) to exchange VPN connection information. It is a common misconception that LDP is therefore required as the signalling protocol of the MPLS network itself: the MPLS signalling and control plane is entirely separate from the VPN control plane. Note that LDP is a session-oriented protocol, meaning that two LDP peers establish a communication session (over TCP). Once the session is established, VC-ID data can be exchanged and each required Martini tunnel is built. The data carried in the LDP message comprises the VC-ID, the group ID, the VC type, the VC interface parameters and a control word flag. The interface parameters carry port-specific information such as the MTU size, the number of ATM cells that may be concatenated, and optional features that may be supported. The control word flag is a single bit indicating whether or not the Martini control word is present. The control word, when used, carries information specific to the encapsulation of a given Layer 2 protocol type: sequencing of frames, the padding needed where a minimum frame size must be met on some media, and any other Layer 2 protocol control bits. Finally, LDP is used to advertise, withdraw and maintain the label binding for each Martini virtual circuit.

5.1.4. Data traffic

The basic rules for data traffic are the same as for RFC 2547 Layer 3 VPNs. Packets are transported with two labels. The top label identifies the remote destination PE router; it is used by the intermediate LSRs to forward the packet across the MPLS network. The remote PE router uses the bottom label to deliver the packet to the correct end user (the CE router) with the appropriate Layer 2 encapsulation. A practical difficulty in supporting Layer 2 VPNs is that there are many Layer 2 protocols, each with its own procedures. Each supported Layer 2 protocol is assigned a distinct VC type identifier, and the type must be consistent at both ends of a VC: a Martini VPN does not bridge between two different Layer 2 protocols. If the ingress port is Ethernet, the egress cannot be ATM. Later extensions of the Martini proposal may allow interworking between different encapsulation types.

5.2. The Layer 3 MPLS/VPN model (BGP/MPLS VPN) [7]

Today the most widely used Layer 3 VPN technologies are IPsec and MPLS/BGP. These technologies support applications such as intranets, extranets and Internet access, providing connectivity between the different sites served by the service provider.

First, a word about BGP. The Border Gateway Protocol is the current standard for inter-domain routing. BGP was designed to replace the Exterior Gateway Protocol (EGP), which had a number of limitations: EGP imposed a tree-structured backbone, which is not workable for the Internet. Without BGP the Internet could not have grown as it has.

5.2.1. BGP/MPLS virtual private networks

RFC 2547 defines a mechanism that allows a service provider to use an MPLS backbone to offer VPN services to customers. RFC 2547 VPNs are also known as BGP/MPLS VPNs, because BGP is used to distribute VPN routing information across the provider backbone and MPLS is used to forward VPN traffic from one VPN site to another. The main objectives of this approach are:
- To make the service very simple for customers to use, even if they have little experience of IP routing.
- To make the service very flexible and scalable, suitable for large-scale deployment.

64

L Phm Minh Thng

Lun vn tt nghip

MPLS v ng dng MPLS/VPN

- To allow the policies used to create a VPN to be implemented by the service provider alone, or jointly by the service provider and the customer.
- To allow the service provider to offer value-added services that satisfy the customer.

5.2.1.1. Components of a BGP/MPLS network

Within RFC 2547, a virtual private network is a collection of policies that control connectivity among sites. A customer site is connected to the service provider network through one or more ports, and the provider associates each of its ports with a routing table. In RFC 2547 each VPN routing table is called a VPN Routing and Forwarding table (VRF).

Figure 5.2: RFC 2547 network components [2]
CE: Customer Edge router
P: Provider router
PE: Provider Edge router

5.2.1.1.1. Customer edge router (CE)

A Customer Edge device (CE) gives the customer access to the service provider network over a data link to one or more provider edge routers. While the CE device can be a host or a Layer 2 switch, it is typically an IP router that establishes an adjacency with its directly connected PE router. Once the adjacency is established, the CE router advertises the site's local VPN routes to the service provider's PE router and learns the routes to the remote VPN sites from the PE.


5.2.1.1.2. Provider edge router (PE)

PE routers exchange routing information with CE routers using a dynamic routing protocol such as RIPv2, OSPF or EIGRP (static routes or BGP can also be used). A PE holds only the VPN routes of the VPNs to which it is directly connected. This design improves the scalability of the RFC 2547 model, because it removes the need for every PE router to hold all VPN routes. Each PE router maintains a VRF for each directly connected site. Each customer connection (such as a Frame Relay PVC, an ATM PVC or a VLAN) is mapped to a specific VRF; it is therefore a port on the PE router, not a site, that is associated with a VRF. Note that several ports on a PE router can be associated with a single VRF. It is the PE router's ability to maintain multiple forwarding tables that supports the per-VPN segregation of routing information. After learning the local VPN routes from the CE router, the PE router exchanges VPN routing information with the other PE routers using IBGP. A PE router can maintain IBGP sessions with route reflectors as an alternative to a full mesh of IBGP sessions. Deploying route reflectors improves the scalability of the RFC 2547 model, because it removes the need for any single network component to hold all VPN routes. Finally, when MPLS is used to forward VPN data traffic across the provider backbone, the ingress PE router acts as the ingress LSR and the egress PE router acts as the egress LSR.

5.2.1.1.3. Provider router (P)

Provider routers (P) are the routers in the service provider network that are not attached to CE devices. In an MPLS network they are the LSRs that forward VPN data traffic between PE routers. Traffic is forwarded across the MPLS backbone using a two-level label stack. P routers do not need to hold any VPN routing information for the customer sites; they switch on the top label only.

5.2.1.2. Operation of BGP/MPLS


Two main kinds of traffic flow occur in a BGP/MPLS virtual private network:
- A control flow, used to carry the routing information of the VPN across the network and to set up the Label-Switched Paths in the provider network.
- A data flow, used to forward the customer's data.

We explain the operation using the following model:

Figure 5.2: BGP/MPLS operation model

In this model, hosts in site 1 can communicate with hosts in site 2 and vice versa; hosts in site 3 can communicate with hosts in site 4 and vice versa.

5.2.1.2.1. Control flow

In a BGP/MPLS network the control flow has two parts:
- The first is responsible for exchanging routing information between the CE and PE routers at the edge of the provider backbone, and between the PE routers across the provider backbone.
- The second is responsible for establishing LSPs between the provider's PE routers once the routing information, and the information about the data flows the customer wants forwarded, has been obtained.

Setting up the label-switched paths: for a VPN to use MPLS to forward data across the service provider network, LSPs must be established between the PEs before traffic crosses the network. LSPs can be established and maintained across the provider network using the Label Distribution Protocol (LDP) or the Resource Reservation Protocol (RSVP).

Figure 5.3: Label-switched paths in the provider network

The provider uses LDP if it needs a best-effort LSP between two PE routers; in this case the LSP follows the shortest path. The provider uses RSVP if it needs to assign bandwidth to the LSP, or to use traffic engineering (TE) to select an explicit path for the LSP. RSVP-signalled LSPs support specific QoS guarantees and traffic engineering. One or more parallel LSPs (with different capabilities and services) can be established between a pair of PEs. A route reflector acts as a server that reflects routes from an ingress PE to the egress PEs. If a provider uses route reflectors, LSPs must still be established between the PEs, because the route reflectors are not part of the forwarding path between the PEs.

5.2.1.2.2. Data flow


Let us follow the movement of data in BGP/MPLS. In the model below, a host in site 2 needs to communicate with a server in site 1. The host has the address 10.2.3.4 and the server has the address 10.1.3.8.

Figure 5.3: Data flow in BGP/MPLS

Host 10.2.3.4 forwards all packets for the server at 10.1.3.8 through its default gateway. When a packet arrives at CE2, it performs a longest-match route lookup and forwards the IP packet to PE2. PE2 performs a lookup in VRF A and obtains the following information:
- The MPLS label advertised by PE1 with the route (assume label 222)
- The BGP next hop for the route (the loopback address of PE1)
- The outgoing interface of the LSP from PE2 to PE1
- The initial label of the LSP from PE2 to PE1

User traffic is sent directly from PE2 to PE1 using MPLS with a label stack containing two labels. For this data traffic, PE2 is the ingress LSR of the LSP and PE1 is the egress LSR. Before forwarding the packet, PE2 pushes label 222 onto the label stack, creating the bottom label. This label was installed in VRF A when PE2 received the IBGP advertisement from PE1 for the route 10.1/16. Next, PE2 pushes the label associated with the LSP (set up with LDP or RSVP) to PE1 (the BGP next hop), creating the top label. Having built the label stack, PE2 forwards the MPLS packet on the outgoing interface to the first P router of the LSP from PE2 to PE1. The P routers switch the packet across the provider backbone on the top label. The last P router before PE1 pops the top label (exposing the bottom, or inner, label) and forwards the packet to PE1.
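The label-stack handling described in this section, written out as an added Python simulation; this is illustrative code, not code from the thesis. Label 222 is taken from the text; the transport labels 17 and 25, the PE1 loopback 192.168.0.1, the interface names and the second VRF are assumptions. The model shows PE2 pushing the VPN label and then the LDP label bound to the BGP next hop, each P router swapping only the top label, the penultimate P router popping it (implicit null), and PE1 using the VPN label to select the VRF and the CE interface. It also shows that the same destination arriving on another VRF is dropped rather than routed, because a VRF lookup never crosses into another VRF.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IMPLICIT_NULL = 3   # LDP implicit-null: "pop the label before forwarding" (penultimate hop popping)


@dataclass
class Packet:
    src: str
    dst: str
    labels: List[int] = field(default_factory=list)   # labels[0] is the top of the stack


@dataclass(frozen=True)
class VpnRoute:
    prefix: str        # IPv4 prefix learned over MP-iBGP from the remote PE
    vpn_label: int     # label the remote PE advertised together with the route
    bgp_next_hop: str  # loopback address of the remote PE


VRF = Dict[str, VpnRoute]                   # prefix -> route
LDPBindings = Dict[str, Tuple[int, str]]    # next-hop loopback -> (outgoing label, interface)
LFIB = Dict[int, Tuple[int, str]]           # incoming label -> (outgoing label, interface)
VpnLabelTable = Dict[int, Tuple[str, str]]  # VPN label -> (VRF name, CE-facing interface)


def lookup_vrf(vrf: VRF, dst: str) -> Optional[VpnRoute]:
    """Longest-prefix match inside one VRF only; other VRFs are never consulted."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, route in vrf.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = route
    return best


def pe_ingress(vrf: VRF, ldp: LDPBindings, pkt: Packet) -> Optional[str]:
    """Ingress PE: VRF lookup, push the VPN label (bottom), then the LDP label bound to the
    BGP next hop (top). Returns the outgoing interface, or None if the packet is dropped."""
    route = lookup_vrf(vrf, pkt.dst)
    if route is None:
        return None                  # no route in this VRF: dropped, never leaked to another VRF
    out_label, iface = ldp[route.bgp_next_hop]
    pkt.labels = [out_label, route.vpn_label] + pkt.labels
    return iface


def p_switch(lfib: LFIB, pkt: Packet) -> str:
    """P router: acts on the top label only; never inspects the inner label or the IP header."""
    out_label, iface = lfib[pkt.labels[0]]
    if out_label == IMPLICIT_NULL:
        pkt.labels = pkt.labels[1:]                  # penultimate hop pop
    else:
        pkt.labels = [out_label] + pkt.labels[1:]    # ordinary label swap
    return iface


def pe_egress(table: VpnLabelTable, pkt: Packet) -> Optional[Tuple[str, str]]:
    """Egress PE: the remaining (VPN) label selects the VRF and the attached CE interface."""
    if not pkt.labels or pkt.labels[0] not in table:
        return None
    vrf_name, ce_iface = table[pkt.labels[0]]
    pkt.labels = pkt.labels[1:]
    return vrf_name, ce_iface


# Constructed topology CE2 - PE2 - P1 - P2 - PE1 - CE1. Label 222 comes from the text;
# every other label, address and interface name is hypothetical.
PE1_LOOPBACK = "192.168.0.1"
PE2_VRF_A: VRF = {"10.1.0.0/16": VpnRoute("10.1.0.0/16", 222, PE1_LOOPBACK)}
PE2_VRF_B: VRF = {"172.16.0.0/12": VpnRoute("172.16.0.0/12", 301, PE1_LOOPBACK)}
PE2_LDP: LDPBindings = {PE1_LOOPBACK: (17, "to-P1")}
P1_LFIB: LFIB = {17: (25, "to-P2")}
P2_LFIB: LFIB = {25: (IMPLICIT_NULL, "to-PE1")}
PE1_VPN_LABELS: VpnLabelTable = {222: ("VRF-A", "to-CE1"), 301: ("VRF-B", "to-CE3")}


def forward(pkt: Packet, ingress_vrf: VRF) -> Optional[Tuple[List[List[int]], str, str]]:
    """Carry one packet from PE2 to PE1. Returns (label stack after each hop, egress VRF,
    CE interface), or None if the packet is dropped somewhere on the path."""
    if pe_ingress(ingress_vrf, PE2_LDP, pkt) is None:
        return None
    trace = [list(pkt.labels)]
    for lfib in (P1_LFIB, P2_LFIB):
        p_switch(lfib, pkt)
        trace.append(list(pkt.labels))
    egress = pe_egress(PE1_VPN_LABELS, pkt)
    if egress is None:
        return None
    trace.append(list(pkt.labels))
    return trace, egress[0], egress[1]


if __name__ == "__main__":
    print(forward(Packet("10.2.3.4", "10.1.3.8"), PE2_VRF_A))
    print(forward(Packet("10.2.3.4", "10.1.3.8"), PE2_VRF_B))   # None: not routable in VRF B
```

Note that the P routers never touch the VPN label or the IP header, which is why the backbone does not need, and must not hold, any customer routes; the isolation property of Chapter 6 rests on exactly this separation of the two labels.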


When PE1 receives the packet, it removes the remaining label to recover the original IP packet. PE1 uses label 222 to identify the directly attached CE that advertised the prefix 10.1/16. Finally, PE1 forwards the IP packet to CE1, which forwards it to the server 10.1.3.8 in site 1.

5.2.1.3. Advantages of BGP/MPLS VPNs

The greatest advantage of MPLS/VPN is that it simplifies network operation for the customer while allowing the service provider to add new, profitable, value-added services. The specific benefits of a BGP/MPLS VPN are:
- There are no constraints on the addressing plan used by each customer. Customers can use public or private addresses. From the service provider's point of view, different customers can have overlapping address spaces.
- The customer edge router (CE) at each site does not exchange routing information directly with the edge routers of other customers. Customers also do not need to be concerned with routing between their sites, because that is the responsibility of the service provider.
- VPN customers do not have to manage a backbone or a virtual backbone. Consequently they do not need to control access to the PE or P routers.
- The service provider does not have to manage a separate backbone or virtual backbone for each VPN customer. Consequently it does not need to manage access to the customer edge routers (CE).
- The policies that determine whether a site is a member of a given VPN are the customer's policies. The RFC 2547 VPN management model allows the customer's policies to be implemented by the service provider alone, or jointly by the service provider and the customer.
- A VPN can span multiple service providers.


- Cryptography is not required, because the architecture provides security equivalent to that of a Layer 2 backbone (ATM or Frame Relay).
- The service provider can use a common infrastructure to deliver both Internet connectivity and VPN services.
- Flexible quality of service for VPN customers is supported using the experimental (EXP) bits in the MPLS header or traffic-engineered LSPs (RSVP signalling).
- The RFC 2547 model is independent of the link layer (Layer 2).

5.2.2. Issues and solutions

The RFC 2547 model uses several mechanisms to make the service transparent to the customer and to solve a number of VPN problems. The issues include:
- Supporting overlapping customer address spaces
- Constrained connectivity between sites
- Maintaining up-to-date VPN routing information
- Conserving backbone bandwidth and the packet-processing resources of the provider edge (PE) routers

Within the scope of this thesis we only address overlapping customer address spaces.

Supporting overlapping address spaces

BGP, in its standard form, can only handle routes to 32-bit IPv4 addresses. In the MPLS/VPN architecture each VPN must be able to use the same IP prefixes as other VPNs (as long as they do not communicate with each other), so a way of distinguishing otherwise identical IPv4 routes is needed. BGP therefore has to be extended so that VPN routing information is unique within the MPLS/VPN backbone. Multiprotocol BGP (MP-BGP) and the VPN-IPv4 routing information provide this extension. Although MP-BGP can identify and carry routing information other than IPv4, let us first look at how VPN routes are distinguished and how a route is selected among many different customer routes. This is essential so that the decision process on the provider's PE router can keep each customer's VPN information separate. We have just established that in the MPLS/VPN architecture every customer must be identified by routes that are unique within the backbone, without restricting the use of private addresses. The routes are made unique so that MP-BGP can treat the same prefix from two different VPNs as two different routes. Consider the following model. The problem arises when the provider edge router in New York receives two identical IPv4 updates. In this case the PE router would select the best of the two routes according to the standard BGP decision process. A mechanism is therefore needed so that MP-BGP does not treat identical routes belonging to different VPNs as the same route.

Figure 5.4: The PE router compares BGP routes

This mechanism consists of a 64-bit string prepended to the IPv4 address carried in the MP-BGP update. This string is called the route distinguisher (RD), and it is different for each VPN (or for each set of sites within a VPN), so that the addresses contained in all VPNs are unique within the MPLS/VPN backbone. BGP treats one IPv4 address as different from another when the route distinguishers are different. A VPN-IPv4 (or VPNv4) address is the combination of the route distinguisher and the IPv4 address.


This combination makes the IPv4 route globally unique across the MPLS/VPN network. The following figure shows how the PE router can distinguish two identical IPv4 routes and treat them as separate entities belonging to different VPNs.

Figure 5.5: The PE router compares VPN-IPv4 routes

In the figure, when the PE router in New York receives an update for 10.2.1.0/24 from the PE routers in San Jose and in Paris, the two updates are no longer identical because the route distinguishers differ. The update from San Jose is 100:26:10.2.1.0/24 and the update from Paris is 100:27:10.2.1.0/24. Although the route distinguisher allows us to solve the problem of different VPN customers using the same private address range, it does not solve the problem of several sites within the same VPN using the same addresses. To see why, consider the following example:


Figure 5.6: Using the same private addresses within one VPN

In the figure, the provider edge router in New York receives an MP-BGP update for the subnet 10.2.1.0/24 from two different VPNs, in this case the EuroBank and FastFoods VPNs. The EuroBank VPN is configured to import all routes tagged 100:26 or 100:27, which means it accepts all routes from members of the EuroBank and FastFoods VPNs as long as they carry those tags. When the New York router compares the two routes to decide which one to install in the VPN Routing and Forwarding table (VRF) of the EuroBank VPN, only one of them can be selected, and connectivity to the other site is lost. For example, if the New York router decides that the MP-BGP update for 10.2.1.0/24 received from the Paris router is the best route, then connectivity from the EuroBank site in New York to destinations within the subnet 10.2.1.0/24 at the EuroBank site in San Francisco fails. For this reason, when designing an MPLS/VPN, overlapping addresses must be restricted to VPNs that do not communicate with each other across the MPLS backbone; sites that share the same address range within one VPN cannot all be reached.
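The following Python model, added here as an illustration and not taken from the thesis, builds the two VPN-IPv4 routes of figures 5.5 and 5.6 (100:26:10.2.1.0/24 from San Jose and 100:27:10.2.1.0/24 from Paris) and shows both effects discussed above: the MP-BGP table holds them as two distinct entries because the 8-byte RD is part of the key, while a VRF that imports both route targets can hold only one 10.2.1.0/24 and therefore loses reachability to one of the two sites. The PE loopback addresses, the use of route-target values equal to the RD values, and the simplified best-path tie-break (higher LOCAL_PREF, then lower next-hop address) are assumptions; the type 0 RD layout (2-byte type, 2-byte ASN, 4-byte assigned number) is the standard one.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class RouteDistinguisher:
    """Type 0 RD: 2-byte type (0), 2-byte ASN, 4-byte assigned number; 8 bytes on the wire."""
    asn: int
    assigned: int

    def to_bytes(self) -> bytes:
        return struct.pack("!HHI", 0, self.asn, self.assigned)

    @classmethod
    def parse(cls, text: str) -> "RouteDistinguisher":
        asn, assigned = text.split(":")
        return cls(int(asn), int(assigned))

    def __str__(self) -> str:
        return f"{self.asn}:{self.assigned}"


@dataclass(frozen=True)
class VpnIpv4Prefix:
    rd: RouteDistinguisher
    prefix: str   # e.g. "10.2.1.0/24"

    def nlri(self) -> bytes:
        """The 96-bit VPN-IPv4 address: 8-byte RD followed by the 4-byte IPv4 network address."""
        return self.rd.to_bytes() + ipaddress.ip_network(self.prefix).network_address.packed

    def __str__(self) -> str:
        return f"{self.rd}:{self.prefix}"


@dataclass(frozen=True)
class VpnRoute:
    vpn_prefix: VpnIpv4Prefix
    next_hop: str                   # advertising PE loopback (hypothetical addresses below)
    route_targets: FrozenSet[str]   # extended-community route targets, e.g. "100:26"
    local_pref: int = 100


def bgp_vpnv4_table(routes: List[VpnRoute]) -> Dict[VpnIpv4Prefix, VpnRoute]:
    """MP-BGP keeps VPN-IPv4 routes keyed on RD + prefix, so the same IPv4 prefix
    with two different RDs occupies two independent entries."""
    return {r.vpn_prefix: r for r in routes}


def import_into_vrf(table: Dict[VpnIpv4Prefix, VpnRoute],
                    import_rts: FrozenSet[str]) -> Tuple[Dict[str, VpnRoute], List[str]]:
    """Copy into a VRF every route carrying at least one of the VRF's import route targets.
    A VRF is a plain IPv4 table, so two imported routes with the same IPv4 prefix collide:
    only one survives (highest LOCAL_PREF, then lowest next hop, a stand-in for the rest of
    the BGP decision process) and the colliding prefix is reported."""
    vrf: Dict[str, VpnRoute] = {}
    collisions: List[str] = []
    for route in table.values():
        if not route.route_targets & import_rts:
            continue
        prefix = route.vpn_prefix.prefix
        if prefix in vrf:
            collisions.append(prefix)
            incumbent = vrf[prefix]
            new_key = (route.local_pref, -int(ipaddress.ip_address(route.next_hop)))
            old_key = (incumbent.local_pref, -int(ipaddress.ip_address(incumbent.next_hop)))
            if new_key <= old_key:
                continue
        vrf[prefix] = route
    return vrf, sorted(set(collisions))


# Constructed routes as received by the New York PE (see figures 5.5 and 5.6).
SAN_JOSE = VpnRoute(VpnIpv4Prefix(RouteDistinguisher.parse("100:26"), "10.2.1.0/24"),
                    "192.168.0.2", frozenset({"100:26"}))
PARIS = VpnRoute(VpnIpv4Prefix(RouteDistinguisher.parse("100:27"), "10.2.1.0/24"),
                 "192.168.0.3", frozenset({"100:27"}))
NEW_YORK_TABLE = bgp_vpnv4_table([SAN_JOSE, PARIS])


def demo() -> Dict[str, object]:
    eurobank, clashes = import_into_vrf(NEW_YORK_TABLE, frozenset({"100:26", "100:27"}))
    fastfoods, _ = import_into_vrf(NEW_YORK_TABLE, frozenset({"100:27"}))
    return {"distinct_vpnv4_routes": len(NEW_YORK_TABLE), "eurobank": eurobank,
            "eurobank_collisions": clashes, "fastfoods": fastfoods}


if __name__ == "__main__":
    for key in NEW_YORK_TABLE:
        print(key, key.nlri().hex())
    print(demo()["eurobank_collisions"])
```

Which of the two routes wins the collision is immaterial: whichever site the VRF ends up pointing at, the other site with the same subnet is unreachable from New York, which is the design constraint stated above.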


Chapter 6: Security and quality of service in MPLS/VPN


In this chapter we examine:
- How MPLS provides security (separation of VPNs, resistance to attacks, hiding the core and protection against spoofing)
- Which security mechanisms the MPLS architecture does not provide
- How the security of MPLS/VPN compares with that of ATM or Frame Relay VPNs

VPN users want the service provider to guarantee security and privacy. In other words, they want their VPN to be isolated while keeping the flexibility of sharing a common infrastructure. This chapter defines the requirements for securing a VPN and explains how MPLS meets them. Security for a VPN requires:
- Separation of VPNs (addressing and traffic)
- Resistance to attacks
- Hiding of the core network structure
- Protection against spoofing

6.1. Security in MPLS VPN

6.1.1. Separation of VPNs

The key security requirement for VPN users is that their traffic is kept separate from the traffic of other VPNs and from the traffic of the core. That means that the traffic of other VPNs, as well as core traffic, cannot enter their VPN. A further requirement is that each VPN can use any IP address range without affecting, or being affected by, other VPNs or the core.


We now analyse why the RFC 2547bis standard meets this requirement: first how the address spaces are kept separate, then how the data and control traffic are kept separate between VPNs, and between a VPN and the core.

6.1.1.1. Address space separation

To distinguish the addresses of different VPNs, RFC 2547bis does not use plain IPv4 (or IPv6) addresses in the control plane of the VPNs across the core. Instead, the standard introduces the notion of VPN-IPv4 and VPN-IPv6 addresses. A VPN-IPv4 address consists of an 8-byte route distinguisher (RD) followed by the 4-byte IPv4 address, as shown in figure 6.1. Similarly, a VPN-IPv6 address consists of an 8-byte RD followed by the 16-byte IPv6 address.

Figure 6.1: Structure of a VPN-IPv4 address

The purpose of the RD is to allow the whole IPv4 address space to be used in different contexts (here, the VPNs). On a router, an RD can identify a VPN Routing and Forwarding instance (VRF) in which the whole IPv4 address space can be used independently. In other words, the RD makes the IPv4 routes of one VPN unique across the MPLS/VPN core. In the MPLS/VPN architecture only the provider edge (PE) routers need to know the VPN routes, and since the PE routers use VPN-IPv4 addresses for the VPNs, the address spaces of the VPNs are separate. Furthermore, plain IPv4 addressing is used inside the core, which is distinct from the VPN-IPv4 addresses, so the core also has an address space independent of the VPNs. This gives a clear separation between the VPNs, and between the VPNs and the core.


Figure 6.2: Address planes in an MPLS/VPN network

6.1.1.2. Traffic separation

VPN traffic comprises the VPN's data-plane and control-plane traffic. VPN users require that their traffic is not mixed with the traffic of other VPNs or with core traffic, i.e. that their packets are not delivered into another VPN and vice versa. On the service provider's network this requirement is less obvious, because the traffic has to cross the MPLS core. Here we distinguish control-plane and data-plane traffic. Control-plane traffic originates and terminates within the core; the data plane carries the traffic of the different VPNs. VPN traffic is encapsulated, usually in an LSP, and sent from PE to PE. Because of this encapsulation the core never sees the VPN traffic as such.

Figure 6.3: Traffic separation

6.1.2. Resistance to attacks


In recent years, attacks have targeted not only applications but also the network infrastructure directly, so service providers must pay attention to the security of the core. Denial of service is one example, and in an MPLS/VPN environment it is even more dangerous: if an attacker gains control of a PE device, the security of every VPN on the MPLS core can be compromised, whether or not it is attached to that PE.

6.1.2.1. Where an MPLS core can be attacked

As discussed earlier, the VPNs are separated from each other and from the core. This also limits the points where attacks are possible: as the following figure shows, the only interface through which a VPN can see the core, and send packets to a core device, is the PE router, because the circuit between the CE and PE routers belongs to the VPN. Thus the only attack points visible from a VPN are the interfaces of the PE routers that connect to the customer's CE routers. In the figure, VPN1 can only see the PE interface it is attached to, and not the interfaces on other PEs. Note that there is one attack point per CE-PE connection, so all interfaces of the PE must be protected on behalf of the whole VPN space.

Figure 6.4: Address ranges visible from a VPN

Note that the CE router is always untrusted, even if it is managed by the service provider. The reason is that the CE sits at the customer's premises and can be replaced by another router or even, in some cases, by a workstation. A PE router, on the other hand, must always be trusted, and this must be enforced, because an intruder on a PE router can compromise all the VPNs. This means that the PE router must always be kept in a secure environment.

6.1.2.2. How the MPLS core can be attacked

In theory a PE router can be attacked either by transit traffic (i.e. traffic destined for another PE) or by traffic destined to the PE itself. Transit traffic is usually less of a problem, because routers are designed to forward packets as fast as possible. Of course, a router must be able to handle its transit traffic. However, some kinds of packets cannot be handled in hardware and increase the load on the router, so a large number of such packets can produce a DoS condition on the router. Packets with IP options are an example: a packet with IP options has a variable-length header and therefore cannot be looked up in ASICs; such packets have to be switched in software, which reduces the router's performance.

Traffic destined to the PE itself, i.e. whose destination is the PE, needs more attention because it affects the PE directly. There are two kinds of attack:
- DoS: the attacker tries to exhaust the resources of the PE router. This can be done, for example, by sending many routing update packets until the router's memory is exhausted.
- Intrusion: the attacker tries to use a legitimate channel to configure the PE router, for example the telnet or SSH port, or SNMP.

6.1.2.3. How the core is protected

All these attack possibilities can be controlled by correct configuration. Access control lists (ACLs) can be applied to all interfaces of the PE router. Where routing is required, the routing protocol port must not be blocked by the ACL. An attacker can then only attack the routing protocol directly.
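As an added illustration (not part of the thesis, and not a vendor configuration), the following Python model expresses the PE-CE ingress policy just described: only the configured routing protocol from the expected CE peer may reach the PE address, everything else addressed to a PE is dropped, transit traffic into the VPN is forwarded, and packets carrying IP options are dropped because they bypass hardware switching. The addresses, the choice of BGP (TCP port 179) as the PE-CE routing protocol, dropping options packets outright (rate-limiting is an alternative) and the Cisco IOS-style rendering of the ACL are assumptions; the sample packets are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp", ...
    dport: int = 0
    ip_options: bool = False   # header carries IP options (variable length, software-switched)


@dataclass(frozen=True)
class PeCeInterface:
    pe_address: str                      # this PE interface: the one attack point visible from the VPN
    ce_peer: str                         # address of the expected CE router
    routing_protocol: Tuple[str, int]    # e.g. ("tcp", 179) for BGP


def pe_ingress_verdict(link: PeCeInterface, pe_addresses: FrozenSet[str], pkt: Packet) -> str:
    """Return 'permit', 'deny' or 'deny-options' for a packet arriving from the CE side.

    1. Packets with IP options cannot be switched in hardware; drop them so that a flood
       of them cannot starve the PE's CPU (hardening choice assumed here).
    2. Packets addressed to this PE, or to any other PE address, are accepted only when
       they are the configured routing protocol and come from the expected CE peer.
       Everything else aimed at a PE (telnet, SSH, SNMP, ICMP, ...) is dropped.
    3. Transit traffic into the VPN is forwarded.
    """
    if pkt.ip_options:
        return "deny-options"
    if pkt.dst in pe_addresses:
        proto, port = link.routing_protocol
        if (pkt.dst == link.pe_address and pkt.src == link.ce_peer
                and (pkt.proto, pkt.dport) == (proto, port)):
            return "permit"
        return "deny"
    return "permit"


def evaluate(link: PeCeInterface, pe_addresses: FrozenSet[str],
             packets: List[Packet]) -> Dict[Packet, str]:
    return {p: pe_ingress_verdict(link, pe_addresses, p) for p in packets}


def to_ios_style_acl(link: PeCeInterface, name: str = "PE-CE-IN") -> List[str]:
    """Render rules 2 and 3 for this interface as a Cisco IOS-style extended ACL
    (illustrative; the IP-options rule is platform specific and left out). Other PE
    addresses need no entry: they lie outside the VPN's address space and are
    unreachable from the CE by construction."""
    proto, port = link.routing_protocol
    return [
        f"ip access-list extended {name}",
        f" permit {proto} host {link.ce_peer} host {link.pe_address} eq {port}",
        f" deny ip any host {link.pe_address} log",
        " permit ip any any",
    ]


# Constructed data: RFC 5737 documentation addresses for the link, hypothetical PE loopbacks.
LINK = PeCeInterface(pe_address="192.0.2.1", ce_peer="192.0.2.2", routing_protocol=("tcp", 179))
PE_ADDRESSES = frozenset({"192.0.2.1", "192.168.0.1", "192.168.0.2"})

SAMPLES = [
    Packet("192.0.2.2", "192.0.2.1", "tcp", 179),                  # BGP from the CE peer: permit
    Packet("10.2.3.4", "192.0.2.1", "tcp", 179),                   # BGP from a VPN host: deny
    Packet("192.0.2.2", "192.0.2.1", "tcp", 22),                   # SSH to the PE: deny
    Packet("10.2.3.4", "192.0.2.1", "udp", 161),                   # SNMP to the PE: deny
    Packet("10.2.3.4", "192.168.0.1", "icmp"),                     # ICMP to a PE loopback: deny
    Packet("10.2.3.4", "10.1.3.8", "tcp", 443),                    # transit into the VPN: permit
    Packet("10.2.3.4", "10.1.3.8", "tcp", 443, ip_options=True),   # transit with options: deny-options
]


if __name__ == "__main__":
    for pkt, verdict in evaluate(LINK, PE_ADDRESSES, SAMPLES).items():
        print(f"{pkt.src:>12} -> {pkt.dst:<12} {pkt.proto}/{pkt.dport:<4} {verdict}")
    print("\n".join(to_ios_style_acl(LINK)))
```

The remaining exposure after this filter is the routing protocol itself, which is why the session between CE and PE must carry its own authentication and be bounded (maximum prefixes, dampening) on the PE side.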

From the analysis above, the PE router accepts packets on the port of the routing protocol, which is secured; any other packet addressed to the PE is dropped by the ACL. The MPLS VPN architecture provides a higher level of security in this respect. First, the interface into the core is limited and exposes only the IP address of the PE router, which means better security. In this way an MPLS VPN core is less exposed to attack from outside than traditional IP technology, where the interfaces of all core routers can be targets for network attacks. Second, another advantage of MPLS is that it presents an edge router towards the outside, which makes it easier to secure. By comparison, a traditional IP core is fairly open by default: every component of the network is reachable from outside the network. This can be restricted in several ways, such as ACLs or techniques for hiding the core topology, but in an MPLS core most of the devices in the core are unreachable by virtue of its structure. Note that this depends on how Internet routing is carried out: if the Internet is carried in the global routing table, the risk of attack is higher. An MPLS core is characterised by restricting access to the global routing table from outside, which makes MPLS more secure.

6.1.3. Hiding the core topology

Layer 2 VPN technologies such as Frame Relay or ATM have the property that the VPN user cannot see the architecture of the core, because the user connects a layer 3 device to a layer 2 network, so the underlying layer 2 network is hidden from the user. An MPLS VPN network hides the network infrastructure by virtue of its architecture. As just mentioned, only the peering PE address is exposed to the user; the P routers are completely hidden. It is important to understand that the hiding of the core is not a result of ACLs but of the separation of address spaces in the MPLS core: even if the address of some P router is leaked to the outside, that address does not belong to the user's address space and is therefore unreachable.

The only exception is the peering address of the PE router. However, the address range of the CE-PE link belongs to the VPN, not to the core. In practice the same address ranges can be used in several different VPNs without conflict. So although a PE address is visible from the VPN, strictly speaking no information is leaked to the outside, because that address is in the VPN's address space. There is nevertheless a way to hide the PE router completely from the VPN user: use unnumbered addressing and static routing between PE and CE.

6.1.4. Protection against spoofing

Spoofing is a security violation in which a hacker gains illegitimate access to a computer system under the identity of a legitimate user. The simplest form of spoofing is obtaining a user's name and password to gain access. Another way is to use a device such as a network analyser to observe and capture the traffic on the network, and then insert forged packets into the data stream. In the early days of the Internet, the source address of a packet was taken as proof that the packet came from that IP address. Today, IP address spoofing is a daily occurrence in many kinds of attack. Since MPLS is a layer 3 technology, users worry about spoofing on the network, both at the IP level and in the labels used by the MPLS protocols. The questions asked are 'Can another VPN user spoof my IP address to get into my VPN?' and 'Can someone else spoof a VPN label to break into my VPN?'. These questions are easily answered as follows.

IP address spoofing: a VPN can use the entire IP address range, from 0.0.0.0 to 255.255.255.255. A VPN site or host can spoof an IP address, but the spoofed address is still local to that VPN. This is precisely the strength of the MPLS VPN architecture: a VPN user can use the whole address range, including the spoofed address, and the VPN behaves like a physical network for that VPN user. This is possible because the PE routers keep all packets inside the VRF (VPN Routing and Forwarding), so even the spoofed packet cannot escape the VPN. A spoofed IP address in one VPN therefore does not affect other VPNs.

Label spoofing: inside an MPLS core, the packets of different VPNs are distinguished by the route distinguisher. A malicious VPN user could build packets with forged labels and inject them into the MPLS core, trying to push those packets into other VPNs. This is not possible, because PE routers do not accept labelled packets from customer routers; a forged packet is dropped by the PE.

6.1.5. Security comparison with ATM/Frame Relay

Many companies that have been using VPN services based on ATM or Frame Relay technology are now moving to MPLS VPN services. New MPLS users often worry about the fact that an MPLS VPN service has a layer 3 control plane. As shown above, however, these layer 3 services can be secured and are suitable for the provision of VPN services. ATM/Frame Relay may be perceived as more secure because they are not vulnerable to layer 3 attacks (ATM/FR switches do, moreover, have a layer 3 control plane, for example telnet). Yet layer 2 security in these technologies often does not meet expectations. We will discuss and compare these issues.

VPN isolation: a VPN user requires their VPN to be isolated from other VPNs and from the core. In layer 2 technologies this is achieved entirely by layering: the core uses layer 2 exclusively, so the layer 3 information of each VPN is kept apart. In MPLS VPN technology the isolation is logical, achieved by maintaining separate environments on a single service provider router. The two technologies differ, but they give the same result: each VPN can use its entire address space within the VPN, and it cannot send packets to other VPNs on the same core.
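To illustrate the protection rules of sections 6.1.2.3 and 6.1.4 together (the ACL on the CE-facing PE interface, the rejection of labelled packets from a CE, the software-switching cost of IP options, and why a spoofed source stays inside its VRF), here is an added Python simulation of a PE ingress policy. It is not code from the thesis or from any vendor; the VRF name, addresses and the BGP port are constructed sample values.

```python
"""Simulated ingress policy of a PE router's CE-facing VRF interface.
Added illustration, not code from the thesis or any vendor; addresses,
VRF name and the routing-protocol port are constructed sample values."""
from dataclasses import dataclass

BGP_PORT = 179  # the one routing-protocol port the ACL leaves open


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"        # "tcp", "udp" or "icmp"
    dport: int = 0            # 0 = no transport port
    labelled: bool = False    # arrives carrying an MPLS label stack
    options: bool = False     # carries IP options (variable-length header)


@dataclass
class CeFacingInterface:
    vrf: str
    pe_addr: str              # PE side of the CE-PE link
    ce_addr: str              # the CE this interface is configured for
    punted: int = 0           # packets forced into software switching

    def ingress(self, pkt: Packet) -> str:
        """Verdict for one packet arriving from the CE side."""
        # 1. Label spoofing: a PE never accepts labelled packets from a CE.
        if pkt.labelled:
            return "drop:labelled-from-ce"
        # 2. ACL: only the routing protocol, and only from the attached CE,
        #    may reach the PE's own address; telnet/SSH/SNMP are dropped.
        if pkt.dst == self.pe_addr:
            if (pkt.proto == "tcp" and pkt.dport == BGP_PORT
                    and pkt.src == self.ce_addr):
                return "accept:routing-protocol"
            return "drop:acl"
        # 3. IP options cannot be looked up in the forwarding ASIC, so the
        #    packet is punted to software; counting punts exposes a flood.
        if pkt.options:
            self.punted += 1
            return f"forward:{self.vrf}:software-switched"
        # 4. Everything else is forwarded strictly inside this VRF, so even
        #    a spoofed source address only reaches destinations in this VPN.
        return f"forward:{self.vrf}"


def demo() -> list:
    """Run constructed sample packets through a VPN1 interface."""
    intf = CeFacingInterface(vrf="VPN1", pe_addr="10.1.1.1", ce_addr="10.1.1.2")
    samples = [
        Packet("10.1.1.2", "10.1.1.1", "tcp", BGP_PORT),   # BGP from the CE
        Packet("10.1.1.2", "10.1.1.1", "tcp", 22),         # SSH to the PE
        Packet("10.9.9.9", "10.1.1.1", "tcp", BGP_PORT),   # BGP, wrong source
        Packet("10.1.1.2", "192.168.5.5", labelled=True),  # forged label
        Packet("172.16.0.7", "192.168.5.5"),               # spoofed source
        Packet("10.1.1.2", "192.168.5.5", options=True),   # IP options
    ]
    return [intf.ingress(p) for p in samples]
```

The `punted` counter is the kind of value a provider would watch to spot an IP-options flood against a PE.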

Resistance to attacks

VPN users require a stable service, and services that are not attacked from outside. For many VPN users it is unacceptable for a VPN service to be affected by a DoS attack from outside. Worse, a hacker who gains control of a network element could control any VPN. The VPN technology must therefore withstand attacks. MPLS VPNs are frequently reachable from the Internet, so a skilled hacker with enough time could try to reach the PE router over the Internet. As shown in the previous section, the core has only a small number of interface points towards the outside. An MPLS core is not comparable to a traditional IP core, where every router is reachable (assuming that the MPLS core has no global interfaces towards the outside, only VRF interfaces). Furthermore, only individual interfaces are reachable and they are well secured, so it is hard to attack an MPLS network directly. ATM and Frame Relay networks also withstand attacks; however, ATM and Frame Relay switches likewise have a layer 3 control plane (for example telnet) and can be attacked if not well protected. If correctly configured, both kinds of VPN are not easy to attack.

Hiding the core infrastructure

In a layer 2 network the core is hidden because the VPN user works at layer 3. An MPLS VPN core is also hidden from the VPN user, though by a different method: most addresses are hidden by its architecture, and the only visible part is the peering PE address. Since that address is part of the VPN's address space, in practice no information about the core is available to the user from outside.

No VPN spoofing

We have seen that it is impossible to spoof another VPN or the core. The same holds for ATM and Frame Relay: there is no way to spoof the signalling mechanism, such as the Virtual Path Identifier/Virtual Circuit Identifier (VPI/VCI), to impersonate another VPN.

CE-CE visibility

One advantage that point-to-point ATM/FR connection services have over MPLS VPN is that, because they provide layer 2 services, the CEs can establish a direct layer 3 neighbour relationship and can see other CEs. For example, Cisco Discovery Protocol (CDP) can be used to learn the basic characteristics of a neighbouring router, including its layer 3 link address, so a customer router can to some extent identify the CE router at the other end of the point-to-point connection. This is not possible in the MPLS architecture: a CE router cannot see other CEs in its VPN directly. This is due to the connectivity model of MPLS VPN, which provides connectivity from a CE to a network cloud. This avoids the overhead of setting up tunnels to every other CE, but as a consequence a CE has no direct information about its neighbouring CEs.

Security comparison of MPLS with ATM/Frame Relay

Property                       MPLS    ATM/Frame Relay
VPN isolation                  Yes     Yes
Resistance to attacks          Yes     Yes
Hiding of the core topology    Yes     Yes
VPN spoofing impossible        Yes     Yes
CE-CE information              No      Yes

An MPLS VPN can only be well secured if it is correctly configured and operated.

6.2. Quality of service in an MPLS VPN network

For quality of service (QoS), the mechanisms used must be flexible enough to support many different kinds of VPN customer, and at the same time scalable enough to support a large number of VPN customers. For example, a service provider must be able to offer VPN customers several classes of service (CoS) for each VPN, where different applications in the same VPN may receive different CoS. In this way, e-mail can receive one CoS while some real-time applications receive another. Moreover, the CoS an application receives in one VPN may differ from the CoS the same application receives in another VPN; that is, the QoS mechanisms allow a decision, per VPN, about which kind of data receives which CoS. Furthermore, not every VPN has to use all the CoS a VPN service provider offers, so the set of QoS mechanisms also allows a decision about which CoS are used as the basis for a VPN.

Class of Service (CoS)

Whereas QoS concerns the overall quality of service currently delivered across the network, a class of service (CoS) defines the specific level of service needed for one kind of traffic: voice, video or data. Many enterprises require guarantees and a converged infrastructure, so the service provider needs to offer several classes of service to support mission-critical applications. QoS techniques in a VPN distinguish between traffic types and assign priority to mission-critical or delay-sensitive traffic such as voice and video. QoS techniques also let the VPN manage congestion across links of varying bandwidth. Service providers offer classes of service of the following kinds: a first class for delay control, a second class for load control, and a third class for best-effort support. Business requirements call for more classes of service, including:

- Level 4: real time (voice, video)
- Level 3: business interactive (call signalling, SNA system network architecture, reliability)
- Level 2: real time (video streaming, network management)
- Level 1: business LAN-to-LAN (Internet web, IBM Lotus Workplace)
- Level 0: best-effort data (mail transfer protocols, FTP, Internet web)

For each CoS, the provider must have clearly standardised attributes for acceptable delay, security and packet loss in the service level agreement (SLA), together with measured performance and QoS reporting that matches the CoS offered. Before looking at the QoS mechanisms used in BGP/MPLS-based VPNs, we consider the two models used to express QoS in a VPN: the pipe model and the hose model.

In the pipe model, a VPN service provider gives a VPN customer a QoS guarantee for data travelling from one of the customer's CE routers to other CE routers. Formally one can picture this model as a pipe connecting two routers, with the traffic between the two routers in this pipe guaranteed a defined QoS. An example of a QoS guarantee that can be offered in the pipe model is a guaranteed minimum bandwidth between two sites. The pipe model can be refined by allowing only certain kinds of traffic (corresponding to certain applications) from one CE to other CEs to use the pipe; the rule for which traffic may use the pipe is defined at the PE router at the head of the pipe. Note that the pipe model is quite similar to the QoS model VPN customers have today with Frame Relay or ATM based solutions. The basic difference is that with ATM or Frame Relay the connections are duplex, whereas the pipe model only provides a guaranteed connection in one direction. This unidirectional property of the pipe model allows connections to be set up for applications with asymmetric traffic flows, where the traffic from one site to another may differ from the traffic in the reverse direction.

The second model is the hose model. In this model the VPN service provider gives the customer a guarantee for the traffic the customer's CE router sends to and receives from the other CE routers in the same VPN, without the customer having to specify how that traffic is distributed among the other CE routers. Consequently, unlike the pipe model, the hose model does not require the customer to know the traffic matrix, which lightens the burden on customers wishing to use the VPN service. The hose model uses two parameters, ICR and ECR, where ICR is the total traffic a CE can send to the other CEs and ECR is the total traffic a CE can receive from the other CEs. In other words, ICR represents the aggregate traffic from a given CE and ECR the aggregate traffic to a given CE. Note that for a CE the ICR need not equal the ECR. The hose model supports several CoS levels corresponding to services with different parameters; for example, one service may require a lower packet loss parameter than another. For services that require strong guarantees (such as bandwidth guarantees) the pipe model is more suitable.

The pipe and hose models are not mutually exclusive: a service provider can offer a VPN customer a combination of the pipe and hose models, helping the customer decide which kind of service to buy for which CoS level.

In BGP/MPLS-based VPNs, the pipe model is supported with bandwidth-guaranteed LSPs. These LSPs start and end at the PE routers and are used to provide guaranteed bandwidth for all the pipes from one PE to another. That is, for a pair of PE routers with many directly attached CE routers between which there are pipes, instead of using one bandwidth-guaranteed LSP per pipe, a single bandwidth-guaranteed LSP is used for all the pipes. Using one bandwidth-guaranteed LSP to carry many pipes between a pair of PE routers improves the scalability of this model: the number of LSPs the service provider has to set up and maintain depends on the number of PE router pairs in the provider's network, not on the number of pipes the provider's VPN customers may have.

To support CoS in the hose model, the service provider uses the Diff-serv support of MPLS. The service provider can also use traffic engineering to improve network utilisation while still meeting the desired quality objectives. The procedures at the ingress PE router that determine which traffic maps to which CoS are independent of whether the pipe or the hose model is used and are entirely local to the PE router. These procedures may consider factors such as the ingress interface, source and destination IP addresses, TCP port numbers, or a combination of these, giving the service provider flexibility in controlling which kind of traffic receives which treatment.

Although the contract between the customer and the service provider specifies a particular bandwidth and CoS, the customer can still send traffic exceeding the subscribed bandwidth. To determine whether traffic is within the agreed bandwidth, the service provider applies policing at the ingress PE router. For traffic exceeding the agreed bandwidth, the provider has two options: either discard the excess traffic immediately at the ingress PE router, or forward it but mark it differently from the traffic within the agreed bandwidth. With the second option, to reduce out-of-order delivery, both in-contract and out-of-contract traffic is sent over the same LSP; the out-of-contract traffic is marked so that its packets are dropped in case of congestion.

6.3. Trends and opportunities

A service provider deploying MPLS VPN technology has the following opportunities:

- Customers expand their usage and gain more benefit, as VPN services over IP and MPLS increase profitability and flexibility.
- MPLS VPN lets managed IP services be sold as an add-on to access, raising the margin.
- The ability to offer customised VPN services to each business customer, increasing differentiation and adding value through data, video, voice, network security, wireless access and other options.
- Higher profit through lower costs of providing VPN services and operating the network, as well as simpler management of a single network.
- Flexibility to change the internal network structure so as to use resources efficiently; MPLS gives the network the ability to deliver per-customer, on-demand services.
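The hose-model policing described in section 6.2 above, as an added Python example that is not code from the thesis or any vendor: the ingress PE classifies each packet into a CoS from local rules (destination address, TCP port), polices it against the CE's ICR for that CoS with a token bucket, and either drops the excess at ingress or forwards it on the same LSP marked out-of-contract. The CoS rules, ICR values, the 100 ms burst depth and the addresses are constructed assumptions.

```python
"""Hose-model ingress policing and CoS classification at a PE router (added
illustration, not thesis or vendor code; rules, rates, addresses constructed)."""
from dataclasses import dataclass


@dataclass
class CosRule:
    cos: str
    dport: int = 0          # 0 = any port
    dst_prefix: str = ""    # "" = any destination


class TokenBucket:
    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst          # bytes/s, bytes of depth
        self.tokens, self.last = burst, 0.0

    def conform(self, size: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class HoseIngress:
    """Polices one CE's traffic against its ICR, split per CoS."""
    def __init__(self, icr_by_cos: dict, rules: list, drop_excess: bool = False):
        # ICR in bytes/s per CoS; burst depth = 100 ms of the rate (assumption)
        self.policers = {c: TokenBucket(r, r / 10) for c, r in icr_by_cos.items()}
        self.rules, self.drop_excess = rules, drop_excess

    def classify(self, dst: str, dport: int) -> str:
        """Local PE rules on destination address and TCP port; first match wins."""
        for r in self.rules:
            if r.dport and r.dport != dport:
                continue
            if r.dst_prefix and not dst.startswith(r.dst_prefix):
                continue
            return r.cos
        return "best-effort"

    def admit(self, dst: str, dport: int, size: int, now: float) -> tuple:
        """Return (cos, marking) for one packet arriving from the CE."""
        cos = self.classify(dst, dport)
        if self.policers[cos].conform(size, now):
            return cos, "in-contract"
        if self.drop_excess:
            return cos, "dropped-at-ingress"
        # Excess rides the same LSP, marked so it is dropped first on congestion.
        return cos, "out-of-contract"


def demo() -> list:
    rules = [CosRule("interactive", dport=5060),        # call signalling
             CosRule("business", dst_prefix="10.20.")]  # LAN-to-LAN to a site
    icr = {"interactive": 10_000, "business": 50_000, "best-effort": 100_000}
    pe = HoseIngress(icr, rules)
    burst = [pe.admit("10.30.0.9", 5060, 500, 1.0) for _ in range(3)]
    later = pe.admit("10.30.0.9", 5060, 500, 1.05)  # 100 ms later, refilled
    web = pe.admit("10.20.0.5", 80, 1400, 1.05)      # business CoS by prefix
    return burst + [later, web]
```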

CONCLUSION

After a period of studying multiprotocol label switching (MPLS) and its MPLS VPN application, the student has obtained the following results:

- An understanding of the difficulties and limitations of traditional switching technologies and the need for MPLS to emerge.
- An understanding of the architecture of an MPLS network, the label switching and label creation processes, the different operating modes of MPLS, and the applications of multiprotocol label switching, among which the VPN application stands out.
- An understanding of VPN technology, the protocols used in VPNs, IPSec and the steps of IPSec operation.
- An understanding of the MPLS VPN network model, the layer 2 and layer 3 MPLS VPN models, their advantages and their remaining problems.
- A grasp of security and quality of service in MPLS VPN, and of the risks an MPLS VPN model faces.
- The opportunities and trends for a service provider deploying MPLS VPN.

It is clear that MPLS VPN is a technology with many advantages that more and more enterprises will certainly choose to deploy, and MPLS VPN will have a large market.

However, this is a large subject that demands broad and deep understanding as well as a long period of study, so shortcomings within the scope of this thesis are certainly unavoidable; comments from teachers and friends are very welcome. Sincere thanks!
