CRNET and Metropolitan Area Network (MAN) Construction: Technical Exchange (slide deck CRNET与城域网建设技术交流.ppt)
CRNET and MAN Construction: Technical Exchange
Cisco Systems Beijing, Yu Chao, CCIE #5329

Agenda
- CRNET network overview, network construction approach and principles
- MPLS VPN services and key technologies
- Applications of Layer 2 VPN

Guangdong Province's position in the CRNET backbone
[Diagram: Guangdong's position in the CRNET backbone network.]

CRNET construction approach and MAN construction guiding principles
- CRNET is run as one end-to-end network under unified management.
- No independent provincial networks are built in the initial phase; each MAN connects directly to CRNET.
- Each MAN is an inseparable part of CRNET: the MAN is the seamless extension of backbone services into the metro area.
- Nationwide MPLS VPN services are provided on top of CRNET.
- CRNET is extended into a data platform that delivers integrated multi-services.
- Part of CRNET's authority is delegated to the branch companies; headquarters retains overall authority and supervisory capability.

Guangzhou Tietong network and the CRNET backbone
[Diagram: Guangzhou Tietong network attached to the CRNET backbone.]

Class A1 node structure (Shanghai, Guangzhou)
[Diagram: core routers A1-CR1 and A1-CR2, gateway routers iGR and dGR, access routers AR1, AR2-1 and AR2-2, switch SW2 and the MPLS PE; services: ATM/FR, DNS/NTP/Cache, NetFlow, broadband access, dial-up access, VPN customer access, IP Phone, VLAN2-VLANn with HSRP; links: POS155 to ChinaNet/GBN and UUNET/AT&T, CH1/CH3/CH4 and GE links to other Class A and Class B nodes, high-speed access; out-of-band management via power, console port and Ethernet.]

Class B node structure (Shenzhen)
[Diagram: Shenzhen CR-B with access routers AR1 and AR4, switches SW1 and SW3, a dial-up NAS (AS 5300) and the MPLS PE; services: Ethernet/broadband access, DNS, FR/DDN/leased-line access (64K-8M), Cache/NetFlow, MAN, VPN customer access, IP Phone; FR access on DLCI subinterfaces; links labelled 1G Ethernet, 622M STM-4 (Beijing), 100BaseT and 2M/V.35; legend entries: B-CR, GSR12406, AR1, GSR12406, AR4, SW1, Cisco 7200, switch; out-of-band management via power, console port and Ethernet.]
Notes:
1. Devices inside solid boxes already exist.
2. Devices inside dashed boxes are not supplied under this project.
3. Channels to Class C nodes use STM-1 or bundled 2M circuits.

Class B node topology
[Diagram: CH3, CH4, GE, FE and 155M STM-1 links; 1G Ethernet; out-of-band management via power, console port and Ethernet.]
Note: devices inside dashed boxes are not supplied under this project.

Class C node network topology
[Diagram: AR5 with CH4, GE and FE links.]

Other Class C node structures
[Diagram: other Class C node structures.]

MAN service model: integrated multi-service
- Voice service: 200-300 yuan per phone (enterprise), 100 yuan per phone (individual)
- Internet access: 100 yuan per household, 1000 yuan per enterprise
- VPN service: 1000-2000 yuan per site
- Video service: 60 yuan per hour per site
- Content provision: priced according to the content
- Goal: raise the revenue sources and ARPU obtained over a single data line
[Diagram: a single data line (一线通) into a multi-service platform carrying telephone, fax, video conferencing terminal, IP phone, individual users / online game service, VPN and Internet services, data storage / information sharing.]
- Integrated multi-service is the inevitable path for telecom networks.

Hangzhou CNC case
Hangzhou CNC network status
- Services offered: enterprise intranet and extranet VPNs; Internet access; server hosting / virtual hosting; VOD, distance education, interactive TV, telemedicine; call centre; IP telephony and video IP telephony; electronic meter reading; home security remote monitoring; online games / online stock trading; information on demand (weather, traffic, tourism, news).
- Subscribers: 1.5 million cable TV subscribers, 460,000 in the urban area; currently over 60,000 Internet subscribers; over 3,000 enterprise VPN access nodes; content services; IDC data centre services.
- IP telephony "supermarket" profit of 100,000 yuan per day; bundled sales (buy a PC, get broadband); current profit of 10 million yuan per month.

CNC Connect case
[Diagram: CNC Connect case.]

MAN service model: multi-service
Full-service provision on the Tietong MAN, from the access layer to the backbone
[Diagram: service aggregation point offering IP voice, data leased lines, Internet access and content push; access layer: DSL, wireless, frame relay, ATM leased lines, Ethernet; metro transport: metro DWDM, metro DPT, SDH multi-service platform, Ethernet, MSTP; long-haul multi-service platform: long-haul DWDM, ATM; CRNET core data network. An integrated model that concentrates on delivering services.]

Nationwide MPLS VPN service
- Target market: high-end enterprise users (high ARPU).
- MPLS VPN is the access vehicle; value-added services built on MPLS VPN are a continuing source of profit.
- A nationwide MPLS VPN service with Tietong's own advantages and characteristics is the key to winning.
- Expand coverage selectively and implement step by step.

Nationwide MPLS VPN services based on CRNET
[Diagram: the CRNET broadband data network carrying the Ministry of Railways Beijing, Shanghai and Chengdu VPNs between the Beijing headquarters and the Shanghai, Jilin, Wuhan and Guangzhou branches.]

MPLS VPN services and related technologies
- Concrete realization of multi-service delivery
- MPLS VPN security

High-speed Internet access service
[Diagram: the Tietong IP broadband MAN connecting Building A, residential area B, enterprise C and school D to the Internet over FE/GE, LRE/ADSL, wireless and HFC; port bandwidth; customer premises equipment.]

MPLS VPN enterprise intranet: interconnecting a customer's internal networks
- Customer A site 1 and site 2 keep their existing private addresses and are interconnected over 10/100M Ethernet: low cost, high bandwidth.
- The IP broadband MAN platform adds the routes of VPN A.
- Multiple per-service VPNs (voice, video, finance, HR and so on) can easily be provided at the same time.

MPLS VPN enterprise intranet: Internet access over the same line
- On top of the intranet service, the same line and the same unified IP broadband platform provide Internet access; Internet access routes are added alongside the VPN A routes.
- Per-service VPNs (voice, video, finance, HR) can still be provided alongside.

Classical Internet Access: Addressing
- The customer can use private address space.
- The firewall provides Network Address Translation (NAT) between the private address space and the small portion of public address space assigned to the customer.

Internet Access from Every Site: Addressing
Two addressing options:
- Every CE router performs NAT; a small part of the public address space has to be assigned to each CE router.
- The customer uses only public IP addresses in the private network; not realistic for many customers.

Central Firewall Service: Traffic Flow
[Diagram: Customer A (CE-A1, CE-A2) and Customer B (CE-B1, CE-B2) VPNs reach the Internet through an Internet Access VPN and a central firewall.]
- Traffic between sites of one customer should flow inside the VPN.

Combining Internet Access with VPN Services
Two major design models:
- Internet access offered through yet another VPN
- Internet access offered through global routing on the PE routers

Internet Access in a VPN
- Benefits: the provider backbone is isolated from the Internet; increased security is realized.
- Drawbacks: all Internet routes are carried as VPN routes; full Internet routing cannot be implemented because of scalability problems.

Internet Access Through Global Routing
Two implementation options:
- Internet access is implemented via separate interfaces that are not placed in any VPN routing/forwarding instance (VRF); this is the traditional Internet access setup.
- Packet leaking between a VRF and the global table is achieved through special configuration commands.

Internet Access Through Packet Leaking
- Benefits: this method can be implemented over any WAN or LAN media.
- Drawbacks: Internet and VPN traffic is mixed over the same link, which raises security issues. More complex Internet connectivity options (for example, full Internet routing for customers) are hard to implement.
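Added Python model (not the deck's own material) of the two lookups a PE performs in the packet-leaking design: a VRF lookup whose default route points at PE-IG's address in the global table, followed by a global lookup that yields the LSP label. The VPN-A name, 192.168.1.1, 171.68.0.0/16, Serial0 and labels 3 and 5 come from the "Packet Leaking in Action" slide; the Site-2 prefix 10.20.0.0/16, the Site-2 LSP name and the Internet destination 198.51.100.7 are constructed.

```python
import ipaddress

# Constructed routing state modelled on the "Packet Leaking in Action" slide.
# VRF for VPN-A on the PE: site routes plus a default route whose next hop
# 192.168.1.1 (PE-IG) is resolved in the global table, not in the VRF.
VRF_VPN_A = {
    "171.68.0.0/16": ("vrf", "Serial0"),           # Site-1 routes (slide value)
    "10.20.0.0/16":  ("vrf", "lsp-to-site-2-PE"),  # Site-2 routes (constructed)
    "0.0.0.0/0":     ("global", "192.168.1.1"),    # leaked default route
}
# Global table / FIB: PE loopbacks with the label learned for each LSP, plus
# the static return route that leaks 171.68.0.0/16 back into the VRF interface.
GLOBAL = {
    "192.168.1.1/32": ("label", 3),   # PE-IG, label 3 = implicit null
    "192.168.1.2/32": ("label", 5),
    "171.68.0.0/16":  ("vrf", "Serial0"),
}

def lpm(table, dst):
    """Longest-prefix match of dst in table; returns the entry or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, entry in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best[1] if best else None

def forward(dst, ingress_vrf):
    """Forwarding decision for a packet to dst that arrived on a VPN-A VRF
    interface (ingress_vrf='VPN-A') or on a global, Internet-facing one (None)."""
    table = VRF_VPN_A if ingress_vrf == "VPN-A" else GLOBAL
    hit = lpm(table, dst)
    if hit is None:
        return ("drop", None)
    kind, target = hit
    if kind == "global":
        # Recursive lookup of the leaked next hop in the global table
        hit = lpm(GLOBAL, target)
        if hit is None or hit[0] != "label":
            return ("drop", None)
        return ("global-mpls", hit[1])
    if kind == "label":
        return ("global-mpls", target)
    return ("vrf-out", target)          # deliver into the VRF interface or LSP
```

The global-table lookup for 171.68.3.3 shows the drawback the slide names: the return-path route makes the site prefix reachable from the Internet-facing side of the PE, so only Internet-side filtering separates VPN and Internet traffic on that link.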
Packet Leaking in Action
[Diagram: Site-1 (network 171.68.0.0/16) and Site-2 attach to PE routers; PE-IG is the Internet gateway. VPN-A VRF on the PE: 0.0.0.0/0 via 192.168.1.1 (global), plus Site-1 routes and Site-2 routes. Global table and FIB: 192.168.1.1/32 label 3, 192.168.1.2/32 label 5. The IP packet destinations shown on the slide were not recovered.]

Internet Access Through a Dedicated Subinterface: Traffic Flow
[Diagram: the CE's Serial0 is split into Serial0.1 and Serial0.2. CE routing table: Site-2 routes via Serial0.1, Internet routes via Serial0.2. PE global table: Internet routes via 192.168.1.1, label 3.]

MPLS VPN enterprise extranet: interconnecting external networks
- On top of the intranet and Internet access services, the same line and the unified IP broadband platform provide enterprise extranet service: part of VPN B's routes are added for customer A, and part of VPN A's routes are added for customer B user 1, alongside the existing VPN routes and Internet access routes.

Carrier's carrier services

Carrier's carrier: the customer ISP does not run MPLS
[Diagram: CRNET PE-1 and PE-2 connect CE-1 and CE-2 of the customer ISP 中经网 (Shenyang IGP and Beijing IGP domains), whose ASBR-1 and ASBR-2 serve its own ISP customers; a packet for Network N (IP destination N) crosses the carrier backbone.]

Carrier's carrier: the customer ISP runs MPLS
[Diagram: the same topology with the customer ISP running MPLS; packets for IP destination N cross the carrier backbone.]

Carrier's carrier: the customer ISP runs MPLS VPN
[Diagram: the customer ISP's own PE routers I-PE1 and I-PE2 sit behind CE-1 and CE-2.]

Inter-provider MPLS VPN service
[Diagram: a VPN spanning CATV/CNC and CRNET: CE-1, PE-1, P1 and PE-ASBR1 on one side, PE-ASBR2, P2, PE-2 and CE-2 on the other, carrying a packet for Network N.]

MPLS VPN: dedicated VPN for voice and video conferencing
[Diagram: on the IP broadband platform, customer A's CPE carries VPN A routes, Internet access routes and part of VPN B's routes; part of the voice VPN's routes are added. The IP telephony channel goes through a gateway to PSTN/GSM and the national long-distance VoIP network, controlled by an intelligent softswitch and gatekeeper; IP phones and traditional phones use Tietong numbers; video conferencing and Internet access share the platform.]

Cooperation with the cable TV operator (广电) based on Voice over Cable
[Diagram: cable modems and a CMTS on the CATV IP MAN over HFC; an IP telephony VPN on the Tietong metro IP network; intelligent softswitch, gatekeeper and PSTN.]
- Cost: the softswitch costs $10-20 per line; all subscribers' cable modems are funded by the CATV operator.
- Revenue: 15-20 yuan per month per subscriber in local call charges; the investment is recovered from local call charges within one year, after which the revenue is pure profit.
- Subscribers' long-distance calls can be carried over Tietong's PSTN long-distance backbone or VoIP backbone; assuming 30 yuan per month per subscriber, 2000 subscribers bring Tietong an additional 2000 * 30 * 12 = 720,000 yuan per year.
- Selling points: the CATV operator provides voice alongside data and helps Tietong add subscribers; Tietong extends its subscriber coverage at minimal cost; subscribers enjoy data and voice; a three-way win for Tietong, the cable operator and the subscribers.

Metro MPLS VPN: Internet café alliance
[Diagram: Sites 1-8 on the Tietong MAN connect through PE routers to the CRNET backbone (P routers); the voice VPN and ordinary Internet access are separate.]
- Cafés share resources, run networked games, make VoIP calls and video chat across the VPN.

Enterprise service analysis
[Diagram: on the metro broadband IP platform, Ethernet switches connect an enterprise headquarters and a branch / building; MPLS VPN connects headquarters and branches; video conferencing; Enterprise A; an IDC data centre offering hosting, second-tier operator and content provider services, online teaching, internal information sharing and VOD; Internet access.]

L2 VPN service
- Financial customers such as banks and securities companies need transparent transport: high bandwidth and high security.
- The customer-facing interface is a Layer 2 interface with no IP address (Ethernet, ATM, Frame Relay, etc.); both ends sit in the same subnet, the same LAN.
- L2 VPN: a secure, transparent network tunnel transport service between customer A site 1 and site 2.

L2 VPN services and technologies
- AToM and L2TP (IP VPN technology): complete L2 and L3 VPN solutions for both IP and MPLS.

Any Transport over MPLS (AToM)
- Provides the ability to transport Layer 2 traffic across MPLS packet-based core networks, extending the richness of MPLS capabilities to L2 VPNs.
- A scalable architecture that supports the multiplexing of subscriber connections.
- A standards-based (draft-martini) open architecture allows extensibility to many transport types.
- Designed for any-to-any connectivity.
- The SP does not participate in customer routing.
- Frame Relay, ATM, leased line and Ethernet attachment circuits on either side of the MPLS core.
- Allows SPs to combine AToM with Cisco IOS QoS and MPLS Traffic Engineering to provide "virtual leased line"-like services.

AToM data flow
[Diagram: Frame Relay CPE routers / FRADs attach to PE1 (DLCI 101, DLCI 102) and PE2 (DLCI 201, DLCI 202); an AToM tunnel rides an MPLS LSP across the MPLS backbone.]
- Directed LDP session between PE1 and PE2: label exchange for VC1 (label 10) and VC2 (label 21).
- VC1 connects DLCI 101 to DLCI 201; VC2 connects DLCI 102 to DLCI 202.
- Neighbour LDP sessions provide the tunnel labels (label 50, label 90).

IETF standardization
- IETF working group PWE3 (Pseudo Wire Emulation Edge to Edge); requirements detailed in draft-ietf-pwe3-requirements.
- Develops standards for the encapsulation and service emulation of "pseudo wires" across a packet switched backbone.
- Focused on point-to-point circuit emulation.
- PSN tunnel: GRE, MPLS, L2TP. Service: Ethernet, ATM, PPP, FR, HDLC and so on.

L2TP protocol reference model
[Diagram: L2TPv2: dial users and DSL users reach an LAC, which tunnels across the SP IP core to LNS ISP 1 and LNS ISP 2. L2TPv3: CE devices attach Ethernet and Frame Relay circuits to provider edge routers PE1 and PE2, which tunnel across the SP IP core.]
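Added Python walk-through (example code, not Cisco's or the deck's) of the AToM data flow above: PE1 maps the ingress DLCI to its VC and pushes a two-entry MPLS label stack (VC label at the bottom, tunnel label on top), the last P router pops the tunnel label, and PE2 demultiplexes on the VC label alone. Labels 10, 21 and 50 and the DLCIs are the slide's values; that PE2 advertised the VC labels and that 50 is the tunnel label PE1 pushes are assumptions made here.

```python
import struct

# Constructed pseudowire state modelled on the AToM data-flow slide. VC labels
# 10/21 are the ones exchanged over the directed LDP session between PE1 and
# PE2; 50 is the neighbour-LDP tunnel label PE1 pushes toward PE2 (assumed).
PE1_AC_TO_VC = {101: ("VC1", 10), 102: ("VC2", 21)}   # ingress DLCI -> (VC, remote VC label)
PE2_VC_TO_AC = {10: ("VC1", 201), 21: ("VC2", 202)}   # local VC label -> (VC, egress DLCI)
TUNNEL_LABEL = 50

def push_label(label, bottom, ttl=255):
    """Encode one 32-bit MPLS label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (int(bottom) << 8) | ttl)

def pop_label(data):
    """Decode the top stack entry; returns (label, bottom_of_stack, remaining bytes)."""
    (word,) = struct.unpack("!I", data[:4])
    return word >> 12, bool((word >> 8) & 1), data[4:]

def pe1_encapsulate(dlci, payload):
    """Ingress PE: map the attachment circuit to its VC and push VC + tunnel labels."""
    if dlci not in PE1_AC_TO_VC:
        return None                      # no pseudowire provisioned for this DLCI
    _vc, vc_label = PE1_AC_TO_VC[dlci]
    return push_label(TUNNEL_LABEL, False) + push_label(vc_label, True) + payload

def p_penultimate_hop_pop(packet):
    """Last P router before PE2 pops the tunnel label and forwards the rest."""
    label, bottom, rest = pop_label(packet)
    return rest if (label == TUNNEL_LABEL and not bottom) else None

def pe2_decapsulate(packet):
    """Egress PE: the VC label alone selects the outgoing DLCI; anything else is dropped."""
    label, bottom, rest = pop_label(packet)
    if not bottom or label not in PE2_VC_TO_AC:
        return None                      # unexpected stack depth or unknown VC label
    _vc, egress_dlci = PE2_VC_TO_AC[label]
    return egress_dlci, rest

def pseudowire_transit(dlci, payload):
    """Drive a frame through PE1 -> P -> PE2; returns (egress DLCI, payload) or None."""
    pkt = pe1_encapsulate(dlci, payload)
    if pkt is None:
        return None
    core = p_penultimate_hop_pop(pkt)
    return pe2_decapsulate(core) if core is not None else None
```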
Layer 2 Tunneling Protocol version 3 (L2TPv3)
- For customers that prefer a native IP network: provides the ability to transport Layer 2 traffic across IP packet-based core networks.
- Based on a well-established lineage of protocols: L2TPv2 and the pre-standards Cisco innovation Universal Transport Interface (UTI).
- A standards-based open architecture allows extensibility to many transport types.
- Efficient header for high-performance decapsulation.
- Configuration on edge routers only.

L2TPv3 packet encapsulation
- Delivery header: the header needed to carry the L2TPv3 packet across the delivery network. This is an IPv4 header; the delivery header is 20 bytes.
- L2TPv3 header: the payload-independent header contains the necessary and sufficient information to uniquely identify the tunnel context at the de-encapsulation point. The payload-independent header is 12 bytes: a 4-byte tunnel identifier and an 8-byte tunnel cookie.
- Payload: the payload transported by L2TPv3. It may be a link layer frame or a network layer packet.
[Layout: Delivery header (20 bytes) | L2TPv3 header (12 bytes: tunnel identifier 4 bytes, tunnel cookie 8 bytes) | Payload]

L2TPv3 packet flow
- Description: two Ethernet segments are joined over an IP core via L2TPv3. To end user devices, the two physical Ethernet networks appear as a single segment.
[Diagram: Workstation A on one Ethernet segment, R1, an L2TPv3 tunnel across the IP core, R2, Server B on the other Ethernet segment; encapsulation stack IP / L2TP / Ethernet.]
- Step #2: R1 takes the Ethernet frame, encapsulates it in L2TP and routes it to the tunnel destination.

IETF standardization
- L2TPv3 is currently an IETF standards track draft document; see draft-ietf-l2tpext-l2tp-base-01.txt.
- L2TPv3 has been presented at the IETF meetings in London (August 2001) and Salt Lake City (December 2001). It was warmly received at both venues.
- We are continuing the standards push at the IETF meeting in Minneapolis, MN (March 2002).
- We anticipate standards ratification by Q1 of 2003.

Benefits of a unified VPN
Service providers:
- Decreased cost: decreased CAPEX and OPEX; simplify the core, maintain L2 revenue streams and operate fewer networks; increased utilization of packet networks.
- Efficient global reach: leverage an MPLS/IP backbone for global reach; does not require the complexity of multiple expensive partnerships to deliver a global service.
- Faster time to service: less complex circuit provisioning times.
Enterprise:
- Decreased cost: if in-sourced, decreased CAPEX and OPEX to maintain and operate fewer VPNs; if out-sourced, a wider selection of service providers offering access services.
- Efficient global reach: may work with a single service provider to obtain global VPN services.
- Flexible demarcations: selectively retain control of their networks or outsource them.
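Added Python encoder/decoder (example code, not the deck's or Cisco's) for the L2TPv3 over IP encapsulation described in the "L2TPv3 packet encapsulation" slide above: a 20-byte IPv4 delivery header, a 12-byte L2TPv3 header (4-byte identifier plus 8-byte cookie) and the Layer 2 payload, with the decapsulating router R2 bridging a frame only when the identifier is a known session and the cookie matches. IP protocol number 115 is the L2TPv3-over-IP value from RFC 3931; the session table, cookie, addresses and Ethernet frame are constructed.

```python
import hmac
import socket
import struct

L2TPV3_PROTO = 115   # IP protocol number for L2TPv3 over IP (RFC 3931)

# Constructed session table on R2: identifier -> (8-byte cookie, Ethernet segment)
R2_SESSIONS = {0x00000A01: (bytes.fromhex("0123456789abcdef"), "Ethernet-B")}
# Constructed Ethernet frame from Workstation A: broadcast dst, src MAC, EtherType, data
SAMPLE_FRAME = bytes.fromhex("ffffffffffff0000000000010800") + b"hello from A"

def ipv4_checksum(hdr):
    """RFC 791 header checksum; returns 0 when run over a header whose checksum is valid."""
    total = sum(struct.unpack("!10H", hdr))
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def r1_encapsulate(src_ip, dst_ip, session_id, cookie, frame):
    """20-byte IPv4 delivery header + 12-byte L2TPv3 header + Layer 2 payload."""
    l2tp = struct.pack("!I", session_id) + cookie          # identifier (4) + cookie (8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l2tp) + len(frame),
                      0, 0, 64, L2TPV3_PROTO, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + l2tp + frame

def r2_decapsulate(packet):
    """Return (segment, frame) for an accepted packet, or ('reject', reason)."""
    if len(packet) < 32 or packet[0] != 0x45:
        return ("reject", "not a plain 20-byte IPv4 delivery header")
    if ipv4_checksum(packet[:20]) != 0:
        return ("reject", "bad IPv4 checksum")
    if packet[9] != L2TPV3_PROTO:
        return ("reject", "not L2TPv3 over IP")
    session_id = struct.unpack("!I", packet[20:24])[0]
    if session_id not in R2_SESSIONS:
        return ("reject", "unknown session identifier")
    cookie, segment = R2_SESSIONS[session_id]
    # Constant-time compare: the cookie is what keeps blindly injected packets
    # from being bridged onto the customer's Ethernet segment.
    if not hmac.compare_digest(packet[24:32], cookie):
        return ("reject", "cookie mismatch")
    return (segment, packet[32:])

def sample_packet():
    """R1 encapsulating SAMPLE_FRAME toward R2 (addresses constructed)."""
    return r1_encapsulate("192.0.2.1", "192.0.2.2", 0x00000A01,
                          R2_SESSIONS[0x00000A01][0], SAMPLE_FRAME)
```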