Specifications
Page 109/148
While most vendors implement 2547 according to the specification and offer
the same value propositions, Juniper Networks leverages its current strengths
to provide a unique solution. The model of 2547 is based on simple CE
routers with most of the routing intelligence residing in the PE routers. In
addition to providing basic PE functions, Juniper Networks differentiates its
solution by adding QoS and filtering functions that would enable ISPs to sell
more services at the edge.
VPN Access Policy
Access policies can be applied to a flow, logical, or physical interface. This is
useful for end users managing their own private network; however, service
providers managing multiple VPNs on each PE router need policies that are
VPN aware. A VPN access policy defines access control on a per-VPN basis
for intranet and extranet VPNs. This function is achieved with packet filtering
configured on inbound and/or outbound traffic on a per-VPN basis. The match
options should be the same as those offered by the Internet Processor II ASIC.
The action upon matching should be to discard or forward.
While access policies can be configured on a CE router, the Juniper PE
router can perform these functions with more granularity and without
performance impact. Moving this function to the PE router also allows end
users to outsource the management of policies such as defining the filter
syntax (source/destination prefixes, source/destination ports, etc.) and
verifying that the policies work as intended.
Intranet VPN Access Policy
This function allows VPN end users to control access to their network
resources and services such as servers or applications within a VPN.
Extranet VPN Access Policies
This function allows a VPN end user to control access to network resources
and services from sources outside the VPN. With increasing e-Commerce
and on-line supply chain management, companies are relying more and
more on extranets as an effective way of sharing information with partners
and suppliers. Today, users manage these extranets by setting up extranet
servers in DMZs with firewalls.
With RFC 2547, users can augment the current solution with access policies
implemented on a PE router. A PE router will provide services to many
companies. Each site may subscribe to a different bandwidth; however, all CE
traffic aggregated at the PE router is treated equally unless class of service
is used.
Today, ISPs either lease the CE router to the end user as part of a bundled
service or let the end user buy/manage the CE router. In the leased model,
the ISP has full control of the CE router. In the user-managed model, the ISP
has limited control. A technically savvy user may turn on DS on the CE router
and receive premium services without paying. To prevent this, an ingress PE
router should be able to disable or enable DSCP and IP precedence (DS)
handling on a per VPN basis.
Once a VPN has DS enabled, the PE router should forward packets based
on DS priority or set the DS priority according to configuration. The DS
assignment may be based on multiple parameters such as SA/DA pair,
source/destination ports, and/or logical interfaces. Basically, the terms can
be anything supported by the ingress PE router. The egress PE router
should be able to forward a DS marked packet as is or reset a DS marked
packet before forwarding. Setting the DSCP/IP precedence bits on IPSec
traffic should have no impact since (1) IPSec transport mode does not use
the DS for cryptographic calculation, and (2) IPSec tunnel mode only has DS
changed in the new tunnel header – the inner header DS remains intact.
With this design, the PE router becomes a QoS gateway for the attached CE
routers. The CE routers may send traffic with or without DS. Once the PE
router forwards the traffic to the core, the P routers will prioritize the traffic
according to the assigned QoS until it reaches the egress PE router.
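An added illustration (not from the original document or from Juniper's software) of the ingress-PE behaviour described above: a per-VPN policy either trusts the CE's DS marking or resets it to the VPN's default and re-marks it from classifier terms, recomputing the IPv4 header checksum afterwards. The VPN names, policy table and sample packet are constructed for this example.

```python
import struct

# Constructed per-VPN DS policy for the ingress PE (not Juniper configuration syntax).
# trust_ds=False ignores the CE's marking, which closes the theft-of-service hole of a
# user-managed CE turning on DS; dst_port_dscp holds the priority the ISP actually sold.
VPN_DS_POLICY = {
    "vpn-a": {"trust_ds": True},
    "vpn-b": {"trust_ds": False, "default_dscp": 0, "dst_port_dscp": {5060: 46}},
}

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header; returns 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def dscp_of(packet: bytes) -> int:
    """DSCP is the upper six bits of the TOS byte; the lower two are ECN."""
    return packet[1] >> 2

def apply_ingress_ds_policy(vpn: str, packet: bytes) -> bytes:
    """Forward DS as is (trusted VPN) or reset/re-mark it, then fix the header checksum."""
    policy = VPN_DS_POLICY[vpn]
    if policy["trust_ds"]:
        return packet
    ihl = (packet[0] & 0x0F) * 4
    dscp = policy["default_dscp"]
    if packet[9] in (6, 17) and len(packet) >= ihl + 4:  # TCP/UDP: classify on dst port
        dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
        dscp = policy.get("dst_port_dscp", {}).get(dst_port, dscp)
    header = bytearray(packet[:ihl])
    header[1] = (dscp << 2) | (packet[1] & 0x03)  # replace DSCP, keep ECN bits
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header) + packet[ihl:]

def build_udp_packet(dscp: int, dst_port: int) -> bytes:
    """Constructed sample: minimal IPv4/UDP packet 10.0.0.1 -> 10.0.0.2 with no payload."""
    header = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 28, 0, 0, 64, 17, 0,
                                   bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header) + struct.pack("!HHHH", 40000, dst_port, 8, 0)
```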