Packet backbone network

Data centers in DT Cloud Services’s NFVI are connected through an IP/MPLS packet backbone network (PBN) built on optical fiber, with peering routers at the data center demarcation points.

The PBN is designed for resilience, so that no single point of failure isolates a data center, and LSP capacities are dimensioned to reflect traffic demand. Mainly 10G or 100G interfaces carry the aggregated traffic in the PBN.

Two types of peering routers are used: for internal peering solutions within DT Cloud Services and for peering with external networks. Technically, a peering solution is an interconnection of VPNs, so IP address harmonization must always be verified. The architecture supports geo-redundant peering.

The implementation is based on the Inter-AS option 10A method (RFC 4364), also known as back-to-back VRF, for connecting Inter-AS MPLS VPNs between peering routers.

Routing between the peering points uses eBGP with dynamic routing and fast reroute. Dynamic rerouting ensures that, if a route fails, a new network path is determined automatically and traffic is rerouted onto it. Fast reroute (FRR) switches to a predefined alternative route when rerouting becomes necessary. The solution requires a separate eBGP session per VRF and offers good scaling, policy and security properties.
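As an added illustration of the behaviour described above (not code from DT Cloud Services or from this page), the following Python model shows the two properties of an option 10A / back-to-back VRF peering that matter most from a security standpoint: every VRF has its own eBGP session, and a route learned on a session is installed only in that session's VRF, so nothing leaks between VPNs; and with geo-redundant peers the alternative path is already installed, so failure of the primary peer switches traffic to it without waiting for a new path computation. Router names, VRF names, preference values and prefixes are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Session:
    """One eBGP session. With Inter-AS option A there is one per VRF and peer (modelling assumption)."""
    vrf: str          # VRF the session is bound to
    peer: str         # remote peering router (constructed name)
    preference: int   # local preference of paths learned here; higher is preferred


@dataclass
class PeeringRouter:
    """Minimal model of a peering router (ASBR) holding a separate routing table per VRF."""
    name: str
    sessions: list = field(default_factory=list)
    tables: dict = field(default_factory=dict)    # vrf -> prefix -> [(peer, preference), ...]
    failed_peers: set = field(default_factory=set)

    def add_session(self, vrf, peer, preference):
        self.sessions.append(Session(vrf, peer, preference))
        self.tables.setdefault(vrf, {})

    def receive(self, vrf, peer, prefix):
        """Install a route learned from `peer` into the VRF of that session only."""
        session = next(s for s in self.sessions if s.vrf == vrf and s.peer == peer)
        self.tables[session.vrf].setdefault(prefix, []).append((session.peer, session.preference))

    def best_path(self, vrf, prefix):
        """Highest-preference path whose peer is up; None if this VRF has no route (no cross-VRF lookup)."""
        candidates = [(peer, pref) for peer, pref in self.tables.get(vrf, {}).get(prefix, [])
                      if peer not in self.failed_peers]
        return max(candidates, key=lambda c: c[1])[0] if candidates else None

    def fail_peer(self, peer):
        self.failed_peers.add(peer)


def build_peering(vrfs, primary="asbr-ext-1", backup="asbr-ext-2"):
    """Geo-redundant peering: each VRF gets a session to the primary and to the backup peer."""
    router = PeeringRouter("asbr-dc")
    for vrf in vrfs:
        router.add_session(vrf, primary, 200)   # preferred path
        router.add_session(vrf, backup, 100)    # predefined alternative, installed up front
    return router


def demo():
    router = build_peering(["vnf-red", "vnf-blue"])
    # Constructed scenario: the external side announces the same prefix into VRF red over both peers.
    router.receive("vnf-red", "asbr-ext-1", "10.50.0.0/16")
    router.receive("vnf-red", "asbr-ext-2", "10.50.0.0/16")
    before = router.best_path("vnf-red", "10.50.0.0/16")    # primary peer while it is up
    leaked = router.best_path("vnf-blue", "10.50.0.0/16")   # None: the route never reaches VRF blue
    router.fail_peer("asbr-ext-1")
    after = router.best_path("vnf-red", "10.50.0.0/16")     # backup peer, already in the table
    return before, leaked, after, len(router.sessions)


if __name__ == "__main__":
    print(demo())
```

The session count returned by `demo()` grows linearly with the number of VRFs, which is the scaling cost of option A that the text trades for its policy and isolation properties.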

Virtual private networks

Separate networks are implemented as MPLS L3 VPNs, which prevents traffic from leaking between them. The design principle is that merging VPNs is easier than splitting them; when VPNs are merged, the IP address spaces must be harmonized to avoid address collisions.
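The harmonization check that a merge or a peering requires can be automated before any VRF is interconnected. The following Python script is an added example (not DT Cloud Services tooling) that takes the address plans of two VPNs and reports every pair of overlapping prefixes, including IPv6; the site names and prefixes are constructed.

```python
import ipaddress
from itertools import product

# Constructed address plans of two VPNs that are about to be merged or peered.
VPN_A = {
    "site-1": ["10.10.0.0/24", "10.10.1.0/24", "2001:db8:a::/48"],
    "site-2": ["192.168.50.0/24"],
}
VPN_B = {
    "natco-core": ["10.10.1.128/25", "172.16.8.0/22", "2001:db8::/32"],
    "natco-edge": ["192.168.50.0/23"],
}


def flatten(plan):
    """Yield (site, network) pairs; strict=True rejects prefixes with host bits set."""
    return [(site, ipaddress.ip_network(p, strict=True))
            for site, prefixes in plan.items() for p in prefixes]


def find_collisions(plan_a, plan_b):
    """Every overlapping prefix pair between the two plans, as (site_a, prefix_a, site_b, prefix_b)."""
    collisions = []
    for (site_a, net_a), (site_b, net_b) in product(flatten(plan_a), flatten(plan_b)):
        # Only compare same address family; a /24 and a /25 inside it overlap, as does a /48 inside a /32.
        if net_a.version == net_b.version and net_a.overlaps(net_b):
            collisions.append((site_a, str(net_a), site_b, str(net_b)))
    return collisions


def harmonized(plan_a, plan_b):
    """True when the two address spaces can be joined without renumbering."""
    return not find_collisions(plan_a, plan_b)


if __name__ == "__main__":
    for site_a, net_a, site_b, net_b in find_collisions(VPN_A, VPN_B):
        print(f"collision: {site_a} {net_a} overlaps {site_b} {net_b}")
    print("harmonized" if harmonized(VPN_A, VPN_B) else "renumbering required")
```

Run against the constructed plans it reports three collisions (two IPv4, one IPv6), so these two VPNs would need renumbering on one side before they could be merged or interconnected.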

Two architectures are possible, and the choice between them must be made in the design:

  • Any-to-any VPN - all participating sites have the same role in the topology, and communication is enabled directly between any pair of sites

  • Hub and spoke VPN - a central hub site communicates directly with all other (spoke) sites, and the spoke sites can communicate with each other only through the hub site
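In an MPLS L3 VPN (RFC 4364) these two topologies are realised through route-target import and export policy, which the page does not spell out. The Python model below is an added example (not DT Cloud Services configuration) that also covers the any-to-any and hub-and-spoke variants listed for the external VPN types later on this page: each site's VRF installs a remote prefix only if the prefix carries a route target the VRF imports, and a longest-prefix lookup then shows which site traffic is forwarded towards. It is simplified to a single VRF on the hub that re-exports a default route; route-target values, site names and prefixes are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Vrf:
    """One site's VRF: what it exports, what it imports, and the routes it ends up holding."""
    site: str
    export_rts: set
    import_rts: set
    local_prefixes: list
    rib: dict = field(default_factory=dict)   # prefix -> site that originated it


def any_to_any(sites, rt="65000:100"):
    """Every site imports and exports the same route target, so each site sees every other site."""
    return [Vrf(site, {rt}, {rt}, [prefix]) for site, prefix in sites.items()]


def hub_and_spoke(hub, spokes, hub_rt="65000:1", spoke_rt="65000:2"):
    """Hub exports hub_rt (its own prefix plus a default route) and imports spoke_rt; spokes do the reverse."""
    hub_site, hub_prefix = hub
    vrfs = [Vrf(hub_site, {hub_rt}, {spoke_rt}, [hub_prefix, "0.0.0.0/0"])]
    for site, prefix in spokes.items():
        vrfs.append(Vrf(site, {spoke_rt}, {hub_rt}, [prefix]))
    return vrfs


def distribute(vrfs):
    """Model MP-BGP distribution: a VRF installs a remote route only if it carries an RT the VRF imports."""
    advertised = [(v.site, p, v.export_rts) for v in vrfs for p in v.local_prefixes]
    for v in vrfs:
        v.rib = {p: v.site for p in v.local_prefixes}
        for origin, prefix, rts in advertised:
            if origin != v.site and rts & v.import_rts:
                v.rib[prefix] = origin
    return vrfs


def vrf_of(vrfs, site):
    return next(v for v in vrfs if v.site == site)


def reachability(vrfs):
    """site -> set of other sites whose prefixes are present in that site's VRF."""
    return {v.site: {origin for origin in v.rib.values() if origin != v.site} for v in vrfs}


def next_hop_site(vrf, dest_ip):
    """Longest-prefix match within one VRF; returns the site traffic is forwarded towards, or None."""
    addr = ipaddress.ip_address(dest_ip)
    best = None
    for prefix, origin in vrf.rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, origin)
    return best[1] if best else None


# Constructed sample sites and prefixes.
SITES = {"dc-a": "10.1.0.0/16", "dc-b": "10.2.0.0/16", "dc-c": "10.3.0.0/16"}

if __name__ == "__main__":
    full = distribute(any_to_any(SITES))
    print("any-to-any:", reachability(full))
    hs = distribute(hub_and_spoke(("hub", "10.0.0.0/16"),
                                  {"dc-a": SITES["dc-a"], "dc-b": SITES["dc-b"]}))
    print("hub-and-spoke:", reachability(hs))
    print("dc-a -> 10.2.5.5 forwarded towards", next_hop_site(vrf_of(hs, "dc-a"), "10.2.5.5"))
```

In the hub-and-spoke run a spoke holds only the hub's prefix and the hub's default route, so a packet from dc-a to dc-b is forwarded towards the hub, which in turn has the specific dc-b prefix. A VRF that imports an unrelated route target receives none of these prefixes, which is the mechanism behind the "no cross VPN leaking" property stated for every VPN type.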

VPN types

Internal VPN

Internal VPNs are used for data center interconnection on a per-service basis. An internal VPN provides connectivity between components of the same service VNF located in different data centers. It is characterized by the following:

  • The VNF can use its own private or public IPv4/IPv6 addresses inside the VPN

  • The VPN connects tenants of the same VNF across the DT Cloud Services data centers and is not connected to any other peering point

  • No cross VPN leaking is allowed.

  • The internal (isolated) VPN type cannot be changed; it can only be removed from the network.

Figure 1. Internal VPN.

External VPN

External isolated VPNs interconnect the tenants of a particular VNF to a single external customer network (for example, a NatCo) in a peering solution (Figure 2). Whether private or public IPv4/IPv6 addresses are used inside the VPN is agreed between the customer and DT Cloud Services. It is characterized by the following:

  • Since the VPN is interconnected with one external network only, the IP addresses can be selected by the customer

  • Supported topologies

    • Any-to-any: direct communication from external to VNF and from external to external is allowed

    • Hub and spoke: direct communication from external to VNF is allowed, but communication from external to external is blocked

  • No cross VPN leaking is allowed.

  • The internal (isolated) VPN type cannot be changed; it can only be removed from the network.

Figure 2. External isolated VPN.

External shared VPN

External shared VPNs are used to interconnect the tenants of a particular VNF to more than one external network (Figure 3). It is characterized by the following:

  • The parties must agree whether private or public IPv4/IPv6 addresses are used inside the VPN. Possible scenarios include

    • The IP address pool is selected and controlled by DT Cloud Services

    • The IP address pool is jointly selected and harmonized between the parties

  • The VPN connects tenants from multiple VNFs in DT Cloud Services's data centers

  • The VPN is connected to other networks using MPLS VPN Inter-AS option 10A

  • Supported topologies

    • Any-to-any: direct communication from external to VNF and from external to external is allowed

    • Hub and spoke: direct communication from external to VNF is allowed, but communication from external to external is blocked

  • No cross VPN leaking is allowed.

  • The internal (isolated) VPN type cannot be changed; it can only be removed from the network.

Figure 3. External shared VPN.