
MPLS VPN


VPN (Virtual Private Network): a virtual private network that connects the institutions to the system. A VPN is similar in function to a leased-line network with a star topology, where the centre is the NIIF building in Victor Hugo Street and the end points are the institutions connected to the system. In the planned system every institution connects to the nearest regional centre through an MLLN line or, in some cases, a high-speed fibre connection. The VPN functions are implemented in the routers that form the HBONE core, so that only computers that are part of the VPN can reach the central system in Victor Hugo Street. The centre cannot be reached from the Internet or from other computers, because the IP packet forwarding algorithms used are closed and no information about the location of the VPN centre gets outside. This method means stronger security for the VPN than a physically separated private network.

In Cisco terminology the Internet Service Provider is shortened to Provider and the clients are called Customers. The Customer Network connects to the Provider Network through the CE (Customer Edge) router (an IP packet forwarding device), which is located at the customer's site. MPLS is not needed inside the customer's network or on the CE-PE router connection; ordinary IP packet forwarding, which forwards IP packets in the correct direction according to the destination address, is sufficient. The VPN requirements have to be taken into account when configuring the CE router, but only ordinary (non-MPLS) Cisco IOS functions are used.

The MPLS VPN itself is implemented inside the HBONE core.

The VPN usually has to have the following features:

  • The members of the VPN (henceforth: Institutions) see their network as closed, just like a local private network, and the routing rules inside the network should match those of a private network.
  • The VPN ensures that the forwarded information is not accessible from the public network (e.g. from the Internet or the NIIF network).

The following VPNs are realized in the HBONE at present:

  • PIR VPN: the virtual private network of the Ministry of National Cultural Heritage.
  • GRID VPN: the virtual private network of the NIIF GRID project.
  • LIB VPN: the virtual private network of about 300 libraries, public institutions.
  • LDAP VPN: the virtual private network of the NIIF LDAP project.
  • BER VPN: the virtual private network of the payroll procedure of MTA (not used).
  • HEA VPN: the virtual private network of the Human Resources Foundation.
  • CLMAN VPN: the virtual private network of the NIIF Cisco Call Manager.
  • HIK_CM VPN: the virtual private network of the HIK Cisco Call Manager.
  • Kozgaz_CM VPN: the virtual private network of the BKAE Cisco Call Manager.
  • Szupergep VPN: the virtual private network of the NIIF Supercomputer.

There are currently 10 working MPLS VPNs in HBONE. The routers maintain a separate routing table for every VPN in order to hold the routes inside that VPN. VPN routing consists of two parts: at the border of the VPN (the LER), static routes are configured on the respective VRF interface; these static routes and the connected interfaces are then redistributed into BGP, and iBGP distributes them through the network.
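
The two-part routing described above, shown as an added Cisco IOS example for one border router (LER); it is not HBONE's actual configuration. The VRF name `LIB-EXAMPLE`, AS number 65000, the route distinguisher and route-target values, the interface names and all addresses (documentation ranges) are assumptions made up for illustration.

```cisco
! Added example: one VRF on a PE/LER. All names and numbers are constructed.
! Per-VPN routing table; routes are tagged with and accepted by route-target
ip vrf LIB-EXAMPLE
 rd 65000:20
 route-target export 65000:20
 route-target import 65000:20
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! CE-facing interface: ordinary IP towards the customer, bound to the VRF.
! "ip vrf forwarding" must precede "ip address" (it clears an existing address).
interface Serial0/0
 ip vrf forwarding LIB-EXAMPLE
 ip address 198.51.100.1 255.255.255.252
!
! Part 1: static route to the institution's LAN, installed only in the VRF table
ip route vrf LIB-EXAMPLE 203.0.113.0 255.255.255.0 198.51.100.2
!
! Part 2: redistribute VRF routes into BGP and carry them to other PEs by iBGP
router bgp 65000
 neighbor 192.0.2.2 remote-as 65000
 neighbor 192.0.2.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf LIB-EXAMPLE
  redistribute connected
  redistribute static
 exit-address-family
!
! Isolation checks (exec mode): the customer prefix must be present in the
! VRF table and absent from the global routing table.
!  show ip route vrf LIB-EXAMPLE
!  show ip route 203.0.113.0
!  show ip bgp vpnv4 vrf LIB-EXAMPLE
```

Separation between VPNs rests on the `route-target import` lists: a VRF that imports another VPN's route-target receives that VPN's routes, so these lines are the ones to audit when reviewing PE configurations.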