VPNs in Broadband Cellular Networks
Robert Haim
Senior Product Marketing Manager
Redback Networks Inc. 100 Headquarters Drive, San Jose, CA 95134 / T 1.408.750.5000 / www.redback.com
Table of Contents
Introduction, page 2
Wireless VPN, page 2
SmartEdge: Virtual Context, page 3
Wireless VPN Details with Virtual Contexts, page 4
Concluding Remarks, page 6
Glossary of Terms, page 7
For Further Information, page 8
INTRODUCTION
The use of Virtual Private Networking (VPN) has become the preferred method of providing secure connectivity for businesses with nomadic employees. Enterprises are mandating that their employees use VPNs for remote access to corporate information. A variety of tunneling mechanisms enable these employees to access sensitive data, e.g., FTP servers, the company directory, internal file folders, etc., from anywhere with access to the Internet. The use of VPNs in wireless networks is a natural extension of this application. In GPRS and 3G networks, this service requires the establishment of a secure end-to-end tunnel for the mobile user, including across the air interface. Features such as compression and traffic prioritization are required to ensure a good experience for the user.
As the number of mobile subscribers who use broadband cellular networks for VPN access grows, management of the VPNs becomes a major task for the nodes in the wireless IP backbone. This is especially true for the GGSN, which will have to support large routing tables or MAC address tables. In order to scale the wireless backbone, the establishment and maintenance of VPNs can be offloaded to edge routers. But this could prove a costly approach as the number of routers increases.
By deploying the Redback Networks SmartEdge Multi-Service Edge Routers (MSER), mobile operators can take advantage of powerful features that can reduce both their operational and their capital expenditure. The Virtual Context feature in the SmartEdge MSERs provides thousands of logical routers within one platform. These virtual independent routers provide the same functionality as physical routers, with the added advantage of shared resources such as physical interfaces, CPU cycles, memory, etc. Each virtual router can be provisioned to be part of a separate VPN for the enterprises that wish to provide intranet access to their nomadic employees.
WIRELESS VPN
With the progression of bandwidth and QoS in broadband cellular networks, enterprises and service providers have begun to clearly see the value of wireless virtual private networking as a method of providing secure access to nomadic users. As download speeds approach 1 Mbps and beyond with EV-DO Rev. A or HSDPA (availability estimated for 2008), the tunnel and packet overhead required for establishing VPNs, which exists because VPN protocols were not initially designed with mobility in mind, becomes less of an issue.
Using remote-access VPN with a wireless network ensures that no data is sent in the clear from the user to the enterprise's network. User data may travel through the Internet after leaving the operator's own Public Land Mobile Network (PLMN) to get to the enterprise's network. Establishing the VPN alleviates all the security issues that may occur between the user and its intended destination.
The 3G operator can enhance the customer experience (and therefore charge a premium) and offer direct links to the enterprise's network to establish customer-specific VPNs. With the advent of IP/MPLS as the backbone for broadband cellular networks, it is now possible to establish customer-specific L2/L3 VPNs using VPLS or BGP/RFC 2547bis. This is shown in figure 1, where a GGSN is acting as a Provider Edge (PE) router capable of MPLS-based L2/L3 VPN. The mobile user's Access Point Name (APN) can be used to map directly to the destination VPN. Logically, the APN can be mapped to a Virtual Routing and Forwarding (VRF) table that specifies the egress physical interface connecting to the destination enterprise network (the destination network can also be another ISP).
The network in figure 1 suffers from scalability problems. As the number of users increases, the load on the GGSN becomes unmanageable: consider the hundreds of thousands of users that a GGSN will have to terminate, translating into millions of routes. The network in figure 2 can alleviate this issue, since termination is now handled by separate Provider Edge (PE) routers. The 3G-specific tunnels, i.e. GPRS Tunnelling Protocol (GTP), are terminated at the GGSN. Each ingress port to the PE can be mapped to a destination network. Each PE can be designated to support multiple VPNs (multiple enterprises, multiple VRFs), in which case the users' streams can be identified by a VLAN tag set up on the Gi interface. It is also feasible to designate a PE to peer with a specific Mobile Virtual Network Operator's (MVNO) autonomous system to establish VPNs or other services for the targeted ISP's customers. For example, an ISP may be serving multiple enterprises and providing VPNs to them.
The architecture of figure 2, while scalable, can become expensive as the network grows. Clearly, as the number of edge routers increases, CAPEX will increase with the added real estate, HVAC requirements, and port count.
To address the shortcomings of the architecture in figure 2, SmartEdge’s powerful virtual context feature
can be utilized.
SMARTEDGE: VIRTUAL CONTEXT
Virtual Context is an innovative, powerful feature implemented in the SmartEdge MSER to provide the flexibility of deploying "virtually" thousands of routers in a single network. This feature allows the SmartEdge to function as multiple logical routers with all the features and functionality of a physical router. It is similar to having thousands of routers operating independently. A change in the configuration of one virtual router will not affect another. Each context includes its own instance of all routing and signaling protocols, e.g., OSPF, IS-IS, LDP, and its own forwarding information base. Each context's BGP has its own autonomous system number (ASN), policies, and import/export properties. Each context also includes its own management domain and its own authentication, authorization and accounting (AAA) name space. Importantly, if one context crashes, it does not affect other running contexts, and a context can be brought down (or up) independently of other contexts. This is possible with Redback's advanced In System Service Upgrade (ISSU) feature.
Overall, it is possible to configure up to 3000 virtual contexts in a single SmartEdge MSER, sharing physical resources such as CPU cycles, ports, and memory.
Copyright © 2006, Redback Networks. All Rights Reserved.
WIRELESS VPN DETAILS WITH VIRTUAL CONTEXTS
Specifically for the wireless VPN application, the SmartEdge virtual context can be applied to replace the edge routers in figure 2. Each context can be viewed as a superset of a VRF instance, as all SmartEdge operating system features can be applied to a context, such as SNMP commands, CLI commands, and troubleshooting features (ping and trace). Therefore, it is possible to establish thousands of independent VPNs, each with its own private FIB and IP address space. Different IP VPN solutions can run in conjunction with a virtual context, e.g., GRE-based tunnels, L2 or L3 VPNs, BGP/MPLS 2547bis, and VPLS. Therefore, the edge routers shown in figure 2 can be replaced by a single SmartEdge running multiple instances of virtual contexts. Figure 3 shows this efficient deployment. Immediate economic advantages can be obtained with the network architecture in figure 3: a dramatic reduction in real estate, power consumption, HVAC, and port count requirements is gained by deploying a single SmartEdge MSER in place of multiple physical PEs.
Similar to figure 2, the 3G-specific tunnels are terminated at the GGSN, and user data can be delivered to the SmartEdge via IP. Per figure 3, each APN is mapped to a specific Gi interface (and ingress port to the SmartEdge). Note that it is possible to have a single physical interface between the GGSN and the SmartEdge and multiplex all users' data via VLAN tags. For example, these tags can be mapped to an MPLS label. Each virtual context can be designated to support a VPN. Every context has a separate, private forwarding table, so that overlapping IP addresses can be used among the contexts with no conflicts.
Using the SmartEdge
The SmartEdge MSER can be deployed as the edge router for the wireless backbone and used to establish VPN connectivity with the IP network that the customer is connected to. For example, in IP Network 1 as shown in figure 3, a single virtual context on the SmartEdge can establish a GRE tunnel to the other edge router in "IP Network 2" for delivery of data to the user's company network. If multiple VPNs are set up between the SmartEdge and the edge routers shown in the IP networks of figure 3, a single GRE tunnel can connect the routers. In that case, a dedicated tunnel key can be used to de-multiplex the VPNs. The advantage of using GRE as the tunneling mechanism is that the IP network can be used to support customer VPNs without any modifications. Additionally, using tunnel keys minimizes the number of required IP interfaces and saves IP addresses.
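As an added illustration, not from this paper or from Redback's software, the following Python model shows the demultiplexing described above: the GRE tunnel key selects a virtual context, the destination is looked up only in that context's private FIB (so two contexts can both carry 10.0.0.0/8 without conflict), and a packet whose key matches no context is dropped rather than being forwarded through some other tenant's table. The context names, tunnel keys, egress labels and sample packets are constructed for the example.

```python
import struct
import ipaddress

# GRE header (RFC 2784/2890): 2-byte flags/version, 2-byte protocol type, then
# 4 bytes checksum/reserved if the C bit is set and a 4-byte key if the K bit is set.
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
ETHERTYPE_IPV4 = 0x0800

# Constructed sample: two virtual contexts whose private FIBs both carry 10.0.0.0/8.
# Tunnel keys, context names and egress labels are hypothetical, not SmartEdge configuration.
CONTEXTS = {
    100: {"name": "enterprise-a",
          "fib": {"10.0.0.0/8": "gre-to-ip-network-2", "0.0.0.0/0": "internet-a"}},
    200: {"name": "enterprise-b",
          "fib": {"10.1.0.0/16": "pe-enterprise-b", "10.0.0.0/8": "enterprise-b-core"}},
}

def parse_gre(packet):
    """Return (key, protocol, payload); key is None when the K bit is clear."""
    flags, proto = struct.unpack("!HH", packet[:4])
    offset = 4 + (4 if flags & GRE_FLAG_CHECKSUM else 0)
    key = None
    if flags & GRE_FLAG_KEY:
        (key,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    return key, proto, packet[offset:]

def lookup(fib, dst):
    """Longest-prefix match confined to one context's private FIB."""
    best = None
    for prefix, egress in fib.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None

def forward(packet):
    """Demultiplex on the GRE key; an unknown or missing key is dropped, never routed elsewhere."""
    key, proto, payload = parse_gre(packet)
    if key not in CONTEXTS or proto != ETHERTYPE_IPV4:
        return None
    dst = ipaddress.ip_address(payload[16:20])  # IPv4 destination address field
    return CONTEXTS[key]["name"], lookup(CONTEXTS[key]["fib"], dst)

def build_gre(key, dst):
    """Constructed test packet: keyed GRE header plus a minimal 20-byte IPv4 header."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         bytes(4), ipaddress.ip_address(dst).packed)
    return struct.pack("!HHI", GRE_FLAG_KEY, ETHERTYPE_IPV4, key) + ip_hdr
```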
The SmartEdge virtual context can act as a PE in an IP/MPLS network (per figure 3) and establish a Layer 3 VPN based on BGP/MPLS VPNs per RFC 2547bis. VPN Routing and Forwarding (VRF) instances exist within dedicated VPN contexts. It is also possible to create context-based L3 VPNs using no VRFs, since the context itself includes all the information that would otherwise be stored in a VRF. This provides for a very simple configuration, as everything can be configured under a context defined by a single Route Distinguisher (RD).
Virtual Private LAN Services (VPLS) can be used to establish Layer 2 VPNs for the customer, with each virtual context acting as a PE in an IP/MPLS network. VPLS provides the formation of L2-based VPNs. It provides multi-site Ethernet connectivity to emulate a Local Area Network over the Metro Ethernet Network. In this case, LDP signaling is used for establishing a mesh of pseudo-wires between the SmartEdge virtual context and the destination PE.
Some of the advanced capabilities of the SmartEdge in offering VPLS are:
- Carrier-class modular operating system that protects the system from going down when individual tasks crash; provides process restart without the need for rebooting the system
- Support for up to 1,000,000 MAC entries
- Advanced bridging features including broadcast rate limiting for flooding control, restricted BFE, and a configurable limit on the number of MAC entries per circuit
- Graceful restart for OSPF, BGP, IS-IS, LDP, and RSVP-TE
- Advanced QoS capabilities, for example support for propagating QoS bits to and from the 802.1p field in the 802.1q header
- Support for multiple access methods (VLAN, S-VLAN, ATM, Frame Relay)
- High-density Ethernet aggregation capabilities
CONCLUDING REMARKS
As the popularity of establishing VPNs over broadband cellular networks increases, the load on the wireless IP backbone increases to a point where GGSNs will not be able to accommodate the management of these VPNs. To scale the backbone, new edge routers can be introduced to alleviate the pressure on the GGSN. But this could prove to be a costly approach. The use of the SmartEdge MSER's virtual context feature effectively provides the services of thousands of routers while reducing capital and operational expenditure.
Virtual Context can provide any number of secure VPNs operating either in a pure IP network or in an IP/MPLS network. GRE tunnels and L2/L3 MPLS-based VPNs are all supported by each virtual context. The carrier-class operating system of the SmartEdge MSER ensures that the virtual contexts are completely independent and that faults occurring in one will not affect the operation of other contexts or the system in general. Each context can be rebooted separately from the others while the system is operational. The wireless operator benefits from owning a robust system with minimal or no downtime in its network and can expect minimal or no disruption in the services given to its customers.
Product Specifications are subject to change without notice. Redback Networks assumes no responsibility for
any inaccuracies in this document and reserves the right to change, modify, transfer, or otherwise revise this
publication without notice.
REDBACK and SmartEdge are trademarks registered at the U.S. Patent & Trademark Office and in other countries. SMS and NetOp are trademarks or service marks of Redback Networks Inc. All other products or services mentioned are the trademarks, service marks, registered trademarks or registered service marks of their respective owners.