MEN Part 2

50467565

Network Learning Centre 1

Proprietary & Confidential 1

1
 Agenda

Day3

Module 3
o L3 VPN

Network Learning Centre 2

Proprietary & Confidential 2
 Module 3

L3 VPN

Network Learning Centre 3

Proprietary & Confidential 3

3
 VPN Classification

VPN: Virtual Private Network

VPN

IP-VPN

CPE-Based VPN Network-Based VPN

VLL VPRN VPDN VPLS

MPLS/BGP VPN VR-VPN

Network
Page 4 Learning Centre 4
Proprietary & Confidential 4

VPN is a virtual private communication network built over public

networks with the cooperation of Internet Service Provider (ISP) and
Network Service Provider (NSP). For VPN users, they cannot sense
any difference from using traditional private networks.
Here we just introduce IP network based VPN.
By operation mode, VPNs can be classified as Customer
Premises Equipment based VPN (CPE-Based VPN), and Network-
based VPN (NBIP-VPN)
CPE-Based VPN
In this mode, users need to build, manage and maintain VPNs.
VPN tunneling protocols such as IPSec, GRE, L2TP and PPTP should
be configured on the user device. Networking in this way features high
complexity and low scalability
NBIP-VPN
In this mode, ISPs build, manage and maintain VPNs. ISPs may
allow users to conduct part of service management and control.
Function features are mainly implemented on the device at network
side; only the support of internetworking is required on the device at
user side. In NBIP-VPN, there have many VPN types such as VLL,
VPRN, VPDN and VPLS, this slide we will mainly introduce MPLS/BGP
VPN, one type of VPRN.
NBIP-VPN mode can reduce users investment, improve the
flexibility and scalability of services, and bring new incomes to carriers.

4
 VPN Tunnel

• Tunnel: It is a technology that uses a type of

protocol to transmit another type of protocol.
Mainly the tunnel protocol serves to implement
this function.
• The tunnel technology involves three types of
protocols:
– protocol borne on the tunnel protocol,
– tunneling protocol, and
– bearer protocol under the tunnel protocol.
Network
Page 5 Learning Centre 5
Proprietary & Confidential 5

The principle of VPN is to encapsulate data with certain kinds of

tunneling protocol and use the existing public networks (Internet, PSTN or
ISDN) to establish a specific data transmission channel. Then, data can be
transported transparently.
The mechanism of tunnel is to use one protocol to encapsulate
packets of another protocol, and the encapsulation protocol itself can be
encapsulated or carried by other protocols. The tunnel technology involves
three types of protocols: tunneling protocol, bearer protocol under the tunnel
protocol, and the protocol borne on the tunnel protocol.
While setting up the tunnel, there have several technologies,

5
 VPN Type (1)
• Virtual Leased Line (VLL): It provides point-to-
point connection service between two pieces of
CPE equipment for the user via the edge node
of the operator.

• Virtual Private Dial Network (VPDN): The remote

user dials to the public IP network via
PSTN/ISDN, and the data packet passes
through the public network via a tunnel for the
destination network.
Network
Page 6 Learning Centre 6
Proprietary & Confidential 6

VLL
VLL is an emulation of the traditional leased line. By emulating
the leased line through IP network, it provides asymmetric, low cost
"DDN" service. For users at both VLL ends, VLL is similar to traditional
leased line.
VPDN
VPDN realizes VPNs by employing the dial-up function of public
networks (such as ISDN and PSTN) and access networks. VPDN is
often used to provide access service for enterprises, small ISPs, and
mobile workforce.

6
 VPN Type (2)

• Virtual Private LAN Service (VPLS): VPLS is a

“virtual” method to establish LAN via the public IP
resources. The networking is based on the MAC
layer forwarding, and it is completely transparent to
the network layer protocol. It is a L2 VPN.

• Virtual Private Routed Network (VPRN): VPRN is

defined as a kind of emulation for multi-site wide
area route network services via the public IP
network, and the data packet of VPN is forwarded at
the
Page 7 network
Network Learning Centrelayer.
Proprietary & Confidential 7
7

VPLS
VPLS connects LANs together through a virtual private network
segment in the IP public network. It is an extension of LANs in IP public
network.
VPRN
VPRN connects headquarters, branches and remote offices together
through network management virtual router in the IP public network. There
are two ways to implement VPRN services. One way is through traditional
VPN protocols (such as IPSec and GRE) and another is through MPLS.

7
 Example: Constructing VPN via GRE
Tunnel (Generic Routing Encapsulation)
10.0.1.2/24
10.0.1.1/24
10.0.0.0/24 GRE tunnel 129.0.2.2/30
129.0.0.2/30
129.0.2.1/30
129.0.0.1/30 HQ1
Public IP 129.0.3.1/30
129.0.1.1/30 network
Rt1 Rt2
129.0.1.2/30 129.0.3.2/30
GRE tunnel
10.0.0.0/24 10.0.1.1/24 10.0.1.2/24
HQ2

• To construct such a network, just make configuration on the access

router of each network.
• It is unnecessary for the operator network to know the internal route
of VPN.
• Different VPNs can employ the same address space.
Network
Page 8 Learning Centre 8
•Proprietary
The forwarding 8
& Confidential efficiency is low because GRE header is added.

This slide give us an example of using GRE tunnel to construct VPN,

GRE means Generic Routing Encapsulation. GRE is layer 3 VPN. GRE
encapsulates datagram of some network layer protocols like IP and IPX and
transmits them by using another network layer protocol like IP.
The entire encapsulated packet would have the form .
------------------------
| Delivery Header |
----------------------------
| GRE Header |
----------------------------
| Payload packet |
----------------------------
Each VPN has its characters, GRE as a VPN technology, its
configuration is simple relatively, and the configuration only on the access
router, different VPNs can employ the same address space, while GRE’s
forwarding efficiency is low, because it add a GRE header, for more detail
please refer to RFC 1701.

8
 MPLS VPN Network Structure

VPN_A iBGP sessions VPN_A

10.2.0.0 11.5.0.0
CE
CE
VPN_B VPN_A
10.2.0.0 CE P P PE CE 10.1.0.0
PE
VPN_A
11.6.0.0 P P
CE VPN_B
PE CE 10.3.0.0
VPN_B PE
10.1.0.0 CE

z CE (Custom Edge Router): The user equipment directly connected with the service
provider.
z PE (Provider Edge Router): The edge router on the backbone network, connected with CE
and mainly responsible for access of the VPN service.
z P (Provider Router): The core router on the backbone network, mainly responsible for the
routing and fast forwarding functions.
Network
Page 9 Learning Centre 9
Proprietary & Confidential 9

Let’s have a look at MPLS VPN network structure, we give terms to

different location routers, as follows:
CE (Custom Edge): Custom Edge Router, the user equipment directly
connected with the service provider, distributing customer network routes
PE (Provider Edge Router): The edge router on the backbone network,
connected with CE, storing VRF (Virtual Routing Forwarding Instance) and
processing VPN-IPv4 route, the major realize of MPLS layer3 VPN, most of
the VPN configuration is on PE.
P (Provider Router): The core router on the backbone network, mainly
responsible for the routing and fast forwarding functions.
•In this network structure, service providers provide VPN services for users,
who do not feel existence of the public network as if they have separate
network resources.
•P router is only responsible for data transmission inside the backbone
network, unnecessary to know existence of VPN. However, it must be able
to support and enable the MPLS protocol.
•All the construction, connection and management work of VPN is
implemented on PE.
•Network configuration is simple.
•The existing routing protocol can be directly used without any change.
•MPLS VPN network features good expandability.
•VPN with QOS and TE can be implemented.

9
 Relationship Between PE and CE

C
CE

VPNA Site - 1 PE

VRF for VPNA

EBGP, RIP, Static
CE
Global route
VRF for VPNB
VPNB Site - 2

• PE and CE routers exchange information via the EBGP, RIP or static route. CE runs the
standard routing protocol.
• PE maintains separate routing tables of the public network and private network.
– Routing table of public network, including the routes of all PE and P routers, generated by
the backbone network IGP of VPN.
– VRF (VPN routing & forwarding), including tables of routing & forwarding to one or
multiple directly connected CEs.
Network
Page 10 Learning Centre 10
Proprietary & Confidential 10

In basic BGP/MPLS IP VPN networking, the P router only maintains the

routes of the backbone network and does not need to know any VPN
routing information. The PE router only maintains the VPN route directly
connected to it, but not all VPN routes.
When establishing an adjacency with the directly connected PE, the
CE advertises VPN routes in the local site to the PE. we can use static
route, RIP, OSPF, BGP between a CE and a PE. No matter which routing
protocol is used, the CE always advertises standard IPv4 routes to PE.
Remember the question? PE connect with several CEs belong to
different VPNs, how to identify each CE’s information such as routing
information? We just choose VRF.
VRF: Virtual Routing Forwarding Table. It consists of a route table
related to site, a forwarding table, interfaces (sub-interfaces), routing
instances and the routing strategy. On PE devices, physical or logical ports
belonging to the same VPN correspond to a VRF.
Any way, we can easily take for that VRF means one virtual router,
provide service for one VPN independently. The detailed explanation about
VRF please refer to next slide.

10
 VRF Detail

• VRF can be regarded as a virtual router

• PE maintains a separate forwarding table for each site.

• Each site has a unique VRF.

• If (and only if) two sites have identical forwarding table, they share a VRF.

• The interface/sub-interface connected with CE is mapped to VRF.

• The routes in VRF will be distributed to the sites (usually connected on other PEs)
belonging to the same VPN.

Network
Page 11 Learning Centre 11
Proprietary & Confidential 11

1. It is associated with some interfaces and has a forwarding table based

on these interfaces.
2. A set of rules is available to control import of the route into VPN or
export of the route from VPN.
3. The route can be redistributed to the routing table (static route, RIP
instance, BGP) via some routing protocols.
4. VRF is configured on PE and exchange the route with CE. The route
independently exists in the VRF routing table (routing table of the private
network).
Notes:
routing protocol between PE and CE, up to now we can’t choose IS-
IS, others such as RIP, OSPF and BGP is OK.

11
 Distribution of VRF Routes

P Router

CE Route
r PE CE Router
PE

Site iBGP
Site

• The PE router distributes the local VPN route information via the
backbone network. the transmitting via BGP

Network
Page 12 Learning Centre 12
Proprietary & Confidential 12

When PE distribute the VRF VPN route information with IBGP, there
have a question?
PE and PE set up IBGP session and exchange routing information,
while some VPN may have the same private IP address space, when BGP
transfer the routing information on the public network, there get address
overlapped problem, how to solve it?
By adding a prefix to the IP address to uniquely identify the IP address,
just like to extend IP address length 32 bits to longer, here the prefix we
called RD. and so the new IP address family we called IP VPNv4 address
family.
The RD does not by itself impose any semantics; it contains no
information about the origin of the route or about the set of VPNs to which
the route is to be distributed. The purpose of the RD is solely to allow one to
create distinct routes to a common IPv4 address prefix。

12
 VPNv4 and IPv4 Address Families

VPNV4 ad
dress stru
cture:

Route Distinguishe IPv4 address

r (8 bytes)

RD struc
ture:

TYPE Assigned
(2-byte) Administrator Field Number Field

2-byte
0 ASN 4-byte assigned number

4-byte IP 2-byte assigned

Network
Page 13 Learning Centre
1 address number 13
Proprietary & Confidential 13

To enable different VPNs to use the same address space, a new

address family, i.e. VPNv4, is introduced. The original standard address
family is called IPv4.
1. VPNv4 address family mainly serves to transfer VPN routes between PE
routers.
2. RD is unique among different VPNs. If two VPNs use the same IP
address, PE router will add different RDs for them and convert the
address into a unique VPN-v4 address without causing conflict of the
address space.
3. The standard route received by PE from CE is the IPv4 route.
4. To import VRF routing tables and distribute them to other routers, RD is
needed. It is suggested that the RDs of the same VPN be configured the
same.
RD format: there have two types.
• 16-bit Autonomous System Number (ASN): 32-bit user-defined number,
e.g. 100:1
• 32-bit IP address: 16-bit customized number, e.g. 172.1.1.1:1
Usually, each site is assigned with a unique RD, which is the identifier
of VRF.Difference between the routing table of public network and the
routing table of private network:
• The routing table of public network is generated by the IGP routes,
which may include the BGP-4 (IPv4) route, but not the VPN route.
• VRF routing table includes the specific VPN routes. It may include the
routes redistributed from MP-iBGP route to VRF, or the route obtained 13
from CE by the VRF route instance
 Question

• Two PEs set up IBGP session and exchange

routing information by BGP, by adding RD
prefix, now the VPN’s address is VPNv4
address family, BGP-4 only supports IPv4,
BGP can’t recognize such routing information,
how to solve it?

Network
Page 14 Learning Centre 14
Proprietary & Confidential 14

14
 MBGP

• MBGP (Multiprotocol Extensions for BGP-4 )

– BGP-4 only supports IPv4, and is extended to MBGP
to transfer the route information of more protocols
(IPv6, IPX,etc).

– To maintain compatibility, only two BGP attributes are

added for MBGP: MP_REACH_NLRI and
MP_UNREACH_NLRI. The two attributes can be
used in the BGP Update message to notify or cancel
the network reachability information.

Network
Page 15 Learning Centre 15
Proprietary & Confidential 15

The only three pieces of information carried by BGP-4 that are IPv4
specific are the NEXT_HOP attribute (expressed as an IPv4 address),
AGGREGATOR (contains an IPv4 address), and NLRI (expressed as IPv4
address prefixes). This document assumes that any BGP speaker has to
have an IPv4 address Therefore, to enable BGP-4 to support routing for
multiple Network Layer protocols the only two things that have to be added
to BGP-4 are the ability to associate a particular Network Layer protocol
with the next hop information, and the ability to associated a particular
Network Layer protocol with NLRI.
The first one (MP_REACH_NLRI) is used to carry the set of reachable
destinations together with the next hop information to be used for forwarding
to these destinations. The second one (MP_UNREACH_NLRI) is used to
carry the set of unreachable destinations. Both of these attributes are
optional and non- transitive. This way a BGP speaker that doesn't support
the multiprotocol capabilities will just ignore the information carried in these
attributes, and will not pass it to other BGP speakers
MP_REACH_NLRI: Multiprotocol Reachable Network Layer
Reachability Information
MP_UNREACH_NLRI: Multiprotocol Unreachable Network Layer
Reachability Information

15
 MBGP: MP_REACH_NLRI

Network
Page 16 Learning Centre 16
Proprietary & Confidential 16

MP_REACH_NLRI offering the following functions:

Send routes reachable to the new protocol.
Send the next hop information about the new protocol with the same
coding mode as that of NLRI.
Enable the router to report part of or all Sub-network Points of
Attachment (SNPA) in the local system.
The use and meaning of these fields are as follows:
Address Family Identifier: This field carries the identity of the Network Layer
protocol associated with the Network Address that follows. Presently
defined values for this field are specified in RFC1700
Subsequent Address Family Identifier: This field provides additional
information about the type of the Network Layer Reachability Information
carried in the attribute.
AFI as 1 and SAFI as 128 indicate that the subsequently notified information
will be the VPN-IPV4 reachability information and the binding MPLS tag
Length of Next Hop Network Address: A 1 octet field whose value
expresses the length of the "Network Address of Next Hop" field as
measured in octets
Network Address of Next Hop: A variable length field that contains the
Network Address of the next router on the path to the destination system
Number of SNPAs: A 1 octet field which contains the number of distinct
SNPAs to be listed in the following fields. The value 0 may be used to
indicate that no SNPAs are listed in this attribute. (SNPA: Sub-network
Points of Attachment ) 16
 MBGP: MP_UNREACH_NLRI

• Used for withdrawing one or multiple

unfeasible routes
• An UPDATE packet that contains the
MP_UNREACH_NLRI does not carry
any other path attributes
Network
Page 17 Learning Centre 17
Proprietary & Confidential 17

The MP_UNREACH_NLRI can be used for withdrawing one or multiple

unfeasible routes from service, an UPDATE packet that contains the
MP_UNREACH_NLRI does not carry any other path attributes
The use and the meaning of these fields are as follows:
Address Family Identifier and Subsequent Address Family Identifier
are the same with MP_REACH_NLRI.
Withdrawn Routes: A variable length field that lists NLRI for the routes
that are being withdrawn from service. When the Subsequent Address
Family Identifier field is set to one of the values defined in this document,
each NLRI is encoded as specified in the "NLRI encoding" section of this
document. An UPDATE message that contains the MP_UNREACH_NLRI is
not required to carry any other path attributes.

17
 Question

• When PE received the routing information from

other PEs carried by MBGP, how PE will
separate the routing information which belongs
to different VPN?
Remember RD? Can we use it?

Network
Page 18 Learning Centre 18
Proprietary & Confidential 18

RD just used to uniquely identify the IP routing information when

transmitting the routing information through the public network. We suggest
that the RD of the same VPN to be configured the same, while people could
configure different RD on different PE in a same VPN, so the receiving PE
can’t separate the routing information with RD, in order to solve this
question, we need another parameter: RT (Route Target).

18
 Route Target

• Route Target attribute (RT) is one of the MBGP

extension community attributes
• There are two types of RT, the values of the type field
are 0x0002 or 0x0102.
RT structure:

TYPE(2 bytes） Administrator Field Assigned Number Field

0x0002 AS number(2bytes) Assigned Number (4 bytes)

0x0102 IP address(4 bytes) Assigned Number(2 bytes)

Network
Page 19 Learning Centre 19
Proprietary & Confidential 19

The function performed by the Route Target attribute is similar to that

performed by the BGP Communities Attribute. However, the format of the
latter is inadequate, since it allows only a two-byte numbering space. It would
be fairly straightforward to extend the BGP Communities Attribute to provide
a larger numbering space. It should also be possible to structure the format,
similar to what we have described for RDs , so that a type field defines the
length of an administrator field, and the remainder of the attribute is a
number from the specified administrator's numbering space.
RT have two type structures:0x0001 or 0x0102, the total length also is 8
bytes, same as RD’s structure.

19
 Route Target

• RT is used to separate VPN routing information

advertisement
• There are two sets of Route Target attributes: Export
Targets and Import Targets
– Export Targets is added to the route received from
a direct-connected Site in advertising local routes to
remote PE routers.
– Import Targets is used to decide which routes can
be imported into the routing table of this Site in
receiving routes from remote PE routers.

Network
Page 20 Learning Centre 20
Proprietary & Confidential 20

As we know, RT is used by PE to separate the received routing

information. How it works? there are two sets of RT attributes, one is Export
Targets, the other is Import Targets.
For example, PE1’s VPNA sends routing information to PE2, each
route item information carries VPNA’s Export Target attributes, there could
be one or more as it just like BGP’s extend community attribute. When PE2
receives such routing information, use the route information’s carried export
target attribute to match each VPN’s Import Target attributes, for VPNA, if
they matched, the routing information will be accepted by VPNA and be
stored in VPNA’s VRF.

20
 Typical Network Topology-1

Each site only belongs to one VPN: Intranet

site10

site1 site3

site20 site30

site2

Network
Page 21 Learning Centre 21
Proprietary & Confidential 21

As to real network topology or the real organization structure, there

may have two types: intranet and extranet.
A site is a group of IP systems with IP connectivity. the classification of
a site depends on the topology relationship, not on the geographical
positions of devices, even if the devices in a site are adjacent to each other.
The devices in a site can belong to multiple VPNs. In other words, a
site can belong to multiple VPNs.
A site is connected to the provider network through CE. A site can
contain many CEs, but a CE only belongs to a site. If all the sites in a VPN
are owned by the same enterprise, the VPN may be thought of as a
corporate "intranet".

21
 Typical Network Topology-2

Site may belongs to multiple VPNs: Extranet

site4
site1
Intranet

site5

site2 site3

Extranet
Network
Page 22 Learning Centre 22
Proprietary & Confidential 22

If the various sites in a VPN are owned by different enterprises, the

VPN may be thought of as an "extranet". A site can be in more than one
VPN; e.g., in an intranet and in several extranets. In general, when we use
the term "VPN" we will not be distinguishing between intranets and
extranets.
MPLS/BGP VPN can easily handle such requirement by using its RT
attribute, the job need to do is design RT import and export attributes.

22
 Application of RT

• RT Export Target and import Target can be

configured with several attributes
b
im:a
im:b a
im:a ex:a
ex:a
ex:b
Trandition Mode
a

Hub-spoke mode im:a

a
c ex:a
im:b
ex:c
im:a,c
b ex:a,b

Extranet

Network
Page 23 Learning Centre 23
Proprietary & Confidential 23

Think about that import attribute and export attribute just used to control
the route import and export, some like route policy, then it is easy to
understand it.
Hub-spoke mode: as for Hub node, import Hub attribute and export
spoke attribute, as for spoke node, import spoke attribute and export Hub
attribute.
Tradition mode: the import attribute and export attribute is the same.
Other modes: just the compound usage of import and export attributes,
export target and import target can be configured with several attributes.

23
 Function of RT

VPN A MPLS/VPN Backbone

VPN A
Site-1routes RT=VPN A Site-3routes RT=VPN A
SITE-
SITE-1 Site-2routes RT=VPN B Site-4routes RT=VPN B SITE-
SITE-3
MP-iBGP

P Router

SITE-
SITE-2 SITE-
SITE-4
Site1-routes VPNA
Site1-routes VPNA
VPN B Site3-routes VPN B
Site3-routes

Site2-routes VPNB
Site2-routes VPNB
Site4-routes
Site4-routes

Network
Page 24 Learning Centre 24
Proprietary & Confidential 24

From the previous slides we have got that RT used to separate the
route information and control the route distribution. RT have two types:
import RT and export RT. From the distribution of VRF routing information
procedure we get that when PE getting the local VRF routing information
and sending them out to PE neighbors, the routing information will carry the
export RT attributes, and the receiving PE will use each VPN’s import RT to
match the received routing information’s export RT attributes, if they
matched, the routing information will be accepted and be stored in the
related VPN VRF table. If not matched, it will be discarded.

24
 Question
• After the completion of exchanging routing information between PEs,
now site3 want to access site1, the right PE look for the VRF table and
find out the nexthop－left PE, forward the packet to the left PE using
MPLS. When the packet arrived the left PE, the public MPLS label is
removed, which VPN the packet belongs to? And how to get the correct
nexthop?

VPN A
VPN A
SITE-
SITE-1 SITE-
SITE-3

P Router

SITE-
SITE-2 Site1-routes VPNA Site1-routes SITE-
SITE-4
Site3-routes VPNA
Site3-routes
VPN B VPN B
Site2-routes Site2-routes
Site4-routes VPNB Site4-routes VPNB

Network
Page 25 Learning Centre 25
Proprietary & Confidential 25

25
 Private Label

• Multiple labels can be attached. The first 20 bits of each label refer to the label
domain, while of the last 4 bits, the first three refer to the EXP domain and the last
one indicates whether it is the stack base.
• Note that this label must be assigned by the LSR referred to in the Next-Hop of the
MP_REACH_NLRI attribute.
• There are two methods to cancel the route information (meanwhile to release label
binding).
– Re-distribute a different route (and a new Label) for the same destination.
– Use the Withdraw message to include the destination in MP_UNREACH_NLRI.

Network
Page 26 Learning Centre 26
Proprietary & Confidential 26

The solution is by using private label.

When PE distributing routing information, MP_REACH_NLRI will carry
the network layer reachability information, in the NLRI there have labels
which generated by MBGP for each VPN’s route item. when PE distributing
the private route item, each item carry such a label. The receiving PE will
keep the private label. when sending packets to this address it will carry the
private label, because the label space is platform-wide, it is unique, So the
private label implicitly identify the VPN it belong to, and with the private
label, PE can find out the output interface and nexthop address.
The private label is like MPLS label but without TTL portion. The
private label must be assigned by the LSR referred to in the Next-Hop of the
MP_REACH_NLRI attribute.

26
 Network Layer Reachability Information

• NLRI（ Network Layer Reachability Information, include address

family, private label and RT )
MP_REACH_NLRI：
address－family ： VPN-IPV4 address family
next-hop: PE’s ipv4 address，usually is loopback address
NLRI:
lable： 24 bits，like MPLS label but without TTL portion
prefix： RD:64bit＋IP prefix

• Followed is RT list：
Extended_Communities（RT1）
Extended_Communities（RT2）

……

Network
Page 27 Learning Centre 27
Proprietary & Confidential 27

As MP_REACH_NLRI structure, the last part is NLRI, it include label, prefix

and RT attributes. the label is generated by MBGP, 24 bits，like MPLS label but
without TTL portion, and prefix is RD+IP prefix. the carried RT attributes are
export attributes, one or more, it is a list.

27
 VRF Route Distribute
Step 1: Importing VRF Routes to MP-iBGP

MP-iBGP
PE-1
PE-2
VPN-v4 update:
RD:1:27:149.27.2.0/24,
BGP, RIPv2 update Next-hop=PE-1
for 149.27.2.0/24,NH=CE-1 RT=VPN-A
Label=( 28)

CE-1 CE-2

Site-1 Site-2

• Importing VRF route to MP-iBGP: PE router converts the route (in the VRF
routing table) received from CE into the VPN-V4 route; labels it with RD
and RT based on the configuration; changes the next hop as PE itself
(loopback); assigns the label based on the interface; finally sends the MP-
iBGP update packet to all PE neighbors.
Network
Page 28 Learning Centre 28
Proprietary & Confidential 28

The detailed procedure of import VRF routes to MBGP is as follows:

1.Add RD prefix to change IPv4 address to VPNv4 address
2.Change nexthop address to PE’s address, usually is Loopback
interface address.
3.Add private label (generated by MBGP randomly)
4.Add RT export attributes
5.Send the update packets to all PE neighbors.

28
 VRF Route Distribute
Step 2: Importing MP-iBGP Routes to VRF

MP-iBGP
PE-1 PE-2 ip vrf VPN-A
VPN-v4 update:
RD:1:27:149.27.2.0/24, vpn -target import VPN-A
Next-hop=PE-1
RT=VPN-A
Label=(28)

PE receives the update packet, converts

VPN-v4 into the IPv4 address, and
CE-1 distributes it to VRF VPN-A (RT=VPN-A) CE-2
routing table, then transmit it to CE with
route protocol between PE and CE.

Site-1 Site-2

• Each VRF has configurations of import route-target and export route-target.

• When the transmitting PE sends MP-iBGP updates, the export attribute is attached in
the packet.
• When receiving MP-iBGP updates of VPN-IPv4, the receiving PE will judge whether
the received export is equal to the import of the local VRF. If yes, it will be added to
the corresponding VRF routing table; otherwise, it will be discarded.

Network
Page 29 Learning Centre 29
Proprietary & Confidential 29

When receiving MP-iBGP updates of VPN-IPv4, the receiving PE will judge

whether the received export is equal to the import of the local VRF. If yes, it will
be added to the corresponding VRF routing table, and also the private label will be
kept, when forwarding packets, the private label will be carried; otherwise, it will
be discarded

29
 Basic Intranet Model

VPN A MPLS/VPN Backbone

VPN A
Site-
Site-1 & Site-
Site-2 routes Site-
Site-3 & Site-
Site-4 routes
SITE-
SITE-1 RT=VPN -A RT=VPN-
RT=VPN-A SITE-
SITE-3
MP-iBGP

P Router

SITE-
SITE-2 Site-
Site-1 routes Site-
Site-1 routes SITE-
SITE-4
Site-
Site-2 routes Site-
Site-2 routes
VPN A Site-
Site-3 routes Site-
Site-3 routes VPN A
Site-
Site-4 routes Site-
Site-4 routes

Network
Page 30 Learning Centre 30
Proprietary & Confidential 30

As mentioned before, by using the same import RT and export RT, it can
construct the typical network model: intranet. All the site can access each other in
the same VPN.

30
 MPLS/VPN Label Distribution

In Label FEC Out Label In Label FEC Out Label In Label FEC Out Label

- 197.26.15.1/32 - 41 197.26.15.1/32 POP - 197.26.15.1/32 41

PE-1

P router

Use label implicit-nullfor Use label 41for destination

destination 197.26.15.1/32 197.26.15.1/32

VPN-v4 update:
RD:1:27 :149.27.2.0/24,
Site-1
NH= 197.26.15.1
149.27.2.0/24 Site-2
RT=VPN-A -
Label=(28)

Network
Page 31 Learning Centre 31
Proprietary & Confidential 31

1. PE and P routers are provided with the reachability to the next hop of BGP via
the backbone network IGP.
2. Run IGP and LDP to distribute the label and establish LSP, and obtain the LSP
channel to the next hop of BGP.
3. The label stack is for packet forwarding. The external layer label indicates how
to reach the next hop of BGP, and the internal layer label indicates the outgoing
interface of the packet or the home VRF (home VPN).
4. MPLS node forwarding is based on the external layer label regardless of the
internal layer label.

31
 MPLS/VPN Packet Forwarding-1

In Label FEC Out Label

- 197.26.15.1/32 41

VPN-A VRF
149.27.2.0/24,
NH=197.26.15.1
PE-1 Label=(28)

41 28 149.27.2.27
149.27.2.27

Site-1
149.27.2.0/24 Site-2

Network
Page 32 Learning Centre 32
Proprietary & Confidential 32

When the ingress PE receives an ordinary IP packet from CE, PE adds

it to the corresponding VPN forwarding table based on the VRF to which the
ingress interface belongs, and get the private label and the public network
NH 197.26.15.1.
The packet encapsulation like:
-------------------------------------------------------------
|layer 2 |public label | private label | IP layer | data |
-------------------------------------------------------------
In the public network only use MPLS forwarding.
Notes: IP layer’s information encapsulates private source IP and private
destination IP, PE’s loopback IP address is not included.

32
 MPLS/VPN Packet Forwarding-2

In Label FEC Out Label In Label FEC Out Label

28(V) 149.27.2.0/24 -
41 197.26.15.1/32 POP
VPN-A VRF
VPN-A VRF 149.27.2.0/24,
149.27.2.0/24, NH=197.26.15.1
NH=Site-1 PE-1 Label=(28)

28 149.27.2.27 41 28 149.27.2.27
149.27.2.27
149.27.2.27

Site-1 Site-2
149.27.2.0/24

Network
Page 33 Learning Centre 33
Proprietary & Confidential 33

1. The second last hop router pops up the external layer label and sends it to the
egress PE according to the next hop.
2. The egress PE router judges the CE that the packet will go to based on the
internal layer label.
3. Pop up the internal layer label and forward the packet to the destination CE as
an ordinary IP packet.

Question: VPN packets from Site-2 to Site-1, when arrived PE-1, how PE-1 know
that the MPLS label is private label and need to execute private label
forwarding?
Answer: system only have one label forwarding table, as the labels distributed are
platform-wide, it is uniquely whether public or private label, by using a label
can find out the corresponding output interface and next-hop, PE no need to
separate the label is private or public.

33
 Demo- Private Label Distribution
MP-BGP
IBGP Peer
VPN-v4 update:
CE A2 CE B2
RD:1:27:149.27.2.0/24,
Next-hop=PE-C
RT=VPN-A, Label=(28)
PE－A
149.27.2.0/24 Out 28 NH: PE-C

BGP, OSPF, RIPv2 update

for 149.27.2.0/24,NH=CE-A2
MPLS

BGP, OSPF, RIPv2 update

for 149.27.2.0/24,NH=PE-A P－B

IN 28 149.27.2.0/24 NH: CE A2

PE－C VPN-v4 update:

RD:1:27:149.27.2.0/24,
CE A1 CE B1 Next-hop=PE-C
RT=VPN-A, Label=(28)

Network
Page 34 Learning Centre 34
Proprietary & Confidential 34

Process steps:
1. CE A2 send a update route item to PE-C with route protocol.
2. PE-C received the update route item and store it in the corresponding VRF
3. PE-C redistribute the VRF route into MP-BGP, add RD, change the next hop to
itself, usually use the loopback address, add RT list and generate a private label
for it. Via MP-BGP transmit the route item to all its neighbors.
4. The neighbor PE-A receive the route item and judge whether the received
export is equal to the import of the local VRF. If yes, it will be added to the
corresponding VRF routing table, and also the private label will be kept;
otherwise, it will be discarded
5.PE-A corresponding VRF update the route item to CE A1 with route protocol.
From CE A1 to CE A2, the process vice versa.

34
 Demo- Public Label Distribution

• The loopback IP address of PE-C is 1.1.1.1/32

MPLS
20
PE－A
IGP
1.1.1.1/32 3
Out 20 P－B
149.27.2.0/24 Out 28 NH: PE-C IGP
In 20 1.1.1.1/32 PE－C
out 3

1.1.1.1/32
IN 28 149.27.2.0/24 NH: CE A2

Network
Page 35 Learning Centre 35
Proprietary & Confidential 35

Suppose Label Allocation Mode is DU

PE-C generate a label for route item 1.1.1.1/32, because it is PE-C’s loopback
address, by using PHP, generate label 3 for it.
PE-B generate a label 20 for the route item. By following this to setup the
public LSP.

35
 Demo- Packet Forwarding

20 28
CE A2 CE B2
PE－A

1.1.1.1/32 out 20 3
MPLS
149.27.2.0/24 Out 28 NH: PE-C

BGP, OSPF, RIPv2 update

for 149.27.2.0/24,NH=PE-A
P－B
In 20
1.1.1.1/3
Ping 149.27 2 out 3
.2.1

PE－C
CE A1 1.1.1.1/3
CE B1 2

IN 28 149.27.2.0/24 NH: CE A2
Network
Page 36 Learning Centre 36
Proprietary & Confidential 36

Packet forwarding steps:

1.CE A1 send a ping packet to destination 149.27.2.1
2.PE-A received this packet, looking for the binding VRF table, find out the private
label(28) which distributed by PE-C and the public network IP next-hop 1.1.1.1, and
get 1.1.1.1’s public label 20, encapsulate the packet with 2 labels. In the public
MPLS network, using public label to execute label forwarding. When packets
received PE-C, using the inner private label to find out the output interface and
next-hop (CE A2).
3.The reply packet from CE A2 to CE A1 is similar.

36
 MPLS L3 VPN Configuration Steps
IP address, IGP,
make sure that PE-PE
IP reachable

Basic Configuration
Eanble MPLS with
system and interface

MPLS Function
Enable LDP with
system and interface
LDP Function
VPN name and RD，
RT, bind to interface
Define VPN
BGP Peer, Active
remote PE and route
PE-PE MP-BGP Function import

Static, EBGP, OSPF,

or RIP
PE-CE Routing Protocol
Network
Page 37 Learning Centre 37
Proprietary & Confidential 37

37
 Cross-AS MPLS VPN

Origin of cross-
cross-AS VPN
• In the technical system of MPLS, an MPLS domain and a router AS
overlap each other. In actual networking, however, an MPLS domain
frequently crosses multiple ASs:
– The carrier defines one province as one AS of the carrier network but
requires to provide cross-province MPLS VPN services.
– Carriers cooperate with each other (especially with international
carriers to provide international services).
• To implement these services, cross-AS MPLS VPN solutions must be
applied to solve the following two problems:
– Technical problem: how can VPN-IPv4 routes and VPN labels be
distributed to another AS.
– Managerial problem: Normally, cross-AS LSPs are not allowed (this
is especially important in the case of carrier cooperation).

Network
Page 38 Learning Centre 38
Proprietary & Confidential 38

zFirst review the technical uses of MPLS VPN. Then introduce the application
scenarios of cross-domain solutions. As MPLS VPN solutions become more and
more popular, the end user scale and scope are increasing. More and more VPN
sites are built in an enterprise network. The possibility of connection with another
SP at certain points becomes clearer and clearer. For example, MANs or backbone
networks of different carriers are in bad need of service provisioning across
autonomous systems. All these require an interconnection model different from the
basic MPLS VPN structure, the cross-domain MPLS VPN. To enable inter-SP
VPN route information exchange, a new mechanism is needed so that route
prefixes and labels can be broadcast over the inter-SP links. As a traditional MPLS
VPN usually operates within an AS, any VPN route information can be distributed
in the one AS as requested. However, the traditional MPLS VPN solution does not
support the distribution of VPN route information to the AS of another SP.
Therefore, to support cross-domain VPN, extensions must be included to the
current protocol framework and modifications must be introduced to the MPLS
VPN system framework.

38
 Cross-AS MPLS VPN

Three Solutions

• Currently three MPLS VPN cross-

domain solutions are available:
– VRF-TO-VRF
– MP-eBGP for VPNV4
– Multi-Hop MP-eBGP

Network
Page 39 Learning Centre 39
Proprietary & Confidential 39
 Cross-AS MPLS VPN

Overview of the Solutions

Back-to-back VRFs ASBR-2
ASBR-1
MP-eBGP for VPNv4

Multi-hop MP-eBGP
PE-1
AS #100 AS #200 PE-2

CE-1 CE-2

• Different domains or carriers

VPN-A-1 VPN-A-2
have different ASs.
• One VPN operates in multiple
Network
Page 40 Learning Centre
Proprietary & Confidential
ASs. 40
40
 Cross-AS solution 1: VRF-to-VRF
VRF-
VRF-to-
to-VRF Overview

VPN1-CE1 VPN1-CE2
ASBR-1 ASBR-2 MP-iBGP
MP-iBGP
PE PE
AS#100 AS#200
PE
PE MP-iBGP MP-iBGP
VPN2-CE1 One VRF and one VPN2-CE2
logical interface
are created for
VPN-LSP1 each VPN. VPN-LSP2
LSP-1 LSP-2
IP Forwarding
PE ASBR-1 ASBR-2 PE
• An ASBR considers the peer ASBR its CE, and creates a VRF for each VPN. IP forwarding
is applied between the ASBRs and MPLS forwarding is applied within the AS.
• Advantages: Simple with no need of protocol extension or special configuration, natural
support; applicable in the case of a small number of cross-domain VPNs.
• Disadvantages: The ASBR must create a VRF for each VPN. To cross multiple domains,
large configuration efforts are needed. The scalability is poor.
Network
Page 41 Learning Centre 41
Proprietary & Confidential 41

zFor a VPN with cross-domain requirements, VPN1, a same VPN need be

configured in the ASBR of its local AS. As shown in the figure, VPN1 is
configured at both ASBR-1 and ASBR-2. Then a logical link (or physical link) is
configured at the two ASBRs and VPN1 is associated to this link. This application
actually takes the ASBR as a PE, on which a same VPN is created. This PE
considers the peer ASBR its CE. Thus, MPLS VPN service operation in these two
ASs similar to MPLS VPN service operation within one AS. VPN information is
first distributed to ASBR (as a PE) and then to the peer ASBR (as a CE). The peer
ASBR (as the PE of the other AS) then distributes the VPN information to the PE
of the peer AS. The peer PE forwards the VPN information to its CE. Thus, VPN
route information can be exchanged across two ASs. To enable interoperability
between VPNs of different ASs, a same VPN must be configured at the peer
ASBR. To cross more ASs, lots of configuration efforts are needed and the
intermediate AS will be greatly affected. The intermediate AS must support VPN.
Besides, in the case of a large number of VPNs, great configuration efforts will be
required at each ASBR. However, this solution is very easy to be applied. No
protocol extension or special configuration is needed. It is a natural support. When
the number of VPNs is small, this solution can be considered. It is easy and
practical.

41
 Cross-AS solution 1: VRF-to-VRF

Distribution of routing information

BGP,
BGP, OSPF,
OSPF, RIPv2
RIPv2 BGP,
BGP, OSPF,
OSPF, RIPv2
RIPv2
161.10.1.0/24,NH=CE-1
161.10.1.0/24,NH=CE-1 161.10.1.0/24,NH=PE-3
161.10.1.0/24,NH=PE-3

VPN-v4
VPN-v4 update:
update: VPN-v4
VPN-v4 update:
update:
RD:1:27:161.10.1.0/24,
RD:1:27:161.10.1.0/24, RD:1:27:161.10.1.0/24,
RD:1:27:161.10.1.0/24,
VPN1-CE1 NH=PE-1
NH=PE-1 NH=ASBR-2
NH=ASBR-2 VPN1-CE2
RT=100:1,
RT=100:1, Label=(L1)
Label=(L1) RT=100:1,
RT=100:1, Label=(L2)
Label=(L2)

MP-iBGPASBR-1 ASBR-2 MP-iBGP

PE-1 PE-3
AS#100 AS#200
PE-4
PE-2
VPN2-CE1 MP-iBGP MP-iBGP VPN2-CE2
D:161.10.1.0/24
D:161.10.1.0/24
NH:ASBR-1
NH:ASBR-1

VPN-LSP1 VPN-LSP2
IP Forwarding
LSP-1 LSP-2

PE ASBR-1 ASBR-2 PE
Network
Page 42 Learning Centre 42
Proprietary & Confidential 42

zControl signaling: MP-IBGP still operates between PE and ASBR. An ordinary

PE–CE routing protocol can be applied between the VPNs of two ASBRs. BGP or
static routing protocol is recommended because this is for the signaling exchange
between two ASBRs. The signaling is the same as that used in the MPLS VPN in
one AS. Therefore, no protocol extensions and no special processing flows are
needed. Therefore, this solution is naturally supported. Note the label switching.
Because the next hop changes, the private network label changes from L1 to L2.
Every time the next hop changes, the private network label will change
automatically.

42
 Cross-AS solution 1: VRF-to-VRF

Label switching procedure

161.10.1.1
161.10.1.1
VPN1-CE1 161.10.1.1
161.10.1.1 VPN1-CE2
MP-iBGP ASBR-1 ASBR-2 MP-iBGP
Lx L2 161.10.1.1
PE Ly
Ly L1
L1 161.10.1.1
161.10.1.1
Lx L2 161.10.1.1PE

AS#100 AS#200
PE
PE 161.10.1.1
161.10.1.1
VPN2-CE1 MP-iBGP
Create a VRF and a
MP-iBGP VPN2-CE2
logical interface for
each VPN
VPN-LSP1 VPN-LSP2
IP Forwarding
LSP-1 LSP-2

PE ASBR-1 ASBR-2 PE

Network
Page 43 Learning Centre 43
Proprietary & Confidential 43

LX and LY are public network labels. L1 and L2 are private network labels.

43
 Cross-AS Solution 2: MP-eBGP for
VPNV4
MP-
MP-eBGP for VPNV4 overview

VPN1-CE1 VPN1-CE2
ASBR-1 ASBR-2 MP-iBGP
MP-iBGP
PE PE
AS#100 MP-EBGP AS#200
(VPN-V4) PE
PE MP-iBGP MP-iBGP
VPN2-CE1 VPN2-CE2

VPN-LSP1 VPN-LSP2 VPN-LSP3

LSP-1 LSP-2

PE ASBR-1 ASBR-2 PE
• EBGP is used to advertise VPN-IPv4 routes between ASBRs. 。
• Advantages :
– No need of creating a VRF for each VPN on ASBR.
– No need of cross-domain extension protocol, easy to manage and configure
• Disadvantages: All VPN routes need be stored on the ASBR. This imposes high requirements on the
router

Network
Page 44 Learning Centre 44
Proprietary & Confidential 44

MP-
MP-EBGP runs between two ASBRs to transfer the VPN information of one one AS to
the other AS. The private network route and label information is transferred. The
peer ASBR receives the VPN routing information from MP- MP-EBGP and stores it
locally. Then it distributes the information to the PEs in its domain.
domain. When this
ASBR broadcasts routes to MP- MP-IBGP neighbors in its domain, it can choose not to
change the next hop or change the next hop to itself. If the next
next hop is changed, as
the label assignment rules introduced previously, new labels needneed be assigned to
the VPN routes. Thus local label switching operations are performed.
performed. When
packets are forwarded, a label switching is needed for the VPN LSP LSP at both
ASBRs. In this solution, the ASBR receives all VPN route information
information sent from
inside and outside the local domain and then distributes the VPN routes. However,
as required by the MPLS VPN structure, a VPN route is saved only when a VPN
that matches the VPN route is configured on the PE. Therefore, special
special
configurations must be so made (because no VPN is configured on the ASBR) as to
enable the ASBR to save all VPN routes received regardless of the the presence of a
matched local VPN.
As this solution requires the ASBR to save all VPN routes, high
high requirements are
imposed on the router itself and the ASBR is therefore easier to become faulty.
However, if the number of VPN routes is small, this solution can still be a simple
and practical choice.

44
 Cross-AS Solution 2: MP-eBGP for
VPNV4
Distribution of routing information
BGP,
BGP, OSPF,
OSPF, RIPv2
RIPv2
BGP,
BGP, OSPF,
OSPF, RIPv2
RIPv2 161.10.1.0/24,NH=PE-3
161.10.1.0/24,NH=PE-3
161.10.1.0/24,NH=CE-1
161.10.1.0/24,NH=CE-1

VPN-v4
VPN-v4 update:
update: VPN-v4
VPN-v4 update:
update:
RD:1:27:161.10.1.0/24,
RD:1:27:161.10.1.0/24, RD:1:27:161.10.1.0/24,
VPN1-CE1 NH=PE-1
NH=PE-1
RD:1:27:161.10.1.0/24,
NH=PE-ASBR-2
NH=PE-ASBR-2
VPN1-CE2
RT=100:1,
RT=100:1, Label=(L1)
Label=(L1) RT=100:1,
RT=100:1, Label=(L3)
Label=(L3)

PE-1 MP-iBGP ASBR-1 ASBR-2 MP-iBGP PE-3

AS#100 MP-EBGP AS#200
(VPN-V4) PE-4
PE-2 VPN-v4
VPN-v4 update:
update:
VPN2-CE1 MP-iBGP RD:1:27:161.10.1.0/24,
RD:1:27:161.10.1.0/24,
MP-iBGP VPN2-CE2
NH=PE-ASBR-1
NH=PE-ASBR-1
RT=100:1,
RT=100:1, Label=(L2)
Label=(L2)

VPN-LSP1 VPN-LSP2 VPN-LSP3

LSP-1 LSP-2

PE ASBR-1 ASBR-2 PE
Network
Page 45 Learning Centre 45
Proprietary & Confidential 45

45
 Cross-AS Solution 2: MP-eBGP for
VPNV4
Label switching procedure

VPN1-CE1 VPN1-CE2
161.10.1.1
161.10.1.1
161.10.1.1
161.10.1.1 Lx
Lx L3
L3 161.10.1.1
161.10.1.1
L1
L1 161.10.1.1
161.10.1.1
PE-3
PE-1
L3
L3 161.10.1.1
161.10.1.1
Ly
Ly L1
L1 161.10.1.1
161.10.1.1
MP-iBGP
MP-iBGP ASBR-1 ASBR-2
AS#100 MP-EBGP AS#200
(VPN-V4) PE-4
PE-2
VPN2-CE1 MP-iBGP L2
L2 161.10.1.1
161.10.1.1
MP-iBGP
VPN2-CE2

Network
Page 46 Learning Centre 46
Proprietary & Confidential 46

Lx and Ly are public network labels. L1, L2, and L3 are private network labels.

46
 Cross-AS Solution 3: Multi-Hop eBGP
Multi-
Multi-Hop eBGP overview
Multi-Hop MP-EBGP(VPN V4)

VPN1-CE1 ASBR-1 ASBR-2 VPN1-CE2

PE PE
AS#100 EBGP AS#200
PE
PE
VPN2-CE1 VPN2-CE2
Multi-Hop MP-EBGP
VPN-LSP
BGP 4+
LSP-1 LSP-2
PE ASBR-1 ASBR-2 PE
• Establish MP-EBGP peer between PEs and distribute VPN-IPV4 routes using this connection.
• Advantages :
– This is the optimal solution because it meets the structural requirements of MPLS VPN. Only PE knows the
VPN routing information. P only concerns the forwarding of packets.
– The advantage is more notable when a VPN crosses multiple AS. This solution also supports load sharing.
• Disadvantages :BGP extensions are needed. The setup of tunnels differs from the common MPLS VPN structure
so that the solution is hard to maintain or understand.
Network
Page 47 Learning Centre 47
Proprietary & Confidential 47

Here, we must note: 1) private labels are assigned by the VPN-LSP. This is easy. 2)
BGP labels are assigned by the BGP-LSP, which mainly functions to exchange
loopback information between two PEs. The BGP-LSP consists of two parts: MP-
IBGP and BGP4+. MP-IBGP is used inside an AS. Between ASBRs runs the
ordinary EBGP: BGP4+ (which functions to transfer labels between the ASBRs).
3) Another layer is the public label. This is also easy. Please note, if BGP-LSP is
established from the left PE to the right PE, the BGP-LSP is made up of BGP4+
and the MP-IBGP in AS200. In AS100, common LDP LSP is used. If from the
right PE to the left, the opposite applies. That is why this figure distinguishes
between real lines and broken lines.

47
 Cross-AS Solution 3: Multi-Hop eBGP

Distribution of routing information

VPN-v4
VPN-v4 update:
update:
RD:1:27:162.11.1.0/24,
VPN1-CE1 RD:1:27:162.11.1.0/24,
NH=PE-1
NH=PE-1 VPN1-CE2
RT=100:1,
RT=100:1, Label=(L3)
Label=(L3)

Network=PE-1
Network=PE-1
NH=ASBR-2
NH=ASBR-2 BGP,
BGP, OSPF,
OSPF, RIPv2
RIPv2
BGP,
BGP, OSPF,
OSPF, RIPv2
RIPv2 Label=(L10)
Label=(L10) 162.11.1.0/24,
162.11.1.0/24,
162.11.1.0/24,
162.11.1.0/24, NH=PE-2
NH=PE-2
NH=CE-1
NH=CE-1
PE-1 ASBR-1 ASBR-2 PE-2
AS#100 EBGP AS#200
PE-4
PE-3 Network=PE-1
Network=PE-1
VPN2-CE1 NH=ASBR-1
NH=ASBR-1 VPN2-CE2
Label=(L9)
Label=(L9)

Network
Page 48 Learning Centre 48
Proprietary & Confidential 48

zPrivate network labels are unchangeable because remote peers are established
between PE-1 and PE-2. MP-BGP runs between the peers. L10 and L9 are BGP-
LSP labels. The BGP-LSP consists of two parts: MP-IBGP and BGP4+.

48
 Cross-AS Solution 3: Multi-Hop eBGP

Label switching procedure

VPN1-CE1 VPN1-CE2

161.10.1.1
161.10.1.1
Lx L10 L3 161.10.1.1
L3 161.10.1.1
PE-3
PE-1
L10 L3 161.10.1.1
Ly L3 161.10.1.1

ASBR-1 ASBR-2
AS#100 EBGP AS#200
PE-4
PE-2 L9 L3 161.10.1.1
VPN2-CE1 VPN2-CE2

Network
Page 49 Learning Centre 49
Proprietary & Confidential 49

zLx and Ly are public network labels. L10 and L9 are BGP LSP labels. L3 is a
VPN label. BGP-LSP has no next hop concept. Therefore label switching must be
carried out on ASBR-2 so that ASBR-1 pops the BGP-LSP labels.

49
 ThankYou

Network Learning Centre 50

Proprietary & Confidential 50