Mpls10s07-Mpls VPN Technology

Module 7
MPLS VPN
Technology
© 2001, Cisco Systems, Inc.
Objectives
Upon completion of this lesson, you

will be able to perform the following
tasks:
• Identify major Virtual Private network
topologies, their characteristics and usage
scenarios
• Describe the differences between overlay
VPN and peer-to-peer VPN
• List major technologies supporting overlay
VPNs and peer-to-peer VPNs
• Position MPLS VPN in comparison with
other peer-to-peer VPN implementations
• Describe major architectural blocks of
MPLS VPN
© 2001, Cisco Systems, Inc. MPLS v1.0—7-2
Introduction to
Virtual Private
Networks

Objectives
Upon completion of this section,

you will be able to perform the
following tasks:
• Describe the concept of VPN
• Explain VPN terminology as defined by
MPLS VPN architecture

Traditional Router-Based
Networks
Site B
Site A
Site C
Site D
Traditional router-based networks

connect customer sites through routers
connected via dedicated point-to-point
links.
Virtual Private Networks
Virtual Circuit (VC) #1
PE Device
CPE Router
Customer Site
Provider Core
Device Other
CPE Router Customer
Customer Premises Provider Edge Device PE Device Routers
Router (CPE) (Frame Relay Switch) Large Customer Site
Virtual Circuit (VC) #2

Service Provider Network
•Virtual Private Networks (VPNs) replace

dedicated point-to-point links with emulated
point-to-point links sharing common
infrastructure.
•Customers use VPNs primarily to reduce their
operational costs.
VPN Terminology
Customer Site
Large Customer Site
Provider network (P-network): the

service provider infrastructure
used to provide VPN services
Customer network (C-network): the part
of the network still under customer
control
Customer Site: a contiguous part of the
customer network (can encompass many
physical locations)
VPN Terminology
Customer Site
Large Customer Site

Provider edge (PE) device: the

device in the P-network to which
the CE devices are connected
Provider (P) device: the Customer edge (CE) device: the

device in the P-network device in the C-network that links to
with no customer into P-network; also called customer
connectivity premises equipment (CPE)

VPN Terminology
Specific to Switched WANs
VC #1
PE Device
CPE Router
Customer Site
P
Device Other
CPE Router Customer
CPE PE Device PE Device Routers
Router (Frame Relay switch) Large Customer Site
VC #2
Virtual Circuit (VC): emulated
point-to-point link established
across shared Layer 2
infrastructure
• A permanent virtual circuit (PVC) is established through out-of-
band means (network management) and is always active.
• A switched virtual circuit (SVC) is established through CE-PE
signaling on demand from the CE device.
Summary
After completing this section, you

should be able to perform the
following tasks:
• Describe the concept of VPN
• Explain VPN terminology as defined by
MPLS VPN architecture

Review Questions
• Why are customers interested in

Virtual
Private Networks?
• What is the main role of a VPN?
• What is a C-network?
• What is a customer site?
• What is a CE-router?
• What is a P-network?
• What is the difference between a
PE-device and a P-device?
Overlay and
Peer-to-Peer VPN

Objectives

following tasks:
• Describe the differences between
overlay and peer-to-peer VPN
• Describe the benefits and drawbacks
of each VPN implementation option
• List major technologies supporting
overlay VPNs
• Describe traditional peer-to-peer VPN
implementation options
VPN Implementation
Technologies
VPN services can be offered based

on two major paradigms:
• Overlay VPNs, in which the service
provider provides virtual point-to-point
links between customer sites
• Peer-to-Peer VPNS, in which the
service provider participates in the
customer routing

Overlay VPN Implementation
(Frame Relay Example)
Customer Site VC #2 Customer Site
Router A Router C
PE Device Frame Relay
VC #1 (Frame Relay Switch) Edge Switch
Customer Site Customer Site
Router B Router D
Frame Relay Frame Relay
Edge Switch Edge Switch
VC #3

Layer 3 Routing in Overlay
VPN Implementation
Router A
Router B Router C Router D
• Service provider infrastructure appears as

point-to-point links to customer routes.
• Routing protocols run directly between
customer routers.
• Service provider does not see customer routes
and is responsible only for providing point-to-
point transport of customer data.
Overlay VPN
Layer 1 Implementation
IP
PPP HDLC
ISDN E1, T1, DS0 SDH, SONET
This is the traditional TDM solution:

Service provider establishes physical-layer
connectivity between customer sites.
Customer takes responsibility for all higher
layers.
Overlay VPN
Layer 2 Implementation
IP
X.25 Frame Relay ATM
This is the traditional switched WAN

solution:
Service provider establishes Layer 2 virtual
circuits between customer sites.
Customer takes responsibility for all higher
layers.
Overlay VPN
IP Tunneling
IP
Generic Route
IP Security (IPSec)
Encapsulation (GRE)
IP
VPN is implemented with IP-over-IP

tunnels:
Tunnels are established with GRE or
IPSec.
GRE is simpler (and quicker); IPSec
provides authentication and security.
Overlay VPN
Layer 2 Forwarding
IP
PPP
Layer 2
Point-to-Point
Layer 2 Tunnel Forwarding
Tunneling Protocol
Protocol (L2TP) Protocol (L2F
(PPTP)
Protocol)
IP
VPN is implemented with PPP-over-IP

tunnels:
Usually used in access environments (dialup,
digital subscriber line)
Peer-to-Peer VPN Concept
Routing information is exchanged
between CE and PE routers.
Service Provider Network Customer Site
Customer Site
Router A Router C
PE
PE Router
Router Customer Site
Customer Site
Router B Router D
PE Router PE Router
PE routers exchange
customer routes through
the core network.
Finally, the customer routes
propagated through the PE network
are sent to other CE routers.

Peer-to-Peer VPN with
Packet Filters
Customer A Service provider network

Site #1
Point of Presence (POP)
Shared Router
Customer A
Site #2 POP router carries
all customer
routes.
Isolation between
customers is
Customer B achieved with packet
Site #1 filters on PE-CE
interfaces.

Peer-to-Peer VPN with
Controlled Route Distribution
Customer A Service provider network The P-router contains

Site #1
all customer routes.
Point of Presence (POP)
Uplink
PE Router
Customer A Customer A
P Router
Site #2
PE Router
Customer B
Customer B
Site #1
Each customer has a
dedicated PE router
that carries only its
routes.
Customer isolation is
achieved through lack of
routing information on the
© 2001, Cisco Systems, Inc.
PE router. MPLS v1.0—7-23
Benefits of Various VPN
Implementations
Overlay VPN: Peer-to-peer VPN:

• Well-known and easy • Guarantees optimum
to implement. routing between
• Service provider does customer sites.
not participate in • Easier to provision an
customer routing. additional VPN.
• Customer network • Only the sites are
and service provider provisioned, not the
network are well links between them.
isolated.

Drawbacks of Various VPN
Implementations
Overlay VPN: Peer-to-peer VPN:
• Implementing • Service provider
optimum routing participates in
requires full mesh of customer routing.
virtual circuits. • Service provider
• Virtual circuits have becomes responsible
to be provisioned for customer
manually. convergence.
• Bandwidth must be • PE routers carry all
provisioned on a site- routes from all
to-site basis. customers.
• Overlay VPNs always • Service provider
incur encapsulation needs detailed IP
overhead. routing knowledge.
Drawbacks of Traditional
Peer-to-Peer VPNs
Shared PE router: Dedicated PE
• All customers share router:
the same (provider-
assigned or public) • All customers share
address space. the same address
space.
• High maintenance
costs are associated • Each customer
with packet filters. requires a dedicated
• Performance is lower router at each POP.
— each packet has to
pass a packet filter.

VPN Taxonomy
Virtual Networks
Virtual Private Virtual Dialup Networks Virtual LANs
Networks
Overlay VPN Peer-to-Peer VPN
Layer 2 VPN Layer 3 VPN Access Lists

(Shared Router)
X.25
GRE
Split Routing
Frame Relay (Dedicated Router)
IPSec
ATM
MPLS VPN

Summary

following tasks:
• Describe the differences between
overlay and peer-to-peer VPN
• Describe the benefits and drawbacks
of each VPN implementation option
• List major technologies supporting
overlay VPNs
• Describe traditional peer-to-peer VPN
implementation options
Review Questions
• What is an overlay VPN?

• Which routing protocol runs between the
customer and the service provider in an overlay
VPN?
• Which routers are routing protocol neighbors of
a
CE-router in overlay VPN?
• List three IP-based overlay VPN technologies.
• What is the major benefit of peer-to-peer VPN
as compared to overlay VPN?
• List two traditional peer-to-peer VPN
implementations.
• What is the drawback of all traditional peer-to-
Major VPN
Topologies

Objectives

following tasks:
• Identify major VPN topologies
• Describe the implications of using
overlay VPN or peer-to-peer VPN
approach with each topology
• List sample usage scenarios for each
topology

VPN Topology Categorization
Overlay VPNs are categorized

based on the topology of the virtual
circuits:
• (Redundant) Hub and spoke topology
• Partial mesh topology
• Full mesh topology
• Multilevel topology—combines several
levels of overlay VPN topologies

Overlay VPN
Hub-and-Spoke Topology
Remote Site (Spoke)
Central Site Remote Site (Spoke)

(Hub)
Central Site
Router Remote Site (Spoke)
Remote Site (Spoke)

Overlay VPN Redundant Hub
and Spoke Topology
Remote Site (Spoke)
Central Site
(Hub)
Service Provider Network Remote Site (Spoke)
Redundant
Central Site Remote Site (Spoke)
Router
Redundant
Remote Site (Spoke)
Central Site
Router

Overlay VPN
Partial Mesh
Guam New York
Virtual circuits (Frame Relay Data-

Moscow Link Connection Identifier) Hong Kong
Berlin Sydney

Overlay VPN Multilevel
Hub-and-Spoke
Distribution Site
Remote Site (Spoke)
Distribution-Layer
Router
Central Site (Hub) Remote Site (Spoke)
Redundant Central
Site Router
Service Provider Network Remote Site (Spoke)
Redundant Central
Site Router
Remote Site (Spoke)

Distribution-layer
router
Distribution site

VPN Business Categorization
VPNs can be categorized on the

business needs they fulfill:
• Intranet VPN—connects sites within
an organization.
• Extranet VPN—connects different
organizations in a secure way.
• Access VPN — VPDN provides dialup
access into a customer network.

Extranet VPN—Overlay
VPN Implementation
Frame Relay VCs

(DLCI)
GlobalMotors Provider IP Backbone
Firewall BoltsAndNuts
Frame Relay
Switch
Firewall Firewall
Frame Relay
Switch
AirFilters Inc. SuperBrakes Inc.
Firewall Frame Relay Frame Relay Firewall

Switch Switch

Extranet VPN—Peer-to-Peer
VPN Implementation
GlobalMotors Provider IP Backbone
PE Router BoltsAndNuts
Firewall PE Router Firewall

PE Router
AirFilters Inc. SuperBrakes Inc.
Firewall PE Router PE Router Firewall

VPN Connectivity
Categorization
VPNs can also be categorized by

the connectivity required between
sites:
• Simple VPN—every site can communicate
with every other site.
• Overlapping VPN—some sites participate
in more than one simple VPN.
• Central Services VPN—all sites can
communicate with central servers, but
not with each other.
• Managed Network—a dedicated VPN is
established to manage CE routers.
Central Services Extranet
Amsterdam Service Provider Extranet Customer A

Infrastructure
VoIP Gateway
London Customer B
VoIP Gateway
Paris Customer C
VoIP Gateway

Central Services Extranet—Hybrid
(Overlay + Peer-to-Peer)
Implementation
Amsterdam Service Provider Frame Customer A

Extranet Infrastructure Relay
Infrastructure
VoIP Gateway
PE Router
Frame Relay
PE Router Edge Switch
London Customer B
VoIP Gateway PE Router

Frame Relay
Edge Switch
Paris PE Router Customer C
PE Router Frame Relay

Edge Switch
VoIP Gateway
Service Provider Network Frame Relay VC

Managed Network
Overlay VPN Implementation
Service provider network Remote Site (Spoke)
Central Site (Hub) Remote Site (Spoke)
Redundant Central
Site Router
Remote Site (Spoke)
Redundant Central
Site Router
Dedicated virtual
circuits are used
Network Management Center for network
management.

Summary

should be able to perform the following
tasks:
• Identify major VPN topologies
• Describe the implications of using
overlay VPN or peer-to-peer VPN
approach with each topology
• List sample usage scenarios for each
topology
Review Questions
• What are the major Overlay VPN

topologies?
• Why would the customers prefer
partial mesh over full mesh topology?
• What is the difference between an
Intranet and an Extranet?
• What is the difference between a
simple VPN and a Central Services
VPN?
• What are the connectivity
requirements of a Central Services
MPLS VPN
Architecture

Objectives
Upon completion of this section, you

tasks:
• Describe the difference between
traditional peer-to-peer models and
MPLS VPN
• List the benefits of MPLS VPN
MPLS VPN
• Explain the need for route
distinguisher and route target
MPLS VPN Architecture
MPLS VPN combines the best

features of overlay VPN and peer-
to-peer VPN:
• PE routers participate in customer
routing, guaranteeing optimum
routing between sites and easy
provisioning.
• PE routers carry a separate set of
routes for each customer (similar to
the dedicated PE router approach).
• Customers can use overlapping
addresses.
MPLS VPN Terminology
Customer A
Site #1
Remote
Office
Site #1
P-Network Customer A
Remote CE router Site #4
Office
Customer B
Customer A PE Router P Router PE Router
Site #2
Site #2 POP-X POP-Y
Customer B
Customer A Site #3
Site #3
Customer B
Customer B Site #4
Site #1

PE Router Architecture
Virtual Router for Global IP Router

Customer A
Customer A
Site #1
Virtual IP Routing Global IP

P Router
Customer A Table for Customer A Routing Table
Site #2
Virtual Router for MPLS VPN architecture is very similar

Customer A Customer B to the dedicated PE router peer-to-peer
Site #3
model, but the dedicated per-customer
routers are implemented as virtual
Customer B routing tables within the PE router.
Virtual IP Routing
Site #1 Table for Customer B
PE Router

Routing Information
Propagation Across the P-
Network
IGP for Customer A IGP for Customer A
Customer A IGP for Customer B IGP for Customer B Customer B

IGP for Customer C IGP for Customer C
Customer B Customer C
PE Router X P Router PE Router Y
P-Network
Customer C Customer A
Q: How will PE routers exchange customer routing information?

A1: Run a dedicated Interior Gateway Protocol (IGP) for each
customer across P-network.
Wrong answer:
• The solution does not scale.
• P routers carry all customer routers.
Routing Information
Network (cont.)
A dedicated routing protocol used
to carry customer routes
Customer A Customer B
P-Network

: Run a single routing protocol that will carry all customer routes
inside the provider backbone.
Better answer, but still not good enough:
• P routers carry all customer routers.

Routing Information
Network (cont.)
to carry customer routes between PE routers
P-Network

3: Run a single routing protocol that will carry all customer routes
between PE routers. Use MPLS labels to exchange packets between
PE routers.
he best answer:
P routers do not carry customer routes; the solution is scalable.
Routing Information
Network (cont.)
P-Network
: Which protocol can be used to carry customer routes between PE route

A: The number of customer routes can be very large. BGP is the only
routing protocol that can scale to a very large number of routes.
onclusion:
BGP is used to exchange customer routes directly between PE routers.
Routing Information
Network (cont.)
P-Network
Q: Customers can have overlapping address spaces. How will

information about the same subnet of two customers be
propagated via a single routing protocol?
A: Customer addresses are extended with a 64-bit prefix (route
distinguisher—RD) to make them unique. Unique 96-bit
addresses are exchanged between PE routers.

Route Distinguisher
• The RD is a 64-bit quantity prepended to

an IP version 4 (IPv4) address to make
it globally unique.
• The resulting 96-bit address is called a
VPNv4 address.
• VPNv4 addresses are exchanged only
via BGP between PE routers.
• BGP that supports address families
other than IPv4 addresses is called
multiprotocol BGP (MP-BGP).

Route Distinguisher Usage in
an MPLS VPN
A 64-bit Route Distinguisher
is prepended to the
customer IPv4 prefix to
make it globally unique,
resulting in 96-bit VPNv4
prefix.
A 96-bit VPNv4 prefix is
propagated via BGP to the
P-Network other PE router.
PE 1 PE 2
Customer B Customer B
The CE-router sends an IPv4
routing update to the PE-
router.
an MPLS VPN
The RD is removed from the

VPNv4 prefix, resulting in a 32-
bit IPv4 prefix.
P-Network
PE 1 PE 2
The PE router sends the
resulting IPv4 prefix to the
CE router.
an MPLS VPN
• The RD has no special meaning—it is

used only to make potentially
overlapping IPv4 addresses globally
unique.
• Simple VPN topologies require one The
RD per customer.
• The RD could serve as a VPN identifier
for simple VPN topologies, but this
design could not support all topologies
required by the customers.
Complex VPN—Sample VoIP
Service
Central Site PE Router X P Router PE Router Y Site 2
Site 2 Central Site
Customer A VoIP VoIP Customer B

Site 1 Gateway P-Network Gateway Site 1
equirements:
All sites of one customer need to communicate.
Central sites of both customers need to communicate with VoIP gateway
and other central sites.
Other sites from different customers do not communicate with each othe

Sample VoIP Service
Connectivity Requirements
VOIP VPN
Customer A
Central Site A Site A-1 Site A-2
POP-X
VoIP
Gateway
POP-Y
VoIP
Gateway
Customer B
Central Site B Site B-1 Site B-2

Route Targets
• Some sites have to participate in more

than one VPN—RD cannot identify
participation in more than one VPN.
• A different method is needed in which a
set of identifiers can be attached to a
route.
• RDs were introduced in the MPLS VPN
architecture to support complex VPN
topologies.

What Are Route Targets?
• Route targets (RTs) are additional

attributes attached to VPNv4 BGP
routes to indicate VPN membership.
• Extended BGP communities are used to
encode these attributes.
• Extended communities carry the meaning of
the attribute together with its value.
• Any number of RTs can be attached to a
single route.

How Do Route Targets Work?
• Export RTs identifying VPN membership

are appended to the customer route
when it is converted into a VPNv4
route.
• Each virtual routing table has a set of
associated import RTs that select
routes to be inserted into the virtual
routing table.
• Route targets usually identify VPN
membership, but they can also be used
in more complex scenarios.
Virtual Private Networks
Redefined
With the support of complex VPN

topologies, VPNs have to be
redefined
• A VPN is a collection of sites
sharing common routing
information.
• A site can be part of different
VPNs.
• A VPN can be seen as a community
of interest (closed user group—
CUG).
Impact of Complex VPN
Topologies on Virtual Routing
Tables
• A virtual routing table in a PE router can

be used only for sites with identical
connectivity requirements.
• Complex VPN topologies require more
than one virtual routing table per VPN.
• As each virtual routing table requires a
distinct RD value, the number of RDs in
the MPLS VPN network increases.

Sample VoIP Service
Virtual Routing Tables
Site A-1 and A-2 can
share the same routing
VoiceIP VPN
table.
Customer A
Central Site A Site A-1 Site A-2
Central Site A needs
POP-X its own routing table.
VoIP
Gateway Voice gateways can
POP-Y share routing tables.
VoIP
Gateway Central Site B needs
its own routing table.
Central Site B Site B-1 Site B-2

Site B-1 and B-2 can
Customer B
share the same routing
table.
Benefits of MPLS VPN
Technology
MPLS VPN technology has all the

benefits of
peer-to-peer VPN technology:
• Easy provisioning
• Optimal routing
It also bypasses most drawbacks of
traditional peer-to-peer VPN
technologies:
• RDs enable overlapping customer address
spaces.
• RTs enable topologies that were hard to
implement with other VPN technologies.
Summary

tasks:
• Describe the difference between
traditional peer-to-peer models and MPLS
VPN
• List the benefits of MPLS VPN
MPLS VPN
• Explain the need for route distinguishers
and route targets
Review Questions
• How does MPLS VPN support overlapping

customer address spaces?
• How are customer routes exchanged across
the P-network?
• What is a route distinguisher?
• Why is the RD not usable as VPN identifier?
• What is a route target?
• Why were the route targets introduced in MPLS
VPN architecture?
• How are route targets used to build virtual
routing tables in the PE routers?
• What is the impact of complex VPN topologies
on virtual routing tables in the PE routers?
MPLS VPN Routing
Model

Objectives

tasks:
• Describe the routing model of MPLS
VPN
• Describe the MPLS VPN routing model
from customer and provider
perspectives
• Identify the routing requirements of CE-
routers, PE-routers and P-routers

MPLS VPN Routing
Requirements
• Customer routers (CE routers) have to

run standard IP routing software.
• Provider core routers (P routers) have
no VPN routes.
• Provider edge routers (PE routers) have
to support MPLS VPN and Internet
routing.

MPLS VPN Routing—
CE Router Perspective
MPLS VPN Backbone

CE router
PE router
CE router
The CE routers run standard IP routing

software and exchange routing updates with
the PE router.
• External BGP (EBGP), Open Shortest Path First
(OSPF), RIP version 2 (RIPv2), and static routes
are supported.
The PE router appears as another router in the
MPLS VPN Routing—
Overall Customer
Perspective
BGP Backbone
PE router PE router
CE router
Site IGP Site IGP Site IGP
To the customer, the PE routers appear as core

routers connected via a BGP backbone.
The usual BGP and IGP design rules apply.
The P routers are hidden from the customer.

MPLS VPN Routing—
P Router Perspective
MPLS VPN Backbone
PE router P router PE router
•P routers do not participate in MPLS VPN

routing and do not carry VPN routes.
•P routers run backbone IGP with the PE routers
and exchange information about global subnets
(core links and loopbacks).

MPLS VPN Routing—
PE Router Perspective
MPLS VPN Backbone
CE Router MP-BGP CE Router
VPN Routing VPN Routing

PE Router P Router PE Router
Core IGP Core IGP
CE Router CE Router
PE routers:
• Exchange VPN routes with CE routers via per-VPN
routing protocols
• Exchange core routes with P routers and PE-
routers via core IGP
• Exchange VPNv4 routes with other PE routers via
MP- IBGP sessions

MPLS VPN Support for
Internet Routing
MPLS VPN Backbone
CE router IPv4 BGP for Internet CE Router

Core IGP Core IGP
CE Router CE Router
PE routers can run standard IPv4 BGP in the global

routing table:
• PE routers exchange Internet routes with other PE
routers.
• CE routers do not participate in Internet routing.
• P routers do not need to participate in Internet routing.

Routing Tables on PE Routers
MPLS VPN Backbone

VPN routing
CE Router MP-BGP VPN routing CE Router

Core IGP Core IGP
CE Router CE Router
IPv4 BGP for Internet
PE routers contain a number of routing tables:

• Global routing table that contains core routes (filled with
core IGP) and Internet routes (filled with IPv4 BGP).
• VRF tables for sets of sites with identical routing
requirements.
• VRFs filled with information from CE routers and MP-BGP
information from other PE routers.

MPLS VPN End-to-End
Routing Information Flow
(1/3)
MPLS VPN Backbone
CE Router CE Router
IPv4 Update
CE Router CE Router
PE routers receive IPv4 routing updates

from CE routers and install them in the
appropriate VRF table.

MPLS VPN End-to-End
(2/3)
MPLS VPN Backbone
CE Router CE Router
IPv4 Update MP-BGP Update

CE Router CE Router
• PE routers export VPN routes from VRF tables

into MP-BGP and propagate them as VPNv4
routes to other PE routers.
• A full mesh of MP-IBGP sessions is needed
between PE routers.

MP-BGP Update
An MP-BGP update contains:

• VPNv4 address
• Extended communities
(route targets, optionally Site-of-
Origin, or SOO)
• Label used for VPN packet forwarding
• Any other BGP attribute (for example,
AS path, local preference, multi-exit
discriminator (MED), standard
community)

MP-BGP Update—
VPNv4 Address
A VPN IPv4 address contains:

• RD
• 64 bits
• Makes the IPv4 route globally unique
• RD is configured in the PE for each
VRF
• RD may or may not be related to a site
or a VPN
• IPv4 address (32 bits)

MP-BGP Update—
Extended Communities
64-bit attribute attached to a route
Set of communities can be attached to a
single route
High-order 16 bits identify extended
community type
• RT: identifies the set of sites to which
the route must be advertised
• SOO: identifies the originating site
• OSPF route type: identifies the link-
state advertisement (LSA) type of OSPF
route redistributed into MP-BGP
Extended BGP Community
Display Format
Two display formats are

supported:
• <16bits type>:<ASN>:<32 bit
number>
-Uses registered AS number
• <16bits type>:<IP address>:<16
bit number>
-Uses registered IP address

MPLS VPN End-to-End
(3/3)
MPLS VPN Backbone
CE Router CE Router
MP-BGP Update
CE Router CE Router
• Receiving PE router imports incoming VPNv4

routes into the appropriate VRF based on
route targets attached to the routes
• Routes installed in VRF are propagated to CE
routers

Route Distribution to
CE Routers
Route distribution to sites is driven

by the SOO and RT EBGP
communities.
A route is installed in the site VRF
that matches the RT attribute.
• A PE router that connects sites
belonging to multiple VPNs will
install the route into the site VRF if
the RT attribute contains one or
more VPNs to which the site is
associated.
Summary

tasks:
• Describe the routing model of MPLS
VPN
• Describe the MPLS VPN routing model
from customer and provider
perspective
• Identify the routing requirements of
CE-routers, PE-routers and P-routers
Review Questions
• What is the impact of MPLS VPN on CE-

routers?
• What is the customer’s perception of end-to-
end MPLS VPN routing?
• What is the P-router perception of end-to-end
MPLS VPN routing?
• How many routing tables does a PE-router
have?
• How many routing tables reside on a P-
router?
• Which routing protocols fill the global routing
table of a PE-router?
• Which routing protocols fill the Virtual
More Review Questions
• How is the Internet routing supported by

MPLS VPN architecture?
• How is the VPN routing information
exchanged between the PE-routers?
• Which attributes are always present in a
MP-BGP update?
• Which attributes can be optionally present
in a MP-BGP update?
• Which BGP attributes drive the import of
VPNv4 route into a VRF?
• Which BGP attributes control the VPN route
distribution toward CE-routers?
MPLS VPN Packet
Forwarding

Objectives

tasks:
• Describe the MPLS VPN forwarding
mechanisms
• Describe the VPN and backbone label
propagation
• Explain the need for end-to-end LSP
between PE routers
• Explain the implications of BGP next-hop
on MPLS VPN forwarding

VPN Packet Forwarding
Across an MPLS VPN
Backbone
MPLS VPN Backbone
CE Router IP CE Router
IP
Ingress PE P Router P Router Egress
Router PE
Router
CE Router CE Router
Q: How will the PE routers forward the VPN packets across the
MPLS VPN backbone?
A1: They will forward pure IP packets.
Wrong answers:
P routers do not have VPN routes; the packet is dropped on IP lookup.
How about using MPLS for packet propagation across the backbone?

Across an MPLS VPN
Backbone
MPLS VPN Backbone
IP L1 IP L2 IP L3
CE Router CE Router
IP
Ingress P Router P Router Egress
PE PE
Router Router
CE Router CE Router
Q: How will the PE routers forward the VPN packets across the MPLS
VPN backbone?
A2: They will label the VPN packets with a label distribution protocol (LDP)
label for the egress PE router and forward the labeled packets across
the MPLS backbone.
Better answers:
The P routers perform the label switching and the packet reaches the
egress PE router.
However, the egress PE router does not know which VRF to use for packet
switching, so the packet is dropped.
How about using a label stack?
Across an MPLS VPN
Backbone
MPLS VPN Backbone
IP V L1 IP V L2 IP V L3
CE Router CE Router
IP
IP
PE PE
Router Router
CE Router CE Router
: How will the PE routers forward the VPN packets across the MPLS VPN backbon
3: They will label the VPN packets with a label stack, using the LDP label for the
egress PE router as the top label and the VPN label assigned by the egress PE
router as the second label in the stack.
orrect answers:
The P routers perform label switching and the packet reaches the egress
PE router.
The egress PE router performs a lookup on the VPN label and forwards the packet
toward the CE router.
VPN Packet Forwarding—
Penultimate Hop Popping
MPLS VPN Backbone
IP V L1 IP V L2 IP V
CE Router CE Router
IP
IP
PE PE
Router Router
CE Router CE Router
• Penultimate hop popping on the LDP label can be

performed on the last P router.
The egress PE router performs label lookup only on the
VPN label, resulting in faster and simpler label lookup.
• IP lookup is performed only once—in the ingress PE
router.
VPN Label Propagation
MPLS VPN Backbone

CE Router CE Router

PE PE
Router Router
CE Router CE Router
: How will the ingress PE router get the second label in the label stack
from the egress PE router?
A: Labels are propagated in MP BGP VPNv4 routing updates.

MPLS VPN Backbone

CE Router CE Router

PE PE
Router Router
CE Router CE Router
Step #1: A VPN label is assigned to every VPN route by the egress
PE router.
Egress-PE#show tag-switching forwarding vrf SiteA2

Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
26 Aggregate 150.1.31.36/30[V] 0
37 Untagged 203.1.2.1/32[V] 0 Se1/0.20 point2point
38 Untagged 203.1.20.0/24[V] 0 Se1/0.20 point2point

MPLS VPN Backbone

CE Router CE Router

PE PE
Router Router
CE Router CE Router
Step #2: The VPN label is advertised to all other PE routers in an MP-BGP
update.
Ingress-PE#show ip bgp vpnv4 all tags

Network Next Hop In tag/Out tag
Route Distinguisher: 100:1 (vrf1)
12.0.0.0 10.20.0.60 26/notag
10.20.0.60 26/notag
203.1.20.0 10.15.0.15 notag/38

MPLS VPN Backbone

CE Router CE Router

PE PE
Router Router
CE Router CE Router
Step #3: A label stack is built in VFR table.

Ingress-PE#show ip cef vrf Vrf1 203.1.20.0 detail
203.1.20.0/24, version 57, cached adjacency to Serial1/0.2
0 packets, 0 bytes
tag information set
local tag: VPN-route-head
fast tag rewrite with Se1/0.2, point2point, tags imposed: {26 38}
via 192.168.3.103, 0 dependencies, recursive
next hop 192.168.3.10, Serial1/0.2 via 192.168.3.103/32
valid cached adjacency
tag rewrite with Se1/0.2, point2point, tags imposed: {26 38}

Effects of MPLS VPN Label
Propagation
The VPN label must be assigned by the BGP
next hop.
The BGP next hop should not be changed in the
MP-IBGP update propagation.
• Do not use next-hop-self on confederation
boundaries.
The PE router must be the BGP next hop.
• Use next-hop-self on the PE router.
The label must be reoriginated if the next hop is
changed.
• A new label is assigned every time the MP-BGP
update crosses the AS boundary where the next
hop is changed.
• This functionality is supported by Cisco IOS
Effects of MPLS VPN Packet
Forwarding
The VPN label is understood only by the

egress PE router.
An end-to-end LSP tunnel is required
between the ingress and egress PE
routers.
BGP next hops must not be announced
as BGP routes.
LDP labels are not assigned to BGP
routes.
BGP next hops announced in IGP must
not be summarized in the core network.
•
with Summarization in the Core
P router is faced with
P router performs a VPN label it does not
penultimate hop understand
popping
MPLS VPN Backbone
IP V L1 IP V
CE Router CE Router
IP
Ingress P Router P Router Egress PE
PE P router
Router summarizes PE
CE Router CE-router
loopback
Penultimate hop
popping is requested
through LDP
PE router builds a label stack and
forwards labeled packet toward
egress PE router
Summary

following tasks:
• Describe the MPLS VPN forwarding
mechanisms
• Describe the VPN and backbone label
propagation
• Explain the need for end-to-end LSP
between PE routers
• Explain the implications of BGP next-
hop on MPLS VPN forwarding
Review Questions
• How are VPN packets propagated across MPLS

VPN backbone?
• How can P-routers forward VPN packets if they
don’t have VPN routes?
• How is the VPN label propagated between PE-
routers?
• Which router assigns the VPN label?
• How is the VPN label used on other PE-routers?
• What is the impact of changing BGP next-hop
on MP-BGP update?
• How are MP-BGP updates propagated across
AS boundary?
• What is the impact of BGP next-hop
summarization in the network core?
Summary
After completing this lesson, you should be

able to perform the following tasks:
• Identify major Virtual Private network
topologies, their characteristics and usage
scenarios
• Describe the differences between overlay VPN
and peer-to-peer VPN
• List major technologies supporting overlay
VPNs and peer-to-peer VPNs
• Position MPLS VPN in comparison with other
peer-to-peer VPN implementations
• Describe major architectural blocks of MPLS
VPN
• Describe MPLS VPN routing model and packet
© 2000, Cisco Systems, Inc. www.cisco.co Chapter#-107
Blank for Pagination

Mpls10s07-Mpls VPN Technology

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Mpls10s07-Mpls VPN Technology

Uploaded by

Copyright:

Available Formats

Module 7

Upon completion of this lesson, you

© 2001, Cisco Systems, Inc. MPLS v1.0—7-3

Upon completion of this section,

© 2001, Cisco Systems, Inc. MPLS v1.0—7-4

Traditional router-based networks

Virtual Circuit (VC) #1

Virtual Circuit (VC) #2

•Virtual Private Networks (VPNs) replace

Large Customer Site

Provider network (P-network): the

Large Customer Site

Provider edge (PE) device: the

Provider (P) device: the Customer edge (CE) device: the

© 2001, Cisco Systems, Inc. MPLS v1.0—7-8

After completing this section, you

© 2001, Cisco Systems, Inc. MPLS v1.0—7-10

• Why are customers interested in

© 2001, Cisco Systems, Inc. MPLS v1.0—7-12

Upon completion of this section,

VPN services can be offered based

© 2001, Cisco Systems, Inc. MPLS v1.0—7-14

Customer Site VC #2 Customer Site

Service Provider Network

© 2001, Cisco Systems, Inc. MPLS v1.0—7-15

Router B Router C Router D

• Service provider infrastructure appears as

ISDN E1, T1, DS0 SDH, SONET

This is the traditional TDM solution:

X.25 Frame Relay ATM

This is the traditional switched WAN

VPN is implemented with IP-over-IP

VPN is implemented with PPP-over-IP

© 2001, Cisco Systems, Inc. MPLS v1.0—7-21

Customer A Service provider network

© 2001, Cisco Systems, Inc. MPLS v1.0—7-22

Customer A Service provider network The P-router contains

Overlay VPN: Peer-to-peer VPN:

© 2001, Cisco Systems, Inc. MPLS v1.0—7-24

© 2001, Cisco Systems, Inc. MPLS v1.0—7-26

Overlay VPN Peer-to-Peer VPN

Layer 2 VPN Layer 3 VPN Access Lists

© 2001, Cisco Systems, Inc. MPLS v1.0—7-27

After completing this section, you

• What is an overlay VPN?

© 2001, Cisco Systems, Inc. MPLS v1.0—7-30

Upon completion of this section,

© 2001, Cisco Systems, Inc. MPLS v1.0—7-31

Overlay VPNs are categorized

© 2001, Cisco Systems, Inc. MPLS v1.0—7-32

Central Site Remote Site (Spoke)

Service Provider Network

Remote Site (Spoke)

© 2001, Cisco Systems, Inc. MPLS v1.0—7-33

© 2001, Cisco Systems, Inc. MPLS v1.0—7-34

Guam New York

Virtual circuits (Frame Relay Data-

© 2001, Cisco Systems, Inc. MPLS v1.0—7-35

Central Site (Hub) Remote Site (Spoke)

Remote Site (Spoke)

© 2001, Cisco Systems, Inc. MPLS v1.0—7-36

VPNs can be categorized on the

© 2001, Cisco Systems, Inc. MPLS v1.0—7-37