Professional Documents
Culture Documents
MPLS VPN
Technology
© 2001, Cisco Systems, Inc.
Objectives
Site C
Site D
PE Device
CPE Router
Customer Site
Provider Core
Device Other
CPE Router Customer
Customer Premises Provider Edge Device PE Device Routers
Router (CPE) (Frame Relay Switch) Large Customer Site
Customer Site
Customer Site
PE Device
CPE Router
Customer Site
P
Device Other
CPE Router Customer
CPE PE Device PE Device Routers
Router (Frame Relay switch) Large Customer Site
VC #2
Service Provider Network
Virtual Circuit (VC): emulated
point-to-point link established
across shared Layer 2
infrastructure
• A permanent virtual circuit (PVC) is established through out-of-
band means (network management) and is always active.
• A switched virtual circuit (SVC) is established through CE-PE
signaling on demand from the CE device.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-9
Summary
Router A Router C
PE Device Frame Relay
VC #1 (Frame Relay Switch) Edge Switch
Customer Site Customer Site
Router B Router D
Frame Relay Frame Relay
Edge Switch Edge Switch
VC #3
Router A
IP
PPP HDLC
IP
IP
Generic Route
IP Security (IPSec)
Encapsulation (GRE)
IP
IP
PPP
Layer 2
Point-to-Point
Layer 2 Tunnel Forwarding
Tunneling Protocol
Protocol (L2TP) Protocol (L2F
(PPTP)
Protocol)
IP
Router A Router C
PE
PE Router
Router Customer Site
Customer Site
Router B Router D
PE Router PE Router
PE routers exchange
customer routes through
the core network.
Finally, the customer routes
propagated through the PE network
are sent to other CE routers.
Shared Router
Customer A
Site #2 POP router carries
all customer
routes.
Isolation between
customers is
Customer B achieved with packet
Site #1 filters on PE-CE
interfaces.
Uplink
PE Router
Customer A Customer A
P Router
Site #2
PE Router
Customer B
Customer B
Site #1
Each customer has a
dedicated PE router
that carries only its
routes.
Customer isolation is
achieved through lack of
routing information on the
© 2001, Cisco Systems, Inc.
PE router. MPLS v1.0—7-23
Benefits of Various VPN
Implementations
Virtual Networks
Virtual Private Virtual Dialup Networks Virtual LANs
Networks
Central Site
Router Remote Site (Spoke)
Central Site
(Hub)
Service Provider Network Remote Site (Spoke)
Redundant
Central Site Remote Site (Spoke)
Router
Redundant
Remote Site (Spoke)
Central Site
Router
Berlin Sydney
Redundant Central
Site Router
Service Provider Network Remote Site (Spoke)
Redundant Central
Site Router
Firewall BoltsAndNuts
Frame Relay
Switch
Firewall Firewall
Frame Relay
Switch
PE Router BoltsAndNuts
VoIP Gateway
London Customer B
VoIP Gateway
Paris Customer C
VoIP Gateway
Frame Relay
PE Router Edge Switch
London Customer B
Redundant Central
Site Router
Remote Site (Spoke)
Redundant Central
Site Router
Dedicated virtual
circuits are used
Network Management Center for network
management.
Customer A
Site #1
Remote
Office
Site #1
P-Network Customer A
Remote CE router Site #4
Office
Customer B
Customer A PE Router P Router PE Router
Site #2
Site #2 POP-X POP-Y
Customer B
Customer A Site #3
Site #3
Customer B
Customer B Site #4
Site #1
PE Router
Customer B Customer C
PE Router X P Router PE Router Y
P-Network
Customer C Customer A
Customer B Customer C
PE Router X P Router PE Router Y
P-Network
Customer C Customer A
Customer B Customer C
PE Router X P Router PE Router Y
P-Network
Customer C Customer A
Customer B Customer C
PE Router X P Router PE Router Y
P-Network
Customer C Customer A
onclusion:
BGP is used to exchange customer routes directly between PE routers.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-54
Routing Information
Propagation Across the P-
Network (cont.)
A dedicated routing protocol used
to carry customer routes between PE routers
Customer A Customer B
Customer B Customer C
PE Router X P Router PE Router Y
P-Network
Customer C Customer A
Customer A Customer A
PE 1 PE 2
Customer B Customer B
The CE-router sends an IPv4
routing update to the PE-
router.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-57
Route Distinguisher Usage in
an MPLS VPN
P-Network
Customer A Customer A
PE 1 PE 2
Customer B Customer B
The PE router sends the
resulting IPv4 prefix to the
CE router.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-58
Route Distinguisher Usage in
an MPLS VPN
Customer A Customer A
Central Site PE Router X P Router PE Router Y Site 2
Customer B Customer B
Site 2 Central Site
equirements:
All sites of one customer need to communicate.
Central sites of both customers need to communicate with VoIP gateway
and other central sites.
Other sites from different customers do not communicate with each othe
VOIP VPN
Customer A
Central Site A Site A-1 Site A-2
POP-X
VoIP
Gateway
POP-Y
VoIP
Gateway
Customer B
Central Site B Site B-1 Site B-2
PE router
CE router
PE router PE router
CE router
Site IGP Site IGP Site IGP
PE routers:
• Exchange VPN routes with CE routers via per-VPN
routing protocols
• Exchange core routes with P routers and PE-
routers via core IGP
• Exchange VPNv4 routes with other PE routers via
MP- IBGP sessions
IPv4 Update
PE Router P Router PE Router
CE Router CE Router
CE Router CE Router
MP-BGP Update
PE Router P Router PE Router
CE Router CE Router
IP
Ingress PE P Router P Router Egress
Router PE
Router
CE Router CE Router
Q: How will the PE routers forward the VPN packets across the
MPLS VPN backbone?
A1: They will forward pure IP packets.
Wrong answers:
P routers do not have VPN routes; the packet is dropped on IP lookup.
How about using MPLS for packet propagation across the backbone?
IP
Ingress P Router P Router Egress
PE PE
Router Router
CE Router CE Router
Q: How will the PE routers forward the VPN packets across the MPLS
VPN backbone?
A2: They will label the VPN packets with a label distribution protocol (LDP)
label for the egress PE router and forward the labeled packets across
the MPLS backbone.
Better answers:
The P routers perform the label switching and the packet reaches the
egress PE router.
However, the egress PE router does not know which VRF to use for packet
switching, so the packet is dropped.
How about using a label stack?
© 2001, Cisco Systems, Inc. MPLS v1.0—7-94
VPN Packet Forwarding
Across an MPLS VPN
Backbone
MPLS VPN Backbone
IP V L1 IP V L2 IP V L3
CE Router CE Router
IP
IP
Ingress P Router P Router Egress
PE PE
Router Router
CE Router CE Router
: How will the PE routers forward the VPN packets across the MPLS VPN backbon
3: They will label the VPN packets with a label stack, using the LDP label for the
egress PE router as the top label and the VPN label assigned by the egress PE
router as the second label in the stack.
orrect answers:
The P routers perform label switching and the packet reaches the egress
PE router.
The egress PE router performs a lookup on the VPN label and forwards the packet
toward the CE router.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-95
VPN Packet Forwarding—
Penultimate Hop Popping
MPLS VPN Backbone
IP V L1 IP V L2 IP V
CE Router CE Router
IP
IP
Ingress P Router P Router Egress
PE PE
Router Router
CE Router CE Router
: How will the ingress PE router get the second label in the label stack
from the egress PE router?
Step #1: A VPN label is assigned to every VPN route by the egress
PE router.
Step #2: The VPN label is advertised to all other PE routers in an MP-BGP
update.
IP
Ingress P Router P Router Egress PE
PE P router
Router summarizes PE
CE Router CE-router
loopback
Penultimate hop
popping is requested
through LDP
PE router builds a label stack and
forwards labeled packet toward
egress PE router
© 2001, Cisco Systems, Inc. MPLS v1.0—7-103
Summary