MPLS-VPN Overview
Virtual Private Networks (VPNs) have become increasingly important as more and more businesses connect to a service provider's network. Keeping data private as it travels across that network is the primary concern both for the service provider offering the VPN service and for the companies sending the data.
While deploying a single VPN service model would simplify network operations, this approach cannot satisfy diverse customer requirements because each subscriber (company) is unique. To satisfy a broad range of customer requirements, service providers must offer subscribers a portfolio that contains a number of different VPN service delivery models. A number of VPN models have been proposed.
Traditional VPNs
• Frame Relay (Layer 2)
• ATM (Layer 2)
CPE-based VPNs
• L2TP and PPTP (Layer 2)
• IPSec (Layer 3)
Provider Provisioned VPNs
• MPLS-based Layer 2 VPNs
• MPLS-VPNs based on RFC2547bis (Layer 3)
Service providers are already generating a tremendous amount of interest in MPLS-VPNs as a mechanism to simplify WAN operations for a diverse set of customers. As a result of this surge of interest in service provider-based MPLS-VPNs, a new feature has been developed to extend the MPLS-VPNs to the branch office. This new feature is called Multi-VRF CE.
This paper focuses on first establishing a basic understanding of MPLS-VPNs and then developing a detailed understanding of Multi-VRF CE, including the requirements needed and a configuration example.
Before discussing Multi-VRF CE, a basic understanding of MPLS-VPNs is necessary as Multi-VRF CE extends the functionality of the current MPLS-VPN model out to the branch office. MPLS-VPNs define a mechanism that allows service providers to use their IP backbone to provide VPN services to their customers. This model can also be termed BGP/MPLS-VPNs because BGP is used to distribute VPN routing information across the provider’s backbone and because MPLS is used to forward VPN traffic from one VPN site to another. An MPLS-based VPN network has three major components:
- VPN route target communities—A VPN route target community is a list of all other members of a VPN community. VPN route targets need to be configured for each VPN community member.
- Multiprotocol BGP (MP-BGP) peering of VPN community PE routers—MP-BGP propagates VRF reachability information to all members of a VPN community. MP-BGP peering needs to be configured in all PE routers within a VPN community.
- MPLS forwarding—MPLS transports all traffic between all VPN community members across a VPN service-provider network.
In the MPLS-VPN model a VPN is defined as a collection of sites sharing a common routing table. A customer site is connected to the service provider network by one or more interfaces, where the service provider associates each interface with a VPN routing table. A VPN routing table is called a VPN routing and forwarding (VRF) table. Figure 1 illustrates the fundamental building blocks of an MPLS-VPN.
Customer Edge Devices
A customer edge (CE) device provides a customer with access to the service provider network over a data link to one or more provider edge (PE) routers. The CE device is an IP router that establishes an adjacency with its directly connected PE routers.
After the adjacency is established, the CE router advertises the site's local VPN routes to the PE router and learns remote VPN routes from the PE router. Any router in Cisco's portfolio can act as a CE router, because the CE router only exchanges routing information with the PE router. Typically in a branch office, the Cisco 2600 series serves as the CE router.
Provider Edge Routers
PE routers exchange routing information with CE routers using static routing, RIPv2, OSPF, or EIGRP. While a PE router maintains VPN routing information, it is only required to maintain VPN routes for those VPNs to which it is directly attached. This design eliminates the need for PE routers to maintain all of the service provider's VPN routes. Each PE router maintains a VRF for each of its directly connected sites. Multiple interfaces on a PE router can be associated with a single VRF if these sites all participate in the same VPN. Each VPN is mapped to a specific VRF; note that it is an interface on the PE router, not a site, that is associated with a VRF. The PE router is able to maintain multiple forwarding tables that support the per-VPN segregation of routing information. After learning local VPN routes from CE routers, a PE router exchanges VPN routing information with other PE routers using IBGP. Only the routes pertinent to the PE router's VRFs are exchanged.
The following is a list of router platforms supported at the provider edge.
• Cisco 3640 series
• Cisco 3660 series
• Cisco 3700 Series
• Cisco 7200 series
• Cisco 7500 series
• Cisco 10000 series
• Cisco 10720 series
• Cisco 12000 series
Provider Routers
A provider (P) router is any router in the provider's network that does not attach to CE devices. P routers function as MPLS transit LSRs when forwarding VPN data traffic between PE routers. Since traffic is forwarded across the MPLS backbone using a two-layer label stack, P routers are only required to maintain routes to the provider's PE routers; they are not required to maintain specific VPN routing information for each customer site.
The following is a list of router platforms supported at the provider core.
• Cisco 3600 series
• Cisco 7200 series
• Cisco 7500 series
• Cisco 8540 series
• Cisco 8800 series
• Cisco 12000 series
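The three components listed earlier (route-target communities, MP-BGP propagation between PEs, and label-based forwarding) and the per-VRF segregation described for the PE and P routers, modelled in a small Python simulation. This is an added illustration, not code from this paper or from any Cisco implementation; the PE names, RD and route-target values, prefixes and label numbers are constructed for the example.

```python
# Added illustration, not Cisco code: RD/RT values, PE names, prefixes and
# labels below are constructed. Model of RFC 2547bis route distribution.
from dataclasses import dataclass, field

@dataclass
class Vrf:
    rd: str                 # route distinguisher: keeps overlapping customer prefixes distinct in BGP
    export_rt: frozenset    # route targets attached to routes exported from this VRF
    import_rt: frozenset    # a VPNv4 route must carry one of these to be imported here
    routes: dict = field(default_factory=dict)  # prefix -> (egress PE, VPN label)

class Pe:
    def __init__(self, name):
        self.name, self.vrfs, self._next_label = name, {}, 100

    def learn_from_ce(self, vrf, prefix):
        # route learned from the attached CE; the PE binds a VPN (inner) label to it
        self.vrfs[vrf].routes[prefix] = (self.name, self._next_label)
        self._next_label += 1

    def vpnv4_updates(self):
        # MP-BGP export of locally learned routes: (RD, prefix, RTs, next-hop PE, VPN label)
        return [(v.rd, p, v.export_rt, self.name, lbl)
                for v in self.vrfs.values()
                for p, (pe, lbl) in v.routes.items() if pe == self.name]

    def import_vpnv4(self, update):
        _rd, prefix, rts, nexthop, label = update
        for v in self.vrfs.values():
            if v.import_rt & rts:       # RT match is the only admission criterion
                v.routes[prefix] = (nexthop, label)

    def forward(self, vrf, prefix, transport):
        # VRF lookup yields egress PE + VPN label; the transport (outer) label towards
        # that PE is pushed on top. P routers switch on the outer label only.
        hit = self.vrfs[vrf].routes.get(prefix)   # miss: prefix is not in this VPN
        return None if hit is None else [transport[hit[0]], hit[1]]

def build_backbone():
    """Two PEs; VPNs RED and BLUE both use 10.1.0.0/16 at the PE2 site."""
    pe1, pe2 = Pe("PE1"), Pe("PE2")
    for pe in (pe1, pe2):
        pe.vrfs["RED"] = Vrf("65000:1", frozenset({"65000:1"}), frozenset({"65000:1"}))
        pe.vrfs["BLUE"] = Vrf("65000:2", frozenset({"65000:2"}), frozenset({"65000:2"}))
    pe2.learn_from_ce("RED", "10.1.0.0/16")
    pe2.learn_from_ce("BLUE", "10.1.0.0/16")   # same prefix, different customer
    for upd in pe2.vpnv4_updates():           # iBGP session PE2 -> PE1
        pe1.import_vpnv4(upd)
    return pe1, pe2
```

Running `build_backbone()` and then `forward()` on PE1 shows that the same prefix in RED and BLUE resolves to different VPN labels, and that a VRF whose import route target matches nothing stays empty.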