Cisco ME 3800X and 3600X Switch Software Configuration Guide
OL-23400-01
Chapter 34 Configuring MPLS, MPLS VPN, MPLS OAM, and EoMPLS
Understanding MPLS VPNs
Using MPLS virtual private networks (VPNs) provides the capability to deploy and administer scalable
Layer 3 VPN backbone services to business customers. A VPN is a secure IP-based network that shares
resources on one or more physical networks. A VPN contains geographically dispersed sites that can
communicate securely over a shared backbone.
VPN routes are distributed over the MPLS network by using multiprotocol BGP (MP-BGP), which also
distributes the labels associated with each VPN route. MPLS VPN depends on VPN routing and
forwarding (VRF) support to isolate the routing domains from each other. When routes are learned over
an MPLS VPN, the switch learns the new route as a normal VRF route, except that the destination MAC
address for the next hop is not the real address, but a specially formed address that contains an identifier
that is allocated for the route. When an MPLS-VPN packet is received on a port, the switch looks up the
labels in the routing table to determine what to do with the packet.
Each VPN is associated with one or more VPN VRF instances. A VRF includes routing and forwarding
tables and rules that define the VPN membership of customer devices attached to the customer-edge
(CE) device. A customer site can be a member of multiple VPNs; however, a site can associate with only
one VRF. A VRF has these elements:
• An IP routing table
• A Cisco Express Forwarding table
• A set of interfaces that use the forwarding table
• A set of rules and routing protocol parameters to control the information in the routing tables
A customer-site VRF contains all the routes available to the site from the VPNs to which it belongs. VPN
routing information is stored in the IP routing table and the Cisco Express Forwarding table for each
VRF. A separate set of tables is maintained for each VRF, which prevents information from being
forwarded outside a VPN and prevents packets that are outside a VPN from being forwarded to a router
within the VPN. Based on the routing information stored in the VRF IP routing table and the VRF Cisco
Express Forwarding table, packets are forwarded to their destinations.
A provider-edge (PE) router binds a label to each customer prefix that is learned from a CE device and
includes the label in the network reachability information for the prefix that it advertises to other PE
routers. When a PE router forwards a packet that is received from a CE device across the provider
network, it labels the packet with the label learned from the destination PE router. When the destination
PE router receives the labeled packet, it examines the label and uses it to direct the packet to the correct
CE device.
A customer data packet carries two levels of labels when traversing the backbone:
• The top label directs the packet to the correct PE router.
• The second label defines how that PE router should forward the packet to the CE device.
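The following Python model is an added example; it is not code from the Cisco guide and does not reflect how the switch implements forwarding internally. It ties together the two passages above: per-VRF routing tables that let two customers reuse the same address space without leaking routes between them, and the two-label stack that an ingress PE pushes (transport label on top, VPN label beneath) and an egress PE uses to pick the VRF and CE-facing interface. The VRF names, prefixes, PE names, label values, interface names, and the payload are all constructed for illustration; the label stack encoding follows the standard 4-byte MPLS label entry (20-bit label, 3-bit traffic class, 1-bit bottom-of-stack, 8-bit TTL). Penultimate-hop popping and the Ethernet header are deliberately left out.

```python
"""Toy model of MPLS VPN forwarding: VRF isolation plus the two-level label stack.

Added example, not from the Cisco guide. All names, prefixes and label values
below are constructed for illustration only.
"""
import ipaddress
import struct

# Per-VRF routing tables (constructed). Each VRF maps a prefix to the egress PE
# that advertised it over MP-BGP and the VPN label that PE bound to the prefix.
# CUST_A and CUST_B both use 10.1.0.0/16; separate tables keep them apart.
VRF_TABLES = {
    "CUST_A": {
        ipaddress.ip_network("10.1.0.0/16"): ("pe2", 1001),
        ipaddress.ip_network("10.1.5.0/24"): ("pe3", 1002),  # a second CUST_A site behind pe3
    },
    "CUST_B": {
        ipaddress.ip_network("10.1.0.0/16"): ("pe3", 2001),
    },
}

# Transport (top) labels toward each PE, as the core would distribute them (constructed).
TRANSPORT_LABELS = {"pe2": 16, "pe3": 17}

# On each egress PE: VPN label -> (VRF, CE-facing interface) (constructed).
EGRESS_VPN_LABELS = {
    "pe2": {1001: ("CUST_A", "GigabitEthernet0/1")},
    "pe3": {1002: ("CUST_A", "GigabitEthernet0/3"), 2001: ("CUST_B", "GigabitEthernet0/2")},
}


def vrf_lookup(vrf, dst_ip):
    """Longest-prefix match restricted to one VRF's table; None if no route."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop in VRF_TABLES[vrf].items():
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best[1] if best else None


def encode_label_stack(labels, ttl=64):
    """Serialize label entries; the last entry carries the bottom-of-stack bit."""
    out = bytearray()
    for i, label in enumerate(labels):
        if not 0 <= label < (1 << 20):
            raise ValueError("label out of 20-bit range: %d" % label)
        bos = 1 if i == len(labels) - 1 else 0
        out += struct.pack("!I", (label << 12) | (bos << 8) | ttl)
    return bytes(out)


def decode_label_stack(data):
    """Return (labels, payload); raise if the stack is truncated before bottom-of-stack."""
    labels, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("label stack truncated")
        (entry,) = struct.unpack_from("!I", data, offset)
        labels.append(entry >> 12)
        offset += 4
        if (entry >> 8) & 1:
            return labels, data[offset:]


def ingress_pe_forward(vrf, dst_ip, payload):
    """Ingress PE: look up only the receiving VRF, then push [transport, vpn] labels."""
    route = vrf_lookup(vrf, dst_ip)
    if route is None:
        return None  # no route in this VRF: drop rather than consult another VRF
    egress_pe, vpn_label = route
    return encode_label_stack([TRANSPORT_LABELS[egress_pe], vpn_label]) + payload


def egress_pe_forward(pe, frame):
    """Egress PE: check the top label is its own, then map the VPN label to a VRF and CE port."""
    labels, payload = decode_label_stack(frame)
    if len(labels) != 2 or labels[0] != TRANSPORT_LABELS[pe]:
        return None  # not addressed to this PE, or malformed stack
    target = EGRESS_VPN_LABELS[pe].get(labels[1])
    if target is None:
        return None  # unknown VPN label: drop
    vrf, ce_interface = target
    return vrf, ce_interface, payload


if __name__ == "__main__":
    frame = ingress_pe_forward("CUST_A", "10.1.2.3", b"payload-A")
    print(decode_label_stack(frame)[0], egress_pe_forward("pe2", frame))
```

The same destination address resolves to different PEs and labels depending on which VRF the packet arrived in, and a packet whose VRF has no matching route is dropped rather than falling through to another customer's table.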
VPN Benefits
MPLS VPNs allow service providers to deploy scalable VPNs and build the foundation to deliver
value-added services, including:
• Connectionless service—MPLS VPNs are connectionless, which means that no prior action is
required to establish communication between hosts. A connectionless VPN does not require tunnels
and encryption for network privacy.
• Centralized service—MPLS VPNs are seen as private intranets, which allows delivery of targeted
IP services to a group of users represented by a VPN.