routing loop, you can configure a routing policy on PE 2 to add the SoO attribute to route updates
received from CE 2 and CE 3 so that PE 2 will not advertise route updates from CE 3 to CE 2.
Multi-VPN-instance CE
Using tunnels, MPLS L3VPN implements private network data transmission over the public network.
However, the traditional MPLS L3VPN architecture requires that each VPN instance exclusively use a CE
to connect with a PE, as shown in
For better services and higher security, a private network is usually divided into multiple VPNs to isolate
services. To meet this requirement, you can configure a CE for each VPN, which increases users’ device
expenses and maintenance costs. Alternatively, you can configure multiple VPNs to use the same CE and
the same routing table, which cannot ensure data security.
Using the Multi-VPN-Instance CE (MCE) function of the Ethernet switches, you can resolve the
conflict between low cost and high security in multi-VPN networks. With MCE configured, a CE can bind
each VPN in a network to a VLAN interface on the CE, and create and maintain a separate routing
table (multi-VRF) for each VPN. This separates the forwarding paths of packets of different VPNs and, in
conjunction with the PE, correctly advertises the routes of each VPN to the peer PE, ensuring the
normal transmission of VPN packets over the public network.
The following takes the networking illustrated in Figure 65 as an example to introduce how an MCE
maintains the routing entries of multiple VPNs and how an MCE exchanges VPN routes with PEs.
Figure 65 Network diagram for the MCE function
As shown in Figure 65, on the left-side network, there are two VPN sites, both of which are connected to
the MPLS backbone through the MCE. VPN 1 and VPN 2 on the left-side network need to establish a
tunnel with VPN 1 and VPN 2 on the right-side network respectively.
With the MCE function, you can create a routing table for VPN 1 and VPN 2 respectively on the MCE,
and bind VLAN-interface 2 with VPN 1 and VLAN-interface 3 with VPN 2. When receiving a routing
message, the MCE can determine the source of the routing information according to the inbound
interface, and then update the routing table of the corresponding VPN.
In addition, you need to perform configurations on PE 1 to bind the interface connected to the MCE with
the VPNs in the same way as you do on the MCE. The MCE device and PE 1 must be connected through
a trunk link to allow packets of VLAN 2 and VLAN 3 to pass through with tags carried. In this way, when
receiving a packet, PE 1 can determine which VPN the packet belongs to and then pass the packet to
the right tunnel.
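
The following Python model is an added illustration, not code or configuration from the switch documentation. It contrasts the per-VPN routing tables selected by inbound interface, as described above, with a CE that keeps one shared table. The class names, prefixes and next hops are constructed for the example; only the two VLAN-interface-to-VPN bindings come from the text.

```python
import ipaddress

class RoutingTable:
    """One routing table with longest-prefix-match lookup."""
    def __init__(self):
        self.routes = {}  # ip_network -> next hop

    def learn(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

class MCE:
    """Hypothetical CE model: one routing table per VPN, chosen by inbound interface."""
    def __init__(self, bindings):
        self.bindings = dict(bindings)  # interface name -> VPN name
        self.tables = {vpn: RoutingTable() for vpn in self.bindings.values()}

    def _table(self, in_if):
        vpn = self.bindings.get(in_if)
        if vpn is None:  # unbound interface: refuse instead of using a default table
            raise ValueError(f"{in_if} is not bound to any VPN")
        return self.tables[vpn]

    def on_route_update(self, in_if, prefix, next_hop):
        self._table(in_if).learn(prefix, next_hop)

    def forward(self, in_if, dst):
        return self._table(in_if).lookup(dst)

def demo():
    # Bindings follow the text; prefixes and next hops are constructed samples.
    mce = MCE({"VLAN-interface 2": "VPN 1", "VLAN-interface 3": "VPN 2"})
    shared = RoutingTable()  # the single-table CE that cannot isolate VPNs
    updates = [("VLAN-interface 2", "192.168.0.0/24", "10.214.10.2"),
               ("VLAN-interface 3", "192.168.0.0/24", "10.214.20.2"),
               ("VLAN-interface 3", "192.168.10.0/24", "10.214.20.2")]
    for in_if, prefix, next_hop in updates:
        mce.on_route_update(in_if, prefix, next_hop)
        shared.learn(prefix, next_hop)
    return {"vpn1": mce.forward("VLAN-interface 2", "192.168.0.5"),
            "vpn2": mce.forward("VLAN-interface 3", "192.168.0.5"),
            "vpn1_to_vpn2_prefix": mce.forward("VLAN-interface 2", "192.168.10.5"),
            "shared_overlap": shared.lookup("192.168.0.5"),
            "shared_cross_vpn": shared.lookup("192.168.10.5")}
```

With the shared table, the overlapping prefix from VPN 2 replaces the VPN 1 route and VPN 2's private prefix is reachable from any interface; with per-VPN tables both lookups stay inside the VPN bound to the inbound interface.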