
An Introduction to MPLS Layer 3 VPN

  • Writer: Francisco Augusto Nascimento Antonio
  • Oct 10, 2020

Updated: Oct 24, 2020



MPLS Layer 3 VPNs provide peer-to-peer connectivity between private customer sites across a shared network.

In an MPLS Layer 3 VPN architecture, customer routers are known as CE (customer edge) routers, and they do not run MPLS.

The CE routers connect to the PE (provider edge) router of the MPLS domain.

The goal is to have customer sites exchange their local routing information over the MPLS domain and then forward traffic as needed from site to site over the MPLS domain. The same would be true for other customers sharing the MPLS domain.

Due to the nature of the MPLS Layer 3 VPN, overlapping address spaces between customers are of no concern. Therefore, Customer A and Customer B can use the same private IP address space.

To support multiple customers, the PE routers need to use VRF instances to isolate each customer's information and traffic from other customers. A different VRF instance needs to be created for each customer, and the interface that connects to the customer's CE router needs to be associated with that VRF. The CE router and the PE router exchange IPv4 routes using a routing protocol such as RIP (Routing Information Protocol), OSPF (Open Shortest Path First), EIGRP (Enhanced Interior Gateway Routing Protocol), or BGP (Border Gateway Protocol), and the routes are placed in the customer-specific VRF table on the PE router. Therefore, from the customer's perspective, the PE router is simply another router in the customer's network, but it is under the control of the provider. However, note that all P routers are hidden from the customer.


Once the PE routers learn routes from the CE routers, the PE routers redistribute the routes into MP-BGP so they can be exchanged with other PE routers. When another PE router receives the routes, they are redistributed into an IGP and placed in the correct customer VRF instance so they can be exchanged with the CE router. Keep in mind that the P routers do not participate in BGP; only the PE routers do.

The PE routers form an MP-IBGP (Multiprotocol-Interior Border Gateway Protocol) neighborship with each other and exchange the routes over the underlying network, which is built with an IGP (Interior Gateway Protocol) such as OSPF or IS-IS (Intermediate System to Intermediate System). The PE routers and P routers use a dynamic routing protocol to learn about all the destinations in the P network, and only the PE routers use MP-IBGP on top of that to exchange the customer routes.


MPLS Layer 3 VPNv4 Address


When customer routes are redistributed into MP-BGP, the PE router uses a route distinguisher (RD) to expand the customer's IP prefix so that it includes a unique value that distinguishes it from other identical prefixes. The RD is generated and used by PE routers on a per-customer VRF instance basis. To keep things simple, the RD is used all the time, regardless of whether there are overlapping address spaces.
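
The effect of the RD on overlapping prefixes, as an added example that is not from the original post or the referenced guide. It assumes the type 0 RD layout from RFC 4364 (which the post does not specify); the VRF names, AS number 65000, RD values and prefixes are constructed sample data.

```python
import ipaddress
import struct

def encode_rd(asn, number):
    """Type 0 RD (RFC 4364 layout, assumed here): 2-byte type, 2-byte ASN, 4-byte number."""
    if not (0 <= asn <= 0xFFFF and 0 <= number <= 0xFFFFFFFF):
        raise ValueError("type 0 RD needs a 2-byte ASN and a 4-byte number")
    return struct.pack("!HHI", 0, asn, number)

def vpnv4_key(rd, prefix):
    """Return (8-byte RD + 4-byte IPv4 network address, prefix length)."""
    net = ipaddress.IPv4Network(prefix)  # raises ValueError if host bits are set
    return rd + net.network_address.packed, net.prefixlen

def build_mpbgp_table(vrfs):
    """Place every VRF's routes in one shared table keyed by VPNv4 address.

    Returns (table, collisions). A collision means two VRFs produced the
    same VPNv4 key, so their routes can no longer be told apart.
    """
    table, collisions = {}, []
    for vrf, (rd, prefixes) in vrfs.items():
        for prefix in prefixes:
            key = vpnv4_key(rd, prefix)
            owner = table.setdefault(key, vrf)
            if owner != vrf:
                collisions.append((owner, vrf, prefix))
    return table, collisions

# Constructed sample data: two customers using the same private address space.
OVERLAP = ["10.0.0.0/24", "192.168.1.0/24"]
UNIQUE_RDS = {
    "CUSTOMER_A": (encode_rd(65000, 1), OVERLAP),
    "CUSTOMER_B": (encode_rd(65000, 2), OVERLAP),
}
# Misconfiguration: both VRFs were given RD 65000:1.
REUSED_RD = {
    "CUSTOMER_A": (encode_rd(65000, 1), OVERLAP),
    "CUSTOMER_B": (encode_rd(65000, 1), OVERLAP),
}

if __name__ == "__main__":
    for name, vrfs in (("unique RDs", UNIQUE_RDS), ("reused RD", REUSED_RD)):
        table, collisions = build_mpbgp_table(vrfs)
        print(f"{name}: {len(table)} VPNv4 routes, {len(collisions)} collisions")
        for owner, vrf, prefix in collisions:
            print(f"  {prefix}: {vrf} collides with {owner}")
```

With one RD per VRF the four overlapping routes stay distinct; when the same RD is assigned to both VRFs they collapse to two keys, which is the condition worth checking for when auditing PE configurations.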


PE Routers Exchanging VPNv4 Routes


Step 1. The CE router and PE router exchange routes using a dynamic routing protocol such as OSPF or EIGRP.


Step 2. The PE router places the customer-specific routes in the customer-specific VRF table.


Step 3. The routes in the customer's VRF table are redistributed into MP-BGP as VPNv4 routes.


Step 4. The PE routers exchange VPNv4 routes over their MP-IBGP peering.


Step 5. The PE router redistributes the VPNv4 routes as OSPF, EIGRP, or other routing protocol routes into the customer-specific VRF table.


Step 6. The PE router and CE router exchange routes using a dynamic routing protocol such as OSPF or EIGRP.


MPLS Layer 3 VPN Label Stack

For the MPLS domain to forward traffic, a label stack is required. Two labels are required for traffic to be successfully forwarded through the MPLS domain.

The first label that is attached to the packet is the VPN label, and the second label that is attached is the LDP label.

How does it work?

When the IP packet arrives at the ingress PE router, the PE router attaches both labels. The egress router uses the VPN label to determine customer specifics about the packet and what should be done with it.

The LDP label is used for switching from PE to PE in the MPLS domain. VPN labels are learned from PE routers over the MP-IBGP peering.


References:

CCNP Enterprise Advanced Routing ENARSI Official Cert Guide. Authors: Raymond Lacoste & Brad Edgeworth

 
 
 
