A Guide to MPLS VPN Fundamentals

Following our blog on MPLS basics, here is a look at the fundamentals of MPLS VPN and some of the most frequently used MPLS VPN terminology.

To start, Multi-Protocol Label Switching (MPLS) is a switching technique where packets are forwarded from a source to destination using labels rather than using hop-by-hop IP based forwarding. The label-based forwarding technique of MPLS is leveraged by network operators, service providers, enterprises, and even data centers to provide services such as VPN (VPLS, Layer 3 VPN, MVPN, etc.), traffic engineering (MPLS-TE, RSVP-TE), and protection (FRR).

MPLS-based Virtual Private Network (VPN)

Before MPLS VPN, organizations requiring VPN connectivity used VPN models that were expensive and complex. These models also could not isolate customers and had scaling issues when having to manage a large number of tunnels. But the advent of MPLS made it possible to run VPN services over MPLS, giving it a few advantages over the traditional VPN models that were widely in use.

MPLS VPN allows for the creation of virtual private networks using MPLS. There are three types of MPLS VPNs that are in use:

  1. Point-to-Point (Pseudowire)
  2. Layer 2 MPLS VPN or VPLS
  3. Layer 3 MPLS VPN

Before we look at what each of the VPN types are, let us look at some of the frequently used terminology related to MPLS VPN.

MPLS Router Roles

The routers that are part of an MPLS network have different roles that are important to understand when describing MPLS VPN services. Let us look what these roles are.

MPLS router roles explained

P (Provider Router): A core router that is part of the service provider MPLS network and forms a label switched path (LSP).

PE (Provider Edge Router): These are devices that sit at the edge of the MPLS network and connect the MPLS network to the customer’s edge routers known as the CE router.

CE (Customer Edge Router): These devices sit at the edge of the customer network and connect to the MPLS network over the PE device. CE devices are part of a VRF (see below) on the PE device.

VRF (Virtual Routing and Forwarding)

A technology that allows multiple routing and forwarding tables to exist on a device. This allows a PE router to appear as multiple routers to CE routers. The PE router maintains a distinct routing table within the specific VRF of each CE router that is connected to it, allowing IP address space to be reused among multiple domains or customers.

Route Distinguisher

While VRFs allow for the same IP space to be reused by distinct routing domains, it is the route distinguisher (RD) that distinguishes a set of routes that are part of one VRF from another. An RD is a unique number that is added to each route within a VRF, which helps other routers to identify the routes as belonging to that specific VRF or customer.

Route Target

Route Targets are identifiers added to routes to enable a router to know which routes must be inserted into which VRFs. A route target allows the router to control the import and export of routes among different VRFs.

Other terminologies such as LSP, LER, LSR, and LDP, which we covered in the MPLS Fundamentals blog, also apply to MPLS VPN. And now let’s get back to the different types of MPLS VPNs.

Point-to-Point (Pseudowire)

Pseudowire is a term used to describe an emulated layer 2 point-to-point connection delivered over MPLS using LDP as its signaling mechanism. Pseudowire is also referred to as AToM (Any Transport over MPLS) by Cisco. This VPN service uses virtual leased lines (VLL) to provide layer 2 point-to-point connectivity between two sites to carry Ethernet, frame relay or ATM data, and can even interconnect two different types of media – say, Ethernet and Frame Relay.

VPLS

Virtual Private LAN Service or VPLS is an Ethernet based point-to-multipoint Layer 2 VPN. It allows a service provider to connect geographically spread LAN networks to each other over its MPLS core. For a customer who uses a VPLS service from a provider, all these sites appear as part of the same Ethernet LAN. In fact, many service providers call their Layer 2 MPLS VPN an Enterprise Virtual Private LAN service.

In VPLS, data from a customer is first sent to the CE router and then to the PE router connected to it. The packet then traverses the MPLS core over an MPLS LSP and arrives at the egress node. From there it is sent to its destination over the CE router at the destination. Layer 2 VPNs have had two different methods for signaling – the LDP-based method from Cisco, which is simpler and more commonly implemented, and the BGP-signaled method from Juniper that is complex but supports auto discovery of new PEs.

MPLS Pseudowire VLL vs MPLS L2 VPN VPLS

MPLS Layer 3 VPN

When service providers mention MPLS VPN, a majority usually mean Layer 3 MPLS VPN services. MPLS Layer 3 VPN is one of the most widely used services leveraged on MPLS.

With Layer 3 MPLS VPN, providers create VRFs on their PE routers. Customers connecting from different CE routers are then placed within a VRF on the same PE, after which they exchange routes with the PE using BGP or IGP.

MPLS Layer 3 VPN works on the concept of label switching (also covered in the MPLS fundamentals blog). Here, LDP signals and creates an LSP between a source and destination pair of routers. The customer then sends a route update that is advertised from the CE to the PE and then across the MPLS networks to other PEs. After a path has been established, the customer sends packets along the LSP to its destination.

MPLS VPN Fundamentals

Basic MPLS Layer 3 VPN Topology

For more detailed design examples of MPLS Layer 3 VPNs, check out this article: https://routingnull0.com/2015/12/14/mpls-l3vpns-part-2/

With that, we hope you are ready to explore more of MPLS VPN world. And after you are done implementing your MPLS VPN network, don’t forget to add MPLS monitoring to ensure the performance of your MPLS VPN.

Explorer Suite for VPNs | More Resources | Request Demo | Follow us on Twitter