Chapter 4: MPLS VPN Architecture
Explore the powerful world of MPLS VPNs, including Layer 3 VPN architecture, VRF technology, Route Distinguishers, Route Targets, and the integration with MP-BGP for scalable enterprise networking.
Layer 3 VPNs
MPLS Layer 3 VPNs provide secure, scalable connectivity for enterprise networks by creating separate routing instances for each customer while sharing the same physical infrastructure.
L3VPN Benefits
L3VPNs offer complete routing isolation, scalability, and quality of service while reducing complexity for enterprise customers.
Customer Benefits
- Any-to-any connectivity
- QoS and SLA guarantees
- Outsourced routing management
- Seamless site addition
- Hub-and-spoke or mesh topologies
Service Provider Benefits
- Infrastructure sharing
- Scalable service delivery
- Automated provisioning
- Multiple service offerings
- Enhanced revenue opportunities
VPN Model | Customer Equipment | Provider Responsibility | Routing Control |
---|---|---|---|
Peer-to-Peer | CE router only | Full network management | Service provider |
Overlay | Customer premises equipment | Transport only | Customer |
Dedicated | Varies | Physical infrastructure | Customer |
VRF Technology
Virtual Routing and Forwarding (VRF) creates multiple virtual routing instances within a single physical router, enabling customer isolation and overlapping address spaces.
VRF Components
- Routing Table: Separate RIB per VRF
- Forwarding Table: Separate FIB per VRF
- Interfaces: Assigned to specific VRF
- Routing Protocols: VRF-aware instances
VRF Benefits
- Isolation: Complete traffic separation
- Address Overlap: Reuse IP space
- Security: Network segmentation
- Scalability: Multiple customers per router
VRF Operation
Each VRF maintains its own routing and forwarding tables. Packets are forwarded based only on routes within the specific VRF context.
RD & RT Concepts
Route Distinguishers (RD) and Route Targets (RT) are essential mechanisms for maintaining customer separation and controlling route distribution in MPLS VPN networks.
Route Distinguisher (RD)
Purpose: Makes overlapping customer IPv4 routes globally unique within the provider's VPNv4 table
Format: ASN:Value or IP:Value
Length: 64 bits (8 bytes)
Scope: Local to the PE router (configured per VRF; it carries no routing policy)
Function: Prepended to the IPv4 prefix to create the VPNv4 address
Examples:
- 100:1 (Type 0: 2-byte ASN, 4-byte assigned number)
- 192.168.1.1:1 (Type 1: 4-byte IPv4 address, 2-byte assigned number)
- 65001:100 (Type 2: 4-byte ASN, 2-byte assigned number)
Route Target (RT)
Purpose: Controls route import/export between VRFs
Format: Same as RD format
Length: 64 bits (8 bytes)
Scope: Network-wide significance (carried as a BGP extended community)
Function: Policy control mechanism
- Export RT: Attached to routes as they leave a VRF
- Import RT: Determines which received VPNv4 routes a VRF accepts
VPN Topology | RT Configuration | Route Flow | Use Case |
---|---|---|---|
Simple VPN | Import RT = Export RT | Any-to-any | Full mesh connectivity |
Hub and Spoke | Hub imports all, spokes import hub only | Through hub | Centralized services |
Extranet | Shared RT for common resources | Selective sharing | Partner connectivity |
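The RT import/export matching behind the table above, simulated in Python as an added example (not code from the original chapter): customer A runs hub-and-spoke (spokes import only the hub's RT) beside an unrelated customer B VRF that reuses one of the spoke prefixes, and an audit flags any VRF that imports an RT exported by a different customer. All VRF names, RDs, RTs and prefixes are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

@dataclass
class Vrf:
    name: str
    customer: str      # which customer this VRF belongs to (used only by the audit)
    rd: str
    import_rts: Set[str]
    export_rts: Set[str]
    table: Dict[str, str] = field(default_factory=dict)  # IPv4 prefix -> originating VRF

@dataclass(frozen=True)
class VpnRoute:
    rd: str                # RD of the exporting VRF; keeps overlapping prefixes distinct
    prefix: str
    origin_vrf: str
    rts: FrozenSet[str]    # export RTs carried as BGP extended communities

def export_routes(vrf: Vrf, prefixes: List[str]) -> List[VpnRoute]:
    """Each CE prefix becomes one VPNv4 route (RD:prefix) tagged with the VRF's export RTs."""
    return [VpnRoute(vrf.rd, p, vrf.name, frozenset(vrf.export_rts)) for p in prefixes]

def import_routes(vrf: Vrf, vpn_table: List[VpnRoute]) -> Dict[str, str]:
    """A VRF installs a VPNv4 route only if one of its attached RTs is in the import list
    (its own routes are always present); the RD is stripped and the IPv4 prefix installed."""
    for r in vpn_table:
        if r.origin_vrf == vrf.name or r.rts & vrf.import_rts:
            vrf.table[r.prefix] = r.origin_vrf
    return vrf.table

def audit_rt_leaks(vrfs: List[Vrf]) -> List[Tuple[str, str]]:
    """Defensive check: every (VRF, RT) pair where a VRF imports an RT that a VRF of a
    different customer exports, i.e. a cross-customer route leak."""
    return sorted({(v.name, rt) for v in vrfs for o in vrfs
                   if o.customer != v.customer for rt in v.import_rts & o.export_rts})

def build_hub_and_spoke() -> Dict[str, Dict[str, str]]:
    """Constructed topology: customer A as hub-and-spoke (spokes see only the hub) beside an
    unrelated customer B VRF that reuses spoke A's 10.1.0.0/24. RDs and RTs are made up."""
    hub = Vrf("HUB", "A", "65001:1", {"65001:2"}, {"65001:1"})
    spoke_a = Vrf("SPOKE_A", "A", "65001:2", {"65001:1"}, {"65001:2"})
    spoke_b = Vrf("SPOKE_B", "A", "65001:3", {"65001:1"}, {"65001:2"})
    cust_b = Vrf("CUST_B", "B", "65002:1", {"65002:1"}, {"65002:1"})
    vrfs = [hub, spoke_a, spoke_b, cust_b]
    vpn_table = (export_routes(hub, ["10.0.0.0/24"]) + export_routes(spoke_a, ["10.1.0.0/24"])
                 + export_routes(spoke_b, ["10.2.0.0/24"]) + export_routes(cust_b, ["10.1.0.0/24"]))
    return {v.name: import_routes(v, vpn_table) for v in vrfs}
```

Because customer B's route carries a different RD, its 10.1.0.0/24 never collides with spoke A's in the VPNv4 table, and because its RT is not imported anywhere in customer A, it never lands in customer A's VRFs.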
MP-BGP Integration
Multi-Protocol BGP (MP-BGP) extends BGP to carry VPN routing information, enabling scalable distribution of VPN routes across the MPLS network backbone.
MP-BGP Extensions
MP-BGP introduces new address families and NLRI formats to support VPNv4 routes with embedded RD and RT information.
VPNv4 Address Family
- AFI: 1 (IPv4)
- SAFI: 128 (MPLS-labeled VPN)
- NLRI: VPN label + RD + IPv4 prefix
- Total: 12-byte VPNv4 address (8-byte RD + 4-byte IPv4 prefix)
Extended Communities
- Route Target (RT)
- Site of Origin (SoO)
- Link Bandwidth
- OSPF Domain ID
Label Information
- VPN label in NLRI
- Transport label from LDP
- Two-level label stack
- Hierarchical forwarding
BGP Attribute | Type | VPN Usage | Description |
---|---|---|---|
MP_REACH_NLRI | Optional Non-transitive | Route advertisement | Carries VPNv4 prefixes and next-hop |
MP_UNREACH_NLRI | Optional Non-transitive | Route withdrawal | Withdraws VPNv4 prefixes |
Extended Communities | Optional Transitive | RT, SoO, others | Carries VPN policy information |
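The RD types and the VPNv4 NLRI layout described above, encoded and decoded in Python as an added example (not code from the original chapter): each RD type is packed into its 8 wire bytes, the RT is packed as the matching 8-byte extended community, and a VPNv4 NLRI entry is built as length, 3-byte label field, RD and prefix. Inferring the RD type from the ASN size mirrors common router behaviour and is an assumption; label and prefix values are constructed.

```python
import ipaddress
import struct
from typing import Optional, Tuple

def encode_rd(rd: str, rd_type: Optional[int] = None) -> bytes:
    """Encode an RD written as ASN:value or IP:value into its 8 wire bytes.
    Type 0 = 2-byte ASN + 4-byte value, Type 1 = IPv4 + 2-byte value,
    Type 2 = 4-byte ASN + 2-byte value; the type is inferred unless given."""
    admin, value = rd.rsplit(":", 1)
    value = int(value)
    if "." in admin:  # Type 1: administrator is an IPv4 address
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, value)
    asn = int(admin)
    if rd_type is None:  # router-style inference (assumed): an ASN above 65535 needs Type 2
        rd_type = 2 if asn > 0xFFFF else 0
    if rd_type == 0:
        return struct.pack("!HHI", 0, asn, value)
    return struct.pack("!HIH", 2, asn, value)

def encode_rt(rt: str) -> bytes:
    """RT as an 8-byte transitive extended community (RFC 4360): the value layout is
    the same as the matching RD type; the first two bytes are type (0x00/0x01/0x02) and
    subtype 0x02 (Route Target) instead of the RD's 2-byte type field."""
    wire = encode_rd(rt)
    return bytes([wire[1], 0x02]) + wire[2:]

def encode_vpnv4_nlri(label: int, rd: str, prefix: str) -> bytes:
    """One VPNv4 NLRI entry as carried in MP_REACH_NLRI (RFC 4364 section 4.3.4):
    1-byte length in bits, 3-byte label field (20-bit VPN label, EXP 0, bottom of
    stack 1), 8-byte RD, then only the significant bytes of the IPv4 prefix."""
    net = ipaddress.IPv4Network(prefix)
    prefix_bytes = net.network_address.packed[: (net.prefixlen + 7) // 8]
    label_field = ((label << 4) | 1).to_bytes(3, "big")
    return bytes([24 + 64 + net.prefixlen]) + label_field + encode_rd(rd) + prefix_bytes

def decode_vpnv4_nlri(data: bytes) -> Tuple[int, str, str]:
    """Inverse of encode_vpnv4_nlri: returns (label, rd, prefix)."""
    label = int.from_bytes(data[1:4], "big") >> 4
    rd_type = struct.unpack("!H", data[4:6])[0]
    if rd_type == 1:
        ip, val = struct.unpack("!4sH", data[6:12])
        rd = f"{ipaddress.IPv4Address(ip)}:{val}"
    else:
        asn, val = struct.unpack("!HI" if rd_type == 0 else "!IH", data[6:12])
        rd = f"{asn}:{val}"
    plen = data[0] - 88  # strip the 24 label bits and 64 RD bits
    addr = data[12:12 + (plen + 7) // 8].ljust(4, b"\x00")
    return label, rd, f"{ipaddress.IPv4Address(addr)}/{plen}"
```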
PE-CE Relationships
The Provider Edge to Customer Edge (PE-CE) relationship is crucial for MPLS VPN operation, defining how customer routes are learned and distributed within the VPN.
Static Routing
Simplest option for small sites
Advantages:
- Simple configuration
- No protocol overhead
- Predictable routing
Drawbacks:
- Manual configuration
- No automatic failover
BGP PE-CE
Most scalable and feature-rich
Advantages:
- Excellent scalability
- Rich policy control
- Loop prevention (SoO)
Drawbacks:
- Complex configuration
- BGP knowledge required
OSPF PE-CE
Preserves OSPF characteristics
Advantages:
- Preserves LSA types
- Maintains area concept
- Familiar to enterprises
Drawbacks:
- Sham-link complexity
- Domain ID management
PE-CE Protocol | Best Use Case | Key Considerations | Loop Prevention |
---|---|---|---|
Static | Small single-homed sites | Manual configuration required | Not applicable |
RIP | Legacy environments only | Limited scalability | Site of Origin (SoO) |
EIGRP | Cisco-only environments | Preserves EIGRP attributes | Site of Origin (SoO) |
OSPF | Enterprise OSPF networks | Domain ID and sham-links | Domain ID comparison |
BGP | Large, complex networks | AS number configuration | Site of Origin (SoO) |
Next Steps
Now that you understand MPLS VPN architecture, continue to Chapter 5: Configuration & Implementation to learn how to configure and deploy MPLS networks.