One of the most compelling drivers for MPLS in service provider networks is its support for Virtual Private Networks VPNs, in which the provider’s customers can connect geographically di
Trang 1pdfcrowd.com open in browser customize free license
Jeff Doyle on IP Routing Jeff Doy le
Select Cisco Subnet Blog Understanding MPLS VPNs, Part I
By jdoyle on Wed, 02/06/08 - 9:57pm.
<! StartFragment >
<! StartFragment >
One of the most compelling drivers for MPLS in service provider networks is its support for Virtual
Private Networks (VPNs), in which the provider’s customers can connect geographically diverse sites
across the provider’s network
There are three kinds of MPLS-based VPN:
- Layer 3 VPNs: With L3 VPNs the service provider participates in the customer’s Layer 3
routing. The customer’s CE router at each of his sites speaks a routing protocol such as
BGP or OSPF to the provider’s PE router, and the IP prefixes advertised at each customer
site are carried across the provider network. L3 VPNs are attractive to customers who want
to leverage the service provider’s technical expertise to insure efficient site-to-site routing
Email Comments (6) Print
Welcome, visitor. Register Log in
Tests White Papers Webcasts Solution Centers
New s Blogs & Columns Subscriptions Videos Events More
Trang 2- Layer 2 VPNs: The provider interconnects the customer sites via the Layer 2 technology –
usually ATM, Frame Relay, or Ethernet – of the customer’s choosing. The customer
implements whatever Layer 3 protocol he wants to run, with no participation by the service
provider at that level. L2 VPNs are attractive to customers who want complete control of their
own routing; they are attractive to service providers because they can serve up whatever
connectivity the customer wants simply by adding the appropriate interface in the PE router
- Virtual Private LAN Service: VPLS makes the service provider’s network look like a single
Ethernet switch from the customer’s viewpoint. The attraction of VPLS to customers is that
they can make their WAN look just like their local campus- or building-scope networks, using
a single technology (Ethernet) that is cheap and well understood. Unlike traditional Metro
Ethernet services built around actual Ethernet switches, service providers can connect VPLS
customers from regional all the way up to global scales. So a customer with sites in London,
Dubai, Bangalore, Hong Kong, Los Angeles, and New York can connect all his sites with
what appears to be a single Ethernet switch
The “Virtual” in VPN is that the individual services have the appearance of being distinct, but are in
fact built on a single shared infrastructure – the MPLS network. The advantage to the service provider
is that he can build a portfolio of services to attract a range of customers, without significantly
increasing his capital investment or operational expenses
But it’s the “Private” part of VPN that I want to discuss. Not only must services remain distinct even
though they are supported over a single MPLS network, but individual customer’s networks must
remain securely separated from each other:
- Customer A and customer B, both using L3 VPNs, must not see each other’s IP prefixes. In
fact their respective address spaces can overlap; for instance, both can address their
networks using the same 10.0.0.0 addresses, and the service provider network keeps the
customer’s prefixes separate
- Customer C and customer D, using L2 VPNs, must not see each other’s Layer 2 addresses or
any sort of connection other than to their own sites
- VPLS customers E and F, while both “seeing” the provider’s network as a single Ethernet
switch, must not have the appearance of being connected to the same Ethernet switch. That
is, the virtual Ethernet switch interconnecting customer E’s sites must not be the same
virtual Ethernet switch interconnecting customer F’s sites
Figure 1 (click here to view Figure 1) shows the key elements for creating privacy between VPNs:
Individual information tables for each customer and each customer site, interconnected by individual
Contact Requires Login
Archives
March 2011 February 2011 January 2011 October 2010 October 2009 September 2009 June 2009 May 2009 April 2009 March 2009 January 2009 December 2008
Categories
Business IT Alignnment CGN Cisco
DS Lite Deploying IPv6 Netw orks Dual-Stack Lite IPv6
LANs / WANs LSN
NAT
About Jeff Doyle on IP Routing
Jeff Doyle is president of Jeff Doyle and Associates, an IP network consultancy. Jeff is the author of Routing TCP/IP, Volumes I (read an excerpt) and II and of OSPF and IS-IS:
Choosing an IGP for Large-Scale Networks. He is a frequent speaker on IPv6, MPLS, and large-scale routing
Contact him
Trang 3pdfcrowd.com open in browser customize free license
MPLS LSPs (MPLS virtual circuits). What the information table contains depends on the type of VPN
the table supports:
- The information tables for L3 VPNs contain IP prefixes and are called Virtual Routing and
Forwarding Tables (VRF). VRFs are simply dedicated routing tables
- The information tables for L2 VPNs, called Virtual Forwarding Tables (VFT), contain the Layer
2 addresses of whatever L2 technology it supports; Frame Relay DLCIs, for example
- The information tables for VPLS contain Ethernet MAC addresses and, if VLANS are being
used, VLAN IDs, mapped either to local ports or to LSPs leading to other sites. These tables
serve the same role as the MAC tables in Ethernet switches
The VPN network of Figure 1 is simplistic; it only depicts three customers with two or three sites
each. A production MPLS VPN network is likely to have at least hundreds of customers and
thousands of information tables. Keeping a basic LSP structure like the one in Figure 1 would quickly
lead to scaling limitations
So rather than switch each table-specific LSP individually in the MPLS core network, LSPs are
created between each of the PEs, and shown in Figure 2 (click here to view Figure 2
). The table-specific LSPs are then tunneled within these PE-to-PE LSPs, permitting much better scaling in the
core; switching only must occur among these much fewer tunnel LSPs
And that is the reason for emphasizing label stacking in the last post: It is an essential function for
MPLS VPN scaling. When a PE receives an IP packet or a Layer 2 frame from a locally connected
CE, it does a lookup in the local information table. If the destination of the packet or frame is to a CE
at another site, it is encapsulated behind an MPLS header with the correct label for the LSP
connecting to the remote information table. The resulting MPLS packet is then encapsulated behind
another MPLS header, with the outgoing label of the tunnel LSP connecting to the remote PE in
which the remote information table resides
At the remote PE the outer header is popped, and the label of the inner header is examined. That
label tells the PE what local information table to consult. The inner header can then be popped, and
the decapsulated packet or frame can be forwarded to the locally connected CE as specified by the
correct information table
That gives you the basics of how forwarding is accomplished for MPLS VPNs. In Part II, I’ll discuss
how the reachability information contained in the various information tables is signaled across the
MPLS core to remote PEs
<! EndFragment >
December 2008 November 2008 October 2008 September 2008 August 2008 July 2008 May 2008 April 2008 March 2008 February 2008 January 2008 December 2007 November 2007 See all
NAT NAT444 NAT464 NAT64 Netw ork Design business intelligence carrier grade NAT carrier-grade NAT dual stack large scale NAT measurement netw ork architecture service providers
Trang 4<! EndFragment >
Tags
MPLS VPN
wht an explanation
By Zeeshan0987 (not verified) on Sat, 02/09/2008 - 7:07am.
Gr8 work jeff !!! i have read many explanations regarding mpls VPN but this one was superb
Cisco Press plz let him write a book on mpls !!!
Finally! I now know how
By Anonymous (not verified) on Mon, 02/11/2008 - 6:12pm.
Finally! I now know how label stacking is useful. Every other explanation I've read goes into how it
is done, but until now, I haven't understood why you would want to do this
Given that, if the table-specific label is stacked under the SP's own label(s), would each PE in the
Core LSP use the same outer label, or would it be swapped at each PE in the LSP?
I do have one other question for you, Jeff. Why are labels locally significant, rather than globally
for a LSP? It seems that this creates more work in the LSP that could be removed and instead
be done with LDP, using some sort of syncronization of label-to-prefix advertisements as in
OSPF. Then each LSR would use a single label for the path, like in Frame or ATM
Thanks for your help. I'm really hoping you get a chance to shed some light on this
Re: Finally
By jdoyle on Wed, 02/13/2008 - 11:37pm.
Hi,
Trang 5pdfcrowd.com open in browser customize free license
Regarding your first question:
Each PE would use its own outer label, according to what is assigned by the next downstream LSR along the LSP, and that is then swapped under normal MPLS switching procedures
Regarding the second question, labels are locally significant partly because each downstream router is responsible for distributing labels that have meaning to their own switching tables to upstream routers; there's no way to more broadly predict what labels a local router would want to use. The other reason is scalability: Labels are 20-bits long, so there are only a little over a million label values. By giving them a local scope rather than a network-wide scope, those million values are available on each link rather than across the entire network
Jeff
a positive delight
By netyourlife2007 on Thu, 07/31/2008 - 2:38am.
HI,Jeff
It was a positive delight to reading your article so beautifully
It help me to further understand MPLS vpn globally
Three kinds of MPLS-based VPN,L3/L2/VPLS,and,their characteristics
yes,i got it,it's need to emphasize label stacking,it's the essential to understand MPLS
VPN,especially you face product MPLS VPN service networks
Thanks & BG
Jason
-Welcome to
http://www.netyourlife.net
MPLS L3VPN question
Trang 6Sponsored Links Resource Center
By Rakesh (not verified) on Thu, 09/18/2008 - 10:09am.
Hi Jeff,
I was a delight reading your article related to MPLS. I am new to MPLS. I have certain confusion
related to 2447bis
a) Why do we required 2 label for L3VPN
b) How does Layer 2 VPN works. Any link that could help me to better understand it
Thanks & Regards
rakesh
2 labels for L3VPN
By Shankar (not verified) on Sat, 10/04/2008 - 3:13pm.
Rakesh, Your name is an anagram of my brother's name Shekar :-) a) We require 2 labels for L3VPN because the inner label is the label expected by the egress
PE router
The outer label is used for switching the packet through the core router
b) Layer 2 VPN is very much like L3VPN except that the CE router keeps its routing table separate from the PE routers. Much like a switching table cam, the frames are switched mapping a particular DLCI or a mac address for example to a label value for at the ingree PE
Trang 7pdfcrowd.com open in browser customize free license
Cisco's Unified Fabric delivers resiliency for optimal
performance. Learn More - Cisco
Choosing the Right Metropolitan Ring For Your Business
-AT&T
Comparing Private Line, Frame Relay, ATM, Ethernet and
IP VPNs - AT&T
Firew all podcast Q&As - AT&T
IPv6: Complete these 5 Steps to Prepare - AT&T
Keep Your Enemies Closer: Get Proactive about Security
-AT&T
Maximizing Business Application Functionality - AT&T
Mobility Applications Before and After - AT&T
Transform w ith Mobile Apps - AT&T
Virtela manages, secures and accelerates global
netw orks from the cloud - Virtela Technology Services
Incorporated
Sprint Global MPLS. The best foundation for your
converged netw ork needs - Sprint
Take Control of Virtualization & Cloud w ith Zyrion Service
Monitoring SW - Zyrion
Get Application Performance Monitoring best practices in
this eBook series - Quest Softw are
Enter to w in a Polycom CX5000 360 degree unified
conference station - Polycom
White Paper: Going Green With Physical Layer
Components - Belden
New HP 3PAR Storage System pow ered by Intel® Xeon®
processors - HP - Cupertino
Don't pay for server virtualization. XenServer is
enterprise-class, cloud-proven and FREE - Citrix
Entrust - Strong authentication, most authenticators, one
platform - Entrust
FREE Data Leakage for Dummies Book from Sophos
-Sophos, Inc.
Introducing the 2nd Generation Intel® Core™ vPro™
processor family - Intel Corporation
Are you maximizing IT efficiency? Learn how to boost efficiency today - NetApp
Managed Hosting Services Backed by the Pow er of Fanatical Support - Rackspace
Monitor Physical, Virtual and Cloud Infrastructure w ith Ease - Try Applications Manager! - Zoho
Just Released! Diskeeper 2011 Optimum system performance. Alw ays. FREE 30-day trial - Diskeeper
Quest Softw are, Inc - Quest Softw are
Understand the real need for security solutions that can address the reality of expanding virtualization. Read more - HP
Most virtualized w orkloads are being deployed in an insecure manner. Read more - HP
Protect your data now and dow n the road. Use LTO-5 Tape! - Ultrium
Context-aw are netw ork access. It's about w
ho you are -no matter w here you are, w hat device you use or how you connect - Aruba Netw orks
HP ProLiant FlexFabric enabled server pow ered by Intel®
Xeon® - HP
HP BladeSystem pow ered by AMD Opteron™ 6100 Series processors - HP
Application Delivery Controllers: The Next Generation of Load Balancing - Coyote Point Systems
Unleash the Pow er and Performance of Physical and Virtual Desktops - Trend Micro
Introducing the Cisco Data Center Business Advantage -Cisco
With Xerox, you'll be ready for real business. Find out how > - Xerox
Cisco w hitepaper on the benefits and challenges of migrating to the cloud - Cisco Systems
HP StorageWorks D2D2500 Backup System w ith Intel®
Xeon® 5500 series - HP
BlackBerry World™ Conference, May 3-5. Register Now
& Save! - BlackBerry World
Systems Management Software
Softw are Deployment, Patch Mgmt, Asset Mgmt, Remote Control & more. Starts@ $545
Zyrion Data Center Monitoring software
For Enterprise Data Centers and MSPs. Dow nload A Free Evaluation.
iPhone Enterprise Management Service
Best Practices Guide For Supporting iPhones & iPads In
An Enterprise.
Network Bandwidth Monitoring Software
Monitor Bandw idth, Netw ork Traffic using Netflow Get Reports,Alerts,Emails.Try
Server Monitoring Suite - Award Winning
Deep, Easy, Complete Server & Application Monitoring.
Dow nload Free 30-Day Trial
Unified to Virtualize: Insight and Cisco
Insight is proud to be one of Cisco’s strategic data center partners. Learn More
Buy a link now
Trang 8Trend Micro™ & VMw are®: Partnering for Your
Protection - Trend Micro
See how migrating to a private cloud cut Suncorp's IT
costs by 30% - NetApp
Get Proof. Not Promises! Take the Netezza TestDrive -Netezza
HP StorageWorks P4300 G2 SAN Solution pow ered by Intel® Xeon® 5520 processor series - HP
Entrust - Strong authentication, most authenticators, one platform - Entrust, INC
Signup
Network World's Daily
Newsletter
Stay up to date with the most important
tech news
About Us Jobs @ NWW Contact Us Subscribe to Network World Magazine
Newsletter Subscriptions Advertise Reprints & Links Partnerships AdChoices
Network World, Inc
The Connected Enterprise
CFOworld CIO Computerworld CSO
DEMO GamePro Games.net
IDG Connect IDG Knowledge Hub IDG TechNetwork IDG Ventures InfoWorld ITwhitepapers
ITworld JavaWorld LinuxWorld MacWorld Network World
PC World Other IDG Sites
Copyright © 1994 - 2011 Netw ork World, Inc. All rights reserved Terms of Service