Introduction
This chapter includes the following topics:
VPN Routing and Forwarding Tables
Overlapping Virtual Private Networks
Route Targets
Propagation of VPN Routing Information in the Provider Network
VPN Packet Forwarding
In the previous chapter, you learned about Virtual Private Network (VPN) evolution; two major VPN models, overlay VPN and peer-to-peer VPN; and the major technologies used to implement both VPN models.
The overlay VPN model, most commonly used in a service provider network, dictates that the design and provisioning of virtual circuits across the backbone must be complete prior to any traffic flow. In the case of an IP network, this means that even though the underlying technology is connectionless, it requires a connection-oriented approach to provision the service.
From a service provider's point of view, the scaling issues of an overlay VPN model are felt most when having to manage and provision a large number of circuits/tunnels between customer devices. From a customer's point of view, the Interior Gateway Protocol design is typically extremely complex and also difficult to manage.
On the other hand, the peer-to-peer VPN model suffers from lack of isolation between the customers and the need for coordinated IP address space between them.
With the introduction of Multiprotocol Label Switching (MPLS), which combines the benefits of Layer 2 switching with Layer 3 routing and switching, it became possible to construct a technology that combines the benefits of an overlay VPN (such as security and isolation among customers) with the benefits of simplified routing that a peer-to-peer VPN implementation brings. The new technology, called MPLS/VPN, results in simpler customer routing and somewhat simpler service provider provisioning, and makes possible a number of topologies that are hard to implement in either the overlay or peer-to-peer VPN models. MPLS also adds the benefits of a connection-oriented approach to the IP routing paradigm, through the establishment of label-switched paths, which are created based on topology information rather than traffic flow.
NOTE
This introduction might lead you to believe that any overlay VPN implementation can be replaced with an MPLS/VPN implementation. Unfortunately, that is not true. MPLS/VPN currently supports only IP as the Layer 3 protocol. Other protocols, such as IPX and AppleTalk, still must be tunneled across an IP backbone.
The MPLS/VPN architecture provides the capability to commission an IP network infrastructure that delivers private network services over a shared infrastructure. This is the same type of service that has already been described in the previous chapter. However, the mechanisms used to provision the service are different. The MPLS/VPN technology is quite complex in itself and will be covered in a series of chapters. In this chapter, you'll see the basic MPLS/VPN concepts without going into too many details that would clutter the overall picture. In the next chapter, the detailed operation of MPLS/VPN is explained, along with the relevant configuration information to be able to provision a simple Intranet topology based on the MPLS/VPN architecture.
Case Study: Virtual Private Networks in SuperCom Service Provider Network
As with all complex topics, the MPLS/VPN concepts are best explained through use of a case study. Imagine a service provider (let's call it SuperCom) that is offering VPN services based on MPLS/VPN technologies. The service provider has two points of presence (POP), a U.S. POP in the San Jose area and a French POP in the Paris area. The POPs are linked through a core router located in Washington, D.C.
The service provider has two customers: FastFood, with headquarters in San Jose and branch offices in Santa Clara, Redwood, and Lyon; and EuroBank, with headquarters in Paris and branch offices in Chartres, Nantres, and San Francisco. The FastFood company has a number of other branch offices (for example, in Santa Cruz and Monterey) that are linked directly with the FastFood central site. The whole network is shown in Figure 9-1.
)
Figure 9-1 SuperCom Network and Its Customers
According to the terminology introduced in Chapter 8, "Virtual Private Network (VPN) Implementation Options," the routers in Figure 9-1 have the following roles:
San Jose and Paris routers link the SuperCom network with its customers; they are thus provider edge (PE) routers.
The Washington router does not have any customer connection; therefore, it's a provider (P) router.
Customer routers connected to the SuperCom network—FastFood routers in San Jose, Santa Clara, and Lyon, as well as EuroBank routers in San Francisco, Paris, and Chartres—are customer edge (CE) routers.
The FastFood routers in Santa Cruz and Monterey have no connection to the SuperCom network; they are customer (C) routers. All the networks connected directly to the FastFood San Jose site (Santa Cruz and Monterey networks) form a customer network (C-network) and represent a single site to the SuperCom network. The service provider does not care (and does not need to know) about the internal structure of that site.
Let's assume that both companies, FastFood and EuroBank, follow the same addressing convention—the central sites use public IP addresses, whereas all the remote sites use private IP address space (network 10.0.0.0).
NOTE
The addressing scheme used by these corporations is seen more often in real customer networks, more so in cases in which the customer didn't acquire a significant portion of public IP address space several years ago.
The IP addresses used by these two companies are summarized in Table 9-1.
Table 9-1 Address Space of FastFood and EuroBank
|
Company |
Site |
Subnet |
|
FastFood |
San Jose |
195.12.2.0/24 |
|
|
Santa Clara |
10.1.1.0/24 |
|
|
Redwood |
10.1.2.0/24 |
|
|
Santa Cruz |
10.1.3.0/24 |
|
|
Monterey |
10.1.4.0/24 |
|
|
Lyon |
10.2.1.0/24 |
|
EuroBank |
Paris |
196.7.25.0/24 |
|
|
Chartres |
10.2.1.0/24 |
|
|
Nantes |
10.2.2.0/24 |
|
|
San Francisco |
10.1.1.0/24 |
The SuperCom service provider would like to offer IP-based VPN service based on the peer-to-peer model (not a number of IP-over-IP tunnels), but it cannot do so easily because the address space of sites connected to the same router overlap.
NOTE
The service provider would encounter a similar (but not so obvious) problem if the address space overlap occurred between customers connected to different POPs. The traditional peer-to-peer model requires strict uniqueness of IP address space.
SuperCom can traditionally solve the overlapping addresses issue in three ways:
It can persuade the customers to renumber their networks. Most customers would not be willing to do that and would rather find another service provider.
It can implement the VPN service with IP-over-IP tunnels, where the customer IP addresses are hidden from the service provider routers.
It can implement a complex network address translation (NAT) scheme that would translate customer addresses into a different (but unique) set of addresses at the provider edge router and then translate those addresses back to the customer addresses before the packet would be sent from the egress PE router to the CE router. Although such a solution is technically feasible, the administrative overhead is prohibitively large and difficult to troubleshoot.
VPN Routing and Forwarding Tables
The overlapping addresses, usually resulting from usage of private IP addresses in customer networks, are one of the major obstacles to successful deployment of peer-to-peer VPN implementations. The MPLS/VPN technology provides an elegant solution to the dilemma: Each VPN has its own routing and forwarding table in the router, so any customer or site that belongs to that VPN is provided access only to the set of routes contained within that table. Any PE router in an MPLS/VPN network thus contains a number of per-VPN routing tables and a global routing table that is used to reach other routers in the provider network, as well as external globally reachable destinations (for example, the rest of the Internet). Effectively, a number of virtual routers are created in a single physical router, as displayed in Figure 9-2, for the case of San Jose router of SuperCom network.
)
Figure 9-2 Virtual Routers Created in a PE Router
NOTE
The relationship between Virtual Private Networks and VPN routing and forwarding tables as explained in the previous paragraph is a slight simplification of the actual relationship between these two concepts. Nevertheless, it is true in cases where each site (or customer) belongs only to one VPN. The additional complexity introduced by overlapping VPNs or sites belonging to more than one VPN is explained in the section "Overlapping Virtual Private Networks," later in this chapter.
The concept of virtual routers allows the customers to use either global or private IP address space in each VPN. Each customer site belongs to a particular VPN, so the only requirement is that the address space be unique within that VPN. Uniqueness of addresses is not required among VPNs except where two VPNs that share the same private address space want to communicate.
More structures are associated with each virtual router than just the virtual IP routing table:
A forwarding table that is derived from the routing table and is based on CEF technology.
A set of interfaces that use the derived forwarding table.
Rules that control the import and export of routes from and into the VPN routing table. These rules were introduced to support overlapping VPNs and are explained later in this chapter.
A set of routing protocols/peers, which inject information into the VPN routing table. This includes static routing.
Router variables associated with the routing protocol that is used to populate the VPN routing table.
The usage of these structures is explained in the rest of this chapter, and the detailed operation of each of them is explained in the next chapters.
The combination of the VPN IP routing table and associated VPN IP forwarding table is called VPN routing and forwarding instance (VRF).
NOTE
You might think that there is no difference between an IP routing table and an IP forwarding table—and usually that's true. In an MPLS environment, the only minor difference between them is the fact that the IP forwarding table also contains MPLS encapsulation information.
A major difference between the two tables arises in cases where an IP route refers to a next hop that is not directly connected. In that case, the routing table will contain the next-hop information, but not the outgoing interface or the IP address of the downstream router. The forwarding table will contain all the information needed to forward the packet toward the destination. For example, with the configuration in Example 9-1, the routing table lists the next hop for network 10.0.0.0/8 as 1.0.0.1 (as shown in Example 9-2), while the forwarding table contains the real next hop (the IP address of the downstream router), as shown in Example 9-3.
Example 9-1 Sample Configuration with Recursive IP Routing
ip route 10.0.0.0 255.0.0.0 1.0.0.1 ip route 1.0.0.1 255.255.255.255 2.0.0.2 ! interface serial 0 ip address 2.0.0.1 255.0.0.0
Example 9-2 IP Routing Table for the Recursive IP Routing Example
mpls router# show ip route
...
1.0.0.0/32 is subnetted, 1 subnets
S 1.0.0.1 [1/0] via 2.0.0.2
C 2.0.0.0/8 is directly connected, Serial0
S 10.0.0.0/8 [1/0] via 1.0.0.1
...
Example 9-3 CEF Forwarding Table Entry for Recursive IP Routing Example
mpls router# show ip cef 10.0.0.0
10.0.0.0/8, version 87
0 packets, 0 bytes
via 1.0.0.1, 0 dependencies, recursive
next hop 2.0.0.2, Serial0 via 1.0.0.1/32
In the SuperCom case, the San Jose router contains three IP routing and forwarding tables—one table per customer and a global table used to forward non-VPN IP packets and to route VPN packets between PE routers.
Overlapping Virtual Private Networks
The SuperCom example might lead you to believe that a VPN is associated with a single VRF in a PE router. Although that would be true in the case where the VPN customer needs no connectivity with other VPN customers, the situation might become more complex and require more than one VRF per VPN customer.
Imagine that SuperCom wants to extend its service offering with a Voice over IP (VoIP) service with gateways to the public voice network located in San Jose and Paris, as shown in Figure 9-3. The VoIP gateways were placed in a separate VPN to enhance the security of the newly created service. The IP addresses of these gateways are shown in Table 9-2.
)
Figure 9-3 VoIP Gateways in SuperCom Network
Table 9-2 IP Addresses of VoIP Gateways in SuperCom Network
|
VoIP Gateway Location |
VoIP Gateway IP Address |
|
San Jose |
212.15.23.12 |
|
Paris |
212.15.27.35 |
Both EuroBank and FastFood decided to use the service, but only from their central sites—the branch offices have no need for international voice connectivity. This requirement leads to an interesting problem: The central sites of both organizations need to be in two VPNs: the corporate VPN to reach their remote sites and the VoIP VPN to reach the VoIP gateways. The connectivity requirements are illustrated in Figure 9-4.
)
Figure 9-4 VPN Connectivity Requirements in SuperCom
Network
NOTE
The connectivity requirements in Figure 9-4 are a simplification of the requirements that you would encounter in a real service provider network. Most often, for security reasons, the customers using a common service (for example, VoIP gateways) will not see each other, but only the gateways or servers providing the service that they are using.
To support connectivity requirements similar to those in Figure 9-4, the MPLS/VPN architecture supports the concept of sites, where a VPN is made up of one or multiple sites. A VPN is essentially a collection of sites sharing common routing information, which means that a site may belong to more than one VPN if it holds routes from separate VPNs. This provides the capability to build intranets and extranets, as well as any other topology described in Chapter 8. A VPN in the MPLS/VPN architecture can therefore be pictured as a community of interest or a closed user group, which is dictated by the routing visibility that the site will have.
The VRF concept introduced in the previous section must be modified to support the concept of sites that can reside in more than one VPN. For example, the central site of FastFood and EuroBank cannot use the same VRF as all other FastFood or EuroBank sites connected to the same PE router. The central site of EuroBank, for example, needs to access the VoIP gateways, so the routes toward these gateways must be in the VRF for that site, whereas the same routes will not be in the Chartres' site VRF. Therefore, the MPLS/VPN architecture unbundles the concept of VRF from the concept of VPN. The VRF is simply a collection of routes that should be available to a particular site (or set of sites) connected to a PE router. These routes can belong to more than one VPN.
NOTE
You might be inclined at this moment to jump from a one-VPN-one-VRF model to the other extreme: one-site-one-VRF model. Although that model is theoretically correct and supports any VPN topology, it leads to more complex configurations of the PE routers that are harder to maintain and that also use more memory. Therefore, it is recommended to keep the number of VRFs to a minimum (for example, one VRF for the customer's central site and another VRF for all remote offices connected to the same PE router).
The relationship between the VPNs, sites, and VRFs can be summarized in the following rule, which should be used as the basis for any VRF definition in an MPLS/VPN network.
NOTE
All sites that share the same routing information (usually this means that they belong to the same set of VPNs), that are allowed to communicate directly with each other, and that are connected to the same PE router can be placed in a common VRF.
Using this rule, the minimum set of VRFs in the SuperCom network is the one outlined in Table 9-3.
Table 9-3 VRFs in the PE Routers in the SuperCom Network
|
PE-router |
VRF |
Sites in the VRF |
VRF Belongs to VPNs |
|
San Jose |
FastFood_Central |
FastFood SanJose site |
FastFood, VoIP |
|
|
FastFood |
FastFood Santa Clara site FastFood Redwood site |
FastFood |
|
|
EuroBank |
EuroBank San Francisco site |
EuroBank |
|
|
VoIP |
San Jose VoIP gateway |
VoIP |
|
Paris |
FastFood |
FastFood Lyon site |
FastFood |
|
|
EuroBank_Central |
EuroBank Paris site |
EuroBank, VoIP |
|
|
EuroBank |
EuroBank Chartres site EuroBank Nantes site |
EuroBank |
|
|
VoIP |
Paris VoIP gateway |
VoIP |
Route Targets
A careful reader might start asking an interesting question: If there is no one-to-one mapping between VPN and VRF, how does the router know which routes need to be inserted into which VRF? This dilemma is solved by the introduction of another concept in the MPLS/VPN architecture: the route target. Every VPN route is tagged with one or more route targets when it is exported from a VRF (to be offered to other VRFs). You can also associate a set of route targets with a VRF, and all routes tagged with at least one of those route targets will be inserted into the VRF.
NOTE
The route target is the closest approximation to a VPN identifier in the MPLS/VPN architecture. In most VPN topologies, you can equate them, but in other topologies (usually a central services topology), a single VPN might need more than one route target for successful implementation.
The route target is a 64-bit quantity, the format of which is explained in the next chapter. For simplicity reasons, we will use names for route targets in this chapter.
The SuperCom network contains three VPNs and thus requires three route targets. The association between route targets and VRFs in the SuperCom network is outlined in Table 9-4.
Table 9-4 Correspondence Between VRFs and Route Targets in SuperCom Network
|
PE Router |
VRF |
Sites in the VRF |
Route Target Attached to Exported Routes |
Import Route Targets |
|
San Jose |
FastFood_ Central |
FastFood SanJose site |
FastFood, VoIP |
FastFood, VoIP |
|
|
FastFood |
FastFood Santa Clara site FastFood Redwood site |
FastFood |
FastFood |
|
|
EuroBank |
EuroBank San Francisco site |
EuroBank |
EuroBank |
|
|
VoIP |
San Jose VoIP gateway |
VoIP |
VoIP |
|
Paris |
FastFood |
FastFood Lyon site |
FastFood |
FastFood |
|
|
EuroBank_ Central |
EuroBank Paris site |
EuroBank, VoIP |
EuroBank, VoIP |
|
|
EuroBank |
EuroBank Chartres site EuroBank Nantes site |
EuroBank |
EuroBank |
|
|
VoIP |
Paris VoIP gateway |
VoIP |
VoIP |
NOTE
Based on Table 9-4, you might assume that the route targets attached to routes exported from a VRF always match the set of import route targets of a VRF. Although that's certainly true in simpler VPN topologies, there are widespread VPN topologies (for example, central services VPN) in which this assumption is not true.
Propagation of VPN Routing Information in the Provider Network
The previous sections have explained MPLS/VPN architecture from a single PE router standpoint. Two issues have yet to be addressed:
How will the PE routers exchange information about VPN customers and VPN routes between themselves?
How will the PE routers forward packets originated in customer VPNs?
This section addresses inter-PE routing; the next section briefly describes the forwarding mechanism.
Two fundamentally different ways exist for approaching the VPN route exchange between PE routers:
The PE routers could run a different routing algorithm for each VPN. For example, a copy of OSPF or EIGRP could be run for each VPN. This solution would face serious scalability problems in service provider networks with a large number of VPNs. It would also face interesting design challenges when asked to provide support for overlapping VPNs.
The PE routers run a single routing protocol to exchange all VPN routes. To support overlapping address spaces of VPN customers, the IP addresses used by the VPN customers must be augmented with additional information to make them unique.
NOTE
To illustrate the scalability issues that might arise from deploying one routing algorithm per VPN, consider the case where the SuperCom network would have to support more than 100 VPN customers connected to the San Jose and Paris routers with OSPF as the routing protocol. The PE routers in the SuperCom network would run more than 100 independent copies of OSPF routing process (if that were technically possible), with each copy sending hello packets and periodic refreshments over the network. Because you cannot run more than one copy of OSPF over the same link, you would have to configure per-VPN subinterfaces (for example, using Frame Relay encapsulation) on the link between San Jose (or Paris) and Washington, resulting in an extremely complex network similar to the one shown in Figure 9-5. You would also have to run 100 different SPF algorithms and maintain 100 separate topology databases in the service provider routers.
)
Figure 9-5 SuperCom Network with One IGP per VPN
The second approach was chosen as the building block of MPLS/VPN technology. IP subnets advertised by the CE routers to the PE routers are augmented with a 64-bit prefix called a route distinguisher to make them unique. The resulting 96-bit addresses are then exchanged between the PE routers using a special address family of Multiprotocol BGP (hereby referred to as MP-BGP). There were several reasons for choosing BGP as the routing protocol used to transport VPN routes:
The number of VPN routes in a network can become very large. BGP is the only routing protocol that can support a very large number of routes.
BGP, EIGRP, and IS-IS are the only routing protocols that are multiprotocol by design. (All of them can carry routing information for a number of different address families.) IS-IS and EIGRP, however, do not scale to the same number of routes as BGP, which is also designed to exchange information between routers that are not directly connected. This BGP feature supports keeping VPN routing information out of the provider core routers (P routers).
BGP can carry any information attached to a route as an optional BGP attribute. What's more, you can define additional attributes that will be transparently forwarded by any BGP router that does not understand them. This property of BGP makes propagation of route targets between PE routers extremely simple.
Multiprotocol BGP in the SuperCom Network
To illustrate the interaction of per-VPN routing protocols with the MP-BGP used in the service provider network core, consider the case of the FastFood customer in the SuperCom network. Let's assume that the San Jose site is using OSPF to interact with the SuperCom backbone, the Lyon and Santa Clara sites are using RIP, and the Redwood site is using no routing protocol—there is a static route configured on the San Jose PE router and the default route configured on the Redwood router. The routing protocols used in FastFood VPN are shown in Figure 9-6.
)
Figure 9-6 Routing Protocols Used in FastFood VPN
NOTE
The Washington router (the P router in the SuperCom network) is not involved in the MP-BGP. As you'll see in the next section, the forwarding model used in MPLS/VPN does not require the P routers to make any routing decisions based on VPN addresses; they just forward packets based on the label value attached to the packet. The P routers, therefore, do not need to carry the VPN routes, resulting in even better scalability.
The San Jose PE router collects routing information from the San Jose site using a per-VPN OSPF process. Similarly, the information from the Santa Clara site is collected using a per-VPN RIP process. This process is marked as Step 1 in Figure 9-7.
)
Figure 9-7 Routing Protocol Operation in SuperCom Network
NOTE
The routing protocol used within a VPN network must be limited to the VPN in question. If the same routing protocol would be used in different VPNs, the possibility of using overlapping IP addresses between VPNs would be lost, and there would be potential route leakage between VPNs.
To support overlapping VPNs, the routing protocol must be limited to a single VPN routing and forwarding (VRF) table. Each PE router must be configured so that any routing information learned from an interface can be associated with a particular VRF. This is done through the standard routing protocol process and is known as the routing context. A separate routing context is used per VRF.
Some routing protocols (for example, RIP) support several instances (or routing contexts) of the same protocol, with each instance running in a different VRF. Other protocols (for example, OSPF) require a separate copy of the routing protocol process for each VRF.
The information gathered by various routing protocols in the San Jose PE router, as well as the static routes configured on the San Jose router, is redistributed into MP-BGP. VPN addresses are augmented with the route distinguishers at the moment of redistribution. The route export route target specified in the originating VRF is also attached to the route. The resulting 96-bit routing information is propagated by MP-BGP to the Paris router (Step 2 in Figure 9-7).
WARNING
The redistribution of the per-VPN routing information into MP-BGP is not automatic and must be manually configured on the router for each VRF (see Chapter 10, "MPLS/VPN Architecture Operation," for further details of this configuration), unless this information was learned from the customer through BGP. The omission of manual redistribution into MP-BGP is one of the most common configuration errors in MPLS/VPN deployment.
The Paris router, after receiving MP-BGP routes, inserts the received routes into various VRF tables based on the route target attribute attached to each individual route. The route distinguisher is dropped from the 96-bit route when the route is inserted into the VRF, resulting yet again in a traditional IP route. Finally, the routing information received through BGP is redistributed into the RIP process and is passed on to the Lyon site through RIP updates (Step 3 in Figure 9-7).
WARNING
Similar to the redistribution of VRF routes into MP-BGP, the redistribution of routes received over the service provider backbone back into the per-VRF routing process is not automatic, unless this process is BGP; it must be manually configured if the redistribution is required by the routing design.
Contrary to the traditional BGP operation in which the internal BGP routes are not allowed to be redistributed into other routing protocols, this restriction is lifted in the MPLS/VPN environment. The VPN routes received by a PE router through an internal MP-BGP session from another PE router can be redistributed into other routing protocols.
VPN Packet Forwarding
In the previous section, you saw that the IP addresses used within a VPN must be prepended with a 64-bit prefix called a route distinguisher (RD) to make them unique.
Similarly, when the VPN-originated IP packets are forwarded across the service provider backbone (the P network), they must be augmented to make them uniquely recognizable. Yet again, several technology options are possible:
The IP packet is rewritten to include 96-bit addresses in the packet header. This operation would be slow and complex.
The IP packet is tunneled across the network in VPN-over-IP tunnels. This choice would make MPLS/VPN as complex as traditional IP-over-IP VPN solutions using the overlay VPN model.
With the introduction of MPLS, a third technology option was made possible: Each VPN packet is labeled by the ingress PE router with a label uniquely identifying the egress PE router, and is sent across the network. All the routers in the network subsequently switch labels without having to look into the packet itself. The preparatory steps for this process are illustrated in Figure 9-8.
)
Figure 9-8 VPN Packet Forwarding—Preparatory Steps
Each PE router needs a unique identifier (a host route—usually the loopback IP address is used), which is then propagated throughout the P network using the usual IGP (Step 1). This IP address is also used as the BGP next-hop attribute of all VPN routes announced by the PE router. A label is assigned in each P router for that host route and is propagated to each of its neighbors (Step 2). Finally, all other PE routers receive a label associated with the egress PE router through an MPLS label distribution process (Step 3). After the label for the egress PE router is received by the ingress PE router, the VPN packet exchange can start.
However, when the egress PE router receives the VPN packet, it has no information to tell it which VPN the packet is destined for. To make the communication between VPN sites unique, a second set of labels is introduced, as illustrated in Figure 9-9.
)
Figure 9-9 VPN Label Allocation
Each PE router allocates a unique label for each route in each VPN routing and forwarding (VRF) instance (Step 1). These labels are propagated together with the corresponding routes through MP-BGP to all other PE routers (Step 2). The PE routers receiving the MP-BGP update and installing the received routes in their VRF tables (see Figure 9-7 for additional details) also install the label assigned by the egress router in their VRF tables. The MPLS/VPN network is now ready to forward VPN packets.
When a VPN packet is received by the ingress PE router, the corresponding VRF is examined, and the label associated with the destination address by the egress PE router is fetched. Another label, pointing toward the egress PE router, is obtained from the global forwarding table. Both labels are combined into an MPLS label stack, are attached in front of the VPN packet, and are sent toward the egress PE router.
All the P routers in the network switch the VPN packet based only on the top label in the stack, which points toward the egress PE router. Because of the normal MPLS forwarding rules, the P routers never look beyond the first label and are thus completely unaware of the second label or the VPN packet carried across the network.
The egress PE router receives the labeled packet, drops the first label, and performs a lookup on the second label, which uniquely identifies the target VRF and sometimes even the outgoing interface on the PE router. A lookup is performed in the target VRF (if needed), and the packet is sent toward the proper CE router.
NOTE
The egress PE router assigns labels to VPN routes in such a way that the need for additional Layer 3 lookup in the target VRF is minimized. The additional Layer 3 lookup is needed only for summary VPN routes advertised between the PE routers.
The router just before the egress PE router might also remove the first label in the label stack through a mechanism called penultimate hop popping. Refer to Chapter 2, "Frame-mode MPLS Operation," for a detailed description of this mechanism.
In the best case (no summary VPN routes and network topology that supports penultimate hop popping), the egress PE router would perform only a single label lookup, resulting in maximum forwarding performance.
Summary
Virtual Private Networks (VPNs) based on Multiprotocol Label Switching (MPLS) combine the benefits of the overlay VPN model, such as isolation and security, with the benefits of the peer-to-peer VPN model, such as simplified routing, easier provisioning, and better scalability. A number of mechanisms are needed to successfully meet all these goals:
Each VPN needs a separate VPN routing and forwarding instance (VRF) in each PE router to guarantee isolation and enable usage of uncoordinated private IP addresses.
To support overlapping VPN topologies, the VRFs can be more granular than the VPNs and can participate in more than one VPN at a time. An attribute called a route target is needed to identify the set of VPNs in which a particular VRF participates. For maximum flexibility, a set of route targets can be associated with a VRF or attached to a VPN route.
VPN IP addresses are prepended with 64-bit route distinguishers to make VPN addresses globally unique. These 96-bit addresses are exchanged between the PE routers through MP-BGP, which also carries additional route attributes (for example, the route target) by means of optional BGP route attributes, called extended communities.
Each PE router needs a unique router ID (host route—usually the loopback address) that is used to allocate a label and enable VPN packet forwarding across the backbone.
Each PE router allocates a unique label to each route in each VRF (even if they have the same next hop) and propagates these labels together with 96-bit VPN addresses through MP-BGP.
Ingress PE routers use a two-level MPLS label stack to label the VPN packets with a VPN label assigned by the egress PE router and an IGP label identifying the PE router assigned through the regular MPLS label distribution mechanisms. The label stack is prepended to the VPN packet, and the resulting MPLS packet is forwarded across the P network.