MPLS VPN
Network Security Presentation
By Shahzeb Mahesar
Contents
• Introduction
• Point-to-point (pseudowire)
• Layer 2 VPN (VPLS)
• Layer 3 VPN (VPRN)
• How Does MPLS VPN Work?
• Resources
Introduction
• MPLS VPN is a family of methods for using multiprotocol
label switching (MPLS) to create virtual private networks
(VPNs).
• MPLS VPN is a flexible method to transport and route
several types of network traffic using an MPLS backbone.
• There are three types of MPLS VPNs deployed in networks
today:
1. Point-to-point (Pseudowire)
2. Layer 2 (VPLS)
3. Layer 3 (VPRN)
Point-to-point (pseudowire)
• Point-to-point MPLS VPNs employ VLL (virtual leased lines)
for providing Layer2 point-to-point connectivity between two
sites.
• Ethernet, TDM, and ATM frames can be encapsulated within
these VLLs.
• Some examples of how point-to-point VPNs might be used
by utilities include:
• encapsulating TDM T1 circuits attached to Remote Terminal Units
• forwarding non-routed DNP3 traffic across the backbone network
to the SCADA master controller.
Point-to-point (pseudowire): diagram slide
Layer 2 VPN (VPLS)
• Layer 2 MPLS VPNs, or VPLS (virtual private LAN service),
offer a “switch in the cloud” style service.
• VPLS provides the ability to span VLANs between sites.
• L2 VPNs are typically used to carry voice, video, and AMI
(advanced metering infrastructure) traffic between substation and
data center locations.
Layer 2 VPN (VPLS): diagram slide
Layer 3 VPN (VPRN)
• Layer 3 VPN, or VPRN (virtual private routed network), uses
layer 3 VRFs (virtual routing and forwarding instances) to keep a
separate routing table for each customer using the service.
• The customer peers with the service provider router and the
two exchange routes, which are placed into a routing table
specific to the customer.
Layer 3 VPN (VPRN)
• Multiprotocol BGP (MP-BGP) is required in the cloud to
utilize the service, which increases complexity of design and
implementation.
• L3 VPNs are typically not deployed on utility networks due to
their complexity; however, an L3 VPN could be used to route
traffic between corporate or datacenter locations.
Layer 3 VPN (VPRN): diagram slide
How Does MPLS VPN Work?
• In order to understand how MPLS VPN works, we need to
be aware of the equipment involved.
• Typically, in an MPLS network, there will be:
1. Customer Edge (CE) routers
2. Provider Edge (PE) routers
3. Provider (P) routers
How Does MPLS VPN Work?
1. Initially, the routing information and data packet are passed
from CE to PE using static routes or a routing protocol such as
Border Gateway Protocol (BGP).
2. Based on the routing information, PE devices attach a label to
the data packet and forward it to the provider core network, i.e.
the P router.
3. The P router in the provider network forwards the packet to the
right PE device on the other side of the network, based on the
label.
4. When the destination PE receives the labeled packet, it pops
the label and uses it to direct the packet to the right
(destination) CE device.
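The four forwarding steps above, together with the per-customer VRF separation from the Layer 3 VPN slides, as an added Python simulation that is not part of the original presentation. It goes slightly beyond the slides by pushing the two-label stack (transport label plus VPN label) that Layer 3 VPNs use in practice, so that the core forwards on the outer label only and the egress PE selects the customer from the inner one; the topology, labels and customer names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    vrf: str                 # VRF of the ingress CE's attachment circuit
    dst: str                 # destination prefix (exact-match lookup, simplified)
    labels: list = field(default_factory=list)   # label stack, top of stack first

# Constructed sample tables for a hypothetical path CE -> PE1 -> P -> PE2 -> CE.
# PE1 keeps one routing table per customer VRF; both customers use 10.0.0.0/24,
# which is fine because the tables never mix. Value = (egress PE, VPN label).
PE1_VRF = {
    "cust-A": {"10.0.0.0/24": ("PE2", 100)},
    "cust-B": {"10.0.0.0/24": ("PE2", 200)},
}
PE1_TRANSPORT = {"PE2": 17}            # outer label that reaches PE2 across the core
P_LFIB = {17: 18}                      # P router: incoming label -> outgoing label
PE2_VPN_LABELS = {100: ("cust-A", "CE-A2"), 200: ("cust-B", "CE-B2")}

def pe_ingress(pkt):
    """Step 2: look up dst in the customer's own VRF only, push VPN + transport labels."""
    route = PE1_VRF.get(pkt.vrf, {}).get(pkt.dst)
    if route is None:
        return None                    # no route in this VRF: drop, never consult another VRF
    egress_pe, vpn_label = route
    pkt.labels = [PE1_TRANSPORT[egress_pe], vpn_label]
    return pkt

def p_forward(pkt):
    """Step 3: the core swaps the top label only; it never looks at the customer IP header."""
    if not pkt.labels or pkt.labels[0] not in P_LFIB:
        return None                    # unknown label: drop
    pkt.labels[0] = P_LFIB[pkt.labels[0]]
    return pkt

def pe_egress(pkt):
    """Step 4: pop the stack; the VPN label alone selects the VRF and destination CE."""
    if len(pkt.labels) != 2:
        return None
    _transport, vpn_label = pkt.labels
    pkt.labels = []
    return PE2_VPN_LABELS.get(vpn_label)   # None means an unknown VPN label: drop

def forward(vrf, dst):
    """Run a packet PE1 -> P -> PE2 and return the (vrf, CE) it is delivered to, or None."""
    pkt = Packet(vrf, dst)
    for hop in (pe_ingress, p_forward):
        pkt = hop(pkt)
        if pkt is None:
            return None
    return pe_egress(pkt)
```

The two customers' identical destination prefix is delivered to different CEs, and a packet whose VRF has no matching route is dropped rather than leaking into another customer's table.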
Resources
• https://en.wikipedia.org/wiki/MPLS_VPN
• https://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/mpls/13733-mpls-vpn-basic.html
• https://www.tpx.com/learn/how-does-mpls-vpn-work
• http://www.firewall.cx/networking-topics/wan-technologies/821-mpls-ip-vpn-security.html
• https://help.uis.cam.ac.uk/service/network-services/datanetwork/mpls-vpn