ISSUE 2.0
Fixed Network Curriculum Development Section
ODA000017 MPLS VPN(L3)
VPN Classification
[Figure: VPN classification tree. Labels in the figure: VPN, IP-VPN; CPE-Based VPN, Network-Based VPN; VLL, VPRN, VPDN, VPLS; MPLS/BGP VPN, VR-VPN.]
VPN: Virtual Private Network
VPN Definitions (1)
- IP-VPN: Emulation of dedicated-line services (such as remote dial-up and DDN leased lines) for private LAN equipment over IP facilities (the public Internet, a private IP backbone network, etc.).
- Network-Based IP-VPN: The VPN-related maintenance is contracted out to the operator (the user may still perform some service management and control), and the VPN functions are implemented centrally on network-side equipment.
- Tunnel: A technique in which one protocol is used to carry another protocol; the tunneling protocol performs this function. Tunneling involves three protocols: the tunneling protocol itself, the bearer protocol beneath it, and the passenger protocol carried inside it.
VPN Definitions (2)
- Virtual Leased Line (VLL): Provides a point-to-point connection service between two pieces of user CPE via the operator's edge nodes.
- Virtual Private Dial Network (VPDN): The remote user dials into the public IP network via PSTN/ISDN, and the data packets cross the public network through a tunnel to the destination network.
- Virtual Private LAN Segment (VPLS): A "virtual" method of building a LAN over public IP resources. Forwarding is based on the MAC layer and is completely transparent to the network-layer protocol. It is an L2 VPN.
- Virtual Private Routed Network (VPRN): Emulation of a multi-site wide-area routed network service over the public IP network; VPN data packets are forwarded at the network layer.
Constructing VPN via GRE
[Figure: two GRE tunnels across the public IP network. Access routers Rt1 and Rt2 connect sites HQ1 and HQ2; the private-side addresses 10.0.0.0/24, 10.0.1.1/24 and 10.0.1.2/24 each appear twice (once per VPN), and the public links use 129.0.0.0/30, 129.0.1.0/30, 129.0.2.0/30 and 129.0.3.0/30.]
- To build such a network, only the access router of each site needs to be configured.
- The operator network does not need to know the internal routes of the VPN.
- Different VPNs can use the same address space.
- Forwarding efficiency is low.
MPLS VPN Network Structure
[Figure: MPLS VPN backbone. CE routers of VPN_A (networks 10.1.0.0, 10.2.0.0, 10.3.0.0) and VPN_B (networks 11.5.0.0, 11.6.0.0) attach to PE routers; P routers form the core; iBGP sessions run between the PEs.]
- CE (Customer Edge): The user equipment directly connected to the service provider.
- PE (Provider Edge router): The edge router of the backbone network; it connects to CEs and is mainly responsible for VPN service access.
- P (Provider router): The core router of the backbone network, mainly responsible for routing and fast forwarding.
Network Topology-1
[Figure: each site belongs to only one VPN (Intranet). Sites site1, site2, site3 form one VPN; sites site10, site20, site30 form another.]
Network Topology-2
[Figure: a site may belong to multiple VPNs (Intranet and Extranet). Sites site1 to site5 are shown with overlapping VPN membership.]
Characteristics of MPLS VPN
- In this network structure, the service provider provides VPN services to users, who are unaware of the public network, as if they had their own separate network resources.
- The P router is only responsible for data transmission inside the backbone network and does not need to know that the VPN exists. However, it must support and enable MPLS.
- All VPN construction, connection and management work is implemented on the PE.
- Network configuration is simple.
- Existing routing protocols can be used directly without any change.
- The MPLS VPN network scales well.
- VPN with QoS and TE can be implemented.
Relationship Between PE and CE
[Figure: two PEs across the backbone, each attached to the CEs of Site-1 and Site-2; PE-CE routing runs EBGP, RIP or static routes.]
- PE and CE routers exchange routes via EBGP, RIP or static routes. The CE runs a standard routing protocol.
- The PE maintains separate routing tables for the public network and the private networks:
  - The public-network routing table contains the routes of all PE and P routers and is generated by the backbone IGP.
  - A VRF (VPN Routing and Forwarding instance) contains the routing and forwarding tables for one or more directly connected CEs. A VRF can be bound to any type of interface; if the directly connected sites belong to the same VPN, their interfaces can use the same VRF.
[Figure: a PE holding a VRF for VPNA, a VRF for VPNB and the global routing table.]
VRF
- A VRF can be regarded as a virtual router with the following structure:
  - It is associated with a set of interfaces and has a forwarding table used for those interfaces.
  - A set of rules controls the import of routes into the VPN and the export of routes from it.
  - Routes can be redistributed into the VRF routing table via routing protocols (static routes, a RIP instance, BGP).
- A VRF is configured on the PE and exchanges routes with the CE. These routes exist independently in the VRF routing table (the private-network routing table).
- The PE maintains a separate forwarding table for each site.
- Each site has a unique VRF.
- If (and only if) two sites have identical forwarding tables, they share a VRF.
- The interface or sub-interface connected to the CE is mapped to a VRF.
- The routes in a VRF are distributed to the sites (usually attached to other PEs) that belong to the same VPN.
Distribution of VRF Routes
[Figure: two PEs connected through a P router, each with a CE router and a site; an MP-iBGP session runs between the PEs.]
- The PE router distributes the local VPN route information across the MPLS/VPN backbone network.
- The transmitting PE exports the local VRF routes via MP-iBGP (with the export route-target attribute).
- The receiving PE imports each route into the VRF where it belongs (the VRF whose import route-target matches).
MBGP
- MBGP (Multiprotocol Extensions for BGP-4)
- BGP-4 only supports IPv4; MBGP extends it to carry route information for other protocols (IPv6, IPX, etc.).
- To maintain compatibility, only two BGP attributes are added for MBGP: MP_REACH_NLRI and MP_UNREACH_NLRI. They are used in the BGP Update message to advertise or withdraw network reachability information.
MBGP: MP_REACH_NLRI
[Figure: format of the MP_REACH_NLRI attribute.]
MBGP: MP_UNREACH_NLRI
- The label mapping information is carried in the MP_REACH_NLRI attribute.
- The Address Family Identifier (AFI) and Subsequent Address Family Identifier (SAFI) together indicate the address family of the reachability information advertised by the attribute. AFI 1 with SAFI 128 indicates that the following information is VPN-IPv4 reachability information together with the bound MPLS label.
- Length of Next Hop Network Address and Network Address of Next Hop give the next hop of the route information. The next hop is determined by the usual BGP next-hop rules.
VPNv4 and IPv4 Address Families
- To allow different VPNs to use the same address space, a new address family, VPNv4, is introduced. The original standard address family is called IPv4.
- The VPNv4 address family mainly serves to carry VPN routes between PE routers.
- The RD (Route Distinguisher) is unique across VPNs. If two VPNs use the same IP address, the PE router prepends different RDs and converts each address into a unique VPNv4 address, so the address spaces do not conflict.
- The standard routes a PE receives from a CE are IPv4 routes. To import them into the VRF routing table and distribute them to other routers, an RD is needed. It is recommended that the sites of the same VPN be configured with the same RD.
VPNv4 address structure: Route Distinguisher (8 bytes) + IPv4 address (4 bytes)
MPLS/VPN RD
- RD format:
  - 16-bit Autonomous System Number (ASN) : 32-bit user-defined number, e.g. 100:1
  - 32-bit IP address : 16-bit user-defined number, e.g. 172.1.1.1:1
- Usually each site is assigned a unique RD, which identifies the VRF.
- Difference between the public-network routing table and the private-network routing table:
  - The public-network routing table is built from IGP routes and may include BGP-4 (IPv4) routes, but not VPN routes.
  - The VRF routing table contains the routes of a specific VPN. It may include routes redistributed from MP-iBGP into the VRF, or routes learned from the CE by the VRF routing instance.
RD structure:
  TYPE (2 bytes)   Administrator Field    Assigned Number Field
  0                2-byte ASN             4-byte assigned number
  1                4-byte IP address      2-byte assigned number
Mapping Message of the Attached Label
[Figure: layout of the Network Layer Reachability Information field.]
- Multiple labels can be attached. The first 20 bits of each label entry are the label field; of the last 4 bits, the first three are the EXP field and the last one indicates whether this entry is the bottom of the stack.
- Note that this label must be assigned by the LSR identified in the Next Hop of the MP_REACH_NLRI attribute.
- There are two methods to withdraw the route information (and release the label binding at the same time):
  - Re-advertise a different route (with a new label) for the same destination.
  - Use a Withdraw message that lists the destination in MP_UNREACH_NLRI.
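The RD table and the label entry described on these two slides, written out as the labeled VPN-IPv4 NLRI that MP_REACH_NLRI carries for AFI 1 / SAFI 128. This is an added Python example, not part of the original course material; it assumes only the RFC 3107 / RFC 4364 field layout quoted in the docstring and handles both RD types.

```python
"""Labeled VPN-IPv4 NLRI (AFI 1, SAFI 128) as carried in MP_REACH_NLRI.

One NLRI entry is laid out as:
  Length (1 byte)  : bit length of Label(s) + RD + Prefix
  Label(s)         : 3 bytes each: 20-bit label, 3-bit EXP, 1-bit bottom-of-stack
  RD (8 bytes)     : 2-byte Type, then Administrator and Assigned Number fields
  Prefix           : IPv4 prefix truncated to whole bytes
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Tuple

RD_TYPE_ASN = 0  # Type 0: 2-byte ASN, 4-byte assigned number, e.g. 100:1
RD_TYPE_IP = 1   # Type 1: 4-byte IPv4 address, 2-byte assigned number, e.g. 172.1.1.1:1


def encode_rd(rd: str) -> bytes:
    """Encode "administrator:number" into the 8-byte RD; the administrator form selects the type."""
    admin, number = rd.rsplit(":", 1)
    if "." in admin:
        return struct.pack("!H4sH", RD_TYPE_IP, ipaddress.IPv4Address(admin).packed, int(number))
    return struct.pack("!HHI", RD_TYPE_ASN, int(admin), int(number))


def decode_rd(raw: bytes) -> str:
    """Decode an 8-byte RD back into "administrator:number"."""
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == RD_TYPE_ASN:
        asn, number = struct.unpack("!HI", raw[2:8])
        return f"{asn}:{number}"
    if rd_type == RD_TYPE_IP:
        addr, number = struct.unpack("!4sH", raw[2:8])
        return f"{ipaddress.IPv4Address(addr)}:{number}"
    raise ValueError(f"unknown RD type {rd_type}")


def encode_label(label: int, exp: int = 0, bottom: bool = True) -> bytes:
    """3-byte label entry: 20-bit label, 3-bit EXP, 1-bit bottom-of-stack (as on the slide)."""
    if not 0 <= label < 2 ** 20:
        raise ValueError("label must fit in 20 bits")
    value = (label << 4) | ((exp & 0x7) << 1) | (1 if bottom else 0)
    return value.to_bytes(3, "big")


def decode_label(raw: bytes) -> Tuple[int, int, bool]:
    """Return (label, exp, bottom_of_stack) from a 3-byte label entry."""
    value = int.from_bytes(raw, "big")
    return value >> 4, (value >> 1) & 0x7, bool(value & 1)


@dataclass
class VpnV4Nlri:
    labels: List[int]   # label stack to attach, outermost first
    rd: str             # e.g. "1:27"
    prefix: str         # e.g. "149.27.2.0/24"

    def encode(self) -> bytes:
        net = ipaddress.IPv4Network(self.prefix)
        prefix_bytes = net.network_address.packed[: (net.prefixlen + 7) // 8]
        label_bytes = b"".join(
            encode_label(lab, bottom=(i == len(self.labels) - 1))
            for i, lab in enumerate(self.labels)
        )
        length_bits = 8 * len(label_bytes) + 64 + net.prefixlen
        return bytes([length_bits]) + label_bytes + encode_rd(self.rd) + prefix_bytes

    @classmethod
    def decode(cls, raw: bytes) -> "VpnV4Nlri":
        length_bits, pos, labels = raw[0], 1, []
        while True:  # read label entries until the bottom-of-stack bit is set
            label, _exp, bottom = decode_label(raw[pos:pos + 3])
            labels.append(label)
            pos += 3
            if bottom:
                break
        rd = decode_rd(raw[pos:pos + 8])
        pos += 8
        prefixlen = length_bits - 24 * len(labels) - 64
        if not 0 <= prefixlen <= 32:
            raise ValueError(f"inconsistent NLRI length {length_bits}")
        nbytes = (prefixlen + 7) // 8
        addr = raw[pos:pos + nbytes].ljust(4, b"\x00")  # restore the truncated prefix bytes
        return cls(labels, rd, f"{ipaddress.IPv4Address(addr)}/{prefixlen}")
```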
Importing VRF Routes to MP-iBGP
[Figure: CE-1 (Beijing) sends a BGP or RIPv2 update for 149.27.2.0/24, NH=CE-1, to PE-1. PE-1 sends an MP-iBGP VPN-v4 update to the Shanghai PE: RD 1:27:149.27.2.0/24, Next-hop=PE-1, RT=VPN-A, Label=28. CE-2 is attached to the Shanghai PE.]
- Importing a VRF route into MP-iBGP: the PE router converts the route received from the CE (in the VRF routing table) into a VPN-v4 route; attaches the RD and RT according to the configuration; sets the next hop to itself (its loopback); assigns a label according to the interface; and finally sends the MP-iBGP update to all PE neighbors.
Importing MP-iBGP Routes to VRF
- Each VRF is configured with import route-targets and export route-targets.
- When the transmitting PE sends MP-iBGP updates, the export route-target attribute is attached to the update.
- When the receiving PE receives a VPN-IPv4 MP-iBGP update, it checks whether the received export route-target equals the import route-target of a local VRF. If so, the route is added to that VRF's routing table; otherwise it is discarded.
[Figure: the Shanghai PE receives the VPN-v4 update (RD 1:27:149.27.2.0/24, Next-hop=PE-1, RT=VPN-A, Label=28), converts the VPN-v4 address back into an IPv4 address, installs it in the VRF VPN-A routing table (RT=VPN-A) and then advertises it to CE-2.]
Configuration shown in the figure:
  ip vrf VPN-B
   vpn-target import VPN-A
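The import/export matching of this slide together with the RD's role from the VPNv4 slides, as a receiving PE that installs MP-iBGP routes into VRFs. This is an added Python example, not part of the original course material; VRF names, RDs and the overlapping 10.1.0.0/16 prefix are constructed. The slide compares one export RT for equality with a VRF's import RT; the code generalizes to RFC 4364's set semantics (import when any export RT matches any import RT), of which the single-RT case is an instance.

```python
"""Route distribution between PEs: the RD keeps overlapping prefixes distinct in the
VPN-IPv4 BGP table, and route targets decide which VRF(s) a route is imported into.
Added example (not from the slides); names, RDs and the 10.1.0.0/16 overlap are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class VpnV4Route:
    rd: str               # route distinguisher, e.g. "1:27"
    prefix: str           # IPv4 prefix learned from the CE
    next_hop: str         # loopback of the advertising PE
    label: int            # VPN (inner) label bound by the advertising PE
    export_rts: Set[str]  # route targets attached on export


@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: Set[str]
    export_rts: Set[str]
    routes: Dict[str, VpnV4Route] = field(default_factory=dict)  # plain IPv4 prefix -> route


def export_from_vrf(vrf: Vrf, prefix: str, pe_loopback: str, label: int) -> VpnV4Route:
    """Transmitting PE: prepend the VRF's RD, attach its export RTs, set the next hop to
    the PE's own loopback and bind a VPN label (the slide's 'Importing VRF routes to MP-iBGP')."""
    return VpnV4Route(vrf.rd, prefix, pe_loopback, label, set(vrf.export_rts))


class ReceivingPe:
    def __init__(self, vrfs: List[Vrf]):
        self.vrfs = vrfs
        # VPN-IPv4 table keyed by (RD, prefix): the same IPv4 prefix from two VPNs
        # does not collide because the RDs differ.
        self.vpnv4_table: Dict[Tuple[str, str], VpnV4Route] = {}

    def receive(self, route: VpnV4Route) -> List[str]:
        """Process one MP-iBGP update; return the VRFs that imported it. An empty list
        means no import RT matched and the PE discarded the route, as the slide states."""
        accepted = [v for v in self.vrfs if v.import_rts & route.export_rts]
        if not accepted:
            return []
        self.vpnv4_table[(route.rd, route.prefix)] = route
        for vrf in accepted:
            vrf.routes[route.prefix] = route  # RD stripped: the VRF holds IPv4 routes
        return [v.name for v in accepted]

    def withdraw(self, rd: str, prefix: str) -> None:
        """MP_UNREACH_NLRI for (RD, prefix): drop the VPN-IPv4 entry and its VRF copies,
        leaving an identical prefix that arrived with a different RD untouched."""
        route = self.vpnv4_table.pop((rd, prefix), None)
        for vrf in self.vrfs:
            if route is not None and vrf.routes.get(prefix) is route:
                del vrf.routes[prefix]


def demo() -> Dict[str, object]:
    # Receiving PE (Shanghai): VPN-A; VPN-B also imports VPN-A, as in the slide's
    # "ip vrf VPN-B / vpn-target import VPN-A"; VPN-C is unrelated (constructed).
    vpn_a = Vrf("VPN-A", "1:27", {"VPN-A"}, {"VPN-A"})
    vpn_b = Vrf("VPN-B", "1:28", {"VPN-B", "VPN-A"}, {"VPN-B"})
    vpn_c = Vrf("VPN-C", "1:29", {"VPN-C"}, {"VPN-C"})
    pe = ReceivingPe([vpn_a, vpn_b, vpn_c])

    # Transmitting PE-1 (Beijing, loopback 197.26.15.1) exports from its own VRFs.
    bj_a = Vrf("VPN-A", "1:27", {"VPN-A"}, {"VPN-A"})
    bj_c = Vrf("VPN-C", "1:29", {"VPN-C"}, {"VPN-C"})
    out: Dict[str, object] = {}
    out["149.27.2.0/24"] = pe.receive(export_from_vrf(bj_a, "149.27.2.0/24", "197.26.15.1", 28))
    # The same 10.1.0.0/16 is used by VPN-A and VPN-C (different VPNs, same address space).
    out["10.1.0.0/16 A"] = pe.receive(export_from_vrf(bj_a, "10.1.0.0/16", "197.26.15.1", 29))
    out["10.1.0.0/16 C"] = pe.receive(export_from_vrf(bj_c, "10.1.0.0/16", "197.26.15.1", 30))
    out["unmatched"] = pe.receive(VpnV4Route("7:7", "10.9.0.0/16", "197.26.15.1", 31, {"VPN-Z"}))
    out["vpnv4_entries"] = len(pe.vpnv4_table)
    pe.withdraw("1:27", "10.1.0.0/16")  # VPN-A's copy goes; VPN-C's copy stays
    out["after_withdraw"] = {v.name: "10.1.0.0/16" in v.routes for v in pe.vrfs}
    return out
```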
Basic Intranet Model
[Figure: VPN A with Site-1 to Site-4 attached to two PEs across the MPLS/VPN backbone (P routers in the core). Over MP-iBGP one PE advertises the Site-1 and Site-2 routes with RT=VPN-A and the other advertises the Site-3 and Site-4 routes with RT=VPN-A, so the VRF at every site ends up holding the routes of Site-1, Site-2, Site-3 and Site-4.]
MPLS/VPN Label Distribution
[Figure: LSP from the Shanghai PE to PE-1's loopback 197.26.15.1/32 in Beijing. LFIB entries: Shanghai PE: In -, FEC 197.26.15.1/32, Out 41; P router: In 41, FEC 197.26.15.1/32, Out POP; PE-1: In -, FEC 197.26.15.1/32, Out -. LDP messages: PE-1 advertises "use label implicit-null for destination 197.26.15.1/32"; the P router advertises "use label 41 for destination 197.26.15.0/24". MP-iBGP VPN-v4 update from PE-1: RD 1:27:149.27.2.0/24, NH=197.26.15.1, RT=VPN-A, Label=28; 149.27.2.0/24 is behind PE-1 in Beijing.]
- PE and P routers obtain reachability to the BGP next hop via the backbone IGP.
- IGP and LDP distribute labels and establish LSPs, providing an LSP to the BGP next hop.
- The label stack is used for packet forwarding: the outer label indicates how to reach the BGP next hop, and the inner label identifies the outgoing interface of the packet or the VRF (VPN) it belongs to.
- MPLS nodes forward based on the outer label only, regardless of the inner label.
MPLS/VPN Packet Forwarding-1
[Figure: a packet for 149.27.2.27 enters the Shanghai PE from the CE. VPN-A VRF: 149.27.2.0/24, NH=197.26.15.1, Label=28. LFIB: In -, FEC 197.26.15.1/32, Out 41. The packet leaves with label stack 41 (outer) over 28 (inner), toward PE-1 in Beijing.]
When the ingress PE receives an ordinary IP packet from the CE, it looks the packet up in the VPN forwarding table of the VRF bound to the ingress interface, finding the next hop and the labels to push.
MPLS/VPN Packet Forwarding-2
[Figure: the packet for 149.27.2.27 arrives at the P router with labels 41 over 28. P router LFIB: In 41, FEC 197.26.15.1/32, Out POP, so it leaves with label 28 only. PE-1 (Beijing) LFIB: In 28(V), FEC 149.27.2.0/24, Out -; VPN-A VRF: 149.27.2.0/24, NH=Beijing CE. The packet reaches the CE as plain IP.]
- The penultimate-hop router pops the outer label and sends the packet to the egress PE according to the next hop.
- The egress PE router determines the destination CE from the inner label.
- It pops the inner label and forwards the packet to the destination CE as an ordinary IP packet.
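The three forwarding steps of the last two slides (ingress PE push, penultimate-hop pop, egress PE inner-label lookup) carried out on the figures' values. This is an added Python example, not part of the original course material; the prefix 149.27.2.0/24, PE-1 loopback 197.26.15.1, VPN label 28 and transport label 41 come from the figures, while the router names, interface names and the CE next hop are constructed.

```python
"""Label-stack forwarding of one VPN packet across the slides' MPLS/VPN backbone:
ingress PE (Shanghai) -> P router (penultimate hop) -> egress PE-1 (Beijing) -> CE.
Added example (not from the slides); router names, interfaces and the CE are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IMPLICIT_NULL = 3  # LDP implicit-null ("POP"): the penultimate hop removes the outer label


@dataclass
class Packet:
    dst: str
    labels: List[int] = field(default_factory=list)  # labels[0] is the outer (top) label
    trace: List[str] = field(default_factory=list)   # one entry per forwarding decision


@dataclass
class VrfRoute:
    prefix: str
    next_hop: str                    # remote PE loopback, or the CE for local routes
    vpn_label: Optional[int] = None  # inner label learned via MP-iBGP (remote routes)
    out_iface: Optional[str] = None  # CE-facing interface (local routes)


@dataclass
class Router:
    name: str
    lfib: Dict[int, Tuple[int, str]] = field(default_factory=dict)  # in label -> (out label, next hop)
    fib: Dict[str, Tuple[int, str]] = field(default_factory=dict)   # PE loopback/32 -> (out label, next hop)
    iface_vrf: Dict[str, str] = field(default_factory=dict)         # CE-facing interface -> VRF
    label_to_vrf: Dict[int, str] = field(default_factory=dict)      # inner label -> VRF (egress PE)
    vrfs: Dict[str, List[VrfRoute]] = field(default_factory=dict)

    def vrf_lookup(self, vrf: str, dst: str) -> VrfRoute:
        """Longest-prefix match inside one VRF; a miss is a drop, never a global-table lookup."""
        addr = ipaddress.IPv4Address(dst)
        hits = [r for r in self.vrfs[vrf] if addr in ipaddress.IPv4Network(r.prefix)]
        if not hits:
            raise LookupError(f"{self.name}: no route to {dst} in VRF {vrf}")
        return max(hits, key=lambda r: ipaddress.IPv4Network(r.prefix).prefixlen)

    def ingress(self, pkt: Packet, in_iface: str) -> str:
        """Ingress PE: the ingress interface selects the VRF; the VRF route gives the BGP
        next hop and inner label; the LSP to that next hop gives the outer label."""
        vrf = self.iface_vrf[in_iface]
        route = self.vrf_lookup(vrf, pkt.dst)
        outer, nh = self.fib[route.next_hop + "/32"]
        pkt.labels = [outer, route.vpn_label]
        pkt.trace.append(f"{self.name}: VRF {vrf} -> NH {route.next_hop}, push {pkt.labels}")
        return nh

    def transit(self, pkt: Packet) -> str:
        """P router: swap or pop the outer label only; the inner label is never examined."""
        out, nh = self.lfib[pkt.labels[0]]
        if out == IMPLICIT_NULL:
            pkt.labels.pop(0)
            pkt.trace.append(f"{self.name}: pop outer label -> {nh}")
        else:
            pkt.labels[0] = out
            pkt.trace.append(f"{self.name}: swap outer label to {out} -> {nh}")
        return nh

    def egress(self, pkt: Packet) -> str:
        """Egress PE: the remaining inner label selects the VRF; pop it, route as plain IP."""
        vrf = self.label_to_vrf[pkt.labels.pop(0)]
        route = self.vrf_lookup(vrf, pkt.dst)
        pkt.trace.append(f"{self.name}: label -> VRF {vrf}, IP forward to {route.next_hop}")
        return route.out_iface


def build_network() -> Dict[str, Router]:
    shanghai = Router("PE-Shanghai", iface_vrf={"GE0/0/1": "VPN-A"})
    shanghai.vrfs["VPN-A"] = [VrfRoute("149.27.2.0/24", "197.26.15.1", vpn_label=28)]
    shanghai.fib["197.26.15.1/32"] = (41, "P")           # LDP: label 41 toward PE-1's loopback
    p = Router("P", lfib={41: (IMPLICIT_NULL, "PE-1")})  # PE-1 advertised implicit-null
    pe1 = Router("PE-1", label_to_vrf={28: "VPN-A"})
    pe1.vrfs["VPN-A"] = [VrfRoute("149.27.2.0/24", "CE-1", out_iface="Serial1/0/0")]
    return {"PE-Shanghai": shanghai, "P": p, "PE-1": pe1}


def forward(net: Dict[str, Router], dst: str) -> Packet:
    """Carry one packet from the Shanghai CE-facing interface to the Beijing CE."""
    pkt = Packet(dst)
    nh = net["PE-Shanghai"].ingress(pkt, "GE0/0/1")
    nh = net[nh].transit(pkt)
    out_iface = net[nh].egress(pkt)
    pkt.trace.append(f"delivered on {out_iface}, label stack {pkt.labels}")
    return pkt
```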
Cross-AS MPLS/VPN (1)
[Figure: VPN-A and VPN-B sites (Site1 to Site4) attach to PEs in two autonomous systems; MPLS LDP runs inside each AS and the two ASBRs exchange VPN routes over MP-EBGP.]
Cross-AS MPLS/VPN (2)
[Figure: VRF-to-VRF connection between AS100 and AS200. The border routers act as PE/CE toward each other; route 172.1.1.0/24 (next hop 172.1.1.1) is shown with labels 10, 18, 20 and 30 along the path.]
Cross-AS MPLS/VPN (3)
[Figure: MP-EBGP between the AS100 and AS200 border routers and MP-IBGP inside each AS; the P routers run MPLS LDP. Route 172.1.1.0/24 (next hop 172.1.1.1) is shown with label stacks of 100, 200 and 300 over 10, 20, 30, 40 and 50 along the path.]
MPLS/VPN Internet Connection
- In an MPLS VPN, some sites require access to the Internet.
- To access the Internet, the following conditions must be met:
  - A route to the Internet is available.
  - Every Internet destination is reachable from the site.
  - Security of the VPN network is preserved (the VPN's private routes stay isolated from the Internet).
- Access modes:
  - Configure a static route.
  - Configure a separate (sub-)interface that is not bound to the VRF.
MPLS VPN Internet Access (Configure the Static Default Route - PE)
[Figure: Site-1 and Site-2 attach to PE routers of the MPLS/VPN backbone. PE-IG (the Internet gateway PE, 192.168.1.1) connects over Serial0 to the Internet, shown as network 171.68.0.0/16; the Site-2 PE has address 192.168.1.2. BGP-4 runs toward the Internet, MP-BGP between the PEs.]
Configuration shown in the figure:
  ip route-static 171.68.0.0 255.255.0.0 Serial0
  ip route-static vpn-instance VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 public
The first command, on PE-IG, points the Internet network 171.68.0.0/16 at the Internet-facing interface Serial0 in the global (public) routing table. The second command, on the Site-2 PE, installs a default route in VPN instance VPN-A whose next hop 192.168.1.1 (PE-IG) is resolved in the public routing table rather than in the VRF, so Internet-bound traffic from the VPN is carried across the backbone to PE-IG.

MPLS/VPN Internet Connection (Configure the Static Default Route - CE)
[Figure: the Site-2 VRF holds 0.0.0.0/0 via 192.168.1.1 (public) alongside the Site-1 and Site-2 routes; the global table and LFIB hold 192.168.1.1/32 with Label=3 and 192.168.1.2/32 with Label=5. An IP packet for huawei.com from Site-2 is forwarded with label 3 across the backbone to PE-IG and on to the Internet as a plain IP packet.]
MPLS VPN Internet Access (Configure the Sub-interface)
[Figure: the Site-2 CE connects to its PE over two sub-interfaces. CE routing table: Site-2 routes -> Serial0.1, Internet routes -> Serial0.2. Serial0.1 carries the VPN (Site-2) traffic; Serial0.2 belongs to the PE's global table, where Internet routes point to 192.168.1.1 (PE-IG) with Label=3. An IP packet for huawei.com leaves the CE on Serial0.2, is forwarded by the PE with label 3 to PE-IG and reaches the Internet network 171.68.0.0/16.]
Summary
- Understand VPN classification
- Master the MPLS L3 VPN forwarding process
- Master MPLS L3 VPN configuration
- Know how cross-AS MPLS L3 VPN is implemented
- Master Internet access for MPLS L3 VPN