Layer 3 MPLS VPNs

A look at some of the details of Layer 3 MPLS VPNs.

In the previous two tips, I discussed traditional VPNs and CPE-based VPNs utilizing IPsec and compared some of the features of each with MPLS VPNs. The remainder of the tips that I write will focus on MPLS exclusively. MPLS is often called a provider-provisioned VPN and can support both Layer 3 and Layer 2 VPNs over an IP backbone. This article focuses on the Layer 3 VPNs.

Layer 3 MPLS VPNs are based on RFC 2547 and 2547bis. RFC 2547 is an IETF informational document only, and RFC 2547bis is an Internet draft. Neither of the two is a standard; however, the majority of the L3 MPLS vendors use these.

The basic components of a Layer 3 VPN are the P, PE and CE routers. The PE router sits at the edge of the provider's network and provides the interface between the customer edge (CE) router and the MPLS backbone. MPLS routers in the core are called Provider (P) routers, and they interconnect the PE routers at the edge. The CE routers exchange their routing tables with the PE routers via standard routing protocols (RIP, OSPF, EIGRP and BGP).

The PE routers store the routing updates from each customer's CE router in a VPN routing and forwarding table, or VRF. Each CE router has its own VRF on the PE. The customer then advertises all routes associated with that location to the PE. Once all the PE routers that connect to a particular customer have the customer's routing information in a VRF, the PE routers exchange that information using multiprotocol BGP. These routes and the corresponding VRFs make up the customer VPN.

To the customer, from a routing perspective, the CE routers appear as if connected via a traditional VPN. The customer can view the routing table on the CE router and see routes to remote sites just as they would with a traditional VPN. However, there are none of the complexities associated with a traditional VPN, such as the hassle of managing complex PVC meshing and routing protocol adjacencies. The routing adjacencies formed are between the CE and PE, not CE to CE. The CE has one interface to the MPLS cloud, and the MPLS provides full or partial meshing between the customer CEs attached to the network. This is one of the true benefits of Layer 3 MPLS VPNs. The provider handles all of the meshing and can provide any-to-any connectivity over a multitude of interface types. Previously, if a customer wanted to mesh their remote locations, they had to purchase leased lines and build a mesh of PVCs. The routing architecture and propagation of routes was up to the customer; the provider only ensured connectivity. With Layer 3 MPLS VPNs, all that is required is the advertisement of the routes to the PE. The provider handles the rest.
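As an added example that is not part of the original tip, here is a hypothetical Cisco IOS configuration for a single PE router serving two customers. The VRF names, AS numbers and RFC 5737 documentation addresses are assumptions chosen for illustration. It shows the pieces described above: one VRF per customer, the CE-facing interface placed into that VRF, a PE-CE routing protocol per customer (OSPF for one, eBGP for the other), and the MP-BGP VPNv4 session toward a second PE. The route-target import and export values are what decide which VRFs form a VPN, so they are the lines to review first: importing another customer's route target would pull that customer's routes into this VRF.

```cisco
! Hypothetical PE router configuration (example, not from the article)
ip cef
!
! One VRF per customer. The RD keeps overlapping customer prefixes
! distinct inside MP-BGP; the route targets define VPN membership.
ip vrf CUST-A
 rd 65000:101
 route-target export 65000:101
 route-target import 65000:101
!
ip vrf CUST-B
 rd 65000:102
 route-target export 65000:102
 route-target import 65000:102
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! Core-facing link toward a P router; MPLS is enabled only here
interface GigabitEthernet0/0
 description to P router
 ip address 198.51.100.1 255.255.255.252
 mpls ip
!
! CE-facing links. Both customers use the same 10.0.0.0/30 link
! addressing; the VRF assignment keeps the two tables separate.
interface GigabitEthernet0/1
 description CE of customer A
 ip vrf forwarding CUST-A
 ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet0/2
 description CE of customer B
 ip vrf forwarding CUST-B
 ip address 10.0.0.1 255.255.255.252
!
! PE-CE routing for customer A: a VRF-aware OSPF process. Remote
! sites learned via MP-BGP are redistributed back toward the CE.
router ospf 101 vrf CUST-A
 network 10.0.0.0 0.0.0.3 area 0
 redistribute bgp 65000 subnets
!
router bgp 65000
 bgp router-id 192.0.2.1
 ! iBGP session to the other PE (192.0.2.2), sourced from the loopback
 neighbor 192.0.2.2 remote-as 65000
 neighbor 192.0.2.2 update-source Loopback0
 !
 ! VPNv4 address family carries every customer's routes between PEs;
 ! extended communities are required so route targets are sent.
 address-family vpnv4
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 send-community extended
 exit-address-family
 !
 ! Customer A: OSPF-learned routes enter the VRF's BGP table
 address-family ipv4 vrf CUST-A
  redistribute ospf 101 vrf CUST-A
 exit-address-family
 !
 ! Customer B: eBGP directly with the CE; the prefix limit stops a
 ! misbehaving CE from flooding the PE with routes.
 address-family ipv4 vrf CUST-B
  neighbor 10.0.0.2 remote-as 65102
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 maximum-prefix 500
 exit-address-family
```

On the PE, `show ip route vrf CUST-A` and `show ip bgp vpnv4 vrf CUST-A` display what customer A's VRF actually holds; confirming that customer B's prefixes never appear there is the practical check that the per-customer isolation is intact. Note that the adjacency is between the CE and the PE only, as the text says: customer A's CE sees an ordinary OSPF neighbor, and customer B's CE sees an ordinary eBGP peer, while the provider's MPLS core carries the routes between sites.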

Layer 3 MPLS VPNs provide any-to-any connectivity for a customer with distributed geographic locations. The connectivity to the MPLS cloud is interface-agnostic and does not require the customer to provision and manage complex PVC meshing. In addition, the routing architecture is simplified immensely, as the customer only has to ensure that the CE routes are propagated to the PE router. The provider handles all the route propagation between the customer CE routers attached to the core. The only drawback to this solution is that the provider may not have the geographic footprint to reach all the customer locations. This can be cost-prohibitive if the customer has to purchase a local loop to the nearest PE router in the provider's POP. This is a limiting factor with MPLS deployment, especially for organizations that have international locations.

The next tip will discuss how multiprotocol BGP is used to propagate CE routes between PE routers, and how MPLS allows for customers with overlapping address space.

Robbie Harrell (CCIE#3873) is the National Practice Lead for Advanced Infrastructure Solutions for SBC Communications. He has over 10 years of experience providing strategic, business, and technical consulting services to clients. Robbie resides in Atlanta, and is a graduate of Clemson University. His background includes positions as a Principal Architect at International Network Services, Lucent, Frontway and Callisma.
