
Regional Telecom Training Centre

Trivandrum

Summer Training Programme

MPLS VPN

Chapter 1

MPLS Overview
1. Introduction

The exponential growth of the Internet over the past several years has placed a
tremendous strain on the service provider networks. Not only has there been an
increase in the number of users but there has been a multifold increase in connection
speeds, backbone traffic and newer applications. Initially ordinary data applications
required only store and forward capability in a best effort manner. The newer
applications like voice, multimedia traffic and real-time e-commerce applications are
pushing towards higher bandwidth and better guarantees, irrespective of the dynamic
changes or interruptions in the network.
To honour the service level guarantees, the service providers not only have to
provide large data pipes (which are also costlier), but also look for architectures
which can provide QoS guarantees and optimal performance with minimal increase
in the cost of network resources.

MPLS technology enables Service Providers to offer additional services for their
customers, scale their current offerings, and exercise more control over their growing
networks by using its traffic engineering capabilities.

IP routing and MPLS

In conventional IP forwarding, a particular router will typically consider two packets
to be in the same FEC (Forwarding Equivalence Class) if there is some address prefix X
in that router's routing tables such that X is the "longest match" for each packet's
destination address. As the packet traverses the network, each hop in turn
reexamines the packet and assigns it to a FEC.

On the other hand, in MPLS, the assignment of a particular packet to a particular
FEC is done just once, as the packet enters the network. The FEC to which the packet
is assigned is encoded as a label. When a packet is forwarded to its next hop, the
label is sent along with it. At subsequent hops, there is no further analysis of the
packet's network layer header. Rather, the label is used as an index into a table which
specifies the next hop, and a new label. The old label is replaced with the new label,
and the packet is forwarded to its next hop.

2. MPLS terminology

IP-based networks typically lack the quality-of-service features available in circuit-
based networks, such as Frame Relay and ATM. MPLS brings the sophistication of a
connection-oriented protocol to the connectionless IP world. Based on simple
improvements in basic IP routing, MPLS brings performance enhancements and service
creation capabilities to the network.
MPLS stands for Multiprotocol Label Switching; multiprotocol because its techniques
are applicable to ANY network layer protocol, of which IP is the most popular.
Before explaining MPLS, here are some of the terms which are used extensively in
MPLS jargon:

1. Forwarding Equivalence Class (FEC): a group of IP packets which are forwarded in
the same manner (e.g., over the same path, with the same forwarding treatment).

2. MPLS header: The 32-bit MPLS header contains the following fields:

i. The label field (20-bits) carries the actual value of the MPLS label.

ii. The Class of Service (CoS) field (3-bits) can affect the queuing and discard
algorithms applied to the packet as it is transmitted through the network. Since the
CoS field has 3 bits, 8 distinct service classes can be maintained.

iii. The Stack (S) field (1-bit) supports a hierarchical label stack. Although MPLS
supports a stack, the processing of a labeled packet is always based on the top label,
without regard for the possibility that some other labels may have been above it in
the past, or that some number of other labels may be below it at present. A value of 1
marks the bottom label of the stack.

iv. The TTL (time-to-live) field (8-bits) provides conventional IP TTL functionality.

Fig. MPLS Header
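The following Python code is an added example and is not part of the training document. It packs and unpacks the 32-bit MPLS header described above (label 20 bits, CoS 3 bits, S 1 bit, TTL 8 bits) and, going one step beyond the text, rejects field values that do not fit their width, so that an over-large value cannot silently spill into the neighbouring field. The sample values (label 1000, CoS 5, TTL 255) are constructed for the example.

```python
# Added example (not from the training document): encoding and decoding the
# 32-bit MPLS shim header. Field widths follow the text: label 20 bits,
# CoS/EXP 3 bits, S (bottom of stack) 1 bit, TTL 8 bits.
import struct

LABEL_MAX = (1 << 20) - 1   # 1,048,575
COS_MAX = (1 << 3) - 1      # 3 bits -> 8 classes, values 0..7
TTL_MAX = (1 << 8) - 1


def encode_mpls_header(label, cos=0, bottom_of_stack=False, ttl=64):
    """Return the 4-byte MPLS header (network byte order) for the given fields.

    Each field is range-checked so that a value too large for its width
    raises instead of corrupting the adjacent field.
    """
    if not 0 <= label <= LABEL_MAX:
        raise ValueError(f"label {label} does not fit in 20 bits")
    if not 0 <= cos <= COS_MAX:
        raise ValueError(f"CoS {cos} does not fit in 3 bits")
    if not 0 <= ttl <= TTL_MAX:
        raise ValueError(f"TTL {ttl} does not fit in 8 bits")
    word = (label << 12) | (cos << 9) | (int(bottom_of_stack) << 8) | ttl
    return struct.pack("!I", word)


def decode_mpls_header(data):
    """Parse the first 4 bytes of data into (label, cos, bottom_of_stack, ttl)."""
    if len(data) < 4:
        raise ValueError("an MPLS header needs 4 bytes")
    (word,) = struct.unpack("!I", data[:4])
    label = word >> 12            # top 20 bits
    cos = (word >> 9) & 0x7       # next 3 bits
    bottom = bool((word >> 8) & 0x1)
    ttl = word & 0xFF             # low 8 bits
    return label, cos, bottom, ttl


if __name__ == "__main__":
    # Constructed sample values.
    hdr = encode_mpls_header(label=1000, cos=5, bottom_of_stack=True, ttl=255)
    print(hdr.hex())                # 003e8bff
    print(decode_mpls_header(hdr))  # (1000, 5, True, 255)
```

Running the block prints the header as hex and the decoded tuple; the same functions can be pointed at the 4 bytes following the Layer 2 header of a captured frame.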

3. The MPLS label is encapsulated in a standardized MPLS header that is inserted
between the Layer 2 and IP headers.

Fig. L2, MPLS, L3 headers

4. MPLS label: a short, fixed-length, physically contiguous identifier which is used to
identify a FEC, usually of local significance.

5. In the MPLS architecture, a device that participates in packet forwarding is
called a Label Switching Router (LSR).

6. Label Switched Path (LSP): The path through one or more LSRs at one level of the
hierarchy which is followed by packets in a particular FEC.

3. MPLS Network Structure

As shown in the figure, the basic building block of an MPLS network is the LSR, and a
network consisting of LSRs is called an MPLS domain. An LSR located at the edge of
the domain and connected to a customer network is called a Label Edge Router
(LER). An LSR located inside the domain is called a core LSR. Labeled packets are
transmitted along an LSP composed of a series of LSRs. The LSR at which packets
enter the LSP is called the Ingress, and the LSR at which they leave is called the Egress.

Fig. MPLS architecture (figure labels: LSP, Ingress, Egress, MPLS core LSR, MPLS LER)

4. MPLS operations

Label push, label swap and label pop

PUSH:
A new label is pushed on top of the packet, effectively "encapsulating" the original IP
packet in a layer of MPLS.
SWAP:
Every incoming label is replaced by a new outgoing label (as per the path to be
followed) and the packet is forwarded along the path associated with the new label.
POP:
The label is removed from the packet, effectively "de-encapsulating" it. If the popped
label was the last on the label stack, the packet "leaves" the MPLS tunnel.

Fig. MPLS operations

The figure above shows the LSP, the path from source to destination for a data packet
through an MPLS-enabled network. LSPs are unidirectional in nature. The LSP is
usually derived from IGP routing information but can diverge from the IGP's preferred
path to the destination. The figure shows that the LSP for network 172.16.10.0/24 from
R4 is R4-R3-R2-R1.

As shown in fig., the following process takes place in the data forwarding path from
R4 to R1:

1. R4 receives a data packet for network 172.16.10.0 and identifies that the path to
the destination is MPLS enabled. Therefore, R4 applies label L3 (learned from
downstream router R3) to the packet and forwards the labeled packet to next-hop
router R3.

2. R3 receives the labeled packet with label L3 and swaps the label L3 with L2 and
forwards the packet to R2.

3. R2 receives the labeled packet with label L2 and swaps the label L2 with L1 and
forwards the packet to R1.

4. R1 is the border router between the IP and MPLS domains; therefore, R1 removes
the labels on the data packet and forwards the IP packet to destination network
172.16.10.0.
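The four steps above, as an added Python simulation that is not part of the training document. Router names, the prefix 172.16.10.0/24 and the label names L3, L2 and L1 come from the text; the numeric label values and the forwarding tables are constructed for the example. The ingress router classifies the packet into a FEC once by longest-prefix match and pushes a label, the transit routers look only at the top label and swap it, and the egress pops it. A packet whose top label has no entry on a router is recorded as dropped rather than forwarded, which is the behaviour a practitioner wants to see when a table is inconsistent.

```python
# Added example (not from the training document): push / swap / pop along the
# LSP R4-R3-R2-R1 for 172.16.10.0/24, driven by per-router label tables.
import ipaddress

# Constructed numeric values for the labels the text calls L3, L2 and L1
# (labels 0-15 are reserved, so ordinary labels start at 16).
LABEL_L3, LABEL_L2, LABEL_L1 = 303, 202, 101

# Ingress FEC table on R4: destination prefix -> (label to push, next hop).
FEC_TABLE_R4 = {
    ipaddress.ip_network("172.16.10.0/24"): (LABEL_L3, "R3"),
}

# Label forwarding tables on the LSRs:
# incoming label -> (action, outgoing label, next hop)
LFIB = {
    "R3": {LABEL_L3: ("swap", LABEL_L2, "R2")},
    "R2": {LABEL_L2: ("swap", LABEL_L1, "R1")},
    "R1": {LABEL_L1: ("pop", None, "172.16.10.0/24")},
}


def longest_match(table, dst_ip):
    """Return the most specific prefix in table containing dst_ip, or None."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [net for net in table if addr in net]
    return max(matches, key=lambda net: net.prefixlen) if matches else None


def forward(dst_ip, lfib=LFIB):
    """Simulate forwarding from R4 and return a list of
    (router, action, label stack after the action, next hop)."""
    trace = []
    # Ingress: the FEC decision is made exactly once, here.
    net = longest_match(FEC_TABLE_R4, dst_ip)
    if net is None:
        return trace  # no MPLS FEC; plain IP forwarding is not modelled
    label, next_hop = FEC_TABLE_R4[net]
    stack = [label]
    trace.append(("R4", "push", list(stack), next_hop))
    router = next_hop
    while stack:
        # Transit/egress: only the top label is consulted, never the IP header.
        entry = lfib.get(router, {}).get(stack[0])
        if entry is None:
            trace.append((router, "drop", list(stack), None))
            break
        action, out_label, next_hop = entry
        if action == "swap":
            stack[0] = out_label
        else:  # pop
            stack.pop(0)
        trace.append((router, action, list(stack), next_hop))
        router = next_hop
    return trace


if __name__ == "__main__":
    for hop in forward("172.16.10.5"):
        print(hop)
```

Running the block prints one line per router. Passing a modified LFIB with a missing entry to `forward` shows the packet being dropped at that router instead of continuing with a stale label.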

5. MPLS Applications
MPLS-Based VPN

In a traditional VPN, data flows between private networks across the public
packet-switched network are usually carried by tunneling protocols such as GRE,
L2TP and PPTP. In MPLS the LSP itself is the tunnel across the public network, so
realizing a VPN with MPLS has natural advantages. An MPLS-based VPN connects the
geographically separate branches of a private network by using LSPs, forming a
unified network.

Fig. MPLS-based VPN

The basic structure of an MPLS-based VPN is shown in the figure. CE is the customer
edge device; it may be a router, a switch, or even a host. PE is a service provider
edge router located at the edge of the backbone network. PE is responsible for
managing VPN customers, establishing LSP connections between the various PEs, and
distributing routes among the different branches of the same VPN.

MPLS-Based Traffic Engineering

Network congestion is the main problem affecting backbone network performance.
Usually the network is congested because network resources are insufficient or
unevenly loaded, which causes congestion in parts of the network. Traffic
engineering is used to solve the congestion due to unbalanced load. By dynamically
monitoring network traffic and the load on each network element, and then
adjusting traffic management parameters, routing parameters and resource
constraint parameters in real time, traffic engineering optimizes the use of network
resources and prevents network congestion accordingly.

The existing IGPs are all topology-driven and take only the static connectivity
of the network into account. Dynamic state such as bandwidth and traffic
characteristics cannot be reflected. This is the main cause of unbalanced network
load. MPLS, unlike the IGPs, satisfies the requirements of traffic engineering: it
supports explicit LSP routing that can differ from the routing protocol's path.
Compared with traditional hop-by-hop IP packet forwarding, an LSP is more
convenient to manage and maintain.

MPLS QoS

QoS represents the set of techniques necessary to manage network bandwidth,
delay, jitter, and packet loss. From a business perspective, it is essential to assure
that the critical applications are guaranteed the network resources they need,
despite varying network traffic load.

Service providers offering MPLS VPN and traffic engineering (TE) services can
now differentiate themselves by providing varying levels of QoS for different types
of network traffic. For example, voice-over-IP (VoIP) traffic receives service with
assured minimums of delay and bandwidth, while e-commerce traffic might receive
a minimum bandwidth guarantee (but not a delay guarantee). DiffServ is one of the
QoS architectures for IP networks defined by the IETF. Cisco IOS MPLS supports the
IETF DiffServ architecture by making the rich set of Cisco QoS functions MPLS
aware, and by enabling the features to act on the MPLS packets.

Chapter 2

MPLS VPN
1. VPN Overview

MPLS technology is being widely adopted by service providers worldwide to implement
VPNs that connect geographically separated customer sites. The following section
presents the terminology and operation of the various devices in an MPLS network
used to provide VPN services to customers.

VPNs were originally introduced to enable service providers to use common physical
infrastructure to implement emulated point-to-point links between customer sites. A
customer network implemented with any VPN technology would contain distinct
regions under the customer's control called the customer sites connected to each
other via the service provider (SP) network. In traditional router-based networks,
different sites belonging to the same customer were connected to each other using
dedicated point-to-point links. The cost of implementation depended on the number
of customer sites to be connected with these dedicated links. A full mesh of
connected sites would consequently imply an exponential increase in the cost
associated.

Frame Relay and ATM were the first technologies widely adopted to implement VPNs.
These networks consisted of various devices, belonging to either the customer or the
service provider, that were components of the VPN solution. Generically, the VPN
realm would consist of the following regions:

• Customer network— Consisted of the routers at the various customer sites.
The routers connecting individual customers' sites to the service provider
network were called customer edge (CE) routers.
• Provider network— Used by the service provider to offer dedicated point-to-
point links over infrastructure owned by the service provider. Service provider
devices to which the CE routers were directly attached were called provider
edge (PE) routers. In addition, the service provider network might consist of
devices used for forwarding data in the SP backbone called provider (P)
routers.

2. MPLS VPNs
The figure below shows the MPLS VPN architecture.

Figure. MPLS VPN Network Architecture

In the MPLS VPN architecture, the edge routers carry customer routing information,
providing optimal routing for traffic belonging to the customer for inter-site traffic.
The MPLS-based VPN model also accommodates customers using overlapping address
spaces, unlike the traditional peer-to-peer model in which optimal routing of
customer traffic required the provider to assign IP addresses to each of its customers
(or the customer to implement NAT) to avoid overlapping address spaces. MPLS VPN is
an implementation of the peer-to-peer model; the MPLS VPN backbone and customer
sites exchange Layer 3 customer routing information, and data is forwarded between
customer sites using the MPLS-enabled SP IP backbone.

The MPLS VPN domain, like the traditional VPN, consists of the customer network and
the provider network. The MPLS VPN model is very similar to the dedicated PE router
model in a peer-to-peer VPN implementation. However, instead of deploying a
dedicated PE router per customer, customer traffic is isolated on the same PE router
that provides connectivity into the service provider's network for multiple customers.

3. MPLS VPN components

The main components of the MPLS VPN architecture are:

• Customer network, which is usually a customer-controlled domain consisting
of devices or routers spanning multiple sites belonging to the customer. In fig.,
the customer network for Customer A consists of the routers CE1-A and CE2-A
along with devices in the Customer A sites 1 and 2.
• CE routers, which are routers in the customer network that interface with the
service provider network. In fig., the CE routers for Customer A are CE1-A and
CE2-A, and the CE routers for Customer B are CE1-B and CE2-B.
• Provider network, which is the provider-controlled domain consisting of
provider edge and provider core routers that connect sites belonging to the
customer on a shared infrastructure. The provider network controls the traffic
routing between sites belonging to a customer along with customer traffic
isolation. In fig., the provider network consists of the routers PE1, PE2, P1, P2,
P3, and P4.
• PE routers, which are routers in the provider network that interface or
connect to the customer edge routers in the customer network. PE1 and PE2
are the provider edge routers in the MPLS VPN domain for customers A and B in
fig.
• P routers, which are routers in the core of the provider network that interface
with either other provider core routers or provider edge routers. Routers P1,
P2, P3, and P4 are the provider routers in fig.

4. L3 and L2 MPLS VPNs

Layer 3 VPNs: With L3 VPNs the service provider participates in the customer's Layer
3 routing. The customer's CE router at each of his sites speaks a routing protocol such
as BGP or OSPF to the provider's PE router, and the IP prefixes advertised at each
customer site are carried across the provider network. L3 VPNs are attractive to
customers who want to leverage the service provider's technical expertise to ensure
efficient site-to-site routing.

Layer 2 VPNs: The provider interconnects the customer sites via the Layer 2
technology – usually ATM, Frame Relay, or Ethernet – of the customer’s choosing. The
customer implements whatever Layer 3 protocol he wants to run, with no
participation by the service provider at that level. L2 VPNs are attractive to
customers who want complete control of their own routing; they are attractive to
service providers because they can serve up whatever connectivity the customer
wants simply by adding the appropriate interface in the PE router.

5. L3 MPLS VPN Routing Model

An MPLS VPN implementation is very similar to a dedicated router peer-to-peer model
implementation. From a CE router's perspective, only IPv4 updates, as well as data,
are forwarded to the PE router. The CE router does not need any specific
configuration to enable it to be a part of an MPLS VPN domain. The only requirement
on the CE router is a routing protocol (or a static/default route) that enables the
router to exchange IPv4 routing information with the connected PE router.

In the MPLS VPN implementation, the PE router performs multiple functions. The PE
router must first be capable of isolating customer traffic if more than one customer is
connected to the PE router. Each customer, therefore, is assigned an independent
routing table similar to a dedicated PE router in the initial peer-to-peer discussion.
Routing across the SP backbone is performed using a routing process in the global
routing table. P routers provide label switching between provider edge routers and
are unaware of VPN routes. CE routers in the customer network are not aware of the
P routers and, thus, the internal topology of the SP network is transparent to the
customer. Fig. below depicts the PE router's functionality.

Figure. MPLS VPN routing model

The P routers are only responsible for label switching of packets. They do not carry
VPN routes and do not participate in MPLS VPN routing. The PE routers exchange IPv4
routes with connected CE routers using individual routing protocol contexts. To
enable scaling the network to a large number of customer VPNs, multiprotocol BGP is
configured between PE routers to carry customer routes.

VRF: Virtual Routing and Forwarding Table

Customer isolation is achieved on the PE router by the use of virtual routing tables or
instances, also called virtual routing and forwarding tables/instances (VRFs). In
essence, it is similar to maintaining multiple dedicated routers for customers
connecting into the provider network. The function of a VRF is similar to that of the
global routing table, except that it contains only the routes pertaining to a specific
VPN rather than all routes. The VRF also contains a VRF-specific CEF (Cisco Express
Forwarding) forwarding table analogous to the global CEF table and defines the
connectivity requirements and protocols for each customer site on a single PE router.
The VRF defines the routing protocol contexts that are part of a specific VPN as well as
the interfaces on the local PE router that are part of that VPN and, hence, use
the VRF. An interface that is part of a VRF must support CEF switching. The
number of interfaces that can be bound to a VRF is limited only by the number of
interfaces on the router, and a single interface (logical or physical) can be associated
with only one VRF.

The VRF contains an IP routing table analogous to the global IP routing table, a CEF
table, list of interfaces that are part of the VRF, and a set of rules defining routing
protocol exchange with attached CE routers (routing protocol contexts). In addition,
the VRF also contains VPN identifiers as well as VPN membership information (RD and
RT are covered in the next section). Fig. shows the function of a VRF on a PE router to
implement customer routing isolation.
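The following Python model is an added example and is not part of the training document. It shows the two properties of a VRF described in this section: a packet arriving on an interface is looked up only in the VRF that interface is bound to, so two customers can both use 10.1.1.0/24 without interfering, and an interface can be bound to only one VRF. The VRF names, interface names, prefixes and next hops are constructed for the example; the CE router names follow the page's naming style.

```python
# Added example (not from the training document): per-VRF routing tables on a
# single PE router. VRF, interface and prefix values are constructed.
import ipaddress


class VRF:
    """One customer's private routing table on the PE."""

    def __init__(self, name):
        self.name = name
        self.routes = {}        # ip_network -> next hop
        self.interfaces = set()

    def add_route(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst_ip):
        """Longest-prefix match within this VRF only."""
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for net, nh in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


class PERouter:
    def __init__(self):
        self.vrfs = {}
        self.iface_to_vrf = {}  # an interface belongs to at most one VRF

    def add_vrf(self, name):
        self.vrfs[name] = VRF(name)
        return self.vrfs[name]

    def bind_interface(self, iface, vrf_name):
        if iface in self.iface_to_vrf:
            raise ValueError(
                f"{iface} is already bound to VRF {self.iface_to_vrf[iface]}")
        self.iface_to_vrf[iface] = vrf_name
        self.vrfs[vrf_name].interfaces.add(iface)

    def route(self, ingress_iface, dst_ip):
        """Return (vrf name, matched prefix, next hop), or None when the
        packet's VRF has no route. The VRF is chosen by ingress interface
        before any lookup, so another customer's table is never consulted."""
        vrf_name = self.iface_to_vrf.get(ingress_iface)
        if vrf_name is None:
            return None  # global-table interface; not modelled here
        hit = self.vrfs[vrf_name].lookup(dst_ip)
        if hit is None:
            return None
        return (vrf_name, str(hit[0]), hit[1])


def build_pe():
    """Constructed PE with two customers using the same private prefix."""
    pe = PERouter()
    cust_a = pe.add_vrf("CustA")
    cust_b = pe.add_vrf("CustB")
    cust_a.add_route("10.1.1.0/24", "CE1-A")
    cust_b.add_route("10.1.1.0/24", "CE1-B")
    cust_b.add_route("192.168.5.0/24", "CE2-B")
    pe.bind_interface("Gi0/1", "CustA")
    pe.bind_interface("Gi0/2", "CustB")
    return pe


if __name__ == "__main__":
    pe = build_pe()
    print(pe.route("Gi0/1", "10.1.1.7"))  # ('CustA', '10.1.1.0/24', 'CE1-A')
    print(pe.route("Gi0/2", "10.1.1.7"))  # ('CustB', '10.1.1.0/24', 'CE1-B')
```

The same destination address resolves to a different customer's CE depending only on the ingress interface, and a destination known only in Customer B's VRF is unreachable from Customer A's interface.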

Figure. VRF Implementation on PE Router

As shown in the figure, Cisco IOS supports a variety of routing protocols as well as
multiple routing processes (OSPF, EIGRP, etc.) per router. However, for some routing
protocols, such as RIP and BGP, IOS supports only a single instance of the routing
protocol. Therefore, to implement per-VRF routing with these protocols in a way that
is completely isolated from other VRFs that might use the same PE-CE routing
protocol, the concept of a routing context was developed.

Routing contexts were designed to support isolated copies of the same VPN PE-CE
routing protocols. These routing contexts can be implemented as either separated
processes, as in the case of OSPF, or as multiple instances of the same routing
protocol (in BGP, RIP, etc.). If multiple instances of the same routing protocol are in
use, each instance has its own set of parameters.

Cisco IOS currently supports RIPv2 (multiple contexts), EIGRP (multiple contexts),
OSPFv2 (multiple processes), and BGPv4 (multiple contexts) as routing protocols
that can be used per VRF to exchange customer routing information between CE
and PE.

Note that the VRF interfaces can be either logical or physical, but each interface can
be assigned to only one VRF.

Chapter 3

FAQs
1. MPLS

Q. What is Multi-Protocol Label Switching (MPLS)?

A. MPLS is a packet-forwarding technology which uses labels to make
data forwarding decisions. With MPLS, the Layer 3 header analysis is done just
once (when the packet enters the MPLS domain). Label inspection drives
subsequent packet forwarding. MPLS provides these beneficial applications:

• Virtual Private Networking (VPN)
• Traffic Engineering (TE)
• Quality of Service (QoS)

Additionally, it decreases the forwarding overhead on the core routers. MPLS
technologies are applicable to any network layer protocol.

Q. What is a label? What is the structure of the label?

A. A label is a short, four-byte, fixed-length, locally-significant identifier
which is used to identify a Forwarding Equivalence Class (FEC). The label
which is put on a particular packet represents the FEC to which that packet is
assigned.

• Label—Label Value (Unstructured), 20 bits
• Exp—Experimental Use, 3 bits; currently used as a Class of
Service (CoS) field.
• S—Bottom of Stack, 1 bit
• TTL—Time to Live, 8 bits

Q. Where will the label be imposed in a packet?

A. The label is imposed between the data link layer (Layer 2) header
and the network layer (Layer 3) header. The top of the label stack appears first in
the packet, and the bottom appears last. The network layer packet
immediately follows the last label in the label stack.

Q. What is a Forwarding Equivalence Class (FEC)?

A. FEC is a group of IP packets which are forwarded in the same
manner, over the same path, and with the same forwarding treatment. An
FEC might correspond to a destination IP subnet, but it also might correspond
to any traffic class that the Edge-LSR considers significant.

Q. How does the LSR know which is the top label, bottom label, and a middle
label of the label stack?

A. The label immediately after the Layer 2 header is the top label, and the label with
the S bit set to 1 is the bottom label. No application requires the LSR to read or
identify the middle labels. However, a label is a middle label if it is not at the top of
the stack and its S bit is set to 0.
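The walk described in the answers above (top label first after the Layer 2 header, bottom label marked by S=1, network layer packet immediately after it), as an added Python example that is not part of the training document. The sample three-label stack (transport label 16001, a middle label 1000, and VPN label 24 at the bottom) is constructed for the example. The parser stops at the first entry with S=1 and refuses a stack that reaches the end of the data without one, which is the malformed case a receiver must reject rather than read past the end of the packet.

```python
# Added example (not from the training document): parsing a label stack and
# classifying each entry as top, middle or bottom from its position and S bit.
import struct


def mpls_entry(label, bottom, cos=0, ttl=64):
    """Build one 4-byte label stack entry (used here to construct sample input)."""
    return struct.pack("!I", (label << 12) | (cos << 9) | (int(bottom) << 8) | ttl)


def parse_label_stack(data):
    """Read label entries from the start of data until the bottom-of-stack bit.

    Returns (entries, payload_offset). Each entry is a dict with the label,
    cos and ttl fields plus is_top / is_middle / is_bottom flags.
    Raises ValueError if the data ends before an entry with S=1 is found.
    """
    entries = []
    offset = 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("label stack not terminated: no entry with S=1")
        (word,) = struct.unpack_from("!I", data, offset)
        offset += 4
        bottom = bool((word >> 8) & 1)
        is_top = offset == 4            # first entry after the Layer 2 header
        entries.append({
            "label": word >> 12,
            "cos": (word >> 9) & 0x7,
            "ttl": word & 0xFF,
            "is_top": is_top,
            "is_bottom": bottom,
            "is_middle": (not is_top) and (not bottom),
        })
        if bottom:
            # The network layer packet starts right here.
            return entries, offset


# Constructed sample: three labels followed by the first byte of an IPv4 header.
SAMPLE_STACK = (mpls_entry(16001, False)
                + mpls_entry(1000, False)
                + mpls_entry(24, True)
                + b"\x45")


if __name__ == "__main__":
    entries, payload_at = parse_label_stack(SAMPLE_STACK)
    for e in entries:
        print(e)
    print("payload starts at byte", payload_at)  # 12
```

A one-entry stack is both top and bottom, and the flags reflect that; a stack cut short before its bottom entry raises instead of returning a partial result.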

2. MPLS VPN

Q. What is IP VPN Service?

VPN is an acronym for Virtual Private Network. An IP VPN Service offers exclusive
and private interconnectivity using the Internet Protocol to computers or Local Area
Networks (LANs) across the country.
Q. How can the IP VPN service benefit businesses?

Businesses can extend their LANs and computers at various locations across the
country and interconnect them over an IP VPN, enabling online communication that
can enhance business efficiency.

Q. Why do enterprises need VPN?

Some of the important reasons why enterprises need VPN are:

High cost and complexity of private networks on leased line deployment,
maintenance, upgradation and expansion. These investments divert the main focus
from the core business areas of the enterprise.

Increasingly dispersed mobile workforce requires constant contact with the
enterprise LAN. This is possible through Dial-VPN service, which is a small value
added service over the VPN platform.

Flexible reconfiguration allows instantaneous addition/deletion of connections
without any major investment.

Rise in Internet-based applications and continually evolving technology allow the
enterprise to avail of several value-added services that the Service Provider will
offer in future over the same IP network infrastructure in a cost-effective manner.
Examples are bandwidth on demand, VoIP, multicasting, and interactive applications.

Yes, a dial customer can be provided access to a VPN through what is known as an
L2TP (Layer 2 Tunneling Protocol) tunnel.
Q. How secure is IP VPN service?

A VPN by itself is an isolated entity and therefore has no possibility of outside
intrusion. The security in case of interconnection with other networks will be the
customer's responsibility.
Q. What are the two types of MPLS VPNs? What is the difference between them?

Layer 2 VPNs and Layer 3 VPNs. In an L2 VPN, the customer's routing information is not
communicated to the Service Provider, whereas in an L3 VPN the customer's routing
updates are sent to the provider router.

Q. What alternatives are there for implementing VPNs over MPLS?

There are multiple proposals for using MPLS to provision IP-based VPNs. One
proposal (MPLS/BGP VPNs) enabled MPLS-VPNs via extensions to Border Gateway
Protocol (BGP). In this approach, BGP propagates VPN-IPv4 information using the BGP
multiprotocol extensions (MP-BGP) for handling these extended addresses. It
propagates reachability information (VPN-IPv4 addresses) among Edge Label Switch
Routers (Provider Edge routers). The reachability information for a given VPN is
propagated only to other members of that VPN. The BGP multiprotocol extensions
identify the valid recipients for VPN routing information. All the members of the VPN
learn routes to other members.

Another proposal for using MPLS to create IP VPNs is based on the idea of
maintaining separate routing tables for the various virtual private networks and does
not involve BGP.
