
Tutorial

Virtual Private Networks


RFC2547bis: BGP/MPLS VPN

Hadi A. HMIDA PhD


R&D, STC- Sept. 2003

Abstract: This document describes the IP-VPN fundamentals defined in RFC 2547bis. This method provides Layer 3 VPN (IP/MPLS VPN), mainly to business customers, over an IP/MPLS backbone. The customer site is connected to the backbone through routers: the customer edge router (CE) at the customer site and the provider edge router (PE) at the network site. Both CE and PE routers can be attached to each other, or to end systems, in a variety of different ways: PPP connections, ATM VCs, Frame Relay DLCIs, Ethernet interfaces, VLANs on Ethernet interfaces, L2TP tunnels, IPSec tunnels. Sometimes a Layer 2 switch is physically attached to the PE router. In this case the layer 2 switch is NOT the CE device. The CE devices are the hosts and routers that communicate with the PE router through the layer 2 switches (which are supposed to be transparent). Each CE router sends its routes to the PE router. BGP is used to exchange the routes of a particular VPN among the PE routers that are attached to that VPN. Routes from different VPNs remain distinct and separate even if their address spaces overlap. All these aspects are discussed below.

1. Virtual Private Networks (VPNs)

The general VPN concept (in terms of privacy and security) is an old one, initially introduced in the traditional public networks (PSTN, PSN) to communicate data privately between limited groups of users (i.e., closed user group (CUG), bilateral CUG, and CUG with outgoing access…). The emergence of a multitude of community interests, of companies with many branches, and the development of networking technologies have driven the expansion of the VPN concept to cover voice, data, and video. There are three types of Virtual Networks, see Fig. (1). First, traditional remote-access VPNs allow home workers using dial-up, DSL or wireless (virtual dial-up networks) to access their corporate data networks; second, VLANs are used to build LANs; and the last one, site-to-site VPNs, use the public network infrastructure (Internet and provider's network) to provide remote branch offices or individual users with private communication and secure access to their organization's network. Their implementation can follow either the overlay or the peer-to-peer model. In the overlay VPN model (the easiest), the service provider provides emulated leased lines to the customer (VCs, PVCs or SVCs). The peer-to-peer VPN model was introduced to alleviate the drawbacks of the overlay model: the service provider and the customer use the same layers (L2 or L3) to exchange information.

[Fig. (1): VPN classification based on underlying technologies
Virtual Networks: Virtual Private Networks, Virtual Dial-up networks, Virtual LAN.
Virtual Private Networks: Overlay VPN (Layer 2 VPN: X25/FR/ATM; Layer 3 VPN: IPSec) and Peer-to-Peer VPN (Layer 3 VPN: MPLS VPN).]

If all the sites in a VPN are owned by the same enterprise, the VPN is a corporate "intranet". If the various sites in a VPN are owned by different enterprises, the VPN is an "extranet".

This document describes the processing mechanism of BGP/MPLS VPN between the customers and the backbone. In order to understand it better, the communication protocols between layer 1 and layer 3 of the OSI reference model and the MPLS protocol are first discussed briefly.
2. Peer-To-Peer Communications Concept

In networking, the dialogue between devices follows a peer-to-peer communication model in which each party has the same capabilities and either party can initiate a communication session. The examples below demonstrate this concept. Routers use their Network layers to communicate peer to peer (L3 to L3) through the Data Link and Physical layers, see Fig. (2). In networking diagrams, the physical connections of devices, materialized by a link, represent the physical layer. In some cases these links may have another meaning, called a logical connection, which is associated with the data link layer and means that the physical connection does not exist directly between the two devices but goes through an intermediary device. Routers R1 and R2 can be connected via ATM, DSL, FR, X25, or a leased line. This is an example of a virtual connection associated with the Data Link layer (a logical connection).

[Fig. (2): Layer 3 to Layer 3 communication
R1 (Network / Data Link / Physical) <-> R2 (Network / Data Link / Physical)]

The technology used between two devices must support a specific protocol that permits encapsulating the data coming from the upper layers. Routers R3 and R4 in Fig. (3) are connected through L2 switches SW3 and SW4. R3 sends data after encapsulation in L2 to the first switch, SW3. The L2 switch SW3 decapsulates the frame, re-encapsulates it using its own protocol and resends it to the L2 switch SW4. Again SW4 repeats the same operation as SW3 and resends the frame to router R4, which decapsulates the frame, processes it again according to the R1 process and forwards it to the next device in the core.

[Fig. (3): Layer 2 to Layer 2 communication
SW1 (Network / Data Link / Physical) <-> SW2 (Network / Data Link / Physical)]

Let's suppose switches SW3 and SW4 are both ATM L2 switches. In ATM, data communication is enabled using Virtual Circuits (VC). IP data from router R1 is encapsulated in ATM format by the ATM switch SW3, then forwarded to the next ATM switch SW4, which decapsulates and re-encapsulates the packets again and forwards them to router R4. The R4 network layer decapsulates the packets as they come from the R1 network layer and processes the packets according to the information found in each field of the received frames. The same process is valid for Frame Relay (FR), Ethernet, and any other network technology.

[Fig. (4): Layer 3 to Layer 3 communication using layer 2 switches
R1 (Network / Data Link / Physical) <-> SW1 (Decap/Enc: Data Link / Physical) <-> SW2 (Decap/Enc: Data Link / Physical) <-> R2 (Network / Data Link / Physical)]

3 Multiprotocol Label Switching (MPLS)

The MPLS concept combines the benefits of packet forwarding based on layer 2 switching with layer 3 routing. It assigns a label or a label stack (suitable for VPN applications) to packets for transport across packet- or cell-based networks. The forwarding mechanism throughout the network is label swapping, in which packets carry a short fixed-length identifier (label) telling the switching nodes along the packet path how to process and forward the data.

[Fig. (5-a): Label position in the layer 2 frame
Label over Frame Relay: FR Header | Label | L3 Header | Data
Label over ATM PVCs:    ATM Header | Label | L3 Header | Data
Label over Ethernet:    Ethernet Header | Label | L3 Header | Data]

[Fig. (5-b): MPLS label stack header
Label | Exp | S | TTL
Label (20 bits): Label
Exp (3 bits): class of service information
S (1 bit): Bottom of stack
TTL (8 bits): Time to Live]
The label (20 bits) is inserted between the layer 2 header and the layer 3 payload in the layer 2 frame, as depicted in Fig. (5-a) for Frame Relay (FR), Ethernet, and any other network technology. The propagation of an IP packet across the MPLS backbone is performed in three steps:

1. When an IP packet reaches the PE (Ingress Edge-LSR) it is immediately classified into a Forwarding Equivalence Class (FEC), and it is labeled with the outgoing label stack corresponding to the FEC (a FEC describes a group of IP packets that are forwarded in the same manner, over the same path, with the same forwarding treatment: layer 3 lookup in the forwarding table).
2. At the core LSR the label in the inbound packet is removed and replaced by the outbound label corresponding to the same FEC (IP subnet).
3. When the PE at the far end (Egress Edge-LSR) receives the labeled IP packet, it performs a label lookup, pops the label, performs a layer 3 lookup and forwards the IP packet to the CE.

An IP packet coming from CE1 destined to customer address 210.12.41.23 arrives at PE1 (Riyadh POP router). This router does a layer 3 lookup, prepends the label stack (52,21), and forwards the packet toward the Riyadh core router. There the router does a label lookup, swaps the top label (52,43) and forwards the packet toward the Jeddah core router. The same process is repeated until the packet reaches the correct destination, the Jeddah-1 POP router. That router pops the label, does a label lookup and forwards the packet toward CE2 to its final destination.

[Fig. (6): Label Switching with the MPLS Label Stack
CE1 -> PE1 (Riyadh Malaz POP) -> Riyadh Core -> Madinah Core / Jeddah Core -> PE2 (Jeddah 1 POP) -> CE2 across the IP/MPLS Network, with PE3 (Jeddah 2 POP) also attached.
The IP packet (Dest > 210.12.41.25) is carried with label stacks 52 21, 52 45 and 52 63 along the path.]

BGP MPLS VPN

It is a Peer-to-Peer (layer 3) VPN defined by RFC 2547bis. The architecture basically comprises an IP/MPLS backbone (a provider network such as STC) and the customer sites, as depicted in Fig. (7).

Customer Edge Device [2]

At each customer site, there are one or more Customer Edge (CE) devices, each of which is attached via a data link (e.g. PPP, Frame Relay, ATM, Ethernet, etc.) to one or more Provider Edge (PE) routers.

In a particular site the CE device may be:
1. A single host
2. A switch (the site has a single subnet)
3. A router (in general)

When the CE device is a router, it is a routing peer of the PE(s) to which it is attached, but not a routing peer of CE routers at other sites. Routers at different sites do not exchange information with each other. The SP exclusively administrates the PEs and Ps. The customer manages the CE device.

Provider Edge Router

Each PE router needs to maintain a number of separate forwarding tables (called VRFs, VPN Routing and Forwarding tables), and every site to which the PE is attached (via the data link layer: FR PVC, ATM PVC, or VLAN) must be mapped to one of those forwarding tables. Each PE exchanges routing information with the CE routers using static routing, RIPv2, OSPF, or EBGP.

After learning the VRF tables from the CEs, each PE exchanges VPN routing information with the other PE routers in the autonomous system using IBGP.
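Before moving on to the PE's VRF processing, here is an added example (written for this page, not code from the tutorial or from STC) that encodes and decodes the label stack entry of Fig. (5-b) and replays the three propagation steps of Section 3 with the label values of the Fig. (6) narrative: the stack (52,21) pushed at PE1 and the top label swapped to 43 at the Riyadh core. The second swap to 63, the FEC prefix 210.12.41.0/24, the node names and the VRF selected by label 52 are assumptions of the demo. The parser refuses a stack that never sets the bottom-of-stack bit, and the egress step checks that the VPN label really is the bottom entry before using it to select a VRF.

```python
"""Added example, not code from the tutorial: the 32-bit label stack entry of
Fig.(5-b) and the push / swap / pop steps of Section 3, replayed with the label
values of the Fig.(6) narrative (stack (52,21) pushed at PE1, top label swapped
to 43 at the Riyadh core). The second swap to 63, the FEC prefix
210.12.41.0/24, the node names and the VRF selected by label 52 are assumed."""
import ipaddress
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class LabelEntry:
    """One label stack entry: Label (20 bits) | Exp (3) | S (1) | TTL (8)."""
    label: int
    exp: int = 0
    s: int = 0
    ttl: int = 64

    def pack(self) -> bytes:
        if not (0 <= self.label < 1 << 20 and 0 <= self.exp < 8
                and self.s in (0, 1) and 0 <= self.ttl < 256):
            raise ValueError("label stack field out of range")
        word = (self.label << 12) | (self.exp << 9) | (self.s << 8) | self.ttl
        return struct.pack("!I", word)

    @classmethod
    def unpack(cls, word: int) -> "LabelEntry":
        return cls(word >> 12, (word >> 9) & 0x7, (word >> 8) & 0x1, word & 0xFF)


def pack_stack(labels, ttl=64) -> bytes:
    """labels[0] is the top (transport) label; only the last entry gets S=1."""
    last = len(labels) - 1
    return b"".join(LabelEntry(lbl, s=int(i == last), ttl=ttl).pack()
                    for i, lbl in enumerate(labels))


def parse_stack(data: bytes):
    """Return (entries top-first, payload). A stack that never sets S=1 is
    rejected instead of being read on into the payload."""
    entries, off = [], 0
    while True:
        if len(data) - off < 4:
            raise ValueError("label stack truncated before bottom-of-stack")
        entry = LabelEntry.unpack(struct.unpack_from("!I", data, off)[0])
        entries.append(entry)
        off += 4
        if entry.s:
            return entries, data[off:]


FEC_TABLE = {"210.12.41.0/24": (21, 52)}   # ingress: prefix -> (transport, VPN) labels; prefix assumed
LFIB = {                                   # per node: incoming top label -> (action, outgoing label)
    "Riyadh core": {21: ("swap", 43)},     # (52,21) -> (52,43), as in the text
    "Jeddah core": {43: ("swap", 63)},     # assumed second swap
    "Jeddah-1 POP": {63: ("pop", None)},   # egress PE
}
VRF_FOR_VPN_LABEL = {52: "VRF-A -> CE2"}   # assumed meaning of the VPN label


def ingress(dst_ip: str, payload: bytes) -> bytes:
    """Step 1: a layer 3 lookup classifies the packet into a FEC; push the stack."""
    addr = ipaddress.IPv4Address(dst_ip)
    for prefix, labels in FEC_TABLE.items():
        if addr in ipaddress.IPv4Network(prefix):
            return pack_stack(list(labels)) + payload
    raise LookupError(f"no FEC for {dst_ip}")


def core_swap(node: str, frame: bytes) -> bytes:
    """Step 2: swap only the top label and decrement its TTL; the inner VPN
    label travels through the core untouched."""
    entries, payload = parse_stack(frame)
    top = entries[0]
    action, out_label = LFIB[node][top.label]
    if action != "swap":
        raise ValueError(f"{node}: label {top.label} is not a swap entry")
    if top.ttl <= 1:
        raise ValueError(f"{node}: TTL expired on label {top.label}")
    new_top = LabelEntry(out_label, top.exp, top.s, top.ttl - 1)
    return new_top.pack() + b"".join(e.pack() for e in entries[1:]) + payload


def egress(node: str, frame: bytes):
    """Step 3: pop the transport label; the VPN label (bottom of stack) picks
    the VRF in which the layer 3 lookup toward the CE is done."""
    entries, payload = parse_stack(frame)
    action, _ = LFIB[node][entries[0].label]
    if action != "pop" or len(entries) != 2 or not entries[1].s:
        raise ValueError(f"{node}: unexpected stack {[e.label for e in entries]}")
    return VRF_FOR_VPN_LABEL[entries[1].label], payload


def walk(dst_ip: str, payload: bytes):
    """Replay Fig.(6): stacks seen after each hop, VRF chosen at egress, payload."""
    frame = ingress(dst_ip, payload)
    trace = [[e.label for e in parse_stack(frame)[0]]]
    for node in ("Riyadh core", "Jeddah core"):
        frame = core_swap(node, frame)
        trace.append([e.label for e in parse_stack(frame)[0]])
    vrf, out = egress("Jeddah-1 POP", frame)
    return trace, vrf, out
```

Calling walk("210.12.41.23", b"IP packet") returns the stacks [21, 52], [43, 52], [63, 52] seen after PE1, the Riyadh core and the Jeddah core, then the VRF chosen at the Jeddah-1 POP and the untouched payload. The trace makes the point of the three-step description visible: the inner label 52 is never looked at by the core, only the top label changes at each hop.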
When a PE receives a packet from a particular site, the corresponding forwarding table is consulted in order to determine the route the packet will take. Only the routes leading to the sites associated with the common VPN populate the forwarding table, which increases security and allows overlapping address spaces between different VPNs.

The ingress PE and egress PE routers are the ingress LSR and egress LSR respectively.

Provider Routers

Provider (P) routers constitute the IP/MPLS core network. They function as MPLS transit LSRs when forwarding VPN data traffic between PE routers.

[Fig. (7): Configuration of VRFs
STC IP/MPLS Network with P routers P1, P2, P3, P4 and PE routers PE1 (Riyadh), PE2 (Jed-1), PE3 (Jed-2), PE4 (Dammam), PE5 (Madinah); customer sites 11 to 14 (CE11 to CE14), 21 to 23 (CE21 to CE23) and 31, 32 (CE31, CE32) attached to the PEs.]

4. VPN Provisioning over IP/MPLS Backbone

VPN services provisioning follows these steps:
1- Define and configure the VRFs
2- Define and configure the route distinguishers
3- Define and configure import & export policies
4- Distribution of VPN routing information
5- Associate the CE interfaces to the VRFs
6- Configure the Multiprotocol BGP

4.1 Routing Information Exchange – VRF Configuration

The first step in provisioning a VPN service is to define and configure a VRF. PE1 is configured to associate VRF1 with the CE11 interface or sub-interface (VC or VLAN). As seen before, each CE is attached to a PE (or PEs) using a data link through an interface or sub-interface over which the PE can learn routes from the CE, see Fig. (7).

1. When CE11 advertises a route for prefix 10.1/16 to PE1, PE1 installs a local route to prefix 10.1/16 in VRF1.
2. PE1 selects an MPLS label, assigns it to the route (for the next hop) and advertises the route to PE2, PE3, and PE4 using IBGP.
3. When PE2, PE3, and PE4 receive PE1's route advertisement, each of them installs a route to prefix 10.1/16 into VRF1 and advertises it to CE12, CE13, and CE14.

Each PE router should be attached to VPN sites. PE1, PE2, PE3, and PE4 must have the relevant VRF configuration of each VPN, using the ip vrf vrf-name command:

Olaya (config)# ip vrf VPN-A
Olaya (config-vrf)#
!
Olaya (config)# ip vrf VPN-B
Olaya (config-vrf)#
This command creates the VPN-A and VPN-B VRF tables. The VRFs are not fully provisioned yet: each VRF table must contain the routes and the associated labels. When you enter the ip vrf vrf-name command, the router moves into the VRF configuration sub-mode, and all parameters (routes, import and export targets) can be introduced:

hostname Olaya PE
!
ip vrf VPN-A
>{Sub-mode to introduce parameters}
ip vrf VPN-B
>{Sub-mode to introduce parameters}

hostname jeddah-1 PE
!
ip vrf VPN-A
>{Sub-mode to introduce parameters}
ip vrf VPN-B
>{Sub-mode to introduce parameters}
Etc…

[Fig. (7): VRF Configuration
Sites and subnets shown: Site 11 (CE11, 10.1/16, VPN-A), Site 12 (CE12, 10.3/16, VPN-A), Site 13 (CE13, 10.4/16, VPN-A), Site 14 (CE14, 10.5/16, VPN-A), Site 21 (CE21, 10.1/16, VPN-B), Site 22 (CE22, 10.3/16, VPN-B), Site 23 (CE23, 10.5/16, VPN-B), Site 31 (CE31, 10.1/16, VPN-C), Site 32 (CE32, 10.2/16, VPN-C). PE1 (Olaya, Riyadh), PE2 (Jeddah), PE3, PE4 (Dammam) and PE5 (Madinah) each hold one VRF per attached VPN, over the STC IP/MPLS Network (P1 to P4).]

4.2 VPN-IPv4 Address Family

BGP in its standard format can handle only IPv4 routes. In order to allow overlapping addresses between VPNs it is necessary to prepend a route distinguisher to the IPv4 address to form a VPN-IPv4 address in the BGP extended community, see Fig. (8). VPN-IPv4 addresses are distributed by MP-iBGP. Two values of the type field are defined, type 0 and type 1:

[Fig. (8): VPN-IPv4 address format using the route distinguisher
8-byte Route Distinguisher = Type | Administrator | Assigned Number, followed by the IP address]

§ Type 0:
  Administrator field = 2 bytes
  Assigned Number field = 4 bytes
  The administrator field contains an Autonomous System Number (ASN) from IANA (Internet Assigned Numbers Authority). The assigned number field is a number assigned by the service provider.

§ Type 1:
  Administrator field = 4 bytes
  Assigned Number field = 2 bytes
  The administrator field contains an IP address assigned by IANA.
  The assigned number field is a number assigned by the service provider.

The structure of this value can be either ASN:nn or IP-address:nn. It is recommended to use ASN:nn.

Extended IP Address Example:
In the examples we have only one SP; its ASN is supposed to be defined (by IANA) as 155. The SP assigns the value of the second portion to each VPN customer (i.e., VPN-A [RD]=44, VPN-B [RD]=46, and VPN-C [RD]=45).

VPN-A Site 11 -> Ext. IP add. 155:44:10.1.1/16
VPN-B Site 21 -> Ext. IP add. 155:46:10.1.1/16
VPN-C Site 31 -> Ext. IP add. 155:45:10.1.1/16

In this way the VPN-IPv4 addresses become distinct and an overlapping address space is not a restriction.

Route Distinguisher Configuration

Each VRF needs to be associated with a route distinguisher (RD). To configure the route distinguisher for the VRF we use the VRF configuration sub-mode and the command rd ASN:nn:

Riyadh (config)#ip vrf SBANK
Riyadh (config-VRF)#rd 155:44
Riyadh (config)#

Each IPv4 address added to the forwarding table is converted to a VPN-IPv4 address (extended IP address) and installed into MP-BGP.

The same configuration is necessary for the Riyadh, Jeddah, Dammam, and Madinah PEs:

hostname Riyadh
!
ip vrf VPN-A (SBANK)
rd 155:44
!
ip vrf VPN-B (SGE)
rd 155:46
!
ip vrf VPN-C (Sogetel)
rd 155:45
!
hostname Madinah
!
ip vrf VPN-C (Sogetel)
rd 155:45
!
hostname Dammam
!
ip vrf VPN-A (SBANK)
rd 155:44
!
ip vrf VPN-B (SGE)
rd 155:46
!
hostname Jeddah-1
!
ip vrf VPN-A (SBANK)
rd 155:44
!
ip vrf VPN-B (SGE)
rd 155:46
!
hostname Jeddah-1
!
ip vrf VPN-A (SBANK)
rd 155:44

[Fig. (9): Same private address usage within a VPN
Riyadh PE1 is attached to Site 11 (CE11, 10.1/16, VPN-A) and Site 31 (CE31, 10.1/16, VPN-C); Madinah PE5 is attached to Site 32 (CE32, 10.2/16, VPN-C).
Two MP-iBGP updates from the Riyadh PE: RD 155:44, subnet 10.1/16, and RD 155:45, subnet 10.1/16.
The Madinah PE router receives two updates for 10.1/16, but one route is 155:44.10.1/16 and the other is 155:45.10.1/16. The two routes are distinct.]

4.3 Route Target BGP Extended Community Attributes

Route distribution is controlled by BGP extended community attributes, which include two new items:
§ Route Target: identifies a set of sites to which a PE router distributes routes. This mechanism is specified by the import and export route commands.
§ Route Origin: identifies the site from which the PE router learns a route, to prevent routing loops between sites.

Assume an SBANK company VPN-A supports full-mesh site connectivity; each of the SBANK sites in VPN-A is associated with a VRF-A
in its PE router. A single unique route target VPN community (i.e., RT 155:44) is configured for each VRF as import target and export target. This route target is not assigned to any VRF outside the community.

Assume an SGE company VPN-B supports a hub-and-spoke VPN topology. It uses two globally unique route targets (RT: hub and RT: spoke). The hub site (SGE HQ) VRF is configured with route target = hub and import target = spoke. It means that the VRF at the SGE HQ site (hub) will permit the spokes to import its routes carrying the hub attribute, and imports all remote routes carrying the spoke attribute. The VRF at each spoke site (sites 22, 23) is configured with export target = spoke and import target = hub. In this way the hub site is allowed to import the spoke routes, while they are dropped by the other spokes. The import of the spoke attribute is assigned to the hub only. Example of configuration:

Riyadh PE router Configuration
Hostname Riyadh
!
ip vrf SBANK
rd 155:45
route-target export 155:45
route-target import 155:45
!
ip vrf SGE (Hub)
rd 155:46
route-target export 155:46
route-target import 155:46
!
ip vrf Sogetel
rd 155:44
route-target export 155:44
route-target import 155:44

Dammam PE router Configuration
Hostname Dammam
!
ip vrf SBANK
rd 155:45
route-target export 155:45
route-target import 155:45
!
ip vrf SGE (Spoke)
rd 155:46
route-target export 155:46
!

4.4 Distribution of VPN Routing information

CE to PE Link Configuration

4.5 Association of interface to VRF

After defining all relevant VRFs on the PE router, we must indicate to the PE router the mapping between the interfaces and the VRFs, i.e., which interfaces deal with which VRF. More than one interface can belong to the same VRF.

Example: Association of interfaces to VRFs

Hostname Olaya
!
interface serial0
description ** interface to site 11**
ip vrf forwarding VPN-A site 11
ip address 10.1.1…
!
interface serial1
description **interface to site 31**
ip vrf forwarding VPN-B site 31
ip address 10.1.2…

5. Case Study:

Assume that the STC IP/MPLS backbone delivers VPN services to business customers such as the SBANK, CGE, and Sogetel virtual companies, see Figure (10). The SGE VPN is a hub-and-spoke topology. We assume the service provider uses RSVP or LDP signaling to establish LSPs (paths) between PEs.

Table: Assigned IP Addresses
Company   Sites              Subnet
SBANK     Riyadh             10.1/16
SBANK     Jeddah 1           10.3/16
SBANK     Jeddah 2           10.4/16
SBANK     Dammam             10.5/16
SGE       Riyadh (Hub)       10.1/16
SGE       Jeddah 1 (Spoke)   10.3/16
SGE       Dammam (Spoke)     10.5/16
Sogetel   Riyadh             10.1/16
Sogetel   Madinah            10.2/16
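The following is an added example for this page (not code from the tutorial, from STC or from any router vendor) that ties together Sections 4.2, 4.3 and 4.5 and the case study: it encodes the Type 0 and Type 1 route distinguisher of Fig. (8), builds the VPN-IPv4 keys that MP-iBGP carries, runs route-target import/export for the three VPNs of the Assigned IP Addresses table (full mesh for SBANK and Sogetel, hub-and-spoke for SGE), and then does a per-VRF lookup. RD values follow Section 4.2 (VPN-A 155:44, VPN-B 155:46, VPN-C 155:45); the two distinct hub/spoke route targets 155:460 and 155:461, and the "PE/VRF" strings used as route origins, are assumptions of the demo. It shows the Fig. (9) situation (two routes for 10.1/16 kept apart by their RDs) and that a spoke never learns another spoke's prefix.

```python
"""Added example, not code from the tutorial: the route distinguisher of
Fig.(8), VPN-IPv4 keys, route-target import/export (full mesh for SBANK and
Sogetel, hub-and-spoke for SGE) and per-VRF lookup over the Assigned IP
Addresses table. RD values follow Section 4.2 (VPN-A 155:44, VPN-B 155:46,
VPN-C 155:45); the distinct hub/spoke RTs 155:460 and 155:461 and the use of
"PE/VRF" strings as route origins are assumptions of this demo."""
import ipaddress
import struct


def encode_rd(rd: str) -> bytes:
    """8-byte RD: 'ASN:nn' -> Type 0 (2-byte administrator, 4-byte number);
    'A.B.C.D:nn' -> Type 1 (4-byte administrator, 2-byte number)."""
    admin, num = rd.rsplit(":", 1)
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(num))
    return struct.pack("!HHI", 0, int(admin), int(num))


def vpn_ipv4(rd: str, prefix: str) -> bytes:
    """VPN-IPv4 key carried by MP-iBGP: RD, then network address and length."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed + bytes([net.prefixlen])


class Vrf:
    """One VRF on a PE: its RD, its import/export route targets, its routes."""

    def __init__(self, pe, name, rd, export_rt, import_rt):
        self.pe, self.name, self.rd = pe, name, rd
        self.export_rt, self.import_rt = set(export_rt), set(import_rt)
        self.routes = {}  # prefix -> (VPN-IPv4 key, origin "PE/VRF")

    def local_route(self, prefix):
        """Prefix learned from the attached CE (static, RIPv2, OSPF or EBGP)."""
        self.routes[prefix] = (vpn_ipv4(self.rd, prefix), f"{self.pe}/{self.name}")

    def updates(self):
        """MP-iBGP advertisements: each route tagged with this VRF's export RTs."""
        return [(key, frozenset(self.export_rt), origin, prefix)
                for prefix, (key, origin) in self.routes.items()]

    def receive(self, update):
        """Install a remote route only if one of its RTs is in our import set."""
        key, rts, origin, prefix = update
        if rts & self.import_rt and prefix not in self.routes:
            self.routes[prefix] = (key, origin)


def distribute(vrfs):
    """IBGP full mesh: every update reaches every other VRF; RTs decide import."""
    pending = [u for v in vrfs for u in v.updates()]
    for v in vrfs:
        for u in pending:
            if u[2] != f"{v.pe}/{v.name}":
                v.receive(u)


def lookup(vrf, dst_ip):
    """Longest-prefix match inside one VRF only; returns the route's origin."""
    addr = ipaddress.IPv4Address(dst_ip)
    best = None
    for prefix, (_, origin) in vrf.routes.items():
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, origin)
    return best[1] if best else None


HUB_RT, SPOKE_RT = "155:460", "155:461"   # assumed RT values for the SGE topology


def build_network():
    """VRFs and local prefixes from the tutorial's Assigned IP Addresses table."""
    vrfs = []

    def add(pe, name, rd, export_rt, import_rt, prefix):
        vrf = Vrf(pe, name, rd, export_rt, import_rt)
        vrf.local_route(prefix)
        vrfs.append(vrf)

    for pe, prefix in [("Riyadh", "10.1.0.0/16"), ("Jeddah-1", "10.3.0.0/16"),
                       ("Jeddah-2", "10.4.0.0/16"), ("Dammam", "10.5.0.0/16")]:
        add(pe, "SBANK", "155:44", ["155:44"], ["155:44"], prefix)    # full mesh
    for pe, prefix in [("Riyadh", "10.1.0.0/16"), ("Madinah", "10.2.0.0/16")]:
        add(pe, "Sogetel", "155:45", ["155:45"], ["155:45"], prefix)  # full mesh
    add("Riyadh", "SGE", "155:46", [HUB_RT], [SPOKE_RT], "10.1.0.0/16")  # hub
    for pe, prefix in [("Jeddah-1", "10.3.0.0/16"), ("Dammam", "10.5.0.0/16")]:
        add(pe, "SGE", "155:46", [SPOKE_RT], [HUB_RT], prefix)          # spokes
    distribute(vrfs)
    return {(v.pe, v.name): v for v in vrfs}
```

After build_network(), the Jeddah-1 SBANK VRF and the Madinah Sogetel VRF both hold a route for 10.1.0.0/16, but their VPN-IPv4 keys start with different RDs (155:44 and 155:45), so the two routes never collide in MP-BGP; a lookup of 10.1.5.5 from each VRF resolves to a different originating site, which is the isolation Section 4 describes. The Riyadh SGE hub learns both spoke prefixes, while the Jeddah-1 spoke learns only the hub's 10.1.0.0/16 and has no route at all to the Dammam spoke. The RT values chosen for the hub and spoke are distinct on purpose: giving both directions the same RT would turn the topology back into a full mesh.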
[Fig. (10): IP/MPLS VPN Network
VPN-A sites 11, 12, 13, and 14; VPN-B sites 21, 22, and 23; VPN-C sites 31 and 32.
PE routers PE1 (RY), PE2 (Jed-1), PE3 (Jed-2), PE4 (DM) and PE5 (MD), each with one VRF per attached VPN, interconnected by LSPs across the STC Network.
Site 11: SBANK HQ, VPN-A, 155:44.10.1/16 (CE11)
Site 12: VPN-A, 155:45.10.3/16 (CE12)
Site 13: SBANK B3, VPN-A, 155:45.10.4/16 (CE13)
Site 14: VPN-A, 155:45.10.5/16 (CE14)
Site 21: SGE HQ, VPN-B, 155:46.10.1/16, Hub (CE21)
Site 22: SGE B2, VPN-B, 155:46.10.3/16, Spoke (CE22)
Site 23: VPN-B, 155:46.10.5/16, Spoke (CE23)
Site 31: Sogetel HQ, VPN-C, 155:45.10.1/16 (CE31)
Site 32: Sogetel B1, VPN-C, 155:45.10.2/16 (CE32)]

References

Rosen, et al., Internet Draft draft-ietf-ppvpn-rfc2547bis-04.txt, May 2003.

Glossary
PSTN: Public Switched Telephone Network
ATM: Asynchronous Transfer Mode
BGP: Border Gateway Protocol
DSL: Digital Subscriber Line
FEC: Forwarding Equivalence Class
LDP: Label Distribution Protocol
LSR: Label Switching Router
LSP: Label Switched Path
PSN: Packet Switching Network
PVC: Permanent Virtual Circuit
POP: Point of Presence
RD: Route Distinguisher
RSVP: Resource Reservation Protocol
SVC: Switched Virtual Circuit
VRF: VPN Routing and Forwarding
VLAN: Virtual Local Area Network
VC: Virtual Circuit