
WHITE PAPER

BUILDING MPLS-BASED VIRTUAL PRIVATE NETWORKS AND SERVICES FOR SERVICE PROVIDER IP NETWORKS

INTRODUCTION
Service providers who want to capture the emerging market for scalable, application-aware, and
cost-effective business-grade virtual private network (VPN) services need highly secure, highly
available, reliable, and quality-of-service-aware networks. These networks must scale to support
thousands of VPNs and hundreds of thousands of VPN users alongside millions of Internet users.
They must also meet a wide range of customer requirements, including security, quality of service
(QoS), and any-to-any connectivity, and they must offer fully managed services to attract new
customers and provide a foundation for delivering a range of emerging value-added services.
Multiprotocol Label Switching (MPLS) has rapidly emerged as a core technology for next-generation
networks, optical networks in particular. MPLS-based VPNs combine the flexible connectivity and
scalability of IP with the privacy and QoS of Frame Relay and ATM. As with Frame Relay and ATM,
that privacy is traffic separation inside the provider network rather than encryption: a customer
who needs confidentiality on the wire still runs IPSec over the MPLS VPN. MPLS allows network
services to be delivered over routed networks. Service decisions are made at the network edge, and
packets are then label-switched through the core without further per-packet service processing,
giving higher efficiency and scalability. MPLS-based VPNs also eliminate the complex protocol and
addressing translations previously required with Frame Relay and ATM.

MPLS-based VPNs allow service providers to serve a much more diverse base of small and
medium-sized businesses because they free customers from the complexity and cost of network
operation, administration, and maintenance. Rather than setting up and managing individual point-
to-point circuits between each pair of offices, a business needs only one connection from each
office router to a service-provider edge router. The service-provider edge router labels the packets
and forwards them through the MPLS core to the edge router closest to the destination. With these
technologies, service providers can offer customers VPNs with multiple business priorities,
managed Internet, intranet, and extranet, packet telephony, and Web hosting without the complexity
that these applications previously required, and can thus expand their service offerings and generate
additional revenue. This white paper explores how MPLS-based VPN technology works and outlines
how service providers can build VPNs using core and edge routing solutions such as the Cisco 12000
and 7500 Series Internet routers.

VPNs based on Cisco MPLS technology can scale to support tens of thousands of business-quality
VPNs over the same infrastructure. MPLS-based VPN services solve peer adjacency and scalability
issues common to large virtual-circuit (VC) and IP tunnel topologies. Complex permanent virtual
circuit/switched virtual circuit (PVC/SVC) meshes are no longer needed, and providers can use
new, sophisticated traffic-engineering methods to select predetermined paths to sell premium IP
QoS applications and services.

Cisco Systems, Inc.


All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Page 1 of 8
MPLS-based intranet and extranet VPN services from Cisco simplify service provisioning. Managed customer premises
equipment (CPE) communicates only with an MPLS-aware provider edge (PE) device using standards-based protocols, thus
protecting the customer’s investment in CPE routers.

As Internet traffic continues to increase, users are demanding greater speeds and better services. Established and emerging
service providers can address the challenge of seamlessly scaling their IP infrastructure while eliminating barriers to
profitability by deploying Cisco 12000 series Internet routers that increase their value as network requirements grow. Service
providers have tested Cisco MPLS technology extensively on Cisco 12000 series Internet routers and the 7500 series routers,
and they have found these routers to offer the best technology for deploying advanced network services today.

The Cisco 12000 series is the premier platform for IP networking because of its superior distributed system architecture,
which delivers:

• Highest bandwidth scalability—With a dedicated forwarding engine per line card, the Cisco 12000 series offers the
industry’s greatest total system capacity, delivers consistent forwarding performance in increasingly complex Internet
routing environments, and is the only 10 Gbps platform that delivers line-rate performance in a fully loaded system.

• Guaranteed priority packet delivery—The Cisco 12000 series is the only system that delivers priority-based congestion
control, dedicated low-latency queuing, and packet sequence integrity under all conditions required by premium services
such as voice over IP and streaming media.

• Reduced network operations costs—The Cisco 12000 series offers non-service-impacting component insertion and
removal, the only integrated element manager, and the industry’s best investment protection. In addition, the high capacity
of the Cisco 12000 series reduces routing complexity, thus improving point-of-presence (POP) scalability by a factor of 2.

MARKET OVERVIEW
Today, service providers generate a large portion of their revenue from basic transport services such as leased line, Frame
Relay, ATM, and basic connectivity services. However, with margins coming down for these services, they’re looking to
deliver new IP-based services that can generate long-term revenue. VPN-based services that provide connectivity between
groups of users across public and shared infrastructure offer a significant opportunity. VPNs can enable them to meet customer
requirements for any-to-any connectivity, multiple service classes, low-cost managed services, privacy, and seamless
integration with customer intranets/extranets. Grouping of users into intranets and extranets can be done via VPNs.

The Yankee Group predicts that VPNs will be used by 70 percent of all companies for up to 90 percent of their data
communication needs by 2004. This represents a huge revenue opportunity for service providers. They can now move to a
value-added “revenue-generating” service model. Service providers recognize they must differentiate themselves at the
service level instead of the transport level in order to capture this market. This fundamental shift in strategy gives service
providers opportunities for continued growth, increased profitability, and service efficiency.

MPLS-based VPN services scale to large numbers of customers. Because the provider implements the routing policy,
these services can also be offered to customers with little or no IP routing expertise.

VPNs also impact the bottom line. They are less expensive to operate than private networks from a management, bandwidth,
and capital perspective. Moreover, the payback period for VPN equipment is generally measured in months as opposed to
years. Perhaps the most important benefit of VPNs is in enabling enterprises to focus on their core business objectives instead
of running the corporate network.

Delivering bundled IP network services over a shared infrastructure is the key to achieving New World economics for service
providers. The Cisco 12000 series Internet routers offer MPLS VPN with provisioning capabilities brought to you by the Cisco
VPN Solution Center (VPNSC). Network architecture flexibility and ubiquity make Cisco Systems uniquely positioned as the
guide to the New World of VPNs.

WHAT IS VIRTUAL PRIVATE NETWORKING?


There is a great deal of confusion as to what a VPN really is. Simply defined, a VPN is an autonomous network deployed as an
alternative to the wide-area network (WAN) infrastructure to replace or augment existing private networks, employing the
same security, management, and throughput policies as leased-line or enterprise-owned Frame Relay/ATM networks.

A VPN is a set of sites that can communicate with each other and belong to a closed user group. A VPN is defined by a set of
administrative policies that determine both connectivity and QoS among sites. The policies established by VPN customers can
now be implemented completely by VPN service providers using Border Gateway Protocol (BGP)/MPLS VPN mechanisms to
connect remote and branch offices to the central site. As the term suggests, this solution is based on a combination of two
technologies, BGP and MPLS. VPN customers can migrate to flexible inter-site connectivity ranging from a complete to a
partial mesh. These sites may be within the same organization (intranet) or in different organizations (extranet). A site can
belong to more than one VPN, so VPNs may overlap. Not all sites have to be connected to the same service-provider VPN, and
a VPN can span multiple service providers.

THE NEW PARADIGM FOR VPN


BGP/MPLS VPNs use the “peer” model, which will eventually replace the “overlay” model (Figure 1). Although VPN
solutions based on the overlay model are common today, they have several major problems that limit large-scale VPN service
deployment. Overlay model VPNs are based on creating connections, not networks. Each site has a router that is connected via
point-to-point links to routers in other sites. This increases the number of configuration changes required when adding a new
site to an existing VPN. For VPNs that require full-mesh connectivity among sites, adding a site involves changes to the
configuration of every existing site, because each one needs an additional point-to-point connection to the new site and an
additional routing peer with the router in the new site; the number of connections and adjacencies grows with the square of the
number of sites. Dropping the full mesh does not help: VPNs built on connection-oriented, point-to-point overlays, Frame Relay,
or ATM virtual connections (VCs) without fully meshed connections between customer sites force traffic between unconnected
sites through intermediate hub sites, and they simply do not scale well either way.

Figure 1
VPN Overlay Network
[Figure: sites of VPN A, VPN B, and VPN C, each VPN interconnected by its own set of point-to-point virtual circuits between site routers.]
Generic routing encapsulation (GRE) and IP Security (IPSec) tunnels can be used as an alternative to leased-line or enterprise-
owned Frame Relay/ATM networks for interconnecting routers. However, since GRE and IPSec tunnels act only as mechanisms
to provide point-to-point connectivity among routers, the overall model is unchanged, along with all the problems associated
with the overlay model (IPSec adds encryption between the tunnel endpoints, but it does not change the topology). The use of
GRE and IPSec tunnels for this application therefore has the same inherent scalability problems.

MPLS-based VPNs instead use the peer model and a Layer 3 connectionless architecture to deliver a highly scalable VPN
solution. The peer model requires a customer site to “peer” with only one PE router, as opposed to all other CPE or
customer edge (CE) routers in the same VPN. The connectionless architecture allows the creation of VPNs at Layer 3,
eliminating the need for per-site tunnels or VCs between customer sites, as shown in Figure 2.

Figure 2
BGP/MPLS VPN Peer Model
[Figure: three PE routers (PE1, PE2, PE3) around a core of P routers (P1, P2, P3). Each PE attaches one VPN A site (CEA1, CEA2, CEA3) and one VPN B site (CEB1, CEB2, CEB3); each CE peers only with its PE. Site prefixes shown are 10.1/16, 10.2/16, 10.3/16, and 10.4/16, with 10.1/16 and 10.2/16 each appearing in both VPN A and VPN B, illustrating overlapping customer address space.]

MPLS VPN NETWORK ARCHITECTURE

The components that make up an MPLS VPN network are shown in Figure 3. At the edges of the network are CE routers. CE
routers are part of the customer network and are not VPN aware. PE routers are where most VPN-specific configuration and
processing occurs. PE routers receive routes from CE routers and transport them to other PE routers across a service-provider
MPLS backbone. In the middle of the network are provider (P) routers, or label switch routers (LSRs), which implement a pure
MPLS transport service. An important point to note is that P routers in the backbone are not VPN aware and, therefore, provide
much more scalability. P routers do not carry customer routes, which prevents their routing tables from becoming unmanageable
and means a P router never makes a forwarding decision on a customer address. VPN information is required only at PE routers,
and it is partitioned between PE routers: a PE router needs to know the routing information only for VPNs that have a site
directly attached to it.

Figure 3
MPLS VPN Network
[Figure: Customer Edge (CE) routers at each end attach to “Provider Edge” (PE) LSRs; “Provider” (P) LSRs form the Layer 3 MPLS backbone between the PEs.]

BUILDING VPN WITH MPLS


A one-to-one relationship does not necessarily exist between customer sites and VPNs. A given site can be a member of
multiple VPNs. However, a site can be associated with only one VPN routing/forwarding instance (VRF). A customer-site VRF
contains all the routes available to the site from the VPNs of which it is a member, and nothing else: a site sees only the routes
that its VRF imports.

An MPLS-based VPN network has three major components:

• VPN route target communities—Route targets are BGP extended community attributes attached to VPN routes. Each VRF is
configured with the route targets it exports on its own routes and the route targets it imports; a PE installs a received VPN
route into a VRF only if the route carries one of that VRF's import targets. This is the mechanism that defines VPN
membership and keeps one customer's routes out of another customer's VRF, so route targets need to be configured
consistently on every PE that serves a member of the VPN community.

• Multiprotocol BGP (MP-BGP) peering of VPN community PE routers—MP-BGP propagates VRF reachability information
(the VPN routes, their route targets, and the VPN label) to all PE routers serving a VPN community. MP-BGP peering needs to
be configured in all PE routers within a VPN community.

• MPLS forwarding—MPLS transports all traffic between all VPN community members across the VPN service-provider
network. The VPN label assigned by the egress PE identifies the destination VRF, and the outer transport label carries the
packet across the P routers, which never look at the customer addresses inside.
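The VRF membership rules and the three components above, as an added configuration example that is not from the original paper: a classic Cisco IOS PE router configuration with one VRF per VPN, a third VRF for a site that is a member of both VPN A and VPN B, MP-BGP VPNv4 peering to two other PEs, LDP toward the core, and eBGP toward each CE. All VRF names, AS numbers, route distinguishers, route targets, interface names, and addresses are assumed for illustration (provider addresses are taken from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges; the 10.x/16 customer space follows Figure 2). The route distinguisher (rd), which the paper does not name, is the per-VRF value that turns overlapping customer prefixes such as two 10.2/16 sites into distinct VPN-IPv4 routes.

```cisco
! --- VRF definitions: one per VPN, plus an extranet VRF (assumed names and values) ---
ip vrf VPN_A
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
!
ip vrf VPN_B
 rd 65000:200
 route-target export 65000:200
 route-target import 65000:200
!
! A site that is a member of both VPN A and VPN B: still exactly one VRF,
! but it imports both communities, so it sees all routes of both VPNs.
ip vrf VPN_AB
 rd 65000:300
 route-target export 65000:300
 route-target import 65000:100
 route-target import 65000:200
!
! --- MPLS transport toward the P routers (label switching only, no VRF here) ---
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface POS1/0
 description Core link to P1
 ip address 198.51.100.1 255.255.255.252
 mpls ip
!
! --- PE-CE links: binding an interface to a VRF is what separates the customers.
! "ip vrf forwarding" must come before the address, because it clears the IP address.
interface GigabitEthernet2/0
 description VPN A site 1 (10.1/16 in Figure 2)
 ip vrf forwarding VPN_A
 ip address 10.1.255.254 255.255.255.252
!
interface GigabitEthernet2/1
 description VPN B site 1 (may reuse the same 10.x space as VPN A; the VRF keeps it apart)
 ip vrf forwarding VPN_B
 ip address 10.2.255.254 255.255.255.252
!
interface GigabitEthernet2/2
 description Extranet site, member of VPN A and VPN B
 ip vrf forwarding VPN_AB
 ip address 10.4.255.254 255.255.255.252
!
! --- IGP for PE/P loopbacks; carries no customer routes ---
router ospf 1
 network 192.0.2.1 0.0.0.0 area 0
 network 198.51.100.0 0.0.0.3 area 0
!
! --- MP-BGP: VPNv4 peering between PEs, ipv4 vrf sessions toward CEs ---
router bgp 65000
 no bgp default ipv4-unicast
 neighbor 192.0.2.2 remote-as 65000
 neighbor 192.0.2.2 update-source Loopback0
 neighbor 192.0.2.3 remote-as 65000
 neighbor 192.0.2.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 send-community extended
  neighbor 192.0.2.3 activate
  neighbor 192.0.2.3 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf VPN_A
  neighbor 10.1.255.253 remote-as 65101
  neighbor 10.1.255.253 activate
  neighbor 10.1.255.253 maximum-prefix 1000
 exit-address-family
 !
 address-family ipv4 vrf VPN_B
  neighbor 10.2.255.253 remote-as 65102
  neighbor 10.2.255.253 activate
  neighbor 10.2.255.253 maximum-prefix 1000
 exit-address-family
 !
 address-family ipv4 vrf VPN_AB
  neighbor 10.4.255.253 remote-as 65103
  neighbor 10.4.255.253 activate
  neighbor 10.4.255.253 maximum-prefix 1000
 exit-address-family
```

Three things are worth checking on a PE built this way. First, `send-community extended` is required on every VPNv4 session; without it the route targets are stripped from the advertisement and the remote PE imports nothing. Second, the P routers carry only the IGP and `mpls ip` on core links and have no `ip vrf` or `address-family vpnv4` configuration at all, which is what keeps customer routes off them. Third, `maximum-prefix` on each PE-CE session bounds what a single customer can inject into the PE. `show ip vrf`, `show ip bgp vpnv4 all`, `show ip route vrf VPN_A`, and `show mpls forwarding-table` confirm the VRF bindings, the imported VPN routes, the per-VRF routing table, and the label bindings respectively.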

USING CISCO 12000 SERIES INTERNET ROUTERS TO CAPITALIZE ON MPLS/VPN BENEFITS


Cisco 12000 Series Internet routers have been widely deployed in service-provider core networks for IP transport. Their
extensive support for MPLS switching, traffic engineering, and class of service (CoS) has positioned them at the core
performing basic MPLS switching. Recently the 12000 Series Internet routers have also been deployed at the service-provider
network edge, performing most of the MPLS edge and traffic adaptation functions.

By deploying MPLS, the core is effectively transformed into an interface-agnostic layer, a generic IP core that can support
any mix of interfaces. Traffic entering an Internet exchange from different parts of the world can be switched over an MPLS
path using the IP-oriented Packet-over-SONET (POS) interfaces of the service-provider network.

With service providers requesting higher performance and port densities from edge network equipment, Cisco 12000 Series
Internet routers are now also being used at the network edge, taking advantage of their many MPLS PE features. The Cisco
12000 Series delivers features for intranet and extranet VPNs. Cisco product-based VPNs not only provide immediate
business benefits for service providers, but also pave the way for providing added services such as personalized Internet
access, application hosting, and packet telephony.

REDUCING OPERATIONS COSTS WITH THE CISCO VPN SOLUTION CENTER


Operations expense typically consumes from 40 to 60 percent of total network expenditures; hence, VPN service providers
need sophisticated management solutions to minimize operation cost and increase competitiveness.

The Cisco VPN Solution Center is a tool that provides management functions to support MPLS VPN services. The objective
is to provide the lower-layer service-management functions specified in the TeleManagement Forum (TMF) Telecom Operations
Process Model.

The Cisco IP Solution Center (ISC) helps service providers improve their time to deploy services, enable error-free
deployment, and reduce the operations costs associated with providing VPN services. The Cisco ISC provides:

• Easy-to-use Wizard-based setup and administration of VPNs and VPN memberships

• Enhanced confidence in deployment of VPNs through pre- and post-activation testing

• Elimination of the need for expert involvement in service creation and configuration

• Reduction of errors in service setup and data inconsistency checking

• Web-based access for near-real-time information

• Visibility into service usage and service-level performance

• Unified control, tracking, and management throughout service life cycle

PROVISIONING
The Cisco ISC can provision an MPLS VPN by configuring the PE-to-CE link. It includes the following provisioning features:

• Automatic generation of the PE and CE configurations required to add a new MPLS/VPN service

• Scheduling of provisioning tasks

• Auditing of provisioned MPLS/VPN services

SLA MONITORING AND REPORTING


The Cisco VPNSC can monitor service-level agreements (SLAs) for round-trip time, availability, and usage by taking
advantage of agents provided in existing Cisco devices. Thresholds are configurable to enable reporting of violations.

PERFORMANCE REPORTING AND ACCOUNTING


The Cisco VPNSC provides performance reporting based on NetFlow data stored in the NetFlow collector. The Cisco VPNSC
collects data available in the NetFlow collector, correlates that information with its own VPN service inventory, and processes
per-VPN usage data sets. That information can also be extracted, using accounting- and usage-based billing application
programming interfaces (APIs).

SERVICE AUDITING
The Cisco VPNSC generates reports on the status of service requests (pending or deployed). When scheduled, the solution reads
current router configuration files, analyzes service histories, and generates reports based on the current status of service deployment.

CONCLUSION

Cisco continues to build on its technical leadership in high-end Internet routing by developing innovative technologies
such as Multiprotocol Lambda Switching (MPλS) and the very short reach (VSR-1) optical interface. The Cisco 12000 Series Internet
routers are based on a unique distributed architecture that supports the scalability and service requirements of next-generation
Internet infrastructure and provides extensive hardware and software support for building MPLS-based VPNs. The Cisco 12410
and 12416 are the two highest-capacity Internet routers available, at 200 and 320 Gbps respectively, and they deliver an industry-
leading 25 million packets per second (Mpps) lookup performance per line card slot for both IP forwarding and MPLS switching.
The industry's most scalable routers and comprehensive MPLS-based VPN capabilities enable service providers to build powerful
next-generation networks and deliver competitive VPN services to grow new revenue.
