MPLS Layer 3 VPN

Service providers (SPs) offer a managed networking service called a Layer 3 MPLS VPN (Multiprotocol Label Switching Virtual Private Network), which connects several customer sites over a shared MPLS core while keeping each customer's routing and traffic separate from every other customer's. A Virtual Private Routed Network (VPRN) is another name for it.
The defining feature of a Layer 3 VPN is that the service provider takes part in the customer's Layer 3 (IP) routing. The SP network carries all routing between customer sites, so the provider's edge routers must learn the customer's IP prefixes.
Key Components and Roles
Layer 3 MPLS VPNs rely on specific device roles and control mechanisms implemented primarily on the provider’s edge devices:
| Component | Description |
|---|---|
| Customer Edge (CE) Router | Router at the customer site. It connects to the Provider Edge (PE) router and exchanges IP routes with it (via static routes, BGP, OSPF, etc.). It has no VPN awareness. |
| Provider Edge (PE) Router | Router at the service provider's edge that connects directly to one or more CE routers. The PE router is VPN-aware and holds all the logic that separates and transports customer traffic. |
| Provider (P) Router | Core router in the service provider's MPLS backbone. P routers only perform MPLS label switching and are not VPN-aware; they forward labeled packets along a Label Switched Path (LSP). |
| Virtual Routing and Forwarding (VRF) | A separate, independent routing and forwarding table maintained on the PE routers for each customer VPN. It is the primary mechanism for isolating customer routing information. |
| Route Distinguisher (RD) | A 64-bit value prepended to a customer's IP prefix so that the combination (a VPNv4 or VPNv6 route) is unique inside the provider network even when different customers use the same subnet. |
| Route Target (RT) | A BGP extended community attribute that controls the distribution of VPNv4/v6 routes between PE routers. It dictates which routes are exported from a VRF on one PE and which are imported into a VRF on another PE. |
| Multi-Protocol BGP (MP-BGP) | Runs between PE routers in the provider's core (usually as Internal BGP, iBGP) to distribute the VPNv4/v6 routes, together with their RTs and VPN labels. |
Core Separation and Control Plane Mechanisms
Although customers share the same infrastructure, the Layer 3 VPN design keeps their traffic logically isolated. Several mechanisms, all implemented on the PE routers, provide this isolation:
- Virtual Routing and Forwarding (VRF): For every customer or VPN, a PE router keeps an independent routing and forwarding table (the VRF). Because of this separation, different customers can use overlapping private IP address space without conflict.
- Route Distinguisher (RD): An 8-byte (64-bit) value prepended to a customer's IP prefix to make it unique within the SP network, since many VRFs may contain the same private subnet (e.g., 192.168.1.0/24). The RD plus the IP prefix is the VPNv4 or VPNv6 route.
- Multi-Protocol BGP (MP-BGP): MP-BGP runs between the PE routers (usually as Internal BGP, iBGP) and distributes the VPNv4/v6 routes across the service provider core. Each route carries the advertising PE's loopback as its BGP next hop and the VPN label that PE allocated, so the receiving PE learns both which LSP to use toward the remote site and which inner label to push.
- Route Target (RT): An 8-byte BGP extended community attribute carried on VPNv4/v6 routes. On a receiving PE router it decides which VPN routes are imported into which VRF. For route exchange to work, the RT a VRF exports on one PE must appear in the import list of the corresponding VRF on the other PE. Import RTs are the only gate: an import entry that mistakenly matches another customer's export RT silently pulls that customer's routes into the VRF, so import/export lists deserve the same review as any other access policy.
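The table of components and the control-plane list above describe the same machinery. The following Python model, added here as an illustration and not taken from the page or from any router vendor's code, shows RD, RT and MP-BGP working together: two PEs (constructed loopbacks 10.0.0.1 and 10.0.0.2 in AS 65000) each hold VRFs for two customers, CUST_A and CUST_B, that both number a site as 192.168.1.0/24. The RD/RT values, VRF names and CE names are all made up for the example. It also includes a small audit that flags a VRF importing another customer's routes after an RT misconfiguration.

```python
"""Toy model of the L3VPN control plane: per-VRF tables, RDs, RTs and MP-BGP.

Added example, not code from the page. PE loopbacks, AS number, customer
names, prefixes and RD/RT values are all constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnRoute:
    rd: str            # route distinguisher of the originating VRF, e.g. "65000:100"
    prefix: str        # the customer's IPv4 prefix
    next_hop: str      # BGP next hop = loopback of the advertising PE
    vpn_label: int     # inner (VPN) label the advertising PE bound to that VRF
    rts: frozenset     # route-target extended communities carried by the route

    @property
    def vpnv4(self) -> str:
        """RD + prefix: the VPNv4 NLRI that stays unique even when prefixes overlap."""
        return f"{self.rd}:{self.prefix}"


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: set
    import_rts: set
    local: dict = field(default_factory=dict)     # prefix -> attached CE (learned from the CE)
    imported: dict = field(default_factory=dict)  # vpnv4 NLRI -> VpnRoute (learned via MP-BGP)


class PE:
    def __init__(self, loopback: str):
        self.loopback = loopback
        self.vrfs: dict[str, Vrf] = {}
        self.vpn_label_of: dict[str, int] = {}  # VRF name -> VPN label allocated for it
        self._next_label = 16                   # labels 0-15 are reserved in MPLS

    def add_vrf(self, vrf: Vrf) -> None:
        self.vrfs[vrf.name] = vrf
        self.vpn_label_of[vrf.name] = self._next_label
        self._next_label += 1

    def advertise(self) -> list[VpnRoute]:
        """VPNv4 routes this PE sends to its iBGP peers: one per local prefix,
        tagged with the VRF's export RTs and carrying the VRF's VPN label."""
        return [
            VpnRoute(v.rd, p, self.loopback, self.vpn_label_of[v.name], frozenset(v.export_rts))
            for v in self.vrfs.values() for p in v.local
        ]

    def receive(self, updates: list[VpnRoute]) -> None:
        """Import policy: a route enters every VRF whose import RTs intersect the route's RTs."""
        for r in updates:
            for v in self.vrfs.values():
                if v.import_rts & r.rts:
                    v.imported[r.vpnv4] = r

    def lookup(self, vrf_name: str, prefix: str) -> list[tuple[str, int]]:
        """(egress PE, VPN label) pairs a VRF knows for a remote prefix."""
        return [(r.next_hop, r.vpn_label)
                for r in self.vrfs[vrf_name].imported.values() if r.prefix == prefix]


def build_topology() -> tuple[PE, PE]:
    pe1, pe2 = PE("10.0.0.1"), PE("10.0.0.2")

    def vrf(name, rd, rt, prefix, ce):
        # One RD and one RT per customer, identical on both PEs (fresh sets per VRF).
        return Vrf(name, rd, {rt}, {rt}, {prefix: ce})

    # Both customers number their site behind PE1 as 192.168.1.0/24.
    pe1.add_vrf(vrf("CUST_A", "65000:100", "65000:100", "192.168.1.0/24", "ceA1"))
    pe1.add_vrf(vrf("CUST_B", "65000:200", "65000:200", "192.168.1.0/24", "ceB1"))
    pe2.add_vrf(vrf("CUST_A", "65000:100", "65000:100", "192.168.2.0/24", "ceA2"))
    pe2.add_vrf(vrf("CUST_B", "65000:200", "65000:200", "192.168.3.0/24", "ceB2"))
    # One round of MP-BGP updates in each direction over the (simulated) iBGP session.
    pe2.receive(pe1.advertise())
    pe1.receive(pe2.advertise())
    return pe1, pe2


def foreign_rd_routes(pe: PE) -> dict[str, list[str]]:
    """Audit helper: routes sitting in a VRF whose RD is not the VRF's own RD.
    With one RD per customer (this model's convention) any hit means an import
    RT is pulling another customer's routes into the VRF."""
    result = {}
    for v in pe.vrfs.values():
        hits = sorted(r.vpnv4 for r in v.imported.values() if r.rd != v.rd)
        if hits:
            result[v.name] = hits
    return result


def simulate_rt_misconfig() -> dict[str, list[str]]:
    """An operator adds customer A's RT to customer B's import list on PE2."""
    pe1, pe2 = build_topology()
    pe2.vrfs["CUST_B"].import_rts.add("65000:100")
    pe2.receive(pe1.advertise())
    return foreign_rd_routes(pe2)


if __name__ == "__main__":
    pe1, pe2 = build_topology()
    print("PE2 CUST_A 192.168.1.0/24 ->", pe2.lookup("CUST_A", "192.168.1.0/24"))
    print("PE2 CUST_B 192.168.1.0/24 ->", pe2.lookup("CUST_B", "192.168.1.0/24"))
    print("leaked after RT misconfig:", simulate_rt_misconfig())
```

The same prefix, 192.168.1.0/24, ends up in both VRFs on PE2 with different VPN labels (16 for CUST_A, 17 for CUST_B), which is exactly what lets the egress PE tell the two customers apart on the data plane. Note that the audit relies on this model's one-RD-per-customer convention; real deployments that use a distinct RD per PE need to key the check on RT membership instead.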
Data Plane Operation (Label Stacking)
MPLS, sometimes referred to as a "Layer 2.5" technology, does the actual forwarding. When a packet enters the SP network, the ingress PE router encapsulates it with a two-level label stack:
- Inner Label (VPN Label): Tells the egress PE router which VPN/VRF the packet belongs to. The egress PE allocates this label and advertises it in MP-BGP together with the VPNv4/v6 route.
- Outer Label (Transport Label): Carries the packet across the core to the chosen egress PE router. The P routers use it for ordinary MPLS label switching along the Label Switched Path (LSP) to that PE.
Forwarding Steps:
- The CE sends a plain IP packet to the ingress PE. The PE looks the destination up in the VRF attached to that CE interface, finds the egress PE and the VPN label learned via MP-BGP, adds the transport label for the LSP toward that egress PE, and pushes both labels.
- P routers in the core swap the outer label according to their MPLS forwarding table. They never look at the inner label, the customer's IP header, or any VPN state.
- The penultimate P router usually removes the outer label (Penultimate Hop Popping, PHP), so the egress PE receives the packet with only the VPN label on it.
- The egress PE uses the VPN label to select the right VRF, pops the label, and forwards the original IP packet to the CE router.
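The forwarding steps above, carried through end to end in a small Python simulation. This is an added example, not code from the page: the path PE1 - P1 - P2 - PE2, the transport labels 1001/1002, the VPN labels 16/17 and the customer addresses are all constructed. The point it makes is that two packets for the identical destination 192.168.2.10 reach different customers purely because of the inner label, while the P routers touch only the outer label and the penultimate one pops it.

```python
"""Toy model of L3VPN forwarding: two-label stack, swap in the core, PHP, egress lookup.

Added example, not code from the page. Router names, label values and the
192.168.x.x customer prefixes are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

IMPLICIT_NULL = 3  # label value an egress PE advertises to request penultimate hop popping


@dataclass
class Packet:
    dst: str                                    # customer IP destination
    labels: list = field(default_factory=list)  # label stack, index 0 = top (outermost)
    trace: list = field(default_factory=list)   # what each hop saw, for inspection


def lpm(table: dict, dst: str):
    """Longest-prefix match of dst against the prefixes in table; None if no route."""
    ip = ipaddress.ip_address(dst)
    best_net, best_entry = None, None
    for prefix, entry in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_entry = net, entry
    return best_entry


class IngressPE:
    def __init__(self, name, vrf_tables, transport_labels):
        self.name = name
        self.vrf_tables = vrf_tables              # VRF name -> {prefix: (egress PE, VPN label)}
        self.transport_labels = transport_labels  # egress PE loopback -> outgoing transport label

    def forward(self, vrf: str, pkt: Packet) -> Packet:
        entry = lpm(self.vrf_tables[vrf], pkt.dst)
        if entry is None:
            raise LookupError(f"{pkt.dst} not routable in VRF {vrf}")
        egress, vpn_label = entry
        # Push the VPN label first, then the transport label on top of it.
        pkt.labels = [self.transport_labels[egress], vpn_label]
        pkt.trace.append((self.name, list(pkt.labels)))
        return pkt


class PRouter:
    def __init__(self, name, lfib):
        self.name = name
        self.lfib = lfib  # incoming top label -> outgoing label (IMPLICIT_NULL means pop)

    def forward(self, pkt: Packet) -> Packet:
        # Only the top label is consulted; the VPN label and IP header are never examined.
        out = self.lfib[pkt.labels[0]]
        if out == IMPLICIT_NULL:
            pkt.labels.pop(0)      # penultimate hop popping
        else:
            pkt.labels[0] = out    # ordinary label swap
        pkt.trace.append((self.name, list(pkt.labels)))
        return pkt


class EgressPE:
    def __init__(self, name, vpn_labels, vrf_tables):
        self.name = name
        self.vpn_labels = vpn_labels  # VPN label -> VRF name
        self.vrf_tables = vrf_tables  # VRF name -> {prefix: attached CE}

    def forward(self, pkt: Packet) -> tuple[str, str]:
        vpn_label = pkt.labels.pop(0)  # after PHP only the VPN label remains
        if pkt.labels:
            raise ValueError(f"unexpected labels left on the stack: {pkt.labels}")
        vrf = self.vpn_labels[vpn_label]
        ce = lpm(self.vrf_tables[vrf], pkt.dst)
        pkt.trace.append((self.name, vrf, ce))
        return vrf, ce


def build_path():
    # Both customers have a 192.168.2.0/24 site behind PE2; only the VPN label differs.
    pe1 = IngressPE("PE1",
                    vrf_tables={"CUST_A": {"192.168.2.0/24": ("10.0.0.2", 16)},
                                "CUST_B": {"192.168.2.0/24": ("10.0.0.2", 17)}},
                    transport_labels={"10.0.0.2": 1001})
    p1 = PRouter("P1", lfib={1001: 1002})
    p2 = PRouter("P2", lfib={1002: IMPLICIT_NULL})  # PE2 asked for PHP
    pe2 = EgressPE("PE2",
                   vpn_labels={16: "CUST_A", 17: "CUST_B"},
                   vrf_tables={"CUST_A": {"192.168.2.0/24": "ceA2"},
                               "CUST_B": {"192.168.2.0/24": "ceB2"}})
    return pe1, [p1, p2], pe2


def send(vrf: str, dst: str):
    """Hand an IP packet from the CE in `vrf` to PE1 and carry it to the egress CE."""
    pe1, core, pe2 = build_path()
    pkt = pe1.forward(vrf, Packet(dst))
    for p in core:
        pkt = p.forward(pkt)
    egress_vrf, ce = pe2.forward(pkt)
    return egress_vrf, ce, pkt.trace


if __name__ == "__main__":
    for vrf in ("CUST_A", "CUST_B"):
        print(vrf, send(vrf, "192.168.2.10"))
```

Running it prints two traces that are identical at every core hop except for the inner label, which is the only thing that steers the packet into ceA2 or ceB2 at PE2.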
Benefits
For service providers and their clients, Layer 3 MPLS VPNs provide a number of noteworthy benefits:
- Scalability: All VPN-specific state lives on the edge PE routers, while the core P routers keep only label-switching state, so a single MPLS network can carry hundreds of VPNs without the core growing with each one.
- Security/Isolation: VRFs keep each customer's routes and traffic in separate tables, so the PE will not deliver one customer's packets into another customer's VPN. This is isolation, not confidentiality: the provider network does not encrypt anything by default, and the separation holds only as long as the RT import/export configuration on the PEs is correct. Customers who need confidentiality across the provider network run IPsec or similar encryption over the VPN.
- QoS (Quality of Service): The MPLS backbone supports QoS, so the service provider can prioritize traffic classes such as VoIP based on markings like DSCP.
- Simplified Customer Routing: Customers offload inter-site routing to the SP. Each CE router needs only its interface configuration and a routing protocol (or static routes) to peer with its PE.
