MPLS VPN Technical Overview

MPLS IP-VPN is a service provider-based Layer 3 VPN technology for secure overlay VPN solutions. It uses BGP to advertise VPN routes across the Vostron network and uses MPLS to forward VPN packets across service provider backbones. MPLS IP-VPN provides flexible networking modes, excellent scalability, and convenient support for Quality of Service and traffic engineering.

Network diagram for the a basic MPLS Layer 3 VPN
Fig 1: Network diagram for the a basic MPLS Layer 3 VPN

Technology

The MPLS IP-VPN model consists of three kinds of devices:

  • Customer edge device (CE) - A CE resides on a customer network and has one or more interfaces directly connected with Vostron's core network via a PE device. It neither can "sense" the existence of any VPN nor needs to support MPLS.
  • Provider edge router (PE) - A PE resides on a service provider network and connects one or more CEs to the network. On an MPLS network, all VPN processing occurs on the PEs.
  • Provider (P) router - A P router is a backbone router on a service provider network. It is not directly connected with any CE. It only needs to be equipped with basic MPLS forwarding capability.

Figure 1 shows the MPLS IP-VPN model.

The CE marks the boundary between Vostron and the customer. The CE is usually a Vostron-managed router.

After a CE establishes adjacency with a directly connected PE, it advertises its VPN routes to the PE and learns remote VPN routes from the PE. A CE and a PE use a routing protocol such as BGP, OSPF or RIP to exchange routing information. You can also configure static routes between them.

After a PE learns the VPN routing information of a CE, it uses BGP to exchange VPN routing information with other PEs. A PE maintains routing information about only VPNs that are directly connected, rather than all VPN routing information on the provider network.

A P router maintains only routes to PEs. It does not need to know anything about VPN routing information as it is forwarding traffic based purely on the MPLS label indicating the PE router the traffic is destined for.

When VPN traffic travels over the MPLS backbone, the ingress PE functions as the ingress LSR (Label Switch Router), the egress PE functions as the egress LSR, while P routers function as the transit LSRs.

Example MPLS VPN
Fig 2 : Example MPLS VPN

Deployment Example

In our example deployment we have 4 geographically disparate sites connected via 3 PE routers with one of the sites having connections to two different PE routers.

As you can see from the diagram in Figure 2, an MPLS IP-VPN has been created across the Vostron MPLS network to provide the customer with an Virtual Private Network overlayed across the Vostron network.

The Layer 3 VPN allows each site to access the resources of any of the other sites at the full speeds of each link, as there is no central 'hub' site to act as bottleneck. It is also possible to configure access policies at each CE device to restrict the traffic that can flow between sites, if required.

Site 3, the organisation's HQ, has been provisioned with two links to the Vostron network. This provides both increased capacity and connectivity redundancy to the site. If either of these links goes down, traffic will be automatically rerouted to use the remaining link.

Where two dedicated connections to the Vostron network can't be justified ADSL can be utilised to provide a backup service for the primary connection. When using ADSL the backup link is idle unless the primary link has failed, in which case traffic is rerouted to use the ADSL connection.

Image
Fig 3 : Best-path routing

Because the VPN is a full overlay VPN which shares the topology of Vostron's MPLS network, the VPN benefits from proper best-path routing. As shown in Figure 3, traffic will take the best path across Vostron's network, increasing performance and delivering much lower latencies than a Hub and Spoke-based SSL or IPSEC VPN.

As Site 3 has two connections to the network, traffic will be split across them based upon the best path. For example, traffic to and from Site 1 utilises the first link and traffic to and crom sites 4 and 2 utilise the second link. This provides a form of load-balancing using the two connections.

Additional Services

The flexibility, performance and security aspects of the Layer 3 VPN makes it the ideal platform to build a complete corporate network. By extending the VPN to a Vostron datacentre, all of the customer's internal server hosting requirements can be handled in a secure, controlled environment without additional leased lines or complex firewalling.

Image
Fig 4 : Additional Services via MPLS VPN

It's beneficial from both a performance and cost perspective to locate any services which are shared by all sites within the VPN at a neutral Vostron datacentre where they won't use valuble leased line resources. Service performance should also increase as bandwidth within the MPLS core network is uncontended.

Services which are commonly centrally located include company Intranets, Email and Calendaring services, Backup servers, Database servers and File servers.

The VPN is also the ideal place to provide centrally controlled internet connectivity to all sites from one location. This allows the customer to more easily manage their Internet connectivity as well as centrally apply any filtering or monitoring policies operated by the customer.

As we saw with the ADSL backup connections, it's possible to connect broadband connections to the IP-VPN. This enables home-workers and executives to have direct connectivity to the company network from their home broadband, removing the need for complicated SSL or IPSEC configuration and management. By providing a central point of internet breakout for your entire IP-VPN, you can even monitor and manage the usage of any broadband connections provided to staff members at home.