MPLS Virtual Private Network
A Virtual Private Network (VPN) is configured on service provider equipment and managed by the provider. MPLS label loading is the key operation for implementing VPN tunnels over an MPLS network. This label loading, or stacking, supports hierarchical networks. An outer transport label establishes bulk transport LSPs (tunnels) between the Provider Edge (PE) devices in a service provider’s network. The labels keep the traffic of each VPN separate and protect it through that separation, without encryption. This can also be done based on application requirements. These solutions are highly scalable because only a single set of transport tunnels is established between the PE routers.
Packet Forwarding in a VPN Setup
At the ingress PE router, two labels are pushed onto a packet. Label1 is the VPN label, used to decide which egress PE router receives the packet. Label2 is then pushed on top of it to determine the next-hop LSR along the LSP. This top label changes at each router the packet passes through on the path. Finally, the router that is second to last before the egress PE pops it. With only the VPN label left, the packet is passed to the egress PE router, which pops that label and routes the packet via IP to the corresponding customer edge (CE) router.
Any Provider (P) router on the LSP should not read the customer routes or VPN labels that are ‘tunneling’ between PE devices. This is considered vital: when a P router receives a labeled packet destined for a customer’s virtual network, the configuration is in error. Because this router has no information for further operations on the packet, the VPN packet is dropped. In addition, Border Gateway Protocol (BGP) is used to exchange routes within the virtual networks.
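The forwarding steps above, traced as an added example that is not part of the original page: a small simulation of the two-label stack, including the case where a P router sees a VPN label on top and drops the packet. The topology, router names, label values and VRF names are all constructed for illustration.

```python
# Constructed topology: PE1 -> P1 -> P2 -> PE2 -> CE. All names and label values are made up.
# LFIB: router -> {incoming top label: (action, outgoing label or VRF, next hop)}
LFIB = {
    "P1":  {100: ("swap", 200, "P2")},
    "P2":  {200: ("pop", None, "PE2")},        # second-to-last router pops the transport label
    "PE2": {5001: ("vpn", "VRF-A", "CE-A2"),   # VPN labels are known only to the egress PE
            5002: ("vpn", "VRF-B", "CE-B2")},
}

def ingress_push(vpn_label, transport_label, payload):
    """Ingress PE: push the VPN label first, then the transport label on top."""
    return {"stack": [transport_label, vpn_label], "payload": payload, "vrf": None}

def forward(router, packet):
    """Process one hop. Returns (next_hop, packet), or ("DROP", reason)."""
    stack = packet["stack"]
    entry = LFIB.get(router, {}).get(stack[0]) if stack else None
    if entry is None:
        top = stack[0] if stack else "none"
        return "DROP", f"{router}: no forwarding entry for top label {top}"
    action, out, next_hop = entry
    rest = stack[1:]                    # remove the top label
    if action == "swap":
        rest = [out] + rest             # P router: replace the top label only
    elif action == "vpn":
        packet = dict(packet, vrf=out)  # egress PE: label selects the VRF for the IP lookup
    return next_hop, dict(packet, stack=rest)

def walk(first_hop, packet, max_hops=8):
    """Follow the packet hop by hop; returns (final_node, packet_or_reason, trace)."""
    node, trace = first_hop, []
    for _ in range(max_hops):
        if node not in LFIB:            # reached a CE: plain IP from here on
            return node, packet, trace
        trace.append((node, list(packet["stack"])))
        node, packet = forward(node, packet)
        if node == "DROP":
            return node, packet, trace
    return "DROP", "hop limit exceeded", trace

if __name__ == "__main__":
    print(walk("P1", ingress_push(5001, 100, "10.1.2.3")))
    # Failure case from the text: a P router sees a VPN label on top and drops the packet.
    print(walk("P1", {"stack": [5001], "payload": "10.1.2.3", "vrf": None}))
```

The trace shows that P1 and P2 only ever act on the top (transport) label, while the VPN label is interpreted solely at PE2.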