
MPLS Virtual Private Networks (VPNs)

MPLS VPNs are a key service for telecoms providers to offer across their converged NGN network, and provide a native IP service from a customer perspective...

MPLS VPNs operate from a service perspective at the IP layer, and classify routers in the customer and service provider network into one of four types, as shown in the diagram opposite. Customer Edge (CE) and Provider Edge (PE) routers operate at the boundary of the customer and service provider networks respectively.

Unlike the L2 VPN model of Frame Relay, the CE and PE routers are peers from a routing perspective. The VPN functionality is centred on the PE router. The CE router typically requires no VPN-specific configuration, simply treating the PE router as the next hop router in a “private” network. The Provider routers (P) in the service provider core also have no knowledge of the VPN addresses or routing information, and simply provide transport across the core network. The Customer (C) routers are conventional enterprise routers, with no special relationship to the VPN service.

MPLS VPNs assume that the service provider operates an MPLS core between PE routers to which customers attach, and that this core has mechanisms for the establishment of LSPs between these edge routers. The MPLS core LSPs may have been manually provisioned, or may have been established by one of the other MPLS control plane mechanisms. All of this is independent of the MPLS VPN service, but this infrastructure is required for the MPLS VPN model of RFC 2457 to operate.

This separation of the core routing from the VPN functionality that MPLS VPNs achieve is possible because the MPLS VPN architecture uses label stacking to tunnel a customer’s VPN traffic across the MPLS core. Decisions about how to switch the traffic are made at the originating PE router, which understands both the customer VPN locations and the LSPs in place across the core. Therefore it can apply a pair of labels as traffic enters the network from customer sites:

  • The inner label is a VPN label, and allows the traffic to be routed to the correct customer site at the destination PE router. This label is not examined or changed by the core routers.
  • The outer label is a conventional Label Switched Path (LSP) label, which allows the packet to be switched across a trunk LSP through the network core which joins the PE routers. This label is examined and modified at the core routers, and operates like a conventional virtual circuit identifier.

To set up an MPLS VPN, a service provider provisions the service at the PE routers serving that customer’s sites only. No configuration of non-serving PE routers, or of the core routers, is required. Conventional Interior Gateway Protocols (IGPs) running between Provider and Provider Edge routers propagate reachability within the service provider core, and conventional MPLS techniques are used to establish the trunk LSPs between PE routers. All of this is independent of the VPN service.

The VPN service itself is controlled by a routing overlay that does not interact with the core network routing and switching.

  • Once the VPN sites have been configured within the PE routers, the PE routers learn which customer networks are reachable at the directly connected customer site. These customer routes may be statically configured by the service provider, or learnt through a conventional routing protocol running between the PE and CE routers. This information is stored in what are logically per-VPN routing tables, by attaching a VPN Identifier to the routing entries that is unique to each customer VPN.
  • The per-VPN routing table entries held in the PE routers are propagated between all PE routers in the service provider network using Multi-protocol Border Gateway Protocol (MP-BGP). The PE routers therefore operate rather like conventional iBGP peers by advertising external reachability. As the number of PE routers and customer sites grows, scalability of the MPLS VPN approach can be improved by normal BGP mechanisms, such as the use of BGP route reflectors.
  • Traffic is forwarded between PE routers serving different sites of a VPN by MPLS label stacking: the originating PE router attaches a label for the destination IP address within the relevant VPN, followed by a label for the LSP across the core to the relevant PE router. The outer label is used to switch the packet across the service provider core without the core network needing any awareness of customer VPN routing. Subsequently, at the destination PE router, the VPN-specific label is used to direct the packet to the appropriate local VPN site.
  • Moves and changes to sites on an existing VPN are automatically propagated once the PE router serving the affected sites has been configured.
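The label-stacking mechanism described earlier (inner VPN label, outer LSP label) and the routing overlay listed above can be seen together in a small simulation. The Python model below is an added example, not code from the original article or from any vendor's implementation; the router names (PE1, P1, PE2), the label values, the customer names and prefixes, and the helper functions `build_network` and `run` are all constructed for the model. It gives two customer VPNs the same private prefix to show that isolation comes from the per-VPN table at the ingress PE and the inner label at the egress PE, that the P router rewrites only the outer label and never reads the customer IP header, and that a destination with no route in the packet's own VPN table is dropped rather than looked up in another customer's table.

```python
"""Toy model of MPLS VPN forwarding with label stacking.

Added example, not code from the original article. It walks one customer packet
along CE -> ingress PE -> P -> egress PE -> CE for two customer VPNs ("acme" and
"globex") that deliberately share the same private prefix. All router names,
labels and prefixes are constructed for the model.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Packet:
    vpn: str      # CE attachment (customer VPN) the packet arrived on at the ingress PE
    dst: str      # customer destination IP address
    labels: list = field(default_factory=list)  # label stack, index 0 is the outermost


class ProviderRouter:
    """Core (P) router: rewrites the outer label only; inner label and IP header stay opaque."""

    def __init__(self, name, swap_table):
        self.name = name
        self.swap = swap_table   # incoming outer label -> outgoing outer label
        self.seen = []           # everything this router actually inspected

    def forward(self, pkt):
        top = pkt.labels[0]
        self.seen.append(top)
        if top not in self.swap:
            return None          # unknown LSP label: drop
        pkt.labels[0] = self.swap[top]
        return pkt


class ProviderEdge:
    """PE router: holds per-VPN routing tables and the trunk LSPs to other PEs."""

    def __init__(self, name):
        self.name = name
        self.vrf = {}             # vpn -> [(prefix, remote_pe, vpn_label)]
        self.trunk = {}           # remote PE name -> outer label pushed for the trunk LSP to it
        self.terminating = set()  # outer labels of LSPs that end at this PE
        self.local_sites = {}     # vpn_label -> (vpn, site) allocated for directly attached sites

    def add_vpn_route(self, vpn, prefix, remote_pe, vpn_label):
        # In a live network this entry arrives via MP-BGP from the remote PE.
        self.vrf.setdefault(vpn, []).append(
            (ipaddress.ip_network(prefix), remote_pe, vpn_label))

    def ingress(self, pkt):
        # Consult only the table of the VPN the packet arrived on; other customers' tables are invisible.
        addr = ipaddress.ip_address(pkt.dst)
        matches = [r for r in self.vrf.get(pkt.vpn, []) if addr in r[0]]
        if not matches:
            return None           # no route in this VPN: drop, never fall back to another table
        _, remote_pe, vpn_label = max(matches, key=lambda r: r[0].prefixlen)
        # Whatever labels a CE may have sent are discarded; the PE alone builds the stack.
        pkt.labels = [self.trunk[remote_pe], vpn_label]
        return pkt

    def egress(self, pkt):
        outer, inner = pkt.labels[0], pkt.labels[1]
        if outer not in self.terminating or inner not in self.local_sites:
            return None           # LSP does not end here, or label never allocated by this PE
        pkt.labels = []
        return self.local_sites[inner][1]   # the local site (CE) the packet is handed to


def build_network():
    pe1, pe2 = ProviderEdge("PE1"), ProviderEdge("PE2")
    p1 = ProviderRouter("P1", {100: 200})   # trunk LSP PE1 -> P1 -> PE2
    pe1.trunk["PE2"] = 100
    pe2.terminating.add(200)
    # PE2 allocates one VPN label per attached site and advertises it with that site's prefix.
    pe2.local_sites[16] = ("acme", "acme-siteB")
    pe2.local_sites[17] = ("globex", "globex-siteB")
    pe1.add_vpn_route("acme", "10.2.0.0/16", "PE2", 16)
    pe1.add_vpn_route("globex", "10.2.0.0/16", "PE2", 17)   # same prefix, different VPN
    return pe1, p1, pe2


def run(vpn, dst):
    """Send one packet from a CE on `vpn` attached to PE1.

    Returns (site reached or None, list of labels the P router inspected)."""
    pe1, p1, pe2 = build_network()
    pkt = pe1.ingress(Packet(vpn=vpn, dst=dst))
    if pkt is not None:
        pkt = p1.forward(pkt)
    site = pe2.egress(pkt) if pkt is not None else None
    return site, p1.seen


if __name__ == "__main__":
    print(run("acme", "10.2.3.4"))      # ('acme-siteB', [100])
    print(run("globex", "10.2.3.4"))    # ('globex-siteB', [100]): same address, other VPN
    print(run("acme", "192.168.1.1"))   # (None, []): no route in acme's table
```

The two checks at the PE are the ones that matter operationally: the ingress PE ignores any labels arriving from a customer interface and builds the stack itself, and the egress PE only accepts an inner label it allocated, so a stray or stale label cannot steer traffic into a site it was never advertised for.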
