What are MPLS virtual private networks (VPNs), and how are they used in enterprise WANs? This MPLS VPN tutorial will help you brush up on the basics.
What are MPLS
Multiprotocol Label Switching (MPLS) networks are the next generation of networks designed to allow enterprises to create end-to-end circuits across any type of transport medium using any available wide area network (WAN) technology. Until recent years, enterprises with the need to connect remote offices in locations across the country were restricted to the limited WAN options that service providers offered—usually frame relay or T1/E1 dedicated links. The problem with these WAN technologies is that they are usually very expensive and complex to manage, as well as inflexible, making them a headache for both enterprises and service providers. Worst of all, as the distance between a company’s endpoints increase, so do monthly bills.
How MPLS networks work
MPLS works by tagging the traffic entering the MPLS network. An identifier (label) is used to help distinguish the Label Switched Path (LSP) to be used to route the packet to its correct destination. Once the best LSP is identified by the router, the packet is forwarded to the next-hop router. A different label is used for every hop, and the label is selected by the router (or switch) that is performing the forwarding operation.
Take for example the diagram below. It exemplifies a simple MPLS network where the central server is sending packets to two remote hosts.
Enlarge MPLS network diagram.
The ingress router (LSR1) accepts packets from the server and selects the best LSP based on its destination IP address. It then selects an initial label (local significance) for each packet and then forwards the packets using MPLS. When Router2 receives the packets, it uses these labels to identify the LSPs from where it selects the next hops (R3 and R4) and labels (43 and 12). At the end of the path, the egress routers (R3 and R4) remove the final label and send the packet out to the local network.
One of the great advantages offered by MPLS networks is the built-in Quality of Service (QoS) mechanisms. MPLS service providers usually offer an end-to-end QoS policy to ensure their enterprise MPLS networks have guaranteed QoS through the MPLS network backbone. This allows delay-sensitive services such as VoIP to be implemented with guaranteed bandwidth between the endpoints.
There really is no limitation to the type of services that can be run over an MPLS network. The QoS mechanisms and prioritization services allow the quick and effective forwarding of traffic between network endpoints.
Understanding MPLS VPN basics
MPLS VPNs combine the power of MPLS and the Border Gateway Protocol (BGP) routing protocol. MPLS is used to forward packets over the provider’s network backbone, and BGP is used for distributing routes over the backbone.
An MPLS virtual private network (VPN) is compromised of the following equipment:
- Customer Edge (CE) routers. These are placed on site and are usually owned by the enterprise customer. Some service providers also supply the CE equipment for a small rental fee.
- Provider Edge (PE) routers. These are the provider’s edge routers to which the CE routers connect to. The PE routers are always owned by the service provider.
- Provider (P) routers. These routers are commonly referred to as "transit routers" and are located in the service provider’s core network.
Routing information is passed from the CE router to the PE router using either static routes or a routing protocol such as BGP. The PE router keeps a per-site forwarding table, also known as a virtual routing and forwarding table (VRF). At the PE router, each VRF serves a particular interface—or set of interfaces—that belongs to each individual VPN. Each PE router is configured by the service provider with its own VRF that is unique. Routers within the MPLS VPN network do not share VRF information directly.
The diagram below illustrates a typical network where VRFs are unique for each VPN connected to a particular PE router.
Enlarge MPLS VPN network diagram.
What’s important about MPLS VPN services is that there is no boundary to the type of WAN technology used. This means you can run MPLS over ATM (also known as MPLS IP VPN over ADSL), leased lines, satellite links, wireless links and much more. This flexibility makes MPLS networks a preferred method of connecting offices to each other. The Internet service provider (ISP) provides the interface to which the local network is connected—usually a router with a LAN interface. All that’s required is to connect the provided interface to the local network, set the necessary equipment to use the new gateway (MPLS CE router) and everything magically works.
For more information on networking, VPN security and firewalls, visit Firewall.cx, one of the few websites recommended by Cisco Systems in its world class Cisco Academy program.
Internet access is also possible through the MPLS IP VPN service where the service provider typically announces the routes of customers that require direct access to the Internet, without affecting the performance of their intrasite VPN links. For example, this means that it’s possible to have a 1024 Kbps MPLS link to your ISP, which splits to a 512 Kbps MPLS IP VPN link to your remote site and a further 512 Kbps link to the Internet. The ISP completely separates these two virtual links, even though they run through the same interface. The link providing Internet access makes use of Network Address Translation (NAT) to translate the private network address space from the enterprise’s network. In this case, the enterprise reveals no more information to the Internet than it would with any normal connection to the Internet.
→ Continue reading this MPLS VPN tutorial to learn about MPLS IP VPN encryption.
This was first published in June 2011