Cisco IP Solution Center, 3.0: MPLS VPN Management User Guide, 3.0
OL-4344-01
Chapter 1 About Cisco IP Solution Center
About MPLS VPNs

Characteristics of MPLS VPNs

MPLS VPNs have the following characteristics:
• Multiprotocol Border Gateway Protocol (MP-BGP) extensions are used to encode
  customer IPv4 address prefixes into unique VPN-IPv4 Network Layer Reachability Information
  (NLRI) values.
  NLRI refers to a destination address in MP-BGP, so NLRI is considered “one routing unit.” In the
  context of IPv4 MP-BGP, NLRI refers to a network prefix/prefix length pair that is carried in the
  BGP4 routing updates.
• Extended MP-BGP community attributes are used to control the distribution of customer routes.
• Each customer route is associated with an MPLS label, which is assigned by the provider edge router
  that originates the route. The label is then employed to direct data packets to the correct egress
  customer edge router.
• When a data packet is forwarded across the provider backbone, two labels are used. The first label
  directs the packet to the appropriate egress PE; the second label indicates how that egress PE should
  forward the packet.
• Cisco MPLS CoS and QoS mechanisms provide service differentiation among customer data
  packets.
• The link between the PE and CE routers uses standard IP forwarding.
• The PE associates each CE with a per-site forwarding table that contains only the set of routes
  available to that CE.

Principal Technologies

There are four principal technologies that make it possible to build MPLS-based VPNs:
• Multiprotocol Border Gateway Protocol (MP-BGP) between PEs carries CE routing information
• Route filtering based on the VPN route target extended MP-BGP community attribute
• MPLS forwarding carries packets between PEs (across the service provider backbone)
• Each PE has multiple VPN routing and forwarding instances (VRFs)

Intranets and Extranets

If all the sites in a VPN are owned by the same enterprise, the VPN is a corporate intranet. If the various
sites in a VPN are owned by different enterprises, the VPN is an extranet. A site can be in more than one
VPN. Both intranets and extranets are regarded as VPNs.

While the basic unit of interconnection is the site, the MPLS VPN architecture allows a finer degree of
granularity in the control of interconnectivity. For example, at a given site, it may be desirable to allow
only certain specified systems to connect to certain other sites. That is, certain systems at a site may be
members of an intranet as well as members of one or more extranets, while other systems at the same
site may be restricted to being members of the intranet only.

A CE router can be in multiple VPNs, although it can only be in a single site. When a CE router is in
multiple VPNs, one of these VPNs is considered its primary VPN. In general, a CE router’s primary VPN
is the intranet that includes the CE router’s site. A PE router may attach to CE routers in any number of
different sites, whether those CE routers are in the same or in different VPNs. A CE router may, for
robustness, attach to multiple PE routers. A PE router attaches to a particular VPN if it is a router
adjacent to a CE router that is in that VPN.
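
The route-target filtering, per-site forwarding tables and intranet/extranet membership described above, modeled as an added example (not taken from the Cisco guide or from ISC). VRF names, owners, route-target values, labels and PE names are constructed, and the route distinguisher field comes from RFC 4364 rather than from this page. The audit function reports VRFs of different enterprises that are joined by a route target not on an approved extranet list.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class VpnRoute:
    rd: str                  # route distinguisher (RFC 4364): makes the NLRI unique
    prefix: str              # customer IPv4 prefix; may overlap between customers
    label: int               # MPLS label assigned by the originating PE
    egress_pe: str
    route_targets: frozenset # extended communities attached on export

@dataclass
class Vrf:
    name: str
    owner: str               # enterprise that owns the attached site
    rd: str
    import_rts: set
    export_rts: set
    table: dict = field(default_factory=dict)  # per-site forwarding table
    def advertise(self, prefix, label, pe):
        return VpnRoute(self.rd, prefix, label, pe, frozenset(self.export_rts))

def distribute(routes, vrfs):
    """Route-target filtering: a VRF installs only routes carrying an RT it imports."""
    for vrf in vrfs:
        for r in routes:
            if r.rd != vrf.rd and r.route_targets & vrf.import_rts:
                vrf.table[r.prefix] = (r.egress_pe, r.label)

def cross_owner_imports(vrfs, approved_rts=frozenset()):
    """Audit: importer/exporter pairs with different owners joined by an unapproved RT."""
    findings = []
    for imp in vrfs:
        for exp in vrfs:
            shared = (imp.import_rts & exp.export_rts) - approved_rts
            if imp.owner != exp.owner and shared:
                findings.append((imp.name, exp.name, sorted(shared)))
    return findings

def build_demo():
    """Constructed sample: two enterprises, overlapping 10.2.0.0/16, one extranet RT."""
    acme_hq = Vrf("acme_hq", "Acme", "65000:1", {"65000:100"}, {"65000:100", "65000:900"})
    acme_br = Vrf("acme_branch", "Acme", "65000:2", {"65000:100"}, {"65000:100"})
    globex = Vrf("globex_hq", "Globex", "65000:3", {"65000:200", "65000:900"}, {"65000:200"})
    routes = [acme_hq.advertise("10.1.0.0/16", 101, "PE1"),
              acme_br.advertise("10.2.0.0/16", 102, "PE2"),
              globex.advertise("10.2.0.0/16", 201, "PE3")]
    vrfs = [acme_hq, acme_br, globex]
    distribute(routes, vrfs)
    return vrfs, routes
```

In the sample, only the Acme headquarters site exports the extranet route target, so the Globex VRF learns 10.1.0.0/16 but never the Acme branch prefix that overlaps its own.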