MPLS VPN terminology

From CT3


By Ivan Pepelnjak

MPLS VPN provides end-to-end layer-3 VPN transport over a shared IP infrastructure. It’s address-agnostic (customers can use their own IP address space) and routing-protocol-agnostic (the customers can use most routing protocols supported by Cisco IOS). In a typical MPLS VPN solution, a large number of customer sites connect to a common Service Provider network (see Figure 1).

Figure 1: Typical MPLS VPN network
Backdoor link
A backup link between two customer sites that should be used only if the MPLS VPN network fails. From the MPLS VPN perspective, a backdoor link converts two separate customer sites into a single multihomed site. Special precautions (see sham link) usually have to be taken to ensure that the traffic flows over the MPLS VPN network and not over the backdoor link.
BGP community
An attribute attached to a BGP (or MP-BGP) route. BGP communities might be used to signal routing policies, tag routes or transport extra attributes not defined in BGP across a BGP network. A BGP community is a 32-bit value. The high-order 16 bits should contain the AS number of the organization defining the community and the low-order 16 bits have local significance.
You must use the ip bgp-community new-format global configuration command to display BGP communities on a Cisco router in the format conforming to RFC 1997. Without this command the router displays BGP communities as 32-bit decimal numbers.
Customer network(s). In a typical scenario, numerous customer networks connect to the same provider network (see P-network).
Customer edge router. A router in the customer network connected to the provider network.
Customer site
A contiguous part of a customer network.
Whenever two IP subnets can exchange traffic solely through routers and links belonging to the C-network, they belong to the same site, even though that might not have been the customer’s intention (see also backdoor link).
Extended BGP community
64-bit BGP communities defined in RFC 4360. The first 16 bits define the meaning of the community. The low-order 48 bits contain a globally-unique identifier (for example, 16-bit AS number or 32-bit global IP address) and a locally-significant part defined by the MPLS VPN provider. Extended BGP communities are used to indicate route import/export policies, customer site identifier or OSPF/EIGRP attributes transported across the MP-BGP.
Extranet VPN
See overlapping VPN.
Hub-and-spoke VPN
A VPN topology that emulates hub-and-spoke Frame Relay (or ATM) networks. The traffic between spoke sites in a hub-and-spoke VPN always traverses one of the hub sites. Hub-and-spoke VPNs are commonly used in security-conscious environments where the traffic between spoke sites has to be filtered or inspected by the hub site(s). A customer might also require hub-and-spoke VPN to retain the network model and traffic flow from the Frame Relay environment.
Label Distribution Protocol. The protocol used between routers in the provider network to establish end-to-end MPLS label switched paths across the provider network.
Multi-protocol Border Gateway Protocol (BGP). Extensions (defined in RFC 2283) to the core BGP protocol (RFC 1771) that allow BGP to transport multiple address families, including IP Multicast, IPv6, VPNv4 and VPNv6.
Multi-protocol label switching. A layer 2½ technology that is used by MPLS VPN technology to transport customer IP datagrams across the P-network.
Layer-2 VPN technologies (for example, Any Transport over MPLS; AToM) using MPLS as the underlying transport mechanism. The term MPLS VPN is usually reserved for layer-3 (IP) VPN implementation.
Multihomed site
A customer site connected to the P-network with more than one PE-CE link.
A solution (formerly known as VRF-Lite) where multiple VRFs are configured on a CE-router to connect multiple customers to the same router without deploying the PE-functionality. The CE-router does not need MPLS VPN functionality, MPLS-enabled interfaces or MP-BGP. A CE-router using VRF-Lite needs multiple uplinks to the PE-router, one for each VRF. These uplinks could be implemented with subinterfaces, VLANs or GRE tunnels.
Overlapping VPN
A solution where a single customer site belongs to multiple VPNs. Overlapping VPNs might be used to connect central sites of several organizations into an extranet. This topology is called Extranet VPN in some documentation.
The Service Provider network providing edge-to-edge layer-3 transport.
A core router in the provider network that is not connected to any customer site.
PE-CE link
A link between a PE-router and a CE-router.
An edge router in the provider network, connected to other P- or PE-routers as well as at least one CE-router.
Route distinguisher. A 64-bit quantity prepended to customer’s IPv4 or IPv6 addresses to make them globally unique.
The original RFC describing MPLS VPN functionality. The actual implementation of MPLS VPN in Cisco’s and Juniper’s routers departed from the RFC (see RFC2547bis).
The name of the RFC draft that documented the actual implementation of MPLS VPN technology. Now published as RFC 4364.
Extended BGP community attached to VPNv4 MP-BGP routes. The route targets are used to indicate import/export policies of MPLS VPN topologies. In the simple VPN case, a single RT identical to RD is attached to the VPNv4 routes and all VRFs in the VPN import the routes tagged with RT.
Sham link
A virtual OSPF link created between two PE-routers in the context of the customer’s OSPF routing process. The sham link is used to establish a lower-cost path (over the MPLS VPN network) between two customer sites connected with a backdoor link.
Simple VPN
A VPN providing any-to-any connectivity to multiple customer sites. The traffic flow in a simple VPN is optimal; the customer IP datagrams are transported on the shortest path between the ingress and egress PE-router.
Site-of-origin. An extended BGP community indicating the customer site from which an IPv4 route (translated into a VPNv4 route) has been received. SOO is applicable to all non-link-state PE-CE routing protocols (EIGRP, BGP, RIP) and can be used to detect redistribution loops in multihomed scenarios (see multihomed site).
Tag Distribution Protocol. A Cisco proprietary LDP-like protocol that predates LDP.
96-bit address used in MPLS VPN networks to make customer IPv4 addresses globally unique. It’s composed of a 64-bit RD and 32-bit customer’s IP address.
192-bit address (defined in RFC 4659) used in MPLS VPN networks to make customer IPv6 addresses globally unique. It begins with 64-bit RD and ends with 128-bit IPv6 address.
See VPNv6.
Virtual Routing and Forwarding table. A virtual routing table in the PE-router used to forward customer’s packets. Using a unique VRF per customer allows the Service Provider to offer VPN services over MPLS VPN infrastructure. Multiple VRFs might be used for the same customer to implement complex topologies (see hub-and-spoke topology). A VRF contains IP routing table, Cisco Express Forwarding (CEF) table, a set of routing protocols (including static routes) and a set of PE-CE interfaces.
Multi-VRF before it was renamed by Cisco’s marketing department.
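
The bit layouts given in the BGP community, route distinguisher and VPNv4 entries above, worked through as an added example (not part of the original page). The function names and sample values are constructed for illustration; the type-0 (AS:nn) and type-1 (IP:nn) RD layouts follow RFC 4364, which the glossary names but does not spell out.

```python
import ipaddress
import struct

def community_new_format(value: int) -> str:
    """Render a 32-bit decimal BGP community as AS:NN (RFC 1997 form)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("a BGP community is a 32-bit value")
    # High-order 16 bits: AS number; low-order 16 bits: locally significant.
    return f"{value >> 16}:{value & 0xFFFF}"

def encode_rd(rd: str) -> bytes:
    """Encode 'ASN:nn' (type 0) or 'a.b.c.d:nn' (type 1) as a 64-bit RD."""
    admin, _, assigned = rd.rpartition(":")
    if "." in admin:  # type 1: 32-bit IPv4 address + 16-bit number
        ip = ipaddress.IPv4Address(admin).packed
        return struct.pack("!H4sH", 1, ip, int(assigned))
    # type 0: 16-bit AS number + 32-bit number
    return struct.pack("!HHI", 0, int(admin), int(assigned))

def vpnv4(rd: str, ipv4: str) -> bytes:
    """96-bit VPNv4 address: 64-bit RD followed by the 32-bit customer address."""
    return encode_rd(rd) + ipaddress.IPv4Address(ipv4).packed

def decode_vpnv4(addr: bytes) -> str:
    """Turn a 12-byte VPNv4 address back into 'RD:customer-address'."""
    if len(addr) != 12:
        raise ValueError("a VPNv4 address is exactly 96 bits")
    (rd_type,) = struct.unpack("!H", addr[:2])
    if rd_type == 0:
        asn, number = struct.unpack("!HI", addr[2:8])
        rd = f"{asn}:{number}"
    elif rd_type == 1:
        ip, number = struct.unpack("!4sH", addr[2:8])
        rd = f"{ipaddress.IPv4Address(ip)}:{number}"
    else:
        raise ValueError(f"RD type {rd_type} not handled in this example")
    return f"{rd}:{ipaddress.IPv4Address(addr[8:])}"

if __name__ == "__main__":
    # Constructed sample: two customers using the same private address.
    print(community_new_format(4259840100))
    for rd in ("65000:1", "65000:2"):
        addr = vpnv4(rd, "10.1.1.1")
        print(addr.hex(), decode_vpnv4(addr))
```

The two customers' identical 10.1.1.1 addresses yield different 96-bit VPNv4 values, which is what lets overlapping customer address spaces coexist in MP-BGP.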

Did you know?

  • NIL developed the first commercially available MPLS/VPN training.
  • This training was for several years the only course available to Cisco's internal audiences and its Service Provider customers in Europe.
  • The MPLS/VPN course developed by NIL later became part of Cisco's Service Provider training curriculum and the basis for the Implementing Cisco MPLS (MPLS) course that is part of the CCIP curriculum.
  • NIL's experts have worked as part of Cisco's Professional Services team supporting early adopters of MPLS VPN technology in Europe.
  • NIL has provided several large Service Providers with MPLS/VPN design and deployment support.