Cisco Support Community

New Member

VPN/MP-BGP

Please can you tell me for what reason we will use VPN in MP-BGP?

7 REPLIES
Silver

VPN/MP-BGP

Do you mean the address-family vpnv4? That is used to propagate MPLS VPN routes through MPBGP.

Daniel Dib
CCIE #37149

New Member

VPN/MP-BGP

Dear

Actually I am confused about why we use VPN with MPLS. Why should we configure address-family vpnv4 on PE routers?

Could you please clarify what the VPN does in the PE router?

We use MPLS for fast forwarding.

We use an IGP within the MPLS domain for delivering the labels.

We use BGP because it can forward packets over non-directly connected neighbors.

We use a routing protocol between CE and PE for advertising CE route to PE route.

But I don't know why we use VPN.

If I have misunderstood any of the above, please correct me.

Hall of Fame Super Blue

Re: VPN/MP-BGP

You use VPNs to keep traffic separate from one another. So let's say an SP (Service Provider) has an MPLS network and they have multiple customers connecting to that network. They must have a way of keeping the traffic separate so that the customer only sees their traffic and not any other traffic. In addition, multiple customers could be using the same address ranges within their networks, so you cannot simply use the IP addressing to distinguish between customers.

The way this is done with MPLS is to use VPN labels. When a customer's traffic is received by the SP at the edge of the MPLS network, the ingress PE router adds a VPN label to the packets that is specific to that customer. The traffic can then traverse the MPLS network via the P routers to other PE routers where the customer also has connectivity. When the egress PE router receives the packet, it must have a way to tell which customer that packet is to be sent to, because the PE router could have many customers connecting to it. The VPN label is what tells the PE which customer to send the traffic to.

MP-BGP is used to exchange VPN information between the PE routers.

Jon

New Member

VPN/MP-BGP

Dear, you mean it makes a VPN tunnel between customers that have connectivity?

But what about VRF? Because when the ingress PE router receives a packet from customer A, the router sends it to the VRF of customer A and assigns a Route Target to this route, and on the other side (the egress PE router) that customer A has connectivity with, it recognizes this route from the Route Target and sends it out to that VRF of customer A.

Right? So where is the VPN?

VPN/MP-BGP

The VPN is related to the fact that communication between customers on VRFs A will flow only through their links.

It means that users on VRF B cannot eavesdrop or send traffic over that other VRF because there is a VPN between Sites A.

Normally people get confused when they think about this because there is no encryption being used but remember that encryption is just one of the many benefits of a VPN tunnel.

What we really look for within a VPN is to make sure that traffic between offices within the VPN can flow securely over the internet without anyone else being able to see that traffic!

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Hall of Fame Super Blue

Re: VPN/MP-BGP

You are not creating a tunnel as such, and not using encryption either; it is just keeping the traffic separate. A bit more detail might help.

cs1/A -> CE1 -> PE1 -> P1 -> P2 -> PE2 -> CE2 -> cs1/B

In the above, cs1 is the customer and has 2 sites, A and B. So cs1/A sends a packet to cs1/B. CE1 forwards the packet to PE1.

PE1 then looks at the destination IP and sees that it is reachable via PE2.

The interface on which PE1 received the packet is in vrf cs1, so it adds a VPN label of cs1.

PE1 then does another lookup to see how to get to PE2 (here the lookup is done by consulting the label table). To get to PE2 it needs to send the packet to P1.

PE1 adds another label to the header and sends it to P1.

P1 only looks at the top label. It never needs to look at the VPN label because only PE routers understand the VPN label.

P1 consults its label table and adds the correct label to get to P2.

P2 does the same, but because the next hop is a PE router it does not add another label; it just sends the packet as is, i.e. only the VPN label is left. (This is known as Penultimate Hop Popping, i.e. if the next hop is a PE router, don't bother adding another label.)

PE2 receives the packet, examines the VPN label, sees it is for cs1/B, removes the label and sends it via the interface in vrf cs1 which is the interface connected to CE2.

CE2 forwards it to cs1/B

Hope that makes sense.

Jon
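The hop-by-hop walk in the post above, as an added example that is not part of the original thread. The label values, the second customer `cs2` (with its `CE4`) and the `10.2.0.0/24` prefix are constructed assumptions; both customers deliberately use the same prefix to show that only the VPN label keeps them apart at PE2.

```python
import ipaddress

# Constructed tables. PE1 per-VRF routes learned via MP-BGP vpnv4:
# prefix -> (egress PE, VPN label advertised by that PE)
PE1_VRF = {
    "cs1": {"10.2.0.0/24": ("PE2", 101)},
    "cs2": {"10.2.0.0/24": ("PE2", 202)},  # same prefix, other customer
}
# Transport labels. PE1 is keyed by egress PE, P routers by incoming top label.
# Value is (next hop, outgoing label); None means pop (penultimate hop popping).
LFIB = {
    "PE1": {"PE2": ("P1", 16)},
    "P1": {16: ("P2", 17)},    # P1 replaces the top label only
    "P2": {17: ("PE2", None)}, # next hop is the egress PE: pop, VPN label remains
}
# PE2: VPN label -> (VRF, attached CE)
PE2_VPN = {101: ("cs1", "CE2"), 202: ("cs2", "CE4")}


def forward(ingress_vrf, dst_ip):
    """Return (trace, vrf, ce); trace holds the label stack leaving each router."""
    dst = ipaddress.ip_address(dst_ip)
    # Lookup is confined to the VRF of the interface the packet arrived on.
    hits = [(ipaddress.ip_network(p), nh)
            for p, nh in PE1_VRF[ingress_vrf].items()
            if dst in ipaddress.ip_network(p)]
    if not hits:
        return [], None, None  # no route in this VRF: dropped at PE1
    _, (egress, vpn_label) = max(hits, key=lambda h: h[0].prefixlen)
    node, outer = LFIB["PE1"][egress]
    stack = [outer, vpn_label]  # transport label on top, VPN label beneath
    trace = [("PE1", list(stack))]
    while node != egress:
        nxt, out_label = LFIB[node][stack[0]]  # P routers read the top label only
        stack = stack[1:] if out_label is None else [out_label] + stack[1:]
        trace.append((node, list(stack)))
        node = nxt
    vrf, ce = PE2_VPN[stack[0]]  # egress PE selects the VRF from the VPN label
    return trace, vrf, ce


if __name__ == "__main__":
    for vrf in ("cs1", "cs2"):
        print(vrf, forward(vrf, "10.2.0.5"))
```
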

Re: VPN/MP-BGP

Hello Rawa,

I would explain it as simply as possible:

This VPN address family will be used in order to separate the networks in place at both ends of the VPN.

As simple as that: to segregate and make sure Customer A can only talk to Customer A!!

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC