VPN Packet Forwarding
In the previous section, you saw that the IP addresses used within a VPN must be prepended with a 64-bit prefix called a route distinguisher (RD) to make them unique.
Similarly, when the VPN-originated IP packets are forwarded across the service provider backbone (the P network), they must be augmented to make them uniquely recognizable. Yet again, several technology options are possible:
The IP packet is rewritten to include 96-bit addresses in the packet header. This operation would be slow and complex.
The IP packet is tunneled across the network in VPN-over-IP tunnels. This choice would make MPLS/VPN as complex as traditional IP-over-IP VPN solutions using the overlay VPN model.
With the introduction of MPLS, a third technology option was made possible: Each VPN packet is labeled by the ingress PE router with a label uniquely identifying the egress PE router, and is sent across the network. All the routers in the network subsequently switch labels without having to look into the packet itself. The preparatory steps for this process are illustrated in Figure 9-8.
Figure 9-8 VPN Packet ForwardingPreparatory Steps
Each PE router needs a unique identifier (a host routeusually the loopback IP address is used), which is then propagated throughout the P network using the usual IGP (Step 1). This IP address is also used as the BGP next-hop attribute of all VPN routes announced by the PE router. A label is assigned in each P router for that host route and is propagated to each of its neighbors (Step 2). Finally, all other PE routers receive a label associated with the egress PE router through an MPLS label distribution process (Step 3). After the label for the egress PE router is received by the ingress PE router, the VPN packet exchange can start.
However, when the egress PE router receives the VPN packet, it has no information to tell it which VPN the packet is destined for. To make the communication between VPN sites unique, a second set of labels is introduced, as illustrated in Figure 9-9.
Figure 9-9 VPN Label Allocation
Each PE router allocates a unique label for each route in each VPN routing and forwarding (VRF) instance (Step 1). These labels are propagated together with the corresponding routes through MP-BGP to all other PE routers (Step 2). The PE routers receiving the MP-BGP update and installing the received routes in their VRF tables (see Figure 9-7 for additional details) also install the label assigned by the egress router in their VRF tables. The MPLS/VPN network is now ready to forward VPN packets.
When a VPN packet is received by the ingress PE router, the corresponding VRF is examined, and the label associated with the destination address by the egress PE router is fetched. Another label, pointing toward the egress PE router, is obtained from the global forwarding table. Both labels are combined into an MPLS label stack, are attached in front of the VPN packet, and are sent toward the egress PE router.
All the P routers in the network switch the VPN packet based only on the top label in the stack, which points toward the egress PE router. Because of the normal MPLS forwarding rules, the P routers never look beyond the first label and are thus completely unaware of the second label or the VPN packet carried across the network.
The egress PE router receives the labeled packet, drops the first label, and performs a lookup on the second label, which uniquely identifies the target VRF and sometimes even the outgoing interface on the PE router. A lookup is performed in the target VRF (if needed), and the packet is sent toward the proper CE router.
The egress PE router assigns labels to VPN routes in such a way that the need for additional Layer 3 lookup in the target VRF is minimized. The additional Layer 3 lookup is needed only for summary VPN routes advertised between the PE routers.
The router just before the egress PE router might also remove the first label in the label stack through a mechanism called penultimate hop popping. Refer to Chapter 2, "Frame-mode MPLS Operation," for a detailed description of this mechanism.
In the best case (no summary VPN routes and network topology that supports penultimate hop popping), the egress PE router would perform only a single label lookup, resulting in maximum forwarding performance.