Layer 3 VPN (L3VPN)

Layer 3 VPN (L3VPN) over MPLS is one of the most widely deployed MPLS applications in service provider and large-scale enterprise networks.

Cisco IOS Software supports L3VPN architecture that uses the RFC 2547 standard implementation to provide a secure and robust VPN solution offering any-to-any connectivity that can be implemented over MPLS or IP network infrastructure.

L3VPN architecture leverages Multiprotocol Border Gateway Protocol (MP-BGP) and Virtual Routing and Forwarding (VRF) instances to constitute a peer-to-peer VPN framework via the IP/MPLS core network. This model allows enterprise networks to outsource routing table information to service providers.

L3VPN allows service providers to offer additional value-add services to the customers, such as QoS, Traffic Engineering (TE), and Fast Reroute services, thereby reducing operational costs and complexity, and increasing network performance and convergence.

Components of L3VPN

There are three major components in an L3VPN network:

• VPN Route Target Communities: This consists of a list of all members of the VPN community. VPN route targets need to be configured for each VPN community member.

• Multiprotocol BGP (MP-BGP) Peering: This is configured between all PE routers within a VPN community. MP-BGP is used to propagate VRF reachability information to all members of a VPN community.

• MPLS Forwarding: MPLS core transports all traffic between all VPN community members across a VPN service-provider core network.

As mentioned earlier, MPLS VPN is a connection-less technology; hence, it does not require a one-to-one relationship between customer sites and VPNs. A given customer site can be a member of multiple VPNs. However, each site can associate with only one VRF. VRF ensures a customer site gets all the routes pertaining to the site from the VPNs of which it is a member.

How L3VPN Implementation Works

L3VPN is implemented at the edge of an MPLS core network on the PE (provider's edge) router. The PE router is responsible for the following:

• Exchange routing updates with the CE (Customer's Edge) router

• Translate the CE routing information into VPNv4 routes

• Exchange VPNv4 routes with other PE routers via the MP-BGP through the MPLS core

How VRF Tables Work

Virtual Routing and Forwarding (VRF) constitutes the VPN membership of a customer site that is attached to a PE router. Each VPN can be associated with one or more VRF instances. A VRF consists of the following components:

• IP routing table

• Derived CEF table

• Set of interfaces that use the forwarding table

• Set of rules and routing protocol parameters that control the information that is included in the routing table

VRF tables are used to forward packets within a VPN. Each VRF instance maintains a separate set of routing and CEF tables. This segregation prevents leaking of routes outside a VPN and ensures that packets outside a VPN are not forwarded to any router within the VPN.

VPN routing information is distributed through the MPLS core using VPN route target communities that are implemented by MP-BGP extended communities.