The Border Gateway Protocol/Multiprotocol Label Switching (BGP/MPLS) VPN standard is defined in IETF RFC 2547bis to provide Layer 3 VPN solutions using BGP to carry route information over an MPLS core. This Layer 3 MPLS-VPN solution achieves all of the security of the Layer 2 approach, while adding the enhanced scalability inherent in the use of Layer 3 routing technology. The BGP/MPLS VPN is the choice of service providers due to its scalability compared with traditional VPN technologies such as ATM and Frame Relay. In addition, the MPLS VPN, a connectionless VPN, is fully compatible with TCP/IP technologies and the Internet world, and has a significantly lower cost of deployment and operations.
MPLS VPNs offer the same level of security as connection-oriented VPNs. Packets from one VPN do not inadvertently go to another VPN. Security is provided:
- At the edge of a provider network, ensuring packets received from a customer are placed on the correct VPN.
- At the backbone, VPN traffic is kept separate. Malicious spoofing, or an attempt to gain access to a PE router, is nearly impossible.
The key to providing security in the shared PE equipment is made available by the BGP-VPN extensions. Each PE router must maintain a number of forwarding tables, each of which maps to a unique VPN class. When a packet is received from the CE equipment, the forwarding table that is mapped to that site is used to determine the routing for the data. Each VPN has its own unique forwarding table, known as a VRF (VPN Routing and Forwarding). If a PE device has multiple connections to the same site, a single VRF can be mapped to all of those connections. The BGP-VPN extensions for VRF support then allow BGP to send the specific route forwarding information to the PE router connected to the other end of the VPN. In this approach, route separation is maintained for each unique VPN customer. The BGP-VPN extensions allow route distribution policies to be configured for the proper distribution of VPN route information. PE routers can also auto-discover the other PE device attached to the same VPN. This eliminates the need to reconfigure both PE devices when reconfiguring or initially configuring the VPN.
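The per-VRF separation described above can be modeled in a few lines. This is an added example, not code from any router implementation: the `PERouter` class, interface names, VRF names, next-hop names and policy tags are all hypothetical, and the string tag is a simplified stand-in for the route distribution policy.

```python
import ipaddress

class PERouter:
    """Toy PE: one forwarding table (VRF) per VPN, chosen by ingress interface."""

    def __init__(self):
        self.vrfs = {}          # VRF name -> {"import": tags, "routes": [(net, next_hop)]}
        self.iface_to_vrf = {}  # CE-facing interface -> VRF name

    def add_vrf(self, name, import_tags):
        self.vrfs[name] = {"import": set(import_tags), "routes": []}

    def attach(self, iface, vrf):
        # Several interfaces to the same site may share one VRF.
        if vrf not in self.vrfs:
            raise KeyError(f"unknown VRF {vrf}")
        self.iface_to_vrf[iface] = vrf

    def receive_advertisement(self, prefix, next_hop, tag):
        """Install a route from a remote PE only into VRFs whose policy imports its tag."""
        installed = []
        for name, vrf in self.vrfs.items():
            if tag in vrf["import"]:
                vrf["routes"].append((ipaddress.ip_network(prefix), next_hop))
                installed.append(name)
        return installed

    def lookup(self, iface, dst):
        """Longest-prefix match in the VRF bound to the ingress interface only."""
        vrf = self.iface_to_vrf.get(iface)
        if vrf is None:
            return None  # interface not bound to any VPN: drop
        addr = ipaddress.ip_address(dst)
        hits = [(net, nh) for net, nh in self.vrfs[vrf]["routes"] if addr in net]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def demo():
    pe = PERouter()
    pe.add_vrf("cust-a", ["vpn-a"])
    pe.add_vrf("cust-b", ["vpn-b"])
    pe.attach("ge-0/0", "cust-a")
    pe.attach("ge-0/1", "cust-a")   # second link to the same site, same VRF
    pe.attach("ge-0/2", "cust-b")
    # Both customers use the same private prefix (constructed sample data).
    pe.receive_advertisement("10.1.0.0/16", "pe2", "vpn-a")
    pe.receive_advertisement("10.1.0.0/16", "pe3", "vpn-b")
    pe.receive_advertisement("10.1.5.0/24", "pe4", "vpn-a")
    return pe

if __name__ == "__main__":
    pe = demo()
    for iface in ("ge-0/0", "ge-0/1", "ge-0/2", "ge-9/9"):
        print(iface, "->", pe.lookup(iface, "10.1.5.9"))
```

The same destination address resolves to a different next hop depending on which customer interface the packet arrived on, and an interface with no VRF binding gets no forwarding decision at all.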
MPLS VPN supports integrated IP Class of Service (CoS). Network traffic is classified and labeled at the edge of the network before traffic is aggregated according to policies defined by subscribers and implemented by the provider and transported across the provider core. Traffic at the edge and core of the network can then be differentiated into different classes by drop probability or delay.
It provides the ability to address two fundamental VPN requirements:
- Predictable performance and policy implementation
- Support for multiple levels of service in an MPLS VPN

Layer 2/3 MPLS VPN based on BGP/MPLS
Related Terms: BGP/MPLS VPN, BGP, MPLS, Tunneling, Encryption, Encapsulation, MPLS VPN, IPsec VPN, SSL VPN
