MPLS L3VPN Networking Schemes

In MPLS L3VPNs, VPN target attributes are used to control the advertisement and reception of VPN routes between sites. They work independently and can be configured with multiple values to support flexible VPN access control and implement multiple types of VPN networking schemes.

I. Basic VPN networking scheme

In the simplest case, all users in a VPN form a closed user group. They can forward traffic to each other but cannot communicate with any user outside the VPN.
For the basic VPN networking scheme, assign each VPN one VPN target that serves as both the export target attribute and the import target attribute of the VPN. This VPN target must not be used by any other VPN.


Network diagram for basic VPN networking scheme.


The VPN target for VPN 1 is 100:1 on the PEs, while that for VPN 2 is 200:1. The two VPN 1 sites can communicate with each other, and the two VPN 2 sites can communicate with each other. However, the VPN 1 sites cannot communicate with the VPN 2 sites.

II. Hub and spoke networking scheme

For a VPN where a central access control device is required and all users must communicate with each other through the access control device, the hub and spoke networking scheme can be used to implement the monitoring and filtering of user communications.
This networking scheme requires two VPN targets: one for the "hub" and the other for the "spoke".

The VPN target setting rules for VPN instances of all sites on PEs are as follows:

  • On spoke PEs (that is, the PEs connected with spoke sites), set the export target attribute to Spoke and the import target attribute to Hub.
  • On the hub PE (that is, the PE connected to the hub site), specify two interfaces or sub-interfaces, one for receiving routes from spoke PEs, and the other for advertising routes to spoke PEs. Set the import target attribute of the VPN instance for the former to Spoke, and the export target attribute of the VPN instance for the latter to Hub.

Network diagram for hub and spoke networking scheme.

The spoke sites communicate with each other through the hub site. The arrows in the figure indicate the advertising path of routes from Site 2 to Site 1:
  • The hub PE can receive all the VPN-IPv4 routes advertised by spoke PEs.
  • All spoke PEs can receive the VPN-IPv4 routes advertised by the hub PE.
  • The hub PE advertises the routes learnt from a spoke PE to the other spoke PEs. Thus, the spoke sites can communicate with each other through the hub site.
  • The import target attribute of any spoke PE is distinct from the export VPN targets of the other spoke PEs. Therefore, any two spoke PEs can neither directly advertise VPN-IPv4 routes to each other nor directly access each other.

III. Extranet networking scheme

The extranet networking scheme can be used when some resources in a VPN are to be accessed by users that are not in the VPN.
In this kind of networking scheme, if a VPN needs to access a shared site, the export target attribute and the import target attribute of the VPN must be contained respectively in the import target attribute and the export target attribute of the VPN instance of the shared site.


Network diagram for extranet networking scheme.


VPN 1 and VPN 2 can access Site 3 of VPN 1.

  • PE 3 can receive the VPN-IPv4 routes advertised by PE 1 and PE 2.
  • PE 1 and PE 2 can receive the VPN-IPv4 routes advertised by PE 3.
  • Based on the above, Site 1 and Site 3 of VPN 1 can communicate with each other, and Site 2 of VPN 2 and Site 3 of VPN 1 can communicate with each other.
  • PE 3 advertises neither the VPN-IPv4 routes received from PE 1 to PE 2, nor the VPN-IPv4 routes received from PE 2 to PE 1 (that is, routes learned from an IBGP neighbor will not be advertised to any other IBGP neighbor). Therefore, Site 1 of VPN 1 and Site 2 of VPN 2 cannot communicate with each other.
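
The import/export matching rule behind all three schemes can be audited mechanically. The following Python model is an added example, not part of the original page: it computes which VPN instances install each other's routes and reports any forbidden pair the VPN target policy would permit. The `Vrf` class, the helper functions and the instance names are hypothetical, the extranet target values are constructed, and only direct route installation is modeled (not the hub site's re-advertisement).

```python
from dataclasses import dataclass
from itertools import permutations

@dataclass(frozen=True)
class Vrf:
    """One VPN instance on a PE (names and most target values are constructed)."""
    name: str
    export: frozenset
    imports: frozenset

def vrf(name, export, imports):
    return Vrf(name, frozenset(export), frozenset(imports))

def accepts(receiver, sender):
    """A VPN-IPv4 route is installed when any export target of the sender
    matches any import target of the receiver."""
    return bool(sender.export & receiver.imports)

def route_flows(vrfs):
    """All (sender, receiver) name pairs where routes are installed directly."""
    return {(s.name, r.name) for s, r in permutations(vrfs, 2) if accepts(r, s)}

def can_talk(flows, a, b):
    """Two sites reach each other directly only if routes flow both ways."""
    return (a, b) in flows and (b, a) in flows

# Basic scheme: values from the text (VPN 1 = 100:1, VPN 2 = 200:1).
BASIC = [vrf("vpn1-site1", {"100:1"}, {"100:1"}), vrf("vpn1-site2", {"100:1"}, {"100:1"}),
         vrf("vpn2-site1", {"200:1"}, {"200:1"}), vrf("vpn2-site2", {"200:1"}, {"200:1"})]

# Hub and spoke: the hub PE has one instance importing Spoke and one exporting Hub.
HUB_SPOKE = [vrf("spoke1", {"Spoke"}, {"Hub"}), vrf("spoke2", {"Spoke"}, {"Hub"}),
             vrf("hub-in", set(), {"Spoke"}), vrf("hub-out", {"Hub"}, set())]

# Extranet: the shared site carries both VPNs' targets (constructed values).
EXTRANET = [vrf("site1-vpn1", {"100:1"}, {"100:1"}), vrf("site2-vpn2", {"200:1"}, {"200:1"}),
            vrf("site3-shared", {"100:1", "200:1"}, {"100:1", "200:1"})]

def leaks(vrfs, forbidden):
    """Return forbidden (sender, receiver) pairs that the RT policy permits."""
    return sorted(set(forbidden) & route_flows(vrfs))

if __name__ == "__main__":
    for label, vrfs in (("basic", BASIC), ("hub-spoke", HUB_SPOKE), ("extranet", EXTRANET)):
        print(label, sorted(route_flows(vrfs)))
```

Passing `leaks` the spoke-to-spoke pairs (or the cross-VPN pairs) after every VPN target change catches an import target that would let routes bypass the hub or cross between closed user groups.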
