I. Background
In an MPLS L3VPN network, a service provider generally runs an MPLS L3VPN backbone and provides VPN services through PEs. VPN users access the MPLS L3VPN network through CEs, which are connected to PEs so that VPN users at different sites can communicate with each other. In this scenario, the users are on ordinary IP networks and all VPN users at a site belong to the same VPN. In actual applications, however, VPN user networks can differ dramatically in form and complexity, and a VPN user network may need to use VPNs of its own to further group its users. The traditional solution is to implement the internal VPN configuration on the service provider's PEs. This solution is easy to deploy, but it increases the network operation cost and raises management and security issues because:
- The number of VPNs that PEs must support will increase sharply.
- Any modification of an internal VPN must be done through the service provider.
Network diagram for nested VPN
II. Propagation of routing information
In a nested VPN network, routing information is propagated as follows:
1) A provider PE and its CEs exchange VPNv4 routes, which carry information about the users' internal VPNs.
2) After receiving a VPNv4 route, the provider PE keeps the user's internal VPN information unchanged and appends the attributes of the user's MPLS VPN on the service provider network. It replaces the RD of the VPNv4 route with the RD of the service provider VPN where the user resides and adds the export target attribute of the service provider VPN to the extended community attribute list of the route. The user's internal VPN information is therefore preserved on the provider PE.
3) The provider PE advertises the VPN routes, which now carry the combined VPN information of both levels, to the other provider PEs.
4) When another provider PE receives the VPNv4 routes, it matches them against its local VPNs. Each local VPN accepts only its own routes and advertises them to its connected CEs. For a CE connected through IPv4, the PE advertises IPv4 routes; for a CE connected through VPNv4, the PE advertises VPNv4 routes because the CE is itself in an MPLS VPN.
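The four steps above can be followed in a small model. The Python below is an added example, not code from the original page or from any vendor's implementation: it represents a VPNv4 route by its RD, prefix, route-target list and next hop, applies the RD swap and export-target append of step 2, the import-target match of step 4, and then shows what an IPv4 CE and a VPNv4 CE each receive. The provider VPNs "CUSTOMER-A" and "CUSTOMER-B", the internal VPNs "HR" and "FINANCE", and all RD, RT and address values are constructed; the page does not say whether the provider VPN's own route targets are removed before a route is handed to a VPNv4 CE, so that stripping is an assumption and is marked as such in the code. The final check in the demo is the one a defender cares about: a route that carries only another customer's route target is never imported into CUSTOMER-A's provider VPN, and so never reaches its internal VPNs.

```python
"""Toy model of nested-VPN route propagation (constructed example, not vendor code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple, Union


@dataclass(frozen=True)
class VpnV4Route:
    rd: str                 # route distinguisher, e.g. "65000:100"
    prefix: str             # IPv4 prefix carried by the route
    rts: FrozenSet[str]     # route-target extended communities
    next_hop: str


@dataclass(frozen=True)
class VpnInstance:
    name: str
    rd: str
    import_rts: FrozenSet[str]
    export_rts: FrozenSet[str]


def provider_pe_receive(route: VpnV4Route, provider_vpn: VpnInstance) -> VpnV4Route:
    """Step 2: replace the RD with the provider VPN's RD and append its export RTs.

    The user's own RTs (the internal VPN information) stay on the route untouched,
    so the route now carries both levels of VPN membership.
    """
    return VpnV4Route(
        rd=provider_vpn.rd,
        prefix=route.prefix,
        rts=route.rts | provider_vpn.export_rts,
        next_hop=route.next_hop,
    )


def remote_pe_import(route: VpnV4Route, local_vpns: List[VpnInstance]) -> List[VpnInstance]:
    """Step 4 on the receiving PE: a local provider VPN accepts the route only if
    one of its import RTs appears in the route's RT list."""
    return [vpn for vpn in local_vpns if vpn.import_rts & route.rts]


def advertise_to_ce(route: VpnV4Route, provider_vpn: VpnInstance,
                    ce_speaks_vpnv4: bool) -> Union[VpnV4Route, Tuple[str, str]]:
    """Step 4 towards the CE: VPNv4 for a CE that is itself an MPLS VPN, plain IPv4 otherwise.

    Assumption (not stated on the page): the provider VPN's own RTs are stripped before
    the route is handed to a VPNv4 CE, so only the user's internal RTs remain visible.
    """
    if not ce_speaks_vpnv4:
        return (route.prefix, route.next_hop)
    return VpnV4Route(
        rd=route.rd,
        prefix=route.prefix,
        rts=route.rts - provider_vpn.export_rts,
        next_hop=route.next_hop,
    )


def ce_internal_import(route: VpnV4Route, internal_vpns: List[VpnInstance]) -> List[str]:
    """On a VPNv4 CE, the user's internal VPNs match on the RTs that survived nesting."""
    return sorted(vpn.name for vpn in internal_vpns if vpn.import_rts & route.rts)


def propagate(route: VpnV4Route, ingress_vpn: VpnInstance,
              remote_provider_vpns: List[VpnInstance],
              remote_internal_vpns: List[VpnInstance]) -> Dict[str, object]:
    """Run one route through steps 2 to 4 and report where it landed."""
    carried = provider_pe_receive(route, ingress_vpn)              # step 2
    accepted = remote_pe_import(carried, remote_provider_vpns)     # step 4, provider level
    result: Dict[str, object] = {
        "carried_rd": carried.rd,
        "carried_rts": sorted(carried.rts),
        "provider_vpns": [vpn.name for vpn in accepted],
        "internal_vpns": [],
        "ipv4_ce": None,
    }
    for vpn in accepted:
        to_vpnv4_ce = advertise_to_ce(carried, vpn, ce_speaks_vpnv4=True)
        result["internal_vpns"] = ce_internal_import(to_vpnv4_ce, remote_internal_vpns)
        result["ipv4_ce"] = advertise_to_ce(carried, vpn, ce_speaks_vpnv4=False)
    return result


# Constructed topology: provider VPNs CUSTOMER-A / CUSTOMER-B on the backbone,
# with CUSTOMER-A's internal VPNs HR / FINANCE nested inside it.
CUSTOMER_A = VpnInstance("CUSTOMER-A", "65000:100",
                         frozenset({"target:65000:100"}), frozenset({"target:65000:100"}))
CUSTOMER_B = VpnInstance("CUSTOMER-B", "65000:200",
                         frozenset({"target:65000:200"}), frozenset({"target:65000:200"}))
HR = VpnInstance("HR", "100:1", frozenset({"target:100:1"}), frozenset({"target:100:1"}))
FINANCE = VpnInstance("FINANCE", "100:2", frozenset({"target:100:2"}), frozenset({"target:100:2"}))

# Constructed VPNv4 route learned from the site-1 CE for HR's address space.
HR_ROUTE = VpnV4Route("100:1", "10.1.0.0/16", frozenset({"target:100:1"}), "192.0.2.1")


def demo() -> Dict[str, object]:
    return propagate(HR_ROUTE, CUSTOMER_A, [CUSTOMER_A, CUSTOMER_B], [HR, FINANCE])


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints the carried RD (the provider VPN's, not the user's), the combined RT list, the single provider VPN that accepted the route, and the single internal VPN that receives it at the far CE, which is exactly the two-level membership the text describes.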
III. Benefits
The nested VPN technology offers the following main benefits:
- Support for VPN aggregation. It can aggregate a user's internal VPNs into one VPN on the service provider's MPLS VPN network.
- Support for both symmetric networking and asymmetric networking. It allows sites of the same VPN to have different numbers of internal VPNs.
- Support for multiple levels of nesting.
IV. Multi-Role Host
The VPN attributes of the packets forwarded from a CE to a PE depend on the VPN instance bound to the inbound interface. Therefore, all CEs whose packets arrive on the same inbound interface of a PE must belong to the same VPN. In a real network, however, a CE may need to access multiple VPNs through a single physical interface. You can meet this requirement by configuring multiple logical interfaces, but that requires extra configuration and limits the application.
With the multi-role host feature, you can instead configure policy routing on the PE to allow packets from the CE to reach multiple VPNs.
To allow information from other VPNs to reach the CE from the PE, you must configure static routes on other VPNs that take the interface connected to the CE as the next hop.
Note:
All IP addresses associated with the PE must be unique for the multi-role host feature to work. In practice, you are advised to centralize the addresses of each VPN to improve forwarding efficiency.