Problem solve Get help with specific problems with your technologies, process and projects.

L3 VPNs - Building the mesh

A review of the technical aspects of how VPN-IPv4 route attributes can be used to build full and partial mesh VPN topologies.

The previous tech tip provided an overview of multi-protocol BGP and how it is used to establish Layer 3 (L3) VPNs. This tip will review the technical aspects of how VPN-IPv4 route attributes can be used to build full and partial mesh VPN topologies.

As we discussed in the last article multiprotocol BGP is used to carry VPN-IPv4 routes between the PE routers that sit at the edge of the MPLS cloud. VPN-IPv4 routes are normal IP routes with a route distinguisher RD appended to them. The route distinguisher contains no information regarding the origin of the route, nor does it indicate the set of VPNs the routes are distributed to. It does allow for customers to have overlapping address space. Each customer is a member of a VPN whose routing information is contained in a virtual routing field (VRF) on the PE router.

The control and distribution of the VPN-IPv4 routes between the PE routers and ultimately the CE routers can be used to create full and partial mesh topologies. When a VPN-IPv4 route is created in the PE router it is assigned to a VRF. The VRF and the VPN-IPv4 route are then associated with one or more "route target" attributes. Route targets are used to decide which routes to import or add to the VRF and which routes to export or send from the VRF. Each route is put into a VRF based on the interface it was received on. The PE will tag the VPN routes with one or more route targets when it is exported from the VRF. Once tagged and exported it can be offered to other VRF. In addition route targets can be associated with the VRF itself. Any routes that share the route target assigned to the VRF can be installed in the VRF.

The PE router attaches a route target attribute called "export target" to the routes learned from the customer. Routes learned from other PEs are assigned a route target attribute called "import target".

So let's say for example that you want a full mesh VPN. Every VRF that is a part of that VPN will have their import and export targets set as the same value. If you have 3 sites on a VPN and the import and export targets are set to "one", we will call this VPN one. Every PE will assign export targets of "one" to the incoming routes from the customer. The VRFs are all assigned the route target of one and the PEs will receive "import targets" of one. All routes are installed in all the VRFs that are assigned a one.

To form a partial mesh you only need to modify what routes you import and export to the appropriate VRFs. Say for example that you want to build a VPN that has one hub site and 4 spoke sites. The hub sites will import all routes from the spokes and export its directly connected routes to the spokes. The spoke sites will export all their routes, however the spoke sites will only import routes from the hub into the VRF. This allows the route propagation to be controlled from the hub site. This is useful when the spokes have routes that do not need to be advertised to other spoke sites. This is especially useful when you have extranet sites that you only want a subset of the members of the VPN to have access to. The next tip will discuss layer 2 MPLS VPNs and how they are different from Layer 3 MPLS VPNs.

Robbie Harrell (CCIE#3873) is the National Practice Lead for Advanced Infrastructure Solutions for SBC Communications. He has over 10 years of experience providing strategic, business, and technical consulting services to clients. Robbie resides in Atlanta, and is a graduate of Clemson University. His background includes positions as a Principal Architect at International Network Services, Lucent, Frontway and Callisma.

This was last published in May 2004

Dig Deeper on WAN optimization and performance

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.