Network Sales and Services Handbook (Cisco Press Networking Technology)
A VPN emulates a private wide area network (WAN) over a public network, namely the Internet. In offering VPN services to customers, a network service provider must solve two issues: keeping each customer's traffic separate from everyone else's, and carrying the non-unique, private IP address space that customers use inside their VPNs. MPLS addresses both because it makes forwarding decisions based on labels rather than destination IP addresses. Note that the "privacy" an MPLS VPN provides is traffic separation, not confidentiality: customer packets cross the provider backbone in cleartext unless a cryptographic mechanism such as IPsec is layered on top.
NOTE
RFC 2547 (www.ietf.org/rfc/rfc2547.txt?number=2547) provides the following definition of a VPN, an intranet, and an extranet: "If all the sites in a VPN are owned by the same enterprise, the VPN is a corporate 'intranet.' If the various sites in a VPN are owned by different enterprises, the VPN is an 'extranet.' A site can be in more than one VPN; e.g., in an intranet and several extranets. We regard both intranets and extranets as VPNs. In general, when we use the term VPN we will not be distinguishing between intranets and extranets."
VPNs are constructed using four fundamental building blocks:

Firewalls: Protect each user/customer site and provide a secure interface to the Internet.

Authentication: Verifies that each customer site exchanges data only with validated remote sites.

Encryption: Protects data from examination or manipulation as it is transported.

Tunneling: Encapsulation provides multiprotocol transport services and enables the use of private IP address space within the VPN.
NOTE
Because IP addresses must be unique within a single routing domain, overlapping address space prevents communication between networks and their associated devices. Two customers that each use the same private (RFC 1918) block, for example 10.1.0.0/24, cannot both be carried in one shared routing table unless something keeps their routes distinct.
MPLS enables network service providers to offer VPN services by providing a VPN tunneling mechanism across the network backbone, as illustrated in Figure 21-5.
Figure 21-5. MPLS VPN Tunnels
The following process describes how network service providers (NSPs) build and maintain MPLS-based VPNs:
A network service provider deploys a VPN by provisioning a set of LSPs that provide connectivity among the VPN's sites.
Each VPN site advertises, or announces, to the network service provider a set of network prefixes for which the local site is responsible.
The network service provider's routing protocol(s) distribute this information either by piggybacking labels in routing protocol updates (RFC 2547 uses multiprotocol BGP for the customer routes) or by using the Label Distribution Protocol (LDP) for the backbone LSPs.
VPN identifiers (in RFC 2547 terminology, route distinguishers prepended to each customer prefix) enable a single routing system to support multiple VPNs whose internal address spaces overlap with each other.
Each ingress LSR places traffic into LSPs based on the packet's destination address together with the VPN membership of the interface on which the packet arrived, and pushes the labels that identify both the path across the backbone and the destination VPN.
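The following added example (not code from the book or from any vendor implementation) models the procedure above and the overlapping-address-space note in a few dozen lines of Python: two customer VPNs announce the same 10.1.0.0/24 prefix, a route distinguisher keeps the two routes distinct in the provider's table, and the ingress LSR forwards on (VRF, destination) and pushes a two-label stack, an outer LSP label toward the egress PE and an inner VPN label advertised with the route. The VRF names, route distinguishers, PE names and label values are constructed for illustration.

```python
"""
Toy model of an RFC 2547-style MPLS VPN ingress PE (provider edge) router.

Constructed example: customers "blue" and "red" both use 10.1.0.0/24
internally. A route distinguisher (RD) per VRF turns each customer prefix
into a unique VPN-IPv4 route, and forwarding is keyed on the VRF of the
ingress interface plus the destination address, never on the raw IP
address alone. All names, RDs and label numbers are hypothetical.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnRoute:
    rd: str                          # route distinguisher, e.g. "65000:1"
    prefix: ipaddress.IPv4Network    # customer prefix announced by a site
    egress_pe: str                   # PE that fronts the destination site
    vpn_label: int                   # inner label advertised with the route

    @property
    def vpn_ipv4(self) -> str:
        # VPN-IPv4 address: RD prepended to the IPv4 prefix. Identical
        # customer prefixes become distinct routes in the provider table.
        return f"{self.rd}:{self.prefix}"


@dataclass
class Vrf:
    name: str
    rd: str
    routes: list = field(default_factory=list)


class IngressPE:
    def __init__(self):
        self.vrfs = {}          # VRF name -> Vrf (one per attached VPN)
        self.lsp_labels = {}    # egress PE -> outer label of the LSP to it

    def add_vrf(self, name, rd):
        self.vrfs[name] = Vrf(name, rd)

    def provision_lsp(self, egress_pe, lsp_label):
        # Step 1: an LSP across the backbone toward each egress PE.
        self.lsp_labels[egress_pe] = lsp_label

    def learn_route(self, vrf_name, prefix, egress_pe, vpn_label):
        # Steps 2-4: a site's prefix, tagged with the VRF's RD, arrives
        # together with the VPN label the egress PE chose for it.
        vrf = self.vrfs[vrf_name]
        vrf.routes.append(
            VpnRoute(vrf.rd, ipaddress.ip_network(prefix), egress_pe, vpn_label))

    def forward(self, vrf_name, dst):
        """Step 5: return (egress_pe, [outer_label, inner_label]) or None.

        The lookup is scoped to the VRF of the ingress interface, so the
        same destination address resolves differently per customer. The
        payload is left untouched: labels separate traffic, they do not
        encrypt it.
        """
        vrf = self.vrfs[vrf_name]
        addr = ipaddress.ip_address(dst)
        matches = [r for r in vrf.routes if addr in r.prefix]
        if not matches:
            return None
        best = max(matches, key=lambda r: r.prefix.prefixlen)  # longest match
        return best.egress_pe, [self.lsp_labels[best.egress_pe], best.vpn_label]


def vpn_ipv4_table(pe):
    """All VPN-IPv4 routes the PE holds, proving overlapping prefixes stay distinct."""
    return sorted(r.vpn_ipv4 for v in pe.vrfs.values() for r in v.routes)


def build_demo():
    pe = IngressPE()
    pe.provision_lsp("PE2", 1001)
    pe.provision_lsp("PE3", 1002)
    pe.add_vrf("blue", "65000:1")
    pe.add_vrf("red", "65000:2")
    pe.learn_route("blue", "10.1.0.0/24", "PE2", 24)   # blue site behind PE2
    pe.learn_route("red", "10.1.0.0/24", "PE3", 37)    # red site behind PE3
    pe.learn_route("red", "10.1.0.0/25", "PE2", 38)    # more-specific red route
    return pe


if __name__ == "__main__":
    pe = build_demo()
    for line in vpn_ipv4_table(pe):
        print(line)
    print("blue 10.1.0.5  ->", pe.forward("blue", "10.1.0.5"))
    print("red  10.1.0.5  ->", pe.forward("red", "10.1.0.5"))
    print("red  10.1.0.200->", pe.forward("red", "10.1.0.200"))
    print("blue 192.0.2.1 ->", pe.forward("blue", "192.0.2.1"))
```

Running it shows the same destination, 10.1.0.5, leaving the ingress PE with different label stacks depending on which customer's interface it arrived on, and a destination with no route in the VRF being dropped rather than leaking into another customer's VPN.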