How to Use Layer 3 VPN in Your Network

The Layer 3 Virtual Private Network (L3 VPN) extends a private data network using a public IP infrastructure as a conduit for connecting sites by means of Native MPLS, L3 tunneling or SPBV. L3 VPN uses internal multi-protocol BGP (MP-iBGP) to carry VPN routes and labels. Forwarding between VPN sites is done using Native MPLS, MPLS in IP tunneling, GRE encapsulation, or SPBV methods for both IPv4 and IPv6 VPN address families. Public infrastructure is defined as a single backbone core enterprise network connecting various businesses such as airport services or stores within a shopping mall.

VPN services are based upon the L3 VPN open standard RFC 4364, BGP/MPLS IP Virtual Private Networks (VPNs).

An L3 VPN can be established directly between VRFs across a campus LAN. This is referred to as the VRF-lite model. In this model no additional encapsulation is required. Scaling is limited in this model to 16 IGP protocol VRF instances and a total of 128 VRFs per router. A VLAN interface is assigned to a single VRF. Internet access and services can be either separate or shared using the global VRF router instance. In a VRF-lite model, every router in the routing domain must be VRF-aware, that is, configured with each endpoint VRF whose traffic passes through it. Core routers in the domain therefore quickly reach the maximum of 16 IGP protocol VRF instances. This limited scaling makes the VRF-lite model viable only for small enterprise networks.

The scaling issue inherent in the VRF-lite model can be overcome using L3 tunneling, Native MPLS, or SPBV between the global VRFs of Provider Edge (PE) routers at the edge of the enterprise core. The remainder of the discussion in this chapter relates to L3 VPNs using L3 tunnels, Native MPLS, or SPBV.
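The scaling difference between the two models can be shown on a small topology. The following is an added example (not part of the original chapter or any vendor implementation); it assumes a constructed tree of four PE routers and three core routers, 20 sample VRFs, and the 16 IGP VRF limit per router stated above. Under VRF-lite every router on the path between a VRF's sites must carry that VRF; under the PE-based model only the PE routers with an attached site do.

```python
from collections import deque

# Constructed topology (not from the document): PE1..PE4 at the edge,
# C1..C3 forming the core. Each pair is a bidirectional link.
LINKS = [("PE1", "C1"), ("PE2", "C1"), ("C1", "C2"), ("C2", "C3"),
         ("PE3", "C3"), ("PE4", "C3")]
# Constructed sample: 20 VRFs, odd ones with sites at PE1/PE3,
# even ones with sites at PE2/PE4.
VRF_SITES = {f"VRF{i}": ("PE1", "PE3") if i % 2 else ("PE2", "PE4")
             for i in range(1, 21)}

MAX_IGP_VRFS = 16   # VRF-lite per-router limit quoted in the chapter

def adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def shortest_path(adj, src, dst):
    """BFS; returns the ordered list of routers from src to dst."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]

def vrf_load(links, vrf_sites, vrf_lite):
    """Number of VRF instances each router must be configured with.
    vrf_lite=True: every transit router on the site-to-site path.
    vrf_lite=False: only the PE routers that have a site attached."""
    adj = adjacency(links)
    load = {router: set() for router in adj}
    for vrf, (a, b) in vrf_sites.items():
        routers = shortest_path(adj, a, b) if vrf_lite else [a, b]
        for router in routers:
            load[router].add(vrf)
    return {router: len(vrfs) for router, vrfs in load.items()}

def over_limit(load, limit=MAX_IGP_VRFS):
    """Routers whose VRF count exceeds the IGP VRF limit."""
    return sorted(router for router, n in load.items() if n > limit)
```

With this input the three core routers exceed the limit under VRF-lite (20 VRFs each), while in the PE-based model the core carries none and each PE carries 10.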