L3 VPN, VRFs, VRF-Lite, Shadow Routers, and Route Targets

In a Multi-Protocol Label Switching (MPLS) network, Provider Edge (PE) routers communicate with each other by using label-switched paths. Each PE router maintains a Virtual Routing and Forwarding (VRF) table to forward traffic towards the correct Customer Edge (CE) router or onto the correct Label Switched Path (LSP). An L3 VPN is formed by a set of VRFs. A VRF can communicate with other VRFs on the network based on the Route Targets (RTs). All the VRFs that can communicate with each other form an L3 VPN.

A Route Target (RT) identifies which routes a VRF imports and exports, which in turn helps in routing traffic. Every VPN route is associated with one or more RTs that are exported to or imported from other VRFs.

A VRF-Lite router is a CE that acts as a traffic classifier by defining multiple VRFs. With VRF-Lite, multiple customers, or different departments within the same organization, can share one CE, but only one physical link exists between the CE and the PE. The shared CE maintains separate VRF tables for each VPN. VRF-Lite extends limited PE functionality to a CE device by giving the CE the ability to maintain separate VRF tables.

A shadow router is a low-end router that offloads router testing work from the PE router. Like VRF-Lite, shadow routers extend PE functionality by giving limited workload capabilities to the shadow router connected to the PE.

VRFs Grouping for an L3 VPN

Each VRF includes a list of import and export route targets that determine its connections with other VRFs on the network. The NNM iSPI for MPLS reads the route targets from the import and export lists to identify groups of VRF neighbors. A VRF exports its route targets to one or more VRFs in the L3 VPN. Similarly, another VRF imports route targets from other VRFs in the L3 VPN. The import/export relationship creates the logical VRF-VRF neighbor adjacency relationship.

The VRFs that can be linked directly or indirectly by their neighbor relationships are in the same VPN. With this approach, the NNM iSPI for MPLS correctly discovers simple network topologies that are fully meshed as well as complex network topologies such as hub and spoke VPN.

You can opt to ignore the Route Targets by using the MPLS Configuration workspace. This results in regrouping of VRFs to form an L3 VPN in the next discovery cycle. In addition, the status of the L3 VPN is recomputed based on participating VRFs.

L3 VPN Topology 

The L3 VPN topology covers different types of VPNs on the network. The NNM iSPI for MPLS shows the following types of L3 VPN topologies:

  • Full-Mesh - A full-mesh VPN is formed if all participating VRFs communicate with each other. This is achieved by each VRF exporting its route targets, which are in turn imported by all the other VRFs in the same L3 VPN.
  • Isolated - An isolated VPN has a single VRF participating to form an L3 VPN. In other words, the Route Target (RT) exported by this VRF is not imported by any other VRF, nor does this VRF import any RTs from other VRFs participating to form the L3 VPN.
  • Hub and Spoke - A hub and spoke VPN is a star-shaped topology where the Hub VRF is in the center. In a Hub and Spoke VPN, the spoke VRFs can communicate directly only with the Hub VRF.
  • Other - Any VPN that does not match the types mentioned above is shown as 'Other'. For example, a hybrid topology.
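
The grouping and topology rules described above, as an added example (not code from the NNM iSPI for MPLS). It groups VRFs into L3 VPNs as connected components of the import/export neighbor graph and labels each group. The VRF names, RT values, the `ignore` parameter and the classification checks are assumptions derived from the definitions on this page. The sample also shows one shared RT merging otherwise separate VPNs, which is worth reviewing when auditing VPN separation.

```python
from itertools import combinations, permutations

# Constructed sample: VRF -> (import RTs, export RTs). Names and RT values are invented.
VRFS = {
    "hub":    ({"65000:2", "65000:900"}, {"65000:1"}),
    "spoke1": ({"65000:1"}, {"65000:2"}),
    "spoke2": ({"65000:1"}, {"65000:2"}),
    "red1":   ({"65000:10"}, {"65000:10", "65000:900"}),  # also exports the shared RT
    "red2":   ({"65000:10"}, {"65000:10"}),
    "lab":    ({"65000:99"}, {"65000:99"}),
}

def sends(vrfs, a, b, ignore=frozenset()):
    """True if an RT exported by VRF a is imported by VRF b (ignored RTs excluded)."""
    return bool((vrfs[a][1] & vrfs[b][0]) - set(ignore))

def adjacent(vrfs, a, b, ignore=frozenset()):
    """Neighbor adjacency: an import/export relationship in either direction."""
    return sends(vrfs, a, b, ignore) or sends(vrfs, b, a, ignore)

def group_vpns(vrfs, ignore=frozenset()):
    """VRFs linked directly or indirectly by adjacency form one L3 VPN."""
    unseen, groups = set(vrfs), []
    while unseen:
        stack, group = [unseen.pop()], set()
        while stack:
            v = stack.pop()
            group.add(v)
            nxt = {u for u in unseen if adjacent(vrfs, v, u, ignore)}
            unseen -= nxt
            stack.extend(nxt)
        groups.append(frozenset(group))
    return groups

def classify(vrfs, group, ignore=frozenset()):
    if len(group) == 1:
        return "Isolated"
    if all(sends(vrfs, a, b, ignore) for a, b in permutations(group, 2)):
        return "Full-Mesh"
    for hub in group:  # star shape: every spoke touches the hub, no spoke touches a spoke
        spokes = group - {hub}
        if (all(adjacent(vrfs, hub, s, ignore) for s in spokes) and
                not any(adjacent(vrfs, a, b, ignore) for a, b in combinations(spokes, 2))):
            return "Hub and Spoke"
    return "Other"

def report(vrfs, ignore=frozenset()):
    """Map each discovered VRF group (sorted tuple of names) to its topology type."""
    return {tuple(sorted(g)): classify(vrfs, g, ignore) for g in group_vpns(vrfs, ignore)}
```

Calling `report(VRFS)` and then `report(VRFS, ignore={"65000:900"})` shows the regrouping: the shared RT joins the hub-and-spoke and full-mesh groups into a single 'Other' VPN until it is ignored.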

L3 VPN Naming

The NNM iSPI for MPLS uses an internal system naming convention to provide the L3 VPN names.

The VRF grouping relationships result in the system-generated L3 VPN names. The NNM iSPI for MPLS assigns an L3 VPN name to each discovered VRF group according to specific rules.

 

You can use the MPLS views to update the system-generated L3 VPN name.

VPWS VPN and VPLS VPN

The L2 VPN topology includes the VPLS VPNs and VPWS VPNs on the network.

The VPLS VPNs are associated within one L2 VPN if the VPN ID is the same for all the PseudoWire VCs participating to form a VPLS VPN.

The VPWS VPNs are associated within one VPN if the VC_id is the same for all the PseudoWire VCs participating to form a VPWS VPN. To configure the VPWS VPNs, use the MPLS Configuration workspace.

L2 VPN Renaming

The iSPI for MPLS assigns a meaningful VPLS VPN name to each discovered VPLS by appending the unique VPN ID to the VPLS name. For example, VPLS_VPN ID.

To configure the VPWS, type the VPWS name in the MPLS Configuration workspace. If a PseudoWire VC is not participating to form a VPLS or a VPWS, it appears under the Default Group.