MPLS L3VPN packet forwarding
In a basic MPLS L3VPN (within a single AS), a PE adds the following information into VPN packets:
Outer tag—Identifies the public tunnel from the local PE to the remote PE. The public tunnel can be an LSP or an MPLS TE tunnel. Based on the outer tag, a VPN packet can be forwarded along the public tunnel to the remote PE. For an LSP or MPLS TE tunnel, the outer tag is an MPLS label.
Inner label—Identifies the remote VPN site. The remote PE uses the inner label to forward packets to the target VPN site. MP-BGP advertises inner labels for VPN routes among PEs.
Figure 34: VPN packet forwarding
As shown in Figure 34, a VPN packet is forwarded from Site 1 to Site 2 by using the following process:
1. Site 1 sends an IP packet with the destination address 1.1.1.2. CE 1 transmits the packet to PE 1.
2. PE 1 finds the matching VPN route based on the inbound interface and destination address of the packet, labels the packet with both the inner label and the outer tag, and forwards the packet to the public tunnel.
3. P devices forward the packet to PE 2 based on the outer tag. If the outer tag is an MPLS label, the label is removed from the packet at the penultimate hop.
4. PE 2 finds the matching VPN route according to the inner label and destination address of the packet, and then forwards the packet out of the interface to CE 2.
5. CE 2 transmits the packet to the destination through IP forwarding.
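The forwarding process above can be traced at the byte level. The following Python sketch is an added example, not vendor code: it encodes the two-entry label stack in the RFC 3032 format (outer tag as an MPLS label on top, inner label at the bottom of the stack) and walks a packet through PE 1, a P device, the penultimate hop, and PE 2. The label values, the VPN instance name, the interface name, and all function names are constructed assumptions, and the PE 2 lookup is simplified to the inner label only.

```python
import struct

def encode(label, s, ttl=64):
    """Pack one MPLS label stack entry: label(20) | TC(3)=0 | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (s << 8) | ttl)

def decode_stack(pkt):
    """Return ([(label, s, ttl), ...], payload); parsing stops at the S bit."""
    entries, off = [], 0
    while True:
        if off + 4 > len(pkt):
            raise ValueError("truncated label stack")
        (w,) = struct.unpack_from("!I", pkt, off)
        off += 4
        entries.append((w >> 12, (w >> 8) & 1, w & 0xFF))
        if entries[-1][1]:
            return entries, pkt[off:]

# Constructed sample values (assumptions, not taken from the page).
INNER, OUTER_A, OUTER_B = 1024, 2001, 2002
PE2_VPN_LABELS = {INNER: ("vpn1", "to-CE2")}  # inner label -> (VPN, out interface)

def pe1_ingress(ip_packet):
    # PE 1 pushes the inner label (bottom of stack, S=1), then the outer label.
    return encode(OUTER_A, 0) + encode(INNER, 1) + ip_packet

def p_swap(pkt, new_label):
    # A P device swaps only the top (outer) label; the inner label is untouched.
    entries, payload = decode_stack(pkt)
    _, s, ttl = entries[0]
    rest = b"".join(encode(l, b, t) for l, b, t in entries[1:])
    return encode(new_label, s, ttl - 1) + rest + payload

def penultimate_pop(pkt):
    # The penultimate hop removes the outer label, leaving the inner label.
    entries, _ = decode_stack(pkt)
    if entries[0][1]:
        raise ValueError("no outer label to pop")
    return pkt[4:]

def pe2_egress(pkt):
    # PE 2 selects the VPN from the inner label; unknown labels are dropped.
    entries, payload = decode_stack(pkt)
    if len(entries) != 1 or entries[0][0] not in PE2_VPN_LABELS:
        raise LookupError("no VPN route for this label stack: drop")
    return PE2_VPN_LABELS[entries[0][0]] + (payload,)

def walk(ip_packet):
    return pe2_egress(penultimate_pop(p_swap(pe1_ingress(ip_packet), OUTER_B)))
```

Because PE 2 picks the VPN from the inner label alone in this model, the isolation between VPNs rests on the label bindings that MP-BGP distributes among PEs.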
When two sites of a VPN are connected to the same PE, the PE directly forwards packets between the two sites through the VPN routing table without adding any tag or label.