
MPLS VPN Topologies

Simple VPN with Optimal Intra-VPN Routing


Review Questions
Answer the following questions

What are the basic requirements for simple VPN service?


Any site can talk to any other site and optimal routing is provided across
the backbone.

What are the routing requirements for simple VPN service?


The use of traditional routing protocols, such as static routing, RIPv2,
OSPF or BGP, to advertise customer networks between the PE-routers
and the CE-routers.

Which PE-CE routing protocol would you use for simple VPN service?
RIP version 2.

How many VRFs per PE-router do you need to implement simple VPN
service?
One for all sites in the simple VPN.

How do you integrate RIP running between PE and CE with MP-BGP running
in the MPLS VPN backbone?
RIPv2 routes from the CE site are redistributed into MP-BGP, transported
across the backbone and redistributed back into the PE-CE routing protocol
(RIPv2).

When would you use static routing between PE and CE routers?


For single-connection sites with one IP prefix.

When would you be able to use default routing from PE toward CE?
Usually, when the CE router has a single connection to the MPLS
VPN backbone (stub sites).

When would you use OSPF between PE and CE routers?


For large VPN customers where the customer insists on using OSPF for
migration or intra-site routing purposes.

What are the drawbacks of offering OSPF as the PE-CE routing protocol to
your customers?
The number of VRFs that can support OSPF on a single PE-router is
limited by the overall process number (32).


Copyright 2000, Cisco Systems, Inc.

Using BGP as the PE-CE Routing Protocol


Review Questions
Answer the following questions

When would you use BGP as the PE-CE routing protocol?


When a site has more than one connection into the MPLS backbone.
When a customer has a large number of sites (approximately more than 100).
If the customer is also an ISP with its own AS number.

When would you use the same AS number for several sites?
If there is a large number of sites and there are not enough private AS
numbers available.
If the customer is an ISP with its own AS number.

When would you use a different AS number for every site?


If VPNs do not overlap and do not have more than 1024 sites.

Which BGP features would you use to support the customers that use the
same AS number at multiple sites?
"AllowAS-in" for multihomed sites using a hub-and-spoke topology.
"AS-override" to be able to propagate routes from one site to another
site.


Release Date: August 2000


Overlapping Virtual Private Networks


Review Questions
Answer the following questions

What are the typical usages for overlapping Virtual Private Networks?
Separating an enterprise network into VPNs, which have access only to
the central VPN.
Interconnecting two or more enterprise networks by using an extranet
VPN.

What are the connectivity requirements for overlapping VPNs?


An additional VPN for overlapping sites.

What is the expected data flow within overlapping VPNs?


Routing for data flow between any pair of sites (if permitted) is still
optimal.
Data flow between two sites is permitted if they are part of the same
VPN.

How many VRFs do you need to implement three partially overlapping VPNs?
How many route distinguishers? How many route targets?
One VRF per set of sites with the same VPN membership per PE
router; one RD per VRF (three); at least two route targets.

How would you select a routing protocol to use in an overlapping VPN
solution?
Overlapping VPN topology does not influence the design criteria for
selecting the IGP.


Central Services VPN Solutions


Review Questions
Answer the following questions

What are the typical usages for central services VPN topology?
Extranets interconnecting enterprise networks by using central (proxy)
servers.
Intranet with separated departments having access to the central servers.

What is the connectivity model for central services VPN topology?


All clients have access to the central VPN but not to each other.

How do you implement central services VPN topology?


A separate VRF for each client (ClientVPN) and one VRF per PE
router connecting a server site (CentralVPN).
One RT for CentralVPN->ClientVPN route propagation and another RT
for all ClientVPN->CentralVPN.

How many route targets do you need for a central services VPN solution with
two server sites and 50 client sites? How many route distinguishers?
52 route targets and 51 route distinguishers.

How do you combine central services VPN topology with simple VPN
topology?
We need one VRF per VPN for sites that have access to other sites in
the customer VPN, but no access to the Central Services VPN, one
VRF per VPN for sites that have access to Central Services VPN, and
one VRF for the Central Services VPN.


Hub-and-Spoke VPN Solutions


Review Questions
Answer the following questions

When would you deploy hub-and-spoke VPN topology?


When the customer wants all packets to flow through the central site.

What is the main difference between central services VPN topology and
hub-and-spoke VPN topology?
Central services VPN does not forward packets between client sites.

What is the main difference between simple VPN topology and hub-and-spoke
VPN topology?
A simple VPN has optimal routing between sites.

Describe the routing information flow in hub-and-spoke topology.


Spoke sites can only exchange routing information through the hub site.
Spoke routes are imported into hub VRF on the PE router.
Spoke routes are announced to the hub site and announced over a
different hub router and PE-CE interface to PE.
Spoke routes from hub site are imported into spoke VRF on the
hub site.
Spoke routes are announced to other spokes and imported into
spoke VRFs.

Describe the packet forwarding in hub-and-spoke topology.


The traffic exchanged between individual spoke sites flows through the
central hub site.

How many PE-CE links do you need at the spoke sites?


One.

How many PE-CE links do you need at the hub sites?


Two.

Do you need two CE routers at the hub site?


No.

Do you need two PE routers to connect the hub site?


No.

Which routing protocol would you use between the P-network and the hub
site?
BGP.


Which BGP features are necessary to support BGP as the routing protocol at
the hub site?
Allowas-in on the eBGP session at the PE router connecting the hub site;
only standard features at the hub CE routers.

Which BGP features are necessary to support BGP as the routing protocol at
the spoke site if all sites use the same AS number?
As-override feature on all eBGP sessions between PE and CE spoke
routers (also applies to the hub site); only standard features at the spoke
CE routers.


Managed CE-Router Service


Review Questions
Answer the following questions

When would you need managed CE router service?


When the service provider manages CE routers and needs access to all
of them from a single point.

How do you implement managed CE router service?


The Central Services model is used, except that only loopback addresses are
imported into the CS-VPN.

What's the main difference between managed CE router service and usual
central services VPN topology?
Export maps are used to tag loopback addresses to be imported into the
Management VPN.
