Connecting CE Devices to an MPLS VPN
The MPLS VPN solution provides better services than the traditional IP VPN solution. Therefore, MPLS VPN technology is the preferred VPN technology. However, since the Internet is IP based, a large number of backbone networks still use IP technology.
In the MPLS VPN solution, a customer edge (CE) device must have a direct physical link to a provider edge (PE) device on the MPLS backbone network to connect to the VPN. That is, the CE and PE devices must be on the same network. In this case, you must associate the VPN instance with the PE device's physical interface connected to the CE device.
CE and PE devices may not be directly connected by physical links. For example, the CE devices of multiple organizations that are connected to the Internet or an IP-based backbone network may be far away from the PE devices on the MPLS backbone network; therefore, they cannot be connected directly. These organizations cannot directly connect to the internal sites of the MPLS VPN through the Internet or the IP backbone network.
To connect a CE device to an MPLS VPN backbone network, create a logical direct connection between the CE and PE devices. You can connect the CE and PE devices using a public or private network, and create a GRE tunnel between the two. Then, the CE and PE devices can communicate as if they were directly connected, and the GRE tunnel can be associated with the VPN as a physical interface.
A GRE tunnel can be set up in the following ways to connect CE devices to an MPLS VPN network:
Over a public network
The GRE tunnel is associated with a VPN instance. However, the source address and destination address of the GRE tunnel are public IP addresses and do not belong to the VPN instance.
Over a VPN
The GRE tunnel is associated with a VPN instance (such as VPN1), while the source interface of the GRE tunnel is bound to another VPN instance (such as VPN2). The GRE tunnel traverses VPN2.
Over a private network
The GRE tunnel is associated with a VPN instance. The source interface (or the source address) and the destination address of the GRE tunnel belong to this VPN instance.
GRE Tunnel over a Public Network
In this example, the CE and PE devices must have one interface using a public IP address. The CE and PE devices must have a route to each other in their public network routing tables.
GRE Tunnel over a VPN
GRE tunnel over a VPN differs from a GRE tunnel over a public network in that the CE device is connected to the PE device across a VPN but not a public network. In the example shown in Figure 3, both the outbound interface of the private data from the CE device and the PE device belong to VPN2.
PE1 and PE2 are the edge devices of the first carrier on the MPLS backbone network. VPN2 is a VPN of a second carrier network. CE1 and CE2 are customer devices.
To deploy a VPN (VPN1 in this example) based on the MPLS network, you can set up a GRE tunnel between PE1 and CE1 across VPN2. CE1 and PE1 then are directly connected through the GRE tunnel.
GRE Tunnel over a Private Network
In this example, the source address and the destination address of the GRE tunnel belong to the private network. However, a tunnel on a private network serves no purpose; therefore, this networking is not recommended. As shown in Figure 4, R1 can be used as a CE device so no GRE tunnel is required.
