H3C S9500 Series Operation Manual page 4

Routing switches mpls l3vpn

Operation Manual – MPLS L3VPN
H3C S9500 Series Routing Switches
operations when required by a user to adjust the relation between the user's internal
VPNs. These disadvantages not only increase network operating costs, but also
introduce related management and security issues.
The nested VPN is a better solution. Its main idea is to transfer VPNv4 routes between
the PE and CE of a common MPLS L3VPN, so that users can manage their own
internal VPN division and the service provider is saved from participating in
users' internal VPN management.
The following figure shows the network model for nested VPN:
Figure 1-2 Network model for nested MPLS L3VPN
III. Basic concepts in MPLS L3VPN
1) VPN-instance
The VPN-instance is an important concept in MPLS VPN routing. In an MPLS VPN
implementation, each site corresponds to a specific VPN-instance on the PE (the
association is implemented by binding the VPN-instance to the VLAN interface). If
subscribers on one site belong to multiple VPNs, the corresponding VPN-instance
includes information about all of these VPNs.
Specifically, a VPN-instance includes the following information: the label forwarding
table, the IP routing table, the interfaces bound to the VPN-instance, and the management
information (RD, route filtering policy, member interface list, and so on). Together, this
information describes the VPN membership and routing rules of the site.
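A simplified model of the VPN-instance described above, added here as an illustration (it is not code from the H3C manual or the switch software). It shows how binding interfaces to per-site routing tables keeps two customers with the same address space apart; the label forwarding table and route filtering policy are left out, and all class names, interface names, RD values and routes are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class VpnInstance:
    """Per-site state held on the PE (label forwarding table omitted)."""
    name: str
    rd: str  # route distinguisher, e.g. "100:1" (constructed value)
    interfaces: set = field(default_factory=set)  # bound VLAN interfaces
    routes: dict = field(default_factory=dict)    # private table: prefix -> next hop

    def add_route(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst):
        """Longest-prefix match restricted to this instance's own table."""
        addr = ipaddress.ip_address(dst)
        hits = [net for net in self.routes if addr in net]
        return self.routes[max(hits, key=lambda n: n.prefixlen)] if hits else None

    def vpnv4_routes(self):  # RD + IPv4 prefix keeps overlapping prefixes distinct
        return {f"{self.rd}:{net}" for net in self.routes}

class PE:
    def __init__(self):
        self.instances = {}  # instance name -> VpnInstance
        self.binding = {}    # interface name -> instance name

    def add_instance(self, inst):
        for ifname in inst.interfaces:
            if ifname in self.binding:  # assumption: one instance per interface
                raise ValueError(f"{ifname} already bound to {self.binding[ifname]}")
        self.instances[inst.name] = inst
        self.binding.update({ifname: inst.name for ifname in inst.interfaces})

    def forward(self, in_if, dst):
        """Only the ingress interface selects the table; no fallback to others."""
        name = self.binding.get(in_if)
        return self.instances[name].lookup(dst) if name else None

def build_demo():  # constructed sample: two customers that both use 10.1.0.0/16
    pe = PE()
    vpn1 = VpnInstance("vpn1", "100:1", {"Vlan-interface10"})
    vpn2 = VpnInstance("vpn2", "100:2", {"Vlan-interface20"})
    vpn1.add_route("10.1.0.0/16", "CE1")
    vpn1.add_route("10.1.5.0/24", "CE2")
    vpn2.add_route("10.1.0.0/16", "CE3")
    pe.add_instance(vpn1)
    pe.add_instance(vpn2)
    return pe
```

In this model, a packet arriving on an interface with no binding resolves to nothing rather than being looked up in another site's table, and the same destination address yields different next hops depending on the ingress interface.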
The PE is responsible for updating and maintaining the relationship between VPN-instances
and VPNs. To avoid data leakage from the VPN and illegal data entering into the VPN,
Chapter 1 MPLS L3VPN Configuration
