Having looked at the “big picture” when it comes to MPLS, we now need to focus our attention on what happens when a data packet traverses an MPLS cloud.
As you can see, this time we have three customers, A, B and C. Customers A and B each have three sites, and Customer C has two sites. Let’s imagine that Customer A wants to send a data packet from the A2 site to the A3 site.
The unlabeled data packet leaves CE-A2 and arrives at PE2 (the ingress PE), which looks the packet up in the Customer A VRF. The VRF tells PE2 that to get the packet to CE-A3, it should forward it towards PE4. The question is, “To which router should PE2 forward the packet, P1 or P2?” Let’s assume that the provider is running OSPF as its IGP, and that the OSPF cost of all links within the provider’s cloud is the same. In this case, the best (lowest-cost) path from PE2 to PE4 is via P2, so PE2 pushes a label onto the packet, and then forwards the packet to P2.
When the labeled packet reaches P2, a label swap is performed, and the packet is forwarded to P4. When the packet reaches P4, another swap is performed, and the packet is forwarded to PE4. So far, so good … we’ve gotten the data packet to the far side (egress) PE.
Upon receipt of the packet, PE4 pops the label, and then says to itself “Now, to which customer does this data packet belong … A or C?” To be a little more precise, the question is, “In which VRF should PE4 do the packet lookup, VRF A or VRF C?” Since PE4 doesn’t know, it will drop the packet. Big problem!
It appears that we need some mechanism by which the ingress PE can tell the egress PE which VRF to use for a particular data packet. Well, believe it or not, there is such a mechanism, and it’s called “MP-BGP” (Multi-Protocol BGP). Basically, the way it works is that when PE4 (the egress PE) advertises a prefix (IP route) it learned from CE-A3 over to PE2 (the ingress PE), the MP-BGP update includes a label along with the prefix. Now, when PE2 wants a data packet to be looked up in PE4’s VRF A, it simply includes that label with the data packet, so that PE4 knows what to do.
But wait, didn’t PE2 already push a label onto the data packet? Yes, so when forwarding a data packet into the MPLS cloud, what PE2 has to do is push two labels: an LSP label that is used by the P routers to get the packet to the egress PE, and a VPN label that is used by the egress PE to determine which VRF is applicable.
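The two-label stack described above, traced from PE2 to PE4 as an added example (not code from the original article). The label numbers, table names and function names are constructed for illustration; the 32-bit entry layout (20-bit label, 3-bit TC, bottom-of-stack bit, 8-bit TTL) is the standard MPLS encoding.

```python
import struct

def encode_entry(label, bottom, tc=0, ttl=64):
    """Pack one 32-bit MPLS stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    if not 0 <= label < 2**20:
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)

def decode_stack(frame):
    """Return ([(label, tc, s, ttl), ...], payload), reading entries until S=1."""
    entries, off = [], 0
    while True:
        if off + 4 > len(frame):
            raise ValueError("truncated stack: no bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", frame, off)
        off += 4
        entries.append((word >> 12, (word >> 9) & 7, (word >> 8) & 1, word & 0xFF))
        if entries[-1][2]:
            return entries, frame[off:]

# Constructed label values: LSP labels are per hop, VPN labels come from PE4 via MP-BGP.
LSP_PE2_TO_P2, LSP_P2_TO_P4, LSP_P4_TO_PE4 = 200, 300, 400
VPN_LABEL_A, VPN_LABEL_C = 1001, 1003
PE4_VPN_TABLE = {VPN_LABEL_A: "VRF A", VPN_LABEL_C: "VRF C"}

def ingress_push(payload, lsp_label, vpn_label):
    """PE2: VPN label goes on the bottom (S=1), LSP label on top (S=0)."""
    return encode_entry(lsp_label, False) + encode_entry(vpn_label, True) + payload

def p_swap(frame, swap_table):
    """P router: swap only the top label and decrement its TTL; the rest is opaque."""
    entries, _ = decode_stack(frame)
    label, tc, s, ttl = entries[0]
    return encode_entry(swap_table[label], bool(s), tc, ttl - 1) + frame[4:]

def egress_select_vrf(frame, vpn_table):
    """PE4: pop the LSP label, then map the VPN label to a VRF (None means drop)."""
    entries, payload = decode_stack(frame)
    if len(entries) != 2:
        return None, payload
    return vpn_table.get(entries[1][0]), payload

def walk(payload, vpn_label):
    """Carry one packet along PE2 -> P2 -> P4 -> PE4 and return (vrf, payload)."""
    frame = ingress_push(payload, LSP_PE2_TO_P2, vpn_label)
    frame = p_swap(frame, {LSP_PE2_TO_P2: LSP_P2_TO_P4})   # at P2
    frame = p_swap(frame, {LSP_P2_TO_P4: LSP_P4_TO_PE4})   # at P4
    return egress_select_vrf(frame, PE4_VPN_TABLE)
```

A VPN label that PE4 never advertised maps to no VRF, so the packet is dropped rather than looked up in another customer's table.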
Next time, we’ll take a closer look at how this dual-label business works.