Cisco IGX 8400 Series Provisioning Guide, Release 9.3.3 and Later Releases
OL-1166-04
Chapter 10 Cisco IGX 8400 Series IP Service
IP Service—Functional Overview
Additional security is assured because all traffic is forwarded using LSPs, which define a specific path
through the network that cannot be altered. This label-based paradigm is the same property that assures
privacy in Frame Relay and ATM connections.

Figure 10-13 VPN with Service Provider Backbone

The provider, not the customer, associates a specific VPN with each interface when the VPN is
provisioned. Within the provider network, RDs are associated with every packet, so VPNs cannot be
penetrated by attempting to “spoof” a flow or packet. Users can participate in an intranet or extranet only
if they reside on the correct physical port and have the proper RD. This setup makes Cisco
MPLS-enabled VPNs difficult to enter, and provides the same security levels users are accustomed to in
a Frame Relay, leased-line, or ATM service.
VPN-IP forwarding tables contain labels that correspond to VPN-IP addresses. These labels route traffic
to each site in a VPN (see Figure 10-14).
Because labels are used instead of IP addresses, customers can keep their private addressing schemes,
within the corporate Internet, without requiring Network Address Translation (NAT) to pass traffic
through the provider network. Traffic is separated between VPNs using a logically distinct forwarding
table for each VPN. Based on the incoming interface, the switch selects a specific forwarding table,
which only lists valid destinations in the VPN, as specified by BGP. To create extranets, a provider
explicitly configures reachability between VPNs. NAT configurations may be required.
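
The following is an added example, not part of the original Cisco guide or of any Cisco software. It is a small Python model of the lookup described above: the incoming port selects a per-VPN forwarding table, and a destination is reachable only if that table lists it. The port names, RD values, prefixes, and labels are constructed for illustration.

```python
import ipaddress

# Constructed sample data: port names, RDs, prefixes and labels are assumptions.
# The provider binds each physical port to one VPN at provisioning time.
PORT_TO_VPN = {"port-1": "VPN_A", "port-2": "VPN_B"}
VPN_RD = {"VPN_A": "100:1", "VPN_B": "100:2"}

# One logically distinct forwarding table per VPN: (RD, prefix) -> label.
# Both VPNs use 10.1.0.0/16; the RD keeps the VPN-IP addresses distinct.
TABLES = {
    "VPN_A": {("100:1", "10.1.0.0/16"): 17, ("100:1", "10.2.0.0/16"): 18},
    "VPN_B": {("100:2", "10.1.0.0/16"): 33, ("100:2", "10.3.0.0/16"): 34},
}


def forward(in_port, dst_ip):
    """Return (vpn_ip_prefix, label) for a packet, or None if it is dropped."""
    vpn = PORT_TO_VPN.get(in_port)
    if vpn is None:
        return None  # port was never provisioned into a VPN
    addr = ipaddress.ip_address(dst_ip)
    best = None
    # Longest-prefix match, restricted to the table chosen by the port.
    for (rd, prefix), label in TABLES[vpn].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, f"{rd}:{prefix}", label)
    return None if best is None else (best[1], best[2])


def configure_extranet(importing_vpn, exporting_vpn, prefix):
    """Provider explicitly makes one prefix of exporting_vpn reachable."""
    key = (VPN_RD[exporting_vpn], prefix)
    TABLES[importing_vpn][key] = TABLES[exporting_vpn][key]


if __name__ == "__main__":
    print(forward("port-1", "10.1.5.5"))   # VPN A's copy of 10.1.0.0/16
    print(forward("port-2", "10.1.5.5"))   # VPN B's copy of the same prefix
    print(forward("port-1", "10.3.0.9"))   # not in VPN A's table: dropped
    configure_extranet("VPN_A", "VPN_B", "10.3.0.0/16")
    print(forward("port-1", "10.3.0.9"))   # reachable after explicit config
```

The same destination address resolves to a different label depending only on the arrival port, and the extranet entry is one-way until the provider configures the reverse direction.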

[Figure diagram labels: service provider network with Edge LSR (PE) devices and BGP; CE devices connecting Sites 1 to 4 of VPN A and VPN B.]