A network is an interconnection of two or more computer systems. For example, one type of network is a home network, which may include two or more personal computers that can exchange data with each other and with the Internet. Different types of networks exist throughout society. For example, a large organization often has data centers, servers, and various personal computer systems that exchange information between users and provide processing power to individual users.
Each large organization may have one or more locations. The locations may be interconnected using, for example, a virtual private network (VPN). A VPN is a secure tunnel over a shared network (e.g., the Internet) into a private network.
One method for implementing a VPN is to use a multi-protocol label switching (MPLS) network (an MPLS/VPN network). In an MPLS/VPN network, customer edges, which belong to the organization for which the VPN is provided, exchange frames within the VPN. Typically, a customer edge is aware only of its own VPN. To transfer frames, each customer edge is connected to a Virtual Routing and Forwarding (VRF) instance on a provider edge router. The provider edge routers attach and remove labels as required to route the frame across the provider network.
Typically, a frame is transferred with an inner label and an outer label. The inner label identifies a VRF instance (or a route within that instance) on the egress provider edge router. It is allocated by that egress router, advertised to the other provider edge routers, and imposed on the frame by the ingress provider edge router. The ingress provider edge router is the router at which the frame enters the MPLS/VPN network; the egress provider edge router is the last MPLS router the frame traverses before leaving the MPLS network. Thus, the ingress provider edge router holds the VRF instance connected to the customer edge that sends the frame, and the egress provider edge router holds the VRF instance connected to the customer edge that receives it. The inner label does not change as the frame traverses the MPLS/VPN network.
In contrast, the outer label tells each MPLS router along the path (a provider router or a provider edge router) which MPLS router should receive the frame next. The outer label is swapped at each hop through the MPLS network, and it may be popped at the penultimate hop so that the egress provider edge router receives the frame carrying only the inner label.
To keep the VPNs separated, MPLS/VPN requires each provider edge router to maintain a separate VRF instance for each VPN that uses that router. The VRF instance determines which inner label to add to a frame based on the frame's destination. Because VRF instances are established on a per-VPN basis, the inner label carried by a frame identifies that VPN's VRF instance on the egress provider edge router and is unique to that VPN on that router; the same label value may, however, be reused for a different VPN on another provider edge router, since a label is meaningful only to the router that allocated it. Once the proper label is identified using the VRF instance, the label is attached to the frame and the frame is forwarded as described above. This separation isolates routing and forwarding state between VPNs; it does not by itself encrypt the frames as they cross the provider network.
In certain cases, two customer edges in different VPNs need to communicate. Such communication is permitted by configuring the VRF instance of each customer edge to accept routes from, and advertise routes to, the other VRF instance (in BGP/MPLS VPNs, by importing a route target that the other VRF instance exports). When communication is allowed between two VRF instances, whether or not they belong to the same VPN, a logical communication channel is considered to exist between them. The collection of logical communication channels forms a network topology.
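The label stack, the per-VRF separation and the VRF-to-VRF topology described above can be made concrete with a small simulation. The following Python is an added example written for this page, not code from the original text. The router names, label values, route targets and prefixes are constructed, and route-target import/export is assumed as the mechanism by which two VRF instances are allowed to exchange routes, as in BGP/MPLS VPNs. The example shows an inner label that stays constant while the outer label is swapped and then popped at the penultimate hop, the same inner label value reused on two different provider edge routers, a frame from one VPN that finds no route to another VPN's prefix, and an extranet pair that forms a logical channel.

```python
"""Toy model of BGP/MPLS VPN forwarding in the style of RFC 4364: inner (VPN)
labels allocated per VRF by the egress PE, outer (transport) labels swapped hop
by hop and popped at the penultimate hop, and the VRF-to-VRF topology implied by
route-target import/export. Every name, label and prefix here is constructed."""
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class Vrf:
    pe: str                    # provider edge router hosting this VRF instance
    name: str                  # one VRF instance per VPN per PE
    export_rt: frozenset       # route targets attached to routes this VRF advertises
    import_rt: frozenset       # route targets whose routes this VRF accepts
    local: dict = field(default_factory=dict)  # prefix -> attached customer edge


def allocate_inner_labels(vrfs, base=100):
    """Each egress PE hands out one inner label per VRF it hosts (per-VRF
    allocation). Labels are unique per PE only: PE1 and PE2 may both use 101."""
    labels, next_label = {}, {}
    for v in vrfs:
        next_label[v.pe] = next_label.get(v.pe, base) + 1
        labels[(v.pe, v.name)] = next_label[v.pe]
    return labels


def build_vrf_tables(vrfs, inner_labels):
    """VRF a learns b's prefixes only if a imports a route target that b exports.
    Returns {(pe, vrf): {prefix: (egress_pe, inner_label)}}; local routes carry None."""
    tables = {}
    for a in vrfs:
        table = {p: (a.pe, None) for p in a.local}
        for b in vrfs:
            if a is not b and a.import_rt & b.export_rt:
                for p in b.local:
                    table[p] = (b.pe, inner_labels[(b.pe, b.name)])
        tables[(a.pe, a.name)] = table
    return tables


def logical_channels(vrfs):
    """VRF pairs that import each other's exports. Their union is the network
    topology; a same-VPN pair and an extranet pair look alike at this level."""
    return {tuple(sorted([(a.pe, a.name), (b.pe, b.name)]))
            for a, b in combinations(vrfs, 2)
            if a.import_rt & b.export_rt and b.import_rt & a.export_rt}


def forward(dst, ingress, tables, inner_labels, lfib, paths):
    """Carry one frame from VRF `ingress` = (pe, name) toward prefix `dst`.
    Returns (trace, egress_vrf), trace being (router, label_stack) per hop,
    or None when the ingress VRF holds no route (the VPNs stay isolated)."""
    route = tables[ingress].get(dst)
    if route is None:
        return None
    egress_pe, inner = route
    if inner is None:                                # destination hangs off this same PE
        return [(egress_pe, [])], ingress
    ingress_pe = ingress[0]
    stack = [lfib[ingress_pe][("push", egress_pe)], inner]   # [outer, inner]
    trace = [(ingress_pe, list(stack))]
    for router in paths[(ingress_pe, egress_pe)][1:-1]:       # provider (P) routers
        out = lfib[router][stack[0]]
        if out is None:
            stack.pop(0)                             # penultimate-hop popping
        else:
            stack[0] = out                           # swap outer; inner untouched
        trace.append((router, list(stack)))
    # Egress PE: the inner label alone selects the VRF that delivers the frame.
    egress_vrf = next(k for k, lbl in inner_labels.items()
                      if k[0] == egress_pe and lbl == stack[-1])
    trace.append((egress_pe, list(stack)))
    return trace, egress_vrf


# Constructed topology: PE1 - P1 - P2 - PE2, two VPNs, and an extranet route
# target "X" shared only by VPN-A on PE1 and VPN-B on PE2.
VRFS = [
    Vrf("PE1", "VPN-A", frozenset({"A", "X"}), frozenset({"A", "X"}), {"10.1.0.0/16": "CE-A1"}),
    Vrf("PE1", "VPN-B", frozenset({"B"}), frozenset({"B"}), {"10.2.0.0/16": "CE-B1"}),
    Vrf("PE2", "VPN-A", frozenset({"A"}), frozenset({"A"}), {"10.3.0.0/16": "CE-A2"}),
    Vrf("PE2", "VPN-B", frozenset({"B", "X"}), frozenset({"B", "X"}), {"10.4.0.0/16": "CE-B2"}),
]
INNER_LABELS = allocate_inner_labels(VRFS)
TABLES = build_vrf_tables(VRFS, INNER_LABELS)
PATHS = {("PE1", "PE2"): ["PE1", "P1", "P2", "PE2"]}
# Transport LSP PE1 -> PE2: PE1 pushes 3001, P1 swaps 3001 -> 3002, P2 pops (PHP).
LFIB = {"PE1": {("push", "PE2"): 3001}, "P1": {3001: 3002}, "P2": {3002: None}}


def send(dst, ingress):
    return forward(dst, ingress, TABLES, INNER_LABELS, LFIB, PATHS)


if __name__ == "__main__":
    for ingress, dst in [(("PE1", "VPN-A"), "10.3.0.0/16"),   # same VPN
                         (("PE1", "VPN-A"), "10.4.0.0/16"),   # extranet via RT "X"
                         (("PE1", "VPN-B"), "10.3.0.0/16")]:  # no shared RT: no route
        print(ingress, "->", dst, send(dst, ingress))
    print(sorted(logical_channels(VRFS)))
```

Running the script prints the per-hop label stacks for the same-VPN and extranet frames and None for the frame whose VRF holds no route to the other VPN; the final line lists the three logical channels, one of which joins VPN-A on PE1 to VPN-B on PE2. The model deliberately keeps the inner label as an opaque per-PE value so that the reader can see why a label is meaningful only to the egress router that allocated it.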