Using MPLS VPN
technology, service providers can create scalable and efficient private
networks using a shared hybrid fiber coaxial (HFC) network and Internet
protocol (IP) infrastructure.
The cable MPLS VPN
network consists of:
- The Multiple Service
Operator (MSO) or cable company that owns the physical infrastructure and
builds VPNs for the Internet Service Providers (ISPs) to move traffic over the
cable and IP backbone.
- ISPs that use the HFC
network and IP infrastructure to supply Internet service to cable customers.
Each ISP moves
traffic to and from a subscriber's PC, through the MSO's physical network
infrastructure, to the ISP's network. MPLS VPNs, created in Layer 3, provide
privacy and security by constraining the distribution of a VPN’s routes only to
the routers that belong to its network. Thus, each ISP's VPN is insulated from
other ISPs that use the same MSO infrastructure.
An MPLS VPN assigns
a unique VPN Routing/Forwarding (VRF) instance to each VPN. A VRF instance
consists of an IP routing table, a derived forwarding table, a set of
interfaces that use the forwarding table, and a set of rules and routing
protocols that determine the contents of the forwarding table.
Each PE router
maintains one or more VRF tables. It looks up a packet’s IP destination address
in the appropriate VRF table, only if the packet arrived directly through an
interface associated with that table.
MPLS VPNs use a
combination of BGP and IP address resolution to ensure security. See
Multiprotocol Label Switching.
The table shows a
cable MPLS VPN network. The routers in the network are:
- Provider (P)
router—Routers in the core of the provider network. P routers run MPLS
switching, and do not attach VPN labels (MPLS label in each route assigned by
the PE router) to routed packets. VPN labels are used to direct data packets to
the correct egress router.
- Provider Edge (PE) router—
Router that adds the VPN label to incoming packets based on the interface or
subinterface on which they are received. A PE router attaches directly to a CE
router. In the MPLS-VPN approach, each Cisco CMTS router acts as a PE router.
- Customer (C) router—Router
in the ISP or enterprise network.
- Customer Edge (CE)
router—Edge router on the ISP’s network that connects to the PE router on the
MSO’s network. A CE router must interface with a PE router.
The MPLS network
has a unique VPN that exclusively manages the MSOs devices called the
management VPN. It contains servers and devices that other VPNs can access. The
management VPN connects the Cisco CMTS router to a PE router, which connects to
management servers such as Cisco Network Registrar (CNR) and Time of Day (ToD)
servers. A PE router connects to management servers and is a part of the
management VPN. Regardless of the ISP they belong to, the management servers
serve the Dynamic Host Configuration Protocol (DHCP), DNS (Domain Name System),
and TOD requests coming from PCs or cable modems.
Figure 1. MPLS VPN Network
MPLS VPNs, you must configure the first subinterface created as a part of the
configuration involves an:
- MSO domain that requires a
direct peering link to each enterprise network (ISP), provisioning servers for
residential and commercial subscribers, and dynamic DNS for commercial users.
The MSO manages cable interface IP addressing, Data-over-Cable Service
Interface Specifications (DOCSIS) provisioning, CM hostnames, routing
modifications, privilege levels, and usernames and passwords.
- ISP or enterprise domain
that includes the DHCP server for subscriber or telecommuter host devices,
enterprise gateway within the MSO address space, and static routes back to the
that the MSO assign all addresses to the end user devices and gateway
interfaces. The MSO can also use split management to let the ISP configure
tunnels and security.
In an MPLS VPN
configuration, the MSO must configure the following:
- P routers
- PE routers
- CE routers
- One VPN per ISP
DOCSIS servers for all cable modem customers. The MSO must attach DOCSIS
servers to the management VPN, and make them visible.
The MSO must
configure the Cisco CMTS routers that serve the ISP, and remote PE routers
connecting to the ISP, as PE routers in the VPN.
The MSO must
determine the primary IP address range for all cable modems.
The ISP must
determine the secondary IP address range for subscriber PCs.
To reduce security
breaches and differentiate DHCP requests from cable modems in VPNs or under
specific ISP management, MSOs can use the
command in Cisco IOS software. The MSO can specify the host IP
address to be accessible only in the ISP’s VPN. This lets the ISP use its DHCP
server to allocate IP addresses. Cable modem IP address must be accessible from
the management VPN.
The MPLS VPN
approach of creating VPNs for individual ISPs or customers requires
subinterfaces to be configured on the virtual bundle interface. Each ISP
requires one subinterface. The subinterfaces are tied to the VPN
Routing/Forwarding (VRF) tables for their respective ISPs. The first
subinterface must be created on the cable interface bound to the management
To route a reply
from the CNR back to the cable modem, the PE router that connects to the CNR
must import the routes of the ISP VPN into the management VPN. Similarly, to
forward management requests (such as DHCP renewal to CNR) to the cable modems,
the ISP VPN must export and import the appropriate management VPN routes.
You can group all
of the cable interfaces on a Cisco CMTS router into a single bundle so that
only one subnet is required for each router. When you group cable interfaces,
no separate IP subnet or each individual cable interface is required. This
grouping avoids the performance, memory, and security problems in using a
bridging solution to manage subnets, especially for a large number of
traffic to be differentiated on a single physical interface, and assigned to
multiple VPNs. You can configure multiple subinterfaces, and associate an MPLS
VPN with each subinterface. You can split a single physical interface (the
cable plant) into multiple subinterfaces, where each subinterface is associated
with a specific VPN. Each ISP requires access on a physical interface and is
given its own subinterface. Create a management subinterface to support cable
modem initialization from an ISP.
subinterface associated with a specific VPN (and therefore, ISP) subscribers
connect to a logical subinterface, which reflects the ISP that provides their
subscribed services. When properly configured, subscriber traffic enters the
appropriate subinterface and VPN.