used for a number of VPNs. As described above,
a PE router maintains a forwarding table per
VPN it takes part in. If a packet arrives contain-
ing an IP destination address not matching an
entry in the forwarding table, the packet could
be forwarded on the “public Internet” if external
access is allowed for that VPN (implying that
the “public Internet” forwarding table is exam-
ined). To keep VPNs isolated only packets/
labels belonging to a given VPN must be
accepted and forwarded according to that VPN’s
rules.
A two-level MPLS label stack is used in the
backbone, see Figure 21. When a PE receives a
packet from a CE it selects the appropriate for-
warding table to use (based on knowledge of the
VPN in question). If the packet is to be forward-
ed to another router in the backbone, a label is
attached according to the BGP Next Hop infor-
mation (commonly to reach the PE on the egress
side as part of that VPN). This label can be
called the “bottom label”. Then the PE looks
into the “ordinary” IGP routing and finds the
IGP next hop as well as the label to assign to
reach that node. This can be referred to as the
“top label”. In case the IGP and BGP next hops
are the same a single label may suffice. BGP can
then be used between the PE routers taking care
of routing related to each of the VPNs, while
IGP is used between the backbone routers as
before.
The packet is then carried through the backbone
where a P router looks at the labels to find the
next hop and label to be used as explained for
MPLS in [Jens01]. At the egress PE the labels
are removed (even the bottom label), as the CE
will only see an ordinary IP packet.
The two-level labelling allows all P routers to be
unaware of the VPNs, thus supporting simplicity
and scalability for those routers.
BGP-MPLS VPNs can also be applied to pro-
vide the VPN service to customers having IPv6
as outlined in [ID_BVIPv6]. Then MPLS is used
to forward packets and BGP is enhanced for dis-
tribution of VPN routers.
7.2.3 Dialling up to VPNs
A dialling up feature allows a user to connect to
a VPN through an ad hoc tunnel, e.g. running in
PSTN/ISDN. Hence the user might get the
impression to be directly connected to that VPN
(although the bit rate may well be a bit lower).
Accessing by use of a public network, user
authentication is naturally a main requirement.
This is a common solution for home-office
accessing a LAN at the office buildings. Then
a Point-to-Point Protocol (PPP) connection is
often used between the user and the Network
Access Server (NAS). In the NAS the user is
authenticated, e.g. using the Radius protocol.
However, the authentication may also be done
by the corporate network side. Two examples
are depicted in Figure 22.7.3 WWW
The World Wide Web (WWW) can be seen as
a framework for accessing linked documents
stored on various servers. Its steadily growing
popularity may stem from the fact that easy to
use interfaces (browser programs) are available
and that a huge amount of information is stored
also including colourful illustrations. WWW
is basically a client – server system where the
client requests information from the server. A
document is commonly called a page, where
each page may contain links to other pages,
possibly located at other servers. By using a
browser, links at the page can be clicked on
which then results in downloading the requestedFigure 21 Illustration of
two-level labelCE
devicePE
routerP
routerP
routerP
routerPE
routerCE
deviceIP-packetbottom
labeltop
labelFigure 22 Examples of dial up
configurations: compulsory
configuration (upper) and
optional configurations
(lower)terminalLevel 2 tunnelNAS GWPSTN/ISDN
dial upIP network Corporate networkLAC LNSPPP sessionGW = Gateway
LAC = Level 2 tunnel Access Concentrator
LNS = Level 2 tunnel Network Server
NAS = Network Access ServiceterminalLevel 2 tunnel with PPP sessionNAS GWPSTN/ISDN
dial upIP network Corporate networkLAC LNSor IPsec tunnelLAC