231MPLS L3VPN packet forwardingFor basic MPLS L3VPN applications in a single AS, VPN packets are forwarded with the following layersof labels:• Layer 1 labels—Outer labels, used for label switching inside the backbone. They indicate LSPs fromthe local PEs to the remote PEs. Based on Layer 1 labels, VPN packets can be label switched alongthe LSPs to the remote PEs.• Layer 2 labels—Inner labels, used for forwarding packets from the remote PEs to the CEs. An innerlabel indicates to which site, or more precisely, to which CE the packet should be sent. A PE findsthe interface for forwarding a packet according to the inner label.If two sites (CEs) belong to the same VPN and are connected to the same PE, each CE only needs to knowhow to reach the other CE.Figure 60 VPN packet forwardingA VPN packet is forwarded in the following procedure:1. Site 1 sends an IP packet with the destination address of 1.1.1.2. CE 1 transmits the packet to PE1.2. PE 1 searches VPN instance entries based on the inbound interface and destination address of thepacket. Once finding a matching entry, PE 1 labels the packet with both inner and outer labels andforwards the packet out.3. The MPLS backbone transmits the packet to PE 2 by outer label. The outer label is removed fromthe packet at the penultimate hop.4. PE 2 searches VPN instance entries according to the inner label and destination address of thepacket to determine the outbound interface and then forwards the packet out the interface to CE 2.5. CE 2 transmits the packet to the destination by IP forwarding.MPLS L3VPN networking schemesIn MPLS L3VPNs, route target attributes are used to control the advertisement and reception of VPNroutes between sites. They work independently and can be configured with multiple values to supportflexible VPN access control and implement multiple types of VPN networking schemes.Basic VPN networking schemeIn the simplest case, all users in a VPN form a closed user group. They can forward traffic to each otherbut cannot communicate with any user outside the VPN.CE 1Site 1PE 1P PPE 2CE 2 Site 22.1.1.1/24 1.1.1.2/241.1.1.21.1.1.2Layer2Layer11.1.1.2Layer21.1.1.2
