Operation Manual – MPLS
H3C S9500 Series Routing Switches
Chapter 3 BGP/MPLS VPN Configuration

VPNs. These disadvantages not only increase the network operating cost, but also bring relevant management and security issues.

The nested VPN is a better solution. Its main idea is to transfer VPNv4 routes between the PE and CE of a common BGP/MPLS VPN so that users themselves can manage their internal VPN division, and the service provider is saved from participating in users' internal VPN management.

The following figure shows the network model for nested VPN:

[Figure 3-2 Network model for nested BGP/MPLS VPN. Labels: provider PE, P, customer PE, CE1 to CE7, customer VPN, VPN1 to VPN3]

III. Basic concepts in BGP/MPLS VPN

1) VPN-instance

VPN-instance is an important concept in VPN routing in MPLS. In an MPLS VPN implementation, each site corresponds to a specific VPN-instance on the PE (their association is implemented by binding the VPN-instance to the VLAN interface). If subscribers on one site belong to multiple VPNs, then the corresponding VPN-instance includes information about all these VPNs.

Specifically, the following information should be included in a VPN-instance: label forwarding table, IP routing table, the interfaces bound with the VPN-instance, and the management information (RD, route filtering policy, member interface list, and so on). It includes the VPN membership and routing rules of this site.

The PE is responsible for updating and maintaining the relationship between VPN-instance and VPN. To avoid data leakage from the VPN and illegal data entering the VPN, each VPN-instance on the PE has an independent routing table and label forwarding table, in which the forwarding information of the message is saved
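
The VPN-instance isolation described above, modelled in Python as an added example (not taken from the H3C manual and not device configuration): the PE selects a routing table purely from the interface a packet arrives on, so two customers can reuse the same prefix without either reaching the other's routes. The instance names, RDs, interface names, prefixes and the one-instance-per-interface rule are constructed assumptions.

```python
import ipaddress

class VpnInstance:
    """One VPN-instance: RD, member interfaces and a private routing table."""
    def __init__(self, name, rd):
        self.name, self.rd = name, rd
        self.interfaces = set()
        self.routes = {}  # ip_network -> next hop, visible to this instance only

    def add_route(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst):
        """Longest-prefix match against this instance's table only."""
        addr = ipaddress.ip_address(dst)
        hits = [net for net in self.routes if addr in net]
        if not hits:
            return None
        return self.routes[max(hits, key=lambda net: net.prefixlen)]

class ProviderEdge:
    def __init__(self):
        self.instances = {}
        self.binding = {}  # interface name -> VpnInstance

    def create_instance(self, name, rd):
        self.instances[name] = VpnInstance(name, rd)
        return self.instances[name]

    def bind(self, interface, name):
        # Modelling assumption: an interface belongs to exactly one instance.
        if interface in self.binding:
            raise ValueError(f"{interface} is already bound")
        self.binding[interface] = self.instances[name]
        self.instances[name].interfaces.add(interface)

    def forward(self, in_interface, dst):
        """Pick the table from the ingress interface; never fall through to another."""
        inst = self.binding.get(in_interface)
        return inst.lookup(dst) if inst else None

def build_demo_pe():
    # Constructed sample data: two customers reuse 10.1.1.0/24.
    pe = ProviderEdge()
    pe.create_instance("vpn1", "100:1").add_route("10.1.1.0/24", "CE1")
    pe.instances["vpn1"].add_route("10.2.0.0/16", "CE1")
    pe.create_instance("vpn2", "100:2").add_route("10.1.1.0/24", "CE2")
    pe.bind("Vlan-interface10", "vpn1")
    pe.bind("Vlan-interface20", "vpn2")
    return pe
```

A destination that exists only in vpn1's table returns no route when the packet enters on vpn2's interface, which is the leakage boundary the manual describes.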