Traditional routers cannot completely separate different services. Currently, different services are separated through the VLAN function of a switch, but the routing function of a switch is relatively poor. Thus, to ensure secure isolation and improve the routing capability of LANs, both routers and switches are required, which is uneconomical for small networks.
To solve this problem, you can run multiple OSPF processes on one router and bind different processes to different VPN instances, which is similar to using OSPF multi-instance on PEs. After an OSPF instance is established for each service on the CE, it is as if each service uses a different virtual CE. In this way, different services are separated at low cost, and the security of each service is ensured.
OSPF multi-instance usually runs on the PE. The device running OSPF multi-instance within the LAN is called the Multi-VPN-Instance CE, namely, the MCE. Different from the OSPF multi-instance on the PE, the MCE does not need to support BGP/OSPF interaction.
The MCE mainly ensures the security of the LAN at low cost.
The implementation principle of the MCE is simple: different OSPF instances are run on one CE or PE. The key is to calculate routes directly, without loop detection.
In normal cases, if OSPF is running between a PE and a CE, the PE checks the DN of each received Summary LSA so that it does not learn from the CE an LSA that a PE originated, which may cause loops. On a non-PE device running OSPF VPN multi-instance, however, loop detection does not help the device calculate routes correctly.
As shown in Figure 1, PE2 uses OSPF multi-instance to advertise the OSPF Type3 LSA to the MCE, and the DN of this Type3 LSA is set. When receiving the LSA, the MCE finds that the DN is set and therefore ignores the LSA. In this case, the MCE does not have any reachable route to CE1.
If loop detection is disabled on the MCE, the Type3 LSA that PE2 advertises is used to calculate routes regardless of whether the DN is set. In this way, the MCE can correctly receive routes from CE1.
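
The following Python model of the DN check described above is an added example, not code from the original page or from any router implementation. It assumes the standard LSA layout (RFC 2328) with the DN flag as the high-order bit of the Options field (RFC 4576); the function names, the loop_detection switch, router ID 2.2.2.2 and the prefixes are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

DN_BIT = 0x80          # high-order bit of the LSA Options field (RFC 4576)
TYPE3_SUMMARY = 3      # network Summary LSA (RFC 2328)
HEADER = struct.Struct("!HBB4s4sIHH")   # 20-byte LSA header
BODY = struct.Struct("!4sI")            # network mask, then 8 zero bits + 24-bit metric

def build_type3(prefix, adv_router, metric, dn):
    """Construct a Type3 LSA for the demo (checksum left at 0, not validated)."""
    net = IPv4Network(prefix)
    options = 0x02 | (DN_BIT if dn else 0)   # E-bit plus optional DN
    header = HEADER.pack(1, options, TYPE3_SUMMARY, net.network_address.packed,
                         IPv4Address(adv_router).packed, 0x80000001, 0,
                         HEADER.size + BODY.size)
    return header + BODY.pack(net.netmask.packed, metric & 0xFFFFFF)

def parse_type3(raw):
    """Decode the fields the loop check needs; reject anything that is not Type3."""
    if len(raw) < HEADER.size + BODY.size:
        raise ValueError("truncated LSA")
    _age, options, ls_type, ls_id, adv, _seq, _ck, length = HEADER.unpack_from(raw)
    if ls_type != TYPE3_SUMMARY or length != HEADER.size + BODY.size:
        raise ValueError("not a Type3 Summary LSA")
    mask, metric = BODY.unpack_from(raw, HEADER.size)
    prefix = IPv4Network(f"{IPv4Address(ls_id)}/{IPv4Address(mask)}")
    return {"prefix": str(prefix), "adv_router": str(IPv4Address(adv)),
            "metric": metric & 0xFFFFFF, "dn": bool(options & DN_BIT)}

def compute_routes(lsas, loop_detection):
    """Return {prefix: metric} for the LSAs accepted into route calculation."""
    routes = {}
    for raw in lsas:
        lsa = parse_type3(raw)
        if loop_detection and lsa["dn"]:
            continue            # DN set and loop detection on: LSA is ignored
        best = routes.get(lsa["prefix"])
        if best is None or lsa["metric"] < best:
            routes[lsa["prefix"]] = lsa["metric"]
    return routes

# Constructed sample: PE2 (2.2.2.2) advertises CE1's network with DN set,
# plus one LSA without DN for comparison.
SAMPLE = [build_type3("10.1.1.0/24", "2.2.2.2", 10, dn=True),
          build_type3("10.2.2.0/24", "2.2.2.2", 5, dn=False)]
```

With loop_detection=True the route to 10.1.1.0/24 is missing, which is the MCE's situation before loop detection is disabled; with loop_detection=False both prefixes are installed.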