Can someone explain how MPLS works?

VRF is something that runs on top of MPLS, just like VLL and VPLS.

It allows for a more robust and variable network, at a much more expensive cost.

Wouldn’t the cost actually be cheaper, since you’re basically segmenting the same equipment instead of buying multiple pieces of equipment?

Thank you for your explanation though!

Thank you very much for this explanation! This is exactly what I’m looking for.

Edit: grammar

Assuming the carrier network is set up like the one I work on, the internals are transparent to the CEs (other than the fact that if you trace route between the CEs, their adjacent PEs look to be directly connected).

As such if you want encryption between your CEs, spin up your encrypted tunnel of choice.

There are a lot of advantages, but let’s look at each option an enterprise has when trying to make a private network between branches:

  • Direct/dedicated connections

An enterprise may purchase unlit fiber or similar dedicated service. This gives dedicated bandwidth, direct routing but also the highest cost.

  • MPLS

Purchasing MPLS gives the enterprise the direct routing while keeping cost somewhat lower than having a direct leased line. Higher speed may be available, as well as negotiable service levels as per what the SP provides. The circuits can be purchased with a minimum uptime percentage (in the 99.something per cent level).

  • IPSec VPN

The enterprise may run their own VPN on top of an internet service. This may provide greater bandwidth but at the cost of any guarantees of service or reliability. As the connection runs over public internet, direct routing between branches is not available, making critical services such as VoIP very unreliable. The tunnel is kept entirely by software. Software that has a tendency to fail once in a while.

In conclusion, I’d say that MPLS connections are the most effective way of connecting offices together in a private network, as guarantees in bandwidth and reliability are available.

Mostly it is due to having a smaller lookup table. Which means you can get away with a smaller TCAM, which leads to a smaller heat load, which leads to greater port density / throughput / cheaper.

As I understand it (and I really don’t), MPLS labels are exact-match whereas IP routing is longest-prefix. Even though modern routers don’t have much trouble with it, IPv4 is still harder than MPLS and IPv6 is awkward due to the sheer number of bits that need checking.

For a router to route (normal destination-based routing), it has to pick out the destination IPv4 address in the packet. It’s at a standard offset – simple for an ASIC to do. Now have that same router support IPv6 as well. Now it has to classify the packet and look at the particular offset, depending on the packet.

Now take that same IPv4 packet and slap on the 32-bit MPLS label. The router looks at offset 0. Stack on a second label – still offset 0. Encapsulate an IPv6 packet, and it’s still at offset 0.

Make sense? That’s how I think about it (not being an EE and never having designed router hardware)
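As an added illustration of the two posts above (not code from the thread or from any router implementation): a Python sketch that reads the 32-bit label stack entry at offset 0, swaps it with one exact-match lookup regardless of whether IPv4 or IPv6 is encapsulated, and contrasts that with longest-prefix matching. The table contents, next-hop names and stand-in inner headers are constructed for the example.

```python
import ipaddress
import struct

def entry(label, tc=0, s=0, ttl=64):
    """Pack one 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)

def parse_stack(payload):
    """Read entries from offset 0 until the bottom-of-stack bit; return (entries, inner)."""
    entries, off = [], 0
    while True:
        if off + 4 > len(payload):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", payload, off)
        entries.append({"label": word >> 12, "tc": (word >> 9) & 7, "ttl": word & 0xFF})
        off += 4
        if (word >> 8) & 1:          # S bit set: this was the last label
            return entries, payload[off:]

def label_swap(payload, lfib):
    """Exact-match forwarding: only the first 4 bytes are inspected."""
    (word,) = struct.unpack_from("!I", payload, 0)
    out_label, next_hop = lfib[word >> 12]      # single exact-match lookup
    ttl = (word & 0xFF) - 1
    if ttl <= 0:
        raise ValueError("TTL expired")
    new_word = (out_label << 12) | (word & 0xF00) | ttl   # keep TC and S bits
    return next_hop, struct.pack("!I", new_word) + payload[4:]

def longest_prefix_match(dst, rib):
    """IP forwarding: every covering prefix is a candidate; the longest one wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, hop) for net, hop in rib.items() if addr in net]
    if not matches:
        raise KeyError(dst)
    return max(matches)[1]

# Constructed sample data (labels, prefixes and next-hop names are made up).
LFIB = {100: (200, "PE2")}
RIB = {ipaddress.ip_network("10.0.0.0/8"): "core",
       ipaddress.ip_network("10.1.2.0/24"): "branch"}
IPV4_INNER = bytes([0x45]) + bytes(19)   # stand-in IPv4 header
IPV6_INNER = bytes([0x60]) + bytes(39)   # stand-in IPv6 header
```
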

If you have any specific questions let me know. I think ISIS or I.S,I.S is fine, actually the latter sounds a little pretentious even if it’s correct :)

The RFCs are usually less snore-inducing than the Cisco Press books.

+1 for that book. I used it as well during my studies and found it to be a great resource.

You are 100% correct, however, RFCs are reference documents and are entirely too obtuse for someone hoping to learn a technology.

I’ve never thought of reading the RFC, but, having read a lot on MPLS and labbed it a bit, it is definitely nice to go back to the source and see where the gaps are in my knowledge.

VRFs can be used independently of MPLS. See VRF-lite (essentially just multiple independent routing tables)

MPLS can also be used without VRFs too.

This. MPLS is the concept of forwarding packets based on a Label, and not performing a lookup in the RIB, for every packet.

You’re right, I was just trying to keep things as simple as possible while trying to explain the big topic, and depending on what environment they’ve got running. I’ve edited it to try and give a bit more context.

Yes and no–it…depends. For example, in almost all of my buildings, I run Catalyst 6509s. To get the routing tables I want in some of them, we have to get supervisor blades that are way more expensive because of the needed memory. If I want the Internet Routing table to exist on some of them (our arena, for example, because vendors bring in things that they don’t want sitting behind my firewall), it gets even more expensive.

Also, some routers aren’t MPLS capable, like an 1841. So you’d have to replace them, or put in a layer three link from that router to an MPLS router and redistribute routes accordingly.

In short, it’s a licensing cost and a change in hardware. A 2960 running fiber back from an ASA costs significantly less (depending on how far back the line has to go) than the upgrade to the 6509.

As other people in the thread have said, and will say, there is MUCH MORE TO MPLS than what I’ve said. Read the books, learn about how the labels work, how things like redundant links will affect the MPLS network, check out the RFC Standard (what better way to get information than to read the standard it comes from?), etc. etc… My overview was a very, very, very, very basic one.

Right, that’s fine and what I was already thinking. I’m just stuck on the tunnel aspect of it. Assuming I wanted to have full-mesh rather than hub-and-spoke communication, how would I configure the tunnel? Would it be some point-to-point (and I’d need to make lots of them), point-to-multipoint, or is there some better way?

I can imagine running something like an encrypted DMVPN on top of the MPLS connection but maybe there’s a better way?

You could also mention resiliency - a connection implemented over MPLS is likely to have multiple physical paths between the LERs involved in the VPN, whereas a dedicated bit of fibre has a single point of failure, and can be cut. Even a setup with primary/secondary fibre paths has two points of failure.