(There's no such thing)
To some the term "MPLS VPN" is confusing because it reads as though an MPLS VPN is something additional to MPLS itself. In fact, what people call an "MPLS VPN" is just the result of the normal MPLS L3VPN configuration: per-customer VRFs on the Provider Edge routers, with the customers' routes carried across the label-switched core by MP-BGP. It's not like you have to 'activate', 'add' or 'configure' an "MPLS VPN" after doing that configuration. There's no such thing.
The different customers are already represented in VPN routing/forwarding (VRF) instances (often expanded as "Virtual Routing and Forwarding" tables), which keep their routes distinct and private from each other. As the Cisco docs point out:
"Each VPN is associated with one or more VPN routing or forwarding instances (VRFs). A VRF consists of an IP routing table, a derived Cisco express forwarding (CEF) table, and a set of interfaces that use this forwarding table."
- Cisco, Configuring a Basic MPLS VPN (Introduction)
That's cool, so we basically have distinct virtual routing tables, and it's the fact that these VRF tables keep routes separate from each other that lets us call them MPLS 'virtual' and 'private' 'networks'. But how are these so-called VPNs distinguished? How can I name them? What makes them identifiable?!
"An MPLS VPN assigns a unique VRF instance to each VPN. A VRF instance consists of an IP routing table, a derived forwarding table, a set of interfaces that use the forwarding table, and a set of rules and routing protocols that determine the contents of the forwarding table."
- Cisco MPLS Overview, section: MPLS VPN Cable Interfaces
On the PE a VRF has a local name and a route distinguisher (RD); the RD is prepended to the VRF's prefixes when they are carried in MP-BGP, so two customers can both use the same private address space without their routes colliding. Membership of these VPNs is a separate decision, controlled by route targets: whether a route is imported into a given VRF. The Cisco docs explain that as follows:
"The import list defines route target extended community attributes that a route must have in order for the route to be imported into the VRF. For example, if the import list for a particular VRF includes route target extended communities A, B, and C, then any VPN route that carries any of those route target extended communities—A, B, or C—is imported into the VRF."
- Cisco Multiprotocol Label Switching Overview Section Distribution of VPN Routing Information
Where do I configure MPLS VPNs?
On the Provider Edge (PE) routers. Why? Because:
- Provider Edge (PE) routers must maintain VPN routes for those VPNs that are members.
- Provider (P) routers do not maintain any VPN routes.
This increases the scalability of the provider's core and ensures that no one device is a scalability bottleneck.
Source: Cisco MPLS Overview See section: 'Benefits' then Scalability & Security.
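The two points above (route-target import decides VRF membership; only PE routers hold VPN routes) are easiest to see with a small model. The following is an added example, not code from the page or from Cisco: it parses a minimal subset of the IOS `ip vrf` configuration syntax and applies the import rule quoted earlier to a VPNv4 table. The VRF names, AS number 65000, prefixes and labels are all constructed for the illustration; both customers deliberately reuse 10.1.0.0/24 and both import the SHARED VRF's route target, which is the usual "shared services" extranet pattern.

```python
from dataclasses import dataclass, field

# Constructed PE configuration (IOS syntax, hypothetical values). Customers A and B
# overlap on 10.1.0.0/24; SHARED exports 65000:100, which both customers import.
PE_CONFIG = """\
ip vrf CUST_A
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
 route-target import 65000:100
!
ip vrf CUST_B
 rd 65000:2
 route-target both 65000:2
 route-target import 65000:100
!
ip vrf SHARED
 rd 65000:100
 route-target both 65000:100
!
interface GigabitEthernet0/1
 ip vrf forwarding CUST_A
"""


@dataclass
class Vrf:
    name: str
    rd: str = ""
    export_rts: set = field(default_factory=set)   # RTs attached to routes we advertise
    import_rts: set = field(default_factory=set)   # RTs a route must carry to enter this VRF
    routes: set = field(default_factory=set)       # prefixes learned from the customer site


@dataclass(frozen=True)
class Vpnv4Route:
    """One entry in the PE's VPNv4 (MP-BGP) table: RD + prefix + RT communities + VPN label."""
    rd: str
    prefix: str
    rts: frozenset
    label: int

    @property
    def nlri(self):
        # The RD is what keeps CUST_A's and CUST_B's 10.1.0.0/24 distinct in this table.
        return f"{self.rd}:{self.prefix}"


def parse_vrf_config(text):
    """Minimal parser: only 'ip vrf', 'rd' and 'route-target' lines are interpreted.
    IOS indents sub-commands by one space, so an unindented line ends the current block."""
    vrfs, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if not raw.startswith(" "):
            current = vrfs.setdefault(words[2], Vrf(words[2])) if words[:2] == ["ip", "vrf"] else None
            continue
        if current is None:
            continue
        if words[0] == "rd":
            current.rd = words[1]
        elif words[0] == "route-target":
            mode, rt = words[1], words[2]
            if mode in ("export", "both"):
                current.export_rts.add(rt)
            if mode in ("import", "both"):
                current.import_rts.add(rt)
    return vrfs


def export_vpnv4(vrfs, first_label=16):
    """What the PE advertises into MP-BGP: each VRF route gets the VRF's RD, the VRF's
    export RTs and a per-route VPN label. P routers only ever switch on labels."""
    table, label = [], first_label
    for name in sorted(vrfs):
        vrf = vrfs[name]
        for prefix in sorted(vrf.routes):
            table.append(Vpnv4Route(vrf.rd, prefix, frozenset(vrf.export_rts), label))
            label += 1
    return table


def import_vpnv4(vrfs, table):
    """The Cisco import rule: a route is installed in a VRF if it carries ANY of the
    VRF's import RTs. Returns {vrf_name: {prefix, ...}} (RD no longer matters here)."""
    installed = {name: set() for name in vrfs}
    for route in table:
        for name, vrf in vrfs.items():
            if route.rts & vrf.import_rts:
                installed[name].add(route.prefix)
    return installed


def demo():
    vrfs = parse_vrf_config(PE_CONFIG)
    vrfs["CUST_A"].routes.add("10.1.0.0/24")         # constructed site routes
    vrfs["CUST_B"].routes.add("10.1.0.0/24")
    vrfs["SHARED"].routes.add("192.168.100.0/24")
    table = export_vpnv4(vrfs)
    return table, import_vpnv4(vrfs, table)


if __name__ == "__main__":
    table, installed = demo()
    for r in table:
        print(f"VPNv4 {r.nlri:32} RT={sorted(r.rts)} label={r.label}")
    for name, prefixes in installed.items():
        print(f"VRF {name}: {sorted(prefixes)}")
```

Running it shows three VPNv4 entries (the two 10.1.0.0/24 routes kept apart by their RDs) and that CUST_A and CUST_B each end up with their own prefix plus the shared one, while neither sees the other. The practical caveat this makes visible: the RD only disambiguates, it grants nothing; a single wrong `route-target import` on a PE is enough to leak one customer's routes into another customer's VRF, so RT import lists are the thing to audit.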
Useful points distilled from Cisco's MPLS Overview
- "Only the Provider Edge (PE) routers are aware of the VPNs. Provider routers (P) don't 'see' this information as they only inspect labels."
- "A site can only associate with one (and only one) VRF. A customer's site VRF contains all the routes available to the site from the VPNs of which it is a member."
There's some history here: traditionally VPNs were built over connection-oriented circuits, so a full overlay network had to be created on top of the existing one (with inefficient routing), whereas an MPLS VPN isn't connection oriented and doesn't require these paths to be set up ahead of time (the VPN traffic is simply label switched). This might be another reason for the confusion (the same term is used for things that are implemented in different ways).
- What is the difference between VLAN, VPN, MPLS and MPLS-VPN?
- Cisco VPN Operation guide, see section titled "VPN Operation"