Extending MPLS/VPN to Customer Sites

Erich has encountered a familiar MPLS/VPN design challenge:

We have Cisco's 2901s with the data license running MPLS/VPN on customer site (the classical PE is at the customer site). Should we use eBGP between CPE router and network edge router, some sort of iBGP route reflector design, or something completely different?

The “it depends” answer depends primarily on how much you can trust the routers installed at the customer site (CPE routers).

CPE router is managed by the service provider

If the service provider considers the CPE routers trustworthy enough to be part of the MPLS/VPN backbone, we’re dealing with a traditional MPLS/VPN network (admittedly an order of magnitude bigger than usual).

If you don’t want to extend IGP to customer sites for scalability or performance reasons, use Inter-AS MPLS/VPN (Option B) between the CPE routers and network edge routers. If you’re running out of private AS numbers, put all CPE routers in the same autonomous system (obviously you’d have to configure allowas-in on them).

CPE router is managed by the customer

A router you don’t trust should never become part of your MPLS/VPN backbone (it can easily pollute your VPNv4 tables). I would also have qualms about running Inter-AS MPLS/VPN with it, and would use heavy inbound filters should someone force this design on me.
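To make the inbound filtering concrete, here is an added example (not from the original post): a Python model of a per-neighbor route-target allow-list applied to VPNv4 routes received from customer-managed CPE routers, showing which VRFs an unfiltered route would otherwise reach. The neighbor names, route targets, VRF names and sample routes are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vpnv4Route:
    neighbor: str             # CPE session the route was received on
    prefix: str               # RD:prefix as advertised
    route_targets: frozenset  # RT extended communities attached by the sender

# Assumed policy: the only RTs each customer-managed CPE may attach.
ALLOWED_RTS = {
    "cpe-a": frozenset({"65000:101"}),
    "cpe-b": frozenset({"65000:102"}),
}
# Assumed import policy of the VRFs configured elsewhere in the backbone.
VRF_IMPORTS = {
    "CUSTOMER_A": frozenset({"65000:101"}),
    "CUSTOMER_B": frozenset({"65000:102"}),
}

def importing_vrfs(route):
    """VRFs that would import this route if it entered the VPNv4 table."""
    return sorted(v for v, rts in VRF_IMPORTS.items() if rts & route.route_targets)

def inbound_filter(routes):
    """Accept a route only if every RT it carries is allowed for its neighbor."""
    accepted, rejected = [], []
    for r in routes:
        allowed = ALLOWED_RTS.get(r.neighbor, frozenset())
        bad = r.route_targets - allowed
        if not r.route_targets or bad:
            rejected.append((r, sorted(bad)))
        else:
            accepted.append(r)
    return accepted, rejected

# Constructed sample updates; the second and third carry an RT not assigned to cpe-a.
SAMPLE = [
    Vpnv4Route("cpe-a", "65000:101:10.1.0.0/16", frozenset({"65000:101"})),
    Vpnv4Route("cpe-a", "65000:101:10.2.0.0/16", frozenset({"65000:101", "65000:102"})),
    Vpnv4Route("cpe-a", "65000:101:10.9.0.0/16", frozenset({"65000:102"})),
    Vpnv4Route("cpe-b", "65000:102:10.2.0.0/16", frozenset({"65000:102"})),
]

if __name__ == "__main__":
    accepted, rejected = inbound_filter(SAMPLE)
    for r, bad in rejected:
        print(f"DROP   {r.neighbor} {r.prefix}: unauthorized RT {bad}, "
              f"would reach {importing_vrfs(r)}")
    for r in accepted:
        print(f"PERMIT {r.neighbor} {r.prefix} -> {importing_vrfs(r)}")
```

The check is a strict subset test: a route that carries one permitted RT plus any other RT is still dropped.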

The ideal solution would be Carrier’s Carrier (CsC) architecture – it was designed to address exactly this type of requirement.

Need more details?

No problem: all the designs mentioned above are described in my MPLS/VPN Architectures, Volume II. RFC 4364 is not a bad read either, and I’m always available for short consulting engagements.


  1. Hi Ivan,

    I would like to extend MPLS to CPE for the below reasons. Let me know please your thought on this.

    1. Plug and Play type of service.
    2. Provision L2 (P2P) and L3 vpn quickly.
    3. Different CPE port for different services.

    There will be a maximum of 500 CPE. I am thinking of creating different OSPF leaf areas and in one area to keep the CPE number below 40. Routing table size is not an issue as well (2k routes).

    From a security point of view, I am planning to use MACSEC between PE (new P) and CE (new PE) link.

    The stability of the CPE link is not a concern.

    Any advice will be great.