The key requirements for a VPN solution are to:
- isolate the traffic of the company from the traffic of others, for security and confidentiality reasons.
- provide quality of service, so that the performance of the communications among the sites is good.
A picture can help. Let's consider two companies, "company A" and "company B". They use the same internet service provider to connect their remote sites.
The router at the edge of each site is called the Customer Edge (CE). It's directly connected to a router of the ISP, named a Provider Edge (PE) router. The core routers of the ISP are called Provider (P) routers.
So, the role of the VPN is to connect all the sites of a given company, for instance through the paths in orange below for company A.
The classical mechanism to isolate the traffic and provide QoS is to set up a tunnel between company A's PEs and reserve resources for that tunnel. MPLS-TE is the perfect architecture for doing this.
With MPLS, for company A, the ISP will have to configure forwarding equivalence classes (FECs) on the PEs to define which traffic must be tunneled and to which PE.
It will be clearer with a picture: PE1 is configured to recognize the packets whose destination is in CE5's network. This set of packets is called a Forwarding Equivalence Class (FEC). When PE1 sees such a packet, it encapsulates it in an MPLS packet whose label points to PE4.
When PE4 receives such a packet, it sees that it must pop the label and look at the IP header to route the packet to CE5.
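To make the push / swap / pop sequence concrete, here is a small Python model of the path PE1 -> P1 -> P2 -> PE4 -> CE5 described above. It is an added example and not code from the original post: the router names follow the text, but the prefix for CE5's network (10.5.0.0/16), the labels (100, 200, 300) and the next hops are constructed. PE1 classifies IP packets into a FEC by longest prefix match and pushes a label; the P routers swap labels from their label table; PE4 pops the label and routes the inner IP packet to CE5.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example, not from the original post: a toy model of one MPLS
# label switched path (LSP) from PE1 to PE4 carrying company A's traffic to
# CE5. Router names follow the post; prefixes, labels and next hops are made up.

@dataclass
class IPPacket:
    src: str
    dst: str

@dataclass
class MPLSPacket:
    label: int
    inner: IPPacket

class Router:
    def __init__(self, name):
        self.name = name
        self.fecs = []        # ingress PE only: (network, out_label, next_hop)
        self.lfib = {}        # in_label -> ("swap", out_label, next_hop) or ("pop", None, None)
        self.ip_routes = []   # (network, next_hop) for plain IP forwarding

    def add_fec(self, prefix, out_label, next_hop):
        self.fecs.append((ipaddress.ip_network(prefix), out_label, next_hop))

    def add_label(self, in_label, action, out_label=None, next_hop=None):
        self.lfib[in_label] = (action, out_label, next_hop)

    def add_route(self, prefix, next_hop):
        self.ip_routes.append((ipaddress.ip_network(prefix), next_hop))

    @staticmethod
    def _lpm(table, dst):
        """Longest prefix match; every table row starts with an ip_network."""
        addr = ipaddress.ip_address(dst)
        matches = [row for row in table if addr in row[0]]
        return max(matches, key=lambda row: row[0].prefixlen) if matches else None

    def forward(self, pkt):
        """Return (action, next_hop, out_pkt); action 'drop' means discarded."""
        if isinstance(pkt, MPLSPacket):
            entry = self.lfib.get(pkt.label)
            if entry is None:                      # label unknown on this hop
                return ("drop", None, None)
            action, out_label, nh = entry
            if action == "swap":
                return ("swap", nh, MPLSPacket(out_label, pkt.inner))
            # pop: the egress PE removes the label and routes the IP packet itself
            route = self._lpm(self.ip_routes, pkt.inner.dst)
            if route is None:
                return ("drop", None, None)
            return ("pop", route[1], pkt.inner)
        fec = self._lpm(self.fecs, pkt.dst)
        if fec is not None:                        # packet belongs to a FEC: push label
            return ("push", fec[2], MPLSPacket(fec[1], pkt))
        route = self._lpm(self.ip_routes, pkt.dst)
        if route is None:
            return ("drop", None, None)
        return ("route", route[1], pkt)

def build_network():
    """PE1 -> P1 -> P2 -> PE4 -> CE5: one LSP using labels 100, 200, 300."""
    pe1, p1, p2, pe4 = Router("PE1"), Router("P1"), Router("P2"), Router("PE4")
    pe1.add_fec("10.5.0.0/16", 100, "P1")          # FEC: everything in CE5's network
    p1.add_label(100, "swap", 200, "P2")
    p2.add_label(200, "swap", 300, "PE4")
    pe4.add_label(300, "pop")
    pe4.add_route("10.5.0.0/16", "CE5")
    return {r.name: r for r in (pe1, p1, p2, pe4)}

def trace(routers, start, pkt):
    """Walk pkt hop by hop; returns [(router, action, label), ...]."""
    hops, node = [], start
    while node in routers:
        action, nh, out = routers[node].forward(pkt)
        label = out.label if isinstance(out, MPLSPacket) else None
        hops.append((node, action, label))
        if action == "drop":
            return hops
        pkt, node = out, nh
    hops.append((node, "deliver", None))           # left the ISP core towards a CE
    return hops

if __name__ == "__main__":
    net = build_network()
    for hop in trace(net, "PE1", IPPacket("10.1.0.7", "10.5.1.1")):
        print(hop)
```

Running `trace` on a packet for 10.5.1.1 prints the push at PE1, the two swaps in the core, the pop at PE4 and the delivery to CE5. Two other cases are worth checking: a packet whose destination matches no FEC at PE1 never enters the tunnel, and a labelled packet whose label is not in a P router's table is dropped there. Both show that the isolation the post asks for rests entirely on the FEC and label tables being configured correctly on each hop; the label itself carries no information about which company the traffic belongs to.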
That's for the principles. All the configuration of the label switched paths can be done manually but you can imagine the complexity... So, there are protocols to do that for us. I'll try to explain how they work in a subsequent post.