Professional Documents
Culture Documents
MPLS Layer 3 VPN Explained
MPLS Layer 3 VPN Explained
Get Full Access to our 731 Cisco Lessons Now Start $1 Trial
Search …
In previous lessons I explained the basics of MPLS: VRFs (Virtual Routing and Forwarding)
Above we have two customers connected to a service provider network. Customer A and
B each have two sites and you can see that they are using the same IP ranges.
Customer A might use OSPF between their sites and customer B could use EIGRP
between their sites. Everything from these customers is completely separated by the
service provider.
https://networklessons.com/mpls/mpls-layer-3-vpn-explained 1/6
7/26/2021 MPLS Layer 3 VPN Explained
In this lesson you will learn everything that is required to build a MPLS L3 VPN network.
Let’s get started! Get Full Access to our 731 Cisco Lessons Now Start $1 Trial
Above we have our PE1 router with the two customer sites. Each customer will use a
different VRF so the overlapping address space is no problem. Now you might be
wondering, why don’t we use VRFs everywhere instead of MPLS? We could but there’s
one downside to using VRFs. Take a look at the following picture:
The problem with VRFs is that you have to create them everywhere. When our goal is to
have connectivity between CE1 and CE3 then we will have to add a VRF on the PE1, P and
PE2 router. Also, all the service provider routes will have to participate with routing. For
example, when customer A wants to run OSPF between their two sites then it means
that we have to configure OSPF on the PE1, P and PE2 router of the service provider for
their VRF.
When customer B wants to run EIGRP between their sites, we have to participate…we’ll
have to configure EIGRP on all service provider routers for the VRF of customer B.
This is not a scalable solution so it’s not going to happen. Instead, we will configure the
VRFs only on the PE routers. The core of the service provider network (P router) will
only do switching based on labels.
https://networklessons.com/mpls/mpls-layer-3-vpn-explained 2/6
7/26/2021 MPLS Layer 3 VPN Explained
One of the CE routers advertises something to the PE router, this can be done
through OSPF, EIGRP, BGP or any other routing protocol (static routing is also
possible).
The PE router uses a VRF for the customer so it will store everything it learns in the
routing table of the customer’s VRF.
The PE router will then redistribute everything in BGP.
The PE router will advertise to to the other PE router through iBGP.
There’s a couple of problems though. First of all, our two customers are using
overlapping address space. Let’s say that our PE1 router is advertising 192.168.1.0 /24
from customer A to the PE2 router on the other side. Here’s what happens:
The PE2 router will learn 192.168.1.0 /24 from the PE1 router but it has no clue to what
customer it will belong. There is no way to differentiate if something belongs to
customer A or B.
The RD is a 8 byte (64 bit) field. You can use any value you want but typically we use the
ASN:NN format where ASN is the service provider’s AS number and NN is a number we
pick that identifies the site of the customer.
https://networklessons.com/mpls/mpls-layer-3-vpn-explained 3/6
7/26/2021 MPLS Layer 3 VPN Explained
The RD and the prefix combined is what we call a VPNv4 route. We now have a method
Get Full
to differentiate between the different Access
prefixes of to
ourour 731 Cisco
customers. Lessons
Here’s Now
an example: Start $1 Trial
Let’s say that we use RD 123:10 for customer A and RD 123:20 for customer B. By adding
these values, we have unique VPNv4 routes.
How do we advertise these VPNv4 routes? That’s what we need MP-BGP for.
MP-BGP supports IPv4 unicast/multicast, IPv6 unicast/multicast and it has support for
VPNv4 routes. To exchange VPNv4 routes, MP-BGP uses a new NLRI (Network Layer
Reachability Information) format that has the following attributes:
RD (Route Distinguisher)
IPv4 prefix
Next Hop
VPN Label
This is how PE routers exchange VPNv4 routes with each other. This NRLI also has an
attribute called the VPN label, we’ll get back to this one later in this lesson.
Our PE2 router has learned the two VPNv4 routes, one for each customer. You might
think that the PE2 router will automatically export each VPNv4 route in the correct
customer VRF but that’s not going to happen.
https://networklessons.com/mpls/mpls-layer-3-vpn-explained 4/6
7/26/2021 MPLS Layer 3 VPN Explained
Get Full Access to our 731 Cisco Lessons Now Start $1 Trial
We're Sorry, Full Content Access is for Members Only...
If you like to keep on reading, Become a Member Now! Here is why:
Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
Full Access to our 731 Lessons. More Lessons Added Every Week!
Content created by Rene Molenaar (CCIE #41726)
No Questions Asked!
« Previous Lesson
Forum Replies
kazan55
Hi Rene, Andrew
I am afraid I still don’t understand one thing- why do we need vpn label if we have both RD and RT’s ?
It was said the router wouldn’t know what VRF the route belongs to… well:
When PE1 advertises the route to PE2 , this route is unique for BGP because of RD and PE2 also knows in what VRF to install it thanks to Route Target
value.
So the MPLS VPN label seems to be redundant as the BGP can figure the VRF out based solely on the Route Targets …
Edit- ok, I think I mix up the control and data plane again
Jon
Hi @kumaracp10,
Many thanks for your excellent question. If you are referring to MPLS labels, this is primarily used as a method to quickly switch IP packets within the
MPLS core. This is the most basic feature of MPLS so it is used in all MPLS networks even if there is no VPN overlay. The 1st MPLS tag exists only to enable
MPLS forwarding plane operations.
**If we decide to operate a VPN over MPLS, a second MPLS tag is added** to allow PEs to know how to efficiently forward incoming packets.
In MPLS there are two basic rules that help us unpick the architec
https://networklessons.com/mpls/mpls-layer-3-vpn-explained 5/6
7/26/2021 MPLS Layer 3 VPN Explained
ReneMolenaar
Get Full Access to our 731 Cisco Lessons Now Start $1 Trial
Hello Sudip,
To understand this, you need to think about the difference between the control plane and data plane.
Control plane:
A VRF helps to differentiate the routing table but this only works on the local router. We don’t exchange VRF information between routers. Imagine we
have a PE router with a VRF called “red” and a VRF called “blue”.
In each VRF, we have network 5.5.5.5/32. Thanks to our VRFs, we can have the same network in two different VRFs.
lagapides
Hello Fabrice
The use of a VPN ID is not mandatory. It is just an additional method by which VPNs can be identified.
You can read more about this feature in the following Cisco document which includes various benefits of using it:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/12_2b/12_2b4/feature/guide/12b_vpn.html#wp1015331
Laz
lagapides
Hello Fabrice
Benefits
Remote access applications, such as the Remote Authentication Dial-In User Service (RADIUS) and Dynamic Host Configuration Protocol (DHCP),
can use the MPLS VPN ID feature to identify a VPN. RADIUS can use the VPN ID to assign dial-in users to the proper VPN, based on each user’s
authentication information.
A VPN is private and uses a private address space that might also be used by another VPN or by the Internet. T
172 more replies! Ask a question or join the discussion by visiting our Community Forum
https://networklessons.com/mpls/mpls-layer-3-vpn-explained 6/6