
7/26/2021 MPLS Layer 3 VPN Explained

MPLS Layer 3 VPN Explained

Lesson Contents

1. VRF (Virtual Routing and Forwarding)
2. MP-BGP (Multi Protocol BGP)
2.1. RD (Route Distinguisher)
2.2. RT (Route Target)

In previous lessons I explained the basics of MPLS:

Introduction to MPLS
MPLS Labels and Devices
MPLS LDP
VRF

In this lesson we will look at MPLS L3 VPNs and we will build upon the things you learned
in previous lessons. By now you should know what MPLS is about. What about the L3
VPN part? Here’s what it is about:

Layer 3: the service provider will participate in routing with the customer. The customer will run OSPF, EIGRP, BGP or any other routing protocol with the service provider; these routes can be shared with other sites of the customer.
VPN: routing information from one customer is completely separated from other customers and tunneled over the service provider MPLS network.

Let’s look at an example:

Above we have two customers connected to a service provider network. Customer A and
B each have two sites and you can see that they are using the same IP ranges.

Customer A might use OSPF between their sites and customer B could use EIGRP
between their sites. Everything from these customers is completely separated by the
service provider.


In this lesson you will learn everything that is required to build an MPLS L3 VPN network.
Let’s get started!

1. VRF (Virtual Routing and Forwarding)


Let’s start with VRFs. This is the first step in separating traffic from different customers.
Instead of using a single global routing table, we use multiple routing tables. Each
customer of the service provider will use a different VRF. Let’s take a closer look:

Above we have our PE1 router with the two customer sites. Each customer will use a
different VRF so the overlapping address space is no problem. Now you might be
wondering, why don’t we use VRFs everywhere instead of MPLS? We could but there’s
one downside to using VRFs. Take a look at the following picture:

The problem with VRFs is that you have to create them everywhere. When our goal is to
have connectivity between CE1 and CE3 then we will have to add a VRF on the PE1, P and
PE2 router. Also, all the service provider routers will have to participate in routing. For
example, when customer A wants to run OSPF between their two sites then it means
that we have to configure OSPF on the PE1, P and PE2 router of the service provider for
their VRF.

When customer B wants to run EIGRP between their sites, we have to participate…we’ll
have to configure EIGRP on all service provider routers for the VRF of customer B.

This is not a scalable solution so it’s not going to happen. Instead, we will configure the
VRFs only on the PE routers. The core of the service provider network (P router) will
only do switching based on labels.


To share information about VRFs between PE routers, we will use BGP.


2. MP-BGP (Multi Protocol BGP)

We will use BGP between the PE routers so that they can share information from the
VRFs. Here’s how it works:

One of the CE routers advertises something to the PE router. This can be done through OSPF, EIGRP, BGP or any other routing protocol (static routing is also possible).
The PE router uses a VRF for the customer so it will store everything it learns in the routing table of the customer’s VRF.
The PE router will then redistribute everything in BGP.
The PE router will advertise it to the other PE router through iBGP.

There are a couple of problems though. First of all, our two customers are using
overlapping address space. Let’s say that our PE1 router is advertising 192.168.1.0/24
from customer A to the PE2 router on the other side. Here’s what happens:

The PE2 router will learn 192.168.1.0/24 from the PE1 router but it has no clue which
customer it belongs to. There is no way to differentiate if something belongs to
customer A or B.

What we need is something to make all prefixes that we learn unique.

2.1. RD (Route Distinguisher)


To fix this issue, we will use an RD (Route Distinguisher). We will add something to the
prefix of the customer so that it will become unique:

The RD is an 8-byte (64-bit) field. You can use any value you want but typically we use the
ASN:NN format where ASN is the service provider’s AS number and NN is a number we
pick that identifies the site of the customer.


The RD and the prefix combined is what we call a VPNv4 route. We now have a method
to differentiate between the different prefixes of our customers. Here’s an example:

Let’s say that we use RD 123:10 for customer A and RD 123:20 for customer B. By adding
these values, we have unique VPNv4 routes.

How do we advertise these VPNv4 routes? That’s what we need MP-BGP for.

MP-BGP supports IPv4 unicast/multicast, IPv6 unicast/multicast and it has support for
VPNv4 routes. To exchange VPNv4 routes, MP-BGP uses a new NLRI (Network Layer
Reachability Information) format that has the following attributes:

RD (Route Distinguisher)
IPv4 prefix
Next Hop
VPN Label

This is how PE routers exchange VPNv4 routes with each other. This NLRI also has an
attribute called the VPN label; we’ll get back to this one later in this lesson.
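
Added example (not part of the original lesson): a Python sketch of how the RD turns the two customers' overlapping 192.168.1.0/24 prefixes into distinct VPNv4 routes, so that one customer's route cannot overwrite the other's. It assumes the type 0 RD layout of RFC 4364 (2-byte type, 2-byte ASN, 4-byte number) and the labeled NLRI encoding (length in bits, 3-byte label field, RD, prefix). The label values 16 and 17 and all function names are made up for the illustration, and the next hop is left out because BGP carries it outside the per-prefix entry.

```python
import ipaddress
import struct

def encode_rd(rd: str) -> bytes:
    """Encode an ASN:NN route distinguisher as the 8-byte type 0 form (RFC 4364)."""
    asn, nn = (int(x) for x in rd.split(":"))
    if not (0 <= asn <= 0xFFFF and 0 <= nn <= 0xFFFFFFFF):
        raise ValueError(f"RD {rd!r} does not fit the 2-byte ASN : 4-byte number layout")
    return struct.pack("!HHI", 0, asn, nn)

def encode_vpnv4_nlri(rd: str, prefix: str, label: int) -> bytes:
    """Length in bits, 3-byte label field, 8-byte RD, then the significant prefix bytes."""
    net = ipaddress.ip_network(prefix)
    if not 0 <= label < 2**20:
        raise ValueError("MPLS label is a 20-bit value")
    label_field = ((label << 4) | 1).to_bytes(3, "big")  # bottom-of-stack bit set
    prefix_bytes = net.network_address.packed[: (net.prefixlen + 7) // 8]
    return bytes([24 + 64 + net.prefixlen]) + label_field + encode_rd(rd) + prefix_bytes

def decode_vpnv4_nlri(data: bytes):
    """Return (rd, prefix, label) from one encoded NLRI entry."""
    bits = data[0]
    if bits < 88 or bits > 120 or len(data) != 1 + (bits + 7) // 8:
        raise ValueError("malformed VPNv4 NLRI")
    label = int.from_bytes(data[1:4], "big") >> 4
    rd_type, asn, nn = struct.unpack("!HHI", data[4:12])
    if rd_type != 0:
        raise ValueError("only type 0 RDs are handled in this example")
    addr = ipaddress.IPv4Address(data[12:].ljust(4, b"\x00"))
    return f"{asn}:{nn}", f"{addr}/{bits - 88}", label

def build_tables(routes):
    """Compare a table keyed on the bare prefix with one keyed on (RD, prefix)."""
    by_prefix, by_vpnv4 = {}, {}
    for customer, rd, prefix, label in routes:
        by_prefix[prefix] = customer  # a later route silently replaces the earlier one
        rd_out, prefix_out, _ = decode_vpnv4_nlri(encode_vpnv4_nlri(rd, prefix, label))
        by_vpnv4[(rd_out, prefix_out)] = customer
    return by_prefix, by_vpnv4

# Constructed sample: the RDs are the lesson's values, the labels are made up.
ROUTES = [("A", "123:10", "192.168.1.0/24", 16), ("B", "123:20", "192.168.1.0/24", 17)]

if __name__ == "__main__":
    by_prefix, by_vpnv4 = build_tables(ROUTES)
    print("keyed on prefix only:", by_prefix)
    print("keyed on RD + prefix:", by_vpnv4)
```

Keyed on the prefix alone, customer A's route is lost; keyed on RD plus prefix, both routes survive side by side.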

2.2. RT (Route Target)


When a PE router learns these VPNv4 routes, what will it do with them? Take a look at the
picture below:

Our PE2 router has learned the two VPNv4 routes, one for each customer. You might
think that the PE2 router will automatically export each VPNv4 route in the correct
customer VRF but that’s not going to happen.

Content created by Rene Molenaar (CCIE #41726)


Forum Replies


kazan55

Hi Rene, Andrew

I am afraid I still don’t understand one thing: why do we need VPN label if we have both RD and RTs?

It was said the router wouldn’t know what VRF the route belongs to… well:

When PE1 advertises the route to PE2, this route is unique for BGP because of RD and PE2 also knows in what VRF to install it thanks to Route Target
value.

So the MPLS VPN label seems to be redundant as the BGP can figure the VRF out based solely on the Route Targets…

What am I missing in this puzzle?


Thank you

Edit: OK, I think I mix up the control and data plane again

... Continue reading in our forum


Jon

Hi @kumaracp10,

Many thanks for your excellent question. If you are referring to MPLS labels, this is primarily used as a method to quickly switch IP packets within the
MPLS core. This is the most basic feature of MPLS so it is used in all MPLS networks even if there is no VPN overlay. The 1st MPLS tag exists only to enable
MPLS forwarding plane operations.

**If we decide to operate a VPN over MPLS, a second MPLS tag is added** to allow PEs to know how to efficiently forward incoming packets.

In MPLS there are two basic rules that help us unpick the architec

... Continue reading in our forum



ReneMolenaar

Hello Sudip,

Sorry for the delay, let me answer your question.

To understand this, you need to think about the difference between the control plane and data plane.

Control plane:

A VRF helps to differentiate the routing table but this only works on the local router. We don’t exchange VRF information between routers. Imagine we
have a PE router with a VRF called “red” and a VRF called “blue”.

In each VRF, we have network 5.5.5.5/32. Thanks to our VRFs, we can have the same network in two different VRFs.

Now we want to advertise both networks to another PE router

... Continue reading in our forum


lagapides

Hello Fabrice

The use of a VPN ID is not mandatory. It is just an additional method by which VPNs can be identified.

You can read more about this feature in the following Cisco document which includes various benefits of using it:

https://www.cisco.com/c/en/us/td/docs/ios/12_2/12_2b/12_2b4/feature/guide/12b_vpn.html#wp1015331

I hope this has been helpful!

Laz


lagapides

Hello Fabrice

The specific benefits as described by Cisco are the following:

Benefits

The MPLS VPN ID feature provides the following benefits:

Remote access applications, such as the Remote Authentication Dial-In User Service (RADIUS) and Dynamic Host Configuration Protocol (DHCP),
can use the MPLS VPN ID feature to identify a VPN. RADIUS can use the VPN ID to assign dial-in users to the proper VPN, based on each user’s
authentication information.

A VPN is private and uses a private address space that might also be used by another VPN or by the Internet. T

... Continue reading in our forum