MPLS Layer 3 VPN Explained

In previous lessons I explained the basics of MPLS:

In this lesson we will look at MPLS L3 VPNs and we will build upon the things you learned in previous lessons. By now you should know what MPLS is about. What about the L3 VPN part? Here’s what it is about:

  • Layer 3: the service provider will participate in routing with the customer. The customer will run OSPF, EIGRP,  BGP or any other routing protocol with the service provider, these routes can be shared with other sites of the customer.
  • VPN: routing information from one customer is completely separated from other customers and tunneled over the service provider MPLS network.

Let’s look at an example:

MPLS Layer three VPN Topology

Above we have two customers connected to a service provider network. Customer A and B each have two sites and you can see that they are using the same IP ranges.

Customer A might use OSPF between their sites and customer B could use EIGRP between their sites. Everything from these customers is completely separated by the service provider.

In this lesson you will learn everything that is required to build a MPLS L3 VPN network. Let’s get started!

VRF (Virtual Routing and Forwarding)

Let’s start with VRFs. This is the first step in separating traffic from different customers. Instead of using a single global routing table, we use multiple routing tables. Each customer of the service provider will use a different VRF. Let’s take a closer look:

CE1 CE2 PE1 VRFs

Above we have our PE1 router with the two customer sites. Each customer will use a different VRF so the overlapping address space is no problem. Now you might be wondering, why don’t we use VRFs everywhere instead of MPLS? We could but there’s one downside to using VRFs. Take a look at the following picture:

SP PE CE VRFs

The problem with VRFs is that you have to create them everywhere. When our goal is to have connectivity between CE1 and CE3 then we will have to add a VRF on the PE1, P and PE2 router. Also, all the service provider routes will have to participate with routing. For example, when customer A wants to run OSPF between their two sites then it means that we have to configure OSPF on the PE1, P and PE2 router of the service provider for their VRF.

When customer B wants to run EIGRP between their sites, we have to participate…we’ll have to configure EIGRP on all service provider routers for the VRF of customer B.

This is not a scalable solution so it’s not going to happen. Instead, we will configure the VRFs only on the PE routers. The core of the service provider network (P router) will only do switching based on labels.

To share information about VRFs between PE routers, we will use BGP.

MP-BGP (Multi Protocol BGP)

We will use BGP between the PE routers so that they can share information from the VRFs. Here’s how it works:

  • One of the CE routers advertises something to the PE router, this can be done through OSPF, EIGRP, BGP or any other routing protocol (static routing is also possible).
  • The PE router uses a VRF for the customer so it will store everything it learns in the routing table of the customer’s VRF.
  • The PE router will then redistribute everything in BGP.
  • The PE router will advertise to to the other PE router through iBGP.

MPLS VPN BGP PE routers

There’s a couple of problems though. First of all, our two customers are using overlapping address space. Let’s say that our PE1 router is advertising 192.168.1.0 /24 from customer A to the PE2 router on the other side. Here’s what happens:

MPLS VPN BGP Without Route Distinguisher

The PE2 router will learn 192.168.1.0 /24 from the PE1 router but it has no clue to what customer it will belong. There is no way to differentiate if something belongs to customer A or B.

What we need is something to make all prefixes that we learn unique.

RD (Route Distinguisher)

To fix this issue, we will use a RD (Route Distinguisher). We will add something to the prefix of the customer so that it will become unique:

route distinguisher 96 bit

The RD is a 8 byte (64 bit) field. You can use any value you want but typically we use the ASN:NN format where ASN is the service provider’s AS number and NN is a number we pick that identifies the site of the customer.

The RD and the prefix combined is what we call a VPNv4 route. We now have a method to differentiate between the different prefixes of our customers. Here’s an example:

PE advertise VPNv4 routes

Let’s say that we use RD 123:10 for customer A and RD 123:20 for customer B. By adding these values, we have unique VPNv4 routes.

How do we advertise these VPNv4 routes? That’s what we need MP-BGP for.

MP-BGP supports IPv4 unicast/multicast, IPv6 unicast/multicast and it has support for VPNv4 routes. To exchange VPNv4 routes, MP-BGP uses a new NLRI (Network Layer Reachability Information) format that has the following attributes:

  • RD (Route Distinguisher)
  • IPv4 prefix
  • Next Hop
  • VPN Label

This is how PE routers exchange VPNv4 routes with each other. This NRL also has an attribute called the VPN label, we’ll get back to this one later in this lesson.

RT (Route Target)

When a PE router learns these VPNv4 routes, what will it do with it? Take a look at the picture below:

MPLS VPN route target

Our PE2 router has learned the two VPNv4 routes, one for each customer. You might think that the PE2 router will automatically export each VPNv4 route in the correct customer VRF but that’s not going to happen.

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 662 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

501 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,


Forum Replies

  1. René,

    Congrats for share this excellent explanation!!! I’m from Brazil and I don’t have a good English, but I can understand each word, sentence that you used in this article. I never had understood about this subject, maybe because I really didn’t study it with attention and deeply. I’m a beginner Network Admin and when I saw this article in my feed I started to read it and understand it and I’m amazing how you can teach it like this way.

    But I have a doubt where I can’t see in examples above. Using this topology, if tomorrow for any reason Blue and Red make a

    ... Continue reading in our forum

  2. Hi Azm,

    Let me jump in on Cisco VIRL. I can highly recommend to run it in VMWare ESXi, it’s free and saves you the hassle of messing with network interfaces etc. Although I really like VIRL, I had some issues with updates that went wrong and deploying a new OVA template in ESXi is much easier than reinstalling a physical box.

    Look on eBay for an older server that has plenty of RAM and 2x CPUs or something like that.

    I still use an HP proliant DL360 G7 with 96GB of RAM which is great for Cisco VIRL:

    ... Continue reading in our forum

  3. Hi,
    i’m bulding a lab for a POC and need some advise.

    Topology:

                           --------------------------
                           -                              -
                           -        Firewall        -         
                           -                              - 
                           --------------------------
                                         |         int E0/0 (192.168.2.1/24)
                                         |
                                         |
                            --------------------------
                           |     
    ... Continue reading in our forum

  4. Hello,
    thank you for replying.
    I found a way around. Simillar to this: https://www.cisco.com/c/en/us/support/docs/ip/ip-routing/200158-Configure-Route-Leaking-between-Global-a.html
    However this isn’t really a good approach and only a workaround.

    Intial the approach with MP-MGP didn’t come to my attention as wasn’t planning to use BGP in the network.
    What i overlooked is that you don’t need any BGP neighbors !
    I managed to use MP-MGP now, which i ways easiers and my lab is working now.

    Many thanks,
    Oliver

66 more replies! Ask a question or join the discussion by visiting our Community Forum