Hello David
A VPN is a technology that creates a secure and encrypted connection over a less secure network, such as the Internet. It’s like a protected tunnel through which your online traffic can pass undisturbed, away from the prying eyes of hackers, your ISP, the government, and even the websites you visit. VPNs can be deployed in various forms, such as site-to-site, host-based, or even via a subscription-based VPN provider, which creates a VPN between your device and its servers, which then act as a proxy for your communications.
In the context of MPLS, a VPN can be thought of as a ‘pseudo-wire’ that exists in an MPLS network. This pseudo-wire is able to transport payload traffic of various types and segments, each isolated from the others. This is where your understanding of a VPN as a network/connection running over a tunnel comes in.
The mpls ip command simply enables MPLS on the interface, but does not make it a VPN. The VPN comes into play when we start using VRFs and RDs/RTs. These are used to segregate customer traffic, making each customer’s traffic private from others - hence the term VPN.
In a normal MPLS network without VRFs and RDs/RTs, all customer traffic would indeed be in the same routing instance, which would not provide the necessary separation and isolation for it to be considered a VPN.
So, to answer your question, yes, pure MPLS without any VRFs, RDs/RTs is not a tunneling mechanism. But when we add these configurations, we gain the path abstraction and traffic isolation you mentioned, effectively turning it into a VPN.
The two main components that create a tunnel, as you correctly identified, are encapsulation and path abstraction/traffic isolation.
However, there are two additional pieces of information that must be addressed:
First, such a VPN in the context of MPLS does not apply any form of security, which is traditionally associated with VPNs. If you want to ensure an encrypted MPLS L3 VPN implementation, you can use an option such as MPLS over FlexVPN, but there are others.
The second is that MPLS L3 VPNs use what are known as VPNv4 and VPNv6 routes. In the context of BGP and MPLS, these terms refer to the BGP address family used to carry IPv4 and IPv6 prefixes over MPLS-based VPNs. So the term VPN in this context is well-defined terminology for MPLS and means something very specific.
I hope this has been helpful!
Laz
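
Added illustration (not part of the reply above and not router code): a small Python model of how the RD keeps two customers' overlapping prefixes distinct as VPNv4 routes, and how the RT decides which VRF installs them. The class names, RD/RT values and addresses are constructed for the example; MPLS labels and BGP best-path selection are left out.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Vpnv4Route:
    rd: str            # route distinguisher: makes the prefix unique
    prefix: str        # customer IPv4 prefix
    next_hop: str      # egress PE address
    rts: frozenset     # route targets attached on export

@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    table: dict = field(default_factory=dict)  # prefix -> next hop

    def advertise(self, prefix, pe):
        """Turn a customer IPv4 prefix into a VPNv4 route (RD + prefix)."""
        return Vpnv4Route(self.rd, prefix, pe, self.export_rts)

    def receive(self, route):
        """Install the route only if it carries an RT this VRF imports."""
        if route.rts & self.import_rts:
            self.table[route.prefix] = route.next_hop
            return True
        return False

def make_vrf(name, rd, rt):
    return Vrf(name, rd, frozenset({rt}), frozenset({rt}))

def build_demo():
    # Constructed sample: both customers number a site with 10.0.0.0/24.
    a_site1 = make_vrf("CUST_A", "65000:1", "65000:100")
    b_site1 = make_vrf("CUST_B", "65000:2", "65000:200")
    a_site2 = make_vrf("CUST_A", "65000:1", "65000:100")
    b_site2 = make_vrf("CUST_B", "65000:2", "65000:200")
    routes = [a_site1.advertise("10.0.0.0/24", "192.0.2.1"),
              b_site1.advertise("10.0.0.0/24", "192.0.2.3")]
    for route in routes:
        for vrf in (a_site2, b_site2):
            vrf.receive(route)
    return routes, a_site2, b_site2

if __name__ == "__main__":
    routes, a, b = build_demo()
    for r in routes:
        print(f"VPNv4 {r.rd}:{r.prefix} via {r.next_hop} RT {sorted(r.rts)}")
    print(a.name, a.table, "|", b.name, b.table)
```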