MPLS Layer 3 VPN Configuration

Hello Mohammad.

Hmm, that may be a typo. I will get @ReneMolenaar to look at that…



@Zaman.rubd @lagapides

The output is correct, keep in mind that MPLS traceroute works a bit different than regular IP traceroute:

I think they show the IP address of the remote PE router in the VRF on purpose, instead of the interface that connects to the P router. The IP address of the PE router in the VRF is reachable from the CE1 router, making it useful for troubleshooting.

Hi. Thanks for the lesson. It helped me learn something about MPLS.
One question though. What if I want to connect another 2 CE routers, and wants to add more VRF? I’ve tried adding new address-family ipv4 vrf to existing BGP process in PE1 and PE2, and redistribute the new routing protocol by adding it to address-family ipv4 vrf and all just like in the lesson, but to no success. The new router still can’t ping successfully.

What’s needed to add new networks to the MPLS VPN? I maybe haven’t understood it all completely.

Hello Evan,

If you want to add a second customer that is separated from the first one then you need to add:

  • second VRF
  • second RD
  • second IGP process for the VRF
  • second BGP address-family for the VRF

Take a look at the startup configurations in this lesson. That’s exactly what you are looking for:

It’s MPLS VPN with two customers in two VRFs.

Hope this helps!


Hi. I’m really helped with this topic. Thanks a lot. Now a new question popped up in my mind.
How if I want to have redundancy in the MPLS? I mean, if one of the line in the MPLS backbone is down, the whole CE traffic is down too. If I must add a new node to the MPLS backbone, how would the configuration be so it has redundant links?
I appreciate for the help. Thanks.

Hello Ivan,

You could use a topology like this:

In that example, I have redundant P and PE routers but I didn’t use MPLS there. What you need for MPLS VPN is:

  • The P routers only run an IGP and MPLS on the interfaces so that’s straight-forward.
  • The PE routers require a full mesh of iBGP for the VPN routes but you could also use a route-reflector instead. Both interfaces that connect to the customer are in the same VRF.

If you can configure a MPLS VPN topology without redundancy then it’s easy to add redundancy, there are no extra commands. If you have trouble with this, let me know and I’ll share the configs when I get back from my holiday (next Wednesday) :slight_smile:


1 Like

Thanks for the answer, Rene. I’ll look to that and try the configuration in the meantime.
Anyway, is there any chance of using protocols like VRRP, GLBP, or FHRP in MPLS?

Hello Ivan.

According to Cisco:

VRRP is supported on Ethernet, Fast Ethernet, Bridge Group Virtual Interface (BVI), and Gigabit Ethernet interfaces, and on Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs), VRF-aware MPLS VPNs, and VLANs.

Similarly, GLBP can also be used for MPLS implementations as well.

HSRP, FRRP and GLBP are all protocols that fall into the category of First Hop Redundancy Protocols (FHRP).

I hope this has been helpful!


1 Like

I’ve got another question. Besides using the configuration from the lesson you shared, is there any other strategies to have redundancy on MPLS backbone? Like using BFD or any other strategies?

Hi Ivan,

There are a couple of things. In MPLS VPN, you have to think of:

  • IGP
  • LDP
  • BGP

For your IGP, you can use BFD but also something like fast reroute:

For BGP, there are a couple of things you can do. For example:

Hope this helps :slight_smile:


Hi, Thanks again, Rene. By the way. Is the fast reroute you shared above is the same with MPLS Traffic Engineering fast reroute or is it different?

I’m also facing trouble with the BGP PIC config. Really hope for you to share the configs you mentioned above. Thanks in advance.

Anyway, I also noticed that the OSPF LFA you shared above is only available to a few high end routers… Is there an alternative to that other than BFD?

I just found that in the lesson we can only ping from the loopback interface? I wanted to add new networks to the CE routers and see if they can ping each other. Is it just me or am I missing some configuration? Thanks.

Hello Ivan,

OSPF fast reroute is different from MPLS TE Fast Reroute. The idea is kinda the same but with MPLS TE fast reroute, we have a backup LSP.

BFD helps to quickly detect loss of an OSPF neighbor and LFA/FRR helps a lot when you lose a route. Some other things you can do to improve convergence times are playing with the different SPF/LSA timers. For example:

Incremental SPF is nice:

What issue do you have with the BGP PIC configs?


Hi Evan,

The CE routers in this example are using eBGP so if you add a new network on your CE routers and advertise it in BGP, you will be able to ping between the two CE routers.


Hi I’m having difficulties. My PE routers does not show anything when I tried the command show bgp ip because it only uses BGP for the VRF route unlike the examples in the BGP PIC lesson. And in the BGP PIC lesson there is no VRF. How can I use the BGP PIC with VRF?

Hello Ivan,

Where exactly do you want to use it? In the BGP examples I have shown, we use BGP PIC for failures in the core where PE routers have to find a different path to another PE router for the iBGP peering, or when a PE router fails.

When you use MP-BGP between PE-CE then you could use BGP PIC when the CE router is multihomed. Is that what you are looking for?




How the CE routes change to VPNV4 when we redistribute them under address family IPV4 ?

Why we are not redistributing under address family VPNv4 ?

In case if we use static routing between PE and CE and if I want to advertise CE loopbacks

In my PE should I need to include network statement under address family ipv4 or vpnv4 ?

Hi Devaprem,

In this lesson:

We do two-way redistribution:

PE1 & PE2
(config)#router bgp 234
(config-router)#address-family ipv4 vrf CUSTOMER
(config-router-af)#redistribute ospf 2
PE1 & PE2
(config)#router ospf 2
(config-router)#redistribute bgp 234 subnets

From OSPF into the correct MP-BGP address family, that’s how these routes become VPN routes. The router knows which RD to use for the VRF we specify.

If you want to add a static route, you can configure it with the ip route vrf command on the PE router and then redistribute it into the correct MP-BGP address- family, just like the OSPF example above.


Thanks Rene

Understand, so address family VPNv4 only used to activate MPBGP neighbor but all the prefixes will still be advertised under address family ipv4 vrf

I have another question , what will happen if VRF CUSTOMER configured with different RD value in PE2 but i still have Import RT statement to import CUSTOMER routes like below

PE2(config)#ip vrf CUSTOMER2
PE2(config-vrf)#rd 1:2
PE2(config-vrf)#route-target export 1:2
PE2(config-vrf)#route-target import 1:1

If this is the case, what is the behavior in control plane ? and what is the behavior in Data plane ?

Thanks again for your support , This blog is one of the best explanation i have ever seen for MPLS Layer 3 VPN and you keeping things very simple.