MPLS Layer 3 VPN Configuration

(Rene Molenaar) #21

Hi Siva,

You should use a /32 subnet mask on your loopback interfaces yes:


(Ersin E) #22

Hello Rene,

If a layer 3 vpn customer has 3 different locations and each locations terminate on different PE Router, What happens if the ip addresses for 2 different locations are the same but rd is different? So vpnv4 Route will be unique but 3rd location send a packet to an ip address on other locations, What we should expect technically? Which RD will be added to the destination ip prefix?

(Rene Molenaar) #23

Hi Ersin,

You will run into issues. The RD is used to create unique VPN routes in the MPLS “domain”. The customers are using regular IP so you will have the same problems there as without MPLS, overlapping subnets and duplicate IP addresses.


(NAFEEZ I) #24

Hi Rene,
Looking forward to your lessons on VPLS :slight_smile:

(amy c) #25

It’s very good clear article. My questions is that whether the VPN label always with the “bottom of stack : 1” instead of 0? What’s the difference when router assign the VPN label and Transport label?
BTW, Can you please add the lecture about “CSC”, carrier support carrier?

(amy c) #26


I am also very interested into the topic of MPLS -TE.

Thank you in advance.

(Andrew P) #27

The VPN label will always be at the bottom of the stack. The top label will always be the transport label. The reason for this is an order of operations issue. The BGP VPNV4 (or VPNV6) process has its own label that is tagged first, then it is encapsulated within MPLS in order for the packet to traverse the MPLS LSP (label switch path).

As the packet is moving across the LSP, the MPLS routers will perform label switching on the Transport (top) label until the packet reaches the next to last router (the router right before the Provider Edge). This router will perform the “PHP” (penultimate hop pop) to remove the Transport label.

Once the Transport label is removed, the only label left is now the VPNV4 (or VPNV6) label which is presented to the MPLS PE. Since it is acting as the MPLS L3 VPN tunnel endpoint, it will process that VPNV4 (or 6) label to ensure it gets to the correct VRF, and ultimately, the customer on the other end.

(Ahmad D) #28

Hi Rent,

This is amazing posting. One question: why the prefix did not show up in the output of this command:

PE1#show bgp vpnv4 unicast vrf CUSTOMER summary

However it showed up in the output of this command:

PE1#show bgp vpnv4 unicast vrf CUSTOMER

and vice versa for this prefix

May be because the output is truncated !!



(Andrew P) #29

The difference is the “summary” keyword. When you use the summary, the output shows you general statics about routes received from a VPNV4 neighbor for the VRF, not the details of each route received. When you leave off the “summary” each individual route learned within the VRF specified is listed.

(ASWIN S) #30


Have a quick question on those TTL values on MPLS header, I know that in the ingress node TTL will be copied from IP to MPLS header. My question is will it be copied in MPLS header that carries VPN label ?

Though copying it to VPN label is no use here, but my actual question is if I have label stack of multiple labels for transport, Will the TTL value in all those MPLS header decrements in each node ?


(Andrew P) #31

Hi Aswin,
I just tested this in the lab, and here are the results:

From the source PE, the bottom and top label start off with the same TTL - 255 or 254 (depending on where you are looking), and as the packet moves across the network, only the top label (the MPLS transport label) decrements. The bottom label’s TTL does NOT change.

(Abhishek D) #32

thx a ton. it clarifies.
btw what is the meaning of “Normally when you use iBGP between two routers, the next hop address does not change automatically”.


(Rene Molenaar) #33

Hi Abhishek,

Some routing protocols change the next hop IP address of a prefix to their own IP address when they advertise it to another router. iBGP doesn’t do this.


(Thomas H) #34

Hey Rene,

When i issue the command show mpls interfaces i don’t get the (ldp) as you do in the lab.
its the same on any router, PE1,P and PE2 did i forget something

Interface              IP            Tunnel   BGP Static Operational
FastEthernet0/0        Yes           No       No  No     Yes        
FastEthernet0/1        Yes           No       No  No     Yes
Interface              IP            Tunnel   BGP Static Operational
FastEthernet0/0        Yes (ldp)     No       No  No     Yes        
FastEthernet0/1        Yes (ldp)     No       No  No     Yes

(Paul L) #35

Wow - Great Lesson : setup a similar lab tonight and everything worked! It’s amazing how the Route-Targets act like gates allowing you to control where traffic flows across the Provider network. One note I found, because I had several PE’s in my configuration, I had to turn off console logging until I deactivated ipv4 on all PE’s. Once I deactivated all neighbors on the PE’s, I was able to enable logging and move through the lesson.

(Paul L) #36

Attached is my Lab

(Rene Molenaar) #37

@Thomas what IOS version are you using? I believe I used IOS 15.x for these examples. It might be different for 12.4.

@Paul seems you forgot the attachment :slight_smile:


(Adrian T) #38

Thank you for this tutorial :slight_smile:

Looking forward for inter AS MPLS L3 VPN

(Networklessons Admin) split this topic #39

19 posts were merged into an existing topic: MPLS Layer 3 VPN Configuration

(Marek O) #40

Hi Rene,
First of all- thank you for your amazing job !!!
I just started working for a service provider and I am trying to figure out how MPLS VPN’s work, I have a problem understanding a (probably basic for you) concept :
- Is the VPN label created based on the Route Targets or on VRF’s ? -I mean -if the customer wants to have some routes to be kept within their network and some to be shared with other customers, then he would use the same Route Distinguisher but different Route Targets ? - is that correct?
Wouldn’t you have to have something like ‘VPN label to Route Target’ table on the router ?
Thank you