MPLS Layer 3 VPN Explained

Hello Pradyumna

These are different processes that don’t have an order of operations. RDs and RTs are information that is exchanged between PE routers. RDs are used to maintain uniqueness among identical prefixes in different VRFs, while RTs are used to control the import and export of routes between VRFs. This is info exchanged between BGP routers. All of this takes place on the control plane, that is, an exchange of information between routers so they are sufficiently informed to route traffic correctly.

The VPN label however is something that is added to the actual data being sent on the data plane and is described thoroughly in this section of the lesson.

So RT and RD are pieces of information exchanged between PE routers (control plane), and the VPN label is something added to the actual traffic (data plane).

I hope this has been helpful!


Hello Min

RT and RD values do not have to be the same. They are two independent parameters, but they do use the same format. In general however, it is best practice to use the same values to simplify configuration and understanding, but this is not a requirement for correct functionality and operation.’

I hope this has been helpful!


Hi Laz,

1)I am still confused that why VPN label is required b/c as per RT route will be imported/exported in to correct vrf post that a/c to routing table information route ip packet will be forwarded to customer? please clarify this.

  1. I am also confused regarding at what end route will be imported and exported in to
    correct vrf as per our mentioned topology?

Hello Pradyumna

The RT is used to import and export a route. This has to do with the sharing of routes between the PE and CE routers, and is strictly on the control plane. The purpose and need of the VPN label is clearly stated in section 3. Transport and VPN Label of the lesson. There Rene states:

In the header of this IP packet, there’s nothing that will help PE2 decide where to forward it to.

… and he is referring to when PE2 receives an IP packet for when this network exists on multiple customers. This is why the VPN label is needed, and this is a function of the data plane.

Routes will be imported and exported at the PE routers.

I hope this has been helpful!


Hello, I need some clarification on a couple of things related to route targets (RTs).

First, I’m not 100% clear on the concept of importing and exporting RTs. Is that always from the perspective of the PE?

For example, using you’re diagram, we have CustA and CustB attached to PE1 and PE2. When PE1 receives a packet from CustA, when it attaches a RT to that packet, is that considered an import or export action? Likewise, when PE2 receives that packet from PE1 and sends it on to the CustA router that its attached to, is that an import or export action?

My second question is this:

I’ve read the route-distinguishers have local significance only but the RTs are unique. Must the same RT be used everywhere for a given VRF (or I guess more specifically, a given VPNv4 route)?

Let’s say I configure a RT of 100:100 on PE1 for the CustA router attached to it:

vrf definition CustA 
 route-target both 100:100

If the customer also had routers in the same VRF attached to PE2-PE5, must I also use this same RT in those PE routers in order for all CustA routers to be able to communicate?

vrf definition CustA 
 route-target both 100:100

Related to the above questions, I was doing some labbing and found that I can assign the same RT to multiple RDs. In this “article” (MPLS Layer 3 VPN Explained), it showed how PE1 added the RT on a packet coming in from CustA, sent it to PE2 which then looked at the RT to export it to the CustA router. During this process, would it distinguish between identical route tags by also looking at the RD contained in the NLRI? Is that the reason the same RT can be associated with multiple RDs?

Hello Buck

The importing and exporting of routes is not part of the routing process of actual packets, but is involved in the advertising of prefixes. In other words, the import and export actions don’t take place on the data plane, as your post suggests, but on the control plane. The import and export actions are taken by the PE routers.

For example, PE1 adds, 123:1 to routes from Customer A on the left, then when PE2 checks the vpnv4 BGP table it can choose to pick out, or IMPORT routes that have this 123:1 value and put them into a separate VRF table for Customer A. So importing involves using the RT to place the VPNv4 route in the appropriate VRF.

Exporting is the opposite, when a PE router receives a route from a CE router on a particular VRF, it uses that VRF to assign an RT before sending the advertisement to other PE routers.

Remember, importing and exporting involves only the route advertisements in order to correctly populate BGP/routing tables.

It’s important to understand the role of each one in order to understand the scope of each. RDs are used purely for the purpose of ensuring routes are unique per VPN. The routes found within the BGP VPNv4 unicast table on a particular PE should be unique, and that’s what the RD does. They must be unique for different VRFs on the same PE, but for two corresponding VRFs on two different PEs, they may or may not be the same, it does not really matter.

The route-target on the other hand is used to identify a subset of routes within the BGP vpnv4 unicast table that should be used in a VRF for a particular customer. So on a per-customer basis, the RTs should be unique across all PEs serving a particular customer.

Again, in this case, we’re not talking about operations that take place on the data plane, but on the control plane. Also, we don’t assign RTs to RDs, but RDs are assigned to prefixes, while RTs identify which VRF prefixes belong to. Looking at it from this context may change your question somewhat.

This post was a little long-winded, but I hope it was useful for you. If you need any additional clarifications, please don’t hesitate to ask!

I hope this has been helpful!


How does the Label switch router know it is the penultimate hop?


Hello Nihar

Each PE will know what prefixes belong to which customer routers that are directly connected to it. For these prefixes, the PE router will advertise an implicit null label to its P neighbor. This indicates to the P neighbor router (which is the penultimate hop router for those customer networks) that for that particular prefix, penultimate hop popping should take place before sending the packet to the PE router.

I hope this has been helpful!


I understand following:
RD is a part of Control plane, and it makes prefix unique.
RT is a part of Control plane.
VPN label is a part of Data plane, responsible for packet forwarding.
I cant understand difference between RT (control plane) and VPN label (data plane).
Can you explain me the sentence:The VPN label is attached to a VRF because of route targets.?
I found this, too:
On the control plane, we use route-targets to define where to import/export a route to. It’s nice that the router knows what to do when it receives a packet, but we still need to get that packet to that router…
Thanks in advance,

Hello Marina

The RT is related to the VPN label in the following way. An RT is used to let the PE router know to which customer, or more specifically to which VRF a particular route belongs. Take a look at the following diagram:

Both PE1 and PE2 have been configured with a VRF that corresponds to Customer A. This means that routes advertised from CE1 to PE1 will have an RT of 123:1, which corresponds to VRF CustA. When such a route is advertised across the MPLS network and it reaches PE2, it needs to export this route. It is exported to the VRF that corresponds with the configured RT. It will probably make more sense if you configure it yourself and see it in action. In the 1.2 VRF on the PE routers section of the MPLS Layer 3 VPN Configuration lesson, you will see that the RT is actually configured in the VRF configuration mode like so:

PE1(config)#ip vrf CustA
PE1(config-vrf)#route-target both 1:1

More detail about this command can be found in the lesson link above.

And this is what is meant by the phrase: “The VPN label is attached to a VRF because of route targets.” The RT corresponds to a particular VRF so that PE routers know to which VRF, and thus to which customer routes should be imported/exported to/from.

I hope this has been helpful!


Can we use different RD for same customer or is there any rule to use same RD to connect all sites of customer with same RD ?WHY

Hello Pradnesh

You must configure an RD per VRF, and you can only configure one VRF per interface that connects to a customer router. So if you want to configure more than one RD on a particular customer you must have more than one interface on a PE router connecting to a particular customer premises.

Having said that, what is it that you want to achieve? By assigning different RDs to the same customer, what do you actually want to do? If you let us know that, we may be able to suggest something else that is more suitable…

I hope this has been helpful!


Hey rene,

During the lesson you keep writing about prefix.
Is a prefix consists the IP address which is 32 bits long or both the IP address and the subnet mask which are 64 bits long combined.

At first place I assumed you meant just the IP address portion but after i saw your diagram I got a bit confused.

Can you please clarify it to me?

Hello Dor

The prefix is the destination network and is denoted using the network address. In the context of MPLS, but also when referring to routing protocols and routing tables, the word prefix is almost always used to describe the destination network. You can find prefixes in the routing table, the BGP table, the MPLS forwarding table, and you can also find them in the routing updates sent by dynamic routing protocols.

For example, in the lesson, is a prefix that is shared among routers on the network using MPLS.

I hope this has been helpful!


Hello Rene,

First of all thanks for the content.

Not really sure, but ins’t an error on the example 2.2 RT (Route Target)

CE advertise prefix PE1 tag the route with the rt I will tent to say this is the export isn’t it ? Then PE2 receives the prefix then import into the vrf and advertise to CE2 instead of exporting, could you please clarify?


Hey Laz,

Thank you for the quick respone.

Following your answer, reffering to MPLS, for example - (prefix), then how is the prefix 32 bit long if only the ip address (excluding the CIDR) is already 32 bits long?

Hello Luis

The terms import and export have to do with the specific commands placed within the VRF used for the particular customer connected to that PE router. The route-target export command is used to export routes from the CE into the PE router and the MPLS domain. The route-target import command is used to import routes into the CE from the PE.

Now because often the same RT is used for both import and export, this is hard to see. Take a look at the following lesson:

In it, different RTs are used for import and export. You will notice that PE1 uses the 1:1 route target to export prefixes from CE1, and when PE2 receives these, they are indeed appended to RT 1:1 (and not to 2:2 which is the RT for the import command).

I hope this has been helpful!


Hello Dor

The VPNv4 Address is something that contains the RD (64 bits) and the IPv4 Prefix (32 bits). This refers to a particular prefix from a customer. The VPNv4 addresses are advertised between PE routers. Now it is confusing how this VPNv4 address contains information about the prefix length since it is 96 bits in length, there doesn’t seem to be any room for the prefix length information. If you take a look at the BGP prefix within the NLRI in a Wireshark capture, you’ll see that the Prefix Length is one of the parameters there.

For example, take a look at this NLRI information:

The prefix length includes the size of the label as well, which is 24 bits.

So for the first BGP prefix, we have with a prefix length of 120:

  • label = 24 bits
  • RD = 64 bits
  • IPv4 prefix = 32
  • total = 120

For the second BGP prefix, we have with a prefix length of 112:

  • label = 24 bits
  • RD = 64 bits
  • IPv4 prefix = 24
  • total = 112

Why is the IPv4 prefix 24? Well, it’s, which means the last 8 bits are zeros, which means the prefix ends there.

I hope this has been helpful!


Hey lagapides,

Thank you for the detailed response.

The 32 bit prefix has confused me a lot, so i hope Rene would fix it.

As i see it, the RD is just to make the prefix unique whereas the RT is added to make the prefix exchangeable between the PE’s in the same VRF,
Am I right?

Hello Laz,

Thanks for tour feedback, I got the points about the RT, but if we refer to image below for me is kind of fuzzy:

The step 2 talks about exporting the rt 123:1 on PE2 into vrf CustA, isn’t PE1 already doing this and PE2 importing it, to then advertise prefixes to CE router.