MPLS Layer 3 VPN Explained


one question regarding import/export of routes. In the article you are saying that “PE2 is configured to export all VPNv4 routes that use RT 123:1 into VRF CustA”. Here you are saying ‘export’ and on the second illustration in the Section 2.2 there’s an ‘import’ tag under the arrow so I am little confused how this actually works.

Does this mean that the import/export sequence actually looks like this:

PE1: Imports routes from Customer A site 1 with the ‘export’ tag into the shared VRF and advertise them to PE2.
PE2: Exports received routes from the shared VRF with the ‘import’ tag into the routing table of Customer A site 2

Is my understanding correct?

Hello Ivan

Take a look at this post:

If you have any further questions, feel free to let us know!!

I hope this has been helpful!


Hi , i have a question , RD is to locally distinguish the same routes from two different customers on local PE router , then why we need to send the RD in VPNV4 NLRI to the far END PE router as far END PE router will check the RT value and install the route in the related VRF where this RT is imported. In simple way why the far end PE routers need the RD value.

Hello Masaud

Take a look at this post:

I hope this has been helpful!


which one will be checked and popped first RT or VPN Label ?
please explain this.

Hello Ali

When PE2 receives the packet, it examines the VPN label. Using the configured route targets, it “attaches” that VPN to the VRF. Once that is known, the VPN label is popped, and the next hop router (customer router) is determined via the VRF, and the packet is forwarded.

I hope this has been helpful!



I might still not understand the difference between RD and RT.

We want to make sure that the routes are unique. So, we use different RDs for each customer.

So why did you say we still need RT? Do we need RT because each customer may have different VRFs? Or even if each of our customers has one VRF, we still need RT?

Hello Part

The difference between the RD and RT can be confusing, and it is a common issue required to get your head around.

In an MPLS Layer 3 VPN environment, both the RD and the RT are used to facilitate the exchange of routing information between different VPNs and customers across a shared MPLS network. Each one serves a different purpose:

The RD is a unique identifier added to the customer’s prefix to create a unique VPNv4 address. This address is used to differentiate between routes from different VPNs or customers with overlapping IP address space. RDs ensure that the MPLS network can distinguish between routes from different customers even if they use the same IP address prefixes.

For example, when you see the VPNv4 address of 123:10, it is unique within the whole MPLS topology, and PE routers know to which customer it belongs.

Now an RT on the other hand is actually a BGP extended community attribute that is used to control the distribution of VPN routing information between PE routers. The RT acts as a tag for VPN routes, and it is attached to the BGP update messages. There are two types of Route Targets: import RT and export RT.

  • Import RT: A PE router imports VPN routes with an import RT that matches the import RT specified in its VRF table. In this way, the import RT controls which routes are imported into a specific VRF.
  • Export RT: A PE router exports VPN routes by attaching an export RT to them. The export RT controls which routes are shared with other PE routers.

So the RT is involved in corresponding the VPNv4 addresses with the appropriate VRF, allowing the import and export of those routes to the appropriate VRF.

So then an RD is used to create unique VPNv4 addresses to differentiate overlapping routes from different customers, while the RTs are used to control the distribution of VPN routes to the appropriate VRFs between PE routers.

I hope this has been helpful!


Hello Rene,
You did very good Excellent the explanations but i think when you do explanation with real lab i mean configuration then it will be very perfect.

Hello Mohamad

I’d like to thank you on behalf of Rene for your kind words. This particular lesson is used just to introduce the concept of MPLS Layer 3 VPNs. In the very next lesson, you will see this feature being configured on a topology with configurations. You can take a look at that lesson at the following link:

And in many subsequent lessons after that, you will see how MPLS L3 VPN can be configured with various other scenarios, including using multiple routing protocols between the PE and CE devices.

I hope this has been helpful!


Hi Laz,

In the statement “Do you want to give customer B access to the networks behind CE3 of customer A? Just import and export some RTs and it’s done.” How it is configured?


Hello Ariel

This particular lesson describes the MPLS Layer 3 VPN configuration in theory. If you want to see how it can practically be implemented, take a look at the very next lesson in the series:

There you will get the answer to your question, and a whole lot more. The subsequent lessons further describe how to configure MPLS L3 VPN with various routing scenarios and options.

I hope this has been helpful!


Hello, everyone!

I’ve gone over this article several times and I am kind of still confused… :smiley: Especially when it comes to RDs and RTs.

Following this topology

PE1 advertises the prefixes to PE2 and PE2 has no clue to which customer this is destined for. Rene then said that RDs can be used to create unique prefixes.

Yet after creating unique prefixes PE2 still doesn’t know which customer to send it to, so we need RT?

This is the part that confuses me. Why is both RT and RD needed? Why can’t we just use one that will be able to tell the router which VRF the prefix is destined for?

Why couldn’t we just say
“Hey, everything identified by RD 113:10 should be sent to VRF-A”.

I’ve gone through a lot of explanations on the internet and it still confuses me a bit because I’m having trouble visualizing it. Could someone explain this to me?

Thank you in advance.


Hello David

Indeed, the roles of RTs and RDs and the difference between them is not that simple to understand.

Route Distinguishers are used to allow PE routers to determine to which customer a particular prefix belongs.

Route Targets are used to allow PE routers to control the distribution of VPN routes to the appropriate VRF.

Take a look at the following NetworkLessons notes for more details, and if you have further questions feel free to ask!

This post may also be useful:

I hope this has been helpful!


Hi Rene,

I am having trouble understanding the difference between RT and VPN label. The lesson mentions: “We use something called a RT (Route Target) to decide in which VRF we import and export VPNv4 routes.”

If we have RT, why do we need a VPN label? If both RT and VPN labels are advertised from PE1 to PE2, why do we need VPN label?

Hello Janhavi

The concept of RTs and VPN labels can get confusing. The distinction between the roles of VPN labels and RTs in MPLS L3 VPNs essentially boils down to the separation of control plane and data plane functionalities.

  • VPN Labels are used in MPLS to forward data packets over an MPLS network and to which VPN the packet belongs. As such, VPN labels operate in the data plane. They involve the forwarding of the actual user data across the network.
  • Route Targets (RTs) control the import and export of VPN routes between PE routers. As such, RTs operate on the control plane. An RT can be thought of as a tag or a stamp that is attached to a VPN route when it is exported from a VRF on a PE router. Other PE routers will use this RT to determine if they should import the route into one of their VRFs. This process has to do with the exchange of routes to populate the correct routing table in the correct VRF.

While it might seem redundant to have both VPN labels and RTs, this separation provides robustness, flexibility, and scalability to MPLS L3 VPNs. Does that make sense?

I hope this has been helpful!



Why P Route changed Label to 16 and not 19?

Hello Karen

Labels in an MPLS topology are assigned dynamically using LDP. There is no specific meaning to each label, however, the labels have only a local significance. So if during a label swap, a particular number is used instead of another, it really makes no difference.

I was looking at the lesson and I was unable to find the instance where a label of 16 was assigned instead of 19. If I have not sufficiently answered your question, can you clarify what particular situation in the lesson you are referring to?

I hope this has been helpful!


Thanks Lazaros for response,

So when you say dynamically - you imply that number of label can be random? it could be 19 or it could be 25?
I just though that it starts with 16 and is always swamped with next digit for example 16 , then 17 , then 18 . 19 etc…

Hello Karen

Well, it’s not quite random, but it is definitely not sequential. Label swapping is a fundamental part of MPLS operation, but the label numbers used in this process are determined by each router independently and are based on their local label information base (LIB), rather than following a sequential order.

Keep in mind that each router in the network independently assigns labels for the routes it knows about. This assignment is based on the router’s local policies and the label space available to it.
As a result, the label numbers assigned by different routers for the same destination are usually different and do not follow a sequential pattern.

As a packet traverses an MPLS network, each router along its path swaps the incoming label with a new label before forwarding the packet to the next router. This swapping process is based on the router’s label forwarding information base (LFIB), which contains mappings of incoming labels to outgoing labels and next hops. The outgoing label is chosen by the router to ensure proper forwarding along the predetermined path, but it is not related to the incoming label in a sequential manner.

I hope this has been helpful!