MPLS Layer 3 VPN Explained

19 posts were merged into an existing topic: MPLS Layer 3 VPN Explained

Hi, I too have the same doubt. But I heard somewhere that , nexthop will be but interface will be some “magic interface”. And transmit function of that “magic interface” will give it to the chip (MPLS L3VPN aware chip) (after adding transport and VPN label , I don’t know) and then chip will forward it. Means after PE1 (VRF 1), packet will travel in data plane and it will not come to the Kernel for forwarding. So after PE1 (VRF 1), we will not refer to Kernel routing table till PE2 (VRF 1).

Hope my explanation is clear. Rene to confirm the same ?

Hi Rene, please tell some use cases to explain, when to go with MPLS L2 VPN and when to go with MPLS L3 VPN.

Hello Harmeet

In essence, MPLS L2 and L3 VPNs will be used depending on the needs of the application. The needs in this case don’t depend so much on the actual protocols, but on whether you require a separate subnet for each remote site or if you require two or more sites to be on the same subnet.

It’s always a good idea to separate subnets and not to span them over WAN links, however, if the needs of the applications you are running require this, it can be done. It all depends on your requirements.

I hope this has been helpful!


Thanks Rene for the great article.

So VPN label only comes into picture when we use VRFs in PE routers? Please clarify.

By using RTs, it will place customer routes into respective RIB of VRFs, and then LIB will be derived from it. Now if we don’t have VPN label attached to the packet then it will not be part of MPLS forwarding table of that particular VRF and it doesn’t get the out going interface details so it doesn’t know where to send this packet!. Is my understanding correct?


Hi @kumaracp10,

Many thanks for your excellent question. If you are referring to MPLS labels, this is primarily used as a method to quickly switch IP packets within the MPLS core. This is the most basic feature of MPLS so it is used in all MPLS networks even if there is no VPN overlay. The 1st MPLS tag exists only to enable MPLS forwarding plane operations.

**If we decide to operate a VPN over MPLS, a second MPLS tag is added** to allow PEs to know how to efficiently forward incoming packets.

In MPLS there are two basic rules that help us unpick the architecture:

  1. Separate the control plane from the forwarding plane:
    Control plane: routes being shared between CE<==any routing protocol==>PE and PE<==BGP==>PE)
    Forwarding plane: MPLS labels applied to real customer packets full of customer data, to forward them efficiently.

  2. Always remember, packets with routes go one way, packet with useful customer data go the other way. “We send routes in order to receive data”.

I hope that helps a little to clarify. Kind regards,

Hi Rene,

I have couple of doubts.

  1. Why we need RD? We have for example VRF Red or VRF Blue which is separate from each other so why we are using RD to make the prefix unique.
  2. After using RD, PE Router will come to know which prefix will be import to which CE Router but again we are using RT here for import and export though we have RD.


Hello Manami

It is true that there is a VRF for each customer at each PE router. In the example in the lesson, Customer A sends a routing update to PE1. PE1 knows that this route belongs to customer A because it has come in on the interface connected to customer A. It is then placed in the appropriate routing table.

However, when PE1 redistributes this route to PE2, there is no way to distinguish which customer it belongs to. Both Customer A and B routing updates will go to PE2 via the same interface. So the RD is required so the PE router will know to which customer the routes belong.

Once the PE receives these routes, it knows to which customer they belong, however, it does not know what to do with it. The router will NOT automatically export each route to the correct customer VRF. This is why the RT is required.

Essentially, the RD makes the route unique (even if the same IP ranges are used) and the RT, by being added to all routes for the Customer A VRF, allow the routers to know which VRF to import and export to.

I hope this has been helpful!


Hi Laz,

Thank you. Awesome explanation.

I have one more doubt.

Why we are saying MPLS SP network to BGP Free Core? We are running iBGP in MPLS Network?

Can you please help me to understand.


Hi Manami,

We run iBGP but only on the PE (Provider Edge) routers. The P routers form the core, and those don’t run BGP.


Awesome simplified lessons here! I did not know forum has such in depth explanations too! Any plans for half duplex VRF explanation?

Glad to hear you like it :smile:

I might add something on half duplex VRF. I still have MPLS VPN hub and spoke on the list, adding half duplex to it shouldn’t be much work.

The Conclusion says “In the next lesson I will show you the configuration of everything that I explained above …”. The next lesson I see is “DMVPN”.

Hello Maodo.

The next lesson I see in the series is MPLS L3 VPN Configuration.
See the bottom right of the screenshot below:


If you see something different, let us know and we can look further into the problem.

I hope this has been helpful!


Hi lagapides,

I send you the printscreen of what I see at the bottom of the page displayed by the link :slight_smile:

Hello Maodo

Hmmm, that is strange. I’ll get @ReneMolenaar to take a look…



@kayoutoure @lagapides

Depending on the course category, you get to see a different menu. For example:

This is the same lesson but it belongs to both the “mpls” and “ccnp route” category. Depending on the category, you get a different menu. It is a bit confusing that the one in CCNP route says “in the next lesson…” and then it jumps to DMVPN so I changed the wording in the conclusion a bit. I didn’t add those extra MPLS VPN lessons in CCNP route since there isn’t much MPLS on the CCNP ROUTE blueprint. This is something I’ll keep an eye on in the future :smile:

Hi Guys,

Is the transport label part of the MPLS header or the IP header?

Is the VPN label part of the MPLS header or the IP header?

Just wanted to clarify,



Hello Gareth

Terminology can get a little hazy when talking about headers and labels and fields etc. I will attempt to clarify.

When an IP packet is recieved by a PE, a transport label, or MPLS label is added in front of the IP header (between the datalink and IP headers). This transport label can be considered an MPLS header which contains the label value, QoS markings, a Bottom of Stack flag and a TTL. This is not part of the IP header, but it is actually the MPLS header or label itself.

When MPLS VPN is used, an additional header/label is added. This is the VPN label. This is not part of the IP header or the MPLS header but it is an independant entity.

Essentially, when using MPLS, (depending on what text you read and who you ask), these labels may or may not be considered headers. Labels would probably be the best characterization, and it is the most often used term because they basically add a bit of information that allows MPLS and MPLS VPN to function.

I hope this has been helpful!


Thanks Rene,

Hi Rene,
I am afraid I still don’t understand one thing- why do we need vpn label if we have RT’s ?

It was said the router wouldn’t know what VRF the route belongs to… well:
When PE1 advertises the route to PE2 , PE2 knows what VRF to install it thanks to Route Target value.
So the MPLS VPN label seems to be redundant as the BGP can figure the VRF out based solely on the Route Targets …

( I know I am confused in Data and Control Plane, so if you can please give a detailed explanation for the reason why we require VPN Label though we have RT’s )
Thank you.