MPLS Layer 3 VPN Explained

Hello Ali

When PE2 receives the packet, it examines the VPN label. Using the configured route targets, it “attaches” that VPN to the VRF. Once that is known, the VPN label is popped, and the next hop router (customer router) is determined via the VRF, and the packet is forwarded.

I hope this has been helpful!



I might still not understand the difference between RD and RT.

We want to make sure that the routes are unique. So, we use different RDs for each customer.

So why did you say we still need RT? Do we need RT because each customer may have different VRFs? Or even if each of our customers has one VRF, we still need RT?

Hello Part

The difference between the RD and RT can be confusing, and it is a common issue required to get your head around.

In an MPLS Layer 3 VPN environment, both the RD and the RT are used to facilitate the exchange of routing information between different VPNs and customers across a shared MPLS network. Each one serves a different purpose:

The RD is a unique identifier added to the customer’s prefix to create a unique VPNv4 address. This address is used to differentiate between routes from different VPNs or customers with overlapping IP address space. RDs ensure that the MPLS network can distinguish between routes from different customers even if they use the same IP address prefixes.

For example, when you see the VPNv4 address of 123:10, it is unique within the whole MPLS topology, and PE routers know to which customer it belongs.

Now an RT on the other hand is actually a BGP extended community attribute that is used to control the distribution of VPN routing information between PE routers. The RT acts as a tag for VPN routes, and it is attached to the BGP update messages. There are two types of Route Targets: import RT and export RT.

  • Import RT: A PE router imports VPN routes with an import RT that matches the import RT specified in its VRF table. In this way, the import RT controls which routes are imported into a specific VRF.
  • Export RT: A PE router exports VPN routes by attaching an export RT to them. The export RT controls which routes are shared with other PE routers.

So the RT is involved in corresponding the VPNv4 addresses with the appropriate VRF, allowing the import and export of those routes to the appropriate VRF.

So then an RD is used to create unique VPNv4 addresses to differentiate overlapping routes from different customers, while the RTs are used to control the distribution of VPN routes to the appropriate VRFs between PE routers.

I hope this has been helpful!


Hello Rene,
You did very good Excellent the explanations but i think when you do explanation with real lab i mean configuration then it will be very perfect.

Hello Mohamad

I’d like to thank you on behalf of Rene for your kind words. This particular lesson is used just to introduce the concept of MPLS Layer 3 VPNs. In the very next lesson, you will see this feature being configured on a topology with configurations. You can take a look at that lesson at the following link:

And in many subsequent lessons after that, you will see how MPLS L3 VPN can be configured with various other scenarios, including using multiple routing protocols between the PE and CE devices.

I hope this has been helpful!


Hi Laz,

In the statement “Do you want to give customer B access to the networks behind CE3 of customer A? Just import and export some RTs and it’s done.” How it is configured?


Hello Ariel

This particular lesson describes the MPLS Layer 3 VPN configuration in theory. If you want to see how it can practically be implemented, take a look at the very next lesson in the series:

There you will get the answer to your question, and a whole lot more. The subsequent lessons further describe how to configure MPLS L3 VPN with various routing scenarios and options.

I hope this has been helpful!