MPLS Layer 3 VPN Explained

Hi Rene,

I have a couple of doubts.

  1. Why do we need the RD? We have, for example, VRF Red or VRF Blue, which are separate from each other, so why are we using the RD to make the prefix unique?
  2. After using the RD, the PE router will come to know which prefix will be imported to which CE router, but again we are using the RT here for import and export even though we have the RD.

Thanks,
Manami

Hello Manami

It is true that there is a VRF for each customer at each PE router. In the example in the lesson, Customer A sends a routing update to PE1. PE1 knows that this route belongs to customer A because it has come in on the interface connected to customer A. It is then placed in the appropriate routing table.

However, when PE1 redistributes this route to PE2, there is no way to distinguish which customer it belongs to. Both Customer A and B routing updates will go to PE2 via the same interface. So the RD is required so the PE router will know to which customer the routes belong.

Once the PE receives these routes, it knows to which customer they belong; however, it does not know what to do with them. The router will NOT automatically export each route to the correct customer VRF. This is why the RT is required.

Essentially, the RD makes the route unique (even if the same IP ranges are used) and the RT, by being added to all routes for the Customer A VRF, allows the routers to know which VRF to import and export to.

I hope this has been helpful!

Laz

1 Like
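
The RD and RT roles described in this reply, as an added example that is not part of the original post or the lesson: a small Python model of PE2's BGP table and VRF import step, with the RD included in the table key and with it left out. The RD and RT values, VRF names and class names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str                        # route distinguisher (constructed value)
    prefix: ipaddress.IPv4Network  # customer IPv4 prefix
    route_targets: frozenset       # RTs attached as extended communities
    next_hop: str                  # advertising PE


class Pe:
    def __init__(self, name):
        self.name = name
        self.vrfs = {}       # VRF name -> RD, export RTs, import RTs, RIB
        self.bgp_table = {}  # one entry per unique key

    def add_vrf(self, vrf, rd, export_rts, import_rts):
        self.vrfs[vrf] = {"rd": rd, "export": frozenset(export_rts),
                          "import": frozenset(import_rts), "rib": {}}

    def export(self, vrf, prefix):
        v = self.vrfs[vrf]
        return Vpnv4Route(v["rd"], ipaddress.ip_network(prefix),
                          v["export"], self.name)

    def receive(self, route, use_rd=True):
        # With the RD the key is RD + prefix; without it, overlapping
        # customer prefixes overwrite each other in the table.
        key = (route.rd, route.prefix) if use_rd else route.prefix
        self.bgp_table[key] = route

    def import_routes(self):
        # The RT, not the RD, decides which VRF a route is installed in.
        for route in self.bgp_table.values():
            for v in self.vrfs.values():
                if route.route_targets & v["import"]:
                    v["rib"][route.prefix] = route.next_hop


def demo(use_rd):
    pe1, pe2 = Pe("PE1"), Pe("PE2")
    for pe in (pe1, pe2):
        pe.add_vrf("CustA", "1:1", ["1:100"], ["1:100"])
        pe.add_vrf("CustB", "1:2", ["1:200"], ["1:200"])
    for vrf in ("CustA", "CustB"):  # both customers use 10.0.0.0/24
        pe2.receive(pe1.export(vrf, "10.0.0.0/24"), use_rd)
    pe2.import_routes()
    ribs = {n: sorted(map(str, v["rib"])) for n, v in pe2.vrfs.items()}
    return len(pe2.bgp_table), ribs
```

`demo(True)` keeps both customers' routes; `demo(False)` leaves Customer A's VRF empty because Customer B's identical prefix replaced it before import.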

Hi Laz,

Thank you. Awesome explanation.

I have one more doubt.

Why are we calling the MPLS SP network a BGP Free Core? We are running iBGP in the MPLS network?

Can you please help me to understand?

Thanks,
Manami

Hi Manami,

We run iBGP but only on the PE (Provider Edge) routers. The P routers form the core, and those don’t run BGP.

Rene

Awesome simplified lessons here! I did not know the forum has such in-depth explanations too! Any plans for a half duplex VRF explanation?

Glad to hear you like it :smile:

I might add something on half duplex VRF. I still have MPLS VPN hub and spoke on the list, adding half duplex to it shouldn’t be much work.

The Conclusion says “In the next lesson I will show you the configuration of everything that I explained above”. The next lesson I see is “DMVPN”.

Hello Maodo.

The next lesson I see in the series is MPLS L3 VPN Configuration.
See the bottom right of the screenshot below:

image

If you see something different, let us know and we can look further into the problem.

I hope this has been helpful!

Laz

Hi lagapidis,

I am sending you a print screen of what I see at the bottom of the page displayed by the link :slight_smile: https://networklessons.com/cisco/ccnp-route/mpls-layer-3-vpn-explained/MPLS_NetworkLessons

Hello Maodo

Hmmm, that is strange. I’ll get @ReneMolenaar to take a look


Thanks!

Laz

@kayoutoure @lagapidis

Depending on the course category, you get to see a different menu. For example:


This is the same lesson but it belongs to both the “mpls” and “ccnp route” category. Depending on the category, you get a different menu. It is a bit confusing that the one in CCNP route says “in the next lesson” and then it jumps to DMVPN, so I changed the wording in the conclusion a bit. I didn’t add those extra MPLS VPN lessons in CCNP route since there isn’t much MPLS on the CCNP ROUTE blueprint. This is something I’ll keep an eye on in the future :smile:

Hi Guys,

Is the transport label part of the MPLS header or the IP header?

Is the VPN label part of the MPLS header or the IP header?

Just wanted to clarify,

Thanks,

Gareth.

Hello Gareth

Terminology can get a little hazy when talking about headers and labels and fields etc. I will attempt to clarify.

When an IP packet is received by a PE, a transport label, or MPLS label, is added in front of the IP header (between the datalink and IP headers). This transport label can be considered an MPLS header which contains the label value, QoS markings, a Bottom of Stack flag and a TTL. This is not part of the IP header, but it is actually the MPLS header or label itself.

When MPLS VPN is used, an additional header/label is added. This is the VPN label. This is not part of the IP header or the MPLS header but it is an independent entity.

Essentially, when using MPLS, (depending on what text you read and who you ask), these labels may or may not be considered headers. Labels would probably be the best characterization, and it is the most often used term because they basically add a bit of information that allows MPLS and MPLS VPN to function.

I hope this has been helpful!

Laz

Thanks Rene,

Hi Rene,
I am afraid I still don’t understand one thing: why do we need the VPN label if we have RTs?

It was said the router wouldn’t know what VRF the route belongs to, well:
When PE1 advertises the route to PE2, PE2 knows what VRF to install it in thanks to the Route Target value.
So the MPLS VPN label seems to be redundant, as BGP can figure the VRF out based solely on the Route Targets.

(I know I am confused about the Data and Control Plane, so if you can, please give a detailed explanation of the reason why we require the VPN label though we have RTs.)
Thank you.

Hi Guys,

To encrypt traffic passing through the service provider, can we implement IPsec on an MPLS VPN network at the CE routers, since MPLS does not offer confidentiality?
Does the CE need to route data identified to be encrypted through the service provider in a virtual tunnel?

Thanks.

Simple, thorough and to the point. Wonderful. Been looking for this. Thanks Rene. Tom

1 Like

René,

I don’t understand this topic: BGP extended community value.
Please can you explain it in detail?

Hi Samil,

To understand this, you need to have a clear understanding of the difference between the control and data plane. Simplified, the control plane is for “routing” or “forwarding” decisions, the data plane is where the actual forwarding happens.

On the control plane, we use route-targets to define where to import/export a route to. It’s nice that the router knows what to do when it receives a packet, but we still need to get that packet to that router.

For the actual forwarding (data plane), we use labels to “switch” a packet from one router to another. It is explained in detail here:

Look for the “Transport and VPN label” section.

Rene
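
The data-plane side of this answer, together with the label fields (label value, QoS markings, Bottom of Stack flag, TTL) listed earlier in the thread, as an added example that is not part of the original posts or the lesson: it encodes the transport and VPN labels as 32-bit label stack entries (RFC 3032 layout) and follows one packet from PE1 through a P router to PE2. Label numbers, VRF names, the label-to-VRF table and the function names are constructed for illustration.

```python
import struct


def encode_entry(label, tc, bottom, ttl):
    """Pack one entry: 20-bit label, 3-bit traffic class, 1-bit S, 8-bit TTL."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def decode_stack(data):
    """Return (entries, payload); stop at the entry with bottom-of-stack set."""
    entries, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", data, off)
        off += 4
        entries.append({"label": word >> 12, "tc": (word >> 9) & 7,
                        "bottom": bool(word & 0x100), "ttl": word & 0xFF})
        if entries[-1]["bottom"]:
            return entries, data[off:]


# Constructed result of the control plane on PE2: the VPN label that PE2
# advertised with each VPNv4 route, mapped to the VRF it belongs to.
PE2_VPN_LABELS = {21: "CustA", 22: "CustB"}


def ingress_pe1(ip_packet, vpn_label, transport_label):
    # Inner VPN label (S=1) chosen by PE2; outer transport label reaches PE2.
    return (encode_entry(transport_label, 0, False, 255)
            + encode_entry(vpn_label, 0, True, 255) + ip_packet)


def p_router_swap(frame, out_label):
    # A P router rewrites only the top entry; it never reads the VPN label
    # or the customer IP header, so it needs no customer routes.
    top = decode_stack(frame)[0][0]
    return encode_entry(out_label, top["tc"], top["bottom"], top["ttl"] - 1) + frame[4:]


def egress_pe2(frame):
    # The bottom entry is the VPN label; it selects the VRF for the IP lookup.
    entries, payload = decode_stack(frame)
    return PE2_VPN_LABELS[entries[-1]["label"]], payload


def forward(vpn_label):
    packet = b"IP:10.0.0.1"  # constructed stand-in for a customer IP packet
    frame = ingress_pe1(packet, vpn_label, transport_label=100)
    return egress_pe2(p_router_swap(frame, 200))
```

Two packets with the same destination address but different VPN labels leave PE2 through different VRFs, which the route-target alone cannot express because it is not carried in the forwarded packet.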

Hi Faisal,

MPLS is just a transport mechanism so when it comes to VPNs, it doesn’t matter much if you run it over MPLS or something else. You can either use a site-to-site VPN between two routers or use DMVPN.

Rene

Hi Djan,

Here’s a basic overview of BGP communities:

For MPLS VPN, we use the extended community to add the route-target to a prefix.

Rene