MPLS Layer 3 VPN Explained

Dear Rene,

What are the differences between the vpnv4 and ipv4 address families? I know where they are used, but it's a bit confusing, especially when we use things like the ip bgp vpnv4 vrf command for ipv4 address families.

Hello Roshan

IPv4 address family is for advertising IPv4 NLRI or in other words, regular IPv4 networks. This primarily involves routes that are being exchanged between CEs and PE devices. Separate VRFs in the IPv4 address family are used for this.

But to provide reachability between the customer networks, PEs must exchange these routes between each other, but they must also advertise additional information such as RD, RT, and VPN labels. The RD is prepended to the IPv4 route to make it unique, so these are no longer normal IPv4 routes, but they are VPNv4 routes. This is why peering between PEs is under a VPNv4 address family.

Note that VPNv4 routes are only exchanged between PE routers, while IPv4 are exchanged between PE and CE devices.

I hope this has been helpful!

Laz

1 Like
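The RD prepending described in the answer above, as an added Python example that is not part of the original thread: it builds the 12-byte VPNv4 address (8-byte type 0 RD per RFC 4364 plus the IPv4 prefix) and flags the case where two customers end up with the same RD and prefix, which is when uniqueness is lost. The customer names, AS number and prefixes are constructed sample values, and the prefix length counts only RD and IPv4 bits as a simplification.

```python
import ipaddress
import struct

def encode_rd_type0(asn: int, assigned: int) -> bytes:
    """Type 0 RD: 2-byte type (0), 2-byte AS number, 4-byte assigned number."""
    if not (0 <= asn <= 0xFFFF and 0 <= assigned <= 0xFFFFFFFF):
        raise ValueError("type 0 RD needs a 2-byte ASN and a 4-byte number")
    return struct.pack("!HHI", 0, asn, assigned)

def vpnv4_prefix(rd: bytes, prefix: str) -> tuple:
    """Return (12-byte VPNv4 address, length in bits over RD + IPv4 mask)."""
    net = ipaddress.ip_network(prefix, strict=True)
    return rd + net.network_address.packed, 64 + net.prefixlen

def build_vpnv4_table(exports) -> dict:
    """exports: iterable of (customer, rd_asn, rd_number, ipv4_prefix)."""
    table = {}
    for customer, asn, number, prefix in exports:
        key = vpnv4_prefix(encode_rd_type0(asn, number), prefix)
        if key in table:
            # Same RD and same prefix: the routes are no longer distinguishable.
            raise ValueError(f"{customer} collides with {table[key]} on {prefix}")
        table[key] = customer
    return table

# Constructed sample: two customers using the same private prefix.
SAMPLE_EXPORTS = [
    ("CustA", 65000, 1, "10.1.1.0/24"),
    ("CustB", 65000, 2, "10.1.1.0/24"),
]

if __name__ == "__main__":
    for (addr, length), owner in build_vpnv4_table(SAMPLE_EXPORTS).items():
        print(owner, addr.hex(), f"/{length}")
```
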

Hello Laz,

I see route-target option under vrf as well as under address-family.
What is the difference between the 2 options?

Thanks,
Sachin

Hello Sachin

I was unable to find the route-target option under the BGP Address-Family configuration mode. (related Cisco documentation on this mode.) I only found it under the vrf configuration. But there is an address-family option under the vrf configuration mode, is that what you meant?

Can you clarify where you found the route-target option? Let us know more details so we can respond to your question.

Thanks!

Laz

Hi Guys,

I am currently simulating a lab for MPLS L3VPN with multiple P and PE.

You may refer to network core that I created.

Planning to have an IGP of OSPF within the MPLS cloud and form LDP adjacencies.
My question is in regards to MP-BGP, I plan to activate multiple MP-BGP between PE Routers.

Kindly advise if there is a best practice to transit VRF across MP-BGP, as of now, I will do a full mesh MP-BGP.

Do you have an idea

Hello Dan

You can use MP-BGP to create a full mesh between PE routers. In any case, all PE routers belong to the same AS and iBGP requires a full mesh of peers. However, the PE routers are only configured with the VRFs that correspond to the networks of the customers that are directly connected to them. This means that PE1 and PE4 may or may not share some of the same VRFs. That’s one of the main advantages of using MPLS. So each PE will share differing VRFs but using MP-BGP with all other PE routers in the area.

If you go through this lesson, as well as the one below, it will give you a clearer understanding of both the concepts and the configuration of your topology…


I hope this has been helpful!

Laz

Hello everybody,

I made an MPLS VPN lab and I noticed something that, after thinking about it, makes no sense:

Each PE router advertises its VPN label for each of its networks, even if they’re sitting behind the same VRF statement!

Why is that necessary? After all, the destination IP is part of the IP packet, so the routers only have to create each VPN label per VRF. Why would they create each label per network? It makes no sense, as you will have more memory consumption, and it is also very confusing to have a lot of different labels and it's harder to troubleshoot.

Thank you very much!!

Hello Nitay

This is an excellent question. Routing functionality traditionally revolves around the prefix. You have a prefix, where do you route it to? It is with this logic that the routing information (whether IGP, BGP, MPLS labels or MPLS VPN labels) is provided and exchanged based on the routing prefix.

As you describe in your post, for some implementations such as MPLS VPN, this can be somewhat inefficient especially if you have many prefixes per VRF and many VRFs in your MPLS network. It is for this reason that Cisco introduced the MPLS VPN Per VRF Label feature. This feature allows you to configure a single VPN label for all local routes in an entire VPN VRF.

This feature is essentially enabled using the following command:

mpls label mode {vrf vrf-name | all-vrfs} protocol bgp-vpnv4 {per-prefix | per-vrf}

You can find out more information about this feature and how to implement it at the following Cisco documentation:

I hope this has been helpful!

Laz

1 Like

Thank you Laz,
You really helped me here!

It’s a really interesting feature - it can’t work with ECMP or CsC, which seems odd, and it makes the whole network converge again for the new labels, which is an important fact to know about.

1 Like

I have 2 theoretical questions regarding the things that must be configured:

Configure IBGP between PE routers.

  • When you talk about IBGP, do you mean MP-BGP? If not, how is IBGP different from MP-BGP?

Configure BGP between PE and CE routers.

  • Why do you need this configuration?

Hello Alex

When configuring MPLS VPN, one of the features that allows this to function is BGP. iBGP is what is used to allow PE routers to share routes between them on the MPLS carrier network. iBGP simply means that BGP is configured between routers in the same AS.

Now the term MP-BGP can be used for both iBGP and eBGP, and it simply means that information about more than a single protocol is being exchanged using BGP. MP-BGP simply means that we are activating a particular functionality of BGP, which is necessary for MPLS VPN, in order to include information about multiple protocols. Specifically, MP-BGP allows the use of NLRIs which include information necessary for MPLS VPN to function.

So MP-BGP and iBGP are not mutually exclusive, but actually indicate a different aspect of the BGP protocol.

Because iBGP is being used to exchange routes between PE routers, the PE routers themselves must learn the routes of the customers they serve. Because the CE routers exist outside of the MPLS AS, the routes must be learned via eBGP. eBGP peerings are defined as BGP peering between routers in different Autonomous Systems. So eBGP is configured between PE and CE routers so that CE routes can be made known to the PE routers, and can thus be propagated throughout the MPLS network.

I hope this has been helpful!

Laz

1 Like

Hello Rene & Team,

Can you please explain more about the VPN label? Where can we find it, and how does the PE take routing decisions on the basis of the VPN label?

Hello Aniket

MPLS Layer 3 VPN combines many different features in order to allow the whole to function. In order to understand where the VPN label comes in, we must understand which features function in the control plane, and which function in the data plane.

The control plane is the “realm” in which prefixes of particular networks are shared. That’s where IGPs such as OSPF and EIGRP function, where BGP resides, and where VRFs are created. This is also where RDs and RTs are used to correctly understand which prefixes belong to which customers. User data is not exchanged on the control plane, only data between the networking devices to allow the network to operate. VPN labels do not play a role on the control plane. In other words, an MPLS L3 VPN network can be converged (all routes and prefixes learned) without the use of the VPN label.

On the data plane however, which is where user data is exchanged, the VPN label is vital. Packets sent over the MPLS network use labels so that they can reach the appropriate PE. However, with penultimate hop popping, the packet arrives at the destination PE. However, there is no information in the IP packet concerning which CE device to send the packet to. To fix this problem, a VPN label is added by the original PE router to the packet. Along with the RT (for the control plane) the originating PE router will also advertise a VPN label to the other PE routers, so that CEs of the same customer will use this label.

In short, the VPN label is used by the PE devices so they know to which CE they must send a particular packet, because otherwise, on the data plane, there is no other indication of this.

In the lesson, under the Transport and VPN Label section, Rene has a detailed explanation of where the VPN label is placed, and what its importance is.

I hope this has been helpful!

Laz

Hi Rene/Team,
Could you clarify why there is a need for the VPN label if we already have the RT to forward the packet where we want to?

Hello Pradyumna

It is important here to distinguish between the use of RT and the use of the VPN label.

The RT is used to decide in which VRF we import and export VPNv4 routes. This only applies to the exchange of routing information and not the routing of the user data itself. So the RT is used so that the appropriate prefixes are advertised to the appropriate VRFs and customer routers. In other words, the RT functions on the control plane.

The VPN label is used to help PE routers decide to which customer routers user data traffic should be forwarded. The only information the PE router has is the destination IP, and that doesn’t give us enough information to determine to which customer it should be sent. That’s why the VPN label is necessary. The VPN label solves the routing problem on the data plane. This is explained in detail in the Transport and VPN Label section of this lesson:

I hope this has been helpful!

Laz
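The split between RT and VPN label described in the two answers above (the VPN label explanation and the RT versus VPN label reply), as an added Python model that is not part of the original thread. It assumes constructed lab values (PE and CE names, RTs 1:1 and 2:2, labels 16 and 17), uses exact-match prefix lookup instead of longest match, and leaves out the transport label.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    export_rts: frozenset
    vpn_label: int
    egress_pe: str

@dataclass
class PE:
    name: str
    import_rts: dict                                 # VRF name -> RTs it imports
    vrf_tables: dict = field(default_factory=dict)   # VRF -> {prefix: (egress PE, VPN label)}
    label_table: dict = field(default_factory=dict)  # local VPN label -> (VRF, CE)

    def receive(self, route):
        """Control plane: the RT decides which VRFs install the VPNv4 route."""
        installed = [v for v, rts in self.import_rts.items() if rts & route.export_rts]
        for vrf in installed:
            self.vrf_tables.setdefault(vrf, {})[route.prefix] = (route.egress_pe, route.vpn_label)
        return installed

    def ingress(self, vrf, prefix):
        """Data plane, ingress PE: lookup happens only in the customer's own VRF."""
        egress_pe, label = self.vrf_tables[vrf][prefix]
        return {"to_pe": egress_pe, "vpn_label": label, "dst": prefix}

    def egress(self, packet):
        """Data plane, egress PE: the VPN label, not the destination IP, picks the CE."""
        return self.label_table.get(packet["vpn_label"])  # None means drop

def run_demo():
    # Constructed lab values: both customers use 192.168.2.0/24 behind PE2.
    pe1 = PE("PE1", {"CUST_A": {"1:1"}, "CUST_B": {"2:2"}})
    pe2 = PE("PE2", {}, label_table={16: ("CUST_A", "CE-A2"), 17: ("CUST_B", "CE-B2")})
    routes = [
        Vpnv4Route("1:1", "192.168.2.0/24", frozenset({"1:1"}), 16, "PE2"),
        Vpnv4Route("2:2", "192.168.2.0/24", frozenset({"2:2"}), 17, "PE2"),
    ]
    imports = [pe1.receive(r) for r in routes]
    delivered = {vrf: pe2.egress(pe1.ingress(vrf, "192.168.2.0/24"))
                 for vrf in ("CUST_A", "CUST_B")}
    return imports, delivered
```

Both packets carry the same destination prefix, yet each reaches its own customer's CE because the egress lookup is keyed on the label.
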

Thanks for clearing my doubt.

Hi Laz,

One more doubt: why are we not performing redistribution between IGP and IBGP, whether we are using either BGP or any other IGP for connectivity between PE and CE?

Hello Pradyumna

This question has been responded to at this post.

Laz

Hi Laz,

I use the same topology in my lab, but I am unable to ping customer to customer on GNS3, even though I am getting the same output as you are. Is it due to a GNS3 problem?

Hello Pradyumna

This lesson doesn’t include a lab section with configurations. I suggest you take a look at the following lesson which includes step by step configuration instructions.


This, and all other MPLS VPN labs in Unit 3 of the course do get quite complex, so you will have to check your configuration details quite thoroughly. I can’t say if the problem is with GNS3, even though it has been known to cause problems, but it is more likely a misconfiguration that, through troubleshooting, you should be able to identify and correct.

I hope this has been helpful!

Laz