MPLS Layer 3 VPN Explained

Hey Rene.
What is the difference between normal VPN and the MPLS VPN?

Hello Venkata

A normal VPN is a feature that allows you to connect remote clients or remote offices to the corporate network, and have them behave as if they are physically on the same network, with internal addresses and security parameters. This is achieved using various tunnelling and encryption mechanisms. A VPN can either be a site-to-site VPN, that interconnects remote networks, or a client VPN that connects single users. More information about VPNs can be found here:


Now MPLS is a technology that is used by an ISP to be able to interconnect multiple customers with multiple remote sites. Now an ISP can do this using conventional VPN technologies, but as an ISP network grows, creating individual VPNs (using GRE, IPSec, or even DMVPN) is not scalable. ISPs need an infrastructure where they can have:
  • multiple customers with multiple sites
  • interconnection of the multiple sites of each customer
  • the isolation of each customer’s traffic from that of other customers
  • routing information from one customer must remain completely separate from that of other customers (customer IP address ranges may overlap)

In order to achieve all of the above, MPLS VPN is used. All of this is further described in detail in the following lesson:

I hope this has been helpful!

Laz

Hi Laz,

If a customer has a number of sites, then how do we assign the RD, RT and VPN label by the PE router?

Hello Pradyumna

Within the following lesson you will see how the RD, RT and the VPN label are configured and assigned to the sites of each customer. The lesson includes a practical example of the configuration of these concepts:

I hope this has been helpful!

Laz

Hi Laz,

Could you explain the full process in order, from receiving routes from the customer in their VRF to sending them to the corresponding VRF?

I mean, just explain what will happen first, like after receiving the route in the VRF, then RT assigned or RD or label (VPN or Transport); like this, the whole process of sending a route from Cust A or B to receiving it in the corresponding VRF, with each and every step including route advertisement by MP-BGP and redistribution (VRF to MP-BGP and vice versa) until it is received by the same customer.

Hello Pradyumna

I believe that the process is described quite clearly and quite well by Rene in this lesson; I don’t think that I could describe it more clearly. He goes through it step by step. You can also take a look at the rest of the MPLS VPN lessons that cover each aspect thoroughly:

If you have more specific questions, please don’t hesitate to ask!

I hope this has been helpful!

Laz

Hi Laz,

My question here is what happens first and in what order: is the RD assigned first, or the RT? Are the VPN label and transport label assigned when the route is VPNv4 or earlier, and does all of this happen before the VRF is redistributed into MP-BGP or later?

If you understand now, then please let me know; otherwise, no issue.

Hi Rene,
I had configured as per your instructions and found out that different RT and RD values didn’t work. Should the RT and RD values be the same?

Hello Pradyumna

These are different processes that don’t have an order of operations. RDs and RTs are information that is exchanged between PE routers. RDs are used to maintain uniqueness among identical prefixes in different VRFs, while RTs are used to control the import and export of routes between VRFs. This is info exchanged between BGP routers. All of this takes place on the control plane, that is, an exchange of information between routers so they are sufficiently informed to route traffic correctly.

The VPN label however is something that is added to the actual data being sent on the data plane and is described thoroughly in this section of the lesson.

So RT and RD are pieces of information exchanged between PE routers (control plane), and the VPN label is something added to the actual traffic (data plane).

I hope this has been helpful!

Laz

Hello Min

RT and RD values do not have to be the same. They are two independent parameters, but they do use the same format. In general however, it is best practice to use the same values to simplify configuration and understanding, but this is not a requirement for correct functionality and operation.

I hope this has been helpful!

Laz

Hi Laz,

1) I am still confused about why the VPN label is required, because as per the RT the route will be imported/exported into the correct VRF, and after that, according to the routing table information, the IP packet will be forwarded to the customer? Please clarify this.

2) I am also confused regarding at which end the route will be imported and exported into the correct VRF as per our mentioned topology?

Hello Pradyumna

The RT is used to import and export a route. This has to do with the sharing of routes between the PE and CE routers, and is strictly on the control plane. The purpose and need of the VPN label is clearly stated in section 3. Transport and VPN Label of the lesson. There Rene states:

In the header of this IP packet, there’s nothing that will help PE2 decide where to forward it to.

… and he is referring to when PE2 receives an IP packet for 192.168.2.2 when this network exists on multiple customers. This is why the VPN label is needed, and this is a function of the data plane.

Routes will be imported and exported at the PE routers.

I hope this has been helpful!

Laz

Hello, I need some clarification on a couple of things related to route targets (RTs).

First, I’m not 100% clear on the concept of importing and exporting RTs. Is that always from the perspective of the PE?

For example, using your diagram, we have CustA and CustB attached to PE1 and PE2. When PE1 receives a packet from CustA, when it attaches a RT to that packet, is that considered an import or export action? Likewise, when PE2 receives that packet from PE1 and sends it on to the CustA router that it’s attached to, is that an import or export action?


My second question is this:

I’ve read the route-distinguishers have local significance only but the RTs are unique. Must the same RT be used everywhere for a given VRF (or I guess more specifically, a given VPNv4 route)?

Let’s say I configure a RT of 100:100 on PE1 for the CustA router attached to it:

vrf definition CustA 
 route-target both 100:100

If the customer also had routers in the same VRF attached to PE2-PE5, must I also use this same RT in those PE routers in order for all CustA routers to be able to communicate?

vrf definition CustA 
 route-target both 100:100

Related to the above questions, I was doing some labbing and found that I can assign the same RT to multiple RDs. In this “article” (MPLS Layer 3 VPN Explained), it showed how PE1 added the RT on a packet coming in from CustA, sent it to PE2 which then looked at the RT to export it to the CustA router. During this process, would it distinguish between identical route tags by also looking at the RD contained in the NLRI? Is that the reason the same RT can be associated with multiple RDs?

Hello Buck

The importing and exporting of routes is not part of the routing process of actual packets, but is involved in the advertising of prefixes. In other words, the import and export actions don’t take place on the data plane, as your post suggests, but on the control plane. The import and export actions are taken by the PE routers.

For example, PE1 adds 123:1 to routes from Customer A on the left, then when PE2 checks the vpnv4 BGP table it can choose to pick out, or IMPORT, routes that have this 123:1 value and put them into a separate VRF table for Customer A. So importing involves using the RT to place the VPNv4 route in the appropriate VRF.

Exporting is the opposite, when a PE router receives a route from a CE router on a particular VRF, it uses that VRF to assign an RT before sending the advertisement to other PE routers.

Remember, importing and exporting involves only the route advertisements in order to correctly populate BGP/routing tables.

It’s important to understand the role of each one in order to understand the scope of each. RDs are used purely for the purpose of ensuring routes are unique per VPN. The routes found within the BGP VPNv4 unicast table on a particular PE should be unique, and that’s what the RD does. They must be unique for different VRFs on the same PE, but for two corresponding VRFs on two different PEs, they may or may not be the same, it does not really matter.

The route-target on the other hand is used to identify a subset of routes within the BGP vpnv4 unicast table that should be used in a VRF for a particular customer. So on a per-customer basis, the RTs should be unique across all PEs serving a particular customer.

Again, in this case, we’re not talking about operations that take place on the data plane, but on the control plane. Also, we don’t assign RTs to RDs, but RDs are assigned to prefixes, while RTs identify which VRF prefixes belong to. Looking at it from this context may change your question somewhat.

This post was a little long-winded, but I hope it was useful for you. If you need any additional clarifications, please don’t hesitate to ask!

I hope this has been helpful!

Laz
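
The control-plane/data-plane split discussed in the replies above (RD for uniqueness, RT for import/export, VPN label for forwarding at the egress PE), as an added example that is not part of the thread or the lesson. It is a toy Python model, not router code; the RD values, the CustB RT, the label numbers and the interface names are constructed for illustration.

```python
# Added example, not from the lesson: toy model of two PEs. RDs, labels, interface
# names and RT 123:2 are constructed; RT 123:1 for Customer A is from the thread.
from dataclasses import dataclass, field
from itertools import count

@dataclass
class Vrf:
    name: str
    rd: str            # only makes the prefix unique in the VPNv4 table
    rts: set           # used as both import and export RT ("route-target both")
    local: dict = field(default_factory=dict)  # prefix -> CE-facing interface
    rib: dict = field(default_factory=dict)    # prefix -> (egress PE, VPN label)

class PE:
    def __init__(self, name, first_label, vrfs):
        self.name = name
        self.vrfs = {v.name: v for v in vrfs}
        self.labels = count(first_label)
        self.lfib = {}  # VPN label -> (VRF name, prefix); consulted on the data plane

    def export(self, vrf_name, prefix, ce_if):
        """Control plane: turn a CE route into a VPNv4 update."""
        vrf = self.vrfs[vrf_name]
        vrf.local[prefix] = ce_if
        label = next(self.labels)
        self.lfib[label] = (vrf_name, prefix)
        return {"nlri": f"{vrf.rd}:{prefix}", "prefix": prefix,
                "rts": set(vrf.rts), "label": label, "next_hop": self.name}

    def receive(self, update):
        """Control plane: import into every VRF whose RT matches the update."""
        hits = [v for v in self.vrfs.values() if v.rts & update["rts"]]
        for vrf in hits:
            vrf.rib[update["prefix"]] = (update["next_hop"], update["label"])
        return [v.name for v in hits]

    def forward_labeled(self, label):
        """Data plane: the VPN label alone selects the VRF and CE interface."""
        vrf_name, prefix = self.lfib[label]
        return vrf_name, self.vrfs[vrf_name].local[prefix]

def demo():
    pe1 = PE("PE1", 100, [Vrf("CustA", "1:1", {"123:1"}), Vrf("CustB", "1:2", {"123:2"})])
    # PE2 uses different RDs than PE1 for the same customers; the RTs still match.
    pe2 = PE("PE2", 200, [Vrf("CustA", "2:10", {"123:1"}), Vrf("CustB", "2:20", {"123:2"})])
    ua = pe2.export("CustA", "192.168.2.0/24", "Gi0/1")  # overlapping prefixes
    ub = pe2.export("CustB", "192.168.2.0/24", "Gi0/2")
    imported = (pe1.receive(ua), pe1.receive(ub))
    _, label = pe1.vrfs["CustA"].rib["192.168.2.0/24"]   # label PE1 pushes for CustA
    return ua["nlri"], ub["nlri"], imported, label, pe2.forward_labeled(label)
```

Calling `demo()` shows both customers' identical 192.168.2.0/24 prefixes surviving as distinct VPNv4 entries, each landing only in the VRF whose RT matches, and PE2 choosing the CE interface from the label rather than from the destination address.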

How does the Label switch router know it is the penultimate hop?

Thanks
Nihar

Hello Nihar

Each PE will know what prefixes belong to which customer routers that are directly connected to it. For these prefixes, the PE router will advertise an implicit null label to its P neighbor. This indicates to the P neighbor router (which is the penultimate hop router for those customer networks) that for that particular prefix, penultimate hop popping should take place before sending the packet to the PE router.

I hope this has been helpful!

Laz

Hello,
I understand the following:
RD is a part of the control plane, and it makes the prefix unique.
RT is a part of the control plane.
VPN label is a part of the data plane, responsible for packet forwarding.
I can’t understand the difference between RT (control plane) and VPN label (data plane).
Can you explain to me the sentence: “The VPN label is attached to a VRF because of route targets.”?
I found this, too:
On the control plane, we use route-targets to define where to import/export a route to. It’s nice that the router knows what to do when it receives a packet, but we still need to get that packet to that router…
Thanks in advance,
Marina

Hello Marina

The RT is related to the VPN label in the following way. An RT is used to let the PE router know to which customer, or more specifically to which VRF a particular route belongs. Take a look at the following diagram:


Both PE1 and PE2 have been configured with a VRF that corresponds to Customer A. This means that routes advertised from CE1 to PE1 will have an RT of 123:1, which corresponds to VRF CustA. When such a route is advertised across the MPLS network and it reaches PE2, it needs to export this route. It is exported to the VRF that corresponds with the configured RT. It will probably make more sense if you configure it yourself and see it in action. In the 1.2 VRF on the PE routers section of the MPLS Layer 3 VPN Configuration lesson, you will see that the RT is actually configured in the VRF configuration mode like so:

PE1(config)#ip vrf CustA
PE1(config-vrf)#route-target both 1:1

More detail about this command can be found in the lesson link above.

And this is what is meant by the phrase: “The VPN label is attached to a VRF because of route targets.” The RT corresponds to a particular VRF so that PE routers know to which VRF, and thus to which customer routes should be imported/exported to/from.

I hope this has been helpful!

Laz

Can we use a different RD for the same customer, or is there any rule to use the same RD to connect all sites of a customer with the same RD? Why?

Hello Pradnesh

You must configure an RD per VRF, and you can only configure one VRF per interface that connects to a customer router. So if you want to configure more than one RD on a particular customer you must have more than one interface on a PE router connecting to a particular customer premises.

Having said that, what is it that you want to achieve? By assigning different RDs to the same customer, what do you actually want to do? If you let us know that, we may be able to suggest something else that is more suitable…

I hope this has been helpful!

Laz