MPLS Technology Basics

  • P (Provider) router = Label Switching Router (LSR)
    • Runs an IGP and LDP
  • PE (Provider Edge) router = edge router (LER)
    • Imposes and removes MPLS labels
    • Runs an IGP, LDP and MP-BGP
  • CE (Customer Edge) router
    • Not required
  • Label Distribution Protocol
    • UDP/TCP port 646 (multicast/unicast)
    • IGP to label binding
  • Multi-Protocol BGP
    • Address-family support (IPv4, IPv6, multicast, EVPN etc…)
    • Used for VRF / VPN route exchange

MPLS Labels

  • Labels used for making forwarding decision
  • Outer label always used for switching MPLS packets in network
  • Inner labels usually used for services (e.g. L2/L3 VPN)

MPLS Label Operations

  • Label imposition (Push)
    • By ingress PE router; classify and label packets
  • Label swapping or switching
    • By P router; forward packets using labels; indicates service class & destination
  • Label disposition (PoP)
    • By egress PE router; remove label and forward original packet to destination CE

IP Routing

  • Exchange of IP routes for Loopback Reachability
  • iBGP neighbor peering over IGP transport
  • Route towards BGP NextHop

MPLS Label Switched Path (LSP) Setup with LDP

Assignment of Remote Labels

  • Local label mappings are sent to connected nodes
  • Receiving nodes update forwarding table
    • Out label
  • LDP label advertisement happens in parallel (downstream unsolicited)

MPLS Traffic Forwarding with LDP

Hop-by-hop Traffic Forwarding Using Labels

  • Ingress PE node adds label to packet (push)
    • Via MPLS forwarding table
  • Downstream P node uses label for forwarding decision (swap)
    • Outgoing interface
    • Out label
  • Egress PE removes label and forwards original packet (pop)

MPLS Layer 3 VPN

  • VPN Policies
    • Separation of customer routing via VRF
    • In PE router, customer interfaces are connected to VRFs
  • VPN Signaling
    • Between PE routers: customer routes exchanged via BGP (MP-BGP)
  • VPN traffic forwarding
    • Separation of customer VPN traffic via additional VPN label
    • VPN label used by receiving PE to identify VPN routing table
  • PE-CE link
    • CE configured to route IP traffic to/from adjacent PE router
    • Variety of routing options; static routes, eBGP, OSPF, IS-IS

VPN Control Plane Processing

Exchange of routing information

  • Make customer routes unique:
    • Route Distinguisher (RD):
      • 8-byte field, VRF parameters; unique value to make VPN IP routes unique
      • VPNv4 address: RD + VPN IP prefix
  • Selective distribute VPN routes:
    • Route Target (RT):
      • 8-byte field, VRF parameter, unique value to define the import/export
        rules for VPNv4 routes
      • MP-iBGP: advertises VPNv4 prefixes + labels

Why an RD and VPNv4 Address?

  1. PE routers service multiple customers
  2. Once PE redistributes customer routes into MP-BGP, they must be unique
  3. RD is prepended to each prefix to make routes unique

VPNv4 prefixes are the combination of a 64-bit RD and a 32-bit IPv4 prefix. VPNv4 prefixes are 96-bits in length

Why are Route Targets Important?

  1. Route Targets dictate which VRF will receive what routes.
  2. Can be used to allow specific sites access to centralized services.
  3. Cust A Site 2, Site 3 and Site 4 will not be able to exchange routes with each other.

Route Targets are a 64-bit value and are carried in BGP as an extended community

VPN Control Plane Processing

Interactions Between VRF and BGP VPN Signaling

  1. CE1 redistribute IPv4 route to PE1 via eBGP
  2. PE1 allocates VPN label for prefix learnt from CE1 and append the RD to the IPv4 Address to create unique VPNv4 prefix
  3. PE1 redistributes VPNv4 route into MP-iBGP, it sets itself as a next hop and relays VPN site routes to PE2
  4. PE2 receives VPNv4 route and, via processing in local VRF (blue), it redistributes original IPv4 route to CE2

VPN Forwarding Plane Processing

Forwarding of Layer-3 MPLS VPN Packets

  1. CE2 forwards IPv4 packet to PE2
  2. PE2 imposes pre-allocated VPN label to IPv4 packet received from CE2
    • Learned via MP-IBGP
  3. PE2 imposes outer IGP label A (learned via LDP) and forwards labeled packet to nexthop P-router P2
  4. P-routers P1 and P2 swap router IGP label and forward label packet to PE1
    1. A->B (P2) and B->C (P1)
  5. PE1 strips VPN label and IGP labels and forwards IPv4 packet to CE1


  • MPLS Layer-3 VPNs provide IP connectivity among CE sites
    • MPLS VPNs enable full-mesh, hub-and-spoke, and hybrid IP connectivity
  • CE sites connect to the MPLS network via IP peering across PE-CE links
  • MPLS Layer-3 VPNs are implemented via VRFs on PE edge nodes
    • VRFs providing customer routing and forwarding segmentation
  • BGP used for signaling customer VPN (VPNv4) routes between PE nodes
  • To ensure traffic separation, customer traffic is encapsulated in an additional VPN
    label when forwarded in MPLS network

PE Routers

  • Edge routers
  • Use MPLS with P routers
  • Uses IP with CE routers
  • Connects to both CE and P routers.
  • Distribute VPN information through MP-BGP to other PE router with VPNv4 prefixes, extended community and label

P Routers

  • P routers are in the core of the MPLS cloud
  • P routers do not need to run BGP and doesn’t need to have any VPN knowledge
  • Forward packets by looking at labels
  • P and PE routers share a common IGP

How will PE routers exchange customer routing information?

Run a single routing protocol that will carry all customer routes between PE routers. Use MPLS labels to exchange packets btween PE routers.

P routers do not carry customer routes; the solution is scalable.

Which protocol can be used to carry customer routes between PE routers?

The number of customer routes can be very large. BGP is the only routing protocol that can scale to a very large number of routes.

BGP is used to exchange customer routes directly between PE routers.

How will information about the overlapping subnets of two customers be propagated via a single routing protocol?

Extend the customer addresses to make them unique.

Route Distinguishers

  • The 64-bit route distinguisher (RD) is prepended (front) to an IPv4 address to make it globally unique.
  • Allows for multiple customers (if not all) to use RFC 1918 addresses.
  • The resulting address is a VPNv4 address.
  • VPNv4 addresses are exchanged between PE routers via BGP.
    • BGP that supports address families other than IPv4 addresses is called Multiprotocol BGP (MP-BGP).
    • Creates a 96 bit address

MPLS VPN Control Plane - MP-BGP Update Components: VPNv4 Address, Route Target and Label


  • To convert an IPv4 address into a VPNv4 address, RD is appended to the IPv4 address i.e. 1:1:
    • Makes the customer’s IPv4 route globally unique
  • Each VRF must be configured with an RD at the PE
    • RD is what that defines the VRF
  • Although not necessary, having the same RD throughout a VPN is better for operational efficiency.


  • Route-target (RT): Identifies the VRF for the received VPNv4 prefix. It is an 8-byte extended community (a BGP attribute).
  • Each VRF is configured with RT(s) at the PE.
  1. PE1 receives an IPv4 update (eBGP,OSPF,EIGRP)
  2. PE1 translates it into VPNv4 address
    • Assigns an RT per VRF configuration
    • Rewrites next-hop attribute to itself
    • Assigns a label based on VRF and/or interface
  3. PE1 sends MP-iBGP update to other PE routers
  4. PE2 receives and checks whether the RT=green is locally configured within any VRF, if yes, then…
    • PE2 translates VPNv4 prefix back into IPv4 prefix
      • Installs the prefix into the VRF routing table
      • Updates the VRF CEF table with label=100 for
      • Advertise this IPv4 prefix to CE2 (EBGP, OSPF, EIGRP)

How will the PE routers forward the VPN packets across the MPLS VPN backbone?

They will label the VPN packets with an LDP label for the egress PE router and forward the labeled packets across the MPLS backbone.

  • The P routers perform the label switching, and the packet reaches the egress PE router.
  • However, the egress PE router does not know which VRF to use for packet switching, so the packet is dropped.
  • How about using a label stack?

They will label the VPN packets with a label stack, using:

  1. the LDP label for the egress PE router as the top label, and
  2. the VPN label assigned by the egress PE router as the second label in the stack.


  1. The P routers perform label switching, and the packet reaches the egress
    PE router.
  2. The egress PE router performs a lookup on the VPN label and forwards the packet toward the CE router.

VPN Penultimate Hop Popping

  • Penultimate hop popping on the LDP label can be performed on the last P router.
  • The egress PE router performs label lookup only on the VPN label, resulting in faster and simpler label lookup.
  • IP lookup is performed only once, in the ingress PE router.

Leave a Reply

Related Post

MPLS OverviewMPLS Overview

Unicast IP Forwarding in Traditional IP Networks In traditional IP networks, routing protocols are used to distribute Layer 3 routing information. Regardless of the routing protocol, packet forwarding is based