MPLS Vpn Working Principle



Configure MPLS L3VPN and understand it’s working. Currently PE1 & PE2 running iBGP under AS 100.PE1, P1, P2 & PE2 running OSPF as IGP. MPLS backbone running LDP for label distribution, LDP neighbor ship has been established among PE1, P1,P2 and PE2.CE1/CE11 using default routing towards PE1/PE2 respectively.

MPLS VPN used two control plane protocols: LDP and MP-BGP to accomplish MPLS VPN communication.

LDP used for signaling and responsible for distributing label among LSR, however LDP rely on IGP for choosing the best path.MPLS unicast ip forwarding is purely based on IGP and LDP.

VRF CE1 has been created for Customer CE1 and CE11 on PE1 &PE2.

For each VRF/Customer MP-BGP create one VPN/Inner label, which can be decoded only on PE.P routers are not aware about inner label , as they performed transitioned based on outer/transport label only.

Lets go through some terminology for MPLS VPN, which will help us to understand its working principle.

LDP:Used for signaling/control plane. It is responsible for outer label distribution.Label are locally significant.

Outer Label/ Transport label: Generated by LDP, used for MPLS unicast IP forwarding. It is of 20 bits

Inner/VPN Label: Generated by MP-BGP when we inject vrf into BGP and redistributed the routes. Redistribution not required when CE running bgp.

Route-Distingusher(RD): RD used to make IPv4 prefixes globally unique , by tagging 8-byte RD value to prefixes.

Route-Target: It defines which prefixes need to import in which vrf. It is of 8-bytes

Let’s inject created CE1 vrf into BGP on PE1 and redistributes the routes for vrf.

As soon as we injected CE1 vrf into BGP on PE1 and redistributed the static routes, BGP has sent update to PE2.

Basically PE1 will send two attributes for MP-BGP under path attribute in update message.

  • Extended Community

Extended community holds only Route-Target information, which defines which prefixes need to import/export in which vrf/customer.

On the other hand MP_REACH_NLRI attribute accommodate the following information with its own.AFI, SAFI , next-Hop-network Address & Network layer reachability information.When a PE router distributes a VPN-IPv4 route via BGP, it uses its own address as the “BGP next hop” .Here PE1 using its own address as next-hop , to make PE2 understand that in order to reach the prefix use next hop as my address.

This address is encoded as a VPN-IPv4 address with an RD of 0.  MP-BGP requires that the next   hop address be in the same address family as the NLRI.  It also assigns and distributes an MPLS label.  (Essentially, PE routers distribute not VPN-IPv4 routes, but Labeled VPN-IPv4 routes.  When the PE2 processes a received packet that has this label at the top of the stack, the PE will pop the stack, and process the packet appropriately.Address family <AFI 1, SAFI 128> indicates that each NLRI in an MP-REACH-NLRI or MP-UNREACH-NLRI attribute consists of three parts:

  1.  An MPLS label stack
  2.  A route distinguisher
  3.  An IPv4 prefix

Since [MP-BGP] requires that the NEXT-HOP field in an MP-REACH-NLRI be encoding in the same address family as the NLRI, it follows that the NEXT-HOP must also consist of:

  1. An MPLS label stack
  2. A route distinguisher
  3. An IPv4 prefix

Labels for PE-to-PE LSPs are assigned using some MPLS signaling protocol (e.g. LDP or RSVP) and only have local significance for a given core link. Therefore, it makes no sense to put a label value in the NEXT-HOP field and ideally we should use some well-defined value which means “no label stack” here.

Finally NLRI consists of the prefixes that MP-BGP have advertised with some additional information like VPN_label/Bottom stack, RD, RT & Prefixes.

Working Principle

Control plane:PE2 will impose implicit null( label 3) for route , and forwards it to P2.P2 then update its RIB with remote label for prefix as implicit null and assigned one random label to this prefixes and distributes to its peer. Here P2 assign local label 18 to prefix

P1 in turn update its RIB with remote label as 18 and assigned one local label for prefix

It assigns local label 19 and forward further to PE1. When PE1 receive the prefix with label 19, it update its RIB with remote label as 19 and assigned one local label 17.

Forwarding/Data plane: When Packet from customer CE1 of PE1 comes from source for destination

Then PE1 check the vpnv4 routes for per the output PE1 learning label 22 VPN label for route , in order to reach it must reach via next hop sending VPN label 22 with next hop towards PE1.For reaching its uses remote label as 19,when packet reach to P1 label 19 will be swap with local label as 19 and remote as 18.When packet reach to P2 its will see the remote bindings which is implicit null. Then it will simply pop the outer label and send the packet to PE2.PE2 will inspect the bottom/VPN  label and will send the packet on next hop f0/1 unlabeled removing the mpls header.


  • RT,LDP,IGP all use for control plane in MPLS VPN.
  • Data Plane used label/VPN.
  • VPN/Inner label is created by MP-BGP not LDP.
  • Outer/Transport LAbel is created by LDP/RSVP.
  • VPN Label used for routing lookup on PE since we can have same prefixes from multiple PE.
  • Route-Target used for control plane reachability and defined in which vrf prefixes need to import/export.
  • RD serve only one purpose to make prefix unique in entire VPN solution.