MPLS VPN

Layer 3 VPNs using MPLS: VRF, RD, RT, and PE-CE routing.

Introduction: The Challenge of a Shared World

Imagine a large corporation, "GlobalTech Inc.", with offices in New York and London. Each office has its own private, internal computer network. For GlobalTech to function, the employees in New York need to seamlessly and securely access servers and files located in the London office, and vice-versa. The vast public internet lies between them, a chaotic space filled with traffic from millions of other companies and individuals. How can GlobalTech create a single, unified, and private network for itself over this shared public infrastructure?

This is the fundamental problem that a Virtual Private Network (VPN) solves. A VPN is a technology that creates a secure, encrypted tunnel over a public network, like the internet, to connect remote users or sites. From the perspective of the users at GlobalTech, it feels like their London and New York offices are connected by a single, private cable, even though their data is actually traveling across dozens of routers and systems belonging to various Internet Service Providers (ISPs).

While there are many ways to create VPNs (like IPsec tunnels), they can become incredibly complex for a service provider to manage when serving hundreds or thousands of corporate customers. This is where MPLS shines. MPLS Layer 3 VPN is a highly scalable, flexible, and efficient solution offered by service providers that allows them to use their single, shared MPLS network to create logically separate, private networks for each of their customers.

The Core Problem: Overlapping IP Addresses

The biggest technical hurdle for a service provider offering VPN services is the issue of overlapping address space. To save on costs and simplify internal management, the vast majority of companies use private IP address ranges defined in RFC 1918 (e.g., $192.168.1.0/24$ , $10.0.0.0/8$ ).

Now, consider the ISP's challenge.

Their customer, GlobalTech Inc., uses the $192.168.1.0/24$ network in their offices.
Their other customer, "Innovate Solutions", also uses the $192.168.1.0/24$ network in their offices.

Both customers connect to the same ISP network. When a packet from GlobalTech arrives with a destination of $192.168.1.50$ , and another packet from Innovate Solutions arrives with the exact same destination address, how can the ISP's routers possibly know which customer's network to send it to? A standard router can only have one entry for $192.168.1.0/24$ in its global routing table. This ambiguity makes it impossible to provide separate VPNs using traditional routing. MPLS VPN technology was created specifically to solve this problem with an elegant set of "magic tricks".

Trick 1: The VRF - A Virtual Router for Each Customer

The first part of the solution is to isolate each customer's routing information from the others on the Provider Edge (PE) router. MPLS achieves this using a feature called Virtual Routing and Forwarding (VRF).

Analogy: The Multi-Tenant Office Mailroom. Imagine a mailroom in a large office building that serves dozens of different companies. To avoid mixing up the mail, the mailroom clerk doesn't just have one big pile. Instead, they have a separate, labeled set of mail slots and a separate address directory for each company. Company A's mail goes into Company A's slots, and Company B's mail into Company B's slots.

A is exactly this: a virtual mailroom inside the router. When an ISP onboards a new VPN customer, they create a dedicated VRF for them on the PE routers where the customer connects.

Each VRF has its own completely independent routing table and forwarding table.
The physical interface connecting to the customer's site (the CE router) is assigned to that customer's VRF.
Routing updates received from the customer's CE router are only installed into that specific VRF's routing table.

This elegantly solves the overlapping address problem locally. The PE router can now happily have a route for $192.168.1.0/24$ in the "GlobalTech_VRF" and another, completely separate route for $192.168.1.0/24$ in the "Innovate_VRF". The routes are isolated and do not conflict.

Trick 2: The Route Distinguisher (RD) - Creating Unique Global Addresses

VRFs solve the problem on a single router. But how does that router advertise these overlapping routes to other PE routers across the ISP's core network? The core BGP process still cannot handle two identical $192.168.1.0/24$ prefixes.

The solution is to make each customer's route globally unique. This is done by adding a "tag" or an "account number" to the route prefix. This tag is called the Route Distinguisher (RD).

An RD is a 64-bit number that the PE router prepends to the customer's 32-bit IPv4 prefix. The result is a brand new, 96-bit address that is guaranteed to be unique across the entire network. This new address is called a VPNv4 address.

Example: Making Prefixes Unique

For the GlobalTech VRF, the administrator configures an RD of $65000:100$ . When the PE learns the route $192.168.1.0/24$ from GlobalTech, it converts it into the VPNv4 prefix: $65000:100:192.168.1.0/24$ .
For the Innovate Solutions VRF, the administrator configures a different RD of $65000:200$ . When the PE learns the same route from them, it converts it into the VPNv4 prefix: $65000:200:192.168.1.0/24$ .

From the perspective of BGP running in the ISP's core, these are now two completely different and unique network prefixes. It can advertise them, process them, and store them without any confusion or conflict. The RD's only job is to ensure uniqueness; it is not used for forwarding decisions.

Trick 3: Route Targets (RT) - Building the Virtual Private Network

We now have unique routes being advertised across the provider network. The final question is: how does a receiving PE router know which VPN (which VRF) a specific route belongs to? Just because it receives a unique VPNv4 route doesn't mean it should be available to every customer.

This is controlled by another BGP attribute called the Route Target (RT). An RT is a BGP Extended Community attribute that acts like a tag or a mailing list identifier. It controls the import and export of routes between BGP and a VRF.

The Export and Import Process

The process is like a sophisticated mail sorting system based on subscription lists:

Export RT: When a PE router learns a route from a customer CE and converts it to a VPNv4 prefix, it attaches one or more Export Route Targets to it before advertising it to other PEs. This is like putting a "mailing-list-A" sticker on an outgoing letter.
Import RT: Each VRF on a PE router is configured with one or more Import Route Targets. This is the VRF's "subscription list".
The Matching Rule: When a PE router receives a VPNv4 route from another PE, it looks at the Export RTs attached to the route. It then checks the Import RT configuration of all its local VRFs. A route will only be installed into the routing table of a VRF if the route's Export RT matches one of the VRF's Import RTs.

Example: Building the VPN

The PE router connected to GlobalTech's New York office is configured so that its VRF exports routes with $RT=65000:100$ and imports routes tagged with $RT=65000:100$ .

The PE router connected to GlobalTech's London office has the exact same VRF configuration.

Meanwhile, the VRFs for Innovate Solutions are configured with $RT=65000:200$ .

When the New York PE advertises GlobalTech's routes, they carry the `Export RT 65000:100`. The London PE receives this. Because its GlobalTech VRF is configured to `Import RT 65000:100`, the route is accepted and installed. The PE routers serving Innovate Solutions also see this advertisement, but because their VRFs do not import this RT, they simply ignore and discard it. This is what creates the "Private" in Virtual Private Network.

The Data Plane: The Two-Label Stack

We've now built the control plane: VRFs provide local isolation, RDs provide global uniqueness, and RTs build the VPN policies. But how does a packet actually get forwarded? The answer lies in a two-label stack.

The Inner (VPN) Label:
When the PE routers exchange VPNv4 routes via BGP, they also exchange a special label for each route. This inner label is called the VPN label. Its job is to tell the final, Egress PE router exactly which customer VRF and which outgoing interface the packet should be forwarded to. It's the local delivery instruction.
The Outer (Transport) Label:
This is the standard MPLS label we've discussed before. Its only purpose is to get the packet from the Ingress PE to the Egress PE. The core routers (P-routers) in the ISP network only ever look at this outer label. They have no idea about VPNs or customer routes; their only job is to swap the outer label and forward the packet towards the Egress PE identified in their regular IGP routing table.

Packet Journey Revisited

Let's follow a packet from GlobalTech's New York PC to its London server:

The IP packet arrives at the NYC Ingress PE router. The router does a lookup in the GlobalTech_VRF.
It finds a match and determines the Egress PE router (the one in London) and the VPN label that router advertised.
It pushes the inner VPN label onto the packet.
It then does a lookup for the Egress PE's address in its main table and finds the outer transport label for the LSP leading to London.
It pushes the outer transport label onto the packet.
The packet now has two labels and is sent into the MPLS core.
Core routers swap only the outer label at each hop. They never see the inner label.
The router just before the Egress PE (the penultimate hop) pops the outer label.
The Egress PE in London receives the packet with only the inner VPN label. It looks at this label, which tells it "This packet belongs to the GlobalTech_VRF and should be sent out the interface to their London office."
The Egress PE pops the VPN label, and the original IP packet is sent to the London CE router. The mission is complete, and no core router ever had to know anything about GlobalTech's private network.