📘CCNP Enterprise – ENARSI (300-410)
1. What Is an MPLS Layer 3 VPN?
An MPLS Layer 3 VPN (L3VPN) is a service provider technology that allows multiple customers to connect their private IP networks over a shared MPLS backbone, while keeping their routing information completely separate and secure.
- Routing happens at Layer 3 (IP layer)
- The service provider manages routing
- Customers do not see each other’s routes
- MPLS labels are used to forward traffic efficiently
👉 For the exam:
MPLS L3 VPN = Private routed networks over a shared MPLS core
2. Why MPLS Layer 3 VPN Is Needed
Without MPLS L3 VPN:
- Customers need complex tunneling (GRE, IPsec)
- Service provider must build separate networks
- Scalability becomes difficult
With MPLS L3 VPN:
- One shared backbone
- Thousands of customers
- Each customer has its own routing table
- Easy to scale and manage
👉 For ENARSI:
Main purpose = scalable, secure, multi-customer routing over MPLS
3. Key Devices in MPLS Layer 3 VPN
3.1 CE Router (Customer Edge)
- Located at customer site
- Connects customer network to provider
- Does NOT run MPLS
- Exchanges routes with PE router
CE routers can use:
- Static routing
- OSPF
- EIGRP
- BGP
👉 Exam point:
CE routers are unaware of MPLS and VPNs
3.2 PE Router (Provider Edge)
- Connects customers to MPLS backbone
- Runs MPLS
- Maintains separate routing tables per customer
- Uses VRF
PE routers:
- Add VPN labels
- Exchange VPN routes using MP-BGP
👉 Exam point:
PE router is the most important device in MPLS L3 VPN
3.3 P Router (Provider/Core Router)
- Inside the service provider core
- Only switches MPLS labels
- Does NOT know customer routes
- Does NOT use VRF
👉 Exam point:
P routers only forward labels, no customer awareness
4. VRF (Virtual Routing and Forwarding)
4.1 What Is a VRF?
A VRF is a separate routing table on a PE router.
Each customer:
- Has its own VRF
- Can use overlapping IP addresses
- Is fully isolated from other customers
Example concept:
- Customer A: 10.0.0.0/8
- Customer B: 10.0.0.0/8
- Both coexist because they are in different VRFs
👉 Exam keyword:
VRF = multiple virtual routers on one physical router
4.2 Components of a VRF
Each VRF contains:
- Routing table
- CEF table
- Interfaces assigned to that VRF
- Route Distinguisher (RD)
- Route Targets (RT)
5. Route Distinguisher (RD)
5.1 What Is an RD?
An RD is a value added to an IPv4 route to make it globally unique.
- Converts IPv4 routes into VPNv4 routes
- Used only for uniqueness
- Not used for route filtering
Format:
RD:IPv4-prefix
Example:
100:1 + 10.1.1.0/24 → VPNv4 route
👉 Exam point:
- RD ensures uniqueness
- RD does NOT control route import/export
6. Route Target (RT)
6.1 What Is a Route Target?
A Route Target (RT) is a BGP extended community used to:
- Control which routes are imported or exported
- Decide who can see whose routes
RTs are used for VPN membership.
6.2 Import and Export RTs
- Export RT: attached to routes when advertised
- Import RT: determines which routes are accepted
For two sites to communicate:
- Export RT of Site A must match Import RT of Site B
👉 Exam point:
RT controls VPN connectivity
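The RD and RT rules from sections 5 and 6, as an added example that is not part of the original notes. It builds VPNv4 routes as RD:prefix, applies the import/export match, and flags any VRF that accepts another customer's routes. The VRF names, RD/RT values and the `customer` field are constructed for illustration.

```python
# Constructed sample data: VRFs as they might be defined across PE routers.
VRFS = {
    "A-SITE1": {"customer": "A", "rd": "100:1", "export": {"100:10"},
                "import": {"100:10"}, "prefixes": ["10.0.0.0/8"]},
    "A-SITE2": {"customer": "A", "rd": "100:2", "export": {"100:10"},
                "import": {"100:10"}, "prefixes": ["172.16.0.0/16"]},
    # Misconfiguration: customer B's VRF also imports customer A's RT.
    "B-SITE1": {"customer": "B", "rd": "100:3", "export": {"100:20"},
                "import": {"100:20", "100:10"}, "prefixes": ["10.0.0.0/8"]},
}


def vpnv4_routes(vrfs):
    """Build the VPNv4 routes the PEs advertise: RD:prefix plus export RTs."""
    routes = []
    for name, vrf in vrfs.items():
        for prefix in vrf["prefixes"]:
            routes.append({"vpnv4": f'{vrf["rd"]}:{prefix}', "prefix": prefix,
                           "rts": set(vrf["export"]), "origin": name})
    return routes


def imported_by(vrfs, name):
    """Routes from other VRFs that `name` accepts: an export RT matches an import RT."""
    wanted = vrfs[name]["import"]
    return [r for r in vpnv4_routes(vrfs)
            if r["origin"] != name and r["rts"] & wanted]


def cross_customer_imports(vrfs):
    """Flag every route imported into a VRF that belongs to a different customer."""
    findings = []
    for name, vrf in vrfs.items():
        for route in imported_by(vrfs, name):
            if vrfs[route["origin"]]["customer"] != vrf["customer"]:
                matched = sorted(route["rts"] & vrf["import"])
                findings.append((name, route["vpnv4"], matched))
    return findings


if __name__ == "__main__":
    for r in vpnv4_routes(VRFS):
        print(r["vpnv4"], sorted(r["rts"]))
    for vrf, route, rts in cross_customer_imports(VRFS):
        print(f"LEAK: {vrf} imports {route} via RT {rts}")
```

The two 10.0.0.0/8 routes stay distinct because of the RD, yet the extra import RT on B-SITE1 still pulls customer A's routes in: uniqueness comes from the RD, isolation depends on the RTs.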
7. MP-BGP (Multiprotocol BGP)
7.1 Why MP-BGP Is Required
Normal BGP cannot carry:
- VPN labels
- VRF information
- Route Targets
MP-BGP is used to:
- Exchange VPNv4 routes between PE routers
- Carry:
  - Customer IP prefix
  - RD
  - RT
  - MPLS VPN label
👉 Exam fact:
MPLS L3 VPN relies on MP-BGP
7.2 VPNv4 Address Family
- Used only between PE routers
- Contains:
  - IPv4 prefix
  - RD
  - RT
  - Label
P routers do not participate in MP-BGP VPNv4.
8. Label Stack in MPLS L3 VPN
MPLS L3 VPN uses two labels:
8.1 Outer Label (Transport Label)
- Used to reach the egress PE
- Distributed by LDP or RSVP
- Switched by P routers
8.2 Inner Label (VPN Label)
- Identifies the VRF
- Assigned by the egress PE
- Used only at the final PE router
👉 Exam point:
MPLS L3 VPN uses a two-label stack
9. Packet Flow (High-Level)
- CE sends IP packet to PE
- PE:
  - Looks up VRF
  - Adds VPN label
  - Adds transport label
- P routers:
  - Switch only outer label
- Egress PE:
  - Removes outer label
  - Uses inner label to select VRF
- Packet forwarded to destination CE
👉 Important:
P routers never see customer IP addresses
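The packet flow above as a small simulation, added here as an example and not part of the original notes. It follows the steps exactly as listed (the egress PE removes the outer label) and records what each P router inspects. All label values, VRF names and router names are constructed.

```python
# Constructed tables: every label value, VRF name and router name is made up.
# Ingress PE: (VRF, destination prefix) -> VPN label learned via MP-BGP from
# the egress PE, plus the transport label that reaches that egress PE.
INGRESS_VRF_FIB = {
    ("CUST_A", "10.2.0.0/16"): {"vpn": 201, "transport": 30},
    ("CUST_B", "10.2.0.0/16"): {"vpn": 202, "transport": 30},  # overlapping prefix
}
P_LFIB = {"P1": {30: 31}, "P2": {31: 32}}           # outer-label swaps in the core
EGRESS_TRANSPORT = 32                                # outer label the egress PE expects
EGRESS_VPN_LABELS = {201: "CUST_A", 202: "CUST_B"}   # inner label -> VRF


def ingress_pe(vrf, prefix, ip_packet):
    """Look up the VRF, push the VPN label, then the transport label on top."""
    entry = INGRESS_VRF_FIB[(vrf, prefix)]
    return {"labels": [entry["transport"], entry["vpn"]], "ip": ip_packet}


def p_router(name, packet, seen):
    """Swap the outer label only; record the one field this router inspected."""
    outer = packet["labels"][0]
    seen.append((name, outer))
    packet["labels"][0] = P_LFIB[name][outer]
    return packet


def egress_pe(packet):
    """Remove the outer label and use the inner label to select the VRF."""
    outer, inner = packet["labels"]
    if outer != EGRESS_TRANSPORT or inner not in EGRESS_VPN_LABELS:
        return None  # unknown label: drop rather than guess a VRF
    return EGRESS_VPN_LABELS[inner], packet["ip"]


def forward(vrf, prefix, ip_packet):
    """Run one packet ingress PE -> P1 -> P2 -> egress PE."""
    seen = []
    packet = ingress_pe(vrf, prefix, ip_packet)
    for name in ("P1", "P2"):
        packet = p_router(name, packet, seen)
    return egress_pe(packet), seen


if __name__ == "__main__":
    print(forward("CUST_A", "10.2.0.0/16", "src=10.1.0.5 dst=10.2.0.9"))
    print(forward("CUST_B", "10.2.0.0/16", "src=10.1.0.5 dst=10.2.0.9"))
```

Both customers' packets look identical to P1 and P2 (same outer labels); only the inner label at the egress PE separates them, so a wrong or unknown VPN label there must result in a drop.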
10. PE–CE Routing Options
Common routing methods:
- Static routing
- OSPF
- EIGRP
- eBGP
Exam focus:
- BGP is preferred for scalability
- OSPF/EIGRP require special handling (domain separation)
11. Benefits of MPLS Layer 3 VPN (Exam View)
- Scalable
- Secure
- Supports overlapping IP addresses
- Centralized routing by provider
- Efficient forwarding using MPLS labels
12. MPLS L3 VPN vs VRF-Lite (Exam Comparison)
| Feature | MPLS L3 VPN | VRF-Lite |
|---|---|---|
| MPLS used | Yes | No |
| MP-BGP | Yes | No |
| Provider core | Yes | No |
| Scalability | Very high | Limited |
| Use case | Service provider | Enterprise internal |
13. Key Exam Takeaways (Very Important)
For ENARSI 300-410, remember:
- MPLS L3 VPN = Provider-managed routed VPN
- VRF = Separate routing table
- RD = Uniqueness
- RT = Route control
- MP-BGP = VPN route exchange
- Two MPLS labels are used
- P routers do not know customer routes
- CE routers are MPLS-unaware
14. One-Line Summary for Exam
MPLS Layer 3 VPN uses VRFs, MP-BGP, RDs, RTs, and MPLS labels to securely provide scalable routed VPN services over a shared provider backbone.
