# Module 4: L3VPN — Customer Isolation with VRFs

> **Course**: [ISP Backbone Lab Course](../README.md)
> **Previous**: [Module 3: iBGP](03-ibgp.md)
> **Next**: [Module 5: eBGP](05-ebgp.md)

---

## Network Diagram

![L3VPN End-to-End Flow](../diagrams/Module4_L3VPN_Flow.png)

*L3VPN end-to-end flow — CE→PE→MPLS Core→PE→CE with VRF isolation and dual label stack*

---

## The Business Problem

You're an ISP. Customer A and Customer B both use `10.0.0.0/8` internally (because of course they do). If you put both their routes in your global routing table, they collide.

**VRFs solve this.**

## What Is a VRF?

A **VRF (Virtual Routing and Forwarding)** instance is a completely separate routing table on the same physical router. Think of it as running multiple virtual routers on one box.

Each VRF has:

- **Name** — just a label (e.g., "CUST_A")
- **Route Distinguisher (RD)** — Makes routes globally unique. `65000:100` + `10.0.0.0/8` becomes a unique VPNv4 route
- **Route Targets (RT)** — Controls which VRFs import/export routes. This is the magic that connects customer sites across the MPLS core

## How L3VPN Works End-to-End

1. **CE-CUST1** advertises `192.168.100.0/24` via eBGP to **PE-EDGE2**
2. **PE-EDGE2** puts this route into VRF `CUST_A`, adds RD `65000:100`, and exports with RT `65000:100`
3. The route is carried via **MP-BGP (VPNv4 address family)** to the Route Reflector
4. **P-CORE (RR)** reflects it to **PE-EDGE4**
5. **PE-EDGE4** sees RT `65000:100`, checks its VRF import policy, and imports it into VRF `CUST_A`
6. **CE-CUST2** now sees `192.168.100.0/24` and can reach Customer A's other site
7. **All transit through the core is MPLS-labeled** — P routers never see customer routes

## Lab 4 Config: L3VPN

**PE-EDGE2 (Customer A facing):**

```
! Create VRF
vrf definition CUST_A
 rd 65000:100
 address-family ipv4
  route-target export 65000:100
  route-target import 65000:100
 exit-address-family
!
! Assign customer-facing interface to VRF
interface GigabitEthernet0/4
 description TO CE-CUST1
 vrf forwarding CUST_A
 ip address 10.100.0.1 255.255.255.252
 no shutdown
!
! BGP config for VRF
router bgp 65000
 address-family ipv4 vrf CUST_A
  neighbor 10.100.0.2 remote-as 65001
  neighbor 10.100.0.2 activate
 exit-address-family
```

**CE-CUST1 (Customer A):**

```
hostname CE-CUST1
!
interface Loopback0
 ip address 192.168.100.1 255.255.255.255
!
interface GigabitEthernet0/0
 description TO PE-EDGE2
 ip address 10.100.0.2 255.255.255.252
 no shutdown
!
router bgp 65001
 bgp router-id 192.168.100.1
 network 192.168.100.0 mask 255.255.255.0
 neighbor 10.100.0.1 remote-as 65000
```

**PE-EDGE4 (Customer B / also imports CUST_A routes):**

```
vrf definition CUST_A
 rd 65000:100
 address-family ipv4
  route-target export 65000:100
  route-target import 65000:100
 exit-address-family
!
interface GigabitEthernet0/4
 description TO CE-CUST2
 vrf forwarding CUST_A
 ip address 10.100.1.1 255.255.255.252
 no shutdown
!
router bgp 65000
 address-family ipv4 vrf CUST_A
  neighbor 10.100.1.2 remote-as 65002
  neighbor 10.100.1.2 activate
 exit-address-family
```

## Verification

```
show vrf                                          ! VRFs configured
show ip route vrf CUST_A                          ! Customer A's routing table
show bgp vpnv4 unicast all                        ! All VPN routes across the core
show bgp vpnv4 unicast vrf CUST_A                 ! VPN routes for this specific customer
ping vrf CUST_A 192.168.100.1 source 10.100.1.1   ! Cross-core VPN connectivity
traceroute vrf CUST_A 192.168.100.1               ! Should show MPLS labels through core
```

## Understanding Check

1. What's the difference between RD and RT? (Common interview question!)
2. If Customer B also uses `192.168.100.0/24`, why doesn't it conflict?
3. What MPLS labels are used for VPN forwarding? (Hint: there are TWO labels — why?)
4. How would you give Customer A internet access in addition to their VPN?

---

> **Next Module**: [Module 5: eBGP — Peering with the World →](05-ebgp.md)
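As an added example (not part of the lab materials), the Python model below works through Understanding Check questions 1 and 2: the RD keeps Customer B's reused `192.168.100.0/24` distinct in the VPNv4 table, only the RT decides which VRF imports it, and a small audit flags the failure mode an operator cares about, an import RT that accidentally matches another customer's export RT. `CUST_B` and its RD/RT `65000:200` are assumptions; the lab only defines `CUST_A`.

```python
"""Model of RD/RT handling in an L3VPN. Constructed example, not lab code.
CUST_A mirrors the lab (65000:100); CUST_B (65000:200) is an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnRoute:
    rd: str           # Route Distinguisher prepended by the exporting PE
    prefix: str       # the customer's IPv4 prefix
    rts: frozenset    # Route Target extended communities attached on export


@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset
    local: frozenset = frozenset()   # prefixes learned from the attached CE


def export_vpnv4(vrf):
    """PE export: RD + prefix forms a unique VPNv4 NLRI, tagged with export RTs."""
    return {VpnRoute(vrf.rd, p, vrf.export_rts) for p in vrf.local}


def import_vpnv4(vrf, vpnv4_table):
    """PE import: a route lands in a VRF only if it carries one of its import RTs."""
    return {(r.rd, r.prefix) for r in vpnv4_table if r.rts & vrf.import_rts}


def distribute(vrfs):
    """Route-reflector view: union of every export, then each VRF's import policy."""
    table = set().union(*(export_vpnv4(v) for v in vrfs))
    return table, {v.name: import_vpnv4(v, table) for v in vrfs}


def rt_overlaps(vrfs):
    """Audit: (source, destination) customer pairs whose RTs would leak routes."""
    return {(src.name, dst.name) for src in vrfs for dst in vrfs
            if src.name != dst.name and src.export_rts & dst.import_rts}


CUST_A = Vrf("CUST_A", "65000:100", frozenset({"65000:100"}),
             frozenset({"65000:100"}), frozenset({"192.168.100.0/24"}))
# Customer B reuses the same prefix; its RD keeps it distinct in the VPNv4 table.
CUST_B = Vrf("CUST_B", "65000:200", frozenset({"65000:200"}),
             frozenset({"65000:200"}), frozenset({"192.168.100.0/24"}))
# Misconfigured Customer B VRF that also imports 65000:100: it would receive A's routes.
CUST_B_LEAKY = Vrf("CUST_B", "65000:200", frozenset({"65000:200", "65000:100"}),
                   frozenset({"65000:200"}), CUST_B.local)

if __name__ == "__main__":
    table, imported = distribute([CUST_A, CUST_B])
    print(len(table), "VPNv4 routes;", imported)
    print("leaks:", rt_overlaps([CUST_A, CUST_B_LEAKY]))
```

Run it once with the correct VRFs and once with `CUST_B_LEAKY` to see the same prefix stay separated by RD while the leaky import policy pulls Customer A's route into Customer B's table.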