isp-backbone-course/modules/04-l3vpn.md
2026-02-27 10:28:45 -07:00

Module 4: L3VPN — Customer Isolation with VRFs



Network Diagram

Figure: L3VPN end-to-end flow, CE→PE→MPLS Core→PE→CE, with VRF isolation and the dual label stack.


The Business Problem

You're an ISP. Customer A and Customer B both use 10.0.0.0/8 internally (because of course they do). If you put both their routes in your global routing table, they collide, and whichever route wins gets the other customer's traffic. Per-customer VRFs on the PE routers, with MP-BGP carrying the routes across the core, solve this.

What Is a VRF?

A VRF (Virtual Routing and Forwarding) instance is a separate routing table (RIB and FIB) on the same physical router, bound to its own set of interfaces. Think of it as running multiple virtual routers on one box: a lookup in VRF CUST_A never consults the global table or any other VRF.

Each VRF has:

  • Name — locally significant label (e.g., "CUST_A"); it is never sent to other routers
  • Route Distinguisher (RD) — 8-byte value prepended to each IPv4 prefix to form a unique VPNv4 prefix. RD 65000:100 + 10.0.0.0/8 is a different route from RD 65000:200 + 10.0.0.0/8, so overlapping customer address space survives in one BGP table. The RD carries no policy meaning
  • Route Targets (RT) — BGP extended communities attached on export and matched on import. They control which VRFs (on which PEs) accept a route, and are what connects customer sites across the MPLS core. The import list is also the isolation boundary: two customers that share an RT, by design or by typo, share routes, so RT assignments are worth auditing

How L3VPN Works End-to-End

  1. CE-CUST1 advertises 192.168.100.0/24 to PE-EDGE2 over their eBGP session (AS 65001 to AS 65000)
  2. PE-EDGE2 installs it in VRF CUST_A, prepends RD 65000:100 to form the VPNv4 prefix, allocates a VPN label for it, and attaches RT 65000:100 as an extended community
  3. The VPNv4 route, label included, is advertised over MP-BGP (VPNv4 address family) to the Route Reflector
  4. P-CORE (the RR) reflects it to PE-EDGE4 without installing it in any forwarding table of its own
  5. PE-EDGE4 matches RT 65000:100 against its VRF import policies and imports the route into VRF CUST_A; a VRF whose import list lacks that RT never sees it
  6. CE-CUST2 learns 192.168.100.0/24 from PE-EDGE4 and can reach Customer A's other site
  7. Packets cross the core with two labels: an outer transport label that gets them to PE-EDGE2's loopback, and the inner VPN label that PE-EDGE2 uses to pick VRF CUST_A. P routers switch on the outer label only and never hold customer routes
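The steps above, as an added example that is not part of the course lab: a small Python model of VPNv4 route distribution. ASN 65000, RD/RT 65000:100, the router names and the prefixes come from this module; CUST_B's RD/RT 65000:200, the PE loopbacks 10.255.0.2 and 10.255.0.4, and every class and function name are assumptions made for the example. Both customers announce 10.0.0.0/8, and a second run with a mistyped RT shows what the import policy actually protects.

```python
"""Model of MP-BGP VPNv4 distribution (added example, not the lab's code).
Assumed for this example: CUST_B RD/RT 65000:200, PE loopbacks, all names."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str            # route distinguisher, e.g. "65000:100"
    prefix: str        # customer IPv4 prefix as the CE announced it
    rts: frozenset     # route-target extended communities on the UPDATE
    vpn_label: int     # inner (VPN) label allocated by the originating PE
    next_hop: str      # originating PE loopback; the transport label points here

    @property
    def nlri(self) -> str:
        # RD + prefix is the VPNv4 NLRI. Two customers announcing 10.0.0.0/8
        # behind different RDs produce two different keys, so nothing collides.
        return f"{self.rd}:{self.prefix}"


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: set
    import_rts: set
    local: set = field(default_factory=set)      # prefixes learned from the CE
    remote: dict = field(default_factory=dict)   # prefix -> (next_hop, vpn_label)


class PE:
    def __init__(self, name: str, loopback: str):
        self.name, self.loopback = name, loopback
        self.vrfs: dict = {}
        self._next_label = 16            # labels 0-15 are reserved

    def add_vrf(self, vrf: Vrf) -> None:
        self.vrfs[vrf.name] = vrf

    def learn_from_ce(self, vrf_name: str, prefix: str) -> None:
        self.vrfs[vrf_name].local.add(prefix)

    def export(self) -> list:
        """Step 2: each VRF route becomes VPNv4 NLRI tagged with the export RTs."""
        routes = []
        for vrf in self.vrfs.values():
            for prefix in sorted(vrf.local):
                routes.append(Vpnv4Route(vrf.rd, prefix, frozenset(vrf.export_rts),
                                         self._next_label, self.loopback))
                self._next_label += 1
        return routes

    def import_route(self, r: Vpnv4Route) -> list:
        """Step 5: a VRF imports the route only if an RT matches its import set.
        The RD plays no part here; the RT list is the isolation boundary."""
        hit = []
        for vrf in self.vrfs.values():
            if vrf.import_rts & r.rts:
                vrf.remote[r.prefix] = (r.next_hop, r.vpn_label)
                hit.append(vrf.name)
        return hit


def reflect(pes: list) -> dict:
    """Steps 3-4: build the RR's VPNv4 table and reflect to every other PE."""
    table = {}
    for pe in pes:
        for r in pe.export():
            table[r.nlri] = r
            for other in pes:
                if other is not pe:
                    other.import_route(r)
    return table


def rt_leaks(pes: list) -> list:
    """Audit: an RT used by VRFs of different names joins two customers."""
    owners = {}
    for pe in pes:
        for vrf in pe.vrfs.values():
            for rt in vrf.export_rts | vrf.import_rts:
                owners.setdefault(rt, set()).add(vrf.name)
    return sorted(rt for rt, names in owners.items() if len(names) > 1)


def build_lab(cust_b_rt: str = "65000:200") -> tuple:
    """Two PEs, two VRFs each; loopbacks and CUST_B values are assumed."""
    pe2, pe4 = PE("PE-EDGE2", "10.255.0.2"), PE("PE-EDGE4", "10.255.0.4")
    for pe in (pe2, pe4):
        pe.add_vrf(Vrf("CUST_A", "65000:100", {"65000:100"}, {"65000:100"}))
        pe.add_vrf(Vrf("CUST_B", "65000:200", {cust_b_rt}, {cust_b_rt}))
    pe2.learn_from_ce("CUST_A", "10.0.0.0/8")          # both customers use 10/8
    pe2.learn_from_ce("CUST_B", "10.0.0.0/8")
    pe2.learn_from_ce("CUST_A", "192.168.100.0/24")
    return pe2, pe4, reflect([pe2, pe4])


if __name__ == "__main__":
    pe2, pe4, table = build_lab()
    print(sorted(table))                                # two distinct 10/8 NLRI
    print(pe4.vrfs["CUST_A"].remote, pe4.vrfs["CUST_B"].remote)
    print("leaks:", rt_leaks([pe2, pe4]))
    pe2b, pe4b, _ = build_lab(cust_b_rt="65000:100")    # fat-fingered RT on CUST_B
    print("leaks:", rt_leaks([pe2b, pe4b]), pe4b.vrfs["CUST_B"].remote)
```

With the correct RTs, PE-EDGE4 ends up with 10.0.0.0/8 in both VRFs, each pointing at a different VPN label, and no leak is reported. With CUST_B's RT mistyped as 65000:100, CUST_B imports Customer A's 192.168.100.0/24 and Customer B's 10.0.0.0/8 overwrites Customer A's in VRF CUST_A; the RD kept the two NLRI distinct in the RR's table the whole time, which is why RD and RT are different questions.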

Lab 4 Config: L3VPN

PE-EDGE2 (Customer A facing):

! Create VRF
vrf definition CUST_A
 rd 65000:100
 address-family ipv4
  route-target export 65000:100
  route-target import 65000:100
 exit-address-family
!
! Assign customer-facing interface to VRF
interface GigabitEthernet0/4
 description TO CE-CUST1
 vrf forwarding CUST_A
 ip address 10.100.0.1 255.255.255.252
 no shutdown
!
! BGP config for VRF. The CE session lives inside the VRF address-family;
! the route only leaves this router if the RR neighbor is also activated
! under address-family vpnv4 (not shown here).
router bgp 65000
 address-family ipv4 vrf CUST_A
  neighbor 10.100.0.2 remote-as 65001
  neighbor 10.100.0.2 activate
 exit-address-family

CE-CUST1 (Customer A):

hostname CE-CUST1
!
interface Loopback0
 ip address 192.168.100.1 255.255.255.255
!
interface GigabitEthernet0/0
 description TO PE-EDGE2
 ip address 10.100.0.2 255.255.255.252
 no shutdown
!
! 'network' only advertises a prefix that is already in the routing table,
! and Loopback0 is a /32, so anchor the /24 with a Null0 route
ip route 192.168.100.0 255.255.255.0 Null0
!
router bgp 65001
 bgp router-id 192.168.100.1
 network 192.168.100.0 mask 255.255.255.0
 neighbor 10.100.0.1 remote-as 65000

PE-EDGE4 (Customer A's second site, CE-CUST2 in AS 65002; same RD and RTs, so it imports the CUST_A routes PE-EDGE2 exports):

vrf definition CUST_A
 rd 65000:100
 address-family ipv4
  route-target export 65000:100
  route-target import 65000:100
 exit-address-family
!
interface GigabitEthernet0/4
 description TO CE-CUST2
 vrf forwarding CUST_A
 ip address 10.100.1.1 255.255.255.252
 no shutdown
!
router bgp 65000
 address-family ipv4 vrf CUST_A
  neighbor 10.100.1.2 remote-as 65002
  neighbor 10.100.1.2 activate
 exit-address-family

Verification

show vrf                                          ! VRFs configured and their interfaces
show ip route vrf CUST_A                          ! Customer A's routing table
show bgp vpnv4 unicast all                        ! All VPN routes across the core, keyed by RD
show bgp vpnv4 unicast all labels                 ! VPN (inner) label per route, in and out
show bgp vpnv4 unicast vrf CUST_A                 ! VPN routes for this specific customer
ping vrf CUST_A 192.168.100.1 source 10.100.1.1   ! Cross-core VPN connectivity
traceroute vrf CUST_A 192.168.100.1               ! Should show MPLS labels through core

If the route is in `show bgp vpnv4 unicast all` on the RR but missing from PE-EDGE4's VRF, check the RT import list before anything else; a missing or mistyped RT is silent. Also remember the PE accepts whatever the CE announces into its VRF, so on a production PE-CE session you would add `maximum-prefix` and an inbound prefix filter under the VRF neighbor.
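The two-label stack the traceroute is meant to show, as an added example that is not part of the course lab: Python that encodes RFC 3032 label stack entries and walks a packet from the ingress PE through P-CORE to the egress PE. The 32-bit entry layout is the real one; the label values 16/24/20, the LFIB contents, the VRF mapping and the 20-byte stand-in for the customer's IPv4 packet are constructed for this example.

```python
"""Two-label VPN forwarding walk-through (added example, not the lab's code).
Entry format is RFC 3032; label values, LFIBs and VRF mapping are assumed."""
import struct


def entry(label: int, bottom: bool, ttl: int = 255, tc: int = 0) -> bytes:
    """One label stack entry: label(20 bits) | TC(3) | S(1) | TTL(8)."""
    if not 0 <= label < 1 << 20:
        raise ValueError("label out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def top(pkt: bytes) -> tuple:
    """Decode the top entry as (label, tc, s, ttl)."""
    word, = struct.unpack("!I", pkt[:4])
    return word >> 12, (word >> 9) & 7, (word >> 8) & 1, word & 0xFF


def parse_stack(pkt: bytes) -> list:
    """Read entries down to the bottom-of-stack bit."""
    out = []
    for off in range(0, len(pkt) - 3, 4):
        out.append(top(pkt[off:off + 4]))
        if out[-1][2]:
            return out
    raise ValueError("no bottom-of-stack entry")


def ingress_pe(ip_packet: bytes, vpn_label: int, transport_label: int) -> bytes:
    """Ingress PE: VPN label (learned over MP-BGP from the egress PE, S=1)
    underneath the transport label (LDP label for the egress PE loopback, S=0)."""
    return entry(transport_label, False) + entry(vpn_label, True) + ip_packet


def p_router(pkt: bytes, lfib: dict) -> bytes:
    """P router: acts on the top entry only. An int means swap; None means
    implicit-null, i.e. pop it (penultimate hop popping). The VPN label and
    the customer IP packet underneath are never inspected."""
    label, tc, s, ttl = top(pkt)
    if label not in lfib:
        raise LookupError(f"no LFIB entry for label {label}: drop")
    if ttl <= 1:
        raise LookupError("TTL expired in transit")
    out_label, rest = lfib[label], pkt[4:]
    if out_label is None:                 # pop and propagate TTL downward
        ilabel, itc, ibottom, ittl = top(rest)
        return entry(ilabel, bool(ibottom), min(ttl - 1, ittl), itc) + rest[4:]
    return entry(out_label, bool(s), ttl - 1, tc) + rest


def egress_pe(pkt: bytes, vpn_labels: dict) -> tuple:
    """Egress PE: after PHP only the VPN label is left; it selects the VRF
    in which the exposed IP packet is then routed."""
    label, _, bottom, _ = top(pkt)
    if not bottom:
        raise ValueError("expected the VPN label at the bottom of the stack")
    return vpn_labels[label], pkt[4:]


# Constructed 20-byte stand-in for the IPv4 packet CE-CUST2 hands to PE-EDGE4.
CUSTOMER_IP = b"\x45" + bytes(19)


def walk(ip_packet: bytes = CUSTOMER_IP, core_lfibs: list = None) -> tuple:
    """CE-CUST2 -> PE-EDGE4 -> P-CORE -> PE-EDGE2 -> CE-CUST1. Returns the
    stack depth seen after each hop, the VRF chosen at egress, and the payload."""
    core_lfibs = core_lfibs if core_lfibs is not None else [{16: None}]
    pkt = ingress_pe(ip_packet, vpn_label=20, transport_label=16)   # assumed labels
    depths = [len(parse_stack(pkt))]
    for lfib in core_lfibs:
        pkt = p_router(pkt, lfib)
        depths.append(len(parse_stack(pkt)))
    vrf, payload = egress_pe(pkt, {20: "CUST_A"})                   # assumed mapping
    return depths, vrf, payload


if __name__ == "__main__":
    print(walk())                                   # ([2, 1], 'CUST_A', b'E\x00...')
    print(walk(core_lfibs=[{16: 24}, {24: None}]))  # swap at one P, pop at the next
```

The depth list is the answer to the "why two labels" question in a form you can step through: the core only ever touches the top entry, the penultimate hop strips it, and the label the egress PE is left with is the one it advertised in MP-BGP for that VRF. A P router with no LFIB entry for the top label drops the packet without ever parsing the customer header.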

Understanding Check

  1. What's the difference between RD and RT? (Common interview question!)
  2. If Customer B also uses 192.168.100.0/24, why doesn't it conflict?
  3. What MPLS labels are used for VPN forwarding? (Hint: there are TWO labels — why?)
  4. How would you give Customer A internet access in addition to their VPN?

Next Module: Module 5: eBGP — Peering with the World →