isp-backbone-course/modules/04-l3vpn.md
2026-02-27 10:28:45 -07:00

# Module 4: L3VPN — Customer Isolation with VRFs
> **Course**: [ISP Backbone Lab Course](../README.md)
> **Previous**: [Module 3: iBGP](03-ibgp.md)
> **Next**: [Module 5: eBGP](05-ebgp.md)
---
## Network Diagram
![L3VPN End-to-End Flow](../diagrams/Module4_L3VPN_Flow.png)
*L3VPN end-to-end flow — CE→PE→MPLS Core→PE→CE with VRF isolation and dual label stack*
---
## The Business Problem
You're an ISP. Customer A and Customer B both use `10.0.0.0/8` internally (because of course they do). If both sets of routes land in your global routing table, the two `10.0.0.0/8` entries are indistinguishable: only one can be installed, and traffic for one customer ends up at the other. **VRFs solve this.**
## What Is a VRF?
A **VRF (Virtual Routing and Forwarding)** instance is a separate routing table and forwarding table (FIB) on the same physical router, with its own set of member interfaces. Think of it as running multiple virtual routers on one box: a packet arriving on a VRF interface is looked up only in that VRF's table.
Each VRF has:
- **Name** — just a local label (e.g., "CUST_A"); it is never sent to other routers
- **Route Distinguisher (RD)** — an 8-byte value prepended to each IPv4 prefix so it is unique in the VPNv4 table. `65000:100` + `10.0.0.0/8` becomes the VPNv4 prefix `65000:100:10.0.0.0/8`, which cannot collide with Customer B's copy under a different RD (say `65000:200`). The RD only disambiguates; it does not decide who receives the route
- **Route Targets (RT)** — BGP extended communities attached to a route on export and matched against every VRF's import list on the receiving PE. This is the magic that connects customer sites across the MPLS core, and it is also the entire isolation boundary: a VRF that imports another customer's RT receives that customer's routes, so import lists deserve the same scrutiny as firewall rules
## How L3VPN Works End-to-End
1. **CE-CUST1** advertises `192.168.100.0/24` to **PE-EDGE2** over the PE-CE eBGP session (AS 65001 to AS 65000)
2. **PE-EDGE2** receives it in VRF `CUST_A`, prepends RD `65000:100` to form the VPNv4 prefix `65000:100:192.168.100.0/24`, attaches the export RT `65000:100` as an extended community, and allocates a VPN label for it
3. The VPNv4 route is sent over **MP-BGP (VPNv4 address family)** to the Route Reflector, with PE-EDGE2's loopback as the BGP next hop
4. **P-CORE (RR)** reflects it to **PE-EDGE4**; it keeps the route only in its BGP VPNv4 table, since it has no VRF to install it into
5. **PE-EDGE4** matches RT `65000:100` against the import lists of its VRFs and installs the route in VRF `CUST_A` and nowhere else; a VRF whose import list lacks that RT never sees it
6. **PE-EDGE4** advertises it to **CE-CUST2** over its own PE-CE eBGP session, so Customer A's second site can reach the first
7. **All transit through the core is MPLS-labeled**: PE-EDGE4 pushes the VPN label from step 2 plus a transport label toward PE-EDGE2's loopback, and P routers switch on the transport label only, never looking up a customer prefix
## Lab 4 Config: L3VPN
**PE-EDGE2 (Customer A facing):**
```
! Create VRF
vrf definition CUST_A
 rd 65000:100
 address-family ipv4
  route-target export 65000:100
  route-target import 65000:100
 exit-address-family
!
! Assign customer-facing interface to VRF
! (moving an interface into a VRF clears its IP address, so set it afterwards)
interface GigabitEthernet0/4
 description TO CE-CUST1
 vrf forwarding CUST_A
 ip address 10.100.0.1 255.255.255.252
 no shutdown
!
! BGP config for VRF. The iBGP session to P-CORE (the RR) must also be
! activated under address-family vpnv4 with send-community extended;
! without that the RTs are stripped and PE-EDGE4 imports nothing.
router bgp 65000
 address-family ipv4 vrf CUST_A
  ! advertise the PE-CE link so the far site can reach this VRF interface
  redistribute connected
  neighbor 10.100.0.2 remote-as 65001
  neighbor 10.100.0.2 activate
 exit-address-family
```
**CE-CUST1 (Customer A):**
```
hostname CE-CUST1
!
! /24 rather than /32: the network statement below only advertises a prefix
! that exists exactly in the routing table, and a /32 loopback would not match
interface Loopback0
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/0
 description TO PE-EDGE2
 ip address 10.100.0.2 255.255.255.252
 no shutdown
!
router bgp 65001
 bgp router-id 192.168.100.1
 network 192.168.100.0 mask 255.255.255.0
 neighbor 10.100.0.1 remote-as 65000
```
**PE-EDGE4 (Customer A's second site, facing CE-CUST2):**
```
! Same RD and RT as PE-EDGE2: the matching import RT is what pulls
! Customer A's routes into this VRF
vrf definition CUST_A
 rd 65000:100
 address-family ipv4
  route-target export 65000:100
  route-target import 65000:100
 exit-address-family
!
interface GigabitEthernet0/4
 description TO CE-CUST2
 vrf forwarding CUST_A
 ip address 10.100.1.1 255.255.255.252
 no shutdown
!
! As on PE-EDGE2, the vpnv4 session to the RR must send extended communities
router bgp 65000
 address-family ipv4 vrf CUST_A
  ! advertise the PE-CE link so CE-CUST1 has a return route to 10.100.1.1
  redistribute connected
  neighbor 10.100.1.2 remote-as 65002
  neighbor 10.100.1.2 activate
 exit-address-family
```
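Added example, not part of the course's lab config: a second customer on PE-EDGE4 whose CE also advertises `192.168.100.0/24`, the exact overlap from the Business Problem. The VRF name `CUST_B`, RD/RT `65000:200`, interface `GigabitEthernet0/5`, link `10.200.0.0/30`, CE AS 65010, the PE's `Loopback0` and the RR loopback `10.255.0.1` are all assumptions for illustration. It shows the two things that keep the customers apart (a distinct RD so both copies of the prefix coexist in the VPNv4 table, and disjoint RT import lists so neither VRF sees the other's routes), the VPNv4 session settings the lab config relies on, and the one-line misconfiguration that would collapse the isolation.

```cisco
! Added example, not part of the course's lab config.
! PE-EDGE4: Customer B next to Customer A. Both customers advertise
! 192.168.100.0/24; only the RD/RT values keep them apart.
!
vrf definition CUST_B
 rd 65000:200
 address-family ipv4
  route-target export 65000:200
  route-target import 65000:200
  ! The isolation boundary is the import line above. Adding
  !   route-target import 65000:100
  ! here would pull every Customer A route into Customer B's table.
 exit-address-family
!
interface GigabitEthernet0/5
 description TO CE-CUSTB (assumed interface and addressing)
 vrf forwarding CUST_B
 ip address 10.200.0.1 255.255.255.252
 no shutdown
!
router bgp 65000
 ! VPNv4 session to the route reflector (10.255.0.1 is an assumed RR loopback).
 ! Without send-community extended the RTs are stripped in transit and
 ! no PE imports anything, for either customer.
 neighbor 10.255.0.1 remote-as 65000
 neighbor 10.255.0.1 update-source Loopback0
 address-family vpnv4
  neighbor 10.255.0.1 activate
  neighbor 10.255.0.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUST_B
  redistribute connected
  neighbor 10.200.0.2 remote-as 65010
  neighbor 10.200.0.2 activate
 exit-address-family
```

With this in place the VPNv4 table on PE-EDGE4 carries `65000:100:192.168.100.0/24` and `65000:200:192.168.100.0/24` side by side, while `show ip route vrf CUST_A` and `show ip route vrf CUST_B` each show only their own copy. Treat changes to `route-target import` lines as customer-affecting changes: a review of those lines is the cheapest leak check an ISP has.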
## Verification
```
! Run these on PE-EDGE4 (the ping and traceroute use its VRF interface as source)
!
! VRFs configured
show vrf
! Customer A's routing table
show ip route vrf CUST_A
! All VPN routes across the core, under every RD
show bgp vpnv4 unicast all
! VPN routes for this specific customer
show bgp vpnv4 unicast vrf CUST_A
! Cross-core VPN connectivity. The source address must be reachable from
! CE-CUST1, so the PE-CE link subnets have to be advertised into the VPN
ping vrf CUST_A 192.168.100.1 source 10.100.1.1
! Should show MPLS labels through the core
traceroute vrf CUST_A 192.168.100.1
```
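Added isolation checks, not part of the course's verification list: the commands above prove the VPN works, these prove that it leaks nothing. They run on PE-EDGE4 and assume a second VRF `CUST_B` with RD `65000:200` exists on it whose CE also advertises `192.168.100.0/24` (that VRF is an assumption, not in the lab config).

```cisco
! Added example, not part of the course's verification list. Run on PE-EDGE4.
! Assumes a second VRF CUST_B (RD 65000:200) that also carries 192.168.100.0/24.
!
! Both customers' copies of the prefix are present, listed under their own RDs
show bgp vpnv4 unicast all 192.168.100.0/24
!
! Negative test: Customer A's prefix must be absent from Customer B's table
! (and vice versa). Expect the router to report the network is not in the table.
show ip route vrf CUST_B 192.168.100.0 255.255.255.0
!
! Negative test: customer prefixes must never appear in the global table
show ip route 192.168.100.0 255.255.255.0
!
! The label stack this PE imposes toward Customer A's far site: the inner VPN
! label allocated by PE-EDGE2 and the outer transport label toward its loopback
show ip cef vrf CUST_A 192.168.100.0 255.255.255.0 detail
show bgp vpnv4 unicast vrf CUST_A labels
```

Any hit on the two negative tests means an RT import list or a redistribution statement is wrong, and it should be treated as an incident rather than a lab oddity: it is exactly the failure the VRF design exists to prevent.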
## Understanding Check
1. What's the difference between RD and RT? (Common interview question!)
2. If Customer B also uses `192.168.100.0/24`, why doesn't it conflict?
3. What MPLS labels are used for VPN forwarding? (Hint: there are TWO labels — why?)
4. How would you give Customer A internet access in addition to their VPN?
---
> **Next Module**: [Module 5: eBGP — Peering with the World →](05-ebgp.md)