L3VPN: MPLS VPN for Multi-Site Connectivity

Each customer needs their own routing table. Their addresses might overlap with other customers. They need to reach their own sites but not others. Managing separate physical infrastructure doesn’t scale.

MPLS L3VPN (Layer 3 VPN) solves this. Each customer gets a Virtual Routing and Forwarding (VRF) instance. A Route Distinguisher (RD) keeps each customer's routes distinct in BGP. Route Targets (RTs) control which VRFs import which routes. The MPLS backbone carries traffic with a label stack: an outer label that reaches the egress PE and an inner VPN label that identifies the customer route there.

L3VPN provides scalable multi-tenant connectivity over shared infrastructure.

L3VPN Concepts

Key Components

PE (Provider Edge): Has VRFs, connects to customers
P (Provider): Core router, just MPLS forwarding
CE (Customer Edge): Customer router, no VPN awareness

[CE1] ─── [PE1] ═══ MPLS ═══ [PE2] ─── [CE2]
 Site A           Backbone            Site B

VRF (Virtual Routing and Forwarding)

Separate routing table per customer:

VRF CustomerA: 10.0.0.0/8 → Site A
VRF CustomerB: 10.0.0.0/8 → Site B (same addresses, different VRF)
Global: Provider infrastructure only

Route Distinguisher (RD)

Makes routes unique in BGP (not for forwarding):

Without RD: 10.0.0.0/8 from Customer A
            10.0.0.0/8 from Customer B ← Collision!
With RD:    65000:1:10.0.0.0/8 from Customer A
            65000:2:10.0.0.0/8 from Customer B ← Unique

Route Target (RT)

Controls route import/export between VRFs:

Export RT: "Tag this route for customers who want it"
Import RT: "Import routes with this tag"
CustomerA-VRF exports: 65000:100
CustomerA-VRF imports: 65000:100 (import own routes at other sites)

Basic L3VPN Configuration

PE Router Setup

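configure
# Create VRF for customer (VyOS requires a table ID in the range 100-65535)
set vrf name CUSTOMER-A table 100
set vrf name CUSTOMER-A description "Customer A VPN"
# BGP instance inside the VRF
set vrf name CUSTOMER-A protocols bgp system-as 65000
# Route Distinguisher (unique per VRF)
set vrf name CUSTOMER-A protocols bgp address-family ipv4-unicast rd vpn export 65000:1
# Route Targets
set vrf name CUSTOMER-A protocols bgp address-family ipv4-unicast route-target vpn export 65000:100
set vrf name CUSTOMER-A protocols bgp address-family ipv4-unicast route-target vpn import 65000:100
# Exchange routes between the VRF and the VPNv4 table, and allocate a VPN label
set vrf name CUSTOMER-A protocols bgp address-family ipv4-unicast export vpn
set vrf name CUSTOMER-A protocols bgp address-family ipv4-unicast import vpn
set vrf name CUSTOMER-A protocols bgp address-family ipv4-unicast label vpn export auto
# Assign interface to VRF
set interfaces ethernet eth1 vrf CUSTOMER-A
set interfaces ethernet eth1 address 192.168.1.1/24
commit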

Enable VPNv4 Address Family

configure
# BGP configuration
set protocols bgp system-as 65000
set protocols bgp router-id 10.255.0.1
# VPNv4 address family with PE peers
set protocols bgp neighbor 10.255.0.2 remote-as 65000
set protocols bgp neighbor 10.255.0.2 update-source lo
set protocols bgp neighbor 10.255.0.2 address-family ipv4-vpn
commit

Redistribute Customer Routes

configure
# In the VRF context
set vrf name CUSTOMER-A protocols bgp system-as 65000
set vrf name CUSTOMER-A protocols bgp address-family ipv4-unicast redistribute connected
# Or with static routes from CE
set vrf name CUSTOMER-A protocols static route 10.1.0.0/16 next-hop 192.168.1.2
commit

PE-CE Routing

Static Routing

configure
# Static routes from CE
set vrf name CUSTOMER-A protocols static route 10.1.0.0/16 next-hop 192.168.1.2
set vrf name CUSTOMER-A protocols static route 10.2.0.0/16 next-hop 192.168.1.2
commit

eBGP PE-CE

configure
# BGP session with CE router
set vrf name CUSTOMER-A protocols bgp neighbor 192.168.1.2 remote-as 65100
set vrf name CUSTOMER-A protocols bgp neighbor 192.168.1.2 address-family ipv4-unicast
commit

OSPF PE-CE

configure
# OSPF with CE
set vrf name CUSTOMER-A protocols ospf interface eth1
set vrf name CUSTOMER-A protocols ospf redistribute bgp
commit

Complete L3VPN Example

Topology

Customer A Site 1         Provider Backbone         Customer A Site 2
[CE1] ─── [PE1] ═══════════════════════════════ [PE2] ─── [CE2]
10.1.0.0/16                                         10.2.0.0/16
          VRF:CUST-A                            VRF:CUST-A
          RD 65000:1                            RD 65000:1
          RT 65000:100                          RT 65000:100

PE1 Configuration

configure
# Loopback for BGP
set interfaces loopback lo address 10.255.0.1/32
# VRF (VyOS requires a table ID in the range 100-65535)
set vrf name CUST-A table 100
set vrf name CUST-A protocols bgp address-family ipv4-unicast rd vpn export 65000:1
set vrf name CUST-A protocols bgp address-family ipv4-unicast route-target vpn export 65000:100
set vrf name CUST-A protocols bgp address-family ipv4-unicast route-target vpn import 65000:100
# Exchange routes between the VRF and the VPNv4 table, and allocate a VPN label
set vrf name CUST-A protocols bgp address-family ipv4-unicast export vpn
set vrf name CUST-A protocols bgp address-family ipv4-unicast import vpn
set vrf name CUST-A protocols bgp address-family ipv4-unicast label vpn export auto
# Customer interface
set interfaces ethernet eth1 vrf CUST-A
set interfaces ethernet eth1 address 192.168.1.1/24
# Core interface
set interfaces ethernet eth0 address 10.0.0.1/30
# MPLS LDP
set protocols mpls interface eth0
set protocols mpls ldp router-id 10.255.0.1
set protocols mpls ldp discovery transport-ipv4-address 10.255.0.1
set protocols mpls ldp interface eth0
# OSPF for backbone
set protocols ospf area 0 network 10.255.0.1/32
set protocols ospf area 0 network 10.0.0.0/30
# BGP
set protocols bgp system-as 65000
set protocols bgp router-id 10.255.0.1
set protocols bgp neighbor 10.255.0.2 remote-as 65000
set protocols bgp neighbor 10.255.0.2 update-source lo
set protocols bgp neighbor 10.255.0.2 address-family ipv4-vpn
# VRF BGP
set vrf name CUST-A protocols bgp system-as 65000
set vrf name CUST-A protocols bgp neighbor 192.168.1.2 remote-as 65100
set vrf name CUST-A protocols bgp neighbor 192.168.1.2 address-family ipv4-unicast
commit

PE2 Configuration

configure
# Loopback
set interfaces loopback lo address 10.255.0.2/32
# VRF (same RT for same customer; table ID must be in the range 100-65535)
set vrf name CUST-A table 100
set vrf name CUST-A protocols bgp address-family ipv4-unicast rd vpn export 65000:1
set vrf name CUST-A protocols bgp address-family ipv4-unicast route-target vpn export 65000:100
set vrf name CUST-A protocols bgp address-family ipv4-unicast route-target vpn import 65000:100
# Exchange routes between the VRF and the VPNv4 table, and allocate a VPN label
set vrf name CUST-A protocols bgp address-family ipv4-unicast export vpn
set vrf name CUST-A protocols bgp address-family ipv4-unicast import vpn
set vrf name CUST-A protocols bgp address-family ipv4-unicast label vpn export auto
# Customer interface
set interfaces ethernet eth1 vrf CUST-A
set interfaces ethernet eth1 address 192.168.2.1/24
# Core interface
set interfaces ethernet eth0 address 10.0.0.2/30
# MPLS LDP
set protocols mpls interface eth0
set protocols mpls ldp router-id 10.255.0.2
set protocols mpls ldp discovery transport-ipv4-address 10.255.0.2
set protocols mpls ldp interface eth0
# OSPF
set protocols ospf area 0 network 10.255.0.2/32
set protocols ospf area 0 network 10.0.0.0/30
# BGP
set protocols bgp system-as 65000
set protocols bgp router-id 10.255.0.2
set protocols bgp neighbor 10.255.0.1 remote-as 65000
set protocols bgp neighbor 10.255.0.1 update-source lo
set protocols bgp neighbor 10.255.0.1 address-family ipv4-vpn
# VRF BGP
set vrf name CUST-A protocols bgp system-as 65000
set vrf name CUST-A protocols bgp neighbor 192.168.2.2 remote-as 65100
set vrf name CUST-A protocols bgp neighbor 192.168.2.2 address-family ipv4-unicast
commit

Viewing L3VPN State

Show VPN Routes

# Show VPNv4 routes
show bgp ipv4 vpn
# Output:
# Route Distinguisher: 65000:1
# *> 10.1.0.0/16 192.168.1.2 0 0 65100 i
# *> 10.2.0.0/16 10.255.0.2 0 0 65100 i
# Show specific VRF routes
show ip route vrf CUST-A

Show Labels

# Show VPN labels
show bgp ipv4 vpn labels
# Show MPLS forwarding table
show mpls table

Verify Connectivity

# Ping within VRF
ping 10.2.0.1 vrf CUST-A
# Traceroute within VRF
traceroute 10.2.0.1 vrf CUST-A

Route Target Patterns

Hub-and-Spoke

# Hub imports all, spokes import only from hub
# Hub VRF:
set vrf name HUB protocols bgp address-family ipv4-unicast route-target vpn export 65000:1
set vrf name HUB protocols bgp address-family ipv4-unicast route-target vpn import 65000:2
# Spoke VRF:
set vrf name SPOKE1 protocols bgp address-family ipv4-unicast route-target vpn export 65000:2
set vrf name SPOKE1 protocols bgp address-family ipv4-unicast route-target vpn import 65000:1
# Traffic: Spoke → Hub → Spoke (forced through hub)

Full Mesh

# All sites import from all sites
set vrf name SITE protocols bgp address-family ipv4-unicast route-target vpn export 65000:100
set vrf name SITE protocols bgp address-family ipv4-unicast route-target vpn import 65000:100
# Any-to-any connectivity

Extranet

# Customer A can reach shared services
# Customer A VRF (imports the shared services RT):
set vrf name CUST-A protocols bgp address-family ipv4-unicast route-target vpn import 65000:999
# Shared Services VRF:
set vrf name SHARED protocols bgp address-family ipv4-unicast route-target vpn export 65000:999
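
Tenant isolation in these patterns rests entirely on the RT import/export statements, so they are worth checking mechanically. The following Python audit is an added example, not part of the original page or of VyOS: it reads `set vrf name ...` lines (with or without the `vpn` keyword), derives which VRF receives routes from which, and reports flows outside an allow-list, intended flows that have no return routes, and an RD reused by two VRF names (identical prefixes from both would collapse into one VPNv4 route). The sample config, the CUST-B VRF, the SHARED RD and the allow-list are constructed for illustration.

```python
import re
from collections import defaultdict
from itertools import permutations

# Matches "rd X" / "route-target export X", with or without the "vpn" keyword.
LINE = re.compile(r"^\s*set vrf name (\S+) protocols bgp address-family \S+ "
                  r"(rd|route-target)(?: vpn)?(?: (export|import|both))? (\S+(?: \S+)*)[ \t]*$", re.M)

# Constructed sample; CUST-B is a hypothetical clone of CUST-A with RD and one import RT left over.
SAMPLE = """
set vrf name CUST-A protocols bgp address-family ipv4-unicast rd vpn export 65000:1
set vrf name CUST-A protocols bgp address-family ipv4-unicast route-target vpn export 65000:100
set vrf name CUST-A protocols bgp address-family ipv4-unicast route-target vpn import 65000:100
set vrf name CUST-A protocols bgp address-family ipv4-unicast route-target vpn import 65000:999
set vrf name SHARED protocols bgp address-family ipv4-unicast rd vpn export 65000:9
set vrf name SHARED protocols bgp address-family ipv4-unicast route-target vpn export 65000:999
set vrf name CUST-B protocols bgp address-family ipv4-unicast rd vpn export 65000:1
set vrf name CUST-B protocols bgp address-family ipv4-unicast route-target vpn export 65000:200
set vrf name CUST-B protocols bgp address-family ipv4-unicast route-target vpn import 65000:200
set vrf name CUST-B protocols bgp address-family ipv4-unicast route-target vpn import 65000:100
"""

def parse(config):
    """Collect the RD and the import/export RT sets for each VRF name."""
    vrfs = defaultdict(lambda: {"rd": None, "import": set(), "export": set()})
    for name, kind, direction, value in LINE.findall(config):
        if kind == "rd":
            vrfs[name]["rd"] = value
        elif direction:
            for d in ("import", "export") if direction == "both" else (direction,):
                vrfs[name][d].update(value.split())
    return dict(vrfs)

def route_flows(vrfs):
    """(src, dst) pairs where dst imports at least one RT that src exports."""
    return {(s, d) for s, d in permutations(vrfs, 2) if vrfs[s]["export"] & vrfs[d]["import"]}

def audit(vrfs, allowed):
    """Findings: flows outside `allowed`, intended flows with no return routes, RD reuse."""
    flows = route_flows(vrfs)
    out = [("leak", f"{s} -> {d}") for s, d in sorted(flows - allowed)]
    out += [("one-way", f"{s} -> {d}") for s, d in sorted(flows & allowed) if (d, s) not in flows]
    for rd in sorted({v["rd"] for v in vrfs.values() if v["rd"]}):
        names = sorted(n for n, v in vrfs.items() if v["rd"] == rd)
        if len(names) > 1:
            out.append(("rd-reuse", f"{rd}: {', '.join(names)}"))
    return out

ALLOWED = {("SHARED", "CUST-A"), ("CUST-A", "SHARED")}  # constructed policy: extranet only
print(audit(parse(SAMPLE), ALLOWED))
```

The one-way finding reflects the extranet snippet as written: CUST-A learns the shared-services routes, but SHARED imports nothing from CUST-A, so return traffic needs a matching import on the SHARED side.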

Troubleshooting L3VPN

Routes Not Exchanged

# Check VPNv4 session
show bgp ipv4 vpn summary
# Check RT configuration
show vrf CUST-A
# Verify import/export RT match between sites

MPLS Labels Not Working

# Check MPLS is enabled on core interfaces
show interfaces ethernet eth0
# Check LDP neighbor
show mpls ldp neighbor
# Check MPLS table
show mpls table

Traffic Not Flowing

# Verify VRF routing table
show ip route vrf CUST-A
# Check label stack
show bgp ipv4 vpn 10.2.0.0/16
# Trace path
traceroute 10.2.0.1 vrf CUST-A

The Lesson

L3VPN provides scalable multi-tenant connectivity over shared infrastructure.

Without L3VPN:

  • Separate physical networks per customer
  • Address overlap impossible
  • Doesn’t scale

With L3VPN:

  • Single MPLS backbone serves all customers
  • VRFs provide isolation
  • Overlapping addresses supported (different RDs)
  • Route Targets control connectivity

Key concepts:

  • VRF: Separate routing table per customer
  • RD: Makes routes globally unique
  • RT: Controls import/export between VRFs
  • VPNv4: BGP carrying VPN routes with labels

VyOS L3VPN support requires MPLS. Verify feature support in your version before production deployment.