• Originally created to enable faster routing/switching of packets, but today's hardware/wire-speed routers make this benefit redundant.
  • MPLS header -- 4 bytes:
    • 20 bits: label
    • 3 bits: experimental (used for QoS)
    • 1 bit: bottom of label stack
    • 8 bits: TTL

Router Types

  • P = LSR = label switch router
  • PE = LER = label edge router


  • When an unlabelled packet arrives, the PE router determines the FEC and assigns a label before forwarding.
  • When a labelled packet arrives, either:
    • swap
    • push (add label, i.e. encapsulate/stack)
    • pop
  • FEC = forwarding equivalence class:
    • typically based on the destination IP + QoS.
    • usually corresponds to an LSP.
  • PHP = penultimate hop popping: "implicit null" label = 3


  • RFC 2547bis → RFC 4364
  • Define VRF and add interfaces to the VRF.
  • Each VRF has its own FIB (in addition to the main FIB).
  • Each prefix is tagged with the RD for that VRF (to maintain address space separation):
    • uses extended communities (RT = route target).
  • Layer 2 VPNs
  • Layer 3 VPNs
  • Layer 2 VPNs compared to Layer 3 VPNs


There are advantages and disadvantages for each approach, so one needs to consider those in addition to:
  • The current/future requirements of the service.
  • The existing provider infrastructure.
  • Cost.

Type of Traffic

  • L3: IP only.
  • L2: multiple protocols (IPv4, IPv6, IPX, DECnet, OSI, etc.).

Connectivity Scenarios

  1. Point-to-point
  2. Hub and spoke
  3. Partial mesh
  4. Full mesh
  5. Overlapping VPNs
  • L3: does 1, 4, 5 well (2 and 3 are more complex).
  • L2: does 1, 2, 3, 4 well (5 more complex).


  • Both: maximum number of LSPs and/or VCs supported on a PE router.
  • Both: maximum configuration file size:
    • L3: VRF, RD, extended communities, filtering policies.
    • L2: VPN peer PEs, ports associated with VPNs.
  • L3: maximum number of routs (use summarisation).
  • L2: maximum number of layer 2 forwarding table entries (require that CE be a router to limit the number of MACs per VPN).


  • L3:
    • usually require large PE routers.
    • BGP knowledge/expertise.
    • possible Route Reflector change to avoid overload.
    • confederations require inter-AS VPNs.
  • L2:
    • simpler PE routers.
    • no BGP.


  • L3:
    • design routing for VPN topology.
    • assign RDs and RT communities (and configure).
    • CE → PE peering configuration.
  • L2:
    • PE → PE in a VPN to establish VCs.
    • assign CE interfaces to VPN.

Management / Maintenance

  • L3:
    • BGP peering sessions.
    • BGP routes with different extended communities (multiple tables/VRF).
    • BGP route propagation and selection.
    • CE peering.
    • potentially large configuration files.
  • L2:
    • no BGP peering (unless used for VPN signalling).
    • no customer routes.
    • VCs that make up the VPN.
    • ports assigned to a VPN.
    • VFI MAC tables.


  • L3:
    • probably a bit more expensive for deployment (higher hardware demands).
    • higher management/maintenance costs.

IOS Configuration Example

ip vrf <vrf-name>
  rd xxx:yyy
  route-target export aaa:bbb
  route-target import aaa:bbb

mpls label protocol ldp
mpls ldp neighbor x.x.x.x password <...>

interface <...>
  description <...>
  mtu 1530
  ip address x.x.x.x
  ip ospf message-digest-key <...>
  ip ospf network point-to-point
  ip ospf cost <...>
  tag-switching ip

router bgp
  <...>        ! all the usual stuff here
  address-family ipv4 vrf <vrf-name>
    redistribute connected
    max-paths 2
    no auto-summary
    no synchronization

JUNOS Configuration Example

    preference <...>
    interface <...>

    interface <...>
      unit <...>
        family mpls

    instance-type vrf
    interface <...>
    route-distinguisher xxx:yyy
        <...>        ! all the usual stuff here

Useful Articles