• Originally created to enable faster routing/switching of packets, but today's hardware/wire-speed routers make this benefit redundant.

  • MPLS header -- 4 bytes:

    • 20 bits: label

    • 3 bits: experimental (used for QoS)

    • 1 bit: bottom of label stack

    • 8 bits: TTL

Router Types

  • P = LSR = label switch router

  • PE = LER = label edge router


  • When an unlabelled packet arrives, the PE router determines the FEC and assigns a label before forwarding.

  • When a labelled packet arrives, either:

    • swap

    • push (add label, i.e. encapsulate/stack)

    • pop

  • FEC = forwarding equivalence class:

    • typically based on the destination IP + QoS.

    • usually corresponds to an LSP.

  • PHP = penultimate hop popping: "implicit null" label = 3


  • RFC 2547bis → RFC 4364

  • Define VRF and add interfaces to the VRF.

  • Each VRF has its own FIB (in addition to the main FIB).

  • Each prefix is tagged with the RD for that VRF (to maintain address space separation):

    • uses extended communities (RT = route target).

  • Layer 2 VPNs

  • Layer 3 VPNs


There are advantages and disadvantages for each approach, so one needs to consider those in addition to:

    • The current/future requirements of the service.

    • The existing provider infrastructure.

    • Cost.

Type of Traffic

    • L3: IP only.

    • L2: multiple protocols (IPv4, IPv6, IPX, DECnet, OSI, etc.).

Connectivity Scenarios

  1. Point-to-point

  2. Hub and spoke

  3. Partial mesh

  4. Full mesh

  5. Overlapping VPNs

    • L3: does 1, 4, 5 well (2 and 3 are more complex).

    • L2: does 1, 2, 3, 4 well (5 more complex).


  • Both: maximum number of LSPs and/or VCs supported on a PE router.

  • Both: maximum configuration file size:

    • L3: VRF, RD, extended communities, filtering policies.

    • L2: VPN peer PEs, ports associated with VPNs.

  • L3: maximum number of routs (use summarisation).

  • L2: maximum number of layer 2 forwarding table entries (require that CE be a router to limit the number of MACs per VPN).


  • L3:

    • usually require large PE routers.

    • BGP knowledge/expertise.

    • possible Route Reflector change to avoid overload.

    • confederations require inter-AS VPNs.

  • L2:

    • simpler PE routers.

    • no BGP.


  • L3:

    • design routing for VPN topology.

    • assign RDs and RT communities (and configure).

    • CE → PE peering configuration.

  • L2:

    • PE → PE in a VPN to establish VCs.

    • assign CE interfaces to VPN.

Management / Maintenance

  • L3:

    • BGP peering sessions.

    • BGP routes with different extended communities (multiple tables/VRF).

    • BGP route propagation and selection.

    • CE peering.

    • potentially large configuration files.

  • L2:

    • no BGP peering (unless used for VPN signalling).

    • no customer routes.

    • VCs that make up the VPN.

    • ports assigned to a VPN.

    • VFI MAC tables.


  • L3:

    • probably a bit more expensive for deployment (higher hardware demands).

    • higher management/maintenance costs.

Useful Articles

IOS Configuration Example

ip vrf <vrf-name>

rd xxx:yyy

route-target export aaa:bbb

route-target import aaa:bbb

mpls label protocol ldp

mpls ldp neighbor x.x.x.x password <...>

interface <...>

description <...>

mtu 1530

ip address x.x.x.x

ip ospf message-digest-key <...>

ip ospf network point-to-point

ip ospf cost <...>

tag-switching ip

router bgp

<...> ! all the usual stuff here

address-family ipv4 vrf <vrf-name>

redistribute connected

max-paths 2

no auto-summary

no synchronization

JUNOS Configuration Example





preference <...>

interface <...>







interface <...>

unit <...>

family mpls



instance-type vrf

interface <...>

route-distinguisher xxx:yyy



<...> ! all the usual stuff here



© Robert Larsen. All rights reserved.