Thursday, May 14, 2026

Complete Cisco IOS XR MPLS L3VPN Configuration Guide Part 2 | VRF, Route Targets, PE-CE BGP & VPNv4

Welcome to Part 2 of the Cisco IOS XR MPLS L3VPN series.

In Part 1, we built the MPLS underlay using:

  • OSPF
  • ISIS
  • MPLS LDP
  • MP-iBGP
  • VPNv4 Route Reflectors

Now in Part 2, we move into the real MPLS Layer 3 VPN implementation where customer routes are transported across the provider backbone using VRFs and MP-BGP VPNv4 routing.

What You Will Learn in Part 2

  • VRF configuration in IOS XR
  • Route Distinguisher concepts
  • Route Target import/export logic
  • PE-CE BGP configuration
  • Customer route advertisement
  • VPNv4 route propagation
  • MPLS Layer 3 VPN operation
  • End-to-end customer connectivity
  • Verification and troubleshooting

1. MPLS Layer 3 VPN Overview

MPLS Layer 3 VPN allows multiple customers to share the same provider infrastructure while maintaining isolated routing tables.

The Provider Edge routers maintain separate VRFs for each customer.

Customer routes are exchanged using MP-BGP VPNv4 routes.

MPLS VPN Formula

$$ VPNv4\ Route = RD + IPv4\ Prefix + RT $$

Where:

  • RD = Route Distinguisher
  • RT = Route Target
  • VPNv4 = Extended VPN route format

2. Understanding VRFs

VRF stands for Virtual Routing and Forwarding.

VRFs create isolated routing tables inside the same router.

Different customers can even use overlapping IP addressing.

VRF Isolation Logic

$$ CustomerA\ Routing\ Table \neq CustomerB\ Routing\ Table $$

Why VRFs Are Important

  • Customer isolation
  • Overlapping IP support
  • Security separation
  • Scalable MPLS VPN architecture

3. Route Distinguisher Deep Dive

Route Distinguishers make customer routes globally unique inside the MPLS cloud.

RD Formula

$$ VPNv4 = RD + IPv4\ Prefix $$

Example:

$$ 100:1 + 10.9.9.0/24 $$

Result:

$$ 100:1:10.9.9.0/24 $$

4. Route Target Deep Dive

Route Targets control route import and export policies.

If two VRFs share the same Route Target, routes can be exchanged between them.

Route Import Formula

$$ Import\ Allowed = \begin{cases} TRUE, & RT_{export}=RT_{import} \\ FALSE, & otherwise \end{cases} $$
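
The RD and RT rules from sections 3 and 4, modelled in Python as an added example (not code from the original guide). The CUST-A values come from this page; the second customer CUST-B with RD/RT 100:2 is constructed to show an overlapping prefix and the effect of a mistyped import RT. Only imports from a remote PE are modelled.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Vpnv4Route:
    rd: str            # Route Distinguisher prepended to the prefix
    prefix: str        # customer IPv4 prefix
    rts: frozenset     # export Route Targets (BGP extended communities)
    pe: str            # originating PE, used as next hop

@dataclass
class Vrf:
    pe: str
    name: str
    rd: str
    import_rts: set
    export_rts: set
    local: list = field(default_factory=list)   # prefixes learned from the CE
    table: dict = field(default_factory=dict)   # imported prefix -> next-hop PE

def propagate(vrfs):
    """Export each local prefix as a VPNv4 route, then import on RT match."""
    vpnv4 = {}
    for v in vrfs:
        for p in v.local:
            vpnv4[(v.rd, p)] = Vpnv4Route(v.rd, p, frozenset(v.export_rts), v.pe)
    for v in vrfs:   # simplification: only routes from a remote PE are imported
        v.table = {r.prefix: r.pe for r in vpnv4.values()
                   if r.pe != v.pe and r.rts & v.import_rts}
    return vpnv4

def build(cust_b_r1_import=("100:2",)):
    # CUST-A values are from the page. CUST-B (RD/RT 100:2) is a constructed
    # second customer that reuses 10.9.9.0/24 behind R2.
    return [
        Vrf("R1", "CUST-A", "100:1", {"100:1"}, {"100:1"}, ["10.9.9.0/24"]),
        Vrf("R2", "CUST-A", "100:1", {"100:1"}, {"100:1"}, ["10.10.10.0/24"]),
        Vrf("R1", "CUST-B", "100:2", set(cust_b_r1_import), {"100:2"}),
        Vrf("R2", "CUST-B", "100:2", {"100:2"}, {"100:2"}, ["10.9.9.0/24"]),
    ]

if __name__ == "__main__":
    for imports in (("100:2",), ("100:2", "100:1")):   # correct, then mistyped RT
        vrfs = build(imports)
        print(len(propagate(vrfs)), {(v.pe, v.name): v.table for v in vrfs})
```

With the correct import RT, both customers carry 10.9.9.0/24 without colliding; adding 100:1 to CUST-B's import list on R1 places CUST-A's 10.10.10.0/24 in CUST-B's table.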

5. AS100 Customer VPN Configuration

AS100 contains:

  • R1 and R2 as PE routers
  • R9 and R10 as CE routers

Customer routes are exchanged using MP-BGP VPNv4.

6. R1 VRF Configuration

Code Example

vrf CUST-A

This creates the VRF instance.

R1

vrf CUST-A

 address-family ipv4 unicast

  import route-target
   100:1
  exit

  export route-target
   100:1
  exit

 commit

interface gig0/0/0/2
 vrf CUST-A
 ipv4 address 192.1.10.1 255.255.255.0
 no shut

commit

Detailed Explanation

The VRF CUST-A is created with Route Target 100:1. VRF names are case-sensitive in IOS XR, so the same spelling must be used under the interface and under router bgp.

Import Route Target determines which routes are imported into the VRF.

Export Route Target determines which routes are exported from the VRF.

The interface connected to the CE router is assigned into the VRF.

7. R2 VRF Configuration

R2

vrf CUST-A

 address-family ipv4 unicast

  import route-target
   100:1
  exit

  export route-target
   100:1
  exit

 commit

interface gig0/0/0/2
 vrf CUST-A
 ipv4 address 192.1.20.2 255.255.255.0
 no shut

commit

Route Exchange Logic

$$ RT_{R1}=100:1 $$ $$ RT_{R2}=100:1 $$

Therefore:

$$ VPN\ Route\ Exchange = Allowed $$

8. PE-CE BGP Configuration for AS100

PE-CE BGP exchanges customer routes between the CE router and PE router.

R1 PE-CE BGP Configuration

R1

route-policy PASSALL
 pass
end-policy

router bgp 100

 address-family ipv4 unicast
 exit

 vrf CUST-A

  rd 100:1

  address-family ipv4 unicast
  exit

  neighbor 192.1.10.9
   remote-as 65009

   address-family ipv4 unicast
    route-policy PASSALL in
    route-policy PASSALL out

commit

Why Use Route Policies?

IOS XR uses route-policies instead of route-maps.

The PASSALL route-policy permits all routes.

In production networks, route-policies provide:

  • Security filtering
  • Traffic engineering
  • Route manipulation
  • Prefix filtering
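
An added example (not part of the original guide): a small Python check that reads IOS XR configuration text and reports PE-CE neighbors whose inbound route-policy is a bare pass, like PASSALL above. The hardened sample, including the names R9-PREFIXES and R9-IN and the maximum-prefix values, is constructed for illustration.

```python
import re
# Constructed input: the lines of R1's PE-CE configuration that the check reads.
WEAK = """route-policy PASSALL
 pass
end-policy
router bgp 100
 vrf CUST-A
  neighbor 192.1.10.9
   address-family ipv4 unicast
    route-policy PASSALL in"""
# Constructed hardened variant (assumed names R9-PREFIXES, R9-IN; limit 10 is arbitrary).
HARDENED = """prefix-set R9-PREFIXES
 10.9.9.0/24
end-set
route-policy R9-IN
 if destination in R9-PREFIXES then
  pass
 endif
end-policy
router bgp 100
 vrf CUST-A
  neighbor 192.1.10.9
   address-family ipv4 unicast
    route-policy R9-IN in
    maximum-prefix 10 75"""

def audit_pe_ce(config):
    """Return (vrf, peer, policy) for neighbors whose inbound policy is only 'pass'."""
    policies, name, nbrs, vrf = {}, None, [], None
    for line in filter(None, map(str.strip, config.splitlines())):
        if name is not None:                        # inside a route-policy body
            if line == "end-policy":
                name = None
            else:
                policies[name].append(line)
        elif m := re.fullmatch(r"route-policy (\S+)", line):   # definition line
            name = m.group(1)
            policies[name] = []
        elif m := re.fullmatch(r"vrf (\S+)", line):
            vrf = m.group(1)
        elif m := re.fullmatch(r"neighbor (\S+)", line):
            nbrs.append({"vrf": vrf, "peer": m.group(1), "in": None})
        elif nbrs and (m := re.fullmatch(r"route-policy (\S+) in", line)):
            nbrs[-1]["in"] = m.group(1)             # inbound attachment
    return [(n["vrf"], n["peer"], n["in"]) for n in nbrs
            if policies.get(n["in"]) == ["pass"]]

if __name__ == "__main__":
    print(audit_pe_ce(WEAK), audit_pe_ce(HARDENED))
```

The hardened policy relies on the route-policy default: a route that reaches the end of the policy without a pass is dropped, so only 10.9.9.0/24 is accepted from R9.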

R2 PE-CE BGP Configuration

R2

route-policy PASSALL
 pass
end-policy

router bgp 100

 address-family ipv4 unicast
 exit

 vrf CUST-A

  rd 100:1

  address-family ipv4 unicast
  exit

  neighbor 192.1.20.10
   remote-as 65010

   address-family ipv4 unicast
    route-policy PASSALL in
    route-policy PASSALL out

commit

BGP Path Selection Simplified

$$ Best\ Path = Highest\ Preference + Lowest\ Metric $$

9. CE Router Configuration for AS100

R9 Configuration

R9

interface Loopback0
 ip address 10.9.9.9 255.255.255.0

interface E0/0
 ip address 192.1.10.9 255.255.255.0
 no shut

router bgp 65009
 network 10.9.9.0 mask 255.255.255.0
 neighbor 192.1.10.1 remote-as 100

R10 Configuration

R10

interface Loopback0
 ip address 10.10.10.10 255.255.255.0

interface E0/0
 ip address 192.1.20.10 255.255.255.0
 no shut

router bgp 65010
 network 10.10.10.0 mask 255.255.255.0
 neighbor 192.1.20.2 remote-as 100

Customer Route Advertisement

The network command advertises customer loopback routes into BGP.

These routes are then:

  • Learned by the PE router
  • Converted into VPNv4 routes
  • Advertised across the MPLS core
  • Imported into remote VRFs

10. AS200 Customer VPN Configuration

AS200 contains:

  • R5 and R6 as PE routers
  • R11 and R12 as CE routers

11. R5 VRF Configuration

R5

vrf CUST-A

 address-family ipv4 unicast

  import route-target
   200:1
  exit

  export route-target
   200:1
  exit

 commit

interface gig0/0/0/2
 vrf CUST-A
 ipv4 address 192.1.50.5 255.255.255.0
 no shut

commit

12. R6 VRF Configuration

R6

vrf CUST-A

 address-family ipv4 unicast

  import route-target
   200:1
  exit

  export route-target
   200:1
  exit

 commit

interface gig0/0/0/2
 vrf CUST-A
 ipv4 address 192.1.60.6 255.255.255.0
 no shut

commit

VPN Membership Formula

$$ VPN\ Membership = Shared\ Route\ Target $$

13. PE-CE BGP Configuration for AS200

R5 Configuration

R5

route-policy PASSALL
 pass
end-policy

router bgp 200

 address-family ipv4 unicast
 exit

 vrf CUST-A

  rd 200:1

  address-family ipv4 unicast
  exit

  neighbor 192.1.50.11
   remote-as 65011

   address-family ipv4 unicast
    route-policy PASSALL in
    route-policy PASSALL out

commit

R6 Configuration

R6

route-policy PASSALL
 pass
end-policy

router bgp 200

 address-family ipv4 unicast
 exit

 vrf CUST-A

  rd 200:1

  address-family ipv4 unicast
  exit

  neighbor 192.1.60.12
   remote-as 65012

   address-family ipv4 unicast
    route-policy PASSALL in
    route-policy PASSALL out

commit

14. CE Router Configuration for AS200

R11 Configuration

R11

interface Loopback0
 ip address 10.11.11.11 255.255.255.0

interface E0/0
 ip address 192.1.50.11 255.255.255.0
 no shut

router bgp 65011
 network 10.11.11.0 mask 255.255.255.0
 neighbor 192.1.50.5 remote-as 200

R12 Configuration

R12

interface Loopback0
 ip address 10.12.12.12 255.255.255.0

interface E0/0
 ip address 192.1.60.12 255.255.255.0
 no shut

router bgp 65012
 network 10.12.12.0 mask 255.255.255.0
 neighbor 192.1.60.6 remote-as 200

15. Verification Commands

Verify VRF Routing Table

show route vrf CUST-A

Verify VPNv4 Routes

show bgp vpnv4 unicast

Verify PE-CE BGP

show bgp vrf CUST-A summary

Verify Connectivity

ping 10.10.10.10
ping 10.12.12.12

Expected VPNv4 Output

R1#show bgp vpnv4 unicast

Route Distinguisher: 100:1

*>i10.10.10.0/24
    2.2.2.2

Connectivity Verification

  • R9 should reach R10 in AS100
  • R11 should reach R12 in AS200
  • VPNv4 routes should appear in BGP
  • VRF routing tables should contain remote customer prefixes

16. MPLS L3VPN Troubleshooting

| Problem | Cause | Solution |
| --- | --- | --- |
| VRF routes missing | Incorrect RT | Verify import/export RT |
| BGP CE session down | AS mismatch | Check remote-as |
| VPNv4 routes absent | MP-BGP issue | Verify vpnv4 AF |
| No customer connectivity | MPLS labels missing | Verify LDP neighbors |
| Loopback not advertised | Network statement issue | Verify exact mask |

17. MPLS VPN Mathematics and Logic

VPN Route Propagation

$$ CE \rightarrow PE \rightarrow MPBGP \rightarrow PE \rightarrow CE $$

Route Uniqueness Formula

$$ Unique\ Route = RD + IPv4\ Prefix $$

Label Stack Logic

$$ Packet = Transport\ Label + VPN\ Label + Payload $$

BGP Scalability Formula

$$ Sessions = \frac{n(n-1)}{2} $$

Route Reflectors reduce full mesh scaling issues.

MPLS Forwarding Equation

$$ Forwarding = Label\ Swap + LFIB\ Lookup $$

Key Takeaways

  • VRFs isolate customer routing tables
  • Route Distinguishers create unique VPN routes
  • Route Targets control VPN membership
  • MP-BGP distributes VPNv4 routes
  • PE-CE BGP exchanges customer routes
  • MPLS labels transport traffic across the provider backbone

Final Conclusion

In this Part 2 MPLS L3VPN guide, we configured full customer VPN connectivity using VRFs and MP-BGP VPNv4 routing.

We successfully implemented:

  • VRF creation
  • Route Distinguishers
  • Route Targets
  • PE-CE BGP
  • Customer route advertisement
  • VPNv4 propagation
  • End-to-end VPN connectivity

At this stage, the MPLS Layer 3 VPN service is fully operational.

Customer traffic is isolated while securely transported across the provider MPLS backbone.
