MPLS VPNS
OK everyone, I am just finishing my section review on MPLS, and it's time to move on to IPsec VPNs, but before I do, I want to make sure I have this down pat.
The CE router will send a regular IP routing update, and the PE router will assign an RD to the packet and optionally an export RT. At the same time it adds the update to the specific VRF table. Then the ingress PE will add another label on top of the VPN label (VPNv4 address), that is, the LDP label, which gets it quickly to the egress PE router. The inside P routers will not see the VPN label, but will only see the LDP label, and will label switch the packet quickly to the destined egress PE router. Once the egress PE router gets the label-stacked packet, it will perform an LDP lookup and determine the label needs to be popped, and then it will look at the VPN label, and it will install the update based on import RT, and then it will pop off the VPN label, and all that is left is a regular IP routing update packet that needs to be sent to the remote site. The last PE has to perform two label lookups, unless the last P router PHPs the LDP label before sending it to the egress PE router.
Does this sound right? Do I have it down pretty well?
NHSCA National All-American Wrestler 135lb
Comments
-
redwarrior Member Posts: 285
I just took the ISCW and that sounds right to me. I think it's most important to know the differences between some of the more complex MPLS terms, such as what is an RT vs. an RD. Also, be sure to take a look at some of the whitepapers so you can recognize a route with the RD added. Also understand how routes are propagated through the MPLS VPN.
From my understanding, the RD applies to the route itself, not the packet and helps to make the route unique in the ISP's network even if several customers are using similar IP schemes for their networks. Then, the RT is what helps differentiate the different routing tables for each customer. This way, a router getting the routing update for the customer's network both knows that this is actually an update even if another customer appears to have the same route and then knows what VRF to assign this route to.
Of course, I could be off here, as my Christmas leftovers are still settling. I do know that the study section of the CCNP site on Cisco has a very nice whitepaper that I read a few times that seemed to help with this.
Good luck! (Isn't Penultimate Hop Popping a great term?)
CCNP Progress
ONT, ISCW, BCMSN - DONE
BSCI - In Progress
http://www.redwarriornet.com/ <--My Cisco Blog -
lildeezul Member Posts: 404
Haha.. yeah, I found that to be pretty funny,
along with the BS bit on the MPLS frame.
NHSCA National All-American Wrestler 135lb -
kpjungle Member Posts: 426
Also studying this, and so far, it would seem that the RD is used to tag routes like redwarrior said, and provide somewhat of a reference to the VRF. The combined route and RD makes a VPNv4 address, which is what the MP-BGP "session" uses between PE routers.
From my studies (without looking at my lab notes), the RT is used on what to import/export. You match the RD (from the VPNv4 address) with the VRF's RT and make a determination on whether or not you want to import this route into the VRF in question.
I think one of the examples was a route that you wanted to share among multiple VPN customers, i.e. an address of an internet-facing router, or I believe Jeremy (CBT) used a Call Manager Express as an example.
My 2 cents worth at least
Studying for CCNP (All done) -
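The RD and RT roles discussed in the posts above, as an added example that is not part of any poster's message and not Cisco code: a small Python model in which the RD only makes overlapping customer prefixes unique as VPNv4 addresses, while the route targets carried on the update decide which VRFs on the receiving PE import it. All RD, RT, label, prefix and VRF values are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Vpnv4Route:
    rd: str                # route distinguisher (constructed value)
    prefix: str            # customer IPv4 prefix
    export_rts: frozenset  # route targets attached to the MP-BGP update
    vpn_label: int         # inner (VPN) label advertised with the route

    @property
    def vpnv4(self):
        # RD + IPv4 prefix = the VPNv4 address exchanged between PEs
        return f"{self.rd}:{self.prefix}"

@dataclass
class Vrf:
    name: str
    import_rts: frozenset
    table: dict = field(default_factory=dict)

    def consider(self, route):
        # Import only when the update carries an RT this VRF imports
        if route.export_rts & self.import_rts:
            self.table[route.prefix] = route
            return True
        return False

def distribute(routes, vrfs):
    """Offer every received update to every VRF on the PE."""
    for route in routes:
        for vrf in vrfs:
            vrf.consider(route)
    return {vrf.name: sorted(vrf.table) for vrf in vrfs}

# Constructed updates: two customers reuse 10.1.0.0/16, plus one shared service
UPDATES = [
    Vpnv4Route("65000:1", "10.1.0.0/16", frozenset({"65000:100"}), 101),
    Vpnv4Route("65000:2", "10.1.0.0/16", frozenset({"65000:200"}), 201),
    Vpnv4Route("65000:99", "192.0.2.0/24", frozenset({"65000:999"}), 901),
]

def run_demo():
    vrfs = [Vrf("CUST_A", frozenset({"65000:100", "65000:999"})),
            Vrf("CUST_B", frozenset({"65000:200", "65000:999"}))]
    tables = distribute(UPDATES, vrfs)
    # Which RD ended up behind the overlapping prefix in each VRF
    owners = {v.name: v.table["10.1.0.0/16"].rd for v in vrfs}
    return tables, owners
```

Each VRF ends up with its own customer's copy of 10.1.0.0/16 and the shared 192.0.2.0/24 route; adding another customer's RT to a VRF's import list is what would leak routes between customers in this model.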
lildeezul Member Posts: 404
Thanks everyone.
At first, I thought this was going to be hard, but it is actually pretty simple, once you think about it.
MPLS was easy, and easy to configure.
Then I read MPLS VPNs, and had some trouble understanding how it all worked. But I kept reading, and those Cisco docs are the bomb... thanks... I understand this very well now.
Thanks everyone.. time to move on to part 3 of the ISCW exam book (IPsec VPNs)
NHSCA National All-American Wrestler 135lb -
kpjungle Member Posts: 426
lildeezul wrote:
Thanks everyone.
At first, I thought this was going to be hard, but it is actually pretty simple, once you think about it.
MPLS was easy, and easy to configure.
Then I read MPLS VPNs, and had some trouble understanding how it all worked. But I kept reading, and those Cisco docs are the bomb... thanks... I understand this very well now.
Thanks everyone.. time to move on to part 3 of the ISCW exam book (IPsec VPNs)
Make sure you have your favorite caffeine beverage at hand, lots of terms and concepts.
Studying for CCNP (All done) -
tomset Member Posts: 79
Just read that whitepaper, it's quite good at explaining route propagation. This is good supplemental info to the study guide. However, I was kind of annoyed at how many times the author wrote "router" when he meant to say "route".
This little paragraph from the whitepaper had 2 errors...
"To address customer isolation, each of the customer’s routes is tagged with a unique export Router Target (RT). The RT is carried in the BGP community field of the update. This tag will be used at the remote PE to determine into which VRF the router is imported."
Next up:
CCIP