Categories R&S

VPN technologies – MPLS-L3VPN – PE-CE routing

In this post I will add a customer to the MPLS-VPN network.

Customer1 will have a router connected to R5 (CE11) and a second router (CE12) connected to R6.


MPLS-L3VPN – PE-CE routing


VPN technologies – MPLS-L3VPN – PE-CE routing – configuration:


VRF configuration:

First we need to configured a VRF for our customer on all the PE routers.

This is done by configuring a route distinguisher and a route target for this customer.

R5(config)#vrf definition CUST1
R5(config-vrf)#address-family ipv4
R5(config-vrf)#rd 65101:1
R5(config-vrf)#route-target both 65101:1


Now we assign the interface of the PE that face CE11 and CE12 in the VRF and we define an IP address for this interface.

R5(config)#int Ethernet1/0
R5(config-if)#vrf forwarding CUST1
R5(config-if)#ip add


I use the same configuration for the interface between R6 and CE12.


PE-CE routing protocol configuration:

It’s time to configure the connectivity between the two CE router.

For this, we need to configure a routing protocol between the CE and the PE.


For Customer 1, we will use BGP as the PE-CE protocol.

Here is the configuration on R5. Note that the as-override command is important, without it, it won’t work.

R5(config)#router bgp 65010
R5(config-router)#address-family ipv4 unicast vrf CUST1
R5(config-router-af)#neighbor remote-as 65101
R5(config-router-af)#neighbor as-override


On CE11, we configure BGP. I’m also advertising CE11 loopback into BGP.

CE11(config)#router bgp 65101
CE11(config-router)#network mask
CE11(config-router)#neigh remote-as 65010


Configuration is the same on R6 and CE12.


And there it is, from CE11 we can ping the loopback interface of CE12.

Traceroute is showing that we go through the MPLS network.

CE11#ping so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Packet sent with a source address of
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

CE11#traceroute so lo0
Type escape sequence to abort.
Tracing the route to
VRF info: (vrf in name/id, vrf out name/id)
  1 1 msec 0 msec 0 msec
  2 [MPLS: Labels 25/16 Exp 0] 1 msec 1 msec 0 msec
  3 [MPLS: Labels 16/16 Exp 0] 0 msec 1 msec 1 msec
  4 [MPLS: Label 16 Exp 0] 1 msec 0 msec 1 msec
  5 1 msec *  1 msec


It’s cool for the traceroute command to show the MPLS network.

However that’s not really something that you want in a production environment.

With this your customer is able to see your internal IPs and the number of hop within your MPLS network.

This can be hide by using the command ‘no mpls ip propagate-ttl’ on all the MPLS routers.

CE11#traceroute so lo0
Type escape sequence to abort.
Tracing the route to
VRF info: (vrf in name/id, vrf out name/id)
  1 2 msec 0 msec 0 msec
  2 [MPLS: Label 16 Exp 0] 0 msec 5 msec 2 msec
  3 1 msec *  1 msec


It’s pretty cool to have a MPLS-L3VPN network working.

Even so there is more stuff that can be configured, I think that’s a good start.


In the next post, we will add a second customer to our MPLS-L3VPN network and use a different PE-CE protocol.



Thank you for reading.


Have a look at my previous VPN technologies posts :

VPN technologies – MPLS – Label Distribution Protocol

VPN technologies – MPLS-L3VPN – MP-BGP



VPN technologies – MPLS-L3VPN – PE-CE routing

Leave a Reply

Your email address will not be published.