MPLS Layer 3 VPN communication between CE and PE routers

When configuring MPLS Layer 3 VPNs direct communication between the customer networks on the CE and the PE is not possible. Similarly to direct CE to CE communication, direct communication between the CE and PE routers is not possible. Indeed it is undesirable. Take a look at this diagram:


The PE routers don’t need to be able to reach the loopback of the CE routers. They don’t need that information in their routing tables because you will never have direct communication between a PE router and the customer network. However, PE routers must be able to direct transient traffic (traffic that doesn’t originate from themselves) to the intended destination, and this is achieved using the BGP VPN table.

We can see this in the BGP VPNv4 table like so:

PE1#show ip bgp vpnv4 all BGP table version is 4, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, t secondary path, Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 1:1 (default for vrf CUSTOMER) *> 0 0 12 i *>i 0 100 0 12 i PE1#

Here, you can see that PE1 has a next hop assigned for both the and the networks, which route traffic to their intended destinations. However, these networks do not appear in the routing table of the PE1 router, thus they are not directly reachable from the PE1 router.