MPLS - VPN label

In the context of MPLS when VPNs are implemented, there are several components that work together to enable the operation of MPLS Layer 3 VPNs.

One of these is the VPN label. The VPN label, sometimes referred to as the "inner label" plays an essential role in this service.

What is a VPN Label?

When a packet is forwarded within an MPLS network, it's labeled with one or more labels. In the context of MPLS L3 VPNs, there are usually two labels:

  • *Outer Label: This is the transport label that is used for forwarding the packet across the service provider's core network. This label ensures that the packet reaches the correct egress router.
  • Inner Label or VPN Label: This is the label that's specific to a particular VPN. It's used by the egress router to determine the correct VPN to which the packet belongs and the next hop within that VPN.

Use of VPN Label:

  1. VPN Segregation: The VPN label helps in differentiating traffic from different VPNs. Even if two customers use the same IPv4 or IPv6 address range, their traffic remains isolated because the VPN labels are different.
  2. Routing: The VPN label is used to look up the next hop for a packet when it reaches the egress PE (Provider Edge) router. This ensures that the packet is correctly forwarded to its destination within the VPN.

Operation of VPN Label:

  1. Assignment: When a PE router learns a route from a VPN, it assigns a unique VPN label to that route. This label assignment is then communicated to other PE routers using MP-BGP (Multiprotocol Border Gateway Protocol).
  2. Encapsulation: When a packet from a VPN customer enters the MPLS network at a PE router, the router pushes two labels onto the packet. The inner VPN label identifies the destination VPN route, and the outer label identifies the egress PE router.
  3. Transit: As the packet travels across the MPLS core (P routers), only the outer label is considered. The P routers simply swap or pop the outer label based on their MPLS forwarding tables, but they remain unaware of the VPN label.
  4. Decapsulation at Egress PE: Once the packet reaches the egress PE router, the outer label has served its purpose and is removed. The egress PE router now looks at the VPN label to determine the appropriate VPN next hop and any additional forwarding treatment. After this decision, the VPN label is removed, and the packet is forwarded toward its final destination within the VPN.

The VPN label in MPLS L3 VPN ensures traffic segregation and correct forwarding for individual VPNs. It allows multiple customers with potentially overlapping IP addresses to coexist within a single MPLS network without any IP address conflicts. The MPLS core remains agnostic to the customer's individual routes, ensuring scalability and simplicity.