MPLS L3VPN Best Practices: PE/CE Routing, VPNv4, and Troubleshooting

March 10, 2026·9 min read

Overview

MPLS L3VPN (RFC 4364) is the backbone technology for most service provider WAN offerings and many large enterprise networks. It combines MPLS label switching for efficient forwarding with MP-BGP VPNv4 for per-customer route separation, allowing thousands of customers with overlapping IP spaces to share the same physical infrastructure without any traffic leakage. Understanding the label stack, VRF design, and VPNv4 BGP is essential for anyone responsible for carrier-grade infrastructure.

// MPLS L3VPN — PE/P/CE Architecture and Label Stack

Part 1 — MPLS L3VPN Architecture

1.1 — The Three Router Roles

CE (Customer Edge) — the customer's router. Has no knowledge of MPLS. Runs a standard routing protocol (BGP, OSPF, EIGRP, or static) toward the PE. The CE sees only its own VPN routes.
PE (Provider Edge) — the most complex role. Maintains per-customer VRF instances, runs PE-CE routing, redistributes customer routes into VPNv4 BGP, and imposes/disposes the MPLS label stack.
P (Provider Core) — pure label-switching routers. They see only transport labels, never VPN labels or customer IP addresses. P routers run IGP (IS-IS or OSPF) and LDP/RSVP for label distribution.

1.2 — The Label Stack

Every MPLS L3VPN packet carries two labels when traversing the core:

Top label (transport label) — assigned by LDP/RSVP, used by P routers to switch the packet hop-by-hop toward the egress PE. This label is swapped at every P router.
Bottom label (VPN label) — assigned by the egress PE, identifies which VRF to deliver the packet into upon arrival. P routers never look at this label.

At the penultimate hop (the P router directly connected to the egress PE), the transport label is popped (PHP — Penultimate Hop Popping), leaving only the VPN label. The egress PE uses the VPN label to identify the VRF and forwards into the correct customer routing table.

Part 2 — PE Configuration

Step 1 — Enable MPLS in the Core

# Enable CEF (required for MPLS)
PE1(config)# ip cef

# Enable MPLS on core-facing interfaces
PE1(config)# interface GigabitEthernet0/1
PE1(config-if)#  mpls ip
PE1(config-if)#  no shutdown

# Verify LDP neighbors and label bindings
PE1# show mpls ldp neighbor
PE1# show mpls ldp bindings
PE1# show mpls forwarding-table

Step 2 — VRF and Route Distinguisher

# Define VRF with RD and route targets
PE1(config)# vrf definition CUST-ACME
PE1(config-vrf)#  rd 65001:100
PE1(config-vrf)#  address-family ipv4
PE1(config-vrf-af)#   route-target export 65001:100
PE1(config-vrf-af)#   route-target import 65001:100

# Bind CE-facing interface to VRF
PE1(config)# interface GigabitEthernet0/0
PE1(config-if)#  vrf forwarding CUST-ACME
PE1(config-if)#  ip address 10.1.0.1 255.255.255.252

Step 3 — VPNv4 BGP Between PEs

PE1(config)# router bgp 65001
PE1(config-router)#  bgp router-id 1.1.1.1
PE1(config-router)#  no bgp default ipv4-unicast

# iBGP session to PE2 (via Route Reflector in large networks)
PE1(config-router)#  neighbor 2.2.2.2 remote-as 65001
PE1(config-router)#  neighbor 2.2.2.2 update-source Loopback0

# Enable VPNv4 address family
PE1(config-router)#  address-family vpnv4
PE1(config-router-af)#   neighbor 2.2.2.2 activate
PE1(config-router-af)#   neighbor 2.2.2.2 send-community extended

# PE-CE BGP (customer routing)
PE1(config-router)#  address-family ipv4 vrf CUST-ACME
PE1(config-router-af)#   neighbor 10.1.0.2 remote-as 65100
PE1(config-router-af)#   neighbor 10.1.0.2 activate
PE1(config-router-af)#   neighbor 10.1.0.2 as-override
# as-override replaces CE AS in BGP path — needed when all CE sites use same AS

Part 3 — PE-CE Routing Protocol Options

Protocol	Best For	Key Consideration
BGP	Large enterprise, full control over route policy	Use `as-override` or `allowas-in` when CE sites share same AS
OSPF	Customers requiring OSPF end-to-end, sham-link needed for backdoors	Requires sham-link to prevent intra-area routes from preferring backdoor links
EIGRP	Cisco-only customer environments, existing EIGRP deployments	Site-of-origin extended community prevents routing loops
Static	Simple sites, single-prefix customers	Add `redistribute static` under VRF BGP, use BFD for failover detection

Part 4 — Troubleshooting MPLS L3VPN

Step 1 — Verify the Control Plane

# Check VPNv4 BGP session status
PE1# show bgp vpnv4 unicast all summary

# Check VPNv4 routes for a specific VRF
PE1# show bgp vpnv4 unicast vrf CUST-ACME
PE1# show bgp vpnv4 unicast vrf CUST-ACME 192.168.2.0

# Verify route targets are correct — missing RT = routes not imported
PE1# show bgp vpnv4 unicast all 192.168.2.0/24 | include RT

# Check VRF routing table
PE1# show ip route vrf CUST-ACME
PE1# show ip route vrf CUST-ACME 192.168.2.0

PE1# show bgp vpnv4 unicast all summary

BGP router identifier 1.1.1.1, local AS number 65001 BGP table version is 18, main routing table version 18 Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 2.2.2.2 4 65001 1482 1479 18 0 0 1d02h 4 PE1# show bgp vpnv4 unicast vrf CUST-ACME BGP table version is 18, local router ID is 1.1.1.1 Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 65001:100 (default for vrf CUST-ACME) *> 192.168.1.0/24 0.0.0.0 0 32768 ? *>i192.168.2.0/24 2.2.2.2 0 100 0 ? Extended Community: RT:65001:100 PE1# show ip route vrf CUST-ACME 192.168.2.0 B 192.168.2.0/24 [200/0] via 2.2.2.2, 1d02h MPLS label 18 (transport: 302)

Step 2 — Verify the Data Plane

# Check MPLS forwarding table (transport labels)
PE1# show mpls forwarding-table
PE1# show mpls forwarding-table vrf CUST-ACME

# Check CEF for VRF (must have a valid next-hop with label)
PE1# show ip cef vrf CUST-ACME 192.168.2.0 detail

# Trace the MPLS path — shows label stack at each hop
PE1# traceroute mpls ipv4 192.168.2.0/24 source 1.1.1.1
PE1# ping vrf CUST-ACME 192.168.2.1 source 192.168.1.1

Step 3 — Common Issues

# Route in VPNv4 table but not in VRF routing table?
# → Route target import mismatch
PE1# show vrf detail CUST-ACME | include import|export

# VPNv4 BGP session down?
# → Check loopback reachability and IGP
PE1# ping 2.2.2.2 source Loopback0
PE1# show ip route 2.2.2.2

# Traffic drops in core — check label switching
P1# show mpls forwarding-table
P1# show mpls ldp bindings 2.2.2.2 32 detail

MPLS L3VPN Hardening Checklist

All PE loopbacks are reachable via IGP before MPLS is configured
LDP Router-ID is set to a stable loopback (mpls ldp router-id Loopback0 force)
VPNv4 BGP uses loopback as update-source — never a physical interface
Route Reflectors are used in large networks — never full-mesh iBGP beyond 5 PEs
Route targets follow a documented scheme: ASN:customer-id
send-community extended is configured on all VPNv4 BGP neighbors
PHP (penultimate hop popping) is verified — egress PE should receive only VPN label
as-override or allowas-in is explicitly documented per customer where used
CEF is verified on all PE and P routers — MPLS requires CEF