MPLS – Multiprotocol Label Switching

1. What Is MPLS and Why Was It Created?

MPLS (Multiprotocol Label Switching) is a high-performance packet-forwarding technology used predominantly in service provider networks. Instead of forwarding packets by performing a routing table (IP longest-prefix match) lookup at every hop, MPLS forwards packets based on a short fixed-length label prepended to the packet. Label lookups are performed in a simple table and are far faster than recursive IP routing table lookups — particularly on older hardware.

MPLS was originally developed in the late 1990s to solve a speed problem: early IP routers performed software-based routing lookups that could not keep up with the rapidly growing Internet. MPLS moved forwarding decisions to hardware-based label switching. While modern routers use hardware ASICs for IP lookups (largely eliminating the speed advantage), MPLS remains essential in service provider networks for a different set of capabilities it uniquely enables: traffic engineering, VPN services, and service differentiation.

Capability	Traditional IP Routing	MPLS
Forwarding decision	Destination IP longest-prefix match in routing table at every hop	Simple label lookup in Label Forwarding Information Base (LFIB) — no IP lookup in the core
Traffic engineering	Limited — traffic follows IGP shortest path; no ability to direct specific flows onto specific paths	Full TE — LSPs (Label Switched Paths) can be explicitly routed across any path, bypassing IGP shortest path
VPN services	Complex — requires GRE/IPsec overlay per customer	Native — MPLS L3VPN and L2VPN provide scalable, elegant multi-customer VPN services
Protocol independence	IPv4 and IPv6 require separate forwarding planes	Multiprotocol — same label infrastructure carries IPv4, IPv6, Ethernet, ATM, Frame Relay payloads
QoS and CoS	Per-hop DSCP marking and queuing	EXP/TC bits in label allow end-to-end QoS class marking across the MPLS domain

2. The MPLS Label — Structure and Fields

The MPLS label is a 32-bit (4-byte) header inserted between the Layer 2 (Data Link) header and the Layer 3 (IP) header. This position — between Layer 2 and Layer 3 — is why MPLS is often called a "Layer 2.5" protocol. The label can be stacked: multiple labels can be placed one on top of another, forming a label stack, which is how MPLS VPNs work.

  MPLS label position in a frame:

  ┌─────────────────┬──────────────┬───────────────────────┬──────────────┐
  │  Layer 2 Header │  MPLS Label  │  Layer 3 (IP Header)  │   Payload    │
  │ (Ethernet, etc) │   32 bits    │    (IPv4 / IPv6)      │  (TCP/UDP…)  │
  └─────────────────┴──────────────┴───────────────────────┴──────────────┘
                         ▲
                    "Layer 2.5" — between L2 and L3

  MPLS label field breakdown (32 bits total):
  ┌───────────────────────────────┬─────────┬───┬────────────┐
  │        Label Value            │   EXP   │ S │    TTL     │
  │          20 bits              │  3 bits │1b │  8 bits    │
  └───────────────────────────────┴─────────┴───┴────────────┘

  Label Value (20 bits):
    The forwarding identifier — 0 to 1,048,575 possible values
    Used to look up the next action in the LFIB
    Values 0–15 are reserved (special labels)

  EXP / TC bits (3 bits):
    Originally called EXP (Experimental), now called TC (Traffic Class)
    Used for QoS — carries Class of Service (CoS) value 0–7
    Mapped to DSCP on ingress/egress for end-to-end QoS

  S — Bottom of Stack bit (1 bit):
    S = 1 → this label is the LAST (innermost) label in the stack
    S = 0 → more labels exist below this one in the stack
    The receiving router knows to look at the IP header when S = 1

  TTL (8 bits):
    Time-to-Live — decremented at each LSR hop (like IP TTL)
    Prevents infinite loops in the MPLS domain
    Typically initialised from the IP TTL at ingress

Reserved Label Values

Label Value	Name	Purpose
0	IPv4 Explicit NULL	Signals the egress LER to pop the label and forward the packet as plain IPv4 using the IP header
1	Router Alert Label	Signals special processing required at each hop (e.g., OAM operations)
2	IPv6 Explicit NULL	Same as label 0 but for IPv6 payloads
3	Implicit NULL	Used in Penultimate Hop Popping (PHP) — instructs the second-to-last router to pop the label before forwarding to the egress LER
4–15	Reserved	Reserved by IANA — not used in normal forwarding

3. MPLS Roles — LER and LSR

Routers in an MPLS network have different roles depending on their position in the network. The two fundamental roles are LER (Label Edge Router) and LSR (Label Switching Router).

3.1 LER — Label Edge Router

An LER sits at the edge of the MPLS domain — between the customer network and the service provider MPLS core. LERs are the routers that impose (push) labels onto packets entering the MPLS domain and remove (pop) labels from packets leaving the domain. There are two types:

LER Type	Also Called	Function
Ingress LER	PE router (Provider Edge), ingress PE	Receives an unlabelled IP packet from the customer network. Classifies the packet into a Forwarding Equivalence Class (FEC). Pushes (imposes) one or more MPLS labels. Forwards the labelled packet into the MPLS core.
Egress LER	PE router (Provider Edge), egress PE	Receives a labelled packet from the MPLS core at the far end. Pops (removes) the label(s). Forwards the unlabelled IP packet to the customer network at the destination.

3.2 LSR — Label Switching Router

An LSR is a router inside the MPLS core — it never touches unlabelled IP packets in normal operation. An LSR receives a labelled packet, looks up the incoming label in its LFIB (Label Forwarding Information Base), swaps the label for a new outgoing label, and forwards the packet. No IP routing table lookup is performed — the entire forwarding decision is based on the label alone.

  MPLS domain topology:

  [Customer A site 1] ─── [Ingress LER / PE1] ─── [LSR1] ─── [LSR2] ─── [Egress LER / PE2] ─── [Customer A site 2]

  Role at each hop:

  PE1 (Ingress LER):
  - Receives IP packet from Customer A
  - Classifies: destination 10.10.10.0/24 → FEC 1 → label 100
  - PUSHES label 100 onto packet
  - Forwards labelled packet to LSR1

  LSR1 (transit core router):
  - Receives packet with label 100
  - LFIB lookup: incoming label 100 → SWAP to label 200, forward to LSR2
  - Forwards packet to LSR2

  LSR2 (transit core router):
  - Receives packet with label 200
  - LFIB lookup: incoming label 200 → SWAP to label 300, forward to PE2
  (or: SWAP to label 3 implicit null → PHP → forward without label)

  PE2 (Egress LER):
  - Receives packet (label may already be popped by PHP)
  - POPS remaining labels
  - Forwards unlabelled IP packet to Customer A site 2

Three MPLS Forwarding Operations

Operation	Where It Happens	Description
PUSH (Impose)	Ingress LER	Add one or more labels to an incoming unlabelled packet. Turns a plain IP packet into an MPLS-labelled packet.
SWAP	LSR (transit)	Replace the top label with a new label. The packet continues through the core with the new label identifying the next hop.
POP (Dispose)	Egress LER (or penultimate LSR with PHP)	Remove the top label. If this reveals another label below (label stack), continue label forwarding. If S=1 (bottom of stack), forward as plain IP.

4. Forwarding Equivalence Class (FEC)

A Forwarding Equivalence Class (FEC) is a group of packets that will all be forwarded in the same way through the MPLS domain — same path, same treatment. At the ingress LER, each incoming packet is classified into exactly one FEC, and a label is assigned to that FEC. All packets in the same FEC receive the same label and follow the same Label Switched Path (LSP) through the network.

  FEC examples:

  FEC 1: All packets destined for 192.168.10.0/24  → label 100
  FEC 2: All packets destined for 10.0.0.0/8       → label 101
  FEC 3: BGP route 203.0.113.0/24 with community X → label 102
  FEC 4: Customer VPN (VRF) A traffic              → label 103

  Any criterion can define an FEC:
  - Destination IP prefix (most common)
  - BGP next-hop
  - VRF (VPN Routing and Forwarding instance)
  - Explicit path for traffic engineering

  All packets matching an FEC get the same label at ingress.
  All packets with the same label follow the same LSP through the core.
  The FEC-to-label binding is distributed by LDP or RSVP-TE.

5. Label Distribution — LDP and RSVP-TE

Labels are not statically configured — they are distributed dynamically between MPLS routers using a label distribution protocol. The two main protocols are LDP and RSVP-TE.

5.1 LDP — Label Distribution Protocol

LDP (Label Distribution Protocol) is the standard protocol for distributing labels in an MPLS network. Every LSR and LER running LDP advertises a label binding for each prefix in its routing table to all neighbouring MPLS routers. LDP follows the IGP topology — it creates LSPs that mirror the IGP shortest path.

  LDP operation:

  Step 1 — LDP discovery: routers send LDP Hello messages on UDP 646
           (multicast 224.0.0.2) to discover LDP neighbours on each link.

  Step 2 — LDP session: TCP session established on port 646 between
           LDP neighbours for reliable label advertisement.

  Step 3 — Label advertisement: each router advertises a label binding
           for every prefix in its IP routing table:
           "To reach 10.10.10.0/24 via me, use incoming label 200"

  Step 4 — LSP formed: neighbours chain these bindings to create a
           complete end-to-end Label Switched Path from ingress to egress.

  LDP characteristics:
  - Follows the IGP shortest path (OSPF/IS-IS determined)
  - No explicit path specification — cannot deviate from IGP topology
  - Simple to deploy — just enable LDP on interfaces
  - Used for basic MPLS forwarding and MPLS VPN services
  - Does not support bandwidth reservation or constraint-based routing

5.2 RSVP-TE — Resource Reservation Protocol with Traffic Engineering

RSVP-TE (Resource Reservation Protocol – Traffic Engineering) extends the original RSVP signalling protocol to establish explicit LSPs that can follow any path through the network — not just the IGP shortest path. RSVP-TE enables MPLS Traffic Engineering (MPLS-TE).

  RSVP-TE operation:

  Step 1 — Traffic Engineering Database (TED): the IGP (IS-IS or OSPF-TE)
           floods link-state information including bandwidth, delay, and
           administrative costs across the network.

  Step 2 — Path computation: CSPF (Constrained Shortest Path First) algorithm
           computes an explicit path that meets required constraints:
           - Available bandwidth ≥ requested bandwidth
           - Link attributes (colour/affinity) match policy
           - Explicit path specified by administrator (optional)

  Step 3 — RSVP PATH message: sent hop-by-hop along the computed path,
           reserving bandwidth at each router along the way.

  Step 4 — RSVP RESV message: sent back from egress to ingress, confirming
           bandwidth reservation and distributing labels along the path.

  Step 5 — LSP established: an explicit path LSP with guaranteed bandwidth
           is now active. Traffic mapped to this LSP follows the explicit path
           regardless of IGP shortest path.

  RSVP-TE enables:
  - Explicit path routing (bypass congested links)
  - Bandwidth reservation per LSP
  - Fast Reroute (FRR) — pre-computed backup paths for sub-50ms failover
  - Link/node protection — bypass tunnels around failed elements

LDP vs RSVP-TE Comparison

Feature	LDP	RSVP-TE
Path selection	Follows IGP shortest path — no deviation	Explicit path — can route around congestion or failures
Bandwidth reservation	No	Yes — per-LSP bandwidth guarantee
Fast Reroute (FRR)	No (relies on IGP reconvergence)	Yes — pre-provisioned backup paths, <50 ms failover
Configuration complexity	Low — enable per interface	High — requires OSPF-TE/IS-IS-TE, CSPF, tunnel config
Use case	Basic MPLS forwarding, MPLS L3VPN	Traffic engineering, bandwidth-sensitive applications, fast failover requirements
Protocol / port	UDP/TCP 646	IP protocol 46 (RSVP)

6. Label Switched Path (LSP) and LFIB

A Label Switched Path (LSP) is the end-to-end path through the MPLS domain that a specific FEC's traffic follows. An LSP is unidirectional — traffic in each direction follows a separate LSP. The LFIB (Label Forwarding Information Base) is the forwarding table each LSR uses to make label-switching decisions.

  LFIB structure on an LSR:

  Incoming Interface | Incoming Label | Operation | Outgoing Label | Outgoing Interface
  ─────────────────────────────────────────────────────────────────────────────────────
  Gi0/0             |      100       |   SWAP    |      200       |      Gi0/1
  Gi0/0             |      101       |   SWAP    |      201       |      Gi0/2
  Gi0/1             |      300       |   POP     |       -        |      Gi0/0   ← egress
  Gi0/2             |      400       |   PUSH    |   400 over 500 |      Gi0/1   ← VPN (2 labels)

  How the LFIB is built:
  1. IGP (OSPF/IS-IS) builds IP routing table
  2. LDP or RSVP-TE distributes label bindings
  3. LIB (Label Information Base) stores all received label bindings
  4. Best binding (from best next-hop) is selected for the LFIB
  5. LFIB entries are programmed into hardware for fast forwarding

  On an LSR, the IP routing table is NOT used for packet forwarding.
  Packets with labels are forwarded entirely from the LFIB.
  Only the ingress LER uses the IP routing table (to classify into FEC).

7. Penultimate Hop Popping (PHP)

Penultimate Hop Popping (PHP) is a standard MPLS optimisation. Without PHP, the egress LER (PE router) would need to perform two lookups for every arriving packet: first look up the label in the LFIB (to confirm it is the egress), then look up the destination IP in the routing table to forward the packet. PHP eliminates one of these lookups by having the second-to-last router (the penultimate hop) pop the label before forwarding to the egress LER.

  Without PHP (two lookups at egress LER):

  [LSR2] ──label 300──► [Egress LER / PE2]
                               │
                         Step 1: LFIB lookup (label 300 → pop, I am egress)
                         Step 2: IP routing table lookup (destination IP → forward)
                         Two table lookups per packet at the egress

  With PHP (one lookup at egress LER):

  [LSR2] receives packet with label 300
  LSR2's LFIB: incoming 300 → outgoing label = IMPLICIT NULL (label 3)
  LSR2 POPS the label before forwarding → sends UNLABELLED packet to PE2

  [Unlabelled IP packet] ──────────────────► [Egress LER / PE2]
                                                    │
                                        Step 1: IP routing table lookup only
                                        No LFIB lookup needed (no label present)

  PHP reduces CPU load on the egress LER.
  LDP signals PHP by advertising label 3 (Implicit NULL) to the penultimate hop.
  The penultimate hop pops the label — it does NOT forward label 3.

  In MPLS VPNs (label stack), PHP applies to the outer (transport) label only.
  The inner (VPN) label is still present when the packet arrives at the egress PE.

8. MPLS VPNs — Overview

MPLS VPNs are the most commercially significant application of MPLS. They allow a single shared service provider MPLS network to carry completely isolated traffic for multiple customers simultaneously — each customer sees a private network with no awareness of other customers' traffic. MPLS VPNs come in two major variants: Layer 3 VPN (L3VPN) and Layer 2 VPN (L2VPN).

Feature	MPLS L3VPN	MPLS L2VPN
OSI layer	Layer 3 — SP participates in customer routing	Layer 2 — SP is transparent; customer controls routing
Routing relationship	PE router peers with CE router using BGP, OSPF, EIGRP, or static routes	No routing relationship — SP forwards Layer 2 frames
Customer sees	A routed IP network with PE routers as next-hops	A transparent Layer 2 circuit — as if directly connected
Scalability	Highly scalable — SP uses MP-BGP to carry VPN routes	More complex at scale — each circuit requires provisioning
Use case	Enterprise WAN connectivity — replace Frame Relay/ATM	Metro Ethernet, circuit emulation, legacy WAN replacement
Technology examples	RFC 4364 (BGP/MPLS IP VPN)	VPLS (Virtual Private LAN Service), VPWS (Virtual Private Wire Service), AToM (Any Transport over MPLS)

9. MPLS L3VPN — How It Works

MPLS L3VPN (RFC 4364) is the most widely deployed MPLS VPN service. The service provider participates in customer routing: each PE router maintains a separate routing table per customer called a VRF (VPN Routing and Forwarding) instance. Customer routes are distributed between PE routers using MP-BGP (Multiprotocol BGP) with a special address family. A two-label stack carries traffic through the core.

Key Components

Component	Role
CE (Customer Edge) router	Customer's router at the site edge. Peers with the PE router using a routing protocol (BGP, OSPF, EIGRP, or static). Has no knowledge of MPLS — sees a normal IP routing peering.
PE (Provider Edge) router	Service provider router at the edge of the MPLS core. Maintains a VRF per customer. Exchanges customer routes with CE via CE–PE routing protocol. Distributes VPN routes to remote PEs via MP-BGP. Imposes/removes the VPN label stack.
P (Provider) router	Core LSR — has no awareness of customer VPNs or VRFs. Only swaps transport labels. Does not participate in MP-BGP.
VRF	Virtual Routing and Forwarding — a separate routing table and forwarding table instance on the PE router, one per customer. Provides complete Layer 3 isolation between customers even if they use overlapping IP address spaces.
Route Distinguisher (RD)	64-bit value prepended to customer IPv4 prefixes to make them globally unique across all VPNs in the MP-BGP infrastructure (VPNv4 address = RD + IPv4 prefix). Allows overlapping customer address spaces.
Route Target (RT)	BGP extended community attached to VPN routes that controls which VRFs import and export which routes — defines the VPN topology (hub-and-spoke, full-mesh, etc.).
MP-BGP	Multiprotocol BGP — carries VPN route information (VPNv4 prefixes + VPN labels) between PE routers across the core. P routers do not participate in MP-BGP.

MPLS L3VPN Label Stack — Two Labels

  MPLS L3VPN uses a two-label stack on every packet:

  ┌──────────────────┬──────────────────┬────────────────────────┐
  │  Transport Label │    VPN Label     │   IP Packet (customer) │
  │ (outer / top)    │  (inner / bottom)│                        │
  │  Label = 200     │  Label = 500     │  src 10.1.1.1          │
  │  S = 0           │  S = 1           │  dst 10.2.2.2          │
  └──────────────────┴──────────────────┴────────────────────────┘

  Transport label (outer):
  - Pushed by ingress PE (LDP label from PE1 to PE2)
  - Swapped by P routers through the core
  - Identifies the path through the MPLS backbone to the egress PE
  - Popped by PHP at the penultimate P router

  VPN label (inner):
  - Pushed by ingress PE (MP-BGP VPN label advertised by egress PE)
  - NOT touched by P routers (they only see/swap the outer label)
  - Popped by egress PE to identify which VRF and CE to forward to
  - The VPN label alone tells the egress PE which customer this packet belongs to

  End-to-end flow:
  CE1 → PE1: plain IP packet arrives, PE1 classifies into VRF A
  PE1 → P1:  pushes VPN label (500) + transport label (200) → two-label stack
  P1 → P2:   swaps transport label 200 → 300 (VPN label 500 unchanged)
  P2 → PE2:  PHP: pops transport label → only VPN label 500 remains
  PE2 → CE2: pops VPN label 500 → looks up VRF A → forwards to CE2

10. MPLS L2VPN — VPLS and VPWS

MPLS L2VPN services carry Layer 2 frames across the MPLS core — the service provider transports Ethernet, Frame Relay, ATM, or other Layer 2 frames transparently between customer sites. The customer retains full control of routing; the SP is simply a transparent wire. Two primary L2VPN technologies are VPLS and VPWS.

VPWS — Virtual Private Wire Service (Point-to-Point)

  VPWS (also called Pseudowire or AToM — Any Transport over MPLS):
  Provides a point-to-point Layer 2 circuit between two customer sites.

  [Customer Site A] ──Ethernet──► [PE1] ─── MPLS core ─── [PE2] ──Ethernet──► [Customer Site B]

  From the customer's perspective: a direct Layer 2 link between sites.
  Frames injected at Site A emerge unchanged at Site B.

  Use cases:
  - Replace leased lines or Frame Relay point-to-point circuits
  - Connect two customer Ethernet sites as if directly patched
  - Extend a Layer 2 segment across a WAN (e.g., stretch a VLAN)

  Label stack: [Transport label | Pseudowire label | L2 frame]
  The pseudowire label identifies which L2 circuit the frame belongs to.

VPLS — Virtual Private LAN Service (Multipoint)

  VPLS: provides multipoint-to-multipoint Layer 2 connectivity.
  All customer sites appear to be on the same Ethernet LAN (same broadcast domain).

  Customer Site A ──► [PE1] ─┐
  Customer Site B ──► [PE2] ─┤─── MPLS core ─── Virtual Ethernet "switch" (VPLS)
  Customer Site C ──► [PE3] ─┘

  Frames from Site A can reach Sites B and C.
  Broadcast frames from Site A are replicated to Sites B and C.
  Each PE acts as a virtual Ethernet switch for the VPLS domain.

  Use cases:
  - Connect multiple enterprise sites as a single Layer 2 domain
  - Metro Ethernet services
  - Data centre interconnect (DCI) — stretch VLANs between data centres

  Customer controls: routing, IP addressing — SP provides the Layer 2 fabric only.

  Limitation vs L3VPN: VPLS must handle broadcast storms and MAC table flooding
  across the MPLS core — scalability challenges in large deployments.

11. MPLS Traffic Engineering (MPLS-TE)

MPLS Traffic Engineering uses RSVP-TE to create explicit LSPs that route traffic along paths that are not necessarily the IGP shortest path. This allows service providers to distribute load across their network and ensure certain traffic classes get guaranteed bandwidth — capabilities that plain IP routing cannot provide.

Why Traffic Engineering Is Needed

  Problem with IGP-only routing:

  Network topology:
                    ─── Link A (10 Gbps, short path) ───
  [Ingress PE] ─┤                                          ├─ [Egress PE]
                    ─── Link B (10 Gbps, longer path) ──

  IGP selects Link A (shortest path) for ALL traffic.
  Link A: utilisation 95% → congested → packet drops, latency spikes
  Link B: utilisation 5%  → idle → wasted capacity

  With MPLS-TE:
  Flow 1 (best-effort):  → Link A (IGP shortest path)
  Flow 2 (critical app): → Link B (explicit path via RSVP-TE)
                           bandwidth 2 Gbps reserved for this LSP

  Result: critical traffic avoids the congested link;
          Link B capacity is utilised; overall network efficiency improves.

MPLS-TE Key Features

Feature	Description
Explicit routing	TE tunnels specify the exact sequence of hops an LSP must follow — completely independent of IGP shortest path
Bandwidth reservation	RSVP-TE reserves bandwidth at each hop along the TE tunnel — provides a guaranteed bandwidth pipe end-to-end
Fast Reroute (FRR)	Pre-computed backup paths are provisioned alongside the primary LSP. On link or node failure, traffic switches to the backup path in under 50 ms — much faster than IGP reconvergence (seconds)
Constraint-based routing	CSPF algorithm selects paths based on constraints: available bandwidth, administrative colour/affinity (avoid certain links), explicit hop list, shared risk link groups (SRLG)
Autoroute	TE tunnels can be announced into the IGP so normal traffic is automatically steered into the tunnel by the IGP without per-flow policy configuration

MPLS-TE vs Plain IP Routing

  Plain IP routing: all paths follow IGP metric. Traffic distributes only along
  equal-cost paths. No bandwidth reservation. Failover relies on IGP reconvergence
  (typically 1–30 seconds for large networks).

  MPLS-TE: paths explicitly routed anywhere. Bandwidth reserved per tunnel.
  Fast Reroute provides sub-50 ms failover. Network operator has full control
  over how traffic is distributed across all available capacity.

  Who uses MPLS-TE:
  - Tier 1 and Tier 2 service providers with complex backbone topologies
  - Enterprises with critical real-time applications (trading, voice, video)
  - Data centre operators requiring predictable inter-DC bandwidth

12. Why Service Providers Use MPLS — Commercial Value

MPLS is the backbone technology for the majority of global service provider networks. Its commercial appeal comes from the ability to deliver multiple services — Internet transit, enterprise VPNs, voice, and video — all on the same shared physical infrastructure with strong isolation and quality guarantees.

Business Need	How MPLS Addresses It
Multi-customer isolation	MPLS L3VPN with VRFs completely isolates each customer's traffic — even if they use identical IP address ranges. One physical network serves hundreds of enterprise customers.
Scalable VPN services	Adding a new customer site only requires configuring a new VRF on the PE router and a BGP route-target — no per-site tunnels or encryption keys to manage (unlike IPsec overlays).
Traffic engineering for SLAs	Service providers sell SLAs (Service Level Agreements) with guaranteed bandwidth and latency. MPLS-TE reserves bandwidth per customer class and provides fast failover to meet uptime commitments.
QoS differentiation	MPLS EXP/TC bits carry CoS marking across the entire SP backbone — voice gets absolute priority, video gets bandwidth guarantee, bulk traffic gets best effort — all on one network.
Layer 2 transport services	VPLS and VPWS allow SPs to sell Metro Ethernet and leased-line replacement services without deploying separate physical infrastructure for each customer.
Network utilisation	MPLS-TE distributes load across all available links — not just IGP shortest paths. Better utilisation means more revenue per dollar of infrastructure investment.

13. MPLS Summary — Key Facts

Topic	Key Fact
MPLS position	Layer 2.5 — between Layer 2 (Ethernet) and Layer 3 (IP)
Label size	32 bits: 20-bit label value, 3-bit EXP/TC (QoS), 1-bit S (bottom of stack), 8-bit TTL
LER	Label Edge Router — pushes labels at ingress, pops labels at egress; also called PE router in VPN context
LSR	Label Switching Router — swaps labels in the core; no IP routing table lookup; only uses LFIB
Three operations	PUSH (ingress), SWAP (transit), POP (egress)
FEC	Forwarding Equivalence Class — group of packets treated identically; one label per FEC at ingress
LDP	Label Distribution Protocol — UDP/TCP 646; distributes labels following IGP path; no TE capability
RSVP-TE	Distributes labels for explicit paths; enables bandwidth reservation and Fast Reroute (<50 ms failover)
PHP	Penultimate Hop Popping — second-to-last router pops label; reduces egress PE processing; uses implicit null label (3)
MPLS L3VPN	Two-label stack (transport + VPN); VRF per customer; MP-BGP carries VPN routes; RD makes prefixes unique; RT controls route import/export
MPLS L2VPN	VPWS = point-to-point pseudowire; VPLS = multipoint Layer 2 LAN service; SP is transparent to customer routing
MPLS-TE benefit	Routes traffic onto explicit paths; reserves bandwidth; Fast Reroute for <50 ms failover; optimises network utilisation

14. MPLS Quiz

1. What are the four fields in an MPLS label, and how many bits does each occupy?

A. Label (16 bits), EXP (4 bits), S (4 bits), TTL (8 bits) B. Label (24 bits), EXP (4 bits), S (4 bits) — total 32 bits, no TTL field C. Label Value (20 bits), EXP/TC (3 bits), S — Bottom of Stack (1 bit), TTL (8 bits) — total 32 bits D. Label (20 bits), DSCP (6 bits), S (2 bits), TTL (4 bits)

Correct answer is C. The MPLS label is exactly 32 bits (4 bytes). It consists of four fields: the Label Value (20 bits, values 0–1,048,575, used as the forwarding key in the LFIB), EXP/TC (3 bits, Traffic Class for QoS CoS values 0–7), S — Bottom of Stack (1 bit, S=1 means this is the innermost/last label, S=0 means more labels exist below), and TTL (8 bits, decremented at each hop to prevent loops). The label is inserted between the Layer 2 and Layer 3 headers — this is why MPLS is called "Layer 2.5."

2. What is the difference between an LER and an LSR in an MPLS network, and what forwarding table does each use?

A. An LER is a core router that swaps labels; an LSR is an edge router that pushes and pops labels B. An LER (Label Edge Router) is at the MPLS domain boundary — it pushes labels onto incoming IP packets (ingress) and pops labels to deliver plain IP packets (egress), using both the IP routing table and LFIB. An LSR (Label Switching Router) is in the core — it only swaps labels, never touches unlabelled packets, and uses only the LFIB for all forwarding decisions. C. LER and LSR are the same device — the names just indicate whether the router is currently pushing or swapping a label D. An LSR uses the IP routing table; an LER uses only the LFIB

Correct answer is B. LERs and LSRs have fundamentally different roles. The LER (also called PE — Provider Edge — in VPN context) sits at the boundary between the customer IP network and the MPLS core. The ingress LER receives a plain IP packet, classifies it into an FEC, pushes labels, and sends it into the MPLS core using both the IP routing table (for FEC classification) and LFIB (for label forwarding). The egress LER pops labels and delivers plain IP to the customer. Core LSRs (P routers in VPN context) only ever see labelled packets — they look up the incoming label in the LFIB, swap it for an outgoing label, and forward. They never consult the IP routing table during normal operation.

3. What is Penultimate Hop Popping (PHP), which label value signals it, and what benefit does it provide?

A. PHP is when the first (ingress) router pops the label immediately after pushing it; uses label value 0 B. PHP is when the egress LER pops two labels simultaneously; uses label value 1 C. PHP is the process of popping labels at the first hop; no special label value is used D. PHP is when the second-to-last (penultimate) router pops the outer label before forwarding to the egress LER. It is signalled by LDP advertising the Implicit NULL label (label value 3) to the penultimate hop. The benefit is that the egress LER only needs one table lookup (IP routing) instead of two (LFIB + IP routing), reducing processing overhead.

Correct answer is D. PHP is a standard MPLS optimisation. Without PHP, when a labelled packet arrives at the egress LER, the router must first look up the label in its LFIB (discovering it is the egress and should pop the label) and then look up the destination IP in its routing table to determine where to forward the unlabelled packet — two lookups. PHP eliminates the first lookup: the egress LER advertises label 3 (Implicit NULL) to its upstream neighbour (the penultimate hop). When the penultimate router sees it should advertise label 3 to forward to the egress PE, it instead pops the label. The egress LER receives an unlabelled (or partially unlabelled in VPN case) packet and performs only one IP routing lookup. PHP is the default LDP behaviour.

4. How does MPLS L3VPN use a two-label stack, and what is the purpose of each label?

A. The outer (transport) label carries the packet through the MPLS core from ingress PE to egress PE — it is swapped by P routers. The inner (VPN) label identifies which customer VRF and CE to deliver the packet to at the egress PE — it is not touched by P routers. PHP typically removes the outer label at the penultimate P router. B. The first label identifies the customer; the second label identifies the source site of the packet C. Both labels are transport labels — the second is used as a backup if the first label is not recognised D. The inner label is the IP destination address encoded in binary; the outer label is a CRC checksum

Correct answer is A. MPLS L3VPN packets carry two labels. The outer transport label (also called the tunnel label) is distributed by LDP between P and PE routers. It tells each LSR in the core how to forward the packet toward the egress PE — P routers swap this label at every hop. The inner VPN label is distributed by MP-BGP between PE routers. It identifies which customer VRF the packet belongs to at the egress PE, enabling the egress PE to look up the VRF routing table and forward to the correct CE router. P routers never look at the VPN label — they only process the outer transport label, which is why P routers have no knowledge of customer VPN configurations.

5. What is the difference between LDP and RSVP-TE as label distribution protocols, and when would a service provider choose RSVP-TE over LDP?

A. LDP is used for IPv6; RSVP-TE is used for IPv4 only. A service provider uses RSVP-TE when carrying IPv4 traffic. B. LDP is for core routers; RSVP-TE is for edge routers only C. LDP distributes labels that strictly follow the IGP shortest path — no bandwidth reservation, no explicit routing. RSVP-TE creates explicit LSPs that can follow any path, reserves bandwidth per tunnel, and enables Fast Reroute (<50 ms). A provider chooses RSVP-TE when it needs traffic engineering, bandwidth SLAs, or sub-50 ms failover capabilities. D. They are identical protocols — the names are regional naming conventions for the same technology

Correct answer is C. LDP is the simpler of the two protocols — it automatically distributes labels for all prefixes in the routing table, following whatever paths the IGP has computed. LDP is easy to deploy and sufficient for basic MPLS forwarding and MPLS VPN services. RSVP-TE is far more sophisticated: it uses CSPF to compute constraint-based paths (considering available bandwidth, link colours, and explicit hops), signals those paths using RSVP PATH and RESV messages, and reserves bandwidth at each hop. RSVP-TE also pre-provisions backup paths for Fast Reroute — when a link or node fails, traffic switches to the backup path in under 50 milliseconds, far faster than the seconds it takes for IGP reconvergence. Service providers with SLA commitments for latency, bandwidth, and uptime typically deploy RSVP-TE.

6. What is a VRF, and why is it essential for MPLS L3VPN?

A. A VRF is a backup routing table used when the primary BGP table is unavailable B. A VRF (VPN Routing and Forwarding) is a separate, isolated routing and forwarding table instance on a PE router — one per customer. It is essential because it provides complete Layer 3 isolation between customers, even if they use overlapping IP address spaces. The PE router has one global table plus one VRF per customer. C. A VRF is a Cisco proprietary encryption mechanism used to protect customer data within the MPLS core D. A VRF is the MPLS equivalent of a VLAN — it segments Layer 2 domains on PE routers

Correct answer is B. A VRF is a virtualised routing table — essentially a router-within-a-router. On a single physical PE router, multiple VRFs can exist simultaneously, each with completely isolated routing tables, forwarding tables, and interfaces. This is critical for MPLS L3VPN because different enterprise customers may use the same private IP address space (e.g., two customers both using 192.168.1.0/24). Without VRFs, these overlapping routes would conflict in a single routing table. With VRFs, Customer A's 192.168.1.0/24 is in VRF_A and Customer B's 192.168.1.0/24 is in VRF_B — they never interact. The PE router knows which VRF to use based on the incoming interface or the VPN label on arriving MPLS packets.

7. What is the role of the Route Distinguisher (RD) and Route Target (RT) in MPLS L3VPN, and how do they differ?

A. RD and RT are the same thing — both are used to make VPN prefixes unique in MP-BGP B. RD controls which VRFs receive routes; RT makes prefixes unique in the BGP table C. RD is the router's BGP identifier; RT is the customer's autonomous system number D. The RD (Route Distinguisher) is prepended to a VPN IPv4 prefix to create a globally unique VPNv4 address in MP-BGP — it solves the overlapping address problem but does NOT control which VRFs receive the route. The RT (Route Target) is a BGP extended community that controls which VRFs export (advertise) and import (receive) which routes — it defines the VPN topology.

Correct answer is D. RD and RT serve different purposes and are frequently confused. The Route Distinguisher is a 64-bit value prepended to an IPv4 prefix to create a 96-bit VPNv4 address that is unique across all VPNs in the MP-BGP infrastructure — even if two customers use the same IPv4 address. RD = "make this prefix unique in the BGP table." The Route Target is a BGP extended community attached to VPN routes that acts as a tag. Each VRF has export-RT (tags outgoing routes) and import-RT (accepts routes matching this tag). RT = "control who receives this route." A hub-and-spoke VPN topology is built by having spoke VRFs export with RT-spoke and import RT-hub; the hub VRF exports RT-hub and imports RT-spoke.

8. What is the fundamental difference between MPLS VPWS and VPLS, and which provides a LAN-like multipoint service?

A. VPWS (Virtual Private Wire Service) provides a point-to-point Layer 2 pseudowire between exactly two sites — like a dedicated leased line replacement. VPLS (Virtual Private LAN Service) provides multipoint-to-multipoint Layer 2 connectivity — all customer sites share the same broadcast domain as if on one Ethernet LAN. VPLS provides the LAN-like service. B. VPWS provides Layer 3 routing between sites; VPLS provides Layer 2 switching C. VPLS is point-to-point; VPWS is multipoint D. Both VPWS and VPLS are multipoint — the difference is the encryption method used

Correct answer is A. VPWS (also called pseudowire or AToM — Any Transport over MPLS) connects exactly two customer sites with a transparent Layer 2 circuit. It is the MPLS replacement for a leased line or Frame Relay PVC — one end in, one end out, Layer 2 frames pass transparently. VPLS connects multiple (three or more) customer sites so they all share one virtual Ethernet switch — frames from any site can reach any other site, broadcasts are replicated to all sites, and all sites are in the same broadcast domain. VPLS is appropriate for enterprises that need to stretch a Layer 2 domain across multiple sites (e.g., data centre interconnect, Metro Ethernet).

9. A service provider backbone has two parallel paths between two PE routers. Path A carries 95% utilisation; Path B is idle at 5%. Plain OSPF routing sends all traffic down Path A. What MPLS feature can solve this problem, and how?

A. MPLS LDP — configure higher LDP weights on Path A to force traffic to Path B B. MPLS L3VPN — configure a separate VRF for each path to split the traffic C. MPLS Traffic Engineering (MPLS-TE) using RSVP-TE — create an explicit TE tunnel across Path B with a bandwidth reservation. Map specific traffic classes onto this tunnel using autoroute or policy. Path B carries its assigned traffic regardless of OSPF shortest path. D. PHP — configure penultimate hop popping on Path A to redirect excess traffic to Path B

Correct answer is C. This is the classic MPLS Traffic Engineering use case. OSPF selects the shortest path (Path A by metric) and sends all traffic down it — regardless of congestion. MPLS-TE with RSVP-TE breaks this constraint: the network operator creates an explicit RSVP-TE tunnel across Path B with a bandwidth reservation (e.g., 5 Gbps reserved for critical customer traffic). Traffic mapped to this TE tunnel follows Path B — bypassing OSPF's decision entirely. Path A still handles other traffic. The result: both paths carry load, SLAs are met, and the network's total capacity is better utilised. LDP (option A) follows the IGP path and cannot deviate — it would not help here.

10. In MPLS L3VPN, which routers have knowledge of customer VPN routes and VRF configurations, and which routers do not?

A. All routers in the MPLS domain maintain VRF tables and full knowledge of all customer routes B. Only PE (Provider Edge / LER) routers have VRF tables and VPN route knowledge. They peer with CE routers via a routing protocol and distribute VPN routes to each other via MP-BGP. P (Provider / LSR) core routers have NO knowledge of customer VPNs, VRFs, or VPN routes — they only swap transport labels. C. Only P (core) routers have VRF tables; PE routers only handle label operations D. CE routers maintain VRF tables; PE and P routers are transparent to VPN routes

Correct answer is B. This is one of the most elegant design aspects of MPLS L3VPN. PE routers are VPN-aware: they maintain one VRF per customer, peer with CE routers using standard routing protocols (BGP, OSPF, EIGRP), and exchange VPN routes with remote PE routers using MP-BGP. PE routers also impose the two-label stack (transport + VPN label) and remove it at egress. P routers (core LSRs) are completely VPN-unaware: they see only the outer transport label, swap it, and forward. They do not participate in MP-BGP, have no VRF tables, and carry no customer route information. This separation is why MPLS L3VPN scales so well — adding a new customer site only adds state to two PE routers, not to every P router in the core. See: BGP Overview

← Back to Home