Multiprotocol Label Switching (MPLS) is a foundational technology in service provider networks, enabling the delivery of highly scalable, secure, and efficient Layer 3 VPNs. However, the inner workings of MPLS can seem overwhelming due to the number of components and protocols involved. In this article, we’ll simplify some of the most important MPLS concepts: Route Distinguishers (RDs), Route Targets (RTs), and VPNv4 routes, and how they all work together to allow multiple customers to use overlapping IP addresses while sharing the same MPLS core.

The Role of VRFs in MPLS VPNs

To understand RDs, RTs, and VPNv4 routes, we need to start with Virtual Routing and Forwarding instances (VRFs). VRFs are configured on Provider Edge (PE) routers to logically separate routing tables for different customers. This segmentation allows multiple customers to use the same private IP address ranges (e.g., 10.0.0.0/8) without conflict. Each VRF is essentially an isolated routing domain on a PE router.

For example, if PE1 connects to two different customers—Customer A and Customer B—it can have two separate VRFs: VRF-A and VRF-B. Each VRF contains its own set of routes, interfaces, and routing protocols. While this solves local route separation on the PE, MPLS networks often involve multiple PE routers. So how does PE1 distinguish between Customer A’s 10.10.20.0/24 route and Customer B’s identical prefix coming from PE2?

The Problem with Overlapping IP Address Spaces

When PE routers exchange customer routes over the MPLS network, they use iBGP (internal BGP). This is a critical piece of the MPLS control plane. But here’s the challenge: if multiple customers are using the same IP address ranges, BGP alone cannot distinguish between them. If both Customer A and Customer B are using 10.10.20.0/24, a standard BGP advertisement would not know which route belongs to whom.

This is where Route Distinguishers (RDs) come in.

What Are Route Distinguishers (RDs)?

Route Distinguishers (RDs) are 64-bit values used to make customer routes unique within the MPLS network. By prepending an RD to a customer’s IP prefix, the PE router creates a new type of route called a VPNv4 route.

Format and Configuration

RDs are typically written in the format ASN:nn (e.g., 100:20), where:

• ASN is the Autonomous System Number (typically of the BGP instance).
• nn is an arbitrary number to distinguish between VRFs.

Although the ASN-based format is a convention, the value itself can be any 64-bit number as long as it is unique across VRFs.

Example

Let’s say Customer A is using VRF BLUE on PE2 and has the IP subnet 10.10.20.0/24. PE2 assigns the RD 100:20 to this VRF. When PE2 receives the route from CE3 (Customer A’s device), it prepends the RD to the prefix, resulting in a VPNv4 route:

makefileCopyEditRD:Prefix = 100:20:10.10.20.0/24

This unique route is then advertised to PE1 using MP-BGP (Multiprotocol BGP).

VPNv4 Routes: Combining RDs and IP Prefixes

A VPNv4 route is the combination of an RD and an IPv4 prefix. This format ensures global uniqueness within the MPLS domain. It allows different customers to use overlapping IP spaces without any routing ambiguity.

When PE1 receives the VPNv4 route from PE2, it also learns:

• The next-hop IP (e.g., PE2’s IP address),
• The RD+Prefix combination,
• And the VPN label.

This forms the foundation for both control-plane learning and future data-plane packet forwarding.

Introducing the VPN Label

The VPN label is an MPLS label that identifies the VRF on the egress PE router. It is not directly seen by end-users or even by applications; it exists entirely within the control and forwarding logic of MPLS routers.

When PE1 receives the iBGP update from PE2, the update includes:

• The VPNv4 route (100:20:10.10.20.0/24)
• The next-hop IP (PE2’s loopback)
• The VPN label (e.g., 19)

This information tells PE1 exactly how to forward packets to reach CE3 through PE2. The label switching mechanism in the MPLS core uses the outer labels for routing between PEs and the VPN label to forward traffic within the correct VRF on the egress router.

The Role of Route Targets (RTs)

While RDs make prefixes unique, they do not determine which VPNv4 routes belong to which VRFs on the receiving PE. That responsibility falls to Route Targets (RTs).

What Are Route Targets?

RTs are also 64-bit values written in the same format as RDs (e.g., 100:30), but they serve a different function: they control route import and export policies between VRFs across different PE routers.

RTs are carried in BGP updates as extended community attributes. This allows each PE router to decide:

• Which VPNv4 routes to export (attach RTs)
• Which VPNv4 routes to import (filter using matching RTs)

How RTs Work in Practice

Continuing our example, suppose:

• VRF BLUE on PE2 has an RT of 100:30
• When PE2 advertises the VPNv4 route for 10.10.20.0/24, it attaches the RT 100:30 as an extended BGP community
• PE1, which also has a VRF BLUE, is configured to import routes with RT 100:30

Thus, PE1 will correctly associate the received VPNv4 route with its own VRF BLUE, and forward the routing update to CE1, the local customer router.

This mechanism allows complete control over route visibility. If you want to isolate customer routes further or allow shared access between different VPNs, you simply adjust the import/export RTs accordingly.

Summary: How It All Fits Together

Here’s a step-by-step flow of how RDs, RTs, and VPNv4 routes operate together in an MPLS network:

1. Customer route arrives at PE2 (e.g., 10.10.20.0/24 from CE3).
2. PE2 identifies the VRF (e.g., VRF BLUE) and the configured RD (100:20).
3. PE2 creates a VPNv4 route by prepending the RD to the IPv4 prefix (100:20:10.10.20.0/24).
4. PE2 attaches a Route Target (e.g., 100:30) as a BGP extended community.
5. PE2 advertises the route to PE1 over MP-BGP, including the next-hop IP and VPN label (e.g., 19).
6. PE1 receives the VPNv4 route, verifies the RT, and checks if it matches any import policy.
7. PE1 associates the route with the correct VRF (VRF BLUE) and installs it in the routing table.
8. Traffic from CE1 to 10.10.20.0/24 is now routed via PE1, across the MPLS core, and exits through PE2 to reach CE3.

Conclusion

MPLS VPNs are a powerful way to provide isolated, scalable IP connectivity to multiple customers over a shared backbone. But to make this work, MPLS uses several advanced concepts:

• VRFs to isolate customer routing tables,
• Route Distinguishers (RDs) to create globally unique VPNv4 routes,
• Route Targets (RTs) to manage route import/export policies,
• VPN Labels to enable efficient forwarding of user data.

All of this is orchestrated using MP-BGP, making MPLS one of the most robust networking technologies in use today.

Understanding these components—especially RDs, RTs, and VPNv4 routes—is crucial for any network engineer working with service provider technologies or large-scale enterprise MPLS deployments.

Also read: BGP – What Are iBGP Route Reflectors?

About:

Welcome to telecomTech, where telecom and networking technologies… are simply explained! I’m Lazarus, a telecom professional with over 25 years of experience in network design, architecture, and telecom technologies. Over my career, I’ve led major projects, trained professionals, and helped countless individuals earn certifications and advance their careers.  

My goal is to make networking and telecom concepts clear, practical, and engaging—the way I wish they were taught when I started learning!

Whether you’re a student, a professional growing your skills, or preparing for certifications like Cisco, telecomTech is here to guide you.
Join me as we explore telecom and networking as a lifelong passion, not just a job. Let’s make this journey of growth and discovery together!