layer3 mpls vpn is a way to provide separated routing instances (called vrfs) for the customers
where overlapping address spaces could be used between the customers. control plane achieved by
extending bgp with labeled vpn afi. the address space separation achieved by
prepending route distringuisher specfic to the vpn before the prefix,
making the resulting rd+prefix unique within the labeled vpn afi. the rd does not need to match
between the particpating pe routers and you can choose between as:vpnid
or loopback:vpnid format.
prefixes within the labeled vpn afi should carry at least one route target extended community which
could be used to specify the visibility of the prefix. it is sticked to the prefix on the
originating pe with export config statements and referred on the
other pe routers with the import config statement. a full mesh vpn could
use a single rt importing and exporting it on every participating pe routers.
a hub-and-spoke vpn could use one rt for hub to spoke direction and another
rt for spoke to hub direction, in this way two spoke servicing pe routers won't
import each other's spoke routes, just the hub's ones. since you can import and export more rts
in a given vrf, you can do much more, for example introduce common services to vpns
or use default-only routing on constrained pe routers if you have at least one
pe with full visibility and legitimate default origination possibility.
the data plane is quiet simple, once a packet arrives on an interface beloging to a vrf,
the pe router looks the longest matching prefix in the vrf's routing table,
from this info it places the inner, service label advertised by the
remote pe in bgp labeled vpn afi. then it looks up
the remote pe in it's global table for an appropirate lsp,
and uses that info as the outer transport label on the packet.
since the control plane is labeled vpn afi, you always have to consider the label
allocating scheme within the vrf.
between the pe and the customer edge router nearly any routing protocol could
be used, or simply they could point to each other by static routes. if bgp
is chosen, plain unicast afi is used on the pe-ce bgp session,
and the pe translates the routes between the core's labeled vpn afi and the ce's unicast afi.