Inter-provider MPLS VPN lets multiple service providers connect their MPLS networks so customers can have one VPN across different carriers. With Back-to-Back VRF (Option A), the simplest inter-provider MPLS VPN method, each provider terminates the VPN on its ASBR, uses a dedicated VRF for the customer, and exchanges plain IP routes (no labels) over a direct interface or sub-interface.
Inter-Provider MPLS VPN
Inter-Provider MPLS VPN Overview
Inter-Provider MPLS VPN (also called Multi-AS MPLS VPN) allows multiple service providers (SPs) to interconnect their MPLS networks so that a customer can have a single, seamless Layer 3 VPN spanning different providers. The goal is to provide end-to-end VPN connectivity while keeping each provider’s network independent and secure.
The challenge is that MPLS and VRFs are local to each provider, so special mechanisms are needed to exchange VPN routes across provider boundaries.
1. Back-to-Back VRF (Option A): Each provider terminates the customer’s VPN on its ASBR using a dedicated VRF, and plain IP routes are exchanged directly over a point-to-point interface or sub-interface between ASBRs. This method is simple to configure and suitable for small deployments but does not scale well, as each customer requires a separate VRF and direct connection.
2. MP-eBGP Between ASBRs (Option B): Providers establish MP-BGP sessions between their ASBRs to exchange labeled VPN routes, allowing customer traffic to traverse multiple networks while maintaining VPN separation. This approach is more scalable than Option A and supports many customers without requiring individual physical or logical links.
3. Multi-Hop MP-eBGP Between Route Reflectors (Option C): Instead of direct ASBR-to-ASBR BGP sessions, providers use route reflectors to propagate VPN routes across multiple ASBRs via multi-hop MP-BGP. This reduces the number of BGP sessions and simplifies large-scale deployments, making it ideal for networks with many providers and numerous customers.
4. Non-VPN Transit Provider: In this method, multiple MPLS VPN providers interconnect using a third MPLS-enabled provider purely as a transit backbone. Multi-hop MP-BGP sessions are established between the providers’ route reflectors, while the transit provider only forwards labeled packets without participating in the VPN. BGP next hops are propagated and an end-to-end LSP is maintained, enabling VPN extension across regions without exposing customer routes and ensuring scalability and operational simplicity. This is especially useful in scenarios where providers operate in different regions or countries and want to extend VPN reach without exposing customer routes or negotiating complex VPN agreements with the transit network.
Customer A Customer B
| |
v v
1️⃣ Back-to-Back VRF (Option A)
+----------------+ +----------------+
| Provider1 ASBR |-------| Provider2 ASBR |
| (VRF-CustA) | Plain | (VRF-CustA) |
+----------------+ IP +----------------+
2️⃣ MP-eBGP Between ASBRs (Option B)
+----------------+ +----------------+
| Provider1 ASBR |<----->| Provider2 ASBR |
| | MP-BGP| |
+----------------+ +----------------+
3️⃣ Multi-Hop MP-eBGP via Route Reflectors (Option C)
+----------------+ +----------------+
| Provider1 ASBR | | Provider2 ASBR |
+----------------+ +----------------+
| ^
| |
v |
+----------------+ +----------------+
| RR-Provider1 |<----->| RR-Provider2 |
+----------------+ +----------------+
^ |
|-------------------------|
Multi-hop MP-BGP
4️⃣ Non-VPN Transit Provider
+----------------+ +----------------+
| Provider1 ASBR | | Provider2 ASBR |
+----------------+ +----------------+
| ^
| |
v |
+-----------------------------+
| Transit Provider MPLS |
| (forwards labeled packets) |
+-----------------------------+
In this lesson, we will focus on and demonstrate only the Back-to-Back VRF method. The other methods will be covered in the following lessons in sequence.
Inter-Provider MPLS VPN using Back-to-Back VRF
The Back-to-Back VRF method is the simplest approach to inter-provider MPLS VPNs. In this method, each service provider terminates the customer’s VPN on its Autonomous System Border Router (ASBR) using a dedicated VRF (Virtual Routing and Forwarding) instance. The ASBRs of the two providers are connected directly via a point-to-point interface or sub-interface, over which they exchange plain IP routes for the customer.
This is the topology example I have prepared to demonstrate how Inter-Provider MPLS VPN works using the Back-to-Back VRF method.
We have two different MPLS VPN service providers, AS 1 and AS 2, each with their own customers. Some customers are shared between the service providers, meaning that some sites of a customer are connected to the first provider, while other sites are connected to the second provider.
In this example, we have two customers, A and B, each with one site connected to Provider 1 and another site connected to Provider 2.
In the Back-to-Back VRF method, there must be direct physical connectivity between the two providers using routers called ASBRs (Autonomous System Border Routers). For each customer shared between providers, a dedicated physical or logical link (such as a sub-interface) is created for that customer.
In this topology, the two providers are connected via ASBR11 (Provider 1) and ASBR21 (Provider 2) using a dedicated link on interface eth0/1. On this interface, we create two sub-interfaces:
eth0/1.11dedicated for Customer A (VRF A)eth0/1.12dedicated for Customer B (VRF B)
Each provider sees each customer extended to the other provider as if it were a normal VPN service between customer sites, with a dedicated link per customer on the ASBRs.
Traffic within each provider’s network is forwarded as standard MPLS VPN traffic. Between the two providers, traffic is forwarded as plain IP traffic over the dedicated links. Once it reaches the second provider, it is again forwarded as normal MPLS VPN traffic to the respective customer site.
Between the ASBRs and also between the PE and CE routers, any IP routing protocol can be used as discussed in the previous lesson. For simplicity in this demonstration, we are using static routes.
## ASBR11 interface eth0/1 no shutdown ! interface eth0/1.11 encapsulation dot1Q 11 ip vrf forwarding A ip address 10.12.1.1 255.255.255.0 ! interface eth0/1.12 encapsulation dot1Q 12 ip vrf forwarding B ip address 10.12.2.1 255.255.255.0 ! ip route vrf A 192.168.2.0 255.255.255.0 eth0/1.11 10.12.1.2 ip route vrf B 192.168.2.0 255.255.255.0 eth0/1.12 10.12.2.2
## ASBR21 interface eth0/1 no shutdown ! interface eth0/1.11 encapsulation dot1Q 11 ip vrf forwarding A ip address 10.12.1.2 255.255.255.0 ! interface eth0/1.12 encapsulation dot1Q 12 ip vrf forwarding B ip address 10.12.2.2 255.255.255.0 ! ip route vrf A 192.168.1.0 255.255.255.0 eth0/1.11 10.12.1.1 ip route vrf B 192.168.1.0 255.255.255.0 eth0/1.12 10.12.2.1
Control Plane (Back-to-Back VRF) Verification
To verify the control plane, I checked the VPNv4 BGP table for the routes of Customers A and B. As shown, routes for the same customer connected to the other service provider are also received via BGP, advertised by the ASBR.
On PE11, we can see:
192.168.1.0/24– the subnet for both Customers A and B connected to this PE.192.168.2.0/24– the subnet for the same customers at PE21 in the second service provider.
This confirms that all remote and local routes are properly learned and installed in the VRFs, ensuring full end-to-end VPN connectivity.
BGP table version is 17, local router ID is 10.10.1.1 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 1:100 (default for vrf A) *>i 10.12.1.0/24 10.10.1.2 0 100 0 ? *> 172.16.11.0/24 0.0.0.0 0 32768 ? *> 192.168.1.0 172.16.11.2 0 32768 ? *>i 192.168.2.0 10.10.1.2 0 100 0 ? Route Distinguisher: 1:200 (default for vrf B) *>i 10.12.2.0/24 10.10.1.2 0 100 0 ? *> 172.16.12.0/24 0.0.0.0 0 32768 ? *> 192.168.1.0 172.16.12.2 0 32768 ? *>i 192.168.2.0 10.10.1.2 0 100 0 ?
Data Plane Verification
To better understand how Inter-Provider MPLS VPN works using the Back-to-Back VRF method, I sent traffic from Customer A site 1 (A1) connected to Provider 1 to Customer A site 2 (A2) connected to Provider 2.
Using traceroute, the traffic flows as follows:
A1 → PE1 (Provider 1): Enters VRF A.
PE1 → MPLS Core (Provider 1): Forwarded with MPLS labels.
ASBR11 → ASBR21: Crosses the dedicated Back-to-Back link as plain IP traffic.
PE2 → MPLS Core (Provider 2) → A2: Labels are applied again, and traffic reaches Customer A site 2.
Key points:
Between providers, traffic is forwarded as plain IP over a dedicated link per customer.
Within each provider, MPLS VPN forwarding is handled normally.
A1#traceroute 192.168.2.1 source loopback 0 Type escape sequence to abort. Tracing the route to 192.168.2.1 VRF info: (vrf in name/id, vrf out name/id) 1 172.16.11.1 2 msec 5 msec 5 msec 2 10.1.1.1 [MPLS: Labels 19/21 Exp 0] 3 msec 1 msec 1 msec 3 10.12.1.1 [MPLS: Label 21 Exp 0] 0 msec 6 msec 2 msec 4 10.12.1.2 5 msec 7 msec 3 msec 5 10.2.2.1 [MPLS: Labels 18/16 Exp 0] 7 msec 3 msec 5 msec 6 172.16.21.1 [MPLS: Label 16 Exp 0] 2 msec 1 msec 2 msec 7 172.16.21.2 6 msec 2 msec 6 msec
Final Device Configurations
This section presents the complete configuration of all devices related to the topology, including PE routers, customer edge devices, and ASBRs.
## P11 interface loopback 0 ip address 10.10.1.11 255.255.255.255 ! interface eth0/0 no shutdown ip address 10.1.1.1 255.255.255.0 mpls ip ! interface eth0/1 no shutdown ip address 10.1.2.1 255.255.255.0 mpls ip ! router ospf 1 network 10.0.0.0 0.255.255.255 area 0 ! mpls label protocol ldp mpls ldp router-id Loopback0
## P12 interface loopback 0 ip address 10.10.2.11 255.255.255.255 ! interface eth0/0 no shutdown ip address 10.2.2.1 255.255.255.0 mpls ip ! interface eth0/1 no shutdown ip address 10.2.1.1 255.255.255.0 mpls ip ! router ospf 1 network 10.0.0.0 0.255.255.255 area 0 ! mpls label protocol ldp mpls ldp router-id Loopback0
## PE11 interface loopback 0 ip address 10.10.1.1 255.255.255.255 ! interface eth0/0 no shutdown ip address 10.1.1.2 255.255.255.0 mpls ip ! router ospf 1 network 10.0.0.0 0.255.255.255 area 0 ! mpls label protocol ldp mpls ldp router-id Loopback0 ! ip vrf A rd 1:100 route-target export 1:100 route-target import 1:100 ! ip vrf B rd 1:200 route-target export 1:200 route-target import 1:200 ! interface eth0/1 no shutdown ip vrf forwarding A ip address 172.16.11.1 255.255.255.0 ! interface eth0/2 no shutdown ip vrf forwarding B ip address 172.16.12.1 255.255.255.0 ! router bgp 65001 no synchronization bgp log-neighbor-changes neighbor 10.10.1.2 remote-as 65001 neighbor 10.10.1.2 update-source Loopback0 ! address-family vpnv4 neighbor 10.10.1.2 activate neighbor 10.10.1.2 send-community both neighbor 10.10.1.2 next-hop-self exit-address-family ! address-family ipv4 vrf A redistribute connected redistribute static exit-address-family ! address-family ipv4 vrf B redistribute connected redistribute static exit-address-family ! ip route vrf A 192.168.1.0 255.255.255.0 eth0/1 172.16.11.2 ip route vrf B 192.168.1.0 255.255.255.0 eth0/2 172.16.12.2
## PE21 interface loopback 0 ip address 10.10.2.1 255.255.255.255 ! interface eth0/0 no shutdown ip address 10.2.1.2 255.255.255.0 mpls ip ! router ospf 1 network 10.0.0.0 0.255.255.255 area 0 ! mpls label protocol ldp mpls ldp router-id Loopback0 ! ip vrf A rd 1:10 route-target export 1:10 route-target import 1:10 ! ip vrf B rd 1:200 route-target export 1:20 route-target import 1:20 ! interface eth0/1 no shutdown ip vrf forwarding A ip address 172.16.21.1 255.255.255.0 ! interface eth0/2 no shutdown ip vrf forwarding B ip address 172.16.22.1 255.255.255.0 ! router bgp 65002 no synchronization bgp log-neighbor-changes neighbor 10.10.2.2 remote-as 65002 neighbor 10.10.2.2 update-source Loopback0 ! address-family vpnv4 neighbor 10.10.2.2 activate neighbor 10.10.2.2 send-community both neighbor 10.10.2.2 next-hop-self exit-address-family ! address-family ipv4 vrf A redistribute connected redistribute static exit-address-family ! address-family ipv4 vrf B redistribute connected redistribute static exit-address-family ! ip route vrf A 192.168.2.0 255.255.255.0 eth0/1 172.16.21.2 ip route vrf B 192.168.2.0 255.255.255.0 eth0/2 172.16.22.2
## ASBR11 interface loopback 0 ip address 10.10.1.2 255.255.255.255 ! interface eth0/0 no shutdown ip address 10.1.2.2 255.255.255.0 mpls ip ! router ospf 1 network 10.0.0.0 0.255.255.255 area 0 ! mpls label protocol ldp mpls ldp router-id Loopback0 ! ip vrf A rd 1:100 route-target export 1:100 route-target import 1:100 ! ip vrf B rd 1:200 route-target export 1:200 route-target import 1:200 ! interface eth0/1 no shutdown ! interface eth0/1.11 encapsulation dot1Q 11 ip vrf forwarding A ip address 10.12.1.1 255.255.255.0 ! interface eth0/1.12 encapsulation dot1Q 12 ip vrf forwarding B ip address 10.12.2.1 255.255.255.0 ! router bgp 65001 no synchronization bgp log-neighbor-changes neighbor 10.10.1.1 remote-as 65001 neighbor 10.10.1.1 update-source Loopback0 ! address-family vpnv4 neighbor 10.10.1.1 activate neighbor 10.10.1.1 send-community both neighbor 10.10.1.1 next-hop-self exit-address-family ! address-family ipv4 vrf A redistribute connected redistribute static exit-address-family ! address-family ipv4 vrf B redistribute connected redistribute static exit-address-family ! ip route vrf A 192.168.2.0 255.255.255.0 eth0/1.11 10.12.1.2 ip route vrf B 192.168.2.0 255.255.255.0 eth0/1.12 10.12.2.2
## ASBR21 interface loopback 0 ip address 10.10.2.2 255.255.255.255 ! interface eth0/0 no shutdown ip address 10.2.2.2 255.255.255.0 mpls ip ! router ospf 1 network 10.0.0.0 0.255.255.255 area 0 ! mpls label protocol ldp mpls ldp router-id Loopback0 ! ip vrf A rd 1:100 route-target export 1:10 route-target import 1:10 ! ip vrf B rd 1:200 route-target export 1:20 route-target import 1:20 ! interface eth0/1 no shutdown ! interface eth0/1.11 encapsulation dot1Q 11 ip vrf forwarding A ip address 10.12.1.2 255.255.255.0 ! interface eth0/1.12 encapsulation dot1Q 12 ip vrf forwarding B ip address 10.12.2.2 255.255.255.0 ! router bgp 65002 no synchronization bgp log-neighbor-changes neighbor 10.10.2.1 remote-as 65002 neighbor 10.10.2.1 update-source Loopback0 ! address-family vpnv4 neighbor 10.10.2.1 activate neighbor 10.10.2.1 send-community both neighbor 10.10.2.1 next-hop-self exit-address-family ! address-family ipv4 vrf A redistribute connected redistribute static exit-address-family ! address-family ipv4 vrf B redistribute connected redistribute static exit-address-family ! ip route vrf A 192.168.1.0 255.255.255.0 eth0/1.11 10.12.1.1 ip route vrf B 192.168.1.0 255.255.255.0 eth0/1.12 10.12.2.1
## A1 interface loopback 0 ip address 192.168.1.1 255.255.255.0 ! interface eth 0/0 no shutdown ip address 172.16.11.2 255.255.255.0 ! ip route 0.0.0.0 0.0.0.0 172.16.11.1
## B1 interface loopback 0 ip address 192.168.1.1 255.255.255.0 ! interface eth 0/0 no shutdown ip address 172.16.12.2 255.255.255.0 ! ip route 0.0.0.0 0.0.0.0 172.16.12.1
## A2 interface loopback 0 ip address 192.168.2.1 255.255.255.0 ! interface eth 0/0 no shutdown ip address 172.16.21.2 255.255.255.0 ! ip route 0.0.0.0 0.0.0.0 172.16.21.1
## B2 interface loopback 0 ip address 192.168.2.1 255.255.255.0 ! interface eth 0/0 no shutdown ip address 172.16.22.2 255.255.255.0 ! ip route 0.0.0.0 0.0.0.0 172.16.22.1