L3VPN Over MPLS Tunnel

This feature provides a mechanism to connect private IPv4 and IPv6 data networks over a public IPv4 network using an MPLS tunnel.

L3VPN Encapsulation at Ingress Node

At the ingress node, L3 packets are encapsulated with an L3VPN label and sent over an MPLS tunnel. The VRF is identified from the incoming L3 interface. Packets undergo a route lookup to identify the route used to forward the packet. Based on the route information, the outgoing L3VPN label is decided. The out-label information is obtained as part of the BGP route exchange.

Note

ECMP for L3VPN is supported, along with the other native properties of the underlying MPLS tunnel.

Based on the underlying MPLS tunnel, outgoing packets can be in any of the following formats:
  • L2Hdr + L3VPN Label + IP Payload (single hop tunnel)
  • L2Hdr + MPLS Tunnel Label + L3VPN Label + IP Payload (multi hop MPLS tunnel)
  • L2Hdr + By-Pass Lbl + MPLS Tunnel Label + L3VPN Label + IP Payload (multi hop tunnel over a bypass)

Extreme devices support uniform and pipe modes. Short-pipe mode is not supported. For single hop MPLS tunnels, in pipe mode, QoS parameters are propagated to the MPLS header.

L3VPN Label Termination at Egress Node

In Layer 3 VPN, tunnel termination occurs at the egress node.

L3 VPN packet format

L3 VPN packets arriving at the egress node must carry an L3VPN label (MPLS) in the header, and the DA MAC must be the MAC address of the incoming interface (physical or Virtual Ethernet).

On the egress node, the L3VPN label is terminated and the VRF-ID is derived. An IP lookup is then initiated with the VRF-ID and, if there is a matching DIP entry, the traffic is forwarded.

Incoming packets on the egress node are processed in different ways depending on the mode configured (RFC 3270) on the device. Extreme devices support uniform and pipe modes. Short-pipe mode is not supported.

Packets with L3VPN label TTL=1 and TTL=0 are trapped to the CPU and dropped. If a tunnel termination occurs, the packet size is reduced. If the configured MTU of the outgoing port is less than the outgoing packet size, packets are sent to the CPU for fragmentation depending on the DF bit setting. Extreme SLX-OS supports tunnel-termination statistics per VPN label.

Tunnel termination happens at the egress node. The L3VPN packet at the egress node comes with an L3VPN label (MPLS), and the DA MAC is the incoming interface MAC address. On the egress node, the L3VPN label is terminated and the vrf-id is derived from the label value. After the label termination, an IP lookup is launched with the derived vrf-id and, if there is a matching DIP entry, the traffic is forwarded. The outgoing packet from this node is a regular L3 packet.

Note

Currently, only PHP is supported. The MPLS tunnel label is terminated at the PHP node. The egress PE always receives packets with only the L3VPN label.

After the L3VPN label termination, the IP lookup is launched based on the first nibble of the packet header that follows the L3VPN label. If it is 4, an IPv4 route lookup is launched. If it is 6, an IPv6 lookup is launched.

Note

IPv4/IPv6 lookup is not dependent on the VRF address-family configuration. If the DA MAC is not MyMAC (the incoming interface MAC), regular L2 flooding happens.
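
The egress decisions described above (DA MAC check, TTL trap, label to vrf-id, next-nibble lookup selection) can be modelled in software as follows. This is an added example, not Extreme or SLX-OS code; the MAC addresses, the label-to-VRF table, the action names, and the handling of unknown labels and unknown nibbles are assumptions, and frames are assumed to be untagged Ethernet.

```python
import struct

# Constructed sample values (assumptions, not taken from SLX-OS).
MY_MAC = bytes.fromhex("02005e000001")   # MAC of the incoming interface
VPN_LABEL_TO_VRF = {500100: 10}          # L3VPN label -> vrf-id
ETH_MPLS = 0x8847                        # MPLS unicast EtherType


def build_frame(da_mac, label, ttl, payload, tc=0):
    """Build an untagged Ethernet frame carrying one bottom-of-stack label."""
    lse = (label << 12) | (tc << 9) | (1 << 8) | ttl   # label | TC | S=1 | TTL
    src = bytes.fromhex("02005e0000aa")                # constructed source MAC
    return da_mac + src + struct.pack("!HI", ETH_MPLS, lse) + payload


def classify_egress(frame):
    """Return (action, vrf_id) for a frame arriving at the egress PE."""
    if len(frame) < 19:                      # 14 L2 + 4 label + 1 payload byte
        return ("drop-malformed", None)
    if frame[0:6] != MY_MAC:                 # DA MAC is not MyMAC
        return ("l2-flood", None)
    ethertype, lse = struct.unpack("!HI", frame[12:18])
    label, s_bit, ttl = lse >> 12, (lse >> 8) & 1, lse & 0xFF
    if ethertype != ETH_MPLS or not s_bit:
        # Not modelled here: with PHP only the L3VPN label reaches the egress PE.
        return ("not-modelled", None)
    if ttl <= 1:                             # L3VPN label TTL=0 or TTL=1
        return ("trap-to-cpu-drop", None)
    vrf_id = VPN_LABEL_TO_VRF.get(label)     # vrf-id derived from label value
    if vrf_id is None:
        return ("drop-unknown-label", None)  # assumption, not stated on the page
    nibble = frame[18] >> 4                  # first nibble after the L3VPN label
    if nibble == 4:
        return ("ipv4-lookup", vrf_id)
    if nibble == 6:
        return ("ipv6-lookup", vrf_id)
    return ("drop-unknown-payload", None)    # assumption, not stated on the page


if __name__ == "__main__":
    v4 = b"\x45" + bytes(19)                 # constructed IPv4 header stub
    v6 = b"\x60" + bytes(39)                 # constructed IPv6 header stub
    print(classify_egress(build_frame(MY_MAC, 500100, 64, v4)))
    print(classify_egress(build_frame(MY_MAC, 500100, 64, v6)))
    print(classify_egress(build_frame(MY_MAC, 500100, 1, v4)))
```

Because the lookup type comes from the payload nibble and not from the VRF address-family configuration, an IPv6 packet arriving with a valid VPN label is looked up in that VRF even if only IPv4 was intended there, which is worth checking when reviewing VRF route tables and filters.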