Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Layer 3 VPNs for IPv4 and IPv6 Overview


A Layer 3 virtual private network (VPN) routing instance is a collection of routing tables, interfaces, and routing protocol parameters. The interfaces belong to the routing tables, and the routing protocol parameters control the information in the routing tables. In the case of MPLS VPNs, each VPN has a VPN routing and forwarding (VRF) routing instance.

A VRF routing instance consists of one or more routing tables, a derived forwarding table, the interfaces that use the forwarding table, and the policies and routing protocols that determine what goes into the forwarding table. Because each instance is configured for a particular VPN, each VPN has separate tables, rules, and policies that control its operation. A separate VRF table is created for each VPN that has a connection to a customer edge (CE) router. The VRF table is populated with routes received from directly connected CE sites associated with the VRF routing instance, and with routes received from other provider edge (PE) routers in the same VPN.

The standard or the global instance is called as the default routing instance. By default, all interfaces are associated with the default routing instance and default routing information base (RIB) (inet0). Routing options and routing policies supported on the default routing instance are also applicable to other routing instances.

A VRF routing instance is a BGP and MPLS VPN environment in which BGP is used to exchange IP VPN routes and discover the remote site, and in which VPN traffic traverses an MPLS tunnel in an IP and MPLS backbone. You can enable an ACX Series router to function as a PE router by configuring VRF routing instances.

You can configure routing instances on ACX Series routers at the [edit routing-instances routing-instance-name protocols] hierarchy level for unicast IPv4, multicast IPv4, unicast IPv6, and multicast IPv6 address families. If you do not explicitly specify the address family in an IPv4 or an IPv6 environment, the router is configured to exchange unicast IPv4 or unicast IPv6 addresses by default. You can also configure the router to exchange unicast IPv4 and unicast IPv6 routes in a specified VRF routing instance. If you specify the multicast IPv4 or multicast IPv6 address family in the configuration, you can use BGP to exchange routing information about how packets reach a multicast source, instead of a unicast destination, for transmission to endpoints.


Only the forwarding and virtual router routing instances support unicast IPv6 and multicast IPv6 address families. Unicast IPv6 and multicast IPv6 address families are not supported for VRF routing instances.

You can configure the following types of Layer 3 routing instances on ACX Series routers:

  • Forwarding—Use this routing instance type for filter-based forwarding applications. For this instance type, there is no one-to-one mapping between an interface and a routing instance. All interfaces belong to the default instance inet.0. There are multiple forwarding tables and the selection of a table depends on the filter applied on the interface.

  • Virtual router—A virtual router routing instance is similar to a VRF instance type, but is used for non-VPN-related applications. There are no VRF import, VRF export, VRF target, or route distinguisher requirements for this instance type. For this instance type, there is a one-to-one mapping between an interface and a routing instance. This routing instance type is used for routing and forwarding virtualization without VPNs (which is achieved by using the VRF-Lite application).

  • VRF—Use the VRF routing instance type for Layer 3 VPN implementations. This routing instance type has a VPN routing table as well as a corresponding VPN forwarding table. For this instance type, there is a one-to-one mapping between an interface and a routing instance. Each VRF routing instance corresponds with a forwarding table. The routes for each interface are installed in the forwarding table that is associated with the VRF routing instance. This routing instance type is used to implement BGP or MPLS VPNs in service provider networks or in big enterprise topologies.

Consider a sample VRF configuration scenario in which you want to configure two virtual routers, one to transmit voice and data traffic and another to carry management traffic. With such a configuration, the user and management networks are virtually separated, although the physical infrastructure is unified and cohesive. Virtual router routing instances enable you to isolate traffic without using multiple devices to segment your networks. The virtual routers do not create IP, MPLS, or GRE tunnels, and automatic discovery of remote sites that belong to the same network is not available. You must configure interfaces that are part of a virtual network in a streamlined manner to suit your topology requirements.

The following limitations apply to VRF routing instances that you configure on ACX Series routers:

  • You cannot establish a communication between two virtual routing instances that are connected by external loopback.

  • You cannot add a GRE or an MPLS tunnel to a virtual router.

In the Layer 3 lookup, up to 128 VRF tables are supported. Virtual routers without routing protocols enabled (based on static routes) support 64 VRF tables and virtual routers with all functions enabled within the routing instances support 16 VRF tables. When you enable VRF table labels and you do not explicitly apply a classifier configuration to the routing instance, the default MPLS EXP classifier is applied to the routing instance. You can override the default MPLS EXP classifier and apply a custom classifier to the routing instance. To perform this operation, you can filter the packets based on the IP header, choose the VRF, and based on the selected VRF, create an EXP classifier and associate it with the routing instance.