Home > BGP + MPLS 642-691 Exam > MPLS VPN Questions

MPLS VPN Questions

Here you will find answers to MPLS VPN Questions – Part 1

Question 1

Refer to the diagram. What problem can be caused by the second P router summarizing the loopback address of the egress PE router?


A. The first P router will be faced with a VPN label which it does not understand.
B. The second P router will be faced with a VPN label which it does not understand.
C. The egress PE router will not be able to establish a label switch path (LSP) to the ingress PE router.
D. A label switch path (LSP) will be established from the ingress PE router to the egress PE router, an event that is not desirable.
E. The ingress PE router will not be able to receive the VPN label from the egress PE router via MP-IBGP.


Answer: B


When running MPLS VPN, there is a feature called penultimate hop popping (PHP). The “penultimate hop” is not the last LSR to process a labeled packet but the second-to-last LSR to process a labeled packet (which means the nearest router to the egress LSR). With this feature, the egress LSR does not have to perform two label lookups as PHP causes the penultimate hop to pop the MPLS label; leaving only VPN label for the egress LSR to proceed.

In this question, if the second P router summarizes the loopback IP address of the egress PE router then the Label Switch Path (LSP) tunnel will be broken.To understand why, let’s assume that the loopback address of the egress PE is and the second P router summaries it as The second P router has both networks in the routing table as below:
+ (the original network)
+ (the summary network)

The second P router only sends the summary network to the first P router and ingress PE router. Also, the second P router thinks it is the last hop of the summary network (because other routers don’t have information about this summary network) so it sends a pop label for this network to “First P router”. It also sends a label (7, for example) for the original netwok to “First P router”.


As the “Second P router” only sends summary network, “First P router” will understand that it needs to pop (remove) the label destined for this network, according to the PHP feature. It then sends this packet to the “second P router”. Therefore the “second P router” will get a VPN label which it cannot understand and the packet will be dropped.

Notice that in MPLS VPN, the next-hop label mapping to the downstream PE router’s loopback is used to forward the packet through the MPLS domain so the loopback address of the egress PE router is very important.

Some other useful information about MPLS VPN:

The VPN label of the BGP route is recognized only by the egress PE router, and will not be understood by any other router (core routers). At the egress PE router, that prefix  is associated with an outgoing interface belonging to a specific VRF on the router depending on the value in the VPN label. The VPN label is never touched until it reaches the egress PE router.

Aggregation should not be used where end-to-end LSPs are required, such as with:
– MPLS-enabled ATM network
– Transit BGP where core routers are not running BGP

Question 2

On a dedicated subinterface implementation, PE-2 must establish an address-family vrf IPv4 BGP neighbor relationship with which router?

Internet Access Through a Dedicated Subinterface


A. CE-1
B. CE-2
C. PE-1
E. CE-1 and CE-2
F. PE-1 and PE-IG


Answer: B


PE router needs to learn IP prefix from customer edge (CE) router so it must establish neighbor relationship with CE. The IP prefix is a member of IPv4 address family. After learning it, the PE converts it into a VPN-IPv4 prefix which is a member of VPN-IPv4 address family. It specifies the customer address uniquely even if the customer site uses private IP address.


You always have to configure a BGP address family for each VRF and configure route redistribution into BGP for each VRF, even if you do not use BGP as the PE-CE routing protocol.

(Reference: MPLS Student Guide)

Question 3

What are three drawbacks of a peer-to-peer VPN using a shared provider edge (PE) router? (Choose three)

A. A full mesh of virtual circuits is required between the customer sites.
B. All the customers have to share a common IP address space.
C. Optimal routing between customer sites cannot be guaranteed.
D. The shared PE router has to know all routes for all customers.
E. Packet filters are required on the PE routers.


Answer: B D E

Question 4

What is the difference in implementation between a managed CE services MPLS VPN and a central services MPLS VPN?

A. RD assignment
B. selective routes export
C. selective routes import
D. MP-BGP route redistribution filtering
E. CE-PE routing process
F. none


Answer: B

Question 5

What benefit does AToM provide to the service provider’s customers?

A. By supporting Layer 2 VPNs, customers maintain control of their site-to-site routings over the WAN.
B. By supporting Layer 3 VPNs, a full mesh of virtual circuits will not be required between the different customer sites to enable optimal routing. 
C. By supporting secured Layer 3 VPNs, customers do not have to deal with the complexity of configuring IPSec. 
D. By supporting MPLS traffic engineering over ATM, customers can better utilize their WAN link. 
E. By supporting Diff-Serv QoS, ATOM allows customers to deploy voice/video applications across the WAN.


Answer: A

Question 6

What is the purpose of the global configuration command, ip dhcp relay information option vpn?

A. enables the DHCP relay agent to insert the VPN suboptions to the BOOTP request
B. enables the DHCP relay agent to convert the broadcast DHCP request to a unicast DHCP request to a shared DHCP server 
C. enables the DHCP relay agent to perform VRF-aware NAT before forwarding the DHCP request to a shared DHCP server 
D. enables ODAP (On-Demand Address Pool) on the DHCP relay agent


Answer: A

Question 7

With MPLS VPN-aware NAT, what additional information is tracked inside the NAT translation table?

A. RD information 
B. RT information 
C. VRF information 
D. Multi-protocol BGP prefixes 
E. MPLS Labels


Answer: C

Question 8

Which of the following could be called a VPN identifier in the MPLS/VPN architecture?

A. route target 
B. route distinguisher 
D. VPN IPv4 address
E. BGP site-of-origin (SOO) extended community attribute


Answer: A


The Route Distinguisher (RD) number is used to prefix the IP addresses for the site. This gives us a way to distinguish duplicate private addresses. For example, subnet for VPN 16 is different than subnet for VPN 20. From the MPLS VPN provider’s point of view they are 16: and 20:, which are different. The RD is configured on the interface (or subinterface) connecting to the site.

But the RD cannot indicate that a site participates in more than one VPN. Therefore, route target (RT) were introduced in the MPLS VPN architecture to support complex VPN topologies. The RT indicates the VPN membership of a route and allows VPN routes to be imported or exported into or out of your VRFs. Similar to RDs, the RTs can be specified in one of these two formats:
* 16-bit AS number followed by a 32-bit decimal number (ASN:nn). For example, 15:3
* 32-bit IP address followed by a 16-bit decimal number (A.B.C.D:nn). For example,

Notice that while a particular prefix can have only one RD, that same prefix can have one or more RTs assigned to it.

Note: The route target can be considered a VPN identifier but route target is the closest approximation to a VPN identifier in the MPLS/VPN architecture.

Question 9

MPLS_VPN_neighbor.jpgRefer to the exhibit. The MPLS VPN Customer A is using a separate interface for Internet access. However, with the current configurations shown, the CE router is not receiving any Internet routes from the PE router. Which two additional configuration commands can resolve the Internet connectivity issue? (Choose two)

A. At the CE router, under router bgp 50101, add the neighbor remote-as 50102 command.
B. At the CE router, under router bgp 50101, add the network command.
C. At the CE router, under router bgp 50101, add the ip route command.
D. At the PE router, under address-family ipv4 vrf Customer_A, add the neighbor remote-as 50101 command.
E. At the PE router, under address-family ipv4 vrf Customer_A, add the neighbor default-originate command.
F. At the PE router, under router bgp 50102, add the neighbor remote-as 50101 command


Answer: A F

Question 10

Refer to the exhibit and the following connectivity requirements. How many different VRFs are required?

MPLS_VRF.jpgSites CE1A, CE1B, CE1C, and CE1D require connectivity among them.
Sites CE2A and CE2B require connectivity between them.
Site CE12A requires connectivity to sites CE1A, CE1B, CE1C, CE1D, and CE12B.
Site CE12B requires connectivity to sites CE2A, CE2B, and CE12A.

A. 2 VRFs 
B. 3 VRFs 
C. 4 VRFs 
D. 6 VRFs 
E. 8 VRFs 
F. 10 VRFs


Answer: C

Categories: BGP + MPLS 642-691 Exam Tags:
  1. No comments yet.
  1. No trackbacks yet.