VRF Lite and L3VPN in Stingray SG

May 24, 2023
VRF Lite and L3VPN in Stingray SG
L3VPN and L2VPN are popular services among telecom operators, and are a decisive factor in choosing an Internet provider for legal entities.

When implementing a provider VPN, the provider offers the client several access points and creates channels between them within its network, which they pay for.

What is the peculiarity of a provider VPN compared to a client one? The fact that the provider undertakes obligations to provide a certain quality of services (acceptable level of latency, jitter, percentage of packet loss, maximum services unavailability period, etc.) and security guarantees.


The use of L2 and L3VPN has its own specifics: L2VPN is used more often if there is a task to ensure connectivity between hosts in the same broadcast domain with redundancy, and L3VPN is to provide different services (L3VPN + Internet, VRF-Aware NAT, etc.). L3VPN is gaining more and more popularity, and in the 13th version of Stingray SG, VRF Lite support been added, which allows to implement one of L3VPN options.

VRF Principles

The same virtual routers principle is called differently by different vendors: VRF in Cisco, VPN-instance in Huawei and Routing Instance in Juniper. All of them are virtual machines that are essentially created on the same physical router and are separate VPNs, with individual routing tables, FIB and interface lists.

Each VRF is isolated from the other VRFs and from the physical router itself. A VRF is local to one router, does not exist outside of it, and is not connected to a VRF on another one. However, as with virtual servers, communication is possible between them.

VRF Lite

At the first stage VRF lite was implemented in the Stingray SG. The lite prefix means that the Stingray SG only separates the routing tables, but does not put the traffic of a separate VRF into a unique tunnel (MPLS, VXLAN). VRF lite allows to isolate the services provided among themselves and optimize routing when using different channels.

VRF lite

Isolation of services using VRF involves placing routing rules from different subscriber or device types in different tables to set a specific route. An example is the allocation of traffic from an IPTV set-top box, which is also located in the L2 domain with BRAS, as well as CPE. The IPTV set-top box gets access only to local resources, the CPE gets access to the Internet.


The VRF implementation in the Stingray SG is performed using a Soft-Router, which builds a RIB table and interacts with the main Stingray SG process (fastDPI). fastDPI provides the FIB table construction. This separation allows for high performance with a slight increase in the use of server RAM in the case when a Full View is received in each VRF.

The implementation of L3VPN using VRF lite is possible in two ways.

  • The first option is to put the traffic of a certain VRF into a GRE tunnel. This method is used to build L3VPN through the Internet. This functionality is already available in Stingray SG.
  • The second option assumes that the points to be connected are located inside the operator network. Then we recommend using MPLS or VXLAN. This approach may be implemented by connecting Stingray SG to an MPLS-enabled router, which will add tags for certain VRFs. Support for full-fledged MPLS in Stingray SG is in the development plans.
We use cookies to optimize site functionality and give you the best possible experience. To learn more about the cookies we use, please visit our Cookies Policy. By clicking ‘Okay’, you agree to our use of cookies. Learn more.