CCIE chapter 19 MPLS
Resources used:
sybex - cisco ccip mpls study guide
CCIE Routing and SwitchingExamCertification Guide 3rd Edition
MPLS, as a technology, evolvedfrom early attempts to glue the IP world and ATM world together.
Data plane and forwarding plane are the same thing
LSR = label switches router, all active interfaces have mpls enabled (normally a P router)
Edge LSR = router that forwards data that is labeled out to routers that aren’t running
LDP = Label distribution protocol
TE = traffic engineering
LSP = label switch path
PHP = penultimate hop popping
MPLS ( eg Edge LSR = PE, other router = CE). Some interfaces are mpls enabled
LDP hello = 224.0.0.2, unicast tcp/udp 646
VPN types:
Overlay: like frame relay, PE not in CE routing. GRE from CE to CE etc
Peer-to-peer: PE in CE routing, shared routing space for all customer CE.
Simple: every site can talk to every site
Overlapping: some sites are in more then one simple vpn
Central services: all sites comms with central site but no other
Managed network: a dedication VPN to manage CE routers
Peer to peer external: extranet in simple vpn form.
In larger MPLS networks only the PE routers does routing lookups (+ a label lookup) and the core just does a very fast label lookup
A FEC ( forward equivalence class) is a group of packets forwarded:
In the same manner
Over the same path
With the same forwarding treatment ( QOS etc)
Eg:
A subnet (123.123.0.0/16 with a TOS 1 is a FEC)
A subnet (123.123.0.0/16 with a TOS 2 is a Different FEC)
A FEC for multicast is a destination unicast address
MPLS packet forwarding consists of:
Assigning a FEC
Finding next hop of each FEC
MPLS label insertion:
Inbetween L2 and L3 headers over frame based encapsulation ( Ethernet , frame relay , etc)
Cellmode ( MPLS over ATM) – fields already in ATM header are used for label ( the VPI/VCI fields)
MPLS ethertypes ( PID):
0X0800 regular IP
0X8847 unicast with 1 or more labels
0X8848 multicast with one or more labels
Mpls supports unequal cost load balancing.
Mpls builds unidirectional tunnels from edge PR to edge PR.
Two types of MPLS, frame ( header inbetween layer 2 and layer 3) or ATM where the label is mapped into the VCI/VPI.
Labels are next hop specific, this means that within a MPLS network one destination prefix will take different MPLS label values along each hop.
Label, a 20 bit field uses to distinguish packets at layer 2 from each other.
Experimental, 3 bits used to map IP ToS into MPLS header for COS.
S, stack, MPLS headers can be stacked upon one another this field the bottom/last label of the stack.
TTL, the ip TTL of the packet is decremented by one and added to the Label. When the label is finally removed the TTL is copied back to the IP header. A tracert will see each MPLS hop as a layer 3 hop.
This TTL copy can be disabled a ttl in the label is set to 255 and the TTL in the IP header is left alone. A tracert wont see this and will see the entire MPLS cloud traversal as one hop.
A router can be configured so that self generated packets get a TTL field that is decremented so tracerts from the router itself work but forwarded frames get the 255 header. (no mpls ttl-propagation [local | forwarded])
MPLS label operations
Insert one or mores label (impose or push) on ingress of a edge LSR
Swap a label in the core
Remove ( pop) a label on egress of a edge LSR
The MPLS label stack is sometimes referred to as ashimheaderbecause of how it is placed between the Layer 2 header and theLayer 3 payload.
in MPLS, IP traffic isswitchedinstead of routed.
Labels are bound toroutes in the routing table.
MPLS Architecture
Control
Router need to exchange labels between other MPLS routers, IOS supports two methods for this
TDP
TheTag Distribution Protocol (TDP)
is Cisco’s proprietary protocolthat is used to bind tags (which are the same as MPLS labels) tonetwork routes in the routing table.
LDP
TheLabel Distribution Protocol (LDP)
is the IETF version ofCisco’s TDP. LDP is used to bind labels to network routes. The
labelinformation base (LIB)is a mapping of incoming labels to outboundlabels, along with outbound interface and link information. LDP is used to exchange the layer 2 mappings found in the LFIB.
Frame mode mpls uses liberal label retention which means it keeps a copy of all labels received in the LIB and only the label that matches the entry in the routing table gets copied to the LFIB.
LDP uses a Hello feature to discover LDP neighbors
LDP multicasts the Hellos to IP address 224.0.0.2, usingUDP port number 646
Hello is every 5 seconds
If a LDP enabled router hears a Hello it will setup a tcp connection to source on port 646 if it has the highest IP address ( lo then physical).
For non adjacent routers a hello can be configured as unicast to a destination ( command: mpls ldp neigbor vrf *name* *ip address* targetted
The Hellos list each LSR’s LDP ID(LID) which is a 32-bit dotted-decimal number and a 2-byte label space number. (Forframe-based MPLS, the label space number is 0.)
optionally list a transport address, use for any LDP TCPconnections, if no transport address the routers use the first address in the LID.
After neighbours are found a unicast tcp connection is established on port 646.
LSRs can have more then one LDP session if they use multiple label spaces.
Two types of label space
Per platform or per interface.
Per platform one label is assigned for a destination network and then sent to all LDP peers. The label can be used on any MPLS incoming interface. This minimizes the amount of LDP sessions needed. This is also less secure then per interface.
Labels are not created for BGP routes in the routing table.
Label space negotiation:
LDP ID set to ipaddress:0 for per—platform
LDP session neg:
Establish TCP
Exchange initialization messages
Exchange keepalives.
LDP relies on IGP for loop detection, the label header does have a TTL and that will stop looping forever, TTL can be copied from the label to the IP header at the edge LSR
Cisco routers have TTL propagation enabled by default.
Labels and link failures.
The LIB holds a copy of all labels ( not just best path) when the IGP detects that the link is down it looks to find a new path. As soon as the IGP populates the RIB with a new next hop the corresponding label is taken from the LIB and added to the LFIB.
On restoration of the failed link there is a time when LDP needs to renegotiate between the two routers at this time you are reliant upon routing.
unsolicited labels : Frame mode mpls uses unsolicited labels when updating adjacent routers labels aren’tsent in in any particular order.
Independent control mode : a router might receive a label for which it has no outgoing label, this would require a layer 3 lookup, this mode can only be run on routers that have edge LSR functionality ( customer & internal routes + mpls)
There are 4 label distribution praraters:
Label space ( per interface or per router)
Label distribution ( unsolicited)
Label allocation (independent control
Label retention ( liberal label retention)
Forwarding Equivalence Class (FEC)
Labels are bound to FEC’s , FEC are destinations that should be treated the same ( a subnet).
A MPLS router switches packets instead of routing ( layer 2 headers duh)
The forwarding component of the MPLS architecture (knownas theforwarding plane
Ordata plane)
The routing table is built inthe control plane and cached in the forwarding plane.
Thelabel forwarding information base (LFIB) is a subset of the LIB. The LIB is in the control plane and LFIB is in the forwarding plan. The FIB is also located in the forwarding plane and is needed for the LIB, the RIB is needed for FIB, because MPLS needs FIB , CEF must be enabled.
The LIB (label information base) contains all known labels it then sends a copy of only the best path labels to the LFIB. The LSR relies on the IGP to make the decision on the best path.
For each route in the routing table, find the corresponding label information in the LIB,
based on the outgoing interface and next-hop router listed in the route. Add the
corresponding label information to the FIB and LIB.
The FIB is used to forward unlabeled packets, a label is added and packet is sent out an interface to a next hop address.
If a labeled packet is received that there isn’t a matching entry for in the LFIB then the frame is dropped..
The control plane comprisesthe following:
Routing protocol
Routing table
LDP ), resulting in the labelinformation base (LIB)
The forwarding plane is made up of:
FIB
label forwarding information base (LFIB)
LSR A label switch router (LSR) is a Cisco IOS router/switch that iscapable of forwarding packets based on labels.’
LSR’s require both a routing protocol and a label protocol running, if the LSR doesn’t have enough routing information it might not be able to forward unlabeled packets.
Edge-LSR An edge label switch router (edge-LSR) is a more specific
term for the PE routers ( provider Edge router) there routers take normal ip traffic and add the MPLS label.
Pop means forward but remove the MPLS label ( a layer 3 lookup needs to be done next hop)
The “outside label” is changed on a hop by hop basis because MPLS labels are only locally significant.
Label-Switched Paths
Now let’s take a look at the label-switched paths. A label-switched path (LSP)
is a unidirectional set of LSRs that the labeled packet must flow through in
order to get to a particular destination.
How a edge LSR forwards data:
First it does a routing lookup
If the outgoing interface is mpls enabled a label based off the FEC is added
The ethertype field is changed to show this is a labelled packet
Packet gets sent
Basic MPLS issues:
A received labelled packet is dropped if the label is not found in the LFIB even if there is a destination in the FIB/RIB
A reviced IP packet is dropped if the destination is not found in the FIB/RIB even if there is a entry in the LIB/LFIB.
Note: LFIB and FIB are what the packets are tested against, they are built off the RIB/FIB
Label stack
A label stack is 2 or more labels in a frame. Outer label is one closest the L2 header inner label is closest the L3 header. Outer is read first, inner ignored my intermediary routers.
MPLS VPN: outside label is the FEC , inside label is the VPN identifer
MPLS traffic engineering(TE): first label points to a TE endpoint second to the FEC
MPLS + TE = 3 or more labels.
MPLS VPNs
Uses MP-BGP, this allows BGP to over come multiple customer conflicts ( 2 customers have same ip range etc).
MPLS VPN RFCs define the conceptof using multiple routing tables, called Virtual Routing and Forwarding (VRF) tables.
MPLS VPN use MP-BGP to propergate labels not LDP or TDP
Three types of router in a MPLS VPN setup
Customer edge (CE)—A router that has no knowledge of MPLS protocols and does not sendany labeled packets but is directly connected to an LSR (PE) in the MPLS VPN.
Provider edge (PE)—An LSR that shares a link with at least one CE router, thereby
providing function particular to the edge of the MPLS VPN, including IBGP and VRF tables
■ Provider (P)—An LSR that does not have a direct link to a CE router, which allows the routerto just forward labeled packets, and allows the LSR to ignore customer VPNs’ routes.
PE’s learn customer routes and put each customers routes into a separate table. They then use IBGP to send the routes to other PE routers. the PE router add two labels to a frame:
The outer has the label to get the frame switched through the MPLS network
The inner has a label that identifies the VRF that the frame is for and the out going interface for the destination, it also has its S-bit set to 1.
Label switch Path (LSP)
A LSP is a sequence of LSR’s for a FEC. IGP’s a run within a MPLS cloud, these IGP routes are used to build the LSP. MPLS TS can choose different LSP’s for a packet
MPLS Traffic engineering
Uses RSVP to create label switched path (LSP) tunnels, these tunnels are given there own label.
Requires the use of either OSPF or IS-IS and must hold the entire P network topology in there routing tables.
Uses special extensions in OSPF and IS-IS to show remaining bandwidth on a link.
Requirements:
Every LSR needs either OSPF or IS-IS with a full topology table.
Extensions to OSPF or IS-IS propagate available resources and constraints
Any Transport over MPLS (ATOM)
Is used to transport any layer 2 frame over MPLS, Ethernet, frame relay, PPP , HDLC etc.
ATOM uses 2 labels
ATOM can use TE etc
A unicast LDP session is creased between edge LSRs
The first label forwards packets over the mpls backbone
The second label called VC label determines the egress interface
EoMPLS (Ethernet over )uses ATOM
Doesn’t do any mac learning forwards all Ethernet frames over the backbone,
Two main deployment methods:
TLS (transparent tunnel services) for between two customer sites
VPLS (virtual private Lan services) for a bridge between many sites
For frame relay over MPLS
FECN, BECNDE are carried across the mpls network.
Virtual Routing and Forwarding
Has an ip routing table (RIB)
A CEF FIB , populated by the above RIB
A single BGP instance on the router to exchange routes with other BGP routers, uses a Route distinguisher to determine which VRF the route is in.
VRF uses IBGP to exchange routes, but normal BGP V4 cant handle overlapping addresses, to fix this an RFC (4760) was created to allow more data to be entered in the NLRI ( route prefix) . it added a extra 64bit field called RouteDistinguisher (RD).
So long as the 64bit number is unique to each customer NLRI are no longer overlapping.
The RouteDistinguisheris 8 bytes, the first 2 bytes are used to tell what format the RouteDistinguisher is using:
2-byte-integer:4-byte-integer
4-byte-integer:2-byte-integer
4-byte-dotted-decimal:2-byte-integer
The first entry should be a ip V4 address or a ASN, the second can be anything.
Route Targets (RT)
MPLS uses Route Targets to determine into which VRFs a PE places IBGP-learned
routes.
RT’s are carried in the Extended Community path attributes with BGP. It is used to the destination BGP router knows what VRF’s to place the route in. RT;s use the same basic formay of RD’s.
Destination router
1. Process the incoming packet using the VRF associated with the incoming interface (staticallyconfigured).
2. Forward the packet using that VRF’s FIB.
The outer label is based on the LIB entry, specifically for the LIB entry for the prefix that
matches the BGP-learned next-hop IP address—not the packet’s destination IP address.
The inner label is based on the BGP table entry for the route in the VRF that matches thepacket’s destination address.
VRF’s
Only 1 very per interface
Many interfaces per VRF
VRF’s have there own RIB/FIB
There is no separate per VRF BGP tables
Advanced import, for a route to enter using a route map it must also match one of the configured RT’s on the VRF.
Advanced export, is a RT is set via a route map both to configured RT for the VRF and the RT in the route map are assigned to matching routes.
Penultimate Hop Popping
To reduce the work load on the PE routers, the second last ( router before the PE) will remove the outer label so the PE only has to process 1 label not two.
Disable PHP:
A LSR tells neighbor LSR’s if they want them to do PHP for them, to disable PHP you must disable it on the router that would receive the popped frame not the router doing the popping.
Multicast MPLS
Uses PIM V2 + an extension for MPLS support.
MPLS VPN
Customer routes are leant from IGP/static from customers and M-BGP from other P/PE routers.
Mpls VPN uses 2 labels one for the destination FEC and the other for the destination VPN.
MP-BGP in MPLS VPN
There is only 1 MB-BGP table for all VPN’s , routes are made unique with RD’s, RT’s which are a extended community attribute map routes into a VRF. Each VPN can have more then one VRF.
PE to PE routers need to source from loopbacks
For VPN4 PE routers send-community extended is auto set, if normal communities also need to be used need to manually set that.
No bgp default ipv4-unicast stops a bgp process learning normal internet BGP routes
Central Services
Central services uses different import ant export RT’s to allow for export of CE routes and import of those routing into the Central services VRF and export of the central services VRF routing into CE vrfs but wont allow CE to CE vrf exchange.