MPLS

=MultiProtocol Label Switching (MPLS)=


 * instead of forwarding packets based on destination address, forwards based on MPLS label
 * forwarding decisions based on other factors
 * traffic engineering
 * QoS requirements
 * privacy requirements for multiple customers on the same network
===__Unicast IP Forwarding__===
 * forwarding logic is based on labels
 * when choosing the interface to forward out of, MPLS considers the unicast IP routing table
 * requires the use of control plane protocols (OSPF, LDP) to learn labels
====**Data Plane**====
 * routers, not hosts, add and remove labels
=====**Cisco Express Forwarding (CEF)**=====
 * Routing Information Base (RIB)
 * routing protocols
 * static routes
 * connected routes
 * Forwarding Information Base (FIB)
 * entry for each destination IP prefix in routing table
 * next hop
 * out-going interface
 * Adjacency Table
 * lists new data-link header
 * compares destination IP to FIB, ignores IP routing table
 * FIB entry points to Adjacency Table entry
=====**Process**=====
 * Host A generates and sends unlabeled packet
 * next hop router which is not configured for MPLS receives and forwards packet to destination IP
 * next hop router which is running MPLS receives and imposes (pushes) a new label into the packet and forwards
 * next router receives labeled packet, swaps the label for a new one and forwards
 * next router receives, removes (pops) the label and forwards
 * non-mpls router receives unlabeled packet, forwards it off to destination IP
=====**LSR Types**=====
 * Label Switch Router (LSR) - router that pushes, pops or forwards labeled packets
 * Edge LSR (E-LSR) - both labeled and unlabeled packets
 * Ingress E-LSR - receives unlabeled, pushes label
 * Egress E-LSR - receives labeled, pops label
 * ATM-LSR - forwards labeled packets as ATM cells
 * ATM-E-LSR - performs ATM Segmentation and Reassembly (SAR) function
=====**Using FIB and LFIB**=====
 * LSRs use both CEF FIB and MPLS LFIB when forwarding
 * FIB - incoming unlabeled packets; matches destination IP with entry
 * LFIB - incoming labeled packets; matches label with entry
=====**Header and Label**=====
 * 4-byte header
 * Fields
 * Label - 20 bits; identifies portion of Label Switched Path (LSP)
 * Experimental - 3 bits; QoS marking
 * Bottom-of-Stack - 1 bit; value of 1 means this label is immediately preceding IP header
 * Time-to-Live - 8 bits; same purpose as IP TTL field
=====**TTL Field and Propagation**=====
 * MPLS has own TTL so it can completely ignore the IP header
 * LSRs decrement TTL field
 * Ingress E-LSR decrements IP TTL, pushes label, copies IP TTL into MPLS header
 * LSRs swap a label, decrement MPLS TTL
 * Egress E-LSR decrements MPLS TTL, pops label and copies MPLS TTL into IP header
 * if propagation is disabled, MPLS TTL is set to 255, IP TTL is never touched
 * MPLS cloud appears as single hop
 * config# no mpls ip propagate-ttl [local | forwarded]
====**Control Plane**====
 * uses control plane protocols
 * routing protocols
 * populates IP routing table and CEF FIB
 * learns which MPLS labels reach which IP prefix
 * populates FIB and LFIB with correct labels
=====**Label Distribution Protocol (LDP)**=====
 * advertises labels for each prefix listed in the routing table
 * advertisements are triggered by a new IP route appearing in the unicast IP routing table
 * Process
 * LSR learns new unicast IP route
 * allocates new "local label" which is a label not currently advertised
 * advertises to neighbors
 * uses Hello messages to discover neighbors
 * multicasts 224.0.0.2
 * UDP port 646 (TDP uses 711)
 * forms TCP connection to each neighbor
 * advertises all of its bindings of local labels and prefixes
 * highest LDP ID initiates TCP connection
 * LDP ID determined by
 * configuration
 * highest IP of up/up loopback when LDP comes up
 * highest IP of up/up non-loopback when LDP comes up
=====**Label Information Base (LIB)**=====
 * data structure that stores labels and related information
 * FIB and LFIB contain labels only for currently used best LSP segments
 * LIB contains all known labels
 * for each route in the routing table that has a label in the LIB, add the label to FIB and LFIB
 * Configuration
 * config# ip cef
 * config# mpls ip
 * config# mpls label protocol ldp (TDP is default)
 * config-if# mpls ip
===__Virtual Private Networks (VPNs)__===
====**Virtual Routing and Forwarding (VRF) tables**====
 * concept of using multiple routing tables
 * separates customers' routes
====**Roles**====
 * Customer Edge (CE) - does not send labeled packets; directly connected to LSR (PE)
 * Provider Edge (PE) - shares links with at least one CE
 * Provider - does not have a direct link to a CE; forwards labeled packets
 * PE routers store routes in separate per-customer tables
 * PE routers use iBGP to exchange customers' routes with other PEs
 * never advertise to P routers
====**Ingress PE labels**====
 * outer MPLS header (S-bit = 0); causes packet to be label-switched to egress PE
 * inner MPLS header (S-bit = 1); identifies egress VRF
====**Process**====
 * CE1 forwards unlabeled packet to PE1
 * PE1 receives, the receiving interface is matched to a VRF
 * compares destination IP with VRF's CEF FIB
 * CEF FIB is based on VRF's routing table
 * adds two labels based on FIB and then forwards the packet
 * P1 processes the received labeled packet using LFIB
 * swaps label and forwards
 * PE2 receives the packet and the LFIB lists pop as the action for the outer header
 * removes the outer label
 * LFIB lists pop as the action and the outgoing interface for the inner header
 * forwards unlabeled to CE2
====**VPN Control Plane**====
=====**Virtual Routing and Forwarding Table Components**=====
 * IP Routing Table (RIB)
 * CEF FIB - populated based on VRF's RIB
 * separate instance/process of routing protocol
 * exchanges routes with CEs that need to be supported by a VRF
=====**MultiProtocol BGP (MP-BGP) and Route Distinguishers**=====
 * MPLS adds another number in front of the original BGP NLRI (prefix)
 * each number can represent a different customer
 * MP-BGP allows redefinition of NLRI field in updates
 * allows for additional variable-length number called "address family"
 * new address family called Route Distinguishers (RDs)
 * VPN-V4 - new NLRI format
 * 64 bit RD
 * 32 bit IPv4 prefix
 * Process
 * PE2 redistributes from each VRF routing protocol into BGP
 * redistribution process pulls RD from VRF and includes it with redistributed routes
 * PE2 uses iBGP to advertise to PE1
 * every VRF must be configured with a RD
=====**Route Targets (RTs)**=====
 * allows for overlapping VPNs
 * advertised by PEs in BGP updates as BGP Extended Community attribute
 * used to determine into which VRFs a PE places iBGP-learned routes
 * Process
 * VRFs on PE2 configured with export RT value
 * redistribution out of VRF into BGP
 * sets appropriate RT values in PE2's BGP table
 * PE2 advertises routes with iBGP
 * PE1 examines new BGP table entries
 * compares RT values to configured import values
 * PE1 redistributes routes into VRFs that have the import RT configured
=====**Overlapping VPNs**=====
 * occurs when at least one CE site needs to be reachable by CEs in different VPNs
 * RT concept allows MPLS network to leak routes from multiple VPNs into a VRF
 * BGP supports addition of multiple Extended Community PAs to each BGP table entry
 * Central Services VPN
 * customer A cannot talk to B
 * but CE-A1 and CE-B2 can talk to CE-Server
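Because route-target import/export values alone decide which VRFs receive which routes, a mistyped import RT breaks customer separation without any error. The following added Python example (not part of the original notes) audits a set of VRF definitions for the Central Services design above and reports any route flow that is not on an allow-list. RTs 1:100 and 2:200 are the values used in these notes; the `Services` VRF, its RT 3:300 and the function names are assumptions made for illustration.

```python
def route_imports(vrfs):
    """Map each VRF to the set of other VRFs whose exported routes it imports."""
    result = {}
    for name, cfg in vrfs.items():
        wanted = set(cfg["import"])
        result[name] = {
            other for other, ocfg in vrfs.items()
            if other != name and wanted & set(ocfg["export"])
        }
    return result

def unexpected_leaks(vrfs, allowed):
    """Return sorted (source, destination) route flows that are not allow-listed."""
    leaks = []
    for dst, sources in route_imports(vrfs).items():
        for src in sources:
            if (src, dst) not in allowed:
                leaks.append((src, dst))
    return sorted(leaks)

# Constructed Central Services design: customers import the server RT,
# the server VRF imports both customer RTs, customers never import each other.
VRFS = {
    "Cust-A":   {"import": ["1:100", "3:300"], "export": ["1:100"]},
    "Cust-B":   {"import": ["2:200", "3:300"], "export": ["2:200"]},
    "Services": {"import": ["1:100", "2:200"], "export": ["3:300"]},
}
ALLOWED = {
    ("Services", "Cust-A"), ("Services", "Cust-B"),
    ("Cust-A", "Services"), ("Cust-B", "Services"),
}

# Constructed misconfiguration: Cust-B also imports Cust-A's RT.
BROKEN = dict(VRFS, **{
    "Cust-B": {"import": ["2:200", "3:300", "1:100"], "export": ["2:200"]},
})

if __name__ == "__main__":
    print("intended design:", unexpected_leaks(VRFS, ALLOWED))
    print("with stray import:", unexpected_leaks(BROKEN, ALLOWED))
```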
=====**Configuration**=====
 * VRF and Associated Interfaces
 * VRF Cust-A, RD 1:111, RT 1:100
 * VRF Cust-B, RD 2:222, RT 2:200
 * config# ip vrf Cust-A
 * config-vrf# rd 1:111
 * config-vrf# route-target import 1:100
 * config-vrf# route-target export 1:100
 * config-if# ip vrf forwarding Cust-A (removes any configured IP address, needs to be re-added)
 * IGP Between PE and CE
 * config# router eigrp 1
 * config-router# network 192.168.15.0
 * config-router# no auto-summary
 * config# router eigrp 65001
 * config-router# address-family ipv4 vrf Cust-A
 * config-router-af# autonomous-system 1
 * config-router-af# network 192.168.15.1 0.0.0.0
 * config-router-af# no auto-summary
 * Redistribution Between PE-CE IGP and MP-BGP
 * config# router bgp 65001
 * config-router# address-family ipv4 vrf Cust-A
 * config-router-af# redistribute eigrp 1
 * config# router eigrp 65001
 * config-router# address-family ipv4 vrf Cust-A
 * config-router-af# redistribute bgp 65001 metric 10000 1000 255 1 1500
 * MP-BGP Between PEs
 * config# router bgp 65001
 * config-router# neighbor 3.3.3.3 remote-as 65001
 * config-router# neighbor 3.3.3.3 update-source loopback0
 * config-router# address-family vpnv4
 * config-router-af# neighbor 3.3.3.3 activate
 * config-router-af# neighbor 3.3.3.3 send-community
====**VPN Data Plane**====
 * PEs need appropriate FIB entries
 * Ps and PEs need appropriate LFIB entries
=====**Process**=====
 * unlabeled packet arrives on interface assigned to VRF-A
 * causes ingress PE1 to use VRF-A's FIB for forwarding
 * ingress PE1's VRF-A FIB entry lists outgoing interface
 * also lists inner and outer labels
 * PE1 forwards packets with two labels pushed on front of the IP header
 * P1 uses LFIB entry for incoming (local) label, swaps outer label
 * PE2 does two LFIB lookups
 * finds outer label and pops it off
 * finds inner label and outgoing interface then pops it off
 * forwards the unlabeled packet
=====**Inner (VPN) Label**=====
 * identifies outgoing interface
 * the PE needs to allocate a new local label
 * associate the label with the prefix
 * store this information in the LFIB
 * Process
 * after adding a route to VRF-A the LSR allocates a local label which is associated with the route
 * stores the local label, the next-hop and the outgoing interface into the LIB and LFIB
 * adds the local labels to the BGP table entry for routes learned when redistributing into BGP
 * uses iBGP to advertise BGP Update messages that include the VPN label
=====**LFIB Entries to Forward Packets in the Egress PE**=====
 * outer label defines LSP from the ingress PE to the egress PE
 * defines an LSP used to forward packets to the BGP next-hop address
 * the ingress PE adds the outer label to make a request to the core of the MPLS network to deliver this packet to the egress PE
 * Process
 * PE2 learns route for prefix 3.3.3.3/32 and allocates a Local Label of 2222
 * PE2 updates the LFIB for the local label with the pop action
 * PE2 advertises to LDP neighbors the label binding of prefix 3.3.3.3 with label 2222
 * P1 and P2 learn route using IGP
 * they allocate new local labels for themselves
 * they store their new (in) label and the old (out) label in their own LFIBs
 * P1 and P2 advertise binding of 3.3.3.3/32 with own local labels
=====**VRF FIB Entries for the Ingress PE**=====
 * ingress PE learns the outer and inner labels
 * outer label based on the LIB entry
 * specifically for the prefix that matches the BGP-learned next-hop
 * not packet's destination IP
 * inner label based on the BGP table entry for the route in the VRF that matches the destination
 * Process
 * PE1 redistributes route from BGP into VRF-A routing table
 * based on the import RT
 * PE1 builds a VRF-A FIB entry for the route
 * this new FIB entry includes the VPN Label from the BGP table entry
 * also includes the outer label for reaching the BGP next-hop
 * looks in the main LIB for best entry for next-hop and extracts the label
 * Ingress PE1 inserts MPLS header
=====**Penultimate Hop Popping (PHP)**=====
 * the process on the egress PE can be inefficient
 * egress PE must do two lookups in LFIB after receiving a packet with two labels
 * Example
 * PE1 pushes label 1111 and 3333 into the packet and sends it
 * P1 receives the packet and swaps the label 1111 with 2222 and sends it
 * PE2 receives the packet and pops label 2222 and 3333 off then forwards the unlabeled packet
 * avoids extra work on the very last LSR (ultimate)
 * penultimate - "1 less than ultimate"
 * penultimate LSR pops outer label before the ultimate LSR receives it
 * Example
 * PE1 pushes 1111 and 3333 and sends
 * P1 pops 1111 and sends it
 * PE2 receives and pops 3333 and forwards the unlabeled packet
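The two PHP examples above, carried through as an added Python simulation (not part of the original notes): each router has an LFIB keyed by incoming label, and the walk counts the LFIB lookups per router with and without PHP. The table layout, interface names and function name are assumptions made for illustration; the labels 1111, 2222 and 3333 are the ones used in the examples.

```python
def forward(stack, path, lfibs):
    """Walk a label stack through the LSRs in path.

    Each LFIB entry is (action, new_label, out_if). An entry with out_if=None
    means "pop and look up the next label locally", which is what the egress PE
    does for the outer label when PHP is not in use.
    Returns (final_stack, LFIB lookups per router).
    """
    stack = list(stack)
    lookups = {}
    for router in path:
        lookups[router] = 0
        while True:
            if not stack:
                # An unlabeled packet needs a FIB (IP) lookup, not modelled here.
                raise ValueError(f"{router}: no label left for an LFIB lookup")
            # A label missing from the LFIB raises KeyError: the packet is dropped.
            action, new_label, out_if = lfibs[router][stack[0]]
            lookups[router] += 1
            if action == "swap":
                stack[0] = new_label
            else:  # "pop"
                stack.pop(0)
            if out_if is not None:
                break  # forwarded out of this router
    return stack, lookups

# Constructed LFIBs for the path P1 -> PE2 after PE1 pushed 1111 (outer), 3333 (inner).
NO_PHP = {
    "P1":  {1111: ("swap", 2222, "to-PE2")},
    "PE2": {2222: ("pop", None, None),        # outer label: pop, look again
            3333: ("pop", None, "to-CE2")},   # inner label: pop, send to CE2
}
WITH_PHP = {
    "P1":  {1111: ("pop", None, "to-PE2")},   # penultimate LSR pops the outer label
    "PE2": {3333: ("pop", None, "to-CE2")},
}

if __name__ == "__main__":
    print("no PHP  :", forward([1111, 3333], ["P1", "PE2"], NO_PHP))
    print("with PHP:", forward([1111, 3333], ["P1", "PE2"], WITH_PHP))
```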
===__Other MPLS Applications__===
====**Forwarding Equivalence Class (FEC)**====
 * set of packets that receives the same forwarding treatment by a single LSR
 * for simple MPLS unicast forwarding each IPv4 prefix is an FEC
 * for MPLS VPNs each prefix in each VRF is an FEC
===__VRF Lite__===
 * known as Multi-VRF CE
 * provides multiple instances of IP routing tables in a single router
 * associates each interface/subinterface with one of several VRF instances
 * creates layer 3 separation
 * engineers can create internetworks that allow overlapping IP address spaces
 * without requiring NAT
 * without MPLS
 * separate IP internetworks into different domains/groupings
====**Configuration**====
 * config# ip cef
 * config# ip vrf WORD1
 * config-vrf# rd 11:11
 * config-vrf# route-target both 11:11
 * config# interface serial 0/0/0
 * config-if# encapsulation frame-relay
 * config-if# clock rate 1536000
 * config# interface serial 0/0/0.101 point-to-point
 * config-if# frame-relay interface-dlci 101
 * config-if# ip vrf forwarding WORD1
 * config-if# ip address 192.168.1.1
 * config# interface fa0/0.1
 * config-if# encapsulation dot1q 102
 * config-if# ip vrf forwarding WORD1
 * config-if# ip address 192.168.1.2
 * config# router eigrp 65001
 * config-router# address-family ipv4 vrf WORD1
 * config-router-af# autonomous-system 1
 * config-router-af# network 192.168.0.0
 * config-router-af# no auto-summary