CCIE chapter 19 MPLS..

advertisement
CCIE chapter 19 MPLS
Resources used:
sybex - cisco ccip mpls study guide
CCIE Routing and Switching Exam Certification Guide 3rd Edition
MPLS, as a technology, evolved from early attempts to glue the IP world and ATM
world together.
Data plane and forwarding plane are the same thing
LSR = label switches router, all active interfaces have mpls enabled (normally a P router)
Edge LSR = router that forwards data that is labeled out to routers that aren’t running
LDP = Label distribution protocol
TE = traffic engineering
LSP = label switch path
PHP = penultimate hop popping
MPLS ( eg Edge LSR = PE, other router = CE). Some interfaces are mpls enabled
LDP hello = 224.0.0.2, unicast tcp/udp 646
VPN types:
Overlay: like frame relay, PE not in CE routing. GRE from CE to CE etc
Peer-to-peer: PE in CE routing, shared routing space for all customer CE.
Simple: every site can talk to every site
Overlapping: some sites are in more then one simple vpn
Central services: all sites comms with central site but no other
Managed network: a dedication VPN to manage CE routers
Peer to peer external: extranet in simple vpn form.
In larger MPLS networks only the PE routers does routing lookups (+ a label lookup) and
the core just does a very fast label lookup
A FEC ( forward equivalence class) is a group of packets forwarded:
In the same manner
Over the same path
With the same forwarding treatment ( QOS etc)
Eg:
A subnet (123.123.0.0/16 with a TOS 1 is a FEC)
A subnet (123.123.0.0/16 with a TOS 2 is a Different FEC)
A FEC for multicast is a destination unicast address
MPLS packet forwarding consists of:
Assigning a FEC
Finding next hop of each FEC
MPLS label insertion:
Inbetween L2 and L3 headers over frame based encapsulation ( Ethernet , frame
relay , etc)
Cellmode ( MPLS over ATM) – fields already in ATM header are used for label (
the VPI/VCI fields)
MPLS ethertypes ( PID):
0X0800 regular IP
0X8847 unicast with 1 or more labels
0X8848 multicast with one or more labels
Mpls supports unequal cost load balancing.
Mpls builds unidirectional tunnels from edge PR to edge PR.
Two types of MPLS, frame ( header inbetween layer 2 and layer 3) or ATM where the
label is mapped into the VCI/VPI.
Labels are next hop specific, this means that within a MPLS network one destination
prefix will take different MPLS label values along each hop.
Label, a 20 bit field uses to distinguish packets at layer 2 from each other.
Experimental, 3 bits used to map IP ToS into MPLS header for COS.
S, stack, MPLS headers can be stacked upon one another this field the bottom/last label
of the stack.
TTL, the ip TTL of the packet is decremented by one and added to the Label. When the
label is finally removed the TTL is copied back to the IP header. A tracert will see each
MPLS hop as a layer 3 hop.
This TTL copy can be disabled a ttl in the label is set to 255 and the TTL in the IP header
is left alone. A tracert wont see this and will see the entire MPLS cloud traversal as one
hop.
A router can be configured so that self generated packets get a TTL field that is
decremented so tracerts from the router itself work but forwarded frames get the 255
header. (no mpls ttl-propagation [local | forwarded])
MPLS label operations
Insert one or mores label (impose or push) on ingress of a edge LSR
Swap a label in the core
Remove ( pop) a label on egress of a edge LSR
The MPLS label stack is sometimes referred to as a shim header because of how it is
placed between the Layer 2 header and the Layer 3 payload.
in MPLS, IP traffic is switched instead of routed.
Labels are bound to routes in the routing table.
MPLS Architecture
Control
Router need to exchange labels between other MPLS routers, IOS supports two methods
for this
TDP
The Tag Distribution Protocol (TDP)
is Cisco’s proprietary protocol that is used to bind tags (which are the same as MPLS
labels) to network routes in the routing table.
LDP
The Label Distribution Protocol (LDP)
is the IETF version of Cisco’s TDP. LDP is used to bind labels to network routes. The
label information base (LIB) is a mapping of incoming labels to outbound labels, along
with outbound interface and link information. LDP is used to exchange the layer 2
mappings found in the LFIB.
Frame mode mpls uses liberal label retention which means it keeps a copy of all labels
received in the LIB and only the label that matches the entry in the routing table gets
copied to the LFIB.
LDP uses a Hello feature to discover LDP neighbors
LDP multicasts the Hellos to IP address 224.0.0.2, using UDP port number 646
Hello is every 5 seconds
If a LDP enabled router hears a Hello it will setup a tcp connection to source on port 646
if it has the highest IP address ( lo then physical).
For non adjacent routers a hello can be configured as unicast to a destination ( command:
mpls ldp neigbor vrf *name* *ip address* targetted
The Hellos list each LSR’s LDP ID (LID) which is a 32-bit dotted-decimal number and a
2-byte label space number. (For frame-based MPLS, the label space number is 0.)
optionally list a transport address, use for any LDP TCP connections, if no transport
address the routers use the first address in the LID.
After neighbours are found a unicast tcp connection is established on port 646.
LSRs can have more then one LDP session if they use multiple label spaces.
Two types of label space
Per platform or per interface.
Per platform one label is assigned for a destination network and then sent to all LDP
peers. The label can be used on any MPLS incoming interface. This minimizes the
amount of LDP sessions needed. This is also less secure then per interface.
Labels are not created for BGP routes in the routing table.
Label space negotiation:
LDP ID set to ipaddress:0 for per—platform
LDP session neg:
Establish TCP
Exchange initialization messages
Exchange keepalives.
LDP relies on IGP for loop detection, the label header does have a TTL and that will stop
looping forever, TTL can be copied from the label to the IP header at the edge LSR
Cisco routers have TTL propagation enabled by default.
Labels and link failures.
The LIB holds a copy of all labels ( not just best path) when the IGP detects that the link
is down it looks to find a new path. As soon as the IGP populates the RIB with a new
next hop the corresponding label is taken from the LIB and added to the LFIB.
On restoration of the failed link there is a time when LDP needs to renegotiate between
the two routers at this time you are reliant upon routing.
unsolicited labels : Frame mode mpls uses unsolicited labels when updating adjacent
routers labels aren’tsent in in any particular order.
Independent control mode : a router might receive a label for which it has no outgoing
label, this would require a layer 3 lookup, this mode can only be run on routers that have
edge LSR functionality ( customer & internal routes + mpls)
There are 4 label distribution praraters:
Label space ( per interface or per router)
Label distribution ( unsolicited)
Label allocation (independent control
Label retention ( liberal label retention)
Forwarding Equivalence Class (FEC)
Labels are bound to FEC’s , FEC are destinations that should be treated the same ( a
subnet).
A MPLS router switches packets instead of routing ( layer 2 headers duh)
The forwarding component of the MPLS architecture (known as the forwarding plane
Or data plane )
The routing table is built in the control plane and cached in the forwarding plane.
The label forwarding information base (LFIB) is a subset of the LIB. The LIB is in the
control plane and LFIB is in the forwarding plan. The FIB is also located in the
forwarding plane and is needed for the LIB, the RIB is needed for FIB, because MPLS
needs FIB , CEF must be enabled.
The LIB (label information base) contains all known labels it then sends a copy of only
the best path labels to the LFIB. The LSR relies on the IGP to make the decision on the
best path.
For each route in the routing table, find the corresponding label information in the LIB,
based on the outgoing interface and next-hop router listed in the route. Add the
corresponding label information to the FIB and LIB.
The FIB is used to forward unlabeled packets, a label is added and packet is sent out an
interface to a next hop address.
If a labeled packet is received that there isn’t a matching entry for in the LFIB then the
frame is dropped..
The control plane comprises the following:
Routing protocol
Routing table
LDP ), resulting in the label information base (LIB)
The forwarding plane is made up of:
FIB
label forwarding information base (LFIB)
LSR A label switch router (LSR) is a Cisco IOS router/switch that is capable of
forwarding packets based on labels.’
LSR’s require both a routing protocol and a label protocol running, if the LSR doesn’t
have enough routing information it might not be able to forward unlabeled packets.
Edge-LSR An edge label switch router (edge-LSR) is a more specific
term for the PE routers ( provider Edge router) there routers take normal ip traffic and
add the MPLS label.
Pop means forward but remove the MPLS label ( a layer 3 lookup needs to be done next
hop)
The “outside label” is changed on a hop by hop basis because MPLS labels are only
locally significant.
Label-Switched Paths
Now let’s take a look at the label-switched paths. A label-switched path (LSP)
is a unidirectional set of LSRs that the labeled packet must flow through in
order to get to a particular destination.
How a edge LSR forwards data:
First it does a routing lookup
If the outgoing interface is mpls enabled a label based off the FEC is added
The ethertype field is changed to show this is a labelled packet
Packet gets sent
Basic MPLS issues:
A received labelled packet is dropped if the label is not found in the LFIB even if there is
a destination in the FIB/RIB
A reviced IP packet is dropped if the destination is not found in the FIB/RIB even if there
is a entry in the LIB/LFIB.
Note: LFIB and FIB are what the packets are tested against, they are built off the
RIB/FIB
Label stack
A label stack is 2 or more labels in a frame. Outer label is one closest the L2 header inner
label is closest the L3 header. Outer is read first, inner ignored my intermediary routers.
MPLS VPN: outside label is the FEC , inside label is the VPN identifer
MPLS traffic engineering(TE): first label points to a TE endpoint second to the FEC
MPLS + TE = 3 or more labels.
MPLS VPNs
Uses MP-BGP, this allows BGP to over come multiple customer conflicts ( 2 customers
have same ip range etc).
MPLS VPN RFCs define the concept of using multiple routing tables, called Virtual
Routing and Forwarding (VRF) tables.
MPLS VPN use MP-BGP to propergate labels not LDP or TDP
Three types of router in a MPLS VPN setup
Customer edge (CE)—A router that has no knowledge of MPLS protocols and does not
send any labeled packets but is directly connected to an LSR (PE) in the MPLS VPN.
Provider edge (PE)—An LSR that shares a link with at least one CE router, thereby
providing function particular to the edge of the MPLS VPN, including IBGP and VRF
tables
■ Provider (P)—An LSR that does not have a direct link to a CE router, which allows
the router to just forward labeled packets, and allows the LSR to ignore customer VPNs’
routes.
PE’s learn customer routes and put each customers routes into a separate table. They then
use IBGP to send the routes to other PE routers. the PE router add two labels to a frame:
The outer has the label to get the frame switched through the MPLS network
The inner has a label that identifies the VRF that the frame is for and the out going
interface for the destination, it also has its S-bit set to 1.
Label switch Path (LSP)
A LSP is a sequence of LSR’s for a FEC. IGP’s a run within a MPLS cloud, these IGP
routes are used to build the LSP. MPLS TS can choose different LSP’s for a packet
MPLS Traffic engineering
Uses RSVP to create label switched path (LSP) tunnels, these tunnels are given there own
label.
Requires the use of either OSPF or IS-IS and must hold the entire P network topology in
there routing tables.
Uses special extensions in OSPF and IS-IS to show remaining bandwidth on a link.
Requirements:
Every LSR needs either OSPF or IS-IS with a full topology table.
Extensions to OSPF or IS-IS propagate available resources and constraints
Any Transport over MPLS (ATOM)
Is used to transport any layer 2 frame over MPLS, Ethernet, frame relay, PPP , HDLC
etc.
ATOM uses 2 labels
ATOM can use TE etc
A unicast LDP session is creased between edge LSRs
The first label forwards packets over the mpls backbone
The second label called VC label determines the egress interface
EoMPLS (Ethernet over )uses ATOM
Doesn’t do any mac learning forwards all Ethernet frames over the backbone,
Two main deployment methods:
TLS (transparent tunnel services) for between two customer sites
VPLS (virtual private Lan services) for a bridge between many sites
For frame relay over MPLS
FECN, BECN DE are carried across the mpls network.
Virtual Routing and Forwarding
Has an ip routing table (RIB)
A CEF FIB , populated by the above RIB
A single BGP instance on the router to exchange routes with other BGP routers, uses a
Route distinguisher to determine which VRF the route is in.
VRF uses IBGP to exchange routes, but normal BGP V4 cant handle overlapping
addresses, to fix this an RFC (4760) was created to allow more data to be entered in the
NLRI ( route prefix) . it added a extra 64bit field called RouteDistinguisher (RD).
So long as the 64bit number is unique to each customer NLRI are no longer overlapping.
The RouteDistinguisher is 8 bytes, the first 2 bytes are used to tell what format the
RouteDistinguisher is using:
2-byte-integer:4-byte-integer
4-byte-integer:2-byte-integer
4-byte-dotted-decimal:2-byte-integer
The first entry should be a ip V4 address or a ASN, the second can be anything.
Route Targets (RT)
MPLS uses Route Targets to determine into which VRFs a PE places IBGP-learned
routes.
RT’s are carried in the Extended Community path attributes with BGP. It is used to the
destination BGP router knows what VRF’s to place the route in. RT;s use the same basic
formay of RD’s.
Destination router
1. Process the incoming packet using the VRF associated with the incoming interface
(statically configured).
2. Forward the packet using that VRF’s FIB.
The outer label is based on the LIB entry, specifically for the LIB entry for the prefix that
matches the BGP-learned next-hop IP address—not the packet’s destination IP address.
The inner label is based on the BGP table entry for the route in the VRF that matches the
packet’s destination address.
VRF’s
Only 1 very per interface
Many interfaces per VRF
VRF’s have there own RIB/FIB
There is no separate per VRF BGP tables
Advanced import, for a route to enter using a route map it must also match one of the
configured RT’s on the VRF.
Advanced export, is a RT is set via a route map both to configured RT for the VRF and
the RT in the route map are assigned to matching routes.
Penultimate Hop Popping
To reduce the work load on the PE routers, the second last ( router before the PE) will
remove the outer label so the PE only has to process 1 label not two.
Disable PHP:
A LSR tells neighbor LSR’s if they want them to do PHP for them, to disable PHP you
must disable it on the router that would receive the popped frame not the router doing the
popping.
Multicast MPLS
Uses PIM V2 + an extension for MPLS support.
MPLS VPN
Customer routes are leant from IGP/static from customers and M-BGP from other P/PE
routers.
Mpls VPN uses 2 labels one for the destination FEC and the other for the destination
VPN.
MP-BGP in MPLS VPN
There is only 1 MB-BGP table for all VPN’s , routes are made unique with RD’s, RT’s
which are a extended community attribute map routes into a VRF. Each VPN can have
more then one VRF.
PE to PE routers need to source from loopbacks
For VPN4 PE routers send-community extended is auto set, if normal communities also
need to be used need to manually set that.
No bgp default ipv4-unicast stops a bgp process learning normal internet BGP routes
Central Services
Central services uses different import ant export RT’s to allow for export of CE routes
and import of those routing into the Central services VRF and export of the central
services VRF routing into CE vrfs but wont allow CE to CE vrf exchange.
IGP route aggregation
Summary routing causes at the point of summary another routing table tookup to be done
so the new correct Label can be found, summary of addresses in an MPLS network is not
recommended.
OSPF as CE-PE
Sham links: are used if there are two sites running the same area with a backup link not
via the MPLS network. A SHAM link runs between the PE’s and allows the CE’s at each
site to form a neighbor relationship, by adjusting the cost of the SHAM link you can
manipulate traffic flow.
The sham link requires its allow loopback attached to the customer VRF and advertised
under M-BGP vrf for the customer (address-family ipv4 vrf *customer * )
Then on the PE issues area *1* sham-link blah blah blah
MPLS/MBGP will redistribute routes as the LSA type they where received as unless in
the redistribute statement you set the metric-type statement.
BGP as CE-PE
If the CE at different sites use the same ASN then AS-override can be used on the PE to
replace the last ASN ( multiple if prepending) to the ASN of the service provider
network. Removal of the as path check on the CE is another possibility but if the site is
multihomed to the MPLS WAN this could cause routing issues.
Usefull commands:
CEF:
Show ip cef
Show ip cef unresolved
Show ip cef summary
Int *
No ip route-cache cef
ip route-cache cef
MPLS
Mpls ldp routr-id interface [forced]
Mpls ip
Mpls label procol [ tcp | ldp | both] (can be done global or per interface)
Int *
Mpls ip
Mpls mtu *bytes*
No mpls ip propagate-ttl [forward |local}
Selectively control label distribution
Mpls ldp advertise-labels for prefix-list to prefix-list
SHOW:
Show mpls ldp parameters
Show mpls interfaces
Show mpls ldp discovery
Show mpls ldp neighbor
Show mpls ldp bindings
Show mpls forwarding-table ( shows lFIB)
Disable PHP:
Do this on the PE router that receives the poped frames
mpls ldp explicit-null
steps to setup a VRF:
create new VRF
assign an RD
specify import and export RT’s
assign interfaces to VRF’s
create VRF assign RD
ip vrf name
rd ASN:nn or A.B.C.D
assign interface to VRF
int *
ip vrf forwarding *vrf*
export & import RT ( route targets)
ip vrf name
route-target export *RT* (sets RT)
route-target import *RT* ( filters all but that RT)
VPN ID (optional)
Ip vrf *name*
Vpn id oui:vpn-index
MB-BGP
Router bgp AS
Neighbor *PE routers*
Address-family vpn4
Neighbor *PE routers* active
Address-family ipv4 vrf *name*
Neighbor *CE routers* active
MPLS TE
Needs to be enabled on all PE and P and there interconnecting interfaces. TE tunnels are
only configured on the ingress PE router.
Enable TE on router
Ip cef
Mpls ip
Mpls traffic-engineering tunnels
Enable TE on ospf
Router ospf 1
Mpls traffic-engineering area 0
Mpls traffic-engineering router-id lo0
Enable TE on interface
Int fas blah
Mpls traffic-engineering tunnels
Ip rsvp bandwidth *bandwidth*
Make TE tunnel
Int tunnel blah
Tunnel destination *dest router-id/ldp id etc*
Ip unnumbered
Tunnel mode mpls
Make a predefined explicit path
Ip explicit-path name *name* enable
Next address: *hop*
Next address: *hop*
Next address: *hop* etc
Assign explicit path to TE tunnel
Int tunnel blah
tunnel mpls traffic-eng path-option 1(prefrenence) explicit name *name*
use tunnels is local routing calculations
int tun
tunnel mpls traffic-eng autoroute announce
Download