CCIE chapter 19 MPLS

Resources used:
- Sybex - Cisco CCIP MPLS Study Guide
- CCIE Routing and Switching Exam Certification Guide, 3rd Edition

MPLS, as a technology, evolved from early attempts to glue the IP world and the ATM world together.

Terminology:
- Data plane and forwarding plane are the same thing.
- LSR = label switch router; all active interfaces have MPLS enabled (normally a P router).
- Edge LSR = router that takes labeled data and forwards it out to routers that are not running MPLS (e.g. edge LSR = PE, the other router = CE). Only some of its interfaces are MPLS enabled.
- LDP = Label Distribution Protocol. LDP hellos are multicast to 224.0.0.2 on UDP 646; the LDP session itself is unicast TCP 646.
- TE = traffic engineering
- LSP = label switched path
- PHP = penultimate hop popping

VPN types:
- Overlay: like frame relay, GRE from CE to CE etc. The PE takes no part in CE routing.
- Peer-to-peer: the PE participates in CE routing; shared routing space for all customer CEs.

VPN topologies:
- Simple: every site can talk to every site.
- Overlapping: some sites are in more than one simple VPN.
- Central services: all sites communicate with a central site but not with each other.
- Managed network: a dedicated VPN used to manage the CE routers.
- Peer-to-peer external: an extranet in simple-VPN form.
In larger MPLS networks only the PE routers do routing lookups (plus a label lookup); the core just does a very fast label lookup.

A FEC (forwarding equivalence class) is a group of packets that are forwarded:
- in the same manner
- over the same path
- with the same forwarding treatment (QoS etc.)
Eg: subnet 123.123.0.0/16 with ToS 1 is one FEC; subnet 123.123.0.0/16 with ToS 2 is a different FEC. A multicast FEC is keyed on the multicast destination (group) address.

MPLS packet forwarding consists of:
- assigning a FEC
- finding the next hop for each FEC

MPLS label insertion:
- Frame mode: the label sits between the L2 and L3 headers over frame-based encapsulations (Ethernet, frame relay, etc.).
- Cell mode (MPLS over ATM): fields already in the ATM header (the VPI/VCI fields) carry the label.

MPLS ethertypes (PID):
- 0x0800 regular IP
- 0x8847 unicast with one or more labels
- 0x8848 multicast with one or more labels

MPLS supports unequal cost load balancing. MPLS builds unidirectional tunnels from edge PE to edge PE. Two types of MPLS: frame (header between layer 2 and layer 3) or ATM (label mapped into the VPI/VCI). Labels are next-hop specific: within an MPLS network one destination prefix carries a different label value on each hop.

Label stack entry (32 bits):
- Label: a 20-bit value used to distinguish packets from each other without looking at the layer 3 header.
- Experimental (EXP): 3 bits, used to map the IP ToS/precedence into the MPLS header for CoS.
- S (bottom of stack): 1 bit. MPLS headers can be stacked on one another; S is set on the bottom/last label of the stack.
- TTL: 8 bits. At imposition the IP TTL is decremented by one and copied into the label TTL. When the label is finally removed the label TTL is copied back into the IP header. A traceroute therefore sees each MPLS hop as a layer 3 hop.
  This TTL copy can be disabled: the label TTL is then set to 255 and the IP TTL is left alone. A traceroute will not see the core routers and sees the whole MPLS cloud traversal as one hop.
A router can be configured so that self-generated packets get a propagated TTL (so traceroutes from the router itself work) while forwarded packets get the 255 label TTL: no mpls ip propagate-ttl [forwarded | local] (forwarded = stop propagation for forwarded packets only, local = stop it for locally generated packets only).

MPLS label operations:
- Insert one or more labels (impose or push) on ingress at an edge LSR
- Swap a label in the core
- Remove (pop) a label on egress at an edge LSR

The MPLS label stack is sometimes referred to as a shim header because of how it is placed between the Layer 2 header and the Layer 3 payload. In MPLS, IP traffic is switched instead of routed. Labels are bound to routes in the routing table.

MPLS architecture, control plane
Routers need to exchange labels with other MPLS routers. IOS supports two methods for this:
- TDP: the Tag Distribution Protocol is Cisco's proprietary protocol used to bind tags (the same thing as MPLS labels) to routes in the routing table.
- LDP: the Label Distribution Protocol is the IETF standard version of Cisco's TDP. LDP is used to bind labels to routes.

The label information base (LIB) holds every label binding received from every LDP neighbour (prefix, neighbour, label). The LFIB maps incoming labels to outgoing labels along with the outbound interface and next hop. LDP exchanges the label bindings that populate the LIB. Frame mode MPLS uses liberal label retention: a copy of every label received is kept in the LIB and only the binding that matches the next hop in the routing table is copied to the LFIB.

LDP uses hellos to discover LDP neighbours:
- LDP multicasts the hellos to 224.0.0.2, UDP port 646, every 5 seconds (15 second hold time by default).
- When an LDP-enabled router hears a hello it sets up a TCP connection to the source on port 646 if it has the higher transport address (by default the LDP router-id: highest loopback, else highest physical address). The peer with the lower address waits for the connection.
- For non-adjacent routers a targeted hello can be configured, sent as unicast to a destination: mpls ldp neighbor [vrf name] ip-address targeted [ldp | tdp]
- The hellos carry each LSR's LDP identifier (LID): a 32-bit dotted-decimal LSR id plus a 2-byte label space number.
- Hellos are not authenticated; anything on the link (or anything that can reach the transport address with targeted hellos) can trigger a session attempt. The TCP session can be protected with MD5 (mpls ldp neighbor ip-address password ...).
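The label stack entry and the two TTL behaviours described above, as an added example that is not taken from either study guide. It packs and walks the 32-bit shim header, pushes a stack at an ingress LSR, decrements only the outer label in the core, and at the egress writes min(label TTL, IP TTL) back into the IP header so that a 255 label TTL never inflates the customer's TTL. The sample IPv4/UDP packet and the three-hop core are constructed here; the label values are arbitrary.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MPLS_UNICAST = 0x8847
ETHERTYPE_MPLS_MULTICAST = 0x8848


def encode_label(label, exp=0, bos=False, ttl=255):
    """Pack one 32-bit label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    if not (0 <= label < 1 << 20 and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)


def decode_stack(frame):
    """Walk entries until the S bit is set; return (entries, payload_offset).
    A stack with no bottom-of-stack entry is malformed and must be refused,
    not forwarded."""
    entries, off = [], 0
    while off + 4 <= len(frame):
        (word,) = struct.unpack_from("!I", frame, off)
        off += 4
        entries.append({"label": word >> 12, "exp": (word >> 9) & 7,
                        "bos": bool(word & 0x100), "ttl": word & 0xFF})
        if entries[-1]["bos"]:
            return entries, off
    raise ValueError("label stack has no bottom-of-stack entry")


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, ttl, payload=b""):
    """Constructed sample IPv4/UDP packet used as input to the demo."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def set_ip_ttl(pkt, ttl):
    """Rewrite the TTL and recompute the IPv4 header checksum."""
    ihl = (pkt[0] & 0xF) * 4
    hdr = pkt[:8] + bytes([ttl]) + pkt[9:10] + b"\x00\x00" + pkt[12:ihl]
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + pkt[ihl:]


def impose(pkt, labels, propagate_ttl=True):
    """Ingress edge LSR: decrement the IP TTL for this hop, then push the stack
    (outer label first). With propagation the IP TTL is copied into every
    label; with 'no mpls ip propagate-ttl' the labels start at 255."""
    if pkt[8] <= 1:
        raise ValueError("IP TTL expired at ingress")
    pkt = set_ip_ttl(pkt, pkt[8] - 1)
    label_ttl = pkt[8] if propagate_ttl else 255
    stack = b"".join(encode_label(lbl, exp, bos=(i == len(labels) - 1), ttl=label_ttl)
                     for i, (lbl, exp) in enumerate(labels))
    return stack + pkt


def transit_hop(frame):
    """Core LSR: only the outer label's TTL is touched. Returns None when it
    expires (the LSR drops the frame and would send ICMP time exceeded)."""
    entries, _ = decode_stack(frame)
    top = entries[0]
    if top["ttl"] <= 1:
        return None
    return encode_label(top["label"], top["exp"], top["bos"], top["ttl"] - 1) + frame[4:]


def dispose(frame):
    """Egress edge LSR: pop the last label and write min(label TTL, IP TTL)
    into the IP header, so a 255 label TTL never raises the IP TTL."""
    entries, off = decode_stack(frame)
    if len(entries) != 1:
        raise ValueError("dispose expects a single remaining label")
    pkt = frame[off:]
    return set_ip_ttl(pkt, min(entries[0]["ttl"], pkt[8]))


def traverse(pkt, core_hops, propagate_ttl):
    """Push at ingress, cross core_hops transit LSRs, pop at egress.
    Returns the IP TTL seen after the cloud, or None if it expired inside."""
    frame = impose(pkt, [(16, 0)], propagate_ttl)
    for _ in range(core_hops):
        frame = transit_hop(frame)
        if frame is None:
            return None
    return dispose(frame)[8]
```

With propagation a packet that enters with TTL 64 leaves a three-LSR core with TTL 60 (ingress plus three core hops are each visible to traceroute); without it the packet leaves with TTL 63, and a packet that would have expired inside the core now crosses it, which is exactly why the cloud appears as a single hop.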
(For frame-based MPLS the label space number is 0.) A hello can optionally carry a transport address to be used for any LDP TCP connection; if there is no transport address the routers use the LSR id from the LID. After neighbours are found a unicast TCP connection is established on port 646. LSRs can have more than one LDP session with the same peer if they use multiple label spaces.

Two types of label space: per platform or per interface.
- Per platform: one label is assigned per destination network and sent to all LDP peers. The label can be used on any MPLS-enabled incoming interface. This minimises the number of LDP sessions needed. It is also less secure than per interface, because a label learned over one link is accepted on every link.
- Labels are not created for BGP routes in the routing table (only IGP, static and connected routes get LDP labels by default).

Label space negotiation: the LDP ID is set to ipaddress:0 for the per-platform label space.
LDP session negotiation:
- Establish the TCP connection
- Exchange initialization messages
- Exchange keepalives

LDP relies on the IGP for loop detection; the label header does have a TTL, which stops looping forever. The TTL can be copied from the label back to the IP header at the egress edge LSR. Cisco routers have TTL propagation enabled by default.

Labels and link failures: the LIB holds a copy of all labels (not just the best path). When the IGP detects that a link is down it looks for a new path. As soon as the IGP populates the RIB with a new next hop, the corresponding label is taken from the LIB and added to the LFIB, without waiting on LDP. On restoration of the failed link there is a period where LDP needs to renegotiate between the two routers; during that time you are reliant on routing, and traffic the IGP already prefers over the restored link has no label yet (LDP-IGP synchronisation, mpls ldp sync, exists to hold the IGP cost up until LDP is back).

Unsolicited labels: frame mode MPLS uses unsolicited (downstream unsolicited) label distribution when updating adjacent routers; labels are not sent in any particular order.
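The hello exchange from the two paragraphs above, as an added example that is not part of the notes or of either study guide. It builds and parses an LDP Hello PDU (version, PDU length, LDP identifier, Hello message, Common Hello Parameters TLV, optional IPv4 Transport Address TLV, per RFC 5036), decides which side opens the TCP 646 session, and applies a receive filter for targeted hellos; the filter's semantics are an assumption modelled on IOS (targeted hellos ignored unless the source is a configured targeted neighbour or 'mpls ldp discovery targeted-hello accept' is on), not something the notes state. Addresses are constructed.

```python
import ipaddress
import socket
import struct

LDP_PORT = 646                 # UDP for hellos, TCP for the session
ALL_ROUTERS = "224.0.0.2"      # link hello destination
MSG_HELLO = 0x0100
TLV_COMMON_HELLO = 0x0400
TLV_IPV4_TRANSPORT = 0x0401


def build_hello(lsr_id, hold_time=15, targeted=False, transport=None,
                msg_id=1, label_space=0):
    """LDP PDU carrying one Hello message. label_space 0 is the per-platform
    label space used by frame-mode IOS. hold_time 15 is the link default,
    45 the targeted default."""
    flags = 0x8000 if targeted else 0       # T bit; R (request) left clear
    tlvs = struct.pack("!HHHH", TLV_COMMON_HELLO, 4, hold_time, flags)
    if transport:
        tlvs += struct.pack("!HH4s", TLV_IPV4_TRANSPORT, 4, socket.inet_aton(transport))
    # Message length excludes the type and length fields; PDU length excludes
    # the version and the length field itself.
    msg = struct.pack("!HHI", MSG_HELLO, 4 + len(tlvs), msg_id) + tlvs
    body = struct.pack("!4sH", socket.inet_aton(lsr_id), label_space) + msg
    return struct.pack("!HH", 1, len(body)) + body


def parse_hello(pdu):
    """Decode a Hello PDU into the fields a receiver acts on. Without a
    transport TLV the peer is reached at its LSR id."""
    version, pdu_len = struct.unpack_from("!HH", pdu, 0)
    if version != 1 or pdu_len != len(pdu) - 4:
        raise ValueError("bad LDP PDU header")
    lsr_id, label_space = struct.unpack_from("!4sH", pdu, 4)
    msg_type, msg_len, _msg_id = struct.unpack_from("!HHI", pdu, 10)
    if msg_type & 0x7FFF != MSG_HELLO:
        raise ValueError("not a Hello message")
    info = {"lsr_id": socket.inet_ntoa(lsr_id), "label_space": label_space,
            "transport": socket.inet_ntoa(lsr_id), "targeted": False, "hold_time": None}
    off, end = 18, 14 + msg_len
    while off + 4 <= end:
        tlv_type, tlv_len = struct.unpack_from("!HH", pdu, off)
        value = pdu[off + 4:off + 4 + tlv_len]
        kind = tlv_type & 0x3FFF            # strip the U and F bits
        if kind == TLV_COMMON_HELLO:
            info["hold_time"], flags = struct.unpack("!HH", value)
            info["targeted"] = bool(flags & 0x8000)
        elif kind == TLV_IPV4_TRANSPORT:
            info["transport"] = socket.inet_ntoa(value)
        elif not tlv_type & 0x8000:         # U bit clear: unknown TLV must be rejected
            raise ValueError("unknown mandatory TLV 0x%04x" % kind)
        off += 4 + tlv_len
    if info["hold_time"] is None:
        raise ValueError("Hello without Common Hello Parameters TLV")
    return info


def active_role(local_transport, peer_transport):
    """The LSR with the higher transport address opens the TCP session;
    the other one listens."""
    return int(ipaddress.IPv4Address(local_transport)) > int(ipaddress.IPv4Address(peer_transport))


def accept_hello(info, src_ip, configured_targeted_peers, accept_any_targeted=False):
    """Receive filter (assumed IOS-like behaviour): link hellos arriving on an
    MPLS-enabled interface are accepted; targeted hellos only from a configured
    targeted neighbour unless targeted-hello accept is enabled."""
    if not info["targeted"]:
        return True
    return accept_any_targeted or src_ip in configured_targeted_peers
```

The parser rejects an unknown TLV whose U bit is clear rather than skipping it, which is what the protocol requires; a receiver that silently ignores mandatory TLVs is the kind of leniency that lets a malformed hello on a shared segment put an LSR into a session it should never have opened.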
Independent control mode: a router may receive a label for a prefix for which it has no outgoing label; forwarding such a packet would then require a layer 3 lookup. This mode is only run on routers with edge LSR functionality (customer and internal routes plus MPLS).

There are 4 label distribution parameters:
- Label space (per interface or per router/platform)
- Label distribution (downstream unsolicited)
- Label allocation (independent control)
- Label retention (liberal label retention)

Forwarding Equivalence Class (FEC): labels are bound to FECs; a FEC is a set of destinations that should be treated the same (e.g. a subnet). An MPLS router switches packets on the label instead of routing on the layer 3 header.

The forwarding component of the MPLS architecture is known as the forwarding plane or data plane. The routing table is built in the control plane and cached in the forwarding plane. The label forwarding information base (LFIB) is built from a subset of the LIB. The LIB is in the control plane and the LFIB in the forwarding plane. The FIB is also in the forwarding plane: the RIB is needed to build the FIB, and the RIB's next-hop information is what selects the LIB bindings that go into the LFIB. Because MPLS needs the FIB, CEF must be enabled.

The LIB (label information base) contains all known labels; only the best-path labels are copied to the LFIB. The LSR relies on the IGP to decide the best path. For each route in the routing table, find the corresponding label binding in the LIB, based on the outgoing interface and next-hop router listed in the route. Add that label information to the FIB (for imposition) and to the LFIB (for swapping). The FIB is used to forward unlabeled packets: a label is added and the packet is sent out an interface to a next-hop address. If a labeled packet is received and there is no matching entry in the LFIB then the frame is dropped.
The control plane comprises:
- the routing protocol
- the routing table
- LDP, resulting in the label information base (LIB)
The forwarding plane is made up of:
- the FIB
- the label forwarding information base (LFIB)

LSR: a label switch router (LSR) is a Cisco IOS router/switch that is capable of forwarding packets based on labels. LSRs require both a routing protocol and a label protocol running; if the LSR doesn't have enough routing information it might not be able to forward unlabeled packets.

Edge-LSR: an edge label switch router (edge-LSR) is the more specific term for the PE (provider edge) routers; these routers take normal IP traffic and add the MPLS label.
Pop means forward but remove the MPLS label (a layer 3 lookup needs to be done at the next hop).
The outer label is changed on a hop-by-hop basis because MPLS labels are only locally significant.

Label-switched paths: a label-switched path (LSP) is a unidirectional sequence of LSRs that a labeled packet must flow through to get to a particular destination.

How an edge LSR forwards data:
- First it does a routing (FIB) lookup
- If the outgoing interface is MPLS enabled, the label for that FEC is added
- The ethertype field is changed to show this is a labeled packet (0x8847)
- The packet gets sent

Basic MPLS issues:
- A received labeled packet is dropped if the label is not found in the LFIB, even if there is an entry for the destination in the FIB/RIB.
- A received IP packet is dropped if the destination is not found in the FIB/RIB, even if there is an entry in the LIB/LFIB.
Note: the LFIB and FIB are what packets are tested against; they are built from the RIB and LIB.

Label stack: a label stack is 2 or more labels in a frame. The outer label is the one closest to the L2 header; the inner label is closest to the L3 header. The outer label is read first; the inner label is ignored by intermediary routers.
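The RIB/LIB to FIB/LFIB derivation, the two drop rules, PHP and explicit-null, as an added example that is not from the notes or either study guide. build_forwarding installs, for each RIB route, only the LIB binding learned from that route's next hop (liberal retention keeps the rest in the LIB); forward_ip and forward_labeled then consult only the FIB or only the LFIB, so a labeled packet with no LFIB entry is dropped even when the FIB knows the prefix. The PE1 - P - PE2 topology, label values and interface names are constructed; implicit-null (3) and explicit-null (0) are the reserved values from the MPLS architecture.

```python
import ipaddress

IMPLICIT_NULL = 3   # egress advertises this to ask the penultimate hop to pop (PHP)
EXPLICIT_NULL = 0   # advertised instead under 'mpls ldp explicit-null' (PHP disabled)


def net(text):
    return ipaddress.ip_network(text)


def build_forwarding(rib, lib, local_labels):
    """Derive FIB and LFIB from RIB + LIB.
    rib: {prefix: (next_hop or None if connected, out_if)}
    lib: {(prefix, advertising_neighbour): label}   all bindings kept (liberal)
    local_labels: {prefix: label this LSR advertised for the prefix}
    Only the binding from the RIB next hop is installed; an implicit-null local
    label never appears as an incoming label, so it gets no LFIB entry."""
    fib, lfib = {}, {}
    for prefix, (nh, out_if) in rib.items():
        out_label = lib.get((prefix, nh)) if nh is not None else None
        fib[prefix] = (nh, out_if, out_label)
        if prefix in local_labels and local_labels[prefix] != IMPLICIT_NULL:
            lfib[local_labels[prefix]] = (nh, out_if, out_label)
    return fib, lfib


def forward_ip(fib, dst):
    """Unlabeled packet: longest-prefix match in the FIB; push a label only when
    the next hop gave us a real one. A FIB miss is a drop whatever the LIB holds."""
    dst = ipaddress.ip_address(dst)
    matches = [p for p in fib if dst in p]
    if not matches:
        return ("drop", None, [])
    nh, out_if, out_label = fib[max(matches, key=lambda p: p.prefixlen)]
    if out_label in (None, IMPLICIT_NULL):
        return ("ip", out_if, [])
    return ("push", out_if, [out_label])


def forward_labeled(lfib, stack):
    """Labeled packet: the top label alone, in the LFIB alone. No entry -> drop,
    regardless of what the RIB/FIB knows about the payload's destination."""
    top = stack[0]
    if top not in lfib:
        return ("drop", None, stack)
    nh, out_if, out_label = lfib[top]
    if out_label is None:              # untagged: next hop is not an LSR, or we are the egress
        return ("pop", out_if, stack[1:])
    if out_label == IMPLICIT_NULL:     # PHP: the egress asked us to pop for it
        return ("pop", out_if, stack[1:])
    return ("swap", out_if, [out_label] + stack[1:])


def demo(php=True):
    """Constructed topology PE1 -- P -- PE2; PE2 owns 10.2.0.0/16.
    Returns the (router, action, outgoing stack) trace for a packet to 10.2.1.1."""
    customer = net("10.2.0.0/16")
    pe2_label = IMPLICIT_NULL if php else EXPLICIT_NULL
    pe2_fib, pe2_lfib = build_forwarding({customer: (None, "Gi0/1")}, {}, {customer: pe2_label})
    p_fib, p_lfib = build_forwarding({customer: ("PE2", "Gi0/2")},
                                     {(customer, "PE2"): pe2_label}, {customer: 20})
    pe1_fib, _ = build_forwarding({customer: ("P", "Gi0/0")},
                                  {(customer, "P"): 20, (customer, "P2"): 31}, {customer: 17})
    hops = []
    action, out_if, stack = forward_ip(pe1_fib, "10.2.1.1")
    hops.append(("PE1", action, stack))
    action, out_if, stack = forward_labeled(p_lfib, stack)
    hops.append(("P", action, stack))
    if stack:                                   # explicit-null case: PE2 still sees a label
        action, out_if, stack = forward_labeled(pe2_lfib, stack)
        hops.append(("PE2", action, stack))
    action, out_if, stack = forward_ip(pe2_fib, "10.2.1.1")
    hops.append(("PE2", action, stack))
    return hops


def failover_demo():
    """Link to P fails and the IGP reroutes via P2: the LFIB is rebuilt from the
    binding P2 already advertised, no new LDP exchange needed."""
    customer = net("10.2.0.0/16")
    lib = {(customer, "P"): 20, (customer, "P2"): 31}
    before, _ = build_forwarding({customer: ("P", "Gi0/0")}, lib, {customer: 17})
    after, _ = build_forwarding({customer: ("P2", "Gi0/3")}, lib, {customer: 17})
    return before[customer][2], after[customer][2]
```

With PHP the trace is push at PE1, pop at P, plain IP lookup at PE2; with explicit-null P swaps 20 for 0 and PE2 pops it itself, which is the only difference the configuration makes on the wire.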
MPLS VPN: the outer label is the transport label for the FEC (the egress PE's loopback); the inner label is the VPN label that identifies the VRF/route at the egress PE.
MPLS traffic engineering (TE): the first label points to the TE tunnel endpoint, the second to the FEC. MPLS VPN + TE = 3 or more labels.

MPLS VPNs use MP-BGP; this lets BGP overcome conflicts between customers (two customers using the same IP range etc.). The MPLS VPN RFCs define the concept of multiple routing tables, called Virtual Routing and Forwarding (VRF) tables. MPLS VPN uses MP-BGP to propagate the VPN labels, not LDP or TDP (LDP still distributes the transport labels).

Three types of router in an MPLS VPN setup:
- Customer edge (CE): a router that has no knowledge of MPLS protocols and does not send any labeled packets, but is directly connected to an LSR (PE) in the MPLS VPN.
- Provider edge (PE): an LSR that shares a link with at least one CE router, thereby providing the functions particular to the edge of the MPLS VPN, including IBGP and VRF tables.
- Provider (P): an LSR that has no direct link to a CE router; it just forwards labeled packets and can ignore the customer VPN routes.

PEs learn customer routes and put each customer's routes into a separate table. They then use IBGP to send the routes to the other PE routers. The ingress PE adds two labels to a frame:
- The outer label gets the frame switched through the MPLS network.
- The inner label identifies the VRF that the frame is for and the outgoing interface for the destination; it has its S bit set to 1.

Label switched path (LSP): an LSP is a sequence of LSRs for a FEC. IGPs run within the MPLS cloud; the IGP routes are used to build the LSP. MPLS TE can choose different LSPs for a packet.

MPLS traffic engineering:
- Uses RSVP to create label switched path (LSP) tunnels; these tunnels are given their own label.
- Requires OSPF or IS-IS, and every LSR must hold the entire P network topology in its link-state database.
- Uses extensions in OSPF and IS-IS to advertise the remaining bandwidth on a link.
Requirements:
- Every LSR needs either OSPF or IS-IS with a full topology table.
- Extensions to OSPF or IS-IS propagate available resources and constraints.

Any Transport over MPLS (AToM): used to transport any layer 2 frame over MPLS: Ethernet, frame relay, PPP, HDLC etc.
- AToM uses 2 labels and can use TE etc.
- A targeted (unicast) LDP session is created between the edge LSRs.
- The first label forwards packets over the MPLS backbone.
- The second label, called the VC label, determines the egress interface.
EoMPLS (Ethernet over MPLS) uses AToM. It does no MAC learning and forwards all Ethernet frames over the backbone. Two main deployment methods:
- TLS (transparent LAN service) between two customer sites
- VPLS (virtual private LAN service) for a bridge between many sites
For frame relay over MPLS, FECN, BECN and DE are carried across the MPLS network.

Virtual Routing and Forwarding (VRF):
- Has its own IP routing table (RIB)
- A CEF FIB, populated by the above RIB
- A single BGP instance on the router exchanges routes with the other BGP routers and uses a route distinguisher to tell which VRF a route belongs to.

VRFs use IBGP to exchange routes, but plain BGP-4 cannot handle overlapping addresses. To fix this, MP-BGP (RFC 4760) carries additional address families, and the VPNv4 address family (RFC 4364) prepends an extra 64-bit field, the route distinguisher (RD), to each NLRI (route prefix). As long as the 64-bit number is unique per customer, the NLRIs no longer overlap.
The route distinguisher is 8 bytes; the first 2 bytes are a type field that says which format the remaining 6 bytes use:
- type 0: 2-byte-integer (ASN):4-byte-integer
- type 2: 4-byte-integer (4-byte ASN):2-byte-integer
- type 1: 4-byte-dotted-decimal (IPv4 address):2-byte-integer
The first entry should be an IPv4 address or an ASN, the second can be anything.

Route Targets (RT): MPLS VPN uses route targets to decide into which VRFs a PE places IBGP-learned routes. RTs are carried in the BGP extended community path attribute. They are there so that the receiving BGP router knows which VRFs to place the route in.
RTs use the same basic format as RDs.

Destination (egress) PE router:
1. Process the incoming packet using the VRF associated with the incoming interface (statically configured).
2. Forward the packet using that VRF's FIB.
On the ingress PE, the outer label comes from the LIB/LFIB entry for the prefix that matches the BGP-learned next-hop IP address (the egress PE), not the packet's destination IP address. The inner label comes from the BGP table entry for the route in the VRF that matches the packet's destination address.

VRFs:
- Only 1 VRF per interface
- Many interfaces per VRF
- VRFs have their own RIB/FIB
- There are no separate per-VRF BGP tables
- Advanced import: for a route to enter a VRF via a route map it must also match one of the RTs configured on the VRF.
- Advanced export: if an RT is set via a route map, both the configured export RT for the VRF and the RT in the route map are attached to the matching routes.

Penultimate Hop Popping: to reduce the workload on the egress PE, the second-to-last router (the router before the PE) removes the outer label so the PE only has to process one label (the VPN label) instead of doing two lookups.
Disable PHP: an LSR tells its neighbour LSRs whether it wants them to do PHP for it (by advertising implicit-null). To disable PHP you configure the router that would receive the popped frame (mpls ldp explicit-null), not the router doing the popping.

Multicast MPLS: uses PIMv2 plus an extension for MPLS support.

MPLS VPN: customer routes are learnt via IGP/static from the customers and via MP-BGP from the other PE routers. MPLS VPN uses 2 labels: one for the destination FEC (the egress PE) and the other for the destination VPN.

MP-BGP in MPLS VPN:
- There is only one MP-BGP VPNv4 table for all VPNs; routes are made unique with RDs. RTs, which are an extended community attribute, map routes into a VRF.
- Each VPN can have more than one VRF.
- PE to PE BGP sessions need to be sourced from loopbacks.
- For VPNv4 neighbours, send-community extended is set automatically; if normal communities also need to be sent, set that manually (send-community both).
no bgp default ipv4-unicast stops the BGP process from automatically activating neighbours in the IPv4 unicast address family, so a VPNv4-only PE does not learn normal Internet BGP routes unless that family is activated explicitly.

Central services: uses different import and export RTs to allow export of the CE routes and import of those routes into the central services VRF, and export of the central services VRF routes into the CE VRFs, without allowing CE-to-CE VRF exchange.

IGP route aggregation: summarisation forces another routing table lookup at the point of summary so that the correct new label can be found, and it breaks the end-to-end LSP to the egress PE's loopback (the VPN label is only meaningful to that PE). Summarising addresses inside an MPLS network is not recommended; PE loopbacks must stay as host routes.

OSPF as CE-PE: sham links are used if two sites run the same area and also have a backup link that is not via the MPLS network. A sham link runs between the PEs and lets them form an OSPF adjacency across the MPLS cloud, so routes learned over the backbone stay intra-area and are not automatically beaten by the backup link; by adjusting the cost of the sham link you can manipulate traffic flow. The sham link requires its own loopback attached to the customer VRF and advertised under the MP-BGP VRF address family for the customer (address-family ipv4 vrf *customer*). Then on the PE issue: area *1* sham-link *source-loopback-ip* *destination-loopback-ip*. MPLS/MP-BGP redistributes routes as the LSA type they were received as, unless in the redistribute statement you set the metric-type.

BGP as CE-PE: if the CEs at different sites use the same ASN then as-override can be used on the PE to replace the last ASN (multiple if prepending) with the ASN of the service provider network. Removal of the AS-path check on the CE (allowas-in) is the other possibility, but if the site is multihomed to the MPLS WAN this can cause routing loops.
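The RD and RT formats from the VRF section, the VPNv4 NLRI they ride in, and the central services import/export pattern from the paragraph above, as an added example that is not from the notes or either study guide. encode_rd picks the RFC 4364 type from the administrator field (IPv4 address, 2-byte ASN, or 4-byte ASN); encode_rt reuses the same 6-byte value under the RFC 4360 extended-community type/sub-type bytes; vrf_import applies the import RT filter over a constructed VPNv4 table in which two spokes advertise the same prefix under different RDs. The ASNs, RDs, RTs and prefixes are constructed.

```python
import ipaddress
import struct

RT_SUBTYPE = 0x02   # extended community sub-type for Route Target


def encode_rd(text):
    """'admin:assigned' -> 8-byte route distinguisher.
    type 0: 2-byte ASN : 4-byte number
    type 1: IPv4 address : 2-byte number
    type 2: 4-byte ASN : 2-byte number
    struct raises if a field overflows its width."""
    admin, assigned = text.rsplit(":", 1)
    assigned = int(assigned)
    if "." in admin:
        return struct.pack("!HIH", 1, int(ipaddress.IPv4Address(admin)), assigned)
    asn = int(admin)
    if asn < 1 << 16:
        return struct.pack("!HHI", 0, asn, assigned)
    return struct.pack("!HIH", 2, asn, assigned)


def decode_rd(raw):
    """8-byte RD -> the 'admin:assigned' text IOS shows."""
    (rd_type,) = struct.unpack("!H", raw[:2])
    if rd_type == 0:
        asn, num = struct.unpack("!HI", raw[2:])
        return "%d:%d" % (asn, num)
    admin, num = struct.unpack("!IH", raw[2:])
    if rd_type == 1:
        return "%s:%d" % (ipaddress.IPv4Address(admin), num)
    if rd_type == 2:
        return "%d:%d" % (admin, num)
    raise ValueError("unknown RD type %d" % rd_type)


def encode_rt(text):
    """Route Target extended community: type byte 0x00/0x01/0x02 (same meaning
    as the RD type), sub-type 0x02, then the same 6-byte value as the RD."""
    rd = encode_rd(text)
    return bytes([rd[1], RT_SUBTYPE]) + rd[2:]


def decode_rt(raw):
    if raw[1] != RT_SUBTYPE:
        raise ValueError("not a Route Target community")
    return decode_rd(b"\x00" + raw[0:1] + raw[2:])


def encode_vpnv4_nlri(rd_text, prefix, label):
    """MP_REACH_NLRI entry: length in bits, 3-byte label (S bit set), RD, prefix.
    Two customers' identical prefixes stay distinct because the RD is part
    of the NLRI key."""
    network = ipaddress.IPv4Network(prefix)
    nbytes = (network.prefixlen + 7) // 8
    label_field = struct.pack("!I", (label << 4) | 1)[1:]   # 20-bit label, EXP 0, S=1
    return (bytes([24 + 64 + network.prefixlen]) + label_field + encode_rd(rd_text)
            + network.network_address.packed[:nbytes])


def vrf_import(vpn_table, import_rts):
    """vpn_table: list of (rd_text, prefix, set_of_rt_text) from the single
    VPNv4 table. A route enters the VRF when any of its RTs is in the VRF's
    import set. Comparison is on the encoded community, not the text."""
    wanted = {encode_rt(rt) for rt in import_rts}
    return sorted((rd, prefix) for rd, prefix, rts in vpn_table
                  if wanted & {encode_rt(rt) for rt in rts})


def central_services_demo():
    """Constructed hub-and-spoke: spoke VRFs export 65000:100 and import only
    65000:200; the central VRF exports 65000:200 and imports 65000:100."""
    table = [
        ("65000:1", "10.1.0.0/16", {"65000:100"}),     # spoke A
        ("65000:2", "10.1.0.0/16", {"65000:100"}),     # spoke B, same address space as A
        ("65000:9", "172.16.0.0/24", {"65000:200"}),   # central site
    ]
    return {"central": vrf_import(table, {"65000:100"}),
            "spokeA": vrf_import(table, {"65000:200"})}
```

The central VRF ends up with both spoke routes, kept apart by their RDs, while a spoke VRF receives only the central prefix and never the other spoke's, which is the whole mechanism behind the central services topology: the RD only makes routes unique, the RT decides who imports them.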
Useful commands:

CEF:
show ip cef
show ip cef unresolved
show ip cef summary
interface *
 no ip route-cache cef
 ip route-cache cef

MPLS:
mpls ldp router-id *interface* [force]
mpls ip
mpls label protocol [tdp | ldp | both] (can be done globally or per interface)
interface *
 mpls ip
 mpls mtu *bytes*
no mpls ip propagate-ttl [forwarded | local]
Selectively control label distribution:
mpls ldp advertise-labels for *prefix-list* to *prefix-list*
Protect the LDP session (MD5 on the TCP session; the hellos themselves stay unauthenticated):
mpls ldp neighbor *ip-address* password *password*

Show:
show mpls ldp parameters
show mpls interfaces
show mpls ldp discovery
show mpls ldp neighbor
show mpls ldp bindings (shows the LIB)
show mpls forwarding-table (shows the LFIB)

Disable PHP (do this on the PE router that would otherwise receive the popped frames):
mpls ldp explicit-null

Steps to set up a VRF:
1. create the VRF
2. assign an RD
3. specify the import and export RTs
4. assign interfaces to the VRF

Create the VRF and assign the RD:
ip vrf *name*
 rd ASN:nn or A.B.C.D:nn
Assign an interface to the VRF:
interface *
 ip vrf forwarding *vrf*
Export and import RTs (route targets):
ip vrf *name*
 route-target export *RT* (sets the RT on exported routes)
 route-target import *RT* (filters out everything but that RT)
VPN ID (optional):
ip vrf *name*
 vpn id oui:vpn-index

MP-BGP:
router bgp *AS*
 neighbor *PE routers* remote-as *AS*
 neighbor *PE routers* update-source loopback0
 address-family vpnv4
  neighbor *PE routers* activate
 address-family ipv4 vrf *name*
  neighbor *CE routers* remote-as *CE AS*
  neighbor *CE routers* activate

MPLS TE: needs to be enabled on all PE and P routers and on their interconnecting interfaces. TE tunnels are only configured on the ingress (head-end) PE router.
Enable TE on the router:
ip cef
mpls ip
mpls traffic-eng tunnels
Enable TE in OSPF:
router ospf 1
 mpls traffic-eng area 0
 mpls traffic-eng router-id loopback0
Enable TE on the interface:
interface *
 mpls traffic-eng tunnels
 ip rsvp bandwidth *kbps*
Make a TE tunnel:
interface tunnel *n*
 ip unnumbered loopback0
 tunnel destination *tail-end TE router-id*
 tunnel mode mpls traffic-eng
Make a predefined explicit path:
ip explicit-path name *name* enable
 next-address *hop*
 next-address *hop*
 next-address *hop*
 etc.
Assign the explicit path to the TE tunnel:
interface tunnel *n*
 tunnel mpls traffic-eng path-option 1 explicit name *name* (1 is the preference; the lowest number is tried first)
Use the tunnel in the local routing calculation (the IGP treats the tunnel as a link to the tail end):
interface tunnel *n*
 tunnel mpls traffic-eng autoroute announce