Multiprotocol Label Switching (MPLS) Notes

Multiprotocol Label Switching (MPLS) is widely used in many large enterprise networks and, as with all networking technologies, it is the concepts that are important to remember and understand. The following is therefore general information about MPLS rather than configuration examples, which are easy to find on the interweb.

Unlike a traditional IP network, which performs a routing lookup on the IP address to determine the next hop, MPLS does label switching instead. Instead of looking up the next hop based on the IP address, it finds the destination router from a predefined label-to-destination-network association and applies the appropriate label(s) to get to that router via a pre-determined path. Once the traffic reaches the destination router (PE) the label is removed (or it is removed by the penultimate P router if penultimate hop popping is enabled, which in most deployments it is) and the packets are delivered locally via normal IP routing.

A typical example of this is when a tenant advertises its IP subnet (pick your favorite routing protocol) associated with its VRF to the PE router which will associate that subnet to a label. The PE then exports those tenant routes from the tenant’s VRF into MPLS and transmits them across the cloud / backbone, to their destination. Those routes are then imported back into the destination VRF and locally advertised by a routing protocol, thus creating a virtual private network. Note: Private in this instance does not imply any encryption but rather segregation of information from other tenants.

Because the PE associated the tenant’s IP subnet to a label and those labels are communicated via the control plane to all MPLS participating PE devices as an MP-BGP extended attribute, other PEs know what label to apply to get back to that tenant’s IP subnet. When the traffic is sent across the MPLS core, the PE adds the destination PE’s label, which it already knows via control plane learning, and then if required also adds an additional label for the next router in the predefined path towards the destination.

This pre-determined path, or label-switched path (LSP), is established via the Label Distribution Protocol (LDP), which creates a unidirectional tunnel between the PE routers.

MPLS is typically deployed in an Enterprise as a method to connect tenant environments across a shared backbone and/or to segregate tenants across a shared backbone from each other. Whilst there is some perception that MPLS is faster than performing an IP route lookup, and this is likely true, given today’s router processing speeds this is of negligible benefit for all but the largest networks.

For pure IP routing to work the router must use control plane protocols, like OSPF, to first populate the IP routing table and then populate the CEF Forwarding Information Base (FIB).

Similarly, for MPLS forwarding to work, MPLS relies on control plane protocols to learn which MPLS labels to use to reach each IP prefix, and then populate both the FIB & LFIB with the correct labels.

A diagram I find useful is as follows:

[Image: mpls-diagram]

The LFIB resides in the data plane and contains a local label to next-hop label mapping along with the outgoing interface, which is used to forward labeled packets.

A unique MPLS label is allocated for each VPNv4 prefix, and the label is inserted between the L2 and L3 headers. Multiple labels can be inserted; in fact, stacking multiple labels is how MPLS VPNs work.

For example, the ingress PE will place two labels on the packet: label 1 (L1) is the path label (provided by LDP), and label 2 (L2) is the VPN label (provided by BGP).

Thus, as per the following example, MPLS will populate the LFIB with labels associated with prefixes and the outgoing interface / next hop. Also, if this router is the last MPLS hop for a destination prefix, the label is removed, or ‘popped off’, before sending the packets to the local VRF (VRF-BLUE).

router1#sho mpls forwarding-table
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
16         Pop Label  IPv4 VRF[V]      2941227361    aggregate/VRF-BLUE
17         No Label   10.0.42.0/24[V]  496031973389  Vl3500     172.16.50.70
18         157        172.16.6.24/30   0             Po101      172.16.51.17
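
The two-label stack and the swap/pop actions described above can be modelled in a few lines. This is an added example, not part of the original notes: it uses the standard 32-bit label stack entry layout from RFC 3032 (20-bit label, 3-bit traffic class, 1-bit bottom-of-stack, 8-bit TTL), and the VPN label 30, the pop row for label 19 and interface Po102 are constructed values.

```python
import struct

def encode_stack(labels, ttl=64, tc=0):
    """Encode labels (outermost first) as 32-bit RFC 3032 stack entries."""
    out = b""
    for i, label in enumerate(labels):
        if not 0 <= label < (1 << 20):
            raise ValueError("label must fit in 20 bits")
        bottom = 1 if i == len(labels) - 1 else 0  # S bit: set on last entry only
        out += struct.pack("!I", (label << 12) | (tc << 9) | (bottom << 8) | ttl)
    return out

def decode_stack(data):
    """Return ([(label, tc, s, ttl), ...], payload); reject truncated stacks."""
    entries, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated stack: bottom-of-stack bit never seen")
        (word,) = struct.unpack_from("!I", data, off)
        off += 4
        entries.append((word >> 12, (word >> 9) & 7, (word >> 8) & 1, word & 0xFF))
        if entries[-1][2]:
            return entries, data[off:]

# Simplified LFIB keyed by local label. The swap row mirrors local label 18 in
# the output above; the pop row (label 19, Po102) is constructed.
LFIB = {18: ("swap", 157, "Po101"), 19: ("pop", None, "Po102")}

def forward(lfib, frame):
    """Act on the top label only; the inner (VPN) label passes through intact."""
    (label, tc, s, ttl), *_ = decode_stack(frame)[0]
    if label not in lfib:
        raise KeyError(f"no LFIB entry for local label {label}")
    if ttl <= 1:
        raise ValueError("MPLS TTL expired")
    action, out_label, iface = lfib[label]
    if action == "pop":
        return iface, frame[4:]
    top = struct.pack("!I", (out_label << 12) | (tc << 9) | (s << 8) | (ttl - 1))
    return iface, top + frame[4:]

# Constructed packet: path label 18 (LDP), VPN label 30 (BGP), dummy payload.
frame = encode_stack([18, 30]) + b"ip-packet"
```

Calling `forward(LFIB, frame)` returns the outgoing interface and the rewritten frame, in which only the top label and its TTL have changed.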

Virtual Routing and Forwarding (VRF)
VRFs can be used to store routes separately for different tenants (customers, groups, domains). Each VRF has three main components:

  1. An IP routing table (RIB)
  2. A CEF FIB, populated based on the VRF’s RIB
  3. A separate instance or process of the routing protocol used to exchange routes.

Route Distinguisher (RD): 64-bit RD + 32-bit IPv4 prefix = 96-bit VPNv4
RDs allow BGP to advertise and distinguish between duplicate IPv4 prefixes. It does this by adding the RD to the IPv4 prefix, creating what is called a VPNv4 prefix, which is comprised of two parts:

  1. A 64-bit RD
  2. A 32-bit IPv4 prefix

Route Targets (RT)
PE routers advertise RTs in BGP updates as BGP extended community path attributes (PA). MPLS uses RTs to determine into which VRF a PE places iBGP learned prefixes.

NOTE: RD & RT are separate, independent values. While a particular prefix can have only one RD, it can have one or more RTs assigned to it.
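
Since tenant segregation rests on which RTs each VRF imports, it is worth auditing that mapping. The following added example (not from the original notes) builds the 96-bit VPNv4 value from a type-0 RD (2-byte type, 2-byte ASN, 4-byte assigned number, per RFC 4364) and lists every VRF pair where one VRF imports an RT that another exports; all VRF names except VRF-BLUE, and all RD and RT values, are hypothetical.

```python
import ipaddress
import struct

def vpnv4(rd, prefix):
    """Return the 96-bit VPNv4 value: 64-bit type-0 RD (ASN:number) + IPv4."""
    asn, num = (int(x) for x in rd.split(":"))
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HHI", 0, asn, num) + net.network_address.packed

# Constructed VRF definitions: one RD per VRF, one or more RTs each way.
VRFS = {
    "VRF-BLUE": {"rd": "65000:1", "export": {"65000:100"},
                 "import": {"65000:100"}},
    "VRF-RED":  {"rd": "65000:2", "export": {"65000:200"},
                 "import": {"65000:200", "65000:100"}},  # also pulls BLUE routes
    "VRF-MGMT": {"rd": "65000:9", "export": {"65000:900"},
                 "import": {"65000:900"}},
}

def importing_vrfs(route_rts, vrfs):
    """VRFs whose import RTs intersect the RTs carried by the route."""
    return sorted(n for n, v in vrfs.items() if v["import"] & set(route_rts))

def cross_vrf_imports(vrfs, allowed=frozenset()):
    """List (exporter, importer, shared RTs) pairs not explicitly allowed."""
    findings = []
    for src, s in vrfs.items():
        for dst, d in vrfs.items():
            shared = s["export"] & d["import"]
            if src != dst and shared and (src, dst) not in allowed:
                findings.append((src, dst, sorted(shared)))
    return findings

# The same tenant prefix in two VRFs yields two distinct VPNv4 values.
blue = vpnv4(VRFS["VRF-BLUE"]["rd"], "10.0.42.0/24")
red = vpnv4(VRFS["VRF-RED"]["rd"], "10.0.42.0/24")
```

Any pair returned by `cross_vrf_imports` that is not an intended shared-services arrangement is a route leak between tenants and should be passed in `allowed` only after review.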

Misc

  • Labels are locally significant (similar to frame-relay DLCI, or VLANs)
  • MPLS is based on, not tied to, the routing table!
  • Always ensure basic connectivity and routing is functioning correctly before implementing MPLS

The capability vrf-lite command disables the DN-bit (down bit) and domain-tag checks in OSPF. Since the CE router acts as the PE router in VRF-lite, these checks should be disabled, because the PE routers advertise VPN routes with the DN-bit set to the CE routers.

When VPN routing and forwarding (VRF) is used on a router that is not a PE (that is, one that is not running BGP), the checks can be turned off to allow for correct population of the VRF routing table with routes to IP prefixes.
