Operations
3.1.a MPLS header (not on blueprint)
Multi Protocol Label Switching
// Graphic missing - Coming soon //
MPLS header fields:
- Label (20 bits): Contains the actual MPLS label.
- EXP (3 bits): Used by Cisco for QoS purposes (CoS/IP Precedence).
- S (1 bit): If set to 1, the label is the last (bottom label) of the packet.
- TTL (8 bits): Same purpose as IP header TTL.
3.1.a i Label stack, LSR, LSP
Label Stack
General information on “MPLS Label Stack”:
- MPLS labels are 4 byte
- Inserted between OSI layer 2 and OSI layer 3
- Therefor MPLS is often referred to as layer 2.5 protocol
- Instead of doing classical destination-based routing, MPLS uses labels to switch the packets
- This results in advantages like speed (not relevant nowadays anymore) and the switching paths can be pre-defined
- The FEC (Forwarding Equivalent Class) is only determined once at the ingress LSR and defines which path to the egress LSR a set of packets with the same characteristics (eg. next-hop, outgoing interface, forwarding treatment, same prefix, …) should take
- LIB (Label Information Base) is the table where the labels are stored
- LFIB (Label Forwarding Information Base) is the table where the forwarding decisions based on the labels are made
Different MPLS Labels:
- Transport/Path (outer) Label: Used for switching the traffic within the MPLS core until the destination PE
- VPN (inner) Label: Used for switching the traffic to the appropriate customer at the destination PE
LSR
Label Switch Router
General information on “MPLS LSR”:
- Also known as Transit-, Core- or P-router
- Router within the MPLS Core which does packet forwarding only based on MPLS Transport labels
- Also exchanges MPLS labels because they’re only valid between 2 routers
LER (Not on blueprint)
Label Edge Router
General information on “MPLS LER”:
- Also known as Edge- or PE-router
- Acts as entry/exit point of the MPLS network
- Pushes MPLS labels on ingress packets entering the MPLS network
- Pops MPLS labels of egress packets leaving the MPLS network
- Adds two MPLS labels: Transport (outer label) and VPN (inner label)
LSP
Label Switched Path
General information on “MPLS LSP”:
- Path through an MPLS network
- Can be defined manually or setup completely automatically
- Path begins at the source LER, goes through the LSR and ends at the destination LER
- A LSP can be seen as one virtual circuit between the ingress LSR and egress LSR
PHP (not on blueprint)
Penultimate Hop Popping
General information on “MPLS PHP”:
- If a LSR is the last P-router before reaching the LER, it removes (pops) the Transport/Path label of the packet
- It improves the efficiency of MPLS, so that the last-hop MPLS router (egress LER) only has to do one lookup (inner label) instead of two lookups (outer and inner label)
- For PHP to work, the egress LSR sends a special null label to the next-to-last LSR:
- Implicit Null: The default null label. Has a header value of 3 (for IPv4). If the next-to-last LSRs receives this label for a prefix, it ALWAYS pops the Transport/Path (outer) label for the specific prefix.
- Explicit Null: Alternative null label. Has a header value of 0 (for IPv4). Used if the EXP field in the MPLS header is used for QoS. If the next-to-last LSRs receives this label for a prefix, it NEVER pops the Transport/Path (outer) label for the specific prefix.
3.1.a ii LDP
Label Distribution Protocol
General information on “LDP”:
- Used to distribute the inner label (VPN) and outer label (Transport/Path) in MPLS
- LDP is an IGP-based protocol (= for every IGP route there’ll be a equivalent MPLS label)
- LDP uses tcp/646 (session) and udp/646 (discovery)
- LDP requires an already established underlay network (IGP) in order to forward packets
- LDP is automatically enabled when enabling MPLS on an interface
- Two modes of LDP:
- Default: LDP uses multicast to discover neighbors at 224.0.0.2
- Targeted: LDP uses unicast to directly connect to neighbors, needs to be explicitly configured and therefor can connect neighbors not directly connected between each other
- LDP discovery packets include a transport address (= router ID by default) which is used to form the neighbor adjacency
- LDP requires a router ID which is either manually configured or uses automatically highest loopback (if configured) or highest operational IP (if configured)
- The LDP RID needs to be reachable (eg. advertised via the IDP, static route, …) in order for LDP to work
- LDP sessions can be password authenticated, which is defined on a per-neighbor basis and with the required keyword every neighbor needs to have a password
LDP-IGP synchronization:
- LDP-IGP synchronization is only supported by OSPF
- With LDP-IGP synchronization, a link within the IGP won’t forward traffic when the LDP session across the specific link is broken or not synchronized (= label bindings not (fully) exchanged)
- When there’s no synchronization between the IGP and LDP, OSPF will announce the specific link with the maximum metric (65536)
- The link won’t be used until it’s the only available path
- OSPF won’t even establish an adjacency (doesnât send out OSPF HELLOs) across the link if the LDP session is not synchronized or the LDP hold-down timer expired (only if LDP was configured before OSPF)
LDP session protection:
- When a link in a network flaps and the LDP/IGP session goes down, this affects the whole network and forwarding path because the LDP has to rebuild its label binding table and the IGP has the re-converge
- With LDP session protection, the LDP session is kept up as long as an alternative path between the LSRs exist
- This is done by establishing a targeted connection (in additional to the neighbor discovery connection if the LSRs are directly connected)
- Needs to be enabled on both LSRs to work
LDP graceful restart:
- Comparable to EIGRP/OSPF/BGP graceful restart which means the forwarding plane will stay active even if the control plane is going to be restarted
- Needs to be enabled explicitly and only protects LDP connections which are established after the feature is enabled
“LDP” CLI configuration commands:
## Enabling LDP for each interface manually
Router(config)# interface <if>
Router(config-if)# mpls ip
## Enabling LDP for each OSPF-enabled interface automatically
Router(config)# router ospf <pid>
Router(config-router)# mpls ldp autoconfig area <id>
## Enabling LDP-IGP synchronization
Router(config-router)# mpls ldp sync
Router(config)# interface <if>
Router(config-if)# no mpls ldp igp sync
Router(config)# mpls ldp igp sync holddown <msec>
## Configuring a LDP neighbor manually (targeted session)
Router(config)# mpls ldp neighbor <ip> targeted
Router(config)# mpls ldp discovery targeted-hello accept from [ACL]
## Configuring LDP RID manually
Router(config)# mpls ldp router-id <if> force
## Configuring LDP transport address manually
Router(config)# mpls ldp discovery transport-address <ip>
## Configuring LDP authentication
Router(config)# mpls ldp neighbor <ip> password <TEXT>
Router(config)# mpls ldp password required
## Filtering LDP label advertisement OUTBOUND
Router(config)# no mpls ldp advertise-labels
Router(config)# mpls ldp advertise-labels for [ACL] to [ACL]
## Filtering LDP label advertisement INBOUND
Router(config)# mpls ldp neighbor <ip> labels accept [ACL]
## Configuring LDP session protection
Router(config)# mpls ldp session protection for [ACL] duration <seconds>
## Configuring LDP graceful restart
Router(config)# mpls ldp graceful-restart
“LDP” CLI show commands:
## Showing MPLS LDP neighbors, bindings, ...
Router# show mpls ldp [OPTIONS]
3.1.a iii MPLS ping, MPLS traceroute
MPLS ping
General information on “MPLS ping”:
- Used to detect data plane failure in a MPLS LSP
“MPLS ping” CLI show commands:
## Doing/sending a MPLS ping
Router# ping mpls [OPTIONS]
MPLS traceroute
General information on “MPLS traceroute”:
- Used to validate MPLS end-to-end connectivity
- Best practice is to traceroute from one PE to another PE using the loopback interfaces as destination/source
- Should always be done in both directions
- Every hop except the last on should show [MPLS: Label xxx]
- If that isn’t the case, there’s a misconfiguration at the specific hop
“MPLS traceroute” CLI show commands:
## Doing/sending a MPLS traceroute
Router# traceroute mpls [OPTIONS]
3.1.a x MPLS IP TTL Propagation (not on blueprint)
General information on “MPLS IP TTL Propagation”:
- By default, MPLS copies the TTL value of the IP header into the MPLS header
- This results in a full disclosure of the MPLS core network if a traceroute is done on a CE router
- To avoid this, IP TTL propagation can be disabled for MPLS
- When IP TTL propagation disabled, the TTL value of the IP header won’t be copied into the MPLS header anymore, but instead the MPLS header uses a fixed TTL start value of 255 which doesn’t get copied back into the IP header once it leaves the LSP
“MPLS IP TTL Propagation” CLI configuration commands:
## Enabling/disabling MPLS IP TTL Propagation
Router(config)# [no] mpls ip propagate-ttl