
MPLS - Key concepts

MPLS Overview

MPLS (Multiprotocol Label Switching) is a transport technology that efficiently forwards packets using labels rather than traditional IP-based routing. MPLS is integral to modern VPNs and service provider networks, enabling more efficient routing and scalability.

MPLS VPNs

MPLS VPNs use PE (Provider Edge) routers to manage customer routes and VRFs (Virtual Routing and Forwarding) to store customer routing tables. Each customer’s routes are isolated in separate VRFs to handle overlapping IP prefixes.

  • PE routers exchange routes with CE (Customer Edge) routers using external protocols like BGP, RIP, OSPF, or EIGRP.
  • Label Stack: MPLS packets carry two labels:
    • Outer label directs the packet to the egress PE.
    • Inner label directs the packet to the correct VRF.

Technical Tip: Use the mpls ip command to enable MPLS label forwarding on interfaces.

VPN Types

MPLS VPN supports several types of VPNs:

  1. Remote Access VPN: Connects a single endpoint to a remote network.
  2. Site-to-Site VPN: Connects two or more networks together.

MPLS Label Stack, LSR, and LDP

Label Switch Routers (LSRs) are responsible for forwarding packets based on MPLS labels. LSRs rely on LDP (Label Distribution Protocol) to exchange labels and form Label-Switched Paths (LSPs) for packet forwarding.

Penultimate Hop Popping (PHP):

  • PHP removes the outer MPLS label at the second-to-last hop (penultimate router) to allow the final router to perform a single IP lookup, optimizing forwarding.

Label Information Base (LIB) and LFIB

LSRs store all possible labels in the LIB (Label Information Base). The LFIB (Label Forwarding Information Base) only holds the best labels for forwarding packets. The LFIB and FIB are populated based on routing protocol decisions.

Technical Tip: MPLS relies on CEF (Cisco Express Forwarding) to forward IP packets along MPLS paths. Ensure that CEF is enabled globally and on each interface.

MPLS Ping and Traceroute

MPLS lets an operator control whether the IP TTL is propagated into the MPLS label when a packet enters the core. By disabling TTL propagation, the core routers never expire a customer's traceroute probes, so the MPLS network appears as a single hop to the customer and internal hops stay hidden, enhancing security.

Technical Tip: Use the no mpls ip propagate-ttl command to disable TTL propagation for customer packets.
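The two-label stack from the MPLS VPNs section, penultimate hop popping, and the effect of TTL propagation, worked through on real label bytes. This is an added example, not code from the original post; the label values, the constructed IP payload, and the simplified single-LSR hop model are assumptions.

```python
import struct

# MPLS shim header (RFC 3032): 20-bit label | 3-bit TC | 1-bit S (bottom of stack) | 8-bit TTL
def encode_entry(label, ttl, bottom, tc=0):
    if not 0 <= label <= 0xFFFFF:          # 20-bit field: 0-15 reserved, 16..1048575 usable
        raise ValueError("label out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | (ttl & 0xFF))

def decode_stack(pkt):
    """Return ([(label, ttl), ...] top of stack first, payload), walking down to the S bit."""
    entries, off = [], 0
    while True:
        (w,) = struct.unpack_from("!I", pkt, off)
        off += 4
        entries.append((w >> 12, w & 0xFF))
        if (w >> 8) & 1:
            return entries, pkt[off:]

def impose(ip_payload, ip_ttl, transport_label, vpn_label, propagate_ttl):
    """Ingress PE: push the inner VPN label (selects the VRF on the egress PE) under the
    outer transport label (reaches the egress PE). With TTL propagation the IP TTL is
    copied into both entries; with 'no mpls ip propagate-ttl' they start at 255, so a
    customer traceroute probe cannot expire on a P router and reveal it."""
    ttl = ip_ttl if propagate_ttl else 255
    return encode_entry(transport_label, ttl, False) + encode_entry(vpn_label, ttl, True) + ip_payload

def core_hop(pkt, swap_to=None):
    """One LSR in the core. Decrement the top TTL; return None if it expires (that router
    would answer with ICMP time-exceeded and appear in the customer's traceroute). With
    swap_to=None the hop is the penultimate one doing PHP: it pops the outer label (the
    egress advertised implicit-null) and carries the TTL into the exposed entry."""
    entries, payload = decode_stack(pkt)
    (_, ttl), rest = entries[0], entries[1:]
    if ttl <= 1:
        return None
    ttl -= 1
    if swap_to is not None:
        rest = [(swap_to, ttl)] + rest
    elif rest:
        rest = [(rest[0][0], ttl)] + rest[1:]
    else:
        return payload                      # single-label LSP: egress receives plain IP
    out = b"".join(encode_entry(lbl, t, i == len(rest) - 1) for i, (lbl, t) in enumerate(rest))
    return out + payload
```

With propagation on, a probe that enters the core with TTL 1 dies on the first P router; with it off, the same probe crosses the core untouched, which is exactly what hides the hops.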

LDP (Label Distribution Protocol)

LDP is essential for MPLS label distribution. LSRs use LDP to send IP prefix and label mappings to neighbors. Neighbors are discovered with hello messages sent over UDP port 646, and a TCP session (also port 646) is then established to exchange label information.

  • Types of LDP Neighbor Discovery:
    1. Basic: Discovers directly connected neighbors.
    2. Extended: Discovers non-directly connected neighbors using targeted hellos.

Technical Tip: Use the mpls ldp router-id command to set a stable LDP router ID, ensuring stable label distribution across LSRs.

L3VPN and MP-BGP

MPLS L3VPNs use MP-BGP (Multiprotocol BGP) to carry VPN routes between PE routers. Each customer’s routes are made unique with Route Distinguishers (RDs), which ensure that overlapping prefixes from different customers remain separate.

  • Route Targets (RTs) control which routes are imported and exported between VRFs. RTs are carried as BGP extended communities, enabling granular control over VPN topology.

Technical Tip: RDs and RTs are critical for managing customer routes in MPLS VPNs, ensuring that routes are imported into the correct VRF and exported to the appropriate remote sites.

Label Switch Path (LSP) Establishment

An LSP is established by advertising labels using LDP. The LSP creates a path from the ingress PE to the egress PE, allowing packets to be forwarded based on labels rather than IP addresses.

MPLS Configuration and Verification

  • Enable MPLS: MPLS must be enabled globally (mpls ip) and on individual interfaces.
  • Configure LDP: Set up LDP to distribute labels, ensuring neighbors are discovered and labels are exchanged.

Technical Tip: Use commands like show mpls ip binding and show mpls forwarding-table to verify MPLS label bindings and forwarding decisions.

PE-CE Routing

In MPLS L3VPN, PE routers establish routing sessions with CE routers using various routing protocols (e.g., BGP, OSPF). Each VRF on the PE corresponds to a different customer and maintains a separate routing table.

  • Redistribution: PE routers may need to redistribute routes between the CE and the MPLS core.

Technical Tip: Be cautious with redistribution between VRFs and global routing tables to avoid routing loops. Always redistribute in one direction and verify before redistributing in the opposite direction.

MPLS Route Targets and VRFs

VRFs isolate customer routes, and RTs control route imports and exports between VRFs. VRFs are akin to Layer 3 VLANs, segregating customer routes while enabling overlapping prefixes.

  • Route Targets enable advanced VPN topologies, such as overlapping VPNs, where some sites may belong to multiple VPNs.

Technical Tip: Think of VRFs as Layer 3 VLANs, where routes are isolated but can be selectively shared using RTs.

MPLS LDP and Label Space

LDP uses different types of label spaces:

  1. Platform-wide label space: Labels are unique across the entire platform.
  2. Per-interface label space: Labels are unique per interface.

Technical Tip: Always configure LDP RIDs to ensure stable LDP sessions. Labels begin at 16 and can go up to 1048575.

MP-BGP VPNv4 and VPNv6

MPLS supports VPNv4 and VPNv6 address families using MP-BGP. The RD makes customer routes unique, while RTs control which VRF the routes are injected into. The 64-bit RD is composed of an ASN (or IPv4 address) and an administrator-assigned customer identifier, commonly written as ASN:nn.

Technical Tip: When configuring MPLS VPNs, ensure that RDs and RTs are correctly configured for each customer to avoid route overlap and misdirection.

Route Leaking and Extranet

MPLS supports route leaking between VRFs, enabling certain routes to be shared between isolated VRFs. This is useful for extranets where different companies or departments share some network resources.
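The RD and RT mechanics from the L3VPN, MP-BGP VPNv4 and route-leaking sections, worked as an added example that is not from the original post: two customers announce the same prefix, their VPNv4 NLRIs stay distinct thanks to the RDs, and a shared-services VRF is leaked to both through RTs. The ASN, RD/RT numbers and prefixes are constructed; the import logic is a simplified model of a receiving PE.

```python
import ipaddress
import struct

def rd_type0(asn, number):
    """Type-0 Route Distinguisher (RFC 4364): 2-byte type, 2-byte ASN, 4-byte number (64 bits)."""
    return struct.pack("!HHI", 0, asn, number)

def rt_ext_community(asn, number):
    """Route Target carried as a BGP extended community (RFC 4360): type 0x00, subtype 0x02."""
    return struct.pack("!BBHI", 0x00, 0x02, asn, number)

def vpnv4_nlri(rd, prefix):
    """VPNv4 NLRI: length byte (covers RD + prefix), 8-byte RD, then the IPv4 prefix octets."""
    net = ipaddress.ip_network(prefix)
    return bytes([64 + net.prefixlen]) + rd + net.network_address.packed[:(net.prefixlen + 7) // 8]

class Vrf:
    def __init__(self, name, rd, export_rts, import_rts):
        self.name, self.rd = name, rd
        self.export_rts, self.import_rts = frozenset(export_rts), frozenset(import_rts)
        self.table = {}                                   # prefix -> {originating VRF names}

    def export_route(self, prefix):
        """What the PE announces over MP-BGP: a unique NLRI tagged with the VRF's export RTs."""
        return vpnv4_nlri(self.rd, prefix), prefix, self.export_rts, self.name

def mp_bgp_import(vrfs, advertisements):
    """Receiving PE: a route is installed in every VRF whose import RTs intersect the route's RTs.
    The RD keeps overlapping prefixes distinct inside BGP; only the RTs decide placement."""
    seen = set()
    for nlri, prefix, rts, origin in advertisements:
        if nlri in seen:
            raise ValueError("duplicate VPNv4 NLRI: RDs must differ per customer")
        seen.add(nlri)
        for vrf in vrfs:
            if vrf.import_rts & rts:
                vrf.table.setdefault(prefix, set()).add(origin)
    return {vrf.name: vrf.table for vrf in vrfs}

def extranet_demo():
    """Two customers using the same 10.0.0.0/24, plus a shared-services VRF leaked to both."""
    rt_a, rt_b, rt_shared = (rt_ext_community(65000, n) for n in (1, 2, 100))
    cust_a = Vrf("CUST_A", rd_type0(65000, 1), [rt_a], [rt_a, rt_shared])
    cust_b = Vrf("CUST_B", rd_type0(65000, 2), [rt_b], [rt_b, rt_shared])
    shared = Vrf("SHARED", rd_type0(65000, 100), [rt_shared], [rt_shared, rt_a, rt_b])
    adverts = [cust_a.export_route("10.0.0.0/24"), cust_b.export_route("10.0.0.0/24"),
               shared.export_route("192.168.100.0/24")]
    return mp_bgp_import([cust_a, cust_b, shared], adverts)
```

The SHARED table shows the extranet caveat: once both customers' 10.0.0.0/24 are leaked into one VRF the RD no longer helps, and the shared VRF ends up with an ambiguous prefix, which is why overlapping address space must be resolved before leaking.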

Conclusion

MPLS is a powerful technology that simplifies packet forwarding and enables scalable VPN solutions for service providers. Key components like LDP, MP-BGP, RDs, and RTs allow networks to support complex topologies while maintaining route isolation.

Technical Tip: Regularly verify MPLS labels and paths using show mpls ip binding and show mpls forwarding-table.
