mpls cisco

Upload: maheshgajelli

Post on 13-Oct-2015


TRANSCRIPT

  • 5/22/2018 MPLS Cisco

    1/155

    2001, Cisco Systems, Inc. All rights reserved.

    MPLS Introduction

  • Agenda

    - Introduction to MPLS
    - LDP
    - MPLS VPN
    - Monitoring MPLS

  • MPLS Concept

    In Core:
    - Forward using labels (as opposed to IP addr)
    - Label indicates service class and destination

    At Edge:
    - Classify packets
    - Label them

    [Figure labels: Label Switch Router (LSR): Router, or ATM switch + Tag Switch Controller; Edge Label Switch Router (ATM Switch or Router); Label Distribution Protocol (LDP).]

  • MPLS concept

    MPLS: Multi Protocol Label Switching
    - Packet forwarding is done based on labels.
    - Labels are assigned when the packet enters the network.
    - Labels are on top of the packet.
    - MPLS nodes forward packets/cells based on the label value (not on the IP information).

  • MPLS concept

    MPLS allows:
    - Packet classification only where the packet enters the network.
    - The packet classification is encoded as a label.
    - In the core, packets are forwarded without having to re-classify them.
      - No further packet analysis
      - Label swapping

  • MPLS Operation

    1a. Existing routing protocols (e.g. OSPF, IS-IS) establish reachability to destination networks.
    1b. Label Distribution Protocol (LDP) establishes label to destination network mappings.
    2. Ingress Edge LSR receives packet, performs Layer 3 value-added services, and labels (PUSH) packets.
    3. LSR switches packets using label swapping (SWAP).
    4. Edge LSR at egress removes (POP) label and delivers packet.

  • Label Switch Path (LSP)

    - LSPs are derived from IGP routing information
    - LSPs may diverge from IGP shortest path
    - LSPs are unidirectional
      - Return traffic takes another LSP

    [Figure: two panels, "LSP follows IGP shortest path" and "LSP diverges from IGP shortest path", each showing an IGP domain with a label distribution protocol.]

  • Encapsulations

    [Figure: three encapsulations.]
    - PPP Header (Packet over SONET/SDH): PPP Header | Label Header | Layer 3 Header
    - ATM Cell Header: GFC, VPI, VCI, PTI, CLP, HEC, then DATA, with the Label marked within the cell header
    - LAN MAC Label Header: MAC Header | Label Header | Layer 3 Header

  • Label Header

    - Header = 4 bytes, Label = 20 bits.
    - Can be used over Ethernet, 802.3, or PPP links
    - Contains everything needed at forwarding time

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                Label                  | EXP |S|       TTL     |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Label = 20 bits
    EXP = Class of Service, 3 bits
    S = Bottom of Stack, 1 bit
    TTL = Time to Live, 8 bits
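The 4-byte label header above, decoded and encoded in Python. This is an added example, not code from the Cisco deck; `LabelEntry`, `parse_label_stack` and the `MAX_DEPTH` limit are names and choices made for this illustration, and the rejection of label 3 on the wire follows RFC 3032, which reserves it as the implicit null label that is only ever signalled.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

IMPLICIT_NULL = 3  # signalled between neighbors only; never valid in a received header
MAX_DEPTH = 8      # assumed sanity limit for this example, not a protocol constant


@dataclass(frozen=True)
class LabelEntry:
    label: int  # 20 bits
    exp: int    # 3 bits, class of service
    s: int      # 1 bit, bottom of stack
    ttl: int    # 8 bits

    def pack(self) -> bytes:
        """Encode one 32-bit label header in network byte order."""
        if not (0 <= self.label < 1 << 20 and 0 <= self.exp < 8
                and self.s in (0, 1) and 0 <= self.ttl < 256):
            raise ValueError("field out of range")
        word = (self.label << 12) | (self.exp << 9) | (self.s << 8) | self.ttl
        return struct.pack("!I", word)


def parse_label_stack(frame: bytes,
                      max_depth: int = MAX_DEPTH) -> Tuple[List[LabelEntry], bytes]:
    """Return (label stack, remaining payload) for bytes that follow the L2 header."""
    entries: List[LabelEntry] = []
    offset = 0
    while True:
        if len(entries) == max_depth:
            raise ValueError("label stack deeper than max_depth")
        if offset + 4 > len(frame):
            raise ValueError("truncated stack: bottom-of-stack bit never set")
        (word,) = struct.unpack_from("!I", frame, offset)
        entry = LabelEntry(word >> 12, (word >> 9) & 0x7, (word >> 8) & 0x1, word & 0xFF)
        if entry.label == IMPLICIT_NULL:
            raise ValueError("implicit null label (3) present on the wire")
        entries.append(entry)
        offset += 4
        if entry.s:  # S = 1 marks the last header before the Layer 3 packet
            return entries, frame[offset:]


if __name__ == "__main__":
    # Constructed frame: outer label 47, inner label 25 (bottom of stack), then payload.
    frame = LabelEntry(47, 0, 0, 255).pack() + LabelEntry(25, 0, 1, 6).pack() + b"IP..."
    stack, payload = parse_label_stack(frame)
    for e in stack:
        print(e)
    print(payload)
```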

  • Loops and TTL

    - In IP networks TTL is used to prevent packets from travelling indefinitely in the network
    - MPLS may use same mechanism as IP, but not on all encapsulations
      - TTL is present in the label header for PPP and LAN headers (shim headers)
      - ATM cell header does not have TTL

  • Loops and TTL

    - TTL is decremented prior to entering the non-TTL-capable LSP
      - If TTL is 0 the packet is discarded at the ingress point
    - TTL is examined at the LSP exit

    [Figure: IGP domain with a label distribution protocol, LSR-1 to LSR-6, with LSR-6 marked Egress and the annotation "LSR-6 --> 25, Hops=4". An IP packet is shown with TTL = 10; the other packets are shown with TTL = 6, three of them carrying Label = 25, Label = 39 and Label = 21.]

  • Label Assignment and Distribution

    - Labels have link-local significance:
      - Each LSR binds its own label mappings
      - Each LSR assigns labels to its FECs
    - Labels are assigned and exchanged between adjacent neighboring LSRs

  • Label Assignment and Distribution

    Upstream and Downstream LSRs

    - Rtr-C is the downstream neighbor of Rtr-B for destination 171.68.10/24
    - Rtr-B is the downstream neighbor of Rtr-A for destination 171.68.10/24
    - LSRs know their downstream neighbors through the IP routing protocol
      - Next-hop address is the downstream neighbor

    [Figure: Rtr-A, Rtr-B and Rtr-C in a chain, with networks 171.68.10/24 and 171.68.40/24.]

  • Unsolicited Downstream Distribution

    - LSRs distribute labels to the upstream neighbors

    [Figure: Rtr-A, Rtr-B and Rtr-C in a chain, with networks 171.68.10/24 and 171.68.40/24 and IGP derived routes. Advertisements shown: "Use label 40 for destination 171.68.10/24" and "Use label 30 for destination 171.68.10/24".]

    Next-Hop tables, one per router:

      Router  In I/F  In Lab  Address Prefix  Out I/F  Out Lab
      Rtr-A   0       -       171.68.10       1        30
              ...     ...     ...             ...      ...
      Rtr-B   0       30      171.68.10       1        40
              ...     ...     ...             ...      ...
      Rtr-C   0       40      171.68.10       1        -
              ...     ...     ...             ...      ...

  • On-Demand Downstream Distribution

    - Upstream LSRs request labels from downstream neighbors
    - Downstream LSRs distribute labels upon request

    [Figure: Rtr-A, Rtr-B and Rtr-C in a chain, with networks 171.68.10/24 and 171.68.40/24. Messages shown: "Request label for destination 171.68.10/24" (twice), "Use label 30 for destination 171.68.10/24" and "Use label 40 for destination 171.68.10/24".]

  • Label Retention Modes

    Liberal retention mode
    - LSR retains labels from all neighbors
      - Improves convergence time, when next-hop is again available after IP convergence
      - Requires more memory and label space

    Conservative retention mode
    - LSR retains labels only from next-hop neighbors
      - LSR discards all labels for FECs without next-hop
      - Frees memory and label space

  • Label Distribution Modes

    Independent LSP control
    - LSR binds a label to a FEC independently, whether or not the LSR has received a label from the next-hop for the FEC
    - The LSR then advertises the label to its neighbor

    Ordered LSP control
    - LSR only binds and advertises a label for a particular FEC if:
      - it is the egress LSR for that FEC, or
      - it has already received a label binding from its next-hop

  • Router Example: Forwarding Packets

    Packets Forwarded Based on IP Address

    [Figure: three routers in a chain toward networks 128.89 and 171.69, with interfaces numbered 0 and 1. The packet "128.89.25.4 | Data" is shown at each hop.]

    Routing tables, in the order they appear:

      Address Prefix  I/F
      128.89          1
      171.69          1

      Address Prefix  I/F
      128.89          0
      171.69          1

      Address Prefix  I/F
      128.89          0

  • MPLS Example: Routing Information

    Routing Updates (OSPF, EIGRP, ...):
    - "You Can Reach 128.89 and 171.69 Thru Me"
    - "You Can Reach 171.69 Thru Me"
    - "You Can Reach 128.89 Thru Me"

    [Figure: the same three routers toward networks 128.89 and 171.69, with interfaces numbered 0 and 1.]

    Tables, in the order they appear (the In Label and Out Label columns are present but not yet filled):

      In Label  Address Prefix  Out Iface  Out Label
                128.89          1
                171.69          1

      In Label  Address Prefix  Out Iface  Out Label
                128.89          0
                171.69          1

      In Label  Address Prefix  Out Iface  Out Label
                128.89          0

  • MPLS Example: Assigning Labels

    Label Distribution Protocol (LDP) (downstream allocation):
    - "Use Label 4 for 128.89 and Use Label 5 for 171.69"
    - "Use Label 7 for 171.69"
    - "Use Label 9 for 128.89"

    [Figure: the same three routers toward networks 128.89 and 171.69, with interfaces numbered 0 and 1.]

    Tables, in the order they appear:

      In Label  Address Prefix  Out Iface  Out Label
      -         128.89          1          4
      -         171.69          1          5

      In Label  Address Prefix  Out Iface  Out Label
      4         128.89          0          9
      5         171.69          1          7

      In Label  Address Prefix  Out Iface  Out Label
      9         128.89          0          -

  • MPLS Example: Forwarding Packets

    Label Switch Forwards Based on Label

    [Figure: the same three routers toward network 128.89, with interfaces numbered 0 and 1. The packet "128.89.25.4 | Data" is shown unlabeled, with label 4, and with label 9.]

    Tables, in the order they appear:

      In Label  Address Prefix  Out Iface  Out Label
      -         128.89          1          4
      -         171.69          1          5

      In Label  Address Prefix  Out Iface  Out Label
      4         128.89          0          9
      5         171.69          1          7

      In Label  Address Prefix  Out Iface  Out Label
      9         128.89          0          -

  • Agenda

    - Introduction to MPLS
    - LDP
    - MPLS VPN
    - Monitoring MPLS

  • MPLS Unicast IP Routing

    - MPLS introduces a new field that is used for forwarding decisions.
    - Although labels are locally significant, they have to be advertised to directly reachable peers.
      - One option would be to include this parameter in existing IP routing protocols.
      - The other option is to create a new protocol to exchange labels.
    - The second option has been used because there are too many existing IP routing protocols that would have to be modified to carry labels.

  • Label Distribution Protocol

    - Defined in RFC 3036 and 3037
    - Used to distribute labels in an MPLS network
    - Forwarding equivalence class
      - How packets are mapped to LSPs (Label Switched Paths)
    - Advertise labels per FEC
      - Reach destination a.b.c.d with label x
    - Neighbor discovery
      - Basic and extended discovery

  • MPLS Unicast IP Routing Architecture

    [Figure: an LSR split into a control plane and a data plane. Control plane: routing protocol (exchange of routing information), IP routing table, label distribution protocol (exchange of labels). Data plane: IP forwarding table (incoming and outgoing IP packets) and label forwarding table (incoming and outgoing labeled packets).]

  • MPLS Unicast IP Routing: Example

    [Figure: an LSR with a control plane (OSPF, RT, LIB) and a data plane (FIB, LFIB). OSPF carries 10.0.0.0/8; the entry "10.0.0.0/8 1.2.3.4" appears in the tables; packets for 10.1.1.1 are shown in the data plane, one of them labeled L=5.]

  • MPLS Unicast IP Routing: Example

    [Figure: the same LSR with a control plane (OSPF, RT, LIB) and a data plane (FIB, LFIB). OSPF carries 10.0.0.0/8 and the entry "10.0.0.0/8 1.2.3.4" appears in the tables. LDP messages shown: "LDP: 10.0.0.0/8, L=3" and "LDP: 10.0.0.0/8, L=5". LIB entry: "10.0.0.0/8 Next-hop L=3, Local L=5". The forwarding entries gain ", L=3" and the LFIB maps L=5 to L=3; packets for 10.1.1.1 are shown with L=5 on the way in and L=3 on the way out.]

  • Label Allocation in Packet-Mode MPLS Environment

    Label allocation and distribution in packet-mode MPLS environment follows these steps:

    1. IP routing protocols build the IP routing table.
    2. Each LSR assigns a label to every destination in the IP routing table independently.
    3. LSRs announce their assigned labels to all other LSRs.
    4. Every LSR builds its LIB, LFIB data structures based on received labels.

  • Building the IP Routing Table

    - IP routing protocols are used to build IP routing tables on all LSRs.
    - Forwarding tables (FIB) are built based on IP routing tables with no labeling information.

    [Figure: LSRs A, B, C, D and E; Network X.]

    Routing table of A
      Network  Next-hop
      X        B

    Routing table of B
      Network  Next-hop
      X        C

    Routing table of C
      Network  Next-hop
      X        D

    Routing table of E
      Network  Next-hop
      X        C

    FIB on A
      Network  Next hop  Label
      X        B

  • Allocating Labels

    - Every LSR allocates a label for every destination in the IP routing table.
    - Labels have local significance.
    - Label allocations are asynchronous.

    [Figure: LSRs A, B, C, D and E; Network X.]

    Routing table of B
      Network  Next-hop
      X        C

    Router B assigns label 25 to destination X.

  • LIB and LFIB Set-up

    - LIB and LFIB structures have to be initialized on the LSR allocating the label.

    [Figure: LSRs A, B, C, D and E; Network X.]

    Routing table of B
      Network  Next-hop
      X        C

    Router B assigns label 25 to destination X.

    LIB on B
      Network  LSR    Label
      X        local  25

    Local label is stored in LIB.

    LFIB on B
      Label  Action  Next hop
      25     pop     C

    Outgoing action is POP as B has received no label for X from C.

  • Label Distribution

    - The allocated label is advertised to all neighbor LSRs, regardless of whether the neighbors are upstream or downstream LSRs for the destination.

    [Figure: LSRs A, B, C, D and E; Network X. Two advertisements "X = 25" are shown.]

    LIB on B
      Network  LSR    Label
      X        local  25

  • Receiving Label Advertisement

    - Every LSR stores the received label in its LIB.
    - Edge LSRs that receive the label from their next-hop also store the label information in the FIB.

    [Figure: LSRs A, B, C, D and E; Network X. Two advertisements "X = 25" are shown.]

    LIB on A
      Network  LSR  Label
      X        B    25

    LIB on C
      Network  LSR  Label
      X        B    25

    LIB on E
      Network  LSR  Label
      X        B    25

    FIB on A
      Network  Next hop  Label
      X        B         25

  • Interim Packet Propagation

    - Forwarded IP packets are labeled only on the path segments where the labels have already been assigned.

    [Figure: LSRs A, B, C and E. The packet is shown as "IP: X", then "Lab: 25", then "IP: X".]

    FIB on A
      Network  Next hop  Label
      X        B         25

    IP lookup is performed in FIB, packet is labeled.

    LFIB on B
      Label  Action  Next hop
      25     pop     C

    Label lookup is performed in LFIB, label is removed.

  • Further Label Allocation

    - Every LSR will eventually assign a label for every destination.

    [Figure: LSRs A, B, C, D and E; Network X. Advertisement "X = 47" is shown.]

    Router C assigns label 47 to destination X.

    LIB on C
      Network  LSR    Label
      X        B      25
               local  47

    LFIB on C
      Label  Action  Next hop
      47     pop     D

  • Receiving Label Advertisement

    - Every LSR stores received information in its LIB.
    - LSRs that receive their label from their next-hop LSR will also populate the IP forwarding table (FIB).

    [Figure: LSRs A, B, C, D and E; Network X. Advertisement "X = 47" is shown.]

    LIB on E
      Network  LSR  Label
      X        B    25
               C    47

    LIB on B
      Network  LSR    Label
      X        local  25
               C      47

    FIB on B
      Network  Next hop  Label
      X        C         47

    FIB on E
      Network  Next hop  Label
      X        C         47

  • Populating LFIB

    - Router B has already assigned label to X and created an entry in LFIB.
    - Outgoing label is inserted in LFIB after the label is received from the next-hop LSR.

    [Figure: LSRs A, B, C, D and E; Network X. Advertisement "X = 47" is shown.]

    LIB on B
      Network  LSR    Label
      X        local  25
               C      47

    FIB on B
      Network  Next hop  Label
      X        C         47

    LFIB on B
      Label  Action  Next hop
      25     47      C

  • Packet Propagation Across MPLS Network

    [Figure: LSRs A, B, C and E, with an Ingress LSR and an Egress LSR marked. The packet is shown as "IP: X", then "Lab: 25", then "Lab: 47", then "IP: X".]

    FIB on A
      Network  Next hop  Label
      X        B         25

    IP lookup is performed in FIB, packet is labeled.

    LFIB on B
      Label  Action  Next hop
      25     47      C

    Label lookup is performed in LFIB, label is switched.

    LFIB on C
      Label  Action  Next hop
      47     pop     D

    Label lookup is performed in LFIB, label is removed.

  • Steady State Description

    - After the LSRs have exchanged the labels, LIB, LFIB and FIB data structures are completely populated.

    [Figure: LSRs A, B, C, D and E; Network X.]

    Routing table of B
      Network  Next-hop
      X        C

    FIB on B
      Network  Next hop  Label
      X        C         47

    LIB on B
      Network  LSR    Label
      X        local  25
               C      47
               E      75

    LFIB on B
      Label  Action  Next hop
      25     47      C

    Convergence in Packet-mode MPLS

  • Link Failure Actions

    - Routing protocol neighbors and LDP neighbors are lost after a link failure.
    - Entries are removed from various data structures.

    [Figure: LSRs A, B, C, D and E; Network X.]

    Routing table of B
      Network  Next-hop
      X        C

    FIB on B
      Network  Next hop  Label
      X        C         47

    LIB on B
      Network  LSR    Label
      X        local  25
               C      47
               E      75

    LFIB on B
      Label  Action  Next hop
      25     47      C

  • Routing Protocol Convergence

    - Routing protocols rebuild the IP routing table and the IP forwarding table.

    [Figure: LSRs A, B, C, D and E; Network X.]

    LIB on B
      Network  LSR    Label
      X        local  25
               C      47
               E      75

    LFIB on B
      Label  Action  Next hop
      25     47      C

    FIB on B
      Network  Next hop  Label
      X        E

    Routing table of B
      Network  Next-hop
      X        E

  • MPLS Convergence

    - LFIB and labeling information in FIB are rebuilt immediately after the routing protocol convergence, based on labels stored in LIB.

    [Figure: LSRs A, B, C, D and E; Network X.]

    LIB on B
      Network  LSR    Label
      X        local  25
               C      47
               E      75

    Routing table of B
      Network  Next-hop
      X        E

    LFIB on B
      Label  Action  Next hop
      25     75      E

    FIB on B
      Network  Next hop  Label
      X        E         75

  • MPLS Convergence After a Link Failure

    - MPLS convergence in packet-mode MPLS does not impact the overall convergence time.
    - MPLS convergence occurs immediately after the routing protocol convergence, based on labels already stored in LIB.

  • Link Recovery Actions

    - Routing protocol neighbors are discovered after link recovery.

    [Figure: LSRs A, B, C, D and E; Network X.]

    LIB on B
      Network  LSR    Label
      X        local  25
               C      47
               E      75

    Routing table of B
      Network  Next-hop
      X        E

    LFIB on B
      Label  Action  Next hop
      25     75      E

    FIB on B
      Network  Next hop  Label
      X        E         75

    IP Routing Convergence After Link

  • IP Routing Convergence After Link Recovery

    - IP routing protocols rebuild the IP routing table.
    - FIB and LFIB are also rebuilt, but the label information might be lacking.

    [Figure: LSRs A, B, C, D and E; Network X. Overlay annotations on the tables: "C", "C" and "pop C".]

    LIB on B
      Network  LSR    Label
      X        local  25
               C      47
               E      75

    LFIB on B
      Label  Action  Next hop
      25     75      E

    FIB on B
      Network  Next hop  Label
      X        E         75

    Routing table of B
      Network  Next-hop
      X        E

  • MPLS Convergence After a Link Recovery

    - Routing protocol convergence optimizes the forwarding path after a link recovery.
    - LIB might not contain the label from the new next-hop by the time the IP convergence is complete.
    - End-to-end MPLS connectivity might be intermittently broken after link recovery.
    - Use MPLS Traffic Engineering for make-before-break recovery.
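Router B's tables from the steady-state, link-failure and link-recovery slides above, replayed as a small Python model. This is an added example, not code from the Cisco deck: the `LSR` class and `replay_router_b` are names invented here, and dropping a lost neighbor's LIB entries is this example's reading of "entries are removed from various data structures".

```python
class LSR:
    """LIB, FIB and LFIB of one LSR, using liberal label retention."""

    def __init__(self, name):
        self.name = name
        self.routes = {}  # network -> next-hop LSR (what the IGP installed)
        self.lib = {}     # network -> {"local" or neighbor name: label}

    def bind(self, network, source, label):
        """Store a label in the LIB; source is "local" or the advertising neighbor."""
        self.lib.setdefault(network, {})[source] = label

    def set_route(self, network, next_hop):
        self.routes[network] = next_hop

    def neighbor_lost(self, neighbor):
        """Link failure: drop routes via the neighbor and the labels it advertised
        (assumption of this example, see the lead-in)."""
        self.routes = {n: nh for n, nh in self.routes.items() if nh != neighbor}
        for bindings in self.lib.values():
            bindings.pop(neighbor, None)

    def fib(self):
        """network -> (next hop, outgoing label, or None when none was received)."""
        return {n: (nh, self.lib.get(n, {}).get(nh)) for n, nh in self.routes.items()}

    def lfib(self):
        """local label -> (outgoing label or "pop", next hop)."""
        table = {}
        for network, next_hop in self.routes.items():
            bindings = self.lib.get(network, {})
            if "local" in bindings:
                # No label from the current next hop yet: the action falls back to pop.
                out = bindings.get(next_hop, "pop")
                table[bindings["local"]] = (out, next_hop)
        return table


def replay_router_b():
    """Walk router B through steady state, link failure and link recovery."""
    b = LSR("B")
    b.bind("X", "local", 25)
    b.bind("X", "C", 47)
    b.bind("X", "E", 75)   # retained although E is not the next hop
    b.set_route("X", "C")
    steps = [("steady state", b.fib(), b.lfib())]

    b.neighbor_lost("C")
    steps.append(("link to C fails", b.fib(), b.lfib()))

    b.set_route("X", "E")  # IGP converges; E's label is already in the LIB
    steps.append(("IGP converges via E", b.fib(), b.lfib()))

    b.set_route("X", "C")  # link is back, IGP prefers C, LDP has not caught up
    steps.append(("link recovers, IGP back via C", b.fib(), b.lfib()))

    b.bind("X", "C", 47)
    steps.append(("LDP label from C arrives", b.fib(), b.lfib()))
    return steps


if __name__ == "__main__":
    for name, fib, lfib in replay_router_b():
        print(f"{name:32} FIB={fib} LFIB={lfib}")
```

The fourth step is the window the last slide warns about: B forwards toward C with a pop action because C's label is not yet in the LIB.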

  • LDP Session Establishment

    - LDP and TDP use a similar process to establish a session:
      - Hello messages are periodically sent on all interfaces enabled for MPLS.
      - If there is another router on that interface it will respond by trying to establish a session with the source of the hello messages.
    - UDP is used for hello messages. It is targeted at the "all routers on this subnet" multicast address (224.0.0.2).
    - TCP is used to establish the session.
    - Both TCP and UDP use well-known LDP port number 646 (711 for TDP).

  • LDP Neighbor Discovery

    [Figure: four routers on one segment: MPLS_A (1.0.0.1), MPLS_B (1.0.0.2), NO_MPLS_C (1.0.0.3) and MPLS_D (1.0.0.4).]

    UDP: Hello(1.0.0.1:1050 224.0.0.2:646)
    UDP: Hello(1.0.0.4:1033 224.0.0.2:646)
    UDP: Hello(1.0.0.2:1064 224.0.0.2:646)
    UDP: Hello(1.0.0.1:1051 224.0.0.2:646)
    UDP: Hello(1.0.0.4:1034 224.0.0.2:646)
    UDP: Hello(1.0.0.2:1065 224.0.0.2:646)
    UDP: Hello(1.0.0.1:1052 224.0.0.2:646)
    UDP: Hello(1.0.0.4:1035 224.0.0.2:646)
    UDP: Hello(1.0.0.2:1066 224.0.0.2:646)

    - LDP session is established from the router with higher IP address.
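A monitoring check built on the discovery behaviour above: it reads hello records in the slide's notation, reports hello sources that are not on the list of expected LDP neighbors, reports expected neighbors that stayed silent, and applies the higher-address rule to say which side opens the TCP session. This is an added example, not code from the Cisco deck; `audit_hellos`, `session_initiator` and the sample lines are constructed for this illustration.

```python
import ipaddress
import re

# Matches the hello notation used on the neighbor-discovery slide.
HELLO_RE = re.compile(
    r"UDP: Hello\((\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\)"
)
ALL_ROUTERS = ipaddress.ip_address("224.0.0.2")
LDP_PORT = 646

# Constructed sample: the slide's three LDP speakers plus one hello from 1.0.0.3,
# the address the slide labels NO_MPLS_C, which is not expected to send any.
SAMPLE_HELLOS = [
    "UDP: Hello(1.0.0.1:1050 224.0.0.2:646)",
    "UDP: Hello(1.0.0.4:1033 224.0.0.2:646)",
    "UDP: Hello(1.0.0.2:1064 224.0.0.2:646)",
    "UDP: Hello(1.0.0.3:1099 224.0.0.2:646)",
    "UDP: Hello(1.0.0.1:1051 224.0.0.2:646)",
]


def audit_hellos(lines, expected_peers):
    """Compare basic-discovery hello sources with the expected neighbor list."""
    expected = {ipaddress.ip_address(p) for p in expected_peers}
    seen = set()
    for line in lines:
        match = HELLO_RE.search(line)
        if not match:
            continue  # not a hello record
        src = ipaddress.ip_address(match.group(1))
        dst = ipaddress.ip_address(match.group(3))
        # Only multicast hellos to the LDP port count as basic discovery.
        if dst == ALL_ROUTERS and int(match.group(4)) == LDP_PORT:
            seen.add(src)
    return {
        "unexpected": [str(a) for a in sorted(seen - expected)],
        "silent": [str(a) for a in sorted(expected - seen)],
    }


def session_initiator(peer_a, peer_b):
    """The router with the higher IP address establishes the LDP session."""
    a, b = ipaddress.ip_address(peer_a), ipaddress.ip_address(peer_b)
    return str(max(a, b))


if __name__ == "__main__":
    print(audit_hellos(SAMPLE_HELLOS, ["1.0.0.1", "1.0.0.2", "1.0.0.4"]))
    print(session_initiator("1.0.0.1", "1.0.0.2"))
```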

  • LDP Session Negotiation

    - Peers first exchange initialization messages.
    - The session is ready to exchange label mappings after receiving the first keepalive.

    [Figure: message exchange between MPLS_A (1.0.0.1) and MPLS_B (1.0.0.2). Messages shown: Establish TCP session, Initialization message (twice), Keepalive (twice).]

  • Double Lookup Scenario

    - Double lookup is not an optimal way of forwarding labeled packets.
    - A label can be removed one hop earlier.

    [Figure: MPLS domain of four routers toward 10.0.0.0/8. Label advertisements shown: "10.0.0.0/8 L=19", "10.0.0.0/8 L=18", "10.0.0.0/8 L=17". The packet is shown as "10.1.1.1", then "17 | 10.1.1.1", then "18 | 10.1.1.1", then "19 | 10.1.1.1".]

    Tables per router:

      LFIB           FIB
      35  17         10/8  NH, 17
      17  18         10/8  NH, 18
      18  19         10/8  NH, 19
      19  untagged   10/8  NH

    Double lookup is needed:
    1. LFIB: remove the label.
    2. FIB: forward the IP packet based on IP next-hop address.

  • Penultimate Hop Popping

    - A label is removed on the router before the last hop within an MPLS domain.

    [Figure: MPLS domain of four routers toward 10.0.0.0/8. Label advertisements shown: "10.0.0.0/8 L=pop", "10.0.0.0/8 L=18", "10.0.0.0/8 L=17". The packet is shown as "10.1.1.1", then "17 | 10.1.1.1", then "18 | 10.1.1.1", then "10.1.1.1".]

    Tables per router:

      LFIB           FIB
      35  17         10/8  NH, 17
      17  18         10/8  NH, 18
      18  pop        10/8  NH, 19
                     10/8  NH

    - One single lookup.
    - Pop or implicit null label is advertised.

  • Penultimate Hop Popping

    - Penultimate hop popping optimizes MPLS performance (one less LFIB lookup).
    - PHP does not work on ATM (VPI/VCI cannot be removed).
    - Pop or implicit null label uses value 3 when being advertised to a neighbor.

  • LDP Messages

    - Discovery messages
      - Used to discover and maintain the presence of new peers
      - Hello packets (UDP) sent to all-routers multicast address
      - Once neighbor is discovered, the LDP session is established over TCP

  • LDP Messages

    - Session messages
      - Establish, maintain and terminate LDP sessions
    - Advertisement messages
      - Create, modify, delete label mappings
    - Notification messages
      - Error signalling

  • Agenda

    - Introduction to MPLS
    - LDP
    - MPLS VPN
    - Monitoring MPLS

  • What Is a VPN?

    - VPN is a set of sites which are allowed to communicate with each other.
    - VPN is defined by a set of administrative policies
      - Policies determine both connectivity and QoS among sites.
      - Policies established by VPN customers.
      - Policies could be implemented completely by VPN service providers.
        - Using BGP/MPLS VPN mechanisms

  • What Is a VPN? (Cont.)

    - Flexible inter-site connectivity
      - Ranging from complete to partial mesh
    - Sites may be either within the same or in different organizations
      - VPN can be either intranet or extranet
    - Site may be in more than one VPN
      - VPNs may overlap
    - Not all sites have to be connected to the same service provider
      - VPN can span multiple providers

  • IP VPN Taxonomy

    [Figure: taxonomy tree. Node labels: IP VPNs; DIAL; DEDICATED; Client-Initiated; NAS-Initiated; IP Tunnel; Virtual Circuit; Network-Based VPNs; Security Appliance; Router; FR; ATM; RFC 2547; Virtual Router.]

  • MPLS-VPN Terminology

    - Provider Network (P-Network)
      - The backbone under control of a Service Provider
    - Customer Network (C-Network)
      - Network under customer control
    - CE router
      - Customer Edge router. Part of the C-network and interfaces to a PE router

  • MPLS-VPN Terminology

    - Site
      - Set of (sub)networks part of the C-network and co-located
      - A site is connected to the VPN backbone through one or more PE/CE links
    - PE router
      - Provider Edge router. Part of the P-Network and interfaces to CE routers
    - P router
      - Provider (core) router, without knowledge of VPN

  • MPLS-VPN Terminology

    - Route-Target
      - 64 bits identifying routers that should receive the route
    - Route Distinguisher
      - Attributes of each route used to uniquely identify prefixes among VPNs (64 bits)
      - VRF based (not VPN based)
    - VPN-IPv4 addresses
      - Address including the 64-bit Route Distinguisher and the 32-bit IP address

  • MPLS-VPN Terminology

    - VRF
      - VPN Routing and Forwarding Instance
      - Routing table and FIB table
      - Populated by routing protocol contexts
    - VPN-Aware network
      - A provider backbone where MPLS-VPN is deployed

  • MPLS VPN Connection Model

    - A VPN is a collection of sites sharing common routing information (routing table)
    - A site can be part of different VPNs
    - A VPN has to be seen as a community of interest (or Closed User Group)
    - Multiple Routing/Forwarding instances (VRF) on PE routers

  • MPLS VPN Connection Model

    - A site belonging to different VPNs may or MAY NOT be used as a transit point between VPNs
    - If two or more VPNs have a common site, address space must be unique among these VPNs

    [Figure: Site-1, Site-2, Site-3 and Site-4 grouped into VPN-A, VPN-B and VPN-C.]

  • MPLS VPN Connection Model

    - The VPN backbone is composed of MPLS LSRs
      - PE routers (edge LSRs)
      - P routers (core LSRs)
    - PE routers face CE routers and distribute VPN information through MP-BGP to other PE routers
      - VPN-IPv4 addresses, Extended Community, Label
    - P routers do not run BGP and do not have any VPN knowledge

  • MPLS VPN Connection Model

    [Figure: a core of P routers surrounded by PE routers, with iBGP sessions between the PE routers. CE routers attach sites labeled VPN_A and VPN_B, with networks 10.1.0.0, 10.2.0.0, 10.3.0.0, 11.5.0.0 and 11.6.0.0.]

    - P routers (LSRs) are in the core of the MPLS cloud
    - PE routers use MPLS with the core and plain IP with CE routers
    - P and PE routers share a common IGP
    - PE routers are MP-iBGP fully meshed

  • MPLS VPN Connection Model

    - PE and CE routers exchange routing information through:
      - EBGP, OSPF, RIPv2, Static routing
    - CE routers run standard routing software

    [Figure: a PE router connected to CE routers at Site-1 and Site-2; the PE-CE links are labeled "EBGP, OSPF, RIPv2, Static".]

    MPLS VPN Connection Model

    PE routers maintain separate routing tables

    The global routing table

    - With all PE and P routes

    - Populated by the VPN backbone IGP (ISIS or OSPF)

    VRF (VPN Routing and Forwarding)

    - Routing and Forwarding table associated with one or more directly connected sites (CEs)

    - VRFs are associated to (sub/virtual/tunnel) interfaces

    - Interfaces may share the same VRF if the connected sites may share the same routing information

    [Diagram: a PE router and the CE routers of Site-1 and Site-2, with the VPN backbone IGP (OSPF, ISIS) towards the core and EBGP, OSPF, RIPv2 or static routing on the PE-CE links]

    MPLS VPN Connection Model

    The routes the PE receives from CE routers are installed in the appropriate VRF

    The routes the PE receives through the backbone IGP are installed in the global routing table

    By using separate VRFs, addresses need NOT be unique among VPNs

    [Diagram: a PE router and the CE routers of Site-1 and Site-2, with the VPN backbone IGP towards the core and EBGP, OSPF, RIPv2 or static routing on the PE-CE links]

    MPLS VPN Connection Model

    The Global Routing Table is populated by IGP protocols.

    In PE routers it may contain the BGP Internet routes (standard BGP-4 routes)

    BGP-4 (IPv4) routes go into the global routing table

    MP-BGP (VPN-IPv4) routes go into VRFs

    MPLS VPN Connection Model

    [Diagram: two PE routers joined across P routers by the VPN backbone IGP, with an iBGP session between the PEs]

    PE and P routers share a common IGP (ISIS or OSPF)

    PEs establish MP-iBGP sessions between them

    PEs use MP-BGP to exchange routing information related to the connected sites and VPNs

    - VPN-IPv4 addresses, Extended Community, Label

    MPLS VPN Connection Model

    PE routers receive IPv4 updates (EBGP, RIPv2, Static)

    PE routers translate into VPN-IPv4

    - Assign a SOO and RT based on configuration

    - Re-write Next-Hop attribute

    - Assign a label based on VRF and/or interface

    - Send MP-iBGP update to all PE neighbors

    [Diagram: CE-1, PE-1, P routers (VPN backbone IGP), PE-2 and CE-2 connecting Site-1 and Site-2, with these annotations]

    - BGP, RIPv2 update for Net1, Next-Hop=CE-1

    - VPN-IPv4 update: RD:Net1, Next-hop=PE-1, SOO=Site1, RT=Green, Label=(intCE1)

    - VPN-IPv4 update is translated into IPv4 address (Net1), put into VRF green since RT=Green, and advertised to CE-2

    MPLS VPN Connection Model

    Receiving PEs translate to IPv4

    - Insert the route into the VRF identified by the RT attribute (based on PE configuration)

    The label associated to the VPN-IPv4 address will be set on packets forwarded towards the destination

    [Diagram: CE-1, PE-1, P routers (VPN backbone IGP), PE-2 and CE-2 connecting Site-1 and Site-2, with these annotations]

    - BGP, OSPF, RIPv2 update for Net1, Next-Hop=CE-1

    - VPN-IPv4 update: RD:Net1, Next-hop=PE-1, SOO=Site1, RT=Green, Label=(intCE1)

    - VPN-IPv4 update is translated into IPv4 address (Net1), put into VRF green since RT=Green, and advertised to CE-2

    MPLS VPN Connection Model

    Route distribution to sites is driven by the Site of Origin (SOO) and Route-target attributes

    - BGP Extended Community attribute

    A route is installed in the site VRF corresponding to the Route-target attribute

    - Driven by PE configuration

    A PE which connects sites belonging to multiple VPNs will install the route into the site VRF if the Route-target attribute contains one or more VPNs to which the site is associated

    MPLS VPN Connection Model

    MP-BGP Update

    VPN-IPv4 address

    - Route Distinguisher (64 bits)

      Makes the IPv4 route globally unique

      RD is configured in the PE for each VRF

      RD may or may not be related to a site or a VPN

    - IPv4 address (32 bits)

    Extended Community attribute (64 bits)

    - Site of Origin (SOO): identifies the originating site

    - Route-target (RT): identifies the set of sites the route has to be advertised to

    MPLS VPN Connection Model

    MP-BGP Update

    Any other standard BGP attribute

    - Local Preference

    - MED

    - Next-hop

    - AS_PATH

    - Standard Community

    - ...

    A Label identifying:

    - The outgoing interface

    - The VRF where a lookup has to be done

    The BGP label will be the second label in the label stack of packets travelling in the core

    MPLS VPN Connection Model


    MP-BGP Update - Extended community

    BGP extended community attribute

    Structured, to support multiple applications

    64 bits for increased range

    General form

    ::

    Registered AS number::

    Registered IP address

    MPLS VPN Connection Model

    MP-BGP Update - Extended community

    The Extended Community is used to:

    - Identify one or more routers where the route has been originated (site): Site of Origin (SOO)

    - Select sites which should receive the route: Route-Target

    MPLS VPN Connection Model

    MP-BGP Update

    The Label can be assigned only by the router whose address is the Next-Hop attribute

    - PE routers re-write the Next-Hop with their own address (loopback interface address)

    - Next-Hop-Self BGP command towards iBGP neighbors

    - Loopback addresses are advertised into the backbone IGP

    PE addresses used as BGP Next-Hop must be uniquely known in the backbone IGP

    - No summarisation of loopback addresses in the core

    MPLS Forwarding

    Packet forwarding

    PE and P routers have BGP next-hop reachability through the backbone IGP

    Labels are distributed through LDP (hop-by-hop) corresponding to BGP Next-Hops

    Label Stack is used for packet forwarding

    - Top label indicates BGP Next-Hop (interior label)

    - Second level label indicates outgoing interface or VRF (exterior label)

    MPLS Forwarding

    Penultimate Hop Popping

    [Diagram: routers CE1, CE2, CE3, PE1, PE2, P1 and P2, showing the packet at each stage of the path from PE1 to PE2]

    PE1 receives IP packet

    - Lookup is done on site VRF

    - BGP route with Next-Hop and Label is found

    - BGP next-hop (PE2) is reachable through IGP route with associated label

    - Packet shown as: IGP Label(PE2), VPN Label, IP packet

    P routers switch the packets based on the IGP label (label on top of the stack)

    - Packet shown as: IGP Label(PE2), VPN Label, IP packet

    Penultimate Hop Popping

    - P2 is the penultimate hop for the BGP next-hop

    - P2 removes the top label

    - This has been requested through LDP by PE2

    - Packet shown as: VPN Label, IP packet

    PE2 receives the packets with the label corresponding to the outgoing interface (VRF)

    - One single lookup

    - Label is popped and packet sent to IP neighbor

    - Packet shown as: IP packet

    Packet Forwarding Example 1

    [Diagram: P routers in the core, PE routers (including PE1 and PE2) at the edge, CE routers attaching VPN_A and VPN_B sites (networks 10.1.0.0, 10.2.0.0, 10.3.0.0, 11.5.0.0 and 11.6.0.0); a Data packet enters from a CE router]

    VPN route entries on the ingress PE, each with its exterior and interior label:

    - iBGP next hop PE1: T1 T7

    - iBGP next hop PE2: T2 T8

    - iBGP next hop PE3: T3 T9

    - iBGP next hop PE1: T4 T7

    - iBGP next hop PE4: T5 TB

    - iBGP next hop PE4: T6 TB

    - iBGP next hop PE2: T7 T8

    Ingress PE receives normal IP packets from the CE router

    PE router does an IP Longest Match from the VPN_B FIB, finds iBGP next hop PE2 (entry: iBGP NH=PE2, T2 T8) and imposes a stack of labels: exterior Label T2 + Interior Label T8

    [Packet after label imposition: Data with labels T8 and T2]

    Packet Forwarding Example 1 (cont.)

    [Diagram: same topology as the previous slide, showing in/out label tables on the P routers and the labelled packet (T2, Data) at each hop up to the CE router]

    All subsequent P routers switch the packet solely on the Interior Label

    Egress PE router removes the Interior Label

    Egress PE uses the Exterior Label to select which VPN/CE to forward the packet to.

    Exterior Label is removed and packet routed to CE router

    Packet Forwarding Example 2

    In VPN 12, host 130.130.10.1 sends a packet with destination 130.130.11.3

    Customer sites are attached to Provider Edge (PE) routers A & B.

    [Diagram: hosts 130.130.10.1 and 130.130.11.3 in VPN 12 sites, attached to PE routers A and B]

    Packet Forwarding Example 2 (cont.)

    1. Packet arrives on VPN 12 link on PE router A.

    2. PE router A selects the correct VPN forwarding table based on the link's VPN ID (12).

    VPN-ID | VPN Site Address | Provider Edge Router Address | VPN Site Label | PE Label
    12     | 130.130.10.0/24  | 172.68.1.11/32               | 26             | 42
    12     | 130.130.11.0/24  | 172.68.1.2/32                | 989            | 101
    ...    | ...              | ...                          | ...            | ...

    Packet Forwarding Example 2 (cont.)

    VPN-ID | VPN Site Address | Provider Edge Router Address | VPN Site Label | PE Label
    12     | 130.130.10.0/24  | 172.68.1.11/32               | 26             | 42
    12     | 130.130.11.0/24  | 172.68.1.2/32                | 989            | 101
    ...    | ...              | ...                          | ...            | ...

    3. PE router A matches the incoming packet's destination address with VPN 12's forwarding table.

    4. PE router A adds two labels to the packet: one identifying the destination PE, and one identifying the destination VPN site.

    [Packet after step 4: labels 989 and 101 added in front of the IP packet (130.130.11.3, rest of IP packet)]

    Packet Forwarding Example 2 (cont.)

    [Diagram: path across the core from PE router A to PE router B]

    5. Packet is label-switched from PE router A to PE B based on the top label, using normal MPLS.

    The network core knows nothing about VPNs and sites: it only knows how to get packets from A to B using MPLS.

    Packet Forwarding Example 2 (cont.)

    [Diagram: PE router B, its VPN 12 link and host 130.130.11.3]

    6. PE router B identifies the correct site in VPN 12 from the inner label.

    7. PE router B removes the labels and forwards the IP packet to the correct VPN 12 site.
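    Steps 1 to 7 of Packet Forwarding Example 2, worked through in Python as an added illustration that is not part of the presentation; since PE-CE links carry plain IP, the ingress step also refuses a frame that arrives already labelled. It reads the table's PE Label (101) as the top label and the VPN Site Label (989) as the inner one, and collapses the core to a single penultimate hop; the function names, the sample IPv4 header and the egress label map on PE B are assumptions.

```python
import ipaddress
import struct

ETH_IPV4, ETH_MPLS = 0x0800, 0x8847

# VPN 12 forwarding table on PE router A (values from the slide):
# site prefix -> (egress PE address, VPN site label, PE label)
VPN_TABLES = {
    12: {
        "130.130.10.0/24": ("172.68.1.11/32", 26, 42),
        "130.130.11.0/24": ("172.68.1.2/32", 989, 101),
    }
}
# On PE router B: inner label -> (VPN ID, attached site prefix).
# Assumed to mirror the row PE A holds for 130.130.11.0/24.
EGRESS_LABELS = {989: (12, "130.130.11.0/24")}


def encode_entry(label, bottom, ttl=255, exp=0):
    """Pack one label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    if not 0 <= label < 1 << 20:
        raise ValueError("label does not fit in 20 bits")
    word = (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word)


def decode_stack(frame):
    """Split a labelled frame into ([(label, bottom_of_stack)], payload)."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(frame):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", frame, offset)
        offset += 4
        entries.append((word >> 12, bool(word & 0x100)))
        if entries[-1][1]:
            return entries, frame[offset:]


def ipv4_packet(src, dst, payload=b""):
    """Constructed minimal IPv4 header (checksum left at zero) plus payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload


def longest_match(table, dst):
    """Return the table row whose prefix is the longest match for dst."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, row in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, row)
    return best[1] if best else None


def pe_ingress(link_vpn_id, ethertype, packet):
    """Steps 1-4 on PE A: pick the table by the link's VPN ID, push two labels."""
    if ethertype != ETH_IPV4:
        # PE-CE links carry plain IP; the inner label selects the VPN site at
        # the egress PE, so it must only ever be set by a PE.
        raise ValueError("labelled frame on CE-facing link dropped")
    dst = str(ipaddress.ip_address(packet[16:20]))
    row = longest_match(VPN_TABLES[link_vpn_id], dst)
    if row is None:
        raise LookupError("no route to %s in VPN %d" % (dst, link_vpn_id))
    _egress_pe, site_label, pe_label = row
    stack = encode_entry(pe_label, False) + encode_entry(site_label, True)
    return ETH_MPLS, stack + packet


def penultimate_hop(frame):
    """Step 5: the core acts on the top label only; the last hop pops it."""
    entries, _ = decode_stack(frame)
    if len(entries) != 2:
        raise ValueError("expected PE label plus VPN site label")
    return frame[4:]


def pe_egress(frame):
    """Steps 6-7 on PE B: the inner label selects the VPN site; strip it."""
    entries, packet = decode_stack(frame)
    if len(entries) != 1 or entries[0][0] not in EGRESS_LABELS:
        raise ValueError("unknown or malformed VPN label")
    vpn_id, site = EGRESS_LABELS[entries[0][0]]
    return vpn_id, site, packet


def walk_example():
    """Follow 130.130.10.1 -> 130.130.11.3 from PE A to PE B."""
    packet = ipv4_packet("130.130.10.1", "130.130.11.3", b"data")
    _, frame = pe_ingress(12, ETH_IPV4, packet)
    labels_in_core = [label for label, _ in decode_stack(frame)[0]]
    vpn_id, site, delivered = pe_egress(penultimate_hop(frame))
    return labels_in_core, vpn_id, site, delivered == packet


if __name__ == "__main__":
    print(walk_example())
```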

    MPLS VPN mechanisms


    VRF and Multiple Routing Instances

    VRF: VPN Routing and Forwarding Instance

    VRF Routing Protocol Context

    VRF Routing Tables

    VRF CEF Forwarding Tables

    MPLS VPN mechanisms

    VRF and Multiple Routing Instances

    VRF Routing table contains routes which should be available to a particular set of sites

    Analogous to standard IOS routing table, supports the same set of mechanisms

    Interfaces (sites) are assigned to VRFs

    - One VRF per interface (sub-interface, tunnel or virtual-template)

    - Possibly many interfaces per VRF

    MPLS VPN mechanisms

    VRF and Multiple Routing Instances

    [Diagram: routing processes (Static, BGP, RIP), routing contexts, VRF routing tables and VRF forwarding tables]

    Routing processes run within specific routing contexts

    Populate specific VPN routing table and FIBs (VRF)

    Interfaces are assigned to VRFs

    MPLS VPN mechanisms

    VRF and Multiple Routing Instances

    Logical view

    [Diagram: Site-1, Site-2, Site-3 and Site-4 grouped into VPN-A, VPN-B and VPN-C]

    Routing view

    [Diagram: Site-1 to Site-4 attached to two PE routers, joined across P routers by multihop MP-iBGP]

    - VRF for site-1: Site-1 routes, Site-2 routes

    - VRF for site-2: Site-1 routes, Site-2 routes, Site-3 routes

    - VRF for site-3: Site-2 routes, Site-3 routes, Site-4 routes

    - VRF for site-4: Site-3 routes, Site-4 routes

    MPLS VPN Topologies

    [Diagram: P routers in the core and PE routers at the edge of the backbone, CE routers attaching VPN_A and VPN_B sites (networks 10.1.0.0, 10.2.0.0, 10.3.0.0, 11.5.0.0 and 11.6.0.0), iBGP sessions between the PE routers]

    VPN-IPv4 addresses are propagated together with the associated label in BGP Multiprotocol extension

    Extended Community attribute (route-target) is associated to each VPN-IPv4 address, to populate the site VRF

    MPLS VPN Topologies

    VPN sites with optimal intra-VPN routing

    - Each site has full routing knowledge of all other sites (of same VPN)

    - Each CE announces its own address space

    - MP-BGP VPN-IPv4 updates are propagated between PEs

    Routing is optimal in the backbone

    - Each route has the BGP Next-Hop closest to the destination

    - No site is used as central point for connectivity

    MPLS VPN Topologies

    VPN sites with optimal intra-VPN routing

    [Diagram: Site-1 (N1), Site-2 (N2) and Site-3 (N3) attached to PE1, PE2 and PE3 over interfaces IntCE1, IntCE2 and IntCE3; PE-CE routing is EBGP/RIP/Static]

    Routes announced by the CEs: N1, NH=CE1; N2, NH=CE2; N3, NH=CE3

    VPN-IPv4 updates exchanged between PEs

    - RD:N1, NH=PE1, Label=IntCE1, RT=Blue

    - RD:N2, NH=PE2, Label=IntCE2, RT=Blue

    - RD:N3, NH=PE3, Label=IntCE3, RT=Blue

    VRF for site-1: N1, NH=CE1; N2, NH=PE2; N3, NH=PE3

    VRF for site-2: N1, NH=PE1; N2, NH=CE2; N3, NH=PE3

    VRF for site-3: N1, NH=PE1; N2, NH=PE2; N3, NH=CE3

    Routing Table on CE1: N1, Local; N2, PE1; N3, PE1

    Routing Table on CE2: N1, NH=PE2; N2, Local; N3, NH=PE2

    Routing Table on CE3: N1, PE3; N2, PE3; N3, Local

    MPLS VPN Topologies

    VPN sites with Hub & Spoke routing

    One central site has full routing knowledge of all other sites (of same VPN)

    - Hub-Site

    Other sites will send traffic to Hub-Site for any destination

    - Spoke-Sites

    Hub-Site is the central transit point between Spoke-Sites

    - Use of central services at Hub-Site

    MPLS VPN Topologies

    VPN sites with Hub & Spoke routing

    [Diagram: Site-1 (N1, CE1) on PE1, Site-2 (N2, CE2) on PE2 and Site-3 (N3) on PE3 through CE3-Hub and CE3-Spoke; PE-CE routing is BGP/RIPv2]

    IntCE1 VRF (Import RT=Spoke) (Export RT=Hub): N1, NH=CE1 (exported); N2, NH=PE3 (imported); N3, NH=PE3 (imported)

    IntCE2 VRF (Import RT=Spoke) (Export RT=Hub): N1, NH=PE3 (imported); N2, NH=CE2 (exported); N3, NH=PE3 (imported)

    IntCE3-Hub VRF (Import RT=Hub): N1, NH=PE1; N2, NH=PE2

    IntCE3-Spoke VRF (Export RT=Spoke): N1, NH=CE3-Spoke; N2, NH=CE3-Spoke; N3, NH=CE3-Spoke

    VPN-IPv4 update advertised by PE1: RD:N1, NH=PE1, Label=IntCE1, RT=Hub

    VPN-IPv4 update advertised by PE2: RD:N2, NH=PE2, Label=IntCE2, RT=Hub

    VPN-IPv4 updates advertised by PE3

    - RD:N1, NH=PE3, Label=IntCE3-Spoke, RT=Spoke

    - RD:N2, NH=PE3, Label=IntCE3-Spoke, RT=Spoke

    - RD:N3, NH=PE3, Label=IntCE3-Spoke, RT=Spoke

    Routes are imported/exported into VRFs based on RT value of the VPN-IPv4 updates

    PE3 uses 2 (sub)interfaces with two different VRFs

    MPLS VPN Topologies

    VPN sites with Hub & Spoke routing

    [Diagram: the hub & spoke topology of the previous slide with the same four VRFs (IntCE1, IntCE2, IntCE3-Hub, IntCE3-Spoke) and their contents]

    Traffic from one spoke to another will travel across the hub site

    Hub site may host central services

    - Security, NAT, centralised Internet access

    MPLS VPN Internet Routing

    In a VPN, sites may need to have Internet connectivity

    Connectivity to the Internet means:

    - Being able to reach Internet destinations

    - Being able to be reachable from any Internet source

    The Internet routing table is treated separately

    - In the VPN backbone the Internet routes are in the Global routing table of PE routers

    - Labels are not assigned to external (BGP) routes

    MPLS VPN Internet routing

    VRF specific default route

    A default route is installed into the site VRF, pointing to an Internet Gateway

    - The default route is NOT part of any VPN

    A single label is used for packets forwarded according to the default route

    - The label is the IGP label corresponding to the IP address of the Internet gateway

    - Known in the IGP

    MPLS VPN Internet routing

    VRF specific default route

    PE router originates CE routes for the Internet

    Customer (site) routes are known in the site VRF

    - Not in the global table

    - The PE/CE interface is NOT known in the global table.

    However:

    - A static route for the customer routes, pointing to the PE/CE interface, is installed in the global table

    - This static route is redistributed into the BGP-4 global table and advertised to the Internet Gateway

    - The Internet gateway knows the customer routes with the PE address as next-hop

    MPLS VPN Internet routing

    VRF specific default route

    The Internet Gateway specified in the default route (into the VRF) need NOT be directly connected

    Different Internet gateways can be used for different VRFs

    Using default route for Internet routing does NOT allow any other default route for intra-VPN routing

    - As in any other routing scheme

    MPLS VPN Internet routing

    VRF specific default route

    [Diagram: Site-1 and Site-2 attached to PE routers, PE-IG towards the Internet; labels: Network 171.68.0.0/16, Serial0, 192.168.1.1, 192.168.1.2, BGP-4, MP-BGP]

    ip vrf VPN-A
     rd 100:1
     route-target both 100:1
    !
    interface Serial0
     ! VRF first: "ip vrf forwarding" removes an address already on the interface
     ip vrf forwarding VPN-A
     ip address 192.168.10.1 255.255.255.0
    !
    router bgp 100
     no bgp default ipv4-unicast
     network 171.68.0.0 mask 255.255.0.0
     neighbor 192.168.1.1 remote-as 100
     neighbor 192.168.1.1 activate
     neighbor 192.168.1.1 next-hop-self
     neighbor 192.168.1.1 update-source loopback0
     ! the MP-iBGP peer has to be defined before it can be activated under vpnv4
     neighbor 192.168.1.2 remote-as 100
     !
     address-family ipv4 vrf VPN-A
      neighbor 192.168.10.2 remote-as 65502
      neighbor 192.168.10.2 activate
      exit-address-family
     !
     address-family vpnv4
      neighbor 192.168.1.2 activate
      exit-address-family
    !
    ip route 171.68.0.0 255.255.0.0 Serial0
    ip route vrf VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 global

    MPLS VPN Internet routing

    VRF specific default route

    [Diagram: Site-1 and Site-2 attached to PE routers, PE-IG towards the Internet; labels: Network 171.68.0.0/16, Serial0, 192.168.1.1, 192.168.1.2. An IP packet with D=cisco.com is shown as a plain IP packet, then with Label = 3, then as a plain IP packet again]

    Site-2 VRF

    - 0.0.0.0/0 192.168.1.1 (global)

    - Site-1 routes

    - Site-2 routes

    Global Table and LFIB

    - 192.168.1.1/32 Label=3

    - 192.168.1.2/32 Label=5

    - ...

    MPLS VPN Internet routing

    VRF specific default route

    PE routers need not hold the Internet table

    PE routers will use BGP-4 sessions to originate customer routes

    Packet forwarding is done with a single label identifying the Internet Gateway IP address

    - More labels if Traffic Engineering is used

    MPLS VPN Internet Routing

    Separated (sub)interfaces

    If CE wishes to receive and announce routes from/to the Internet

    - A dedicated BGP session is used over a separate (sub)interface

    - The PE imports CE routes into the global routing table and advertises them to the Internet

    - The interface is not part of any VPN and does not use any VRF

    - Default route or Internet routes are exported to the CE

    - PE needs to have Internet routing table

    MPLS VPN Internet Routing

    Separated (sub)interfaces

    The PE uses separate (sub)interfaces with the CE

    - One (sub)interface for VPN routing, associated to a VRF

      Can be a tunnel interface

    - One (sub)interface for Internet routing, associated to the global routing table

    MPLS VPN Internet Routing

    Separated (sub)interfaces

    [Diagram: Site-1 and Site-2 attached to PE routers, PE-IG towards the Internet; labels: Network 171.68.0.0/16, Serial0.1, Serial0.2, 192.168.1.1, 192.168.1.2, BGP-4, MP-BGP]

    ip vrf VPN-A
     rd 100:1
     route-target both 100:1
    !
    interface Serial0
     no ip address
    !
    interface Serial0.1
     ! VRF first: "ip vrf forwarding" removes an address already on the interface
     ip vrf forwarding VPN-A
     ip address 192.168.10.1 255.255.255.0
    !
    interface Serial0.2
     ip address 171.68.10.1 255.255.255.0
    !
    router bgp 100
     no bgp default ipv4-unicast
     neighbor 192.168.1.1 remote-as 100
     neighbor 192.168.1.1 activate
     neighbor 192.168.1.1 next-hop-self
     neighbor 192.168.1.1 update-source loopback0
     neighbor 171.68.10.2 remote-as 502
     ! needed for IPv4 routes on this session because of "no bgp default ipv4-unicast"
     neighbor 171.68.10.2 activate
     ! the MP-iBGP peer has to be defined before it can be activated under vpnv4
     neighbor 192.168.1.2 remote-as 100
     !
     address-family ipv4 vrf VPN-A
      neighbor 192.168.10.2 remote-as 502
      neighbor 192.168.10.2 activate
      exit-address-family
     !
     address-family vpnv4
      neighbor 192.168.1.2 activate
      exit-address-family

    MPLS VPN Internet Routing

    Separated (sub)interfaces

    [Diagram: Site-1 and Site-2 attached to PE routers, PE-IG towards the Internet; labels: Network 171.68.0.0/16, Serial0.1, Serial0.2, 192.168.1.1, 192.168.1.2. An IP packet with D=cisco.com is shown as a plain IP packet, then with Label = 3, then as a plain IP packet again]

    CE routing table

    - Site-2 routes ----> Serial0.1

    - Internet routes ---> Serial0.2

    PE Global Table

    - Internet routes ---> 192.168.1.1

    - 192.168.1.1, Label=3

    Scaling

    Existing BGP techniques can be used to scale the route distribution: route reflectors

    - Each edge router needs only the information for the VPNs it supports

      Directly connected VPNs

    - RRs are used to distribute VPN routing information

    MPLS-VPN

    Scaling BGP

    [Diagram: P routers in the core, PE routers (including PE1 and PE2) at the edge, CE routers attaching VPN_A and VPN_B sites (networks 10.1.0.0, 10.2.0.0, 10.3.0.0, 11.5.0.0 and 11.6.0.0), and two Route Reflectors (RR)]

    Route Reflectors may be partitioned

    - Each RR stores routes for a set of VPNs

    Thus, no BGP router needs to store ALL VPNs information

    - PEs will peer to RRs according to the VPNs they directly connect

    MPLS-VPN Scaling

    BGP updates filtering

    iBGP full mesh between PEs results in flooding all VPN routes to all PEs

    Scaling problems when there is a large amount of routes. In addition, PEs need only routes for attached VRFs

    Therefore each PE will discard any VPN-IPv4 route that does not carry a route-target configured to be imported in any of the attached VRFs

    This significantly reduces the amount of information each PE has to store

    - Volume of BGP table is equivalent to the volume of attached VRFs (nothing more)

    MPLS-VPN Scaling

    BGP updates filtering

    Each VRF has an import and export policy configured

    - Policies use the route-target attribute (extended community)

    PE receives MP-iBGP updates for VPN-IPv4 routes

    - If route-target is equal to any of the import values configured in the PE, the update is accepted

    - Otherwise it is silently discarded

    [Diagram: a PE with VRFs for VPNs yellow and green (Import RT=yellow, Import RT=green) receiving two updates over its MP-iBGP sessions]

    - VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ

    - VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Red, Label=XYZ

    MPLS-VPN Scaling

    Route Refresh

    Policy may change in the PE if VRF modifications are done

    - New VRFs, removal of VRFs

    However, the PE may not have stored routing information which becomes useful after a change

    PE requests a re-transmission of updates from neighbors

    - Route-Refresh

    [Diagram: a PE with Import RT=yellow, Import RT=green and Import RT=red, and two updates]

    - VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ

    - VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Red, Label=XYZ

    1. PE doesn't have red routes (previously filtered out)

    2. PE issues a Route-Refresh to all neighbors in order to ask for re-transmission

    3. Neighbors re-send updates and the red route-target is now accepted

    MPLS-VPN Scaling

    Outbound Route Filters - ORF

    PE router will discard updates with an unused route-target

    Optimization requires these updates NOT to be sent

    Outbound Route Filter (ORF) allows a router to tell its neighbors which filter to use prior to propagating BGP updates

    [Diagram: a PE with Import RT=yellow and Import RT=green, and two updates]

    - VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ

    - VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Red, Label=XYZ

    1. PE doesn't need red routes

    2. PE issues an ORF message to all neighbors in order not to receive red routes

    3. Neighbors dynamically configure the outbound filter and send updates accordingly

    MPLS VPN - Configuration

    VPN knowledge is on PE routers

    PE routers have to be configured for

    - VRF and Route Distinguisher

    - VRF import/export policies (based on Route-target)

    - Routing protocol used with CEs

    - MP-BGP between PE routers

    - BGP for Internet routers

      With other PE routers

      With CE routers

    MPLS VPN - Configuration

    VRF and Route Distinguisher

    RD is configured on PE routers (for each VRF)

    VRFs are associated to RDs in each PE

    Common (good) practice is to use the same RD for the same VPN in all PEs

    - But not mandatory

    VRF configuration command

    ip vrf
     rd
     route-target import
     route-target export

    CLI - VRF configuration

    [Diagram, logical view: Site-1, Site-2, Site-3 and Site-4 grouped into VPN-A, VPN-B and VPN-C]

    [Diagram, routing view: Site-1 to Site-4 attached to PE1 and PE2, joined across P routers by multihop MP-iBGP]

    - VRF for site-1 (100:1): Site-1 routes, Site-2 routes

    - VRF for site-2 (100:2): Site-1 routes, Site-2 routes, Site-3 routes

    - VRF for site-3 (100:3): Site-2 routes, Site-3 routes, Site-4 routes

    - VRF for site-4 (100:4): Site-3 routes, Site-4 routes

    ip vrf site1
     rd 100:1
     route-target export 100:1
     route-target import 100:1

    ip vrf site2
     rd 100:2
     route-target export 100:2
     route-target import 100:2
     route-target import 100:1
     route-target export 100:1

    ip vrf site3
     rd 100:3
     route-target export 100:2
     route-target import 100:2
     route-target import 100:3
     route-target export 100:3

    ip vrf site-4
     rd 100:4
     route-target export 100:3
     route-target import 100:3

    MPLS VPN - Configuration: PE/CE routing protocols

    PE/CE may use BGP, RIPv2 or Static routes

    A routing context is used for each VRF

    Routing contexts are defined within the routing protocol instance

    Address-family router sub-command

    router rip
     version 2
     address-family ipv4 vrf <vrf-name>
      any common router sub-command

    MPLS VPN - Configuration: PE/CE routing protocols

    BGP uses same address-family command

    router bgp <asn>
     ...
     address-family ipv4 vrf <vrf-name>
      any common router BGP sub-command

    Static routes are configured per VRF

    ip route vrf <vrf-name> ...

    MPLS VPN - Configuration: PE router commands

    All show commands are VRF based

    show ip route vrf <vrf-name> ...
    show ip protocol vrf <vrf-name>
    show ip cef vrf <vrf-name>

    PING and Telnet commands are VRF based

    telnet <host> /vrf <vrf-name>
    ping vrf <vrf-name> <host>

    MPLS VPN - Configuration: PE/CE routing protocols

    [Diagram: Site-1, Site-2, Site-3, Site-4; PE1, PE2 and two P routers; multihop MP-iBGP; VPN-A, VPN-B, VPN-C]

    VRF for site-1 (100:1): Site-1 routes, Site-2 routes
    VRF for site-2 (100:2): Site-1 routes, Site-2 routes, Site-3 routes
    VRF for site-3 (100:3): Site-2 routes, Site-3 routes, Site-4 routes
    VRF for site-4 (100:4): Site-3 routes, Site-4 routes

    ip vrf site1
     rd 100:1
     route-target export 100:12
     route-target import 100:12
    ip vrf site2
     rd 100:2
     route-target export 100:12
     route-target import 100:12
     route-target import 100:23
     route-target export 100:23
    !
    interface Serial3/6
     ip vrf forwarding site1
     ip address 192.168.61.6 255.255.255.0
     encapsulation ppp
    !
    interface Serial3/7
     ip vrf forwarding site2
     ip address 192.168.62.6 255.255.255.0
     encapsulation ppp

    ip vrf site3
     rd 100:3
     route-target export 100:23
     route-target import 100:23
     route-target import 100:34
     route-target export 100:34
    ip vrf site4
     rd 100:4
     route-target export 100:34
     route-target import 100:34
    !
    interface Serial4/6
     ip vrf forwarding site3
     ip address 192.168.73.7 255.255.255.0
     encapsulation ppp
    !
    interface Serial4/7
     ip vrf forwarding site4
     ip address 192.168.74.7 255.255.255.0
     encapsulation ppp
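The route tables drawn beside each VRF on this slide follow from the route-target lists alone: a VRF holds another VRF's routes only when one of that VRF's export targets matches one of its own import targets. The Python check below is an added example, not part of the original deck; it parses the slide's four VRF stanzas, recomputes those route tables, and flags a constructed one-line misconfiguration that breaks VPN isolation. The function names, `EXPECTED` and `BAD_CONFIG` are assumptions of this example.

```python
import re
# VRF stanzas from the slide above (VRF name "site4" as in "ip vrf forwarding site4").
SLIDE_CONFIG = """\
ip vrf site1
 rd 100:1
 route-target export 100:12
 route-target import 100:12
ip vrf site2
 rd 100:2
 route-target export 100:12
 route-target import 100:12
 route-target import 100:23
 route-target export 100:23
ip vrf site3
 rd 100:3
 route-target export 100:23
 route-target import 100:23
 route-target import 100:34
 route-target export 100:34
ip vrf site4
 rd 100:4
 route-target export 100:34
 route-target import 100:34
"""
BAD_CONFIG = SLIDE_CONFIG + " route-target import 100:12\n"  # constructed: stray import on site4
# Route tables drawn on the slide: whose routes each VRF is meant to hold.
EXPECTED = {
    "site1": {"site1", "site2"},
    "site2": {"site1", "site2", "site3"},
    "site3": {"site2", "site3", "site4"},
    "site4": {"site3", "site4"},
}

def parse_vrfs(text):
    """Return {vrf: {"import": set of RTs, "export": set of RTs}}."""
    vrfs, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.fullmatch(r"ip vrf (\S+)", line)
        if head:
            cur = vrfs.setdefault(head.group(1), {"import": set(), "export": set()})
        elif not raw.startswith(" "):
            cur = None  # left the VRF stanza (interface, router, "!" ...)
        elif cur is not None:
            rt = re.fullmatch(r"route-target (import|export|both) (\S+)", line)
            if rt:
                kinds = ("import", "export") if rt.group(1) == "both" else (rt.group(1),)
                for kind in kinds:
                    cur[kind].add(rt.group(2))
    return vrfs

def visible_routes(vrfs):
    """A VRF holds its own routes plus those whose export RT it imports."""
    return {name: {src for src, s in vrfs.items()
                   if src == name or s["export"] & v["import"]}
            for name, v in vrfs.items()}

def audit(text, expected):
    """Return (leaks, missing) as sorted (importing VRF, source VRF) pairs."""
    actual = visible_routes(parse_vrfs(text))
    leaks = sorted((v, s) for v in actual for s in actual[v] - expected.get(v, set()))
    missing = sorted((v, s) for v in expected for s in expected[v] - actual.get(v, set()))
    return leaks, missing

if __name__ == "__main__":
    print(audit(SLIDE_CONFIG, EXPECTED), audit(BAD_CONFIG, EXPECTED))
```

The leak is one-directional: site4 gains the site1 and site2 routes, but because site4 does not export 100:12, neither of those VRFs learns site4's routes in return.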

    MPLS VPN - Configuration: PE/CE routing protocols

    [Diagram: Site-1, Site-2, Site-3, Site-4; PE1, PE2 and two P routers; multihop MP-iBGP; VPN-A, VPN-B, VPN-C]

    VRF for site-1 (100:1): Site-1 routes, Site-2 routes
    VRF for site-2 (100:2): Site-1 routes, Site-2 routes, Site-3 routes
    VRF for site-3 (100:2): Site-2 routes, Site-3 routes, Site-4 routes
    VRF for site-4 (100:3): Site-3 routes, Site-4 routes

    router bgp 100
     no bgp default ipv4-unicast
     neighbor 7.7.7.7 remote-as 100
     neighbor 7.7.7.7 update-source Loop0
     !
     address-family ipv4 vrf site2
      neighbor 192.168.62.2 remote-as 65502
      neighbor 192.168.62.2 activate
      exit-address-family
     !
     address-family ipv4 vrf site1
      neighbor 192.168.61.1 remote-as 65501
      neighbor 192.168.61.1 activate
      exit-address-family
     !
     address-family vpnv4
      neighbor 7.7.7.7 activate
      neighbor 7.7.7.7 next-hop-self
      exit-address-family

    router bgp 100
     no bgp default ipv4-unicast
     neighbor 6.6.6.6 remote-as 100
     neighbor 6.6.6.6 update-source Loop0
     !
     address-family ipv4 vrf site4
      neighbor 192.168.74.4 remote-as 65504
      neighbor 192.168.74.4 activate
      exit-address-family
     !
     address-family ipv4 vrf site3
      neighbor 192.168.73.3 remote-as 65503
      neighbor 192.168.73.3 activate
      exit-address-family
     !
     address-family vpnv4
      neighbor 6.6.6.6 activate
      neighbor 6.6.6.6 next-hop-self
      exit-address-family

    Summary

    Supports large scale VPN services

    Increases value add by the VPN Service Provider

    Decreases Service Provider's cost of providing VPN services

    Mechanisms are general enough to enable VPN Service Provider to support a wide range of VPN customers

    See RFC2547

    Point-to-point connections vs BGP/MPLS VPNs: routing peering

    Amount of routing peering maintained by CE is O(1) - CE peers only with directly attached PE

    independent of the total number of sites within a VPN

    scales to VPNs with large number of sites (100s - 1000s sites per VPN)

    Mesh of point-to-point connections requires each (virtual) router to maintain O(n) peering (where n is the number of sites)

    does not scale to VPNs with large number of sites (due to the properties of existing routing protocols)

    [Diagram: Site, CE, PE, routing peering, all other sites]

    Point-to-point connections vs BGP/MPLS VPNs: provisioning

    Amount of configuration changes needed to add a new site (new CE) is O(1):

    need to configure only the directly attached PE

    independent of the total number of sites within a VPN

    Mesh of point-to-point connections requires O(n) configuration changes (where n is the number of sites) when adding a new site

    [Diagram: new site, CE, PE, config change, all other sites]

    Agenda

    Introduction to MPLS

    LDP

    MPLS VPN

    Monitoring MPLS

    Basic MPLS Monitoring Commands

    router# show tag-switching tdp parameters

    Displays TDP parameters on the local router.

    router# show tag-switching interface
    router# show mpls interface          (12.1(3)T)

    Displays MPLS status on individual interfaces.

    router# show tag-switching tdp discovery

    Displays all discovered TDP neighbors.

    show tag-switching tdp parameters

    Router#show tag-switching tdp parameters
    Protocol version: 1
    No tag pool for downstream tag distribution
    Session hold time: 180 sec; keep alive interval: 60 sec
    Discovery hello: holdtime: 15 sec; interval: 5 sec
    Discovery directed hello: holdtime: 180 sec; interval: 5 sec

    show tag-switching interface

    Router#show tag-switching interface detail
    Interface Serial1/0.1:
            IP tagging enabled
            TSP Tunnel tagging not enabled
            Tagging operational
            MTU = 1500
    Interface Serial1/0.2:
            IP tagging enabled
            TSP Tunnel tagging not enabled
            Tagging operational
            MTU = 1500

    show tag-switching tdp discovery

    Router#show tag-switching tdp discovery
    Local TDP Identifier:
        192.168.3.102:0
    TDP Discovery Sources:
        Interfaces:
            Serial1/0.1: xmit/recv
                TDP Id: 192.168.3.101:0
            Serial1/0.2: xmit/recv
                TDP Id: 192.168.3.100:0

    More TDP Monitoring Commands

    router# show tag-switching tdp neighbor

    Displays individual TDP neighbors.

    router# show tag-switching tdp neighbor detail

    Displays more details about TDP neighbors.

    router# show tag-switching tdp bindings

    Displays Tag Information Base (TIB).

    show tag tdp neighbor

    Router#show tag-switching tdp neighbors
    Peer TDP Ident: 192.168.3.100:0; Local TDP Ident 192.168.3.102:0
        TCP connection: 192.168.3.100.711 - 192.168.3.102.11000
        State: Oper; PIEs sent/rcvd: 55/53; ; Downstream
        Up time: 00:43:26
        TDP discovery sources:
          Serial1/0.2
        Addresses bound to peer TDP Ident:
          192.168.3.10    192.168.3.14    192.168.3.100

    show tag tdp neighbor detail

    Router#show tag-switching tdp neighbors detail
    Peer TDP Ident: 192.168.3.100:0; Local TDP Ident 192.168.3.102:0
        TCP connection: 192.168.3.100.711 - 192.168.3.102.11000
        State: Oper; PIEs sent/rcvd: 55/54; ; Downstream; Last TIB rev sent 26
        UID: 1; Up time: 00:44:01
        TDP discovery sources:
          Serial1/0.2; holdtime: 15000 ms, hello interval: 5000 ms
        Addresses bound to peer TDP Ident:
          192.168.3.10    192.168.3.14    192.168.3.100
        Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab

    show tag tdp bindings

    Router#show tag tdp bindings
    tib entry: 192.168.3.1/32, rev 9
        local binding:  tag: 28
        remote binding: tsr: 19.16.3.3:0, tag: 28
    tib entry: 192.168.3.2/32, rev 8
        local binding:  tag: 27
        remote binding: tsr: 19.16.3.3:0, tag: 27
    tib entry: 192.168.3.3/32, rev 7
        local binding:  tag: 26
        remote binding: tsr: 19.16.3.3:0, tag: imp-null(1)
    tib entry: 192.168.3.10/32, rev 6
        local binding:  tag: imp-null(1)
        remote binding: tsr: 19.16.3.3:0, tag: 26

    Monitoring Label Switching

    router# show tag-switching forwarding-table
    router# show mpls forwarding-table

    Displays contents of Label Forwarding Information Base.

    router# show ip cef detail

    Displays label(s) attached to a packet during label imposition on edge LSR.

    Monitoring Label Switching: Monitoring LFIB

    Router#show tag-switching forwarding-table ?
      A.B.C.D     Destination prefix
      detail      Detailed information
      interface   Match outgoing interface
      next-hop    Match next hop neighbor
      tags        Match tag values
      tsp-tunnel  TSP Tunnel id
      |           Output modifiers

    show tag-switching forwarding-table

    Router#show tag-switching forwarding-table detail
    Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
    tag    tag or VC   or Tunnel Id      switched   interface
    26     Untagged    192.168.3.3/32    0          Se1/0.3    point2point
            MAC/Encaps=0/0, MTU=1504, Tag Stack{}
    27     Pop tag     192.168.3.4/32    0          Se0/0.4    point2point
            MAC/Encaps=4/4, MTU=1504, Tag Stack{}
            20618847
    28     29          192.168.3.4/32    0          Se1/0.3    point2point
            MAC/Encaps=4/8, MTU=1500, Tag Stack{29}
            18718847 0001D000

    show ip cef detail

    Router#show ip cef 192.168.20.0 detail
    192.168.20.0/24, version 23, cached adjacency to Serial1/0.2
    0 packets, 0 bytes
      tag information set
        local tag: 33
        fast tag rewrite with Se1/0.2, point2point, tags imposed: {32}
      via 192.168.3.10, Serial1/0.2, 0 dependencies
        next hop 192.168.3.10, Serial1/0.2
        valid cached adjacency
        tag rewrite with Se1/0.2, point2point, tags imposed: {32}

    Debugging Label Switching and TDP

    router# debug tag-switching tdp ...

    Debugs TDP adjacencies, session establishment, and label bindings exchange.

    router# debug tag-switching tfib ...
    router# debug mpls lfib                          (12.1(3)T)

    Debugs Tag Forwarding Information Base events: label creations, removals, rewrites.

    router# debug tag-switching packets [ interface ]
    router# debug mpls packets [ interface ]         (12.1(3)T)

    Debugs labeled packets switched by the router.

    Disables fast or distributed tag switching.

    Common Frame-Mode MPLS Symptoms

    TDP/LDP session does not start.

    Labels are not allocated or distributed.

    Packets are not labeled although the labels have been distributed.

    MPLS intermittently breaks after an interface failure.

    Large packets are not propagated across the network.

    TDP Session Startup Issues: 1/4

    Symptom

    TDP neighbors are not discovered.

    show tag tdp discovery does not display expected TDP neighbors.

    Diagnosis

    MPLS is not enabled on adjacent router.

    Verification

    Verify with show tag interface on the adjacent router.

    TDP Session Startup Issues: 2/4

    Symptom

    TDP neighbors are not discovered.

    Diagnosis

    Label distribution protocol mismatch - TDP on one end, LDP on the other end.

    Verification

    Verify with show tag interface detail on both routers.

    TDP Session Startup Issues: 3/4

    Symptom

    TDP neighbors are not discovered.

    Diagnosis

    Packet filter drops TDP/LDP neighbor discovery packets.

    Verification

    Verify access-list presence with show ip interface.

    Verify access-list contents with show access-list.

    TDP Session Startup Issues: 4/4

    Symptom

    TDP neighbors discovered, TDP session is not established.

    show tdp neighbor does not display a neighbor in Oper state.

    Diagnosis

    Connectivity between loopback interfaces is broken - TDP session is usually established between loopback interfaces of adjacent LSRs.

    Verification

    Verify connectivity with extended ping command.

    Label Allocation Issues

    Symptom

    Labels are not allocated for local routes.

    show tag-switching forwarding-table does not display any labels

    Diagnosis

    CEF is not enabled.

    Verification

    Verify with show ip cef.

    Label Distribution Issues

    Symptom

    Labels are allocated, but not distributed.

    show tag-switching tdp bindings on adjacent LSR does not display labels from this LSR

    Diagnosis

    Problems with conditional label distribution.

    Verification

    Debug label distribution with debug tag tdp advertisement.

    Examine the neighbor TDP router ID with show tag tdp discovery.

    Verify that the neighbor TDP router ID is matched by the access list specified in tag advertise command.
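The symptom check on this slide means reading the adjacent LSR's TIB and looking for prefixes that carry no remote binding from this LSR. The Python sketch below is an added example, not part of the original deck; it parses output in the `show tag tdp bindings` format shown earlier in the deck and lists the prefixes for which a given TDP identifier has advertised no label. The first four entries are the ones from that slide, the last entry is constructed to show the failure case, and the function names are assumptions of this example.

```python
import re

# Entries in the "show tag tdp bindings" format. The first four come from the
# earlier slide; 192.168.3.20/32 is constructed and has no remote binding.
TIB_OUTPUT = """\
tib entry: 192.168.3.1/32, rev 9
    local binding:  tag: 28
    remote binding: tsr: 19.16.3.3:0, tag: 28
tib entry: 192.168.3.2/32, rev 8
    local binding:  tag: 27
    remote binding: tsr: 19.16.3.3:0, tag: 27
tib entry: 192.168.3.3/32, rev 7
    local binding:  tag: 26
    remote binding: tsr: 19.16.3.3:0, tag: imp-null(1)
tib entry: 192.168.3.10/32, rev 6
    local binding:  tag: imp-null(1)
    remote binding: tsr: 19.16.3.3:0, tag: 26
tib entry: 192.168.3.20/32, rev 5
    local binding:  tag: 30
"""

ENTRY = re.compile(r"tib entry: (\S+), rev \d+")
LOCAL = re.compile(r"local binding:\s*tag: (\S+)")
REMOTE = re.compile(r"remote binding:\s*tsr: (\S+), tag: (\S+)")

def parse_tib(text):
    """Return {prefix: {"local": tag or None, "remote": {tsr: tag}}}."""
    tib, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        entry = ENTRY.fullmatch(line)
        if entry:
            cur = tib.setdefault(entry.group(1), {"local": None, "remote": {}})
            continue
        if cur is None:
            continue  # prompt line or banner before the first entry
        local = LOCAL.fullmatch(line)
        remote = REMOTE.fullmatch(line)
        if local:
            cur["local"] = local.group(1)
        elif remote:
            cur["remote"][remote.group(1)] = remote.group(2)
    return tib

def missing_from(text, tsr):
    """Prefixes in the TIB for which the LSR with TDP id `tsr` sent no label."""
    return sorted(p for p, e in parse_tib(text).items() if tsr not in e["remote"])

if __name__ == "__main__":
    print(missing_from(TIB_OUTPUT, "19.16.3.3:0"))
```

An empty result means every prefix has a label from that LSR; a non-empty one points at the conditional label distribution access list named in the diagnosis.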

    Packet Labeling

    Symptom

    Labels are distributed, packets are not labeled.

    show interface statistic does not show labeled packets being sent

    Diagnosis

    CEF is not enabled on input interface (potentially due to conflicting feature being configured).

    Verification

    Verify with show cef interface.

    show cef interface

    Router#show cef interface
    Serial1/0.1 is up (if_number 15)
      Internet address is 192.168.3.5/30
      ICMP redirects are always sent
      Per packet loadbalancing is disabled
      IP unicast RPF check is disabled
      Inbound access list is not set
      Outbound access list is not set
      IP policy routing is disabled
      Interface is marked as point to point interface
      Hardware idb is Serial1/0
      Fast switching type 5, interface type 64
      IP CEF switching enabled
      IP CEF VPN Fast switching turbo vector
      Input fast flags 0x1000, Output fast flags 0x0
      ifindex 3(3)
      Slot 1 Slot unit 0 VC -1
      Transmit limit accumulator 0x0 (0x0)
      IP MTU 1500

    Intermittent MPLS Failures after Interface Failure

    Symptom

    Overall MPLS connectivity in a router intermittently breaks after an interface failure.

    Diagnosis

    IP address of a physical interface is used for TDP/LDP identifier.

    Configure a loopback interface on the router.

    Verification

    Verify local TDP identifier with show tag-switching tdp neighbors.

    Packet Propagation

    Symptom

    Large packets are not propagated across the network.

    Extended ping with varying packet sizes fails for packet sizes close to 1500

    In some cases, MPLS might work, but MPLS/VPN will fail.

    Diagnosis

    Tag MTU issues or switches with no support for jumbo frames in the forwarding path.

    Verification

    Trace the forwarding path; identify all LAN segments in the path.

    Verify Tag MTU setting on routers attached to LAN segments.

    Check for low-end switches in the transit path.

    Summary

    After completing this lesson, you will be able to perform the following tasks:

    Describe procedures for monitoring MPLS on IOS platforms.

    List the debugging commands associated with label switching, LDP and TDP.

    Identify common configuration or design errors.

    Use the available debugging commands in real-life troubleshooting scenarios.

    Customer Reference

    Cisco's MPLS Is Proven: 150+ Deployments Today

    Americas EMEA APT/Japan

    Thank you.