Du-MPLS


© 2005 Cisco Systems, Inc. All rights reserved. Version 2.0 Oct-2005
MPLS Training - Basic (Cisco Confidential)

Introduction to MPLS

Business Drivers for MPLS

Changing Telecom Landscape

Old World -> New World:
Infrastructure: Circuit-Switched -> Packet-Switched
Traffic: Voice-Centric -> Data-Centric
Services: Transport -> IP Value-Added
Focus: Network-Based -> Service-Based
Private Networks / Business Networks: FR-Based VPNs -> IP-Based VPNs
OSS: In-House -> Outsourced


Customer Requirements

Figure: customers, suppliers, partners, telecommuters, mobile users and remote offices, connected over an IP intranet and an IP extranet.


Service Provider Requirements

•  Multimedia
•  Content Hosting
•  Service Portfolio
•  Managed Intranets
•  Private Voice Networks


The Barriers

•  Carriers' customers want IP services:
They need connectionless IP services
They need more flexible IP quality of service guarantees
They need more privacy than the Internet provides
•  Frame Relay and ATM services are available:
They provide connection-oriented service
They have inflexible point-to-point bandwidth guarantees
But they have good privacy


The Solution - MPLS

•  MULTI-PROTOCOL LABEL SWITCHING
•  A mechanism that delivers the best of both worlds:
PRIVACY and QOS of ATM and Frame Relay
FLEXIBILITY and SCALABILITY of IP
•  Foundation for IP business services
Flexible grouping of users and value-added services
•  Low cost managed IP services

MPLS Concepts

•  Packet forwarding is done based on labels
•  Labels are assigned when the packet enters the network
•  Labels are inserted between the layer 2 and layer 3 headers
•  MPLS nodes forward packets based on the label
•  Separates ROUTING from FORWARDING
Routing uses IP addresses
Forwarding uses Labels

MPLS Capabilities

Relevant MPLS Capabilities

•  The ability to FORWARD on and STACK LABELS allows MPLS to provide some useful features including:
•  IP+ATM Integration
Provides Layer 3 intelligence in ATM switches
•  Virtual Private Networks
Layer 3 – Provider has knowledge of customer routing
Layer 2 – Provider has no knowledge of customer routing
•  Traffic Engineering


•  Put routers around the edge of an ATM network
•  Connect routers using Permanent Virtual Circuits
•  This does not provide optimal integration of IP and ATM


MPLS VPN – Layer 3

•  Private, connectionless IP VPNs
•  Outstanding scalability
•  Customer IP addressing freedom
•  Multiple QoS classes
•  Secure support for intranets and extranets
•  Easy to provide Intranet/Extranet/3rd Party ASP
•  Support over any access or backbone technology

Figure: connection-oriented VPN topology vs. connectionless VPN topology, for VPNs A, B and C.

Label stack of a Layer 3 VPN packet: IGP Label | VPN Label | IP Packet
IGP label: determines the PE router
VPN label: determines the VPN on the PE router

Why Providers like MPLS VPN…

Figure: traditional network ("Build once, sell once") vs. MPLS VPN network ("Build once, sell many").


MPLS VPN – Layer 2

Figure: attachment circuit | L2 pseudowire / emulated VC carrying L2 frames | attachment circuit

•  Additional Capabilities:
Virtual leased line service
Offer "PVC-like" Layer 2-based service
•  Reduced cost: consolidate multiple core technologies into a single packet-based network infrastructure
•  Simpler provisioning of L2 services
•  Attractive to Enterprises that wish to keep routing private

Label stack of a Layer 2 VPN frame: Tunnel Label | VC Label | L2 Frame
Tunnel label: determines the PE router end point
VC label: determines the VC inside


Traffic Engineering

Figure: route chosen by the IP routing protocol vs. route specified by traffic engineering

•  Why traffic engineer?
Optimise link utilisation
Specific paths by customer or class
Balance traffic load
•  Traffic follows a pre-specified path
•  Path differs from the normally routed path
•  Controls packet flows across a L2 or L3 network

Label stack with TE: TE Label | IGP Label | VPN Label | IP Packet
TE label: determines the LSP next hop, contrary to the IGP

MPLS Components

•  Edge Label Switching Routers (ELSR or PE)
Label previously unlabelled packets, at the beginning of a Label Switched Path (LSP)
Strip labels from labelled packets, at the end of an LSP
•  Label Switching Routers (LSR or P)
Forward labelled packets based on the information carried by labels

Figure: P network (provider control) made of LSRs (P) and edge LSRs (ELSR / PE), attached through CE routers to the C networks (customer control).


Functional Components

•  Forwarding component:
Uses the label information carried in a packet and the label binding information maintained by a Label Switching Router to forward the packet
•  Control component:
Responsible for maintaining correct label binding information among Label Switching Routers


Forwarding Component

•  Label Forwarding Information Base (LFIB)
•  Each entry consists of:
incoming label
outgoing label
outgoing interface
outgoing MAC address
•  The LFIB is indexed by incoming label
•  The LFIB can be either per Label Switching Router or per interface (see Label Space below)


Forwarding Component

•  IOS Label Forwarding Code is based on Cisco Express Forwarding (CEF)
Maintenance of label rewrite structures in the LFIB
Recursive route resolution


Forwarding Component

•  Forwarding algorithm:

Extract label from a packet

Find an entry in the LFIB with the INCOMING LABEL equal to the label in the packet

Replace the label in the packet with the OUTGOING LABEL (from the found entry)

Send the packet on the outgoing interface (from the found entry)


Label Header (Shim)

Figure: the 4-byte label header (shim): bits 1-20 Label | bits 21-23 EXP | bit 24 S | bits 25-32 TTL

Label Value (20 bits)
Class of Service / EXP (3 bits)
Bottom of Stack (1 bit)
Time to Live (8 bits)

•  Can be used over Ethernet, 802.3, or PPP links
•  Ethertype 0x8847 (unicast; 0x8848 is used for MPLS multicast)
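The shim header layout above, as an added example that is not part of the training deck: a parser and builder for an MPLS label stack carried in an Ethernet II frame. The sample frame, its MAC addresses and the two-label stack (IGP label 18 over VPN label 27, the Layer 3 VPN stack described earlier) are constructed for the example; the field layout and Ethertypes are those of RFC 3032.

```python
"""MPLS label-stack parsing and building (RFC 3032 shim header).

Added example, not part of the original training deck. The sample frame
below is constructed for the example.
"""
import struct

ETHERTYPE_MPLS_UNICAST = 0x8847
ETHERTYPE_MPLS_MULTICAST = 0x8848


def encode_label_entry(label, exp=0, bottom=False, ttl=64):
    """Pack one 32-bit label stack entry: Label(20) | EXP(3) | S(1) | TTL(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    if not 0 <= exp < 8 or not 0 <= ttl < 256:
        raise ValueError("EXP is 3 bits, TTL is 8 bits")
    word = (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word)


def build_stack(entries, ttl=64):
    """entries: list of (label, exp) from top of stack to bottom; S is set on the last."""
    out = b""
    for i, (label, exp) in enumerate(entries):
        out += encode_label_entry(label, exp, bottom=(i == len(entries) - 1), ttl=ttl)
    return out


def parse_stack(payload):
    """Walk label entries until the bottom-of-stack bit; return (entries, rest).

    entries is a list of dicts; rest is the bytes after the last entry
    (normally the IP header, whose version is in the first nibble).
    """
    entries = []
    offset = 0
    while True:
        if len(payload) - offset < 4:
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", payload, offset)
        offset += 4
        entry = {
            "label": word >> 12,
            "exp": (word >> 9) & 0x7,
            "bottom": bool((word >> 8) & 0x1),
            "ttl": word & 0xFF,
        }
        entries.append(entry)
        if entry["bottom"]:
            return entries, payload[offset:]


def parse_ethernet_mpls(frame):
    """Return (ethertype, label entries, inner payload) for an Ethernet II frame.

    Frames whose Ethertype is not 0x8847/0x8848 are rejected: an LSR must not
    treat arbitrary payload as a label stack.
    """
    if len(frame) < 14:
        raise ValueError("short frame")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype not in (ETHERTYPE_MPLS_UNICAST, ETHERTYPE_MPLS_MULTICAST):
        raise ValueError("not an MPLS frame: ethertype 0x%04x" % ethertype)
    entries, rest = parse_stack(frame[14:])
    return ethertype, entries, rest


# Constructed sample: IGP label 18 over VPN label 27 (the two-label stack of an
# MPLS VPN packet, as on the Layer 3 VPN slide), then a minimal IPv4 header stub.
SAMPLE_IP_STUB = bytes([0x45, 0x00, 0x00, 0x14]) + bytes(16)
SAMPLE_FRAME = (
    bytes.fromhex("aa00bb000001")           # dst MAC (constructed)
    + bytes.fromhex("aa00cc000002")         # src MAC (constructed)
    + struct.pack("!H", ETHERTYPE_MPLS_UNICAST)
    + build_stack([(18, 0), (27, 5)], ttl=254)
    + SAMPLE_IP_STUB
)

if __name__ == "__main__":
    ethertype, labels, inner = parse_ethernet_mpls(SAMPLE_FRAME)
    for e in labels:
        print(e)
    print("inner IP version:", inner[0] >> 4)
```

The parser stops at the first entry with S set rather than at a fixed depth, which is what an LSR has to do too: nothing in the header says how many labels follow, so a stack truncated before the bottom entry is an error, not a shorter stack.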

Label Encapsulation

Figure: frame mode over Packet over SONET/SDH (PPP), Ethernet and Frame Relay PVCs: L2 header | Label | IP Header | Data. Cell mode over ATM PVCs: ATM header (GFC VPI VCI PTI CLP HEC) | Label | IP Header | Data in the first cell, Data in subsequent cells; with ATM label switching the VPI/VCI fields of the ATM header carry the label.


Control Component

•  Labels can be distributed by several protocols
TDP/LDP – from IGP routes
RSVP – for traffic engineering paths
BGP – for VPN routes
•  Responsible for the binding between labels and routes:
Create label bindings (local)
Distribute label binding information among Label Switching Routers


MPLS Forwarding Decisions

•  Packets are forwarded based on the label value
•  IP header and forwarding decision have been de-coupled for better flexibility
•  No need to strictly follow unicast destination based routing
•  Allows distinct forwarding decisions based on different control components:
Destination unicast routing, Traffic Engineering, Multicast, VPN, QoS

Basic MPLS Forwarding

MPLS: Forwarding

Label Distribution Protocol (e.g., LDP) establishes label to routes mappings

Label Distribution Protocol (e.g., LDP) creates LFIB entries on LSRs

LFIB entries, one table per LSR (IN label, OUT label, outgoing interface, next-hop MAC):

IN    OUT  I/F   MAC
Null  -    E0/0  aa-00-bb
Null  -    E0/1  aa-00-cc

IN    OUT  I/F   MAC
16    32   S0/0  aa-00-bb
18    27   S0/0  aa-00-cc

IN    OUT  I/F   MAC
32    64   S0/0  aa-00-bb
27    18   S0/1  aa-00-cc

IN    OUT  I/F   MAC
64    POP  S0/0  aa-00-bb
65    POP  S0/1  aa-00-cc

Ingress edge LSR receives the packet, performs Layer 3 value-added services, and labels the packet

LSRs forward labelled packets using label swapping

Edge LSR at egress removes the remaining label* and delivers the packet

* Penultimate hop popping actually occurs, so there may not be a label left in the packet at the ultimate (egress) LSR.
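The walk through the four steps above, as an added example that is not code from the training deck. The LFIB rows (IN, OUT, I/F) are the ones shown on the slides; the ingress FIB, the router names and the order of the LSRs along the path are assumptions made to join those rows into one label switched path. The walk also shows what happens to a label an LSR never allocated: there is no LFIB row for it, so the packet is dropped.

```python
"""Frame-mode MPLS forwarding walk: push at the ingress edge LSR, swap at core
LSRs, pop at the penultimate hop, plain IP delivery at the egress edge LSR.

Added example, not code from the training deck. The LFIB rows (IN, OUT, I/F)
are those of the forwarding slides; the ingress FIB, the router names and the
order of the LSRs along the path are assumptions made to join them into one LSP.
"""
import ipaddress
from dataclasses import dataclass, field

POP = "POP"


class Drop(Exception):
    """Raised when an LSR cannot forward the packet (no route, unknown label, TTL)."""


@dataclass
class Packet:
    dst_ip: str
    labels: list = field(default_factory=list)  # top of stack first
    ttl: int = 64


def fib_lookup(fib, dst_ip):
    """Longest-prefix match over a {prefix: entry} FIB; None if no route."""
    addr = ipaddress.ip_address(dst_ip)
    best_net, best_entry = None, None
    for prefix, entry in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_entry = net, entry
    return best_entry


@dataclass
class LSR:
    name: str
    fib: dict = field(default_factory=dict)   # prefix -> (label to push or None, out_if)
    lfib: dict = field(default_factory=dict)  # incoming label -> (outgoing label or POP, out_if)

    def forward(self, pkt):
        """Forwarding algorithm of the slides: labelled packets are switched on the
        top label only; unlabelled packets get an IP lookup (and a label push if
        the FIB says so). Returns the outgoing interface."""
        if pkt.ttl <= 1:
            raise Drop(f"{self.name}: TTL expired")
        pkt.ttl -= 1
        if pkt.labels:
            top = pkt.labels[0]
            if top not in self.lfib:
                # A label this LSR never allocated: nothing to map it to, so drop it.
                raise Drop(f"{self.name}: no LFIB entry for label {top}")
            out_label, out_if = self.lfib[top]
            if out_label == POP:
                pkt.labels.pop(0)           # penultimate hop popping
            else:
                pkt.labels[0] = out_label   # label swap
            return out_if
        entry = fib_lookup(self.fib, pkt.dst_ip)
        if entry is None:
            raise Drop(f"{self.name}: no route for {pkt.dst_ip}")
        push_label, out_if = entry
        if push_label is not None:
            pkt.labels.insert(0, push_label)  # ingress: impose the label
        return out_if


def walk(path, pkt):
    """Forward pkt through the LSRs in path; return [(lsr, labels after, out_if)]."""
    trace = []
    for lsr in path:
        out_if = lsr.forward(pkt)
        trace.append((lsr.name, list(pkt.labels), out_if))
    return trace


# LFIB rows from the slides; the ingress/egress FIBs and router names are constructed.
INGRESS = LSR("Ingress-PE", fib={"128.89.0.0/16": (16, "S0/0"), "171.69.0.0/16": (18, "S0/0")})
LSR_A = LSR("LSR-A", lfib={16: (32, "S0/0"), 18: (27, "S0/0")})
LSR_B = LSR("LSR-B", lfib={32: (64, "S0/0"), 27: (18, "S0/1")})
LSR_C = LSR("LSR-C", lfib={64: (POP, "S0/0"), 65: (POP, "S0/1")})
EGRESS = LSR("Egress-PE", fib={"128.89.0.0/16": (None, "E0/0"), "171.69.0.0/16": (None, "E0/1")})
PATH = [INGRESS, LSR_A, LSR_B, LSR_C, EGRESS]

if __name__ == "__main__":
    for step in walk(PATH, Packet("128.89.25.4")):
        print(step)
```

Only the ingress and egress ever look at the IP header; the core LSRs never consult a route for 128.89.25.4, which is the separation of routing from forwarding the concepts slide describes.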

Basic Application: Frame Based MPLS

Traditional Routing

Route Distribution

Figure: routers 0, 1 and 2 exchange routing updates (OSPF, EIGRP…): "You can reach 128.89 and 171.69 thru me", "You can reach 128.89 thru me", "You can reach 171.69 thru me".

Packet Routing

Figure: each router forwards the packet (Data | 128.89.25.4) based on the IP destination address 128.89.25.4.

MPLS Forwarding

Figure: each router's forwarding entry gains In Label / Out Label fields next to the prefixes 128.89 and 171.69.

Frame Based MPLS: Assigning Labels

Figure: unsolicited downstream label allocation. Each LSR advertises its bindings to its neighbours: "Pop label for 128.89", "Use label 27 for 128.89", "Use label 22 for 171.69", "Use label 29 for 171.69".

Frame Based MPLS: Packet Forwarding

Figure: the packet for 128.89.25.4 is labelled 27 and the packet for 171.69.21.7 carries label 29 on one hop and 22 on another; the penultimate hop pops the label, and the packets are delivered unlabelled (128.89.25.4 Data, 171.69.21.7 Data).

Basic Application: Hierarchical Routing

Internet Scalability

Figure: edge routers with loopbacks 150.10.1.1 and 150.10.1.2 peer via EBGP with external networks (128.89, 136.50, 156.50, 119.10 on one side; 171.69, 127.18, 204.162 on the other). Core LSRs only need a label for the BGP next hop: "I can reach 128.89, 136.50, 156.50, 119.10 via the BGP next hop 150.10.1.1 using only label 18!"

Basic Application: Cell Based MPLS (IP+ATM)

MPLS and ATM

•  Label Switching Steps:
Make the forwarding decision using a fixed-length Label
Rewrite the label with a new value
Similar to ATM cell switching
•  Key differences:
Label set up: LDP vs ATM Forum Signaling
Label granularity: Per-prefix


MPLS and ATM

•  Common forwarding paradigm
label swapping = ATM switching
•  Use the ATM user plane
use VPI/VCI for labels
The label is applied to each cell, not to the whole packet
•  Replace the ATM Forum control plane with the MPLS control component:
Network Layer routing protocols (e.g., OSPF, BGP, PIM) + Label Distribution Protocol (e.g., LDP)


Label Distribution for ATM

•  Uses LDP in “Downstream on Demand” mode

•  Referred to as Cell Based MPLS (rather than Frame Based MPLS)

•  Label Virtual Circuit (LVC) labels are requested when topology changes

•  Precedence can be associated with Label Virtual Circuit (LVC)

•  Some LDP extensions for negotiation of ATM specific parameters

Summary and Benefits

Summary

•  MPLS allows flexible packet classification and network resource optimisation
•  Labels are distributed by different protocols
LDP, RSVP, BGP
•  Different distribution protocols may co-exist in the same LSR
•  Labels have local (LSR) significance
No need for global (domain) wide label allocation/numbering


Benefits of MPLS

•  De-couples IP packet forwarding from the information carried in the IP header of the packet
•  Provides multiple routing paradigms (e.g., destination-based, explicit routing, VPN, multicast, CoS, etc…) over a common forwarding algorithm (label swapping)
•  Facilitates integration of ATM and IP: from the control plane point of view an MPLS-capable ATM switch looks like a router

LDP

Label Distribution Protocol (LDP)

•  The fundamental concept in MPLS based networks is the meaning of the label
•  The Label Distribution Protocol (LDP) provides a set of methods that allow a Label Switch Router (LSR) to share a particular label and its association with other LSRs


LDP Overview

•  IETF standard protocol, RFC 3036 (since superseded by RFC 5036)
Distributes <label, prefix> bindings for MPLS forwarding along normally routed paths
•  Runs in parallel with routing protocols
•  Neighbour discovery with UDP (port 646)
•  Incremental updates over TCP (port 646)
•  Other label distribution mechanisms can run in parallel
•  Descendant of the Cisco proprietary Tag Distribution Protocol (TDP)


LDP Introduction

•  LDP is not the only protocol that can share knowledge about labels:
TDP (Cisco specific)
•  And other protocols have been extended to support label distribution:
BGP (RFC 3107)
RSVP-TE (draft-ietf-mpls-rsvp-lsp-tunnel-09.txt, later published as RFC 3209)


Terminology – Upstream and Downstream

Figure: along the Label Switch Path (packet flow from the source towards the destination IP prefix), the label binding {Label, IP-Prefix} is advertised by the downstream platform to the upstream platform.


Terminology

•  Label Information Base (LIB)
A data structure that holds locally assigned labels and labels learned from LDP peers
•  Label Forwarding Information Base (LFIB)
A data structure and way of managing forwarding in which destinations and incoming labels are associated with outgoing interfaces and labels. The LFIB can be updated by routing changes and by label advertisements from peers
•  Forwarding Equivalence Class (FEC)
Groups of packets that are forwarded over the same Label Switch Path

LIB and LFIB structures

Figure: a router with interfaces S0/0 and S0/2 receives label distribution for 156.50.20.0 from peers R2, R3 and R4.

Routing Information Base (RIB)
Destination       Interface
156.50.20.0/24    S0/0

Label Information Base (LIB)
Destination       In Label   (Peer, Out Label)
156.50.20.0/24    27         (R2:0, 32), (R3:0, 56), (R4:0, 85)

Label Forwarding Information Base (LFIB)
Destination       In Label   Out Label   Interface
156.50.20.0/24    27         85          S0/0

Basic Configuration

 ip cef
 mpls ip
 mpls label protocol ldp
 mpls ldp router-id loopback0
 interface e0/0
  ip address 10.10.20.1 255.255.255.0
  mpls ip

mpls label protocol ldp: use LDP as opposed to TDP.
mpls ldp router-id loopback0: use the loopback address when establishing the LDP session.
mpls ip under the interface: enables LDP on this interface.
(The slide shows the interface address as 10.10.20.0, which is the network address of the /24 and not a valid host address; 10.10.20.1 is used here instead.)

Label Space

Concepts

•  LSRs must be able to distinguish between labelled packets
A label corresponds to a particular Forwarding Equivalence Class (FEC)
•  An LSR can distribute the same label/FEC mapping to different neighbours
•  The same label can be assigned to different FECs if and only if the LSR can distinguish the interface from which the packet will arrive
That is, the LSR can identify the upstream neighbour that inserted the label


Classes of Label Space

•  There are two classes of label spaces:
INTERFACE LABEL SPACE: the label is specific to a particular interface. This is generally found in (but not restricted to) ATM interfaces in MPLS cell mode, which uses the VPI/VCI fields as labels.
PLATFORM LABEL SPACE: the label value/meaning is not specific to an interface, but is understood by a number of interfaces on the same box. This is generally found in frame mode (this is the Cisco implementation for frame mode).


Per Interface Label Space

•  Per interface label space
Labels are unique on a per-interface basis
Used over ATM interfaces
Label = VC
With interface label space, an LSR will accept labelled packets from an upstream neighbour only if the labels have been previously advertised to that neighbour.
No label spoofing

Per Interface Label Space

•  The LFIB on an LSR contains the incoming interface.
•  Labels have to be assigned for individual interfaces.
•  The same label can be reused (with a different meaning) on different interfaces.
•  Label allocation is secure: LSRs cannot send packets with labels that were not assigned to them.

LFIB on Router C (upstream routers A and B on ATM 0/0 and ATM 1/0, downstream router D on ATM 1/3):
Destination     Incoming I/F   IN VPI/VCI   Outgoing I/F   OUT VPI/VCI
156.50.4.0/24   ATM 0/0        1/73         ATM 1/3        1/339
156.50.4.0/24   ATM 1/0        1/73         ATM 1/3        1/342

Per Platform Label Space

•  The LFIB on an LSR does not contain an incoming interface.
•  The same label can be used on any interface and is announced to all adjacent LSRs.
•  The label is announced to adjacent LSRs only once and can be used on any link.
•  Per-platform label space is less secure than per-interface label space.

Figure: Router C announces X = 25 to neighbours A, B and E; its next hop for X is D (X = 38).
LFIB on Router C
Destination   IN Label   OUT Label   Next Hop
X             25         38          Router D
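The difference between the two label spaces, as an added example that is not code from the training deck: two LFIB models for Router C, one keyed by (incoming interface, label) as on the per-interface slide and one keyed by label alone as on the per-platform slide. Router C's entries are the ones shown above (VPI/VCI 1/73 from ATM 0/0 and from ATM 1/0 mapping to different outgoing VCs; label 25 -> 38 towards D). The interface names of the frame-mode router and the probe packets are constructed.

```python
"""Per-interface vs per-platform label space: which labelled packets an LSR accepts.

Added example, not code from the deck. Router C's per-interface entries are those
of the slide (VPI/VCI 1/73 arriving on ATM 0/0 and on ATM 1/0 map to different
outgoing VCs); the per-platform entry (X: 25 -> 38 towards D) is also from the
slide. Interface names on the per-platform router and the probe packets are
constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    out_label: object   # int label, or "vpi/vci" string in cell mode
    out_if: str


class PerInterfaceLFIB:
    """Cell mode: a label means something only on the interface it was advertised on."""

    def __init__(self):
        self.table = {}   # (incoming interface, label) -> Entry

    def advertise(self, in_if, label, out_label, out_if):
        self.table[(in_if, label)] = Entry(out_label, out_if)

    def lookup(self, in_if, label):
        return self.table.get((in_if, label))   # None: never advertised here -> drop


class PerPlatformLFIB:
    """Frame mode on IOS: one label space for the whole box; the lookup ignores
    the incoming interface, so any MPLS-enabled interface can deliver label 25."""

    def __init__(self):
        self.table = {}          # label -> Entry
        self.advertised_on = {}  # label -> set of interfaces it was announced on

    def advertise(self, nbr_if, label, out_label, out_if):
        self.table[label] = Entry(out_label, out_if)
        self.advertised_on.setdefault(label, set()).add(nbr_if)

    def lookup(self, in_if, label):
        return self.table.get(label)


def accepted(lfib, in_if, label):
    """True if a packet carrying `label` that arrives on `in_if` would be switched."""
    return lfib.lookup(in_if, label) is not None


def unexpected_source(lfib, in_if, label):
    """Spoof check for per-platform space: accepted although never advertised on in_if."""
    return accepted(lfib, in_if, label) and in_if not in lfib.advertised_on.get(label, set())


def router_c_cell_mode():
    c = PerInterfaceLFIB()
    c.advertise("ATM0/0", "1/73", "1/339", "ATM1/3")   # binding given to upstream A
    c.advertise("ATM1/0", "1/73", "1/342", "ATM1/3")   # same VC number, given to upstream B
    return c


def router_c_frame_mode():
    c = PerPlatformLFIB()
    for nbr_if in ("Gi0/0", "Gi0/1", "Gi0/2"):   # towards A, B and E (names assumed)
        c.advertise(nbr_if, 25, 38, "Gi0/3")      # next hop D behind Gi0/3 (assumed)
    return c
```

In frame mode the "less secure" on the slide means exactly what `unexpected_source` reports: label 25 is switched even when it arrives on Gi0/3, where Router C never announced it. The LFIB cannot tell the difference, so the practical control is to run LDP and label switching only on interfaces facing trusted P/PE neighbours and to leave `mpls ip` off CE-facing and other untrusted interfaces.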

LDP Identifier & Sessions

LDP Identifier

•  LSR ID
The LSR ID is a four byte number that identifies a specific LSR. These four bytes must be unique in the network. Generally they are derived from an interface address on the LSR. In IOS (by default) this is the highest IP address of a loopback if one is available, otherwise the highest interface IP address.
•  Label Space ID
A two byte number that identifies a specific label space on the LSR. Label space id 0 is reserved for the platform label space (this is the Cisco default for frame based MPLS).
•  LDP Identifier
The six byte concatenation of the LSR ID and the Label Space ID is the LDP Identifier. It uniquely identifies the label space.
•  Example: 156.50.10.1:0

Figure: LSR ID a.b.c.d + label space n -> LDP Identifier a.b.c.d:n

LDP Identifier – IOS Commands

router#show mpls ldp discovery detail
 Local LDP Identifier:
    200.200.200.200:0
 Discovery Sources:
    Interfaces:
        Ethernet0/0 (ldp): xmit/recv
            LDP Id: 10.10.10.10:0
              Src IP addr: 100.50.0.2; Transport IP addr: 10.10.10.10

router(config)#mpls ldp router-id loopback0 force

Local LDP Identifier: the local LSR ID in the global (platform) label space. LDP Id: the remote LSR ID discovered. The force keyword changes the LSR ID immediately, rather than waiting for a reload or for the current ID's address to be removed.

LDP Session

•  Each LDP identifier has a separate LDP session per neighbour
Each LSR label space has its own distinct LDP session
Multiple links between adjacent routers use the same session
•  Each session has its own TCP (646) connection

LDP Sessions and Label Space

•  One LDP session is established for each announced LDP identifier (Router ID + Label Space).
•  The number of LDP sessions is determined by the number of different label spaces.

Figure: two LSRs connected by POS and ATM links. With per-interface label space (ATM interfaces with their own label space identifiers, e.g. 1.0.0.1:10 and 1.0.0.1:20) two LDP sessions are established; with per-platform label space (1.0.0.1:0 on the POS, ATM and Ethernet links) a single LDP session is established.

LDP Neighbor Discovery

•  Basic Discovery
Directly connected LSRs
Discovered through hello packets
Sent to the all-routers-in-subnet multicast address (224.0.0.2), UDP port 646
•  Extended discovery
Non-directly connected LSRs (e.g., across a TE path)
Targeted hello packets to a specific address
Discovery is asymmetric (one in each direction)
•  Once discovery is done, LDP sessions are established

Basic LDP Discovery

•  The LDP session is established from the LSR with the higher transport address. The establishing router is called the Active LSR.

Figure: routers A (1.0.0.1, MPLS_A), B (1.0.0.2, MPLS_B), C (1.0.0.3, NO_MPLS_C, no MPLS) and D (1.0.0.4) share one segment. Hellos go as UDP to 224.0.0.2:646 from 1.0.0.1:1050, 1.0.0.2:1064 and 1.0.0.4:1033. The higher transport address opens each session: TCP 1.0.0.2:1043 -> 1.0.0.1:646, TCP 1.0.0.4:1065 -> 1.0.0.1:646, TCP 1.0.0.4:1066 -> 1.0.0.2:646.
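The discovery exchange on the slide, as an added example that is not code from the training deck: a builder and parser for an LDP Hello PDU using the RFC 3036 framing (PDU header, Hello message, Common Hello Parameters and IPv4 Transport Address TLVs), plus the active/passive decision that produced the three TCP connections in the figure. The addresses are those of the slide (1.0.0.1, 1.0.0.2, 1.0.0.4; hellos to 224.0.0.2 port 646); hold time and message IDs are constructed.

```python
"""LDP basic discovery: build and parse a Hello PDU with RFC 3036 framing, and
decide which LSR is the active side of the session.

Added example, not code from the deck. The addresses follow the discovery slide
(1.0.0.1, 1.0.0.2 and 1.0.0.4 on one segment; 224.0.0.2 port 646 for hellos).
Hold time and message IDs are constructed.
"""
import socket
import struct

LDP_PORT = 646
ALL_ROUTERS = "224.0.0.2"     # basic discovery: all routers on this subnet
LDP_VERSION = 1
MSG_HELLO = 0x0100
TLV_COMMON_HELLO = 0x0400
TLV_IPV4_TRANSPORT = 0x0401


def ldp_identifier(lsr_id, label_space=0):
    """6 bytes: 4-byte LSR ID (an IPv4 address) + 2-byte label space (0 = platform)."""
    return socket.inet_aton(lsr_id) + struct.pack("!H", label_space)


def format_ldp_identifier(raw):
    return "%s:%d" % (socket.inet_ntoa(raw[:4]), struct.unpack("!H", raw[4:6])[0])


def tlv(tlv_type, value):
    return struct.pack("!HH", tlv_type, len(value)) + value


def hello_destination(targeted_peer=None):
    """Basic discovery multicasts to 224.0.0.2; extended discovery unicasts to the peer."""
    return (targeted_peer or ALL_ROUTERS, LDP_PORT)


def build_hello(lsr_id, transport_addr, hold_time=15, targeted=False, msg_id=1):
    """PDU = version(2) length(2) LDP-ID(6) | Hello: type(2) len(2) msg-id(4) TLVs."""
    flags = 0x8000 if targeted else 0            # T bit; R bit left clear
    body = tlv(TLV_COMMON_HELLO, struct.pack("!HH", hold_time, flags))
    body += tlv(TLV_IPV4_TRANSPORT, socket.inet_aton(transport_addr))
    message = struct.pack("!HHI", MSG_HELLO, 4 + len(body), msg_id) + body
    rest = ldp_identifier(lsr_id) + message      # PDU length counts from here
    return struct.pack("!HH", LDP_VERSION, len(rest)) + rest


def parse_hello(pdu, src_ip):
    """Return the fields an LSR records for a hello adjacency. Malformed PDUs raise."""
    version, pdu_len = struct.unpack_from("!HH", pdu, 0)
    if version != LDP_VERSION or pdu_len != len(pdu) - 4:
        raise ValueError("bad LDP PDU header")
    msg_type, msg_len, _msg_id = struct.unpack_from("!HHI", pdu, 10)
    if msg_type & 0x7FFF != MSG_HELLO:
        raise ValueError("not a Hello message")
    info = {"ldp_id": format_ldp_identifier(pdu[4:10]), "hold_time": None,
            "targeted": False, "transport": src_ip}   # no transport TLV: use source
    offset, end = 18, 14 + msg_len
    while offset < end:
        t, length = struct.unpack_from("!HH", pdu, offset)
        value = pdu[offset + 4:offset + 4 + length]
        offset += 4 + length
        t &= 0x3FFF                                # mask the U and F bits
        if t == TLV_COMMON_HELLO:
            info["hold_time"], flags = struct.unpack("!HH", value)
            info["targeted"] = bool(flags & 0x8000)
        elif t == TLV_IPV4_TRANSPORT:
            info["transport"] = socket.inet_ntoa(value)
    return info


def _as_int(ip):
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def session_role(local_transport, peer_transport):
    """The LSR with the higher transport address is active: it opens TCP to port 646."""
    if local_transport == peer_transport:
        raise ValueError("transport addresses must differ")
    return "active" if _as_int(local_transport) > _as_int(peer_transport) else "passive"


def planned_sessions(transport_addrs):
    """(active, passive) pairs for every LSR pair that heard each other's hellos."""
    pairs = []
    for a in transport_addrs:
        for b in transport_addrs:
            if _as_int(a) > _as_int(b):
                pairs.append((a, b))
    return sorted(pairs, key=lambda p: (_as_int(p[0]), _as_int(p[1])))
```

The transport address is what the peers compare, not the LSR ID: when a Hello carries no Transport Address TLV the source address of the Hello is used instead, which is why `parse_hello` defaults the field to the packet's source and why `mpls ldp router-id loopback0` matters for predictable session endpoints.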

Extended LDP Discovery

•  LDP neighbour discovery of non-adjacent neighbours
Differs from normal discovery only in the addressing of hello packets
•  Targeted hello packets use a unicast IP address instead of the multicast address
•  Extended discovery is asymmetric
•  Once a neighbour is discovered, the mechanism to

LDP Sessions - Non directly connected LSR

Figure: routers R1 (118.1.1.1) to R9; R8 has address 133.0.0.33. The normally routed path differs from the traffic engineered path R1 – R8. A targeted LDP session between R1 and R8 is built from targeted hellos sent as unicast UDP in each direction: 118.1.1.1:1052 -> 133.0.0.33 and 133.0.0.33:1052 -> 118.1.1.1.

LDP Identifier – IOS Commands

Router# show mpls ldp discovery
 Local LDP Identifier:
    118.1.1.1:0
 Discovery Sources:
    Interfaces:
        POS2/0 (ldp): xmit/recv
            LDP Id: 155.0.0.55:0
        Tunnel1 (ldp): Targeted -> 133.0.0.33
    Targeted Hellos:
        118.1.1.1 -> 133.0.0.33 (ldp): active, xmit/recv
            LDP Id: 133.0.0.33:0

Tunnel1 (ldp): Targeted -> 133.0.0.33: a targeted hello is being sent. Targeted Hellos … active, xmit/recv: the targeted LDP session is active across the tunnel interface.

Targeted Configuration

 ip cef
 mpls ip
 mpls label protocol ldp
 mpls ldp router-id loopback0
 interface tunnel0
  tunnel destination 10.20.10.1
  mpls ip
 !
 mpls ldp discovery targeted-hello accept

mpls ip on the tunnel interface enables LDP with the tunnel destination 10.20.10.1 as the target. If mpls ldp discovery targeted-hello accept is entered, the router will accept targeted LDP hellos from the other end (the slide writes it as "targeted-hellos"; the IOS keyword is targeted-hello). Accepting targeted hellos from any source lets any host that can reach the router-id address attempt an LDP session, so in practice the command is qualified with "from <access-list>" to name the permitted peers.

Label Stacking across tunnel interface

Figure: between R1 and R8 the packet carries the stack TE | LDP | Packet while inside the TE tunnel, and LDP | Packet on the links outside it. The LDP label learned over the targeted session sits underneath the TE label.

LDP Session Establishment

LDP Session Negotiation

•  Peers first exchange Initialization messages.
•  The session is ready to exchange label mappings after receiving the first Keepalive.

Figure (MPLS_A = 1.0.0.1, MPLS_B = 1.0.0.2; B, the higher transport address, is the active LSR):
1. Establish TCP session
2. Initialization message
3. Initialization message, Keepalive
4. Keepalive
5. Address message ….
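The exchange in the figure above, as an added example that is not code from the training deck: a simulation of the RFC 3036 session initialization state machine run between two peers, covering the Initialization messages, the Keepalive that makes the session operational, negotiation of the session keepalive time, and the rejection of an Initialization that names the wrong LDP Identifier. It also includes the Init backoff described on the next slide (session maintenance). Peers follow the figure (A = 1.0.0.1, B = 1.0.0.2, B active); the proposed keepalive values, the advertisement mode and the backoff floor are assumptions.

```python
"""LDP session negotiation (RFC 3036 section 2.5.4) simulated between two
peers: Initialization messages, keepalive exchange, negotiation of the session
keepalive time, and rejection of an Initialization that names the wrong LDP
Identifier. Also the Init backoff from the session maintenance slide.

Added example, not code from the deck. Peers follow the slide (A = 1.0.0.1,
B = 1.0.0.2; B, the higher transport address, is active). Proposed keepalive
values, the advertisement mode and the backoff floor are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Init:
    sender: str      # sender's LDP Identifier, e.g. "1.0.0.2:0"
    receiver: str    # LDP Identifier the sender thinks it is talking to
    keepalive: int   # proposed KeepAlive time in seconds
    adv_mode: str    # "DU" downstream unsolicited or "DoD" downstream on demand


@dataclass
class KeepAlive:
    pass


@dataclass
class Notification:
    status: str


class LdpSession:
    def __init__(self, ldp_id, peer_id, role, keepalive=180, adv_mode="DU"):
        self.ldp_id, self.peer_id, self.role = ldp_id, peer_id, role
        self.proposed, self.adv_mode = keepalive, adv_mode
        self.state = "NONEXISTENT"
        self.keepalive = None          # negotiated value

    def _init(self):
        return Init(self.ldp_id, self.peer_id, self.proposed, self.adv_mode)

    def tcp_connected(self):
        """Active side sends Init at once; passive side waits for the peer's Init."""
        self.state = "INITIALIZED"
        if self.role == "active":
            self.state = "OPENSENT"
            return [self._init()]
        return []

    def _reject_reason(self, init):
        if init.receiver != self.ldp_id:
            return "Session Rejected/No Hello"     # not the LDP ID we advertised
        if init.adv_mode != self.adv_mode:
            return "Session Rejected/Parameters Advertisement Mode"
        return None

    def receive(self, msg):
        """Apply the FSM; return the messages to send in reply."""
        if isinstance(msg, Init):
            reason = self._reject_reason(msg)
            if reason:
                self.state = "NONEXISTENT"
                return [Notification(reason)]
            self.keepalive = min(self.proposed, msg.keepalive)   # both sides use the smaller
            if self.state == "INITIALIZED":        # passive: answer with Init + KeepAlive
                self.state = "OPENREC"
                return [self._init(), KeepAlive()]
            if self.state == "OPENSENT":           # active: acceptable Init, wait for KeepAlive
                self.state = "OPENREC"
                return []
        if isinstance(msg, KeepAlive) and self.state == "OPENREC":
            self.state = "OPERATIONAL"
            return [KeepAlive()] if self.role == "active" else []
        if isinstance(msg, Notification):
            self.state = "NONEXISTENT"
        return []


def run_exchange(active, passive):
    """Drive both peers until the queue drains; return [(from, to, message)]."""
    transcript = []
    passive.tcp_connected()
    pending = [(active, passive, m) for m in active.tcp_connected()]
    while pending:
        src, dst, msg = pending.pop(0)
        transcript.append((src.ldp_id, dst.ldp_id, type(msg).__name__))
        pending.extend((dst, src, reply) for reply in dst.receive(msg))
    return transcript


def init_backoff(attempt, floor=15, ceiling=120):
    """Active LSR's retry delay after a fatal Init notification: exponential, capped."""
    return min(floor * 2 ** attempt, ceiling)
```

The negotiated keepalive time is what `show mpls ldp neighbor detail` later prints as the peer holdtime; IOS sends keepalives at one third of it, which is the 180000 ms / 60000 ms pair shown on that slide.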


LDP Session Maintenance

•  LSRs maintain their session by:
Continued periodic transmission of discovery Hello packets to indicate willingness to label switch on the link
Periodic transmission of Keepalive messages on the session TCP connection to monitor the integrity of the TCP connection
•  In session establishment, if there is an Init fatal notification, there is a backoff starting at less than 15 seconds and exponentially increasing to 2 minutes. Only the active LSR does this.
•  Hello configuration TLV could be used to speed up


LDP Neighbours – IOS command

router#show mpls ldp neighbor
    Peer LDP Ident: 10.13.1.52:0; Local LDP Ident 10.13.1.59:0
        TCP connection: 10.13.1.52.646 - 10.13.1.59.12331
        State: Oper; Msgs sent/rcvd: 143/144; Downstream
        Up time: 00:00:55
        LDP discovery sources:
          FastEthernet9/0/0, Src IP addr: 10.13.5.22
        Addresses bound to peer LDP Ident:
          10.13.1.52   10.13.5.18   200.37.52.5   200.6.52.13   10.13.0.52   10.13.5.22

Addresses bound to peer LDP Ident: these are the interface IP addresses of the LDP peer 10.13.1.52. Downstream: unsolicited downstream label allocation. The TCP connection line shows the local router (10.13.1.59, the higher transport address) as the active side, connected from an ephemeral port to the peer's port 646.


LDP Session Detail – IOS Command

router#show mpls ldp neighbor detail
    Peer LDP Ident: 10.13.1.52:0; Local LDP Ident 10.13.1.59:0
        TCP connection: 10.13.1.52.646 - 10.13.1.59.12331
        State: Oper; Msgs sent/rcvd: 150/153; Downstream; Last TIB rev sent 1138
        Up time: 00:07:49; UID: 74; Peer Id 0;
        LDP discovery sources:
          FastEthernet9/0/0; Src IP addr: 10.13.5.22
            holdtime: 15000 ms, hello interval: 5000 ms
        Addresses bound to peer LDP Ident:
          10.13.1.52   10.13.5.18   200.37.52.5   200.6.52.13   10.13.0.52   10.13.5.22
        Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab

holdtime / hello interval under the discovery source: hello holdtime and hello interval. Peer holdtime / KA interval: the negotiated session keepalive holdtime and the keepalive transmission interval.

Label Distribution, Control and Retention


Label Distribution Methods

•  Control: whether labels are distributed regardless of whether an outgoing label is available for the prefix
•  Retention: whether received labels are kept on the local router
•  Advertisement: whether labels are distributed unsolicited or only if requested
•  The modes shown here are generally how routers and ATM switches are configured for MPLS

Mode            Router                   IP+ATM
Control         Independent              Ordered
Retention       Liberal                  Conservative
Advertisement   Unsolicited downstream   Downstream on demand

Label Distribution: Unsolicited Downstream

•  A label for a prefix is allocated and advertised to all neighbour LSRs, regardless of whether the neighbours are upstream or downstream LSRs for the destination.

Figure: routers A, B, C, D and E; B advertises X = 25 to every neighbour.
LIB on Router B
Network   LSR     Label
X         Local   25

Label Distribution: Downstream on Demand

Figure: B sends a label request for X (RQ X) to its next hop. Routing tables: B: X via C; C: X via D; D: X via E; E: X connected.

92 MPLS Training - Basic

LSP Control: Independent Control

•  A LSR can always assign a label for a prefix, even if it

has no downstream label. !

•  Independent control can only be used for LSRs with

layer-3 capabilities.! Network Next-Hop X C Routing Table B" Network Next-Hop X D Routing Table C" Network Next-Hop X E Routing Table D" Network Next-Hop X Conn Routing Table E"

B E

X

C D

X = 25!

Destination IN Label OUT Label Next Hop

X 37 - Router E

LFIB on Router C

(93)

93 MPLS Training - Basic

LSP Control: Independent Control

X=37!

•  A LSR can always assign a label for a prefix, even if it

has no downstream label. !

•  Independent control can only be used for LSRs with

layer-3 capabilities.! RQ X! Network Next-Hop X C Routing Table B" Network Next-Hop X D Routing Table C" Network Next-Hop X E Routing Table D" Network Next-Hop X Conn Routing Table E"

B E

X

C D

X = 25!

Destination IN Label OUT Label Next Hop

X 37 - Router E

LSP Control: Ordered Control

•  An LSR can only assign a label if it has already received a label from the next-hop LSR; otherwise it must request a label from the next-hop LSR. Used in IP+ATM switches.

Figure: label requests (RQ X) propagate hop by hop towards X, and label mappings (X=17, X=82, X=37, X=25) are returned in order from the downstream LSR. Routing tables as above.
LFIB on Router C
Destination   IN Label   OUT Label   Next Hop
X             37         -           Router E

Label Retention: Liberal Retention Mode

•  Every LSR stores the received label in its LIB, even when the label is not received from a next-hop LSR.
•  Liberal retention mode improves convergence speed.

Figure: B advertises X = 25 to A, C and D. Before the advertisement each LIB holds "X - -"; afterwards every one of them holds the entry, whether or not B is the next hop:
LIB on Router A / Router C / Router D
Network   LSR   Label
X         B     25

Label Retention: Conservative Retention Mode

•  An LSR stores only the labels received from next-hop LSRs; all other labels are ignored.
•  Downstream-on-demand distribution is required during the convergence phase.

Figure: B advertises X = 25 to A, C and D. The LIBs on routers A, C and D keep "X - -" for any peer that is not their next hop for X.
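An added example that is not code from the training deck, tying together the LIB and LFIB structures slide (prefix 156.50.20.0/24, local label 27, remote bindings (R2:0, 32), (R3:0, 56), (R4:0, 85), RIB next hop via S0/0) with the control and retention modes just described: how the LFIB row is derived from the RIB and the LIB, when ordered versus independent control lets the LSR advertise, and what happens to the outgoing label after a next-hop change under liberal and under conservative retention. That R4 is the peer behind S0/0 and R3 the peer behind S0/2 is an assumption.

```python
"""How an LSR derives its LFIB entry from the RIB and the LIB, why ordered
control delays advertisement, and why liberal retention converges faster than
conservative retention after a next-hop change.

Added example, not code from the deck. Values follow the LIB/LFIB slide: prefix
156.50.20.0/24, local label 27, remote bindings (R2:0, 32), (R3:0, 56),
(R4:0, 85) and a RIB next hop out of S0/0. That R4 is the peer behind S0/0 and
R3 the peer behind S0/2 is an assumption.
"""
from dataclasses import dataclass, field

PREFIX = "156.50.20.0/24"
UNTAGGED = "untagged"   # IOS shows this when no outgoing label is known


@dataclass
class LSR:
    name: str
    retention: str = "liberal"                        # or "conservative"
    control: str = "independent"                      # or "ordered"
    rib: dict = field(default_factory=dict)           # prefix -> (next-hop peer, out_if)
    local_labels: dict = field(default_factory=dict)  # prefix -> locally assigned label
    lib: dict = field(default_factory=dict)           # prefix -> {peer: label received}

    def next_hop(self, prefix):
        return self.rib[prefix][0]

    def receive_mapping(self, peer, prefix, label):
        """Label Mapping from a peer. Conservative retention keeps only the binding
        from the current next hop; liberal retention keeps them all."""
        if self.retention == "conservative" and self.next_hop(prefix) != peer:
            return False
        self.lib.setdefault(prefix, {})[peer] = label
        return True

    def may_advertise(self, prefix):
        """Independent control: advertise as soon as a local label exists.
        Ordered control: only once the next hop has supplied a label (or the
        prefix is directly connected)."""
        if prefix not in self.local_labels:
            return False
        if self.control == "independent":
            return True
        nh = self.next_hop(prefix)
        return nh == "connected" or nh in self.lib.get(prefix, {})

    def lfib(self):
        """LFIB row per local label: the outgoing label is the one learned from
        the RIB next hop, not from any other peer in the LIB."""
        table = {}
        for prefix, in_label in self.local_labels.items():
            nh, out_if = self.rib[prefix]
            out = self.lib.get(prefix, {}).get(nh, UNTAGGED)
            table[in_label] = (prefix, out, out_if)
        return table


def build_router(retention, control="independent"):
    r = LSR("R1", retention=retention, control=control)
    r.rib[PREFIX] = ("R4:0", "S0/0")
    r.local_labels[PREFIX] = 27
    for peer, label in (("R2:0", 32), ("R3:0", 56), ("R4:0", 85)):
        r.receive_mapping(peer, PREFIX, label)
    return r


def failover_trace(retention):
    """LFIB outgoing label before, right after, and some time after the next hop
    for PREFIX moves from R4 (S0/0) to R3 (S0/2)."""
    r = build_router(retention)
    before = r.lfib()[27][1]
    r.rib[PREFIX] = ("R3:0", "S0/2")
    during = r.lfib()[27][1]               # liberal: R3's label is already in the LIB
    r.receive_mapping("R3:0", PREFIX, 56)  # conservative: must wait for R3 to (re)send it
    after = r.lfib()[27][1]
    return before, during, after
```

The "untagged" interval is the convergence cost the conservative slide refers to: until R3's mapping arrives (or is requested, in downstream-on-demand), the router has a route but no label for it and has to forward the prefix as plain IP, which breaks anything that depends on an end-to-end LSP such as a VPN.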


IOS Show commands

router#sh mpls ldp neig | inc TCP
        TCP connection: 10.7.0.1.646 - 10.7.0.3.11011
        TCP connection: 10.7.0.5.11026 - 10.7.0.3.646
        TCP connection: 10.7.0.6.11024 - 10.7.0.3.646
        TCP connection: 10.7.0.9.11034 - 10.7.0.3.646

router#show mpls ldp bind 10.5.0.8 255.255.255.252
  tib entry: 10.5.0.8/30, rev 46
        local binding:  tag: 33
        remote binding: tsr: 10.7.0.5:0, tag: 17
        remote binding: tsr: 10.7.0.1:0, tag: 29
        remote binding: tsr: 10.7.0.6:0, tag: 19
        remote binding: tsr: 10.7.0.9:0, tag: 20

LIB structure: the local binding plus one remote binding per LDP peer (liberal retention keeps all four).

router#show tag for 10.5.0.8
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
33     20          10.5.0.8/30       0          Et3/0      10.5.0.17

LFIB structure: only the outgoing tag 20 received from the next hop (peer 10.7.0.9) is installed. The TCP connection lines also show the active-LSR rule: this router (10.7.0.3) opened the session to 10.7.0.1, the lower address, while 10.7.0.5, 10.7.0.6 and 10.7.0.9 opened theirs towards it.

router#show ip route 10.5.0.8
Routing entry for 10.5.0.8/30
  Known via "ospf 1", distance 110, metric 30, type intra area
  Last update from 10.5.0.17 on Ethernet3/0, 1w0d ago
  Routing Descriptor Blocks:
  * 10.5.0.17, from 10.7.0.2, 1w0d ago, via Ethernet3/0
      Route metric is 30, traffic share count is 1

router#show mpls ldp neig 10.7.0.9
    Peer LDP Ident: 10.7.0.9:0; Local LDP Ident 10.7.0.3:0
        TCP connection: 10.7.0.9.11034 - 10.7.0.3.646
        State: Oper; Msgs sent/rcvd: 12932/12965; Downstream
        Up time: 1w0d
        LDP discovery sources:
          Ethernet3/0, Src IP addr: 10.5.0.17
        Addresses bound to peer LDP Ident:
          10.5.0.17   10.7.0.9   10.5.0.38   10.5.0.46

The RIB next hop 10.5.0.17 is one of the addresses bound to peer 10.7.0.9:0 (learned from its Address messages); that is how the LFIB above selects this peer's binding (tag 20) as the outgoing tag rather than the bindings received from 10.7.0.1, 10.7.0.5 or 10.7.0.6.


What is an MPLS-VPN?

•  An IP network infrastructure delivering private network services over a public infrastructure
Use a layer 3 backbone
Scalability, easy provisioning
Global as well as non-unique private address space
QoS
Controlled access


VPN Models

•  There are two basic types of design models that deliver VPN functionality:
Overlay Model
Peer Model


The Overlay model

•  Private trunks over a TELCO/SP shared infrastructure
Leased/Dialup lines
FR/ATM circuits
IP (GRE) tunnelling
•  Transparency between provider and customer networks
•  Optimal routing requires a full mesh over the shared infrastructure


The Peer model

•  Both provider and customer networks use the same network protocol and control plane
•  CE and PE routers have a routing adjacency at each site
•  All provider routers hold the full routing information about all customer networks
•  Private addresses are not allowed
•  May use the virtual router capability
Multiple routing and forwarding tables based on customer networks


MPLS-VPN = True Peer model

•  MPLS-VPN is similar in operation to peer model

•  Provider Edge routers receive and hold routing

information only about VPNs directly connected

•  Reduces the amount of routing information a PE

router will store

•  Routing information is proportional to the number

of VPNs a router is attached to

•  MPLS is used within the backbone to switch

MPLS VPN Connection Model

•  A VPN is a collection of sites sharing common routing information (routing table)
•  A site can be part of different VPNs
•  A VPN has to be seen as a community of interest (or Closed User Group)

MPLS VPN Connection Model

•  A site belonging to different VPNs may or MAY NOT be used as a transit point between VPNs
•  If two or more VPNs have a common site, address space must be unique among these VPNs

(Diagram: Site-1, Site-2, Site-3 and Site-4 attached to the overlapping VPN-A, VPN-B and VPN-C)

MPLS VPN Connection Model

•  The VPN backbone is composed of MPLS LSRs
   PE routers (edge LSRs)
   P routers (core LSRs)
•  The customer router connecting to the VPN backbone is called the Customer Edge (CE)
•  PE routers face the CE routers and distribute VPN information through MP-BGP to other PE routers
   VPN-IPv4 addresses, Extended Community, Label
•  P routers do not run MP-BGP and do not have any

MPLS VPN Components

(Diagram: the P Network, under Provider Control, is built from LSRs and edge LSRs (PE); the PE routers attach to the CE routers of the C Networks, which are under Customer Control)


PE-CE Routing

•  PE and CE routers exchange routing information through eBGP, Static, OSPF, ISIS, RIP, EIGRP
•  The CE router runs standard routing software, not aware it is connected to a VPN network

(Diagram: one PE router with two attached CE routers, CE1 and CE2)

PE-CE routing protocols

•  Static/BGP are the most scalable
   A single PE router can support 100s or 1000s of CE routers
•  BGP is the most flexible
   Particularly for multi-homing, but not popular with Enterprises
   Very useful if the Enterprise requires Internet routes
•  Use the others to meet customer requirements
   OSPF popular with Enterprises, but it consumes a routing process per VRF
   EIGRP not popular with Service Providers (Cisco proprietary)
   IS-IS less prevalent in Enterprise environments

Routing Protocol Contexts

•  Routing processes run within specific routing contexts
•  Populate specific VPN routing tables and FIBs (VRF)
•  Interfaces are assigned to VRFs

(Diagram: a RIP process with routing contexts RIP 1 and RIP 2, a BGP process with contexts BGP 1, BGP 2 and BGP 3, and static routes, each populating the VRF routing tables and VRF forwarding tables for Site A, Site B and Site C)

OSPF and Single Routing Instances

•  With OSPF there is a single process per VRF
•  Same for IS-IS
•  No routing contexts
•  Prior to 12.0(27)S and 12.3(4)T a maximum of 28 processes allowed

(Diagram: one OSPF routing process per VRF, each populating the VRF routing and forwarding tables for Site A, Site B and Site C)


Routing Tables

•  PE routers maintain separate routing tables
•  Global Routing Table
   All the PE and P routes, populated by the VPN backbone IGP (ISIS or OSPF)
•  VPN Routing and Forwarding Tables (VRF)
   Routing and Forwarding table associated with one or more directly connected sites (CEs)
   VRFs are associated with (sub/virtual/tunnel) interfaces
   Interfaces may share the same VRF if the connected sites may share the same routing information

(Diagram: a PE with CE1 and CE2 attached; PE-CE routing populates the VRF, the VPN Backbone IGP (OSPF, ISIS) populates the global table)

IGP and label distribution in the backbone

•  All routers (P and PE) run an IGP and a label distribution protocol
•  Each P and PE router has routes for the backbone nodes and a label is associated to each route
•  MPLS forwarding is used within the core

(Diagram: CE1 and CE2 attach to PE1, CE3 and CE4 attach to PE2, with P1 and P2 in the core between the two PEs. The four label tables on the slide, left to right:)

Dest  Next Hop  IN  OUT
PE2   P1        17  50
P2    P1        18  65
P1    S0/0      19  POP

Dest  Next Hop  IN  OUT
PE2   P2        50  34
P2    E0/2      65  POP
PE1   S3/0      67  POP

Dest  Next Hop  IN  OUT
PE2   P1        34  POP
P1    E0/1      38  POP
PE1   P1        39  67

Dest  Next Hop  IN  OUT
P1    P2        44  38
P2    P2        36  65
PE1   P2        18  39

VPN Routing and Forwarding Table

•  Multiple routing tables (VRFs) are used on PEs
•  Each VRF contains customer routes
•  Customer addresses can overlap
•  VPNs are isolated
•  Multi-Protocol BGP (MP-BGP) is used to propagate these addresses + labels between PE routers only

(Diagram: CE1 to CE4 attached to PE1 and PE2 across the P1-P2 core, with an MP-iBGP session between PE1 and PE2)

MPLS VPN Requirements

•  VPN services allow
   Customers to use overlapping address space
   Isolating customer VPNs (Intranets)
   Joining VPNs (Extranets)
•  MPLS-VPN backbone MUST
   Distinguish between customer addresses
   Forward packets to the correct destination

(Diagram: CE1 to CE4 attached to PE1 and PE2 across the P1-P2 core, with an MP-iBGP session between PE1 and PE2)

VPN Address Overlap

•  BGP propagates ONE route per destination
   Standard path selection rules are used
•  What if two customers use the same address?
•  BGP will propagate only one route - PROBLEM !!!
•  Therefore MP-BGP must DISTINGUISH between customer addresses

(Diagram: CE1 to CE4 attached to PE1 and PE2 across the P1-P2 core, with an MP-iBGP session between PE1 and PE2)

VPN Address Overlap

•  When a PE router receives VPN routes from MP-BGP, how do we know which VRF to place a route in?
•  How do we distinguish overlapping addresses between two VPNs?

(Diagram: CE1 to CE4 attached to PE1 and PE2 across the P1-P2 core, with an MP-iBGP session between PE1 and PE2)

Route-Target and Route-Distinguisher

•  MP-BGP prepends a Route Distinguisher (RD) to each VPN route in order to make it unique
•  MP-BGP assigns a Route-Target (RT) to each VPN route to identify the VPN it belongs to (or CUG)
   Route-Target is the colour of the route

(Diagram: two sites attached to PE1 both advertise prefix X; PE1 sends two VPN-IPv4 updates over the MP-iBGP session to PE2:)
   RD1:X, Next-hop=PE1, RT=RED, Label=10
   RD2:X, Next-hop=PE1, RT=ORANGE, Label=12

VPN-IPv4 updates are translated into IPv4 addresses and inserted into the VRF corresponding to the RT value

Route Propagation through MP-BGP

•  When a PE router receives an MP-BGP VPN route:
   It checks the route-target value against the VRF route-targets
   If they match, the route is inserted into the appropriate VRF
   The label associated with the VPN route is stored and used to send packets towards the destination

(Diagram: as on the previous slide, PE2 receives RD1:X, Next-hop=PE1, RT=RED, Label=10 and RD2:X, Next-hop=PE1, RT=ORANGE, Label=12 from PE1 over the MP-iBGP session)

VPN-IPv4 updates are translated into IPv4 addresses and inserted into the VRF corresponding to the RT value

Multi-Protocol BGP

•  Propagates VPN routing information
   Customer routes held in VPN Routing and Forwarding tables (VRFs)
•  Only runs on the Provider Edge
   P routers are not aware of VPNs, only labels
•  PEs are fully meshed
   Using Route Reflectors or direct peerings between PE routers


MPLS VPN Protocols

•  OSPF/IS-IS
   Used as the IGP, provides reachability between all Label Switch Routers (PE <-> P <-> PE)
•  TDP/LDP
   Distributes label information for IP destinations in the core
•  MP-BGP4
   Used to distribute VPN routing information between PEs
•  RIPv2/BGP/OSPF/EIGRP/ISIS/Static

VPN Components

•  VRF Tables
   Hold customer routes at the PE
•  Route-Distinguisher
   Allows MP-BGP to distinguish between identical customer routes that are in different VPNs
•  Route-Targets
   Used to import and export routes between different VRF tables (creates Intranets and Extranets)
•  Route-maps
   Allow finer granularity and control when importing and exporting routes between VRFs, instead of just using the route-target

MPLS VPN Operation

(Diagram: CE routers attached to PE routers around a core of P routers, with route reflectors (RR) between the PEs; the annotations on the diagram are:)

•  IGP (OSPF, ISIS) used to establish reachability to destination networks; Label Distribution Protocol establishes mappings to IGP addresses
•  CE-PE dynamic routing (or static) populates the VRF routing tables; customer routes placed into separate VRF tables at each PE
•  MP-BGP between PE routers (via the RRs) to distribute routes between VPNs: RD + VPN labels, RTs
•  Import routes into VRF if route-targets match (export = import)

MPLS VPN Label Stack

•  There are at least two labels when using MPLS-VPN
•  The first label is distributed by TDP/LDP
   Derived from an IGP route
   Corresponds to a PE address (VPN egress point)
   PE addresses are the MP-BGP next-hops of VPN routes
•  The second label is distributed by MP-BGP
   Corresponds to the actual VPN route
   Identifies the PE outgoing interface or routing table

(Diagram, packet layout: L2 Header | Label 1 | Label 2 | L3 Header | Data)

MPLS VPN Forwarding Example

(Diagram: CE - PE - P - P - PE - CE; the actions along the path, in order, are:)
   Push VPN Label (Red Route)
   Push IGP Label (Green PE Router)
   Swap IGP Label (from LFIB)
   POP IGP Label (Penultimate Hop)
   Pop VPN Label (Red Route)
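As an added example (not part of the training material), the Python below walks a packet through the two-label stack of the forwarding example: push VPN label and IGP label at the ingress PE, swap at the first P, pop the IGP label at the penultimate hop, pop the VPN label at the egress PE and land in the right VRF. The IGP label values are the ones in the four label tables on the "IGP and label distribution in the backbone" slide, read on the assumption that those tables are, left to right, PE1, P1, P2 and PE2; the VPN labels 10 (RED) and 12 (ORANGE) for prefix X are the ones PE1 advertised on the Route-Target slide. PE2's VPN label 20, the prefix Y and the next hops are constructed for the example.

```python
POP = "POP"   # the slide's notation: remove the top label (penultimate hop popping)

# Constructed model of the slide topology CE - PE1 - P1 - P2 - PE2 - CE.
# Core LFIBs: node -> {incoming label: (outgoing label or POP, next hop)}.  Label values are
# the slide's; the assumption that the tables are PE1, P1, P2, PE2 fixes which is which.
LFIB = {
    "P1": {50: (34, "P2"), 67: (POP, "PE1")},
    "P2": {34: (POP, "PE2"), 39: (67, "P1")},
}

# IGP (LDP) label an ingress PE pushes for the remote PE's address, and the next hop toward it
IGP_LABEL = {("PE1", "PE2"): (50, "P1"), ("PE2", "PE1"): (39, "P2")}

# VPN labels each PE advertised in MP-BGP: label -> VRF it identifies.  PE1's 10 and 12 are
# the slide's values; PE2's label 20 is constructed.
VPN_LABEL_TO_VRF = {
    "PE1": {10: "RED", 12: "ORANGE"},
    "PE2": {20: "RED"},
}

# VRF routes installed from those updates: PE -> VRF -> prefix -> (egress PE, VPN label).
# Prefix "X" is the slide's; "Y" is constructed for the opposite direction.
VRF_ROUTES = {
    "PE2": {"RED": {"X": ("PE1", 10)}, "ORANGE": {"X": ("PE1", 12)}},
    "PE1": {"RED": {"Y": ("PE2", 20)}},
}

def forward(ingress_pe, vrf, prefix):
    """Walk a packet from the ingress VRF to the egress VRF.

    Returns (trace, outcome): trace lists (node, label stack after that node acted on the
    packet, outer label first); outcome is the egress VRF name or "DROP".
    """
    trace = []
    route = VRF_ROUTES.get(ingress_pe, {}).get(vrf, {}).get(prefix)
    if route is None:
        return trace, "DROP"                        # no route for the prefix in this VRF
    egress_pe, vpn_label = route
    igp_label, node = IGP_LABEL[(ingress_pe, egress_pe)]
    stack = [igp_label, vpn_label]                  # inner VPN label, then outer IGP label
    trace.append((ingress_pe, list(stack)))
    while node in LFIB:                             # P routers act on the outer label only
        entry = LFIB[node].get(stack[0]) if stack else None
        if entry is None:
            trace.append((node, list(stack)))
            return trace, "DROP"                    # no LFIB entry: the packet is discarded
        out_label, next_hop = entry
        if out_label == POP:
            stack.pop(0)                            # penultimate hop removes the IGP label
        else:
            stack[0] = out_label                    # swap
        trace.append((node, list(stack)))
        node = next_hop
    # egress PE: the remaining label must be a VPN label this PE advertised itself
    egress_vrf = VPN_LABEL_TO_VRF.get(node, {}).get(stack[0]) if stack else None
    stack = stack[1:]
    trace.append((node, list(stack)))
    return trace, egress_vrf or "DROP"
```

The trace for prefix X in VRF RED entering at PE2 is [39, 10] at PE2, [67, 10] after P2, [10] after P1 (the IGP label is gone at the penultimate hop) and an empty stack at PE1, which mapped label 10 back to VRF RED. The same prefix X in VRF ORANGE travels the same path with VPN label 12 and ends in VRF ORANGE, which is the isolation property the slides describe: the P routers never consult the inner label, and the egress PE selects the VRF from a label it allocated itself.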


Basic Intranet – Full Mesh

(Diagram: Finance Site 1, Site 2 and Site 3 attached to VRF Finance at their PEs across the MPLS Core, with a VLAN 205 label on the diagram)

•  Each site has the routes of all other sites (same VPN)
   CE can be router or switch
•  MP-BGP VPNv4 updates propagated between PEs
•  Routing is optimal in the backbone

Basic Extranet – Partial Mesh

(Diagram: Design Site A (DA), Design Site B (DB), Engineering Site A (EA) and Engineering Site B (EB) across the MPLS Core; the VRF tables drawn at the PEs hold both D and E routes)

•  Basic Extranet
•  Routes can be imported directly into the corresponding VRF
•  NAT may be necessary if the Enterprises have overlapping addressing
•  Import granularity can be very fine

Branch to HQ – Hub and Spoke

(Diagram: Bank Branch 1, Branch 2 and Branch 3 in spoke VRFs (routes S1, S2, S3) and a Central HQ hub VRF across the MPLS Core; spoke routes enter the hub (Hub IN) and are sent back out towards the spokes (Spoke OUT), with an optional Firewall and NAT to X at the HQ; PE-CE routing is BGP/OSPF/RIP)

•  Forces all branches through the Central HQ
•  Spokes cannot communicate directly
•  Appropriate security screening can be applied
•  Firewalls can be used with NAT to ensure the correct return path
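As an added example (not part of the training material and not Cisco code), the Python below models the RD/RT mechanics behind the Route-Target, VPN Components, Basic Intranet, Basic Extranet and Hub and Spoke slides: each VRF exports its local prefixes as VPN-IPv4 routes (RD prepended, export RTs attached, VPN label allocated), and a receiving VRF installs a route only when one of its import RTs matches. The same routine shows why the RD keeps two customers' identical prefixes apart, why an extranet with overlapping addressing collides (the NAT case), and how a hub-and-spoke RT design keeps spokes from seeing each other directly. All PE names, RDs, RTs, prefixes and labels are constructed for the example.

```python
from dataclasses import dataclass, field
from itertools import count

@dataclass(frozen=True)
class VpnRoute:
    """One VPN-IPv4 route as carried in MP-BGP: RD + prefix, next hop, VPN label, route-targets."""
    rd: str
    prefix: str
    next_hop: str        # advertising PE (the MP-BGP next hop)
    label: int           # VPN label allocated by that PE
    rts: frozenset       # route-target extended communities attached on export

@dataclass
class Vrf:
    name: str
    pe: str
    rd: str
    export_rts: set
    import_rts: set
    local: tuple = ()                             # prefixes learned from the attached CE
    routes: dict = field(default_factory=dict)    # prefix -> VpnRoute installed by import

_labels = count(16)   # constructed label allocator; 16 is the first non-reserved label value

def export_vpn_routes(vrf):
    """Advertising PE: prepend the VRF's RD, attach its export RTs, allocate a VPN label."""
    return [VpnRoute(vrf.rd, p, vrf.pe, next(_labels), frozenset(vrf.export_rts))
            for p in vrf.local]

def import_vpn_routes(vrfs, updates):
    """Receiving PEs: install each update in every VRF whose import RTs intersect its RTs.

    Returns (vrf name, pe, prefix) collisions: a matching route carried a prefix the VRF
    already holds under another RD, i.e. an extranet with overlapping address space.
    """
    collisions = []
    for r in updates:
        for v in vrfs:
            if r.next_hop == v.pe and r.rd == v.rd:
                continue                              # the VRF that originated the route
            if not (r.rts & v.import_rts):
                continue                              # no RT in common: stays out of this VRF
            if r.prefix in v.local:
                collisions.append((v.name, v.pe, r.prefix))
                continue                              # connected prefix wins; remote one unreachable
            prev = v.routes.get(r.prefix)
            if prev is not None and prev.rd != r.rd:
                collisions.append((v.name, v.pe, r.prefix))
            v.routes[r.prefix] = r
    return collisions

def find_vrf(vrfs, name, pe):
    return next(v for v in vrfs if v.name == name and v.pe == pe)

def build_scenarios():
    """Constructed topology with three PEs covering intranet, overlap and hub-and-spoke."""
    RT_FIN, RT_RED, RT_ORANGE = "64512:100", "64512:1", "64512:2"
    RT_HUB, RT_SPOKE = "64512:300", "64512:301"
    vrfs = [
        # Basic intranet, full mesh: the same RT is exported and imported at every site
        Vrf("Finance", "PE1", "64512:100", {RT_FIN}, {RT_FIN}, ("10.10.1.0/24",)),
        Vrf("Finance", "PE2", "64512:100", {RT_FIN}, {RT_FIN}, ("10.10.2.0/24",)),
        Vrf("Finance", "PE3", "64512:100", {RT_FIN}, {RT_FIN}, ("10.10.3.0/24",)),
        # Two customers announcing the same prefix: distinct RDs keep the NLRIs unique
        Vrf("RED", "PE1", "64512:1", {RT_RED}, {RT_RED}, ("192.168.1.0/24",)),
        Vrf("ORANGE", "PE1", "64512:2", {RT_ORANGE}, {RT_ORANGE}, ("192.168.1.0/24",)),
        Vrf("RED", "PE2", "64512:1", {RT_RED}, {RT_RED}),
        Vrf("ORANGE", "PE2", "64512:2", {RT_ORANGE}, {RT_ORANGE}),
        # Hub and spoke: spokes export SPOKE and import only HUB; the hub does the reverse
        Vrf("HQ", "PE3", "64512:300", {RT_HUB}, {RT_SPOKE}, ("172.16.0.0/16",)),
        Vrf("Branch1", "PE1", "64512:301", {RT_SPOKE}, {RT_HUB}, ("172.17.1.0/24",)),
        Vrf("Branch2", "PE2", "64512:301", {RT_SPOKE}, {RT_HUB}, ("172.17.2.0/24",)),
    ]
    updates = [r for v in vrfs for r in export_vpn_routes(v)]
    return vrfs, import_vpn_routes(vrfs, updates)

def extranet_overlap():
    """Basic extranet where both enterprises use 10.0.0.0/24: the RD keeps both routes in
    MP-BGP, but only one can live in a VRF table, which is the case for NAT on the slide."""
    RT_D, RT_E = "64512:10", "64512:20"
    vrfs = [
        Vrf("Design", "PE1", "64512:10", {RT_D}, {RT_D, RT_E}, ("10.0.0.0/24",)),
        Vrf("Eng", "PE2", "64512:20", {RT_E}, {RT_E, RT_D}, ("10.0.0.0/24", "10.0.1.0/24")),
    ]
    updates = [r for v in vrfs for r in export_vpn_routes(v)]
    return vrfs, import_vpn_routes(vrfs, updates)
```

In the hub-and-spoke scenario Branch1 ends up with only the HQ prefix, while HQ holds both branch prefixes; spoke-to-spoke reachability exists only if the HQ site re-advertises the spoke routes with the hub RT (the Hub IN / Spoke OUT arrangement of the slide), which this model leaves out. The collision list is the thing to watch in an extranet design review: a non-empty list means the RT policy is importing a prefix that already exists in the VRF under a different RD.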

References

Related documents