
MPLS Introduction

Session Number Presentation_ID

2001, Cisco Systems, Inc. All rights reserved.

Agenda

Introduction to MPLS

LDP
MPLS VPN

Monitoring MPLS


MPLS Concept
At Edge:
- Classify packets
- Label them

In Core:
- Forward using labels (as opposed to IP address)
- Label indicates service class and destination

(Figure: Edge Label Switch Routers (ATM switch or router) at the network edge; Label Switch Routers (LSR: a router, or an ATM switch plus Tag Switch Controller) in the core; labels exchanged with the Label Distribution Protocol (LDP).)


MPLS concept
MPLS: Multi Protocol Label Switching
- Packet forwarding is done based on labels
- Labels are assigned when the packet enters the network
- Labels sit on top of the packet
- MPLS nodes forward packets/cells based on the label value, not on the IP information


MPLS concept
MPLS allows:
- Packet classification only where the packet enters the network
- The packet classification is encoded as a label
- In the core, packets are forwarded without having to re-classify them: no further packet analysis, only label swapping


MPLS Operation
1a. Existing routing protocols (e.g. OSPF, IS-IS) establish reachability to destination networks.
1b. Label Distribution Protocol (LDP) establishes label to destination network mappings.
2. Ingress Edge LSR receives packet, performs Layer 3 value-added services, and labels (PUSH) packets.
3. LSR switches packets using label swapping (SWAP).
4. Edge LSR at egress removes (POP) label and delivers packet.

Label Switch Path (LSP)

(Figure: two IGP domains, each with a label distribution protocol. In the first the LSP follows the IGP shortest path; in the second the LSP diverges from the IGP shortest path.)

LSPs are derived from IGP routing information
LSPs may diverge from IGP shortest path
LSPs are unidirectional: return traffic takes another LSP

Encapsulations
ATM cell header: GFC | VPI | VCI | PTI | CLP | HEC | DATA (the label is carried in the VPI/VCI fields)

PPP header (Packet over SONET/SDH): PPP Header | Label Header | Layer 3 Header

LAN MAC label header: MAC Header | Label Header | Layer 3 Header

Label Header
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|                Label                  | EXP |S|      TTL      |

Label = 20 bits
EXP = Class of Service, 3 bits
S = Bottom of Stack, 1 bit
TTL = Time to Live, 8 bits

Header = 4 bytes, Label = 20 bits. Can be used over Ethernet, 802.3, or PPP links. Contains everything needed at forwarding time.
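Added example (not part of the Cisco deck): a small Python encoder/decoder for the 4-byte label header above, including a multi-entry stack terminated by the S bit, the per-hop TTL handling on shim-header links, and the ingress rule for an LSP whose encapsulation carries no TTL (the ATM case on the "Loops and TTL" slides). Label values 4 and 9 are the ones used in the forwarding example later in the deck; everything else (function names, the truncation check in parse_stack) is this example's own choice.

```python
import struct

IMPLICIT_NULL = 3  # reserved label value that means "pop"; it is signalled, never sent on the wire


def encode_entry(label, exp, bottom, ttl):
    """Pack one 4-byte label stack entry: Label (20) | EXP (3) | S (1) | TTL (8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    if not (0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("EXP is 3 bits, TTL is 8 bits")
    word = (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word)


def decode_entry(data):
    """Unpack one entry into (label, exp, bottom_of_stack, ttl)."""
    (word,) = struct.unpack("!I", data[:4])
    return word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 1), word & 0xFF


def push_stack(labels, exp, ttl):
    """Build a label stack, top label first; only the last entry carries S=1."""
    last = len(labels) - 1
    return b"".join(encode_entry(lbl, exp, i == last, ttl) for i, lbl in enumerate(labels))


def parse_stack(packet):
    """Walk entries until the S bit is set; return ([(label, exp, ttl), ...], payload).
    A stack whose bottom-of-stack bit never arrives is rejected instead of being
    read past the end of the buffer."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(packet):
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        label, exp, bottom, ttl = decode_entry(packet[offset:offset + 4])
        entries.append((label, exp, ttl))
        offset += 4
        if bottom:
            return entries, packet[offset:]


def swap_top(packet, new_label):
    """Transit LSR on a shim-header link: swap the top label and decrement its TTL.
    Returns None when the TTL expires, i.e. the packet is discarded in the core."""
    label, exp, bottom, ttl = decode_entry(packet)
    if ttl <= 1:
        return None
    return encode_entry(new_label, exp, bottom, ttl - 1) + packet[4:]


def ingress_non_ttl_lsp(ip_ttl, lsp_hops):
    """Ingress to an LSP without TTL in the encapsulation (ATM cells): charge the
    whole LSP length up front; None means the packet is discarded at ingress."""
    remaining = ip_ttl - lsp_hops
    return remaining if remaining > 0 else None
```

The decoder stops only on an entry with S=1, so a stack that claims more entries than the buffer holds is refused rather than silently treated as payload; ingress_non_ttl_lsp(10, 4) reproduces the 10 to 6 drop shown on the TTL slide.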


Loops and TTL

In IP networks the TTL is used to prevent packets from travelling indefinitely in the network.

MPLS may use the same mechanism as IP, but not on all encapsulations:
- TTL is present in the label header for PPP and LAN headers (shim headers)
- The ATM cell header does not have a TTL

Loops and TTL


(Figure: IGP domain with a label distribution protocol. LSR-1 is the ingress of an LSP to LSR-6 (label 25, Hops = 4) through LSR-2 ... LSR-5 and the egress; labels 25, 39 and 21 are swapped along the way. An IP packet enters with TTL = 10 and leaves the LSP with TTL = 6.)

TTL is decremented by the LSP hop count prior to entering the non-TTL-capable LSP
If the TTL reaches 0 the packet is discarded at the ingress point
TTL is examined at the LSP exit

Label Assignment and Distribution

Labels have link-local significance:
- Each LSR binds its own label mappings
- Each LSR assigns labels to its FECs

Labels are assigned and exchanged between adjacent neighboring LSRs

Label Assignment and Distribution


Upstream and Downstream LSRs

(Figure: 171.68.40/24 -- Rtr-A -- Rtr-B -- Rtr-C -- 171.68.10/24)

Rtr-C is the downstream neighbor of Rtr-B for destination 171.68.10/24
Rtr-B is the downstream neighbor of Rtr-A for destination 171.68.10/24
LSRs know their downstream neighbors through the IP routing protocol: the next-hop address is the downstream neighbor

Unsolicited Downstream Distribution


(Figure: 171.68.40/24 -- Rtr-A -- Rtr-B -- Rtr-C -- 171.68.10/24. Rtr-C tells Rtr-B "Use label 40 for destination 171.68.10/24"; Rtr-B tells Rtr-A "Use label 30 for destination 171.68.10/24". Routes are IGP derived.)

Forwarding tables (In Lab, Address Prefix, Out I/F, Out Lab):
Rtr-A:  In Lab -,   171.68.10,  Out I/F 1,         Out Lab 30
Rtr-B:  In Lab 30,  171.68.10,  Out I/F 1,         Out Lab 40
Rtr-C:  In Lab 40,  171.68.10,  Out I/F next-hop,  Out Lab -

LSRs distribute labels to the upstream neighbors

On-Demand Downstream Distribution

(Figure: 171.68.40/24 -- Rtr-A -- Rtr-B -- Rtr-C -- 171.68.10/24. Rtr-A asks Rtr-B "Request label for destination 171.68.10/24"; Rtr-B asks Rtr-C the same. Rtr-C answers "Use label 40 for destination 171.68.10/24"; Rtr-B answers Rtr-A "Use label 30 for destination 171.68.10/24".)

Upstream LSRs request labels from downstream neighbors
Downstream LSRs distribute labels upon request

Label Retention Modes


Liberal retention mode
- LSR retains labels from all neighbors
- Improves convergence time when the next-hop is again available after IP convergence
- Requires more memory and label space

Conservative retention mode
- LSR retains labels only from next-hop neighbors
- LSR discards all labels for FECs without next-hop
- Frees memory and label space

Label Distribution Modes


Independent LSP control
- LSR binds a label to a FEC independently, whether or not the LSR has received a label for the FEC from the next-hop
- The LSR then advertises the label to its neighbors

Ordered LSP control
- LSR only binds and advertises a label for a particular FEC if it is the egress LSR for that FEC, or it has already received a label binding from its next-hop

Router Example: Forwarding Packets


(Figure: three routers in a row. Left router: 128.89 via I/F 1, 171.69 via I/F 1. Middle router: 128.89 via I/F 0, 171.69 via I/F 1. Right router: 128.89 via I/F 0. A packet for 128.89.25.4 is forwarded hop by hop by looking up its IP address at each router.)

Packets Forwarded Based on IP Address

MPLS Example: Routing Information


(Figure: the same three routers, each with a table of Out Label, In Label, Address Prefix, Out Iface. Routing updates (OSPF, EIGRP, ...) flow right to left: "You can reach 128.89 thru me" from the right router, "You can reach 128.89 and 171.69 thru me" from the middle router, and "You can reach 171.69 thru me" from the router attached to 171.69. After the updates: left router 128.89 and 171.69 via iface 1; middle router 128.89 via iface 0, 171.69 via iface 1; right router 128.89 via iface 0.)

Routing Updates (OSPF, EIGRP, ...)

MPLS Example: Assigning Labels


(Figure: LDP advertisements with downstream allocation. Right router: "Use label 9 for 128.89". Middle router: "Use label 4 for 128.89 and use label 5 for 171.69". Router attached to 171.69: "Use label 7 for 171.69". Resulting tables (In Label, Address Prefix, Out Iface, Out Label): left router -, 128.89, 1, 4 and -, 171.69, 1, 5; middle router 4, 128.89, 0, 9 and 5, 171.69, 1, 7; right router 9, 128.89, 0, -.)

Label Distribution Protocol (LDP), downstream allocation

MPLS Example: Forwarding Packets


(Figure: a packet for 128.89.25.4 enters the left router, which looks up 128.89 and pushes label 4; the middle router looks up label 4, swaps it to 9 and forwards on iface 0; the right router looks up label 9, pops it and delivers the IP packet.)

Label Switch Forwards Based on Label

Agenda

Introduction to MPLS

LDP
MPLS VPN

Monitoring MPLS


MPLS Unicast IP Routing


MPLS introduces a new field that is used for forwarding decisions. Although labels are locally significant, they have to be advertised to directly reachable peers.
One option would be to include this parameter in existing IP routing protocols. The other option is to create a new protocol to exchange labels.

The second option has been used because there are too many existing IP routing protocols that would have to be modified to carry labels.

Label Distribution Protocol


Defined in RFC 3036 and 3037
Used to distribute labels in an MPLS network

Forwarding equivalence class (FEC): how packets are mapped to LSPs (Label Switched Paths)
Labels are advertised per FEC: "reach destination a.b.c.d with label x"

Neighbor discovery: basic and extended discovery

MPLS Unicast IP Routing Architecture


(Figure: inside an LSR. Control plane: the routing protocol exchanges routing information and builds the IP routing table; the label distribution protocol exchanges labels. Data plane: incoming IP packets are looked up in the IP forwarding table, incoming labeled packets in the label forwarding table; each produces outgoing IP or labeled packets.)

MPLS Unicast IP Routing: Example


(Figure: control plane, OSPF learns 10.0.0.0/8 via 1.2.3.4 and re-advertises it; RT: 10.0.0.0/8 next-hop 1.2.3.4; LIB: not yet populated. Data plane: FIB: 10.0.0.0/8 next-hop 1.2.3.4; LFIB: not yet populated. Packets to 10.1.1.1, whether they arrive with label 5 or unlabeled, can only be forwarded as plain IP.)

MPLS Unicast IP Routing: Example


(Figure: control plane, OSPF: 10.0.0.0/8 via 1.2.3.4; RT: 10.0.0.0/8 next-hop 1.2.3.4. LDP advertises "10.0.0.0/8, L=5" to the upstream neighbor and receives "10.0.0.0/8, L=3" from the next-hop; LIB: 10.0.0.0/8, next-hop L=3, local L=5. Data plane: FIB: 10.0.0.0/8 next-hop 1.2.3.4, L=3; LFIB: 5 -> 3. A packet to 10.1.1.1 arriving with label 5 leaves with label 3; an unlabeled packet to 10.1.1.1 leaves with label 3.)

Label Allocation in Packet-Mode MPLS Environment


Label allocation and distribution in a packet-mode MPLS environment follows these steps:
1. IP routing protocols build the IP routing table.
2. Each LSR assigns a label to every destination in the IP routing table independently.
3. LSRs announce their assigned labels to all neighboring LSRs.
4. Every LSR builds its LIB and LFIB data structures based on the received labels.

Building the IP Routing Table


(Figure: A -- B -- C -- D -- Network X, with E also attached to B and C. Routing table of A: X via B; of B: X via C; of C: X via D; of E: X via C. FIB on A: X, next hop B, no label.)

IP routing protocols are used to build IP routing tables on all LSRs. Forwarding tables (FIB) are built based on IP routing tables with no labeling information.

Allocating Labels
(Figure: routing table of B: X via C. Router B assigns label 25 to destination X.)

Every LSR allocates a label for every destination in the IP routing table. Labels have local significance. Label allocations are asynchronous.

LIB and LFIB Set-up


(Figure: routing table of B: X via C. Router B assigns label 25 to destination X. LFIB on B: label 25, action pop, next hop C. LIB on B: X, LSR local, label 25.)

Outgoing action is POP as B has received no label for X from C.
Local label is stored in LIB.
LIB and LFIB structures have to be initialized on the LSR allocating the label.

Label Distribution
(Figure: LIB on B: X, local, 25. B sends "X = 25" to A, to C and to E.)

The allocated label is advertised to all neighbor LSRs, regardless of whether the neighbors are upstream or downstream LSRs for the destination.

Receiving Label Advertisement


(Figure: A, C and E each store "X, from B, label 25" in their LIB. FIB on A: X, next hop B, label 25.)

Every LSR stores the received label in its LIB. Edge LSRs that receive the label from their next-hop also store the label information in the FIB.

Interim Packet Propagation


(Figure: a packet for X enters A; the IP lookup in A's FIB (X, next hop B, label 25) labels it with 25. B looks label 25 up in its LFIB (pop, next hop C) and removes the label; the packet continues to C as plain IP.)

IP lookup is performed in FIB, packet is labeled.
Label lookup is performed in LFIB, label is removed.
Forwarded IP packets are labeled only on the path segments where the labels have already been assigned.

Further Label Allocation


(Figure: router C assigns label 47 to destination X and advertises "X = 47" to B and D. LIB on C: X, from B 25, local 47. LFIB on C: label 47, action pop, next hop D.)

Every LSR will eventually assign a label for every destination.

Receiving Label Advertisement


(Figure: "X = 47" reaches B and E. FIB on B: X, next hop C, label 47. LIB on B: X, local 25, from C 47. FIB on E: X, next hop C, label 47. LIB on E: X, from B 25, from C 47.)

Every LSR stores received information in its LIB. LSRs that receive their label from their next-hop LSR will also populate the IP forwarding table (FIB).

Populating LFIB
(Figure: FIB on B: X, next hop C, label 47. LIB on B: X, local 25, from C 47. LFIB on B: label 25, out label 47, next hop C.)

Router B has already assigned a label to X and created an entry in the LFIB. The outgoing label is inserted in the LFIB after the label is received from the next-hop LSR.

Packet Propagation Across MPLS Network


(Figure: ingress LSR A receives an IP packet for X, looks it up in its FIB (X, next hop B, label 25) and labels it with 25. B looks 25 up in its LFIB (out label 47, next hop C) and swaps the label. C looks 47 up in its LFIB (pop, next hop D), removes the label and forwards the IP packet toward the egress LSR.)

IP lookup is performed in FIB, packet is labeled.
Label lookup is performed in LFIB, label is switched.
Label lookup is performed in LFIB, label is removed.

Convergence in Packet-mode MPLS: Steady State

(Figure: routing table of B: X via C. FIB on B: X, next hop C, label 47. LIB on B: X, local 25, from C 47, from E 75. LFIB on B: label 25, out label 47, next hop C.)

After the LSRs have exchanged the labels, the LIB, LFIB and FIB data structures are completely populated.

Link Failure Actions


(Figure: the link B -- C fails. Routing table of B: X via C. FIB on B: X, next hop C, label 47. LIB on B: X, local 25, from C 47, from E 75. LFIB on B: label 25, out label 47, next hop C.)

Routing protocol neighbors and LDP neighbors are lost after a link failure. Entries are removed from various data structures.

Routing Protocol Convergence


(Figure: routing table of B: X via E. FIB on B: X, next hop E, no label yet. LIB on B: X, local 25, from C 47, from E 75. LFIB on B: still label 25, out label 47, next hop C.)

Routing protocols rebuild the IP routing table and the IP forwarding table.

MPLS Convergence
(Figure: routing table of B: X via E. FIB on B: X, next hop E, label 75. LIB on B: X, local 25, from C 47, from E 75. LFIB on B: label 25, out label 75, next hop E.)

The LFIB and the labeling information in the FIB are rebuilt immediately after the routing protocol convergence, based on labels stored in the LIB.

MPLS Convergence After a Link Failure

MPLS convergence in packet-mode MPLS does not impact the overall convergence time. MPLS convergence occurs immediately after the routing protocol convergence, based on labels already stored in LIB.


Link Recovery Actions


(Figure: the link B -- C comes back. Routing table of B: X via E. FIB on B: X, next hop E, label 75. LIB on B: X, local 25, from C 47, from E 75. LFIB on B: label 25, out label 75, next hop E.)

Routing protocol neighbors are discovered after link recovery.

IP Routing Convergence After Link Recovery


(Figure: routing table of B: X via C again. FIB on B: X, next hop C, no label. LIB on B: X, local 25, from C 47, from E 75. LFIB on B: label 25, action pop, next hop C.)

IP routing protocols rebuild the IP routing table. FIB and LFIB are also rebuilt, but the label information might be lacking.

MPLS Convergence After a Link Recovery


Routing protocol convergence optimizes the forwarding path after a link recovery. LIB might not contain the label from the new next-hop by the time the IP convergence is complete. End-to-end MPLS connectivity might be intermittently broken after link recovery.

Use MPLS Traffic Engineering for make-before-break recovery.


LDP Session Establishment


LDP and TDP use a similar process to establish a session:
Hello messages are periodically sent on all interfaces enabled for MPLS. If there is another router on that interface it will respond by trying to establish a session with the source of the hello messages.

UDP is used for hello messages, sent to the all-routers-on-this-subnet multicast address (224.0.0.2). TCP is used to establish the session. Both TCP and UDP use the well-known LDP port number 646 (711 for TDP).

LDP Neighbor Discovery


(Figure: four routers on one subnet. MPLS_A (1.0.0.1), MPLS_B (1.0.0.2) and MPLS_D (1.0.0.4) each send periodic UDP hellos from an ephemeral source port to 224.0.0.2:646: 1.0.0.1:1050, 1.0.0.1:1051, 1.0.0.1:1052 from MPLS_A; 1.0.0.2:1064, 1.0.0.2:1065, 1.0.0.2:1066 from MPLS_B; 1.0.0.4:1033, 1.0.0.4:1034, 1.0.0.4:1035 from MPLS_D. NO_MPLS_C (1.0.0.3) does not run MPLS and sends none.)

The LDP session is established from the router with the higher IP address.

LDP Session Negotiation


(Figure: MPLS_A (1.0.0.1) and MPLS_B (1.0.0.2). The TCP session is established, the peers exchange Initialization messages, then Keepalives.)

Peers first exchange initialization messages. The session is ready to exchange label mappings after receiving the first keepalive.
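Added example (not from the Cisco deck) for the discovery and session-setup slides above: a Python encoder and parser for the LDP Hello PDU (RFC 3036 layout: version 1 PDU header with the 6-byte LDP identifier, Hello message type 0x0100, Common Hello Parameters TLV type 0x0400 carrying the hold time), the rule that the higher transport address opens the TCP session, and a neighbor filter. The filter is this example's own hardening step, not something the slides describe: a link Hello is unauthenticated UDP to 224.0.0.2, so an LSR that answers every Hello will attempt a session with whatever sends one (RFC 3036 relies on the TCP MD5 signature option to protect the session itself). Addresses 1.0.0.1 and 1.0.0.2 are the slides'; the allowed-neighbor set is constructed.

```python
import ipaddress
import struct

LDP_PORT = 646               # UDP for Hellos, TCP for the session
ALL_ROUTERS = "224.0.0.2"    # destination of link Hellos
MSG_HELLO = 0x0100
TLV_COMMON_HELLO = 0x0400


def build_hello(lsr_id, hold_time=15, msg_id=1):
    """Encode an LDP Hello PDU: PDU header (version 1, length, LDP identifier),
    Hello message header, Common Hello Parameters TLV (hold time, T=0 R=0 for a link Hello)."""
    tlv = struct.pack("!HHHH", TLV_COMMON_HELLO, 4, hold_time, 0)
    body = struct.pack("!I", msg_id) + tlv
    msg = struct.pack("!HH", MSG_HELLO, len(body))
    ldp_id = ipaddress.IPv4Address(lsr_id).packed + b"\x00\x00"   # label space 0 = platform-wide
    pdu_body = ldp_id + msg + body
    return struct.pack("!HH", 1, len(pdu_body)) + pdu_body


def parse_hello(pdu):
    """Decode a Hello PDU, checking every length field against the bytes actually received."""
    if len(pdu) < 26:
        raise ValueError("PDU too short for a Hello")
    version, pdu_len = struct.unpack("!HH", pdu[:4])
    if version != 1 or pdu_len != len(pdu) - 4:
        raise ValueError("bad LDP version or PDU length")
    lsr_id = str(ipaddress.IPv4Address(pdu[4:8]))
    (label_space,) = struct.unpack("!H", pdu[8:10])
    mtype, mlen = struct.unpack("!HH", pdu[10:14])
    if mtype & 0x7FFF != MSG_HELLO or mlen != len(pdu) - 14:   # high bit is the U flag
        raise ValueError("not a well-formed Hello message")
    ttype, tlen, hold_time, flags = struct.unpack("!HHHH", pdu[18:26])
    if ttype & 0x3FFF != TLV_COMMON_HELLO or tlen != 4:        # high bits are the U and F flags
        raise ValueError("Common Hello Parameters TLV missing")
    return {"lsr_id": lsr_id, "label_space": label_space,
            "hold_time": hold_time, "targeted": bool(flags & 0x8000)}


def session_role(local_addr, peer_addr):
    """After discovery, the LSR with the higher transport address opens the TCP
    connection to port 646 (active); the other only listens (passive)."""
    local, peer = ipaddress.IPv4Address(local_addr), ipaddress.IPv4Address(peer_addr)
    if local == peer:
        raise ValueError("transport addresses must differ")
    return "active" if local > peer else "passive"


def accept_hello(pdu, allowed_lsr_ids):
    """Hardening not on the slides: a Hello carries no authentication, so an LSR that
    answers every Hello will try to open a session with anything on the link. Only
    Hellos from operator-listed LSR IDs are returned; malformed or unknown ones are ignored."""
    try:
        hello = parse_hello(pdu)
    except ValueError:
        return None
    return hello if hello["lsr_id"] in allowed_lsr_ids else None
```

With the slide's addresses, session_role("1.0.0.2", "1.0.0.1") returns "active", which is why MPLS_B opens the TCP connection in the figure.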

Double Lookup Scenario


(Figure: an MPLS domain of four LSRs carrying packets for 10.1.1.1 toward 10.0.0.0/8. LDP advertisements flow upstream: the last LSR advertises 10.0.0.0/8 with L=19, the next with L=18, the next with L=17. First LSR: FIB 10/8 next-hop, label 17; LFIB 35 -> 17. Second: FIB 10/8 next-hop, 18; LFIB 17 -> 18. Third: FIB 10/8 next-hop, 19; LFIB 18 -> 19. Last LSR: FIB 10/8 next-hop; LFIB 19 -> untagged, followed by an IP lookup for 10.0.0.0/8.)

Double lookup is not an optimal way of forwarding labeled packets.

Double lookup is needed on the last LSR:
1. LFIB: remove the label.
2. FIB: forward the IP packet based on the IP next-hop address.

A label can be removed one hop earlier.

Penultimate Hop Popping


(Figure: the same MPLS domain. The last LSR now advertises 10.0.0.0/8 with L=pop. First LSR: FIB 10/8 next-hop, 17; LFIB 35 -> 17. Second: FIB 10/8 next-hop, 18; LFIB 17 -> 18. Third: FIB 10/8 next-hop; LFIB 18 -> pop. Last LSR: FIB 10/8 next-hop, no LFIB lookup needed.)

The pop or implicit null label is advertised.
One single lookup.
A label is removed on the router before the last hop within an MPLS domain.

Penultimate Hop Popping

Penultimate hop popping optimizes MPLS performance (one less LFIB lookup). PHP does not work on ATM (VPI/VCI cannot be removed).

The pop or implicit null label uses value 3 when being advertised to a neighbor.
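Added example (not from the Cisco deck) that ties together the packet-mode allocation slides (independent allocation, unsolicited advertisement to every neighbor, LIB/LFIB/FIB population, the interim "pop" state, liberal retention and convergence after a link failure or recovery) and the penultimate hop popping slides above. It is a Python model of the A-B-C-D-E topology with network X behind D; label values 25, 47 and 75 are the slides', label 18 for A and the implicit-null-based PHP at D are this example's additions, and the class and function names are its own.

```python
IMPLICIT_NULL = 3  # reserved "pop" label; advertised by the egress LSR so its neighbour does PHP


class LSR:
    def __init__(self, name, routes, first_label, connected=()):
        self.name = name
        self.routes = dict(routes)        # prefix -> IP next hop (from the IGP)
        self.connected = set(connected)   # prefixes this LSR is the egress for
        self.neighbors = {}               # name -> LSR (IGP/LDP adjacencies)
        self.local = {}                   # prefix -> label allocated locally
        self.lib = {}                     # prefix -> {advertising LSR: its label}
        self.fib = {}                     # prefix -> (next hop, out label or None)
        self.lfib = {}                    # in label -> (next hop, out label or None)
        self._next_label = first_label    # values 0-15 are reserved

    def allocate(self, prefix):
        """Independent control: bind a label without waiting for the next hop,
        then advertise it unsolicited to every neighbour, upstream or downstream."""
        if prefix in self.connected:
            self.local[prefix] = IMPLICIT_NULL   # egress: ask the upstream LSR to pop
        else:
            self.local[prefix] = self._next_label
            self._next_label += 1
        for nb in self.neighbors.values():
            nb.lib.setdefault(prefix, {})[self.name] = self.local[prefix]

    def rebuild(self):
        """Rebuild FIB and LFIB from the routing table and the LIB. Liberal retention
        keeps every neighbour's binding, so a new next hop's label is already here."""
        self.fib, self.lfib = {}, {}
        for prefix, nh in self.routes.items():
            out = self.lib.get(prefix, {}).get(nh)
            if out == IMPLICIT_NULL:
                out = None                       # PHP: send the packet unlabelled
            self.fib[prefix] = (nh, out)         # out None = "untagged"
            local = self.local.get(prefix)
            if local is not None and local != IMPLICIT_NULL:
                self.lfib[local] = (nh, out)     # out None = "pop"


def build_network():
    """Constructed topology from the slides: A-B-C-D with network X behind D,
    and E attached to B and C. Labels 25, 47, 75 are the slides'; 18 and 90 are made up."""
    net = {
        "A": LSR("A", {"X": "B"}, 18),
        "B": LSR("B", {"X": "C"}, 25),
        "C": LSR("C", {"X": "D"}, 47),
        "D": LSR("D", {"X": "X"}, 90, connected={"X"}),
        "E": LSR("E", {"X": "C"}, 75),
    }
    for a, b in [("A", "B"), ("B", "C"), ("C", "D"), ("B", "E"), ("E", "C")]:
        net[a].neighbors[b], net[b].neighbors[a] = net[b], net[a]
    for lsr in net.values():      # allocations are asynchronous and independent
        lsr.allocate("X")
    for lsr in net.values():
        lsr.rebuild()
    return net


def forward(net, ingress, prefix):
    """Trace one packet as (LSR, label it sends toward the next hop); None = unlabelled."""
    node = net[ingress]
    nh, label = node.fib[prefix]
    trace = [(node.name, label)]
    while nh in net:
        node = net[nh]
        if label is None:                       # unlabelled: plain IP lookup
            nh, label = node.fib[prefix]
        elif label in node.lfib:
            nh, label = node.lfib[label]
        else:
            raise LookupError(f"{node.name}: no LFIB entry for label {label}, dropped")
        trace.append((node.name, label))
    return trace


def converge(net, lsr, new_next_hop, prefix="X"):
    """IGP convergence on one LSR; MPLS follows immediately from the LIB."""
    net[lsr].routes[prefix] = new_next_hop
    net[lsr].rebuild()


def lose_ldp_neighbor(net, lsr, peer, prefix="X"):
    """The LDP session to `peer` is lost: its bindings leave the LIB. Until LDP
    re-advertises after link recovery, the FIB/LFIB can only send unlabelled."""
    net[lsr].lib.get(prefix, {}).pop(peer, None)
```

Running forward(net, "A", "X") on the freshly built network gives A:25, B:47, C:pop, D:IP, i.e. the steady state of the slides with C doing the penultimate hop pop. After converge(net, "B", "E") the trace switches to B:75 at once because E's binding was already in B's LIB; after lose_ldp_neighbor(net, "B", "C") followed by an IGP move back to C, B can only send untagged, which is the intermittent gap the "MPLS Convergence After a Link Recovery" slide warns about.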

LDP Messages

Discovery messages
- Used to discover and maintain the presence of new peers
- Hello packets (UDP) sent to the all-routers multicast address
- Once a neighbor is discovered, the LDP session is established over TCP

LDP Messages

Session messages
- Establish, maintain and terminate LDP sessions

Advertisement messages
- Create, modify, delete label mappings

Notification messages
- Error signalling

Agenda

Introduction to MPLS

LDP
MPLS VPN

Monitoring MPLS


What Is a VPN?
A VPN is a set of sites which are allowed to communicate with each other.
A VPN is defined by a set of administrative policies:
- Policies determine both connectivity and QoS among sites
- Policies are established by VPN customers
- Policies could be implemented completely by VPN service providers, using BGP/MPLS VPN mechanisms

What Is a VPN? (Cont.)


Flexible inter-site connectivity, ranging from complete to partial mesh
Sites may be either within the same or in different organizations: a VPN can be either intranet or extranet
A site may be in more than one VPN: VPNs may overlap
Not all sites have to be connected to the same service provider: a VPN can span multiple providers

IP VPN Taxonomy
(Figure, taxonomy tree:)
IP VPNs
- Dial: client-initiated; NAS-initiated
- Dedicated
  - IP tunnel: security appliance; router
  - Virtual circuit: FR; ATM
  - Network-based VPNs: RFC 2547; virtual router

MPLS-VPN Terminology
Provider Network (P-Network)
- The backbone under control of a Service Provider

Customer Network (C-Network)
- Network under customer control

CE router
- Customer Edge router. Part of the C-network and interfaces to a PE router

MPLS-VPN Terminology
Site
- Set of (sub)networks, part of the C-network and colocated
- A site is connected to the VPN backbone through one or more PE/CE links

PE router
- Provider Edge router. Part of the P-Network and interfaces to CE routers

P router
- Provider (core) router, without knowledge of VPN

MPLS-VPN Terminology
Route-Target
- 64 bits identifying the routers that should receive the route

Route Distinguisher
- 64-bit attribute of each route, used to uniquely identify prefixes among VPNs
- VRF based (not VPN based)

VPN-IPv4 addresses
- Address including the 64-bit Route Distinguisher and the 32-bit IP address

MPLS-VPN Terminology
VRF
- VPN Routing and Forwarding Instance: routing table and FIB table
- Populated by routing protocol contexts

VPN-Aware network
- A provider backbone where MPLS-VPN is deployed

MPLS VPN Connection Model


A VPN is a collection of sites sharing common routing information (routing table)
A site can be part of different VPNs
A VPN has to be seen as a community of interest (or Closed User Group)
Multiple Routing/Forwarding instances (VRFs) on PE routers

MPLS VPN Connection Model


(Figure: Site-1 to Site-4 spread over VPN-A, VPN-B and VPN-C, with some sites belonging to more than one VPN.)

A site belonging to different VPNs may or MAY NOT be used as a transit point between VPNs

If two or more VPNs have a common site, address space must be unique among these VPNs

MPLS VPN Connection Model


The VPN backbone is composed of MPLS LSRs:
- PE routers (edge LSRs)
- P routers (core LSRs)
PE routers face CE routers and distribute VPN information through MP-BGP to other PE routers: VPN-IPv4 addresses, Extended Community, Label

P routers do not run BGP and do not have any VPN knowledge

MPLS VPN Connection Model


(Figure: an MPLS cloud of P routers with PE routers at the edge, the PEs fully meshed with iBGP sessions. CE routers attach to the PEs: VPN_A sites with prefixes 10.1.0.0, 10.2.0.0, 11.5.0.0 and 11.6.0.0; VPN_B sites with prefixes 10.1.0.0, 10.2.0.0 and 10.3.0.0. The same prefixes appear in both VPNs.)

P routers (LSRs) are in the core of the MPLS cloud
PE routers use MPLS with the core and plain IP with CE routers
P and PE routers share a common IGP
PE routers are MP-iBGP fully meshed

MPLS VPN Connection Model


(Figure: CE at Site-1 -- PE -- CE at Site-2; the PE/CE links run EBGP, OSPF, RIPv2 or static routing.)

PE and CE routers exchange routing information through: EBGP, OSPF, RIPv2, static routing
CE routers run standard routing software

MPLS VPN Connection Model


(Figure: CE at Site-1 and CE at Site-2 attached to a PE with EBGP, OSPF, RIPv2 or static; the PE runs the VPN backbone IGP (OSPF, ISIS) toward the core.)

PE routers maintain separate routing tables:
- The global routing table, with all PE and P routes, populated by the VPN backbone IGP (ISIS or OSPF)
- VRF (VPN Routing and Forwarding): routing and forwarding table associated with one or more directly connected sites (CEs)

VRFs are associated to (sub/virtual/tunnel) interfaces
Interfaces may share the same VRF if the connected sites may share the same routing information

MPLS VPN Connection Model


(Figure: CE at Site-1 and CE at Site-2 attached to a PE with EBGP, OSPF, RIPv2 or static; the PE runs the VPN backbone IGP toward the core.)

The routes the PE receives from CE routers are installed in the appropriate VRF
The routes the PE receives through the backbone IGP are installed in the global routing table
By using separate VRFs, addresses need NOT be unique among VPNs

MPLS VPN Connection Model


The global routing table is populated by IGP protocols. In PE routers it may contain the BGP Internet routes (standard BGP-4 routes).

BGP-4 (IPv4) routes go into the global routing table
MP-BGP (VPN-IPv4) routes go into VRFs

MPLS VPN Connection Model


(Figure: two PEs, each behind a P router, connected by the VPN backbone IGP and an iBGP session between the PEs.)

PE and P routers share a common IGP (ISIS or OSPF)
PEs establish MP-iBGP sessions between them
PEs use MP-BGP to exchange routing information related to the connected sites and VPNs: VPN-IPv4 addresses, Extended Community, Label

MPLS VPN Connection Model


(Figure: CE-1 at Site-1 sends PE-1 a BGP or RIPv2 update for Net1 with NextHop = CE-1. PE-1 sends PE-2, across the VPN backbone IGP, the VPN-IPv4 update: RD:Net1, Next-hop = PE1, SOO = Site1, RT = Green, Label = (intCE1). PE-2 translates the VPN-IPv4 update back into the IPv4 address Net1, puts it into VRF green since RT = Green, and advertises it to CE-2 at Site-2.)

PE routers receive IPv4 updates (EBGP, RIPv2, Static)
PE routers translate them into VPN-IPv4:
- Assign a SOO and RT based on configuration
- Re-write the Next-Hop attribute
- Assign a label based on VRF and/or interface
- Send an MP-iBGP update to all PE neighbors

MPLS VPN Connection Model


(Figure: as on the previous slide; the update from CE-1 may arrive via BGP, OSPF or RIPv2, and PE-2 installs Net1 in VRF green because RT = Green.)

Receiving PEs translate to IPv4
They insert the route into the VRF identified by the RT attribute (based on PE configuration)
The label associated to the VPN-IPv4 address will be set on packets forwarded towards the destination

MPLS VPN Connection Model


Route distribution to sites is driven by the Site of Origin (SOO) and Route-target attributes (BGP Extended Community attribute)

A route is installed in the site VRF corresponding to the Route-target attribute
- Driven by PE configuration
- A PE which connects sites belonging to multiple VPNs will install the route into the site VRF if the Route-target attribute contains one or more VPNs to which the site is associated

MPLS VPN Connection Model MP-BGP Update


VPN-IPv4 address:
- Route Distinguisher (64 bits): makes the IPv4 route globally unique. The RD is configured in the PE for each VRF and may or may not be related to a site or a VPN
- IPv4 address (32 bits)

Extended Community attribute (64 bits):
- Site of Origin (SOO): identifies the originating site
- Route-target (RT): identifies the set of sites the route has to be advertised to

MPLS VPN Connection Model MP-BGP Update


Any other standard BGP attribute: Local Preference, MED, Next-hop, AS_PATH, Standard Community, ...

A Label identifying:
- The outgoing interface
- The VRF where a lookup has to be done

The BGP label will be the second label in the label stack of packets travelling in the core

MPLS VPN Connection Model MP-BGP Update - Extended community

BGP extended community attribute
- Structured, to support multiple applications
- 64 bits for increased range

General form:
<16-bit type>:<ASN>:<32-bit number>          (registered AS number)
<16-bit type>:<IP address>:<16-bit number>   (registered IP address)
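Added example (not from the Cisco deck) for the Route Distinguisher, Extended Community and RT-driven VRF import slides above: Python encoders for the 8-byte RD (RFC 4364 types 0, 1 and 2), the Route-Target and Site-of-Origin extended communities (RFC 4360 type/subtype octets), the VPN-IPv4 NLRI as carried in an MP-BGP update, and the import rule "install in every VRF whose import RT set overlaps the route's RTs". The VRF names, AS number 100 and the 10.1.0.0/16 prefix are constructed for the example; the class and function names are its own.

```python
import ipaddress
import struct

# BGP extended community type octets (RFC 4360) as used by MPLS VPNs: transitive
# two-octet-AS, IPv4-address and four-octet-AS specific, with RT and SOO subtypes.
EXT_AS2, EXT_IPV4, EXT_AS4 = 0x00, 0x01, 0x02
SUB_ROUTE_TARGET, SUB_ROUTE_ORIGIN = 0x02, 0x03


def _split(text):
    """'ASN:number' or 'A.B.C.D:number' -> (admin field, number, kind)."""
    admin, num = text.rsplit(":", 1)
    if "." in admin:
        return ipaddress.IPv4Address(admin).packed, int(num), "ip"
    asn = int(admin)
    return asn, int(num), "as2" if asn < 0x10000 else "as4"


def encode_rd(text):
    """8-byte Route Distinguisher (RFC 4364): type 0 = 2-byte ASN:4-byte number,
    type 1 = IPv4:2-byte number, type 2 = 4-byte ASN:2-byte number."""
    admin, num, kind = _split(text)
    if kind == "ip":
        return struct.pack("!H4sH", 1, admin, num)
    if kind == "as2":
        return struct.pack("!HHI", 0, admin, num)
    return struct.pack("!HIH", 2, admin, num)


def decode_rd(raw):
    (rd_type,) = struct.unpack("!H", raw[:2])
    if rd_type == 0:
        asn, num = struct.unpack("!HI", raw[2:])
        return f"{asn}:{num}"
    if rd_type == 1:
        addr, num = struct.unpack("!4sH", raw[2:])
        return f"{ipaddress.IPv4Address(addr)}:{num}"
    if rd_type == 2:
        asn, num = struct.unpack("!IH", raw[2:])
        return f"{asn}:{num}"
    raise ValueError(f"unknown RD type {rd_type}")


def encode_extcomm(subtype, text):
    """Route-Target (subtype 2) or Site-of-Origin (subtype 3) extended community."""
    admin, num, kind = _split(text)
    if kind == "ip":
        return struct.pack("!BB4sH", EXT_IPV4, subtype, admin, num)
    if kind == "as2":
        return struct.pack("!BBHI", EXT_AS2, subtype, admin, num)
    return struct.pack("!BBIH", EXT_AS4, subtype, admin, num)


def vpnv4_nlri(rd_text, prefix, label):
    """MP-BGP VPN-IPv4 NLRI: length in bits (1 byte) | label (3 bytes, S bit set) | RD (8) | prefix."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    label_field = ((label << 4) | 1).to_bytes(3, "big")
    return (bytes([24 + 64 + net.prefixlen]) + label_field + encode_rd(rd_text)
            + net.network_address.packed[:nbytes])


class VRF:
    def __init__(self, name, rd, import_rts, export_rts):
        self.name, self.rd = name, rd
        self.import_rts = {encode_extcomm(SUB_ROUTE_TARGET, rt) for rt in import_rts}
        self.export_rts = [encode_extcomm(SUB_ROUTE_TARGET, rt) for rt in export_rts]
        self.routes = {}   # prefix -> (BGP next hop PE, VPN label)


def export_route(vrf, prefix, next_hop_pe, label, soo=None):
    """What a PE announces over MP-iBGP for a VRF route: RD-qualified prefix, itself as
    next hop, the label it allocated, the VRF's export RTs and optionally an SOO."""
    comms = list(vrf.export_rts)
    if soo:
        comms.append(encode_extcomm(SUB_ROUTE_ORIGIN, soo))
    return {"rd": vrf.rd, "prefix": prefix, "next_hop": next_hop_pe, "label": label,
            "ext_communities": comms, "nlri": vpnv4_nlri(vrf.rd, prefix, label)}


def import_route(vrfs, route):
    """Install a received route in every VRF whose import RT set intersects the
    route's RTs. The RD plays no part here: it only keeps identical customer
    prefixes apart inside BGP. An SOO with the same numbers is a different
    community (subtype 3) and never satisfies an RT import."""
    rts = set(route["ext_communities"])
    installed = []
    for vrf in vrfs:
        if rts & vrf.import_rts:
            vrf.routes[route["prefix"]] = (route["next_hop"], route["label"])
            installed.append(vrf.name)
    return installed
```

The byte-level comparison in import_route is the point to check on a real PE configuration: an import policy that matches on the number alone would also match SOO communities, whereas the subtype octet keeps RT 100:1 and SOO 100:1 distinct.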

MPLS VPN Connection Model MP-BGP Update - Extended community

The Extended Community is used to:
- Identify one or more routers where the route has been originated (site): Site of Origin (SOO)
- Select the sites which should receive the route: Route-Target

MPLS VPN Connection Model MP-BGP Update


The Label can be assigned only by the router whose address is the Next-Hop attribute

PE routers re-write the Next-Hop with their own address (loopback interface address)
- Next-Hop-Self BGP command towards iBGP neighbors
- Loopback addresses are advertised into the backbone IGP
- PE addresses used as BGP Next-Hop must be uniquely known in the backbone IGP: no summarisation of loopback addresses in the core

MPLS Forwarding: Packet forwarding

PE and P routers have BGP next-hop reachability through the backbone IGP
Labels are distributed through LDP (hop-by-hop) corresponding to BGP Next-Hops

A label stack is used for packet forwarding:
- Top label indicates the BGP Next-Hop (interior label)
- Second level label indicates the outgoing interface or VRF (exterior label)

MPLS Forwarding: Penultimate Hop Popping

[Figure: CE1 - PE1 - P1 - P2 - PE2 - CE2/CE3. The IP packet from CE1 is carried as "IGP Label(PE2) | VPN Label | IP packet" between PE1 and P2, as "VPN Label | IP packet" between P2 and PE2, and as a plain IP packet beyond PE2.]

PE1 receives IP packet
- Lookup is done on site VRF
- BGP route with Next-Hop and Label is found
- BGP next-hop (PE2) is reachable through IGP route with associated label
P routers switch the packets based on the IGP label (label on top of the stack)
Penultimate Hop Popping
- P2 is the penultimate hop for the BGP next-hop
- P2 removes the top label
- This has been requested through LDP by PE2
PE2 receives the packets with the label corresponding to the outgoing interface (VRF)
- One single lookup
- Label is popped and packet sent to IP neighbor


Packet Forwarding Example 1

[Figure: VPN_A and VPN_B sites (10.1.0.0, 10.2.0.0, 10.3.0.0, 11.5.0.0, 11.6.0.0) attached through CE routers to PE1, PE2 and other PEs across a P-router core; the packet leaving the ingress PE is shown as "T8 | T2 | Data". VPN-IPv4 routes learnt over iBGP, with next hop and label:
  <RD_B,10.1>, iBGP next hop PE1
  <RD_B,10.2>, iBGP next hop PE2, T2
  <RD_B,10.3>, iBGP next hop PE3, T3
  <RD_A,11.6>, iBGP next hop PE1, T4
  <RD_A,10.1>, iBGP next hop PE4, T5
  <RD_A,10.4>, iBGP next hop PE4, T6
  <RD_A,10.2>, iBGP next hop PE2, T7]

Ingress PE receives normal IP Packets from CE router
PE router does IP Longest Match in the VPN_B FIB, finds iBGP next hop PE2 and imposes a stack of labels: exterior Label T2 + Interior Label T8

Packet Forwarding Example 1 (cont.)

[Figure: same topology; the label stack is shown as "T8 | T2 | Data" leaving PE1, with the interior label swapped by each P router (e.g. "TA | T2 | Data", "TB | T2 | Data"), as "T2 | Data" at the egress PE and as plain "Data" towards the CE. A P-router in/out label table is shown beside the core.]

All subsequent P routers switch the packet solely on the Interior Label
Egress PE router removes the Interior Label
Egress PE uses the Exterior Label to select which VPN/CE to forward the packet to
Exterior Label is removed and packet routed to CE router



Packet Forwarding Example 2

[Figure: PE router A with a VPN 12 link to host 130.130.10.1; PE router B with a VPN 12 link to host 130.130.11.3.]

In VPN 12, host 130.130.10.1 sends a packet with destination 130.130.11.3. Customer sites are attached to Provider Edge (PE) routers A & B.

Packet Forwarding Example 2 (cont.)

1. Packet arrives on VPN 12 link on PE router A.
2. PE router A selects the correct VPN forwarding table based on the link's VPN ID (12).

VPN 12 forwarding table on PE router A:

VPN-ID   VPN Site Address   VPN Site Label   Provider Edge Router Address   PE Label
12       130.130.10.0/24    26               172.68.1.11/32                 42
12       130.130.11.0/24    989              172.68.1.2/32                  101
...      ...                ...              ...                            ...


Packet Forwarding Example 2 (cont.)

[Figure: PE router A's VPN 12 forwarding table from the previous step (VPN-ID 12; 130.130.10.0/24, site label 26, PE 172.68.1.11/32, PE label 42; 130.130.11.0/24, site label 989, PE 172.68.1.2/32, PE label 101).]

3. PE router A matches the incoming packet's destination address with VPN 12's forwarding table.
4. PE router A adds two labels to the packet: one identifying the destination PE, and one identifying the destination VPN site.

Resulting packet: | 101 | 989 | 130.130.11.3 | Rest of IP packet |


Packet Forwarding Example 2 (cont.)

5. Packet is label-switched from PE router A to PE B based on the top label, using normal MPLS. The network core knows nothing about VPNs and sites: it only knows how to get packets from A to B using MPLS.

Packet Forwarding Example 2 (cont.)

[Figure: PE router B delivers the IP packet to the VPN 12 site that holds 130.130.11.3.]

6. PE router B identifies the correct site in VPN 12 from the inner label.
7. PE router B removes the labels and forwards the IP packet to the correct VPN 12 site.
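As an added worked example (not code from the Cisco deck), the Python below simulates the two-level label stack of this example together with the penultimate hop popping described on the "MPLS Forwarding: Penultimate Hop Popping" slide. The VPN 12 forwarding table on PE A (PE labels 42 and 101, site labels 26 and 989) is taken from the slides; the core routers P1 and P2, their LFIB contents (101 swapped to 57, then popped) and the site table on PE B are constructed assumptions.

```python
"""Label-stack walk-through of Packet Forwarding Example 2 with PHP.

Added illustration, not Cisco code. Ingress table values come from the
slide; P1/P2, their LFIBs and PE B's site table are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

POP = "pop"  # PHP: the penultimate hop removes the top label instead of swapping


@dataclass
class Packet:
    dst: str
    labels: List[int] = field(default_factory=list)  # labels[0] is the top of the stack


# PE A: VRF forwarding table keyed by (VPN ID of the ingress link, prefix);
# value = (PE label, VPN site label, destination PE address)  [from the slide]
VRF_FIB_A: Dict[Tuple[str, str], Tuple[int, int, str]] = {
    ("12", "130.130.10.0/24"): (42, 26, "172.68.1.11/32"),
    ("12", "130.130.11.0/24"): (101, 989, "172.68.1.2/32"),
}

# Core LFIBs (constructed): incoming top label -> outgoing label, or POP
LFIB: Dict[str, Dict[int, object]] = {
    "P1": {101: 57},
    "P2": {57: POP},  # P2 is the penultimate hop for PE B and pops the IGP label
}

# PE B (constructed): inner label -> (VPN ID, site prefix) it was allocated for
VRF_LABEL_B: Dict[int, Tuple[str, str]] = {989: ("12", "130.130.11.0/24")}


def ingress_pe_a(vpn_id: str, dst: str) -> Optional[Packet]:
    """Steps 1-4: pick the VRF from the link's VPN ID, longest-match the
    destination in that VRF only, and push {PE label, site label}."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for (vid, prefix), (pe_label, site_label, _pe) in VRF_FIB_A.items():
        net = ipaddress.ip_network(prefix)
        if vid != vpn_id or dst_ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, pe_label, site_label)
    if best is None:
        # No route in this VRF: drop. Never fall back to another VRF or to the
        # global table, which is what keeps VPNs isolated at the ingress PE.
        return None
    _, pe_label, site_label = best
    return Packet(dst, [pe_label, site_label])


def core_switch(router: str, pkt: Packet) -> Packet:
    """Step 5: P routers act on the top label only; the VPN label and the IP
    header are never examined in the core."""
    action = LFIB[router].get(pkt.labels[0])
    if action is None:
        raise ValueError(f"{router}: no LFIB entry for label {pkt.labels[0]}")
    if action == POP:
        pkt.labels.pop(0)
    else:
        pkt.labels[0] = action
    return pkt


def egress_pe_b(pkt: Packet) -> Tuple[str, str]:
    """Steps 6-7: after PHP only the VPN label is left; it selects the site in
    a single lookup, is popped, and the IP packet is delivered."""
    if len(pkt.labels) != 1:
        raise ValueError(f"PE B expected exactly one label, got {pkt.labels}")
    site = VRF_LABEL_B.get(pkt.labels[0])
    if site is None:
        raise ValueError(f"PE B: unknown VPN label {pkt.labels[0]}")
    pkt.labels.pop(0)
    return site


def forward_example2(dst: str = "130.130.11.3") -> List[Tuple[str, List[int]]]:
    """Carry a packet from the VPN 12 link on PE A to the site behind PE B and
    return the label stack seen at each hop."""
    pkt = ingress_pe_a("12", dst)
    if pkt is None:
        return []
    trace = [("PE A", list(pkt.labels))]
    for router in ("P1", "P2"):
        core_switch(router, pkt)
        trace.append((router, list(pkt.labels)))
    vpn_id, site = egress_pe_b(pkt)
    trace.append((f"PE B -> VPN {vpn_id} site {site}", list(pkt.labels)))
    return trace


if __name__ == "__main__":
    for hop, stack in forward_example2():
        print(f"{hop:40s} label stack: {stack}")
```

Two properties of the scheme are visible in the trace: the core only ever touches the top label, so a P router cannot tell (and does not need to know) which VPN a packet belongs to, and a destination that is absent from the ingress VRF is dropped rather than looked up elsewhere.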

MPLS VPN mechanisms: VRF and Multiple Routing Instances

VRF: VPN Routing and Forwarding Instance
- VRF Routing Protocol Context
- VRF Routing Tables
- VRF CEF Forwarding Tables


MPLS VPN mechanisms: VRF and Multiple Routing Instances

VRF Routing table contains routes which should be available to a particular set of sites
- Analogous to standard IOS routing table, supports the same set of mechanisms
Interfaces (sites) are assigned to VRFs
- One VRF per interface (sub-interface, tunnel or virtual-template)
- Possibly many interfaces per VRF


MPLS VPN mechanisms: VRF and Multiple Routing Instances

[Figure: routing processes (BGP, RIP, Static) -> routing contexts -> VRF routing tables -> VRF forwarding tables -> interfaces.]

Routing processes run within specific routing contexts
Routing contexts populate specific VPN routing tables and FIBs (VRF)
Interfaces are assigned to VRFs


MPLS VPN mechanisms: VRF and Multiple Routing Instances

[Figure, logical view: four sites (Site-1 to Site-4) and three VPNs (VPN-A, VPN-B, VPN-C) spanning overlapping sets of those sites; the two PE routers exchange routes over multihop MP-iBGP across the P core.]
[Figure, routing view:
  VRF for site-1: Site-1 routes, Site-2 routes
  VRF for site-2: Site-1 routes, Site-2 routes, Site-3 routes
  VRF for site-3: Site-2 routes, Site-3 routes, Site-4 routes
  VRF for site-4: Site-3 routes, Site-4 routes]


MPLS VPN Topologies

[Figure: VPN_A and VPN_B sites (10.1.0.0, 10.2.0.0, 10.3.0.0, 11.5.0.0, 11.6.0.0) attached through CE routers to PE routers; iBGP sessions between the PEs across the P core.]

VPN-IPv4 addresses are propagated together with the associated label in the BGP Multiprotocol extension
An Extended Community attribute (route-target) is associated to each VPN-IPv4 address, to populate the site VRF


MPLS VPN Topologies: VPN sites with optimal intra-VPN routing

Each site has full routing knowledge of all other sites (of same VPN)
- Each CE announces its own address space
- MP-BGP VPN-IPv4 updates are propagated between PEs
Routing is optimal in the backbone
- Each route has the BGP Next-Hop closest to the destination
- No site is used as central point for connectivity

MPLS VPN Topologies: VPN sites with optimal intra-VPN routing

[Figure: three sites. Site-1 (network N1, CE1, PE1, label IntCE1), Site-2 (N2, CE2, PE2, IntCE2) and Site-3 (N3, CE3, PE3, IntCE3). Each CE announces its network to its PE over EBGP/RIP/Static (N1 NH=CE1, N2 NH=CE2, N3 NH=CE3).

VPN-IPv4 updates exchanged between PEs:
  RD:N1, NH=PE1, Label=IntCE1, RT=Blue
  RD:N2, NH=PE2, Label=IntCE2, RT=Blue
  RD:N3, NH=PE3, Label=IntCE3, RT=Blue

VRF for site-1: N1 NH=CE1; N2 NH=PE2; N3 NH=PE3
VRF for site-2: N1 NH=PE1; N2 NH=CE2; N3 NH=PE3
VRF for site-3: N1 NH=PE1; N2 NH=PE2; N3 NH=CE3

Routing Table on CE1: N1 Local; N2 via PE1; N3 via PE1
Routing Table on CE2: N1 via PE2; N2 Local; N3 via PE2
Routing Table on CE3: N1 via PE3; N2 via PE3; N3 Local]

MPLS VPN Topologies: VPN sites with Hub & Spoke routing

One central site has full routing knowledge of all other sites (of same VPN): the Hub-Site
Other sites will send traffic to the Hub-Site for any destination: the Spoke-Sites
Hub-Site is the central transit point between Spoke-Sites
Use of central services at Hub-Site

MPLS VPN Topologies: VPN sites with Hub & Spoke routing

[Figure: Site-1 (N1, CE1 on PE1) and Site-2 (N2, CE2 on PE2) are spokes; Site-3 (N3) is the hub, attached to PE3 over two (sub)interfaces, CE3-Hub and CE3-Spoke, each running BGP/RIPv2.

VPN-IPv4 update advertised by PE1: RD:N1, NH=PE1, Label=IntCE1, RT=Hub
VPN-IPv4 update advertised by PE2: RD:N2, NH=PE2, Label=IntCE2, RT=Hub
VPN-IPv4 updates advertised by PE3:
  RD:N1, NH=PE3, Label=IntCE3-Spoke, RT=Spoke
  RD:N2, NH=PE3, Label=IntCE3-Spoke, RT=Spoke
  RD:N3, NH=PE3, Label=IntCE3-Spoke, RT=Spoke

IntCE1 VRF (Import RT=Spoke, Export RT=Hub): N1 NH=CE1 (exported); N2 NH=PE3 (imported); N3 NH=PE3 (imported)
IntCE2 VRF (Import RT=Spoke, Export RT=Hub): N1 NH=PE3 (imported); N2 NH=CE2 (exported); N3 NH=PE3 (imported)
IntCE3-Hub VRF (Import RT=Hub): N1 NH=PE1; N2 NH=PE2
IntCE3-Spoke VRF (Export RT=Spoke): N1 NH=CE3-Spoke; N2 NH=CE3-Spoke; N3 NH=CE3-Spoke]

Routes are imported/exported into VRFs based on the RT value of the VPN-IPv4 updates
PE3 uses 2 (sub)interfaces with two different VRFs



MPLS VPN Topologies: VPN sites with Hub & Spoke routing

[Figure: same hub-and-spoke layout as the previous slide. Spoke VRFs IntCE1 and IntCE2 import RT=Spoke and export RT=Hub; on PE3 the IntCE3-Hub VRF imports RT=Hub (N1 NH=PE1, N2 NH=PE2) and the IntCE3-Spoke VRF exports RT=Spoke (N1, N2, N3 all NH=CE3-Spoke).]

Traffic from one spoke to another will travel across the hub site
Hub site may host central services: Security, NAT, centralised Internet access

MPLS VPN Internet Routing

In a VPN, sites may need to have Internet connectivity
Connectivity to the Internet means:
- Being able to reach Internet destinations
- Being able to be reachable from any Internet source
The Internet routing table is treated separately
- In the VPN backbone the Internet routes are in the Global routing table of PE routers
- Labels are not assigned to external (BGP) routes

MPLS VPN Internet routing: VRF specific default route

A default route is installed into the site VRF, pointing to an Internet Gateway
- The default route is NOT part of any VPN
A single label is used for packets forwarded according to the default route
- The label is the IGP label corresponding to the IP address of the Internet gateway
- Known in the IGP


MPLS VPN Internet routing: VRF specific default route

PE router originates CE routes for the Internet
- Customer (site) routes are known in the site VRF, not in the global table
- The PE/CE interface is NOT known in the global table
However:
- A static route for the customer routes, pointing to the PE/CE interface, is installed in the global table
- This static route is redistributed into the BGP-4 global table and advertised to the Internet Gateway
- The Internet gateway knows the customer routes with the PE address as next-hop

MPLS VPN Internet routing: VRF specific default route

The Internet Gateway specified in the default route (in the VRF) need NOT be directly connected
Different Internet gateways can be used for different VRFs
Using a default route for Internet routing does NOT allow any other default route for intra-VPN routing
- As in any other routing scheme


MPLS VPN Internet routing: VRF specific default route

[Figure: a PE (192.168.1.2) with Site-1 attached on Serial0 and Site-2 behind another PE; MP-BGP between the PEs and BGP-4 to the Internet gateway PE-IG (192.168.1.1). Site-1 network 171.68.0.0/16.]

Configuration on the PE (the `ip vrf forwarding` command is applied before the address, since applying it clears any address already on the interface; `neighbor 192.168.1.2 remote-as 100` is added because the vpnv4 address-family activates that neighbor):

ip vrf VPN-A
 rd 100:1
 route-target both 100:1
!
interface Serial0
 ip vrf forwarding VPN-A
 ip address 192.168.10.1 255.255.255.0
!
router bgp 100
 no bgp default ipv4-unicast
 network 171.68.0.0 mask 255.255.0.0
 neighbor 192.168.1.1 remote-as 100
 neighbor 192.168.1.1 activate
 neighbor 192.168.1.1 next-hop-self
 neighbor 192.168.1.1 update-source loopback0
 neighbor 192.168.1.2 remote-as 100
 !
 address-family ipv4 vrf VPN-A
  neighbor 192.168.10.2 remote-as 65502
  neighbor 192.168.10.2 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 192.168.1.2 activate
 exit-address-family
!
ip route 171.68.0.0 255.255.0.0 Serial0
ip route vrf VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 global


MPLS VPN Internet routing: VRF specific default route

[Figure: an IP packet with destination cisco.com leaves Site-1 over the Serial0 PE/CE link, is forwarded by the PE with the single label 3 (the IGP label of PE-IG, 192.168.1.1), and leaves PE-IG towards the Internet unlabelled.

PE Global Table and LFIB:
  192.168.1.1/32  Label=3
  192.168.1.2/32  Label=5
  ...
Site VRF:
  0.0.0.0/0  192.168.1.1 (global)
  Site-1 routes
  Site-2 routes]


MPLS VPN Internet routing: VRF specific default route

PE routers need not hold the Internet table
PE routers will use BGP-4 sessions to originate customer routes
Packet forwarding is done with a single label identifying the Internet Gateway IP address
- More labels if Traffic Engineering is used


MPLS VPN Internet Routing: Separated (sub)interfaces

If the CE wishes to receive and announce routes from/to the Internet:
- A dedicated BGP session is used over a separate (sub)interface
- The PE imports CE routes into the global routing table and advertises them to the Internet
- The interface is not part of any VPN and does not use any VRF
- Default route or Internet routes are exported to the CE
- PE needs to have the Internet routing table


MPLS VPN Internet Routing: Separated (sub)interfaces

The PE uses separate (sub)interfaces with the CE
One (sub)interface for VPN routing
- Associated to a VRF
- Can be a tunnel interface
One (sub)interface for Internet routing
- Associated to the global routing table


MPLS VPN Internet Routing: Separated (sub)interfaces

[Figure: a PE with Site-1 attached over Serial0.1 (VPN) and Serial0.2 (Internet, BGP-4 to the CE); MP-BGP to the other PE (192.168.1.2) and BGP-4 to the Internet gateway PE-IG (192.168.1.1). Site-1 network 171.68.0.0/16.]

Configuration on the PE (`ip vrf forwarding` precedes the address on Serial0.1; `neighbor 192.168.1.2 remote-as 100` and `neighbor 171.68.10.2 activate` are added so that the vpnv4 session and the global IPv4 session with the CE are actually established under `no bgp default ipv4-unicast`):

ip vrf VPN-A
 rd 100:1
 route-target both 100:1
!
interface Serial0
 no ip address
!
interface Serial0.1
 ip vrf forwarding VPN-A
 ip address 192.168.10.1 255.255.255.0
!
interface Serial0.2
 ip address 171.68.10.1 255.255.255.0
!
router bgp 100
 no bgp default ipv4-unicast
 neighbor 192.168.1.1 remote-as 100
 neighbor 192.168.1.1 activate
 neighbor 192.168.1.1 next-hop-self
 neighbor 192.168.1.1 update-source loopback0
 neighbor 192.168.1.2 remote-as 100
 neighbor 171.68.10.2 remote-as 502
 neighbor 171.68.10.2 activate
 !
 address-family ipv4 vrf VPN-A
  neighbor 192.168.10.2 remote-as 502
  neighbor 192.168.10.2 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 192.168.1.2 activate
 exit-address-family

MPLS VPN Internet Routing: Separated (sub)interfaces

[Figure: the CE reaches Site-2 over Serial0.1 (VRF) and the Internet over Serial0.2 (global). An IP packet for cisco.com leaves Site-1 on Serial0.2, is forwarded by the PE from its global table with label 3 towards PE-IG (192.168.1.1), and reaches the Internet.

PE Global Table:
  Internet routes ---> 192.168.1.1, Label=3
CE routing table:
  Site-2 routes ----> Serial0.1
  Internet routes ---> Serial0.2]


Scaling

Existing BGP techniques can be used to scale the route distribution: route reflectors
Each edge router needs only the information for the VPNs it supports
- Directly connected VPNs
RRs are used to distribute VPN routing information


MPLS-VPN Scaling: BGP Route Reflectors

[Figure: VPN_A and VPN_B sites (10.1.0.0, 10.2.0.0, 10.3.0.0, 11.5.0.0, 11.6.0.0) attached through CE routers to PE routers; two Route Reflectors (RR) in the P core, each PE peering with the RR(s) that serve its VPNs.]

Route Reflectors may be partitioned
- Each RR stores routes for a set of VPNs
- Thus, no BGP router needs to store ALL VPNs' information
- PEs will peer to RRs according to the VPNs they directly connect

MPLS-VPN Scaling: BGP updates filtering

iBGP full mesh between PEs results in flooding all VPNs' routes to all PEs
- Scaling problems with a large amount of routes
In addition, PEs need only routes for attached VRFs
Therefore each PE will discard any VPN-IPv4 route that hasn't a route-target configured to be imported in any of the attached VRFs
This reduces significantly the amount of information each PE has to store
- Volume of BGP table is equivalent to volume of attached VRFs (nothing more)


MPLS-VPN Scaling: BGP updates filtering

[Figure: a PE with VRFs for VPNs yellow (Import RT=yellow) and green (Import RT=green) receives over its MP-iBGP sessions:
  VPN-IPv4 update: RD:Net1, Next-hop=PEX, SOO=Site1, RT=Green, Label=XYZ  (accepted)
  VPN-IPv4 update: RD:Net1, Next-hop=PEX, SOO=Site1, RT=Red, Label=XYZ    (discarded)]

Each VRF has an import and export policy configured
- Policies use the route-target attribute (extended community)
PE receives MP-iBGP updates for VPN-IPv4 routes
- If the route-target is equal to any of the import values configured in the PE, the update is accepted
- Otherwise it is silently discarded

MPLS-VPN Scaling: Route Refresh

[Figure: a PE importing RT=yellow and RT=green, to which Import RT=red is added.
  1. PE doesn't have red routes (previously filtered out)
  2. PE issues a Route-Refresh to all neighbors in order to ask for retransmission
  3. Neighbors re-send their updates (RD:Net1, Next-hop=PEX, SOO=Site1, RT=Green, Label=XYZ and RD:Net1, Next-hop=PEX, SOO=Site1, RT=Red, Label=XYZ) and the red route-target is now accepted]

Policy may change in the PE if VRF modifications are done
- New VRFs, removal of VRFs
However, the PE may not have stored routing information which becomes useful after a change
PE requests a re-transmission of updates from its neighbors
- Route-Refresh

MPLS-VPN Scaling: Outbound Route Filters - ORF

[Figure: a PE importing RT=yellow and RT=green.
  1. PE doesn't need red routes
  2. PE issues an ORF message to all neighbors in order not to receive red routes
  3. Neighbors dynamically configure the outbound filter and send updates accordingly: RD:Net1, Next-hop=PEX, SOO=Site1, RT=Green, Label=XYZ is sent; RD:Net1, Next-hop=PEX, SOO=Site1, RT=Red, Label=XYZ is not]

PE router will discard updates with unused route-targets
Optimization requires these updates NOT to be sent
Outbound Route Filter (ORF) allows a router to tell its neighbors which filter to use prior to propagating BGP updates

MPLS VPN - Configuration

VPN knowledge is on PE routers
PE routers have to be configured for:
- VRF and Route Distinguisher
- VRF import/export policies (based on Route-target)
- Routing protocol used with CE routers
- MP-BGP with other PE routers
- BGP for Internet routers


MPLS VPN - Configuration: VRF and Route Distinguisher

RD is configured on PE routers (for each VRF)
- VRFs are associated to RDs in each PE
Common (good) practice is to use the same RD for the same VPN in all PEs
- But not mandatory
VRF configuration command:

ip vrf <vrf-symbolic-name>
 rd <route-distinguisher-value>
 route-target import <community>
 route-target export <community>


CLI - VRF configuration

[Figure: four sites (Site-1 to Site-4) in VPN-A, VPN-B and VPN-C; PE1 holds the VRFs for site-1 and site-2, PE2 the VRFs for site-3 and site-4; multihop MP-iBGP between PE1 and PE2 across the P core.]

PE1:

ip vrf site1
 rd 100:1
 route-target export 100:1
 route-target import 100:1
ip vrf site2
 rd 100:2
 route-target export 100:2
 route-target import 100:2
 route-target import 100:1
 route-target export 100:1

PE2:

ip vrf site3
 rd 100:3
 route-target export 100:2
 route-target import 100:2
 route-target import 100:3
 route-target export 100:3
ip vrf site-4
 rd 100:4
 route-target export 100:3
 route-target import 100:3

Resulting VRF contents:
VRF for site-1 (100:1): Site-1 routes, Site-2 routes
VRF for site-2 (100:2): Site-1 routes, Site-2 routes, Site-3 routes
VRF for site-3 (100:3): Site-2 routes, Site-3 routes, Site-4 routes
VRF for site-4 (100:4): Site-3 routes, Site-4 routes
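The route-target import/export sets are the only thing that keeps one VPN's routes out of another VRF, so it is worth checking a configuration like the one above before it is deployed. The Python below is an added example (not code from the Cisco deck): it parses the `ip vrf` stanzas of this slide, computes which VRFs will import routes exported by which other VRFs, filters incoming VPN-IPv4 updates the way the "BGP updates filtering" slide describes (accept when any import RT matches, otherwise discard), and flags any VRF that can see routes outside its intended set. The `INTENDED` map is taken from the "VRF for site-N" boxes; the mistyped variant at the end is constructed for the example.

```python
"""Route-target policy check over 'ip vrf' configuration.

Added example, not Cisco code. SLIDE_CONFIG is the VRF configuration of the
slide (PE1 and PE2 combined); INTENDED and the mistyped variant are constructed.
"""
import re
from typing import Dict, List, Set

SLIDE_CONFIG = """\
ip vrf site1
 rd 100:1
 route-target export 100:1
 route-target import 100:1
ip vrf site2
 rd 100:2
 route-target export 100:2
 route-target import 100:2
 route-target import 100:1
 route-target export 100:1
ip vrf site3
 rd 100:3
 route-target export 100:2
 route-target import 100:2
 route-target import 100:3
 route-target export 100:3
ip vrf site-4
 rd 100:4
 route-target export 100:3
 route-target import 100:3
"""

# Which VRFs each VRF is meant to see, per the "VRF for site-N" boxes on the slide.
INTENDED: Dict[str, Set[str]] = {
    "site1": {"site1", "site2"},
    "site2": {"site1", "site2", "site3"},
    "site3": {"site2", "site3", "site-4"},
    "site-4": {"site3", "site-4"},
}


def parse_vrfs(config: str) -> Dict[str, dict]:
    """Return {vrf: {'rd': str, 'import': set(RT), 'export': set(RT)}}."""
    vrfs: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip vrf (\S+)$", line)
        if m:
            current = vrfs.setdefault(m.group(1), {"rd": None, "import": set(), "export": set()})
            continue
        if current is None or not line:
            continue
        m = re.match(r"rd (\S+)$", line)
        if m:
            current["rd"] = m.group(1)
            continue
        m = re.match(r"route-target (import|export|both) (\S+)$", line)
        if m:
            kind, rt = m.groups()
            if kind in ("import", "both"):
                current["import"].add(rt)
            if kind in ("export", "both"):
                current["export"].add(rt)
    return vrfs


def accept_update(vrfs: Dict[str, dict], update_rts: Set[str]) -> List[str]:
    """VRFs that import a VPN-IPv4 update carrying these route-targets.
    An empty list means the PE silently discards the update."""
    return sorted(name for name, v in vrfs.items() if v["import"] & update_rts)


def visibility(vrfs: Dict[str, dict]) -> Dict[str, Set[str]]:
    """For each VRF, the VRFs whose exported routes it will import: a route is
    imported when any of its export RTs matches any import RT of the VRF."""
    return {name: {other for other, o in vrfs.items() if v["import"] & o["export"]}
            for name, v in vrfs.items()}


def unintended_visibility(vrfs: Dict[str, dict], intended: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """VRFs that can see routes of VRFs outside their intended set (a leak)."""
    leaks: Dict[str, Set[str]] = {}
    for name, seen in visibility(vrfs).items():
        extra = seen - intended.get(name, set())
        if extra:
            leaks[name] = extra
    return leaks


def check_slide_config() -> Dict[str, Set[str]]:
    return unintended_visibility(parse_vrfs(SLIDE_CONFIG), INTENDED)


def check_mistyped_config() -> Dict[str, Set[str]]:
    """Constructed variant: site-4 imports 100:2 instead of 100:3 (one typo),
    which would pull Site-2 routes into the site-4 VRF."""
    bad = SLIDE_CONFIG.replace(
        "rd 100:4\n route-target export 100:3\n route-target import 100:3",
        "rd 100:4\n route-target export 100:3\n route-target import 100:2")
    return unintended_visibility(parse_vrfs(bad), INTENDED)


if __name__ == "__main__":
    print("slide config leaks:", check_slide_config())      # {}
    print("mistyped config leaks:", check_mistyped_config())  # {'site-4': {'site2'}}
```

The check is deliberately pessimistic: `visibility` treats any single RT match as an import, which is exactly how a PE decides, so a VRF that exports several RTs (site2 exports both 100:1 and 100:2) is visible to every VRF importing any of them.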


MPLS VPN - Configuration: PE/CE routing protocols

PE/CE may use BGP, RIPv2 or Static routes
A routing context is used for each VRF
- Routing contexts are defined within the routing protocol instance
- Address-family router sub-command

router rip
 version 2
 address-family ipv4 vrf <vrf-symbolic-name>
  any common router sub-command

MPLS VPN - Configuration: PE/CE routing protocols

BGP uses the same address-family command

router bgp <asn>
 ...
 address-family ipv4 vrf <vrf-symbolic-name>
  any common router BGP sub-command

Static routes are configured per VRF

ip route vrf <vrf-symbolic-name> ...


MPLS VPN - Configuration: PE router commands

All show commands are VRF based
- show ip route vrf <vrf-symbolic-name> ...
- show ip protocols vrf <vrf-symbolic-name>
- show ip cef vrf <vrf-symbolic-name>
PING and Telnet commands are VRF based
- telnet /vrf <vrf-symbolic-name>
- ping vrf <vrf-symbolic-name>

MPLS VPN - Configuration: PE/CE routing protocols

[Figure: same four-site topology (Site-1 to Site-4 in VPN-A, VPN-B and VPN-C). PE1 holds the VRFs for site-1 (100:1: Site-1 and Site-2 routes) and site-2 (100:2: Site-1, Site-2 and Site-3 routes); PE2 holds the VRFs for site-3 (100:3: Site-2, Site-3 and Site-4 routes) and site-4 (100:4: Site-3 and Site-4 routes); multihop MP-iBGP between PE1 and PE2.]

PE1:

ip vrf site1
 rd 100:1
 route-target export 100:12
 route-target import 100:12
ip vrf site2
 rd 100:2
 route-target export 100:12
 route-target import 100:12
 route-target import 100:23
 route-target export 100:23
!
interface Serial3/6
 ip vrf forwarding site1
 ip address 192.168.61.6 255.255.255.0
 encapsulation ppp
!
interface Serial3/7
 ip vrf forwarding site2
 ip address 192.168.62.6 255.255.255.0
 encapsulation ppp

PE2 (the fourth VRF is named site4 throughout, matching the interface and BGP references to it):

ip vrf site3
 rd 100:3
 route-target export 100:23
 route-target import 100:23
 route-target import 100:34
 route-target export 100:34
ip vrf site4
 rd 100:4
 route-target export 100:34
 route-target import 100:34
!
interface Serial4/6
 ip vrf forwarding site3
 ip address 192.168.73.7 255.255.255.0
 encapsulation ppp
!
interface Serial4/7
 ip vrf forwarding site4
 ip address 192.168.74.7 255.255.255.0
 encapsulation ppp


MPLS VPN - Configuration: PE/CE routing protocols

[Figure: same four-site topology; PE1 holds the VRFs for site-1 and site-2, PE2 the VRFs for site-3 and site-4; multihop MP-iBGP between PE1 and PE2.]

PE1 (peering with PE2 at 7.7.7.7):

router bgp 100
 no bgp default ipv4-unicast
 neighbor 7.7.7.7 remote-as 100
 neighbor 7.7.7.7 update-source Loop0
 !
 address-family ipv4 vrf site2
  neighbor 192.168.62.2 remote-as 65502
  neighbor 192.168.62.2 activate
 exit-address-family
 !
 address-family ipv4 vrf site1
  neighbor 192.168.61.1 remote-as 65501
  neighbor 192.168.61.1 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 7.7.7.7 activate
  neighbor 7.7.7.7 next-hop-self
 exit-address-family

PE2 (peering with PE1 at 6.6.6.6):

router bgp 100
 no bgp default ipv4-unicast
 neighbor 6.6.6.6 remote-as 100
 neighbor 6.6.6.6 update-source Loop0
 !
 address-family ipv4 vrf site4
  neighbor 192.168.74.4 remote-as 65504
  neighbor 192.168.74.4 activate
 exit-address-family
 !
 address-family ipv4 vrf site3
  neighbor 192.168.73.3 remote-as 65503
  neighbor 192.168.73.3 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 6.6.6.6 activate
  neighbor 6.6.6.6 next-hop-self
 exit-address-family


Summary

Supports large scale VPN services
- Increases value add by the VPN Service Provider
- Decreases the Service Provider's cost of providing VPN services
Mechanisms are general enough to enable a VPN Service Provider to support a wide range of VPN customers
See RFC2547


Point-to-point connections vs BGP/MPLS VPNs: routing peering

[Figure: left, a CE at one site maintaining routing peerings with all other sites; right, the CE peering only with its directly attached PE.]

Mesh of point-to-point connections requires each (virtual) router to maintain O(n) peering (where n is the number of sites)
- does not scale to VPNs with large number of sites (due to the properties of existing routing protocols)
Amount of routing peering maintained by CE is O(1) - CE peers only with directly attached PE
- independent of the total number of sites within a VPN
- scales to VPNs with large number of sites (100s - 1000s sites per VPN)


Point-to-point connections vs BGP/MPLS VPNs: provisioning

[Figure: left, adding a new site (CE) to a mesh requires a config change at every other site; right, adding a new site requires a config change only on the attached PE.]

Mesh of point-to-point connections requires O(n) configuration changes (where n is the number of sites) when adding a new site
Amount of configuration changes needed to add a new site (new CE) is O(1): need to configure only the directly attached PE
- independent of the total number of sites within a VPN



Agenda

Introduction to MPLS

LDP
MPLS VPN

Monitoring MPLS


Basic MPLS Monitoring Commands

router(config)#
show tag-switching tdp parameters
Displays TDP parameters on the local router.

router(config)#
show tag-switching interface
show mpls interface   (12.1(3)T)
Displays MPLS status on individual interfaces.

router(config)#
show tag-switching tdp discovery
Displays all discovered TDP neighbors.



show tag-switching tdp parameters

Router#show tag-switching tdp parameters
Protocol version: 1
No tag pool for downstream tag distribution
Session hold time: 180 sec; keep alive interval: 60 sec
Discovery hello: holdtime: 15 sec; interval: 5 sec
Discovery directed hello: holdtime: 180 sec; interval: 5 sec


show tag-switching interface

Router#show tag-switching interface detail
Interface Serial1/0.1:
        IP tagging enabled
        TSP Tunnel tagging not enabled
        Tagging operational
        MTU = 1500
Interface Serial1/0.2:
        IP tagging enabled
        TSP Tunnel tagging not enabled
        Tagging operational
        MTU = 1500


show tag-switching tdp discovery

Router#show tag-switching tdp discovery
Local TDP Identifier:
    192.168.3.102:0
TDP Discovery Sources:
    Interfaces:
        Serial1/0.1: xmit/recv
            TDP Id: 192.168.3.101:0
        Serial1/0.2: xmit/recv
            TDP Id: 192.168.3.100:0


More TDP Monitoring Commands

router(config)#
show tag-switching tdp neighbor
Displays individual TDP neighbors.

router(config)#
show tag-switching tdp neighbor detail
Displays more details about TDP neighbors.

router(config)#
show tag-switching tdp bindings
Displays Tag Information Base (TIB).



show tag tdp neighbor

Router#show tag-switching tdp neighbors
Peer TDP Ident: 192.168.3.100:0; Local TDP Ident 192.168.3.102:0
        TCP connection: 192.168.3.100.711 - 192.168.3.102.11000
        State: Oper; PIEs sent/rcvd: 55/53; ; Downstream
        Up time: 00:43:26
        TDP discovery sources:
          Serial1/0.2
        Addresses bound to peer TDP Ident:
          192.168.3.10    192.168.3.14    192.168.3.100


show tag tdp neighbor detail

Router#show tag-switching tdp neighbors detail
Peer TDP Ident: 192.168.3.100:0; Local TDP Ident 192.168.3.102:0
        TCP connection: 192.168.3.100.711 - 192.168.3.102.11000
        State: Oper; PIEs sent/rcvd: 55/54; ; Downstream; Last TIB rev sent 26
        UID: 1; Up time: 00:44:01
        TDP discovery sources:
          Serial1/0.2; holdtime: 15000 ms, hello interval: 5000 ms
        Addresses bound to peer TDP Ident:
          192.168.3.10    192.168.3.14    192.168.3.100
        Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab


show tag tdp bindings

Router#show tag tdp bindings
  tib entry: 192.168.3.1/32, rev 9
        local binding:  tag: 28
        remote binding: tsr: 19.16.3.3:0, tag: 28
  tib entry: 192.168.3.2/32, rev 8
        local binding:  tag: 27
        remote binding: tsr: 19.16.3.3:0, tag: 27
  tib entry: 192.168.3.3/32, rev 7
        local binding:  tag: 26
        remote binding: tsr: 19.16.3.3:0, tag: imp-null(1)
  tib entry: 192.168.3.10/32, rev 6
        local binding:  tag: imp-null(1)
        remote binding: tsr: 19.16.3.3:0, tag: 26


Monitoring Label Switching

router(config)#
show tag-switching forwarding-table
show mpls forwarding-table
Displays contents of the Label Forwarding Information Base.

router(config)#
show ip cef detail
Displays label(s) attached to a packet during label imposition on an edge LSR.


Monitoring Label Switching: Monitoring LFIB

Router#show tag-switching forwarding-table ?
  A.B.C.D     Destination prefix
  detail      Detailed information
  interface   Match outgoing interface
  next-hop    Match next hop neighbor
  tags        Match tag values
  tsp-tunnel  TSP Tunnel id
  |           Output modifiers
  <cr>


show tag-switching forwarding-table

Router#show tag-switching forwarding-table detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
26     Untagged    192.168.3.3/32    0          Se1/0.3    point2point
        MAC/Encaps=0/0, MTU=1504, Tag Stack{}
27     Pop tag     192.168.3.4/32    0          Se0/0.4    point2point
        MAC/Encaps=4/4, MTU=1504, Tag Stack{}
        20618847
28     29          192.168.3.4/32    0          Se1/0.3    point2point
        MAC/Encaps=4/8, MTU=1500, Tag Stack{29}
        18718847 0001D000


show ip cef detail

Router#show ip cef 192.168.20.0 detail
192.168.20.0/24, version 23, cached adjacency to Serial1/0.2
0 packets, 0 bytes
  tag information set
    local tag: 33
    fast tag rewrite with Se1/0.2, point2point, tags imposed: {32}
  via 192.168.3.10, Serial1/0.2, 0 dependencies
    next hop 192.168.3.10, Serial1/0.2
    valid cached adjacency
    tag rewrite with Se1/0.2, point2point, tags imposed: {32}


Debugging Label Switching and TDP

router(config)#
debug tag-switching tdp ...
Debugs TDP adjacencies, session establishment, and label bindings exchange.

router(config)#
debug tag-switching tfib ...
debug mpls lfib   (12.1(3)T)
Debugs Tag Forwarding Information Base events: label creations, removals, rewrites.

router(config)#
debug tag-switching packets [interface]
debug mpls packets [interface]   (12.1(3)T)
Debugs labeled packets switched by the router. Disables fast or distributed tag switching.

Common Frame-Mode MPLS Symptoms

- TDP/LDP session does not start.
- Labels are not allocated or distributed.
- Packets are not labeled although the labels have been distributed.
- MPLS intermittently breaks after an interface failure.
- Large packets are not propagated across the network.


TDP Session Startup Issues: 1/4


Symptom
TDP neighbors are not discovered.
show tag tdp discovery does not display expected TDP neighbors.

Diagnosis
MPLS is not enabled on adjacent router.

Verification
Verify with show tag interface on the adjacent router.


TDP Session Startup Issues: 2/4


Symptom
TDP neighbors are not discovered.

Diagnosis
Label distribution protocol mismatch - TDP on one end, LDP on the other end.

Verification
Verify with show tag interface detail on both routers.


TDP Session Startup Issues: 3/4


Symptom
TDP neighbors are not discovered.

Diagnosis
Packet filter drops TDP/LDP neighbor discovery packets.

Verification
Verify access-list presence with show ip interface. Verify access-list contents with show access-list.


TDP Session Startup Issues: 4/4


Symptom
TDP neighbors discovered, TDP session is not established.
show tdp neighbor does not display a neighbor in Oper state.

Diagnosis
Connectivity between loopback interfaces is broken: the TDP session is usually established between the loopback interfaces of adjacent LSRs, so a loopback that is unreachable through the IGP prevents the session from coming up.

Verification
Verify connectivity with extended ping command.

Label Allocation Issues


Symptom
Labels are not allocated for local routes.
show tag-switching forwarding-table does not display any labels.

Diagnosis
CEF is not enabled.

Verification
Verify with show ip cef.


Label Distribution Issues


Symptom
Labels are allocated, but not distributed.
show tag-switching tdp bindings on the adjacent LSR does not display labels from this LSR.

Diagnosis
Problems with conditional label distribution.

Verification
Debug label distribution with debug tag tdp advertisement.
Examine the neighbor TDP router ID with show tag tdp discovery. Verify that the neighbor TDP router ID is matched by the access list specified in the tag advertise command.

Packet Labeling

Symptom
Labels are distributed, packets are not labeled.
show interface statistics does not show labeled packets being sent.

Diagnosis
CEF is not enabled on the input interface (potentially because a conflicting feature is configured on it).

Verification
Verify with show cef interface.


show cef interface


Router#show cef interface
Serial1/0.1 is up (if_number 15)
  Internet address is 192.168.3.5/30
  ICMP redirects are always sent
  Per packet loadbalancing is disabled
  IP unicast RPF check is disabled
  Inbound access list is not set
  Outbound access list is not set
  IP policy routing is disabled
  Interface is marked as point to point interface
  Hardware idb is Serial1/0
  Fast switching type 5, interface type 64
  IP CEF switching enabled
  IP CEF VPN Fast switching turbo vector
  Input fast flags 0x1000, Output fast flags 0x0
  ifindex 3(3) Slot 1 Slot unit 0 VC -1
  Transmit limit accumulator 0x0 (0x0)
  IP MTU 1500
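The three verification steps that rely on interface state (CEF enabled on the input interface for packet labeling, an inbound access list that could drop TDP/LDP discovery, and the MTU headroom needed for large labeled packets) can be checked from this output in one pass. The following is an added example, not part of the original deck: a small parser over constructed show cef interface samples, with the CEF/ACL wording modelled on the slide and the second sample assumed to be what a mis-configured interface prints.

```python
import re

# Constructed sample modelled on the "show cef interface" slide (healthy interface).
SAMPLE_OK = """\
Serial1/0.1 is up (if_number 15)
  Internet address is 192.168.3.5/30
  Inbound access list is not set
  Outbound access list is not set
  IP CEF switching enabled
  IP CEF VPN Fast switching turbo vector
  IP MTU 1500
"""
# Constructed failing case (assumed wording): CEF off on the input interface,
# inbound ACL present.
SAMPLE_BAD = """\
FastEthernet0/0 is up (if_number 3)
  Internet address is 192.168.10.1/24
  Inbound access list is 101
  Outbound access list is not set
  IP CEF switching disabled
  IP MTU 1500
"""

def parse_cef_interface(output):
    """Pull the fields the troubleshooting cards depend on out of show cef interface."""
    name = output.strip().split()[0]
    acl = re.search(r"Inbound access list is (.+)", output)
    mtu = re.search(r"IP MTU (\d+)", output)
    acl_value = acl.group(1).strip() if acl else "not set"
    return {
        "interface": name,
        "cef_enabled": "IP CEF switching enabled" in output,
        "inbound_acl": None if acl_value == "not set" else acl_value,
        "ip_mtu": int(mtu.group(1)) if mtu else None,
    }

def label_switching_findings(output, label_depth=2):
    """Map parsed fields onto the symptoms on the slides.

    label_depth: labels pushed on this path (2 for MPLS VPN: IGP label + VPN label).
    """
    f = parse_cef_interface(output)
    findings = []
    if not f["cef_enabled"]:
        findings.append("cef-disabled")  # packets entering this interface are not labeled
    if f["inbound_acl"]:
        # an inbound ACL may drop TDP (UDP 711) or LDP (UDP 646) discovery hellos
        findings.append("inbound-acl:" + f["inbound_acl"])
    if f["ip_mtu"]:
        # every LAN segment on the LSP must carry ip_mtu plus 4 bytes per label
        findings.append("tag-mtu-needed:%d" % (f["ip_mtu"] + 4 * label_depth))
    return findings
```

Paste real show cef interface output into the same function; the tag-mtu-needed value is what to compare against the Tag MTU on each LAN-attached router in the path.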


Intermittent MPLS Failures after Interface Failure

Symptom
Overall MPLS connectivity in a router intermittently breaks after an interface failure.

Diagnosis
The IP address of a physical interface is used as the TDP/LDP identifier, so the identifier is lost whenever that interface fails. Configure a loopback interface on the router.

Verification
Verify local TDP identifier with show tag-switching tdp neighbors.


Packet Propagation
Symptom
Large packets are not propagated across the network.
Extended ping with varying packet sizes fails for packet sizes close to 1500.

In some cases, MPLS might work, but MPLS/VPN will fail.

Diagnosis
Tag MTU issues or switches with no support for jumbo frames in the forwarding path.

Verification
Trace the forwarding path; identify all LAN segments in the path. Verify Tag MTU setting on routers attached to LAN segments. Check for low-end switches in the transit path.


Summary
After completing this lesson, you will be able to perform the following tasks:
Describe procedures for monitoring MPLS on IOS platforms.

List the debugging commands associated with label switching, LDP and TDP.
Identify common configuration or design errors.

Use the available debugging commands in real-life troubleshooting scenarios.



Customer Reference


Cisco's MPLS Is Proven: 150+ Deployments Today

Deployment map regions: Americas, EMEA, APT/Japan


Thank you.
