Mpls basic

Date post: 21-Jan-2017
Upload: ahmed-hussien-bebars

Prepared by: Ahmed Hussein Bebars E-mail: [email protected] Mobile:+201024614238

MPLS Course

MPLS (Multi Protocol Label Switching): a new method used to forward traffic through routers based on labels.

MPLS advantages:

1. Cost saving: one core network serves all customer requirements
2. Supports Traffic Engineering (TE)
3. Decreases forwarding overhead on core routers
4. Supports forwarding of non-IP protocols, ATOM (any traffic over MPLS)
5. Supports QoS
6. Supports VPN service

LSR (Label Switched Router), equal to P (Provider router): forwards traffic based on labels.

Edge LSR, equal to PE (Provider Edge router): the device that primarily labels packets or forwards IP packets out of the MPLS domain.

Router Structure:

The router is divided into two parts. One is the control plane, where the router collects the data needed to build the routing table. The other is the data plane, where each line card on the router has memory to hold the final forwarding table. If the control plane hangs, traffic is not impacted and continues to flow from source to destination; but if there is a problem in the forwarding path at the same moment that the control plane hangs, traffic will be dropped. This function is called CEF (Cisco forwarding Express).

In our network we have two forwarding tables, FIB and LFIB. If incoming traffic is pure IP it is forwarded according to the FIB, and if incoming traffic is labeled it is forwarded according to the LFIB.


FIB (Forward Identifier Base): the CEF table; the router uses it as the routing table to forward IP data.

MPLS operation:

1. Traffic arrives at the ingress PE as pure IP traffic; according to the LFIB table it is given a label and forwarded inside the MPLS cloud
2. Traffic leaves through the egress PE: the PE pops the label and the outgoing traffic is pure IP traffic

LFIB (Label Forward Identifier Base): the label table used to forward traffic based on labels.

Syntax of the MPLS label:

Label: 20 bits
EXP: bits used for QoS
BOS (Bottom of Stack): some services over the MPLS cloud need more than one label, so BOS indicates whether there is more than one label or only one
TTL (Time To Live)
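The label fields listed above, decoded from the wire, as an added example that is not part of the original course. It assumes the standard 32-bit stack entry (20-bit label, 3-bit EXP, 1-bit BOS, 8-bit TTL); the sample packet is constructed, the inner label 22 is an arbitrary value, and `max_depth` is a hypothetical sanity limit.

```python
import struct

IMPLICIT_NULL = 3  # "imp-null" in the show outputs: signalled by LDP, never sent on the wire


def build_entry(label, exp, bos, ttl):
    """Pack one 4-byte label stack entry: label(20) | EXP(3) | BOS(1) | TTL(8)."""
    if not (0 <= label < 2**20 and 0 <= exp < 8 and bos in (0, 1) and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


def parse_label_stack(data, max_depth=8):
    """Return (entries, payload). Reads entries until one has BOS set.

    Raises ValueError on the malformed stacks a monitoring tool must not
    mis-parse: truncated data, no BOS within max_depth, or label 3 on the wire.
    """
    entries = []
    for depth in range(max_depth):
        offset = depth * 4
        if len(data) < offset + 4:
            raise ValueError("truncated label stack: no entry with BOS set")
        (word,) = struct.unpack_from("!I", data, offset)
        entry = {
            "label": word >> 12,        # top 20 bits
            "exp": (word >> 9) & 0x7,   # QoS bits
            "bos": (word >> 8) & 0x1,   # 1 = last label before the payload
            "ttl": word & 0xFF,
        }
        if entry["label"] == IMPLICIT_NULL:
            raise ValueError("implicit null (3) must not appear in a packet")
        entries.append(entry)
        if entry["bos"]:
            return entries, data[offset + 4:]
    raise ValueError("label stack deeper than max_depth")


# Constructed two-label packet: outer label 16, inner label 22 with BOS set,
# followed by two bytes standing in for the start of the IP header.
SAMPLE_PACKET = build_entry(16, 0, 0, 254) + build_entry(22, 5, 1, 255) + b"\x45\x00"

if __name__ == "__main__":
    stack, payload = parse_label_stack(SAMPLE_PACKET)
    for entry in stack:
        print(entry)
    print("payload starts with", payload.hex())
```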

To build an MPLS network, follow these steps:

1. Install an IGP protocol first


2. Activate the MPLS service to initiate labels and distribute them

To distribute the label database we have two solutions:

■ Piggyback the labels on an existing IP routing protocol
■ Have a separate protocol distribute labels

The first solution was difficult because the programming of every IGP protocol would have to change to distribute labels, so we use the second solution: a separate protocol to distribute labels.

Protocols used to distribute labels:

1. LDP (Label Distribution Protocol)
2. RSVP (Resource Reservation Protocol)

The topology below is used to explain the MPLS network.

LDP:

Each label switching router (LSR) must perform label swapping to forward the packet. Label operations: Swap, Push, POP. The LDP peers exchange the label mapping messages across the LDP session.

LDP has four major functions:

■ The discovery of LSRs that are running LDP
■ Session establishment and maintenance
■ Advertising of label mappings
■ Housekeeping by means of notification

The LSRs should discover each other by means of Hello messages and establish a session across a TCP connection.


LDP Operation:

The discovery of LSRs that are running LDP

These are all the interfaces with mpls ip configured on them. First, however, you must enable CEF with the global ip cef command. Then you must enable LDP globally with the mpls ip command (review the LDP lab).

LDP Hello messages are UDP messages sent to the 224.0.0.2 IP multicast group address. The UDP port used for LDP is 646.

- The router with the highest router ID starts the TCP session.

The Hello message contains a Hold time. If no Hello message is received from that LSR before the Hold time expires, the LSR removes that LSR from the list of discovered LDP neighbors.

Use the command show mpls ldp discovery [detail] to know which MPLS protocol is running and on which interfaces; the output below appears:

P#show mpls ldp discovery detail

Local LDP Identifier:

9.9.0.3:0

Discovery Sources:

Interfaces:

FastEthernet0/0 (ldp): xmit/recv

Enabled: Interface config

Hello interval: 5000 ms; Transport IP addr: 9.9.0.3

LDP Id: 9.9.0.2:0

Src IP addr: 9.9.56.1; Transport IP addr: 9.9.0.2

Hold time: 15 sec; Proposed local/peer: 15/15 sec

Reachable via 9.9.0.2/32

FastEthernet0/1 (ldp): xmit/recv

Enabled: Interface config

Hello interval: 5000 ms; Transport IP addr: 9.9.0.3

LDP Id: 9.9.0.1:0

Src IP addr: 9.9.46.1; Transport IP addr: 9.9.0.1

Hold time: 15 sec; Proposed local/peer: 15/15 sec

Reachable via 9.9.0.1/32

P# show mpls interfaces

Interface IP Tunnel Operational

FastEthernet0/0 Yes (ldp) No Yes

FastEthernet0/1 Yes (ldp) No Yes


To change the interval between sending Hello messages or to change the LDP Hold time, you can use the command mpls ldp discovery hello {holdtime | interval} seconds.

The default value for the holdtime is 15 seconds, and the default value for the Hello interval is 5 seconds.

If the Hold time expires for one link, that link is removed from the LDP discovery sources list.

Notes: If the two LDP peers have different LDP Hold times configured, the smaller of the two values is used as the Hold time for that LDP discovery source.

If the Hold time is too small, the session can be lost immediately even when only a few packets are lost, for example due to congestion on the link. If the Hold time is set too big, the LDP session might be up too long in the case of a serious problem,

LDP Identifier: this LDP ID is a 6-byte field that consists of 4 bytes identifying the LSR uniquely and 2 bytes identifying the label space that the LSR is using.

In most cases the 2 bytes are zero (the label space is the platform label space) (the LDP session between routers uses IP to build the routing table).

How the LDP ID is chosen: you write the command mpls ldp router-id to activate the protocol used in the MPLS cloud to distribute labels.

1. The router ID is determined according to the steps below:

■ Highest loopback IP
■ Highest physical interface IP

This LDP ID is very important in the LDP Hello message and needs to be advertised in the IGP process, so we need to advertise loopback 0 in the IGP process.

The command below shows how important it is to advertise the router ID in the IGP process. If you do not advertise the LDP ID in the routing table, the session will not initiate; you can check this with the command below. On PE1 and PE2 the LDP session with the P router is down:

PE2#show mpls ldp discovery

Local LDP Identifier:

9.9.0.2:0

Discovery Sources:

Interfaces:

FastEthernet0/0 (ldp): xmit/recv

LDP Id: 9.9.0.3:0; no route


When you check the IGP routing table, you will not find the LDP ID advertised in it:

PE2#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

9.0.0.0/8 is variably subnetted, 4 subnets, 2 masks

O 9.9.0.1/32 [110/3] via 9.9.56.2, 00:05:01, FastEthernet0/0

C 9.9.0.2/32 is directly connected, Loopback0

O 9.9.46.0/24 [110/2] via 9.9.56.2, 00:05:01, FastEthernet0/0

C 9.9.56.0/24 is directly connected, FastEthernet0/0

PE2#show mpls ldp discovery detail

Local LDP Identifier:

9.9.0.2:0

Discovery Sources:

Interfaces:

FastEthernet0/0 (ldp): xmit/recv

Enabled: Interface config

Hello interval: 5000 ms; Transport IP addr: 9.9.0.2

LDP Id: 9.9.0.3:0; no route to transport addr

Src IP addr: 9.9.56.2; Transport IP addr: 9.9.0.3

Hold time: 15 sec; Proposed local/peer: 15/15 sec


To show the keepalive interval parameters for the Hello messages and for the session, and to get the LDP parameters configured on the router, use the commands below.

Maximum backoff time: the time LDP uses when it tries to establish the TCP session with neighbors.

P#show mpls ldp neighbor 9.9.0.2 detail

Peer LDP Ident: 9.9.0.2:0; Local LDP Ident 9.9.0.3:0

TCP connection: 9.9.0.2.646 - 9.9.0.3.37331 [session initialized between routers and write TCP Ports]

Password: not required, none, in use

State: Oper; Msgs sent/rcvd: 15/15; Downstream; Last TIB rev sent 10

Up time: 00:06:21; UID: 3; Peer Id 1;

LDP discovery sources:

FastEthernet0/0; Src IP addr: 9.9.56.1

holdtime: 15000 ms, hello interval: 5000 ms [Hello interval parameters]

Addresses bound to peer LDP Ident:

9.9.56.1 9.9.0.2

Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab [session interval parameters]

Capabilities Sent:

[ICCP (type 0x0405) MajVer 1 MinVer 0]

[Dynamic Announcement (0x0506)]

[mLDP Point-to-Multipoint (0x0508)]

[mLDP Multipoint-to-Multipoint (0x0509)]

Capabilities Received:

[None]

P#show mpls ldp parameters

Protocol version: 1

Session hold time: 180 sec; keep alive interval: 60 sec

Discovery hello: holdtime: 15 sec; interval: 5 sec

Discovery targeted hello: holdtime: 90 sec; interval: 10 sec

Downstream on Demand max hop count: 255

LDP for targeted sessions

LDP initial/maximum backoff: 15/120 sec

LDP loop detection: off


We can change the LDP ID with the command mpls ldp router-id <loopback x> force.

You can also change the LDP transport address.

Note: one LDP session is enough when the per-platform label space is used and one label binding is used.

To show the LIB table there are two commands:

1. show mpls ldp bindings
2. show mpls ip binding

I suggest using show mpls ip binding; it gives a good indication of the label assigned by each LSR. The advantage of the command show mpls ip binding is that it also shows which label from all possible remote bindings is used to forward traffic by indicating inuse.

interface FastEthernet0/0

ip address 9.9.56.2 255.255.255.0

speed auto

duplex auto

mpls ip

mpls ldp discovery transport-address 3.3.3.3 [configure under interface]

PE2#show mpls ldp discovery detail

Local LDP Identifier:

9.9.0.2:0

Discovery Sources:

Interfaces:

FastEthernet0/0 (ldp): xmit/recv

Enabled: Interface config

Hello interval: 5000 ms; Transport IP addr: 9.9.0.2

LDP Id: 9.9.0.3:0

Src IP addr: 9.9.56.2; Transport IP addr: 3.3.3.3

Hold time: 15 sec; Proposed local/peer: 15/15 sec

Reachable via 3.3.3.3/32


P# show mpls ip binding

3.3.3.3/32

in label: imp-null

out label: 21 lsr: 9.9.0.1:0

out label: 20 lsr: 9.9.0.2:0

9.9.0.1/32 [LIB table on PE1]

in label: 17 [any traffic sent to P use this label]

out label: imp-null lsr: 9.9.0.1:0 inuse

out label: 17 lsr: 9.9.0.2:0 [any traffic send to PE2 use this label]

9.9.0.2/32 [LIB table on PE2]

in label: 16 [local label that assigned on PE2]

out label: 18 lsr: 9.9.0.1:0 [local label that assigned on PE1]

out label: imp-null lsr: 9.9.0.2:0 inuse

9.9.0.3/32 [LIB table on P]

in label: imp-null

out label: 17 lsr: 9.9.0.1:0

out label: 18 lsr: 9.9.0.2:0

9.9.46.0/24

in label: imp-null

out label: imp-null lsr: 9.9.0.1:0

out label: 16 lsr: 9.9.0.2:0

9.9.56.0/24

in label: imp-null

out label: 16 lsr: 9.9.0.1:0

out label: imp-null lsr: 9.9.0.2:0


To understand the relation between the routing table and the LIB table structure:

[Figure: relation between the RIB (routing table), the LDP peers, the LIB and the LFIB]

1. The routing table chooses the path to the destination IP and records the interface and IP
2. After LDP comes up, it starts to initiate the LDP peer (by sending LDP ID 9.9.0.2:0) and the addresses to this peer
3. It starts to build the LIB table by assigning labels to each IP in the RIB table
4. Finally it builds the LFIB by choosing the best path and the label assigned to it in the LIB table

P# show ip route 9.9.0.2 255.255.255.255

Routing entry for 9.9.0.2/32

Known via "ospf 9", distance 110, metric 2, type intra area

Last update from 9.9.56.1 on FastEthernet0/0, 02:27:41 ago

Routing Descriptor Blocks:

* 9.9.56.1, from 9.9.0.2, 02:27:41 ago, via FastEthernet0/0

Route metric is 2, traffic share count is 1

P# show mpls ldp binding 9.9.0.2 255.255.255.255

lib entry: 9.9.0.2/32, rev 6

local binding: label: 16

remote binding: lsr: 9.9.0.1:0, label: 18

remote binding: lsr: 9.9.0.2:0, label: imp-null

P#show mpls ldp neighbor fa0/0

Peer LDP Ident: 9.9.0.2:0; Local LDP Ident 9.9.0.3:0

TCP connection: 9.9.0.2.24363 - 3.3.3.3.646

State: Oper; Msgs sent/rcvd: 89/90; Downstream

Up time: 01:10:43

LDP discovery sources:

FastEthernet0/0, Src IP addr: 9.9.56.1

Addresses bound to peer LDP Ident:

9.9.56.1 9.9.0.2

P# show mpls forwarding-table 9.9.0.2 255.255.255.255

Local Outgoing Prefix Bytes Label Outgoing Next Hop

Label Label or Tunnel Id Switched interface

16 Pop Label 9.9.0.2/32 15239 Fa0/0 9.9.56.1


LDP lab

1. Install an IGP (OSPF, RIP, EIGRP, IS-IS) as the first step and advertise the router ID (loopback0) in the routing protocol
2. Enable the IP CEF function and MPLS in the router's configuration mode
3. In configuration mode, enable the label protocol that will be used to distribute labels
4. Configure MPLS under each interface that you need to allow to send labels (core interfaces)

hostname PE1

!

ip cef

!

interface Loopback0

ip address 9.9.0.1 255.255.255.255

!

interface FastEthernet0/1

ip address 9.9.46.1 255.255.255.0

duplex auto

no shutdown

speed auto

!

router ospf 9

mpls ldp autoconfig area 0

log-adjacency-changes

network 9.9.0.1 0.0.0.0 area 0

network 9.9.46.0 0.0.0.255 area 0

!

mpls ldp router-id Loopback0

!


hostname PE2

!

ip cef

!

interface Loopback0

ip address 9.9.0.2 255.255.255.255

!

interface FastEthernet0/0

ip address 9.9.56.1 255.255.255.0

duplex auto

no shutdown

speed auto

!

router ospf 9

mpls ldp autoconfig area 0

log-adjacency-changes

network 9.9.0.2 0.0.0.0 area 0

network 9.9.56.0 0.0.0.255 area 0

!

mpls ldp router-id Loopback0

!


hostname P

!

ip cef

!

interface Loopback0

ip address 9.9.0.3 255.255.255.255

!

interface FastEthernet0/1

ip address 9.9.46.2 255.255.255.0

duplex auto

no shutdown

speed auto

!

interface FastEthernet0/0

ip address 9.9.56.2 255.255.255.0

duplex auto

no shutdown

speed auto

!

router ospf 9

mpls ldp autoconfig area 0

log-adjacency-changes

network 9.9.0.3 0.0.0.0 area 0

network 9.9.46.0 0.0.0.255 area 0

network 9.9.56.0 0.0.0.255 area 0

!

mpls ldp router-id Loopback0

!


LDP Authentication: to protect the TCP session against attack by spoofed TCP segments, you can use a password hashed with the MD5 authentication algorithm.

Use the following command:

mpls ldp neighbor [vrf vpn-name] ip-addr password [0-7] pswd-string

Example:

P(config)#mpls ldp neighbor 9.9.0.2 password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) password

Notes: in normal behavior there is a TTL field inside the MPLS label, and the IP packet also has a TTL. The IP TTL is copied into the MPLS label TTL at ingress, and the same operation is performed at egress. This behavior allows a hacker to trace your core network; to avoid it, disable TTL propagation:

P(config)#no mpls ip propagate-ttl
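A check for the two hardening points in this section (an LDP session password per neighbor, and TTL propagation disabled), as an added example that is not part of the original course. The show output and running-config below are constructed, modelled on the outputs on this page; the second peer's Password line, the placeholder password and the finding names are assumptions.

```python
import re

# Constructed sample modelled on "show mpls ldp neighbor ... detail" from this page.
# The Password line of the second peer is an assumed format for a protected session.
SHOW_NEIGHBOR_DETAIL = """\
Peer LDP Ident: 9.9.0.2:0; Local LDP Ident 9.9.0.3:0
 TCP connection: 9.9.0.2.646 - 9.9.0.3.37331
 Password: not required, none, in use
 State: Oper; Msgs sent/rcvd: 15/15; Downstream; Last TIB rev sent 10
Peer LDP Ident: 9.9.0.1:0; Local LDP Ident 9.9.0.3:0
 TCP connection: 9.9.0.1.646 - 9.9.0.3.41022
 Password: required, neighbor, in use
 State: Oper; Msgs sent/rcvd: 15/15; Downstream; Last TIB rev sent 10
"""

# Constructed running-config fragment for router P; the password is a placeholder.
RUNNING_CONFIG = """\
hostname P
ip cef
mpls ldp neighbor 9.9.0.1 password 7 PLACEHOLDER
mpls ldp router-id Loopback0
"""


def ldp_sessions(show_text):
    """Split the show output into one record per peer with its Password fields."""
    sessions, current = [], None
    for line in show_text.splitlines():
        peer = re.match(r"\s*Peer LDP Ident:\s*(\d+(?:\.\d+){3}):\d+;", line)
        if peer:
            current = {"peer": peer.group(1), "password": []}
            sessions.append(current)
            continue
        pw = re.match(r"\s*Password:\s*(.+)", line)
        if pw and current is not None:
            current["password"] = [f.strip() for f in pw.group(1).split(",")]
    return sessions


def configured_password_peers(config_text):
    """Peers that have an 'mpls ldp neighbor [vrf x] <ip> password' line."""
    pattern = r"^mpls ldp neighbor (?:vrf \S+ )?(\S+) password\b"
    return set(re.findall(pattern, config_text, re.M))


def ttl_propagation_disabled(config_text):
    return re.search(r"^no mpls ip propagate-ttl\b", config_text, re.M) is not None


def audit(show_text, config_text):
    """Return (finding, subject) tuples for sessions and settings that need work."""
    findings = []
    protected = configured_password_peers(config_text)
    for session in ldp_sessions(show_text):
        fields = session["password"]
        if not fields or "none" in fields:
            findings.append(("ldp-no-md5", session["peer"]))
        elif session["peer"] not in protected:
            # Session reports a password but the config shown has no matching line.
            findings.append(("ldp-password-not-in-config", session["peer"]))
    if not ttl_propagation_disabled(config_text):
        findings.append(("ttl-propagation-enabled", "global"))
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_NEIGHBOR_DETAIL, RUNNING_CONFIG):
        print(finding)
```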


MPLS Service:

MPLS VPN: a common service provided by the MPLS cloud that supports secure point-to-point connections between Customer Edges (CE).

There are two types of VPN:

1. L3VPN: in this case we divide the router into vrfs (Virtual forwarding router); the customer sends IP packets and, according to two label parameters, RT (Route Target) and RD (Route Distinguisher), MPLS advertises the routing table between the two PEs on the edge to allow
2. L2VPN: in this case ATOM is transferred over MPLS and the PE does not have any IP routing table; it only makes an X connect. You can also transmit Ethernet frames as a non-IP service

MPLS VPN Model

A PE router is a provider edge (PE) router. It has a direct connection with the customer edge (CE).

In the MPLS VPN implementation, both P and PE routers run MPLS. This means that they must be able to distribute labels between them and forward labeled packets. The P router does not carry any routing table; it uses only labels to forward traffic. This saves cost, and you can extend the PE routers according to your requirements.


L3 VPN:

Each customer connected to a PE has a different vrf and its own routing table, to preserve privacy and provide the VPN.

We need two labels in this case, an inner and an outer label. Each IP packet coming from the CE takes an inner label, which helps us push it into the egress PE's vrf routing table, and an outer label, which is used between P and PE to route the labeled traffic inside the MPLS network.

We also need two protocols to distribute the two different labels:

1. The inner label uses the MP-BGP protocol (explained in a later section) to define and distribute labels between vrfs on PE routers; BGP can initiate a connection between routers that are not directly connected and has attributes that allow it to carry labels
2. The outer label uses LDP, as shown before, to distribute labels to route labeled traffic

The topology used to explain L3VPN:

In this example we have two customers, HSBC and CIB; each of them uses the same IPs to connect with the PEs, and each one has a different vrf.

CIB2 IP Range:

1. CIB Loopback 0: 172.9.0.4/32

2. interface fa1/0: 172.9.1.2/30

CIB IP Range:

1. CIB loopback0: 172.9.0.3/32

2. interface fa1/0: 172.9.1.6/30

HSBC IP Range:

1. HSBC Loopback 0: 172.9.0.1/32

2. interface fa1/0: 172.9.1.6/30

HSBC2 IP Range:

1. HSBC Loopback 0: 172.9.0.2/32

2. interface fa1/0: 172.9.1.2/30

core OSPF PID 1

BGP AS 9


PE2 IP Range:

1. PE2 Loopback 0: 9.9.0.1/32

2. interface fa1/0: 172.9.1.5/30 (vrf HSBC)

3. interface fa1/1: 172.9.1.5/30 (vrf CIB)

PE1 IP Range:

1. PE1 Loopback 0: 9.9.0.3/32

2. interface fa1/0: 172.9.1.1/30 (vrf HSBC)

3. interface fa1/1: 172.9.1.1/30 (vrf CIB)

In our example we have two customers with the same range of IPs. How does the PE differentiate between them to push each IP into the exact vrf?

RD (route distinguisher): used to differentiate between two customers that have the same IP range on the PE.

The VPN prefixes are propagated across the MPLS VPN network by Multiprotocol BGP (MP-BGP). The problem is that when BGP carries these IPv4 prefixes across the service provider network, they must be unique. If the customers had overlapping IP addressing, the routing would be wrong. To solve this problem, the concept of RDs was conceived to make IPv4 prefixes unique. The prefix derived from the combination of the IPv4 prefix and the RD is called a vpnv4 prefix.

IBGP carries IPv4 prefixes, so we need a new BGP that carries the new prefix, called MP-BGP (Multiprotocol BGP).

The RD is 64 bits and the IP is 32 bits, so the new VPNv4 address is 96 bits. It is distributed between the vrf routing tables, and according to the new address MPLS assigns a label in the LIB table.

RD label: ASN:nn (ASN is the Autonomous System number; nn is a unique number assigned in your AS)

VPNV4 prefix:

PE2#sh ip bgp vpnv4 all 172.9.1.2

BGP routing table entry for 9:1:172.9.1.0/30 [VPNV4 addressing, advertise by use MP-BGP]

RT (route target): used to define which routing table is imported (from the ingress PE) and where it is exported at the egress PE.

RTs label:

If RDs were just used to indicate the VPN, communication between sites of different VPNs would be problematic. HSBC2 site of Company HSBC would not be able to talk to a site of Company CIB2 because the RDs would not match. The concept of having sites of Company HSBC being able to talk to sites of Company CIB is called extranet VPN. The simple case of communication between sites of the same company (the same VPN) is called intranet. The communication between sites is controlled by another MPLS VPN feature called RTs.

After routes are advertised by MP-BGP and become known in the FIB table, MPLS assigns a label to each route, called the inner label.
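The RD and RT mechanics described above, worked through as an added example that is not part of the original course: it builds the 96-bit VPNv4 address from a Route Distinguisher and an IPv4 prefix, then lists which VRFs import which other VRFs' routes through their route targets. The RD, RT and prefix values in LAB_VRFS are the ones the lab configuration on this page assigns on PE2; the RT values 9:101 and 9:102 in SEPARATED_VRFS are hypothetical, and the VRF name is assumed to identify the customer.

```python
import ipaddress
import struct


def encode_rd(rd):
    """Encode an RD written ASN:nn as 8 bytes: 2-byte type 0, 2-byte ASN, 4-byte nn."""
    asn, nn = (int(part) for part in rd.split(":"))
    if not (0 <= asn < 2**16 and 0 <= nn < 2**32):
        raise ValueError(f"RD out of range for ASN:nn format: {rd}")
    return struct.pack("!HHI", 0, asn, nn)


def vpnv4_prefix(rd, prefix):
    """Return (12-byte VPNv4 address = 64-bit RD + 32-bit IPv4, prefix length)."""
    net = ipaddress.ip_network(prefix)
    return encode_rd(rd) + net.network_address.packed, net.prefixlen


def advertise(vrfs):
    """What each VRF hands to MP-BGP: its VPNv4 prefixes tagged with its export RTs."""
    routes = []
    for name, vrf in vrfs.items():
        for prefix in vrf["routes"]:
            routes.append({"origin": name,
                           "vpnv4": vpnv4_prefix(vrf["rd"], prefix),
                           "rts": set(vrf["export"])})
    return routes


def cross_vrf_imports(vrfs):
    """(importer, origin) pairs where one VRF imports another VRF's routes.

    A VRF imports a route when any RT on the route matches one of its import RTs;
    the RD plays no part in that decision.
    """
    pairs = set()
    for route in advertise(vrfs):
        for name, vrf in vrfs.items():
            if name != route["origin"] and route["rts"] & set(vrf["import"]):
                pairs.add((name, route["origin"]))
    return sorted(pairs)


# Values from the PE2 lab configuration on this page.
LAB_VRFS = {
    "HSBC": {"rd": "9:1", "export": ["1:1"], "import": ["1:1"],
             "routes": ["172.9.1.4/30", "172.9.0.1/32"]},
    "CIB": {"rd": "9:2", "export": ["1:1"], "import": ["1:1"],
            "routes": ["172.9.1.4/30", "172.9.0.3/32"]},
}

# Same VRFs with one RT per customer (hypothetical values, not from the page).
SEPARATED_VRFS = {
    "HSBC": dict(LAB_VRFS["HSBC"], export=["9:101"], **{"import": ["9:101"]}),
    "CIB": dict(LAB_VRFS["CIB"], export=["9:102"], **{"import": ["9:102"]}),
}

if __name__ == "__main__":
    for route in advertise(LAB_VRFS):
        address, length = route["vpnv4"]
        print(route["origin"], address.hex(), f"/{length}")
    print("lab RTs:      ", cross_vrf_imports(LAB_VRFS))
    print("separated RTs:", cross_vrf_imports(SEPARATED_VRFS))
```

With the lab's values the overlapping 172.9.1.4/30 stays unique per customer because the RDs differ, while the shared RT 1:1 makes HSBC and CIB import each other's routes, which is the extranet case described above.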


MPLS L3VPN Lab

Steps followed to build MPLS L3VPN:

1. Set up the IGP protocol and build the MPLS core network as shown in the LDP lab
2. Set up MP-BGP and allow it to send extended communities (VPNv4), create the vrfs and assign the interfaces that connect directly to the CE; this step is defined only on PE routers
3. Set up a routing protocol between CE and PE under the vrf for each customer

Configure MPLS & MP-BGP:

PE2 configuration:

hostname PE2

!

ip vrf CIB [define vrf CIB with RD 9:2 & RT 1:1]

rd 9:2

route-target export 1:1

route-target import 1:1

!

ip vrf HSBC [define vrf HSBC with RD 9:1 & RT 1:1]

rd 9:1

route-target export 1:1

route-target import 1:1

!

interface Loopback0

ip address 9.9.0.1 255.255.255.255

!

interface FastEthernet0/0

ip address 10.10.1.6 255.255.255.252

duplex full

!

interface FastEthernet1/0 [define interface under vrf]

ip vrf forwarding HSBC

ip address 172.9.1.5 255.255.255.252

speed auto

duplex full

!

interface FastEthernet1/1

ip vrf forwarding CIB [define interface under vrf]

ip address 172.9.1.5 255.255.255.252

speed auto

duplex auto

!

router ospf 1

log-adjacency-changes

network 9.9.0.1 0.0.0.0 area 0

network 10.10.1.4 0.0.0.3 area 0

mpls ldp autoconfig [configure mpls for all interfaces in core network]

!


!

router bgp 9

no synchronization

bgp log-neighbor-changes

neighbor 9.9.0.3 remote-as 9

neighbor 9.9.0.3 update-source Loopback0

no auto-summary

!

address-family vpnv4 [activate MP-BGP to send new address VPNv4]

neighbor 9.9.0.3 activate

neighbor 9.9.0.3 send-community extended

exit-address-family

!

address-family ipv4 vrf CIB [define vrf under MP-BGP to start send routing table between PE by use command redistribute]

no synchronization

redistribute connected

redistribute static

exit-address-family

!

address-family ipv4 vrf HSBC

no synchronization

redistribute connected

redistribute static

exit-address-family

!

no ip http secure-server

ip route vrf HSBC 172.9.0.1 255.255.255.255 172.9.1.6 [define simple route between CE & PE static route under vrf]

ip route vrf CIB 172.9.0.3 255.255.255.255 172.9.1.6

!!

end


P configuration (BGP free):

hostname P
!
ip cef
!
interface Loopback0
ip address 9.9.0.2 255.255.255.255
!
interface FastEthernet0/0
ip address 10.10.1.2 255.255.255.252
duplex full
!
interface FastEthernet1/0
ip address 10.10.1.5 255.255.255.252
speed auto
duplex full
!
router ospf 1
log-adjacency-changes
network 9.9.0.2 0.0.0.0 area 0
network 10.10.1.0 0.0.0.3 area 0
network 10.10.1.4 0.0.0.3 area 0
mpls ldp autoconfig
!
end

HSBC configuration:

hostname HSBC
!
interface Loopback0
ip address 172.9.0.1 255.255.255.255
!
interface FastEthernet1/0
ip address 172.9.1.6 255.255.255.252
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.9.1.5 [define default route between CE & PE]
!
end

We repeat the configuration on PE1, CIB, CIB2 and HSBC2.


Now, after we install this lab, you can ping from HSBC to HSBC2, and CIB can do the same.

Define the vrf on the PE with the commands below. Each vrf has one RD and can have more than one RT, according to the routing tables that need to be distributed under the vrf.

Note: the vrf name is case sensitive.

Configure the interfaces that connect the CE and the PE under the vrf, then configure a static route between them.

Enable BGP, allow it to send VPNv4, and redistribute the vrf routing table so that BGP can transfer routing between the vrfs on the two PEs.

PE2(config)#ip vrf HSBC

PE2(config-vrf)#rd 9:1

PE2(config-vrf)#route-target both 1:1

PE2(config)#ip vrf CIB

PE2(config-vrf)#rd 9:2

PE2(config-vrf)#route-target both 1:1

PE2(config)#inter fa 1/0

PE2(config-if)#ip vrf forwarding HSBC

PE2(config-if)#ip add 172.9.1.5 255.255.255.252

PE2(config)#ip route vrf HSBC 172.9.0.1 255.255.255.255 172.9.1.6

PE2(config)#router bgp 9

PE2(config-router)#neighbor 9.9.0.3 remote-as 9 [to setup neighbor ship between PE's]

PE2(config-router)#neighbor 9.9.0.3 update-source loopback 0

PE2(config-router)#address-family vpnv4 [to allow MP-BGP & send VPNv4]

PE2(config-router-af)#neighbor 9.9.0.3 activate

PE2(config-router-af)#neighbor 9.9.0.3 send-community extended

PE2(config-router)#address-family ipv4 vrf HSBC [define type of vrf that will transfer IPv4 CE has IPv4]

PE2(config-router-af)#redistribute connected

PE2(config-router-af)#redistribute static

PE2(config-router)#address-family ipv4 vrf CIB

PE2(config-router-af)#redistribute connected

PE2(config-router-af)#redistribute static

