Wednesday 1 November 2017

MPLS VPNs - 2

MPLS VPN services let the SP offer a wide variety of additional services to its customers, because MPLS VPNs are aware of the Layer 3 addresses at the customer locations, while still providing the privacy (separation between customers) inherent in Layer 2 WAN services. MPLS VPNs use MPLS unicast IP forwarding inside the SP's network, with additional MPLS-aware features at the edge between the provider and the customer.

Both P and PE routers run LDP and an IGP to support unicast IP routing inside the SP's network. However, the IGP advertises routes only for subnets inside the MPLS network (typically the PE and P loopbacks and the core links), with no customer routes included.

PEs have several other duties as well, all geared toward learning customer routes and keeping track of which routes belong to which customer. PEs exchange routes with the connected CE routers from various customers, using external BGP (eBGP), RIPv2, OSPF, EIGRP, or static routes, noting which routes are learned from which customer. Because different customers may use overlapping prefixes, PE routers do not put the routes in the normal (global) IP routing table; instead, PEs store those routes in separate per-customer routing tables, called VRFs. Then the PEs use IBGP (multiprotocol BGP) to exchange these customer routes with other PEs, never advertising the routes to the P routers.

The extra work for the PE relates to the fact that the MPLS VPN data plane causes the ingress PE to place two labels on the packet, as follows:
- An outer MPLS header (S-bit = 0), carrying the label learned through LDP, with a value that causes the packet to be label switched across the P routers to the egress PE
- An inner MPLS header (S-bit = 1), carrying the VPN label learned through MP-BGP from the egress PE, which identifies the egress VRF (and routed prefix) on which the egress PE bases its forwarding decision
The P routers act only on the outer label and never look at the inner label or the customer IP addresses.

Virtual Routing and Forwarding Tables

Each VRF has three main components:
   1. An IP routing table (RIB)
   2. A CEF FIB, populated based on that VRF's RIB
   3. A separate instance or process of the PE-CE routing protocol used to exchange routes with the CEs supported by the VRF

MP-BGP and Route Distinguishers

MPLS VPN protocols define the use of IBGP to advertise the routes—all the routes, from all the different VRFs. MPLS deals with the overlapping prefix problem by adding another number, the route distinguisher (RD), in front of the original BGP network layer reachability information (NLRI) (prefix), producing a VPNv4 NLRI (8-byte RD plus IPv4 prefix). Each different RD can represent a different customer, making the NLRI values unique even when the IPv4 prefixes themselves overlap.

RDs allow BGP to advertise and distinguish between duplicate IPv4 prefixes. Every VRF must be configured with an RD. The RD itself is 8 bytes; the first 2 bytes are a type field that identifies which of three formats the remaining 6 bytes follow: type 0 is a 2-byte AS number followed by a 4-byte assigned number (for example 65000:100), type 1 is a 4-byte IPv4 address followed by a 2-byte number (for example 10.0.0.1:100), and type 2 is a 4-byte AS number followed by a 2-byte number. The RD has no meaning beyond making the NLRI unique; it plays no part in deciding which VRF imports a route (that is the RT's job), so two customers with overlapping addresses must be given different RDs, or their routes collide as identical VPNv4 NLRIs and BGP keeps only one of them.

Route targets (RTs) enable MPLS VPNs to support all sorts of complex VPN topologies—for example, allowing some sites to be reachable from multiple VPNs, a concept called overlapping VPNs. PEs advertise RTs in BGP Updates as BGP Extended Community path attributes (PA). RT values follow the same basic format as the values of an RD. However, note that while a particular prefix can have only one RD, that same prefix can have one or more RTs assigned to it.

It is sometimes helpful to think of the term export to mean “redistribute out of the VRF into BGP” and the term import to mean “redistribute into the VRF from BGP.”

For simple VPN implementations, in which each VPN consists of all sites for a single customer, most configurations simply use a single RT value, with each VRF for a customer both importing and exporting that RT value.

Overlapping VPNs

An overlapping VPN occurs when at least one CE site needs to be reachable by CEs in different VPNs. The RT concept allows an MPLS network to leak routes from multiple VPNs into a particular VRF: that VRF simply imports the RT exported by each of those VPNs, while the other VRFs keep importing only their own.
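The following IOS configuration is an added example, not from the original notes, of the RT policy for an overlapping VPN on one PE: customers A and B each keep their own VPN, and a third VRF, for a shared-services site, is reachable from both. The VRF names, RD values and RT values are assumptions.

```cisco
! Customer A: imports/exports its own RT, and additionally imports the
! shared-services RT so A's sites can reach the shared site.
ip vrf CUST-A
 rd 65000:100
 route-target both 65000:100
 route-target import 65000:999
!
! Customer B: same pattern with its own RT. It never imports 65000:100,
! so customer A's routes never enter this VRF.
ip vrf CUST-B
 rd 65000:200
 route-target both 65000:200
 route-target import 65000:999
!
! Shared-services VRF: exports its own RT (which A and B import) and
! imports both customers' RTs so the shared site can reach both of them.
ip vrf SHARED
 rd 65000:999
 route-target export 65000:999
 route-target import 65000:100
 route-target import 65000:200
```

CUST-A and CUST-B do not import each other's RT, so A and B remain invisible to each other; only SHARED holds routes from both. Two points to check in such a design: the shared site's CE now holds routes to both customers and is a potential transit path between them, so filter there if A and B must not talk; and a single extra route-target import line (say 65000:200 under CUST-A) would leak B's routes into A, so the import lists on every PE are what an audit of customer separation has to read. The three RDs are distinct so that overlapping 10.x.x.x prefixes from A and B produce distinct VPNv4 NLRIs.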

MPLS VPN Configuration

MPLS VPN configuration focuses primarily on control plane functions: creating the VRF and associated RDs and RTs, configuring MP-BGP, and redistributing between the IGP used with the customer and BGP used inside the MPLS cloud.

The mpls ip command, configured on the core-facing interfaces, tells IOS that IP packets should be forwarded and received with an MPLS label on that interface (and starts LDP on it).
The planning process must match the exported RT on one PE router to the imported RT on the remote PE, and vice versa, for the two routers to exchange routes with MP-BGP.
The route-target both command can be used when the same value serves as both the import and export RT.
That matching is also the only thing keeping customers apart: a PE imports into a VRF every VPNv4 route carrying an RT on that VRF's import list, so an import RT that mistakenly names another customer's value leaks that customer's routes into this VRF.

Configuring the IGP Between PE and CE

Next comes the configuration of a routing protocol between the PE and CE, in the VRF context. This routing protocol allows the PE router to learn the customer's routes, and the customer routers to learn the customer routes that the PE learned from other PEs through MP-BGP.

Configuring Redistribution Between PE-CE IGP and MP-BGP

The mechanics of the MPLS VPN mutual redistribution configuration require that both the IGP and BGP be told the specific VRF for which redistribution occurs.
The redistribute command, under both the BGP and IGP processes, is entered after the address-family ipv4 vrf vrf-name command sets the VRF context, so the redistribute command acts on that VRF.
When the PE-CE IGP is redistributed into BGP, BGP sets the route's MED to the IGP metric by default, so the redistribute eigrp command does not require a default metric. In the opposite direction (BGP into EIGRP) a metric must still be supplied, because EIGRP has no default seed metric for routes redistributed from other protocols.
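Putting the steps above together, here is an added example of a complete PE configuration (not the original notes' own configuration): one customer VRF, the MPLS core interface, the core IGP and LDP, the MP-BGP VPNv4 session to the other PE, an EIGRP PE-CE instance, and mutual redistribution. Names, addresses, AS numbers, keys and RD/RT values are assumptions; the remote PE (10.0.0.2) must import the same RT, 65000:100, or it will not install these routes.

```cisco
ip cef
mpls label protocol ldp
mpls ldp router-id Loopback0 force
! Hide the core's hops from customer traceroutes, but keep TTL
! propagation for traceroutes generated by the PE itself.
no mpls ip propagate-ttl forwarded
!
ip vrf CUST-A
 rd 65000:100
 route-target both 65000:100
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! Core-facing interface: global routing table, label switched
interface GigabitEthernet0/1
 description to P1
 ip address 10.0.12.1 255.255.255.0
 mpls ip
!
! Customer-facing interface: placed in the VRF first (ip vrf forwarding
! clears any address already on the interface), then addressed; no mpls ip here
interface GigabitEthernet0/0
 description to CE-A1
 ip vrf forwarding CUST-A
 ip address 10.1.1.1 255.255.255.252
!
! Core IGP: carries only SP-internal prefixes (loopbacks and core links)
router ospf 1
 network 10.0.0.0 0.0.255.255 area 0
!
! PE-CE routing protocol: one EIGRP instance per VRF
router eigrp 1
 address-family ipv4 vrf CUST-A
  autonomous-system 100
  network 10.1.1.0 0.0.0.3
  ! BGP -> EIGRP needs a seed metric; without one nothing is redistributed
  redistribute bgp 65000 metric 10000 100 255 1 1500
  no auto-summary
!
router bgp 65000
 no bgp default ipv4-unicast
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 update-source Loopback0
 neighbor 10.0.0.2 password MpBgpKey1
 !
 ! VPNv4 session to the other PE; extended communities carry the RTs
 address-family vpnv4
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 send-community extended
 !
 address-family ipv4 vrf CUST-A
  ! EIGRP -> BGP: MED defaults to the EIGRP metric, so no metric is needed
  redistribute eigrp 100
```

The VPNv4 next hop 10.0.0.2 must be reachable in the global table with an LDP label, which is why PE loopbacks are advertised as /32 routes into the core IGP; the outer label of every VPN packet is the one LDP bound to that next hop. The P routers never see the VRF, the EIGRP process, or the BGP session.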

MPLS Basic - 1

Instead of forwarding packets based on the packets' destination IP address, MPLS defines how routers can forward packets based on an MPLS label. By disassociating the forwarding decision from the destination IP address, MPLS allows forwarding decisions based on other factors, such as traffic engineering, QoS requirements, and the privacy requirements for multiple customers connected to the same MPLS network, while still considering the traditional information learned using routing protocols.

With MPLS unicast IP forwarding, the MPLS forwarding logic forwards packets based on labels. However, when choosing the interfaces out which to forward the packets, MPLS considers only the routes in the unicast IP routing table.

Many of the more helpful MPLS applications, such as MPLS Virtual Private Networks (VPN) and MPLS traffic engineering (TE), use MPLS unicast IP forwarding as one part of the MPLS network.

CEF Review

The FIB entry details the information needed for forwarding: the next-hop router and the outgoing interface. Additionally, the CEF adjacency table lists the new data-link header that the router will then copy in front of the packet before forwarding. For the data plane, a CEF router compares the packet’s destination IP address to the CEF FIB, ignoring the IP routing table. CEF optimizes the organization of the FIB so that the router spends very little time to find the correct FIB entry, resulting in a smaller forwarding delay and a higher volume of packets per second through a router. For each packet, the router finds the matching FIB entry, then finds the adjacency table entry referenced by the matching FIB entry, and forwards the packet.

Overview of MPLS Unicast IP Forwarding

The term Label Switch Router (LSR) refers to any router that has awareness of MPLS labels; in the example topology these notes are based on, routers PE1, P1, and PE2. An LSR at the edge of the MPLS network, which receives unlabeled IP packets and pushes a label (ingress) or pops the last label and forwards a plain IP packet (egress), is called an Edge LSR (E-LSR); PE1 and PE2 are E-LSRs, P1 is not.
FIB: Used for incoming unlabeled packets. Cisco IOS matches the packet’s destination IP address to the best prefix in the FIB and forwards the packet based on that entry.
LFIB: Used for incoming labeled packets. Cisco IOS compares the label in the incoming packet to the LFIB’s list of labels and forwards the packet based on that LFIB entry.

The MPLS Header and Label

The MPLS header is a 4-byte header, located between the data-link header and the IP header. It carries a 20-bit label, 3 EXP (traffic class) bits, a 1-bit bottom-of-stack (S) flag, and an 8-bit TTL. The MPLS EXP bits allow for QoS marking, which can be done using CB Marking. The LSRs decrement the MPLS TTL field, and not the IP TTL field, as the packet passes through the MPLS network.

MPLS TTL propagation refers to the MPLS routers carrying the same TTL value across the MPLS network that would have occurred if MPLS were not used at all: the ingress E-LSR copies the IP TTL into the MPLS header when it pushes the label, each LSR decrements the MPLS TTL, and the egress E-LSR copies the decremented MPLS TTL back into the IP header when the label is popped. With propagation enabled (the default), a customer traceroute therefore lists every LSR in the path.

Cisco routers can be configured to disable MPLS TTL propagation. When disabled, the ingress E-LSR sets the MPLS header's TTL field to 255, and the egress E-LSR does not copy the MPLS TTL back into the original IP header, leaving the IP TTL as it was when the label was pushed. As a result, the entire MPLS network appears to be a single router hop from a TTL perspective, and the routers inside the MPLS network do not appear in the customer's traceroute output.

PE1 can be configured to use TTL propagation for locally created packets, which allows the traceroute command issued from PE1 to list all the routers in the MPLS cloud, while at the same time disabling TTL propagation for forwarded packets (packets received from customers), preventing the customer from learning router IP addresses inside the MPLS network. The global command is no mpls ip propagate-ttl forwarded; without the forwarded keyword, propagation is disabled for locally generated and forwarded packets alike.

MPLS IP Forwarding: Control Plane

MPLS supports many different control plane protocols. For example, MPLS VPNs use two control plane protocols: LDP and multiprotocol BGP (MP-BGP). While multiple control plane protocols can be used for some MPLS applications, MPLS unicast IP forwarding uses an IGP and one MPLS-specific control plane protocol: LDP.

MPLS LDP Basics

For unicast IP routing, LDP simply advertises labels for each prefix listed in the IP routing table. To do so, LSRs use LDP to send messages to their neighbors, with the messages listing an IP prefix and corresponding label. By advertising an IP prefix and label, the LSR is essentially saying, “If you want to send packets to this IP prefix, send them to me with the MPLS label listed in the LDP update.”
The LDP advertisement is triggered by a new IP route appearing in the unicast IP routing table. Upon learning a new route, the LSR allocates a label called a local label. The local label is the label that, on this one LSR, is used to represent the IP prefix just added to the routing table; the LSR then advertises this prefix-to-label binding to its LDP neighbors.

The routers in the MPLS cloud must use some IP routing protocol to learn IP routes to trigger the LDP process of advertising labels. Typically, for MPLS unicast IP routing, you would use an interior gateway protocol (IGP) to learn all the IP routes, triggering the process of advertising the corresponding labels. 

The MPLS Label Information Base Feeding the FIB and LFIB

LSRs store labels and related information inside a data structure called the Label Information Base (LIB). The FIB and LFIB contain labels only for the currently used best LSP segment, that is, the label learned from the next-hop LSR on the IGP's best route, while the LIB contains all labels known to the LSR (the local binding and every remote binding learned from each LDP neighbor), whether the label is currently used for forwarding or not. To decide which label to use, LSRs rely on the routing protocol's decision about the best route: the outgoing label installed in the FIB and LFIB is the one advertised by that route's next-hop router.

To enable MPLS for simple unicast IP forwarding, an LSR simply needs to enable CEF, globally enable MPLS, and enable MPLS on each desired interface. Also, IOS uses LDP by default. 

The term remote binding refers to a label-prefix binding learned through LDP from some LDP neighbor, as opposed to the local binding, the label this LSR allocated for the prefix itself.

The FIB is used to forward packets that arrived unlabeled, and the LFIB is used to forward packets that arrived already labeled. For a single prefix, the LFIB entry and the LIB bindings (local and remote) can be checked with:
show mpls forwarding-table 10.3.3.0 24
show mpls ldp bindings 10.3.3.0 24


Label Distribution Protocol Reference

LDP uses a Hello feature to discover LDP neighbors and to determine to what IP address (the neighbor's LDP transport address, by default its LDP router ID) the ensuing TCP connection should be made. LDP multicasts the Hellos to IP address 224.0.0.2 (all routers on the subnet), using UDP port number 646.

After discovering neighbors through LDP Hello messages, LDP neighbors form a TCP connection to each neighbor, again using port 646, this time over TCP. After the TCP connection is up, each router advertises all its bindings of local labels and prefixes. Because this is an ordinary TCP session, IOS can protect it with an MD5 password (mpls ldp neighbor address password key); and since the session is opened to the LDP router ID learned from the Hello, that address must be reachable through the IGP or the session never comes up.
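As an added example, not from the notes, this is the minimal configuration of a core LSR (a P router), covering the enablement steps described under the LIB section above (CEF, MPLS globally, MPLS per interface) together with LDP session authentication, since the LDP neighbors form a plain TCP session on port 646. Addresses, interface names and keys are assumptions.

```cisco
ip cef
mpls label protocol ldp
! Use the loopback as the LDP router ID; its /32 must be in the IGP, because
! neighbors open the LDP TCP session to this address after Hello discovery.
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.0.0.11 255.255.255.255
!
interface GigabitEthernet0/0
 description to PE1
 ip address 10.0.12.2 255.255.255.0
 mpls ip
!
interface GigabitEthernet0/1
 description to PE2
 ip address 10.0.23.1 255.255.255.0
 mpls ip
!
! Core IGP: loopbacks and core links only; a P router carries no customer routes
router ospf 1
 network 10.0.0.0 0.0.255.255 area 0
!
! MD5-authenticate the LDP TCP session with each neighbor, keyed by the
! neighbor's LDP router ID. The neighbor needs the same key or no session forms.
mpls ldp neighbor 10.0.0.1 password 0 LdpKey1
mpls ldp neighbor 10.0.0.2 password 0 LdpKey2
```

Once the neighbors are up, show mpls ldp neighbor lists the TCP sessions, show mpls ldp bindings shows the LIB (local and remote bindings for every IGP prefix), and show mpls forwarding-table shows the LFIB entries actually used for label switching. Note that there is no VRF, MP-BGP, or customer-facing configuration here at all; that lives only on the PEs.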