MPLS Fundamentals Quick Reference

Introduction

MPLS enables routers to forward traffic by looking at the label and NOT the destination IP address.

Use of MPLS does not speed up your network, but rather provides a platform to transport different L2 and L3 protocols (IPv4, IPv6, HDLC, PPP).

AToM (Any Transport over MPLS) - is a feature that allows any L2 frame to be carried across the MPLS backbone.

Service providers were challenged how to better integrate IP over ATM. There were several solutions prior to MPLS:

  • Manually establish all ATM circuits, then create manual mappings between IP next hops and ATM endpoints. All of this needs to be manually configured on every ATM router in the network.
  • Implement LAN Emulation services (LANE)
  • Multiprotocol over ATM, which is the most complex solution

Service providers deploy two major VPN models:

  • Overlay VPN Model. With Frame Relay, for example, you create a VC to each destination endpoint. To calculate the number of VCs needed, use: (n-1)*2, where n is the number of endpoints (routers).
  • Peer-to-peer VPN model. Each endpoint joins the VPN cloud, which eliminates the need to create multiple VCs. At the same time, packet and route filters are needed to keep each customer's network private.

MPLS label structure:

  • 20 bit - label
  • 3 bit - EXP - experimental
  • 1 bit - bottom of stack. If bottom, then set to "1"
  • 8 bit - TTL

TTL is decreased by "1" with each hop. If TTL reaches "0", then the packet is discarded.

The first label in the stack is called the "top" label, and the last is called the "bottom" label. Both MPLS VPN and AToM use 2 (two) labels in the label stack.

For MPLS VPN: one is the IGP label, the other the VPN label.

Encapsulation of the labeled packet:

L2 Frame: L2 Header | MPLS Label Stack | Transported Protocol

MPLS Protocol Identifier Values (in hex) for L2 Encapsulation types:

  • PPP - 0x0281
  • Ethernet - 0x8847
  • HDLC - 0x8847
  • Frame Relay - 0x80
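
The label layout and the Ethernet protocol identifier above can be checked with a small parser. This is an added example, not code from the original page: the function names, the `max_depth` limit and the sample frame (IGP label 21, VPN label 30) are constructed for illustration, and the frame is assumed to be untagged Ethernet. Labels 0 to 15 are flagged as reserved, as described later on this page.

```python
import struct

MPLS_ETHERTYPE = 0x8847  # Ethernet protocol identifier from the list above
# Named reserved labels from the "Forwarding Labeled Packets" section.
RESERVED_NAMES = {0: "explicit NULL", 1: "router alert",
                  3: "implicit NULL", 14: "OAM alert"}


def build_entry(label, exp, bottom, ttl):
    """Pack one 32-bit label stack entry (used to construct sample input)."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def parse_entry(word):
    """Decode 4 bytes: 20-bit label, 3-bit EXP, 1-bit bottom of stack, 8-bit TTL."""
    (value,) = struct.unpack("!I", word)
    label = value >> 12
    return {
        "label": label,
        "exp": (value >> 9) & 0x7,
        "bottom": bool(value & 0x100),
        "ttl": value & 0xFF,
        # Labels 0-15 are reserved; unnamed ones are reported as "reserved".
        "reserved": RESERVED_NAMES.get(label, "reserved") if label <= 15 else None,
    }


def parse_label_stack(frame, max_depth=8):
    """Walk the label stack of an Ethernet frame; return (entries, payload)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != MPLS_ETHERTYPE:
        raise ValueError("EtherType 0x%04x is not MPLS" % ethertype)
    entries, offset = [], 14
    while len(entries) < max_depth:
        if offset + 4 > len(frame):
            # No entry carried the bottom-of-stack bit: malformed or truncated.
            raise ValueError("frame ends before a bottom-of-stack entry")
        entry = parse_entry(frame[offset:offset + 4])
        entries.append(entry)
        offset += 4
        if entry["bottom"]:
            return entries, frame[offset:]
    raise ValueError("label stack deeper than %d entries" % max_depth)


# Constructed sample: zeroed MAC addresses, two labels, two payload bytes.
ETH_HEADER = bytes(12) + struct.pack("!H", MPLS_ETHERTYPE)
SAMPLE_FRAME = (ETH_HEADER + build_entry(21, 0, False, 254)
                + build_entry(30, 0, True, 254) + b"\x45\x00")

if __name__ == "__main__":
    stack, payload = parse_label_stack(SAMPLE_FRAME)
    for entry in stack:
        print(entry)
    print("payload bytes:", payload.hex())
```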

There are several protocols that distribute labels:

  • TDP - Tag Distribution Protocol - Cisco's proprietary. Not used.
  • LDP - Label Distribution Protocol. IETF formalized. Has more functionality.
  • RSVP - Resource Reservation Protocol


Label Distribution

For each IGP prefix, the LSR creates a local binding (label <=> prefix).

Local and remote bindings are stored in LIB. Each LSR has only 1 binding per prefix (for per-platform).

In Cisco IOS, LDP does not bind labels to BGP IPv4 prefixes.

LFIB chooses only one possible binding per prefix from LIB, and installs it in LFIB.

MPLS Label Space:

  • Per-Interface Label Space. Packet is forwarded based on incoming interface and label.
  • Per-Platform Label Space. Packet is forwarded based on label only.

There are 2 Label Distribution Modes:

  • Downstream-on-Demand (DoD) - each LSR requests a label binding for each IGP route (FEC) from the next-hop neighbor for that route (based on IGP info: show ip route). Only 1 remote binding in LIB.
  • (default) Unsolicited Downstream (UD) - each LSR sends its local binding to its LDP neighbors without waiting for a request. 1 or more remote bindings in LIB.

There are 2 Label Retention Modes:

  • (default) Liberal Label Retention (LLR) - LSR keeps all received remote bindings in LIB. Improves convergence.
  • Conservative Label Retention (CLR) - LSR stores only remote binding that is associated with the next-hop LSR for a particular FEC (route). Less memory resources needed.

There are 2 LSP (Label Switch Path) Control Modes:

  • (default) Independent LSP Control Mode - LSR starts forwarding packets without full LSP, because labels were generated for each IGP prefix already. (LSR doesn't wait for label distribution to finish)
  • Ordered LSP Control Mode - forwards only after "full" LSP exists. It only assigns labels for IGP prefixes that are marked as "connected" in "show ip route".


Forwarding Labeled Packets

LSR forwards the packet based on:

  • Top Label value of the received packet
  • Corresponding entry in LFIB (LABEL <=> INTERFACE)

#show mpls forwarding-table - will show:

  • local label
  • outgoing label
  • prefix (network)
  • outgoing interface
  • next-hop

Pomerol#show mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     10.1.1.12/30      636        Se3/0      point2point
17     Pop tag     10.10.10.1/32     0          Se3/0      point2point
18     21          10.10.10.4/32     0          Se3/0      point2point
19     Pop tag     10.1.1.0/30       0          Se4/0      point2point
       Pop tag     10.1.1.0/30       0          Se3/0      point2point
20     Pop tag     10.10.10.6/32     612        Se2/0      point2point
21     Pop tag     10.1.1.16/30      0          Se3/0      point2point
22     16          10.10.10.5/32     0          Se3/0      point2point
23     Pop tag     10.10.10.2/32     0          Se4/0      point2point

The LSR expects the "top" label of an incoming packet to match a "Local" label (from show mpls forwarding-table).

If the Outgoing label is "Aggregate", this is a summary route and a more specific lookup is performed.

If the LSR cannot find a label/interface mapping in the LFIB, it drops the packet.

There are several "RESERVED" labels numbered from 0 to 15:

  • 0 - explicit NULL - is used to preserve QoS info through EXP bits. It copies 'ip prec' or DiffServ.
  • 1 - router alert label - forces LSR to software switch the packet.
  • 3 - implicit NULL - this label is used for "connected" or "summary" routes. This way LSR signals its neighbors to execute "POP label" operation on "connected" routes. It is called PHP, Penultimate Hop Popping, and is used to make sure that LSR does not perform 2 lookups (label + ip).
  • 14 - OAM alert label - is used for monitoring purposes.

In Cisco IOS, the default range is 16 through 100,000, but can be expanded by using "mpls label range" command.

TTL is propagated from the IP header into the label stack and vice versa. When an IP packet is sent its TTL is 255, and it is decremented with each hop. If TTL reaches 0, the packet is dropped, and a "time exceeded" message is sent to the originator of the IP packet (only if the payload is IPv4).

TTL is copied only to the "top" label of the label stack; all other labels get populated with the initial TTL. (Ex: If a packet entered with TTL 252, all labels that are not "top" will have a TTL of 252.)

MPLS MRU - Maximum receive unit - tells the LSR how big a received labeled packet can be and still be forwarded out.

Pomerol#show mpls forwarding-table 10.10.10.4 32 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
18     21          10.10.10.4/32     0          Se3/0      point2point
        MAC/Encaps=4/8, MRU=1500, Tag Stack{21}


Label Distribution Protocol

All directly connected LSRs must establish an LDP peer relationship or LDP session between them.


Part 1: LDP neighbor discovery

  • Enable CEF switching using ip cef global command.
  • Enable MPLS on the interfaces using mpls ip global command.
  • Enable LDP on the device using mpls label protocol ldp global command.
  • The LSR sends LDP Hello messages on all links that are LDP enabled. (destination 224.0.0.2 'all routers on this subnet' port UDP/646)
  • The LDP Hello message has a "Hold time" field, which signals to other LSRs that if the neighbor does not send a Hello within the "hold time" interval, it should be deleted from the list of discovered neighbors
  • Verify LDP discovery operations using show mpls ldp discovery [detail]

Router# show mpls ldp discovery detail
 Local LDP Identifier:
    10.11.11.11:0
    Discovery Sources:
    Interfaces:
        Serial2/0 (ldp): xmit/recv
            Enabled: Interface config, IGP config;
            Hello interval: 5000 ms; Transport IP addr: 10.11.11.11
            LDP Id: 10.10.10.10:0
              Src IP addr: 10.0.0.1; Transport IP addr: 10.10.10.10
              Hold time: 15 sec; Proposed local/peer: 15/15 sec

The LDP Identifier tells us whether the peer uses per-platform or per-interface label space. Example: 10.10.10.10:0, where ":0" indicates that the neighbor uses per-platform label space. Any other number (":1", ":2", etc.) signifies an interface id.

"Hold time" is 15 seconds by default.

Router# show mpls ldp discovery
 Local LDP Identifier:
    150.1.5.5:0
    Discovery Sources:
    Interfaces:
        Serial2/0 (ldp): xmit/recv
            LDP Id: 10.10.10.10:0; no host route

Another requirement for LDP peering is that the peer's LDP Id must be in the routing table; otherwise no LDP session will be established between the peers.


Part 2: LDP session establishment and maintenance

  • Enable CEF switching using ip cef global command.
    Router#show adjacency detail

    Protocol Interface Address
    IP GigabitEthernet3/16 10.20.248.202(11120)
    0 packets, 0 bytes
    00D00178780A
    00D00624440A0800
    ARP 00:05:40
    Epoch: 0
    IP FastEthernet9/48 10.192.15.254(7)
    0 packets, 0 bytes
    00D0BCF107C8
    00D00624440A0800
    ARP 00:39:20
    Epoch: 0
    IP FastEthernet9/1 100.1.1.1(2005)
    0 packets, 0 bytes
    0007ECC57000
    00D00624440A0800
    ARP 03:19:20
    Epoch: 0
  • Enable MPLS on the interfaces using mpls ip global command.
  • Enable LDP on the device using mpls label protocol ldp global command.
  • The LSR sends LDP Hello messages on all links that are LDP enabled. (destination 224.0.0.2 'all routers on this subnet' port UDP/646)
  • The LDP Hello message has a "Hold time" field, which signals to other LSRs that if the neighbor does not send a Hello within the "hold time" interval, it should be deleted from the list of discovered neighbors
  • Verify LDP discovery operations using show mpls ldp discovery [detail]

After 2 neighbors have discovered each other using "Hello" messages, they continue with session establishment.
During session establishment both peers try to open a TCP/646 connection to each other and agree on session parameters.
Session establishment attempts are limited by backoff parameters, so that neighbors do not overwhelm each other with a flood of parameter exchanges.
The backoff intervals are configured using:

#mpls ldp backoff {initial-backoff} {maximum-backoff} (Defaults are: 15 sec and 120 sec)

The session is maintained using periodic keepalives, which are configured using the command below:

#mpls ldp holdtime {sec}

If the session between 2 peers breaks for some reason, each peer will try to reconnect. After the holdtime timer expires, the session is dropped.
To see session status, issue:

# show mpls ldp neighbor {ip-address} detail

When 2 peers establish an LDP session, they send "Hello" messages carrying the address they want the other peer to connect to.
If we want P2 to establish its LDP session with P1 over P1's Lo500 interface (IP 10.1.1.1), then P1 must send its "Hello" messages to P2 with 10.1.1.1 as the "Transport IP address".
To do so, configure the command below on the physical interfaces of P1:

(config)#int E0/1
(config-if)#ip address 192.168.1.1 255.255.255.0
(config-if)#mpls ldp discovery transport-address 10.1.1.1

(config)#int E0/2
(config-if)#ip address 192.168.2.1 255.255.255.0
(config-if)#mpls ldp discovery transport-address 10.1.1.1

This way the LDP session will be established between 10.1.1.1 (P1) and 10.1.1.2 (P2).
Keep in mind that this setting has nothing to do with the LDP Identifier, which is set with:

#mpls ldp router-id {interface} force

The number of LDP sessions depends on whether we are using per-platform or per-interface label space.

  • Per-platform => 1 LDP session per device
  • Per-interface => 1 LDP session per each interface.


Part 3: How Label Advertising Works

Rule: of all the labels received from all the LDP neighbors of a particular LSR, only one should be used as the outgoing label in the LFIB.

A label mapping is constructed in the following way:

  • LDP Identifier - tells the peer which session the label mapping came from
  • Prefix - prefix that was advertised by the neighbor, ex: 10.200.210.0/24
  • Label - label advertised by the neighbor. Ex: "imp-null" is for connected routes

Router# show mpls ldp bindings
  tib entry: 1.1.1.1/32, rev 4
        local binding: tag: imp-null
        remote binding: tsr: 2.2.2.2:0, tag: 19
        remote binding: tsr: 3.3.3.3:0, tag: 20
  tib entry: 2.2.2.2/32, rev 8
        local binding: tag: 19
        remote binding: tsr: 2.2.2.2:0, tag: imp-null
        remote binding: tsr: 3.3.3.3:0, tag: 21
  tib entry: 3.3.3.3/32, rev 10
        local binding: tag: 20
        remote binding: tsr: 2.2.2.2:0, tag: 21
        remote binding: tsr: 3.3.3.3:0, tag: imp-null
  tib entry: 192.168.12.0/24, rev 2
        local binding: tag: imp-null
        remote binding: tsr: 2.2.2.2:0, tag: imp-null
        remote binding: tsr: 3.3.3.3:0, tag: 19
  tib entry: 192.168.13.0/24, rev 6
        local binding: tag: imp-null
        remote binding: tsr: 2.2.2.2:0, tag: 20
        remote binding: tsr: 3.3.3.3:0, tag: imp-null
  tib entry: 192.168.23.0/24, rev 12
        local binding: tag: 21
        remote binding: tsr: 2.2.2.2:0, tag: imp-null
        remote binding: tsr: 3.3.3.3:0, tag: imp-null

Rule: a label binding stays in the database until the peer disconnects or the label is withdrawn.
A label is withdrawn with a "Label Withdraw" message to the LDP peer, and then the new label is advertised with a "Label Mapping" message.
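
The rule that only one received label per prefix becomes the outgoing label, and the difference between liberal and conservative retention from the Label Distribution section, can be seen by parsing the output above. This is an added example, not code from the original page: the function names are hypothetical and the two next-hop tables are constructed (on a router the next hop comes from the routing table).

```python
import re

# First three entries of the "show mpls ldp bindings" output shown above.
SAMPLE_BINDINGS = """\
tib entry: 1.1.1.1/32, rev 4
local binding: tag: imp-null
remote binding: tsr: 2.2.2.2:0, tag: 19
remote binding: tsr: 3.3.3.3:0, tag: 20
tib entry: 2.2.2.2/32, rev 8
local binding: tag: 19
remote binding: tsr: 2.2.2.2:0, tag: imp-null
remote binding: tsr: 3.3.3.3:0, tag: 21
tib entry: 3.3.3.3/32, rev 10
local binding: tag: 20
remote binding: tsr: 2.2.2.2:0, tag: 21
remote binding: tsr: 3.3.3.3:0, tag: imp-null
"""

# Constructed: prefix -> LDP Id of the next-hop LSR, before and after the
# direct path to 3.3.3.3 is lost and the IGP reroutes via 2.2.2.2.
NEXT_HOP = {"2.2.2.2/32": "2.2.2.2:0", "3.3.3.3/32": "3.3.3.3:0"}
NEXT_HOP_AFTER_FAILURE = {"2.2.2.2/32": "2.2.2.2:0", "3.3.3.3/32": "2.2.2.2:0"}


def parse_bindings(text):
    """Build the LIB: prefix -> {"local": label, "remote": {ldp_id: label}}."""
    lib, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"tib entry: (\S+), rev \d+", line)
        if m:
            current = lib.setdefault(m.group(1), {"local": None, "remote": {}})
            continue
        if current is None:
            continue
        m = re.match(r"local binding: tag: (\S+)", line)
        if m:
            current["local"] = m.group(1)
            continue
        m = re.match(r"remote binding: tsr: (\S+), tag: (\S+)", line)
        if m:
            current["remote"][m.group(1)] = m.group(2)
    return lib


def build_lfib(lib, next_hop):
    """Pick one outgoing label per prefix: the binding from the next-hop LSR."""
    lfib = {}
    for prefix, peer in next_hop.items():
        entry = lib.get(prefix)
        if entry and peer in entry["remote"]:
            lfib[prefix] = (entry["local"], entry["remote"][peer])
    return lfib


def conservative_retention(lib, next_hop):
    """Keep only the remote binding learned from the current next hop."""
    return {prefix: {"local": e["local"],
                     "remote": {peer: label for peer, label in e["remote"].items()
                                if peer == next_hop.get(prefix)}}
            for prefix, e in lib.items()}


if __name__ == "__main__":
    lib = parse_bindings(SAMPLE_BINDINGS)
    print("liberal, after reroute:", build_lfib(lib, NEXT_HOP_AFTER_FAILURE))
    clr = conservative_retention(lib, NEXT_HOP)
    print("conservative, after reroute:", build_lfib(clr, NEXT_HOP_AFTER_FAILURE))
```

With liberal retention the label from 2.2.2.2:0 is already in the LIB when the next hop changes; with conservative retention the prefix has no outgoing label until the new next hop's binding is received.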


Part 4: LDP Session Notification Messages

These messages are used to signal LDP peers about significant events, such as:

  • Malformed protocol data unit (PDU) or message
  • Unknown or malformed Type-Length-Value (TLV)
  • Session keepalive timer expiration
  • Unilateral session shutdown
  • Initialization message events
  • Events resulting from other messages
  • Internal errors
  • Loop detection
  • Miscellaneous events


Part 5: Targeted LDP Session (Remote LDP)

These sessions are needed when LDP peers are not directly connected, but are required to exchange labels.
This is usually the case in AToM and MPLS TE deployments. To configure it use the following command:

Router(config)# mpls ldp neighbor [vrf {vrf-name}] {ip-address} targeted [ldp | tdp]

Targeted LDP sessions will improve label convergence time compared to the convergence time with directly connected LDP peers when there are flapping links.


Part 6: Outbound Label Advertisement Filtering

You can control which label bindings are advertised to LDP neighbors. To accomplish that use:

no mpls ldp advertise-labels
mpls ldp advertise-labels [vrf vpn-name] [interface interface | for prefix-access-list [to peer-access-list]]

NOTE: Keep in mind that this command takes immediate effect.

In the following example, the router is configured to advertise the label for network 59.0.0.0 only to LSR 155.0.0.55, the label for network 35.0.0.0 only to LSR 133.0.0.33, and the labels for all other prefixes to all LSRs.

Router(config)# ip access-list standard pfx-filter1
Router(config-std-nacl)# permit 59.0.0.0
Router(config-std-nacl)# exit
Router(config)# ip access-list standard lsr-filter1
Router(config-std-nacl)# permit 155.0.0.55
Router(config-std-nacl)# exit
Router(config)# ip access-list standard pfx-filter2
Router(config-std-nacl)# permit 35.0.0.0
Router(config-std-nacl)# exit
Router(config)# ip access-list standard lsr-filter2
Router(config-std-nacl)# permit 133.0.0.33
Router(config-std-nacl)# exit
Router(config)# mpls ldp advertise-labels for pfx-filter1 to lsr-filter1
Router(config)# mpls ldp advertise-labels for pfx-filter2 to lsr-filter2

If we want to block label advertisement for all labels to the rest of the peers:

Router(config)# no mpls ldp advertise-labels

Part 7: Inbound Label Advertisement Filtering

To control inbound filtering use the command below. Label bindings for prefixes that match 10.b.c.d are accepted, where b is less than or equal to 63, and c and d can be any integer between 0 and 128. Other label bindings received from 10.110.0.10 are rejected.

Router# configure terminal
Router(config)# access-list 1 permit 10.63.0.0 0.63.255.255
Router(config)# mpls ldp neighbor 10.110.0.10 labels accept 1
Router(config)# end


Part 8: MPLS LDP - IGP Synchronization

A problem with MPLS networks is that LDP and the IGP are not synchronized, which leads to the LSR dropping traffic, because the LSR drops a packet any time it cannot find a label for it.
To solve this problem, we enable LDP-IGP sync. The IGP announces the link with maximum metric until synchronization is achieved. After the LDP session is established and label bindings have been exchanged, the IGP advertises the link with its normal IGP metric.
LDP-IGP synchronization is enabled globally for the IGP process using the command mpls ldp sync.


Part 9: Flapping Links - LDP Session Protection

When the directly connected link between 2 LSRs goes down, the targeted LDP session is kept up as long as an alternative path exists between the two LSRs.
The LDP link adjacency is removed, but the targeted adjacency keeps the session up. When the link comes back, the LSR does NOT need to re-establish the LDP session.
To enable LDP Session Protection:

#mpls ldp session protection
OR
#mpls ldp session protection vrf {vrf-name} for {acl-number} duration {seconds}

Remember that for Session Protection to work, it must be enabled on both LSRs.


MPLS and ATM Architecture

ATM is a connection-oriented protocol.
ATM traffic consists of fixed-size cells of 53 bytes.
Header: 5 bytes
Payload: 48 bytes

ATM Header fields

  • GFC - 4 bits of generic flow control that are used to provide local functions, such as identifying multiple stations that share a single ATM interface. The GFC field is typically not used and is set to a default value.
  • VPI - 8 bits of virtual path identifier that is used, in conjunction with the VCI, to identify the next destination of a cell as it passes through a series of switch routers on its way to its destination.
  • VCI - 16 bits of virtual channel identifier that is used, in conjunction with the VPI, to identify the next destination of a cell as it passes through a series of switch routers on its way to its destination.
  • PT - 3 bits of payload type. The first bit indicates whether the cell contains user data or control data. If the cell contains user data, the second bit indicates congestion, and the third bit indicates whether the cell is the last in a series of cells that represent a single AAL5 frame.
  • CLP - 1 bit of congestion loss priority that indicates whether the cell should be discarded if it encounters extreme congestion as it moves through the network.
  • HEC - 8 bits of header error control that are a checksum calculated only on the header itself.

PT fields are defined as follows:

  • 1 bit => indicates whether the cell contains "user data" or "control data"
  • 2 bit => indicates whether network congestion is present
  • 3 bit => indicates whether the cell is the last cell of an AAL5 frame (PDU)

For traffic to be forwarded correctly through ATM LSRs, the traffic must be MPLS encapsulated, and the MPLS label value must be mapped to VPI/VCI values.
In cell mode MPLS, the VPI/VCI value is encoded into the TOP label, and the label value of the TOP label in the label stack is set to "0".
Rule: Each IGP prefix in the routing table must be assigned a label. Each label value is mapped to the VPI/VCI field, and a virtual circuit is built for each label.
To enable MPLS on ATM switches, we must configure Label Switching Controlled ATM interfaces (LC-ATM). Default VC is 0/32, and encapsulation is LLC/SNAP.

Loop Detection
LC-ATM utilizes the "Hop Count TLV" and the "Path Vector TLV". Those are fields inside "Label Request" LDP messages.
Loop detection is a configurable option which provides a mechanism for finding looping LSPs and for preventing Label Request messages from looping in the presence of non-merge capable LSRs.
The mechanism makes use of Path Vector and Hop Count TLVs carried by Label Request and Label Mapping messages. It works as follows:

  1. A Path Vector TLV contains a list of the LSRs that its containing message has traversed. When an LSR propagates a Path Vector TLV it adds its own LSR Id to the Path Vector list. Then, an LSR that receives a message with a Path Vector containing its own LSR Id can detect that the message has traversed a loop.
    To enable this feature:
    #mpls ldp loop-detection
  2. A Hop Count TLV contains a count of the LSRs that its containing message has traversed. Each time a message containing a Hop Count TLV is propagated, the LSR increments the count. An LSR that detects a Hop Count that has reached a configured maximum value behaves as if the containing message has traversed a loop. To control the number of hops, use the below command:
    #mpls ldp maxhops {number}

    By default, more than 254 hops => LOOP!
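
The two checks can be followed step by step in a short simulation. This is an added example, not code from the original page or from any LDP implementation: the message is modelled as a plain dictionary, the function names and LSR Ids are constructed, and a loop is declared when the incremented count is more than the maximum, following the default stated above.

```python
DEFAULT_MAX_HOPS = 254  # default stated above: more than 254 hops is a loop


def process(message, lsr_id, max_hops=DEFAULT_MAX_HOPS):
    """Handle a message at one LSR; return (message_to_forward, None) or (None, reason)."""
    # Path Vector check: our own LSR Id is already listed, so the message looped.
    if lsr_id in message["path_vector"]:
        return None, "path vector already contains %s" % lsr_id
    # Hop Count check: increment, then compare with the configured maximum.
    hop_count = message["hop_count"] + 1
    if hop_count > max_hops:
        return None, "hop count %d exceeds maximum %d" % (hop_count, max_hops)
    forwarded = {
        "fec": message["fec"],
        "hop_count": hop_count,
        "path_vector": message["path_vector"] + [lsr_id],
    }
    return forwarded, None


def send_along(fec, lsr_path, max_hops=DEFAULT_MAX_HOPS):
    """Propagate a Label Request for fec through lsr_path and report the outcome."""
    message = {"fec": fec, "hop_count": 0, "path_vector": []}
    for lsr_id in lsr_path:
        forwarded, reason = process(message, lsr_id, max_hops)
        if forwarded is None:
            return {"loop": True, "detected_at": lsr_id, "reason": reason,
                    "path_vector": message["path_vector"]}
        message = forwarded
    return {"loop": False, "detected_at": None, "reason": None,
            "path_vector": message["path_vector"]}


if __name__ == "__main__":
    fec = "10.10.10.4/32"
    # Constructed paths: loop-free, revisiting an LSR, and too long for maxhops 4.
    print(send_along(fec, ["10.0.0.1", "10.0.0.2", "10.0.0.3"]))
    print(send_along(fec, ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.2"]))
    print(send_along(fec, ["10.0.0.%d" % i for i in range(1, 7)], max_hops=4))
```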


Glossary

FRR - Fast ReRouting - is a feature that allows you to reroute labeled traffic around a "dead" router, and it takes less than 50ms to accomplish it.

FEC - Forwarding Equivalence Class - is a group or flow of packets that are forwarded along the same path and are treated the same with regards to the forwarding treatment.

NLPI - Network Level Protocol Identifier - is a field in the L2 frame that indicates which L3 protocol will follow.

MTU - Maximum transmission unit - it indicates the maximum size of the IP packet that can be sent on a data link without fragmenting the packet.

 

 
