burningnode.com
Random networking related stuff.

MPLS course notes



A bunch of notes on MPLS (Multiprotocol Label Switching)

MPLS Introduction

Process Switching – Fast Switching – CEF

LIB : Label Information Base -> prefix / label bindings, the local ones and those learned from every LDP peer
LFIB : Label Forwarding Information Base = “action table”, only the bindings actually used to forward (in label -> out label, swap / pop)

MPLS => Layer 2.5 (the label stack sits between the L2 header and the IP header)

LSR = Label Switch Router = Provider Router = P
Edge LSR = Provider Edge Router = PE

LDP = Label Distribution Protocol (hellos on UDP 646, session on TCP 646) / TDP = Tag Distribution Protocol, Cisco proprietary pre-standard MPLS, TCP 711
FIB = Forwarding Information Base (IGP)
LFIB = Label Forwarding Information Base (IGP + LDP)

LDP session : the neighbour with the higher transport address (normally the LDP router ID) opens the TCP connection, so just one TCP session is active per pair of peers.
LDP bindings -> Label + FEC

Label distribution : downstream unsolicited (a router advertises a label for every prefix it can reach, without being asked; the IOS default in frame mode)
downstream on-demand (a node requests a label for a learned prefix from its downstream next hop)

POP a label : remove the label and look the packet up in the routing table (to reach a customer, for example)

PHP : Penultimate Hop Popping = the label is popped one hop before the egress PE, so the PE does a single IP lookup instead of a label lookup followed by an IP lookup (spreads the L3 lookup workload)
Implicit null : reserved label #3 (TDP implicit null label = 1); advertised by the egress to request PHP, never appears on the wire
Explicit null : reserved label #0; the penultimate hop swaps to label 0 instead of popping, so the egress still receives a label (keeps the EXP bits for QoS)

push = attaching a label, label imposition (ingress LSR)
pop = label disposition, removing a label (egress LSR)
swap = label swap, change the label (LSR)

FEC (Forwarding Equivalence Class) : group of packets that are forwarded the same way, with the same treatment, to the same next hop
End to end path followed by the packets of a FEC : Label Switched Path (LSP)
The FEC is what an LSR uses to determine how packets are mapped to LSPs.

Label = 32 bits, 4 fields, in this order :
Label 20 bits, Experimental (EXP, used by Cisco for CoS; renamed Traffic Class by RFC 5462) 3 bits, Bottom-of-stack (S) 1 bit, TTL 8 bits

RFC 3031 MPLS Architecture

PID : the MPLS protocol ID (on Ethernet, ethertype 0x8847 unicast / 0x8848 multicast) indicates whether labels have been placed on the packet

Control plane : where label bindings are exchanged (LDP), on top of the IGP that builds the routing table

data plane <= FIB + LFIB

MPLS Traffic Engineering : RSVP (RSVP-TE) is used to signal the TE tunnels

if a prefix has no label in the LFIB yet (e.g. the interim packet propagation period after a routing change, while the IGP has converged but LDP has not yet provided a label for the new path), the packet is sent unlabeled using plain CEF forwarding;
if there is nothing in the FIB either, the packet is dropped.

MPLS Frame Mode Config

Cell mode => for ATM networks

ip cef
ip route-cache cef (per interfaces)

per interface :

mpls ip
mpls label protocol ldp
mpls mtu 1512

MTU default 1500 octets
Label stack -> 3 labels * 4 octets = 12 octets -> 1512 octets
MPLS TE (one more label in the stack) -> 1512

switches in the path : enable jumbo frame support

show mpls ?
show ip cef

conf t
mpls label protocol ldp (affects all the interfaces)

ldp -> the default label protocol on IOS
Core routing
each IGP prefix gets an in (local) label and an out (remote) label; the result is visible in the LFIB with show mpls forwarding-table

label spoofing : a labeled packet received on an interface without MPLS enabled is dropped
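
As an added example, not taken from the original notes, here is the frame-mode configuration above assembled into one minimal IOS P/PE router config, with the verification commands that show the LIB and LFIB. Interface names, addresses and the OSPF process number are assumptions chosen for illustration.

```cisco
! Added example, not from the original notes: minimal frame-mode MPLS on a
! Cisco IOS P/PE router. Interface names, addresses and the OSPF process
! number are assumptions chosen for illustration.
ip cef
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! core link: IP forwarding, LDP and the bigger MPLS MTU, per interface
interface GigabitEthernet0/0
 description core link towards P2
 ip address 10.1.12.1 255.255.255.252
 mpls ip
 mpls mtu 1512
!
! CE-facing link: deliberately no "mpls ip", so a labeled packet from the CE is dropped
interface GigabitEthernet0/1
 description towards customer CE
 ip address 192.0.2.1 255.255.255.252
!
! LDP (not TDP) on every MPLS interface, and a stable LDP router ID
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
! Verification (exec mode):
! show mpls interfaces            interface listed with IP and LDP enabled
! show mpls ldp neighbor          one TCP session (port 646) per peer, opened by the active side
! show mpls ldp bindings          LIB: local and remote labels for every prefix
! show mpls forwarding-table      LFIB: in label, out label, or "Pop Label" when the peer asked for PHP
! show ip cef 10.0.0.2/32 detail  FIB entry with the label to impose
```

The point to check after applying this is the LFIB: a prefix whose peer advertised implicit null shows "Pop Label" rather than an outgoing label, which is PHP at work, and a prefix with no LDP binding yet shows no label at all and is forwarded as plain IP.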

MPLS VPNs Introduction

RFC 2547 (obsoleted by RFC 4364)

Overlay VPN : traditional point to point VPNs, WAN links… (the carrier is not involved in the customer's routing)
costly
Peer to Peer VPN : the SP participates in the customer's routing (the carrier takes care of the customer)
easy to add a site, the customer relies on the SP, the SP has to manage the customer's IP addresses

VRF instances = separate routing tables (one per customer VPN on the PE)
overlapping address space possible between customers

RD = 64-bit tag prepended to the IPv4 prefix in route advertisements (VPNv4 routes, 96 bits)
keeps customer routes unique = they belong to a specific customer, even when the IPv4 prefixes overlap

RT = route target, a BGP extended community; it allows a customer VPN to be part of more than one VPN
defined as import and export values
import : accept into the VRF the VPNv4 routes carrying this value
export : tag the VRF's routes with this value when they are advertised
e.g. : a VRF dedicated to internet access
shared services reachable from every VPN
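
An added example, not from the original notes, of the RD and RT ideas above on one PE: two customers that use the same subnet, plus a shared-services VRF that every customer imports. VRF names, RD/RT values, the AS number, addresses and interface names are assumptions chosen for illustration.

```cisco
! Added example, not from the original notes: RD and RT on one PE.
! VRF names, RD/RT values, AS number, addresses and interface names are
! assumptions chosen for illustration.
!
! Two customers, each with its own RD so that identical customer prefixes
! become distinct VPNv4 routes; both import the shared-services routes.
ip vrf CUST_A
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
 route-target import 65000:100
!
ip vrf CUST_B
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2
 route-target import 65000:100
!
! Shared services (e.g. internet access): exported to every customer, and
! importing every customer's routes so that return traffic can be routed.
ip vrf SHARED
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:1
 route-target import 65000:2
!
! One subinterface per VRF towards the CEs; the same subnet twice is legal
! because CUST_A and CUST_B are separate routing tables.
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding CUST_A
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip vrf forwarding CUST_B
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 ip vrf forwarding SHARED
 ip address 198.51.100.1 255.255.255.0
!
! MP-iBGP to the route reflector carries the VPNv4 routes; the RT extended
! communities must be sent or the remote PEs cannot import anything.
router bgp 65000
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 update-source Loopback0
 address-family vpnv4
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 send-community extended
 address-family ipv4 vrf CUST_A
  redistribute connected
 address-family ipv4 vrf CUST_B
  redistribute connected
 address-family ipv4 vrf SHARED
  redistribute connected
!
! show ip bgp vpnv4 all     -> 65000:1:10.10.0.0/24 and 65000:2:10.10.0.0/24, two distinct routes
! show ip route vrf SHARED  -> caveat: SHARED imports both 10.10.0.0/24 routes but only one can
!                              be installed; a shared-services VRF needs the customer prefixes
!                              it imports to be unique (or NATed at the CE)
```

The RD makes the two 10.10.0.0/24 routes distinct in MP-BGP, but it does not make them distinct inside a VRF that imports both: that is the recurring design trap with shared-services and extranet VRFs.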

MP-BGP to exchange customer routes as VPNv4 prefixes, running between PE routers (or PE and route reflectors); the P routers take no part in it

MPLS is the fabric, and switch the packets to right P and PE routers

CEF distributed mode (dCEF) -> forwarding decisions made on the line cards, lowers and distributes the load on the core

No full mesh needed ! Secure (VRF / RD separation), no VPN client software, allows MPLS TE

LDP extended neighbour discovery
LDP targeted hellos -> unicast UDP 646 to a specific address
Used for non-adjacent LDP peers in MPLS VPN environments (e.g. pseudowires between PEs), multihop LDP hellos

L2 MPLS VPNs
point to point connectivity
the provider network is not responsible for distributing site routes, the routing relationship is between the customer endpoints
requires a full mesh of endpoints if any-to-any connectivity is required.
(FR DLCI, ATM VC, PPP connection)

L3 MPLS VPNs
multipoint connectivity
SP in charge of routing the packets and peering with the customer
no full mesh required

in most cases eBGP between CE and PE (the customer's AS peers with the SP's AS); otherwise static routes or an IGP on the CE-PE link
the customer's static routes or IGP are redistributed into BGP on the PE

MP-iBGP between the PEs would need a full mesh, but with route reflectors the PEs only peer with the reflectors, so no full mesh is needed. The VRF routes are exported into MP-iBGP as VPNv4.

No VPN routes in the core

private AS number for the network

MPLS Security

As secure as ATM/FR
address space separation, routing separation, resistance to attacks, resistance to label spoofing

if the CPE sends a labeled packet (spoofing) it is dropped : the PE is the only label insertion point.
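
The following Python is an added example, not code from the notes or from any vendor. It decodes the 32-bit label header described in the MPLS Introduction (label, EXP, S, TTL), walks a stack to the bottom-of-stack bit, applies an LFIB action including PHP, and models the ingress rule just stated: a labeled frame on an interface without MPLS enabled is dropped. The frame bytes, interface names and LFIB contents are constructed for illustration.

```python
"""Added example, not part of the original notes: decode the 32-bit MPLS shim
header, walk a label stack to the bottom-of-stack bit, apply an LFIB action
(swap / pop with penultimate hop popping), and enforce the ingress rule that
labeled frames are only accepted on MPLS-enabled interfaces. Frame bytes,
interface names and LFIB contents are constructed for illustration."""
import struct

ETHERTYPE_MPLS_UNICAST = 0x8847    # MPLS "PID" on Ethernet, unicast
ETHERTYPE_MPLS_MULTICAST = 0x8848
EXPLICIT_NULL = 0                  # reserved labels (RFC 3032)
IMPLICIT_NULL = 3                  # never on the wire: advertised to request PHP


def parse_label_stack(data: bytes):
    """Return [(label, exp, bottom_of_stack, ttl), ...] for the stack at the
    start of `data`. Each entry is 32 bits: label 20 | EXP 3 | S 1 | TTL 8."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated label stack (no bottom-of-stack bit seen)")
        (word,) = struct.unpack("!I", data[offset:offset + 4])
        label, exp = word >> 12, (word >> 9) & 0x7
        s, ttl = (word >> 8) & 0x1, word & 0xFF
        entries.append((label, exp, s, ttl))
        offset += 4
        if s:
            return entries


def build_labeled_frame(stack, payload=b"\x45" + b"\x00" * 19):
    """Constructed Ethernet frame: dst/src MAC, MPLS ethertype, label stack,
    dummy IPv4 header. `stack` is [(label, exp, ttl), ...]; the last entry gets S=1."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    eth += struct.pack("!H", ETHERTYPE_MPLS_UNICAST)
    words = b"".join(
        struct.pack("!I", (label << 12) | (exp << 9) | ((i == len(stack) - 1) << 8) | ttl)
        for i, (label, exp, ttl) in enumerate(stack))
    return eth + words + payload


def ingress_decision(frame: bytes, iface: str, mpls_interfaces):
    """LSR ingress check. A labeled frame arriving on an interface without
    `mpls ip` (every CE-facing interface) is dropped: the PE is the only label
    insertion point, which is what defeats label spoofing from a customer."""
    if len(frame) < 14:
        return "drop"
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype not in (ETHERTYPE_MPLS_UNICAST, ETHERTYPE_MPLS_MULTICAST):
        return "ip-lookup"          # unlabeled: normal FIB lookup
    if iface not in mpls_interfaces:
        return "drop"               # labeled frame on a non-MPLS interface
    return "lfib-lookup"


def lfib_forward(stack, lfib):
    """Apply the LFIB action for the top label; return the outgoing stack, or
    None when the packet is dropped. `lfib` maps in-label -> out-label, where
    out-label == IMPLICIT_NULL means the downstream PE requested PHP."""
    label, exp, s, ttl = stack[0]
    out = lfib.get(label)
    if out is None or ttl <= 1:
        return None                 # unknown label or TTL expired: drop
    if out == IMPLICIT_NULL:        # PHP: pop, propagate the decremented TTL inward
        rest = stack[1:]
        if rest:
            inner_label, inner_exp, inner_s, _ = rest[0]
            rest[0] = (inner_label, inner_exp, inner_s, ttl - 1)
        return rest
    # swap (explicit null is just a swap to label 0, EXP preserved for QoS)
    return [(out, exp, s, ttl - 1)] + stack[1:]


if __name__ == "__main__":
    # transport label 1024 on top of VPN label 3001, as a PE would impose
    frame = build_labeled_frame([(1024, 5, 64), (3001, 0, 255)])
    print(ingress_decision(frame, "Gi0/0", {"Gi0/0"}))   # core interface: lfib-lookup
    print(ingress_decision(frame, "Gi0/1", {"Gi0/0"}))   # CE-facing interface: drop
    stack = parse_label_stack(frame[14:])
    print(lfib_forward(stack, {1024: IMPLICIT_NULL}))    # PHP leaves only the VPN label
```

Worth noticing in the PHP branch: the VPN label is left untouched apart from the TTL, which is why the egress PE can do its single lookup on it without ever seeing the transport label.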

inherits the IP protocol's problems

the PE is the exposed element (it peers directly with the customer)

– possible to protect the VPN from its own users : protect the CPE, use AAA and ACLs on the CPEs.
– protect the routing protocol between CPE and PE = static routes when possible, route maps (prefix filtering), MD5 authentication for BGP, MP-BGP, LDP and the other routing protocols
BGP security with BGP dampening, filtering, maximum-prefix
– protect PE resources : limit the number of routes per VRF, no telnet access to the PE from the VPN sites, privilege levels, ACLs, enable passwords, class-based policing for rate limiting to control traffic aimed at the PE (especially UDP)
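
An added example, not from the original notes, putting the PE-side protections listed above into one IOS configuration: a route limit per VRF, ACL and prefix filtering on the CE-facing interface, MD5 on the CE-PE BGP session and on the LDP sessions, maximum-prefix and dampening, SSH-only management, and control-plane policing of UDP. The VRF name, AS numbers, addresses, interface names, key strings and the numeric limits are assumptions chosen for illustration.

```cisco
! Added example, not from the original notes: PE-side hardening for one
! CE-PE eBGP peering, the LDP core sessions and the PE control plane.
! VRF name, AS numbers, addresses, interface names, key strings and the
! limits are assumptions chosen for illustration.
!
! per-VRF route limit (hard limit 1000, warning at 80 %)
ip vrf CUST_A
 rd 65000:1
 route-target both 65000:1
 maximum routes 1000 80
!
! CE-facing interface: no "mpls ip" here, so labeled packets from the CE are dropped
interface GigabitEthernet0/1
 description towards CUST_A CE
 ip vrf forwarding CUST_A
 ip address 192.0.2.1 255.255.255.252
 ip access-group CE-IN in
!
! the CE may talk BGP to the PE address and nothing else; transit traffic passes
ip access-list extended CE-IN
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
 deny   ip any host 192.0.2.1
 permit ip any any
!
! only the customer's own prefixes are accepted from the CE
ip prefix-list CUST_A-PREFIXES seq 5 permit 10.10.0.0/16 le 24
route-map CUST_A-IN permit 10
 match ip address prefix-list CUST_A-PREFIXES
!
! CE-PE eBGP: TCP MD5, dampening, maximum-prefix (tear down above 500, retry after 5 min)
router bgp 65000
 address-family ipv4 vrf CUST_A
  bgp dampening
  neighbor 192.0.2.2 remote-as 65001
  neighbor 192.0.2.2 password CUST-A-bgp-key
  neighbor 192.0.2.2 maximum-prefix 500 80 restart 5
  neighbor 192.0.2.2 route-map CUST_A-IN in
  neighbor 192.0.2.2 activate
!
! core side: MD5 on every LDP session, unauthenticated peers refused
mpls ldp password required
mpls ldp neighbor 10.0.0.2 password ldp-core-key
!
! management plane: SSH only, and only from the management network
ip access-list standard MGMT
 permit 10.255.0.0 0.0.0.255
line vty 0 4
 transport input ssh
 access-class MGMT in
!
! control-plane policing: rate-limit UDP aimed at the PE, but keep LDP hellos
! (UDP 646) out of the policed class or the core sessions will flap under load
ip access-list extended CPP-UDP
 deny   udp any any eq 646
 permit udp any any
class-map match-all CPP-UDP
 match access-group name CPP-UDP
policy-map CPP
 class CPP-UDP
  police 64000 8000 conform-action transmit exceed-action drop
control-plane
 service-policy input CPP
```

The CoPP exemption is the caveat most often missed: a UDP policer written as "any any" on a P or PE will drop LDP hello packets under a flood, and the label bindings go with the session.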

Secure internet connectivity :
-separate links for internet and VPN traffic
-separate PEs for internet and VPN service
-separate the Internet service from the MPLS VPN cloud
-use a distributed or centralized virtual firewall per VPN (VRF-aware FW)
-use encryption where required (CE-CE IPsec tunnels over the MPLS VPN network)
-VRF-aware IPsec : one IPsec tunnel per VRF/VPN
-CE-CE dynamic IPsec VPNs (in EFT at the time) without tunnels

MPLS VPN : Multicast

e.g. : financial applications use multicast

-run multicast within an MPLS VPN
-native multicast deployment in the core
-simplified CE provisioning
-efficient : multicast trees are built dynamically in the core as needed

multicast VRF (MVRF) -> multicast routing protocol (PIM) per VRF
provider multicast forwarding in the core and at the edge (firewall…)

multi-VRF CE (VRF-lite) customers ->
map each VRF to a different VLAN, for example
CE – PE connected through multiple subinterfaces (one per VRF)
multi-VRF is not necessary at the remote site.

Any Transport over MPLS (AToM)
-ATM
-FR
-Metro Ethernet
-> mpls l2transport route X.X.X.X 1 (peer PE address + VC ID; newer IOS syntax : xconnect X.X.X.X 1 encapsulation mpls)
(pseudowire between the two PEs, L2 transport, point to point connectivity between the CEs)

VPLS

Virtual Private LAN Service
supports VLAN domains (virtual bridging and switching over the MPLS core)

MAC addresses are learned and mapped to the pseudowire (label) they were received on -> the table created is called VSI / VFI (Virtual Switch Instance / Virtual Forwarding Instance)

extend VLANs between campuses without worrying about STP…

intensive job for the core routers (flooding of broadcast, multicast and unknown unicast, L2 traffic…)

H-VPLS (Hierarchical VPLS)

plain VPLS needs a direct (targeted) LDP session and a pseudowire between every pair of participating PEs
full mesh of PEs for the same VSI; H-VPLS adds a hierarchy so that the edge devices only need a pseudowire to their hub PE

MPLS QoS

same QoS mechanisms (classification, marking, queuing, policing) with MPLS.
Cisco uses the EXP bits for MPLS QoS marking (3 bits -> 8 classes)
class-based QoS (MQC) often used

classification and marking may change when traffic enters the SP core (done on the CPE or on the PE, depending on whether the SP manages the CPE)

MPLS TE

– process of routing data traffic in order to balance the traffic load on the various links, routers and switches of the network
– key in most networks where multiple parallel or alternate paths are available

intelligent load sharing over a few paths, instead of only the IGP shortest path

Constrained Shortest Path First (CSPF)
-> path calculation : the links that do not meet the tunnel's constraints (bandwidth, affinities) are pruned, SPF is run on what is left, then RSVP-TE signals the resulting path
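
The Python below is an added example, not code from the notes or from any router vendor, showing what the "constrained" in CSPF does: links that cannot carry the requested bandwidth are pruned before Dijkstra runs, so the TE path can differ from the IGP shortest path. The topology, metrics and reservable bandwidths are constructed for illustration.

```python
"""Added example, not part of the original notes: Constrained Shortest Path
First as used by MPLS TE. Links carry an IGP metric and a reservable
bandwidth; CSPF prunes every link that cannot carry the requested bandwidth
and then runs Dijkstra on what is left. The topology is constructed."""
import heapq

# (a, b, metric, reservable bandwidth in Mbit/s); links are bidirectional
LINKS = [
    ("PE1", "P1", 10, 100),
    ("P1", "PE2", 10, 100),    # IGP shortest path PE1-P1-PE2 (cost 20), only 100 Mbit/s
    ("PE1", "P2", 10, 1000),
    ("P2", "P3", 10, 1000),
    ("P3", "PE2", 10, 1000),   # longer path (cost 30) with 1 Gbit/s reservable
]


def build_graph(links, required_bw):
    """Adjacency list without the links that cannot satisfy the bandwidth
    constraint: this pruning is the 'constrained' part of CSPF."""
    graph = {}
    for a, b, metric, bw in links:
        if bw < required_bw:
            continue
        graph.setdefault(a, []).append((b, metric))
        graph.setdefault(b, []).append((a, metric))
    return graph


def cspf(links, src, dst, required_bw=0):
    """Return (total_metric, path) for the cheapest path meeting the
    constraint, or None when no such path exists (tunnel cannot be set up).
    With required_bw=0 this is plain IGP SPF."""
    graph = build_graph(links, required_bw)
    dist, prev, visited = {src: 0}, {}, set()
    heap = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if node in visited:
            continue
        visited.add(node)
        if node == dst:
            path = [dst]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return d, path[::-1]        # this hop list becomes the RSVP-TE explicit route
        for nxt, metric in graph.get(node, []):
            nd = d + metric
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(heap, (nd, nxt))
    return None


if __name__ == "__main__":
    print(cspf(LINKS, "PE1", "PE2"))                    # IGP path: (20, ['PE1', 'P1', 'PE2'])
    print(cspf(LINKS, "PE1", "PE2", required_bw=500))   # TE path: (30, ['PE1', 'P2', 'P3', 'PE2'])
    print(cspf(LINKS, "PE1", "PE2", required_bw=5000))  # None: no path can carry the tunnel
```

The third call is the failure mode a practitioner should expect on a real head end: when no link set satisfies the constraint, the tunnel stays down rather than falling back to the IGP path, unless the tunnel has been configured with a less constrained path option.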

MPLS management

MPLS embedded management
MPLS OAM

MPLS troubleshooting tools :
-MPLS LSP ping (ping mpls)
-MPLS LSP traceroute (traceroute mpls)
-VRF-aware ping (ping vrf)
-VRF-aware traceroute (traceroute vrf)
-VRF-aware syslog
-virtual circuit connectivity verification (VCCV, for pseudowires)
-SNMP MIBs
-MPLS-aware NetFlow
-MPLS/VRF-aware IP SLA
-MPLS diagnostic tools