MPLS L3VPN Networks

The CCIE Candidate’s
Introduction to MPLS
L3VPN Networks
Keith Barker, Scott Morris

BRKCCIE-3345
Cisco Spark
Questions?
Use Cisco Spark to chat with the
speaker after the session
How
1. Find this session in the Cisco Live MobileApp
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
Cisco Spark spaces will be cs.co/ciscolivebot#BRKCCIE-3345

available until July 3, 2017.
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
• MPLS Forwarding Fundamentals
• Using VRFs to carve up a routing table
• Adding MPLS L3 VPNs to the mix
Tour Guide
• Keith Barker, CCIE #6783
• CCIE Route/Switch and Security
• VMware, HP, Juniper, F5, Palo Alto, Check Point
• Twitter: @KeithBarkerCCIE
• YouTube & Facebook: Keith Barker Networking
BRKCCIE-3345 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Tour Guide
• Scott Morris, CCIEx4 #4713, CCDE #2009::13, JNCIEx2
• CCIE Route & Switch, ISP/Dial, Security, Service Provider
• Cisco Certified Design Expert
• Juniper Networks JNCIE-SP #153 and JNCIE-ENT #102
• CISSP, CCNP-V, CCNP-DC and several other
random things!
• Twitting: @ScottMorrisCCIE
Journey
• MPLS Forwarding Fundamentals
• Using VRFs to carve up a routing table
• Adding MPLS L3 VPNs to the mix
End Goal: Routes and Transit for each customer.
MPLS Building
Blocks
Ingredients in the MPLS L3VPN Recipe
• IGPs
• MPLS
• VRFs
• iBGP
• MP-BGP
• Routers and Administrators that know how the game is played
MPLS Vocabulary
• P Provider router (not-customer facing)

• PE Provider-Edge router (customer facing)
• CE Customer-Edge router (customers router, connect to provider)
• MPLS Multi Protocol Label Switching (forwarding method, based on labels)
• LSR Label Switching Router (router that can forward based on labels)
• Label 20 bit label in a 32 bit header, added at layer 2.5
• LDP Label Distribution Protocol (like an IGP for label advertisements)
• LFIB Label Forwarding Information Base (like CEF for labels)
Lets apply the vocabulary to our topology
MPLS Labels
Labels
Labels
in MPLS
are OK!
MPLS Header
Label (20 bits) CoS S TTL
L2 Header MPLS Header IP Packet

32 bits
• MPLS (Layer 2.5) Header Fields:

• Label, 20 bits
• Experimental (CoS), 3 bits
• Stacking bit, 1 bit. This is the bottom-of-stack bit. 1=on=last label.
• Time to live, 8 bits
Where Does the Label Go?
• MPLS Header
• Inserted between L2 and L3
• L2 protocol identifier (PID) indicates an MPLS label is present
• Unlabeled IP unicast PID = 0x 0800
• Labeled IP unicast PID = 0x 8847
Stacks of MPLS Labels
Commonly asked questions regarding MPLS labels
• Where do the labels come from?

• As routes appear in the routing table, each router assigns a locally significant label for
each IP route.
• How are they advertised?

• Routers advertise their local label to neighbors, using Label Distribution Protocol
(LDP). It’s like an IGP for labels.
Generating local labels
• IPv4 Network 4.4.4.4 /32 (connected to R4) will be the example
Discover the local bindings for 4.4.4.4
Advertising our labels
• Each router advertises its local label (for net 4.4.4.4) to its LDP neighbors
Implicit Null Advertisement
R3 advertises its label of 302 to R2 and R4
R2 advertises its label of 202 to R1 and R3
How R2 chooses between label 100 (from R1) and
302 (from R3) for forwarding
• (in reference to network 4.4.4.4/32)
Why R2 chooses to use the label from R3
• (regarding network 4.4.4.4/32)
Control and Data Planes
• Control Plane (learned routes/labels) using routing protocols and LDP.
• Packets are forwarded on the Data Plane.
• IP and MPLS, based on CEF and LFIB (Label Forwarding Information Base) respectively.
Labeled packet, leaving R1
How LSRs Use Labels
• POP – remove a label
• PUSH – add a label
• SWAP – which is a pop/push combo
Label Imposition (Push) Label Swap Label Swap Label Disposition (PoP)
L1 L1 L2 L2 L3 L3
L2/L3 Packet
P P
CE PE PE CE
CE CE
PE P P PE
PHP
• PHP – Penultimate Hop Pop
• Next to last LSR, removes top label, so that
egress LSR (PE) doesn’t have to
Label Pushes, Pops and Swaps
Who do we turn to for lookups?
• IP Routing protocols populate the Routing Information Base (RIB) –control plane
• RIB populates CEF and its Forwarding Information Base (FIB) – data plane
• IP only packets: Use CEF
• Label Distribution Protocol (LDP) populates the Label Information Base (LIB) –
control plane
• LDP and RIB populate the Label Forwarding Information Base (LFIB) – data plane
• MPLS labeled packets: Use LFIB
• CEF also stores label information
LIB and LFIB
MPLS Basic Configuration
• (config)# ip cef
• (config)# mpls ip
• (config)# interface G 3/0
• (config-if)# mpls ip
• MTU is automatically adjusted

• Can change with mpls mtu command
• mpls mtu 1512
MPLS LDP Configuration
(config)# mpls ldp router-id loopback0
(config)# interface fastethernet 0/0
(config-if)# mpls label protocol ldp
• Can use TDP, LDP or both on interface
• By default all prefixes have labels advertised for them, and all neighbors have labels advertised
to them
• LDP is the default protocol
• Configure per interface
Conditional LDP Advertisements
(config)# no mpls ldp advertise-labels
(config)# mpls ldp advertise-labels
[for (ACL-of-networks)] [to (ACL-peers)]
(config-if)# mpls label range 200 120000
The Order of Things
• IP IGP routing protocols build the IP tables
• LSRs assign a local label for each route
• LSRs share their labels with other LSRs using LDP
• LSRs build their forwarding tables
Won’t You Be My Neighbor?
• Two step process

• Hello messages
• LDP link hello uses destination UDP port 646 and is sent to 224.0.0.2
• Hello may include the IP address desired for peering, different than the source IP in the
header.
• Indicates if the label space is system wide, or per interface.
• Setup LDP session with neighbor who says hello.
• Session is TCP based on destination port 646
• Router with highest LDP router ID will initiate this TCP session ( called the active LSR ).
Keepalives are sent every 60 seconds.
Why LDP Won’t Neighbor Up
• LDP router ID is highest IP on loopback, but we can force it.
• (config)# mpls ldp router-id loopback0
• IGP Routing may disagree with LDP processes – RID must be reachable over
connected interface, unless we use:
• (config-if)# mpls ldp discovery transport-address interface
Other LDP Features
• Security – Computes MD5 Signatures
• (config)# mpls ldp neighbor (ip#) password (pw)
• Label filters – inbound from neighbor

• (config)# mpls ldp neighbor (ip#) labels accept (#)
• (ip#) = IP address of LDP neighbor
• (#) = number of access-list of network prefixes
MPLS & IP Header TTL
Hide the MPLS core from the client
• Traceroute uses TTL manipulation to trigger feedback.
• Disabling the TTL propagation will not copy the initial IP TTL to the MPLS TTL,
and MPLS will start at 255.
• Results: MPLS LSRs become the invisible network to the eyes of traceroute.
No mpls ip propagate-ttl (on All LSRs)
Monitoring MPLS
• show mpls ldp parameters
• show mpls interface
• show mpls ldp discovery
• show mpls ldp neighbor [detail]
• show mpls ldp bindings (the LIB)
• show mpls forwarding table (the LFIB)
• show ip route a.b.c.d (the RIB)
• show ip cef a.b.c.d [detail] (the FIB)
• show cef interface
• debug mpls ldp
• debug mpls lfib
• debug mpls packets
Troubleshooting MPLS
• LDP neighborship failed
• MPLS not enabled, LDP ports filtered, no L3 route to LDP neighbor LSR router-id, highest
loopback address.
• Labels not assigned

• CEF not enabled
• Labels not shared

• Compatible LDP between neighbors
• Slow convergence
• Get rid of RIP  IGP is biggest factor in convergence delay
• Large packets dropped

• MTU not supported by switches. Multiple labels may be present pushing the MTU to a size not supported by the
infrastructure.
Useful MPLS Troubleshooting Commands
• Verify routing protocol is running properly
• Show ip route 10.10.10.0
• Verify CEF Switching
• Show ip cef 10.10.10.0 detail
• Verify MPLS Operations
• Show mpls interface
• Verify Label Distribution
• Show mpls ldp discovery
• Verify Label Binding
• Show mpls ip binding
• Ping/Traceroute
Interactive
Stretch
Stretch- 1, 2, 3 Go!
VRF: The Virtual Routing Table
• Cisco routers can have multiple VRFs
• VRF: Virtual Routing and Forwarding instance
• Some details about VRFs:
• Each VRF has its own RIB and CEF table
• Interfaces are allocated to a specific VRF
• Interfaces not assigned to a VRF are part of the global routing table on the router.
• VRFs contains identity information such as Route Targets (RT), and Route
Distinguishers (RD)
• More on RT and RD coming up.
MPLS L3VPN Game Plan
• A customer router (CE) at site A peers with a provider router (PE).
• Customer shares their routes with provider, and provider puts learned
routes in a local VRF on the provider router.
• Provider takes the routes from the VRF, and exports them from the VRF into
Multiprotocol BGP (MP-BGP). The routes are now called VPNv4 routes.
• BGP is used to share these VPNv4 routes with other MP-BGP routers in the
provider network with iBGP connections.
• A provider router (PE) peering with a customer router (CE) at site B, takes the
VPNv4 routes from MBGP and imports them into the local VRF for that
same customer, and shares the routes from PE to CE at site B.
Creating VRFs
Creating a VRF and Allocating an Interface
ip vrf cust1
rd 10:10
route-target export 1.1.1.1:1
route-target import 4.4.4.4:1
!
interface GigabitEthernet1/0
ip vrf forwarding cust1
ip address 172.16.0.1 255.255.255.252
Green VRF and Purple VRF, Allocated to Interfaces
What if Cust1 and Cust2 Both Use the Same
Private Network Address space of 10.0.0.0/8 ?
Uniquely Identifying Similar Routes
• What if customer 1 and customer 2 both have a 10.0.0.0/8 network, how do we
differentiate these VPNv4 routes inside of MP-BGP?
Wait for it....
• Route Distinguisher (RD) is added to each route to make it globally unique inside of
MP-BGP
• The route, along with the RD, is the VPNv4 route
• VPNv4 routes are exchanged via iBGP between PE routers
• BGP that supports other address families besides just IPv4 is called multi-protocol
BGP
How the RD is Defined
ip vrf cust1
rd 10:10
route-target export 1.1.1.1:1
route-target import 4.4.4.4:1
interface GigabitEthernet1/0
ip vrf forwarding cust1
ip address 172.16.0.1 255.255.255.252
Route Distinguisher
Viewing Routes in MP-BGP by RD
How do we Deliver the Correct Routes and Traffic for
each customer between their sites?
Import/Export Route Targets
• Export Route Targets identifying VPN membership are added as extended
community values with the customer route when the route is converted into a
VPNv4 route (exported out of the VRF into MP-BGP)
• Each virtual routing table has a set of associated import Route Targets that
select routes to be inserted into the virtual routing table (imported into the VRF
from MP-BGP)
• VRF to BGP (export) – inject the export route target value(s)

• BGP to VRF (import) – only get the routes whose import route target(s) match
the import route targets associated with that VRF
Route Target (Cont.)
• Route Targets are additional attributes attached to VPNv4 BGP routes to
indicate VPN membership
• Extended BGP communities are used to encode these attributes
• Extended communities carry the meaning of the attribute together with its value
• Multiple route targets can be attached to a single route
Secret to Remembering Import/Export
• Export policy means that routes will go from VRF into MP-BGP
• Import policy means that routes will come from the MP-BGP into VRF
• You can have multiple import/export route targets in a VRF
• Import or export policies can be filtered when desired
How the RT is Defined (as part of a VRF)
• R1-PE • R4-PE
ip vrf cust1 ip vrf cust1
rd 10:10 rd 10:10
route-target export 1.1.1.1:1 route-target export 4.4.4.4:1

route-target import 4.4.4.4:1 route-target import 1.1.1.1:1
interface GigabitEthernet1/0 interface GigabitEthernet1/0

ip vrf forwarding cust1 ip vrf forwarding cust1
ip address 172.16.0.1 255.255.255.252 ip address 172.16.1.1 255.255.255.252
Route Targets
• Used as extended community information inside MP-BGP for
import/export to/from VRFs
Viewing the Route Target in MP-BGP
Let’s Follow the Control Plane for 172.16.129.0/24
172.16.129.0/24
R4 VPN label for 172.16.129.0/24
MP-BGP update sent from R4
R1 learned VPN label for 172.16.129.0 /24
advertised via iBGP from R4
R1 learned transit label for next (iBGP) hop of
4.4.4.4 from R2 (label 202)
Regarding 172.16.129.0/24, R1 knows bottom VPN label (label 408) and
top label for the BGP next hop of 4.4.4.4 (label 202)
172.16.129.0/24
Question: Which label should R1 impose?
VPN Label Assignments
• R1 imposes two labels
• Top label 202 is transit label (to reach next hop of 4.4.4.4)
• Bottom label 408 is the VPN label (advertised by R4 to reach 172.16.129.0 /24)
Putting it all
together
Traffic in transit, including MPLS L3VPN activity
Ping to Server
172.16.129.2 Add Top Label 202 172.16.129.2
Remove
Add Bottom label 408 VPN Label
Swap Top Label PHP- Remove

Use 302 Top Label
L3VPN related show commands
• show ip route cef vrf ( vrf name )

• show ip route vrf (vrf name) x.x.x.x
• show vrf (vrf name) {detail}
• show ip bgp vpnv4 all {summary}
• show ip bgp vpnv4 vrf {name}
• show bgp vpnv4 unicast vrf {name}
• show bgp vrf {name} ipv4 unicast summary
Complete Your Online
Session Evaluation
• Give us your feedback to be
entered into a Daily Survey
Drawing. A daily winner will
receive a $750 gift card.
• Complete your session surveys
through the Cisco Live mobile
app or on www.CiscoLive.com/us.
Don’t forget: Cisco Live sessions will be

available for viewing on demand after the
event at www.CiscoLive.com/Online.
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
• BRKCRT-2601: VRF, MPLS and MPBGP Fundamentals
R&S Related Cisco Education Offerings
Course Description Cisco Certification
CCIE R&S Advanced Workshops (CIERS-1 & Expert level trainings including: instructor led workshops, self CCIE® Routing & Switching
CIERS-2) plus assessments, practice labs and CCIE Lab Builder to prepare candidates
Self Assessments, Workbooks & Labs for the CCIE R&S practical exam.
• Implementing Cisco IP Routing v2.0 Professional level instructor led trainings to prepare candidates for the CCNP® Routing & Switching
• Implementing Cisco IP Switched CCNP R&S exams (ROUTE, SWITCH and TSHOOT). Also available in
Networks V2.0 self study eLearning formats with Cisco Learning Labs.
• Troubleshooting and Maintaining
Cisco IP Networks v2.0
Interconnecting Cisco Networking Devices: Configure, implement and troubleshoot local and wide-area IPv4 and IPv6 CCNA® Routing & Switching
Part 2 (or combined) networks. Also available in self study eLearning format with Cisco Learning
Lab.
Interconnecting Cisco Networking Devices: Installation, configuration, and basic support of a branch network.Also CCENT® Routing & Switching
Part 1 available in self study eLearning format with Cisco Learning Lab.
For more details, please visit: http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth or contact ask-edu-pm-dcv@cisco.com
Service Provider Cisco Education Offerings
Course Description Cisco Certification
Deploying Cisco Service Provider Network Routing SPROUTE covers the implementation of routing protocols (OSPF, IS-IS, BGP), CCNP Service Provider®
(SPROUTE) & Advanced (SPADVROUTE) route manipulations, and HA routing features; SPADVROUTE covers advanced
routing topics in BGP, multicast services including PIM-SM, and IPv6;
Implementing Cisco Service Provider Next-Generation
Core Network Services (SPCORE) SPCORE covers network services, including MPLS-LDP, MPLS traffic engineering,
QoS mechanisms, and transport technologies;
Edge Network Services (SPEDGE) SPEDGE covers network services, including MPLS Layer 3 VPNs, Layer 2 VPNs,
and Carrier Ethernet services; all within SP IP NGN environments.
Building Cisco Service Provider Next-Generation The two courses introduce networking technologies and solutions, including OSI CCNA Service Provider®
Networks, Part 1&2 (SPNGN1), (SPNGN2) and TCP/IP models, IPv4/v6, switching, routing, transport types, security, network
management, and Cisco OS (IOS and IOS XR).
Implementing Cisco Service Provider Mobility UMTS The three courses (SPUMTS, SPCDMA, SPLTE) cover knowledge and skills Cisco Service Provider Mobility
Networks (SPUMTS); required to understand products, technologies, and architectures that are found in CDMA to LTE Specialist;
Implementing Cisco Service Provider Mobility CDMA Universal Mobile Telecommunications Systems (UMTS) and Code Division Multiple Cisco Service Provider Mobility UMTS
Networks (SPCDMA); Access (CDMA) packet core networks, plus their migration to Long-Term Evolution to LTE Specialist
Implementing Cisco Service Provider Mobility LTE (LTE) Evolved Packet Systems (EPS), including Evolved Packet Core (EPC) and
Networks (SPLTE) Radio Access Networks (RANs).
Implementing and Maintaining Cisco Technologies Service Provider/Enterprise engineers to implement, verification-test, and optimize Cisco IOS XR Specialist
Using IOS XR (IMTXR) core/edge technologies in a Cisco IOS XR environment.
For more details, please visit: http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth or contact ask-edu-pm-dcv@cisco.com
Thank you

MPLS L3VPN Networks

Uploaded by

Copyright:

Available Formats

MPLS L3VPN Networks

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

MPLS L3VPN Networks

Uploaded by

Copyright:

Available Formats

The CCIE Candidate’s

Keith Barker, Scott Morris

Cisco Spark spaces will be cs.co/ciscolivebot#BRKCCIE-3345

• P Provider router (not-customer facing)

L2 Header MPLS Header IP Packet

• MPLS (Layer 2.5) Header Fields:

• Where do the labels come from?

• How are they advertised?

• CEF also stores label information

• MTU is automatically adjusted

• Can use TDP, LDP or both on interface

(config-if)# mpls label range 200 120000

• Two step process

• Label filters – inbound from neighbor

• Labels not assigned

• Labels not shared

• Large packets dropped

Wait for it....

• VRF to BGP (export) – inject the export route target value(s)

route-target export 1.1.1.1:1 route-target export 4.4.4.4:1

interface GigabitEthernet1/0 interface GigabitEthernet1/0

Swap Top Label PHP- Remove

• show ip route cef vrf ( vrf name )

Don’t forget: Cisco Live sessions will be

For more details, please visit: http://learningnetwork.cisco.com

For more details, please visit: http://learningnetwork.cisco.com

You might also like