CCIE R&S Written Overview: MPLS

MPLS Layer 3 VPNs

MPLS Overview

• Multiprotocol Label Switching

• Open standard per RFC 3031

“Multiprotocol Label Switching Architecture”

• Previously Cisco proprietary Tag Switching

MPLS Overview – Multiprotocol

• Can transport different payloads

• Layer 2

– Ethernet, HDLC, PPP, Frame Relay, & ATM

• Layer 3

– IPv4 & IPv6

MPLS Overview – Label Switching

• Traffic is switched between interfaces based on locally significant label values

• Similar to how a Frame Relay or ATM switch uses input/output DLCIs and VPI/VCIs

MPLS Label Format

• 4 byte header used to switch packets

• RFC 3032 – “MPLS Label Stack Encoding”

– 20 bit Label = Locally significant to router

– 3 bit EXP = Class of Service

– S bit = Bottom of Stack

• If 1, label is last in the stack

– 8 bit TTL = Time to Live

How Labels Work

• MPLS Labels are bound to FECs

Forwarding Equivalency Class

– Mainly IPv4 prefix for our purposes

– Could also be IPv6 prefix or layer 2 circuit

• Router uses MPLS LFIB to switch traffic

– Essentially CEF table + Label

• Switching logic

– If traffic comes in if1 with label X send it out if2 with label Y

MPLS Device Roles

• PE / LER Provider Edge Router / Label Edge Routers

• Connects to Customer Edge (CE) devices

• Receives unlabeled packets and adds label

– AKA “label push” or “label imposition”

• In L3VPN performs both IP routing & MPLS lookups

• P / LSR devices Provider Router / Label Switch Routers

• Connects to PEs and/or other P routers

• Switches traffic based only on MPLS label

Label Push / Pop / Swap

• PE and P routers perform three major operations

Label push

– Add a label to an incoming packet

– AKA label imposition

• Label swap

– Replace a label on an incoming packet

• Label pop

– Remove a label from an outgoing packet

– AKA label disposition

Label Distribution

• Adjacent P/PEs must agree on label per FEC

• Label binding can be dynamic through…

Tag Distribution Protocol (TDP)

• Cisco proprietary and legacy

Label Distribution Protocol (LDP)

Resource Reservation Protocol (RSVP)

• Used for MPLS Traffic Engineering (MPLS TE)

Multiprotocol BGP (MP-BGP)

Label Distribution Protocol (LDP)

• Standard per RFC 3036 “LDP Specification”

• Neighbor discovery

– UDP port 646 to

• Neighbor adjacency

– TCP port 646 to remote LDP Router-ID

• Label advertisement

– Advertise FEC for connected IGP interfaces

– Advertise FEC for IGP learned routes

Penultimate Hop Popping (PHP)

• Penultimate means next to last

• Normally last hop must…

– Lookup MPLS Label

– Pop MPLS Label

– Lookup IPv4 destination

• PHP avoids extra lookup on last hop

• Accomplished through Implicit NULL label advertisement for connected prefixes

MPLS Layer 3 VPNs

• RFC 4364 – BGP/MPLS IP Virtual Private Networks (VPNs)


• Combines logic of MPLS Tunnels with separation of layer 3 routing information

– PEs learns customer routes from CEs

– PEs advertises CEs routes to other PEs via BGP

– BGP next-hops point to MPLS tunnels

• E.g. Loopbacks of PE routers

How MPLS L3VPNs Work

• MPLS L3VPNs have two basic components

• Separation of customer routing information

– Virtual Routing and Forwarding (VRF) Instance

– Customers have different “virtual” routing tables

• Exchange of customer routing information

– MP-BGP over the MPLS network

– Traffic is label switched towards BGP next-hops

Virtual Routing and Forwarding

• Each VRF has its own routing table

show ip route vrf [name | * ]

• Interfaces not in a VRF are in the global table

show ip route

• VRF and global routes are separate

– Implies addressing can overlap in different VRFs

– Implies VRFs can’t talk to each other because they have no routes to each other

• VRFs without MPLS is considered “VRF Lite”

VRF Aware Routing

• Routing inside a VRF can be through…

– VRF aware static routes

– VRF aware IGPs



– Policy Routing

VRF Lite vs. MPLS VPNs

• In VRF Lite all devices in transit must carry all routes

– Same as normal IP routing logic

• In MPLS VPNs only PE routers need customer routes

• Accomplished through…

VPNv4 Route

• RD + Prefix makes VPN routes globally unique


• PE routers exchange label for each customer route via VPNv4

Transport Label

• Label towards PE’s BGP next-hop

Multiprotocol BGP

• RFC 4364 “BGP/MPLS IP Virtual Private Networks (VPNs)”

– MP-BGP defines AFI 1 & SAFI 128 as VPN-IPv4 or “VPNv4”

• 8 byte Route Distinguisher (RD)

– Unique per VPN or per VPN site

– ASN:nn or IP-address:nn

• 4 byte IPv4 address

– Unique per VPN

– Implies globally unique routes

Controlling VPNv4 Routes

• Route distinguisher used solely to make route unique

• New BGP extended community “route-target” used to control what enters/exits VRF table

• “export” route-target

– What routes will be go from VRF into BGP

• “import” route-target

– What routes will go from BGP into VRF

• Allows granular control over what sites have what routes

– “import map” and “export map” allow control on a per prefix basis

VPNv4 Route Target

• 8 byte field per RFC 4360 “BGP Extended Communities Attribute“

• Format similar to route distinguisher

– ASN:nn or IP-address:nn

• VPNv4 speakers only accept VPNv4 routes with a route-target matching a local VRF

– Route reflection exception

– no bgp default route-target filter

• VPNv4 routes can have more than one route target

• Allows for complex VPN topologies

– Full mesh

• Import and export same everywhere

– Hub and Spoke

• Spokes import only hub’s routes

– Central services

• Multiple VPNs can import routes from a central site or from a central server

– Management VPNs

• Management Loopback on CE routers can be exported into special management VPN


Some screencaps from the MPLS Layer 3 VPN Overview videos:

IMG_0441 IMG_0443 IMG_0445 IMG_0446 IMG_0448 IMG_0449 IMG_0451 IMG_0463