In this post I will try to clarify how to get a basic MPLS setup running. We will configure 6 routers in a lab setup and we will get some IP traffic through MPLS. The goal is not to explain all the details of MPLS; the goal is to get a setup running so you can see how to get it going.
What is MPLS?
MPLS stands for Multi Protocol Label Switching. This technology lets traffic follow a path through the network that meets criteria you define. Defining these criteria is called Traffic Engineering. "Multi protocol" means it can run over different protocols (Ethernet, SONET, …) and it can also carry different protocols: IP, IPv6, Ethernet, …
What it actually does is add an MPLS header to the traffic. This header is used so the routers know where the packet came from and where it has to go. Additionally it also contains CoS, TTL and Bottom of stack information (used in the MPLS protocol).
Why MPLS
Advantages of MPLS:
- Reduce routing lookups
- BGP free core
- Better link usage (not only by IGP)
- Multiple services configurable
  - L3, L2, pseudowire, …
Reduce routing lookups: The routes only need to be looked up on the edge of the network. The edge router will route the traffic to the right label switched path.
BGP free core: Because the routes only need to be looked up on the edge, it is not necessary to run BGP in the core.
Better link usage: The traffic can follow paths that do not follow the path of the IGP. You can dedicate the traffic to follow a certain path or to pass a certain router.
Multiple services configurable: MPLS supports the transport of IP traffic; Layer 2 and IPv6 are also possible. With pseudowire tunnels you can transport anything transparently.
You can also say: because my employer / customer / … is using it 😉
Some abbreviations
There is some MPLS / Service Provider lingo used in this article, as in any book about MPLS. Here are some of the important terms:
MPLS: Multi Protocol Label Switching
LSP: Label Switched Path
CE Router: Customer Edge Router
PE Router: Provider Edge Router
P Router: Provider (core) Router
TE: Traffic Engineering
IGP: Interior Gateway Protocol
AS: Autonomous system
Our lab
The lab consists of virtual SRX devices. I’m using an older version of the virtual SRX (vSRX) for this (firefly-perimeter 12.1X46-D25.7). I’m using the older version because it doesn’t have limitations and uses a small memory footprint. It should also work perfectly fine with newer versions.
- 2 customers are connected to our network (I will use one device for this and configure routing instances)
  - CE AS65001 and CE AS65002
- 2 PE routers
  - PE-11 and PE-14
- 2 P routers
  - P-12 and P-13
Since I am running the setup on SRX devices, we need to put them in “Packet mode”. This is not required for MX devices.
You do this by removing the security configuration and adding the following:
    security {
        forwarding-options {
            family {
                mpls {
                    mode packet-based;
                }
            }
        }
    }
After committing this, the device will require a reboot.
More information here: https://kb.juniper.net/InfoCenter/index?page=content&id=KB30461
Basic setup
A basic MPLS setup consists of the following elements:
- Loopbacks configured on all your internal routers
- IGP configured with traffic engineering
- MPLS enabled and family mpls on your internal interfaces
- Signaling protocol (LDP or RSVP) enabled on your internal routers
- LSP configured on the PE routers that need to pass traffic (this probably needs to be a full mesh with all PE routers on your network)
Let’s check out the example.
CE routers
The CEs just act as test devices. They will announce their loopback addresses to AS65000. Then we can use those addresses for testing.
The CE router does not have to know MPLS is being used inside the network it is connecting to. The CE router is just doing a BGP peering.
The ge-0/0/0 is a management interface, ge-0/0/1 connects to PE-11 and ge-0/0/2 connects to PE-14.
lo0.1 is for CE65001 and lo0.2 is for CE65002.
    system {
        host-name LAB-CE;
        root-authentication {
            encrypted-password ""; ## SECRET-DATA
        }
        services {
            ssh;
        }
    }
    interfaces {
        ge-0/0/0 {
            description "management interface";
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        ge-0/0/1 {
            description "Link to PE-11";
            unit 0 {
                family inet {
                    address 10.0.201.1/30;
                }
            }
        }
        ge-0/0/2 {
            description "Link to PE-14";
            unit 0 {
                family inet {
                    address 10.0.205.2/30;
                }
            }
        }
        lo0 {
            unit 1 {
                family inet {
                    address 10.200.1.1/32;
                }
            }
            unit 2 {
                family inet {
                    address 10.200.2.1/32;
                }
            }
        }
    }
    policy-options {
        policy-statement bgp-as-65001 {
            term 1 {
                from {
                    route-filter 10.200.1.1/32 exact;
                }
                then accept;
            }
            term 2 {
                then reject;
            }
        }
        policy-statement bgp-as-65002 {
            term 1 {
                from {
                    route-filter 10.200.2.1/32 exact;
                }
                then accept;
            }
            term 2 {
                then reject;
            }
        }
    }
    security {
        forwarding-options {
            family {
                mpls {
                    mode packet-based;
                }
            }
        }
    }
    routing-instances {
        /* instance name matches the one used in the ping test */
        CE65001 {
            instance-type virtual-router;
            interface ge-0/0/1.0;
            interface lo0.1;
            routing-options {
                router-id 10.200.1.1;
                autonomous-system 65001;
            }
            protocols {
                bgp {
                    export bgp-as-65001;
                    group 65000 {
                        type external;
                        neighbor 10.0.201.2 {
                            peer-as 65000;
                        }
                    }
                }
            }
        }
        CE65002 {
            instance-type virtual-router;
            interface ge-0/0/2.0;
            interface lo0.2;
            routing-options {
                router-id 10.200.2.1;
                autonomous-system 65002;
            }
            protocols {
                bgp {
                    export bgp-as-65002;
                    group 65000 {
                        type external;
                        family inet {
                            unicast;
                        }
                        neighbor 10.0.205.1 {
                            peer-as 65000;
                        }
                    }
                }
            }
        }
    }
PE routers
The PE router will have the most configuration.
For MPLS, we need protocols mpls and RSVP configured, and traffic engineering enabled in OSPF.
RSVP is the protocol that will take care of the traffic engineering and the labels. It will get its information from OSPF. OSPF has the traffic engineering database that RSVP relies on for information. This is however not enabled by default and needs to be enabled (in IS-IS this is enabled by default).
It’s also important that the interfaces facing other MPLS routers have the family mpls configured. Otherwise they won’t forward or receive any mpls traffic.
Under MPLS we also need to configure the label switched path. An LSP is unidirectional, so this needs to be a full mesh between all the routers you want to communicate with.
In our example we have just 2 PE routers. In the real world this would be at least all your PE routers.
    system {
        host-name PE-11;
        root-authentication {
            encrypted-password ""; ## SECRET-DATA
        }
        services {
            ssh;
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 10.0.201.2/30;
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family inet {
                    address 10.0.202.1/30;
                }
                family mpls;
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 10.10.10.11/32;
                }
            }
        }
    }
    routing-options {
        router-id 10.10.10.11;
        autonomous-system 65000;
    }
    protocols {
        rsvp {
            interface ge-0/0/2.0;
        }
        mpls {
            label-switched-path PE-11-to-PE-14 {
                to 10.10.10.14;
            }
            interface ge-0/0/2.0;
        }
        bgp {
            group 65001 {
                type external;
                family inet {
                    unicast;
                }
                neighbor 10.0.201.1 {
                    peer-as 65001;
                }
            }
            group internal {
                type internal;
                local-address 10.10.10.11;
                export [ nhs uplink ];
                neighbor 10.10.10.14;
            }
        }
        ospf {
            traffic-engineering;
            area 0.0.0.0 {
                interface ge-0/0/2.0 {
                    interface-type p2p;
                }
                interface lo0.0 {
                    passive;
                }
            }
        }
    }
    policy-options {
        policy-statement nhs {
            then {
                next-hop self;
            }
        }
        policy-statement uplink {
            term 1 {
                from {
                    route-filter 10.0.201.0/30 exact;
                }
                then accept;
            }
        }
    }
    security {
        forwarding-options {
            family {
                mpls {
                    mode packet-based;
                }
            }
        }
    }
P Routers
If you compare the configuration of the P router with that of the PE router, you can see the P router has a lot less configured. It just has the basic MPLS/OSPF/RSVP and no BGP configured.
    system {
        host-name P-13;
        root-authentication {
            encrypted-password ""; ## SECRET-DATA
        }
        services {
            ssh;
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 10.0.203.2/30;
                }
                family mpls;
            }
        }
        ge-0/0/2 {
            unit 0 {
                family inet {
                    address 10.0.204.1/30;
                }
                family mpls;
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    /* loopback is a /32 host address */
                    address 10.10.10.13/32;
                }
            }
        }
    }
    routing-options {
        router-id 10.10.10.13;
        autonomous-system 65000;
    }
    protocols {
        rsvp {
            interface ge-0/0/1.0;
            interface ge-0/0/2.0;
        }
        mpls {
            interface ge-0/0/1.0;
            interface ge-0/0/2.0;
        }
        ospf {
            traffic-engineering;
            area 0.0.0.0 {
                interface lo0.0 {
                    passive;
                }
                interface ge-0/0/1.0 {
                    interface-type p2p;
                }
                interface ge-0/0/2.0 {
                    interface-type p2p;
                }
            }
        }
    }
    security {
        forwarding-options {
            family {
                mpls {
                    mode packet-based;
                }
            }
        }
    }
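The "Basic setup" checklist can be checked mechanically against a router's configuration before it is committed. The Python sketch below is an added example, not part of the original post or of any Juniper tool; `junos_paths`, `mpls_gaps` and `SAMPLE` are hypothetical names, and it assumes OSPF as the IGP, RSVP as the signaling protocol and interfaces listed explicitly under each protocol, as in this lab.

```python
import re

def junos_paths(text):
    """Flatten curly-brace Junos config into 'display set'-style path strings."""
    text = re.sub(r"##[^\n]*", "", text)  # drop annotations such as ## SECRET-DATA
    paths, stack, words = [], [], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok == "{":
            stack.append(" ".join(words)); words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            paths.append(" ".join(stack + [" ".join(words)])); words = []
        else:
            words.append(tok)
    return paths

def mpls_gaps(text, role="P"):
    """Compare one router's config with the basic-setup checklist; return findings."""
    paths = set(junos_paths(text))
    def listed(proto):  # interfaces named directly under 'protocols <proto>'
        return {m[1] for p in paths if (m := re.match(rf"protocols {proto} interface (\S+)", p))}
    gaps = []
    if not any(re.fullmatch(r"interfaces lo0 unit \d+ family inet address \S+/32", p)
               for p in paths):
        gaps.append("no /32 loopback address on lo0")
    if "protocols ospf traffic-engineering" not in paths:  # assumes OSPF is the IGP
        gaps.append("OSPF traffic-engineering is not enabled")
    mpls, rsvp = listed("mpls"), listed("rsvp")  # assumes RSVP signaling, as in the lab
    for ifl in sorted(mpls | rsvp):
        phys, _, unit = ifl.partition(".")
        if f"interfaces {phys} unit {unit} family mpls" not in paths:
            gaps.append(f"{ifl}: family mpls missing on the interface")
        if ifl not in mpls or ifl not in rsvp:
            gaps.append(f"{ifl}: not under both protocols mpls and protocols rsvp")
    if role == "PE" and not any(
            re.match(r"protocols mpls label-switched-path \S+ to ", p) for p in paths):
        gaps.append("PE router has no label-switched-path configured")
    return gaps

# Constructed sample: PE-11-like config, traffic-engineering and family mpls left out.
SAMPLE = """
interfaces { ge-0/0/2 { unit 0 { family inet { address 10.0.202.1/30; } } }
             lo0 { unit 0 { family inet { address 10.10.10.11/32; } } } }
protocols { rsvp { interface ge-0/0/2.0; }
            mpls { label-switched-path PE-11-to-PE-14 { to 10.10.10.14; } interface ge-0/0/2.0; }
            ospf { area 0.0.0.0 { interface ge-0/0/2.0 { interface-type p2p; } } } }
"""
print(mpls_gaps(SAMPLE, role="PE"))
```

The input is expected in the multi-line form that `show configuration` prints, since a `##` annotation runs to the end of its line.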
Verification
To verify that all of this is working, we can use ping on the CE routers.
But maybe more importantly, if you have to troubleshoot, first check these things:
- Is my IGP working and do I receive the loopbacks of all my routers?
- Is traffic engineering enabled (only for OSPF)?
    root@PE-11> show ospf neighbor
    Address          Interface              State     ID               Pri  Dead
    10.0.202.2       ge-0/0/2.0             Full      10.10.10.12      128    39

    root@PE-11> show route 10.10.10/24

    inet.0: 18 destinations, 18 routes (18 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.10.10.11/32     *[Direct/0] 00:53:50
                        > via lo0.0
    10.10.10.12/32     *[OSPF/10] 00:53:23, metric 1
                        > to 10.0.202.2 via ge-0/0/2.0
    10.10.10.13/32     *[OSPF/10] 00:53:23, metric 2
                        > to 10.0.202.2 via ge-0/0/2.0
    10.10.10.14/32     *[OSPF/10] 00:53:23, metric 3
                        > to 10.0.202.2 via ge-0/0/2.0

    root@PE-11> show ospf overview
    Instance: master
      Router ID: 10.10.10.11
      Route table index: 0
      LSA refresh time: 50 minutes
      Traffic engineering
      Area: 0.0.0.0
        Stub type: Not Stub
        Authentication Type: None
        Area border routers: 0, AS boundary routers: 0
        Neighbors
          Up (in full state): 1
      Topology: default (ID 0)
        Prefix export count: 0
        Full SPF runs: 7
        SPF delay: 0.200000 sec, SPF holddown: 5 sec, SPF rapid runs: 3
        Backup SPF: Not Needed
- Is RSVP working?
    root@PE-11> show rsvp neighbor
    RSVP neighbor: 1 learned
    Address            Idle Up/Dn LastChange HelloInt HelloTx/Rx MsgRcvd
    10.0.202.2            5   1/0      53:32        9    356/356     148

    root@PE-11> show rsvp session
    Ingress RSVP: 1 sessions
    To              From            State   Rt Style Labelin Labelout LSPname
    10.10.10.14     10.10.10.11     Up       0  1 FF       -   299808 PE-11-to-PE-14
    Total 1 displayed, Up 1, Down 0

    Egress RSVP: 1 sessions
    To              From            State   Rt Style Labelin Labelout LSPname
    10.10.10.11     10.10.10.14     Up       0  1 FF       3        - PE-14-to-PE-11
    Total 1 displayed, Up 1, Down 0

    Transit RSVP: 0 sessions
    Total 0 displayed, Up 0, Down 0
- Is MPLS enabled and is the LSP coming up?
    root@PE-11> show mpls interface
    Interface        State       Administrative groups (x: extended)
    ge-0/0/2.0       Up         <none>

    root@PE-11> show mpls lsp
    Ingress LSP: 1 sessions
    To              From            State Rt P     ActivePath       LSPname
    10.10.10.14     10.10.10.11     Up     0 *                      PE-11-to-PE-14
    Total 1 displayed, Up 1, Down 0

    Egress LSP: 1 sessions
    To              From            State   Rt Style Labelin Labelout LSPname
    10.10.10.11     10.10.10.14     Up       0  1 FF       3        - PE-14-to-PE-11
    Total 1 displayed, Up 1, Down 0
Can we do the ping test?
    root@LAB-CE# run ping 10.200.2.1 routing-instance CE65001
    PING 10.200.2.1 (10.200.2.1): 56 data bytes
    64 bytes from 10.200.2.1: icmp_seq=0 ttl=62 time=48.475 ms
    64 bytes from 10.200.2.1: icmp_seq=1 ttl=62 time=36.041 ms
    64 bytes from 10.200.2.1: icmp_seq=2 ttl=62 time=35.145 ms
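The RSVP step of the troubleshooting list can be scripted when the same check has to run on every PE. The Python sketch below is an added example, not part of the original post; `parse_rsvp_sessions` and `lsp_problems` are hypothetical names. It parses `show rsvp session` text and, because an LSP is unidirectional, also reports an ingress LSP that has no Up LSP coming back from its far end.

```python
import re

# Two router addresses, the state, then the LSP name as the last column.
ROW = re.compile(r"(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s.*\s(\S+)$")

def parse_rsvp_sessions(output):
    """Return {section: [(to, from, state, lsp_name), ...]} from 'show rsvp session'."""
    sessions, section = {}, None
    for line in map(str.strip, output.splitlines()):
        head = re.match(r"(Ingress|Egress|Transit) RSVP:", line)
        if head:
            section = head.group(1)
            sessions[section] = []
        elif section and (row := ROW.match(line)):
            sessions[section].append(row.groups())
    return sessions

def lsp_problems(output):
    """Flag sessions that are not Up and ingress LSPs with no Up LSP coming back."""
    s = parse_rsvp_sessions(output)
    problems = [f"{name}: state {state}" for rows in s.values()
                for _, _, state, name in rows if state != "Up"]
    back_from = {frm for _, frm, state, _ in s.get("Egress", []) if state == "Up"}
    for to, _, state, name in s.get("Ingress", []):
        if state == "Up" and to not in back_from:
            problems.append(f"{name}: no Up LSP back from {to}")
    return problems

# Values from the post's PE-11 output; column spacing is reconstructed.
PE11_OUTPUT = """
Ingress RSVP: 1 sessions
To              From            State   Rt Style Labelin Labelout LSPname
10.10.10.14     10.10.10.11     Up       0  1 FF       -   299808 PE-11-to-PE-14
Total 1 displayed, Up 1, Down 0

Egress RSVP: 1 sessions
To              From            State   Rt Style Labelin Labelout LSPname
10.10.10.11     10.10.10.14     Up       0  1 FF       3        - PE-14-to-PE-11
Total 1 displayed, Up 1, Down 0

Transit RSVP: 0 sessions
Total 0 displayed, Up 0, Down 0
"""
print(lsp_problems(PE11_OUTPUT))  # [] : both directions are Up
```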
Conclusion
I hope you can get started with a small setup to get to know MPLS. There are many great resources available for adding more features to the setup.
I would like to recommend Juniper's Week one PDF about MPLS:
https://forums.juniper.net/t5/Day-One-Books-Archive/This-Week-Deploying-MPLS/ba-p/87830
Thanks for reading