Monday, January 4, 2010

What is the MPLS VPN Label?

In the MPLS world the concept of labels and stacking labels are used all the time. When running MPLS L3VPNs each route from the CE will end up with at least two MPLS labels: one commonly referred to as the VPN Label and the other referred as the IGP label.


Lets explore what really is the VPN Label. Is it a single label? or a stack of labels? or maybe a group of labels?. Lets analyze it.



When a route is learned from the CE, at the PE it will get a label assigned by BGP.

PE2#sh ip vrf
Name                             Default RD          Interfaces
BLUE                             567:200             FastEthernet0/0

PE2#sh ip bgp vpnv4 vrf BLUE labels
Network          Next Hop      In label/Out label
Route Distinguisher: 567:200 (BLUE)
1.1.1.1/32       150.4.4.4       nolabel/23
2.2.2.2/32       10.2.78.8       20/nolabel
10.1.12.0/24     150.4.4.4       nolabel/24
10.2.78.0/24     0.0.0.0         21/nolabel
22.22.22.0/24    10.2.78.8       25/nolabel

PE2#sh mpls forwarding-table vrf BLUE
Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC   or Tunnel Id      Switched      interface
20     No Label      2.2.2.2/32[V]     570           Fa0/0      10.2.78.8
21     Aggregate     10.2.78.0/24[V]   0             BLUE
25     No Label      22.22.22.0/24[V]  0             Fa0/0      10.2.78.8

PE2#sh mpls forwarding-table vrf BLUE detail
Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC   or Tunnel Id      Switched      interface
20     No Label      2.2.2.2/32[V]     570           Fa0/0      10.2.78.8
MAC/Encaps=0/0, MRU=1504, Label Stack{}
VPN route: BLUE
No output feature configured
21     Aggregate     10.2.78.0/24[V]   0             BLUE
MAC/Encaps=0/0, MRU=1504, Label Stack{}
VPN route: BLUE
No output feature configured
25     No Label      22.22.22.0/24[V]  0             Fa0/0      10.2.78.8
MAC/Encaps=0/0, MRU=1504, Label Stack{}
VPN route: BLUE
No output feature configured

Listing #1

As you can see on line #3, I have VRF BLUE defined in this particular PE. Then in lines #9, #11 and #12 you can see that BGP has assigned some "In Label". These are going to be the labels that packets arriving to this PE wanting to communicate to those destination at the CE will have to have.


Now, these are what are normally referred as the "VPN Label". As you can see, it is not really a "VPN Label" but more a destination label. Lets take destination 2.2.2.2/32 inside the CE. As you may see in line #24, BGP has assigned the label 20. Any packet arriving with label 20 will be "POP" and send as a regular IPv4 packet towards the CE.


If we go to an ASBR which will see all the routes in this lab, we can see that it has knowledge of the label 20 for the destination 2.2.2.2/32 and it has assigned a local label of 23 (see line #11 of Listing #2).

ASBR2#sh mpls forwarding-table
Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC   or Tunnel Id      Switched      interface
16     Pop Label     150.6.6.6/32      0             Fa0/0      150.2.56.6
17     Pop Label     150.2.67.0/24     0             Fa0/0      150.2.56.6
18     16            150.7.7.7/32      0             Fa0/0      150.2.56.6
19     Pop Label     192.168.45.4/32   590           Fa1/0      192.168.45.4
20     18            150.2.2.2/32      0             Fa1/0      192.168.45.4
21     19            150.3.3.3/32      0             Fa1/0      192.168.45.4
22     Pop Label     150.4.4.4/32      0             Fa1/0      192.168.45.4
23     20            567:200:2.2.2.2/32   \
610           Fa0/0      150.2.56.6
24     21            567:200:10.2.78.0/24   \
0             Fa0/0      150.2.56.6
25     25            567:200:22.22.22.0/24   \
0             Fa0/0      150.2.56.6

ASBR2#sh mpls forwarding-table labels 23 detail
Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC   or Tunnel Id      Switched      interface
23     20            567:200:2.2.2.2/32   \
610           Fa0/0      150.2.56.6
MAC/Encaps=14/22, MRU=1496, Label Stack{16 20}
CA00A59C0008CA07A59C00088847 0001000000014000
No output feature configured
ASBR2#

Listing #2

If we go further into the details of that LSP we see that we have stack (line #23 Listing #2) with two labels 16 and 20. The 16 is the top label and the 20 the bottom label. We already know where the 20 comes from (line #9 Listing #1). So, where does the 16 comes from? The answer is in line #6 of Listing #2. That is the IGP label towards the PE which have the CE connected to it. So, this top label will be the one changing on per hop basis but the bottom label will remain there up to the penultimate hop.


In this particular lab that will be P2.

P2#sh mpls forwarding-table
Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC   or Tunnel Id      Switched      interface
16     Pop Label     150.7.7.7/32      6978          Fa1/0      150.2.67.7
17     Pop Label     150.5.5.5/32      7373          Fa0/0      150.2.56.5
18     Pop Label     192.168.45.0/24   0             Fa0/0      150.2.56.5
19     20            150.2.2.2/32      0             Fa0/0      150.2.56.5
20     21            150.3.3.3/32      0             Fa0/0      150.2.56.5
21     22            150.4.4.4/32      610           Fa0/0      150.2.56.5
P2#
Listing #3


As it can be see from Listing #3, the label 16 is removed. Now, that will remove the 16 but will have the label 20 when it arrives to the PE2. At this point, PE2 (line #17 Listing #1) knows what to do. It will POP that label and send a regular IPv4 packet towards the CE.


So, at the end, the VPN label does not refer to a single label but rather to the label or labels that the PE has associated to the VPNv4 routes of a particular VRF.


Hope this explains it... or at least give you enough headache to forget about it ;-)

7 comments:

  1. I read your comment on my blog.

    Buzz me sometime, we can have a chat.

    We can clearly see how much Cisco is relying on OEQs, IOS bugs and other nonsense to make it difficult. Cisco cant corner us on the core technologies!!

    Swap
    ccie19804 _at_ gmail com
    #19804

    ReplyDelete
  2. I am planning to get training on mpls and bgp network, it being great to know about mpls vpn label being so informative.
    MPLS training course


    ReplyDelete
  3. I haven’t any word to appreciate this post.....Really i am impressed from this post....the person who create this post it was a great human..thanks for shared this with us. private internet access review

    ReplyDelete
  4. Many people on Internet discussion forums and answering sites seem to be having a problem with distinguishing between a remote desktop and VPN services. It is hard to blame them, since these two concepts are definitely alike, and a layperson has every right to be confused. To make it easier for you, below you will find a concise explanation of their key differences. howtogetamericannetflix.pro

    ReplyDelete
  5. Compare top best cheap VPN service providers. Read user reviews. Best Cheap VPN

    ReplyDelete
  6. Your firewall setting ought to be done in a way that will permit your VPN to stream freely. In spite of the fact that the firewall may not confine your VPN,get indian ip

    ReplyDelete
  7. I appreciated your work very thanks online
    Thanks for sharing nice information with us. i like your post and all you share with us is uptodate and quite informative, i would like to bookmark the page so i can come here again to read you, as you have done a wonderful job. online

    ReplyDelete