0019 20-MPLS+VPN PDF

Multi-Protocol Label Switching (MPLS) speeds up intra-domain IP forwarding by using fixed-length labels instead of IP addresses. MPLS pre-computes paths for flows and assigns each path a label. Routers forward packets based on label values, without examining IP addresses. Label Distribution Protocols disseminate signaling information to set up label-switched paths that may not follow standard IP routing. MPLS allows virtual private networks by encapsulating IP packets with labels to create distinct virtual networks over a shared infrastructure.

Uploaded by Salih Anwar
Computer Networks, Lecture 20: MPLS and VPN

Multi-Protocol Label Switching (MPLS)

Initial goal: speed up intra-domain IP forwarding by using circuit identifiers (fixed-length labels) instead of IP addresses
•  borrow ideas from the VC approach (but the IP datagram still keeps its IP address!)

[Figure: Source 1 and Source 2 sending to Destination through a router. The router can forward traffic for the same destination on different interfaces/paths.]

Label Switching: Circuit Abstraction

Label-switched paths (LSPs):
•  pre-compute a path for each “flow”
   •  a “flow” can range from a single connection to a pair of APs or aggregated APs, etc.
•  paths are “named” by the label at the path’s entry point
•  each MPLS router uses a different label to identify a flow
•  the “downstream” MPLS router tells its upstream neighbor its label for each flow

Label Swapping

At each hop, MPLS routers forward packets to the outgoing interface based only on the label value (they don’t even look at the IP address)
•  use the label to determine the outgoing interface
•  replace the incoming label with the neighbor’s label for the flow
•  the MPLS forwarding table is distinct from the IP forwarding tables

[Figure: a router with interfaces 1, 2 and 3 between A and D; its label table reads Tag A, Out 2, New D, i.e., a packet arriving with label A leaves on interface 2 carrying label D.]
Label Distribution

A signaling protocol is needed to set up forwarding
•  responsible for disseminating signaling information
•  Label Distribution Protocol (LDP)
•  RSVP for Traffic Engineering (RSVP-TE)
•  allows for forwarding along paths not otherwise obtained from IP routing (e.g., source-specific routing)
•  must co-exist with IP-only routers

[Figure: Source 1 and Source 2 reaching Destination over distinct label-switched paths.]

MPLS Encapsulation

Put an MPLS header in front of the IP packet:
   Network (layer 3): IP
   MPLS header (layer 2.5?): MPLS
   Data Link (layer 2): Ethernet, Frame Relay, ATM, PPP, etc.
   Physical (layer 1)
•  the MPLS header includes a label

Frame layout: PPP or Ethernet header | MPLS header | IP header | remainder of link-layer frame

MPLS header: label (20 bits) | ToS (3) | S (1) | TTL (5)
•  ToS & TTL copied from IP
•  S: 1 if bottom of label stack

BGP-Free Backbone Core

[Figure: provider routers R1, R2, R3 and R4 with customer routers A, B, C and D attached at the edges; C announces 12.11.1.0/24; eBGP sessions with the customers and an iBGP session across the provider are shown. The label is based on the destination prefix.]

Routers R2 and R3 don’t need to speak BGP

VPNs With Private Addresses

Why VPN?
Customer has several geographically distributed sites
•  wants private communications over the public network
•  wants a unique IP network connecting the sites
   •  single IP addressing plan
   •  virtual leased line connecting the sites
   •  guaranteed quality of service
Providers have overprovisioned backbones
•  want to sell pseudo-wires (leased lines) that allow for increased backbone utilization
•  want technology that
   •  has low configuration and maintenance costs
   •  is scalable to the number of customers, i.e., core state depends on topology, not on the number of customers
Recall: Customer-based VPN

Encrypt packets at network entry and decrypt at exit
Eavesdropper cannot snoop the data or determine the real source and destination

[Figure: customer sites with CE routers connected to each other across the ISP/Internet.]

Network VPNs

Customer based:
•  customer buys own equipment, configures IPSec tunnels across the global Internet, manages addressing and routing
•  ISP plays no role
•  customer has more control over security and ISP choices, but requires skills
Provider based:
•  provider manages all the complexity of the VPN, usually with MPLS
•  customer simply connects to the provider equipment

[Figure: customer sites with CE routers attached to the provider’s PE routers.]

Types of MPLS Routers

Customer edge (CE) routers:
•  do not speak MPLS, do not recognize labels at all
•  speak eBGP with MPLS routers on the provider network to advertise APs
•  or are statically configured with allocated APs

MPLS Routers

Provider routers:
•  provider edge (PE): routers A and E
   •  push (at ingress) or pop (at egress) the label on/off the stack
   •  forward IP packets to/from customer routers
•  core (P): routers B, C, and D
   •  swap (pop+push) the label on top of the stack
   •  don’t interact with customer routers

[Figure: CE – A – B – C – D – CE. The right-hand CE advertises reachability of 12.11.1.0/24 using eBGP; the left-hand CE receives reachability of 12.11.1.0/24 advertised using eBGP.]

Provider-based VPN

Layer 3 BGP/MPLS VPNs (RFC2547)
•  provide isolation: multiple logical networks over a single, shared physical infrastructure
•  use BGP to exchange routes
   •  eBGP to announce APs to PE routers
•  use MPLS to forward traffic
   •  tunneling: routers don’t have to do routing, just label switching

[Figure: CE customer routers attached to PE edge routers, with P core routers between the PEs; the inner label travels from PE to PE.]

High-Level Overview of Operation

IP packets arrive at the provider edge (PE) router
Destination IP is looked up in a “virtual” forwarding table
•  there are multiple such tables, one per customer
Datagram is sent to the customer’s network using tunneling (i.e., an MPLS label-switched path)

To Use Level 3 BGP/MPLS VPN

Two steps needed:
1. set up the VPN
2. forward packets on the VPN

Identifying a BGP/MPLS VPN

Three things are needed to identify a BGP/MPLS VPN:
1. inner label: a way for the provider edge (PE) routers at each end of a VPN to associate a VPN with its owner’s customer edge (CE) router
2. VPN-APs: a way for the customer’s address prefixes (APs) to be advertised by BGP
   •  the issue is: since customers can use private address ranges (10/8, 172.16/12, and 192.168/16), how to differentiate the same private address range that has been chosen and used by different customers?
3. outer label: the MPLS labels used by the provider’s core (P) routers to identify a VC
Setup: Inner Label

Provider-edge (PE) routers:
•  set up a Virtual Routing and Forwarding (VRF) table for each customer AP
•  the VRF ID serves as the inner label for the VPN

[Figure: Customer 1 with AP 10.0.1.0/24 in VRF ID C1; Customer 2 with the same AP 10.0.1.0/24 in VRF ID C2.]

Setup: VPN-APs

Provider-edge (PE) routers:
•  use Multi-Protocol BGP’s Route Distinguisher (RD) as the VPN ID to differentiate the same APs of different customers
•  use MP-BGP to announce VPN-AP reachability, along with their inner labels
•  run iBGP to other edge routers to distribute VPN-AP reachabilities

[Figure: Customer 1’s 10.0.1.0/24 in VRF ID C1 with VPN ID (RD) Tan; Customer 2’s 10.0.1.0/24 in VRF ID C2 with VPN ID (RD) Salmon.]

Setup: Outer Label

Both provider-edge (PE) and core (P) routers:
•  run MPLS
•  use LDP (Label Distribution Protocol) to set up outer labels for forwarding
   •  the PE router advertising a customer AP (i.e., the “destination” or egress router) initiates LDP to distribute labels

To Use Level 3 BGP/MPLS VPN

Two steps are needed to use a level 3 BGP/MPLS VPN:
1. Set up the VPN
2. Forward packets on the VPN

Forwarding in BGP/MPLS VPNs

Step 1: packet arrives from the CE router at the PE router’s incoming interface
•  look up the customer’s VRF to determine the egress PE and inner label (Label I)
   [ Label I | IP Datagram ]
Step 2: egress PE lookup, add the corresponding outer label (Label O, also at the customer’s VRF)
   [ Label O | Label I | IP Datagram ]

Forwarding

The ingress PE router encapsulates the IP packet in MPLS with outer and inner labels
A two-label stack is used for packet forwarding:
•  top label indicates the next-hop P router (outer label)
•  second label indicates the outgoing CE interface / VRF (inner label)
   [ Layer 2 Header | Label O | Label I | IP Datagram ]
   Label O corresponds to the label of the next-hop (P) interface; Label I corresponds to the VRF/interface at exit

Forwarding on BGP/MPLS VPNs: Packet Forwarding

1. Source CE router sends the IP packet to the ingress PE router that advertises the destination AP
2. Ingress PE router looks up the egress PE router’s virtual interface address and the inner label for the destination AP, then encapsulates the IP packet in MPLS with outer and inner labels
3. Core P routers along the path swap outer labels
4. Penultimate core P router pops the outer label only
5. Egress PE router uses the inner label to look up the VRF and forwards the packet to the customer CE router
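The label-swapping and two-label forwarding described in the setup and forwarding slides above, as a constructed Python simulation added here (it is not code from the lecture): two customers both use 10.0.1.0/24, and the per-customer VRF at the ingress PE, the LDP-distributed outer labels in the core (with penultimate-hop pop) and the inner label at the egress PE keep their traffic apart. Router names A–D, label values and interface names are made-up assumptions.

```python
"""Constructed BGP/MPLS VPN forwarding simulation (not code from the lecture).
Two customers both use 10.0.1.0/24; VRF, outer label and inner label keep them apart."""
import ipaddress

# Ingress PE "A": one VRF per customer, prefix -> (egress PE, inner label learned via MP-BGP).
VRF = {
    "C1": {ipaddress.ip_network("10.0.1.0/24"): ("D", 101)},
    "C2": {ipaddress.ip_network("10.0.1.0/24"): ("D", 202)},
}
# LDP state at A: egress PE -> (next hop, outer label to push). Made-up values.
LDP_PUSH = {"A": {"D": ("B", 17)}}
# Core P routers: incoming outer label -> (next hop, new label); None = pop (PHP).
SWAP = {
    "B": {17: ("C", 23)},
    "C": {23: ("D", None)},  # C is the penultimate hop: pop the outer label only
}
# Egress PE "D": inner label -> (VRF, CE-facing interface).
INNER = {"D": {101: ("C1", "ce1"), 202: ("C2", "ce2")}}

def ingress(pe, vrf, dst):
    """Steps 1-2: VRF lookup gives egress PE + Label I; LDP gives Label O."""
    addr = ipaddress.ip_address(dst)
    for prefix, (egress_pe, inner) in VRF[vrf].items():
        if addr in prefix:
            next_hop, outer = LDP_PUSH[pe][egress_pe]
            return [outer, inner], next_hop
    raise LookupError(f"{dst} not reachable in VRF {vrf}")

def forward(stack, router):
    """Core P router: swap or pop the top label only. It never reads the IP
    header, so the customers' overlapping prefixes are irrelevant here."""
    next_hop, new = SWAP[router][stack[0]]
    rest = stack[1:]
    return ([new] + rest if new is not None else rest), next_hop

def egress(pe, stack):
    """Egress PE: the one remaining inner label selects the VRF and CE interface."""
    (inner,) = stack  # exactly one label must be left after PHP
    return INNER[pe][inner]

def deliver(vrf, dst):
    """Carry a packet from the given VRF at PE A to the egress CE interface."""
    stack, hop = ingress("A", vrf, dst)
    path = ["A"]
    while hop in SWAP:  # P routers label-switch; the egress PE is not in SWAP
        path.append(hop)
        stack, hop = forward(stack, hop)
    path.append(hop)
    return egress(hop, stack), path
```

Running the same destination 10.0.1.5 through VRF C1 and VRF C2 lands on different CE interfaces, which is the isolation the VRF/RD separation provides.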
Advantages of MPLS VPN

A customer adding or changing APs does not require manual configuration at the provider
Core P routers do not need to know the customer’s CE routers or APs: forwarding tables only need to scale to the number of edge PE routers, not the number of customers, APs, or VPNs
The only manual configurations required are at the edge PE routers:
•  VRF ID and the customer’s CE router’s IP address
•  MP-BGP Route Distinguisher as VPN ID

Status of MPLS

Deployed in practice
•  BGP-free backbone/core
•  Virtual Private Networks
•  Traffic engineering
Challenges
•  protocol complexity
•  configuration complexity
•  difficulty of collecting measurement data
