When I took my first MPLS training, the instructor said that a P router is required for MPLS VPN to pop the top label before the packet reaches the PE router. Is this a true statement? I had a lab setup with two PE routers on a switch and the VPN seemed to work fine. Can anyone shed some light on this? We're looking for ways to aggregate PE routers.
Thanks in advance,
>> instructor said that a P router is required for MPLS VPN to pop the top label before packet reaches the PE router. Is this a true statement?
It is not required; you can have back-to-back connections of PE to PE on a common VLAN, as you have seen in your lab tests.
Penultimate hop popping is performed by the device before the egress PE, but it can also be the ingress PE.
Simply, the MPLS label stack will be made of only one label, the VPN label.
However, the MPLS frame is still an Ethernet frame with MAC DA = egress PE interface MAC address, so there is no ambiguity in the VLAN.
What is really important is to verify that
sh mpls forwarding egress-PE-loop-ipaddress
reports outgoing action
if it reports something else you are in trouble:
I've seen devices sending nonsense frames with IPv4 ethertype with the VPN label in the position of the IPv4 header when the outgoing action is untagged instead of pop tag.
In my case this was caused by the fact that we were using OSPF as IGP and we had a loopback with a non-/32 mask.
The workaround for this is to put
ip ospf network point-to-point
in loopback configuration.
MPLS LDP RID = BGP endpoint = BGP next-hop as explained by Peter is the requirement
correct outgoing action
Hope to help
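The outgoing-action check this answer describes, as an added example that is not part of the original post: a Python script that parses a constructed "show mpls forwarding-table" capture, finds the most specific entry covering each directly connected egress-PE loopback, and flags anything other than a pop. The function names, addresses, labels and sample table are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample of "show mpls forwarding-table" output (classic IOS layout);
# all addresses, labels and interfaces are made up for illustration.
SAMPLE = """\
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     10.255.0.2/32     0          Gi0/1      192.168.12.2
17     Untagged    10.255.0.3/32     0          Gi0/1      192.168.12.3
18     Pop tag     10.255.5.0/24     0          Gi0/1      192.168.12.5
19     22          10.255.0.4/32     1520       Gi0/2      192.168.14.1
"""

# Local label, outgoing action (older and newer IOS wording), prefix.
ROW = re.compile(r"^\s*(?:\d+|None)\s+(Pop tag|Pop Label|Untagged|No Label|\d+)"
                 r"\s+(\d+\.\d+\.\d+\.\d+/\d+)\s", re.I)
POP = {"pop tag", "pop label"}

def parse_lfib(text):
    """Return [(network, outgoing_action)] for every prefix row in the table."""
    rows = (ROW.match(line) for line in text.splitlines())
    return [(ipaddress.ip_network(m.group(2), strict=False), m.group(1)) for m in rows if m]

def outgoing_action(entries, loopback):
    """Longest-prefix match for a PE loopback address; None if nothing covers it."""
    addr = ipaddress.ip_address(loopback)
    hits = [(net.prefixlen, act) for net, act in entries if addr in net]
    return max(hits)[1] if hits else None

def check_adjacent_pes(text, loopbacks):
    """Map each directly connected egress-PE loopback to 'ok' or a problem string."""
    entries = parse_lfib(text)
    report = {}
    for lo in loopbacks:
        act = outgoing_action(entries, lo)
        if act is None:
            report[lo] = "no LFIB entry"
        elif act.lower() in POP:
            report[lo] = "ok"
        else:
            report[lo] = f"unexpected outgoing action: {act}"
    return report

if __name__ == "__main__":
    peers = ["10.255.0.2", "10.255.0.3", "10.255.5.1", "10.255.0.4", "10.255.9.9"]
    for lo, status in check_adjacent_pes(SAMPLE, peers).items():
        print(f"{lo:12} {status}")
```

The lookup is by longest prefix rather than exact /32 because a loopback configured with "ip ospf network point-to-point" is reachable through its configured mask, as with the constructed 10.255.5.0/24 row.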
Your instructor was basically correct. In an MPLS VPN LSP, the outer label selects the path towards the egress PE. That label will be popped by the P router directly connected to the egress PE. The PE itself will receive a packet with only the inner label that corresponds to a particular destination network in a particular VRF.
The situation between your two directly connected PE routers is very similar to the situation between the PE and its neighboring P router. The LSP between your two PE routers does not use any label as they are directly connected - both routers mutually advertise the implicit null label for it so the outer label is automatically omitted. The inner label will be imposed according to the label bindings advertised through the MP-BGP session between the two PE routers. Now, when a PE router receives a labeled packet from its neighboring PE, the situation is the same as with the P-PE router in the previous example: the only label in the packet corresponds to a particular network in a particular VRF. There's no difference.
One comment, though. The penultimate hop popping is the reason why the BGP sessions shall be run on loopbacks and not on physical networks. If a BGP session is terminated on a physical interface, the outer label might be popped one router too soon, resulting in the P neighbors of an egress PE router receiving packets with unintelligible labels and possibly dropping, misrouting or looping them. Even if you aggregate your PE routers, make sure that the BGP peerings are terminated on loopbacks.