PE routers on same subnet

Answered Question

When I took my first MPLS training the instructor said that a P router is required for MPLS VPN to pop the top label before packet reaches the PE router. Is this a true statement? I had a lab setup with two PE routers on a switch and the VPN seemed to work fine. Can anyone shed some light on this? We're looking for ways to aggregate PE routers.


Thanks in advance,

John

Correct Answer by Giuseppe Larosa about 7 years 9 months ago

Hello John,


>> instructor said that a P router is required for MPLS VPN to pop the top label before packet reaches the PE router. Is this a true statement?


It is not required: you can have back-to-back connections of PE to PE on a common VLAN, as you have seen in your lab tests.


Penultimate hop popping is performed by the device before the egress PE, but it can also be the ingress PE.

The MPLS label stack will simply be made of only one label, the VPN label.


However, the MPLS frame is still an Ethernet frame with MAC DA = egress PE interface MAC address, so there is no ambiguity in the VLAN.


What is really important is to verify that

sh mpls forwarding egress-PE-loop-ipaddress

reports outgoing action

POP tag

If it reports something else you are in trouble:

I've seen devices sending nonsense frames with IPv4 ethertype, with the VPN label in the position of the IPv4 header, when the outgoing action is untagged instead of pop tag.

In my case this was caused by the fact that we were using OSPF as IGP and we had a loopback with a non-/32 mask.

The workaround for this is to put

ip ospf network point-to-point

in loopback configuration.


MPLS LDP RID = BGP endpoint = BGP next-hop, as explained by Peter, is the requirement

+

correct outgoing action



Hope to help

Giuseppe
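
The check described in the answer above, automated as an added example (not part of the original post): it parses captured forwarding-table output and classifies the outgoing action for the egress PE loopback. The sample output is constructed, the function names are hypothetical, and the parser assumes the usual IOS column layout with either the older "Pop tag"/"Untagged" or the newer "Pop Label"/"No Label" wording.

```python
import re

# Constructed sample of "show mpls forwarding-table" output (older IOS wording);
# addresses, labels and interfaces are made up for this example.
SAMPLE = """\
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     10.255.0.2/32     0          Fa0/0      192.168.12.2
17     Untagged    10.255.0.3/32     0          Fa0/0      192.168.12.3
18     21          10.255.0.4/32     1520       Fa0/0      192.168.12.2
"""

# Local label, outgoing action, prefix; the two header lines do not match.
ROW = re.compile(
    r"^\s*(?:\d+|None)\s+"
    r"(?P<action>Pop (?:tag|Label)|Untagged|No Label|Aggregate|\d+)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\b",
    re.IGNORECASE,
)

def outgoing_actions(output):
    """Return {prefix: outgoing action} for every LFIB row in the output."""
    table = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            table[m.group("prefix")] = m.group("action")
    return table

def check_egress_pe(output, loopback):
    """Classify the LFIB entry for a directly connected egress PE loopback."""
    action = outgoing_actions(output).get(loopback + "/32")
    if action is None:
        return "missing"      # no /32 entry for the loopback in this output
    lowered = action.lower()
    if lowered.startswith("pop"):
        return "pop"          # expected outgoing action
    if lowered in ("untagged", "no label"):
        return "untagged"     # the failure case described in the answer
    return "swap"             # numeric label: next hop is not the egress PE

if __name__ == "__main__":
    for lo in ("10.255.0.2", "10.255.0.3", "10.255.0.4", "10.255.0.9"):
        print(lo, check_egress_pe(SAMPLE, lo))
```

Anything other than "pop" for the loopback of a back-to-back PE neighbour is worth investigating before VPN traffic is moved onto the link.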



Correct Answer by Peter Paluch about 7 years 9 months ago

Hi John,


Your instructor was basically true. In an MPLS VPN LSP, the outer label selects the path towards the egress PE. That label will be popped by the P router directly connected to the egress PE. The PE itself will receive a packet with only the inner label that corresponds to a particular destination network in a particular VRF.


The situation between your two directly connected PE routers is very similar to the situation between the PE and its neighboring P router. The LSP between your two PE routers does not use any label as they are directly connected - both routers mutually advertise the implicit null label for it so the outer label is automatically omitted. The inner label will be imposed according to the label bindings advertised through the MP-BGP session between the two PE routers. Now, when a PE router receives a labeled packet from its neighboring PE, the situation is the same as with the P-PE router in the previous example: the only label in the packet corresponds to a particular network in a particular VRF. There's no difference.


One comment, though. The penultimate hop popping is the reason why the BGP sessions shall be run on loopbacks and not on physical networks. If a BGP session is terminated on a physical interface, the outer label might be popped one router too soon, resulting in the P neighbors of an egress PE router receiving packets with unintelligible labels and possibly dropping, misrouting or looping them. Even if you aggregate your PE routers, make sure that the BGP peerings are terminated on loopbacks.


Best regards,

Peter


Overall Rating: 5 (2 ratings)
Correct Answer
Peter Paluch Mon, 10/05/2009 - 09:39

Correct Answer
Giuseppe Larosa Mon, 10/05/2009 - 10:40

dulenjames Wed, 10/07/2009 - 01:44

I think the simple answer to your question, John, is that you are leaving the PE routers to do the job of double lookup. Recursive route lookup, and label swapping and popping. In a big live network, speed will be greatly impaired.
