Junos MPLS and VPNs

Junos

and VPNs

10.a

Student Guide
Volume 1

Junl e[

NETWORKS
Worldwide Education Services

1194 North Mathilda Avenue

Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net

Course Number: EDU-JUN-JMV

Tills document is produced by Juniper Networks, Inc.

This document or any part thereof may not be reproduced or transnlltted III any form under penalty of law, without the prior written permission of Jumper Networks
Education Services.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in tile United States and oiller
countnes, The Juniper Networks logo, the Junos logo. and JunosE are trademarks of Juniper Networks, Inc. AI! other trademarks, service marks, registered
trademarks, or registered service marks are the property of their respective owners.
)unos MPLS and VPNs Student Guide, Revision 10.8
Copyright 2010 Juniper Networks, Inc. AI! rights reserved.
Prjnted

In

USA.

Revision History:
Revision 10.a-December 20.10
The information in this document is current as of the <late listed above.
The mformation in this document !las been carefully verified and is believed to be accurate for software Release 10.3Rl.9. Juniper Networks assumes no
responsibihtles for any inaccuracies that may appear in this document. In no event will Juniper Networks be hable for direct, indirect, special, exemplary,
Incidental. or consequential damages resulting from any defect or omission in this document, even if advised of the possibility of such damages.

Juniper Networks reserves tile right to change, modify, transfer, or otllerWlse revise this publication without notice.

YEAR 2000 NOTICE

Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos operatll1g system has
no known timerelate<llimitations through the year 2038. However, the NTP application is known to have some difficllity in the year 2036.

SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with tl1e software, or to the extent applicable, in an
agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand and
agree to be bound by its license terms and conditions, Generally speaking, the software license restricts tile manner in Wl1ich you are permitted to use the Juniper
Networks software, may contain prohibitions agains: certain uses, and may state conditions under which the license is automatlcaliy terminated. You stlOuld
consult the software license for further details.

Document Conventions

eLi and GUI Text

Frequently throughout this course, we refer to text that appears in a command-line interface (CLI)
or a graphical user interface (GUI). To make the language of these documents easier to read, we
distinguish GUI and CLI text from chapter text according to the following table.
Style

Description

Usage Example

Franklin Gothic

Normal text.

Most of what you read in the Lab Guide

and Student Guide.

Courier New

Console text:
Screen captures
Noncommand-related
syntax
GUI text elements:
Menu names

Text field entry

commit complete
Exiting configuration mode

Select File > Open, and then click

Configuration.confinthe
Filename text box.

Input Text Versus Output Text

You will also frequently see cases where you must enter input text yourself. Often these instances
will be shown in the context of where you must enter them. We use bold style to distinguish text
that is input versus text that is Simply displayed.
Style

Description

Usage Example

Normal CLI

No distinguishing variant.

Physical interface:fxpO,
Enabled

Normal GUI

View configuration history by clicking

Configuration > Histor~
eLI Input

Text that you must enter.

GUI Input

lab@San Jose> show route

Select File > Save, and type
config. ini in the Fi lename field.

Defined and Undefined Syntax Variables

Finally, this course distinguishes between regular text and syntax variables, and it also
distinguishes between syntax variables where the value is already assigned (defined variables) and
syntax variables where you must assign the value (undefined variables). Note that these styles can
be combined with the input style as well.
Style

Description

Usage Example

CLI variable

Text where variable value is

already assigned.

policy my-peers

GUI Variable

Click my-peers in the dialog.

CLI Undefined

GUI Undefined

www.juniper.net

Text where the variable's value

is the user's discretion and text
where the variable's value as
shown in the lab guide might
differ from the value the user
must input.

Type set policy policy-name.

ping

lO.O.~

Select File > Save, and type

filename in the Fi lename field.

Document Conventions ix

Additional Information
Education Services Offerings
You can obtain information on the latest Education Services offerings, course dates, and class
locations from the World Wide Web by pointing your Web browser to:
http://www.juniper.net/training/education/.

About This Publication

The Junos MPLS and VPNs Student Guide was developed and tested using software Release
10.3R1.9. Previous and later versions of software might behave differently so you should always
consult the documentation and release notes for the version of code you are running before
reporting errors,
This document is written and maintained by the Juniper Networks Education Services development
team, Please send questions and suggestions for improvement to [email protected],

Technical Publications
You can print technical manuals and release notes directly from the Internet in a variety of formats:
Go to http:;/www.juniper,netjtechpubs/.
Locate the specific software or hardware release and title you need, and choose the
format in which you want to view or print the document.
Documentation sets and CDs are available through your local Juniper Networks sales office or
account representative.

Juniper Networks Support

For technical support, contactJuniper Networks at http://www.juniper.netjcustomers/supportj, or
at 1-888-314-JTAC (within the United States) or 408-745-2121 (from outside the United States).

x Additional Information

www.juniper.net

Junt8v~[
Junos MPLS and VPNs
Chapter 1: Course Introduction

Junos MPLS and VPNs

II

After successfully completing this chapter, you will be

able to:
Get to know one another
Identify the objectives, prerequisites, facilities, and
materials used during this course
Identify additional Education Services courses at Juniper
Networks
Describe the Juniper Networks Certification Program

This Chapter Discusses:

Objectives and course content information;
Additional Juniper Networks, Inc. courses; and
The Juniper Networks Certification Program.

Chapter 1-2 Course Introduction

www.juniper.net

Contents
Chapter 1:

Course Introduction . ................................................... . 1-1

Chapter 2:

MPLS Fundamentals . ................................................... .2-1

MPLS Foundation ............................................................. 2-3
Terminology .................................................................2-19
MPLS Configuration ...........................................................2-26
MPLS Packet Forwarding ......................................................2-48
Lab 1: MPLS Fundamentals ....................................................2-56

Chapter 3:

Label Distribution Protocols . ............................................ .. 3-1

Label Distribution Protocols ..................................................... 3-3
RSVP ........................................................................ 3-7
LDP ........................................................................3-45
Lab 2: Label Distribution Protocols ..............................................3-69

Chapter 4:

Constrained Shortest Path First ... ........................................ . 4-1

RSVP Behavior Without CSPF .................................................... 4-3
CSPF Algorithm ............................................................... 4-8
CSPF Tie Breaking ........................................................... .4-24
Administrative Groups ........................................................ .4-32
Lab 3: CSPF ................................................................ .4-51

Chapter 5:

Traffic Protection and LSP Optimization . ................................... .5-1

Default Traffic Protection Behavior ............................................... 5-3
Primary and Secondary LSPs .................................................... 5-8
Fast Reroute .................................................................5-22
Bypass LSPs .................................................................5-35
LSP Optimization .............................................................5-42
Lab 4: Traffic Protection .......................................................5-54

Chapter 6:

Miscellaneous MPLS Features . ........................................... . 6-1

Routing Table Integration ....................................................... 6-3
Forwarding Adjacencies .......................................................6-14
Policy Control over LSP Selection ................................................6-19
LSP Metrics .................................................................6-22
Automatic Bandwidth .........................................................6-24
TIL Handling ................................................................6-28
Explicit Null Configuration ......................................................6-34
MPLS Pings .................................................................6-36
Lab 5: Miscellaneous MPLS Features ............................................6-41

www.juniper.net

Contents' iii

Chapter 7:

VPN Review ............................................................ 7-1

Overview of VPNs .............................................................. 7-3
CPE-Based VPNs .............................................................. 7-7
Provider-Provisioned .......................................................... 7-11

Chapter 8:

Layer 3 VPNs .......................................................... 8-1

Layer 3 VPN Terminology ....................................................... 8-3
VPN-IPv4 Address Structure .................................................... 8-10
Policy-Based Routing Information Exchange ..................... , ................. 8-16
Traffic Forwarding ............................................................ 8-28
Lab 6: VPN Baseline Configuration .............................................. 8-39

Chapter 9:

Basic Layer 3 VPN Configuration .......................................... 9-1

Preliminary Steps .............................................................. 9-3
PE Router Configuration ....................................................... 9-11
Lab 7: Layer 3 VPN with Static and BGP Routing ................................... 9-49

Chapter 10: Troubleshooting Layer 3 VPNs ........................................... 10-1

A Layered Approach ........................................................... 10-3
The routing-instance Switch ............................................. 10-14
PE-Based and CE-Based Traceroutes ...........................................10-24
Viewing VRF Tables and PE-PE Signaling Flow .................................... 10-28
Monitoring PE-CE Routing Protocols ............................................ 10-38

Chapter 11: Layer 3 VPN Scaling and Internet Access .................................. 11-1
Scaling Layer 3 VPNs ......................................................... 11-3
Public Internet Access Options .................................................11-24
Lab 8: Route Reflection and Internet Access .....................................11-36

Chapter 12: Layer 3 VPNs-Advanced Topics .......................................... 12-1

Exchanging Routes Between VRF Tables .......................................... 12-3
Hub-and-Spoke Topologies ....................................................12-11
Layer 3 VPN CoS Options .....................................................12-25
Layer 3 VPN and GRE Tunneling Integration ......................................12-33
Layer 3 VPN and IPsec Integration ..............................................12-37
Lab 9: GRE Tunnel Integration .................................................12-43

Chapter 13: Multicast VPNs ........................................................ 13-1

Multicast VPN Overview ....................................................... 13-3
Next-Generation MVPN Operation .............................................. 13-12
Configuration ...............................................................13-33
Monitoring .................................................................13-39

iv Contents

www.juniper.net

Chapter 14: BGP Layer 2 VPNs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 14-1

Overview of Layer 2 Provider-Provisioned VPNs .................................... 14-3
BGP Layer 2 VPN Operational Model: Control Plane ............................... 14-11
BGP Layer 2 VPN Operational Model: Oata Plane ................................. 14-22
Preliminary Layer 2 VPN Configuration ......................................... 14-33
Layer 2 VPN Configuration ................................................... 14-40
Layer 2 interworking ........................................................ 14-57
Monitoring and Troubleshooting Layer 2 VPNs ................................... 14-60
Lab 10: BGP Layer 2 VPNs ................................................... 14-71

Chapter 15: Layer 2 VPN Scaling and COS ........................................... 15-1

Review ofVPN Scaling Mechanisms ............................................. 15-3
Layer 2 VPNs and CoS ......................................................... 15-7

Chapter 16: LDP Layer 2 Circuits ................................................... 16-1

LOP Layer 2 Circuit Operation ................................................... 16-3
LOP Layer 2 Circuit Configuration ................................................ 16-8
Layer 2 Internetworking ..................................................... 16-15
LOP Layer 2 Circuit Monitoring and Troubleshooting .............................. 16-18
Circuit Cross Connect ....................................................... 16-26
Lab 11: Circuit Cross Connect and LOP Layer 2 Circuits ........................... 16-33

Chapter 17: Virtual Private LAN Service .............................................. 17-1

Layer 2 MPLS VPNs Versus VPLS ................................................ 17-3
BGP VPLS Control Plane ....................................................... 17-9
LOP VPLS Control Plane ..................................................... 17-23
Learning and Forwarding Process ............................................. 17-26
Loops .................................................................... 17-43

Chapter 18: VPLS Configuration ......... ......................................... .. 18-1

VPLS Configuration ...........................................................18-3
VPLS Troubleshooting ....................................................... 18-31
Lab 12: Virtual Private LAN Service ............................................ 18-42

Chapter 19: InterproviderVPNs .................................................... 19-1

Hierarchical VPN Models .......................................................19-3
Junos Support of Carrier-of-Carriers Model ........................................ 19-9
Junos Support of Carrier-of-Carriers VPN Applications ............................. 19-23
Lab 13: Carrier-of-Carrier VPNs ............................................... 19-40

Appendix A: Acronym List ............. ............................................. . A-1

Appendix B: Answer Key ............................................................B-1

www.juniper.net

Contents v

vi Contents

www.juniper.net

Configure BGP and LDP VPLS.

Troubleshoot VPLS.
Describe the Junos OS support for carrier of carriers.
Describe the Junos OS support for interprovider VPNs.

Intended Audience
This course benefits individuals responsible for configuring and monitoring devices running the
Junos OS.

Course Level
Junos MPLS and VPNs (JMV) is an advanced-level course.

Prerequisites
Students should have intermediate-level networking knowledge and an understanding of the Open
Systems Interconnection (OSI) model and the TCPjlP protocol suite. Students should also have
familiarity with the Protocol Independent Multicast-Sparse Mode (PIM-SM) protocol. Students
should also attend the Introduction to the Junos Operating System (IJOS), Junos Routing Essentials
(JRE), and Junos Service Provider Switching (JSPX) courses prior to attending this class.

www.juniper.net

Course Overview vii

Course Agenda
Day 1
Chapter 1:

Course Introduction

Chapter 2:

MPLS Fundamentals
Lab 1: MPLS Fundamentals

Chapter 3:

Label Distribution Protocols

Chapter 4:

Constrained Shortest Path First

Lab 2: Label Distribution Protocols

Lab 3: CSPF

Day 2
Chapter 5:

Traffic Protection and LSP Optimization

Lab 4: Traffic Protection

Chapter 6:

Miscellaneous MPLS Features

Chapter 7:

VPN Review

Chapter 8:

Layer 3 VPNs

Lab 5: Miscellaneous MPLS Features

Lab 6: VPN Baseline Configuration

Day 3
Chapter 9:

Basic Layer 3 VPN Configuration

Lab 7: Layer 3 VPN with Static and BGP Routing

Chapter 10: Troubleshooting Layer 3 VPNs

Chapter 11: Layer 3 VPN Scaling and Internet Access
Lab 8: Route Reflection and Internet Access
Chapter 12: Layer 3 VPNs-Advanced Topics
Lab 9: GRE Tunnel Integration

Day 4
Chapter 13: Multicast VPNs
Chapter 14: BGP Layer 2 VPNs
Lab 10: BGP Layer 2 VPNs
Chapter 15: Layer 2 VPN Scaling and COS
Chapter 16: LOP Layer 2 Circuits
Lab 11: Circuit Cross Connect and LOP Layer 2 Circuits
Chapter 17: Virtual Private LAN Service

Day 5
Chapter 18: VPLS Configuration
Lab 12: Virtual Private LAN Service
Chapter 19: Interprovider VPNs
Lab 13: Carrier-of-Carrier VPNs

viii Course Agenda

www.juniper.net

Course Overview
This five-day course is designed to provide students with MPLS-based virtual private network (VPN)
knowledge and configuration examples. The course includes an overview of MPLS concepts such
as control and forwarding plane, RSVP Traffic Engineering, LDP, Layer 3 VPNs, next-generation
multicast virtual private networks (MVPNs), BGP Layer 2 VPNs, LDP Layer 2 Circuits, and virtual
private LAN service (VPLS). This course also covers Junos operating system-specific
implementations of Layer 2 control instances and active interface for VPLS. This course is based on
the Junos OS Release 10.3Rl.9.
Through demonstrations and hands-on labs, students will gain experience in configuring and
monitoring the Junos OS and in device operations.

Objectives
After successfully completing this course, you should be able to:
Explain common terms relating to MPLS.
Explain routers and the way they forward MPLS packets.
Explain packet flow and handling through a label-switched path (LSP).
Describe the configuration and verification of MPLS forwarding.
Understand the information in the Label Information Base.
Explain the two label distribution protocols used by the Junos OS.
Configure and troubleshoot RSVP-signaled and LDP-signaled LSPs.
Explain the constraints of both RSVP and LDP.
Explain the path selection process of RSVP without the use of the Constrained
Shortest Path First (CSPF) algorithm.
Explain the Interior Gateway Protocol (IGP) extensions used to build the Traffic
Engineering Database (TED).
Describe the CSPF algorithm and its path selection process.
Describe administrative groups and how they can be used to influence path selection.
Describe the default traffic protection behavior of RSVP-Signaled LSPs.
Explain the use of primary and secondary LSPs.
Explain LSP priority and preemption.
Describe the operation and configuration of fast reroute.
Describe the operation and configuration of link and node protection.
Describe the LSP optimization options.
Explain the purpose of several miscellaneous MPLS features.
Explain the definition of the term "Virtual Private Network".
Describe the differences between prOVider-provisioned and customer-provisioned
VPNs.
Describe the differences between Layer 2 VPNs and Layer 3 VPNs.
Explain the features of provider-provisioned VPNs supported by the Junos OS.
Explain the roles of Provider (P) routers, Provider Edge (PE) routers, and Customer
Edge (CE) routers.
Describe the VPN-IPv4 address formats.
Describe the route distinguisher use and formats.
Explain the RFC 4364 control flow.
www.juniper.net

Course Overview v

Create a routing instance, assign interfaces, create routes, and import and export
routes within the routing instance using route distinguishers and route targets.
Explain the purpose of BGP extended communities and how to configure and use
these communities.
Describe the steps necessary for proper operation of a PE to CE dynamic routing
protocol.
Configure a simple Layer 3 VPN using a dynamic CE-PE routing protocol.
Describe the routing-instance switch.
Explain the issues with the support of traffic originating on multiaccess VPN routing
and forwarding table (VRF table) interfaces.
Use operational commands to view Layer 3 VPN control exchanges.
Use operational commands to display Layer 3 VPN VRF tables.
Monitor and troubleshoot PE-CE routing protocols.
Describe the four ways to improve Layer 3 VPN scaling.
Describe the three methods for providing Layer 3 VPN customers with Internet access.
Describe how the auto-export command and routing table groups can be used to
support communications between sites attached to a common PE router.
Describe the flow of control and data traffic in a hub-and-spoke topology.
Describe the various Layer 3 VPN class-of-service (CoS) mechanisms supported by
the Junos OS.
Explain the Junos OS support for generic routing encapsulation (GRE) and IP Security
(IPsec) tunnels in Layer 3 VPNs.
Describe the flow of control traffic and data traffic in a next-generation MVPN.
Describe the configuration steps for establishing a next-generation MVPN.
Monitor and verify the operation of next-generation MVPNs.
Describe the purpose and features of a BGP Layer 2 VPN.
Describe the roles of a CE device, PE router, and P router in a BGP Layer 2 VPN.
Explain the flow of control traffic and data traffic for a BGP Layer 2 VPN.
Configure a BGP Layer 2 VPN and describe the benefits and requirements of
over-provisioning.
Monitor and troubleshoot a BGP Layer 2 VPN.
Explain the BGP Layer 2 VPN scaling mechanisms and route reflection.
Describe the Junos OS BGP Layer 2 VPN CoS support.
Describe the flow of control and data traffic for an LOP Layer 2 circuit.
Configure an LOP Layer 2 circuit.
Monitor and troubleshoot an LOP Layer 2 circuit.
Describe and configure circuit cross-connect (CCC) MPLS interface tunneling.
Describe the difference between Layer 2 MPLS VPNs and VPLS.
Explain the purpose of the PE device, the CE device, and the P device.
Explain the provisioning of CE and PE routers.
Describe the signaling process of VPLS.
Describe the learning and forwarding process of VPLS.
Describe tile potential loops in a VPLS environment.
vi Course Overview

www.juniper.net

Junos MPLS and VPNs

.. Before we get started ...

Ct

What is your name?

.. Where do you work?

.. What is your primary role in your
organization?
.. What kind of network experience
do you have?
.. Are you certified on Juniper Networks?
.. What is the most important thing for
you to learn in this training session?

Introductions
The slide asks several questions for you to answer during class introductions.

www.juniper.net

Course Introduction' Chapter 1-3

Junos MPLS and VPNs

II1II

Contents:
Chapter 1: Course Introduction
Chapter 2: MPLS Fundamentals
Chapter 3: Label Distribution Protocols
Chapter 4: Constrained Shortest Path First
Chapter 5: Traffic Protection and LSP Optimization
Chapter 6: Miscellaneous MPLS Features
Chapter 7: VPN Review
Chapter 8: Layer 3 VPNs

Course Contents: Part 1

The slide lists the topics we discuss in this course.

Chapter 1-4 Course Introduction

www.juniper.net

Junos MPLS and VPNs

III

Contents: (contd.)
.. Chapter 9: Basic Layer 3 VPN Configuration
.. Chapter 10: Troubleshooting Layer 3 VPNs
.. Chapter 11: Layer 3 VPN Scaling and Internet Access
Chapter 12: Layer 3 VPNs-Advanced Topics
Chapter 13: Multicast VPNs
Chapter 14: BGP Layer 2 VPNs
Chapter 15: Layer 2 VPN Scaling and CoS
Chapter 16: LOP Layer 2 Circuits
Chapter 17: Virtual Private LAN Service
" Chapter 18:VPLS Configuration
Chapter 19: Interprovider Backbones

Course Contents: Part 2

The slide lists the continuation of topics we discuss in this course.

www.juniper.net

Course Introduction' Chapter 1-5

Junos MPLS and VPNs

III

The prerequisites for this course are the following:

.. Understanding of the Open Systems Interconnection model
.. Familiarity with PIM-SM for multicast
Junos OS configuration experience-the Introduction to the
Junos Operating System (IJOS) course or equivalent
.. Intermediate routing knowledge-the Junos Routing
Essentials (JRE) course or equivalent
.. Intermediate switching knowledge-the Junos Service
Provider Switching (JSPX) course or equivalent

Prerequisites
The slide lists the prerequisites for this course.

Chapter 1-6 Course Introduction

www.juniper.net

Junos MPLS and VPNs

III

The basics:
Sign-in sheet
Schedule
Class times
Breaks
Lunch

Break and restroom facilities

Fire and safety procedures
Communications
Telephones a nd wi reless devices
I nternet access

General Course Administration

The slide documents general aspects of classroom administration.

www.juniper.net

Course Introduction' Chapter 1-7

Junos MPLS and VPNs

III

Available materials for classroom-based

and instructor-led online classes:
Lecture material
Lab guide
Lab equipment

III

Self-paced online courses also available

http:;/www.juniper.neVtrainingitechnical_education/

Training and Study Materials

The slide describes Education Services materials that are available for reference both in the
classroom and online.

Chapter 1-8 Course Introduction

www.juniper.net

Junos MPLS and VPNs

III

For those who want more:

Juniper Networks Technical Assistance Center (JTAC)
Ilttp:jjWww.juniper.netjsupportjrequesting-support.lltml

Juniper

Networ~<s

books

http://www.juniper.netjtraining/jnbooksj

Hardware and software technical

documentation
Online: Ilttp:jjwww.juniper.netjtechpubsj
Image files for offline viewing:
http://www.juniper.netjtechpubsjresourcesjcdrom.lltml

Certification resources
http:jjwww.juniper.netjtraining/certificationjresources.lltml

Additional Resources
The slide provides links to additional resources available to assist you in the installation,
configuration, and operation of Juniper Networks products.

www.juniper.net

Course Introduction Chapter 1-9

Junos MPLS and VPNs

G'2i
G'2i
5t'i
5t'i
5t'i
5t'i
5t'i

Fee,jl1ach

5t'i
5t'i

==

III

To receive your certificate, you must complete the

survey
.. Either you will receive a survey to complete at the end of
class, or we will e-mail it to you within two weeks
Completed surveys help us serve you better!

Satisfaction Feedback
Juniper Networks uses an electronic survey system to collect and analyze your comments and
feedback. Depending on the class you are taking, please complete the survey at the end of the class,
or be sure to look for an e-mail about two weeks from class completion that directs you to complete
an online survey form. (Be sure to provide us with your current e-mail address.)
Submitting your feedback entitles you to a certificate of class completion. We thank you in advance
for taking the time to help us improve our educational offerings.

Chapter 1-10 Course Introduction

www.juniper.net

Junos MPLS and VPNs

III

Formats:
Classroom-based instructor-led technical courses
Online instructor-led technical courses
Hardware installation eLearning courses as well as technical
eLearning courses

III

Complete list of courses:

http:;jwww.juniper.neVtraining/technical_educationj

Juniper Networks Education Services Curriculum

Juniper Networks Education Services can help ensure that you have the knowledge and skills to
deploy and maintain cost-effective, high-performance networks for both enterprise and service
provider environments. We have expert training staff with deep technical and industry knowledge.
providing you with instructor-led hands-on courses in the classroom and online, as well as
convenient, self-paced eLearning courses.

Course List
You can access the latest Education Services offerings covering a wide range of platforms at
http://www.juniper.netjtrainingjtechnical_education/.

www.juniper.net

Course Introduction Chapter 1-11

Junos MPLS and VPNs

II

Why earn a Juniper Networks certification?

.. Juniper Networks certification makes you stand out
Unleash your creativity across the
entire network

CERTIFICATION
PROGRAM

Deliver your vision. design. and

arcllitecture
Sets you apart from your peers

.. Capitalize on the promise of the

New Network
Develop and deploy the services
you need
Lead tile way and increase your value

.. Unique benefits for certified individuals

Juniper Networks Certification Program

A Juniper Networks certification is the benchmark of skills and competence on Juniper Networks
technologies.

Chapter 1-12 Course Introduction

www.juniper.net

Junos MPLS and VPNs

Juniper Networks Certification Program Overview

The Juniper Networks Certification Program (JNCP) consists of platform-specific, multitiered tracks
that enable participants to demonstrate competence with Juniper Networks technology through a
combination of written proficiency exams and hands-on configuration and troubleshooting exams.
Successful candidates demonstrate thorough understanding of Internet and security technologies
and Juniper Networks platform configuration and troublesllooting skills.
The JNCP offers the following features:
Multiple tracks;
Multiple certification levels;
Written proficiency exams; and
Hands-on configuration and troubleshooting exams.
Each JNCP track has one to four certification levels-Associate-Ievel, Specialist-level,
Professional-level, and Expert-level. Associate-level and Specialist-level exams are computer-based
exams composed of multiple choice questions administered at Prometric testing centers worldwide.
Professional-level and Expert-level exams are composed of hands-on lab exercises administered at
select Juniper Networks testing centers. Professional-level and Expert-level exams require that you
first obtain the next lower certification in the track. Please visit the JNCP Web site at
http://www.juniper.netjcertification for detailed exam information, exam pricing, and exam
registration.

www.juniper.net

Course Introduction Cilapter 1-13

Junos MPLS and VPNs

III

Training and study resources:

.. Juniper Networks Certification Program Web site
.. Education Services training classes
www.juniper.net/training
Juniper Networks documentation and white papers

III

Preparing for practical exams requires a lot of

hands-on practice:
..

On-the~ob

experience

Education Services training classes

.. Equipment access

Preparing and Studying

The slide lists some options for those interested in preparing for Juniper Networks certification.

Chapter 1-14 Course Introduction

www.juniper.net

Junos MPLS and VPNs

Any Questions?
If you have any questions or concerns about the class you are attending, we suggest that you voice
them now so that your instructor can best address your needs during class.

www.juniper.net

Course Introduction' Chapter 1-15

Junos MPLS and VPNs

Chapter 1-16 Course Introduction

www.juniper.net

Junos MPLS and VPNs

Chapter 2: MPLS Fundamentals

Junos MPLS and VPNs

III

After successfully completing this chapter, you will be

able to:
.. Define common MPLS terms
.. Describe the way a router forwards MPLS packets
.. Describe MPLS packet flow and packet processing from
ingress to egress router
.. Configure a router and interface to perform MPLS
forwarding
.. Examine the Label Information Base

This Chapter Discusses:

Common terms relating to MPLS;
Routers and the way they forward MPLS packets;
Packet flow and handling through a label-switched path (LSP);
Configuration and verification of MPLS forwarding; and
Understanding the information in the Label Information Base (LIB).

Chapter 2-2 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

~ MPLS

Foundation

.. Terminology
.. MPLS Configuration
III

MPLS Packet Forwarding

MPLS Foundation
The slide lists the topics we cover in this chapter. We discuss the highlighted topic first.

www.juniper.net

MPLS Fundamentals Chapter 2-3

Junos MPLS and VPNs

IIIIGP Forwarding
Traffic is routed based on the IGP's best path selection

Traffic that is destined for networks attached to R6 and R7

uses the same path

Rl

IGP Forwarding
This slide shows metric-based traffic engineering in action. When sending traffic from a network
connected to Rl to a network connected to R6, traffic is routed through R3 because it has a lower
overall cost (3, as opposed to 4, through R4). Note that not only the traffic destined for networks
connected to R6 follow the upper path, but also all traffic for networks connected to R7 and any routers
downstream from these routers.

Chapter 2-4 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

III

Redirecting traffic from R1, destined for R7! to

traverse R4 causes traffic destined to R6 to use R4
also
This redirecting of traffic causes some of your links to be
underutilized, while others are overutilized

Rl
1

Redirecting Traffic
At some point, sending all of the traffic for R6 and R7 and points beyond through the R3 might not be
the best idea. For example, a lot of local traffic to the R3 might exist, and this traffic might delay the
traffic to R6 and R7 while the path through R4 is underutilized. Whatever the actual cause, you might
want to route at least some of the traffic to some destinations over the lower links and through R4.
Suppose traffic for R7 needs to be rerouted onto this lower path.
Rerouting traffic for R7 by raising metrics along the current path, as shown in the slide, has the desired
effect. Traffic to R7 now follows the path with cost 4 instead of cost 5. But forcing the traffic to use R4,
by raising the metric on the upper path, has the unintended effect of causing traffic destined for R6 to
do the same and flow through R4.
Because interior gateway protocol (IGP) route calculation is topology driven and based on a simple
additive metric, such as the hop count or an administrative value, the traffic patterns on the network are
not taken into account when the IGP calculates its forwarding table. As a result, traffic will not be evenly
distributed across the network's links, causing inefficient use of expensive resources. Some links may
become congested, while other links remain underutilized. This result might be satisfactory in a smaller
network with less traffic, but in larger networks or networks with many connections, you must control the
paths that traffic takes in order to balance the traffic load. In other words, you need more control for
realistic traffic engineering than the usual IGP method of sending al/ traffic to a group of destinations
over the same, single best path.

www.juniper.net

MPLS Fundamentals Chapter 2-5

Junos MPLS and VPNs

III

Adjusting the IGP metric might destabilize the network

.. Moves the problem to another section of the network
Some of the links will be underutilized
Some of the links will be congested and overutilized

.. Lacks control
All traffic flows over the IG P shortest path

Possible Destabilization
Changing of IGP metric to force traffic path movements has more drawbacks than just moving the traffic
to downstream destinations along with the target to the new path. Adjusting metrics manually can have
a severe destabilizing effect on a network, especially a large one. As Internet service provider (ISP)
networks became more richly connected, it became more difficult to ensure that a metric adjustment in
one part of the network did not cause problems in another part of the network. Adjusting metrics just
tended to move problems around. The low-cost links and paths became saturated, wllile the higher-cost
links and paths remained almost devoid of traffic.
There was little to no real control over the process. All traffic followed the path with the lowest IGP metric
because no other standard mechanism to distribute traffic flow existed. There were no rules and few
guidelines to follow about which metrics to adjust and by how much to adjust them. Traffic engineering
based on metric manipulation offered a trial-and-error approach, rather than a scientific solution to an
increasingly complex problem.

Chapter 2-6 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

l1li

ATM switched networks also known as an Overlay

Network
l1li

Benefits of using ATM

ATM switches offered performance and predictable behavior
Virtual circuits (VCs) could be reengineered without physical
network changes.
Traffic statistics on a per-VC basis

l1li

Downsides of ATM
Maintain separate infrastructure
ATM cell overhead
Scalability issues
Not well integrated

ATM Switched Networks

Despite the obvious drawbacks to manual traffic engiheering through IGP metric adjustments,
metric-based traffic controls continued to be an adequate traffic engineering solution until the mid-'90s.
Most ISPs turned to Asynchronous Transfer Mode (ATM) as their core technology. ATM is also referred to
as an Overlay Network, which indicates tl1ere are multiple networks working in parallel to forward traffic.

Benefits of ATM
ATM switches use what are called virtual circuits (VCs) to logically connect the routers and forward
traffic. From the perspective of the routers these VCs are viewed as pOint-to-point connections, but as
you can see the physical topology can be much more complicated. If a section within the network is
deemed to be overutilized then the VCs can be altered, moving traffic to a less utilized section, without
changing the topology from the routers perspective. Another benefit for using an ATM network is the
ability to gather statistics on a per-VC basis. With standard IGP routing there was no way to gather
relevant statistics because all traffic either entering or leaving the router was counted. Being able to
count the traffic entering or leaving a VC allowed the ISPs to evaluate the network load of each VC and
engineer their network accordingly.
Continued on next page.

www.juniper.net

MPLS Fundamentals Chapter 2- 7

Junos MPLS and VPNs

Downsides of ATM
One of the downsides to running an ATM overlay network is that each of the different core technologies
(ATM and IP) required separate expert engineers and support staff to address the problems in their
platforms.
Another downside is that, ATM cell overhead (often called the ATM cell tax) is introduced when
packet-oriented protocols, such as IP, are carried over an ATM infrastructure. ATM overhead is never less
than about 10% and sometimes as high as 62% (a 40-byte TCP/IP acknowledgement packet requires
106 bytes of ATM on the wire when using ML 5 and multi protocol encapsulation). Assuming 20%
overhead for ATM running on a 2.488-Gbps OC-48 link, 1.99 Gbps is available for customer data, and
498 Mbps-almost a full OC-12-is required for the ATM overhead. On a 10-Gbps OC-192 interface,
some 1.99 Gbps-almost a full OC-48 of the link's capacity-is consumed by ATM overhead!
A network that deploys a full mesh of ATM VCs exhibits the traditional n2 problem for the number of links
to be maintained (n x (n-1))/2) where n is the number of routers. For relatively small or moderately sized
networks, this problem is not a major issue. However, for core ISPs with hundreds of attached routers,
the challenge is quite significant. For example, when expanding a network from five to six routers, an ISP
must increase the number of VCs from 20 to 30. However, increasing the number of attached routers
from 200 to 201 requires the addition of 400 new VCs-an increase from 39,800 to 40,200 VCs. These
numbers do not include backup VCs or additional VCs for networks running multiple services that
require more than one VC between any two routers.
ATM VCs are not integrated with the IGP either. Thus, deploying full-mesh of VCs also stresses the IGP.
This stress results from the number of peer IGP relationships that must be maintained, the challenge of
processing n 3 link-state updates in the event of a failure, and the complexity of performing the Dijkstra
calculation over a topology containing a significant number of logical links. As an ATM core expands, the
n2 stress on the IGP compounds.

Chapter 2-8 MPLS Fundamentals

www.juniper.net

Junos MPlS and VPNs

III

Frame Relay networks

Benefits of using Frame Relay
Uses virtual circuits (VCs)to move traffic to its destination
Uses Data Link Connection Identifier (DLCI) nuniber to separate
VCs
Built in Congestion Control

Downsides of Frame Relay

Maintain separate infrastructure

Frame Relay Networks

Frame relay networks are also an overlay network. Frame Relay also use virtual circuits to create logical
connections between routers. Frame Relay uses a unique data-link connection identifier (DlCI) number
to separate one VC from another. Frame relay also has a built in congestion control mechanism.
Frame relay also has its downsides. Similar to ATM a Frame Relay switch network is running multiple
core technologies (Frame Relay and IP) and each one required separate expert engineers and support
staff to address the problems in their platforms.

www.juniper.net

MPlS Fundamentals Chapter 2-9

Junos MPLS and VPNs

III

Some benefits of MPLS include:

.. Improved route lookup time by using labels to forward traffic
.. Increased scalability
.. Additional control over how traffic moves through the
network using traffic engineering
R3

R6

Rl

Benefits of MPLS: Part 1

Because core routing platforms and link speed increased so much within a few years the benefits of
running a core of ATM switches was no longer being seen. Routers are as fast, if not faster, than the
speediest ATM switch. High-speed interfaces, deterministic performance, and traffic engineering using
VCs no longer distinguish ATM switches from Internet backbone routers. The deployment of a
router-based core solves a number of inherent problems with the ATM model: the complexity and
expense of coordinating two sets of equipment, the bandwidth limitations of ATM segmentation and
reassembly (SAR) interfaces, the cell tax, the n2 VC problem, the IGP stress, and the limitation of not
being able to operate over a mixed-media infrastructure.
MPLS was originally designed to make IP routers as fast as ATM switches for handling traffic. MPLS
uses label values to make its forwarding decisions as traffic traverses the network. It is still
commonly believed that MPLS somehow significantly enhances the forwarding performance of
label-switching routers. However, it is more accurate to say that exact-match lookups, such as those
performed by MPLS and ATM switches, historically have been fasterthan the longest-match lookups
performed by IP routers.
In any case, recent advances in silicon technology allow application-specific integrated circuit
(ASIC)-based route-lookup engines to run just as fast as MPLS or ATM virtual path identifier (VPI)!virtual
channel identifier (VCI) lookup engines, so MPLS is no longer seen as just a faster way of routing.

Chapter 2-10 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

III

Service Providers can offer different technologies like

ATM, Frame Relay, Ethernet, and lover the same
infrastructu re

Benefits of MPLS: Part 2

The real benefit of MPLS is that it provides a clean separation between routing (that is, control) and
forwarding (that is, moving data). This separation allows the deployment of a single forwarding
algorithm-MPLS-that can be used for multiple services and traffic types. In the future, as ISPs must
develop new revenue-generating services, the MPLS forwarding infrastructure can remain the same,
while new services are built by simply changing the way packets are assigned to an LSP. For example,
packets can be assigned to a label-switched path based on a combination of the destination
subnetwork and application type, a combination of the source and destination subnetworks, a specific
quality-of-service (QoS) requirement, an IP multicast group, or a virtual private network (VPN) identifier.
In this manner, new services can be migrated easily to operate over the common MPLS forwarding
infrastructure.

www.juniper.net

MPLS Fundamentals Chapter 2-11

Junos MPLS and VPNs

III

The MPLS packet header

.. M PLS header is prepended to packet with a push operation
at ingress node
.. Label is added immediately after Layer 2 encapsulation
header
Data

32-Bit
MPLSshim Header

.. Packet is restored at the end of the LSP with a pop

operation
.. Normally the label stack is popped at the penultimate
router

MPLS Packet Header

MPLS is responsible for directing a flow of IP packets along a predetermined path across a network. This
path is the LSP, which is similar to an ATM VC in that it is unidirectional. That is, the traffic flows in one
direction from the ingress router to an egress router. Duplex traffic requires two LSPs-that is, one path
to carry traffic in each direction. An LSP is created by the concatenation of one or more label-switched
hops that direct packets between LSRs to transit the MPLS domain.
When an IP packet enters a label-switched path, the ingress router examines the packet and assigns it a
label based on its destination, placing a 32-bit (4-byte) label in front of the packet's header immediately
after the Layer 2 encapsulation. The label transforms the packet from one that is forwarded based on IP
addressing to one that is forwarded based on the fixed-length label. The slide shows an example of a
labeled IP packet. Note that MPLS can be used to label non-IP traffic, such as in the case of a Layer 2
VPN.
MPLS labels can be assigned per interface or per router. The Junos operating system currently assigns
MPLS label values on a per-router basis. Thus, a label value of 10234 can only be assigned once by a
given Juniper Networks router. Multicast and IPv6 labelS are assigned independently of unicast packet
labels. The Junos as currently does not support labeled multicast or IPv6, except in the context of a
Layer 2 or Layer 3 VPN.

Continued on next page.

Chapter 2-12 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

MPLS Packet Header (contd.)

At egress the IP packet is restored when the MPLS label is removed as part of a pop operation. The now
unlabeled packet is routed based on a longest-match IP address lookup. In most cases, the penultimate
(or second to last) router pops the label stack in penultimate hop popping. In some cases, a labeled
packet is delivered to the ultimate router-the egress label-switching router (LSR)-when the stack is
popped, and the packet is forwarded using conventional IP routing.

www.juniper.net

MPLS Fundamentals Chapter 2-13

Junos MPLS and VPNs

II

MPLS shim header consist of four fields

..

..

Label-used to associate packet with an LSP

Experimental bits-carry packet queuing priority (CoS)
Stacking bit
Time to live-limits packet lifetime within LSP
In tnostcases. the IP TTL is copied into the MPLS TTL

MPLSHeader

Data

32 bits

The MPLS Header (Label) Structure

The 32-bit MPLS header consists of the following four fields:

20-bit label: Identifies the packet to a particular LSP. This value changes as the packet
flows on the LSP from LSR to LSR.
Class of service (CoS) (experimental): Indicates queuing priority through the network. This
field was initially just the CoS field, but lack of standard definitions and use led to the
current designation of this field as experimental. In other words, this field was always
intended for CoS, but which type of CoS is still experimental. At each hop along the way, the
CoS value determines which packets receive preferential treatment within the tunnel.
Bottom of stack bit: Indicates whether this MPLS packet has more than one label
associated with it. The MPLS implementation in the Junos OS supports unlimited label
stack depths for transit LSR operations. At ingress up to three labels can be pushed onto a
packet. The bottom of the stack of MPLS labels is indicated by a 1 bit in this field; a setting
of 1 tells the LSR that after popping the label stack an unlabeled packet will remain.
Time to five (TTL): Contains a limit on the number of router hops this MPLS packet can
travel through the network. It is decremented at each hop, and if the TIL value drops below
1, the packet is discarded. The default behavior is to copy the value of the IP packet into
this field at the ingress router.

Chapter 2-14 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

III

Key things to remember about labels:

Labels can be assigned manually or by a signaling protocol
in each LSR during path setup
Label values will change at each segment in the path
The LSR will swap incoming label with new unique outgoing
label
MPLS Labels only have local significance

Things to Remember
The following are some of the key things to remember about working with MPLS labels:
MPLS labels can be either assigned manually or set up by a signaling protocol running in
each LSR along the path of the LSP. Once the LSP is set up, the ingress router and all
subsequent routers in the LSP do not examine the IP routing information in the labeled
packet-they use the label to look up information in their label forwarding tables. Changing
Labels by Segment
Much as with ATM VCls, MPLS label values change at each segment of the LSP. A single
router can be part of multiple LSPs. It can be the ingress or egress router for one or more
LSPs, and it also can be a transit router of one or more LSPs. The functions that each router
supports depend on the network design.
The LSRs replace the old label with a new label in a swap operation and then forward the
packet to the next router in the path. When the packet reaches the LSP's egress point, it is
forwarded again based on longest-match IP forwarding.
There is nothing unique or special about most of the label values used in MPLS. We say
that labels have local significance, meaning that a label value of 10254, for example,
identifies one LSP on one router, and the same value can identify a different LSP on
another router.

www.juniper.net

MPLS Fundamentals Chapter 2-15

Junos MPLS and VPNs

III

Label values 0 through 15 are currently reserved

= IPv4Explicit NULL
-1 = Router Alert Label
-2 = IPv6 Explicit NULL
-3 = Implicit NULL
-0

- 4 through 15 = for future use

Reserved MPLS Label Values

Labels 0 through 15 are reserved according to the procedures outlined in RFC 3032, MPLS Label Stack
Encoding.
A value of 0 represents the IP version 4 (lPv4) explicit null label. This label value is legal
only when it is the sole label stack entry. It indicates that the label stack must be popped,
and the forwarding of the packet must then be based on the IPv4 header.
A value of 1 represents the router alert label. This label value is legal anywhere in the label
stack except at the bottom. When a received packet contains this label value at the top of
the label stack, it is delivered to a local software module for processing. The label beneath
it in the stack determines the actual forwarding of the packet. However, if the packet is
forwarded further, the router alert label should be pushed back onto the label stack before
forwarding. The use of this label is analogous to the use of the router alert option in IP
packets. Because this label cannot occur at the bottom of the stack, it is not associated
with a particular network layer protocol. Essentially, label value 1 gives MPLS modules in
different routers a way to communicate with each other.
Continued on next page.

Chapter 2-16 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

Reserved MPLS Label Values (contd.)

A value of 2 represents the IP version 6 (lPv6) explicit nul/label. This label value is legal
only when it is the sole label stack entry. It indicates that the label stack must be popped,
and the forwarding of the packet then must be based on the IPv6 header.
A value of 3 represents the implicit nul/ label. This is a label that an LSR can assign and
distribute, but it never actually appears in the encapsulation. When an LSR would
otherwise replace the label at the top of the stack with a new label, but the new label is
implicit null, the LSR pops the stack instead of doing the replacement. Although this value
might never appear in the encapsulation. it must be specified in the label signaling
protocol, so a value is reserved.
Values 4-15 are reserved for future use.

www.juniper.net

MPLS Fundamentals Chapter 2-17

Junos MPLS and VPNs

III

Label Information Base

The LIB is stored in the mpls. 0 table
Thempls. 0 table is automatically created, with label values for O.
1. and 2, when you configure the MPLS protocol
This table is used by transit routers to make forwarding decisions
The mpls . 0 table maps the incoming labels with the outgoing
label and next 110P to forward the packets
user@R3> show route table mpls.O

mpls.O: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both
*[MPLS/O] 01:13:17,
Receive
*[MPLS/O] 01:13:17,
Receive
*[MPLS/O] 01:13:17,
Receive
*[MPLS/6] 01:13:16,
> to 172.20.100.14

metric 1
metric 1
metric 1
metric 1
via ge-1/0/6.0, Swap 1000515

Label Information Base

The LIB and mappings are stored in the mpls. 0 routing table. When you configure the MPLS protocol,
the software automatically creates this table. When "it creates this table it installs three default labels in
this table. Packets received with these label values are sent to the Routing Engine for processing. As
mentioned earlier, Label 0 is the IPv4 explicit null label, Label 1 is the MPLS equivalent of the IP Router
Alert label and Label 2 is the IPv6 explicit null label.
The transit routers use this table to make forwarding decisions based on the incoming label. The router
will consult this table and determine what the nexthop should be and what the outgoing label should
be. This happens at each transit router to ensure the traffic is traversing the correct path through the
network.
In the sample output you can see the three default labels are created with the action of Recei ve. You
will also notice there is an incoming label value of 1000050, which indicates that the next-hop is
172.20.100.14 via interface ge-1/0/6. The output also indicates that this particular router will swap the
label with 1000515 before sending the packet on to the next router in tile path.

Chapter 2-18 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

~Terminology

Terminology
The slide highlights the topic we discuss next.

www.juniper.net

MPLS Fundamentals Chapter 2-19

Junos MPLS and VPNs

II

The LSR performs:

MPLS packet forwarding
LSP setup

III

All M Series Routers, T Series Routers, and MX Series

Ethernet Services Routers support LSR capabilities
Simply called routers in this course

Rl

Label-8witching Routers
An LSR understands and forwards MPLS packets, which flow on, and are part of, an LSP. In addition, an
LSR participates in constructing LSPs for the portion of each LSP entering and leaving the LSR. For a
particular destination, an LSR can be at the start of an LSP, the end of an LSP, or in the middle of an
LSP. An individual router can perform one, two, or all of these roles as required for various LSPs.
However, a single router cannot be both entrance and exit points for any individual LSP.

Router = LSR
This course uses the terms LSR and
being an LSR.

Chapter 2-20 MPLS Fundamentals

router interchangeably because all Junos as routers are capable of

www.juniper.net

Junos MPLS and VPNs

III

LSP
" Unidirectional path through netwol-k
"Generally within a single MPLS domain

Label-Switched Path
An LSP is a one-way (unidirectional) flow of traffic, carrying packets from beginning to end. Packets must
enter the LSP at the beginning (ingress) of the path, and can only exit the LSP at the end (egress).
Packets cannot be injected into an LSP at an intermediate hop.
Generally, an LSP remains within a single MPLS domain. That is, the entrance and exit of the LSP, and all
routers in between, are ultimately in control of the same administrative authority. This ensures that
MPLS LSP traffic engineering is not done haphazardly or at cross purposes but is implemented in a
coordinated fashion.

www.juniper.net

MPLS Fundamentals Chapter 2-21

Junos MPLS and VPNs

II

Ingress router
.. Packets enter LSP at ingress
Also called a head-end router
.. Upstream from other routers
Performs label push operation
R3

R6

The Functions of the Ingress Router

Each router in an MPLS path performs a specific function and has a well-defined role based on whether
the packet enters, transits, or leaves the router.
At the beginning of the tunnel, the ingress router encapsulates an IP packet that will use this LSP to R6
by adding the 32-bit MPLS shim header and the appropriate data link layer encapsulation before
sending it to the first router in the path. Only one ingress router in a path can exist, and it is always at the
beginning of the path. All packets using this LSP enter the LSP atthe ingress router.
In some MPLS documents, this router is called the head-end router, or the label edge router (LER) forthe
LSP. In this course, we call it simply the ingress router for this LSP.
An ingress router always performs a push function, whereby an MPLS label is added to the label stack.
By definition, the ingress router is upstream from all other routers on the LSP.
In our example we see the packet structure. We can identify that the label number is 1000050 and the
ingress router action is to push this shim header in between the Layer 2 Frame and the IP header.

Chapter 2-22 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

III

Transit router
.. There can be zero or more transit routers
.. Perform label swap operations
.. Forward traffic to next hop in LSP

The Functions of the Transit Router

An LSP might have one or more transit routers along the path from ingress router to egress router. A
transit router forwards a received MPLS packet to the next hop in the MPLS path. Zero or more transit
routers in a path can exist. In a fully meshed collection of routers forming an MPLS domain, because
each ingress router is connected directly to an exit point by definition, every LSP does not need a transit
router to reach the exit point (although transit routers might still be configured, based on traffic
engineering needs).
MPLS processing at each transit point is a simple swap of one MPLS label for another. In contrast to
longest-match routing lookups, the incoming label value itself can be used as an index to a direct lookup
table for MPLS forwarding, but this is strictly an MPLS protocol implementation decision.
The MPLS protocol enforces a maximum limit of 253 transit routers in a single path because of the 8 bit
TIL field.
In our example we know that the packet was sent to us with the label value of 1000050 as the previous
slide indicated. Since this is a transit router we swap out the incoming label value with the outgoing
label value for the next section of the LSP. We now see that the label has a value of 1000515.

www.juniper.net

MPLS Fundamentals Chapter 2-23

Junos MPLS and VPNs

III

Penultimate router
.. Second-to-Iast router
.. Normally pops the label stack
.. Unlabeled packets sent to egress

The Function of the Penultimate Router

The second-to-Iast router in the LSP often is referred to as tile penultimate hop--a term that simply
means second to the last. In most cases the penultimate router performs a label pop instead of a label
swap operation. This action results in the egress router receiving an unlabeled packet that then is
subjected to a normal longest-match lookup.
Penultimate-hop popping (PHP) facilitates label stacking and can improve performance on some
platforms because it eliminates the need for two lookup operations on the egress router. Juniper
Networks routers perform equally well with, or without, PHP. Label stacking makes use of multiple MPLS
labels to construct tunnels within tunnels. In these cases, having the penultimate node pop the label
associated with tile outer tunnel ensures that downstream nodes will be unaware of the outer tunnel's
existence.
PHP behavior is controlled by the egress node by virtue of the label value that it assigned to the
penultimate node during the establishment of the LSP.
In our example you can see that the MPLS header has been popped and the router is sending the
packet on to the egress router without the MPLS information.

Chapter 2-24 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

III

Egress router
.. Packets exit LSP at egress
.. Also called tail-end router
.. Downstream from other routers
.. Forwards packets based on IP address
R3

Rl

The Functions of the Egress Router

The final type of router defined in MPLS is the egress router. Packets exit the LSP at the egress router
and revert to normal, IGP-based, next-hop routing outside the MPLS domain.
At the end of an LSP, the egress router routes the packet based on the native information and forwards
the packet toward its final destination using the normallP forwarding table. Only one egress router can
exist in a path. In many cases, the use of PHP eliminates the need for MPLS processing at the egress
node.
The egress router is sometimes called the tail-end router, or LER. We do not use these terms in this
course. By definition, the egress router is located downstream from every other router on the LSP.

www.juniper.net

MPLS Fundamentals Chapter 2-25

Junos MPLS and VPNs

~MPLS Configuration

MPLS Configuration
The slide highlights the topic we discuss next.

Chapter 2-26 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

III

Interface Configuration
Default behavior of an interface is to accept only I P packets.
Protocol family inet

Configure interface to accept MPLS packets

Protocol family mpls
[edit interfaces]
user@R2# shoTH'
ge-1/0/0 {
unit 0 {
family inet
address 172.20.100.21/30;

I family

mpls;j

Interface Configuration
The default behavior of an interface is to accept IP packets. In the Junos OS, this is done by adding the
protocol family inet with an IP address to tile interface you are working with. In order for the interface to
recognize and accept MPLS packets we have to also configure the MPLS protocol family under the
interfaces that will be participating in your MPLS domain. Sample output demonstrates an interface
configuration with both families applied.

www.juniper.net

MPLS Fundamentals Chapter 2-27

Junos MPLS and VPNs

III

Configured under protocols hierarchy

" Specify the interfaces that are running rvl PLS
[edit protocols]
user@R2# show

"You may also configure rvlPLS to include all interfaces

[edit protocols]
user@R2# show
mpls~{~~~__~~~
linterface all;
interface fxpO.O
disable;

MPLS is Configured Under Protocols Hierarchy

When configuring the router to support MPLS you must tell the protocol what interfaces it can use. In our
example there is one interface on this router that will be participating in MPLS. In addition to specifying
individual interfaces to participate in MPLS you can use the option to include all interfaces. Remember,
that you have to enable the interface to recognize MPLS traffic. If the interface is not configured for
protocol family MPLS, it will not send or receive MPLS packets. It is also good practice to disable the
management interface (FXPO) from participating, since it is not a routable interface.

Chapter 2-28 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

III

Configure a Static LSP on the ingress router

Define a static-label-switched-path name
Use the ingress configuration to identify the router as the
ingress LSR
Youmllstalso configure the to and next-hop statements
Configure the push statement with the outgoing label number
protoco15 {
mp15 {
5tatic-label-5witched-path <15p-name> {
ingre55 {
next-hop <addre55 or interface of next-hop router>;
to <addre55 of egre55 router>;
pU5h <label>;

Configure a Static LSP on the Ingress Router

The static LSP is configured under the protocols hierarchy.The first thing to configure is the LSP name.
This allows you to configure multiple static LSPs between two specific routers. It is not necessary to
configure unique names for static versus dynamic LSPs (a static LSP could have the same name as a
dynamic LSP configured on the same router). Having named LSPs also allows you to configure a
single-hop static LSP by specifying either an explicit null label or no label.
To configure a static LSP on an ingress router, include the ingress statement at the [edit
protocols mpls static-label-switched-path lsp-name] hierarchylevel.You must also
configure the to (address of egress router) and next-hop (address or interface name of next-hop to
reach next router) statements under the ingress statement. You can optionally configure the push
statement. If you configure the push statement, you must specify a non-reserved label in the range of 0
through 1,048,575. You can also apply preference, CoS values, node protection, and link protection to
the packets under the ingress configuration.

www.juniper.net

MPLS Fundamentals Chapter 2-29

Junos MPLS and VPNs

III

Configuring a static LSP on the Transit router

Use the transi t configuration to identify the router as a
transit LSR
On the penultimate router you will configure the pop action.
There's no need to configure tile egress router since we only
support penultimate 110P popping.
protocols {
mpls {
static-label-switched-path <lsp-name> {
transit <incoming-label> {
next-hop <address or interface of next-hop router>;
swap <outgoing label>;

Configure a Static LSP on the Transit Router

To configure a static LSP on a transit router, include the transit statement at the [edit
protocols mpls static-label-switched-path <static-lsp-name>l hierarchy level.
You must include the expected incoming label directly after the transmit statement.
Under the transit hierarchy you must include the next-hop statement and either the swap or pop action.
If you configure the swap statement, you must specify a non-reserved label in the range of 0 through
1,048,575.

The transit static LSP is added to the mpls.O routing table. You should configure each static LSP using a
unique name and at least one unique incoming label on the router. Each transit static LSP can have one
or more incoming labels configured. If a transit LSP has more than one incoming label. each would
effectively operate as an independent LSP, meaning you could configure all of the related LSP attributes
for each incoming label. The range of incoming labels available is limited to the standard static LSP
range of labels (1,000,000 through 1,048.575). To verify that a static LSP has been added to the
routing table, issue the show route table mpls.O command.

Since we must configure the pop action at the penultimate router we do not need to configure the static
LSP on the egress router. The packet coming into the egress router will be routed based on its Layer 3
information.

Chapter 2-30 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

III

II

The static-label-swi tched-path name

should be unique
Static label values (1,000 ,000 through 1 ,048 ,575)
You can also send a label of 0 to tell the next router to pop
the label.

Additional Information
It is best practice make your LSP names unique to the path. This allows you to quickly identify the path
you are looking for when troubleshooting or making alterations to the configuration.
In the Junos as you can configure your outgoing label with values from 0 to 1,048,575 but will only
accept a incoming label between 1,000,000 and 1,048,575 on the transit router. The Junos as allows
the outgoing label to be configured this way to allow interoperability with other vendor equipment that
may not have the same static label restriction on the transit routers.
The Junos as will also allow the static label to be swapped and sent with a label value of 0 from the
penultimate router. This will allow the egress router to honor the EXP bits when queuing traffic through
the static LS P.

www.juniper.net

MPLS Fundamentals Chapter 2-31

Junos MPLS and VPNs

l1li

Routes associated with signaled LSPs are installed in

the inet . 3 routing table
.. Only BGP can view the contents of inet. 3

III

BGP installs an LSP as the physical next hop for

transit destinations
.. Internal destinations are not associated with a BGP next hop
and therefore do not use LSPs by default

The Use of the inet. 3 RoutingTable

In the Junos OS implementation of MPLS, the default behavior makes BGP the only protocol that is
aware of the presence of LSPs, and only then when BGP attempts to resolve the next hops associated
with advertised prefixes.
Because MPLS LSPs are often used to engineer and direct transit traffic across an ISP's backbone, the
default behavior results in internal traffic, which is not associated with a BGP next hop, continuingto use
IGP forwarding. The result is that transit traffic associated with a BGP next hop that resolves through the
inet .3 table is subjected to LSP forwarding while all other traffic remains unaware of the LSP's
presence. To maintain this separation from the normal IGP routing table, LSPs are normally installed in
the inet . 3 table only.

BGP Installs LSP as Next Hop

When attempting to resolve the BGP next hop associated with a given prefix, BGP first looks in the
inet . 3 table. If the next hop can be resolved in the inet . 3 table, the resulting LSP is installed into
the forwarding table as the next hop for that BGP prefix. If the next hop cannot be resolved in inet . 3,
BGP next attempts to resolve the next hop through the main inet . 0 table.

Chapter 2-32 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

Route Resolution
The example in the next series of slides shows how a router uses the information learned by BGP to
forward transit traffic into a LSP. We begin by examining how traffic is forwarded to the 64.25.1/24
network from the perspective of the Core.
Things start with the 64.25.1/24 prefix being learned by the R5 router through its EBGP session to
Site2. The R1 router then learns about 64.25.1/24 through its internal BGP (IBGP) session to R5. R1
installs the prefix as active and readvertises the prefix to the Site1 router, again using EBGP.
In this example, routers in Site1 begin sending traffic to 64.25.1/24 prefixes through R1. When this
transit traffic arrives at the R1 router, it must decide how to forward this transit traffic to 64.25.1/24.
So far, nothing in this example has anything to do with MPLS or traffic engineering. This has simply been
a recap of conventional BGP operation.

www.juniper.net

MPLS Fundamentals Chapter 2-33

Junos MPLS and VPNs

Site 1
AS65510
84251/24

user@Rl> show route 64.25.1/24 all

inet.O: 13 destinations, 13 routes
= Active Route, - = Last Active,

64.25.1. 0/24

(12 active,
= Both

0 holddown,

1 hidden)

[BGP/170j 00:18:54, localpref 100, from 192.168.1.5

Unusable BGP Next Hop

This example backs up the process a bit and looks at a common problem with BGP routes: unusable
next hops. This discussion helps reinforce the interaction of BGP and LSP routing table integration. Note
that the previous slide shows the R1 router advertising the 64.25.1/24 prefix to a router in Site1. A
route with an unusable next hop cannot be active and, therefore, cannot be exported from the routing
table.
A look at the routing table on the R1 router reveals that the router has learned the 64.25.1/24 through
BGP, but it also shows that the route cannot be used. The route learned from the R5 router to
64.25.1/24 is hidden, which is why the all switch was added to the show route command in the
example. More investigation is necessary to determine why.
Again, there is no MPLS traffic engineering in this example.

Chapter 2-34 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

usec@R1> show route 64.25.1.0/24 all extensive

inet.O: 13 destinations, 13 coutes (12 active, 0 holddown, 1 hidden)
64.25.1.0/24 (1 entcy, 0 announced)
BGP
Pceference: 170/-101
INext hop type: Unusable
Next-hop reference count: 1
state: <Hidden lnt Ext>
Local AS: 65512 Peer AS: 65512
Age: 26:59
Task: BGP 65512.192.168.1.5+60163
AS path: 65511 I
Accepted
Localpref: 100
Routec lD: 192.168.1.5

III

R1 does not have a route to 182.19.200.0/30

Network

Why the Route Is Hidden

An extensive view of the 64.25.1/24 prefix at the R1 router shows that the next hop for this route is
unusable, even though the correct next hop for the route is listed. At this point, it appears that the R1
router does not know how to get to the next hop 182.19.200.2 connected to R5.
The problem here is that the 182.19.200/30 prefix used to support the EBGP peering session between
R5 and Site2 is not advertised by the core IGP. Put simply, the problem is that R1 does not have a route
to 182.19.200/30.

www.juniper.net

MPLS Fundamentals Chapter 2-35

Junos MPLS and VPNs

III

Add an export policy on R5 to change next-hop to self

when advertising this route into IBGP.

Suggested Resolution
This slide solves the 64.25.1/24 hidden route problem at R1 through a next-hop self policy applied at
the R5 router. A next-hop self solution is one of several viable ways to correct unreachable BGP next
hops.
Setting next-hop self on the R5 router results in the route advertisement for 64.25.1/24 arriving at the
R1 router with a BGP next hop that represents the R5 router's loopback address. The R1 router can
resolve the R5 router's loopback address because the IGP running throughout the autonomous system
(AS) advertises that information.
At this stage, transit connectivity to 64.25.1/24 destinations is now provided by the core. This
connectivity is based on IGP forwarding.

Chapter 2-36 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

III

Route now has valid next hop

useL@R1> show route 64.25.1/24 extensive
inet.O: 14 destinations, 21 Loutes (14 active, 0 holddown, 0 hidden)
64.25.1.0/24 (1 entLY, 1 announced)
TSI:

IndiLect next hops: 1

[PLOtofol next hopt 192.168.1. 5: MetRic: ~]
IndiLect next hop: 8f00870 1048576
IndiLect path forwarding next hops: 1
Next ho
e: Router
Next hop: 172.20.0.2 via ge-1/0/6.0 weight Ox1
192.168.1.5/32 originating RIB: inet.3
Metric: 0
Node path count: 1
Forwarding nexthops: 1
Nexthop: 172.20.0.2 via ge-1/0/6.0

Verifying the Route Is Usable

Quick review of the extensive information for the 64.25.1/24 route reveals that the route now has a
usable protocol next hop to R5s loopback interface and we have the physical next hop to R2.

www.juniper.net

MPLS Fundamentals Chapter 2-37

Junos MPLS and VPNs

[edit protocols mpls]

user@RliI show
static-label-switched-path my-lsp
ingre ss {
next-hop 172.20.0.2;
to 192.168.1.5;
push 1000050;

Static LSP From R1 to R5 Is Configured: Part 1

Now that we applied next-hop self to the BGP route making it usable. The sample network is ready for us
to configure a Static LSP.
The key aspects of the configuration at R1 that define a static LSP to R5 are shown on the slide. The LSP
is the preferred route to 64.25.1/24 because BGP looks up a prefix in the inet. 3 table (for LSPs)
before looking in the inet . 0 table (used by IGPs) and because LSPs are preferred over IGP routes due
to route preference.

Chapter 2-38 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

[edit protocols mplsj

llse['@R2# show
static-label-switched-path my-lsp
transit 1000050 {
next-hop 172.30.0.2;
swap 1000515;

[edit protocols mplsj

llser@R4# show
static-label-switched-path my-lsp
transit 1000515 {
next-hop 172.40.0.2;
pop;

l1li

Since the penultimate router is popping the label we

do not have to configure the LSP on the egress router

Static LSP From R1 to R5 Is Configured: Part 2

Now that we have configured the ingress router to forward the traffic into the LSP, we need to configure
the transit LSRs to swap the labels through the rest of the path. The minimum configuration is displayed
above. Notice that we do not define the egress router. As discussed previously we do not need to
configure the static LSP on the egress router because we are popping the MPLS header at the
penultimate router and sending the packet to the egress router in its native form to be routed based on
the Layer 3 header.

www.juniper.net

MPLS Fundamentals Chapter 2-39

Junos MPLS and VPNs

usec@R1> show route 192.168.1.5

inet.O: 14 destinations, 21 coutes (14 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192 .168 .1. 5/32

!*[OSPF/10] 01:34:3?~:~~tcic 3
> to 172.20.0.2 via ge-1/0/6.0
[BGP/1701 00:46:34, localpcef 100, fcom 192.168.1.5
AS path: I
> to 172.20.0.2 via ge-1/0/6.0, Push 1000050

inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both
192 .168.1. 5/32
. , Push 1000050

Comparing Route Preferences

The slide shows that once the LSP to R5 is established, information about the route to the R5 router's
loopback address (the next hop forthe 64.25.1/24 prefix) is present in not one but two routing tables.
These are inet. 0, used by all routing protocols, and inet. 3, which is used by BGP.
But what ensures that BGP resolves its next hop through the LSP to R5 instead of the IGP route? The
answer is simple: the preference assigned to LSPs is lower than the preference assigned to IGP routes.
This causes the routerto prefer LSPs over IGP routes. Should preferences be set the same, entries in the
inet . 3 table are preferred over entries in the inet . 0 table.
A key point on the slide is that both the IGP and MPLS routes are active, albeit in separate tables. The
result is that traffic addressed to 192.168.1.5 uses the IGP route, while traffic associated with a BGP
next hop of 192.168.1.5 uses the LSP.

Chapter 2-40 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

user@R1> show route 64.25.1.0/24

inet.O: 14 destinations, 21 routes (14 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
64.2.5.1. 0/24

localpref loo,[from 192.168.1 . .51

ge-1/0/6.0, Push 10000.50

BGP Installs LSP as Forwarding Next Hop for 64.25.1/24

It helps to keep in mind that the goal of this whole exercise is not to use the LSP to reach the R5 router's
loopback address; the goal is to direct transit traffic associated with the 64.25,1/24 prefix through a
LSP for transport across the Core AS.
The slide shows that the BGP route to 64.25.1/24 is present in the inet . 0 routing table as a BGP
route. However, the results of BGP next-hop resolution through the inet . 3 table results in the static
LSP being installed as the forwarding next hop for traffic associated with the 64.25.1/24 prefix.
Packets destined to 64.25.1/24 that arrive at the R1 router are forwarded over the LSP. No other traffic
will use this LSP with the current configuration. Note also that packets can only enter an LSP at the
ingress node.

www.juniper.net

MPLS Fundamentals Chapter 2-41

Junos MPLS and VPNs

III

Ingress router
.. RSVP/LOP/Static:
Signal LSPs to egress router
InstalilP prefix to egress router into the inet. 3 routing table
- Specifies LSP' s egress interface and label assigned by the
downstream router

IP
Routing Tallie
(inet.O)

IvlPLS
Routing Tallie
(inet.3)

Ingress Router
The previous example demonstrated how signaled LSPs are installed in the inet. 3 routing table.
RSVP, LDP, and Static LSPs install the I P prefix to the egress router into the inet . 3 table on the ingress
router. We will discuss RSVP and LDP in later chapters.
The next-hop data for entries in the inet . 3 table consist of the LSP's egress interface and the label
value assigned by the LSP's first downstream router.
Note that the various routing protocols continue to use the inet. 0 IP routing table to determine the
current active route to IP destinations.
Continued on next page.

Chapter 2-42 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

Ingress Router (contd.)

Asample inet . 3 entry that shows the next-hop forwarding information for an LSP is shown here. Note
the presence of a label push operation and egress interface:
user@R1> show route table inet.3 detail
inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
192.168.1.5/32 (1 entry, 0 announced)
*MPLS
Preference: 6/1
Next hop type: Router
Next-hop reference count: 2
Next hop: 172.20.0.2 via ge-1/0/6.0 weight Ox1, selected
Label operation: Push 1000050
State: <Active lnt>
Local AS: 65512
Age: 39
Metric: 0
Task: MPLS
AS path: I

www.juniper.net

MPLS Fundamentals Chapter 2-43

Junos MPLS and VPNs

I
III

BGP performs recursive lookup to resolve BGP next

hop
BGP also looks in the inet. 3 MPLS routing table
BGP looks in the inet. 0 IP routing table
BGP selects route with lowest preference

--,
I

,.

MPLS

IP
RoutingTable

RoutingTable

(inet.O)

(inet.3)

Contains IP
prefix to egress
router with LSP
nexthop.
On Iy BG P uses
this routing
table.

BGP Resolves Its Next Hop USing Both Tables

BGP must resolve a protocol next hop to a forwarding next hop in a process known as a recursive route
lookup. The goal of this process is to resolve the advertised BGP next hop to a directly connected
forwarding next hop.
BGP uses both the inet. 0 and inet . 3 tables when attempting to resolve a next-hop address. When
the same prefix appears in both inet . 0 and inet . 3 tables, as is the case of this example, BGP
chooses the route with the lowest preference. This results in the selection of the LSP when default
preference values are at play. In the event of a preference tie, entries in inet . 3 are preferred over
inet.O entries.

Chapter 2-44 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

III

BGP favors routes in inet . 3

MPLS preference is better than IS-IS and OSPF
For preference ties, BG P selects ine t . 3

III

LSP to egress router copied to inet . 0 as a

forwarding next hop
Specified LSP's egress interface and label to

-.
.
I

inet.O

inet.3

to: 64,25.~
192.168.1.5 ~ my-lsp
Push label 1000050

192.168.1.5 ~ my-lsp
Push label 1000050

BGP Selects inet.3 over inet.O

By default, BGP prefers LSP-based resolution of a BGP prefix's next hop. If there is a preference tie
between inet. 3 and inet. 0, BGP selects the inet . 3 route over the inet.O route.

LSP Installed as Forwarding Next Hop in inet.O

The LSP's forwarding information is copied into inet . 0 when BGP can resolve its next hop though the
LSP. A key point is that the LSP itself is not installed into inet . O. Rather, the BGP prefix is installed into
inet . 0 with a forwarding next hop that points to the LSP. Thus, traffic not associated with the BGP next
hop in question continues to be unaware of the LSP's presence. The slide shows how the forwarding
table is ultimately configured to forward over the LSP for traffic associated with the BGP prefix

64.25.1/24.

www.juniper.net

MPLS Fundamentals Chapter 2-45

Junos MPLS and VPNs

III

LSPs installed in ingress router's inet. 3 table

.. Points to the IP addresses specified as egress
Normally identifies tile egress router's loopback address
Addressappears as if it were directly connected

.. When LSP is up, next hop is usable and attractive to BGP

.. When LSP is down, LSP next hop is unusable
Can still use normallP routing to reach next hop
III

Only BGP is aware of LSPs

.. Other protocols can use this information with additional
configuration

LSPs Are Installed in Ingress Router's inet . 3 Table

In summary, LSPs appear in the ingress router's inet . 3 table. The next-hop address points to the
egress router as if it were directly connected and not at the end of an LSP passing through many transit
points. Normally the LSP's egress address is specified as the egress router's loopback address, which
also serves as the router ID.
When the LSP is up, this next hop is usable by BGP for next hop route resolution. When the LSP is down,
the next hop referenced by the LSP is unusable. Packets still can use normal IGP routing information to
resolve the next hop, however.

Only BGP Is Aware of inet.3

Only BGP pays attention to the entries housed in inet . 3 and only then when it is resolving a BGP next
hop. LSPs are hidden from the main IP routing table, which allows non-BGP traffic to continue to use the
IGP forwarding path.
Note that the examples we discuss in this section are based on the default LSP routing table integration
behavior. With additional configuration, the presence of LSPs can be made known to non-BGP traffic.
The decision to traffic engineer internal traffic requires careful consideration because MPLS, and even
basic router troubleshooting, might be complicated when pings and trace routes begin using LSPs.

Chapter 2-46 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

III

MPLS uses three tables:

inet. 0
Primary IP unicast routing table
Can install additional prefixes per LSP with
install preix active;

inet.3
MPLS routing table
Houses signaled LSPs at ingress node
Can install additional prefixes per LSP with
ins tall preix;

mpls. 0
MPLS label-switching table
Used by transit and egress routers

Routing Tables Used in MPLS

In summary, three tables are important when you configure MPLS along with normal routing protocols.
These are inet. 0, inet. 3, and mpls . 0:
inet. 0: The primary IP unicast routing table. Normally, IGPs only look in this table to
resolve next hops. You can allow IGPs to access LSP information available in inet. 3 on an
LSP-by-LSP basis by installing LSP prefixes into inet. 0 using the install prefix
active CLI configuration command in the configuration for that LSP.
inet . 3: The MPLS routing table. All signaled LSPs are installed in this table where only
BGP can find them. You can add prefixes associated with the LSP to the inet . 3 table by
using the install prefixCLI configuration command in the configuration for that LSP.
This knob is useful when you want BGP to use the LSP and next-hop self is not in effect at
the egress node.
mpls. 0: The MPLS label switching table. Transit and egress routers use the contents of
this table to swap and pop labels as needed when handling the LSP.

www.juniper.net

MPLS Fundamentals Chapter 2-47

Junos MPLS and VPNs

~ MPLS Packet Forwarding

MPLS Packet Forwarding

The slide highlights the topic we discuss next.

Chapter 2-48 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

III

Ingress router
Performs forwarding lookup based on destination IP address
Resolves in inet. 3 or inet. 0 routing table
After the next hop is determined to be the LSP ,the MPLS
header is added and the packet is forwarded with the
corresponding label
user@R2> show route table inet.3
inet.3: 1 destinations, 1 routes (1 active, 0 holddo,Vll, 0 hidden)

+ = Active Route, - = Last Active, * = Both

192.168.1.5/32

* [MPLS/6/1] 00:25:52, metric 0

> to 172.20.100.22 via ge-1/0/5.0,

Push 1000050

MPLS Forwarding (Ingress Router): Part 1

The ingress router makes its forwarding decisions based on the destination address. It will resolve the
next hop by inspecting the inet . 3 and the inet . 0 routing tables. After the next hop is determined to
be the LSP the MPLS shim header is added and the packet is forwarded on to the appropriate next hop
router.

www.juniper.net

MPLS Fundamentals Chapter 2-49

Junos MPLS and VPNs

III

Transit router
... Performs forwarding lookup based on incoming label
Resolves in mpls . 0 routing table

.. Label handling depends on LSR type

Transit swaps out the incoming label with the outgoing label and
forwards the packet to the next router
Ifthe transit router is also tile penultimate router. it usually pops
the label and forwards it to the egress router in its native form
III

Egress router
.. Performs forwarding lookup based on destination IP address
Resolves in the inet. 0 or inet. 3 routing table

MPLS Forwarding (Transit Router): Part 2

The transit router makes its forwarding decision based on the incoming label and refers to the
information stored in the mpls. 0 routing table. Ifthe transit router is more than two hops away from the
egress router it will perform a label swap operation in the MPLS header. The router will then forward the
packet on to next hop router with the new label to continue through the LSP. If the transit router is also
the penultimate router it will pop the MPLS header and forward the packet on to the egress router in its
native form.

MPLS Forwarding (Egress Router)

The egress router forwards traffic based on the destination IP address and consults both the inet . 0
and inet. 3 routing tables to accomplish this.

Chapter 2-50 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

III

The mpls .0 table contains the mapping information

of incoming labels to outgoing labels and next-hop
information used to forward MPLS packets! also
known as the LIB
user@R2> show route table mpls.O
mpls.O: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

Receive

MPLS Label Mapping

The mpls.O routing table contains the mapping information used to forward traffic by the transit routers.
A quick review of this table will show you the possible incoming label values and indicate what protocol
they were learned by. As you can see in the example you can see local next hop information. The output
also shows us what the label action is and what the next label value will be when the packet is
forwarded on to the next router downstream. This table is sometimes referred to as the LIB.

www.juniper.net

MPLS Fundamentals Chapter 2-51

Junos MPLS and VPNs

III

Penultimate hop popping (PHP) is the default

behavior in the Junos OS
.. Penultimate router pops the MPLS label
.. Forwards the native IP packet to the egress router, which
makes the forwarding decisions based on the IP header
user@R5> show route table mpls.O
mp1s.0: 5 destinations, 5 routes (5 active, 0 ho1ddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
1000515
1000515(8=0)

*[MPL8/6] 01:28:33, metric 1

> to 172.20.100.2 via ge-1/0/8.0,
*[MPL8/6] 01:28:33, metric 1
> to 172.20.100.2 via ge-1/0/8.0,

Penultimate Hop Popping

PHP is the default behavior in the Junos OS. As discussed earlier the penultimate router is the router
directly upstream from the egress router. It will pop the label and forward the packet on to the egress
router without the MPLS header.

Chapter 2-52 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

III

Implicit NULL
Default operation in the Junos OS
Egress router signals the penultimate to perform the label
pop

III

Explicit NULL
Configured on the egress router
Signals the penultimate router to forward the packet with a
MPLS header
Egress router pops the label before forwarding it in its native
IP form

Implicit NULL
Implicit Null is the default behavior in the Junos OS from the perspective of the egress router. This
operation tells the upstream router (penultimate) tllat they should pop the label and forward the packet
without a MPLS header.

Explicit NULL
Explicit Null can be configured on the egress router under the [edit protocols mpls] hierarchy. This
operation tells the upstream router (penultimate) they it needs to forward the packets on to the egress
router with a MPLS header and the egress router will handle the pop action.

www.juniper.net

MPLS Fundamentals Chapter 2-53

Junos MPLS and VPNs

II

In this chapter, we:

.. Discussed common MPLS terms (label, LSR, LSP, LIB,
ingress, egress, push, pop, swap, penultimate-hop popping,
implicit-null. explicit-null)
" Described the way a LSR forwards MPLS packets
.. Discussed MPLS packet flow and packet processing from
ingress to egress router
.. Explained how to configure a router and interface to perform
MPLS forwarding
.. Examined the LIB

This Chapter Discussed:

Common terms relating to MPLS;
Routers and the way they forward MPLS packets;
Packet flow and handling through an LSP;
Configuration and verification of MPLS forwarding; and
Understanding the information in the LIB.

Chapter 2-54 MPLS Fundamentals

www.juniper.net

Junos MPLS and VPNs

1. How does the ingress LSR make forwarding

decisions?
2. What is the default behavior in the Junos OS for
popping labels?
3. What routing table does a transit router use to make
forwarding decisions?

Review Questions
1.

2.

3.

www.juniper.net

MPLS Fundamentals Chapter 2-55

Junos MPLS and VPNs

III

Configure the network interfaces.

II

Configure protocols OSPF.

iii

Configure a static LSP, verify uni-directional LSP.

II

Configure the return LSP, verify bi-directional LSP.

Lab 1: MPLS Fundamentals

The slide provides the objectives for this lab.

Chapter 2-56 MPLS Fundamentals

www.juniper.net

Juntf2I~[
Junos MPLS and VPNs
Chapter 3: Label Distribution Protocols

Junos MPLS and VPNs

III

After successfully completing this chapter, you will be

able to:
.. List the two common label distribution protocols used by the
Junos as
Identify the configuration elements used for RSVP-signaled
and LDP-signaled LSPs
Identify the label distribution protocols that can meet the
constraints and configure an LSP, when given a network
topology, the ingress router, the egress router, and path
constraints

This Chapter Discusses:

Two label distribution protocols used by the Junos operating system;
Configuration and verification of RSVP-signaled and LOP-signaled label-switched paths
(LSPs); and
Understanding the constraints of both RSVP and LOP.

Chapter 3-2 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

~ Label
III

RSVP

III

LDP

Distribution Protocols

Label Distribution Protocols

The slide lists the topics we cover in this chapter. We discuss the highlighted topic first.

www.juniper.net

La bel Distribution Protocols

Chapter 3-3

Junos MPLS and VPNs

III

Overview of Label Distribution Protocols

.. Often referred to as signaling protocols
.. Dynamically establishes a LSP
Excllanges label information

.. Junos OS supports two types of label distribution pmtocols.

Resource Reservation Protocol (RSVP)
Label Distribution Protocol (LOP)
- To reduce confusion. tllis course uses tile acronym. LOP. to
refer only to tile particular protocol named Label Distribution
Protocol.

Label Distribution Protocols

Label distribution protocols create and maintain the label-to-forwarding equivalence class (FEC)
bindings along an LSP from the MPLS ingress label-switching router (LSR) to the MPLS egress LSP. A
label distribution protocol is a set of procedures by which one LSR informs a peer LSR of the
meaning of the labels used to forward traffic between them. MPLS uses this information to create
the forwarding tables in each LSR.
Label distribution protocols are often referred to as signaling protocols. However, label distribution is
a more accurate description of their function and is preferred in this course.
Unlike the static LSP we discussed in the last chapter, the label distribution protocols create and
maintain an LSP dynamically with little or no user intervention. Once the label distribution protocols
are configured for the signaling of an LSP, the egress router of an LSP will send label (and other)
information in the upstream direction towards the ingress router based on the configured options.
The Junos OS supports two different label distribution protocols: RSVP and LDP. To reduce the
chance of confusion this course will use the acronym LDP when referring to the particular protocol.
RSVP is a generic label distribution protocol that was adapted for use in MPLS. LDP on the other
hand was developed specifically to be used with MPLS.

Chapter 3-4 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

III

RSVP
Is used for traffic engineering
Internet standard for reserving resources
Extended to support:
Explicit path configuration
Path numbering
Route recording

Provides keepalive status for:

Visibility
Redundancy
III

LOP
LDP always follows the IGP best path
Executes hop by hop
Does not support engineered paths

RSVP
The Junos OS uses RSVP as the label distribution protocol for traffic engineered LSPs.
RSVP was designed to be the resource reservation protocol of the Internet and "provide
a general facility for creating and maintaining distributed reservation state across a set
of multicast or unicast delivery paths" (RFC 2205). Reservations are an important part
of traffic engineering. so it made sense to continue to use RSVP for this purpose rather
than reinventing the whee/.
RSVP was explicitly designed to support extensibility mechanisms by allowing it to carry
what are called opaque objects. Opaque objects make no real sense to RSVP itself but
are carried with the understanding that some adjunct protocol (such as MPLS) might
find the information in these objects useful. This encourages RSVP extensions that
create and maintain distributed state for information other than pure resource
reservation. The designers believed that extensions could be developed easily to add
support for explicit routes and label distribution.
Continued on the next page.

www.juniper.net

Label Distribution Protocols Chapter 3-5

Junos MPLS and VPNs

RSVP (contd.)
Extensions do not make the enhanced version of RSVP incompatible with existing RSVP
implementations. An RSVP implementation can differentiate between LSP signaling and
standard RSVP reservations by examining the contents of each message.
With the proper extensions, RSVP provides a tool that consolidates the procedures for a
number of critical signaling tasks into a single message exchange:
Extended RSVP can establish an LSP along an explicit path that would not have
been chosen by the interior gateway protocol (IGP);
Extended RSVP can distribute label-binding information to LSRs in the LSP;
Extended RSVP can reserve network resources in routers comprising the LSP (the
traditional role of RSVP); and
Extended RSVP permits an LSP to be established to carry best-effort traffic
without making a specific resource reservation.

Thus, RSVP provides MPLS-signaled LSPs with a method of support for explicit routes ("go here, then
here, finally here ... "), path numbering through label assignment, and route recording (where the LSP
actually goes from ingress to egress, which is very handy information to have).
RSVP also gives MPLS LSPs a keepalive mechanism to use for visibility ("this LSP is still here and
available") and redundancy ("this LSP appears dead ... is there a secondary path configured?").

LDP
LDP associates a set of destinations (prefixes) with each data link layer LSP. This set of destinations
is called the FEC. These destinations all share a common data LSP path egress and a common
unicast routing path. LDP supports topology-driven MPLS networks in best-effort, hop-by-hop
implementations. The LDP signaling protocol always establishes LSPs that follow the contours of the
IGP's shortest path. Traffic engineering is not possible with LDP.

Chapter 3-6 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

~RSVP

RSVP
The slide lists the topics we cover in this chapter. We discuss the highlighted topic next.

www.juniper.net

Label Distribution Protocols Chapter 3- 7

Junos MPLS and VPNs

III

RSVP:
.. A generic quality of service (QoS) signaling protocol
.. An Internet control protocol-uses IP as its network layer
.. Designed originally for host-to-host usage
.. Not a data transport protocol
.. Not a routing protocol
Uses the IG P to determine paths

RSVP
RSVP is a generic signaling protocol designed originally to be used by applications to request and
reserve specific quality-of-service (QoS) requirements across an internetwork. Resources are
reserved hop by hop across the internetwork; each router receives the resource reservation request,
establishes and maintains the necessary state for the data flow (if the requested resources are
available), and forwards the resource reservation request to the next router along the path. As this
behavior implies, RSVP is an internetwork control protocol, similar to Internet Control Message
Protocol (ICMP). Internet Group Management Protocol (IGMP), and routing protocols.
RSVP does not transport application data, nor is it a routing protocol. It is simply a label distribution
protocol. RSVP uses unicast and multicast IGP routing protocols to discover paths through the
internetwork by consulting existing routing tables.

Chapter 3-8 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

II

Unidirectional data flows

Ingress router initiates connection

II

Soft state

Path and resources are maintained dynamically

Can change during the life of the RSVP session
Path message are sent downstream
Reservation message are sent upstream
Rl

RSVP Data Flows

RSVP requests resources for unidirectional data flows. Each reservation is made for a data flow from
a specific sender to a specific receiver. While RSVP messages are exchanged between the sender
and receiver, the resulting path itself is unidirectional.
Although the application data flow is from the sender to the receiver, the reservation itself is initiated
by the receiver. The sender notifies the receiver of a pending flow and characterizes the flow, and the
receiver is responsible for requesting the resources. This design choice was made to accommodate
heterogeneous receiver requirements and for multicast flows in which multiple receivers join and
leave a multicast group.

RSVP Is a Soft State Protocol

RSVP requests made to routers along the transit path cause each router either to reject the request
for lack of resources or establish a soft state. This is in contrast to a hard state, which is associated
with virtual connections that remain established for the duration of the data transfer. Soft state
means that the logical path set up by RSVP is not associated necessarily with a physical path through
the internetwork. The logical path might change during its lifetime as the result of the sender's
changing the characterization of the traffic, causing the receiver to modify its reservation request, or
causing the failure of a transit router.
Continued on the next page.

www.juniper.net

Label Distribution Protocols Chapter 3-9

Junos MPLS and VPNs

RSVP Is a Soft State Protocol (contd.)

Refreshing the soft state periodically maintains it. In standard RSVP implementations, sending path
(downstream) and reservation (upstream) messages along the path accomplishes this refreshing.
The Junos OS also uses the hello extension to maintain state and detect router failures; by default,
hello messages are sent every nine seconds. The hello protocol can detect state changes within
seconds, instead of several minutes as with standard RSVP implementations. The hello protocol is
fully backward-compatible with older RSVP implementations. If a neighboring router does not
support hello messages, The Junos OS RSVP uses standard soft-state procedures.
Note tllat path messages are sent all the way to the egress before they trigger the generation of a
reservation message in the upstream direction. Messages are not paired in time on the link.

Chapter 3-10 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

III

Sessions signaled by RSVP messages

Message types for signaling MPLS LSPs:
Patll: RequestLSP be created
Resv: Reserve resources for LSP
PathTear: Remove path (and corresponding reservation) state
ResvTear: Remove reservation state
Path Err: Error message sent upstream to sender
ResvErr: Error message sent downstream

III

Messages are comprised of RSVP objects

RSVP Messages Signal Sessions

Different RSVP message types are used to establish and remove the RSVP state necessary for
signaling MPLS LSPs. This slide describes some of these message types:
Path messages are sent by the ingress router and request that a path (LSP) be created.
Path messages contain a destination address of the egress router but are processed by
all RSVP routers along the requested path.
Resv messages reserve resources-including label assignments-for the LSP. These
messages are sent from the egress router and are forwarded hop by hop along the
reverse path to the ingress router.
PathTear messages delete the path and all dependant reservation state from routers
that receive them. The PathTear message is originated by the sender, or by a router
whose path state has timed out, and it always travels downstream toward the receiver.
Path Err messages report errors in processing path messages, and travel upstream to
the sender along the reverse route of path messages.
Resv Err messages report errors in the processing of Resv messages, and travel hop by
hop downstream to the receiver.
Continued on the next page.

www.juniper.net

Label Distribution Protocols Cilapter 3-11

Junos MPLS and VPNs

Messages Comprised of RSVP Objects

All RSVP messages share a common RSVP header that includes a field for identifying the message
type. The messages is comprised of this common header followed by one or more RSVP objects.
Later slides provide details on the RSVP objects used in the signaling of MPLS LSPs.

Chapter 3-12 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

.. Soft state information

Requires periodic refresh

.. Path state block

III

Reservation state block

(Site 1

Ingress LSR

Soft State Information

To maintain a reservation state, RSVP tracks soft state in each router. The RSVP soft state is created
and periodically refreshed by path and reservation-request messages. The state information is soft
because it is deleted if no matching refresh messages arrive before the expiration of a cleanup
timeout interval. This state can also be deleted as the result of an explicit teardown message. RSVP
periodically scans the soft state to build and forward path and reservation-request refresh messages
to succeeding hops.

Path State Block

Each path state block contains information about a particular session or LSP. This state is derived
from information received in path messages and is stored in each router along the path.

Reservation State Block

Each reservation state block holds a reservation request that arrived in a particular Resv message,
corresponding to the following three objects: (session, next hop, Filter_spec_list).

www.juniper.net

Label Distribution Protocols Chapter 3-13

Junos MPLS and VPNs

l1li

Extensions added to support establishment and

maintenance of LSPs
Hello protocol
Label distribution

III

RSVP is now used for router-to-router connectivity

Traffic Engineering Extensions to RSVP

RSVP has been extended in several ways to support the establishment and maintenance of MPLS
LSPs. For example, a hello mechanism has been added to RSVP to speed up router-to-router failure
detection, and a label object has been added so that RSVP can signal label bindings.

Now Positioned as a Router Signaling Protocol

Extended RSVP is well suited as a router-to-router signaling protocol. Recall that in its original form
RSVP was intended as a 110St-to-host signaling protocol. This change in signaling role makes ongoing
sense as RSVP becomes the signaling protocol of choice for MPLS traffic engineering.
We discuss RSVP extensions in support of traffic engineering in subsequent pages.

Chapter 3-14 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

1111

Path message extensions

Mandatory:
SESSION Object: LSP _TUNNEL_IPv4
LABEL_REQUEST Object: Request LSRs to provide a label binding

Optional:
EXP LI CIT_RO UTE object (ERO): Specify predeterm ined path.
independent of IG P path
Strict Hop: Informs tile network of exact path to use
Loose Hop: LSP must be transited in order. IG P is used
RECORD _ROUTE object(RRO): Listing of the LSRs that the LSP
tunnel traverses
SESSION_A TTRI BUTE object: Aids in session identification and also
controls patll setup priority. Ilolding priority. and local-rerouting
features
RSVP-HOP object: Contains the previous 110P IP address

Path Message Extensions

A path message is transmitted by the ingress LSR toward the egress LSR when it wants to establish
an LSP tunnel. The path message is addressed to the egress LSR, but it contains the router alert IP
option (RFC 2113) in its IP header to indicate that the datagram requires special processing by
intermediate routers. The path message can include a number of RSVP objects that provide
TE-related signaling capabilities:
LABEL_REQUEST object: Request for label mapping from downstream router.
EXPLICIT_ROUTE object (ERO): Strict or loose list of routers that RSVP path messages
must visit. The object can contain strict hops which indicate the exact path to use. In
addition to strict hops the ERO can also contain loose hops which indicate the LSP must
traverse this hop before reaching the egress. You can also use both strict and loose
hops in the same ERO.
RECORD_ROUTE object: List of addresses of all routers visited by the path message.
SESSION_ATTRIBUTE object: Characteristics of the session.
CoS FLOWSPEC object: Identify the resources that will be allocated.
RSVP-HOP object: Indicates the IP address of the interface on the router sending the
Path message. At the next router, the Hop object contains the previous hop IP address.

www.juniper.net

Label Distribution Protocols Chapter 3-15

Junos MPLS and VPNs

III

Expl icit route is passed by R1

Rl transmits a path message addressed to R5

Label request object-req uestfor label binding

ERa = {R2 strict. R4 strict. R5 strict} (optional field)
Record route object lists nodes visited (optional field)
Session object uniquely identifies LSP
RSVP-HOP object indicates tile previous hop IP address
Session attributes: priority. preemption. fast reroute (optional field)
SenderT_Spec: requested bandwidth reservation

Site3

RSVP Path Message

The ingress LSR generates an RSVP path message with a SESSION type of LSP_TUNNEL_IPv4. The
path message contains a LABEL_REQUEST object that asks intermediate LSRs and the egress LSR
to provide a label binding for this path. Ifthe LABEL_REQUEST object is not supported by each LSR
along the path, the ingress LSR is notified by the first LSR on the path that does not support the
LABEL_REQUEST object. In addition to the LABEL_REQUEST object, an RSVP path message can also
contain a number of optional objects:
EXPLICIT_ROUTE object (ERO): Can be added to specify a predetermined path for the
LSP across the service provider's network. When the ERO is present, the RSVP path
message is forwarded towards the egress LSR along the path specified by the ERO,
independent of the IGP's shortest path.
RECORD_ROUTE object (RRO): Allows the ingress LSR to receive a listing of the LSRs
that the LSP tunnel traverses across the service provider's network.
SESSION_ATIRIBUTE object: Can be included in the RSVP path message to aid in
session identification and diagnosis. The SESSION_ATIRIBUTE object also controls the
path setup priority, holding priority, and local-rerouting features.

Continued on the next page.

Chapter 3-16 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

RSVP Path Message (contd.)

The path message also contains the following standard RSVP objects (as opposed to extended
objects):
RSVP-HOP: Identifies the IP address of the neighboring RSVP router. It allows each
device in the network to store information in both the path and Resv state blocks.
Assists in properly routing RSVP messages.
SENDER_TEMPLATE: Contains the sender's IP address and perhaps some additional
information to identifY the sender of the path message.
SENDER_TSPEC: Describes the traffic characteristics of the flow that will be sent along
the LSP. R5 uses tllis information to construct an appropriate RECEIVER_TSPEC
(describing the traffic flow) and RSPEC (defining the desired QoS). The format and
content of the TSPEC and RSPEC are opaque to RSVP.

RSVP Processing at Each Router

Assume that MPLS and RSVP are configured and enabled on R1, R2, R4, and R5.
R1 knows that the LSP Sl10uld follow the explicit route (R1 to R2 to R4 to R5). Each router in the ERO
has the L-bit cleared (making them strict hops) and is identified by a 32-bit IP version 4 (IPv4) prefix.
Required behavior: We want to establish an LSP to carry transit traffic that enters the service
provider'S network at R1 and exits at R5. Transit traffic should follow the physical path of the LSP
rather than the route calculated by the IGP through the network. The result is that all transit traffic
entering the network at R1 (with R5 as its BGP next hop) is forwarded along the LSP.
The physical path for the LSP has been specifically selected by another process to: 1) Reduce the
amount of traffic flowing along the IGP route, 2) Optimize the overall utilization of network resources,
3) Enhance the traffic-oriented performance characteristics for the traffic flow, and 4) Enhance the
traffic-oriented performance characteristics for the entire network.
Processing at Rl: The path message is transmitted toward R5 along the path specified by the ERO.
Recall that the path message is addressed to the egress LSR but contains the router alert IP option
to indicate that the datagram requires special processing by intermediate routers.
Processing at R2: When the path message arrives at R2, it records the LABEL_REQUEST object and
the ERO in its path state block. The path state block also contains the IP address of the previous hop,
the session, the sender, and the TSPEC. This information is used to route the corresponding Resv
message back to R1. R2 forwards the path message toward R5 along the path specified in the ERO.
If R2 cannot allocate a label for the LSP, it responds by sending a Path Err message with an unknown
object class error to R1.
Processing at R4: When the path message arrives at R4, it records the LABEL_REQUEST object and
ERO in its path state block. The path state block also contains the previous hop, session, sender, and
TSPEC. The path message is forwarded toward R5 along the path specified in the ERO.
Processing at R5 (Egress LSR): When the path message arrives at R5, it notices from the
LABEL_REQUEST object that it is the egress LSR for the LSP.

www.juniper.net

Label Distribution Protocols Chapter 3-17

Junos MPLS and VPNs

III

Resv message extensions

" Mandatory:
SESSION object: uniquely identifies the LSP being establislled
LABEL object: performs the upstream on demand label distribution
process
STYLE object: specifies the reservation style (fixed-filter.
wildcard-filter and shared-explicit)

Optional:
RECORD _ROUTE object: returns the LSPs path to the sender of the
path message
HOP object: contains the previous IIOP IP address

Resv Message Extensions

A Resv message is transmitted from the egress LSR toward the ingress in response to the receipt of
a path message. The Resv message establishes path state in each LSR by distributing label
bindings, requesting resource reservations along the path, and specifying the reservation style. The
reservation style object can be a fixed-filter (FF), wildcard-filter (WF), or a shared-explicit (SE) value.
The fixed-filter reservation style consists of distinct reservations among explicit senders. Examples of
applications that use fixed-filter-style reservations are video applications and unicast applications,
which both require flows that have a separate reservation for each sender. The fixed filter
reservation is the default style in RSVP LSPs.
The wildcard-filter reservation style consists of shared reservations among wildcard senders. This
type of reservation reserves bandwidth for any and all senders, and propagates upstream toward all
senders. A sample application for wildcard filter reservations is an audio application in which each
sender transmits a distinct data stream. Typically, only a few senders are transmitting at anyone
time and does not require a separate reservation for each sender.
The shared-explicit reservation style consists of shared reservations among explicit senders. This
type of reservation reserves bandwidth for a limited group of senders. A sample application is an
audio application similar to wildcard filter reservations.
Like the path message, the Resv message can contain the RSVP-Hop object to identify the previous
hops IP address and a record route object that lists all routers visited by the Resv message.

Chapter 3-18 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

III

Resv message processing

R5 transmits a resv message to R4

Label = 3 (indicates that penultimate LSR should pop header)

Session object uniquely identifies tile LSP
RSVP-HOP object contains the previous hop IP address
Record route object lists nodes visited (optional field)

R4 and R2:
Store outbound label, allocate an inbound label
Transmit resv with inbound label to upstream LSR

R1 binds label to FEe

RSVP Processing at Each Router

Following standard RSVP procedures, R5 generates a Resv message for the session to distribute
labels and establish forwarding state for the LSP tunnel. The IP destination address of the Resv
message is the unicast address of the previous-hop router, as obtained from the LSR's local path
state block.
Processing at R5: R5 allocates a label with a value of 3 and places it in the LABEL object of the Resv
message. The value of 3 Ilas a special meaning to R4; when R4 receives an indication that is should
assign label value 3, it knows that it is the penultimate LSR for the LSP. In this case, R4 pops the top
label off the label stack and forwards the packet to R5, the egress router. If R1 inserted a TSPEC in
the path message, R5 uses this information to construct an appropriate receiver TSPEC and RSPEC.
The Resv message is transmitted back toward R1 through R4. The Resv message does not carry a
reverse ERO to find its way back along the path to R1. Instead, the Resv message follows the reverse
path using the RSVP-HOP object, which is set up in the path state block.
Continued on the next page.

www.juniper.net

Label Distribution Protocols Chapter 3 -19

Junos MPLS and VPNs

RSVP Processing at Each Router (contd.)

Processing at R4: R4 receives the Resv message containing the label assigned by R5. R4 stores the
label (3) as part of the reservation state for the LSP. R4 uses this label when forwarding outgoing
traffic along the LSP to R5. R4 allocates a new label (299840) and places it in the LABEL object
(replacing the received label) of the Resv message that it sends upstream to R2. This is the label
that R4 uses to identify incoming traffic on the LSP from R2.
Processing at R2: R2 receives the Resv message containing the label assigned by R4. R2 stores the
label (299840) as part of the reservation state for the LSP. R2 uses this label when forwarding
outgoing traffic along the LSP to R4. R2 allocates a new label (299888) and places it in the LABEL
object (replacing the label received from R4) of the Resv message that it sends upstream to Ri. R2
uses this label to identify incoming traffic on the LSP from Ri.
Processing at Rl: Ri receives the Resv message that contains the label assigned by LSR. It uses this
label for all outgoing traffic that it maps to the LSP. Because of these operations. the LSP is
established from Ri to R5 following the explicitly routed path specified in the ERO. Ri forwards
traffic for prefix X through R2 by pushing the label signaled by R2 (299888) before forwarding the
packet to R2.

Chapter 3-20 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

III

RSVP error messages

Path Error
PATH
ERO= {R2, R4, R5}

Rl
Site3

R4cannot2;ignal LSP

Reservation Error
Rl

R4 Carll"lot process Resv

Path and Resv Error Messages

There are two RSVP error messages, ResvErr and Path Err. Path Err messages are very simple; they
are sent upstream to the sender that created the error, and they do not change path state in the
routers though which they pass. There are only a few possible causes of path errors. However, a
number of ways exist for a valid reservation request to fail at some router along the path. A router
might also decide to preempt an established reservation. Because a reservation request that fails
might be the result of merging a number of requests, a reservation error must be reported to all of
the responsible receivers. The handling of ResvErr messages is somewhat complex as a result.
The upper portion of the slide shows how an error in handing a path message results in the
generation of a PathErr message in the upstream direction. The bottom portion of the slide
demonstrates typical Resv message error handling. In this example the egress router (R5) responds
to the receipt of a path message with a Resv message that is sent to R4. R4 generates a ResvErr
message back towards the source of the reservation request (in the down stream direction) because
it is unable to accommodate the reservation request from some reason. Note that a path or
reservation error message is not sent upstream in this case because R4 has not signaled any
reservation state for the associated path message in this example. Therefore, there is no need to
generate a ResvTear message. If R4 had previously signaled a reservation to its upstream neighbor
(R2), the error that causes R4 to send a ResvErr back to R5 also results in the generation of a
ResvTear message in the upstream direction to remove the existing reservation state.

www.juniper.net

Label Distribution Protocols Chapter 3-21

Junos MPLS and VPNs

III

RSVP Teardown messages

PathTear

user@R5> sh~ log RSVP-traceoptions I find pathtear

Jun ~6 0~:04:56.29704~ RSVP recv PathTear ~92.~68.~.~->~92.~68.~.5 Len=84 ge-O/O/D.D
Jun ~6 0~:04:56.3~08~2
Session7 Len ~6 ~92.~68.~.5(port/tunnel ID 57024 Ext-ID ~92.168.1.1) Proto 0
Jun 16 01:04:56.312844
Hop
Len 12 65.H5.1.17/0x08ea6248
Jun 16 01:04:56.313181
Sender7 Len 12 192.168.1.~(port/lsp ID 54)
Jun 26 01:04:56.325147
Tspec
Len 36 rate Obps size Obps peak Infbps m 20 M 1500

ResvTear
I find resvtear
Jun 16 01:05:55.511991 RSVP send ResvTear 65.115.1.2->65.115.1.1 Len=56 ge-O/O/O.O

user@R2> show log RSVP-traceoptions

PATH
ERO= fR2, R4, R5)

R1

R5

Site 1

Site3

F~4 caliliot signal LSP

RSVP Teardown Messages

RSVP teardown messages remove path or reservation state immediately. The two types of RSVP
teardown messages are PathTear and ResvTear. A PathTear message travels towards all receivers
downstream from its point of initiation and deletes path state, as well as all dependent reservation
state, along the way. A ResvTear message deletes reservation state and travels towards all senders
upstream from its point of initiation. You can conceptualize a PathTear (ResvTear) message as a
reversed-sense path message (Resv message, respectively). A teardown request can be initiated
either by an application in an end system (sender or receiver), or by a router as the result of state
timeout or service preemption. Once initiated, a teardown request must be forwarded hop by hop
without delay.

Chapter 3-22 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

III

Label Request Object

Indicates that a label binding is requested for this LSP
Contains the Layer 3 protocollD (L3PID)

user@Rl> show log RSVP-traceoptions I find "rsvp send"

Jun ~7 ~7:48:49.893994 RSVP send Path ~92.168.1.1->192.~68.~.5 Len=208 ge-O/O/O.O

Jun 17 17:48:49.894~3~
Session7 Len ~6 192.168.~.5(port/tunnel ID 57026 Ext-ID ~92.168.1.~) Proto 0
Jun 17 17:48:49.894643
Hop
Len ~2 65.115.~.1/0x08ffdOOO
Jun 17 17:48:49.894765
Time
Len 8 30000 rna
SrcRoute Len 20 65.115.1.2 S 192.~68.~.3 L
Jun 17 17:48:49.894890
Jun 17 17:48:49.894985
LabelRe~uest Len 8 EtherType OxSOO
Jun 17 ~7:48:49.895088
Properties Len 12 Pr~mary path
SessionAttribute Len 16 Prio (7,0) flag OxO "Rl-to-R5 PI
Jun 1.7 17:48:49.895316
Sender7 Len 12 192.~68.~.~(port/lsp ID J.3)
Jun 17 ~7:48:49.895642
Tspec
Len 36 rate Obps size Obps peak Infbps m 20 M 9192
Jun 17 ~7: 48: 49. 895813
ADspec
Len 48 MTU 1500
Jun .17 17: 48: 49. 895917
Jun 17 17: 48: 49. 896023
RecRoute Len 12
65.115.1.1

The Label Request Object

To establish an LSP tunnel, the ingress LSR generates a path message that contains a
LABEL_REQUEST object. The presence of a LABEL_REQUEST object indicates that a label binding is
requested forthis LSP. The LABEL_REQUEST object also contains the Layer 3 protocollD (L3PID) that
identifies the Layer 3 protocol that will traverse the LSP tunnel. The L3PID is required because it is
not possible to assume that an LSP tunnel transports IPv4 traffic-the Layer 3 protocol cannot be
inferred from the Layer 2 header, which simply identifies the higher layer protocol as MPLS. In this
example, the EtherType is set to Ox0800, which indicates that IPv4 will be transported over the LSP.
The three possible LABEL_REQUEST types are the following:

Request for a label that does not specify a specific label range: This is the common
case in which the MPLS label is carried in a standard MPLS shim header that sits
between the data link and network layer headers. The Junos OS always uses this type of
label request, as shown in the trace output on the slide.
Request for a label with an ATM label range that specifies both the minimum and
maximum virtual path identifier (VPI) and virtual channel identifier (VCI) values: This
type of request is useful when the MPLS label is carried in a Layer 2 Asynchronous
Transfer Mode (ATM) header.
Request for a label with a Frame Relay label range that specifies the minimum and
maximum data-link connection identifier (OLCI) values: This type of request is useful
when the MPLS label is carried in a Layer 2 Frame Relay header.
Continued on the next page.
www.juniper.net

Label Distribution Protocols Chapter 3-23

Junos MPLS and VPNs

The Label Request Object (contd.)

When a path message arrives at an LSR, the LSR stores the LABEL_REQUEST object in the local path
state block for the LSP. If a label range is specified, the label allocation process must assign a label
from that range.
Potential error conditions include the following:
If the LSR receiving the path message recognizes the LABEL_REQUEST object but is
unable to assign a label, it sends a PathErr message (indicating a routing problem or
MPLS label allocation failure) toward the ingress LSR.
If the receiver cannot support the L3PID, it sends a PathErr (routing problem/
unsupported L3PID) toward the ingress LSR. This error causes the LSP setup request to
fail.
If the LSR receiving the message does not recognize the LABEL_REQUEST object, it
sends a PathErr (unknown object class) toward the ingress LSR. This error also causes
LSP setup to fail.

Chapter 3-24 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

Explicit Route Object (ERO)

An explicit route is a specification of muter(s) to be
traversed by the LSP.
Designates strict and loose hops through the use of an L-bit.
I fi.nd "rsvp send"
Jun 17 17:48:49.893994 RSVP send Path 192.168.1.1->192.168.1.5 Len;208 g8-0/0/0.0
Jun 17 17:48:49.894131
session7 Len 16 192.168.1.5 (port/tunnel ID 57026 Ext-ID 192.168.1.1) Proto 0
Jun ~7 17:48:49.894643
Hop
Len 12 65.115.1.1/0x08ffdOOO
Jun ~7 17:48:49.894765
Time
Len 8 30000 rns
Jun 17 17:48:49.894890
!srCRoute Len 20 65.115.1. 2 s 192.168.1. 3 L
Jun 1.7 17:48:49.894985
LabelRequest Len 8 EtherType Ox800
Jun 17 17:48:49.895088
Properties Len 12 Primary path
SessionAttribute Len 16 Prio (7,0) flag OxO "Rl-to-R5 rr
Jun 17 17:48:49.895316
Jun 17 17:48:49.895642
Sender7 Len 12 192.168.1.1(port/1sp ID 13)
Jun 17 17: 48: 49. 895813
Tspec
Len 36 rate Obps size Obps peak Infbps m 20 M 9192
Jun 17 17: 48: 49. 895917
ADspec
Len 48 MTU 1500
Jun .17 17:48:49.896023
RecRoute Len 12
65. 115 . 1. 1
user@Rl> show log RSVP-traceoptions

The Explicit Route Object

By adding the EXPLICIT_ROUTE object to the path message, the ingress LSR can specify a
predetermined explicit route for the LSP that is independent of the IGP's shortest path view. The ERO
is intended to be used only for unicast applications and only when all routers along the explicit route
support RSVP and the ERO.
An explicit route is encoded as a series of subobjects contained in the ERO. Each subobject can
identify a group of routers in the explicit route or can specify an operation to be performed along the
path. Hence, an explicit route is a specification of groups of routers to be traversed and a set of
operations to be performed along the path. The ERO portion of the path message is highlighted in
trace output shown on the slide.
ERO coding designates strict and loose hops through the use of an L bit. If the L-bit is set. the
subobject represents a loose hop, if set to a 0, the corresponding hop is considered to be strict.

Continued on the next page.

www.juniper.net

Label Distribution Protocols Chapter 3-25

Junos MPLS and VPNs

The Explicit Route Object (contd.)

Currently. four types of EXPLICIT_ROUTE subobjects are defined:
IPv4 Prefix: Identifies an abstract router consisting of the set of routers that have an IP
prefix that lies within this IPv4 prefix. A prefix with a length of 32 bits indicates a single
IPv4 router.
IP version 6 (fPv6) Prefix: Identifies an abstract router consisting of the set of routers
that have an IP prefix that lies within this IPv6 prefix. A prefix with a length of 128 bits
indicates a single IPv6 router.

Autonomous System Number: Identifies an abstract router consisting of the set of

routers belonging to the autonomous system.
MPLS LSP Termination: Indicates that the prior abstract router should remove one level
of the label stack from all packets following this LSP tunnel.

The use of EROs can lead to loops in the forwarding of the RSVP path message. Such a loop will
cause LSP setup to fail. Loops are detected with the RRO. as described on the next page.

Chapter 3-26 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

III

Record Route Object

Keeps track of all routers in the LSP path.
Each router adds its egress interface address to the object

user@Rl> show log RSVP-traceoptions I find "rsvp send"

Jun
Jun
Jun
Jun
Jun
Jun
Jun

17
17
17
17
17
17
17

17:48:49.893994 RSVP send Path 192.168.1.1->192.168.1.5 Len~208 ge-O/O/O.O

17:48:49.894131
Session7 Len 16 192.168.1.5 (port/tunne1 ID 57026 Ext-ID 192.168.1.1) Proto 0
17:48:49.894643
Hop
Len 12 65.115.1.1/0x08ffdOOO
17:48:49.894765
Time
Len 8 30000 ms
17:48:49.894890
SrcRoute Len 20 65.115.1.2 S 192.168.1.3 L
17:48:49.894985
Labe1Request Len 8 EtherType Ox800
17:48:49.895088
Properties Len 12 Primary path

Jun 17 17:48:49.895316

Jun
Jun
Jun
Jun

17
17
17
17

17:48:49.895642
17:48:49.895813
17:48:49.895917
J.7:48:49.896023

SessionA.ttribute Len 16 Prio

Sender7
Tspec
ADspec
jRecRoute

Len
Len
Len
Len

(7,0)

flag OxO IrRi-to-R5"

12 192.168.1.1(port/1sp ID 13)
36 rate Obps size Ohps peak Infbps m 20 M 9192
48 HTU 1500
12 65.J.15.1.1!

The Record Route Object

By adding the record route object (RRO) to the path message, the ingress LSR can receive information
about the actual route that the LSP tunnel traverses. The contents of a RRO is a series of data items
called subobjects. Two types of subobjects are currently defined: IPv4 addresses and IPv6 addresses.
Three possible applications for the RRO in RSVP signaling include the following:
Discover Layer 3 routing loops or loops inherent in the explicit route because the RRO is
analogous to a path vector.
Collect up-to-date detailed path information about the LSP setup session.
Define the contents of an EXPLICIT_ROUTE object to be used in the next path message.
Using an EXPLICIT_ROUTE object derived from the previous RRO allows the session
path to be pinned down. When pinned down, the path will not change even if a better
path becomes available.
When an ingress LSR attempts to establish an LSP tunnel, it creates a path message that contains a
LABEL_REQUEST object. The path message can also contain an RRO object. The initial RRO contains
the ingress LSR's IP address, as shown on the slide. When a path message containing an RRO is
received by an intermediate router, the router stores a copy of the RRO in its path state block and
adds its own IP address to the RRO. When the egress LSR receives a path message with an RRO, it
adds the received RRO to its subsequent Resv message. After the exchange of path and Resv
messages, each router along the path will have the complete route of the LSP from ingress to egress,
which is extremely useful for network management purposes.

www.juniper.net

Label Distribution Protocols Chapter 3-27

Junos MPLS and VPNs

III

Resv Message objects

Resv message can contain a number of different RSVP
objects

u!:!8r:@Rl> show log RSVP-traceoptions

Jun
Jun
Jun
Jun
Jun
Jun

Jun
Jun

Jun

I find "recv

Resv"

1.7 20: 1.4: 20.381.741. RSVP rec'? Res'? 65.1.1.5.1.. 2->65 .1.1.5.1..1. Le:fn:=~1.4~422e~m~3~.O~~!.:!~~!:!:rr:E~~~
1.7 20: 1.4: 20.381.871.
;;;;
.1..3.) Proto 0
17 20:1.4:20.382069
1.7 20: 1.4: 20.3821.72
17 20: 1.4: 20.382270
17 20: 1.4: 20.382433
rate Obps size Obps peak Infhps m 20 M 1.186
1.7 20: 1.4: 20.382542
Filter?
1.92.1.68.1..1.(port/1.sp ID 1.3)
17 20: 1.4: 20.382638
17 20: 1.4: 20.382777

Resv Message Objects

The RSVP Resv message can contain a number of different RSVP objects:
LABEL object: Performs the upstream on-demand label distribution process. This object
can contain either a single MPLS label or a stack of labels. If an MPLS implementation
does not support a label stack, only the top label is examined. When the LSR receives a
Resv message corresponding to a previous path message, it confirms that the Resv
message was transmitted by the next hop in the LSP. The LSR then binds a locally
allocated label (300560 in this example) to the LSP's incoming interface. The incoming
interface is the one over which the LSR received the LSP's corresponding path
message.
RECORD_ROUTE object: Returns the LSPs path to the sender of the original path
message.
STYLE object: Carries the value for shared explicit, wildcard or fixed filter reservations.
HOP object: Indicates the previous hops IP address.
SESSION object: Carries the parameters that uniquely identify the session (port,
protocol, and destination address).

Chapter 3-28 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

III

Traceoptions
Configured under the [edi t
hierarchy

protocols rsvp]

Used for troubleshooting and should be deleted or deactivated

after troubleshooting is finished.
Contains information regarding the protocol communication
between LSRs
- Used in previous slides to show message objects
Viewed by issuing operational mode command show log
filename
[edit protocols rsvp]
user@Rl/l show
traceoptions {
file Rsvp-traceoptions;
flag all detail;

Traceoptions
Traceoptions are configured under the protocol that you want to troubleshoot. Because the
information gathered can be very extensive it is recommended that you only turn on traceoptions
when troubleshooting a specific issue. The more specific you can make the flag options, the easier it
is to locate the information you need to review. As displayed in earlier slides you can also use match
and find conditions to narrow down the information displayed when looking at the file. In our
example we capture all available information for RSVP communication. We also included the detailed
tag to increase the detail of information captured in the RSVP-traceoptions file.

www.juniper.net

Label Distribution Protocols Chapter 3-29

Junos MPLS and VPNs

III

MTU discovery on RSVP-signaled LSPs

Prevents issues with traffic being black holed when
ingress MTU exceeds the MTU of a path element
Uses the Adspec object as per the integrated services
object defined in RFCs 2210 and 2215
Configuration options for:
MTU discovery
Fragmentation at ingress LSR

MTU Discovery for RSVP-5ignaled LSPs

The Junos OS supports maximum transmission unit (MTU) discovery when using RSVP signaling. The
discovery mechanism is performed according to the integrated services object as defined in
RFCs 2210 and 2215. This feature helps to prevent the black hole condition that is normally
associated with mismatched MTUs along an the elements that make up an LSP.
MTU discovery signaling can be configured independently of ingress LSR fragmentation, but you
must have mtu-signaling configured if you are configuring the allow fragmentation option. Both
options are configured at the [edit protocols mpls path-mtul hierarchy.
In operation, the ingress LSR sets the M value in the TSPEC to 9192 and codes the egress
interface's IP MTU in the ADSPEC object in the path message. At each hop transit LSRs update the
MTU value in the ADSPEC object with the minimum of the incoming value and egress interface MTU.
When the path message is received by the egress LSR the smaller of the two values coded in the
TSPEC and ADSPEC objects is signaled back to the ingress router using the Flowspec object in the
Resv message. This behavior is shown on the slide where the 1500-byte MTU is correctly reported to
the egress router in the ADSPEC object.

Chapter 3-30 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

user@Rl> show rsvp session detail

Ingress RSVP: 1 sessions
192.168.1.5
From: 192.168.1.1, LSPstate: up, ActiveRoute: 4
LSPname: Rl-to-R5, LSPpath: Primary
Suggested label received: -, Suggested label sent: Recovery label received: -, Recovery label sent: 300096
Resv style: 1 FF, Label in: -, Label out: 300096
Time left:
-, Since: Wed Jun 16 20:57:29 2010
Tspec: rate Obps size Obps peak Infbps m 201M 91921
Port numbeL: sender 4 receiveL 57026 protocol 0
PATH rev from: localclient

PATH sentto: 65.115.1.2 (ge-O/O/O.O) 11 pkts

RESV Lcvfrom: 65.115.1.2 (ge-O/O/O.O) 11 pkts
Record route: <self> 65.115.1.2 65.115.1.10 65.115.1.18
Total 1 displayed, Up 1, Down 0
EgLess RSVP: 0 sessions
Total 0 displayed, Up 0, Down 0
TLansit RSVP: 0 sessions
Total 0 displayed, Up 0, Down 0

MTU Discovery and Fragmentation

You can confirm proper operation with the output of a show rsvp session command when the
detail switch is added as reflected in the slide.
For proper operation all routers along the LSP path must support MTU signaling. In a network where
there are devices that do not support MTU signaling in RSVP, you might have the following behaviors:
If the egress router does not support MTU signaling in RSVP, the MTU is set to 1,500
bytes by default.
A Juniper Networks transit router that does not support MTU signaling in RSVP sets an
MTU value of 1,500 bytes in the ADSPEC object by default.
Note that for link/node protection, the MTU of the bypass is only signaled at the time the bypass
becomes active. Thus, during the time it takes for the new path MTU to be propagated, there might
be packet loss due to MTU mismatch. Similarly for fast-reroute, the MTU of the path will be updated
only after the detour becomes active; thus, there will be a delay in the update on the head end.

www.juniper.net

Label Distribution Protocols Chapter 3-31

Junos MPLS and VPNs

III

HMAC-MD5 based authentication available

Configured at the interface level
Prevents replay and communications with unauthorized
peers
[edit PLotocols LSVP]
useL@R1# set interface ge-O/O/O.O authentication-key jni
[edit

ation-key "$9$m5z6hclK!1X"; ## SE
useL@R1> show rsvp interface ge-O/O/O.O detail
ge-O/O/O.O Index 72, State Ena/up
IAuthentication,1 NoAggLegate, NoReliable, NoLinkPLotection
HelloInteLval 9(second)
AddLess 65.115.1.1
ActiveResv 1, PLeemptioncnt 0, Update thLeshold 10%
SUbSCLiption 100%, StaticBW 1000Mbps, AvailableBW 1000Mbps
ReseLvedBW [0] Obps[1] Obps[2] Obps[3] Obps[4] Obps[5] Obps [6] Obps[7] Obps

Authenticate RSVP Exchanges

When desired, you can configure Hashed Message Authentication Code (HMAC)-Message Digest 5
(MD5) authentication for RSVP exchanges based on the procedures defined in RFC 2747. RSVP
authentication is configured on a per-interface basis, as shown on the slide for the router's
ge- 0/0/0 interface. Once configured, all RSVP messages are authenticated using a message
digest based on a shared secrete key. Sequence numbers are added to all messages to prevent
replay attacks.
The slide shows the command used to configure RSVP authentication and the resulting RSVP
configuration stanza. As the slide also shows, you confirm that authentication is in effect using the
show rsvp interface <interface-name> detail command.

Chapter 3-32 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

Graceful restart maintains forwarding state during a

router restart or reboot
Signaled with Restart_Cap object in hello messages
Requires helper mode in adjacent nodes
Helpers send a recovery label to restarting node to recover forwarding
state; this is the last label advertised by peer before it restarts

Enabled with graceful-restart statement under

rOll ting-options hierarchy
[edit]
user@Rl# set routing-options graceful-restart

Disable graceful restart, helper mode, or both for

RSVP
[edit protocols rsvp]
user@Rl# set graceful-restart disable

RSVP Graceful Restart

The Junos OS supports RSVP graceful restart procedures as defined in RFC 3473. To enable graceful
restart, add the graceful-restart statement to the main routing instance at the [edit
routing-options] hierarchy. This global configuration statement enables graceful restart on all
protocols that support the capability, for example LDP and OSPF. To specifically disable RSVP
graceful restart. helper mode, or both, add explicit configuration to the RSVP stanza as shown on the
slide.
In operation, a router makes its RSVP graceful restart capabilities known through the inclusion of a
RestarCCap object in its hello messages. By default, both graceful restart and helper mode are
enabled for RSVP when the graceful-restart statement is added to the main routing instance.
After a restart, the local router signals that it was able to preserve its forwarding state by sending a
RestarCCap object with a recovery-time value that is not zero. Neighbors with helper mode
enabled respond to this message by sending back the labels that were last advertised by the
restarting router. The result is that the restarting router's signaling plane can be bootstrapped back
into its pre-restart state, while forwarding continues unabated.
Note that you cannot modify the timers associated with RSVP graceful restart at this time. Also note
that RSVP helper mode is enabled by default, even when the graceful-restart option is not
specified in the main routing instance. Therefore, a Junos OS RSVP implementation will always try to
help another RSVP peer restart, unless you explicitly disable helper mode.

www.juniper.net

Label Distribution Protocols Chapter 3-33

Junos MPLS and VPNs

III

Various operational mode commands can be used to

confirm RSVP graceful restart:
usec@Rl> show rsvp version
Resoucce ReSecVation Pcotocol, vecsion 1. Lfc2205
RSVP pcotocol:
Enabled

Maximum
Restact time:

cecovecy time:
60000 msec

Verify RSVP Graceful Restart

Use the show rsvp version command to determine the global RSVP settings for graceful restart
and helper mode. Remember that helper mode is always enabled unless it is explicitly disabled.

Chapter 3-34 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

.. Configuration will be displayed from R 1 (ingress

router)
All otller routers require appropriate interfaces configured under
protocols rsvp and protocols mpls
III

Verification and show commands will be from the

perspective of R 1 and R2
Rl

R1 = 192.168.1.1
R2 = 192.168.1.2
R3 = 192.168.1.3
R4 = 192.168.1.4

Configuration Example
As noted in the slide, all configuration examples will be from the perspective of the ingress router
(Rl). We will use the topology and IP addressing illustrated on this slide to demonstrate the
configuration required to create an LSP that egresses at R5.
All verification and show commands will be displayed from the ingress router (Rl) or one of the
transit routers (R2).

www.juniper.net

Label Distribution Protocols Chapter 3-35

Junos MPLS and VPNs

l1li

Basic functional RSVP configuration requires:

41

Adding the mpls family to desired interfaces

Not needed for loopback interface

41

Linking interfaces with the router's MPLS process

Enabling RSVP on desired interfaces

Configure the label-swi tched-pa th under the
protocols mpls hierarchy
41

[edit interfaces)
user@R1# show ge-O/O/O
unit 0 {
family inet {
address 65.115.1.1/30;

[edit protocols mpls]

user@R1# show

to 192.168.1.5;

family mpls;

[edit pcotocols rsvp]

user@R1# show
intecface ge-O/O/O.O;

Basic RSVP Configuration

You must add family mpls to all appropriate interfaces on each router throughout the network.
You must also add these interfaces to both protocols MPLS and RSVP in order for the LSP to
establish correctly.
The labelswitchedpath is configured under the MPLS protocol hierarchy. For a basic RSVP LSP to
signal through the network you must define the egress address under the
label-switched-path <path-name> hierarchy by adding the to <ip-address>
statement. In the example on the slide, the LSP is named Rl- to-R5 and the egress address of the
LSP is the loop back address on the egress router. Any traffic from Rl with a BGP protocol nexthop of
this loopback address will traverse the network through this LSP.
As you may have noticed in the example configuration, the statement no-cspf was also used. CSPF
has been turned off because we have not discussed this topic and is not required to signal the LSP.
CSPF will be covered in detail in the next chapter.

Chapter 3-36 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

III

III

Add the path statement under the [edit

protocols mpls] hierarchy.
Set the path as the primary or secondary path
under the protocols mpls label-switchedpa th <path-name> hierarchy.
[edit protocols mplsJ
user@R1# show
no-cspf;
label-switched-path R1-to-R5
to 192.168.1.5;
[primary ERO-through-R3;1
path ERO-through-R3 {
192.168.1.3
interface ge-

Configuring an Explicit Route Object

To configure an explicit path trough the network you begin by configuring the path pa th-name
statement under protocols mpls. The path statement is where you indicate what routers you
want the LSP to traverse. You can either specify strict or loose hops. After defining the path to
be used you must add this path to the label- swi tched-path as either a primary or
secondary path.
In the example illustrated on the slide, the path is named ERO-through-R3 and has defined that
the LSP must be signaled through 192 . 168 . 1 . 3, which is the loopback address of R3. The path is
also applied as the primary path under the R1-to-RS LSP.

www.juniper.net

Label Distribution Protocols Chapter 3-37

Junos MPLS and VPNs

III

P2MP LSP overview

.. RSVP LSP with multiple destinations (Single ingress)
.. Avoids unnecessary packet replication at the ingress router
.. Replication takes place when packets are fonvarded to two
different destinations requiring different network paths
.. Functionality is similar to that provided by IP multicast
Rl

R5

Point-to-Multipoint LSPs
A point-to-multipoint MPLS LSP is an RSVP LSP with multiple destinations. By taking advantage of
the MPLS packet replication capability of the network, point-to-multipoint LSPs avoid unnecessary
packet replication at the ingress router.
Lets walk through the packet processing detailed on the slide. Router Rl is configured with a
point-to-multipoint LSP to routers R3 and R5. When router Rl sends a packet through the
point-to-multipoint LSP, router R2 replicates the packet and forwards it on to routers R3 and R5.

Chapter 3-38 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

III

P2MP LSPs
A P2MP LSP allows you to use MPLS to carry data from one
ingress point to multiple egress points.
Add and remove branch LSPs from a main LSP without
disrupting traffic
Configure a router to be both a transit and an egress router
for different branch
Supports link protection (no fast-I-eroute)
Configure branch LSPs either statically, dynamically, or as a
combination of static and dynamic LSPs
Supports Graceful Routing Engine Switchover (GRES) and
graceful restart for LSPs at ingress and egress routers.

Point-to-Multipoint Details
A point-to-multipoint LSP allows you to use MPLS for point-to-multipoint data distribution. This
functionality is similar to that provided by IP multicast. A branch can be added or removed from the
main point-to-multipoint LSP without disrupting traffic. The unaffected parts of the LSP continue to
function normally. A router can be configured as both a transit and an egress router for different
branch LSPs of the same point-to-multipoint LSP. Link protection can also be used with
point-to-multipoint LSPs. Link protection can provide a bypass LSP for each of the branch LSPs that
make up the LSP. If any of the primary paths fail, traffic can be quickly switched to the bypass.
Point-to-multipoint LSPs can be configured either statically, dynamically, or as a combination of static
and dynamic LSPs. You can enable graceful Routing Engine switchover (GRES) and graceful restart
for point-to-multipoint LSPs at ingress and egress routers.

www.juniper.net

Label Distribution Protocols Chapter 3-39

Junos MPLS and VPNs

II

Replace PIM in provider core with P2MP LSP

Core routers can forward multicast data (encapsulated in
MPLS) without the need for a multicast routing protocol

I S-IP

SA

1224 .7 7.7IM-castDat3
DA

Label

MPLS

! S-IP !224.7.7.7IM-castDat3

SA
.MP"w........... _

S-IPI224.7.771

SA

M-CaStDat~

DA

Multicast Example
One of the obvious benefits of using point-to-multipoint LSPs is that its forwarding properties are very
mUlticast-like. The Junos OS allows for the configuration of point-to-multipoint LSPs as a
replacement for multicast routing protocols in the core of a network. In the example on this slide and
the next. P1 is configured for a point-to-multipoint that terminates on both R3 and R5. A multicast
source is attached to R1 and a receiver is attached to both R3 and R5. As multicast data arrives from
the source to R1. R1 encasulates the multicast traffic into an MPLS header and sends the MPLS
packet into the core. R2 will then receive that traffic. replicate the traffiC. swap the labels. and send
the traffic out of its two outgoing interfaces. R3 and R5 will eventually receive the multicast traffic
even without a multicast routing protocol running in the core.

Chapter 3-40 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

II

RSVP views a P2MP LSP as multiple sub LSPs

One sub LSP for each egress node
Each sub LSP uses the same P2MP session object

[edit protocols mpls]

user@Rl# show
label-switched-path sub lsp_tO_RS
{

p2m p

[edit routing-options]
user@Rl# show
static {
route 224.7.7.7/32
p2mp-Isp-next-hop

'---=--1

1-.._"'-_-1

label-switched-path sub_lsp_tO_R3
{

multicast
interface ge-l/l/S.0;

p2mp ........._~_-'

Enable multicast forwarding without

enabling a multicast routing protocol

Point-to-multipoint LSP Configuration

The slide shows the steps needed to build a point-to-multipoint LSP that ingresses at R1 and
terminates at R3 and R5. To enable the forwarding of multicast traffic on R1 without enabling a
multicast routing protocol, the source facing interface must be configured for multicast as shown in
the slide. Also, a multicast static route must be configured with the point-to-multipoint LSP listed as
the next hop. This will allow R1 to know where to send the multicast traffic.

www.juniper.net

Label Distribution Protocols Chapter 3-41

Junos MPLS and VPNs

II

RSVP related operation mode commands:

-clear rsvp session
-show rsvp sessions
-clear mpls lsp
-show mpls lsp
-show rsvp interface

For additional details about these commands please visit:

IlttpJ/NWWJ uni per.net/tecli pulls/en_U;Vju nos lO.l/illforrnatiull-procluc:ts/topic,::ollectionsj:3wclnd ref-protocol:3/ Cl18 p-rsvp-op-mocl e-Clrl cls.lltrn #CI18 p-rsvp-o p-lr1 ocje-'~rn(:Is
1

RSVP Operational Mode Commands

This slide reviews some ofthe more common operational mode commands used to monitor the
status and operation of the RSVP protocol and RSVP-signaled LSPs. Each command is briefly
described here:

clear rsvp session: This command is used to clear the named RSVP session, or
all RSVP sessions (ingress, transit, and egress) when no session name is specified.

show rsvp session: Displays current RSVP session status. Use the ingress, egress,
or transit switch to limit command output to the type of session that is of interest.
clear ropls lsp: Used to clear the named LSP session. You can only clear ingress
LSPs with this command.
show ropls lsp: Many operators prefer the show ropls lsp extensive
command when troubleshooting LSP establishment problems because the command's
output provides additional error information when compared to the output ofthe show
rsvp session detail command.
show rsvp interface: Use this command to display RSVP-enabled interfaces,
along with their operational status and reservation state. Any link coloring
(administrative groups) associated with RSVP interfaces is also displayed.

Chapter 3-42 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

user@RZ> show rsvp session detail transit

Transit RSVP: 1 sessions
192.168.1.5
From: 192.168.1.1, LSPstate: Up, ActiveRoute: 1
LSPname: R1-to-R5, LSPpath: primary
Suggested label received: -, Suggested label sent: Recovery label received: -, Recovery label sent: 299808
Resv style: 1 FF, Label in: 300000, Label out: 299808
Time left:
126, Since: Wed Jun 16 18:07:20 2010
Tspec: rate Obps size Obps peak Infbps m 20 101 1500
Port number: sender 3 receiver 57026 protocol
PATH rcvfrom: 65.115.1.1 (ge-O/O/O.O) 70 pkts
Adspec: received !~TU 1500 sent MTU 1500
PATH sentto: 65.115.1.6 (ge-0/0/l.0) 70 pkts
RESV rcvfrom: 65.115.1.6 (ge-0/O/l.0) 70 pkts
Explct route: 65.115.1.6 192.168.1.3
Record route: 65.115.1.1 <self> 65.115.1.6 65.115.1.14 65.115.1.18
Total 1 displayed, Up 1, Down 0

RSVP Session Status Example

This slide provides an example of the output associated with a show rsvp session command
using the detail and transi t switches.

www.juniper.net

Label Distribution Protocols Chapter 3-43

Junos MPLS and VPNs

user@Rl> showrnpls lsp ingress extensive

Ingress LSP: 1 sessions

192.168.1.5
From: 192.168.1.1, State: Up, ActiveRoute: 4, LSPname: Rl-to-R5
ActivePath: ERO-through-R3 (primary)
LoadBalance: Random
Encoding type: Packet, SWitching type: Packet, GPID: IPv4
*Primary
ERO-through-R3
State: Up
Priorities: 7 0
SmartoptimizeTimer: 180
Received RRO (ProtectionFlag l=Available 2=InUse 4=s/w 8=Node 10=SoftPreempt 20=Nocie-ID):
65.115.1.2 65.115.1.6 65.115.1.14 65.115.1.18
65.115.1.2 65.115.1.665.115.1.14 65.115.1.18
1.5 oun 16 18:07:26.889 Record Route:
14 oun 16 18:07:26.884 Up
1.3 oun 16 18:07:26.654 Originate Call
12 oun 16 18:07:26.630 Clear Call
11 oun 16 17:40:04.936 Selected as active path
65.115.1.2 65.115.1.10 65.115.1.18
10 oun 16 17:40:04.935 Record Route:
oun 16 17:40:04.933 Up
oun 16 17:40:04.852 Origin.te Call
oun 16 17:40:04.840 Clear Call
oun 16 17:40:04.838 Deselected as active
oun 16 17:38:12.317 Selected as active path
oun 16 17:38:12.316 Record Route: 65.115.1.2 65.115.1.6 65.115.1.14 65.115.1.18
oun 16 17: 38: 12.314 Up
2 oun 16 17:38:~.740 Originate Call
1 oun 16 17:37:44.0i9 CSPF: could not determine self
Created: ~~ed oun 16 17:37:43 2010
Total 1 displayed, Up 1, Down 0

MPLS LSP Status Example

This slide provides an example of the output associated with a show mpls Isp command using
the extensive and ingress switches. Note that the display contains a time-stamped log of
significant events in the life of the LSP. This information often proves invaluable when
troubleshooting RSVP control plane problems.

Chapter 3-44 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

~LDP

LDP
The slide lists the topics we cover in this chapter. We discuss the highlighted topic next.

www.juniper.net

Label Distribution Protocols Chapter 3-45

Junos MPLS and VPNs

III

Purpose of LDP
Creates forwarding equivalence class (FEC)
A group of IP packets tl1at are forwarded in tile same manner

Manages LSP to egress router

LD P associates tile FEC witl1 eacl1 LSP it creates
LDP creates an LSP tree for eacl1 FEC from every possible ingress
router to egress router
(EgreSS LSR
Rl

R5

Purpose of LDP
LDP associates a set of destinations (prefixes) with each LSP. This set of destinations is called the
FEC. These destinations share a common LSP path and egress router, as well as a common unicast
routing path.
LDP maps groups of prefixes to an egress router at the end of an LSP. LDP manages the LSP to the
egress router for each FEC. LDP is not related to RSVP or traffic engineering concepts from previous
lectures.
LDP maps the FECs (prefixes) to label values. The LSP forwarding paths look like a unicast
forwarding path, in that MPLS traffic for the ultimate destination is forwarded along the unicast
forwarding tree.
LDP allows multiple prefixes to share the same label mapping. No constraints are allowed when
signaling the LSPs. The LSPs must follow the IGP best path. LDP merges together traffic from
different tunnels, which results in fewer total tunnels than would be required with RSVP.
LDP will create a LSP tree for each FEC from every possible ingress point in the LDP network to the
egress point. Each LDP speaking router will advertise the addresses reachable via a MPLS label into
the LDP domain. The label information is exchanged in a hop by hop fashion so every LSR in the
domain will become an ingress router to all other routers in the network. This process creates a full
mesh LDP environment. The slide displays what LSPs will be generated for the FEC egressing at R5.

Chapter 3-46 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

.. LDP messages types

Discovery: Locate potential LDP peers
It Session: Manage peer-to-peer TCP sessions
It Advertisement: Create, change, or delete label mappings
It Notification: Provide advisory information
It

Downstream
LDP peer

TCP Session g&'i!1~[fV!~li~~\\~~~iil~3~'~)'

Establishment W~
Initialization
Messages
Label Request
Messages

'0!4t_~~~ll~~~~1

~[!t{k!!~~~ll!~'~~l\l!k~~s~Ji\~~l

Label Mapping 1~~~~il~~~liil;~II!:jf~U

Messages

Aclv8r'tisem8l1t

LOP Message Types

LDP uses several types of messages to establish, remove mappings and to report errors. All LDP
messages have a common structure that incorporate a type/length/value (TLV) encoding scheme.
Discovery Messages: Discovery messages announce and maintain the presence of a
router in a network. Routers indicate their presence in a network by periodically sending
hello messages. This hello message is encapsulated within a User Datagram Protocol
(UDP) packet that is sent to the LDP port (port 646) using the multicast all routers group
address. The use of the 224,0.0.2 multicast address limits neighbor discovery to
directly connected peers by default. Extended LDP neighbor discovery is discussed on a
subsequent page.
Session Messages: Session messages establish, maintain, and terminate sessions
between LDP peers. When a router establishes a session with another router learned
through hello exchanges, it uses the LDP initialization procedure over a Transmission
Control Protocol (TCP) transport. Note that the higher IP address is responsible for
establishing the TCP session. When the initialization procedure completes successfully
the two routers are LDP peers and tlley can begin the exchange of advertisement
messages.
Continued on the next page,

www.juniper.net

Label Distribution Protocols Cilapter 3-47

Junos MPLS and VPNs

LDP Message Types (contd.)

Advertisement Messages: Advertisement messages create, change, and delete label
mappings for FECs. Requesting a label or advertising a label mapping to a peer is a
decision made by the local router. In general, the router requests a label mapping from
a neighboring router when it needs one and it advertises a label mapping to a
neighboring router when it wants the neighbor to use a label.
Notification Messages: Notification messages convey advisory and error related
information. LDP sends notification messages to report errors and other events of
interest. The two kinds of LDP notification messages are the following:
Error notifications signal fatal errors. If a router receives an error notification from
a peer it terminates the LDP session by closing the TCP transport connection and
discarding all label mappings learned that were learned through that session.
Advisory notifications pass information to the router about the LDP session.

Chapter 3-48 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

III

Hello-Based Neighbor Discovery

.. Neighbor discovery is an asymmetric process
Respond only if LDP session is desired

Active node is elected based on the highest IP address

Transport address takes precedence over source address

R2

R1
10.0.1.2

Neighbor Discovery
The discovery process can either send a hello message to 224.0.0.2 (basic discovery) or to a specific
address (extended discovery), in both cases using UDP encapsulation and port 646. 224.0.0.2 is the
aI/ routers on this subnet multicast address. Note that a station's response to a hello message
indicates its desire to establish an LOP session with the neighboring router.

Transport Address
The transport address is used to determine which side is active. The transport address is placed into
the Hello message as a transport address object. If the transport address object is not specified, the
source address of the hello packet is used to determine the active router.

www.juniper.net

Label Distribution Protocols Chapter 3-49

Junos MPLS and VPNs

.. Active Node initiates Tep session

" LDP Session initiated after TCP session established

R1
R2
(paSSive):-:-:-:-:-:-:-:::-:-:-:-:-:-:-:::-i.(Active)
10.0.1.2

100.1.1

Session Initialization
.of -

Version, Label modes. Timer lkilues . - - -

<1- -

-~-=-;:.-:::...-=.":..

- - -

- - -

- - - - -

-+

-+

Version, Label modes. Timer Values

Transport Connection Establishment

The router with the numerically highest IP address is responsible for initiating the TCP session. After
successful TCP connection establishment, the LDP session can be established.

Chapter 3-50 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

III

LOP label mapping:

Downstream peer assigns labels
Benefits:
Traffic engineering information is not piggybacked on routing
protocols

Limitations:
LSPs follow the conventionallG P patll
Does not support explicit routing
Upstream
LDP Peer

FEe: 1000.1/32
label: 17

............................ ,

----------ge-DjO/O
ge-DjO/O
Advertise
Incoming
label

LSR

FEe 100.0.1/32
label: 52

.............................

Downstream
LDP Peer

----------ge-D/O/3
ge-D/O/3

FEe: 10.0.01/32
label: 3

............................ ,

-------..

ge-D/2/0

Receive
Outgoing
label

LDP Label Mapping

Label Request and Label Map messages are used to associate FECs with labels. In this example on
the slide, the router on the right has knowledge of network 10.0.0.1/32, and it is running LDP with
its upstream neighbors. The router in the middle receives a FEC mapping of 10.0.0.1/32 to Label 52
over its ge-0/0/3 interface.
The middle router now advertises the FEC for 10.0.0.1/32 upstream, which is to the router on the
left in this case, with a label mapping of 17. The process continues until there are no more LDP
adjacencies to which the FEC can be advertised.
The slide focuses on the 10.0.0.1/32 FEC. There may be additional FECs within this same network.

www.juniper.net

Label Distribution Protocols Chapter 3-51

Junos MPLS and VPNs

II

Session Maintenance
LDP session requires at least 1 hello adjacency
Hello interval: 5-second default
Hold timer: 15-second default
If hold timer expires. LSR deletes hello adjacency
Can be asymmetric

." Transportaddress selection:

Interface add ress
Router ID

Session Maintenance
An LDP peer must receive an LDP packet every keepalive period to prevent the tear down of neighbor
state. Any LDP protocol message is acceptable for keepalive purposes, so keepalive messages are
sent only in the absence of other LDP traffic. Either end can shut down the session by issuing a
shutdown message. If a router has multiple links to an LDP peer then hellos are sent across all of the
links. As long as one of the links can continue to exchange hellos, the LDP session remains active.
See the last section on the next page for more detail on choosing an LDP transport address.
The LDP hello messages enable LDP routers to discover one another and to detect the failure of a
neighbor, or the link, to that neighbor. Hello messages are sent periodically on all interfaces on which
LDP is enabled. By default. LDP sends hello messages every 5 seconds. This value can be
configured depending on the network requirements.
The hold time determines how long a router can wait for a hello message before declaring the
neighbor lost. The configured value is sent inside of hello messages to inform the receiving router
how often it should expect to receive a hello; this mechanism means that hello intervals do not be
the same between neighbors. The default hold time is 15 seconds; this value represents the
recommended setting of three times the hello interval.

Continued on the next page.

Chapter 3-52 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

Session Maintenance (contd.)

You can control the transport address used by LDP. The transport address is the IP address used to
support the TCP session. You can configure the transport address globally for all LDP sessions or for
each interface independently. If you select interface, the interface address is used as the transport
address for any LDP sessions to neighbors that are reachable over that interface.
You cannot specify interface when there are multiple parallel links to the same LDP neighbor
because the LDP specification requires that the same transport address be advertised on all
interfaces to the same neighbor. If LDP detects multiple parallel links to the same neighbor, it
disables interfaces to that neighbor one by one until the condition is cleared.

www.juniper.net

Label Distribution Protocols Chapter 3-53

Junos MPLS and VPNs

III

Support for LDP version 1

.. Downstream unsolicited label allocation, liberal retention,
with an ordered control mode
.. Basic and extended neighbor discovery
.. Support for LDP tunneling

Junos as LDP Implementation

The Junos OS implementation of LDP supports LDP Version 1. Constraint-Based Routed Label
Distribution Protocol (CR-LDP) is not supported. The Junos OS implementation of LDP supports the
"ordered downstream unsolicited with liberal label retention" mode defined in RFC 3036. This
means that each LDP peer will store all label bindings received (liberal retention), that each
downstream peer will advertise all FECs for which it is prepared to receive labeled traffic
(downstream unsolicited), and that FECs are only advertised when the router is the traffic's egress
point, or it has received a label mappingforthe traffic's next hop (ordered).
With the Junos OS using the minimum LDP configuration, LSRs will form LSPs to the /32 router ID of
all LDP capable routers that are reachable.
Basic neighbor discovery forms an LDP session with a directly connected neighbor because the hello
messages have a destination address of 224.0.0.2; messages sent to these addresses are not
routed.
Extended discovery allows peers to establish LDP sessions through an RSVP-signaled LSP, thus
allowing some level of traffic engineering for LDP traffic. You explicitly configure the destination
address of the hello messages when using extended discovery; because a routable IP address is
specified, the LDP peer can be reached via IP routing and no longer needs to be directly connected.
Extended discovery enables LDP to be tunneled over RSVP. This is explained in more detail in the
following slides.

Chapter 3-54 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

III

LDP tunneling over RSVP LSPs

Allows traffic engineering to be applied to traffic traversing
LOP LSPs
Enable LOP on the 100.0 interface under the [edi t
protocols IdpJ hierarchy
Define the LSP that you want LOP to operate over by
including the Idp-tunneling statement
protocols {
mpls {
label-switched-path <Lsp-pat1! -name>
from <source address>;
to <destination address>;
ldp-tunneling;

LOP Tunneling
You can tunnel LDP LSPs over RSVP-signaled LSPs using label stacking. Note that you must enable
LDP on the 100. a interface to support extended neighbor discovery needed for this application.
Additionally, you must configure the LSPs over which you want LDP to operate by including the
Idp-tunneling statement as sllown.

www.juniper.net

Label Distribution Protocols Chapter 3-55

Junos MPLS and VPNs

II
II

LDP views the entire RSVP LSP as a single hop,

LDP will traverse the RSVP LSP instead of using the
two hops through R3
R3

LDP over RSVP

This slide SllOWS that LDP-over-RSVP tunneling results in LDP traffic being forwarded through the
RSVP tunnel, which itself takes a traffic engineered path. By default, LDP always follows the IGP's
shortest path, which in this case, would be the 3-hop path at the top ofthe slide. LDP views the RSVP
LSP as a single hop, therefore the RSVP path becomes the more preferred path even though the LSP
actually traverses 5 hops.
The label assignment is also shown on this slide. When the traffic enters into the LDP LSP it pushes
a label value of 100101. When received on R2 it accepts the packet based on the assigned incoming
label. R2 will lookup the route and identify that the route will be sent over the RSVP LSP. R2 pushes
on the LDP label value of 100002 and then stacks an outer label value of 106102 for the RSVP
label. When the packet is received at R4 it accepts the packet based on the RSVP label and swaps
the outer label with the label assigned to the outgoing interface (105200) and forwards the traffic to
the next LSR. R5 received the packet based on the incoming RSVP label. R5 swaps the RSVP label
value with the next label (102000) and forwards it on to R6. R6 will also process the packet based
on the RSVP label. Since R6 is the penultimate LSP for the RSVP LSP it will pop the RSVP label and
forward to the next LSR with the LDP label and R7 will accept and forward the pact based on the LDP
label.

Chapter 3-56 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

III

MD5-based authentication for TCP transport

Configured at the LOP session level
Sessions form between 100 addresses by default

Applies to LOP session messages, not neighbor discovery

[edit protocols IdpJ
user@Rl# show
interface ge-O/O/O.O;
interface 100.0;
session 192.168.1.2 {
authentication-key "$9$IZYESleKMxNbylaUjH5TQF3ncpIEyKvLlK"; ## SECRET-DATA

If you apply an M05 signature to an LOP interface with an

established session, it drops the TCP connection and all the
associated label bindings to the FEC entries for that session
and will renegotiate a new session.

Authenticate LOP Sessions

When you want, you can configure MD5based authentication for the TCP transport protocol that
supports LDP sessions. LDP session authentication is configured on a persession basis, as shown
on the slide for the Rl's LDP session to R2 (192.168.1.2). Note that LDP session authentication
does not apply to the UDPbased neighbor discovery mechanism. Thus, mismatched LDP
authentication settings permit LDP neighbor discovery and adjacency formation, but the LDP session
will not establish without compatible authentication values. Note that specifying interface addresses
under the session stanza requires the use of transportaddress interface for authentication to be in
effect because LDP sessions form between 100 addresses by default.
The slide shows the command used to configure LDP authentication and the resulting LDP
configuration stanza.

www.juniper.net

Label Distribution Protocols Chapter 3-57

Junos MPLS and VPNs

III

Graceful restart maintains forwarding state during a

router restart or reboot
.. Signaled with Fault Tolerant TLV in initialization messages
It

It

Requires helper mode in adjacent nodes

Enabled with graceful-restart statement in main
routing instance
[edit]
user@Rl# set routing-options graceful-restart

.. Disable graceful restart, helper mode, or both for LOP

[edit protocols ldp]
user@Rl# set graceful-restart disable
[edit protocols ldpJ
user@Rl# set graceful-restart helper-disable

LDP Graceful Restart

The Junos OS supports LOP graceful restart procedures as defined in RFC 3478: Graceful Restart
Mechanism for Label Distribution Protocol. LOP graceful restart is enabled when you add the
graceful-restart statement to the main routing instance at the [edit
routing-options] hierarchy. This global configuration statement enables graceful restart on all
protocols that support the capability. In operation, a router makes its LOP graceful restart
capabilities known through the inclusion of the Fault Tolerant TLV in its session initialization
messages. By default, both graceful restart and helper mode are enabled for LOP when the
graceful-restart statement is added to the main routing instance. After a restart, the local
router signals that it was able to preserve its forwarding state by sending a nonzero
recovery-time TLV in session messages to all neighbors. Neighbors with LOP helper mode
enabled maintain the label mappings they last advertised to the restarting peer. When the LOP
session is reestablished, the retained labels are readvertised (using mapping messages), which
allows the restarting router to refresh all label bindings that are still valid (nonrefreshed labels are
marked as stale and flushed).
The result is that the restarting router's signaling plane can be bootstrapped back into its pre-restart
state, while forwarding continues unabated.
As mentioned earlier, LOP graceful restart and helper modes are enabled by default when graceful
restart is configured. You can explicitly disable of LOP graceful restart and recovery, as well as
prevent the router from performing helper mode function to a restarting router.

Chapter 3-58 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

III

Use the show ldp seSSlon detail command

user:@R1> show ldp session detail
Addr:ess: 192.168.1.2, State: Oper:ational, Connection: Open, Hold time: 25
Session ID: 192.168.1.1:0--192.168.1.2:0
Next keepalive in 8 seconds
passive, l'Iaximum PDU: 4096, Hold time: 30, Neighbor: count: 1
Neighbor: types: discovered
Keepa1ive interval: 10, Connect r:etr:y interval: 1
Local addr:ess: 192.168.1.1, Remote addr:ess: 192.168.1.2
Up for: 00:07:01
Last down 00:07:08 ago; Reason: received unexpected EOF
Number: of session flaps: 1
capabilities adver:tised: none
Capabilities received: none
Pr:otection: disabled
cal
Restar:t: enabled, Helper: mode: enabled, Reconnect tLme: 600UU
mote - Restart: enabled, Helper mode: enabled, Reconnect time: 60000
cal maximum neighbor: r:econnect time: 120000 msec
cal maximum neighbor: r:ecover:y time: 240000 msec
Nonstop r:outLng state: Not In sync
Next-hop addr:esses r:eceived:
65.115.1. 2
65.115.1.5
192.168.1.2

View LDP Graceful Restart

Use the show ldp session command with the detail switch to confirm LDP graceful restart
settings.

www.juniper.net

Label Distribution Protocols Chapter 3-59

Junos MPLS and VPNs

III

Configuration and Verification commands will be from

the perspective of R2
All other routers should be configured similarly

Loopbacks

Rl = 192.168.1.1
R2 = 192.168.1.2
R3 = 192.168.1.3
Rl

R3

R2
.1

65.115.10;30

ge-G/O/O

.2

ge-G/o;o

.5

ge-O;O/1

65.115.1.4;30

.6

ge-G/o/1

Sample LDP Topology

This slide serves to establish a simple LDP topology that we use to drive the configuration examples
and screen captures shown on subsequent pages.

Chapter 3-60 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

III

A functional LOP configuration involves:

Enabling LDP on desired interfaces
Adding the mpls family to desired interfaces
Not needed for loopback interface

Linking interfaces with the router's MPLS process

[edit]
use!:@R2i1 show protocols Idp
inte!:face ge-O/O/O.O;
inte!:face ge-0/0/1.0;
inte!:face 100.0;
[edit]
use!:@R2i1 show protocols mpls
inte!:face all;

[edit]
useL@R2# show interfaces ge-O/O/O
unit 0 {
family inet {
add!:ess 65.115.1.2/30;
family mpls;

Minimum LDP Configuration

You must configure LDP for each interface on which you want LDP to run. Further, you must also add
family mpls to all interfaces that are expected to handle labeled packets, and you must
associate these interfaces with the router's MPLS process under the [edit protocols mpls]
hierarchy. A minimum LDP configuration that is functional at both the signaling and data planes is
shown on the slide. Note that you should specifically disable LDP on the router's out-of-band (OoB)
interface when using the interface all option instead of manually specifying the interfaces.
By default, the Junos OS implementation of LDP only advertises the /32 router ID (RID) address,
which is normally obtained from the 100 interface. Note that you must enable LDP on the 100
interface to achieve this behavior.

www.juniper.net

Label Distribution Protocols Chapter 3-61

Junos MPLS and VPNs

II

Start by looking at the interfaces:

uset:@R2> show 1dp interface
Intet:face
Label space ID
ge-O/O/O .0
192.168.1.2:0
ge-O/O/ 1. 0
192 . 168 .1. 2 : 0
100.0
192.168.1.2:0

l1li

Nbt: count
1
1
0

Next hello
1
2
0

Next, look at the neighbor information:

uset:@R2> shol~ 1dp neighbor
Addt:ess
Intet:face
65.115.1.1
ge-O/O/O.O
65.115.1.6
ge-0/0/1.0

Label space ID
192 .168.1.1: 0
192.168.1.3:0

Hold time
11
14

Confirm LDP Interfaces

The show 1dp interface command is an excellent place to begin LDP verification. In this
example, all expected interfaces are listed, including the routers' 100 interface. Note that the display
also shows a count of neighbors detected on that interface.

Confirm LDP Neighbors

With LDP interfaces confirmed, you move on to verify that neighbor discovery is operational with the
show 1dp neighbors command. Note that each neighbor's RID is used to uniquely identify the
label space for that neighbor.

Chapter 3-62 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

III

Verify that the sessions are operational.

usec@R2> show Idp session
Addcess
State
192.168.1.1
Opeca tional
Opera tional
192.168.1. 3

Connection
Open
Open

Hold time
29
26

Verify Session State

With LDP interfaces and neighbors confirmed, you move on to verify that the sessions have been
established using the show Idp sessions command.

www.juniper.net

Label Distribution Protocols Chapter 3-63

Junos MPLS and VPNs

III

LDP-signaled LSPs are placed into the inet .3

routing table
user@R2> show route table inet.3
inet.3: 2 destinations, 2 routes (2 active, 0 holddown,
~ Active Route, - ~ Last Active, * ~ Both

0 hidden)

192.168.1.1/32
192.168.1.3/32

II

*[LDP/9] 00:34:00, metric 1

> to 65.115.1.1 via ge-O/O/O.O
*[LDP/9] 00:34:01, metric 1
> to 65.115.1.6 via ge-O/O/1.0

Why don't we see label information?

Confirm the LOP Control Plane

A quick way to verify that LDP signaling is operational is to look for established LSPs in the routers
inet . 3 routing table. Because the default behavior of LDP in the Junos OS is to establish tunnels to
the /32 RID of all reachable routers, there should be at least one LSP if LDP is working at all. Note
that the LSP to R3 is not associated with a label operation due to penultimatehop popping (PHP)
behavior.

Chapter 3-64 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

III

Lets look a the label mapping table

user@R2> show route table mpls.O
mpls.O: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1
2

299792
299792 (S=O)
299840

299840 (S=O)

* [MPLS/O] 08 :08 :15, metric 1

Receive
* [MPLS/O] 08 :08 :15, metric 1
Receive
*[MPLS/O] 08:08:15, metric 1
Receive
*[LDP/9] 00:34:13, metric 1
> to 65.115.1.6 via ge-0/0/1.0,
*[LDP/9] 00:34:13, metric 1
> to 65.115.1.6 via ge-0/0/1.0,
*[LDP/9] 00:34:12, metric 1
> to 65.115.1.1 via ge-O/O/O.O,
*[LDP/9] 00:34:12, metric 1
> to 65.115.1.1 via ge-O/O/O.O,

Pop
Pop
Pop
Pop

Verify Label Information Base

Verify the expected labels are correctly mapped in the Label Information Base (LIB) by reviewing the
contents of the mpls. 0 route table. Take note of the incoming label values on the left and ensure
the router's egress interface is correct with the correct label operation.

www.juniper.net

Label Distribution Protocols Chapter 3-65

Junos MPLS and VPNs

user@R2> ShON Idp database

Input label database, 192.168.1.2:0--192.168.1.1:0
Label
Prefix
3
192.168.1.1/32
299904
192.168.1.2/32
299920
192.168.1.3/32
Output label database, 192.168.1.2:0--192.168.1.1:0
Label
Prefix
299840
192.168.1.1/32
3
192.168.1.2/32
299792
192.168.1.3/32
Input label
Label
299856
299792
3

database, 192.168.1.2:0--192.168.1.3:0
prefix
192.168.1.1/32
192.168.1.2/32
192.168.1.3/32

Output label database, 192.168.1.2:0--192.168.1.3:0

Label
prefix
299840
192.168.1.1/32
3
192.168.1.2/32
299792
192.168.1.3/32

LDP Label Database

You can view the label databases of LDP neighbors with the show 1dp database command, as
demonstrated on the slide. Note that there will be a separate entry for each LDP peer. The LDP
session ID delineates the entries learned over each session, with all the labels for either the input or
output direction displayed. For example, LDP session 192.168.1.2: 0-192.168.1.1: 0 has
three labels in the input label database and three labels in the output label database.

Chapter 3-66 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

III

In this chapter, we:

Discussed two common label distribution protocols used by
the Junos OS
Identified the configuration elements used by RSVP-signaled
and LDP-signaled LSPs
Discussed the capabilities of each label distribution protocol
and how they are implemented with the Junos OS

This Chapter Discussed:

The two label distribution protocols that the Junos OS supports;
The configuration elements needed to implement RSVP or LDP to dynamically signal a
LSP; and
The capabilities of both LDP and RSVP when using the Junos OS.

www.juniper.net

Label Distribution Protocols Chapter 3 -67

Junos MPLS and VPNs

1. Which router requires you to define the labelswitched-path when configuring RSVP?
2. What are 3 RSVP objects that we discussed in this
chapter?
3. Does the Junos OS support traffic engineering on
LDP LSPs?

Review Questions
1.

2.

3.

Chapter 3-68 Label Distribution Protocols

www.juniper.net

Junos MPLS and VPNs

II

Given a network configured with routing protocols and

MPLS, configure LDP

II

Establish LSPs using LDP

II

Establish LSPs using RSVP

III

Modify the LSP path using EROs

II

Establish an LSP meeting certain requirements

Lab 2: Label Distribution Protocols

The slide provides the objectives for this lab

www.juniper.net

Label Distribution Protocols Chapter 3-69

Junos MPLS and VPNs

Chapter 3- 70 Label Distribution Protocols

www.juniper.net

Junt~v~[
Junos MPLS and VPNs
Chapter 4: Constrained Shortest Path First

Junos MPLS and VPNs

III

After successfully completing this chapter, you will be

able to:
.. Describe the path selection process of RSVP-signaled label
switched paths without the use of the (CSPF) algorithm
.. Describe the IGP extensions needed to build and maintain a
TED
.. Explain how the CSPF algorithm selects the best path based
on provided constraints
.. Explain how administrative groups can be used to influence
path selection

This Chapter Discusses:

The path selection process of RSVP without the use of the Constrained Shortest Path
First (CSPF) algorithm;
The interior gateway protocol (IGP) extensions used to build the traffic engineering
database (TED);
The CSPF algorithm and its path selection process; and
Administrative groups and how they can be used to influence path selection.

Chapter 4-2 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

-7 RSVP Behavior Without CSPF

III

CSPF Algorithm

III

CSPF Tie Breaking

l1li

Administrative Groups

RSVP Behavior Without CSPF

The slide lists the topics we cover in this chapter. We discuss the highlighted topic first.

www.juniper.net

Constrained Shortest Path First Chapter 4-3

Junos MPLS and VPNs

III

The primary benefit of enabling the traffic engineering

extensions to OSPF or ISIS is to allow each ingress
router to calculate and signal protection paths around
a failed link or node
.. Some of the M PLS traffic protection methods that have
been developed rely on the use of the TED and the CSPF
Algorithm
Fast Reroute
Link Protection

To help in your understanding of how the LSP path

calculation changes when CSPF is deployed, the next few
slides review the path calculation with its use

Protecting the MPLS Network

This chapter discusses the details of how an ingress router for an RSVP-signaled label-switched path
(LSP) can use the CSPF algorithm and the TED to calculate its path through the network. As you read,
keep in mind that it is this functionality that can provide protection against packet loss in an MPLS
network. Some of the widely used protection methods for RSVP-signaled LSPs, like fast reroute and
link protection (described in the next chapter), use the CSPF algorithm. The next few slides will
prepare you for the CSPF topic by reviewing the path selection behavior of RSVP when CSPF has not
been deployed.

Chapter 4-4 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

l1li

Path message is sent initially by ingress router

Requests the reservation of resources by downstream
routers and notifies those routers of how and where to build
the session
Some path message objects are used to specify what is to
be reserved
Label Object: req uest for an M PLS label reservation
SenderTspec Object: requestfor bandwidth reservation

Explicit Route Object specifies the path the session will take
When an ERO has not been configured the path message is sent
with no ERO along the IG P'sshortest calculated path
For a non-empty ERO, the administrator of the ingress LSR must
manually configure the explicit path [edit]
user@R1i1 ShOI~ protocols mpls
label-switched-path r1-to-r2
to 192.168,2,2;

Initial Path Message

As it was described in the previous chapter, the initial path message related to the setup of an LSP is
sent by the ingress router. The path message will contain objects. The objects within the path
message are used to either request the reservation of resources by downstream routers (MPLS
label, bandwidth, and so forth) or inform those same downstream routers of the direction in which
they should be building the RSVP session (MPLS LSP). The path the session will take depends on
both the IGP shortest path calculation along with what is contained in the Explicit Route Object (ERO)
of the path message. When CSPF is not in use (no-cspf option) and no ERO has been manually
configured by the administrator of the ingress router, the initial path message will be sent with no
ERO. For a path message to have a non-empty ERO, it must be manually configured by the
administrator of the ingress router.

www.juniper.net

Constrained Shortest Path First Chapter 4-5

Junos MPLS and VPNs

111

An RSVP-signaled LSP can be configured to support a

particular bandwidth along the path of the LSP
Signaled by the Sender Tspec object
Each router along the path determines supportability of request
If the local or downstream LSRs along the path cannot support the
requested bandwidth. LSP establishment will fail

LSRs will not police the traffic that enters an LSP, by default
By default. each LSR along tIle path checks only to see if there is
enough rsvp reservable bandwidtll available (no policing)
Use the auto-policing statement or apply a policer configured
under [edi t firewall] directly to the LSP
[edit]
user@R1# show protocols rnpls
auto-policing {
class all drop;
label-switched-path r1-to-r2 {
to 192.168.2.2;
bandwidth 35m;
no-cspf;

[edit]
user@R1# show protocols mp1s
label-switched-path r1-to-r2
to 192.168.2.2;
bandwidth 35m;
no-cspf;
policing filter eXample;

Bandwidth Reservation
It is possible for an LSP to be configured to reserve bandwidth along the path of the LSP. During the
setup process for an LSP configured for bandwidth (as shown in slide), each downstream router will
receive a request to reserve bandwidth for the LSP in the form of the traffic specification (TSpec)
object. Each router along the path will make its own individual decision as whether it has enough
available bandwidth on its egress interface for the LSP. To determine whether or not there is enough
available bandwidth, a router will sum the bandwidth of all LSPs traversing the egress interface and
subtract it from the total bandwidth for the interface. If there is not enough available bandwidth, the
LSP will fail to be instantiated and the upstream routers will be informed with a PathErr message.
By default, the bandwidths described on the slide are only logical and used for LSP setup. The
amount of traffic that actually traverses an LSP is not enforced. It is possible, however, to override
the default behavior and have the ingress router police the traffic that enters an LSP however. This
can be done by configuring auto-policing or configuring a firewall filter an applying directly to
the specific LSP.

Chapter 4-6 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

1\1

The physical speed of the interface becomes the

RSVP available bandwidth, by default
View the current reservable RSVP bandwidth by issuing the
show rsvp interface command

usec@Rl> show rsvp interface

RSVP intecface: 2 active
Active subscc- static
iption BiN
Intecface
State cesv
1
100% lOOOMbps
ge-1/0/0.220 up
0
100% 1000Mbps
ge-1/0/1. 221 up

Available

Resecved

BiN

BiN

1000Mbps
1000Mbps

Obps
Obps

Highwatec
mack
Obps
Obps

Limit percentage of interface bandwidth reservable by RSVP

with a range of 0 to 65000
[edit pcotocols csvpl
usec@RlIf set interface ge-O/O/O subscription pe:rcelltage

Configure interface or logical unit bandwidth

[edit pcotocols csvpl
usec@Rl# set interface ge-0/0/0.100 bandwidth

va~ue

RSVP Bandwidth
Whether or not the CSPF algorithm is being used, when RSVP is being used for LSP signaling in a a
network, every interface on every router will have an associated available bandwidth associated with
it. By default. the available bandwidth for LSP reservation is equivalent to the physical speed of the
interface. This can be overridden by one of the methods shown on the slide.

www.juniper.net

Constrained Shortest Path First Chapter 4- 7

Junos MPLS and VPNs

~CSPF Algorithm

CSPF Algorithm
The slide highlights the topic we discuss next.

Chapter 4-8 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

.. Modified shortest-path-first algorithm

III Integrates TED data
IGPtopology information, available bandwidth, and
Administrative group
.. Determines optimal path and setup order according to
user-provided constraints

Maximum hop count (for fast reroute detours)

Bandwidth
Strict or loose routing (EROs)
Administrative groups
Priority

.. Prunes nonqualifying paths and performs SPF on

remaining routes
The result is either an ERO that is handed to RSVP for
signaling, or a no route to host error message

A Modified Shortest-Path-First Algorithm

The ingress router determines the physical path for each LSP by applying a CSPF algorithm to the
information in the TED. CSPF is a shortest-path-first (SPF) algorithm that has been modified to take
into account specific restrictions when calculating the shortest path across the network. Links that
do not comply with the restrictions are removed from the tree and cannot be factored into the
resulting SPF calculations.

TED and User Constraint Integration

CSPF integrates topology link-state information learned from IGP traffic engineering extensions and
is maintained in the TED. The information stored in the TED includes attributes associated with the
state of network resources (such as total link bandwidth, reserved link bandwidth, available link
bandwidth, and link color). When calculating a path, the CSPF algorithm factors in user-provided
constraints such as bandwidth requirements, maximum allowed hop count, and administrative
groups, all of which are obtained from user configuration.
Continued on next page.

www.juniper.net

Constrained Shortest Path First Chapter 4-9

Junos MPLS and VPNs

Prune Nonqualifying Links

As CSPF considers each candidate node and link for a new LSP, it either accepts or rejects a specific
path component based on resource availability and whether selecting the component violates a user
provided constraint. The output of a successful CSPF calculation is an explicit route consisting of a
sequence of router addresses that provides the shortest path through the network that meets all
provided constraints. This explicit route is then passed to the RSVP-signaling component, which
establishes forwarding state in the routers along the LSP. When no compliant route can be found, the
output of the CSPF algorithm is a rather generic no route to host error message.

Chapter 4-10 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

User
Constraints

1) Store information from IGP flooding

2) Store traffic engineering information (TED)
3) Examine user-defined constraints
4) Calculate the physical path for the LSP
5) Represent path as an explicit route
6) Pass ERO to RSVP for signaling

Ingress LSR Operations

The slide lists the six primary aspects of the CSPF process from the perspective of the ingress
label-switching router (LSR). We describe each CSPF component in the following list:

1.

2.

Information Propagation: Traffic engineering extensions to either Intermediate

System-to-Intermediate System (IS-IS) or Open Shortest Path First (OSPF) carry traffic
engineering topology information.
Information Storage: The router stores traffic engineering link-state information in the

TED.
3.

User Constraints: The user specifies constraints for a specific LSP through configuration
settings.

4.

Physical Path Calculation: The CSPF algorithm finds the shortest path based on links
that comply with user-provided constraints.

Continued on next page.

www.juniper.net

Constrained Shortest Path First Chapter 4-11

Junos MPLS and VPNs

Ingress LSR Operations (contd.)

The following list is a continuation of the CSPF components:

5.

Explicit Route Generation: The router forms a complete list of EROs that describes the
sequence of nodes and links representing the shortest compliant path between ingress
and egress LSRs.

6.

RSVP-signaling: The router passes the computed ERO list to RSVP for LSP signaling.
Note that because the TED contains a relatively up-to-date view of the entire network's
current state, a high probability exists that the RSVP-signaled LSP will succeed. Put
another way, if no path in the network meets a provided constraint, CSPF does not
compute an ERO list, and RSVP does not even attempt to signal an LSP that would be
doomed to failure anyway. Last minute changes in the state of the network might result
in the TED being slightly out of date, and this can lead to RSVP path signaling failures
until the TED is again synchronized with the true state of the network.

Chapter 4-12 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

l1li

IGP extensions propagate additional information

IS-IS uses TLV tuples
OSPF uses opaque LSA Type 10
Information propagated within area or level only

l1li

Infor/11ation propagated:
Bandwidth available
Administrative Groups (link colors)
Router ID

IGP Extensions
Both OSPF and IS-IS can propagate additional information through some form of extension. IS-IS
carries different parameters in type/length/value (TLV) tuples, which are propagated within a level;
these TLVs do not propagate between levels. OSPF, on the other hand, uses Type 10 opaque LSAs to
carry traffic engineering extensions. Type 10 LSAs have an area flooding scope, meaning that the
information is propagated within a given area only; OSPF traffic engineering extensions do not cross
area border routers (ABRs). The MPLS Traffic Engineering Information carried by these IGP
extensions is defined in RFCs 3630 and 4203 for OSPF, and RFCs 3784 and 4205 for IS-IS.

Information Propagated
The TLVs listed here are based on IS-IS traffic engineering extensions. OSPF supports more or less
the same parameters; the primary difference is how the extended information is propagated (TLV
versus opaque LSA).
Router ID (TLV 134): Single stable address, regardless of node's interface state. The
/32 prefix for router ID should not be installed into the forwarding table or it can lead to
forwarding loops for systems that do not support this TLV.
Extended IP Reachability (TLV 135): One bit used for route leaking (up/down bit);
extends metrics from 6 bits to 32 bits.

Continued on next page.

www.juniper.net

Constrained Shortest Path First Chapter 4-13

Junos MPLS and VPNs

Information Propagated (contd.)

Extended IS Reachability (TLV 22): Contains information about a series of neighbors.
Consists of the following sub-TLVs:
IPv4 Neighbor Address (Sub-TLV 8).
Maximum Link Bandwidth (Sub-TLV 9): A 32-bit field, Institute of Electrical and
Electronics Engineers (IEEE) floating point format. Units are bytes per second and
unidirectional.
Maximum Reservable Bandwidth (Sub-TLV 10): A 32-bit field, IEEE floating point
format. Units are bytes per second and unidirectional. Supports over subscription
(can be greater than link bandwidth).
Unreserved Bandwidth (Sub-TLV 11): A 32-bit field, IEEE floating point format.
Units are bytes per second. A value is specified for each priority level 0 through 7.
Traffic Engineering Default Metric (Sub-TLV 18): A 24-bit unsigned integer.
Resource Class/Color (Sub-TLV 3): Specifies administrative group membership
(also known as affinity class). Up to 32 different groups. Each group is
represented by a different bit.
OSPF traffic engineering extensions include the following TLVs. Note that these extensions are
silently discarded by non-traffic-engineering-aware routers in accordance with opaque LSA
processing rules.
Router TLV: Stable IP address of advertising router.
Link TLV: Composed of the following sub-TLVs:
Link Type: PP or multiaccess.
Link ID: Identifies other end of link. A designated router is identified if the link is
used for multiaccess.
Local Interface Address: IP address of the link; advertising router address if
unnumbered link.
Remote Interface IP Address: Neighbors' IP address; first two octets 0 if
unnumbered, remaining octets are local interface index assignment. This sub-TLV
and local address used to discern multiple parallel links between systems.
Traffic Engineering Metric: Link metric for traffic engineering. Might be different
than the OSPF link metric.
Maximum Bandwidth (Unidirectional): A 32-bit IEEE floating point format. Bytes
per second.
Maximum Reservable Bandwidth: A 32-bit IEEE floating point format. Over
subscription supported. Bytes per second.
Unreserved Bandwidth: Unreserved bandwidth for each of the eight priority
levels. Bytes per second. 32-bit IEEE floating point format. Each value less than
or equal to maximum reservable bandwidth.
Resource Class/Color: Specifies administrative group membership (also known
as affinity class). Up to 32 different groups. Each group is represented by a
different bit.

Chapter 4-14 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

user@Rl> show ospf database opaque-area detail

OSPF database, Area 0.0.0.0
OpaqArea*1.0.0.3
192.168.2.1
Area-opaque TE LSA
Link (2), length 100:
Linktype (I), length 1:

Ox80000002

Ox22 Oxe2c

124

LinkID (2), length 4:

172.22.220.2
LoclfAdr (3), length 4:
172.22.220.1
RemlfAdr (4), length 4:
0.0.0.0
TEMetric (5), length 4:
1

MaxBW (6), length 4:

1000Mbp5
MaxRsvBW (7), length 4:
1000Mbps
UnRsvBW (8), length 32:
Priority 0, lOOOMbps
Priority 1, 1000Mbp5
priority 2, lOOOMbps
priority 3, 1000Mbps
Priority 4, 1000lVlbps
Priority 5, 1000Mbps
priority 6, 1000Mbps
Priority 7, 1000Mbps
Color (9), length 4:

IGP Extensions: OSPF

The capture shown on the slide provides an example of an IGP update that also carries traffic
engineering extensions for distribution to the TED. By default, the IGP only sends an update message
if the available link bandwidth changes by greater than 10%. The update threshold command
(covered later in this chapter) allows you to alter this default behavior. The highlighted portion of the
slide calls out the following attributes:

Unreserved bandwidth indicates the reservable bandwidth by priority level for a

given link;
Maximum reservable bandwidth indicates the total reservable bandwidth for a
given link;
Maximum bandwidth communicates the total bandwidth forthe link; and
Color identifies the hexadecimal bit mask used to associate affinity classes
(administrative groups) with this link.

www.juniper.net

Constrained Shortest Path First Chapter 4-15

Junos MPLS and VPNs

III

RSVP interface bandwidth refresh

Tune the IGP update threshold for RSVP interface bandwidth
Use the update threshold

thresho~d

% (1 .. . 20)

command under RSVP interface

Default update threshold set to 10%

Interface Bandwidth Refresh

The Junos operating system propagates changes in bandwidth according to a configured threshold
percentage. By default, updates are sent only if the bandwidth changes by 10%. However, you can
configure the update threshold to be a percentage from 1 to 20.

Chapter 4-16 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

III

Used exclusively for calculating explicit LSP paths

across the physical topology
Maintains traffic engineering information learned fmm IGP
extensions

III

Contains:
Up-to-date network topology information
Current unreserved bandwidth of links
Link administrative groups (colors)
Link priority information

Used Exclusively for LSP Path Computation

Each router maintains network link attributes and topology information in its TED. The TED is used
exclusively for calculating explicit paths for the placement of LSPs across the physical topology.
Because the TED does not know about existing LSPs, the TED does not allow a CSPF LSP to form over
an LSP (because a non-CSPF LSP consults the routing table on a hop-by-hop basis to forward the
RSVP messages, a non-CSPF LSP might try to form over an existing LSP) if features like forwarding
adjacencies or traffic engineering shortcuts are enabled.

TED Contents
CSPF uses the TED to calculate explicit paths across the physical topology. It is similar to IGP
link-state database (LSDB) and relies on extensions to the IGP, but it is stored independently of the
IGP database.
Traffic engineering requires detailed knowledge about the network topology as well as dynamic
information about network loading. The information distribution component is implemented by
defining relatively simple extensions to the IGPs so that link attributes are included as part of each
router's link-state advertisement (LSA). The standard flooding algorithm used by the link-state IGPs
ensures that link attributes are distributed to all routers in the routing domain. Some of the traffic
engineering extensions to be added to the IGP link-state advertisement include maximum link
bandwidth, maximum reserved link bandwidth, current bandwidth reservation levels, and link
coloring.

www.juniper.net

Constrained Shortest Path First Chapter 4-17

Junos MPLS and VPNs

user@Rl> show ted database extensive

TED database: 0 ISIS nodes 31 INET nodes
NodeID: 192.168.1.1
Type: ---, Age: 588 secs, LinkIn: 2, LinkOut: 0
NodeID: 192.168.2.1
Type: Rtr, Age: 9 sees, LinkIn: 2, LinkOut: 2
Protocol: OSPF(O.O.O.O)
To: 172.22.220.2-1, Local: 172.22.220.1, Remote: 0.0.0.0
Local interface index: 0, Remote interface index: 0
Color: Ox20 gold
Metric: 1
Static BW: 1000Mbps
Reservable BW: 1000Mbps
Available BW [priority] bps:
[0] 1000Mbps
[1] 1000Mbps
[2] 1000Mbps
[3]
[4] 1000Mbps
[5] 1000Mbps
[6] 1000Mbps
[7]
Interface switching Capability Descriptor(l):
switching type: Packet
Encoding type: Packet
!Vlaximum LSP BW [priority] bps:
[0] 1000Mbps
[1] 1000Mbps
[2] 1000Mbps
[3]
[4] 1000Mbps
[5] 1000Mbps
[6] 1000Mbps
[7]

1000Mbps
1000Mbps

1000Mbps
1000Mbps

Analyzing the TED

Each router maintains network link attributes and topology information in a specialized TED. The TED
is used exclusively for calculating explicit paths for the placement of LSPs across the physical
topology. A separate database is maintained so that the subsequent traffic engineering computation
is independent of the IGP and the IGP's link-state database. Meanwhile, the IGP continues its
operation without modification, performing the traditional shortest-path calculation based on
information contained in the router's link-state database. There is only one TED, and it can be
populated only from the default routing instance.
The TED shows the total number of IS-IS nodes and inet nodes. Each broadcast domain DATA LINK
LAYER generates a pseudonode to represent the network. The portion of the TED shown represents
a node: the type field indicates Rtr (router). It could also indicate Net (network) if it were a
pseudonode. The node has two input and output links running OSPF Area 0 (only one link is shown in
the slide). One link leads to a router with the IP address of 172.22.220.2.
The TED also includes detailed traffic engineering information for each link. This information
includes administrative groups, metrics, static bandwidth, reservable bandwidth, and available
bandwidth by priority level.

Continued on next page.

Chapter 4-18 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

Analyzing the TED (contd.)

The Local: and Remote: fields in the show ted database extensive command output
specify IP address information about the link. Four different combinations of Local: and Remote:
values are possible. If both fields contain nonzero IP addresses, the link is a point-to-point link. If the
both fields are 0. 0. 0.0, the link represents a pseudonode.lf only the Remote: value is 0.0.0.0,
the link is a LAN interface. Finally, if only the Local: value is o. 0.0.0, the link is an unnumbered
interface.

www.juniper.net

Constrained Shortest Path First Chapter 4-19

Junos MPLS and VPNs

r
II

User-defined constraints
influence path selection
Bandwidth requirements*
Hop count limitations (for fast
reroute)
Administrative groups (colors)
Priority (setup and hold)*
Explicit route (strict or loose)*

User-Provided Constraints
You can influence the outcome of the CSPF path selection process by specifying one of more of the
following constraints when defining an RSVP-signaled LSP:
Bandwidth: The bandwidth to reserve forthis LSP. The reserved bandwidth is calculated
against each link's available bandwidth. The available bandwidth is the bandwidth
remaining after the subscription factor is applied to the link and all existing link
subscriptions are removed.
Hop count: The maximum number of hops to extend the path to bypass the next
downstream node when creating a fast-reroute detour.
Link color: Administrative groups, also known as link coloring or resource class, are
manually assigned attributes that describe the color of links, such that links with the
same color conceptually belong to the same class. You can use administrative groups to
implement a variety of policy-based LSP routing controls.
Priority: Specifies the setup and hold priority for the LSP. New setup priorities are
compared with existing hold values. When not enough bandwidth is available to satisfy
all LSPs concurrently, a given link is considered in the path only when the new LSP's
setup priority is stronger tilan the hold priority of existing LSPs.

EROs: Both CSPF and non-CSPF LSPs can be constrained with one or more ERO routing
directives.

Chapter 4-20 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

III

For LSP = (highest priority) to (lowest priority):

1. Prune links with insufficient bandwidth
2. Prune links that do not contain an included color
3. Prune links that contain an excluded color
4. Calculate shortest path from ingress to egress consistent
with ERO
5. If equal-cost paths exist. choose the path whose last hop
address equals the LSP's destination
6. Select among equal-cost paths (least hop, then fill related
criteria)
7. Pass explicit route (ERO) to RSVP

How CSPF Selects a Path

The CSPF algorithm computes the path of LSPs one at a time, beginning with the highest-priority LSP
(the one with the numerically lowest setup priority value). We cover LSP priority settings in the next
chapter. Among LSPs of equal priority, CSPF begins with those that have the highest bandwidth
requirement. For each such LSP, the following sequence is executed:
1.

Prune the topology database (TED) of all the links that are not full duplex and do not
have sufficient reservable bandwidth.

2.

If the LSP configuration contains an include-any statement, prune all links that do
not have at least one of the included colors assigned, including those links with no color
assigned. If the LSP configuration contains an include -all statement, prune all
links that do not have all of the included colors assigned.

3.

Ifthe LSP configuration contains an exclude statement, prune all links that contain
excluded colors; links with no color are not pruned.

4.

Find the shortest path towards the LSP's egress router, taking into account ERO
constraints. For example, if the path must pass through Router A, two separate SPFs
are computed, one from the ingress router to Router A, the other from Router A to the
egress router.

Continued on next page.

www.juniper.net

Constrained Shortest Path First Chapter 4-21

Junos MPLS and VPNs

How CSPF Selects a Path (contd.)

The following list continues the sequence from the previous page:
5.

If several paths Ilave equal cost, choose the one whose last hop address is the same as
the LSP's destination.

6.

If several equal-cost paths remain, select the one with the fewest number of hops. If
equal-cost paths still remain, apply the CSPF load-balancing rule configured on the LSP
(least fill, most fill, or random).

7.

When a path is chosen, pass the complete ERO list to RSVP for signaling.

Chapter 4-22 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

III

Negative feedback: Path Err message handling

Maintains knowledge of Path Err message fOI' TED
calculations
Default Path Err retention for TED = 20 seconds
Can be modified with the rsvp-error-hold-time

hold-time (0 ... 240 sec) statement

Negative Feedback
Junos os automatically retains knowledge of RSVP Path Err messages for a short period oftime. This
knowledge prevents the TED from resignaling in the same direction that caused the original error. By
default, the system maintains knowledge of Path Err messages for 20 seconds, configurable from
o to 240 seconds in the [edit protocols mplsJ hierarchy with the
rsvp-error-hold-time command.

www.juniper.net

Constrained Shortest Path First Chapter 4-23

Junos MPLS and VPNs

~CSPF Tie Breaking

CSPF Tie Breaking

The slide higlllights the topic we discuss next.

Chapter 4-24 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

II

The following terms and formulas are used in

breaking CSPF ties:
Reservable bandwidth
Link bandwidth x link subscription factor

Available bandwidth
Reservable bandwidth minus the sum of the LSP bandwidths
traversing the link

Available bandwidth ratio

Available bandwidtlljreservable bandwidth

Minimum available bandwidth ratio (for a path)

Smallest available bandwidth ratio of tile links tllat comprise a
path

CSPF Tie-Breaking Terms

The terms and formulas shown on the slide are used by the CSPF algorithm to break CSPF ties. You
should familiarize yourself with these terms and formulas to understand the various CSPF
tie-breaking behaviors available in Junos OS. We explain these terms on subsequent pages.

www.juniper.net

Constrained Shortest Path First Chapter 4-25

Junos MPLS and VPNs

III

Random:
Default behavior; chooses a path at random from set of
equal-cost alternatives
.. Tends to balance total number of LSPs over all available
paths

III

Least fill:
.. Finds the path with the largest minimum available
bandwidth ratio

III

Most fill:
.. Prefers the path with the smallest minimum available
bandwidth ratio

l1li

Configured at the [edit protocols mpls

label-swi tched-path pa th-name] hierarchy

Random
If more than one path is available after running the CSPF algorithm, a tie-breaking rule is applied to
choose the path for the LSP. Three tie-breaking rules are available: random, least fill, and most fill.
The actual rule used depends on the specifics of your configuration. The default tie-breaking method
is random, which, as you might surmise, chooses one of the qualifying paths at random. This rule
tends to place an equal number of LSPs on each link, regardless of the available bandwidth.

Least Fill
The least-fill option chooses the path with the largest minimum available bandwidth ratio. This rule
tries to equalize the reservation levels on each link. This form of load balancing might be preferred
when the goal is to minimize the total number of LSPs that are disrupted when a link failure occurs.

Continued on next page.

Chapter 4-26 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

Most Fill
The most-fill option prefers the path with the smallest minimum available bandwidth ratio. This rule
tries to fill a link before moving traffic to alternative link and might be preferred in certain
usage-based billing environments where bulk discounts are gained by consolidating as much traffic
onto as few links as possible. The most-fill option tends to fully pack your lower bandwidth links first.
such that your highest bandwidth links remain available for LSPs with large bandwidth requirements,
which is another possible motivation for using this type of load balancing.

Configuration
To explicitly configure a tie-breaking behavior, include the random, least - fill, or most- fill
statement atthe [edit protocols mpls label-switched-path path-name] hierarchy
level. Note that you do not have to explicitly configure random load balancing as this is the default.

www.juniper.net

Constrained Shortest Path First Chapter 4-27

Junos MPLS and VPNs

lin ks Fast Ethernet

Available bandwidth ratio

IGP= IS-IS
AIIIGP path metrics equal

III

Which path
will a new LSP
with a 12-Mbps
bandwidth request take?

Analysis of Least-Fill Operation

Because all four patlls shown in the example on the slide have equal metric costs (note that the
information provided on the slide indicates that default IS-IS metrics are not in use), select the path
that has the most available bandwidth. (Remember that you are selecting the path that is least full
on a percentage basis; therefore, it has the largest available bandwidth.)
Amongst the two lower hop count links, the top path has the largest minimum available bandwidth
ratio. Least fill is desirable when you want to smooth out the overall bandwidth that is available on all
your links.

Chapter 4-28 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

All links Fast Ethernet

IGP~

IS-IS

All IG P path metrics eq ua I

III

Available bandwidth ratio

65J

Which path
will a new LSP
with a 12-Mbps
bandwidth request take?

Analysis of Most-Fill Operation

Because all four paths shown in the example on the slide have equal metric costs (note again that
default IS-IS metrics are not in use), select the path that has the least available bandwidtll ratio.
(Remember that you are selecting the path that is most full on a percentage basis; therefore, it has
the smallest available bandwidth.) Amongst the two lower hop count links, the bottom path has the
smallest minimum available bandwidth ratio.
You might configure most fill load balancing when you want to fully pack your lower bandwidth links
first so that your higher bandwidth links remain available for LSPs with large bandwidth
requirements.

www.juniper.net

Constrained Shortest Patll First Chapter 4-29

Junos MPLS and VPNs

Top and bottom links are

GE, middle links
areFE

III

Using
least-fill load
balancing, which 430M
path will a new LSP
with a 12-Mbps bandwidth
request take?

Do you find this odd?

An Interesting Question
Step 6 of the CSPF algorithm, as explained on a previous page, indicates that if no decision is
reached after the router processes the first five steps of the algorithm, the paths with the smaller
hop count are selected. When multiple paths remain, the tie-breaking algorithm moves on to
consider fill-related criteria.
Because least fill looks for the largest available bandwidth ratio, you might expect the middle links to
be selected because they have 95 and 85 available bandwidth ratios. However, these links are not
chosen because they have more hops. The two outer paths have their available bandwidth ratios
compared because they have lower (and equal) hop counts. Therefore, the bottom path, which has
an available bandwidth ratio of 57 ((1000-430)11000) is selected over the top link, which has an
available bandwidth ratio of 50 ((1000-500)/1000).
Note that the same logic is followed regardless of the actual bandwidth available on a link. For
example, if the outer paths were Fast Ethernet links with lower available bandwidth ratios than the
two middle paths-which could be Gigabit Ethernet with really high available bandwidth ratios-the
CSPF hop count rule will still eliminate the middle links due to their higher hop-counts. Even if the
Gigabit Ethernet links have huge amounts of percentage or actual bandwidth available, the hop
count rule holds sway over what paths are considered equal, and therefore subject to a
load-balancing decision.

Chapter 4-30 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

All lin ks 100% su bscri ption factor

Each link shows reserved bandwidth
IS-IS IGP; all paths equal metrics
Top links are FE
Bottom links are GE

II

Using
least-fill load
balancing, which
path will a new LSP
with a 4-Mbps bandwidth
request take?

Do you find this odd?

Another Interesting Question

Because all four paths have equal metric costs in the example on the slide, you must first look at hop
counts, and then available bandwidth ratios, to find the correct answer to this riddle,
The middle two paths have available bandwidth ratios of 90 and 99, the top link has an available
bandwidth ratio of 95, and the bottom link 11as an available bandwidth ratio of 80. In this case, the
outer two links have lower hop counts, and therefore, only these links factor into available bandwidth
ratio comparisons. The top path has the larger available bandwidth ratio, which causes it to be
selected by the least fill algorithm.
The point here is that the Fast Ethernet link has more bandwidth percentage available than the
Gigabit Ethernet link in this example. Therefore, even though the total bandwidth available on the
Gigabit Ethernet is much greater than that of a Fast Ethernet interface, the LSP will be routed over
the Fast Ethernet links based on the bandwidth percentages.

www.juniper.net

Constrained Shortest Path First Chapter 4-31

Junos MPLS and VPNs

-7 Administrative

Groups

Administrative Groups
The slide highlights the topic we discuss next.

Chapter 4-32 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

III

Thirty-two named groups, 0 through 31-carried as

32-bit value in IGP updates
Groups assigned to interfaces
Also referred to as color or link affinity

.;::::::------.".

S;I~c I
San

,~

Francisco'

'\,

Bronze

-----.

'-----jr-----:;~

............

Administrative Group Overview

Administrative groups allow you to constrain the routing of an LSP to the set of links that meet the
prescribed administrative groupings. Each interface can support 32 different administrative groups.
The administrative groups associated with each interface is communicated through the extended
IGP for storage in the TED. When the ingress router performs a CSPF computation, it includes or
excludes links based on their associated colors, as specified in the LSP's definition. The net result is
that the routing of the LSP will be controlled by its need to avoid, or make use of, links with the
specified colors.
If you use administrative groups, you must configure them identically on all routers participating in
an MPLS domain. Great confusion results when a pair of routers do not agree on the color
associated with mutually attached link. You can assign more than one administrative group to each
physical link, or you might opt to leave one or more links uncolored by not assigning any
administrative group values.

www.juniper.net

Constrained Shortest Path First Chapter 4-33

Junos MPLS and VPNs

III

Colors advertised on a per-link basis using IGP

.. Using hexadecimal-for example, OxCOOOOOOE

III

Colors assigned on router:

.. Internal management-for example, bronze, silver, gold, etc.

IGP Advertisements
A traffic engineering aware IGP communicates the administrative group of each interface as a 32-bit
(4 bytes) bit mask. Each of the bit values in 32-bit sequence represents a different administrative
group.

Color Assignments
Each bit value is correlated through configuration to a human-friendly name within Junos OS. This
capability helps to simplify router management, as the name silver often means more to the typical
human than the hexadecimal value of Ox02, for example.
These names are often assigned as colors, but they do not have to be a color; they can be any
descriptive term you want. Each link can have one or more bits enabled, and can therefore be
associated with one or more colors simultaneously. The colors advertised by each link are displayed
in both hexadecimal and in symbolic form in the output of show ted database extensive
command. When multiple bits are set in the TED, the order of the colors displayed correlates to the
order of the bits that are set. When no colors are assigned, the 32 bits default to all zeros
(OxOOOOOOOO).

Chapter 4-34 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

[edit protocols 1
u5er@R1# show
mp15 {
admin-groups
gold 1;
silver: 2;
br:onze 3;
manageme n t 30;
internal 31;

Colors
defined

--~

- l j Uj u.nO {
admin-group [g",old manageme ntJl

interface ge-1/0/1.221 {
admin-group silver:;
interface ge-1/0/2.222 {
admin-group gold;

(
Colors
assigned

interface ge-1/0/3.223 {
admin-group gold;

Configuring Administrative Groups

You configure administrative groups under the [edit protocols mpls] hierarclw by defining
the group names and their associated bit values. The bit values can range from 0 to 31. Note that
the actual group name is for local reference only, which means that the exact spelling and case need
not be identical between all routers in the traffic engineering domain.
You should configure all defined groups that are in use within the traffic engineering domain on all
routers, even though a particular group might not be assigned to any interfaces on every router. This
configuration is necessary because undefined administrative groups referenced in a LSP definition
prevent your candidate configuration from committing.
After defining all groups, you next associate one or more groups with each router interface. You
reference the symbolic name that is associated with each group when assigning groups to your
interfaces. Recall that you can configure multiple group names on a single interface.
In this example, the configuration for interface ge-1/0/0.220 is not a typographical error. The two
administrative groups assigned to this interface are, in fact, gold and management.

www.juniper.net

Constrained Shortest Path First Chapter 4-35

Junos MPLS and VPNs

III

CSPF can factor include-any, include-all, and

excl ude constraints into the path calculation
[edit Pl:'otocols]
USel:'@R1!f show
mpls {
label-switched-path to-miami
to 1.1.1.1;

use

go

admin-gl:'oup {
Logical AND

}
path

incIUde-any [ gold silvel:' ];

include-all [ pl:'emium customel:'
exclude [ bl:'onze il:'on ],

use-fargo {
10.0.1.2 loose;
Logical OR

Using Administrative Groups

If you omitthe include-any, include-all, and exclude statements, the LSP's path
calculation proceeds unchanged using the default CSPF path selection criteria. When you configure
an include-any list, only links that contain one or more of the specified administrative groups are
included in the SPF calculation. In other words, a logical OR is performed on the administrative
groups in the include-any statement. When you configure an include-all list, only links that
contain all of the specified administrative groups are included in the SPF calculation. In other words,
a logical AND is performed on the administrative groups in the include-all statement. Finally,
when you configure an exclude list, links that contain any of the specified administrative groups
present are automatically excluded from the SPF calculation. In other words, a logical OR is
performed on the administrative groups in the exclude statement. Links that do not have an
administrative group assigned are automatically disqualified by an include-any or
include-all list; such uncolored links can be included in the SPF calculation when only
exclude criteria is defined.
When you specify more than one include-any, include-all, and exclude lists for a given
LSP, each link considered in the SPF calculation must comply with all lists. This behavior mimics the
functionality of a logical AND.
Changing an LSP's administrative group causes an immediate recomputation of its routing, which
might result in the LSP being rerouted.

Chapter 4-36 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

III

Use show mpls interface command to display

the administrative groups that have been assigned to
each interface

usec@R1> show mp1s interface

Intecface

state

Administcative gcoups

ge-1/0/0.220

Up

gold

ge-1/0/1. 221

Up

gold

Displaying Administrative Group Assignments

You can quickly verify the colors assigned to each MPLS-enabled interface using the show mpls
interface command. This command also confirms whether or not the mpls family is declared
under the correct logical unit in the [edit interfaces] hierarchy. If the interface does not show
up, the MPLS family is not defined for that interface.

www.juniper.net

Constrained Shortest Path First Chapter 4-37

Junos MPLS and VPNs

III

Choose the IGP's best path from A to I

IGPMetrics

Administrative Groups I: IGP Routing

In this initial example, you must determine the shortest path from A to I according to the perspective
of the IGP. Each link displays the associated IGP metric value. It should not take you long to
determine that the IGP's shortest path from A to I is path A-D-E-G-I, with a total cost of 6.
This calculation reflects normallGP processing and therefore, tile default routing of an
RSVP-signaled LSP. You can influence LSP routing with the inclusion of administrative constraints, as
is demonstrated in subsequent pages in this section.

Chapter 4-38 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

II

Path A-D-E-G-I has the lowest IGP metric (6)

Administrative Groups I: The Solution

This slide displays the solution to the question asked on the previous slide. In this case, the IGP's
shortest path has a metric of 6 and consists of the path A, D, E, G, and I.

www.juniper.net

Constrained Shortest Path First Chapter 4-39

Junos MPLS and VPNs

III

Choose the path from A to I according to:

[edit pcOtOC015 mp15j
u5ec@cA# show
label-switched-path to-I
to 1.1.1. U
pdmacy pdmaqr-path
admin-gcoup include-any [ gold silver

j;

Administrative Groups II: Include-Any Constraints

The LSP definition in this example requires that the link include either the color gold or the color
sil ver. The CSPF algorithm begins by pruning the following links because they do not include the
required colors: A-B, A-D, C-D, B-E, B-G, D-E, E-G, D-H, F-H, G-H, or H-1. The links that do comply with
the constraints are A-C, C-F, F-G, and G-1.
A shortest path is computed from the links that remain, which in this case yields only one viable
path. The only path available, given these constraints, is shown on the next slide.

Chapter 4-40 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

.. Path A-C-F-G-I uses only gold or sil ver links

Administrative Groups II: The Solution

This slide displays the solution to the question asked on the previous slide. In this case, the only path
meeting the provided include-any constraints consists of the path A, C, F, G, and I.

www.juniper.net

Constrained Shortest Path First Chapter 4-41

Junos MPLS and VPNs

III

Choose the path from A to I according to:

[edit pcotocols mpls]
usec@cA# show
label-switched-path to-I
to 1.1.1.1;
pcimacy pcimacy-path
admin-gcoup {
include-any [ coppec bconze ];
exclude admin;

Administrative Groups III: Include-Any and Exclude Constraints

The LSP definition in this case requires that the link include either the copper or bronze colors,
while a/so excluding the admin color. Put another way, a qualifying link can include copper and
exclude admin, or it can include bronze and exclude admin. The CSPF algorithm begins by
pruning the following links because they do not include the required colors: A-C, A-B, C-F, C-D, F-G,
F-H, and G-1.
The CSPF algorithm then prunes the following links because they are associated with an excluded
color: D-H. Note that links A-B and F-H are already excluded by virtue of the incl ude-any
constraint but that link D-H passes the include -any constraint, and so it is not pruned until the
exclude constraint is processed.
The links that pass both sets of constraints are A-D, D-E, E-B, B-G, E-G, G-H, and H-1. A shortest path
is now computed from the compliant links. In this case two possible paths exist: A-D-E-B-G-H-I, with a
cost of 19, and A-D-E-G-H-I, with a cost of 13. The CSPF algorithm selects the metrically shorter of
the two paths, which results in the routing of the LSP over the path A-D-E-G-H-1.

Chapter 4-42 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

III

Path A-D-E-G-H-I is the shortest path excl uding the

adnun class and including coppe1..~ or bronze

Administrative Groups III: The Solution

This slide displays the solution to the question asked on the previous slide. In this case, the
metrically shorter of the two paths meeting both the include-any and exclude constraints
consists of the path A, D, E, G, H, and I.

www.juniper.net

Constrained Shortest Path First Chapter 4-43

Junos MPLS and VPNs

III

Choose the path from A to H using:

[edit pcotocols mpls]
usec@cA# show
label-switched-path to-H
to 2.2.2.2;
pcimacy pcimacy-path
admin-gcoup {
include-any [ coppec bconze ];
exclude admin;

Administrative Groups IV: Include-Any and Exclude Constraints

The LSP definition in this case once again requires that the link include either the copper or
bronze colors, while also excluding the admin color. Note that the destination node and the cost of
the G-H link has been changed from previous examples.
The CSPF algorithm begins by pruning the following links because they do not include the required
colors: A-C, A-B, C-F, C-O, F-G, and F-H. The CSPF algorithm then prunes the following links because
they are associated with the excluded color: O-H. Note that links A-B and F-H are already excluded by
virtue of the include -any constraint but that link O-H passes the include-any constraint, and
so it is not pruned until the exclude constraint is processed.
The links that pass both sets of constraints are A-O, O-E, E-B, B-G, E-G, G-I, G-H, and H-1. A shortest
path is now computed from the set of compliant links. In this case, four possible paths exist:
A-O-E-B-G-H (cost 14), A-O-E-G-H (cost 8), A-O-E-B-G-I-H (cost 13), and A-O-E-G-I-H (cost 7). The CSPF
algorithm selects the metrically shorter of these paths, resulting in the routing of the LSP over the
path A-O-E-G-I-H.
Note that the path chosen in this example has the lowest metric but not necessarily the lowest hop
count. The metric variation in this example results from the fact that it is metrically closer to traverse
both the G-I and I-H links (2) than it is to cross the G-H link directly (3).

Chapter 4-44 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

II

Path A-D-E-G-I-H is the shortest path excluding the

admin class and including copper or bronze

Administrative Groups IV: The Solution

This slide displays the solution to the question asked on the previous slide. In this case, the
metrically shorter of the paths that meets both the include-any and exclude constraints
consists of the path A, D, E, G, I, and H.

www.juniper.net

Constrained Shortest Path First Chapter 4-45

Junos MPLS and VPNs

III

Choose the path from A to H using:

[edit protocols mpls]
user@rA# show
label-switched-path to-H
to 2.2.2.2;
primary primary-path {
admin-group include-all [ gold silver ];

Administrative Groups V: Include-All Constraints

In this case, the LSP definition requires that the link include both the gold and sil ver colors.
The CSPF algorithm begins by pruning the links that do not include the required colors. In this
example, no link includes both the gold and sil ver colors. Therefore, all links are pruned from
consideration and the LSP setup fails because there is no path that meets the defined constraints.

Chapter 4-46 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

III

No path between A and H exists that incl udes both

gold and sil ver so LSP setup fails

Administrative Groups V: The Solution

This slide displays the solution to the question asked on the previous slide. In this case, there is no
path between A and H that meets the defined constraints. LSP setup fails.

www.juniper.net

Constrained Shortest Path First Chapter 4-47

Junos MPLS and VPNs

III

Will CSPF prune link C-O when choosing the path

from A to H using this constraint?

[edit protocols mpls]

user@rA# show
label-switched-path to-I
to 1.1.1.1;
primary primary-path
admin-

Test for Understanding

The answer to the question on the slide is no. The CSPF algorithm prunes links that do not have the
specified include colors or that specifically match any specified exclude colors. In this example,
there are no include constraints, and therefore, CSPF does not prune the C-D link. Note that the
provided excl ude color in this case is admin; because link C-D has no color, it is considered to
meet the constraints provided.

Chapter 4-48 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

III

In this chapter, we:

Described the path selection process of RSVP-signaled LSPs
without the use of the CSPF algorithm
Described the IGP extensions needed to build and maintain
a TED
Explained how the CSPF algorithm selects the best path
based on provided constraints
Explained how administrative groups can be used to
influence path selection

This Chapter Discussed:

RSVP-signaled LSPs without the use of the CSPF algorithm;
IGP extensions used to build the a TED;
Path selection process of the CSPF algorithm; and
The usage of administrative groups.

www.juniper.net

Constrained Shortest Path First Chapter 4-49

Junos MPLS and VPNs

1. Describe how IS-IS and OSPF support traffic

engineering extensions that build the TED.

2. List three user inputs to the CSPF algorithm.

3. What is the default CSPF tie-breaking algorithm?
4. Describe how administrative groups can be used to
control path selection.

Review Questions
1.

2.

3.

4.

Chapter 4-50 Constrained Shortest Path First

www.juniper.net

Junos MPLS and VPNs

III

III

Configure RSVP LSPs that reserve bandwidths in the

network.
Assign administrative groups to interfaces, and signal
LSPs using those group values.

Lab 3: CSPF
The slide provides the objectives for this lab.

www.juniper.net

Constrained Shortest Path First Chapter 4-51

Junos MPLS and VPNs

Chapter 4-52 Constrained Shortest Path First

www.juniper.net

Junl~f~r
Junos MPlS and VPNs
Chapter 5: Traffic Protection and LSP Optimization

Junos MPLS and VPNs

III

After successfully completing this chapter, you will be

able to:
.. Describe the default traffic protection behavior of RSVPsignaled LSPs
.. Describe primary and secondary LSPs
.. Explain how LSP priority and preemption operate
.. Explain the configuration and operation of fast reroute
.. Describe the configuration and operation of link and node
protection
Describe LSP optimization options

This Chapter Discusses:

The default traffic protection behavior of RSVP-signaled label-switched paths (LSPs);
The use of primary and secondary LSPs;
LSP priority and preemption;
Operation and configuration of fast reroute;
Operation and configuration of link and node protection; and
LSP optimization options.

Chapter 5-2 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

~ Default Traffic Protection Behavior

III

Primary and Secondary LSPs

l1li

Fast Reroute

III

Bypass LS Ps

III

LSP Optimization

Default Traffic Protection Behavior

The slide lists the topics we cover in this chapter. We discuss the highlighted topic first.

www.juniper.net

Traffic Protection and LSP Optimization

Chapter 5-3

Junos MPLS and VPNs

II

Transit traffic will be dropped for a time when a failure

in the LSP's path occurs
Several steps must occur before traffic can be restored so
that packet drops can stop
.. The tl-affic protection methods described later in this
chapter can be used to minimize this down time
PATH
ERO= {R2, R3}

Rl
{Site 1

Site 2

R5

Network Failures
When a network failure occurs along the path of an RSVP-signaled LSP, traffic that is currently
traversing the LSP will be dropped. In the example, at the instant that the link between R3 and R4
fails, traffic that has already encapsulated in an MPLS header by Rl and forwarded downstream will
be dropped. Also, until Rl receives PathTear message forthe LSP, Rl may continue forwarding traffic
using the LSP. That traffic will also be dropped. The time that it takes for traffic flow to be restored
depends on the time it takes Rl to be notified of the failure followed as well as resignal a new LSP
that will bypass the failed link. There are several features, like fast reroute and link protection which
are described later in this chapter, that can significantly reduce down time.

Chapter 5-4 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

IIiI

R3 determines that there is a link failure between R3

and R4
Packets traversing the LSP begin dropping
R3 sends a ResvTear upstream towards the ingress router
as notification of the failure

------1>

"'......................
ResvTear

R5

Link Failure Between R3 and R4

The following slides illustrate a failure scenario using the default settings of an RSVP-signaled LSP.
That is, no traffic protection mechanism has been configured.
Transit packets begin to drop at the instant that the link between R3 and R4 fails. In response to the
link failure, R3 will send a ResvTear message upstream to R2. R2 will, in turn, send a ResvTear
upstream to R1.

www.juniper.net

Traffic Protection and LSP Optimization

Chapter 5-5

Junos MPLS and VPNs

l1li

R1 reacts to the reception of a ResvTear for the LSP

Path and Resv state blocks for LSP are removed
LSP route is removed from inet.3
In tile case of Layer 2 and Layer 3 VPNs. the associated BG P
routes become unreachable

R1 attempts to build a new LSP by sending a path message

downstream
Packets continue to drop
PATH
ERO= {R2, R3}

Rl

Link Failure

R1 Receives PathTear
When Rl receives the PathTear, it considers the LSP down and deletes the Path and Resv state
block. The LSP is no longer a valid next-hop for routes in inet.3 (or any other routing table) so the /32
route associate with the LSP in inet3 is removed. Also, any BGP routes that had been using the LSP
as a next-hop will need to have their next-hop recalculated. Now at this point, if the LSP was only
being used to forward standard IP traffic (non-VPN traffic) packet drops may stop and new packets
could be forwarded using next hops learned by using interior gateway protocol (IGP) routes in the
inet.O table. However, in a virtual private network (VPN) scenario as described in future chapters, a
route in inet.3 must exist to forward traffic for a VPN between Site 1 and Site 2. Traffic between VPN
sites might still continue to be dropped due to the lack of a valid route in the inet.3 table.
Along with the churn that occurs in the routing tables as described above, Rl will also attempt to
reestablish the failed LSP by sending a Path message downstream towards the egress router.

Chapter 5-6 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

III

A new LSP is established around the failed link

LSP route is added to inet.3
In tile case of Layer 2 and Layer 3 VPNs, the associated BG P
routes become reachable again

Packets are no longer dropped

PATH
ERO= {R2, R3)

Rl

------ ..
R5

A New LSP Is Established

Assuming the link between R3 and R4 remains in a failed state, it is possible in the example network
for a new LSP to be established using R5 as a path around the failed link, Once the LSP comes up,
the LSP's /32 route is added back into inet3 and becomes a valid and generally more preferred
destination for BGP recursive next hop calculations for routes that were learned from the egress
router, R4, At this point, packets between VPN Site 1 and 2 are no longer dropped.

www.juniper.net

Traffic Protection and LSP Optimization Chapter 5- 7

Junos MPLS and VPNs

~ Primary and Secondary LSPs

Primary and Secondary LSPs

The slide Ilighlights the topic we discuss next.

Chapter 5-8 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

III

Primary path is optional: zero or one primary path

If configured, EROs dictate physical path for LSP
If not configured, LSR makes all decisions to reach egress

III

Revertive capability
Modified with retry-timer, retry-limit, and
revert-timer
retry-timer:
Time between attempts to bring up failed primary path
Default is 30 seconds

retry-limit:
Number of failed attempts to bring up primary path
Default is 0 (unlimited retries)
If limit reached. human intervention required

revert - timer:
Minimum time the primary must be up and stable before traffic is
reverted to it
Default is 60 seconds
If set to 0 the LSP does not revert
Primary Physical Paths
Primary paths are optional. Only one primary path is permitted per LSP definition. The primary physical
path can specify loose or strict Explicit Route Object (ERO) values under the named path hierarchy.
Within the primary physical path you can specify parameters, like bandwidth or priority, that affect only
the primary physical path. As a side note, the same parameters specified at the
label-switched-path hierarchy affect both the primary and secondary physical path.

Primary Paths Revert by Default

By default, an LSP fails over to its secondary path if its primary path fails. This failover occurs even if
another physical path exists that complies with the primary path's constraints. The LSP still fails over to
a secondary path (when such a path is defined) before it attempts to resignal an alternate primary
physical path.
The router tries to resignal the primary path according to the number of seconds specified by the
retry- timer, and it attempts to resignal the primary path LSP the number of times specified by the
retry-limi t. The alternate primary physical path must be up and stable for at least the number of
seconds specified by the revert-timer before the LSP reverts back to the primary path.
Continued on next page.

www.juniper.net

Traffic Protection and LSP Optimization Chapter 5-9

Junos MPLS and VPNs

Primary Paths Revert by Default (contd.)

By default, the retry-timer is 30 seconds, the retry-limi t is 0 (unlimited retries), and the
revert-timer is 60 seconds. Setting the revert-timer to 0 means the LSP will not revert. If the
revert-timer is set to 0 or the retry-limi t is exceeded, you must manually clear the LSP to
restart signaling attempts and move traffic to the primary path.
You configure the retry- timer and retry-limi t values for individual LSPs at the [edit
protocols mpls label-switched-path lsp-name] configuration hierarchy. You can specify
the revert-timer for all LSPs at the [edit protocols mpls] configuration hierarchy orfor an
individual LSP at the [edit protocols mpls label-switched-path lsp-name]
configuration hierarchy. When specified, the per-LSP value overrides the global value.

Chapter 5-10 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

l1li

Optional: zero or more secondary paths

All secondary paths are equal
Activated based on order of listing in configuration

l1li

Standby option:
Preestablishes and maintains secondary path
Eliminates LSP signaling delays when active path fails
Additional state information must be maintained

Secondary Physical Paths

Like primary paths, secondary paths are also optional. By default, a secondary path becomes active
when a primary, or another secondary, physical path fails. Secondary paths are signaled in the order
they appear in the router configuration when multiple secondary paths are defined.
Continued on next page.

www.juniper.net

Traffic Protection and LSP Optimization Chapter 5-11

Junos MPLS and VPNs

Standby
You can specify the standby command for a secondary path. This command causes the router to
signal the secondary path, even though the secondary path is not currently needed, that is, the primary
path has not yet failed. Note that standby secondaries result in routers having to maintain additional
state in the form of the preestablished standby LSPs. When the standby option is specified at the
label-switched-path lsp-name hierarchy, the router maintains standby state for all secondary
paths. To place only selected secondaries into the standby state, specify the standby keyword at the
secondary name hierarchy, as shown here:
[edit]
user@rl# show protocols mpls 1abel-switched-path green
to 192.168.24.1;
primary one {
bandwidth 35m;
priority 6 6;
secondary two
standby;

Chapter 5-12 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

[edit protocols mpls]

user@R1# show

Prim ary or secowlary

clesignation is linl,(";(1 to::I

bandwidth 35m;
priority 6 6;

cems

172.22.220.2 strict;

!path two {
172.22.221.2 strict;
172.22.203.2 strict;
172.22.204.2 strict;

Primary and Secondary Configuration

The Junos operating system does not require that a primary and secondary path share the same
parameters. You can decide to configure your primary paths with stringent resource requirements
while your secondary paths are far more lax in their demands. Such asymmetric settings helps to
ensure that your secondary paths can be established during periods of diminished resources. In the
example on the slide, primary path one requires 35 Mbps of bandwidth while secondary path two
requires only IP reachability.

www.juniper.net

Traffic Protection and LSP Optimization Chapter 5-13

Junos MPLS and VPNs

III

Default is automatic path selection

If up and stable, the primary path is active
If not, secondary paths are tried in the order in which they
appear in the configuration
III

III

Override with select manual

or select uncondi tional path parameters
The two parameters are mutually exclusive
select unconditional:
III

Higller precedence than select manual

Path is selected as active even if it is down or degraded
III

select manual:
Path is selected as active if up and stable
Traffic reverts to this patll based on retry- timer,
retry-limit, and revert-timer

Automatic Path Selection

By default, the primary path is selected as the path to actively carry traffic, If the primary path is down or
degraded (receiving errors from downstream), the automatic path selection algorithm tries secondary
paths in the order in which they appear in the configuration, The first secondary path that is up and
stable becomes the active path, Traffic reverts to a recently restored primary path based on the
parameters previously discussed.

Overriding Default Behavior

You can override the automatic selection of the active path by specifying either select
unconditional or select manual at the [edit protocols mpls
label-switched-path lsp-name primary primary-path-name] orthe [edit
protocols mpls label-switched-path lsp-name secondary
secondary-path-name] configuration hierarchy. The two parameters are mutually exclusive, and
only one path per LSP can specify each parameter, If one path specifies select unconditional
and another path specifies select manual, the path with select unconditional takes
precedence.

Continued on next page.

Chapter 5-14 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

Overriding Default Behavior (contd.)

The select unconditional parameter forces the path to become active even if it is down or
degraded. The select manual parameter forces the path to become active as long as it is up and
stable (and select uncondi tional is not configured on another path). Ifthe path with select
manual is down or degraded, automatic path selection is used to choose the active path. Upon
restoration, traffic reverts to the path with the select manual parameter based on the settings of
retry-timer, retry-limit. and revert-timer.

www.juniper.net

Traffic Protection and LSP Optimization Chapter 5-15

Junos MPLS and VPNs

1. How do you configure an LSP that does not revert

back to a path that has failed?
2. What happens when four secondaries exist! and the
first one fails?

Check Your Knowledge

You might want to configure an alternate path through the network in case the active path fails but you
do not want the traffic to change its physical path through the network after it has failed over to the
alternate path. By default, when a primary path fails, traffic switches over to a secondary physical path,
but this traffic reverts back to the primary physical path when it is again deemed operational.
This behavior brings us to the first question on the slide: How can you configure alternate LSP paths
without chancing reversion to a path that has previously failed?
The second question is designed to test your understanding of secondary paths and how they are
handled in the face of failures.

Chapter 5-16 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

lab@R1# show protocols mpls

label-switched-path green
to 192.168.2.2;

Irevert-timer ~:~: I
primary one;
secondary bNO;

path one {
172.22.220.2 strict;
path two {
172.22.221.2 strict;

l1li

Solution: Set revert-timer to 0 for the LSP

Check Your Knowledge: Solutions

By default, Junos OS will revert back to a defined primary path. You can disable this default behavior by
specifying a value of 0 for the revert- timer. Wilen specified at the LSP level, this value affects only
a single LSP. When specified at the MPLS level, the value affects all LSPs.
An alternative solution involves the definition of secondary paths only. In this case, Junos OS brings up
the second configured secondary LSP when the first secondary path fails. Later, if the first secondary
path is capable of being used again, Junos OS continues to use the existing secondary LSP and does not
revert to the original secondary path.
The answer to the second question depends on whether or not select unconditional or
select manual is configured. If neither is configured and the primary path is absent or down,
Junos OS attempts to establish an active path by signaling each secondary LSP in the order in which
it appears in the configuration. If the first secondary physical path fails or cannot be established, the
router attempts to signal the next secondary physical path, and so on. The select
uncondi tional and select manual parameters override this behavior.

www.juniper.net

Traffic Protection and LSP Optimization Chapter 5-17

Junos MPLS and VPNs

II

Existing LSPs can be torn down to make room for

higher-priority LSPs
.. Setup priority of new LSP must be stronger than eXisting
LSP's hold priority for preemption to occur
Priority values range from 0 (strongest)to 7 (weakest)
Default priority settings prevent preemption (setup = 7 110Id = 0)
LSP's 110Id priority must be equal to or stronger than the setup
priority to prevent preemption loops

.. High-priority LSPs are signaled first and receive optimal

paths
IiiI

Soft preemption is available

[edit protocols mpls]

user@r1# show
labe1-switched-path sj-to-10
to 192.168.28.1;

interface all;

LSP Priorities and Preemption

RSVP-signaled LSPs support the notion of LSP setup and hold priorities. These priorities work together
to determine the relative priority of a new LSP that must be established versus the hold priority of
existing LSPs. When insufficient resources exist to accommodate all LSPs simultaneously, an LSP with a
strong setup priority preempts-or causes the teardown-of an existing LSP with a weaker hold priority. At
software startup, LSPs are signaled in order from strongest to weakest setup priority; this behavior
ensures that high-priority LSPs are established first and are afforded optimal paths.
LSP setup and hold priorities range in value from 0 (the strongest) to 7 (the weakest). The default
settings disable preemption by assigning all LSPs the weakest setup priority (7) and the strongest hold
priority (0). Note that you cannot commit a configuration in which an LSP's hold priority is less (weaker)
than its setup priority because such a configuration can lead to preemption churn. Before the sample
LSP shown on the slide can cause preemption, the default hold priority (0) must be set to a value of 5 or
higher on existing LSPs. Modified LSP priority values are displayed in the output of a show mpls lsp
extensive command.
Continued on next page.

Chapter 5-18 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

Using Soft Preemption

In normal operation, a preempted LSP is torn down before a new path is located. During this process,
traffic associated with the preempted LSP can be lost. To avoid traffic loss the Junos OS can specify
soft preemption behavior on a per-LSP basis. When configured, the ingress LSR sets the soft
preemption desired flag in the record route object (RRO) sub-object of the path message to signal
the desire for soft preemption behavior in downstream nodes. This feature is backwards compatible
in that LSP establishment succeeds even if one or more nodes does not support this sub-object. To
enable soft preemption, add the soft-preemption keyword at the [edit protocols mpls
label-switched-path lsp-name] hierarchy. The output of a show rsvp session
detail command displays whether soft preemption is requested for a given LSP.

www.juniper.net

Traffic Protection and LSP Optimization Chapter 5-19

Junos MPLS and VPNs

user@Rl> show mpls lsp extensive

Ingress LSP: 2 sessions

192.168.2.2
From: 192.168.2.1,
Acti vePath: two

State: Up, ActiveRoute:

(secondary)

0, LSPname: green

LsPtype: static configured

LoadBalance: Random

Encoding type:
Primary

Packet, switching type: Packet, GPID: IPv4

one

State: Dn

Prio rities: 6 6

Bandwidth: 1000Nbps
smartOptimizeTimer: 180
computed ERa (S [L] denotes strict [loose] hops):

(CSPF metric: 5)

172.22.220.2 S 172.22.202.2 S 172.22.203.2 S 172.22.204.2 S 172.22.223.1 S

88 Sep 14 20:36:39.273 Requested bandwidth unavailable

84 Sep 14 20:36:39.183 172.22.220.1: Down

83 Sep 14 20:32:18.968 Record Route:
172.22.204.2 172.22.223.1

172.22.220.2 172.22.202.2 172.22.203.2

82 Sap 14 20:32:18.968 Up
81 Sep 14 20:32:18.954 Originate Call

Monitoring Preemption
This slide shows that at 20:36:39, the green LSP's primary path, path one, was preempted and the
secondary path, path two, became active. This scenario uses equal setup and hold values for each LSP,
with the priority values set to 6 for the green LSP. In this example, another LSP with a higher priority 0
has caused the preemption of the green LSP's primary path, path one, which in turn results in the
establishment of a secondary path, path two. The green LSP's secondary path is configured with a
lower bandwidth requirement to allow it to establish in the event the primary path is preempted. There is
no reference to the LSP with 0 0 priority in the screen captures because this is a priori knowledge. The
truncated capture below continues the output shown on the slide. The output confirms that the
secondary path, path two, became active at the same time the primary path was preempted:

*Secondary two
State: up
Priorities: 7 0
SmartOptimizeTimer: 180
Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 4)
172.22.221.2 S 172.22.203.2 S 172.22.204.2 S 172.22.223.1 S
Received RRO (protectionFlag l=Available 2=InUse 4=B!W 8=Node 10=SoftPreempt 20=Node-ID):
172.22.221.2 172.22.203.2 172.22.204.2 172.22.223.1
83 Sep 14 20:36:39.286 Selected as active path
82 Sep 14 20:36:39.284 Record Route:
172.22.221.2 172.22.203.2 172.22.223.1
81 Sep 14 20:36:39.284 Up

Chapter 5-20 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

_L9"E,Gr,~~nwl.o J;Jj!NI~P Qm
IS-IS Metrio 20

LSP Blue 10 Mbps 7 7

label-5witched-path Red
to 192.168.24.1;
priority 6 6;
bandwidth 10M;

III

Given that all links with existing LSPs have less than 10 M
available, which LSPs can be preempted by LSP Red?

Test Understanding
You can assume in this example that all links with existing LSPs have less than 10 M available.
Therefore, the only way to establish LSP Red is for it to preempt one of the existing LSPs. Can you
determine which LSP will be preempted by LSP Red?
The setup priority for Red is 6 (the first number). The hold priority (the second number) for LSPs Green
and Purple are both less than 6, which gives these LSPs a stronger hold priority that will prevent their
preemption. In contrast, LSP Bl ue has a hold a priority of 7, which is weaker that LSP Red's setup
priority. Thus, LSP Red can on Iy preempt LSP Bl ue. Note the IS-IS metric has no effect on LSP
preemption.
Question: What if LSP Red had priority [3 7J?
Answer: This is a trick question because such a priority setting is not allowed. Recall that an LSP
cannot have a setup priority that is stronger than its hold setting.

www.juniper.net

Traffic Protection and LSP Optimization Chapter 5-21

Junos MPLS and VPNs

~ Fast Reroute

Fast Reroute
The slide highlights the topic we discuss next.

Chapter 5-22 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

III

Ask yourself these questions:

Is there a way to get quicker failover in the event of primary
LSP failure?
How can I reduce packet loss when I lose my primary LSP?

Question for Yourself

Fast reroute is a feature that can dramatically reduce packet loss in the event of a primary path failure.
If you ever find yourself asking the types of questions posed on the slide, the answer you seek might
very well be fast reroute!
When you define a secondary physical path in the standby state, the router presignals an alternate
physical path for the LSP. However, traffic transiting the network is still lost while the network
forwards information about failed links (and the failed primary path) to the ingress router. When the
ingress router learns that a link is down, it begins using the alternate path immediately, but during
this time traffic that is in transit or still being presented to the primary path is lost. Fast reroute
provides a way for intermediate LSRs to immediately start forwarding traffic over an alternate route
while simultaneously alerting the ingress LSR to the presence of downstream link or node failures.

www.juniper.net

Traffic Protection and LSP Optimization Chapter 5-23

lunos MPLS and VPNs

III

Short-term solution to reduce packet loss

.. Implements the one-to-one backup method defined in
RFC4090
.. When node or link fails, upstream node:
Immediately detours

Signals failure to ingress LSR

Fast Reroute Reduces Packet Loss

You configure fast reroute to minimize the effects of a LSP failure. Fast reroute enables a router
upstream of the failure to quickly route around the failure while the primary path is torn down and
resignaled. The router that detects the primary path failure signals the outage to the ingress router. Fast
reroute serves as an interim connectivity mechanism during the establishment of a new primary path.
Once the new primary path is signaled, the fast reroute detours associated with the original paths are
torn down; fast reroute is a short-term solution.
When fast reroute is enabled, the ingress router adds an object to the RSVP Path messages requesting
that downstream routers establish reroute detours. These downstream routers then originate detour
Path messages to detour the LSP around that LSR's downstream link and node.
When an active physical path fails and a detour is available, the upstream router sends a Path Err
message to the ingress router. This message triggers new CSPF computations and a switchover to an
alternate path if available. If a fast reroute detour is not available, the downstream node sends a
ResvTear message and begins withdrawing the MPLS labels, which brings down the LSP. A fast
reroute path might stay up indefinitely if an alternative primary path is not found.

Chapter 5-24 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

III

Only ingress LSR knows all TE constraints

Ingress router computes alternate route based on
configured secondary paths; tries to reestablish primary
Initiates long-term reroute solution
By default, reroute detours inherit administrative groups
only-detours do not honor bandwidth, EROs, and so on

III

General characteristics:
Configured on ingress router only
Detours around node or link failure

~~ 100s of

ms reroute time after failure detected

Detour paths immediately available

Uses TED to calculate detours
Does not require a CSPF LSP on ingress node

Only Ingress Knows All Traffic Engineering Constraints

By default, the fast reroute path only inherits the administrative group settings from the original LSP. It is
therefore possible for a fast reroute detour to have substantially less bandwidth than was specified in
the original LSP. As soon as the ingress node resignals the LSP, the fast reroute path is torn down. Note
that the newly signaled LSP will have the correct traffic parameters, including bandwidth constraints.
This behavior tends to classify fast reroute detours as temporary. You can configure the following fast
reroute parameters if wanted: bandwidth, hop limit, include, and exclude administrative groups. You can
also disable the inheritance of include and exclude administrative groups (because fast reroute detours
inherit administrative groups by default).
Continued on next page.

www.juniper.net

Traffic Protection and LSP Optimization Chapter 5-25

lunos MPLS and VPNs

General Characteristics
By default, the router uses the traffic engineering database (TED) to calculate a detour path. These
detours can add up to an additional six hops to the LSP path in an attempt to bypass the downstream
node. Use the hop-count parameter to change the default number of hops the router will support
when calculating a detour.
When a router with a fast reroute detour available recognizes a link or node failure, it immediately
begins to detour the traffic. The Packet Forwarding Engine (PFE) maintains precomputed fast reroute
detours to provide convergence times that, in some cases, rival SONET Automatic Protection Switching
(APS)!
Each downstream node originates its own detour path messages. It is possible that a given node will not
be able to establish a detour path. The result is that some portions of the LSP might have fast reroute
protection while other portions do not. An LSP will never be torn down just because fast reroute detours
cannot be established.
You configure fast reroute at the label-switched-path lap-name hierarchy, which causes all
primary and secondary physical paths to signal fast reroute.

Chapter 5-26 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

LSP from San Francisco to New York through LA!

Austin! and Miami
II Enable fast reroute on ingress

III

LA creates detour to NY
r
NY

rto NY

San

LSP from San Francisco to New York

In this fast reroute example we begin with San Francisco acting as the ingress node for a LSP that
terminates at New York. The routing of this LSP is via Los Angeles, Austin, and Miami, as shown on the
slide.
Continued on next page.

www.juniper.net

Traffic Protection and LSP Optimization Chapter 5-27

Junos MPLS and VPNs

Enable Fast Reroute on Ingress

The configuration of the to-NY LSP is shown here. Note that the fast - reroute keyword is present in
this example. As a result, San Francisco determines the next downstream node is Los Angeles, with a
follow-on node of Austin. Node San Francisco therefore calculates and signals a fast reroute path
around Los Angeles to New York. Los Angeles likewise calculates and signals a path around Austin to
New York. Austin calculates and signals a route around Miami to New York. If any link or node fails, the
fast reroute path recognizes the failed LSP quickly and immediately begins sending traffic on the fast
reroute path.
mpls {
label-switched-path to-NY
to 192.168.2.2;
primary use-austin;
secondary use-seattle;
fast-reroute;
path use-austin
192.168.1.2 loose;

}
path use-seattle {
192.168.8.1 loose;

Chapter 5-28 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

III

Los Angeles to Austin link fails

Los Angeles immediately detours around Austin
Los Angeles signals back to San Francisco that failure
occurred (Path Err)

II

San Francisco begins using secondary path through

Seattle
Fargo

Miami

Los Angeles Detects Failure

In the example on the slide, the link between Los Angeles and Austin failed. Los Angeles recognizes the
failure (possibly within milliseconds), and immediately begins to forward the traffic along the fast reroute
path to node Phoenix. It also sends a Path Err message to San Francisco so that San Francisco can
resignal the LSP.

The Final Solution

Once notified of the primary path failure, node San Francisco signals the secondary path through
Seattle to New York. Traffic is then switched from the primary path, which is stili using a fast reroute
detour, and the remnants of the primary path are torn down. At this point, node San Francisco tries to
resignal a new primary path.

www.juniper.net

Traffic Protection and LSP Optimization Chapter 5-29

Junos MPLS and VPNs

l1li

Add the fast-reroute keyword to LSP definition

Applies to all primary and secondary paths
[edit protocols mpls]
user@Rl# show
label-switched-path test
to 192.168.2.2;

bandwidth 1m;

path top
172.22.220.2 strict;
path bottom {
172.22.221.2 strict;

secondary bottom
standby;

Configure Fast Reroute

You configure fast reroute by including the fast-reroute keyword atthe label-switched-path
lsp-name hierarchy. This setting applies to all defined primary and secondary paths.
By default, fast reroute has a limit of six hops out of the way to get to the next downstream path. You
can configure a larger or smaller number with the hop-count parameter.

Chapter 5-30 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

useL@Rl> show mpls Isp extensive

1 sessions

J;;;..;.~;';;;';;';;"''';;;';''';;;';';'';

192 .168.2 .2
FLom: 192.168.2.1, state: up, ActiveRoute: 0, LSPname: test
ActivePath: top (pLimaLY)

LoadBalance: Random
Encoding type: Packet, switching type: Packet, GPID: IPv4
*PLimaLY
top
state: up
pdoLities: 7 0
Bandwidth: 1000kbps
SmaLtoptimizeTimeL: 180
Computed ERO (S [L] denotes stLict [loose] hops): (CSPF metric: 4)
172.22.220.2 S 172.22.201.2 S 172.22.206.2 S 172.22.222.1 S
Received RRO (ProtectionFlag 1=l\.vailable 2=InUse 4=B/W 8=Node ... ):
172.22.220.2 (flag=9) 172.22.201. 2 (flag=9) 172.22.206.2 (flag=1) 172.22.222.1

Monitor Fast Reroute: Ingress

The output from the show mpls lsp extensive command indicates that fast reroute was
requested. You can also see an indication that the fast reroute path is up-along with a timestampwithin the active path's history.

www.juniper.net

Traffic Protection and LSP Optimization Chapter 5-31

Junos MPLS and VPNs

user@Pl> show mpls lsp extensive

Transit LSP: 4 sessions, 1 detours
192 .168.2.2
From: 192.168.2.1, LSPstate: Up, ActiveRoute: 1
LSPname: test, LSPpath: Primary
Suggested label received: -, Suggested label sent: -

Explct route: 172.22.201.2 172.22.206.2 172.22.222.1

Record route: 172.22.220.1 <self> 172.22.201.2 172.22.206.2 172.22.222.1
Detour is up
Detour Tspec: rate Obps size Obps peak Infbps m 20 M 1500
Detour adspec: received MTU 1500 sent MTU 1500
Path MTU: received 1500
Detour PATH sentto: 172.22.202.2 (ge-1/0/4.202) 17 pkts
Detour RESV rcvfrom: 172.22.202.2 (ge-l/0/4.202) 14 pkts
Detour Explct route: 172.22.202.2 172.22.203.2 172.22.204.2 172.22.223.1

Confirm Fast Reroute-Transit LSR

A previous slide already showed that fast reroute is enabled for the LSP and that the detour is available
at the ingress node. The output on this slide shows the transit section from show mpls lsp
extensi ve for a downstream router that was able to compute a fast reroute detour.
This output shows that a detour branch, used to skip a downstream neighbor is active.

Chapter 5-32 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

III

By default, Junos OS only places the active LSP's

next hop in the forwarding table
II

At the time of failure, the detour next hop will need to

be placed in forwarding table which can add down time

user@R1> show route forwarding-table

Routing table: default.inet
Internet:
Type RtRef Next hop
Destination
perm
0
default
perm
0
0.0.0.0/32

Type Index NhRef Netif

rjct

36

dscd

34

1
1

192.168.2.0/24 user

Only Active LSP's Next Hop Is in the Forwarding Table

Even though there is an active fast reroute detour available for an LSP, a router will not install the
detour LSP's next hop in the forwarding table until there is a failure, by default. The output in the
slide shows the single next hop in the forwarding table. When a link failure occurs on ge-l/0/0.220
(on the path of the active and protected LSP) it will take some small time for the routing engine to
install the detour next hop in the PFE's forwarding table.

www.juniper.net

Traffic Protection and LSP Optimization Chapter 5-33

Junos MPLS and VPNs

III

To minimize downtime (packet drops) apply a load balancing

policy to the forwarding table to place the detour next hop in
the forwardin table rior to the occurrence of a failure
[edit]
user@R1# show policy-options
policy-statement load-balance
term 10 {
then {
load-balance per-packet;
[edit]
user@Rl# show routing-options forwarding-table
export load-balance;
user@R1> show route forwarding-table
Routing table: default.inet
Internet:
Destination
Type RtRef Next hop
default
perm
0
192.168.2.0/24 user
0

Type Index NhRef Netif

rjct
36
1
indr 1048575
2

r------------pu-s-h--3-00-8-1-6---6-2-4--1----------~

Push 300240

625

Minimize Packet Drops

To override the default behavior of the forwarding table, you can configure a load balancing policy to
the forwarding table which will place the fast reroute detour next hop in the PFE's forwarding table
prior the occurrence of a failure on the active and protected LSP. The output on the slide above
shows that after applying the load balancing policy to the forwarding table, two next hops are
available for use by the router's PFE.

Chapter 5-34 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

~ Bypass LS Ps

Bypass LSPs
The slide highlights the topic we discuss next.

www.juniper.net

Traffic Protection and LSP Optimization Chapter 5-35

Junos MPLS and VPNs

III

Protects interfaces instead of entire LSP path

.. Implements the facility backup method defined in RFC 4090
.. LSPs must be flagged to make use of a bypass LSP
.. Bypass LSP established around protected interface to
adjacent node
Uses CSPF to calculate bypass LSP
Can add ERO to influence CSPF routing of bypass LSP
Egress LSR

PrimaryLSP
Bypass LSP
(Link Protection)

Protects Interfaces
Link protection is the Junos OS nomenclature for the facility backup feature defined in RFC 4090. The
link protection feature is interface based, rather than LSP based. The slide shows how the R2 node is
protecting its interface and link to R3 through a bypass LSP that is calculated using CSPF and the node's
TED.
While fast reroute attempts to protect the entire path of a given LSP, you can apply link protection on
a per-interface basis as needed. LSPs must be tagged for them to make use of a bypass LSP, and
you can provide an ERO list to influence the CSPF-based routing of the bypass LSP. Note that a
bypass LSP must terminate on the adjacent downstream node, but the bypass LSP can transit other
nodes as shown on the slide.

Chapter 5-36 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

III

Protects against failure of downstream node

.. Uses similar mechanisms to link protection
Relies on RSVP hello timers to determine node failure
LSPs must be flagged to make use of a bypass LSP
.. One bypass LSP established around downstream node

Egress LSR

Site2 '

Node Protection
Node protection is the Junos OS nomenclature for the facility backup feature defined in RFC 4090. Node
protection uses the same messaging as link protection. The slide shows that R2 is protecting against the
complete failure of R3 through a bypass LSP that is calculated using CSPF.
LSPs must be tagged for node-link protection to make use of the bypass LSPs, and you can provide
an ERO list to influence the CSPF-based routing of the bypass LSP.

www.juniper.net

Traffic Protection and LSP Optimization Chapter 5-37

Junos MPLS and VPNs

III

By default, a single bypass LSP is automatically

created to provide link protection
.. You may also specify a number of bypass LSPs are
automatically created (using max-bypasses statement)
You may also manually configure individual bypass LSPs
.. The router will use the following algorithm to determine
which bypass LSP to use for a new protected LSP
Use any currently active bypass LSP that satisfies bandwidth. link
protection. and node-link protection of original LSP will be used
If no active bypass LSP is available then scan through manual
bypass LSPs in order of configuration for a bypass LSP that can
satisfy req uirements
Automatically create a new bypass LSP (if max-bypasses> 0)

Single Bypass LSPs Are Automatically Created for Protection

When an LSP is configured for link protection it will signal to downstream routers that it requires that
protection in the Path message. If the LSP will traverse a downstream link that is also configured for
link-protection (under [edit protocols rsvp interface interface-name]) the
attached upstream router to the protected link will automatically create a bypass LSP. You may also
specify that the router can automatically create more than one bypass LSP. Finally, you can also
manually configure a number of bypass LSPs. The slide shows the algorithm that is used to
determine which bypass LSP will be used to protect a new LSP that is signaling that link protection is
necessary.

Chapter 5-38 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

III

Configure each protected interface under the [edit

protocol rsvp] hierarchy
Minimal ConfigIJration

Bypass LSP Options

[edit PLotocols LSVP inteLface interface-name]
link-pLotection {
exclude g2'oup-names;
include-all group-names;
include-any group-names;
bandwidth bps;
bypass bypass-name {
bandwidth bps;
Manual
Bypass
path addLess <strict I loose>;
LSPs
}
to addxess;

Allows for RSVP to accept requests for

link and node protection for an
interface

[edit protocols rsvp]

user@pl# show
interface all;
interface ge-l/O/4.201
link-protection;

max-bypasses number; ....----_AutomaticBypassLSPs

path addLe5s <strict
loose>;
(Default= 1)

Configuring Bypass LSP

Bypass LSPs are configured atthe [edit protocols rsvp interface interface-name]
level of the hierarchy. You can specify manual bypass LSP to be used for protection by specifying a
bypass LSP by name along with its associate parameters. Also, to give the router the ability to
automatically create more the one bypass LSP (the default value) simply use the max-bypasses
statement using a value greater than 1.
The slide also shows the minimum configuration for a router to support both link or node-link
protection on a particular interface.

www.juniper.net

Traffic Protection and LSP Optimization Chapter 5-39

Junos MPLS and VPNs

l1li

Link protection configuration

Configure each protected interface under the
[edi t protocol rsvp J hierarchy
Tag LSPs allowed to use bypass LSP

[edit protocolB rBvp]

[edit protocolB mplB]

uBer@p1# show
interface ge-O/O/O.O;

uBer@Bf# show
label-Bwitched-path to-NY
to 192.168.2.2;

interface ge-O/O/1.0;
interface ge-O/O/3.0;
'nterface ge-1/0/4.201

4 - - - - 0r node-link-protection

~--~--------~

primary uBe-auBtin;

link-protection;
path uBe-auBtin
192.168.1.2 looBe;
interface all;

Link Protection Configuration

You configure the interfaces to be protected under the [edi t protocol s rsvp 1 hierarchy as shown
on the left of the slide, This configuration allows for but does not cause a bypass LSP to be signaled.
Instead, it is a request in the form of a Path message for an LSP requesting protection that causes a
bypass LSP to be create. A bypass LSP will only then be created if the node (pI, in this case) has the TED
entries that are needed to compute the bypass LSP's route,
Note that the mere presence of a bypass LSP does not, in itself, provide protection to the LSPs that
might happen to egress the protected interface. You must add the link-protection keyword to
the ingress node's LSP definitions for all LSPs that are expected to benefit from the existence of
bypass LSPs.

Chapter 5-40 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

uset:'@P1> show rsvp interface extensive

RSVP intet:'face: 6 active
ge-1/0/4.201 Index 160, state Ena/up
NOAuthentication, NoAgg t:'e gate , NoReliable, 17r;:::;;;;;::-;::;:-;::;T::~
HelloIntet:'val 9 (second)
Addt:'ess 172.22.201.1
ActiveResv 2, Pt:'eemptioncnt 0, Update tht:'eshold 10%
Subsct:'iption 100%,
Pt:'otection: On, Bypass: 1, LSP: 1, Pt:'otected LSP: 1, Unpt:'otected LSP: 0
3 Sep 14 22:37:28 Delete bypass Bypa55->172.22.201.2, inactivity timeout
2 Sep 14 22:35:11 New bypass Bypass->172.22.201.2->172.22.206.2
1 sep 14 22:30:43 New bypass Bypass->172.22.201.2
Bypa5s: Bypass->172.22.201.2->172.22.206.2, state: up, Type: NP, LSP: 1, ...
3 sep 14 22:35:12 Recot:'d Route: 172.22.202.2 172.22.203.2 172.22.204.2 ...
2 Sep 14 22:35:12 Up
1 Sep 14 22:35:12 CSPF: computation t:'esult accepted

Monitoring Link and Node Protection

This slide shows how the output of a show rsvp interface extensive command indicates
the presence of a bypass LSP at the transit node. Note that link protection is an RSVP feature, and as
a result. the resulting bypass LSPs are not listed in the output of show mpls lsp commands.

www.juniper.net

Traffic Protection and LSP Optimization Chapter 5-41

Junos MPLS and VPNs

-7 LSP Optimization

LSP Optimization
The slide highlights the topic we discuss next.

Chapter 5-42 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

III

Optimization allows LSP rerouting through CSPF

recomputations
When disabled, the LSP's path is fixed until a topology
change (or manual clearing) forces a recomputation of the
path

l1li

Optimization is disabled by default

Enable with:
[edit protocols mpls label-switched-path lsp-name]
user@pl# set optimize-timer seconds (0 ... 65535)

Optimization can also be manually initiated

LSP Rerouting
Once an LSP is established, changes in topology or available resources might result in the existing path
becoming suboptimal. A subsequent CSPF recomputation might result in the determination that a better
path is now available. When optimization is enabled, LSPs can be rerouted as a result of periodic CSPF
recomputations. Without optimization the LSP has a fixed path and cannot take advantage of newly
available network resources, at least until the next topology change or operator induced clearing breaks
the LSP and forces recomputation of a new path. Note that optimization is not related to failover; a new
path is always computed when topology failures occur that disrupt an established path.

Enable Optimization
Because of the potential system overhead involved, you should carefully consider the frequency at
which routers perform optimization runs. By default, the optimize-timer is set to 0 (that is, it is
disabled). LSP optimization is only meaningful for CSPF LSPs. Due to statistical characteristics that arise
in large topologies, a network can effectively synchronize and end up trying to recalculate all LSPs at the
same time when all reoptimization timers are set the same. To prevent this behavior, the LSP
reoptimization timer is modified to include a randomization factor when recalculating LSPs. The
randomization factor is fixed and cannot be modified.
Note that you can manually trigger optimization with the operational mode clear mpls lsp
optimize command.

www.juniper.net

Traffic Protection and LSP Optimization Chapter 5-43

Junos MPLS and VPNs

II

Optimize if new path can be found that meets all of

the following conditions:
1. CSPF metric is not higher (metric is <==)
2. If CSPF metric is equal, path must have fewer hops
3. New path does not cause preemption
4. Does not worsen congestion overall-compare available
bandwidth on each link from new and old paths, starting
with most congested links first
5. Reduces congestion by 10% (implies previous rule)
Compares aggregate available bandwidth of new and old path (for
least fill only)

.. Intentionally conservative rules: Use with care

.. Optimize aggressive (optional): Limits reoptimization to IGP
metric only; tends to reroute more often

Optimization Rules
By default, an LSP can only have its path optimized when all of the following criteria are met. These rules
are intentionally conservative as stability is better than being optimal in many cases:
1.

The new path is not higher in CSPF metric. (The metric for the old path is updated during
computation, so if a recent link metric changed somewhere along the old path, it is
accounted for.)

2.

If the new path has the same CSPF metric, it must not have more hops.

3.

The new path does not cause preemption. (This is to reduce the ripple effect of one
preemption causing yet more preemption.)

4.

The new path does not worsen congestion overall. This is determined by comparing the
percentage of available bandwidth on each link traversed by the new and old paths,
starting from the most congested links.

When all the above conditions are met. then if the new path has a lower CSPF metriC, it is accepted. If
the new path has an equal CSPF metric and lower hop count, it is accepted. If you choose least fill as a
load-balancing algorithm and if the new path reduces congestion by at least 10 percent aggregated over
all links it traversed, it is accepted. For random or most-fill algorithms, this rule does not apply.
Otherwise, the new path is rejected.
Continued on next page.

Chapter 5-44 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

Optimization Rules (contd.)

Here is a sample calculation to help explain how links are compared. You compare the percentage of
available bandwidth on each link traversed by the new and old paths, starting from the most congested
links. Assume that Path 1 (active) has four hops with availability: hop 1: 10%; hop 2: 15%; hop 3: 25%;
hop 4:15%. The new candidate path has a lower IGP metric, will not cause preemption, and is three
hops away with availability as follows if the new LSP was implemented, and the old LSP removed:
hop 1: 10%; hop 2: 50%; hop 3: 15%. The active path will be sorted as 10, 15, 15,25. The candidate
path will be sorted as 10, 15, 50, 100. The two paths will be compared, on an item by item basis.
100>25,50>15, 15=15 10=10. The candidate path does not worsen congestion. Every single link in
the candidate path must have available bandwidth >= those in the active. For example, all four
candidate links were >= available bandwidth of the original path (do not forget that a pseudo
100 availability was used for the final link).
What if only three out of four links had better availability? In this case, the congestion is considered
worsened so the reoptimization is not accepted.
To force the reoptimization to be based upon IGP metric only, enable the optimize-aggressive
keyword. This setting negates the tests outlined in Steps 2, 3, and 4 on the previous page. You can
manually trigger aggressive optimization with a clear mpls optimize-aggressive
command. The LSP must still comply with the original CSPF constraints when optimized aggressively,
but no attention is paid to available bandwidth ratios, as explained in the sample calculation above,
so you will tend to see more LSP rerouting when operating in aggressive mode.

www.juniper.net

Traffic Protection and LSP Optimization Chapter 5-45

Junos MPLS and VPNs

II

Adaptive mode provides make-before-break capability

.. Establish new path (same session ID, different sender
template) with SE-style reservation
.. Transfer traffic to new path
.. Tear down old path
.. Primarily useful when rerouting an LSP
.. Avoids double-counting resources on shared links
When configured as a primary/secondary path option,
adaptive does not prevent double bandwidth counting
for tllat primary/secondary pair
When configured at the LSP level. adaptive prevents double
counting of resources for tllat primary/secondary pair

l1li

Configuration example: LSP level application

[edit protocols mpls label-switched-path lsp-name]
user@host# set adaptive

Adaptive Provides Make Before Break

You can configure an LSP to use a shared explicit (SE) style reservation by setting it to be adaptive. While
any LSP can be established with an SE-style reservation, this capability is most useful when attempting
to reroute an LSP. When an LSP is adaptive, it holds onto existing resources until the new path is
successfully established and traffic is cut over to the new path. To retain its resources, an adaptive LSP
does the following: 1) Maintains existing paths and allocated bandwidths (which ensures that the
existing path is not torn down prematurely and allows the current traffic to continue flowing while the
new path is being set up), and 2) Avoids double-counting for links that share the new and old paths.
Double-counting occurs when an intermediate router does not recognize that the new and old paths
belong to the same LSP and counts them as two separate LSPs, requiring separate bandwidth
allocations. If some links are close to saturation, double-counting might cause the setup of the new path
to fail. By default, adaptive behavior is disabled.
Continued on next page.

Chapter 5-46 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

Configuration
To define an adaptive LSP, include the adaptive statement when defining the LSP, as shown on the
slide. When adaptive is specified at the label-switched-path lsp-name hierarchy and
sufficient resources exist to establish both LSPs, the primary and all secondary paths share the same
bandwidth reservation (the higher of all bandwidths defined). When adaptive is included at the
primary or secondary hierarchy level, the SE-style reservation behavior is enabled only for the path
(primary or secondary) that is so configured. When specified at the primary and secondary level, the
corresponding primary and secondary paths are considered as separate adaptive settings, and
therefore, their resources are double-counted.

www.juniper.net

Traffic Protection and LSP Optimization Chapter 5-47

Junos MPLS and VPNs

Egress
LSR

FF Reservation Style: (default)

Each session/sender has its own identity
Each session has its own bandwidth
reservation

SE Reservation Style: (adaptive)

Each session/sender has its own identity
Sessions share a single bandwidth
reservation

RSVP Reservation Styles

Fixed filter (FF): The FF-style reservation is commonly used for applications where traffic from each
sender is likely to be concurrent and independent Each of the individual senders is identified by an IP
address and an internal identification number-an LSP ID.

When used with MPLS, the FF style allows the establishment of multiple, parallel, unicast, point-to-point
LSPs to support load balancing. If the LSPs share a common link, the total amount of reserved
bandwidth for the shared link is the sum of the reservations for the individual senders. By default,
Junos OS uses the FF style.
Shared Explicit (SE): SE reservations share the bandwidth of the largest request across any shared
links. The SE-style reservation is critical for supporting the ability to reroute an LSP with the
make-before-break capability because on shared links, if reservations are counted twice, the router's
admission control function could reject the new LSP due to a lack of resources. The SE reservation style
permits the old and new LSPs to share resources over shared links. You can configure SE-style
reservations with the adaptive keyword under the LSP or primary/secondary path configuration
hierarchy.
Continued on next page.

Chapter 5-48 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

RSVP Reservation Styles (contd.)

It is extremely important that the flow of subscriber traffic is not disrupted when an LSP is rerouted. A
smooth transition requires support for a concept called make before break-the new LSP tunnel must
be established and the traffic transferred to it before the old LSP tunnel is torn down. One of the
benefits of RSVP signaling is that the legacy SE reservation style provides an elegant solution to this
challenging problem.

Establishing the Initial LSP Tunnel: In the initial Path message, the ingress LSR:
1.

Forms a LSP3UNNEUPv4 SESSION object that uniquely identifies the LSP tunnel. The
LSP_TUNNEUPv4 SESSION object contains: a) IP version 4 (IPv4) address of the egress
node for the LSP tunnel, b) TunneUD that remains constant for the life of the LSP tunnel
between the ingress and egress LSRs, and c) the Extended_TunneUD that identifies the
ingress node of the tunnel (that is, the ingress router's IPv4 address).

2.

Sets the ingress node might reroute bit of the SESSION_ATIRI BUTE object to request that
the egress LSR use the SE reservation style.

3.

Forms a SENDER_TEMPLATE object that contains: a) The IPv4 address of the sender
(ingress) node, and b) an LSP_ID that can be changed in the future to allow the ingress LSR
to appear as a different sender so it can share resources with itself if the LSP needs to be
rerouted (see the LSP_ID field of the LSP_TUNNEL_IPv4 C-type extension for the
SENDER3EMPLATE and FILTER_SPEC objects).

4.

Upon receipt of the Path message, the egress LSR sends a Resv message with a SE
reservation style toward the ingress node. When the ingress LSR receives the Resv
message, the initial LSP tunnel is established with an SE reservation style.

Establishing the Rerouted LSP Tunnel: When the ingress LSR wants to increase the bandwidth or
change tile path for an existing LSP, it transmits a new Path message. During the reroute operation, the
ingress LSR must appear as two different senders to the RSVP session. This is achieved by including a
new LSPJD in the SENDER_TEMPLATE and the FILTER_SPEC objects. In the new Path message, the
ingress LSR:
1.

Creates an EXPLICIT_ROUTE (ERO) object for the new LSP tunnel.

2.

Uses the existing LSP_TUNNEUPv4 SESSION object to identify the LSP that will be
rerouted.

3.

Picks a new LSP_ID and creates a new SENDER_TEMPLATE. By selecting a new LSP_ID for
the SENDER_TEMPLATE, the ingress LSR appears as a different sender to tile RSVP
session.

4.

The ingress LSR transmits the new Path message toward the egress LSR. (However, the
ingress LSR continues to use the old LSP tunnel to forward traffic and continues to refresh
the original Path message.)

5.

The egress LSR responds to the receipt of the new Path message with a Resv message that
contains a number of RSVP objects, including: a) A LABEL object to support the upstream
on demand label distribution process, and b) an SE reservation style object.

Continued on next page.

www.juniper.net

Traffic Protection and LSP Optimization Chapter 5-49

Junos MPLS and VPNs

RSVP Reservation Styles (contd.)

On links not shared by the old and new LSP tunnels, the new Path/Resv message pair is treated as a
new conventional LSP setup, However, on links that are traversed by both the old and the new LSP
tunnels, the LSP_TUNNEL_IPv4 SESSION object and SE reservation style allow the new LSP tunnel to
be established so that it shares resources with the old LSP tunnel. This eliminates the double
counting problem on shared links, After the ingress LSR receives the Resv message for the new LSP,
it can begin using the new LSP tunnel to forward traffic, The ingress LSR should send a PathTear
message for the old LSP tunnel to remove its state from intermediate LSRs,

Chapter 5-50 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

II

Will the secondary physical path Green be in an up

state or a down state?
Primary PliYsical Patti

[edit protocols mpls]

lab@HongKong# show label-switched-path to-AM
to 192.168.24.1;
bandwidth 85m;
no-cspf;
primary Blue {
adaptive;

secondary Green
standby;
adaptive;

Check Your Knowledge: Adaptive

In the example on the slide, the secondary physical path Green will be in a down state. Although the
adapti ve keyword indicates resources should not be double-counted, this behavior only applies to
LSPs that are considered to belong to a common session.
Because the adapti ve keyword was specified at both the primary and secondary levels, the
result is two independent sessions that both signal an SE-style reservation. The fact that the two
sessions are seen as being independent means that, despite the SE-style reservations, the bandwidth
requirements for the primary and secondary paths will be double-counted. In this specific topology
shown on the slide, this causes the secondary path to fail. Note that application of the adaptive
keyword at the LSP level, as shown here, allows the establishment of both primary and secondary paths
with a single session ID that does not incur double bandwidth counting.

[edit protocols mpls]

user@HongKong# show label-switched-path to-AM
to 192.168.24.1,
bandwidth 85m;
no-cspf;
adaptive;
primary Blue;
secondary Green
standby;
adaptive;
www.juniper.net

Traffic Protection and LSP Optimization Chapter 5-51

Junos MPLS and VPNs

III

In this chapter, we:

Described the default traffic protection behavior of RSVPsignaled LSPs
Described primary and secondary LSPs
Explained how LSP priority and preemption operate
Explained the configuration and operation of fast reroute
., Described the configuration and operation of link and node
protection
Described LSP optimization options

This Chapter Discussed:

The default traffic protection behavior of RSVP-signaled LSPs;
The use of primary and secondary LSPs;
LSP priority and preemption;
Operation and configuration of fast reroute;
Operation and configuration of link and node protection; and
LSP optimization options.

Chapter 5-52 Traffic Protection and LSP Optimization

www.juniper.net

Junos MPLS and VPNs

1. Describe the traffic protection behavior of an LSP

configured for a primary and secondary path
2. Describe the difference between fast reroute and
link protection
3. Describe the difference between normal and
aggressive LSP optimization

Review Questions
1.

2.

3.

www.juniper.net

Traffic Protection and LSP Optimization Chapter 5-53

Junos MPLS and VPNs

III

Configure primary and secondary LSP paths.

III

Configure fast reroute and load balancing.

III

Configure link and node-link protection.

Lab 4: Traffic Protection

The slide provides the objectives for this lab.

Chapter 5-54 Traffic Protection and LSP Optimization

www.juniper.net

Junt~v~[
Junos MPLS and VPNs
Chapter 6: Miscellaneous MIPLS Features

Junos MPLS and VPNs

III

After successfully completing this chapter! you will be

able to:
.. Identify the purpose of several miscellaneous MPLS
features
.. Choose features that meet given design requirements

This Chapter Discusses:

The purpose of several miscellaneous MPLS features; and
The features that will meet given design requirements.

Chapter 6-2 Miscellaneous MPLS Features

www.juniper.net

Junos MPLS and VPNs

-7 Routing Table Integration

III

Forwarding Adjacencies

III

Policy Control over LSP Selection

fill

LSP Metrics

fill

Automatic Bandwidth

fill

TTL Handling

fill

Explicit Null Configuration

fill

MPLS Pings

Routing Table Integration

The slide lists the topics we cover in this chapter. We discuss the highlighted topic first.

www.juniper.net

Miscellaneous MPLS Features Chapter 6-3

Junos MPLS and VPNs

III

By default only the /32 prefix associated with the LSP

endpoint is added to the inet . 3 routing table
- Add additional prefixes to inet. 3, by using the install
keyword when defining the LSP
-Include the active keyword to allow the route to be
installed in inet. 0 routing table
Installingthe route in inet. 0 allows the IGP to usethe LSP for
forwarding

Default Routing Table Behavior

By default only the /32 prefix associated with the egress point of the label-switched path (LSP) is
installed in the inet.3 routing table. You can add additional prefixes to the inet. 3 routing table by
using the install <prefix> option under the LSP you are configuring. You can also add this
prefix to the inet. 0 routing table by including the active tag. Adding the prefix to inet . 0 allows
the LSP to be used by BGP as well as the interior gateway protocol (IGP). We will discuss these
options in more detail in the following section.

Chapter 6-4 Miscellaneous MPLS Features

www.juniper.net

Junos MPLS and VPNs

l1li

Adding prefixes to inet. 3 example

EBGP peer interfaces included in OSPF as passive
Traffic is traversing the network using the OSPF best ath
[edit]
instead of using the LS ~~""" "'\"",
user@R1# show protocols mpls
label-switched-path LSP-to-R4
{

to 192.168.1.4;
primary thru-R2;
path thru-R2 {
192.168.1.2 loose;

Adding Prefixes Example

We will be using the example to demonstrate a circumstance where you may need to utilize the
install prefix option. In the topology reflected on the slide we are connecting site 1 with site 2.
There is a LSP that has been signaled from Rl to R4 that must traverse R2 because of the loose
Explicit Route Object (ERO) that has been configured. The external facing interfaces on Rl and R4
have been included in the IGP as passive interfaces so that internal BGP (IBGP) could resolve the
next hop for EBGP routes learned from site 1 and site 2. The traffic that is sent from site 1 to site 2 is
using the IGP best path and not the LSP as expected.

www.juniper.net

Miscellaneous MPLS Features Chapter 6-5

Junos MPLS and VPNs

user@R1> show route 192.168.11.2 extensive

inet.O: 36 destinations, 36 routes (36 active, 0 holddown, 0 hidden)
192.168.11.2/32 (1 entry, 1 announced)

III

Indirect next hops: 1

lprojocol next hop: 10.0.11.2 Metric: 5
Indirect next hop: 8fd62dO 1048574
Indirect path forwarding next hops: 1
Next hop type: Router
Next hop: 172.22.201.6 via ge-1/0/0.0
1fr.:1':':'0""':OO:-.~1":"1-;~]i724
.
Originating RIB: i~~t. 0]
Metric: 5
Node path count: 1
Forwarding nexthops: 1
Nexthop: 172.22.201.6 via ge-1/0/0.0

Route Review

Protocol next-hop is not the egress LSP IP address

" Protocol next-hop is resolved using the inet. 0 table
user@R1> show route table inet.3
inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

Route Review
Start by looking at your EBGP routes to determine what the next hop is. As displayed on the slide, we
do have an active route. The protocol next hop for this route is 10.0.11.2 and you can tell that the
next hop was resolved in the inet . 0 table. You can also see that there is not an entry in the inet.3
routing table. This is because the LSP terminates at the loopback address of R4. Because BGP will
first try to resolve the next hop in the inet . 3 table, we need to add this prefix in order to route the
traffic through the LSP.

Chapter 6-6 Miscellaneous MPLS Features

www.juniper.net

Junos MPLS and VPNs

III

Configuration
Add the next hop using the install prefix option under
the [edit protocols mpls label-switchedpath lsp-name] hierarchy
.. Prefix can be a single host or an entire network

[edit protocols mpls label-switched-path LSP-to-R4l

user@Rl# show

Configuring the Install Option

The install option is configured under the [edit protocols mpls
labe 1- swi tched -pa th 1 sp- namel hierarchy. By specifying the ins tall prefix statement
under the specific LSP, the Junos OS knows what LSP to associate the prefix with. With the install
option you can indicate and single host with a /32 or you can include an entire network. These
routes will be installed into the inet . 3 routing table. When BGP needs to resolve a next hop to the
address you installed it will use this route over and IGP route that may exist. The sample
configuration on the slide shows that the 10.0.11.2/32 prefix is now installed in the inet. 3 routing
table. Remember from the previous slide that 10.0.11.2/32 is the BGP protocol next hop for our
routes to site 2.

www.juniper.net

Miscellaneous MPLS Features Chapter 6- 7

Junos MPLS and VPNs

i
l1li

Verify the routes

user@Rl> show route 192.168.11.2 extensive
inet.O: 36 destinations, 36 routes (36 active, 0 holddown,
192.168.11.2/32 (1 entry, 1 announced)

0 hidden)

Indirect next hops: 1

Protocol next hop: 10.0.11.2 Metric: 4
Indirect next hop: 8fd62dO 1048574
Indirect path forwarding next hops: 1
Next hop type: Router
Next hop: 172.22.201.2 via ge-O/O/O.O weight Ox1
[10.0.11.2/32 originating R~2} ~net.:3]
I'letnc: 4
Node path count: 1
Forwarding nexthops: 1
Nexthop: 172.22.201.2 via ge-O/O/O.O
user@R1> show route table inet.3
inet.3: 2 destinations, 2 routes (2 active, 0 holddown,
= Active Route, - = Last Active, * = Both

0 hidden)

192.168.1. 4/32

* [RSVP/7/1] 00:07:00, metric 4

> to 172.22.201.2 via ge-O/O/O.O, label-switched-path LSP-to-R4
*[RSVP/7/1] 00:07:00, metric 4
> to 172.22.201.2 via ge-O/O/O.O, label-switched-path LSP-to-R4

Verify the Route Changes

After making the appropriate configuration changes it is important to verify the results. As the slide
shows. the protocol next hop for the BGP route to site 2 is being resolved in the inet . 3 routing
table. The slide also show the 10.0.11.2/32 route is installed in the inet . 3 routing table. The
traffic from site 1 to site 2 is going to traverse the network using the LSP.

Chapter 6-8 Miscellaneous MPLS Features

www.juniper.net

Junos MPLS and VPNs

l1li

Default behavior
LDP and RSVP routes are stored in inet. 3
Table inet. 0 is not aware of routes installed in inet. 3
user@R1> show route 10.0.11.2
inet.O: 36 destinations, 36 routes (36 active,
= Active Route, - = Last Active, * = Both

0 holddown,

0 hidden)

10.0.11.0/24

*[OSPF/10] 01:21:41, metric 5

> to 172.22.201.6 via ge-1/0/0.0

inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)

= Active Route, - = Last Active, * = Both

10.0.11.2/32

*[RSVP/7/1] 00:02:42, metric 4

> to 172.22.201.2 via ge-O/O/O.O, label-switched-path LSP-to-R4

Default Routing Table Behavior

The inet. 3 routing table is where LDP and RSVP signaled routes are stored. By default only BGP
pays attention to tile entries stored in inet . 3 and only then when it is resolving a BGP next hop.
The LSPs are hidden from the main IP routing table. which allows non-BGP traffic to continue to use
the IGP forwarding path. This behavior can be altered so that non-BGP traffic can also use the LSP.
The output on the slide shows an active OSPF route used to route IGP traffic and a RSVP route used
by BGP traffic when the protocol next hop is the 10.0.11.2 prefix. We are going to discuss altering the
default behavior next.

www.juniper.net

Miscellaneous MPLS Features Chapter 6-9

Junos MPLS and VPNs

II

Altering default behavior

Include the acti ve option when using the install
prefix option under the [edi t protocols mpls
label-swi tched-pa th 1 sp-name] hierarchy
[edit protocols mpls label-switched-path LSP-to-R4J
user@R1# show
to 192.168.1.4;
install 10.0.11.

III

Verifying changes
user@R1> show route 10.0.11.2

destinations, 37 routes
Route, - ~ Last Active,

(37 active, 0 holddown, 0 hidden)

~ Both

*[RSVP/7/lJ 00:03:22, metric 4

> to 172.22.210.2 via ge-1/0/0.210, label-switched-path LSP-to-R4

Altering the Default Routing Behavior

To allow prefixes you have installed in the inet. 3 routing table to be installed and usable by the IGP
you need to include the active tag when configuring the install prefix statement. The result
is a route that is installed in the inet . 0 table any time the LSP is established, which means you can
ping or trace the route. Use this option with care, because this type of prefix is very similar to a static
route. This is especially useful when you need to push all traffic (internal and external) destined for a
specific network through the LSP. In the slide example we installed a specific /32 prefix and included
the active option. Any BGP traffic with a protocol next hop of 10.0.11.2 will use the LSP as well as
any IGP traffic that is destined to the 10.0.11.2 address.

Verifying the Changes

You can verify this easily by looking at the route forthe prefix you installed using the command show
route prefix. You should see that the route has been moved from the inet . 3 routing table into
the inet. 0 routing table.

Chapter 6-10 Miscellaneous MPLS Features

www.juniper.net

Junos MPLS and VPNs

II

Traffic engineering bgp-igp

LSP end points normally installed into inet. 3 table
Usable only by BG P for next-hop resolution

Provides traffic engineering for internal destinations

Moves all inet. 3 prefixes into inet. 0
IG P can now use all LSPs

Configured at the [edit protocols mplsJ hierarchy

[edit protocols mplsJ
user@Rl# set traffic-engineering?
possible completions:
bgp
BGP destinations only
bgp-igp
BGP and IGP destinations
bgp-igp-both-ribs
BGP and IGP destinations with routes in both routing tables
mpls-forwarding
Use MPLS routes for forwarding, not routing

Traffic Engineering for BGP and IGP

If traffic engineering for BGP and IGP is enabled, the router moves the routes from the inet. 3
routing table into the main routing table, inet. O. This move merges all routes together and at the
same time empties the inet . 3 table. The number of routes in inet . 0 will be exactly the same as
before, but they will now have the potential to be reachable via LSPs as next hops. The next hops for
any given route can point to a physical interface, an LSP, or both if the metrics are equal. The bgp
option restores the default behavior, which installs the LSP endpoints into inet. 3 only.
The bgp-igp-both-ribs option allows the routes to stay in inet. 0 and inet. 3. This option
helps resolve hidden route issues when running virtual private networks (VPNs), which is in keeping
with normal VPN route resolution behavior that makes use of the inet. 3 routing table. The LOP
no- forwarding option maintains LOP routes in inet. 3, even when bgp-igp is configured. This
option is discussed next.

www.juniper.net

Miscellaneous MPLS Features Chapter 6-11

Junos MPLS and VPNs

III

Traffic engineering mpls-forwarding

.. Addresses issues with bgp-igp overshadowing IGP routes
for RSVP-signaled and LDP-signaled LSPs
.. Configured at the [edit protocols rnplsJ hierarchy
.. Keeps routes in inet. 3 for VPN and normal BGP route
resolution
.. Keeps IGP routes active (for policy export, etc.) while
allowing LSP fonvarding next hops in inet. 0
[edit protocols mpls]
user@Rl# set traffic-engineering mpls-forwarding

MPLS Forwarding
Another option for traffic engineering is mpls - forwarding. The mpls- forwarding option is
designed to overcome some of the problems associated with the use of traffic-engineering
bgp- igp. Specifically, the option is designed to prevent the overshadowing of IGP routes in the
inet.O routing table when RSVP or LOP-signaled LSPs are copied from inet. 3 into inet . 0 so
that LSPs can be used when forwarding to internal destinations.
By keeping the IGP routes active, your export policies continue to operate as expected, even though
forwarding might occur over an LSP next hop. Unlike the bgp- igp option, mpls - forwarding
maintains copies of the LSPs in the inet . 3 routing table where they can still be used for normal
VPN or BGP next-hop resolution.

Chapter 6-12 Miscellaneous MPLS Features

www.juniper.net

Junos MPLS and VPNs

III

MPLS forwarding: operational results

[edit protocols mpls]
user@R1# run show route 192.168.1.4

inet.O: 37

holddown,

0 hidden)

ct1ve Route,

192.168.1. 4/32

1@[OSPF/10]100:00:58, metric 4
> to 172.22.2Q1.6 via ge-1/0/0.0
1#[RSVP/7/1]J 00: 00:53, metric 4
> to 172.22.201.2 via ge-O/O/O.O, label-switched-path LSP-to-R4

inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)

+ = Active Router - = Last Active, * = Both
192.168.1. 4/32

* [RSVP/7/1]

00:00:53, metric 4

> to 172.22.201.2 via ge-O/O/O.O, label-switched-path LSP-to-R4

MPLS Forwarding: Operational Results

This slide demonstrates the effects of adding the mpls - forwarding statement to an RSVP-based
configuration. In this case, the 192.168.1.4 route is present in both the inet. 0 and inet . 3
routing tables as an RSVP-signaled LSP. Note that the route is also present in the inet . 0 table as
an OSPF route.
When the mpls-forwarding option is enabled, new symbols are used to indicate the status of a
route. The @ symbol is used to indicate a route that is active for routing use only, that is, active from
the perspective of an export policy. The corresponding forwarding entry is identified with a # symbol.
You would normally use the mpls- forwarding option as a substitute for bgp-igp when you
want to engineer traffic to both IGP and BGP destinations without having to concern yourself with the
effects of having LDP or RSVP signaled LSPs overshadow existing routes in the inet . 0 table.

www.juniper.net

Miscellaneous MPLS Features Cilapter 6-13

Junos MPLS and VPNs

~ Forwarding

Adjacencies

IIIIl

Forwarding Adjacencies
The slide highlights the topic we discuss next.

Chapter 6-14 Miscellaneous MPLS Features

www.juniper.net

Junos MPLS and VPNs

[edit]
user@R4# show protocols
rsvp {
interface all;
mpls {
label-switched-path green
to 192.168.5.6;
primary R4-to-R6;
path R4-to-R6 {
192.168.5.5 loose;
interface all;
ospf {
traffic-engineering;
area 0.0.0.0 {
interface all;
_---,--~-'I
label-switched-path green (
metric 1;

Forwarding
adjacencies
announce LSPs
as pointtopoint
interfaces into
the IGP routing
table

Forwarding Adjacency Overview

Forwarding adjacencies allow the advertisement of LSPs as point-to-point interfaces within a
link-state routing protocol's link-state advertisements, This behavior allows nodes that are upstream
of the LSP ingress to factor the LSP as part of their shortest-path-first (SPF) calculations,
Forwarding adjacencies might be useful in a network that has a full-mesh of RSVP traffic-engineered
LSPs between core routers, Forwarding adjacencies allow edge routers to utilize traffic-engineered
LSPs in the network core without the complexity and scaling issues involved with extending the
full-mesh of RSVP traffic-engineered LSPs to all routers,
The slide illustrates how the OSPF protocol is configured to advertise the green LSP into area 0 with
a metric of 1, Note that you must enable traffic engineering for OSPF. Remember traffic engineering
is enabled by default for IS-IS.

www.juniper.net

Miscellaneous MPLS Features Chapter 6-15

Junos MPLS and VPNs

Forwarding Adjacency: Operation

You should only use Constrained Shortest Path First (CSPF) LSPs for forwarding adjacency
applications to ensure that the LSP is injected into the IGP for IGP calculations, but not injected into
the traffic engineering database (TED). A CSPF LSP is not placed into the TED, and therefore, other
CSPF LSPs will not try to form over the LSP that is now being advertised into the IGP. If you use
non-CSPF LSPs, it is possible that a new LSP will attempt to establish itself over an existing LSP
(because you are not using the TED in this case), which causes an RSVP error.
Remember that LSPs are unidirectional. IS-IS requires that an LSP have a corresponding LSP in the
reverse direction before advertising the forwarding adjacency in link-state advertisements. OSPF
only requires the reverse direction to have IP-Ievel reachability (by means of an LSP or a routed path)
before advertising the forwarding adjacency in link-state advertisements. In both IS-IS and OSPF the
LSP is advertised into the IGP, but no hellos or routing updates occur over the LSP-only user traffic is
sent over the LSP. IS-IS and OSPF use the local copy of the link-state database to verify their
bidirectional reachability requirements.

Chapter 6-16 Miscellaneous MPLS Features

www.juniper.net

Junos MPLS and VPNs

user@R7> traceroute 192.168.5.8

trace route to 192.168.5.8 (192.168.5.8), 30 hops max, 40 byte packets
1 172.22.211.2 (172.22.211.2)
32.694 ms 0.284 ms 0.277 ms
2
2.22.203.2 (172.
. 13
abel=299968 CoS=O TTL=l S=l
3

192.168.5.8 (192.168.5.8)

ms

1.420 ms

The Forwarding Adjacency Data Plane

In the screen capture on the slide, a traceroute shows that packets are traversing an LSP that was
provided in the middle of the network. This screen capture correlates to the diagram on the previous
page.

www.juniper.net

Miscellaneous MPLS Features Chapter 6-17

Junos MPLS and VPNs

user@R7> show route protocol ospf

inet.O: 37 destinations, 37 routes (37 active,
= Active Route, - = Last Active, * = Both

0 ho1ddown,

0 hidden)

172.22.240.0/24
172 .22 .241.0/24
192.168.5.1/32
192.168.5.2/32
192.168.5.3/32

192.168.5.4/32
192.168.5.5/32
192.168.5.6/32
192 .168.5.8/32
224.0.0.5/32

*[OSPF/10] 00:35:07, metcic 2

> to 172.22.210.2 via ge-1/0/0.210
*[OSPF/10] 00:35:12, metcic 2
> to 172.22.211.2 via ge-1/0/1.211
*[OSPF/10] 00:35:07, metcic 1
> to 172.22.210.2 via ge-1/0/0.210
*[OSPF/10] 00:35:07, metric 2
> to 172.22.210.2 via ge-1/0/0.210
*[OSPF/10] 00:35:07, metcic 3
> to 172.22.210.2 via ge-1/0/0.210
to 172.22.211.2 via ge-1/0/1.211
*[OSPF/10] 00:35:12, metric 1
> to 172.22.211.2 via ge-1/0/1.211
*[OSPF/10] 00:35:12, metric 2
> to 172.22.211.2 via e-1/0/1.211
*[OSPF/10] 00:35:12, metric 2
> to 172.22.211.2 via ge-1/0/1.211
*[OSPF/10] 00:34:40, metric 3
> to 172.22.211.2 via ge-1/0/1.211
*[OSPF/10] 03:17:20, metric 1
MultiRecv

The Forwarding Adjacency Control Plane

Checking the IGP routes on Router R7 clearly shows that OSPF is including the LSP, with an
associated cost of 1, in its best route calculations for a total metric of 2. This capture correlates to
the diagram and the configuration shown on the preceding pages.

Chapter 6-18 Miscellaneous MPLS Features

www.juniper.net

Junos MPLS and VPNs

~ Policy Control over LSP Selection

Policy Control over LSP Selection

The slide highlights the topic we discuss next.

www.juniper.net

Miscellaneous MPLS Features Cilapter 6-19

Junos MPLS and VPNs

III

Control LSP next hops installed in the forwarding table

Use install-nexthop lsp
policy statement

~sp-nam.e

action in a

Apply as an export policy to the forwarding table

policy-options {
policy-statement lsp-policy {
term first-route {
from {
route-filter 192.168.48.0/24 exact;

routing-options

term second-route
from {
route-filter 192.168.49.0/24 exact;

Selecting an LSP Next Hop

When multiple equal-cost LSPs to a destination exist, you can use policy to control which LSP gets
installed in the forwarding table. This control provides fine-grained engineering of traffic flows across
equal-cost LSPs.

Continued on next page.

Chapter 6-20 Miscellaneous MPLS Features

www.juniper.net

Junos MPLS and VPNs

Selecting an LSP Next Hop (contd.)

Use the insta11-nexthop 1sp lsp-name command as the action in a policy statement, and
then apply the export policy to the forwarding table. The configuration on the slide will install the
LSP-l LSP as the next hop for the 192.168.48.0/24 prefix and the LSP-2 LSP as the next hop
for the 192.168.49.0/24 prefix. You can use the show route command to confirm the desired
operation as shown in this capture:

user@R7> show route 192.168.48.0/24 exact

inet.O: 47 destinations, 47 routes (47 active, 0 holddown,
+ = Active Route, - = Last Active, * = Both
192.168.48.0/24

0 hidden)

* [BGP/170] 2d 06:23:21, MED 0, localpref 100, from 192.168.1.4

AS path: I
> to 172.22.211.2 via ge-1/0/1.211, label-switched-path LSP-1

user@R7> show route 192.168.49.0/24 exact

inet.O: 47 destinations, 47 routes (47 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
192 .168.49.0/24

* [BGP/170] 00:20:29, MED 0, localpref 100, from 192.168.1.4

AS path: I
> to 172.22.210.2 via ge-1/0/0.210, label-switched-path LSP-2

www.juniper.net

Miscellaneous MPLS Features Cilapter 6-21

Junos MPLS and VPNs

~LSP Metrics

LSP Metrics
The slide highlights the topic we discuss next.

Chapter 6-22 Miscellaneous MPLS Features

www.juniper.net

Junos MPLS and VPNs

811

When calculating paths with CSPF:

By default CSPF uses metric of shortest IGP path
IS-IS te-metric to modify metric for CSPF calculation
(only)

811

For LSP selection from existing LSPs:

LSP metric is IGP shortest cost regardless of CSPF metric
Can be overridden with manual metric assignment
[edit pr:otocols mpls label-switched-path LSP-to-R4J
user:@R1# show
to 192.168.1. 4;
metr:ic 4;

IGP protocol metric can be manually assigned for forwarding

adjacency

CSPF Path Metrics

You can assign LSP metrics to several different locations. By default, CSPF uses the default IGP
metric for the links that comprise the shortest path. For IS-IS, you can assign a te-metric on each
interface that is only used for CSPF while the ISIS link-state database continues to utilize the
standard IS-IS link metric. Basically, CSPF will use either the IGP metric (the default) or the
te-metric value when so configured, to compute a shortest path for an LSP. In essence, the
te-metric option allows you to have an ISIS shortest path topology that differs from the TEDs
view of the shortest path through your network.

Path Selection with LSP Metrics

By default, each LSP inherits the IGP's shortest-path metric, regardless of whether or not the LSP
actually follows the shortest path. You can override the value derived from the TED (based on default
inheritance of the IGP's path metric or values specified with the te-metric option) by explicitly
specifying an LSP metric value within the LSP's definition using the metric keyword.
When using forwarding adjacencies, you can also explicitly specify an LSP metric along with the
LSP's declaration in the corresponding IGP stanza. To avoid awkward forwarding situations, you
should only explicitly assign a metric in the MPLS definition OR in the LSP's reference within the IGP;
we recommend that you do not assign a metric in both places.

www.juniper.net

Miscellaneous MPLS Features Chapter 6-23

Junos MPLS and VPNs

-7 Automatic Bandwidth

Automatic Bandwidth
The slide highlights the topic we discuss next

Chapter 6-24 Miscellaneous MPLS Features

www.juniper.net

Junos MPLS and VPNs

II

Network automatically adjusts LSP bandwidth

Router resignals LSP for highest average utilization over
specified timeframe
Utilization determined by MPLS statistics feature (default =
5 minutes), default resignaling interval is 24 hours
Configuration options include:
Minimum and maximum bandwidth range for auto provisioning
Time interval for adjusting LSP' s bandwidttl
Thresllold for average LSP utilization cllange ttlat triggers new LSP
calculation
Statistics gathering interval under
[edit protocols mpls statistics]

Wor~\s with adaptive for

ma~\e-before-break

capability

Automatic Bandwidth Provisioning

Auto-bandwidth provisioning allows the router to monitor actual traffic usage on each LSP and
reconfigure the bandwidth of a given LSP to support observed traffic levels.
The MPLS statistics feature gathers statistics that are used to support automatic bandwidth
calculations. The router monitors the highest utilization levels for the LSP over a predefined time
period (24 hours by default). At the end of the time period. the existing LSP is resignaled. using
make-before-break and shared explicit (SE)-style reservations to provision a new bandwidth
reservation of the LSP.

www.juniper.net

Miscellaneous MPLS Features Chapter 6-25

Junos MPLS and VPNs

[edit]
uset:@R1# show protocols mpls
statistics {
file Auto-Example;
auto-bandwidth;
label-switched-path LSP-to-R4 {
to 192 .168.1.4;
metLic 4;
auto-bandwidth;
interface all;
interface fxpO. 0
disable;

Configure Automatic Bandwidth Provisioning

This slide provides a sample configuration in support of automatic bandwidth provisioning. Note that
MPLS statistics must be enabled to allow the router to monitor traffic usage. By default, the router
monitors usage every 300 seconds. If the average utilization over the adjustment interval exceeds a
certain value, the router resignals the LSP. The following options are available for automatic
bandwidth provisioning:

Option
adjust-interval

Meaning
Time to adjust LSP bandwidth (300 .. 4294967295

seconds)
adjust-threshold

Change in average LSP utilization to trigger

autoadjustment

maximum-bandwidth

Maximum LSP bandwidth (bps)

minimum-bandwidth

Minimum LSP bandwidth (bps)

moni tor-bandwidth

Monitor LSP bandwidth without adjustments

Chapter 6-26 Miscellaneous MPLS Features

www.juniper.net

Junos MPLS and VPNs

user@R1> show mpls lsp ingress extensive

Ingress LSP: 1 sessions
192.168.1. 4
From: 192.168.1.1, State: Up, ActiveRoute: 0, LSPname: LSP-to-R4
ActivePath:
(primary)
LSPtype: Static Configured
LoadBalance: Random
l'Ietric: 4
Autobandwldth
AdjustTimer: 86400 secs
Max AvgBW util: Obps, Bandwidth Adjustment in 86331 second(s).
Overflow limit: 0, Overflow sample count: 0
Encoding type: Packet, switching type: Packet, GPID: ~Pv4
*Primary
State: Up

Monitor Automatic Bandwidth Provisioning

The operational aspects of automatic bandwidth provision is displayed in the output of a show
mpls Isp extensive command, as shown on this slide.

www.juniper.net

Miscellaneous MPLS Features Chapter 6-27

Junos MPLS and VPNs

~TTL

Handling

TIL Handling
The slide higillights the topic we discuss next.

Chapter 6-28 Miscellaneous MPLS Features

www.juniper.net

Junos MPLS and VPNs

II

Default TTL Behavior

Decrements TTL on all LSR hops
Used for loop prevention and topology discovery using the traceroute
utility

Default TTL Behavior

By default, the time-to-live (TIL) value in the packet header is decremented by 1 for every hop the
packet traverses in the LSP, thereby preventing loops and allowing topology discovery. If the TIL field
value reaches 0, packets are dropped and an Internet Control Message Protocol (ICMP) error packet
can be sent to the originating router. You might want to disable normal TIL decrementing to make
the MPLS cloud appear transparent, thereby hiding the network topology.
The normal TIL handing behavior maps the IP packet's TIL value into the MPLS TIL field on the
ingress router. When the MPLS packet leaves the router, it is decremented by one, as shown in the
slide. Each transit label-switching router (LSR) decrements the TIL field by one until the packet
reaches the penultimate hop. At the penultimate hop, the penultimate router strips off the top label
and writes tile MPLS TIL value back into the IP TIL value. The egress router decrements the IP TIL
by one. The TIL values are indicated for every hop in the path on the slide.

www.juniper.net

Miscellaneous MPLS Features Chapter 6-29

Junos MPLS and VPNs

l1li

Altering default behavior: no-decrement-ttl

.. Disable TTL decrement inside LSP using
no-decrement-ttl
Configured on the ingress router only
Proprietary Juniper Networks object: all LSRs mustsupportthe
option
Supported for RSVP on a per LSP basis or global basis
IP TTL decremented at egress router only

r"""""~~~~1
L"_m"m,,_,,,,_~m"_-.!

Sets MPLS TTL to 255 on ingress router. disables TTL writeback on

penultimate router

MPLS TTL Handling: No Decrement

On the ingress of the LSP, if you include the no- decrement - t t l statement at the
[edit protocols mpls label-switched-path lsp-name] hierarchy, the ingress router
negotiates with all downstream routers using a proprietary RSVP object to ensure all routers are in
agreement. This command can also be typed within the primary or secondary path hierarchy. If
negotiation succeeds, the whole LSP appears as two hops for transit IP traffic.
[edit protocols mpls label-switched-path lsp-name]
user@Rl# set no-decrement-ttl
Note that the RSVP object is proprietary to the Junos OS and might not work with other vendors.
Further, this potential incompatibility applies only to RSVP-signaled LSPs, not LDP-signaled LSPs.
Also note that you can apply no-decrement- t t l on a per-LSP basis or globally under the
[edit protocols mpls] hierarchy.

Continued on next page.

Chapter 6-30 Miscellaneous MPLS Features

www.juniper.net

Junos MPLS and VPNs

MPLS TTL Handling: No Decrement (contd.)

If normal TTL decrement is disabled, the TTL field of IP packets entering LSPs are decremented by 1
upon transiting the LSP, making the LSP appear as a two-hop router to diagnostic tools like
traceroute. This function is performed by the ingress router, which pushes a label on IP packets with
the TTL field in the label initialized to 255. The label's TTL field value is decremented by 1 for every
hop the MPLS packet traverses in the LSP. On the penultimate hop of the LSP, the router pops the
label but does not write the label's TTL field value to the IP packet's TTL field. Instead, when the IP
packet reaches the egress router, the IP packet's TTL field value is decremented by 1.
When you use traceroute to diagnose problems with an LSP, traceroute sees tile ingress router,
altllough the egress router performs the TTL decrement. Note that this assumes that traceroute is
initiated outside of the LSP. The behavior of traceroute is different if it is initiated from the ingress
router of the LSP. In this case, the egress router would be the first router to respond to traceroute.

www.juniper.net

Miscellaneous MPLS Features Chapter 6-31

Junos MPLS and VPNs

III

Altering default behavior: no-propagate-ttl

Disable TTL decrement inside LSP using
no-propagate-ttl
Configured on every LSR
Global effect on LDP and RSVP. not configurable per-LSP
No topology discovery
IP TTL decremented at egress router only
Sets MPLS TTL to 255 on ingress router and disables writeback on
penultimate router
Allows interoperability with other vendors in the LSP patll

MPLS TTL Handling: No Propagate

You must include the no-propagate-ttl statement at the [edit protocols mpls]
hierarchy level of all routers in the path of the LSP for proper operation, which is in contrast to the
ingress based setting for the no-decrement- t t l option. Note that this statement applies to all
LSPs in a global manner, regardless of whether they are RSVP or LDP signaled. Once set, all future
LSPs traversing through this router behave as a single hop to IP packets. LSPs established before
this statement is committed are not affected. Note that this option affects RSVP-signaled LSPs,
despite its being configured under the [edi t protocol mpls] hierarchy:
[edit protocols mpls]
user@Rl# set no-propagate-ttl
Make sure all routers are configured consistently within an MPLS domain when using
no-propagate-ttl; failing to do so might cause the IP packet TIL to increase while in transit
within LSPs. This can happen, for example, when the ingress router has no-propagate- t t l
configured but the penultimate router does not, which results in the penultimate router writing the
MPLS TIL value (which starts from the ingress router as 255) back into the IP packet.
The no-propagate-ttl option is designed to be interoperable with equipment made by other
vendors. However, you must ensure all routers are configured identically.
Continued on next page.

Chapter 6-32 Miscellaneous MPLS Features

www.juniper.net

Junos MPLS and VPNs

MPLS TIL Handling: No Propagate (contd.)

The no-propagate-ttl option also causes the MPLS cloud to show up as two hops from the
perspective of IP packets transiting the LSP.
The penultimate router pops the label and forwards the IP packet, but does not copy the MPLS TTL
value back into the IP packet's TTL field. The egress router then decrements the IP packet, thereby
making the cloud appear as if it consisted of only two hops.
Note that with either option (no-propagate-ttl and no-decrement-ttl), the ingress router
decrements the IP packet's TTL by one prior to placing the MPLS shim label on incoming packets.
This performance is to prevent the possibility of an endless routing loop (formed when two LSPs have
a routing loop pointing at each other). If the IP TTL were not decremented by one on ingress, the
egress router would encapsulate the IP packet with a new MPLS header without decrementing the IP
TTL. If the two routers have a routing loop, the packet would loop to infinity.

www.juniper.net

Miscellaneous MPLS Features Cllapter 6-33

Junos MPLS and VPNs

~ Explicit Null Configuration

Explicit Null Configuration

The slide highlights the topic we discuss next.

Chapter 6-34 Miscellaneous MPLS Features

www.juniper.net

Junos MPLS and VPNs

III

Configure explicit null globally under MPLS or LDP

Enables routers to signal label 0 instead of 3
Compliant with RFC 3032
Enables easier CoS configuration and interoperability
Configuration for RSVP
[edit]
user@R4# set protocols mpls explicit-null

Configuration for LDP

[edit]
user@R4# set protocols ldp explicit-null
[edit]
user@R3# run show rsvp session
Transit RSVP: 2 sessions
State
To
From
Up
192.168.1.1
192.168.1.4
Up
192.168.1. 4
192.168.1.1
Total 2 displayed, up 2, Down 0

Rt Style Labelin Labelout LSPname

1 1 FF 300512
300480 LSP-to-Rl
1 1 FF 300544
LSP-to-R4

Configuring Explicit Null

Because class-of-service (CoS) configurations with penultimate hop popping (PHP) require that the
egress router classify and queue packets based on IP-related parameters as opposed to MPLS shim
header values, end-to-end CoS designs can be made complex with PHP.
With the Junos OS you can negate the default PHP behavior to effect the receipt of labeled packets
at the egress node. In operation, the egress router will signal label 0 upstream instead of label 3. As
a result, the same CoS configuration used at transit LSRs can now also be used for the egress router.
This feature is configured globally for either MPLS or LDP. The implementation is compliant with
RFC 3032, "MPLS Label Stack Encoding".

www.juniper.net

Miscellaneous MPLS Features Chapter 6-35

Junos MPLS and VPNs

~MPLS

Pings

MPLS Pings
The slide highlights the topic we discuss next.

Chapter 6-36 Miscellaneous MPLS Features

www.juniper.net

Junos MPLS and VPNs

l1li

Feature allows ping testing of RSVP-signaled and

LDP-signaled LSPs
Does not rely on BGP routes or modification of default
routing table integration rules
A 127.0.0.1/32 address must be present on egress router's
loopback interface
The Junos OS automatically creates a 100.16384 Wittl tile
127.0.0.1/32address
Migtlt need to manually assign the 127.0.0.1/32 address on other
vendor's toopbacks

user@Rl> ping mpls rsvp LSP-to-R4

!ll! !

--- Isping statistics --5 packets transmitted, 5 packets received,

0% packet loss

user@Rl> ping mpls Idp 192.168.1.4

!l!! !
--- Isping statistics --5 packets transmitted, 5 packets received,
0% packet loss

MPLS Ping Utility

This slide illustrates the operation of the MPLS ping capability. By adding the mpls switch to a
standard ping command, you can now verify the forwarding plane of RSVP-signaled or LDPsignaled
LSPs. In the past, ping testing of an LSP required the presence of BGP routes, or the modification of
the default routing table integration rules to permit traffic engineering for internal destinations, that
is, the egress node's router ID. For RSVP-signaled LSPs, you specify the LSP name as the target for
the MPLS ping.
Note that the target address of an MPLS ping is hard-coded to 127.0.0.1; the LSP's egress node
must have a 127.0.0.1 address assigned to its loopback interface for the MPLS ping to succeed.The
Junos OS automatically creates a 100 .16384 with the 127.0.0.1/32 address assigned. You might
however, need to manually assign the 127.0.0.1/32 address if the egress router is not running the
Junos OS. You can verify the loopback address is present on the egress router by issuing the
show interfaces terse I match 100 operational mode command on the egress router.

user@R4> show interfaces terse I match 100

up
up
100
up
inet
100.0
up
up
inet
100.16384
up
up
inet
100.16385
up

192.168.1.4
127.0.0.1

-> 0/0
-->

0/0

Continued on next page.

www.juniper.net

Miscellaneous MPLS Features Chapter 6-37

Junos MPLS and VPNs

MPLS Pings to Confirm MPLS Forwarding Plane (contd.)

The detail switch provides additional output:

user@R1> ping mp1s rsvp test count 1 detail

Request for seq 1, to interface 9, labels <100096, 0, 0>
Reply for seq 1, return code: Egress-ok
--- lsping statistics --1 packets transmitted, 1 packets received, 0% packet loss

Chapter 6-38 Miscellaneous MPLS Features

www.juniper.net

Junos MPLS and VPNs

III

In this chapter, we:

Discussed the purpose of several miscellaneous MPLS
features
Discussed features that meet given design requirements

This Chapter Discussed:

Several miscellaneous MPLS features; and
Features that fulfill some given design requirements.

www.juniper.net

Miscellaneous MPLS Features Cilapter 6-39

Junos MPLS and VPNs

1. What does the inclusion of the active option do

when installing a prefix for a RSVP LSP?
2. What is the default resignaling interval when using

auto-bandwidth?
3. What are the primary differences between nodecrement-ttl and no-propagate-ttl?

Review Questions
1.

2.

3.

Chapter 6-40 Miscellaneous MPLS Features

www.juniper.net

Junos MPLS and VPNs

Configure an RSVP LSP to install a route in inet. O.

III Configure mpls traffic engineering to install a route in
inet. O.
III Use policy to control LSP selection.
III Use metrics to control LSP selection.
III Configure the network to not decrement TTL.
III Configure a router to signal explicit null.
III Configure a router to automatically adjust the RSVP
reservation based on observed bandwidth.
III Use MPLS pings to monitor connectivity.
III

Lab 5: Miscellaneous MPLS Features

The slide provides the objectives for this lab.

www.juniper.net

Miscellaneous MPLS Features Cilapter 6-41

Junos MPLS and VPNs

Chapter 6-42 Miscellaneous MPLS Features

www.juniper.net

Juntf2v'~[
Junos MPLS and VPNs
Chapter 7: VPN Review

Junos MPLS and VPNs

III

After successfully completing this chapter, you will be

able to:
Define the term "Virtual Private Network"
Describe the difference between provider-provisioned VPNs
and customer-provisioned VPNs and provide examples of
each
Describe differences between Layer 2 and Layer 3 VPNs
List the provider-provisioned MPLS VPN features supported
by the Junos operating system

This Chapter Discusses:

The definition of the term virtual private network (VPN);
Differences between provider-provisioned and customer-provisioned VPNs;
Differences between Layer 2 and Layer 3 VPNs; and
The features of provider-provisioned VPNs supported by the Junos operating system.

Chapter 7 - 2 VPN Review

www.juniper.net

Junos MPLS and VPNs

-7 Overview of VPNs
l1li

ePE-Based VPNs

l1li

Provider-Provisioned

Overview of VPNs
The slide lists the topics we cover in this chapter. We discuss the highlighted topic first.

www.juniper.net

VPN Review Chapter 7-3

Junos MPLS and VPNs

III

Virtual private network:

Branch Office

A private network constructed over a shared infrastructure

Virtual: Not a separate physical network
Private: Separate addressing and routing
Network: A collection of devices that communicate
Constraints are key-restricted connectivity is the goal

Virtual Private Network

A VPN is a private network that is constructed over a shared, public infrastructure such as Frame
Relay, an Asynchronous Transfer Mode (ATM) network, or the Internet. It is considered virtual
because it does not require a separate physical network, but instead it is a logical network, one of
possibly many logical networks, that uses a single physical network. It is considered a private
network because a VPN can have its own separate addressing and routing scheme to interconnect
devices that must communicate.
A VPN is designed so that only devices intended to communicate with each other can do so. For
instance, as shown on the slide, a VPN can be the network infrastructure that provides
communication between the corporate headquarters, branch offices, mobile users, data centers,
suppliers, and customers, while ensuring that unwanted devices cannot gain access to this private
network.

Chapter 7-4 VPN Review

www.juniper.net

Junos MPLS and VPNs

III

Uses IP infrastructure
Can be shared with Internet services

III

III

Increasing importance of IP/MPLS (not ATM/Frame

Relay)
Subscriber benefits:
Lower operational expenses
Single network connection for multiple services

III

Provider benefits:
Multiservice infrastructure
Creates additional source of revenue

Uses IP Infrastructure
Most companies today provide their employees with access to the Internet for e-mail and web
browsing services. The Internet has become part of everyday life in today's society. By utilizing the
Internet as the public infrastructure for building VPNs. companies can use their existing equipment
to reduce costs.

Increasing Importance of IP/MPLS (Not ATM/Frame Relay)

With more people having access to the Internet. it makes sense to use the IP/MPLS network as a
building block for VPNs. MPLS is now being used by many Internet service provider (ISP). This allows
these providers to offer VPN services to its customers using an IP solution.

Subscriber Benefits
VPNs deployed over the Internet can lower operational expenses for companies by making it possible
to use a single network connection to provide multiple services. A company no longer needs a Frame
Relay network to provide VPN services and Internet connectivity for e-mail services; it can all be done
using one Internet connection.

Provider Benefits
VPNs can also create an additional source of revenue for the provider. ISPs can now offer not only
Internet service but also value-added VPN services. Everybody wins!

www.juniper.net

VPN Review Chapter 7-5

Junos MPLS and VPNs

III

CPE-VPNs:
L2TP and PPTP
IPsectunnel mode

III

PP-VPNs:
BGP/MPLS-based VPNs (RFC 4364)
RFC 4364 was formerly
draft-ietf-13vpn-rfc2547 bis

Virtual routers
<& Layer 2 M PLS VPNs

"Site 1

BGP Layer 2 VPN

LDP Layer 2 circuits

VPLS
BG P signaled VPLS
LDP signaled VPLS

Customer Premises VPN Solutions

A customer premises equipment (CPE) VPN solution is a VPN that relies only on the customer's
equipment to create and manage tunnels for the private IP traffic. Layer 2 Tunneling Protocol (L2TP),
Point-to-Point Tunneling Protocol (PPTP), and IP Security (IPsec) tunnel mode are protocols used by
customer premises equipment for this purpose. When the ISP receives IP packets from the
customer, they are treated as normal IP packets and are routed accordingly.

Provider-Provisioned VPN Solutions

A provider-provisioned VPN solution is a VPN that relies on the provider's equipment to create and
manage tunnels for the private traffic using MPLS as the enabling technology. Examples of
provider-provisioned VPNs include BGP/MPLS-based VPNs, such as Layer 3 VPNs (defined in
RFC 4364), Layer 2 MPLS-based VPNs, including BGP Layer 2 VPNs (defined in draft-kompella), and
LDP Layer 2 circuits (defined in RFC 4447), as well as virtual routers and the virtual private LAN
service (VPLS) approach, which includes BGP signaled VPLS (defined in RFC 4761) and LDP signaled
VPLS (defined in RFC 4762).

Chapter 7 -6 VPN Review

www.juniper.net

Junos MPLS and VPNs

~ CPE-Based

VPNs

CPE-8ased VPNs
The slide highlights the topic we discuss next.

www.juniper.net

VPN Review Chapter 7 - 7

Junos MPLS and VPNs

III

Application: Dial access for remote users

.. Layer 2 Tunneling Protocol
RFC2661
Combination of L2F and Point-to-Point Tunneling Protocol

.. Point-to-Point Tunneling Protocol

Bundled with Windows and Windows NT

.. Authentication dUI-ing setup

.. IPsec can operate over PPP for stronger security

Application: Dial Access for Remote Users

Several protocols that provide dial access for remote users to their corporate sites are in use today.
L2TP and PPTP are the most common methods used for tunneling Point-to-Point Protocol (PPP)
traffic over an IP network. L2TP is a defined in RFC 2661. It combines Cisco's Layer 2 Forwarding
(L2F) protocol and Microsoft's PPTP and uses User Datagram Protocol (UDP) for transport.
PPTP, which is typically bundled with Windows and Windows NT, uses Transmission Control Protocol
(TCP) to transport PPP. PPTP and PPP use a system of authentication during the setup of the tunnels.
Also, both make use of the PPP authentication protocols-the Challenge Handshake Authentication
Protocol (CHAP) and tile Password Authentication Protocol (PAP)-to provide access authentication.
IPsec, another tunneling protocol, is used to tunnel private IP traffic over an IP backbone. L2TP and
PPTP are used to tunnel PPP traffic (Layer 2) using UDP or TCP as the transport protocol. IPsec
tunnels IP traffic (Layer 3) using IP as the delivery protocol.

Chapter 7 -8 VPN Review

www.juniper.net

Junos MPLS and VPNs

III

IPsec defines IETF Layer 3 security architecture

III

Applications:
"Strong security requirements, across one or multiple ISPs
" Customer responsible for key management

III

Security services include:

" Access control
" Data origin authentication
" Replay protection
" Data integrity
" Data privacy (encryption)
" Key management

IPsec Defines IElF Layer 3 Security Architecture

RFCs 4301, 4302, 4303, and 4305 contain the definition of IPsec.

Applications
For a customer with a strong security requirement, IPsec is a perfect fit. However, key management
and routing between sites are the customer's responsibility.

Security Services
Security services include the following:
Access control;
Data origin authentication;
Replay protection;
Data integrity;
Data privacy (encryption); and
Key management.

www.juniper.net

VPN Review Chapter 7-9

Junos MPLS and VPNs

II!I

Routing must be performed at CPE

!III

Secure tunnels terminate on subscriber premise

l1li

Only the CPE must support IPsec

Modifications to shared/public resources are not required

Site 1

Routing Performed at CPE

In the example on the slide, the customer provides the routing for its internal network, The tunneled
traffic is forwarded across the public Internet as a normal IP packet

Tunnels Terminate on Subscriber Premises

Private IP traffic from the site 1 destined for site 2 is encapsulated using IPsec by the CPE. This
traffic is then forwarded across the public Internet to the destination CPE. The branch office CPE
then de-encapsulates the private IP traffic and forwards it to the destination host

Only CPE Must Support IPsec

Typically, the customer's edge devices are IPsec capable and create and maintain the tunnels
between themselves. The ISP is only responsible for providing IP connectivity between the sites.

Chapter 7 -10 VPN Review

www.juniper.net

Junos MPLS and VPNs

~ Provider-Provisioned

Provider-Provisioned
The slide highlights the topic we discuss next.

www.juniper.net

VPN Review Chapter 7-11

Junos MPLS and VPNs

III

Layer 3 characteristics
Provider's routers participate in customer's Layer 3 routing
Provider's routers manage VPf\/-specific routing tables,
distributes routes to remote sites
CE routers advertise their routes to the provider

III

Layer 2 characteristics
Customer maps its Layer 3 routing to the circuit mesh
Provider delivers Layer 2 circuits to the customer, one for
each remote site
Customer routes are transparent to provider

Provider-Provisioned Layer 3 VPN Characteristics

For Layer 3 VPNs, the provider's routers participate in the customer's Layer 3 routing. Thus, the
customer's routing protocol is terminated by the provider's router. It is the responsibility of the
provider's router to manage VPN-specific routing tables and to distribute those VPN-specific routes to
the customer's remote sites.

Provider-Provisioned Layer 2 VPN Characteristics

For Layer 2 VPNs, as with Frame Relay, a Layer 2 VPN customer maps its Layer 3 routing to the
Layer 2 circuit mesh. In this situation, the provider delivers Layer 2 circuits to the customer, one for
each remote site. The provider does not participate in the routing of the customer's private IP traffic,
so the routing protocol used by the customer edge (CE) device is terminated by the remote CE device.

Chapter 7 -12 VPN Review

www.juniper.net

Junos MPLS and VPNs

III

Application: Outsource VPN

PE router maintains VPN-specific forwarding tables for each
of its directly connected VPNs
ConventionallP routing between CE and PE routers
VPN routes distributed using MP-BGP
Uses extended communities

VPN traffic forwarded across provider backbone using MPLS

CE

Service Provider Network

CE

Outsourced VPNs
MPLS-based VPNs make it possible for a service provider to offer value-added services to new and
existing customers using its existing network infrastructure.
The Junos OS supports Layer 3 provider-provisioned VPNs based on RFC 4364. In this model, the
provider edge (PE) routers maintain VPN-specific routing tables called VPN route and forwarding
(VRF) tables for each of their directly connected VPNs. To populate these forwarding tables, the CE
routers advertise routes to the PE routers using conventional routing protocols like RIP, OSPF and
EBGP.
The PE routers then advertise these routes to other PE routers with Multiprotocol Border Gateway
Protocol (MP-BGP) using extended communities to differentiate traffic from different VPN sites.
Traffic forwarded from one VPN site to another is tunneled across the service provider's network
using MPLS. The MPLS-based forwarding component allows support for overlapping address space
and private addressing.

www.juniper.net

VPN Review Chapter 7 -13

Junos MPLS and VPNs

III

III

LDP or RSVP is used to set up PE-to-PE LSPs

MP-BGP is used to distribute information about the
VPN
.. Routing and reachability for the VPf\]
.. Labels for customer sites (tunneled in PE-PE LSP)

III

Constrain connectivity by route filtering

Flexible, policy-based control mechanism

Label Distribution Protocol for LSPs

Setting up and maintaining label-switched paths (LSPs) between PE routers requires a label
distribution protocol. Options include the LDP or RSVP.

MP-BGP Distributes VPN Information

MP-BGP is used to distribute information about the VPNs. These communications include routing
and reachability information as well as the MPLS labels that map traffic to a particular VPN
forwarding table and interface.

Provider Constrains Connectivity by Route Filtering

To ensure that routing information about a particular VPN is only made available to sites
participating in that VPN, the provider must constrain advertisements using routing policy (for
example, route filtering).

Chapter 7 -14 VPN Review

www.juniper.net

Junos MPLS and VPNs

III

Virtual router functions:

Virtual router maintains VPN-specific forwarding tables
PE router participates in private network routing
Routing for private networ~\s is tunneled along with data
using IPsec, GRE, or possibly MPLS between PE routers
Virtual router within PE router operates as if it were a normal router
in the private network

Virtual Routers
A virtual router functions much like an RFC 4364 PE router in that it maintains site-specific routing
instances and tables for use in the forwarding of IP-based VPN traffic. A significant difference,
however, is that in the virtual router approach. the PE router does not terminate the routing protocol
used by the CE device. In effect, the two PE routers create a sham link representing the connection
between the PE routers for use in the flooding of OSPF LSAs across the provider's backbone.

www.juniper.net

VPN Review Chapter 7 -15

Junos MPLS and VPNs

III

Subscriber:
.. Offload routing complexity to provider
.. Suits enterprises that do not want to build core routing
competency into their organizations

IiII

Provider:
VPN-specific routing information is not maintained on all
backbone routers
.. Value-added service (revenue opportunity)

Advantages for the Subscriber

With Layer 3 provider-provisioned VPNs, the subscriber can offload its routing responsibilities to the
provider, thus allowing the customer to focus on its core competencies.

Advantages for the Provider

The provider can offer a value-added (revenue producing) service to its customers using a scalable
IP-centric-based backbone technology.

Chapter 7 -16 VPN Review

www.juniper.net

Junos MPLS and VPNs

III

Outsourcing moves administrative burden to provider

Can be a substantial provisioning and maintenance burden
Network management tools for adds. moves. and changes

III

Some customers prefer to maintain control of their

routing architecture

Limitations of Provider-Provisioned VPNs

Layer 3 provider-provisioned VPNs do have some drawbacks. The configuration and maintenance of
an RFC 4364 solution can represent a significant increase in the provider's administrative burden.
This is especially true during situations where adds, moves, and changes to the VPNs are required.
The use of automated provisioning tools can simplify day-to-day operations in the network greatly.
VPN provisioning mistakes can be costly, especially when considering that the provider could
become liable for the security of the customer's networks.

Resistance to Outsourced Routing

It might be difficult to convince some customers to outsource their routing to the provider. For these
customers, a Layer 2 VPN can be an ideal fit, as it allows them to control all aspects of their routing.

www.juniper.net

VPN Review Chapter 7 -17

Junos MPLS and VPNs

III

Layer 2 MPLS-based VPNs:

.. CCC
.. BGP Layer 2 VPNs (draft-kompella)
.. LDP Layer 2 circuits (RFC 4447)
.. BGP VPLS (RFC 4761)
.. LDP VPLS (RFC 4762)

Layer 2 MPLS-Based VPNs

The following pages discuss circuit cross-connect (CCC). BGP Layer 2 VPNs, LDP Layer 2 VPNs. BGP
signaled VPLS. and LDP signaled VPLS.

Chapter 7 -18 VPN Review

www.juniper.net

Junos MPLS and VPNs

II

Provides the foundation for MPLS-based Layer 2 VPNs

\9

Broad support of PE-CE interface types

ATM. Frame Relay, VLAN. PPP. and HDLe

III

Service provider maintains LSPs between PE routers

One LSP per VC being serviced
\9 Ingress PE maps each inbound PVC to a dedicated LSP
\9 Egress PE maps incoming LSP to outbound PVC

II

CE routes VPN traffic based on subnetjPVC mappings

CCC: The Foundation of Layer 2 VPNs

CCC provides the foundation for MPLS-based Layer 2 VPNs by providing support for the tunneling of
Layer 2 frames over MPLS LSPs. CCC supports a variety of Layer 2 protocols including ATM, Frame
Relay, virtual LANs (VLANs), PPP, and High-Speed Data Link Control (HDLC).

Provider Maintains LSP and Connection Mesh

The CCC application does not support label stacking. As a result, the provider must configure one
LSP, per direction, per virtual circuit being serviced. The provider must also define each connection
by manually mapping local connection identifiers to LSPs.

CE Maps Connections to Remote Sites

Customers route traffic based on subnet/permanent virtual connection (PVC) mappings, as they
would with any conventional Frame Relay, ATM, or private line solution.

www.juniper.net

VPN Review Chapter 7 -19

Junos MPLS and VPNs

III

List of

eee drawbacks includes:

.. CE and PE router configuration

Complex initial configuration
Tedious configuration for adds. moves. and cllanges
Interaction between service provider and customer required

.. Each DLCIjPVC requires a dedicated set of LSPs

.. Only appropriate for small numbers of individual private
connections
.. Interface types must be the same at all CE device locations
TCC can be used for unlike interfaces

CCC Drawbacks
The following list details some of the drawbacks of CCC:
CE and PE router configuration can be complex, especially during adds, moves, and
changes. The customer must coordinate with the service provider.
Each data-link connection identifier (DLCI)/PVC requires a dedicated set of MPLS LSPs.
There can be no sharing of the LSP when using CCC.
CCC as a Layer 2 VPN solution is only appropriate for small numbers of individual
private connections.
Interface types must be the same at all CE device locations. For instance, if Frame Relay
is used at one VPN site then Frame Relay must be used at all other sites. However, the
Junos OS has a feature called translational cross-connect (TCC) that can be used when
there are different interfaces types at the CE locations.

Chapter 7 -20 VPN Review

www.juniper.net

Junos MPLS and VPNs

eee and

III

Leverages experience with

III

Scalable in data and control planes

M PLS

Data plane: Label stacking consolidates multiple DLCls,

PVCs, or VLANs over a single LSP
Provisioning: BGP for autoconfiguration
III

Routing for private network is

eE to eE

Leverages Experience with CCC and MPLS

With BGP Layer 2 VPNs the VPNs are created using bidirectional MPLS LSPs, similar to eee.
However, instead of mapping the LSPs to an interface on the PE routers, the LSPs are automatically
mapped to Layer 2 circuits. Data is forwarded using a two-level label stack that permits the sharing
of the LSP by numerous Layer 2 connections. The outer label delivers the data across the core of the
network from the ingress PE router to the egress PE router. The egress PE router then uses the inner
label to map the Layer 2 data to a particular VPN-specific table.

Scalable in the Data and Control Planes

The use of label stacking improves scalability, as now multiple VPNs can share a single set of LSPs
for the forwarding of traffic. Also, by over-provisioning Layer 2 circuits on the PE device (described in
a later chapter), adds and changes are simplified, as only the new site's PE router requires
configuration. This automatic connection to LSP mapping greatly simplifies operations when
compared to the eee approach.

Routing Is CE to CE
Because the provider delivers Layer 2 circuits to the customer, the routing forthe customer's private
network is entirely in the hands of the customer. From the perspective of the attached eE device,
there is no operational difference between a Frame Relay service, eee, and a BGP Layer 2 VPN
solution.

www.juniper.net

VPN Review Chapter 7 -21

Junos MPLS and VPNs

fII

l1li

Leverages experience with GGG and MPLS

Improved data plane scalability with Layer 2 VPNs
Label stacking consolidates multiple DLCls, PVCs, or VLANs
over a single LSP

III

fII

Must provision both ends of each circuit when adding

a site
Routing for private network is GE to GE

LSP1

Leverages Experience with CCC and MPLS

With LDP Layer 2 circuits, the circuits are created using bidirectional MPLS LSPs, like CCC. However,
instead of mapping the LSPs to an interface on the PE routers, the LSPs are mapped to a
VPN-specific forwarding table (similar to BGP Layer 2 VPNs). This table then maps the data to a
Layer 2 circuit. The LDP Layer 2 circuit approach also makes use of stacked headers for improved
scalability.

Data Plane Scalability

Label stacking means that PE devices can use a single set of MPLS LSPs between them to support
many VPNs. The LDP Layer 2 circuit signaling approach does not support the auto-provisioning of
Layer 2 connections, and it relies on LDP for signaling.

Manual Provisioning for Moves and Changes

The LDP Layer 2 circuit approach requires configuration on all PE routers involved in the VPN when
moves, adds, and changes occur. Draft-kompella support for MP-BGP-based Signaling and its
automatic connection mapping features make it far simpler to deploy and maintain a Layer 2 VPN
service.

Routing for Private Network Is CE to CE

Because the provider delivers Layer 2 circuits to the customer, the routing for the customer's private
network is entirely in the hands the customer.
Chapter 7 -22 VPN Review

www.juniper.net

Junos MPLS and VPNs

III

To the customer in a VPLS environment, the

provider's network appears to function as a single
LAN segment
Acts similarly to a learning bridge

l1li

Administrator does not need to map local circuit IDs

to remote sites
PE device learns MAC address from received Layer 2 frames
MAC addresses are dyna
Ily mapped to outbound MPLS
LSPs
or interfaces

Provider's Network Appear to Be a Single LAN Segment

A newer service that can be provided to the customer is VPLS. To the customer, VPLS appears to be a
single LAN segment. In fact, it appears to act similarly to a learning bridge. That is, when the
destination media access control (MAC) address is not known, an Ethernet frame is sent to all
remote sites. If the destination MAC address is known, it is sent directly to the site that owns it. The
Junos OS supports two variations of VPLS, BGP signaled VPLS and LDP signaled VPLS. VPLS is
covered in more detail in later chapters.

No Need to Map Local Circuit to Remote Sites

In VPLS, PE devices learn MAC addresses from the frames that it receives. They use the source and
destination addresses to dynamically create a forwarding table (vpn -name. vpls) for Ethernet
frames. Based on this table, frames are forwarded out of directly connected interfaces or over an
MPLS LSP across the provider core. This behavior allows an administrator to not have to manually
map Layer 2 circuits to remote sites.

www.juniper.net

VPN Review' Chapter 7-23

Junos MPLS and VPNs

II

Subscriber:
Can outsource circuits
Maintains control of routing
Uses any Layer 3 protocol

II

Provider:
Complements RFC 4364
Operates over tile same core. using tile same outer LSP

Can collapse Layer 2 VPNs (Frame Relay, ATM, and VLANs)

onto a single IP/MPLS infrastructure
Reduces the number of LSPs with label stacking compared
with CCC
Simplifies adds, moves, and changes with automatic
provisioning when using BGP Layer 2 VPNs

Subscriber Advantages
With Layer 2 VPNs the customer can outsource Layer 2 circuits to the provider over an existing
Internet access circuit while maintaining control over the routing of its traffic. Also, because the
provider is encapsulating Layer 2 traffic for transport using MPLS, the customer can use any Layer 3
protocol-not only IP-based protocols.

Provider Advantages
Layer 2 and Layer 3 VPNs can coexist by using the same MPLS transport and Signaling protocols. The
provider can now sell Frame Relay or ATM circuits to different customers using its existing IP core.
Automatic provisioning of Layer 2 circuits simplifies the processes of adds, moves, and changes.
Also, the use of label stacking greatly improves efficiency and scalability.

Chapter 7 -24 VPN Review

www.juniper.net

Junos MPLS and VPNs

II

Circuit type (ATM/Frame Relay/VLAN) to each VPN

site must be uniform
TCC can be used when circuits connecting sites differ

III

Removes a provider revenue opportunity

Provider no longer adding value by managing routing over
the backbone

l1li

Customer must have routing expertise

Circuit Types Must Be the Same

The circuit type (ATM/Frame Relay/VLAN) to each VPN site must be uniform. TCC can be used to
connect sites with different circuit types. TCC removes the Layer 2 frame and replaces it with a new
one used for the outgoing circuit.

Removes Revenue Opportunity

Because the customer is responsible for the routing of traffic between its sites, the provider can no
longer add value by providing outsourced routing services, as is the case with Layer 3 VPNs.

Customer Routing Experience

The customer must have routing expertise and the necessary staffing to configure and maintain its
backbone routing.

www.juniper.net

VPN Review Chapter 7 - 25

Junos MPLS and VPNs

II1II

In this chapter, we:

.. Defined the term "Virtual Private Network"
Explained the difference between provider-provisioned VPNs
and customer-provisioned VPNs and provide a few examples
of each
Described differences between Layer 2 and Layer 3 VPNs
.. Listed the provider-provisioned MPLS VPI\J features
supported by the Junos operating system

This Chapter Discussed:

The definition of VPN;
Differences between provider-provisioned VPNs and customer-provisioned VPNs;
Differences between Layer 2 and Layer 3 VPNs; and
Provider-provisioned MPLS VPN features supported by the Junos OS.

Chapter 7 -26 VPN Review

www.juniper.net

Junos MPLS and VPNs

1. What is a "Virtual Private Network"?

2. What is the primary difference between a CPE-VPN
and a PP-VPN?
3. What are the differences between a Layer 2 VPN
and a Layer 3 VPN?

Review Questions
1.

2.

3.

www.juniper.net

VPN Review Chapter 7 -27

Junos MPLS and VPNs

Chapter 7 -28 VPN Review

www.juniper.net

Juntr2v~[
Junos MPLS and VPNs
Chapter 8: Layer 3 VPNs

Junos MPLS and VPNs

lIB

After successfully completing this module, you will be

able to:
Define the roles of P, P[ and CE routers
Describe the format of VPN-IPv4 addresses
Explain the role of the route distinguisher
Describe the flow of RFC 4364 control information
Explain the operation of the RFC 4364 forwarding plane

This Chapter Discusses:

The roles of provider (P). provider edge (PE). and customer edge (CE) routers;
Virtual private network (VPN) IP version 4 (IPv4) address formats;
Route distinguisher use and formats;
RFC 4364 control flow; and
RFC 4364 data flow.

Chapter 8-2 Layer 3 VPNs

www.juniper.net

Junos MPLS and VPNs

-7 Layer 3 VPN Terminology

II

VPN-IPv4 Address Structure

III

Operational Characteristics
Policy-Based Routing Information Exchange
Traffic Forwarding

Layer 3 VPN Terminology

The slide lists the topics we cover in this chapter. We discuss the highlighted topic first.

www.juniper.net

Layer 3 VPNs Chapter 8-3

Junos MPLS and VPNs

III

CE routers:
Located at customer premises
.. Provide access to the service provider network
.. Can use any access technology or routing protocol for the
CEjPE connection

Customer Edge Routers

CE routers are located at the customer location and provide access to the provider-provisioned VPN
(PP-VPN) service. CE routers can interface to provider PE routers using virtually any Layer 2
technology and routing protocol.

Chapter 8-4 Layer 3 VPNs

www.juniper.net

Junos MPLS and VPNs

III

PE routers:
Maintain VPN-specific forwarding tables
Exchange VPN routing information with other PE routers
using BGP
Use MPLS LSPs to forward VPN traffic

Provider Edge Routers

PE routers are located at the edge of the provider's network. They interface to the CE routers on one
side and to the provider's core routers on the other. PE routers maintain site-specific VPN route and
forwarding (VRF) tables. The PE and CE routers function as routing peers, with the PE router
terminating the routing exchange between customer sites and the provider's core.
Routes learned from the CE routers (and stored in the PE router's VRF table) are sent to remote
PE routers using Multiprotocol Border Gateway Protocol (MP-BGP).
PE routers use MPLS LSPs when forwarding customer VPN traffic between sites. LSP tunnels in the
provider's network separate VPN traffic in the same fashion as PVCs in a legacy ATM or Frame Relay
network.

www.juniper.net

Layer 3 VPNs Chapter 8-5

Junos MPLS and VPNs

l1li

P routers:
(I

Forward VPN data transparently over established LSPs

Do not maintain VPN-specific routing information

Provider Routers
Provider (P) routers are located in the provider's core. These routers do not carry VPN customer
routes, nor do they interface in the VPN control and signaling planes. This is a key aspect of the RFC
4364 scalability model; only PE routers are aware of VPN customer routes, and no single PE router
must hold all VPN customer state information.
P routers are involved in the VPN forwarding plane where they act as label-switching routers (LSRs)
performing label swapping (and popping) operations.

Chapter 8-6 Layer 3 VPNs

www.juniper.net

Junos MPLS and VPNs

III

III

A site is a collection of machines that can

communicate without traversing the service provider
backbone
Each VPN site is mapped to a PE router interface
Routing information is stored in different tables for each site

VPN Sites
A VPN site is a collection of devices that can communicate with each other without the need to
transit the provider's backbone. A site can range from a single location with one router to a network
consisting of many geographically diverse routers.

Mapped to a VRF
Each VPN site is attached to at least one PE router and can be dual-homed with multiple connections
to different PE routers. Each site is associated with a site-specific VRF table in the PE routers. It is
here that the PE router maintains the routes specific to that site and. based on policy. the routes for
remote sites to which this location can communicate.

www.juniper.net

Layer 3 VPNs Chapter 8- 7

Junos MPLS and VPNs

A VRF is created

Virtual Private Network Routing and Forwarding Tables

In the Layer 3 VPN model, site-specific VRF tables house each site's routes. This separation of routes
allows VPN customers to use private addresses that can overlap witll addresses used by other VPN
customers.
On this slide, PE 1 has three VRF tables-one for each of its attached VPN sites. The VRF tables store
routes learned from the attached site, as well as routes learned through MP-BGP interaction with
remote PE routers. In the latter case, VPN policy determines which routes are copied into which VRF
tables based on the presence of a VPN-IPv4 route attribute known as a route target.

Chapter 8-8 Layer 3 VPNs

www.juniper.net

Junos MPLS and VPNs

III

Each VRF table is populated with:

.. Routes received from directly connected CE sites associated
with the VRF table
.. Routes received from other PE routers with acceptable
MP-BGP attributes

III

Packets from a given site are only matched against

the site's corresponding VRF table
.. Provides isolation between VP[\Js

VRF Table Population

As mentioned previously, each PE router maintains site-specific VRF tables that house routes
learned from the local CE device, as well as routes learned from remote PE routers having matching
route attributes.

Site Separation
When a packet is received from a given site, the PE router performs a longest-match Layer 3 lookup
against only the entries housed in that site's VRF table. This separation permits duplicate addressing
among VPN customers with no chance of routing ambiguity.

www.juniper.net

Layer 3 VPNs Chapter 8-9

Junos MPLS and VPNs

~VPN-IPv4 Address Structure

an

VPN-IPv4 Address Structure

The slide highlights the topiC we discuss next.

Chapter 8-10 Layer 3 VPNs

www.juniper.net

Junos MPLS and VPNs

III

VPNs A and B use the same address space

PE 1 uses a separate routing (VRF) table for each VPN site
PE 2 would normally choose between the two 10.1/16 routes
MPLSjBGP VPNssolve this problem with the route distinguisller

Duplicate Addresses Welcome!

This slide stresses that two VPN customers can use overlapping address space with no issues due to
the separation of their routes in site-specific VRF tables.
In this example, VPN Site A is using the 10.1/16 addresses space, which is also being used by VPN
customer B. However. housing these overlapping routes in separate VRF tables on PE routers is only
half of the solution. A mechanism is needed to allow the PE routers to exchange these routes with
remote PE routers without any chance of one address stepping on the otller.
For example, when PE 1 advertises routes from its two VRF tables to PE 2, they arrive over a common
MP-BGP connection that is not inherently associated with a particular VRF table. How can we assure
that PE 2 interprets these routes as being independent and unrelated? The answer lies in the
structure of a VPN-IPv4 address containing a route distinguisher designed to fix the very problem
posed here.

www.juniper.net

Layer 3 VPNs Chapter 8-11

Junos MPLS and VPNs

(1 byte)
II

(3 bytes)

(2 bytesXvariable length)(variable length)

(0-4 bytes)

VPN-IPv4 address family

New BGP-4 subsequent address family identifier (SAFI 128)
Consists of MPLS label + route distinguisher + subscriber IPv4 prefix
Route distinguisher disambiguates IPv4 addresses
Allows service provider to administer its own numbering space

II

VPN-IPv4 addresses are distributed by MP-BGP

Uses multiprotocol extensions for BGP4 (RFC 2858)

,. A/32 IPv4 prefix produces a VPN-IPv4 prefix with a mask

of /120 (15 octets)
The Junos OS CLI displays (and the examples in this class) only
show IPv4 prefix length (that is, /32)

................

VPN-IPv4 Address Family

The slide shows the structure of a VPN-IPv4 address. VPN addresses use a new MP-BGP subsequent
address family identifier (SAFI). Because they are, in the end, IPv4 addresses, they use the same family
identifier (1) as conventional IPv4 routes.
VPN network layer reachability information (NLRI) contains a 24-bit MPLS label, which is sometimes
called a VRF label because the label's function is to associate packets with a particular VRF instance in
the receiving PE router. VPN addresses also contain a route distinguisher field, which is used to
disambiguate VPN routes. In other words, two identical IP prefixes are considered as different, and
therefore incomparable, when they carry different route distinguisher values.

Distributed by MP-BGP
Labeled VPN routes are exchanged over the MP-BGP sessions, which terminate on the PE routers.

VPN Route Masks

A 32-bit IPv4 prefix combined with the other fields in a VPN-IPv4 address produce a VPN-IPv4 prefix
with a mask of 120 bits. The Junos operating system only displays the mask for the IPv4 prefix
portion of the prefix. Thus, in this case, the operation would see a VPN-IPv4 prefix with a mask length
of /32.

Chapter 8-12 Layer 3 VPNs

www.juniper.net

Junos MPLS and VPNs

(Type)

(Adm)

L-..

Assigned N urn her Field: N u mberassigned by the identified

a uthority fora particular purpose

Mmi!Jj~tiQ!J.Fi.Glq:

Identifies the assigned n urnbera uthority

2-Byte Tyoo Field: Oeterm ines the len gthsofthe other two fields
ill

Two values are defined for type field: 0 and 1

Type 0: adm field

= 2 bytes,

AN field

= 4 bytes

Adm field should contain an ASN from lANA

AN field is a number assigned by service provider

Type 1: adm field = 4 bytes, AN field = 2 bytes

Administration field should contain an IP address assigned by lANA
Assigned number field is a number assigned by service provider

Examples: 10458:22:10.1.0.0/16 or
1.1.1.1:33:10.1.0.0 16

Two Route Distinguisher Formats Defined

The route distinguisher can be formatted two ways:

Type 0: This format uses a 2-byte administration field that codes the provider's
autonomous system number, followed by a 4-byte assigned number field. The assigned
number field is administered by the provider and should be unique across the autonomous
system.
Type 1: This format uses a 4-byte administration field that is normally coded with the router
10 (RID) of the advertising PE router, followed by a 2-byte assigned number field that caries
a unique value for each VRF table supported by the PE router.
The examples on the slide show both the Type 0 and Type 1 route distinguisher formats. The first
example shows the 2-byte administration field with the 4-byte assigned number field (Type 0).

www.juniper.net

Layer 3 VPNs Chapter 8-13

Junos MPLS and VPNs

II

Route distinguisher disambiguates IPv4 addresses

fill

VPN-I Pv4 routes

Ingress PE router prepends route distinguisher to IPv4 prefix
of routes received from each CE device
1/1

1/1

II

VPN-IPv4 routes are exchanged between PE routers using

MP-BGP
Egress PE router converts VPN-IPv4 routes into IPv4 routes
before inserting into site's routing (VRF) table

VPN-IPv4 is used only in the control plane

1/1

Data plane uses MPLS-encapsulated IPv4 packets

Disambiguates IPv4 Addresses

As mentioned on the previous page, the route distinguisher allows the router to disambiguate two
identicallP prefixes.

VPN-IPv4 Routes
The ingress PE router adds (or prepends) the route distinguisher to the IPv4 prefix of routes received
from each CE router. These VPNIPv4 routes are then exchanged between PE routers using MpBGP. The
egress router converts the VPNIPv4 routes back into IPv4 routes before inserting them into the site's
routing table.

Used Only in the Control Plane

The VPN address family exists only in the signaling or control plane between PE routers. Routes that
match VPN policy, and are therefore installed into a particular VRF table, have the 8byte route
distinguisher (and MPLS label) removed so that they appear as conventionallPv4 routes in the VRF
table. Because the sitespecific VRF tables provide route isolation, there is no need for the route
distinguisher once a route is safely stored away in a VRF table. Only signaling exchanges between
PE routers use tile VPNIPv4 address format.

Chapter 8-14 Layer 3 VPNs

www.juniper.net

Junos MPLS and VPNs

III

The overlapping routes from A and B appear to be

non-overlapping to PE2 because of the prepended
route distinguisher

Overlapping Routes Revisited

With the inclusion of the route distinguisher, the overlapping address spaces used by VPN customers A
and B do not cause ambiguity at PE 2 because the different route distinguishers make these routes
incomparable.
The sole purpose of the route distinguisher is to make what would otherwise be identical addresses
incomparable. The PE routers do not interpret or act on the fields in the route distinguisher for any
other reason.

www.juniper.net

Layer 3 VPNs Chapter 8-15

Junos MPLS and VPNs

~ Operational Characteristics
~ Policy-Based

Routing Information Exchange

Policy-Based Routing Information Exchange

The slide highlights the topic we discuss next.

Chapter 8-16 Layer 3 VPNs

www.juniper.net

Junos MPLS and VPNs

VPNB

Site 2

VPNA

Site3

III

Control flow (signaling pia

Routing information exchange between CE and PE routers
Independent at botll ends
Routing information exchange between PE routers
LSP establishment between PE routers (RSVP or LOP
signaling)

III

Data flow (forwarding plane):

Forwarding user traffic

Control Flow
VPN control flows exist at various places in the RFC 4364 environment. First, we have the signaling
exchange between CE and PE routers that can take the form of OSPF, RIP, BGP, or even static routing.
The control exchanges between PE and CE routers are totally independent, due to the PE routers
terminating the local CE-PE signaling flows. The PE routers then use MP-BGP to convey routes from
site-specific VRF tables for the purposes of populating the VRF tables on remote PE routers.
Finally, the need for LSPs in the provider's networks results in the presence of MPLS-related signaling in
the form of either RSVP or LDP.

Data Flow
Data flow relates to the actual forwarding of VPN traffic from CE router to CE router using MPLS
label-based switching through the provider's core.

www.juniper.net

Layer 3 VPNs Chapter 8-17

Junos MPLS and VPNs

II1II

VPNs are defined by administrative policies

.. Used for connectivity and quality of service guarantees
" Defined by customers
" Implemented by service providers

III

Full-mesh or hub-and-spoke connectivity

" Logical VPN topology results from the application of export
and import route target policies

Administrative Policy
The use of policy in the PE routers determines the connectivity that results between VPN sites. While site
connectivity requirements are defined by the VPN customers, the act of implementing this policy is the
job of the service provider.
Mistakes made by the provider when defining and implementing VPN policy can lead to security
breaches at worst and broken VPN connectivity at best.

VPN Topology Options

VPN policy is extremely flexible and can result in full-mesh, partial-mesh, or hub-and-spoke
topologies. The combination of VPN import and export policy determines the resulting site
connectivity.

Chapter 8-18 Layer 3 VPNs

www.juniper.net

Junos MPLS and VPNs

l1li

Distribution of routes is controlled by BGP extended

community attributes and VRF policy
Route target
Identifies a set of VRFs to which a PE router distributes routes

Site of origin/route origin

Identifies the specific site from which a PE router learns a route
l1li

Structured similarly to the route distinguisher

8 bytes in length (2-byte type field, 6-byte value field)
Type 0:
2-byte global administrator subfield (ASN)
4-byte local administrator subfield

Type 1:
4-byte global administrator subfield (lANA-assigned IP Address)

Route Distribution Between PE Routers

VPN policy makes use of extended BGP communities that allow PE routers to filter routes for which they
have no VPN members. When a PE router has locally attached VPN members, these communities allow
the PE router to install the VPN route into the VRF table associated with specific sites.
The most important extended community is the route target, which is used to convey a route's
association with a given VPN/VRF table. The site of origin (SoO) community is used in certain corner
cases to prevent the unnecessary advertisement of routes back to a site that originated it.

Structure of Extended Communities

BGP extended communities are defined in RFC 4360. Extended communities' attributes have a
structure similar to the route distinguisher in that they are 8 bytes in length and support the same
type code options and structure.

www.juniper.net

Layer 3 VPNs Chapter 8-19

Junos MPLS and VPNs

III

Each VPN-IPv4 route advertised through MP-BGP is

associated with a route target community
Export policy or explicit configuration define the targets
associated with routes a PE router sends

III

Upon receipt of a VPN-IPv4 route, a PE router decides

whether to add that route to a VRF table
.. Import policies or explicit configuration define which routes
to add to a given VRF table

l1li

Route isolation between VRF tables is accomplished

through careful policy administration
.. Service provider provisioning tools can determine the
appropriate export and import targets automatically

Route Advertisements
Each VPN-IPv4 route advertised by a PE router contains one or more route target communities. These
communities are added using VRF export policy or explicit configuration.

Receiving Routes
When a PE router receives route advertisements from remote PE routers, it determines whether the
associated route target matches one of its local VRF tables. Matching route targets cause the PE router
to install the route into all VRF tables whose configuration matches the route target.

Careful Policy Administration

Because the application of policy determines a VPN's connectivity, you must take extra care when
writing and applying VPN policy to ensure that the VPN customer's connectivity requirements are
faithfully met. Several companies offer automated VPN provisioning tools to minimize the worl< required
when reprovisioning a VPN to meet changing customer requirements. These tools can also limit the
errors that tend to occur when changes are manually entered by human operators.
Go to http:;/www.juniper.netjpartners/oss_partners.htmlto obtain updated information on the
alliances that Juniper Networks has formed with the providers of such provisioning tools.

Chapter 8-20 Layer 3 VPNs

www.juniper.net

Junos MPLS and VPNs

".c"'(

l"'2,

l VPN
B"'CE-l
\
-.
';Sitel
"'~\"h+"""".,.#"",

_110~;~~1

(0
III

CE device advertises route to PE router

Using traditional routing techniques (for example, OSPF, RI p,
BGP, and static routes)

Routing Exchange
The following sequence of slides discusses the end-to-end exchange of routing information between
CE routers belonging to the same VPN.
CE-4 sends tile routes associated with VPN A Site 2 to its attached PE router. The 10.1/16 prefix can be
exchanged using OSPF, RIP, or BGP. Static routing can also place a site's routes into the local PE router's
VRFtable.
Whatever protocol is used between CE-4 and PE-2, the operation of this protocol is terminated by the
PE router. This termination provides isolation of the VPN site's routing protocol and the MP-BGP
protocols used to convey the routes between PE routers. This isolation improves scalability and
stability as malfunctions in the PE-CE routing protocol tend to be limited to that PE-CE pairing.

www.juniper.net

Layer 3 VPNs Chapter 8-21

Junos MPLS and VPNs

III

IPv4 address is added to the appropriate VRF table

Populating the Local VRF Table

Routes received by a local CE device are automatically installed into the VRF table associated with
that site.

Chapter 8-22 Layer 3 VPNs

www.juniper.net

Junos MPLS and VPNs

III

VRF table is configured to advertise the routes in the

VRF table as L3 VPN routes using MP-BGP
VRF table configuration adds VPN RED route target
community

VRF Export Policy

The PE router evaluates the route based on its configuration. If the VRF export policy accepts the
route, or if a VRF target is configured, the PE router converts the address into the VPN-IPv4 format by
adding the configured route distinguisher. At this time the PE router also chooses a 20-bit MPLS
label value used to associate received traffic with this VRF table. Lastly, the PE router associates the
route with one or more extended communities. At a minimum, the route will have a route target
community added.

www.juniper.net

Layer 3 VPNs Chapter 8-23

Junos MPLS and VPNs

/jV';~~

,,~ite2i)
'Y"""W'~'"I"v5"J'

"VP
"'-:'110.1;161
N 1\"'\
" Site2,)

IiII

VPN-IPv4 NLRI is advertised to other PE routers

.. Inner label (also known as VRF label, BGP label)
Extended communities
Routetarget
Site of origin

.. BGP next hop (RID of advertising PE router)

Advertisement to Remote PE Routers

In Step 4, PE-2 generates a BGP update message containing the route learned from CE4 at VPN Site
A. This route is sent to all MP-BGP peers configured on the PE router that have successfully
negotiated the support of the VPN-IPv4 address family. Other routes learned from the CE device that
share common community attributes can be packed into a single NLRI advertisement.

Chapter 8-24 Layer 3 VPNs

www.juniper.net

Junos MPLS and VPNs

.(',~~""q,,\

/*VPNg'\

Site2/~.)

V~~'A'\
n.

MP-BGP

III

VPN RED Export

Label?
Next Hop PE-2

Site2.

_1 10.1/16 1

Each PE router is configured with import route targets

Import route target is used to incorporate VPN-IPv4 routes into
VRF tables selectively
If impolt route target matches route target attribute in BGP route, the route is
installed into the bgp .13vpn table and copied into appropriate VRFtable(s)
Based on configured route target or impolt policies, 10458:23:10,1/16 is
copied into the RED VRF-but not the BLUE VRF

Import Targets Determine the Route's Fate

Step 5 shows the remote PE routers receiving the VPN route advertisement. These PE routers use their
configured VRF import policy or VRF target to determine if any of their local VRF tables have matching
route targets,
If no local configuration matches the route target, the PE router silently discards the route, Thus, a
PE router must only carry VPN routes when it has one or more locally attached sites belonging to the
same VPN, Should the remote PE router's import policy or VRF target change, BGP route refresh is used
to solicit a retransmission of previously advertised routes, because route target matches can now occur
due to the policy modifications. Use of BGP route refresh means that BGP sessions do not have to be
disrupted when adds, moves, or changes to the VPN topology occur.
When the received route's target does match a VRF table's route target configuration, the PE router
copies the VPN route into the bgp. 13vpn, 0 table. This table houses all received VPN routes whose
route target matched at least one VPN's configuration. The route is also copied into one or more local
VRF tables after having the route distinguisher removed. The result is that prefix 10.1/16 is now present
in PE-1's random early detection (RED) VRF table in a native IPv4 format.
PE-1 now associates the RID of PE-2 as the next hop for 10.1/16 when forwarding traffic that
matches the prefix and was received on its RED VRF interface.

www.juniper.net

Layer 3 VPNs Chapter 8-25

Junos MPLS and VPNs

VPN RED Import

.1Q_45!i.~JJL!i1.Q
BGP Label (Inner) Label eZ)
MPLSeOuter)Label ey)
l1li

MP-BGP

VPN RED Export

LabelZ
NextHop PE-2

_110.1/ 16 1

Each VPN-IPv4 route in a VRF table is associated with:

Inner (VRF) label to reach the advertised N LRI (carried in
MP-BGP update)
Outer label to reach the PE router

l1li

All routes associated with the same VRF interface can

share a common label

Label Association
When VPN routes are advertised, part of the NLRI is the VRF label chosen by the advertising PE router.
This label is often called the inner label because it is always found at the bottom of the label stack. The
purpose of this label is to associate received packets with the correct VRF table.
The receiving PE router must be able to resolve the RID of the advertising route to an MPLS LSP stored
in the inet . 3 table. If an LSP does not exist to the advertising PE router, the route is hidden due to an
unusable next hop. VPN traffic can only be forwarded across the provider's backbone using MPLS
switching. If an LSP to the egress PE router does not exist, the VPN route can never be used.
The result of this process is a two-level label stack used to forward packets across the provider's
backbone, and then to associate the traffic with a specific VRF table on the receiving PE router.

Common Labels
RFC 4364 allows the PE router to issue a single VRF label for all routes belonging to a common VRF
interface orto allocate a unique label for each route being advertised. The Junos OS takes the former
approach because it drastically reduces the number of VRF labels that must be managed. Compliant
implementations that use per-route VRF label assignment are interoperable with this
one-Iabel-per-VRF-interface approach, however.

Chapter 8-26 Layer 3 VPNs

www.juniper.net

Junos MPLS and VPNs

III

Each IPv4 route installed in a VRF table can be

advertised to the CE devices associated with that VRF
table
For example, RI P, OSPF, and BG P
Routing policy can be used on the PE-CE link to control the
exchange of routing information further

Advertising Received Routes

In the last step of the Layer 3 VPN signaling flow. the receiving PE router (PE-l) readvertises the routes
learned from remote PE routers to its locally attached CE routers.
These routes can be exchanged using any supported PE-CE routing protocol. or they can be defined
statically on the CE device. The CE device associates the PE router's VRF interface as the next hop for
the routes learned from the PE router.
Because the local PE-CE routing protocol is terminated by the PE router's VRF table, in this example,
CE-4 can run EBGP, while CE-3 might be running OSPF or RIP.
Where wanted, you can use routing policy to control or refine the route exchange between PE and
CE routers further. This policy would function in addition to the VRF import and export policy
discussed in this section.

www.juniper.net

Layer 3 VPNs Chapter 8-27

Junos MPLS and VPNs

~ Operational Characteristics

I
~Traffic

Forwarding

Traffic Forwarding
The slide highlights the topic we discuss next.

Chapter 8-28 Layer 3 VPNs

www.juniper.net

Junos MPLS and VPNs

CE-2/0VPNa\

Site2)
',""S\,

""""",,<,,?

10.1{16
III

The PE-to-PE LSP must be in place before forwarding

data across the M PLS backbone
LSPs are signaled through LDP or RSVP

LSP Must Exist Between Ingress and Egress PE Routers

Because VPN traffic is forwarded across the provider's backbone using MPLS, the presence of an MPLS
LSP between ingress and egress PE routers must be in place before VPN packets can be forwarded.
RSVP or LDP can establish the PE-to-PE LSP. The PE-to-PE LSPs can involve PE routers running LDP with
the resulting LDP LSPs tunneled over a traffic engineered RSVP LSP.

www.juniper.net

Layer 3 VPNs Chapter 8-29

Junos MPLS and VPNs

l1li

The CE device performs a traditional IPv4 lookup and

sends packets to the PE router

CE Device Forwards VPN Traffic to PE Router

On this slide, the CE device performs a longest-match lookup on a packet addressed to 10.1/16.
This lookup results in the CE device forwarding the packet to the IP address associated with the
PE router's VRF interface.

Chapter 8-30 Layer 3 VPNs

www.juniper.net

Junos MPLS and VPNs

PE-1
1) Lookup route in Red VRF
2) Push BGP label (z)
3) Push outerlabel(x)

lIP!

10_1116

.. The PE router consults the appropriate VRF table for

the inbound interface
III

Two labels are derived from the VRF route lookup and
are pushed onto the packet

PE Router Consults VRF Table for Longest Match

Upon receipt of the packet, the PE router conducts a longest-match route lookup in the VRF table
associated with the interface on which the packet arrived.

Two Labels Derived

Assuming that a match is found, the PE router associates the packet with two labels: the VRF label
originally advertised with the route, and an outer MPLS label, assigned by either LDP or RSVP, which
is used to associate the packet with the LSP between ingress and egress PE routers.

www.juniper.net

Layer 3 VPNs Chapter 8-31

Junos MPLS and VPNs

PE-1
1) Look u p route in Red VRF
2) Push BG P label (z)
3) Push outer la bel (x)

III

Packets are forwarded using two-level label stack

Outer (MPLS) label:
Identifies the LSP to egress
PE router
Resolves BG P next Il0p
through inet . 3
Distributed by RSVP or LDP

Inner (MP-BGP) label:

Identifies outgoing
interface from egress PE
to CE
Communicated in MP-BGP
updates (control plane)

Two-Level Label Stack Required

The PE router performs a double label push operation involving both the VRF and MPLS labels. The
VRF label associates the packet with the correct VRF table on the egress PE router while the MPLS
label associates the packet with the LSP that terminates on the egress PE router. The ingress
PE router now forwards the labeled packet to the next-hop LSR along the LSps path.

Chapter 8-32 Layer 3 VPNs

www.juniper.net

Junos MPLS and VPNs

/'

10.1/16

III

After packets exit the ingress PE router, the outer

label is used to traverse the service provider
P routers are not VPN aware

MPLS Forwarding Across Provider Core

As the labeled packet traverses the provider's core, the LSRs that make up the LSP act upon (and swap)
the outer MPLS label. In contrast, the inner VRF label remains untouched throughout the labeled
packet's journey.
The use of exact match MPLS forwarding allows the P routers to forward the packet towards the
egress PE router correctly, without any awareness of the labeled packet's contents. This concept is
key to RFC 4364 scalability, because this MPLS capability is what allows P routers to remain
unaware of the VPN.

www.juniper.net

Layer 3 VPNs Chapter 8-33

Junos MPLS and VPNs

BGP label (z)

It'

10.1.2.3

l1li

Penultimate hop popping (before reaching the egress

PE router) removes the outer label

Penultimate Hop Popping

The last P router in the LSP's patll performs a pop operation, which results in a single-level label
stack. The packet is now forwarded to the LSP's egress point with only the VRF label.

Chapter 8-34 Layer 3 VPNs

www.juniper.net

Junos MPLS and VPNs

IIPl
~10.1/16
II

III

The inner label is removed at the egress PE router

The native IPv4 packet is sent to the outbound
interface associated with the label

VRF Label Removed by Egress PE Router

The egress PE router uses the received VRF label to map the packet to a specific VRF interface.

IPv4 Packet Sentto Outbound Interface

After mapping the packet to a specific VRF interface, the VRF label is popped, and the packet is sent
to the CE device attached to that VRF interface.

www.juniper.net

Layer 3 VPNs Chapter 8-35

Junos MPLS and VPNs

II

In this chapter, we:

Defined the roles of P, PE, and CE routers
Described the format of VPN-IPv4 addresses
Explained the role of the route distinguisher
Described the flow of RFC 4364 control information
Explained the operation of the RFC 4364 forwarding plane

This Chapter Discussed:

The roles of P, PE, and CE routers;
VPN-IPv4 address formats;
Route distinguisher use and formats;
RFC 4364 control flow; and
RFC 4364 data flow.

Chapter 8-36 Layer 3 VPNs

www.juniper.net

Junos MPLS and VPNs

1. Can you define the roles of P, PE, and CE routers?

2. What is the format of VPN-IPv4 addresses?

3. What is the role of the route distinguisher?

Review Questions (Part 1)

1.

2.

3.

Continued on next page.

www.juniper.net

Layer 3 VPNs Chapter 8-37

Junos MPLS and VPNs

4. Describe the flow of RFC 4364 control information.

5. Explain the operation of the RFC 4364 forwarding
plane.

Review Questions (Part 2)

4.

5.

Chapter 8-38 Layer 3 VPNs

www.juniper.net

JUIlOS

iii

MPLS and VPNs

Configure the baseline network to be used for all VPN

labs.

Lab 6: VPN Baseline Configuration

The slide provides the objectives for this lab.

www.juniper.net

Layer 3 VPNs Chapter 8-39

Junos MPLS and VPNs

Chapter 8-40 Layer 3 VPNs

www.juniper.net

Appendix A: Acronym List

AAL5 ........................................................................... ATM Adaptation Layer 5
ABR ................................................................................. area border router
AFI. ............................................................................ address family indicator
APS ...................................................................... Automatic Protection Switching
ARP ......................................................................... Address Resolution Protocol
AS ................................................................................ autonomous system
ASBR ............................................................... autonomous system boundary router
ASIC .................................................................application-specific integrated circuit
ATM ....................................................................... Asynchronous Transfer Mode
BECN ............................................................ backward explicit congestion notification
BUM ............................................. broadcast, unicast with unknown destination, and multicast
CCC ............................................................................... circuit cross-connect
CE ..................................................................................... customer edge
CHAP ........................................................ Challenge Handshake Authentication Protocol
CIR ......................................................................... committed information rate
Cisco HDLC ............................................................. Cisco High-Level Data Link Control
CLI .............................................................................command-line interface
CoS ....................................................................................class-of-service
CoS ....................................................................................class of service
CPE ....................................................................... customer premises equipment
CRC ............................................................................ cyclic redundancy check
CR-LDP ..................................................Constraint-Based Routed Label Distribution Protocol
CSPF ..................................................................... Constrained Shortest Path First
DE ....................................................................................discard eligibility
DLCI ...................................................................... data-link connection identifier
DPC ............................................................................ Dense Port Concentrator
DR ...................................................................................designated router
ERO ............................................................................... Explicit Route Object
FEC ........................................................................ forwarding equivalence class
FECN ............................................................... forward explicit congestion notification
FF ......................................................................................... fixed filter
FPC ........................................................................... Flexible PIC Concentrator
FT1 ...................................................................................... fractional T1
GCRA ....................................................................... Generic Cell Rate Algorithm
GRE .......................................................................generic routing encapsulation
GRES ................................................................. graceful Routing Engine switch over
GUI .............................................................................graphical user interface
HDLC ...................................................................... High-Speed Data Link Control
HMAC .............................................................. Hashed Message Authentication Code
IBGP ..................................................................................... internal BGP
ICMP ................................................................... Internet Control Message Protocol
IEEE ........................................................ Institute of Electrical and Electronics Engineers
IESG ................................................................. Internet Engineering Steering Group
IETF...................................................................... Internet Engineering Task Force
IGMP ................................................................ Internet Group Management Protocol
IGP ............................................................................ interior gateway protocol
I-PMSI .................................................................................. Inclusive-PMSI
IPsec .......................................................................................IP Security
IPTV .........................................................................Internet Protocol Television
IPv4 ......................................................................................IPversion4
IPv6 ......................................................................................IPversion 6
IS-IS .......................................................... Intermediate System-to-Intermediate System
ISP ............................................................................ Internet service provider
JNCP ...............................................................Juniper Networks Certification Program
L2F ................................................................................ Layer 2 Forwarding
www.juniper.net

Acronym List Appendix A-1

L2TP ......................................................................... Layer 2 Tunneling Protocol

L3PID .............................................................................. Label 3 Protocol ID
LER .................................................................................. label edge router
LIB ..............................................................................Label Information Base
LSA ............................................................................ link-state advertisement
LSDB ............................................................................... link-state database
LSI ............................................................................. label-switched interface
LSP ................................................................................ label-switched path
LSR .............................................................................. label-switching router
MAC .............................................................................. media access control
MD5 ................................................................................ Message Digest 5
MP-BGP ............................................................. Multiprotocol Border Gateway Protocol
MP-IBGP ............................................................................ multiprotocollBGP
MSDP ................................................................ Multicast Source Discovery Protocol
MTU ......................................................................... maximum transmission unit
MVPN ................................................................... multicast virtual private network
NAT ........................................................................ Network Address Translation
NG MVPN .................................................. next-generation multicast virtual private network
NLRI ............................................................... network layer reachability information
OSI. ...................................................................... Open Systems Interconnection
OSPF ...........................................................................Open Shortest Path First
PAP .................................................................... Password Authentication Protocol
PDU ................................................................................. protocol data unit
PE ..................... , ................................................................ provider edge
PFE .......................................................................... Packet Forwarding Engine
PHP ........................................................................... penultimate-hop popping
PIM ...................................................................... Protocol Independent Multicast
PLP ................................................................................ packet loss priority
PMSI ................................................................. Provider-Multicast Service Interface
POP ................................................................................. point of presence
PPP ............................................................................. Point-to-Point Protocol
PPTP .................................................................... Point-to-Point Tunneling Protocol
PVC ........................................................................... permanent virtual circuit
PVC ....................................................................... permanent virtual connection
PWE3 ............................................................... Pseudo Wire Emulation Edge to Edge
QoS .................................................................................. quality of service
RD ................................................................................. route distinguisher
RDI ............................................................................remote defect indication
RED ............................................................................. random early detection
RID ......................................................................................... router ID
RP ................................................................................... rendezvous point
RRO ................................................................................ record route object
SA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. secu rity association
SAFI ................................................................. subsequent address family identifier
SAR ....................................................................... segmentation and reassembly
SE ..................................................................................... shared explicit
SLA ............................................................................ service-level agreement
SNAP ...................................................................... subnetwork attachment point
SoO ......................................................................................site of origin
SPF ................................................................................. shortest path first
S-PMSI .................................................................................Selective-PMSI
STP .............................................................................Spanning Tree Protocol
TCC ......................................................................... translational cross-connect
TCP ....................................................................... Transmission Control Protocol
TED ........................................................................ traffic engineering database
TLV ................................................................................. type/length/value
TPID ..............................................................................Tag Protocol Identifier
Tspec ............................................................................... traffic specification
TIL ........................................................................................ time to live
UDP ............................................................................ User Datagram Protocol
Appendix A-2 Acronym List

www.juniper.net

VC .......................................................................................virtual circuit
VCI ............................................................................ virtual channel identifier
VCT .............................................................................. VPN connection table
VFT ............................................................................... VPN forwarding table
VLAN ...................................................................................... virtual LAN
VPI ............................................................................... virtual path identifier
VPLS .......................................................................... virtual private LAN service
VPN ..............................................................................virtual private network
VRF table ................................................................ VPN routing and forwarding table
WF ..................................................................................... wildcard filter
WRR ..............................................................................weighted round-robin

www.juniper.net

Acronym List Appendix A-3

Appendix A-4 Acronym List

www.juniper.net

Appendix B: Answer Key

Chapter 1:

Course Introduction
This chapter contains no review questions.

Chapter 2:

MPLS Fundamentals
1.
The ingress router uses the destination IP address of the packet to make its forwarding decision. It will
consult the inet.O and inet.3 routing table to resolve the next-hop.

2.
The default behavior in the Junos OS is for the egress router to signal the penultimate hop router to pop
the mpls header and send the packet downstream without a mpls header. This is known as penultimate
hop popping.

3.
The transit router will use the mpls.O routing table to make its forwarding decisions. These decisions are
made based on the incoming label value.

Chapter 3:

Label Distribution Protocols

1.
The only router that requires configuration is the ingress router. The other routers need to have protocols
MPLS and RSVP configured but do not need information about the label-switched-path.

2.
There are many RSVP Objects. We discussed the SESSION, LABEL_REQUEST, EXPLICIT_ROUTE (ERO),
RECORD_ROUTE (RRO), SESSION_ATIRIBUTE, RSVP-HOP, LABEL, and the STYLE objects within this
chapter.

3.
No. The Junos OS does not support traffic engineering for LDP signaled LSPs. You can 110wever, us LDP
tunneling over RSVP traffic engineered LSPs to apply traffic engineering to the LDP traffic.

Chapter 4:

Constrained Shortest Path First

1.
OSPF supports the flooding of the opaque type 10 LSA. IS-IS supports the flooding of extended TLVs for
traffic engineering. Both of the extensions to the protocols support the advertisement of rsvp bandwidth,
administrative group, and router ID.

2.
Some possible user inputs are bandwidth requirement, administrative group requirement, explicit route,
and priority.

3.
The default CSPF tie-breaking algorithm is random.

4.
When configuring an LSP an administrator can specify which administrative groups the LSP can traverse.
The administrator can specify several administrative group constraints for an LSP by using the
include-any, include-all, and the exclude statements.

www.juniper.net

Answer Key Appendix B-1

Chapter 5:

Traffic Protection and LSP Optimization

1.
When a primary is active and there is a failure along the path the ingress router will signal the secondary
LSP to provide protection for traffic while the primary is down.

2.
Fast reroute protects an entire LSP from failures along the path. Link protection provides protection forthe
failure of a single link.

3.
Aggressive optimization only takes IGP metric into consideration. Normal optimization also takes into
consideration number of hops, congestion, and preemption.

Chapter 6:

Miscellaneous MPLS Features

1.
Including the acti va option when installing a prefix for a RSVP LSP installs the route in the inet . 0
routing table and allows both the IGP and BGP to use the LSP.

2.
The default resignaling interval is 24 hours when using the auto-bandwidth feature.

3.
First no-decrement- t t l is only configured on the ingress router and no-propagate-ttl must be
configured on all LSRs in the path. Second, uSingno-decrement-ttl allows you to change default
behavior on a per LSP basis while no-propagate-ttl is only allowed at the global level and applies to
all LSPs.

Chapter 7:

VPN Review
1.
A VPN is a private network that is constructed over a shared, public infrastructure such as Frame Relay,
an ATM network, or the Internet.

2.
The primary difference is that the CPE VPN requires the customer equipment to create and manage
tunnels for the private IP traffic. A provider-provisioned VPN solution is a VPN that relies on the provider's
equipment to create and manage tunnels for the private traffic using MPLS as the enabling technology.

3.
The first and most notable difference is with a Layer 2 VPN solution, the backbone routing is the
responsibility of the customer. With a Layer 3 VPN solution, the backbone routing is handled by the
provider. Another difference is that with a Layer 2 VPN solution, non-IP traffic can be passed from site to
site. With a Layer 3 VPN solution the traffic has to be IP.

Appendix B-2' Answer Key

www.juniper.net

Chapter 8:

Layer 3 VPNs
1.
The CE router is located at the customer's VPN site and only participates in the customer's routing. The
PE router is located on the edge of the provider network and participates in both the customer's routing
and the provider's network. The PE maintains all of the customer specific VRF tables. The P routers
participate in the core network and is able to forward VPN traffic using MPLS LSPs without knowledge of
the customer's network.

2.
The VPN-IPv4 NLRI consists of an MPLS label, a route distinguisher, an IPv4 address, and a 120 bit mask.

3.
The route distinguisher is used to disambiguate overlapping IPv4 addresses.

4.
Some routing method (OSPF, BGP, static routing) is used to share routes between the customer VPN sites
and the PE routers. MP-BGP is used by PE routers to pass customer routes learned from CE routers to other
PE routers. PE routers will then pass VPN routes learned from other PE routers to the associated
CE routers.

5.
A CE router will forward IPv4 packets to the locally connected PE router. The PE router will perform an route
lookup using the VRFtable associated with the incoming interface. The PE router will then encapsulate the
packets in 2 MPLS headers: the innermost will be the label learned from MP-BGP while the outermost will
be the label associated with the LSP that ends at the remote PE. The P routers along the LSP will perform
label swapping on the outermost header as the packet traverses the provider's network. The penultimate
router along the LSP will pop the outermost label and send a singly labeled packet to the remote PE. The
remote PE will analyze the packets label in order to map the packet to a particular routing table, VRF. The
remote PE pops the MPLS label and forwards the IPv4 packet to the remote CE router.

Chapter 9:

Basic Layer 3 VPN Configuration

1.
We used the target. origin and domain-id extended communities.

2.
The four required options for creating a Layer 3 VPN instance are instance- type, interfaces.
route-distinguisher, and vrf - target or vrf - import/vrf - export policies.

3.
The protocol match criteria required when exporting OSPF routes across your Layer 3 VPN to a remote PE
is OSPF.

Chapter 10:

Troubleshooting Layer 3 VPNs

1.
When using network commands like ping, traceroute, and ssh, the routing-instance switch is used to
specify the routing table that should be used to forward packets for the session. By default, the router will
use the inet.O table not the VRF table.

2.
By default, an egress PE that has an Ethernet VRF interface cannot perform both a pop of the MPLS label
and an ARP for packets that come from the core. Therefore, an ARP must be performed by the egress
router prior to receiving packet from the core. This can be achieved simply by receiving at least one route
from the connected CE (which causes an ARP to occur to determine next hop). Also, a static route can be

www.juniper.net

Answer Key Appendix B-3

configured within the VRF instance that points to the connected CEo This is generally sufficient. However,
if it is necessary to ping the VRF interface without adding routes to the VRF table, vrf - table-label or
a VT interface can be used to allow for both a pop and ARP operation by the egress router.

3.
ICMP tunneling can be configured which allows for P router hops to be revealed.

4.
To view PE to PE control flow use the show route receive-protocol bgp and show route
advertise-protocol bgp commands which show received and sent BGP routes. Routes that are
located in the bgp .l3vpn. 0 table have been accepted by at least one vrf-import policy with a matching
route target.

5.
To view a VRF table, use the show route table vpn-name command.

6.
To view the status of the PE-CE routing protocols, use the standard protocol troubleshooting commands
modified with the instance switch.

Chapter 11:

Layer 3 VPN Scaling and Internet Access

1.
Some of the recommended methods are: observing PE router limits regarding total number of routes,
keeping the CE-to-PE routing simple, using BGP route reflectors for VPN routes, using the BGP refresh
option, and using route target filtering.

2.
First there is Option 1 which provides Internet access through a non-VRF interface (PE router has no
Internet routes). Second there is Option 2 which provides Internet access through a VRF interface (the
PE router has some or all Internet routes). And finally there is Option 3 which provides Internet access
til rough a central CE device.

Chapter 12:

Layer 3 VPNs-Advanced Topics

1.
To place routes from one routing table into a second routing table, you must first create a routing
table-group that lists both routing tables as an import routing table with the primary table listed first. Once
the routing table-group is specified, you need to specify which routes will go into the routing table-group.
A common set of routes to place in the routing table-group would be interface routes which can be applied
to the routing table-group under [edit routing-options interface-routes] level of the
hierarchy. Apply the routing table-group at this level of the hierarchy will take the local and direct routes
found in the primary table (the first table in the list) and ensure they exist in both tables. For routes learned
by routing protocols, these routes can be applied to the routing table-group at the [edit protocols
protocol-name] level of the hierarchy.

2.
Routes from Spoke PEs and CEs are received by and accepted by the Spoke instance on the Hub PE. The
HUB PE passes those route to the HUB CEo The HUB CE then advertises those routes to the Hub instance
on the Hub PE. The Hub PE then advertises those routes to the Spoke sites.

3.
The Junos as supports firewall filtering and rate limiting. It also support the setting of the experimental
bits on botll the inner and outer headers of an MPLS packet.

4.
GRE and IPsec tunnels are support from CE to CE, PE to PE, and CE to PE using the Junos
Appendix B-4 Answer Key

as.

www.juniper.net

Chapter 13:

Multicast VPNs
1.
The draft-Rosen required that the provider network be running PIM for signaling. The next-generation
approach uses BGP to signal the providers network and does not require PIM be configured in the core.

2.
Type 1:
Type 2:
Type 3:
Type 4:
Type 5:
Type 6:
Type 7:

Intra-AS Inclusive MVPN Membership Discovery

Inter-AS Inclusive MVPN Membership Discovery
Selective MVPN Autodiscovery Route
Selective MVPN Autodiscovery Route for Leaf
Source Active Autodiscovery Route
Shared Tree Join Route
Source Tree Join Route

3.
The first hop deSignated router, the candidate rendezvous points, and all PE routers participating in the
multicast network, unless using vrf-table-Iabel option, require the use of a tunnel services interface.

Chapter 14:

BGP Layer 2 VPNs

1.
The CE device handles all the customer's routing to the remote sites. The CE device serves as the gateway
to other customer sites within their network. The PE router maintains and exchanges VPN-related
information with other PE routers. The PE router also delivers Layer 2 circuits to the customer and maps
these circuits to the LSPs used to connect to the remote site. The P routers forward VPN traffic
transparently over established LSPs.

2.
Over-provisioning is when you configure more logical connection to a site than are needed for current site
connections. This allows you to easily and quickly add additional sites to the network.

3.
On a PE router with a site ID of one, the first interface configured will be associated with the remote site
ID oftwo. The next interface configured will be associated with three. Each additional interface configured
will add one on to the previous site association.

Chapter 15:

Layer 2 VPN Scaling and COS

1.
The use of route reflectors and route target filtering are recommended methods of improving Layer 2 VPN
scaling.

2.
The EXP bits of the VRF label can be set by using an input firewall filter. The EXP bits of the outer
RSVP-signalled label can be set with the class-af-service setting on the LSP definition.

www.juniper.net

Answer Key Appendix B-5

Chapter 16:

LDP Layer 2 Circuits

1.
LOP Layer 2 circuit signalling exchanges virtual circuit labels with targeted peers to indicate what
parameters are needed to establish a session. Layer 2 circuits also uses these values to uniquely identify
circuit connection to ensure traffic is delivered to the correct networks. It differs in that. Layer 2 circuits
require the use of LOP to carry the virtual circuit information to remote peers. Some other differences are
that Layer 2 circuits do not require a VRF instance configuration and do not require a route-distinguisher
or VRF target policy, instead LOP Layer 2 circuits use the virtual circuit 10 to identify which incoming
circuit-connection requests are allowed. Also LOP Layer 2 circuits can only be used to connect remote sites
and can not be used to connect local sites which are connected to the same PE router.

2.
The virtual circuit label is used to send circuit information to targeted remote PE routers. The remote router
uses this label value as its output label when forwarding traffic associated with this FEC back to the
originating router.

3.
The command to display the operational status of a LOP Layer 2 circuit is show 12circui t

connections.

Chapter 17: Virtual Private LAN Service

1.
A Layer 2 VPN is point to point in nature while a VPLS is point to multipoint.

2.
Adding and removing sites from a BGP VPLS requires the configuration of only one PE. All other PE's will
automatically discover the added or removed site.

3.
In a BGP VPLS, PEs advertise label blocks to remote PEs. The label blocks have enough labels to reach
and be reached by all currently configured sites in the VPLS. In an LOP VPLS, individual labels are
advertised using an LDP extended neighbor relationship to all remote PEs participating in the VPLS.

Chapter 18: VPLS Configuration

1.
To prevent a layer 2 loop when a CE is multi homed to a single PE, you must configure either primary!
backup link, LAG, ERP, or a spanning tree protocol.

2.
To prevent a layer 2 loop when a CE is multihomed to multiple PEs, you must use BGP for signaling which
automatically prevents a loop or when using LDP for VPLS signaling specify a neighbor and a backup
neighbor.

3.
When tunnel services are not available (no Tunnel PIC) the command no-tunnel-services can be enabled
to use LSI interfaces instead of vt interfaces.

4.
The flooding behavior on a PE is based upon the interface that BUM traffic arrives on. If BUM traffic arrives
from a locally connect CE, then the traffic needs to be flooded to all local CEs (except the one the traffic
came from) and to all remote PEs. If BUM traffic arrives from a remote PE, then the traffic needs to be
flooded to only local CEs, not to any remote PE (because of PE full-mesh). If BUM traffic arrives from the
RE, then the traffic needs to be flooded to all local CEs and to all remote PEs. There should be a flood route
for each of the 3 scenarios.
Appendix B-6 Answer Key

www.juniper.net

Chapter 19:

Interprovider VPNs
1.
In a carrier-of-carrier application the customer routers maintain both customer internal and external
routes. In an interprovider VPN, except forthe ASBRs connect to VPN sites, the customer routers maintain
customer internal routes only.

2.
Option A specifies the use of separate VRFs for everyVPN on the ASBRs. Option B specifies the used ofthe
EBGP exchange of VPN routes between ASBRs. Option C specifies the use of multihop EBGP (or IBGP) to
exchange VPN routes between PEs in remote autonomous systems.

3.
The labeled-unicast address family is used between PE and CEo

www.juniper.net

Answer Key Appendix B- 7

Appendix 8-8 Answer Key

www"juniper.net