MPLS understanding

silex
Level 1

Hi, I wonder if anyone can help. I have a router with MPLS configured, which is a sub-interface off my WAN connection, e.g.

interface FastEthernet0
 ip address 1.1.1.1
interface FastEthernet0.200
 encapsulation dot1Q 200
 ip address 2.2.2.2

On the lan side I have 5 different subnets that are routing on the switches and then have a default route to the router lan interface.

There is an existing live legacy VPN config on this router which the MPLS should replace:

interface Tunnel0
 description GRE Tunnel
 bandwidth 4096
 ip address 6.6.6.6 255.255.255.252
 tunnel source FastEthernet0
 tunnel destination x.x.x.6
 crypto map CMAP1

I was wondering,

1. How do I point the traffic over the MPLS, given that MPLS is Layer 2? It just seems all the traffic is still going through the tunnel.

I am thinking that is because the access-list is still live and therefore sending it through the tunnel.

2. If I delete the access-list, can I just add an ip route for the remote subnet to point to 2.2.2.3, which will be the far end of the MPLS circuit?

It is a live system, so I need to make sure I can predict the expected behaviour.

3. My confusion is that although the MPLS is L2, they have an IP address.


4 Replies

Peter Paluch
Cisco Employee

Hi silex,

If I understand you correctly, you do not really have MPLS configured on your router - I see no MPLS-related commands. You are probably using MPLS VPN service but the MPLS is running in your service provider's network only. MPLS VPN customers do not see any MPLS labels - in fact, they can be, for the most part, completely oblivious to the fact that the VPN technology is MPLS.

1. How do I point the traffic over the MPLS, given that MPLS is Layer 2? It just seems all the traffic is still going through the tunnel.

MPLS is not Layer 2. In fact, it is hard to categorize MPLS into layers. MPLS uses labels and performs switching similar to Layer 2 switching, but these labels are mapped to IP networks and learned from the next-hop router towards the particular network, which makes them strongly tied to Layer 3. MPLS is somewhere in between.

Regarding routing the traffic over the MPLS cloud: simply configure your IP routing so that the traffic is directed to your nearest router in the MPLS cloud. If the next hop towards a network points to the router in the MPLS cloud, the traffic will be handled by the MPLS cloud. Do not worry about MPLS and labels; as a customer, you do not care about it.

2. If I delete the access-list, can I just add an ip route for the remote subnet to point to 2.2.2.3, which will be the far end of the MPLS circuit?

It is a live system, so I need to make sure I can predict the expected behaviour.

Just to be on the safe side, I would recommend reserving a maintenance window for this transition, especially considering the fact that you are not familiar with MPLS VPNs yet. But in your case, what you need to change is the routing table: the next hop through which the traffic is supposed to flow. Currently, your traffic is being tunneled and encrypted because the routing is configured so that, in order to reach the remote networks, you route them through the tunnel interface. You need to change your routing so that instead of the tunnel interface, you point to the IP address of the neighboring router in the MPLS cloud. I do not know how your routing is configured, whether it is statically set up or a dynamic routing protocol is being used, so I am not giving any step-by-step guidance at this moment.

3. My confusion is that although the MPLS is L2, they have an IP address.

As explained earlier, MPLS is not Layer 2. Imagine MPLS as routers telling each other not just about the networks they know, but also, for each network, the row number the network lies in within their routing tables. This row number can be considered the label. Now, if a router knows that to reach the network 192.0.2.0/24, neighbor X is the next hop on the best path and this network is on the 76th row in X's routing table, it labels all packets going to 192.0.2.0/24 with the label 76 and sends them towards neighbor X. X will then do the same: pop the label and insert a new label advertised for this network by its own next hop, and so on. So the IP address of the next hop is still of utmost importance in MPLS, because it is exactly that neighbor whose label bindings we need to consult to see what label corresponds to which destination network.

The key takeaway for you as an MPLS VPN service customer, however, is that you should not care about MPLS at all. To you, the MPLS VPN behaves like a giant router, so you just point to that router's IP address to have it carry your VPN traffic across.

Best regards,

Peter

Thanks Peter, for the explanation. From reading what you said, I am using static routes as it only needs to hit one subnet at the far end. Call it 192.168.10.0.

So my local interface is, say, 2.2.2.2 and the remote interface on the MPLS VPN is 2.2.2.3.

My static route should be 192.168.10.0 255.255.255.0 2.2.2.3.

Could you clarify why the encapsulation dot1Q 200 command would be required?

Hello silex,

So my local interface is, say, 2.2.2.2 and the remote interface on the MPLS VPN is 2.2.2.3.

My static route should be 192.168.10.0 255.255.255.0 2.2.2.3.

Yes, that is correct. After modifying the routing (please be careful if you want to do it remotely, as you may inadvertently cut yourself off from the router if the modified route also covers the reachability of the network you are configuring the router from), please verify the routing table to make sure that the only route that covers 192.168.10.0/24 is the one pointing through 2.2.2.3.

Could you clarify why the encapsulation dot1Q 200 command would be required?

I suppose that your service provider distinguishes between your connection to the internet (the untagged interface), and your connection to the MPLS cloud (the tagged interface with VLAN 200). You can either use two physically separate interfaces to have these two connections distinct, or you can use some kind of interface virtualization technology, such as 802.1Q VLANs, to logically split a single interface into several sub-interfaces, each representing a different connection.

Best regards,

Peter
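The two checks Peter asks for before and after the cutover (that the new static route does not also carry the management session's return traffic, and that nothing else still covers 192.168.10.0/24 once the tunnel route is replaced) can be rehearsed offline against a model of the routing table. The following is an added example, not code from the thread or from Cisco; the table is constructed to mirror the thread, and the internet next hop 1.1.1.254, the LAN next hop 10.1.1.2 and the management source addresses are assumed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: str            # next-hop IP or outgoing interface name (e.g. "Tunnel0")
    admin_distance: int = 1  # IOS defaults: 1 = static, 0 = connected


def lookup(table, dst):
    """Longest-prefix match; on equal length the lower administrative distance wins."""
    dst = ip_address(dst)
    hits = [r for r in table if dst in r.prefix]
    return max(hits, key=lambda r: (r.prefix.prefixlen, -r.admin_distance)) if hits else None


def apply_static(table, new):
    """Model 'no ip route <prefix> <old hop>' followed by 'ip route <prefix> <new hop>'."""
    return [r for r in table if r.prefix != new.prefix] + [new]


def cutover_check(table, new, mgmt_src):
    """Return (issues, table_after) for installing `new` from a session sourced at `mgmt_src`."""
    after = apply_static(table, new)
    issues = []
    # Peter's lock-out warning: the new route must not become the path back to the admin.
    if lookup(after, mgmt_src) == new:
        issues.append(f"new route would carry management traffic for {mgmt_src} via {new.next_hop}")
    # Peter's verification: nothing equal to or more specific than the new prefix may
    # still point elsewhere, or part of the remote subnet keeps using the old path.
    for r in after:
        if r.prefix.subnet_of(new.prefix) and r.next_hop != new.next_hop:
            issues.append(f"{r.prefix} still points via {r.next_hop}, not via {new.next_hop}")
    return issues, after


# Constructed sample table: internet default, legacy route via the GRE tunnel,
# the connected dot1Q 200 hand-off to the MPLS PE, and the LAN subnets via the switches.
BEFORE = [
    Route(ip_network("0.0.0.0/0"), "1.1.1.254"),              # assumed internet next hop
    Route(ip_network("192.168.10.0/24"), "Tunnel0"),          # remote site via legacy VPN
    Route(ip_network("2.2.2.0/30"), "FastEthernet0.200", 0),  # connected: MPLS hand-off
    Route(ip_network("10.0.0.0/8"), "10.1.1.2"),              # assumed LAN next hop
]
MPLS_ROUTE = Route(ip_network("192.168.10.0/24"), "2.2.2.3")  # the static route silex proposes

if __name__ == "__main__":
    issues, after = cutover_check(BEFORE, MPLS_ROUTE, "10.5.5.5")
    print(lookup(BEFORE, "192.168.10.5").next_hop, "->", lookup(after, "192.168.10.5").next_hop)
    print(issues or "no issues found")
```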

Hi Peter, many thanks, it all makes perfect sense. Very kind of you to take the time to explain it all.