Multiprotocol Label Switching (MPLS) is a networking process that replaces complete network addresses with short path labels for directing data packets to network nodes. The labels identify virtual links (paths) between distant nodes rather than endpoints. MPLS is scalable and protocol-independent. Data packets are assigned labels, which are used to determine packet forwarding destinations without examining the packet.
Arista switches utilize MPLS to improve efficiency and control from servers through data centers and to the WAN. The MPLS implementation supports static MPLS tunneling that is manually configured on each switch or established over a network by an SDN controller. The configuration is specified by a set of rules that filter packets based on matching criteria. Each rule applies MPLS-related actions to packets that match the rule's criteria. Each rule includes a metric that the switch uses to select an action when multiple rules match a packet.
MPLS static rule parameters contain the following:
- A 20-bit value that is compared to the top header label of each MPLS packet. Other rule parameters may be applied to packets whose top label matches this value.
- A nexthop location that specifies the packet's next destination (IPv4 or IPv6) and the interface through which the switch forwards the packet.
- An MPLS label stack management action that is performed on filtered packets:
  - pop-payload: removes the top label from the stack; this terminates an LSP (label-switched path).
  - swap-label: replaces the top label with a specified new label; this passes the packet along an LSP.
- A rule metric that the switch uses to select a rule when multiple rules match an MPLS packet.
Packets that do not match any MPLS rules are dropped.
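The rule-selection behavior just described, as an added Python example that is not Arista code: the packet's top label is matched against a rule table, the lowest metric among matching rules wins, a failed primary interface lets the higher-metric backup take over, pop-payload and swap-label are applied to the label stack, and packets matching no rule are dropped. The RULES table reproduces the configuration examples on this page; the swap-label rule (labels 5000 and 6000) and the `down` interface set are constructed assumptions.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    top_label: int                    # 20-bit value compared with the packet's top label
    action: str                       # "pop-payload" or "swap-label"
    nexthop: str                      # IPv4/IPv6 next destination
    interface: Optional[str] = None   # None means any interface
    metric: int = 100                 # lower wins; higher-metric matches are backups
    new_label: Optional[int] = None   # replacement label, swap-label only

def label_entry(label: int, bottom: bool, ttl: int = 64) -> bytes:
    """Constructed MPLS shim entry (label:20, TC:3, S:1, TTL:8); test input only."""
    return struct.pack("!I", (label << 12) | (int(bottom) << 8) | ttl)

def parse_label_stack(mpls: bytes) -> List[int]:
    """Decode 4-byte entries until the bottom-of-stack bit is set."""
    stack = []
    for off in range(0, len(mpls) - 3, 4):
        (entry,) = struct.unpack("!I", mpls[off:off + 4])
        stack.append(entry >> 12)
        if (entry >> 8) & 1:
            return stack
    raise ValueError("no bottom-of-stack entry")

def select_rule(rules: List[Rule], top_label: int, down=()) -> Optional[Rule]:
    """Matching rules are candidates, lowest metric wins; interfaces in `down` are skipped."""
    matches = [r for r in rules if r.top_label == top_label and r.interface not in down]
    return min(matches, key=lambda r: r.metric) if matches else None

def forward(rules: List[Rule], mpls: bytes, down=()):
    """Return (action, nexthop, interface, outgoing label stack); None means dropped."""
    stack = parse_label_stack(mpls)
    rule = select_rule(rules, stack[0], down)
    if rule is None:
        return None                          # no rule matched: the switch drops the packet
    if rule.action == "pop-payload":
        out = stack[1:]                      # top label removed; the LSP terminates here
    else:
        out = [rule.new_label] + stack[1:]   # swap-label: packet continues along the LSP
    return rule.action, rule.nexthop, rule.interface, out

RULES = [
    Rule(3400, "pop-payload", "10.14.4.4", "Et3/3/3", 100),
    Rule(3400, "pop-payload", "10.14.4.4", "Et4/3", 150),
    Rule(4400, "pop-payload", "10.15.46.45"),
    Rule(5000, "swap-label", "10.14.4.4", "Et4/3", new_label=6000),   # constructed
]
```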
MPLSoGRE Filtered Mirroring
In MPLS over Generic Routing Encapsulation (MPLSoGRE) filtered mirroring, IPv4 over MPLS over GRE (IPv4oMPLSoGRE) and IPv6 over MPLS over GRE (IPv6oMPLSoGRE) packets that enter a GRE tunnel endpoint on which MPLS lookup is performed are selected for mirroring based on the destination IP address field in the inner IPv4 or IPv6 header.
The image below shows the header format of the packets that are selected for mirroring.
When mirroring to a GRE tunnel, the payload of the outgoing GRE packet contains the payload of the incoming source packet starting from the MPLS header. L2 and outer L3 headers are stripped from the mirror copy. When the MPLS lookup fails, the packet is still eligible for mirroring based on the selection criteria defined in the ACL.
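The selection and mirror-copy behavior above, as an added Python example that is not Arista's code: a constructed IPv4oMPLSoGRE or IPv6oMPLSoGRE frame is parsed, the inner destination address is compared with ACL host entries, and the bytes from the MPLS header onward are returned as the mirror payload. It assumes untagged Ethernet, an IPv4 outer header and a GRE header without checksum/key/sequence option words; the hosts 18.104.22.168 and 55::55 come from the access-list example on this page, and no MPLS lookup is modeled, so selection does not depend on the lookup succeeding.

```python
import ipaddress
import struct

GRE_PROTO_MPLS = 0x8847   # GRE protocol-type value for MPLS unicast

def inner_ip(dst: str) -> bytes:
    """Constructed minimal inner IPv4 or IPv6 header with the given destination (no payload)."""
    a = ipaddress.ip_address(dst)
    if a.version == 4:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, b"\x0a\x01\x01\x01", a.packed)
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 6, 64, ipaddress.ip_address("55::1").packed, a.packed)

def build_frame(inner: bytes, labels=(3400,)) -> bytes:
    """Constructed frame: Ethernet, outer IPv4 (proto 47), GRE, MPLS label stack, inner IP packet."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24 + 4 * len(labels) + len(inner), 0, 0, 64, 47, 0,
                        b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    mpls = b"".join(struct.pack("!I", (l << 12) | ((i == len(labels) - 1) << 8) | 64)
                    for i, l in enumerate(labels))
    return eth + outer + struct.pack("!HH", 0, GRE_PROTO_MPLS) + mpls + inner

def locate_mpls(frame: bytes) -> int:
    """Offset of the MPLS header; assumes untagged Ethernet, IPv4 outer header, GRE without options."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 47:
        raise ValueError("not IPv4 over Ethernet carrying GRE")
    gre = 14 + (frame[14] & 0x0F) * 4
    flags, proto = struct.unpack("!HH", frame[gre:gre + 4])
    if proto != GRE_PROTO_MPLS or flags & 0xB000:      # C/K/S bits would add option words
        raise ValueError("not plain GRE carrying MPLS")
    return gre + 4

def inner_dst(frame: bytes, off: int):
    """Skip the label stack (until the S bit) and read the inner IPv4/IPv6 destination."""
    while True:
        (entry,) = struct.unpack("!I", frame[off:off + 4])
        off += 4
        if (entry >> 8) & 1:
            break
    version = frame[off] >> 4
    if version == 4:
        return ipaddress.ip_address(frame[off + 16:off + 20])
    if version == 6:
        return ipaddress.ip_address(frame[off + 24:off + 40])
    raise ValueError("inner payload is not IPv4 or IPv6")

def mirror_copy(frame: bytes, acl_hosts):
    """Bytes the mirror GRE tunnel carries (from the MPLS header on), or None when not selected."""
    start = locate_mpls(frame)     # everything before this offset (L2, outer L3, GRE) is stripped
    hosts = {ipaddress.ip_address(h) for h in acl_hosts}
    return frame[start:] if inner_dst(frame, start) in hosts else None
```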
MPLS routing is enabled through the mpls ip command.
This command enables MPLS routing.
switch(config)#mpls ip
switch(config)#show running-config
mpls ip
!
end
switch(config)#
MPLS rules are created by the mpls static command. An MPLS static rule identifies a set of MPLS packets by a common top label and defines the method of handling these packets.
These commands create an MPLS rule that matches packets with a top label value of 3400 and causes the removal of the top label from the header stack. The nexthop destination of the IPv4 payload is IP address 10.14.4.4 through Ethernet interface 3/3/3. This rule has a metric value of 100.
switch(config)#mpls static top-label 3400 ethernet 3/3/3 10.14.4.4 pop payload-type ipv4
switch(config)#show running-config
!
mpls static top-label 3400 Ethernet3/3/3 10.14.4.4 pop payload-type ipv4
!
end
switch(config)#
These commands create a backup rule that forwards the packet through Ethernet interface 4/3. This rule's metric value of 150 makes it a backup relative to the first rule (metric 100).
switch(config)#mpls static top-label 3400 ethernet 4/3 10.14.4.4 pop payload-type ipv4 metric 150
switch(config)#show running-config
!
mpls static top-label 3400 Ethernet4/3 10.14.4.4 pop payload-type ipv4 metric 150
mpls static top-label 3400 Ethernet3/3/3 10.14.4.4 pop payload-type ipv4
!
end
switch(config)#
These commands create an MPLS rule that forwards the packet to the nexthop address through any interface.
switch(config)#mpls static top-label 4400 10.15.46.45 pop payload-type ipv4
switch(config)#show running-config
!
mpls static top-label 3400 Ethernet4/3 10.14.4.4 pop payload-type ipv4 metric 150
mpls static top-label 3400 Ethernet3/3/3 10.14.4.4 pop payload-type ipv4
mpls static top-label 4400 10.15.46.45 pop payload-type ipv4
!
end
switch(config)#
This command configures a static tunnel to the tunnel endpoint 220.127.116.11 and pushes label 11111 onto it.
switch(config)#mpls static STATIC 18.104.22.168/32 22.214.171.124 Port-Channel7 label-stack 11111
The switch’s MPLS static rule configuration for specified routes and rules is displayed by show mpls route.
This command displays the MPLS rule configuration.
switch>show mpls config route
In-Label   Out-Label   Metric   Payload   NextHop
3400       pop         100      ipv4      10.14.4.4,Et3/3/3
3400       pop         150      ipv4      10.14.4.4,Et4/3
switch>
Statistics about the configuration and implementation of MPLS rules are displayed by the show mpls route summary command.
This command displays a summary of MPLS rule implementation.
switch>show mpls route summary
Number of Labels: 1 (1 unprogrammed)
Number of adjacencies in hardware: 0
Number of backup adjacencies: 2
switch>
Egress IPv4/IPv6 over MPLS ACLs
IPv4/IPv6 over MPLS packets are now eligible for ACLs at the egress stage by default. This applies only to IPv4/IPv6 over MPLS packets whose MPLS label is popped (for example, when the label is at the bottom of the stack). The user can override this behavior if required, disabling egress ACLs for certain MPLS labels by configuration. No special configuration is required to enable egress ACLs on IPv4/IPv6 over MPLS packets.
This command disables egress ACLs for MPLS top-label 12000 with the egress nexthop address 126.96.36.199.
switch(config)#no mpls static top-label 12000 188.8.131.52 pop payload-type ipv6 switch(config)#
This command enables egress ACLs for MPLS top-label 12000 with the egress nexthop address 184.108.40.206.
switch(config)#mpls static top-label 12000 220.127.116.11 pop payload-type ipv6 switch(config)#
Configuring MPLSoGRE Filtered Mirroring
The filtered mirroring of terminated MPLSoGRE packets is configured by creating an IPv4 access-list, and then attaching the IPv4 access-list to a monitor session source where a tunnel decap group has been configured. This IPv4 access-list has rules that match to either inner IPv4 or IPv6 destination addresses.
Enabling the TC-Counters TCAM Profile
The following limitations apply to MPLSoGRE filtered mirroring in the tc-counters TCAM profile:
- Security ACLs are not enforced on IPv4oMPLSoGRE and IPv6oMPLSoGRE terminated packets.
- The rules of a mirroring ACL match either inner IPv4 or inner IPv6 header fields, but not both. ACLs whose rules match inner IPv4 and inner IPv6 header fields cannot both be applied to a single source interface across multiple mirroring sessions. In other words, all ACLs applied to a shared source interface must contain either inner IPv4 rules or inner IPv6 rules.
The commands below switch to the tc-counters TCAM profile in the running configuration.
switch(config)#hardware tcam
switch(config-hw-tcam)#system profile tc-counters
switch(config-hw-tcam)#exit
Defining Two IPv4 Access-Lists
The ip access-list command places the switch in ACL configuration mode, a group change mode that modifies an IPv4 access control list. The command specifies the name of the IPv4 ACL that subsequent commands modify, and creates the ACL if it references a nonexistent list. All changes made in a group change mode edit session are pending until the end of the session.
The permit command configures one access-list to match the inner IPv4 address and the other access-list to match the inner IPv6 address.
switch(config)#ip access-list dIPv4
switch(config)#10 permit ip any any inner ip any host 18.104.22.168
switch(config)#exit
switch(config)#ip access-list dIPv6
switch(config)#10 permit ip any any inner ipv6 any host 55::55
switch(config)#exit
switch(config)#monitor session sess1 source et1 rx ip access-group dIPv4
switch(config)#monitor session sess1 destination tunnel mode gre source 22.214.171.124 destination 126.96.36.199
switch(config)#monitor session sess2 source et2 rx ip access-group dIPv6
switch(config)#monitor session sess2 destination tunnel mode gre source 188.8.131.52 destination 184.108.40.206
switch(config)#show monitor session
Session sess1
------------------------
Source Ports:
  Rx Only:    Et1(IP ACL: dIPv4)
Destination Ports:
        status   source           dest             TTL  DSCP  proto   VRF      fwd-drop
  Gre1  :active  220.127.116.11   18.104.22.168    8    0     0x88be  default  no
Session sess2
------------------------
Source Ports:
  Rx Only:    Et2(IP ACL: dIPv6), Et5(IP ACL: dIPv6)
Destination Ports:
        status   source           dest             TTL  DSCP  proto   VRF      fwd-drop
  Gre2  :active  22.214.171.124   126.96.36.199    28   0     0x88be  default  no
switch(config)#