
MPLS

These sections describe the Arista MPLS implementation:

MPLS Description

MPLS Overview

Multiprotocol Label Switching (MPLS) is a networking process that replaces complete network addresses with short path labels for directing data packets to network nodes. The labels identify virtual links (paths) between distant nodes rather than endpoints. MPLS is scalable and protocol-independent. Data packets are assigned labels, which are used to determine packet forwarding destinations without examining the packet.

Arista switches utilize MPLS to improve efficiency and control from servers through data centers and to the WAN. The MPLS implementation supports static MPLS tunneling that is manually configured on each switch or established over a network by an SDN controller. The configuration is specified by a set of rules that filter packets based on matching criteria. Each rule applies MPLS-related actions to packets that match the rule's criteria. Each rule includes a metric that the switch uses to select an action when multiple rules match a packet.

MPLS Implementation

MPLS static rule parameters contain the following:

  • A 20-bit value that is compared to the top header label of each MPLS packet. Other rule parameters may be applied to packets whose top label matches this value.
  • A nexthop location that specifies the packet’s next destination (IPv4 or IPv6) and the interface through which the switch forwards the packet.
  • An MPLS label stack management action that is performed on filtered packets:

    • pop-payload: removes the top label from stack; this terminates an LSP (label-switched path).
    • swap-label: replaces top label with a specified new label; this passes a packet along an LSP.
  • A rule metric that the switch uses to select a rule when multiple rules match an MPLS packet.

Packets that do not match any MPLS rules are dropped.

MPLSoGRE Filtered Mirroring

In MPLS over Generic Routing Encapsulation (MPLSoGRE) filtered mirroring, IPv4 over MPLS over GRE (IPv4oMPLSoGRE) and IPv6 over MPLS over GRE (IPv6oMPLSoGRE) packets that enter a GRE tunnel endpoint on which MPLS lookup is performed are selected for mirroring based on the destination IP address field in the inner IPv4 or IPv6 header.

Note: These packets are not selected for mirroring if they are forwarded based on either the L2 or outer L3 header destination address.

The image below shows the header format of the packets that are selected for mirroring.

Figure 1. Header Format of Packets


When mirroring to a GRE tunnel, the payload of the outgoing GRE packet contains the payload of the incoming source packet starting from the MPLS header. L2 and outer L3 headers are stripped from the mirror copy. When the MPLS lookup fails, the packet is still eligible for mirroring based on the selection criteria defined in the ACL.

MPLS Configuration

MPLS routing is enabled through the mpls ip command.

  • This command enables MPLS routing.

switch(config)#mpls ip
switch(config)#show running-config mpls ip
!

end
switch(config)#

MPLS rules are created by the mpls static command. MPLS static rules identify a set of MPLS packets by a common top label and define the method of handling these packets.

These commands create an MPLS rule that matches packets with a top label value of 3400 and causes the removal of the top label from the header stack. The nexthop destination of the IPv4 payload is IP address 10.14.4.4 through Ethernet interface 3/3/3. This rule has a metric value of 100.

switch(config)#mpls static top-label 3400 ethernet 3/3/3 10.14.4.4 pop payload-type ipv4
switch(config)#show running-config

!
mpls static top-label 3400 Ethernet3/3/3 10.14.4.4 pop payload-type ipv4
!

end
switch(config)#

These commands create a backup rule that forwards the packet through Ethernet interface 4/3. This rule’s metric value of 150 makes it a backup to the first rule.

switch(config)#mpls static top-label 3400 ethernet 4/3 10.14.4.4 pop payload-type ipv4 metric 150
switch(config)#show running-config

!
mpls static top-label 3400 Ethernet4/3 10.14.4.4 pop payload-type ipv4 metric 150
mpls static top-label 3400 Ethernet3/3/3 10.14.4.4 pop payload-type ipv4
!

end
switch(config)#

These commands create an MPLS rule that forwards the packet to the nexthop address through any interface.

switch(config)#mpls static top-label 4400 10.15.46.45 pop payload-type ipv4
switch(config)#show running-config

!
mpls static top-label 3400 Ethernet4/3 10.14.4.4 pop payload-type ipv4 metric 150
mpls static top-label 3400 Ethernet3/3/3 10.14.4.4 pop payload-type ipv4
mpls static top-label 4400 10.15.46.45 pop payload-type ipv4
!

end
switch(config)#
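
The rule selection configured above, as an added example that is not Arista code: it parses the three running-config lines from this page and picks the rule for a given top label. Preferring the lower metric follows from the page's primary (100) and backup (150) rules; the failover on a down interface and the names Rule, parse_rules and select_rule are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

# Running-config lines copied from the examples on this page.
CONFIG = """\
mpls static top-label 3400 Ethernet4/3 10.14.4.4 pop payload-type ipv4 metric 150
mpls static top-label 3400 Ethernet3/3/3 10.14.4.4 pop payload-type ipv4
mpls static top-label 4400 10.15.46.45 pop payload-type ipv4
"""
DEFAULT_METRIC = 100    # the page's rule without a metric keyword has metric 100
MAX_LABEL = 2**20 - 1   # the top label is a 20-bit value

class Rule(NamedTuple):  # hypothetical container, not an EOS data structure
    label: int
    interface: Optional[str]   # None: nexthop reachable through any interface
    nexthop: str
    payload: str
    metric: int

# Matches only the "pop payload-type" form shown on this page.
RULE_RE = re.compile(
    r"^mpls static top-label (\d+)(?: ([A-Za-z][\w/-]*))? ([0-9A-Fa-f.:]+)"
    r" pop payload-type (\w+)(?: metric (\d+))?$")

def parse_rules(config):
    """Parse the pop-rule lines; lines in any other form are skipped."""
    rules = []
    for line in config.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        label, intf, nexthop, payload, metric = m.groups()
        if int(label) > MAX_LABEL:
            raise ValueError(f"label {label} does not fit in 20 bits")
        rules.append(Rule(int(label), intf, nexthop, payload,
                          int(metric) if metric else DEFAULT_METRIC))
    return rules

def select_rule(rules, top_label, down_interfaces=frozenset()):
    """Lowest-metric usable rule for top_label, or None (packet is dropped).

    Assumption: a rule is unusable only when its named interface is down.
    """
    usable = [r for r in rules
              if r.label == top_label and r.interface not in down_interfaces]
    return min(usable, key=lambda r: r.metric, default=None)
```

A return value of None corresponds to the page's statement that packets matching no MPLS rule are dropped.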

This command configures a static tunnel for the tunnel endpoint 64.0.0.1 and pushes a label 11111 to it.

switch(config)#mpls static STATIC 64.0.0.1/32 54.0.0.1 Port-Channel7 label-stack 11111

The switch’s MPLS static rule configuration for specified routes and rules is displayed by show mpls route.

This command displays the MPLS rule configuration.

switch>show mpls config route
In-Label  Out-Label  Metric  Payload  NextHop
3400      pop        100     ipv4     10.14.4.4,Et3/3/3
3400      pop        150     ipv4     10.14.4.4,Et4/3
switch>

Statistics about the configuration and implementation of MPLS rules are displayed by the show mpls route summary command.

This command displays a summary of MPLS rule implementation.

switch>show mpls route summary
Number of Labels: 1 (1 unprogrammed)
Number of adjacencies in hardware: 0
Number of backup adjacencies: 2
switch>

Egress IPv4/IPv6 over MPLS ACLs

By default, IPv4/IPv6 over MPLS packets are now eligible for ACLs at the egress stage. This applies only to IPv4/IPv6 over MPLS packets whose MPLS label is popped (for example, when the label is at the bottom of the stack). No special configuration is required to enable egress ACLs on these packets. If required, the user can override this behavior by configuration, disabling egress ACLs for certain MPLS labels.

  • This command disables egress ACLs for MPLS top-label 12000 on the egress interface 120.1.1.1 nexthop address.
    switch(config)#no mpls static top-label 12000 120.1.1.1 pop payload-type ipv6
    switch(config)# 
  • This command enables egress ACLs for MPLS top-label 12000 on the egress interface 120.1.1.1 nexthop address.
    switch(config)#mpls static top-label 12000 120.1.1.1 pop payload-type ipv6 
    switch(config)#

Configuring MPLSoGRE Filtered Mirroring

The filtered mirroring of terminated MPLSoGRE packets is configured by creating an IPv4 access-list and then attaching it to a monitor session source where a tunnel decap group has been configured. This IPv4 access-list has rules that match either inner IPv4 or inner IPv6 destination addresses.

Enabling the TC-Counters TCAM Profile

The following limitations are applicable to MPLSoGRE filtered mirroring in tc-counters TCAM profile:

  • Security ACLs are not enforced on IPv4oMPLSoGRE and IPv6oMPLSoGRE terminated packets.
  • The rules of a mirroring-ACL are set to match either inner IPv4 or inner IPv6 header fields, but not both.

The ACLs containing rules to match both inner IPv4 and inner IPv6 header fields are not applicable to a single source interface in multiple mirroring sessions. In other words, all ACLs applied to a shared source interface must contain either inner IPv4 rules or inner IPv6 rules.

The commands below switch to the tc-counters TCAM profile in the running configuration.

switch(config)#hardware tcam
switch(config-hw-tcam)#system profile tc-counters
switch(config-hw-tcam)#exit

Defining Two IPv4 Access-Lists

The ip access-list command places the switch in ACL configuration mode, which is a group change mode that modifies an IPv4 access control list. The command specifies the name of the IPv4 ACL that subsequent commands modify and creates an ACL if it references a nonexistent list. All changes in a group change mode edit session are pending until the end of the session.

The permit (Role) command configures one access-list to match the inner IPv4 address, and the other access-list to match the inner IPv6 address.

switch(config)#ip access-list dIPv4
switch(config)#10 permit ip any any inner ip any host 5.5.5.5
switch(config)#exit

switch(config)#ip access-list dIPv6
switch(config)#10 permit ip any any inner ipv6 any host 55::55
switch(config)#exit

Attaching Access-Lists

The monitor session source and monitor session destination commands attach the two access-lists to two different monitor session sources.

switch(config)#monitor session sess1 source et1 rx ip access-group dIPv4
switch(config)#monitor session sess1 destination tunnel mode gre source 1.1.1.1 destination 2.2.2.2
switch(config)#monitor session sess2 source et2 rx ip access-group dIPv6
switch(config)#monitor session sess2 destination tunnel mode gre source 3.3.3.3 destination 4.4.4.4
switch(config)#show monitor session

Session sess1
------------------------

Source Ports:

Rx Only: Et1(IP ACL: dIPv4)

Destination Ports:

         status   source    dest      TTL   DSCP   proto    VRF       fwd-drop
Gre1 :   active   1.1.1.1   2.2.2.2   128   0      0x88be   default   no


Session sess2
------------------------

Source Ports:

Rx Only: Et2(IP ACL: dIPv6), Et5(IP ACL: dIPv6)

Destination Ports:

         status   source    dest      TTL   DSCP   proto    VRF       fwd-drop
Gre2 :   active   3.3.3.3   4.4.4.4   128   0      0x88be   default   no

switch(config)#
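
A configuration check for the tc-counters limitations listed earlier, as an added example that is not Arista code: it flags a mirroring ACL that mixes inner IPv4 and inner IPv6 rules, and a source interface shared by sessions whose ACLs cover both families. The running-config layout, the function name check_mirroring_acls and the sess3 line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# ACL and monitor-session lines from this page's examples,
# laid out as they would appear in a running-config (layout is an assumption).
PAGE_CONFIG = """\
ip access-list dIPv4
   10 permit ip any any inner ip any host 5.5.5.5
ip access-list dIPv6
   10 permit ip any any inner ipv6 any host 55::55
monitor session sess1 source et1 rx ip access-group dIPv4
monitor session sess2 source et2 rx ip access-group dIPv6
"""
# Constructed line (not on the page): et1 reused in a third session with the IPv6 ACL.
CONSTRUCTED_EXTRA = "monitor session sess3 source et1 rx ip access-group dIPv6\n"

ACL_RE = re.compile(r"^ip access-list (\S+)$")
INNER_RE = re.compile(r"\binner (ipv6|ip)\b")
MON_RE = re.compile(r"^monitor session (\S+) source (\S+) \w+ ip access-group (\S+)$")

def check_mirroring_acls(config):
    """Return sorted (kind, name, detail) findings for the tc-counters limitations."""
    acl_fams = defaultdict(set)   # ACL name -> inner families it matches: "ip", "ipv6"
    src_acls = defaultdict(set)   # source interface -> ACL names attached to it
    current = None                # ACL whose rules are currently being read
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            current = m.group(1)
        elif m := MON_RE.match(line):
            current = None
            src_acls[m.group(2).lower()].add(m.group(3))
        elif current and (m := INNER_RE.search(line)):
            acl_fams[current].add(m.group(1))
    findings = []
    for name, fams in acl_fams.items():
        if len(fams) > 1:         # one ACL matching both inner IPv4 and inner IPv6
            findings.append(("acl", name, "mixes inner ip and inner ipv6 rules"))
    for intf, acls in src_acls.items():
        fams = set().union(*(acl_fams[a] for a in acls))
        if len(fams) > 1:         # shared source interface covered by both families
            findings.append(("source", intf, ",".join(sorted(acls))))
    return sorted(findings)
```

The page's own configuration produces no findings; appending the constructed sess3 line reports et1 with both ACLs attached.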