This chapter covers MPLS (Multiprotocol Label Switching) network implementation, a critical topic for the N10-009 exam under Domain 2.4 (Network Implementation). MPLS is a high-performance, label-based switching technology used by service providers to build scalable, traffic-engineered backbones and Layer 3 VPNs. Expect 5-8% of exam questions to touch on MPLS concepts, labels, LSPs, and basic configuration verification. Mastery of MPLS is essential for understanding modern WAN and service provider networks.
Think of MPLS as a nationwide package delivery network with dedicated express lanes. Traditional IP routing is like every package being processed at every local post office, each deciding the next hop based on the destination address alone — slow, variable, and inefficient. MPLS instead assigns each package a 'route label' at the entry point. The first sorting facility (ingress LSR) looks at the destination and attaches a fixed-length label. From that point on, every intermediate facility (transit LSR) only reads the label, swaps it for a new one, and forwards the package along a pre-established express lane (LSP). The final facility (egress LSR) removes the label and delivers the package using standard IP routing. This bypasses slow per-packet IP lookups, enables traffic engineering to avoid congestion, and supports multiple services (VPN, voice, video) on the same infrastructure. Just as express lanes guarantee delivery time and reduce handling, MPLS provides deterministic performance and network efficiency.
What is MPLS and Why It Exists
MPLS (Multiprotocol Label Switching) is a data-carrying technique that directs data from one network node to the next based on short, fixed-length labels rather than long network addresses. It was standardized by the IETF (RFC 3031) to combine the speed of Layer 2 switching with the scalability of Layer 3 routing. Traditional IP routing requires every router to perform a longest-prefix match lookup on the destination IP address — a computationally expensive process that varies in time based on the size of the routing table. MPLS eliminates this by attaching a label to each packet at the ingress router; subsequent routers forward the packet by simply swapping labels, a fast and deterministic operation.
MPLS is not a single service but a framework that enables multiple applications:
- Layer 3 VPNs (RFC 4364): Service providers offer isolated customer networks over a shared MPLS backbone.
- Layer 2 VPNs (VPLS, VPWS): Emulate Ethernet or Frame Relay connections over MPLS.
- Traffic Engineering (MPLS-TE): Explicitly route traffic to optimize bandwidth utilization and meet SLAs.
- G-MPLS (Generalized MPLS): Extends MPLS to control time-division and wavelength-switched networks.
How MPLS Works: Label Switching and LSPs
MPLS operates between Layer 2 and Layer 3, often called Layer 2.5. The core mechanism involves three types of devices:
- Ingress LSR (Label Switch Router): Receives an unlabeled IP packet, performs a routing lookup, and pushes an MPLS label stack onto the packet.
- Transit LSR: Receives a labeled packet, swaps the top label with a new one (label swap), and forwards it out the appropriate interface.
- Egress LSR: Receives a labeled packet, pops the label (removes it), and forwards the original IP packet to its destination using standard IP routing.
A Label Switched Path (LSP) is the unidirectional path that a labeled packet follows from ingress to egress. LSPs are established using a label distribution protocol such as LDP (Label Distribution Protocol) or RSVP-TE (Resource Reservation Protocol with Traffic Engineering extensions).
Label Format and Operations
An MPLS label is a 20-bit field embedded in a 32-bit shim header that sits between the Layer 2 header and the IP packet. The label header includes:
- Label (20 bits): The actual label value, locally significant on each link.
- Exp (Experimental, 3 bits): Used for QoS (Class of Service). Originally experimental, now used for MPLS QoS.
- S (Bottom of Stack, 1 bit): Set to 1 for the last label in the stack; otherwise 0.
- TTL (Time to Live, 8 bits): Copied from the IP TTL to prevent loops.
Label operations:
- Push: Add a new label to the top of the stack.
- Swap: Replace the top label with a new label.
- Pop: Remove the top label. If the removed label was the bottom (S=1), the packet becomes an IP packet again.
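The shim header layout above can be packed and parsed bit for bit. The following is an added example, not part of the original chapter; the function names and the sample packet bytes are constructed for illustration, and the parser rejects stacks that are truncated or never set the S bit.

```python
import struct
from typing import NamedTuple

IMPLICIT_NULL = 3  # signalling-only value (see PHP); it never appears on the wire

class Shim(NamedTuple):
    label: int  # 20 bits
    exp: int    # 3 bits
    s: int      # 1 bit, bottom of stack
    ttl: int    # 8 bits

def encode_shim(label, exp, s, ttl):
    """Pack one 32-bit shim header in network byte order."""
    if not (0 <= label < 1 << 20 and 0 <= exp < 8 and s in (0, 1) and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (s << 8) | ttl)

def parse_stack(data, max_depth=8):
    """Return (list of Shim from top to bottom, payload bytes after the S=1 entry)."""
    stack, offset = [], 0
    while True:
        if len(stack) == max_depth:
            raise ValueError("no bottom-of-stack bit within max_depth entries")
        if offset + 4 > len(data):
            raise ValueError("truncated label stack: ran out of bytes before S=1")
        (word,) = struct.unpack_from("!I", data, offset)
        offset += 4
        shim = Shim(word >> 12, (word >> 9) & 0x7, (word >> 8) & 0x1, word & 0xFF)
        stack.append(shim)
        if shim.s:
            return stack, data[offset:]

def anomalies(stack):
    """Flag entries a monitoring point would not expect to see in transit."""
    found = []
    for depth, shim in enumerate(stack):
        if shim.label == IMPLICIT_NULL:
            found.append(f"entry {depth}: implicit null (3) present on the wire")
        if shim.ttl == 0:
            found.append(f"entry {depth}: TTL 0")
    return found

# Constructed sample: L3VPN-style two-label stack followed by the start of an IPv4 header.
SAMPLE = (encode_shim(16001, 5, 0, 254)    # outer transport label
          + encode_shim(24, 5, 1, 254)     # inner VPN label, bottom of stack
          + bytes.fromhex("45000054"))     # constructed IPv4 header bytes

if __name__ == "__main__":
    stack, payload = parse_stack(SAMPLE)
    for shim in stack:
        print(shim)
    print("payload starts", payload.hex(), "anomalies:", anomalies(stack))
```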
MPLS Forwarding: The Label Forwarding Information Base (LFIB)
Each LSR maintains an LFIB that maps incoming labels (interface + label) to outgoing actions (swap/pop and outgoing interface + label). When a labeled packet arrives, the router looks up the top label in the LFIB, performs the indicated operation, and forwards the packet. This is much faster than an IP routing lookup because the LFIB is indexed by the label (a fixed 20-bit value) rather than requiring a longest-prefix match.
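The LFIB lookup and the push, swap and pop operations can be traced hop by hop. The following is an added example, not part of the original chapter; the topology, label values and function name are constructed, and it also shows the failure cases of a missing binding and a forwarding loop stopped by TTL.

```python
IMPLICIT_NULL = 3  # advertised by the egress to request penultimate hop popping

# Constructed topology PE1 -> P1 -> P2 -> PE2 for FEC 10.0.0.2/32 (sample data).
FTN = {"PE1": {"10.0.0.2/32": (17, "P1")}}   # ingress: FEC -> (label to push, next hop)
LFIB = {
    "P1": {17: (22, "P2")},                  # incoming label -> (outgoing label, next hop)
    "P2": {22: (IMPLICIT_NULL, "PE2"),       # PHP: pop before handing to the egress
           17: (30, "P3")},                  # label 17 has a different meaning on P2
}

def walk_lsp(ftn, lfib, ingress, fec, ttl=64):
    """Follow one packet along the LSP; return (trace, status)."""
    label, node = ftn[ingress][fec]
    stack = [label]                          # top of stack is the last element
    trace = [(ingress, "push", label)]
    while stack:
        ttl -= 1                             # each LSR decrements the label TTL
        if ttl <= 0:
            return trace, "dropped: TTL expired"
        entry = lfib.get(node, {}).get(stack[-1])
        if entry is None:
            return trace, f"dropped at {node}: no LFIB entry for label {stack[-1]}"
        out_label, next_hop = entry
        if out_label == IMPLICIT_NULL:
            trace.append((node, "pop", stack.pop()))
        else:
            stack[-1] = out_label
            trace.append((node, "swap", out_label))
        node = next_hop
    return trace, f"delivered unlabeled to {node}"

# Constructed failure cases: a withdrawn binding on P2, and two LSRs pointing at each other.
BROKEN_LFIB = {"P1": {17: (22, "P2")}, "P2": {}}
LOOP_LFIB = {"P1": {17: (22, "P2")}, "P2": {22: (17, "P1")}}

if __name__ == "__main__":
    for name, table in (("ok", LFIB), ("broken", BROKEN_LFIB), ("loop", LOOP_LFIB)):
        trace, status = walk_lsp(FTN, table, "PE1", "10.0.0.2/32", ttl=8)
        print(name, trace, status)
```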
Label Distribution Protocol (LDP)
LDP (RFC 5036) is the most common protocol for distributing labels in MPLS networks. It operates between directly connected LSRs to establish LSPs for every route in the IGP (e.g., OSPF, IS-IS). Key points:
LDP uses UDP for discovery (hello messages on port 646) and TCP (port 646) for session establishment and label exchange.
Labels are assigned per FEC (Forwarding Equivalence Class). A FEC is typically a destination IP prefix.
LDP builds LSPs automatically based on the IGP topology, following the shortest path.
Default timers: Hello interval = 5 seconds (multicast 224.0.0.2), hold time = 15 seconds. Session keepalive interval = 15 seconds, keepalive hold = 45 seconds.
MPLS Traffic Engineering (MPLS-TE)
MPLS-TE uses RSVP-TE to establish explicit LSPs that do not necessarily follow the IGP shortest path. This allows network operators to:
Route traffic away from congested links.
Reserve bandwidth along the path.
Provide fast reroute (FRR) protection via bypass tunnels.
RSVP-TE messages include PATH (from ingress to egress) and RESV (from egress to ingress) to reserve resources. The path can be explicitly defined by the operator (strict or loose hops) or computed dynamically by a Path Computation Element (PCE).
MPLS VPNs: Layer 3 VPN (RFC 4364)
In a Layer 3 MPLS VPN, the service provider's backbone carries customer routes using two labels:
- Inner label (VPN label): Assigned by the egress PE (Provider Edge) to identify the customer VPN.
- Outer label (transport label): Assigned by the ingress PE to forward the packet across the MPLS backbone to the egress PE.
Customer routers (CE) connect to PE routers. PEs run MP-BGP (Multiprotocol BGP) to exchange VPNv4 routes (IPv4 prefixes with an 8-byte Route Distinguisher) with other PEs. The VPNv4 routes carry VPN labels. P routers (Provider core) only see the transport label and have no customer route information, ensuring isolation.
MPLS Configuration and Verification (Cisco IOS Example)
Enable MPLS on an interface:
interface GigabitEthernet0/0
 mpls ip
 mpls mtu 1510
Configure LDP (optional, enabled by default with 'mpls ip'):
mpls ldp router-id Loopback0 force
mpls label protocol ldp
Configure MPLS-TE tunnel:
interface Tunnel1
 ip unnumbered Loopback0
 tunnel mode mpls traffic-eng
 tunnel destination 10.0.0.2
 tunnel mpls traffic-eng path-option 1 explicit name PATH1
Verification commands:
- show mpls ldp neighbor — view LDP neighbors.
- show mpls forwarding-table — view LFIB (label, outgoing interface, next hop).
- show mpls ldp bindings — view label bindings.
- show mpls traffic-eng tunnels — view TE tunnel status.
- show ip route — verify IGP reachability.
- ping mpls ipv4 10.0.0.2/32 — test MPLS LSP connectivity.
Interaction with Related Technologies
MPLS and QoS: MPLS EXP bits map to IP DSCP or 802.1p priorities. The entire MPLS header is small, allowing efficient QoS marking.
MPLS and IPv6: 6PE and 6VPE allow IPv6 transport over MPLS using IPv4-based LSPs.
MPLS and Multicast: mLDP (Multicast LDP) and RSVP-TE P2MP (Point-to-Multipoint) enable multicast over MPLS.
MPLS and Segment Routing: Segment Routing (SR-MPLS) replaces LDP with IGP-based label distribution, simplifying operations.
Enable MPLS on interfaces
On each router that will participate in MPLS (PE, P, or both), enable MPLS on the interfaces connecting to other MPLS routers. On Cisco IOS, use 'mpls ip' under the interface configuration. This activates LDP discovery and label exchange on that link. Also adjust the MTU to accommodate the MPLS label header (typically 4 bytes per label) by setting 'mpls mtu' to at least 1504 bytes for a single label, or higher for label stacks. Verify with 'show mpls interfaces'.
Configure LDP router ID and parameters
Set the LDP router ID to a stable loopback interface using 'mpls ldp router-id Loopback0 force'. This ensures LDP sessions are not affected by interface flaps. Optionally adjust LDP timers: 'mpls ldp discovery hello interval 10' and 'mpls ldp holdtime 30'. LDP will then discover neighbors via UDP hello messages (multicast 224.0.0.2) on all MPLS-enabled interfaces. Once neighbors are discovered, TCP sessions are established to exchange label bindings.
Verify LDP neighbor adjacencies
Use 'show mpls ldp neighbor' to confirm LDP sessions are up. The output shows neighbor LDP ID, IP address, interface, hold time, and session state (Operational). If neighbors are missing, check interface state, IP connectivity, and that 'mpls ip' is enabled on both ends. Also verify that LDP is not filtered by ACLs and that TCP port 646 is open.
Verify MPLS forwarding table (LFIB)
Use 'show mpls forwarding-table' to inspect the LFIB. Each entry shows the incoming label (local label), outgoing label (assigned by next-hop LSR), outgoing interface, and next-hop IP. The LFIB should contain entries for all IGP-learned routes. If routes are missing, check that LDP bindings exist ('show mpls ldp bindings') and that the IGP is advertising the route. Also verify that the MTU is sufficient for labeled packets.
Test MPLS LSP connectivity
Use 'ping mpls ipv4 <destination-ip>/32' to test end-to-end LSP connectivity. This sends an MPLS-encapsulated echo request along the LSP. A successful reply confirms label switching works. If ping fails, use 'traceroute mpls ipv4 <destination-ip>/32' to identify where labels are being dropped or misrouted. Common issues include label mismatch, MTU problems, or LDP not distributing labels for the destination.
Configure MPLS VPN (if applicable)
On PE routers, configure VRF (Virtual Routing and Forwarding) instances for each customer. Assign interfaces to VRFs. Enable MP-BGP for VPNv4 route exchange between PEs. Configure route targets (RT) and route distinguishers (RD). Verify with 'show ip vrf', 'show bgp vpnv4 unicast all', and 'show mpls forwarding-table vrf <vrf-name>'. Ensure P routers have no customer routes and only transport labels.
MPLS is the backbone of most service provider networks worldwide. Here are three common deployment scenarios:
1. Enterprise WAN Replacement with MPLS Layer 3 VPN
A multinational company with 50 branch offices replaces its expensive Frame Relay/ATM WAN with an MPLS L3 VPN from a service provider. Each branch has a CE router connected to the provider's PE. The provider assigns each branch a VRF with a unique RD and RT. All branches can communicate via the provider's backbone without needing a full mesh of point-to-point links. The enterprise saves cost and gains any-to-any connectivity. Misconfiguration often involves incorrect RT import/export, causing routes to leak between customer VPNs or not being advertised at all. Also, overlapping customer IP addresses require careful RD allocation.
2. Traffic Engineering for Data Center Interconnect
A cloud provider connects three data centers across a metro area using MPLS-TE. The IGP (OSPF) sees multiple equal-cost paths, but some links are congested while others are underutilized. The operator configures RSVP-TE tunnels that explicitly route traffic over less congested paths, reserving bandwidth for critical replication traffic. They also set up fast reroute (FRR) backup tunnels to protect against fiber cuts. Common pitfalls: misconfigured path options causing tunnels to not come up, or bandwidth reservation exceeding available capacity. Verification involves 'show mpls traffic-eng tunnels' and 'show ip rsvp reservation'.
3. Service Provider Core with MPLS and Segment Routing Migration
A legacy ISP running MPLS with LDP decides to migrate to Segment Routing (SR-MPLS) to simplify operations. SR-MPLS uses the IGP (IS-IS or OSPF) to distribute labels, eliminating LDP sessions. The operator configures prefix-SIDs and adjacency-SIDs. The migration is done incrementally, with some routers running both LDP and SR. Interworking requires mapping between LDP and SR labels. Problems arise when SIDs are not unique or when the IGP does not propagate SIDs correctly. The operator uses 'show isis segment-routing label' to verify.
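The RT import/export and RD mistakes named in scenario 1 can be caught by auditing the VRF definitions before they are deployed. The following is an added example, not part of the original chapter; the VRF names, RD/RT values and the per-VRF "customer" field are constructed assumptions, and an intentional shared-services extranet would need an allow-list on top of this check.

```python
from itertools import permutations

def audit_vrfs(vrfs):
    """Return findings as (kind, source VRF, destination VRF, values involved)."""
    findings = []
    for src, dst in permutations(vrfs, 2):
        # dst learns src's routes when any RT exported by src is imported by dst.
        shared = src["export"] & dst["import"]
        if shared and src["customer"] != dst["customer"]:
            findings.append(("leak", src["name"], dst["name"], sorted(shared)))
        if not shared and src["customer"] == dst["customer"]:
            findings.append(("unreachable", src["name"], dst["name"], []))
    first_use = {}
    for vrf in vrfs:
        # The RD makes overlapping customer prefixes unique as VPNv4 routes,
        # so two customers sharing an RD can collide.
        other = first_use.setdefault(vrf["rd"], vrf)
        if other is not vrf and other["customer"] != vrf["customer"]:
            findings.append(("rd-collision", other["name"], vrf["name"], [vrf["rd"]]))
    return findings

# Constructed sample: ACME-LON exports the wrong RT, GLOBEX-HQ happens to import it
# and also reuses ACME-LON's RD.
VRFS = [
    {"name": "ACME-NYC", "customer": "acme", "rd": "65000:100",
     "import": {"65000:100"}, "export": {"65000:100"}},
    {"name": "ACME-LON", "customer": "acme", "rd": "65000:101",
     "import": {"65000:100"}, "export": {"65000:1000"}},
    {"name": "GLOBEX-HQ", "customer": "globex", "rd": "65000:101",
     "import": {"65000:200", "65000:1000"}, "export": {"65000:200"}},
]

if __name__ == "__main__":
    for finding in audit_vrfs(VRFS):
        print(finding)
```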
The N10-009 exam tests MPLS under Domain 2.4 (Network Implementation) and also touches on it in Domain 3.0 (Network Operations) and Domain 4.0 (Network Troubleshooting). Key exam points:
Objective 2.4: 'Given a scenario, implement network solutions' — includes MPLS concepts. You must know the difference between MPLS and traditional routing, label operations (push, swap, pop), and the role of LDP.
Objective 3.2: 'Given a scenario, use appropriate network monitoring tools' — you may need to interpret 'show mpls forwarding-table' output.
Objective 4.3: 'Given a scenario, troubleshoot common network issues' — MPLS-related issues like label mismatch, MTU problems, and LDP session failures.
Common Wrong Answers:
1. 'MPLS replaces IP routing entirely.' — False. MPLS works alongside IP routing; IP routing is still used at edges and for control plane.
2. 'MPLS labels are globally unique.' — False. Labels are locally significant per link.
3. 'LDP uses TCP for discovery.' — False. LDP uses UDP (port 646) for discovery (hello messages) and TCP for session establishment.
4. 'MPLS-TE uses LDP to establish explicit paths.' — False. MPLS-TE uses RSVP-TE, not LDP.
Specific Numbers to Memorize:
- MPLS label size: 20 bits.
- MPLS shim header: 4 bytes per label.
- LDP hello interval: 5 seconds (default), hold time: 15 seconds.
- LDP TCP port: 646.
- MPLS operates at Layer 2.5.
Edge Cases:
- Penultimate Hop Popping (PHP): The penultimate router pops the label before sending to the egress, reducing load on the egress LSR.
- Implicit null label (label 3): Instructs the penultimate hop to pop the label.
- Explicit null label (label 0): Used for QoS preservation; the egress LSR receives a labeled packet with label 0.
- Router Alert label (label 1): Used for MPLS OAM.
Eliminating Wrong Answers: Focus on the mechanism: MPLS is about label switching, not IP routing. If a question mentions 'routing table lookup at every hop', it's wrong for MPLS. If it mentions 'globally unique labels', it's wrong. Remember that MPLS can carry any protocol (IPv4, IPv6, Ethernet), hence 'multiprotocol'.
MPLS uses fixed-length labels (20 bits) to forward packets, avoiding slow IP routing lookups.
MPLS labels are locally significant per link, not globally unique.
LDP (Label Distribution Protocol) automatically distributes labels for IGP routes; uses UDP for discovery (port 646) and TCP for sessions (port 646).
Default LDP hello interval: 5 seconds; hold time: 15 seconds.
MPLS-TE uses RSVP-TE to establish explicit LSPs with bandwidth reservation.
Penultimate Hop Popping (PHP) reduces load on egress LSR by popping label at penultimate hop.
MPLS supports multiple protocols (IPv4, IPv6, Ethernet) via different encapsulation methods.
MPLS L3VPN uses two labels: transport label (outer) and VPN label (inner).
These come up on the exam all the time. Here's how to tell them apart.
Traditional IP Routing
Each router performs a longest-prefix match lookup on destination IP.
Lookup time varies with routing table size.
No built-in traffic engineering; follows IGP metric.
No inherent VPN support; overlay tunnels (IPsec, GRE) needed.
Operates at Layer 3 only.
MPLS
Ingress router pushes label; transit routers perform label swap.
Fast, deterministic forwarding via LFIB indexed by label.
Supports explicit path control via MPLS-TE (RSVP-TE).
Built-in L3VPN and L2VPN support via MP-BGP and labels.
Operates at Layer 2.5 (shim header between L2 and L3).
Mistake
MPLS replaces IP routing entirely.
Correct
MPLS does not replace IP routing; it works alongside it. IP routing is still used at the edges (CE to PE) and in the control plane (IGP, BGP). MPLS only optimizes forwarding in the core.
Mistake
MPLS labels are globally unique across the network.
Correct
MPLS labels are locally significant per interface. Each LSR assigns its own label values. The label mapping is exchanged via LDP or other protocols.
Mistake
LDP uses TCP for neighbor discovery.
Correct
LDP uses UDP (port 646) for discovery (hello messages). TCP (port 646) is used only for session establishment and label exchange after discovery.
Mistake
MPLS-TE uses LDP to establish explicit paths.
Correct
MPLS-TE uses RSVP-TE (Resource Reservation Protocol with Traffic Engineering extensions) to establish explicit paths. LDP only follows the IGP shortest path.
Mistake
MPLS is only for service providers.
Correct
While commonly used by SPs, MPLS is also deployed in large enterprise networks for traffic engineering, VPNs, and QoS. Any network with multiple sites can benefit.
IP routing requires each router to perform a longest-prefix match on the destination IP address, which is computationally expensive and varies with routing table size. MPLS instead attaches a label at the ingress router; subsequent routers simply swap labels based on a fixed-size lookup in the LFIB, making forwarding fast and deterministic. MPLS also enables traffic engineering and VPNs that are difficult with pure IP routing.
LDP (Label Distribution Protocol) automatically distributes label bindings between MPLS routers. It discovers neighbors via UDP hello messages (multicast 224.0.0.2, port 646) and establishes TCP sessions for label exchange. LDP assigns labels to every IGP-learned prefix, creating a full mesh of LSPs along the shortest path. It is the most common label distribution protocol in production networks.
MPLS-TE uses RSVP-TE to establish explicit LSPs that can follow paths different from the IGP shortest path. The ingress router sends a PATH message with explicit route objects (EROs) listing hops. Each transit router reserves bandwidth and forwards the PATH. The egress responds with a RESV message, confirming reservation. This allows operators to balance traffic, avoid congestion, and provide fast reroute protection.
PHP is a technique where the penultimate LSR (the router before the egress) pops the MPLS label before forwarding the packet to the egress LSR. This reduces the workload on the egress router, which would otherwise have to pop the label itself. The egress advertises an implicit null label (label 3) to signal the penultimate hop to pop the label. PHP is enabled by default in most MPLS implementations.
MPLS L3VPN (RFC 4364) provides Layer 3 connectivity between customer sites; the PE router participates in customer routing (via VRF and MP-BGP). Customer routers (CE) peer with PE routers. MPLS L2VPN (VPLS, VPWS) provides Layer 2 connectivity, emulating a switch or point-to-point link over the MPLS backbone. The PE router forwards Layer 2 frames (Ethernet) without inspecting Layer 3 headers. L3VPN is more common for IP WANs; L2VPN is used for data center interconnect or transparent LAN services.
Start by verifying LDP neighbors are up ('show mpls ldp neighbor'). Check LFIB entries for missing labels ('show mpls forwarding-table'). Use 'ping mpls ipv4' and 'traceroute mpls ipv4' to test LSP connectivity. Common issues: MTU mismatch (packets with labels exceed interface MTU), ACLs blocking LDP (UDP/TCP 646), IGP not advertising routes, or LDP not enabled on interfaces. Also check that the MPLS MTU is set appropriately ('mpls mtu').
An MPLS packet can carry multiple labels, forming a stack. The bottom label has the S bit set to 1. Labels are processed from top to bottom. The stack allows hierarchical LSPs, such as in MPLS VPNs (outer transport label, inner VPN label) or in MPLS-TE with fast reroute (backup tunnel label below primary). The maximum stack depth is limited by hardware; typical deployments use 2-3 labels.