Label Switching or how I learned to ignore IP and become a better forwarder

A simple label switched path. The stack of rectangles represents an IP packet and the envelope at the top is a label.

To be clear, the title isn’t completely accurate. MPLS uses the information from the IGP for labels and whether or not the forwarding efficiency is improved is debatable. In fact, if you’re using a protocol like RSVP for traffic engineering, the path that a packet takes might not be the shortest path. I’d love to just ramble on about how many options there are when using MPLS but this post is a continuation of the VPN discussion that started with IPSec SSL VPNs.

So what makes MPLS L3VPN a different private network than an IPSec SSL VPN? A lot of things but one of the first things that comes to mind is encryption. The label switched VPN can have encrypted tunnels but encryption is not a requirement. Let’s start with the business requirement: how can we, as a service provider (SP), allow multiple customers to use our network as an extension of their own?

Part of the answer is segmentation. It’s a familiar technique that is often applied at layer 2 via the humble VLAN, which separates a physical switch into multiple logical switches to break the network into multiple networks. The concept can be applied to layer 3 with virtual routing and forwarding instances (VRF) whereby a physical router is separated into several logical routers. Each VRF has its own routing table and is ignorant of any other instances on the same router. Routers at the edge of the provider network, commonly called provider edges (PE), assign each customer to a VRF, solving one aspect of the problem.

The other problem arises in transit, when traffic needs to traverse multiple routers between two PEs. Why not use VRFs for all the routers in the network? VRFs are assigned interfaces. Two instances cannot share a common interface, so if VRFs were to be implemented throughout the entire network, the provider would have to manually create a path from one PE to another. Not only is this a complex, time-consuming task, it is also neither scalable nor flexible.

It would be ideal if only the PE routers needed to know about different customers. When a new customer site is attached to the network, one VRF is configured at that site and there will be full connectivity. How the network achieves this agnostic behavior is through label switching. Instead of relying on the destination IP address to route traffic, the routers in between the PEs, named provider routers (P), use labels instead.

There are many flavors of label switching protocols but MPLS L3VPN uses label distribution protocol (LDP) to propagate label information. The SP network runs an IGP like OSPF or IS-IS to allow reachability throughout the network. LDP uses the routing table from the IGP to assign a label per route and then advertises that label to its LDP neighbors. For example if the destination is the subnet at is reachable through the next hop of on the local router, the router can assign a label of 100 and tell all its neighbors to attach that label on any traffic going to the subnet. The number is locally significant to the router so other routers can use 100 as a label for the same route or a completely different one.

The local router would also need the label information from its next hop neighbor. If the neighbor chooses 200 as the label for the subnet then the local router has all the information it needs to forward traffic to that subnet. When it receives a packet with the label 100 it swaps that label with a label of 200 and forwards it out the appropriate interface. So initially the IP information is used for label assignment but after all the labels have been exchanged, forwarding depends purely on labels.

When everything has been configured and the network has converged, a packet can traverse the SP network like so:

  1. The packet arrives at a PE. The PE knows exactly which routing table to look up forwarding information on because the interface belongs to a specific VRF.
  2. The PE finds a route to the destination IP and then looks up the label forwarding information table to determine what label it should attach.
  3. The PE attaches the appropriate label and sends it towards a P router.
  4. The P router looks at the label and knows that it needs to switch it with the label that its neighbor had advertised to it. It switches the labels and forwards the packet out the appropriate interface.
  5. Repeat step four until the packet reaches the destination PE.
  6. The destination PE looks at the IP address and forwards the packet out the appropriate interface and back into the customer network.

One optional step that happens before the packet reaches the destination PE is something called the penultimate hop pop (PHP). The P router pops the label off the packet and sends it on to the PE as a vanilla IP packet. There are scenarios in which there are multiple label stacks but that’s a more complicated topic not directly related to our VPN solution.
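The numbered walk and the penultimate hop pop above, as a small Python simulation. This is an added example, not code from the original post. Router names, interface names, prefixes and label values are constructed; label 3 is the reserved implicit-null value a router advertises to ask its neighbor to pop. How the egress PE picks the customer VRF is left out, since the post defers that to multiprotocol BGP.

```python
from ipaddress import ip_address, ip_network

IMPLICIT_NULL = 3  # reserved label (RFC 3032): "pop before sending to me" (PHP)

# Steps 1-2 on the ingress PE: interface -> VRF, then a per-VRF route lookup.
# Both constructed customers use 10.1.0.0/24; the VRFs keep them apart.
IF_TO_VRF = {"ge-0/0/1": "CUST_A", "ge-0/0/2": "CUST_B"}
VRF_ROUTES = {
    "CUST_A": {ip_network("10.1.0.0/24"): "PE2"},
    "CUST_B": {ip_network("10.1.0.0/24"): "PE3"},
}
# Label PE1 pushes to reach each egress PE, and the P router it sends to.
PE1_PUSH = {"PE2": (100, "P1"), "PE3": (101, "P1")}

# Label forwarding tables of the P routers: in_label -> (out_label, next_hop).
# Labels are locally significant: 100 leads to PE2 on P1 but to PE3 on P2.
LFIB = {
    "P1": {100: (200, "P2"), 101: (100, "P2")},
    "P2": {200: (IMPLICIT_NULL, "PE2"), 100: (IMPLICIT_NULL, "PE3")},
}


def forward(in_interface, dst_ip):
    """Walk one packet across the provider network; return (egress_pe, trace)."""
    vrf = IF_TO_VRF[in_interface]
    dst = ip_address(dst_ip)
    # Longest-prefix match inside this VRF only; other VRFs are never consulted.
    matches = [n for n in VRF_ROUTES[vrf] if dst in n]
    if not matches:
        raise LookupError(f"no route to {dst_ip} in VRF {vrf}")
    egress = VRF_ROUTES[vrf][max(matches, key=lambda n: n.prefixlen)]
    label, router = PE1_PUSH[egress]
    trace = [f"PE1 vrf={vrf} push {label} -> {router}"]
    while router in LFIB:  # steps 4-5: P routers forward on the label alone
        entry = LFIB[router].get(label)
        if entry is None:
            # Unknown incoming label: the packet is discarded.
            raise LookupError(f"{router} has no entry for label {label}")
        out_label, next_hop = entry
        if out_label == IMPLICIT_NULL:
            trace.append(f"{router} pop {label} -> {next_hop}")
            label = None  # leaves the penultimate hop as a plain IP packet
        else:
            trace.append(f"{router} swap {label}->{out_label} -> {next_hop}")
            label = out_label
        router = next_hop
    return router, trace
```

Calling `forward("ge-0/0/1", "10.1.0.5")` and `forward("ge-0/0/2", "10.1.0.5")` sends the same destination address to different egress PEs, because the ingress interface, not the address, selects the routing table.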

To the customer, the SP network is just one giant router that sends traffic from one site to another as if they were connected on the same LAN. There is one major part of this MPLS L3VPN solution that I haven’t discussed yet. It involves multiprotocol BGP, a topic that deserves multiple posts by itself.

When I first read about MPLS I was studying for the CCNA and a lot of the terminology was obscure to me. Still, it piqued my interest and I’m glad I pursued it. The ingenuity involved in MPLS networks is inspiring and even having read through several books, there is still so much more to learn. MPLS technologies in general are much more easily understood through illustrations and video and I encourage anyone learning this material to check out sites like for a more visual discussion.
