IP routing makes forwarding decisions at every hop. Each router looks up the destination, checks its routing table, forwards the packet. Repeat at every hop. Works fine, but expensive at scale.
MPLS (Multi-Protocol Label Switching) adds a label at network edge. Interior routers forward based on label only — a simple table lookup, no IP processing. Labels are swapped at each hop until the edge, where the label is removed and IP routing resumes.
MPLS is still relevant for service provider networks — enabling VPNs, traffic engineering, and fast forwarding at scale.
MPLS Concepts
How MPLS Works
Without MPLS (IP forwarding):[IP Header: dst=10.0.0.1] → Router A → [route lookup] → Router B → [route lookup] → Router C
With MPLS:[IP Header] → Edge Router → adds [Label: 100] → Core Router → swaps [Label: 200] → Edge Router → removes label → [IP Header]Key Terms
| Term | Description |
|---|---|
| Label | 20-bit identifier for forwarding |
| LSP | Label Switched Path (tunnel through network) |
| LDP | Label Distribution Protocol (assigns labels) |
| Push | Add label to packet |
| Pop | Remove label from packet |
| Swap | Replace label with new one |
| PHP | Penultimate Hop Popping |
MPLS Header
┌────────────────────────────────────────────┐│ Label (20 bits) │ TC │ S │ TTL │ ││ (0-1048575) │ 3b │1b │ 8b │ │└────────────────────────────────────────────┘
TC: Traffic Class (QoS)S: Bottom of Stack (1 if last label)TTL: Time to LiveVyOS MPLS Support
VyOS supports MPLS through FRRouting:
# Check MPLS supportcat /proc/sys/net/mpls/platform_labels# If exists, MPLS kernel support is available
# Load MPLS modulesmodprobe mpls_routermodprobe mpls_iptunnelBasic MPLS Configuration
Enable MPLS on Interfaces
configure
# Enable MPLS kernel supportset system sysctl parameter net.mpls.platform_labels value 100000
# Enable MPLS input on interfaces (via sysctl)set system sysctl parameter net.mpls.conf.eth0.input value 1set system sysctl parameter net.mpls.conf.eth1.input value 1
commitConfigure LDP
configure
# Enable LDP router IDset protocols mpls ldp router-id 10.255.0.1
# Configure LDP interfacesset protocols mpls ldp interface eth0set protocols mpls ldp interface eth1
# Optional: Discovery hello intervalset protocols mpls ldp discovery hello-interval 5set protocols mpls ldp discovery hello-holdtime 15
commitLDP with Targeted Neighbors
configure
# For non-adjacent neighbors (over tunnels)set protocols mpls ldp targeted-neighbor ipv4 address 10.255.0.2
commitLDP Operation
LDP Session Establishment
1. Router discovers neighbors via Hello packets (UDP 646)2. TCP session established to neighbor (port 646)3. Label mappings exchanged4. LSPs formedViewing LDP Status
# Show LDP neighborsshow mpls ldp neighbor
# Output:# Peer LDP Identifier: 10.255.0.2:0# TCP connection: 10.255.0.1:646 - 10.255.0.2:54321# State: Operational# Messages sent/received: 1234/5678
# Show LDP bindings (label mappings)show mpls ldp binding
# Show MPLS forwarding tableshow mpls tableMPLS Forwarding
Label Operations
# View MPLS forwarding tableshow mpls table
# Output:# Inbound Label Type Nexthop Outbound Label# 100 LDP 10.0.0.2 200# 101 LDP 10.0.0.2 201# 102 LDP 10.0.0.2 implicit-null
# implicit-null = PHP (penultimate hop popping)Penultimate Hop Popping (PHP)
Without PHP:[Label:100] → Router A → [Label:200] → Router B → [Label:300] → Router C → [no label] → Destination ↑ Two operations: pop label + IP lookup
With PHP:[Label:100] → Router A → [Label:200] → Router B → [no label] → Router C → Destination ↑ Pop here (second-to-last hop) ↑ Only IP lookup neededRouter C signals “implicit-null” label to Router B, telling it to pop the label.
MPLS with IGP
MPLS + OSPF
configure
# Configure OSPFset protocols ospf area 0 network 10.0.0.0/24set protocols ospf passive-interface defaultset protocols ospf passive-interface lo disableset protocols ospf interface eth0 passive disableset protocols ospf interface eth1 passive disable
# LDP follows OSPF pathsset protocols mpls ldp interface eth0set protocols mpls ldp interface eth1
commitMPLS + IS-IS
configure
# Configure IS-ISset protocols isis interface eth0set protocols isis interface eth1set protocols isis net 49.0001.0100.0100.0001.00
# LDP follows IS-IS pathsset protocols mpls ldp interface eth0set protocols mpls ldp interface eth1
commitSimple MPLS Network Example
Topology
[CE1] ── [PE1] ═══ [P1] ═══ [PE2] ── [CE2] 10.255.0.1 10.255.0.2 10.255.0.3
PE = Provider Edge (MPLS edge)P = Provider (MPLS core)CE = Customer Edge (no MPLS)PE1 Configuration
configure
# Loopback for router-idset interfaces loopback lo address 10.255.0.1/32
# WAN interface toward P1set interfaces ethernet eth0 address 10.0.0.1/30
# Customer interface (no MPLS)set interfaces ethernet eth1 address 192.168.1.1/24
# OSPFset protocols ospf router-id 10.255.0.1set protocols ospf area 0 network 10.255.0.1/32set protocols ospf area 0 network 10.0.0.0/30
# LDPset protocols mpls ldp router-id 10.255.0.1set protocols mpls ldp interface eth0
commitP1 Configuration
configure
# Loopbackset interfaces loopback lo address 10.255.0.2/32
# Interfacesset interfaces ethernet eth0 address 10.0.0.2/30set interfaces ethernet eth1 address 10.0.0.5/30
# OSPFset protocols ospf router-id 10.255.0.2set protocols ospf area 0 network 10.255.0.2/32set protocols ospf area 0 network 10.0.0.0/30set protocols ospf area 0 network 10.0.0.4/30
# LDPset protocols mpls ldp router-id 10.255.0.2set protocols mpls ldp interface eth0set protocols mpls ldp interface eth1
commitTroubleshooting MPLS
LDP Neighbor Not Forming
# Check interface MPLS is enabledshow interfaces ethernet eth0
# Check LDP is listeningss -tulnp | grep 646
# Check for LDP hellossudo tcpdump -i eth0 udp port 646
# Check OSPF/IGP adjacency (LDP follows IGP)show ip ospf neighborLabels Not Assigned
# Check LDP bindingsshow mpls ldp binding
# Check MPLS forwarding tableshow mpls table
# Verify MPLS modules loadedlsmod | grep mplsPackets Not Label-Switched
# Verify ingress interface has MPLS enabledcat /proc/sys/net/mpls/conf/eth0/input
# Should be 1, if 0:echo 1 > /proc/sys/net/mpls/conf/eth0/input
# Check kernel MPLS supportcat /proc/sys/net/mpls/platform_labelsMPLS MTU Considerations
MPLS label adds 4 bytes per label:
# Standard Ethernet MTU: 1500# With one MPLS label: 1500 - 4 = 1496 effective payload# With two labels (VPN): 1500 - 8 = 1492 effective payload
# Option 1: Increase MTU on MPLS interfacesset interfaces ethernet eth0 mtu 1508
# Option 2: Fragment at ingress (less efficient)MPLS Security
Control Plane Security
# Restrict LDP sessions# Only accept from known neighborsset protocols mpls ldp neighbor 10.255.0.2 password "secret"
# Filter LDP discovery# (Use firewall to limit UDP 646)Data Plane Considerations
# MPLS doesn't encrypt traffic# Anyone on the path can read label and content
# For encryption, use:# - IPsec over MPLS# - MACSec at Layer 2The Lesson
MPLS is still relevant for service provider networks.
MPLS provides:
- Fast forwarding (label lookup vs. IP lookup)
- VPN services (L2VPN, L3VPN)
- Traffic engineering (explicit paths)
- QoS capabilities
VyOS MPLS support is functional but limited:
- Basic LDP works
- Advanced features (RSVP-TE, Segment Routing) may be limited
- Check VyOS version for specific feature support
For modern networks:
- Small networks: IP routing is fine
- Large SP networks: MPLS still valuable
- Newer alternative: Segment Routing (SR-MPLS, SRv6)
Understand MPLS fundamentals even if you don’t use it daily — many service provider networks and VPN services depend on it.