Category Archives: mpls

Traceroute behaviour in MPLS

Traceroute is a great tool to discover the path a packet traverses in outgoing direction but if you have an MPLS cloud, you may have some unexpected behavior if you don’t do some tweaks. First of all let’s see how traceroute discovers a path when there isn’t any MPLS cloud.


The network above is using IP to route packets and we are running traceroute on GW2 device towards Debian1 device.

We can clearly see the two hops in our traceroute. IP addresses displayed on the output are from ingress interface of our probe packets. For this traceroute I also took a packet capture on ingress interface of GW1 i.e side.

Junos and Linux traceroute by default use UDP to send probe packets and each hop receives 3 UDP segments.
Continue reading

Layer 2 Circuit on SRX

I will briefly show how you can set up Layer 2 circuit between two packet-mode SRX boxes on 12.1X46-D10 release. Simply, if you set up a Layer 2 circuit between two sites, you can connect the same subnet between two different geographic location over an MPLS cloud. Look at the following sample topology and assume SRX j29 is in Ankara, which is my hometown 🙂 and j34 (which is in Amsterdam where live currently). I know they are so far 🙁 but we will set up the circuit and j40 will be able to ping address of j35 from its address which are in the same subnets.


First of all my assumptions on this setup;

  • J29,j30 and j34 are forming an MPLS cloud
  • We use LDP for label distribution
  • On this setup all these boxes are in packet mode
  • We don’t care what is on J30 as long as it provides MPLS connectivity, nothing special configured on that device
  • J40 and j35 have no special config, you can put PCs to test the connectivity as well.

Let’s first bring the L2 link UP;

Configure interfaces on PE routers
L2 circuit is established between j29 and j34. Interface configuration is really important as a single mistake doesn’t bring the link up.

Continue reading

BGP L3VPN with Flow services

This is the 5th and final post of my MPLS series. You can find all posts under mpls-tutorial tag. So far I have run all SRX devices in packet mode which means we weren’t able to use service features of SRX firewall. With this new config, we can also inspect the traffic. You can find the juniper document which describes this setup also in here I am just taking the flow section of this document and try to explain it the way I comprehend it. I have also modified my topology to make things simpler.

Continue reading


This post is the 4th post of my MPLS series. You can find the first three here: #1, #2 , #3
In an MPLS network, PE routers keep the site specific VPN routes inside VRF (Virtual Routing and Forwarding) tables and send the routes that they learned from CE routers to remote PE routers by using MP-BGP (Multiprotocol BGP). LSPs we have configured so far will be used to send our L3VPN traffic.
One of the greatest things that VRF along with MP-BGP is that in your PE router you can keep the same network addresses in different sites and completely isolated from each other.


I will setup a BGP-L3VPN between CustC ( and CustA (

I can start configuring VRF tables on both sides. VRF is a simple routing instance in a junos box but its instance type is vrf. For simplicity I won’t configure BGP between CE and PE routers but you can also do that.

Continue reading

MPLS/RSVP configuration & troubleshooting #3

This is the 3rd post of my MPLS/RSVP series. In the first and second, I set up an MPLS cloud with some sort of redundancy. In this post, I will enable traffic engineering support on OSPF in order to use CSPF and fast reroute feature. To explain fast reroute I need the topology again;


In a standard MPLS setup without fast reroute, if you have an LSP from J35 to J40 (Path: J34->J30->J29) and link between J30 and J29 breaks, it will take time for PATH error message to be received by J35 ingress router. However, if you enable fast reroute every router along the path will have alternate PATH available in case its link breaks and detours very quickly and will keep forwarding the traffic till the new LSP is established by the ingress router.
Please note that this is a temporary workaround to keep the traffic flowing without any disruption. Now it is time to get into the CLI to see how this works;

We must enable traffic engineering on OSPF and CSPF on MPLS. Otherwise fastreroute doesn’t work. This is what I have seen at least. In addition to this, my OSPF setup is multiarea for which I have to enable expand-loose-hop option in every MPLS router. According to the description from Juniper page “ it allows an LSP to traverse multiple OSPF areas within a service provider’s network.” Also according to juniper docs, if you configure an interarea LSP, you must set inter-domain option.
Continue reading

MPLS/RSVP configuration & troubleshooting #2

In my previous post MPLS/RSVP configuration & troubleshooting I have configured two LSPs between two MPLS routers. Now I will continue where I left off. Just one thing I must inform you that MPLS labels in the previous post won’t match this post as I restarted my routers. We will again use the same topology;


Previously we had two LSPs but didn’t know what to do with them. Now we will see how we can make use of them. When we create the LSP, one new routing table inet.3 will be populated.

inet.3 is the MPLS routing table. Once an LSP is established, you can find it here. You can see this table in an Ingress MPLS router but not in transit one in which you can see mpls.0 switching table populated.

BGP has very close connection with this table. For example, the network has been discovered via IBGP from J40 to J35. This means protocol next hop is address. BGP first look in the inet.3 table and if it finds there, it will install the physical next hop in inet.0

Continue reading

MPLS label allocation failure

I was playing with a test MPLS network today and I saw that my LSP isn’t UP.  When I checked with the show mpls command , I have seen the following “MPLS label allocation failure” message.
Then I checked the router to troubleshoot the issue. The issue was again I forgot to enable mpls at interface level.


Once I added the “family mpls” to the interfaces, all started working fine. Then I enforced some path for my LSP and then I got the following “No route toward dest” error.

This time error was the missing mpls family on the exit interface of device. Again it worked when I fixed this error. It seems I need some time on this topic:)