This shows a simple example of how to get MPLS + Ingress to work.
Here's a simple topology we use for testing.

  1.1.2      1.1.1    1.0.2  1.0.1    2.0.1   2.0.2    2.1.1      2.1.10
 --------        -------         ------           -------         --------
| Host A |------| LER A |-------| CORE |---------| LER B |-------| Host B |
 --------        -------         ------           -------         --------
   eth0       eth1    eth0    eth1    eth2     eth0    eth1         eth0

All the addresses start with 10. in our case.
So for example, Host A has the address 10.1.1.2 on eth0.

You only need to worry about configuring LER A, the LSR labelled CORE
and LER B. The hosts are MPLS unaware.
I'll start by explaining the configuration for simple MPLS validation,
then I'll add how to do Ingress later.

MPLS config
-----------

This shows a config with bidirectional labelling.
Jim's README file has a more pictorial view of the different parts
of the syntax. This will show an end to end picture.

LER A:
-----

LER A labels packets going towards HOST B with a tag of 16.
It also POPs all labels with tag 21 and sends them up the IP stack.

LER A configuration:

--------------- Cut here --------------------------------

# assign label spaces to both eth0 and 1
#
mplsadm -v -L eth0:0
mplsadm -v -L eth1:0

# explicitly add a route to say that Core knows about host B
#
route add 10.2.1.10/32 gw 10.1.0.1

# Explicitly add a Gen MPLS label
# "if you see a packet from Host A going out on eth0 then stash MPLS
# label 16 on it; use 10.1.0.1 as the next hop."
#
# in this case we originate the MPLS label 16
#
mplsadm -v -A -B -O gen:16:eth0:ipv4:10.1.0.1 -f 10.2.1.10/32

# "If you see a packet with label 21 on it, please POP that label
# off and re-direct to the IP layer; in this case we terminate
# the MPLS label 21 to IP."
#
mplsadm -v -A -I gen:21:0

XXXXXXXXXXXXXXXXXXXX END SCRIPT HERE XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

LER B:
-----

For continuity let me show the LER B script.
LER B labels packets going towards HOST A with a tag of 20.
It also POPs all labels with tag 16 and sends them up the IP stack.

--------------- Cut here --------------------------------

# assign label spaces to both eth0 and 1
#
mplsadm -v -L eth0:0
mplsadm -v -L eth1:0

# explicitly add a route towards host A out of eth0
#
route add 10.1.1.2/32 dev eth0

# If you see a packet with label 16 on it, please POP that label
# off and re-direct to the IP layer; in this case we terminate
# the MPLS label 16 to IP.
#
mplsadm -v -A -I gen:16:0

# Explicitly add a Gen MPLS label which says:
# if you see a packet from Host B going out on eth0 then stash MPLS
# label 20 on it; use 10.2.0.1 as the next hop.
#
# in this case we originate the MPLS label 20
#
mplsadm -v -A -B -O gen:20:eth0:ipv4:10.2.0.1 -f 10.1.1.2/32

XXXXXXXXXXXXXXXXXXXX END SCRIPT HERE XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

So the settings result in the following:

Packets destined for Host B (from Host A, since it is the only host on
that side) will get labelled with tag 16 at LER A. When LER B gets
label 16 on the incoming interface, it will remove it and send the packet
to the IP stack. The stack will then forward it using the normal path
to Host B.

Likewise in the opposite direction, when LER B gets packets going
towards Host A it will label them with tag 20; label 20 gets swapped
at the LSR for label 21 (see script below). When LER A receives packets
with label 21, it pops off the label and sends them up the IP stack.
The packet is then forwarded to Host A by normal IP forwarding.

Now of course the LSR (CORE) will have to switch those labels for this
to succeed.
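The end-to-end label handling just described, including the CORE swaps from the LSR config in the next section, traced as an added example (not part of the original README or of mplsadm). The table layout and the names NODES and trace are illustrative; it also reports a label that arrives at a node with no matching entry, which is what a mismatched LSP looks like.

```python
# Added example: tables transcribed from the mplsadm commands on this page.
# The dict layout and function names are illustrative, not part of mplsadm.

# ftn: destination -> (label to push, next node)        [mplsadm -O ... -f]
# ilm: incoming label -> ("swap", out label, next node)  [mplsadm -I ... -O]
#                     or ("pop",)                        [mplsadm -I only]
NODES = {
    "LER A": {"ftn": {"10.2.1.10": (16, "CORE")}, "ilm": {21: ("pop",)}},
    "CORE":  {"ftn": {}, "ilm": {16: ("swap", 16, "LER B"),
                                  20: ("swap", 21, "LER A")}},
    "LER B": {"ftn": {"10.1.1.2": (20, "CORE")}, "ilm": {16: ("pop",)}},
}

def trace(ingress, dst, nodes=NODES, max_hops=16):
    """Follow one packet from the ingress LER; return (hops, outcome)."""
    ftn = nodes[ingress]["ftn"]
    if dst not in ftn:
        return [], "unlabelled: plain IP forwarding"
    label, node = ftn[dst]
    hops = [(ingress, "push", label)]
    for _ in range(max_hops):
        entry = nodes[node]["ilm"].get(label)
        if entry is None:                  # label arrives with no entry for it
            return hops, f"dropped at {node}: no entry for label {label}"
        if entry[0] == "pop":
            hops.append((node, "pop", label))
            return hops, f"delivered to IP stack at {node}"
        _, label, next_node = entry
        hops.append((node, "swap", label))  # records the outgoing label
        node = next_node
    return hops, "loop: hop limit reached"

if __name__ == "__main__":
    for ler, dst in (("LER A", "10.2.1.10"), ("LER B", "10.1.1.2")):
        hops, outcome = trace(ler, dst)
        print(dst, hops, outcome)
```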

LSR:
---

So here's the config for the LSR:

----------------------------- Cut here --------------------

# add the labels
mplsadm -v -L eth1:0
mplsadm -v -L eth2:0

# add an LSP:
# if you see label 16 (on space 0), switch it out with label 16
# using 10.2.0.2 as your next hop
#
mplsadm -v -A -I gen:16:0 -O gen:16:eth2:ipv4:10.2.0.2 -B

# add another LSP (this one with more variety):
# if you see label 20 (on space 0), switch it out with label 21
# using 10.1.0.2 as your next hop
#
mplsadm -v -A -I gen:20:0 -O gen:21:eth1:ipv4:10.1.0.2 -B

XXXXXXXXXXXXXXXXXXXX END SCRIPT HERE XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Ingress policing:
================

This will show ingress policing in action at LER B, complemented by
Jim's MPLS setups in LER A and at the LSR. The bi-directional policing
is left as an exercise ;->

PS: This is a totally new config, unrelated to the one above where we
showed a simple bidirectional MPLS setup, i.e. you need to reconfigure
from scratch.
You will need the tc utility from iproute2 for this to work.

LER A:
-----

So let's look at LER A's config

----------------------------- Cut here --------------------

mplsadm -v -L eth0:0
mplsadm -v -A -I gen:16:0

XXXXXXXXXXXXXXXXXXXX END SCRIPT HERE XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

It simply adds a labelspace 0 on eth0 and a policy to pop off any
label 16 packets seen from the LSR before being sent up the IP stack.

The LSR:
-------

----------------------------- Cut here --------------------

mplsadm -v -L eth1:0
mplsadm -v -L eth2:0
mplsadm -v -A -I gen:20:0 -O gen:16:eth1:ipv4:10.1.0.2 -B

XXXXXXXXXXXXXXXXXXXX END SCRIPT HERE XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Adds label spaces to eth1 and eth0.
Adds a policy
"if you see a general label 20 (on space 0), switch it out with label 16
using 10.2.0.2 as your next hop"
label space 20 is set by LER B (as noted below).

And finally LER B:
-----------------

This is a very simple script whose goal is just to show how to configure
the policer. Later on we'll add more complex examples.
In this script, all packets with src host B (regardless of their
destination) will be subjected to the following policy:

If not exceeding meter1
    put a label of 20 on them and let them through
else
    drop them on the floor.

meter1 is defined as having a rate of 1Mbps and a burst of 90KBytes.

You can uncomment the script section commented below to have a more
interesting scenario which would do the following:

If not exceeding meter1
    put a label of 20 on them and let them through
else If not exceeding meter1a // but exceeded meter1
    put a label of 21 on them and let them through
else // exceeded both meters
    drop

The Ingress policer follows the cascading rules of CISCO's CAR (except
we have more powerful filtering rules and I was going to add some more
interesting things when I get time).
So CISCO is a good source of documentation as well on how to do
things ;->

And now the script:
Please ignore the PIR/CIR/CBS/EBS semantics; this script was extracted
from one that did Juha Heinanen's color blind marker.

----------------------------- Cut here --------------------

#! /bin/sh -x
#
# sample script on using the ingress capabilities using u32 classifier
# with
# This is sort of "color blind"
# the minor number becomes the label used on the
# JHS: 2000/03/28
#
#
############## START: parameters you might need to change ###################
#
# Location of the iproute2 directory
IPROUTE=/root/iproute2
# tc's paths
TC=$IPROUTE/tc/tc
# The input device where packets come in
INDEV=eth1
# Two committed Information rates; you have two of them;
# play with them to tweak things if you wish
#
CIR1=1000kbit
# The PIR is the excess (in addition to the CIR i.e if always
# going to the PIR --> average rate is CIR+PIR)
PIR1=1000kbit
# The CBS is about 60 MTU sized packets
CBS1=90k
# the EBS is about 10 max sized packets
EBS1=15k
# The meters using these parameters
meter1=" police rate $CIR1 burst $CBS1 "
meter1a=" police rate $PIR1 burst $EBS1 "
############## END: parameters you might need to change ###################

# install the ingress qdisc on the ingress interface
############################################################
$TC qdisc add dev $INDEV handle ffff: ingress
############################################################
#
############################################################
#
# anything from host 10.2.1.10/32 is passed on with a tcindex value 1
# if it doesn't exceed its restrictions
#

# Create the outgoing label 20
mplsadm -v -A -O gen:20:eth0:ipv4:10.2.0.1

# grab the KEY for gen:20:eth0
KEY=`grep 'gen 20' /proc/net/mpls_out | cut -d' ' -f1`

$TC filter add dev $INDEV parent ffff: protocol ip prio 1 u32 \
match ip src 10.2.1.10/32 $meter1 \
drop flowid :$KEY

# remove the "drop" above and replace with "continue"
# also uncomment the three lines below to allow the described
# sample in the notes above the start of script
#
# Create the outgoing label 21
# mplsadm -v -A -O gen:21:eth0:ipv4:10.2.0.1
#
# grab the KEY for gen:21:eth0
# KEY2=`grep 'gen 21' /proc/net/mpls_out | cut -d' ' -f1`
#
#$TC filter add dev $INDEV parent ffff: protocol ip prio 2 u32 \
#match ip src 10.2.1.10/32 $meter1a \
#continue flowid :$KEY2

# deleting the ingress qdisc
#$TC qdisc del dev $INDEV ingress

XXXXXXXXXXXXXXXXXXXX END SCRIPT HERE XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Testing the above:
------------------

1) Install the scripts on LER A and the LSR but not on LER B.
2) ftp with data going from Host B --> Host A, i.e. from Host A ftp
   to Host B and do a get.
   You should observe a high rate >= 5Mbps, depending on how good your
   connections are (whether switched/hubbed etc).
3) quit from the ftp
4) now turn on ingress policing on LER B
5) ftp again with data going from Host B --> Host A (as in step 2).
   You should observe a restriction to around 1Mbps + or - a few error
   values which can be tuned further later on.

-----------------------------------------------------------------------

General tidbits:
---------------

1) The following script is a sample on how to display stats etc useful
for debugging.
This is for LER A (serves as an example):

----------------------------- Cut here --------------------

echo "---- MPLS details ----------"
mplsadm -v
INDEV=eth1
TC=/root/iproute2/tc/tc
echo "---- qdisc parameters Ingress ----------"
$TC qdisc ls dev $INDEV
echo "---- filter parameters Ingress ----------"
$TC filter -s ls dev $INDEV parent ffff:

XXXXXXXXXXXXXXXXXXXX END SCRIPT HERE XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

2) To see the labelling properly at the different points in the network
topology use tcpdump in conjunction with AMY's patches. This will not
work properly, it needs some beautification code that I did submit to
Jim that he either forgot to include or chose not to.

3) To enable ingress in the kernel: for the sake of simplicity, just
select everything under the QoS options. Also you must select the
netfilter/packet filtering options. Don't select the debugging for
packet filtering unless you want to see volumes of useless logs.
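
The meter1 / meter1a cascade from the ingress policing section, and the restriction to around 1Mbps expected in the test steps, modelled as an added example (a simplified token-bucket model, not tc's implementation and not part of the original README). Assumptions: a constant 5 Mbit/s offered load of 1500-byte packets for 10 seconds, 1000kbit read as 1,000,000 bit/s, and a "k" burst read as 1024 bytes; Meter, police and rate_mbit are illustrative names.

```python
# Added example: a model of the cascade, not tc's implementation.
# Assumed unit reading: 1000kbit = 1,000,000 bit/s; "k" burst = 1024 bytes.
CIR1, CBS1 = 1_000_000, 90 * 1024      # meter1:  rate bit/s, burst bytes
PIR1, EBS1 = 1_000_000, 15 * 1024      # meter1a: rate bit/s, burst bytes

class Meter:
    """Token bucket counted in bits; starts full, refilled lazily."""
    def __init__(self, rate_bit_s, burst_bytes):
        self.rate, self.cap = rate_bit_s, burst_bytes * 8
        self.tokens, self.last_us = self.cap, 0

    def conforms(self, now_us, size_bytes):
        gained = (now_us - self.last_us) * self.rate // 1_000_000
        self.tokens = min(self.cap, self.tokens + gained)
        self.last_us = now_us
        if self.tokens < size_bytes * 8:
            return False                 # exceeded: no tokens are consumed
        self.tokens -= size_bytes * 8
        return True

def police(cascade, offered_bit_s=5_000_000, pkt_bytes=1500, seconds=10):
    """cascade: list of (label, Meter). Returns packet counts per outcome."""
    gap_us = pkt_bytes * 8 * 1_000_000 // offered_bit_s
    counts = {label: 0 for label, _ in cascade}
    counts["drop"] = 0
    for now_us in range(0, seconds * 1_000_000, gap_us):
        for label, meter in cascade:     # first meter that conforms wins
            if meter.conforms(now_us, pkt_bytes):
                counts[label] += 1
                break
        else:
            counts["drop"] += 1          # exceeded every meter in the cascade
    return counts

def rate_mbit(packets, pkt_bytes=1500, seconds=10):
    """Average rate carried by `packets` packets over the run."""
    return packets * pkt_bytes * 8 / seconds / 1e6

if __name__ == "__main__":
    single = police([(20, Meter(CIR1, CBS1))])
    both = police([(20, Meter(CIR1, CBS1)), (21, Meter(PIR1, EBS1))])
    for name, c in (("meter1 only", single), ("meter1 + meter1a", both)):
        print(name, {k: f"{v} pkts, {rate_mbit(v):.2f} Mbit/s"
                     for k, v in c.items()})
```

The label 20 average comes out slightly above 1 Mbit/s because the 90k burst passes at line rate before the bucket empties; a longer run brings the average closer to the configured rate.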