This post represents the solution and explanation for quiz-8.
Have a look at the quiz to understand the problem.

Quiz Review & Solution

In this scenario, the MPLS Core team brings up a new link between the PE-1 and P-4 routers. All links have the same OSPF cost, so, as can be seen in the diagram, the new link will be chosen as the best path between the PEs:

[Diagram: ldp-igp-synchronization]

The problem hidden in this quiz is that the network engineer forgot to enable LDP on the new link. This mistake causes a connectivity outage for the customers using MPLS VPN services because OSPF (the IGP inside the MPLS core) will choose this new link as the best path and the VPN packets will be sent untagged over it (since LDP is not yet configured). As a result, the core of the MPLS network (the P routers) will drop them (as they don't have information about VPNs).

I agree with your comments that it is very unlikely for a core engineer to forget this, but that quiz represents an introduction to this current article, and anyway, you should never exclude any kind of mistake when implementing network changes (in the end, even the core engineer is human and prone to mistakes).

The solution to this quiz is to enable MPLS on the new interface (either using mpls ip at the interface level or via other methods such as mpls ldp autoconfig under the OSPF process).

Contrary to what some people commented, the suggestion to enable LDP-IGP synchronization could be a solution by itself, alone, only in certain scenarios! To cover all situations, LDP-IGP sync (mpls ldp sync) should be accompanied by LDP Autoconfiguration (mpls ldp autoconfig). I will present a few test cases on this topic below.

MPLS LDP-IGP Synchronization is a feature enabled under the IGP process (OSPF or IS-IS) that protects against packet loss when the IGP peering is established before LDP label exchange is completed (because, in these cases, packets will be sent untagged on that link, which will break MPLS VPN connectivity).

Test cases

PE-1#
router ospf 1
 mpls ldp sync
 network 0.0.0.0 255.255.255.255 area 0
!
interface FastEthernet0/1
 ip address 10.10.6.1 255.255.255.252
!
P-4#
router ospf 1
 mpls ldp sync
 network 0.0.0.0 255.255.255.255 area 0
!
interface FastEthernet0/0
 ip address 10.10.6.2 255.255.255.252
!
WARNING

The LDP-IGP synchronization feature does not protect against packet loss in this situation (and it does not represent a solution for our quiz!).

Although sync is enabled, its status is "Not required", so the protection is not triggered, as seen below:

PE-1#sh ip osp nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
4.4.4.4           1   FULL/DR         00:00:35    10.10.6.2       FastEthernet0/1
2.2.2.2           1   FULL/DR         00:00:38    10.10.1.2       FastEthernet0/0

PE-1#sh ip osp mpls ldp int fa0/1
FastEthernet0/1
  Process ID 1, Area 0
  LDP is not configured through LDP autoconfig
  LDP-IGP Synchronization : Not required
  Holddown timer is disabled
  Interface is up
PE-1#
PE-1#sh mpls ldp igp sync
    FastEthernet0/1:
        LDP not configured; LDP-IGP Synchronization enabled.
        Sync status: sync not achieved; peer reachable.
        Sync delay time: 0 seconds (0 seconds left)
        IGP holddown time: infinite.
        IGP enabled: OSPF 1
    
PE-1#sh ip cef 3.3.3.3
3.3.3.3/32, version 297, epoch 0, cached adjacency 10.10.6.2
...
    tag rewrite with Fa0/1, 10.10.6.2, tags imposed: {}

CE-2#ping 192.168.1.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!...................

As shown, the protection is not triggered: from the moment the OSPF adjacency comes up and the new best path towards PE-3 (3.3.3.3) goes via the new link that has no LDP on it, the end-to-end customer connectivity is lost!

PE-1#
router ospf 1
 mpls ldp sync
 network 0.0.0.0 255.255.255.255 area 0
!
interface FastEthernet0/1
 ip address 10.10.6.1 255.255.255.252
 mpls ip
!
P-4#
router ospf 1
 mpls ldp sync
 network 0.0.0.0 255.255.255.255 area 0
!
interface FastEthernet0/0
 ip address 10.10.6.2 255.255.255.252
!

The LDP-IGP synchronization does protect against the packet loss in this situation. It is interesting to note that the OSPF adjacency does not come up (on the side that has MPLS enabled) because LDP-IGP synchronization will keep the interface down for the OSPF process:

PE-1#sh ip ospf int br
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Fa0/1        1     0               10.10.6.1/30       1     DOWN  0/0
Lo0          1     0               1.1.1.1/32         1     LOOP  0/0
Fa0/0        1     0               10.10.1.1/24       1     BDR   1/1
PE-1#
PE-1#sh ip ospf mpls ldp interface fa0/1
FastEthernet0/1
  Process ID 1, Area 0
  LDP is not configured through LDP autoconfig
  LDP-IGP Synchronization : Required
  Holddown timer is not configured
  Interface is down and pending LDP
PE-1#
PE-1#sh mpls ldp igp sync
    FastEthernet0/1:
        LDP configured; LDP-IGP Synchronization enabled.
        Sync status: sync not achieved; peer reachable.
        Sync delay time: 0 seconds (0 seconds left)
        IGP holddown time: infinite.
        IGP enabled: OSPF 1
PE-1#sh ip cef 3.3.3.3
3.3.3.3/32, version 279, epoch 0, cached adjacency 10.10.1.2
...
    tag rewrite with Fa0/0, 10.10.1.2, tags imposed: {18}

CE-2#ping 192.168.1.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Note that the LDP-IGP sync is enabled and required on the side where MPLS is configured, and sync is not achieved, which triggers the protection!
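The difference between the first two test cases is visible in the first line of each interface block of "sh mpls ldp igp sync". The following check is an added example, not part of the original post: it classifies each interface from that output. The sample text is constructed from the outputs above; the interface names FastEthernet0/2 and FastEthernet0/0 and the "sync achieved" line are assumptions, and the state labels are hypothetical.

```python
import re

# Constructed sample: first block = test case 1, second = test case 2,
# third = a healthy link (assumed "sync achieved" wording).
SAMPLE = """\
    FastEthernet0/1:
        LDP not configured; LDP-IGP Synchronization enabled.
        Sync status: sync not achieved; peer reachable.
        IGP enabled: OSPF 1
    FastEthernet0/2:
        LDP configured; LDP-IGP Synchronization enabled.
        Sync status: sync not achieved; peer reachable.
        IGP enabled: OSPF 1
    FastEthernet0/0:
        LDP configured; LDP-IGP Synchronization enabled.
        Sync status: sync achieved; peer reachable.
        IGP enabled: OSPF 1
"""

IFACE = re.compile(r"^\s*(\S+):\s*$")  # a line holding only "<interface>:"

def parse_sync(output):
    """Return {interface: {"ldp_configured": bool, "sync_achieved": bool}}."""
    result, current = {}, None
    for line in output.splitlines():
        match = IFACE.match(line)
        text = line.strip()
        if match:
            current = result.setdefault(
                match.group(1), {"ldp_configured": False, "sync_achieved": False})
        elif current is not None and text.startswith("LDP configured"):
            current["ldp_configured"] = True
        elif current is not None and text.startswith("Sync status:"):
            current["sync_achieved"] = text.startswith("Sync status: sync achieved")
    return result

def classify(state):
    if not state["ldp_configured"]:
        return "UNPROTECTED"  # sync not required: OSPF uses the link, no labels
    if not state["sync_achieved"]:
        return "HELD_BACK"    # sync required but not achieved: protection active
    return "OK"

def audit_sync(output):
    return {name: classify(state) for name, state in parse_sync(output).items()}
```

Only the UNPROTECTED state corresponds to the outage in the quiz; HELD_BACK means the protection is doing its job and LDP on that link needs attention.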

LDP initially enabled at both ends and removed later

PE-1#
router ospf 1
 mpls ldp sync
 network 0.0.0.0 255.255.255.255 area 0
!
interface FastEthernet0/1
 ip address 10.10.6.1 255.255.255.252
 mpls ip
!
P-4#
router ospf 1
 mpls ldp sync
 network 0.0.0.0 255.255.255.255 area 0
!
interface FastEthernet0/0
 ip address 10.10.6.2 255.255.255.252
 mpls ip
!

If the mpls ip command is later removed from any end of the link, then the connectivity is lost as the router will change its status to "sync is not required" and remove the protection.

Actually it is always recommended to use the "LDP Autoconfiguration" feature under the OSPF process by configuring the command (config-router)#mpls ldp autoconfig, which will enable LDP on every interface associated with that IGP - OSPF in this case - and will not allow manual removal with "no mpls ip" from individual interfaces!
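A pre-change check for the recommendation above, as an added example that is not part of the original post: it reads a running-config and reports a missing mpls ldp sync or mpls ldp autoconfig, plus any addressed interface that OSPF would use without LDP. The config text is constructed from the PE-1 snippets, and the check assumes OSPF covers every addressed interface, as the network 0.0.0.0 statement in this lab does.

```python
# Constructed running-config, modelled on the PE-1 snippets in the post.
CONFIG = """\
router ospf 1
 mpls ldp sync
 network 0.0.0.0 255.255.255.255 area 0
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.10.1.1 255.255.255.0
 mpls ip
!
interface FastEthernet0/1
 ip address 10.10.6.1 255.255.255.252
!
"""

def sections(config):
    """Map each top-level command to the list of its indented sub-commands."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None
        elif not line.startswith(" "):
            current = out.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return out

def audit_config(config):
    """Assumes OSPF covers every addressed interface (network 0.0.0.0 ...)."""
    secs = sections(config)
    ospf = [c for head, cmds in secs.items() if head.startswith("router ospf") for c in cmds]
    sync = "mpls ldp sync" in ospf
    autoconfig = any(c.startswith("mpls ldp autoconfig") for c in ospf)
    findings = []
    if not sync:
        findings.append("OSPF: mpls ldp sync missing")
    if not autoconfig:
        findings.append("OSPF: mpls ldp autoconfig missing")
    for head, cmds in secs.items():
        name = head.split()[-1]
        if not head.startswith("interface ") or name.startswith("Loopback"):
            continue
        in_igp = any(c.startswith("ip address") for c in cmds)
        if in_igp and not autoconfig and "mpls ip" not in cmds:
            findings.append(name + ": OSPF will use this link without LDP")
    return findings
```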

LDP session initially ok but going down at a later time

Let's see how the LDP-IGP Synchronization helps in situations when, for whatever reason, the LDP session goes down on a link that is part of the IGP best path between PEs. To simulate this, I'll use an ACL to block the LDP session:

ip access-list extended DENY_LDP
 deny   udp any eq 646 any log
 deny   tcp any any eq 646 log
 deny   tcp any eq 646 any log
 deny   udp any any eq 646 log
 permit ip any any
!
PE-1(config)#int fa0/1
PE-1(config-if)#ip access-group DENY_LDP in
!

After this, the following will happen:

  • LDP session between PE-1 (1.1.1.1) and P-4 (4.4.4.4) will go down
  • OSPF peering between them will continue to stay up
  • LDP-IGP synchronization will be activated and will make OSPF announce the max-metric on that link
  • OSPF will reconverge using the other link where LDP is UP (fa0/0 on PE-1) and VPN connectivity will not be lost

PE-1(config-if)#
*Mar  1 02:41:46.987: %SEC-6-IPACCESSLOGP: list DENY_LDP denied tcp 4.4.4.4(49095) -> 1.1.1.1(646), 1 packet

PE-1(config-if)#do sh mpl ldp discover
 Local LDP Identifier:
    1.1.1.1:0
    Discovery Sources:
    Interfaces:
        FastEthernet0/0 (ldp): xmit/recv        !!! the only LDP peer is on Fa0/0 (P-2)
            LDP Id: 2.2.2.2:0
        FastEthernet0/1 (ldp): xmit             !!! no LDP peer on Fa0/1 due to ACL

PE-1(config-if)#do sh ip osp nei
Neighbor ID     Pri   State           Dead Time   Address         Interface
4.4.4.4           1   FULL/DR         00:00:32    10.10.6.2       FastEthernet0/1
2.2.2.2           1   FULL/DR         00:00:36    10.10.1.2       FastEthernet0/0

PE-1(config-if)#do sh ip cef 3.3.3.3
3.3.3.3/32, version 241, epoch 0, cached adjacency 10.10.1.2
0 packets, 0 bytes
  tag information set, shared
    local tag: 18
    fast tag rewrite with Fa0/0, 10.10.1.2, tags imposed: {18}
...

PE-1(config-if)#do sh ip osp database router 4.4.4.4
            OSPF Router with ID (1.1.1.1) (Process ID 1)

                Router Link States (Area 0)

  LS age: 476
  Options: (No TOS-capability, DC)
  LS Type: Router Links
  Link State ID: 4.4.4.4
  Advertising Router: 4.4.4.4
  LS Seq Number: 8000003C
  Checksum: 0xD224
  Length: 72
  Number of Links: 4

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 10.10.6.2
     (Link Data) Router Interface address: 10.10.6.2
      Number of TOS metrics: 0
       TOS 0 Metrics: 65535
...
PE-1(config-if)#do sh ip ospf mpls ldp int
FastEthernet0/1
  Process ID 1, Area 0
  LDP is configured through LDP autoconfig
  LDP-IGP Synchronization : Required
  Holddown timer is not configured
  Interface is up and sending maximum metric

In the end, I'd like to mention that the quiz may also have another solution by using LDP Session Protection via Targeted LDP Hellos... but this will be detailed in a separate post, maybe after another quiz ☻

Thank you for your comments in the quiz!