http://www.oracle.com/technetwork/java/archive-139210.html

Finishing of the CCNA Security

1. IPv6
2. CCNP BGP labs
3. CCNP OSPF labs

Also I would like to start doing my labs with IPv6, I will hopefully be able to accomplish this.

I have also just changed the blog theme, see the bottom of the page for theme name and the author details.

Info on about ZBF can be found at the following links:

Overview on the config for ZBF

More Indepth look from Cisco (12.4T)

Video about ZBF from ipexpert.com

We have two security zones defined, “in-zone” & “out-zone”

code 1
!
zone security in-zone
zone security out-zone
!
!
interface FastEthernet0/1
description $FW_INSIDE$
ip address 192.168.3.1 255.255.255.0
zone-member security in-zone
speed 100
full-duplex
!
interface Serial0/1
description $FW_OUTSIDE$
ip address 10.2.2.1 255.255.255.252
zone-member security out-zone
clock rate 2000000
!

We have a Zone Pair called “sdm-zp-in-out” which looks at traffic sourced from “in-zone” destined to “out-zone”. The zone pair has a service policy which is inspecting a policy-map called “sdm-inspect”

!
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!

The Policy Map is shown below, it contains four named class-maps and a default one, you can see the action that will be taken if traffic is matched against the class maps. Further down the page I will paste each of the class-maps.

!
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
!

The first class-map is called “sdm-invalid-src”, this will match traffic in Access-list 100. This is not a permit or deny ACL its a match or no match ACL. So if a packet arrive with a source address of 10.2.2.1 it will match ACL 100 and then the above service policy will drop the packet. This particular class-map is preventing spoofing from some invalid sources as seen from the inside interface fa0/1.

!
class-map type inspect match-all sdm-invalid-src
 match access-group 100
!
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.2.2.0 0.0.0.3 any
!

The second class-map is called “sdm-insp-traffic”, this will match traffic from another class-map called “sdm-cls-insp-traffic”. The class-map called “sdm-cls-insp-traffic”

!
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
!
 class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
!

The third class-map matches http and is called “sdm-potocol-http”

!
class-map type inspect match-all sdm-protocol-http
 match protocol http
!

The fourth class-map matches three protocols and is called “SDM-Voice-permit”

!
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
!

The final class-map is called class-default and it matches any and permits it.

!
class-map
 Class Map match-any class-default (id 0)
   Match any
!

The match-all and match-any Keywords

The match-all and match-any keywords need to be specified only if more than one match criterion is configured in the traffic class.

The match-all keyword is used when all of the match criteria in the traffic class must be met in order for a packet to be placed in the specified traffic class.

The match-any keyword is used when only one of the match criterion in the traffic class must be met in order for a packet to be placed in the specified traffic class.

If neither the match-all nor match-any keyword is specified, the traffic class will behave in a manner consistent with match-all keyword.

1. What happens if I run macof without PortSecurity enabled?
2. What happens if I run macof with PortSecurity in its different forms?
3. What will happen if I change my MAC address?

Topology, Equipment & Software Using a laptop plugged into FastEthernet0/2 on a 2950 switch, on the laptop I will be using a piece if software called “macof” to generate masses of source MAC addresses.

Fig1 – Laptop plugged into Cisco 2950 switch, the laptop is also connected to the console port.

What happens if I run macof without PortSecurity enabled?

Well as you would expect the switch ‘failsopen’ and should therefor act like a hub/repeater and forward all frames out of all interfaces, although I didn’t see this happening when I tried to user Wireshark and sniff the traffic (I will keep trying until i can prove this works)

What happens if I run macof with PortSecurity in its different forms?

Here are the config options for “port-security”

switch(config-if)# switchport mode access

!Set the interface mode as access!

switch(config-if)# switchport port-security

!Enable port-security on the interface!

switch(config-if)# switchport port-security mac-address { <mac_addr> | sticky }

!Enable port security on the MAC address as H.H.H or record the first MAC addresses connected to the interface!

switch(config-if)# switchport port-security maximum <max_addresses>

!Set maximum number of MAC addresses on the port!

switch(config-if)# switchport port-security violation { protect | restrict | shutdown }

!Protect, Restrict or Shutdown the port. Cisco recommends the shutdown option, shutdown is the default!







Violation Shutdown

!
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security maximum 5
switchport port-security mac-address sticky
switchport port-security violation shutdown
end
!

Now to run the macof software to flood the CAM table, this is done from a Linux PC







As soon as the CAM table passes 5 mac addresses I saw the following message.

2950_sw_1#
12:54:44: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state
12:54:44: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6cca.e319.99e3 on po.
12:54:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down
12:54:46: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to down

I noticed that the port fa0/2 went into “errordisable” so I wanted to check.

2950_sw_1#sh int f0/2 status                                                                                          

Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/2                        err-disabled 10           auto   auto 10/100BaseTX
2950_sw_1#

When I then looked at the config for fa0/2 it showed that the first 5 source mac addresses learned when then written into the config, this is what the sticky feature does. It allows the mac addresses to be saved even after a reload.

!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0013.72a5.6d34
 switchport port-security mac-address sticky 3ea4.e70a.f669
 switchport port-security mac-address sticky 58ec.bf7f.8377
 switchport port-security mac-address sticky 7cf5.5864.15d2
 switchport port-security mac-address sticky ee6b.f378.a2a1
 spanning-tree portfast
end

To finish an reset port-security config the config back to before it learned and mac addresses I used the following command. Please assume I did these each time before running macof again.

 2950_sw_1#clear port-security sticky

Violation Protect



Violation Protect learns the mac addresses, doesn’t send a syslog, doesn’t shut/errordisable the port.
In the config above only the first five source mac addresses will be allowed pass frames.

!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation protect
 switchport port-security mac-address sticky
 spanning-tree portfast
end
!

Now to run the macof software to flood the CAM table.




I didn’t see and logging on the console screen and I had to look at the config to see the changes.

!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0013.72a5.6d34
 switchport port-security mac-address sticky 0048.8305.ff6e
 switchport port-security mac-address sticky 0632.0036.908b
 switchport port-security mac-address sticky 36bc.5370.cd65
 switchport port-security mac-address sticky a0ec.090c.14e1
 spanning-tree portfast
end

!
2950_sw_1#sh int f0/2 status                                                                                         

Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/2                        connected    10         a-full  a-100 10/100BaseTX
2950_sw_1#

Violation restrict




With the restrict violation a Syslog message is sent, but port not shut or in errordisable.

Now to run the macof software to flood the CAM table.

2950_sw_1#
13:20:32: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address ce96.df1b.275e on port FastEthernet0/2

Here is what was written to the config

!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0013.72a5.6d34
 switchport port-security mac-address sticky 72dd.5e68.afd5
 switchport port-security mac-address sticky a47a.9a59.fc41
 switchport port-security mac-address sticky c4f0.8269.136a
 switchport port-security mac-address sticky d83c.7f68.93fb
 spanning-tree portfast
end

And the interface is still up but only forwarding for the mac addresses it learn’t

2950_sw_1#sh int f0/2 status                                                                                         

Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/2                        connected    10         a-full  a-100 10/100BaseTX
2950_sw_1#

And finally I used the command “show port-security” to see the information about port-security.

!
2950_sw_1#sh port-sec
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/2              5            5                  0          Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 4
Max Addresses limit in System (excluding one mac per port) : 1024                                                    

2950_sw_1#
!

http://nptel.iitm.ac.in/video.php?courseId=1061 = Ten Videos focusing on Internet Technologys

http://nptel.iitm.ac.in/video.php?courseId=1081 = Ten Videos focusing on Data Communication

http://nptel.iitm.ac.in/video.php?courseId=1050 = Ten Videos focusing on Computer Organization

More vids

This is a very simple packet analysis to show what happens when we connect (ssh in this case) from PC1 to the IP address of PC2.

[edit] I might come back to this and edit it when I have more time. I hope to show more about what ssh is doing with key-exchanging and a more detail explination on information within the whole trace. This was more of an exercise on posting the information.

Firstly PC1 needs to know how to get to PC2 on a layer2 (switched network) so it does and ARP broadcast, on hearing the Broadcast PC2 responds to the ARP request as the owner of the IP address with its MAC address. As seen in the picture below as packets 1 & 2.

Now PC1 knows the MAC address it can start to connect to the SSH daemon running on PC2, as SSH is a TCP protocol it starts the three-way handshake. Packet 4 shows the [SYN] synchronise bit set in the TCP header, packet 5 show the [ACK] acknowledgement to the [SYN] in packet 4 and a [SYN] of its own. Packet 6 is the [ACK] to [SYN] in packet 5.

From this point on the two PCs are connected, when its time to finish the connection PC 1 set the [FIN] finish bit in the TCP header, PC2 responds with an [ACK] and also sends a [FIN] packets 63 & 64

This is a follow on lab from the basic site to site lab I created a few days ago it has the addition of GRE so I can have dynamic routing protocols accross the VPN.

Here is the relevant config for the router IPSec_remote, notice that the tunnel interface is defined but shut down on this side

!
hostname IPSec_remote
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 32000
crypto isakmp key 6 poophead address 50.0.0.10
!
!
crypto ipsec transform-set TOHO ah-sha-hmac esp-aes
!
crypto map TOHO 10 ipsec-isakmp
set peer 50.0.0.10
set transform-set TOHO
match address 100
!
!
!
interface Loopback0
ip address 192.168.200.200 255.255.255.255
!
interface Tunnel1
ip address 10.0.2.2 255.255.255.252
shutdown
tunnel source FastEthernet0
tunnel destination 50.0.0.10
!
interface Ethernet0
ip address 10.0.1.254 255.255.255.0
half-duplex
!
interface FastEthernet0
ip address 50.0.0.1 255.255.255.252
speed 100
full-duplex
crypto map TOHO
!
router ospf 1
log-adjacency-changes
network 10.0.1.0 0.0.0.255 area 1
network 10.0.2.0 0.0.0.3 area 1
network 192.168.200.0 0.0.0.255 area 1
!
ip route 0.0.0.0 0.0.0.0 50.0.0.2
!
!
access-list 100 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit icmp 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit gre any any
!

Here is route table, only connected and static routes

!
IPSec_remote#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 50.0.0.2 to network 0.0.0.0
50.0.0.0/30 is subnetted, 1 subnets
C       50.0.0.0 is directly connected, FastEthernet0
192.168.200.0/32 is subnetted, 1 subnets
C       192.168.200.200 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
C       10.0.1.0 is directly connected, Ethernet0
S*   0.0.0.0/0 [1/0] via 50.0.0.2

Here we can see that the IPSec VPN is up with peer 50.0.0.10 which is R4

IPSec_remote#sh cry isakmp sa

dst             src             state          conn-id slot status
50.0.0.10       50.0.0.1        QM_IDLE              1    0 ACTIVE

We can ping over to e0 interface on R4 which shows us that the VPN is working.

IPSec_remote#ping 10.0.0.254 source e0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.254, timeout is 2 seconds:
Packet sent with a source address of 10.0.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/121/224 ms

Now lets see the config on R4(HO-VPN-1)

!
hostname HO-VPN-1
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 32000
crypto isakmp key 6 renshaw address 50.0.0.1
!
!
crypto ipsec transform-set TOVPNREMOTE ah-sha-hmac esp-aes
!
crypto map TOVPNREMOTE 10 ipsec-isakmp
set peer 50.0.0.1
set transform-set TOVPNREMOTE
match address 100
!
interface Loopback0
ip address 192.168.100.100 255.255.255.255
!
interface Tunnel1
ip address 10.0.2.1 255.255.255.252
tunnel source FastEthernet0
tunnel destination 50.0.0.1
!
interface Ethernet0
ip address 10.0.0.254 255.255.255.0
half-duplex
!
interface FastEthernet0
ip address 50.0.0.10 255.255.255.248
speed 100
full-duplex
crypto map TOVPNREMOTE
!
router ospf 1
log-adjacency-changes
network 10.0.0.0 0.0.0.255 area 1
network 10.0.2.0 0.0.0.3 area 1
network 192.168.100.0 0.0.0.255 area 1
!
ip route 0.0.0.0 0.0.0.0 50.0.0.9
!
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit icmp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit gre any any
!

Lets look at the route table, again all connected and static only

HO-VPN-1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 50.0.0.9 to network 0.0.0.0

50.0.0.0/29 is subnetted, 1 subnets
C       50.0.0.8 is directly connected, FastEthernet0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.0.2.0/30 is directly connected, Tunnel1
C       10.0.0.0/24 is directly connected, Ethernet0
192.168.100.0/32 is subnetted, 1 subnets
C       192.168.100.100 is directly connected, Loopback0
S*   0.0.0.0/0 [1/0] via 50.0.0.9

Lets ping to e0 on IPSec_remote router

HO-VPN-1#ping 10.0.1.253 sou e0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.253, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/318/704 ms

Ok so we have seen the config for both routers and we saw the IPsec tunnel no lets do a “no shut” on the tunnel interface on the IPSec_remote router, we should then see a OSPF message as OSPF forms a neighbour adjacency..

IPSec_remote#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
IPSec_remote(config)#int tun 1
IPSec_remote(config-if)#no shut
IPSec_remote(config-if)#

*Mar  1 00:22:58.295: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.100.100 on Tunnel1 from LOADING to FULL, Loading Done
*Mar  1 00:22:59.271: %LINK-3-UPDOWN: Interface Tunnel1, changed state to up
*Mar  1 00:23:00.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up

and no as seem from R4(HO-VPN-1)

HO-VPN-1#
*Mar  1 00:24:02.395: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.200.200 on Tunnel1 from LOADING to FULL, Loading Done

Lets look at the routing table of both routers we should see the OSPF learned routes

IPSec_remote#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 50.0.0.2 to network 0.0.0.0

50.0.0.0/30 is subnetted, 1 subnets
C       50.0.0.0 is directly connected, FastEthernet0
192.168.200.0/32 is subnetted, 1 subnets
C       192.168.200.200 is directly connected, Loopback0
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.0.2.0/30 is directly connected, Tunnel1
O       10.0.0.0/24 [110/11121] via 10.0.2.1, 00:00:54, Tunnel1
C       10.0.1.0/24 is directly connected, Ethernet0
192.168.100.0/32 is subnetted, 1 subnets
O       192.168.100.100 [110/11112] via 10.0.2.1, 00:00:54, Tunnel1
S*   0.0.0.0/0 [1/0] via 50.0.0.2

R4 routing table

HO-VPN-1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 50.0.0.9 to network 0.0.0.0

50.0.0.0/29 is subnetted, 1 subnets
C       50.0.0.8 is directly connected, FastEthernet0
192.168.200.0/32 is subnetted, 1 subnets
O       192.168.200.200 [110/11112] via 10.0.2.2, 00:01:30, Tunnel1
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.0.2.0/30 is directly connected, Tunnel1
C       10.0.0.0/24 is directly connected, Ethernet0
O       10.0.1.0/24 [110/11121] via 10.0.2.2, 00:01:30, Tunnel1
192.168.100.0/32 is subnetted, 1 subnets
C       192.168.100.100 is directly connected, Loopback0
S*   0.0.0.0/0 [1/0] via 50.0.0.9

Lab Description:

The purpose of this lab is to created a IPSec site to site VPN between two routers “IPSec_remote” and “R4”. The routers IPS1 & R2 are simulating IPS routers and are routing the traffic between “IPSec_remote” & “R4”. Below is the interface addressing for the two routers:

IPSec_remote:

f0: 50.0.0.2/30
e0: 10.0.1.254/24

R4:

f0: 50.0.0.10/29
e0: 10.0.0.254/24

Both R4 & IPSec_remote and NOT doing Port Address Translation as I want all traffic to traverse the VPN tunnel.

Here is the relevant config for both routers:

IPSec_remote:

!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 32000
!
crypto isakmp key 6 worksucks address 50.0.0.10
!
!
crypto ipsec transform-set TOHO ah-sha-hmac esp-aes
!
crypto map TOHO 10 ipsec-isakmp
set peer 50.0.0.10
set transform-set TOHO
match address 100
!
!
interface FastEthernet0
ip address 50.0.0.1 255.255.255.252
speed 100
full-duplex
crypto map TOHO
!
!
access-list 100 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit icmp 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!

R4:

!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 32000

crypto isakmp key 6 worksucks address 50.0.0.1
!
!
crypto ipsec transform-set TOVPNREMOTE ah-sha-hmac esp-aes
!
crypto map TOVPNREMOTE 10 ipsec-isakmp
set peer 50.0.0.1
set transform-set TOVPNREMOTE
match address 100
!
!
interface FastEthernet0
ip address 50.0.0.10 255.255.255.248
speed 100
full-duplex
crypto map TOVPNREMOTE
!
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit icmp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
!

For testing the VPN I ping from “PC_remote” 10.0.1.253 to “R6” 10.0.1.253:

remotePC#ping 10.0.0.253
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.253, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 148/324/796 ms

Jump onto IPSec_remote

IPSec_remote#sh crypto isakmp sa
dst         src           state       conn-id slot status
50.0.0.1 50.0.0.10 QM_IDLE 1 0 ACTIVE

So this is our basic site-to-site VPN, next I will add GRE so I can use routing protocols across the VPN tunnel.

Cisco Express Forwarding (CEF)
Prerequist for MPLS, builds a forwarding table for hardware switching instead of process switching (routing), runs in the control plane.

Forwarding information base (FIB)
The FIB is built by CEF baised on the entrys in the routing table, resides in the dataplane.

Label Distrabution Protocol (LDP)
Protocol (rfc3036) that forwards labels to neighbours an generates and label information base (LIB), runs int the control plane.

Label Forward Information Base (LFIB)
The LFIB is the next hop table formed from the LIB, it runs in the data plane.

Label Switch Router (LSR)
Router witch is performing MPLS label switching

Edge Label Switch Router (edgeLSR)
Router performing MPLS label switching, label imposing and label removal.

Label Switch Path (LSP)
Path which the label packet with take through the MPLS network.

Provider Router (P)
Router that is only doing label switching in MPLS

Provider Edge (PE)
Router that has interfaces in the MPLS network and IP network

Customer Edge (CE)
Router that resides at the customer site connects to the PE routers using IP

Lab setup:

This is a messy setup but it was one that I slapped on the play with MPLS, I also wanted to play with MP-BGP and VPNs hence the extra un-named routers that I will used later at some point.

I have configured this using mainly GNS3 which I broke out onto real equipment using USB NICs, PE-3 is a real 2621 router as is the Internet as I broke out and used PAT to get out onto the internet.

1. Configure P routers with OSPF interfaces all in area0
2. Configure P2 & P4 interface with OSPF area 1
3. Configure PE router with OSPF interfaces in area 1
4. Configure CE routers with static routes pointing at next hop interfaces.

This is the interface config before the MPLS config is applied,

!
interface Loopback0
 ip address 100.0.0.100 255.255.255.255
 ip ospf 1 area 1
!
interface FastEthernet0/0
 description link-to-CE-1r1
 ip vrf forwarding phillips
 ip address 50.0.0.5 255.255.255.252
 duplex full
 speed auto
!
interface GigabitEthernet1/0
 description link-to-P2-backbone
 ip address 100.0.0.17 255.255.255.252
 ip ospf authentication message-digest
 ip ospf authentication-key june
 ip ospf 1 area 1
 negotiation auto
!
PE-1#sh mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
25     Aggregate   50.0.0.4/30[V]    0
!

Add the config, first to Gig1/0 which is the interface facing into the WAN,
notice the message below, a LDP adjacancy formed with 100.0.0.0.18

!
PE-1(config)#int g1/0
PE-1(config-if)#mpls label protocol ldp
PE-1(config-if)#mpls mtu 1508
PE-1(config-if)#mpls ip
PE-1(config-if)#^Z
PE-1#
*Jun 16 18:48:04.603: %LDP-5-NBRCHG: LDP Neighbor 100.0.0.18:0 (1) is UP
!

The adjacancy with 100.0.0.18 means we get all the labels for upstream LSRs, look at the entry for 100.0.0.102/32 which is the loopback0 address for PE-2. The local tag is 16 and outgoing tag is 23 which has been recieived by P2. On P2 we can see an entry for 100.0.0.102/32, if we get a tagged frame with the lable 23 it will get swapped for lable 23 and sent out Gi1/0 to P1

!
PE-1#sh mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     23          100.0.0.102/32    0          Gi1/0      100.0.0.18
17     19          100.0.0.103/32    0          Gi1/0      100.0.0.18
18     20          100.0.0.4/30      0          Gi1/0      100.0.0.18
19     Pop tag     100.0.0.0/30      0          Gi1/0      100.0.0.18
20     21          100.0.1.0/30      0          Gi1/0      100.0.0.18
21     17          100.0.0.12/30     0          Gi1/0      100.0.0.18
22     Pop tag     100.0.0.8/30      0          Gi1/0      100.0.0.18
23     22          100.0.0.20/30     0          Gi1/0      100.0.0.18
24     18          100.0.0.24/30     0          Gi1/0      100.0.0.18
25     Aggregate   50.0.0.4/30[V]    0
!

LFIB table from P2

P2-backbone#sh mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     100.0.0.100/32    1587       Gi3/0      100.0.0.17
17     Pop tag     100.0.0.12/30     0          Gi2/0      100.0.0.10
18     Pop tag     100.0.0.24/30     0          Gi2/0      100.0.0.10
19     Pop tag     100.0.0.103/32    252        Gi2/0      100.0.0.10
20     Pop tag     100.0.0.4/30      0          Gi1/0      100.0.0.1
21     Pop tag     100.0.1.0/30      0          Gi1/0      100.0.0.1
22     21          100.0.0.20/30     0          Gi2/0      100.0.0.10
       22          100.0.0.20/30     732        Gi1/0      100.0.0.1
23     22          100.0.0.102/32    0          Gi2/0      100.0.0.10
       23          100.0.0.102/32    3761       Gi1/0      100.0.0.1
50.0.0.0/30[V]    0          Gi1/0      100.0.0.18
PE-1#

A great overview on MPLS from Keith Barker CCIE #6783