KittUnderlay MPLS and VRF Architecture

KittUnderlay MPLS and VRF Architecture (WIP Draft)

Introduction

While simpler approaches like VRF-Lite or Policy-Based Routing (PBR) could isolate traffic using a single routing table per session, they fall short when scaling with Route Reflectors. With RRs distributing routes to multiple clients, VRF-Lite/PBR lacks the label-based forwarding needed to maintain proper isolation across the fabric. MPLS provides the necessary separation—each VRF route carries its own label, ensuring traffic reaches the correct routing instance even when passing through intermediate RRs.

KittUnderlay selectively uses MPLS for VRF route distribution, enabling proper network segmentation and traffic isolation. This approach reserves MPLS specifically for VRF-associated routes, where label-based forwarding provides clear benefits.

MPLS in KittUnderlay

MPLS is reserved specifically for VRF-associated routes, where label-based forwarding provides clear benefits in segmentation and traffic isolation. Unlike traditional MPLS deployments that might label all routes, KittUnderlay applies MPLS only where it adds value.

Key Goals for MPLS/VRF

Apply MPLS only where it adds value (VRF segmentation)
Maintain clear separation of global and VRF routing planes
Enable proper isolation and label-based forwarding between different routing instances

VRF Routing with MPLS

MPLS is used exclusively for VRF routes, enabling proper isolation and label-based forwarding between different routing instances.

BGP Template Configuration

The BGP template enables MPLS label distribution for VRF routes while maintaining separation from the global routing table:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
template bgp kittunderlay {
  local port 1790;
  neighbor port 1790;
  rr client;
  path metric off;
  ipv4 mpls {
    extended next hop;
    next hop self;
    import keep filtered;
    import filter {
      if is_valid4_loopback() then {
        accept;
      } else reject;
    };
    export filter { if is_valid4_loopback() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; };
    import limit 1000 action block;
  };
  ipv6 mpls {
    next hop self;
    import keep filtered;
    import filter {
      if is_valid6_loopback() then {
        accept;
      } else reject;
    };
    export filter { if is_valid6_loopback() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; };
    import limit 1000 action block;
  };
  mpls {
    label policy aggregate;
  };
}

VRF-Specific BGP Sessions

Each VRF instance establishes BGP sessions with MPLS label distribution:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# <IFNAME>
# L: AS4242421945 | R: AS4242421945
protocol bgp <IFNAME> from kittunderlay {
  # disabled;
  local as 4242421945;
  neighbor fe80::xxxx as 4242421945;
  interface "<IFNAME>";
  direct;
  ipv4 mpls { # Inform MPLS labels in addition to loopback routes
    import filter {
      if ( is_valid4_loopback() ) then {
        # here use some additional functions to set MED / communities
        accept;
      }
      reject;
    };
  };
  ipv6 mpls { # Inform MPLS labels in addition to loopback routes
    import filter {
      if ( is_valid6_loopback() ) then {
        # here use some additional functions to set MED / communities
        accept;
      }
      reject;
    };
  };
  mpls {
    label policy aggregate;
  };
}

MPLS Label Handling

The label policy aggregate in the BGP template ensures efficient MPLS label allocation for VRF routes. This approach:

Reduces label consumption by aggregating when possible
Maintains proper forwarding state for VRF instances
Enables seamless traffic isolation between routing tables

Features

✅ Clear separation of global and VRF routing planes
✅ MPLS integration for VRF-specific traffic only
✅ NixOS friendly configurations

Getting Started

Planned documentation will include:

Enabling VRFs with MPLS-based forwarding
Understanding MPLS label distribution for VRF routes
Configuring VRF instances and route distinguishers
Verifying VRF isolation and forwarding behavior

MPLS in KittUnderlay is about applying the right level of complexity—using label-based forwarding only where it provides clear benefits for traffic segmentation.