MPLS Basics

MPLS Basics

Version Info

RouterOS 7.16 | Min: v6.0+ | 25 minutes | Intermediate

Tested on: 7.16 7.14

Version-specific notes

• v7.0+: New command syntax uses slashes (/mpls/ldp/ instead of /mpls ldp)
• v7.0+: Dual-stack IPv4/IPv6 LDP support added
• v7.0+: VRF support for LDP instances

TL;DR (quick start)

For the impatient: basic LDP setup between two routers.

# Create loopback interface for stable LDP sessions
/interface/bridge/add name=lo
/ip/address/add address=1.1.1.1/32 interface=lo

# Configure LDP instance
/mpls/ldp/add lsr-id=1.1.1.1 transport-addresses=1.1.1.1

# Enable LDP on interfaces connected to MPLS network
/mpls/ldp/interface/add interface=ether1
/mpls/ldp/interface/add interface=ether2

# Verify LDP neighbors
/mpls/ldp/neighbor/print

Verify with:

/mpls/forwarding-table/print
# Should show labels assigned to routes

Overview

What this does: MPLS (MultiProtocol Label Switching) replaces traditional IP routing lookups with efficient label-based forwarding. Instead of examining destination IP addresses at each hop, routers swap short fixed-length labels, enabling faster forwarding decisions.

When to use this:

• Building service provider networks with traffic engineering
• Creating Layer 2 VPNs (VPLS) across routed networks
• Implementing MPLS IP VPN for customer isolation
• Optimizing forwarding in large networks
• Traffic engineering with explicit path control (RSVP-TE)

Prerequisites:

• IGP routing configured (OSPF or static routes) between all MPLS routers
• Loopback interfaces for stable LDP sessions
• Understanding of basic routing concepts

MPLS Limitations

MPLS forwarding bypasses IP header processing. NAT, firewall filters, and mangle rules do not apply to MPLS-switched traffic. These must be applied at ingress/egress points of the MPLS network.

Core concepts

What is MPLS?

Traditional IP routing examines the destination address of every packet at every hop, performing a longest-prefix match against the routing table. MPLS simplifies this by attaching a short label to packets. Routers then make forwarding decisions based on the label alone—a simple table lookup rather than a complex routing decision.

Label Switched Path (LSP)

An LSP is the path a labeled packet takes through the MPLS network:

1. Ingress (Push): First router determines packet should use MPLS, pushes a label
2. Transit (Swap): Intermediate routers swap incoming label for outgoing label
3. Egress (Pop): Final router removes the label and delivers via normal IP routing

Label Distribution Protocol (LDP)

LDP automatically distributes labels between routers. When LDP neighbors establish a session, they exchange label bindings for routes in their routing tables. This creates the label mappings needed for LSPs to form.

Penultimate Hop Popping (PHP)

PHP is an optimization where the second-to-last router removes the MPLS label instead of the egress router. The egress router receives an unlabeled packet, saving it from doing both label lookup and IP lookup. RouterOS uses PHP by default (advertises implicit-null label).

Label Switch Router (LSR)

Any router participating in MPLS label switching. The LSR-ID uniquely identifies each router in the MPLS domain—typically the loopback address.

Configuration steps

Step 1: plan your MPLS network

Before configuring, ensure:

• All routers have IGP connectivity (OSPF recommended)
• Each router has a unique loopback address
• Loopbacks are reachable from all other routers

Step 2: create loopback interface

Create a loopback for stable LDP sessions. LDP sessions should use loopbacks, not physical interfaces, because loopbacks don’t go down when a single link fails:

/interface/bridge/add name=lo
/ip/address/add address=1.1.1.1/32 interface=lo

Ensure the loopback is advertised in your IGP (OSPF/static routes).

Step 3: configure LDP instance

Create the LDP instance with your loopback as both LSR-ID and transport address:

/mpls/ldp/add lsr-id=1.1.1.1 transport-addresses=1.1.1.1

Parameter	Purpose
lsr-id	Unique identifier for this router in MPLS domain
transport-addresses	Source address for LDP TCP sessions

Step 4: enable LDP on interfaces

Enable LDP on interfaces connecting to other MPLS routers:

/mpls/ldp/interface/add interface=ether1
/mpls/ldp/interface/add interface=ether2

LDP sends hello packets on these interfaces to discover neighbors.

Step 5: verify LDP neighbors

Check that LDP sessions have established:

/mpls/ldp/neighbor/print

Expected output:

 #   PEER            LOCAL-TRANSPORT  OPERATIONAL  DYNAMIC
 0   2.2.2.2:0       1.1.1.1          yes          yes
 1   3.3.3.3:0       1.1.1.1          yes          yes

operational=yes indicates an active LDP session.

Step 6: verify MPLS forwarding table

Check that labels have been assigned to routes:

/mpls/forwarding-table/print

Expected output:

 #   PREFIX            LABEL   OUT-LABEL     NEXTHOPS
 0   2.2.2.2/32        17      impl-null     ether1
 1   3.3.3.3/32        18      19            ether1

• impl-null = Penultimate hop popping (you’re the second-to-last hop)
• Numeric label = Push this label when forwarding

Common scenarios

Scenario: three-router MPLS backbone

Set up MPLS between three routers (R1-R2-R3):

Router R1 (1.1.1.1):

/interface/bridge/add name=lo
/ip/address/add address=1.1.1.1/32 interface=lo
/mpls/ldp/add lsr-id=1.1.1.1 transport-addresses=1.1.1.1
/mpls/ldp/interface/add interface=ether1

Router R2 (2.2.2.2):

/interface/bridge/add name=lo
/ip/address/add address=2.2.2.2/32 interface=lo
/mpls/ldp/add lsr-id=2.2.2.2 transport-addresses=2.2.2.2
/mpls/ldp/interface/add interface=ether1
/mpls/ldp/interface/add interface=ether2

Router R3 (3.3.3.3):

/interface/bridge/add name=lo
/ip/address/add address=3.3.3.3/32 interface=lo
/mpls/ldp/add lsr-id=3.3.3.3 transport-addresses=3.3.3.3
/mpls/ldp/interface/add interface=ether1

Scenario: MPLS MTU configuration

If your network doesn’t support jumbo frames, set MPLS MTU to 1500:

/mpls/interface/add interface=ether1 mpls-mtu=1500
/mpls/interface/add interface=ether2 mpls-mtu=1500

MPLS adds 4 bytes per label. Default MTU is 1508, which may cause silent drops on networks with 1500-byte MTU limits.

Scenario: hide MPLS hops from traceroute

Disable TTL propagation to hide internal MPLS topology:

/mpls/settings/set propagate-ttl=no

With this setting, traceroute shows only ingress and egress routers, not transit hops.

Scenario: filter LDP to loopbacks only

Reduce label distribution to only loopback addresses (recommended for large networks):

# Only advertise labels for loopbacks
/mpls/ldp/advertise-filter/add prefix=1.1.1.0/24 advertise=yes
/mpls/ldp/advertise-filter/add prefix=0.0.0.0/0 advertise=no

# Only accept labels for loopbacks
/mpls/ldp/accept-filter/add prefix=1.1.1.0/24 accept=yes
/mpls/ldp/accept-filter/add prefix=0.0.0.0/0 accept=no

Scenario: dual-stack LDP (IPv4 and IPv6)

Configure LDP for both address families:

/mpls/ldp/add afi=ip,ipv6 lsr-id=1.1.1.1 \
    transport-addresses=1.1.1.1,2001:db8::1 preferred-afi=ipv6

Scenario: unique label ranges per router

Prevent label conflicts during network convergence:

# Router 1
/mpls/settings/set dynamic-label-range=4096-8191

# Router 2
/mpls/settings/set dynamic-label-range=8192-12287

# Router 3
/mpls/settings/set dynamic-label-range=12288-16383

Verification

Confirm your MPLS configuration is working:

Check 1: LDP neighbors

/mpls/ldp/neighbor/print

Expected: All neighbors show operational=yes.

Check 2: local label mappings

/mpls/ldp/local-mapping/print

Expected: Labels assigned to your routes.

Check 3: remote label mappings

/mpls/ldp/remote-mapping/print

Expected: Labels received from neighbors.

Check 4: MPLS forwarding table

/mpls/forwarding-table/print

Expected: Entries with labels and next-hops for remote destinations.

Check 5: ping with MPLS

Test end-to-end connectivity using loopbacks:

/ping 3.3.3.3 src-address=1.1.1.1

Traffic should be label-switched through the network.

Troubleshooting

Symptom	Cause	Solution
LDP neighbor not forming	No route to transport address	Verify IGP routes to loopbacks exist
LDP interface shows “invalid”	Interface is a bridge slave	Use the bridge interface, not slave ports
Forwarding table empty	LDP not distributing labels	Check LDP instance and interface config
Packets dropped silently	MPLS MTU larger than link MTU	Set mpls-mtu=1500 on all interfaces
LDP session flapping	Mismatched timers	Align hello-interval and hold-time with IGP
Filter changes not applied	Existing bindings not updated	Restart LDP neighbor or instance
No route through MPLS	LDP only follows active IGP routes	Verify OSPF/static routes exist

Debug: check LDP session state

/mpls/ldp/neighbor/print detail

Look for:

• operational=yes — Session established
• throttled=yes — Session failed, in backoff (up to 120s)
• dynamic=yes — Discovered via hello packets

Debug: check LDP interface status

/mpls/ldp/interface/print

Interfaces should not show “invalid” status.

Debug: verify IGP routes

LDP only distributes labels for active routes (not BGP by default):

/ip/route/print where dst-address~"2.2.2.2"

The route must exist before LDP will create a label binding.

Common Mistakes

• Using physical interface IPs as transport-addresses — Use loopbacks for stability
• Forgetting to advertise loopbacks in IGP — LDP needs routes to form sessions
• Enabling LDP on bridge slave ports — Use the bridge interface instead
• Expecting NAT/firewall to work on MPLS traffic — They don’t; apply at ingress/egress
• Mismatched MPLS MTU — Causes silent packet drops for large packets
• Not setting unique label ranges — Can cause issues during convergence

Community Tips

LDP Timer Alignment: Match LDP timers to your IGP dead interval to ensure LDP and OSPF converge together:

/mpls/ldp/interface/set [find] hello-interval=10s hold-time=40s

Loopback Naming: Use descriptive names for loopbacks (e.g., lo0 or loopback) rather than lo to avoid confusion with other bridge interfaces.

Verify Before Production: Test label switching with ping between loopbacks before deploying services. If ping works but traceroute shows direct IP path, LDP isn’t working.

Reserved Labels: Labels 0-15 are reserved. RouterOS allocates dynamic labels starting at 16 by default.

MPLS architecture overview

• CE routers connect customers to the MPLS network
• PE routers push/pop labels at network edges
• P routers only swap labels (fastest operation)

Device compatibility

Device Type	MPLS Support
CCR series	Yes
RB series (most)	Yes
CRS series	Yes
CHR	Yes
hAP lite, hAP lite TC, hAP mini	No (SMIPS devices)

Check with: /system/resource/print — SMIPS architecture cannot run MPLS.

Related topics

MPLS features

• MPLS Traffic Engineering - RSVP-TE for explicit path control
• VPLS - Layer 2 VPN over MPLS

Routing protocols

• OSPF - IGP commonly used with MPLS
• BGP - MP-BGP for MPLS VPN signaling
• Static Routes - basic routing for MPLS

Infrastructure

• IP Addresses - loopback addresses for LDP
• Firewall Basics - allow LDP (TCP/UDP 646)

Reference

• MikroTik MPLS Overview
• MikroTik LDP
• MikroTik MPLS MTU and Forwarding

Command reference

Command	Required Args	Optional Args	Notes
/mpls/ldp/add	lsr-id, transport-addresses	afi, vrf, disabled	Create LDP instance
/mpls/ldp/interface/add	interface	hello-interval, hold-time	Enable LDP on interface
/mpls/ldp/neighbor/print	-	detail	Show LDP neighbors
/mpls/ldp/local-mapping/print	-	-	Show locally assigned labels
/mpls/ldp/remote-mapping/print	-	-	Show labels from neighbors
/mpls/forwarding-table/print	-	-	Show MPLS forwarding entries
/mpls/settings/print	-	-	Show global MPLS settings

Key properties

LDP instance properties (/mpls/ldp)

Property	Type	Default	Description
lsr-id	IP	-	Label Switch Router identifier (required)
transport-addresses	IP list	-	Source addresses for LDP sessions (required)
afi	ip/ipv6/ip,ipv6	ip	Address families for label distribution
distribute-for-default	yes/no	no	Distribute labels for default route
use-explicit-null	yes/no	no	Advertise explicit-null instead of implicit-null
vrf	string	main	VRF table for this instance

LDP interface properties (/mpls/ldp/interface)

Property	Type	Default	Description
interface	string	-	Interface name (required)
hello-interval	time	5s	Interval between hello packets
hold-time	time	15s	Neighbor timeout
accept-dynamic-neighbors	yes/no	yes	Accept discovered neighbors

MPLS settings properties (/mpls/settings)

Property	Type	Default	Description
dynamic-label-range	range	16-1048575	Label allocation range
propagate-ttl	yes/no	yes	Copy TTL from IP to MPLS header
allow-fast-path	yes/no	yes	Enable MPLS FastPath