vpls introduction

Upload: paramc

Post on 18-Oct-2015

DESCRIPTION

VPLS Introduction

TRANSCRIPT

  • 5/28/2018 VPLS Introduction

    1/82

    2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1

    An Introduction to

    VPLS

    Jeff Apcar, Distinguished Services Engineer

    APAC Technical Practices, Advanced Services

  • 5/28/2018 VPLS Introduction

    2/82

    Agenda

    VPLS Introduction

    Pseudo Wire Refresher

    VPLS Architecture

    VPLS Configuration Example

    VPLS Deployment

    Summary

  • 5/28/2018 VPLS Introduction

    3/82

    Do you want to date VPLS?

    VPLS is like having Paris Hilton as your girlfriend.

    The concept is fantastic, but in reality the experience might not be what you expected.

    But we're still willing to give it a go as long as we can understand/handle her behaviour

    Me, Just Then

  • 5/28/2018 VPLS Introduction

    4/82

    VPLS Introduction

  • 5/28/2018 VPLS Introduction

    5/82

    Virtual Private LAN Service (VPLS)

    VPLS defines an architecture that allows MPLS networks to offer Layer 2 multipoint Ethernet services

    SP emulates an IEEE Ethernet bridge network (virtual)

    Virtual Bridges linked with MPLS Pseudo Wires

    Data Plane used is same as EoMPLS (point-to-point)

    [Diagram: CEs attached to PEs. Caption: VPLS is an Architecture]

  • 5/28/2018 VPLS Introduction

    6/82

    Virtual Private LAN Service

    End-to-end architecture that allows MPLS networks to provide multipoint Ethernet services

    It is Virtual because multiple instances of this service share the same physical infrastructure

    It is Private because each instance of the service is independent and isolated from one another

    It is LAN Service because it emulates Layer 2 multipoint connectivity between subscribers

  • 5/28/2018 VPLS Introduction

    7/82

    Why Provide A Layer 2 Service?

    Customers have full operational control over their routing neighbours

    Privacy of addressing space - they do not have to be shared with the carrier network

    Customer has a choice of using any routing protocol, including non-IP based (IPX, AppleTalk)

    Customers could use an Ethernet switch instead of a router as the CPE

    A single connection could reach all other edge points, emulating an Ethernet LAN (VPLS)

  • 5/28/2018 VPLS Introduction

    8/82

    VPLS is defined in IETF

    [Diagram: ISOC / IAB / IETF organisation chart, as of 2-Nov-2006. IETF areas: Application, General, Internet, Ops and Mgmt, Routing, Security, Transport. Working groups shown: MPLS, L2VPN, L3VPN, PWE3.]

    Formerly PPVPN workgroup

    VPWS, VPLS, IPLS

    BGP/MPLS VPNs (RFC 4364, was 2547bis); IP VPNs using Virtual Routers (RFC 2764); CE based VPNs using IPsec

    Pseudo Wire Emulation edge-to-edge; forms the backbone transport for VPLS

  • 5/28/2018 VPLS Introduction

    9/82

    Classification of VPNs

    [Diagram: classification tree of VPNs. Labels: VPN; CPE Based; Network Based; Layer 3; Layer 2; MPLS VPN; Virtual Router; GRE; IPSec; P2P VPWS; VPLS; IPLS; Ethernet; Frame Relay; PPP/HDLC; ATM/Cell Relay; Ethernet (P2P); Frame Relay; ATM; Ethernet (P2MP); Ethernet (MP2MP)]

  • 5/28/2018 VPLS Introduction

    10/82

    L2VPN Models

    [Diagram: L2VPN models. Over IP: L2TPv3, point-to-point, carrying ATM AAL5/Cell, PPP, HDLC, Ethernet, FR. Over MPLS: VPWS, point-to-point, carrying ATM AAL5/Cell, PPP, HDLC, Ethernet, FR; VPLS/IPLS, multipoint, carrying Ethernet. Other labels: Like-to-Like, Any-to-Any.]

  • 5/28/2018 VPLS Introduction

    11/82

    IP LAN-Like Service (IPLS)

    An IPLS is very similar to a VPLS except

    The CE devices must be hosts or routers not switches

    The service will only carry IPv4 or IPv6 packets

    IP control packets are also supported (ARP, ICMP)

    Layer 2 packets that do not contain IP are not supported

    IPLS is a functional subset of the VPLS service

    MAC address learning and aging not required

    Simpler mechanism to match MAC to CE can be used

    Bridging operations removed from the PE

    Simplifies hardware capabilities and operation

    Defined in draft-ietf-l2vpn-ipls

  • 5/28/2018 VPLS Introduction

    12/82

    VPLS Components

    [Diagram: CE routers and CE switches attached to three N-PEs around an MPLS core]

    Attachment circuits: Port or VLAN mode

    Mesh of LSP between N-PEs

    Pseudo Wires within LSP

    Virtual Switch Interface (VSI) terminates PW and provides Ethernet bridge function

    Targeted LDP between PEs to exchange VC labels for Pseudo Wires

    Attachment CE can be a switch or router

  • 5/28/2018 VPLS Introduction

    13/82

    Virtual Switch Interface

    Flooding / Forwarding

    MAC table instances per customer (port/vlan) for each PE

    VFI will participate in learning and forwarding process

    Associate ports to MAC, flood unknowns to all other ports

    Address Learning / Aging

    LDP enhanced with additional MAC List TLV (label withdrawal)

    MAC timers refreshed with incoming frames

    Loop Prevention

    Create full-mesh of Pseudo Wire VCs (EoMPLS)

    Unidirectional LSP carries VCs between pair of N-PE Per

    A VPLS uses split horizon concepts to prevent loops

  • 5/28/2018 VPLS Introduction

    14/82

    Pseudo Wire Refresher

  • 5/28/2018 VPLS Introduction

    15/82

    Pseudo Wires in VPLS

    IETF working group PWE3

    Pseudo Wire Emulation Edge to Edge;

    Requirements detailed in RFC3916

    Architecture details in RFC3985

    Develop standards for the encapsulation & service emulation of Pseudo Wires

    Across a packet switched backbone

    A VPLS is based on a full mesh of Pseudo Wires

  • 5/28/2018 VPLS Introduction

    16/82

    Pseudo Wire Reference Model (RFC 3916)

    A Pseudo Wire (PW) is a connection between two provider edge devices connecting two attachment circuits (ACs)

    In an MPLS core a Pseudo Wire uses two MPLS labels

    Tunnel Label (LSP) identifying remote PE router

    VC Label identifying Pseudo Wire circuit within tunnel

    [Diagram: Pseudo Wire reference model. Customer sites attach through CEs and attachment circuits to PE1 and PE2. Pseudo Wires PW1 and PW2 carry PDUs inside a PSN tunnel (LSP in MPLS) across the Packet Switched Network (PSN), IP or MPLS. The end-to-end path is the emulated service.]

  • 5/28/2018 VPLS Introduction

    17/82

    Pseudo Wire Standards (Care for a Martini?)

    RFC 4446: Numeric values for PW types

    RFC 4447: Distribution mechanism for VC labels

    Previously called draft-martini-l2circuit-trans-mpls

    RFC 4448: Encapsulation for Ethernet using MPLS

    Previously called draft-martini-l2circuit-encap-mpls

    Other drafts are addressing different encapsulations

    draft-ietf-pwe3-frame-relay/draft-ietf-pwe3-atm-encap

    draft-ietf-pwe3-ppp-hdlc-encap-mpls

    Originally part of draft-martini-l2circuit-encap-mpls

  • 5/28/2018 VPLS Introduction

    18/82

    MPLS PW Types (RFC 4446)

    0x0001 Frame Relay DLCI ( Martini Mode )

    0x0002 ATM AAL5 SDU VCC transport

    0x0003 ATM transparent cell transport

    0x0004 Ethernet Tagged Mode (VLAN)

    0x0005 Ethernet (Port)

    0x0006 HDLC

    0x0007 PPP

    0x0008 SONET/SDH Circuit Emulation

    0x0009 ATM n-to-one VCC cell transport

    0x000A ATM n-to-one VPC cell transport

    0x000B IP Layer2 Transport

    0x000C ATM one-to-one VCC Cell Mode

    0x000D ATM one-to-one VPC Cell Mode

    0x000E ATM AAL5 PDU VCC transport

    0x000F Frame-Relay Port mode

    0x0010 SONET/SDH Circ. Emu. over Packet

    0x0011 Structure-agnostic E1 over Packet

    0x0012 Structure-agnostic T1 over Packet

    0x0013 Structure-agnostic E3 over Packet

    0x0014 Structure-agnostic T3 over Packet

    0x0015 CESoPSN basic mode

    0x0016 TDMoIP AAL1 Mode

    0x0017 CESoPSN TDM with CAS

    0x0018 TDMoIP AAL2 Mode

    0x0019 Frame Relay DLCI

  • 5/28/2018 VPLS Introduction

    19/82

    VC Information Distribution (RFC 4447)

    VC labels are exchanged across a targeted LDP session between PE routers

    Generic Label TLV within LDP Label Mapping Message

    LDP FEC element defined to carry VC information

    Such as PW Type (RFC 4446) and VCID

    VC information exchanged using Downstream Unsolicited label distribution procedures

    Separate MAC List TLV for VPLS

    Defined in draft-ietf-l2vpn-vpls-ldp

    Used to withdraw labels associated with MAC addresses

  • 5/28/2018 VPLS Introduction

    20/82

    VC Distribution Mechanism using LDP

    VC Label identifies interface

    Tunnel Label(s) gets to PE router

    Unidirectional Tunnel LSP between PE routers to transport PW PDU from PE to PE using tunnel label(s)

    Both LSPs combined to form single bi-directional Pseudo Wire

    Directed LDP session between PE routers to exchange VC information, such as VC label and control information

    [Diagram: customer sites and CEs attached to PE1 and PE2 across an IP/MPLS core. Label Switch Path (LSP created using IGP+LDP or RSVP-TE). Directed LDP Session between PE1 and PE2.]

  • 5/28/2018 VPLS Introduction

    21/82

    PW Encapsulation over MPLS (RFC 4448)

    Ethernet Pseudo Wires use 3 layers of encapsulation

    Tunnel Encapsulation (zero, one or more MPLS Labels)

    To get PDU from ingress to egress PE;

    Could be an MPLS label (LDP, TE), GRE tunnel, L2TP tunnel

    Pseudo Wire Demultiplexer (PW Label)

    To identify individual circuits within a tunnel;

    Obtained from Directed LDP session

    Control Word (Optional)

    The following is supported when carrying Ethernet

    Provides the ability to sequence individual frames

    Avoidance of equal-cost multiple-path load-balancing

    Operations and Management (OAM) mechanisms

    Control word format varies depending on transported PDU

    [Frame layout: Tunnel Label | PW Label | Control Word | Layer 2 PDU]

  • 5/28/2018 VPLS Introduction

    22/82

    Ethernet PW Tunnel Encapsulation

    Tunnel Encapsulation

    One or more MPLS labels associated with the tunnel

    Defines the LSP from ingress to egress PE router

    Can be derived from LDP+IGP, RSVP-TE, BGP IPv4+Label

    [Frame layout, 32 bits per row]

    Tunnel Encaps: Tunnel Label (LDP, RSVP, BGP) | EXP | 0 | TTL

    PW Demux: VC Label (VC) | EXP | 1 | TTL (set to 2)

    Control Word: 0 0 0 0 | Reserved | Sequence Number

    Layer-2 PDU

  • 5/28/2018 VPLS Introduction

    23/82

    Ethernet PW Demultiplexer

    VC Label

    Inner label used by receiving PE to determine the following

    Egress interface for L2 PDU forwarding (Port based)

    Egress VLAN used on the CE facing interface (VLAN Based)

    EXP can be set to the values received in the L2 frame

    [Frame layout, 32 bits per row]

    Tunnel Encaps: Tunnel Label (LDP, RSVP, BGP) | EXP | 0 | TTL

    PW Demux: VC Label (VC) | EXP | 1 | TTL (set to 2)

    Control Word: 0 0 0 0 | Reserved | Sequence Number

    Layer-2 PDU

  • 5/28/2018 VPLS Introduction

    24/82

    Ethernet PW Control Word

    Control Word is Optional (as per RFC)

    0 0 0 0: First nibble is 0x0 to prevent aliasing with IP packets over MPLS (MAC addresses that start with 0x4 or 0x6)

    Reserved: Should be all zeros, ignored on receive

    Seq number: provides sequencing capability to detect out of order packets - currently not in Cisco's implementation; processing is optional

    [Frame layout, 32 bits per row]

    Tunnel Encaps: Tunnel Label (LDP, RSVP, BGP) | EXP | 0 | TTL

    PW Demux: VC Label (VC) | EXP | 1 | TTL (set to 2)

    Control Word: 0 0 0 0 | Reserved | Sequence Number

    Layer-2 PDU
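The encapsulation on the preceding slides (tunnel label, VC label, optional control word, Layer-2 PDU), as an added Python example that is not part of the original deck: it parses one PW frame and flags the aliasing case that the control word's 0x0 first nibble guards against. The sample frames are constructed; labels 38 and 72 are borrowed from the deck's PW Operation and Encapsulation slide and the MAC addresses are made up.

```python
import struct


def label_entry(label: int, exp: int, s: int, ttl: int) -> bytes:
    """Encode one 32-bit MPLS label stack entry: Label(20) | EXP(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (s << 8) | ttl)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_pw_frame(data: bytes, control_word: bool) -> dict:
    """Parse tunnel label(s), VC label, optional control word and the Ethernet PDU.

    Control word use is agreed in signalling, so the caller must state it;
    it cannot be read reliably from the bytes alone.
    """
    stack, offset = [], 0
    while True:  # walk the label stack until the bottom-of-stack (S=1) entry
        if offset + 4 > len(data):
            raise ValueError("label stack ends without a bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", data, offset)
        offset += 4
        stack.append({"label": word >> 12, "exp": (word >> 9) & 0x7,
                      "s": (word >> 8) & 0x1, "ttl": word & 0xFF})
        if stack[-1]["s"]:
            break
    out = {"tunnel_labels": stack[:-1], "vc_label": stack[-1],
           "sequence": None, "warnings": []}
    if control_word:
        if offset + 4 > len(data):
            raise ValueError("truncated control word")
        (cw,) = struct.unpack_from("!I", data, offset)
        offset += 4
        if cw >> 28 != 0:
            raise ValueError("control word first nibble is not 0x0")
        if (cw >> 16) & 0x0FFF:
            out["warnings"].append("reserved bits set (ignored on receive)")
        out["sequence"] = cw & 0xFFFF
    pdu = data[offset:]
    if len(pdu) < 14:
        raise ValueError("payload shorter than an Ethernet header")
    out["dst_mac"] = mac_str(pdu[0:6])
    out["src_mac"] = mac_str(pdu[6:12])
    out["ethertype"] = struct.unpack_from("!H", pdu, 12)[0]
    if not control_word and (pdu[0] >> 4) in (0x4, 0x6):
        # Without a control word the first payload nibble is the first nibble
        # of the destination MAC, which here looks like an IP version field.
        out["warnings"].append("no control word and destination MAC starts "
                               "with 0x4/0x6: payload can be mistaken for IP")
    return out


# Constructed sample: Ethernet header with a destination MAC starting 0x4.
ETH = bytes.fromhex("400000000002" "020000000001" "0800") + b"payload"
# In the core: tunnel label 38, VC label 72 (S=1, TTL 2), zero control word.
FRAME_CORE = (label_entry(38, 0, 0, 255) + label_entry(72, 0, 1, 2)
              + struct.pack("!I", 0) + ETH)
# After penultimate-hop popping, and on a PW signalled without control word.
FRAME_PHP_NO_CW = label_entry(72, 0, 1, 2) + ETH

if __name__ == "__main__":
    print(parse_pw_frame(FRAME_CORE, control_word=True))
    print(parse_pw_frame(FRAME_PHP_NO_CW, control_word=False))
```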

  • 5/28/2018 VPLS Introduction

    25/82

    PW Operation and Encapsulation

    This process happens in both directions

    (Example shows process for PE2 to PE1 traffic)

    [Diagram: CE - PE1 - P1 - P2 - PE2 - CE across IP/MPLS, with LDP sessions between adjacent routers and a Directed LDP Session between PE1 and PE2. Labels advertised for Lo0: Label Pop, Label 24, Label 38. Label 72 for PW1. Frames shown along the LSP: 38 | 72 | L2 PDU; 24 | 72 | L2 PDU; 72 | L2 PDU.]

  • 5/28/2018 VPLS Introduction

    26/82

    VPLS Architecture

  • 5/28/2018 VPLS Introduction

    27/82

    VPLS Standards

    Architecture allows IEEE 802.1 bridge behaviour in SP plus:

    Autodiscovery of other N-PE in same VPLS instance

    Signaling of PWs to interconnect VPLS instances

    Loop avoidance & MAC Address withdrawal

    Two drafts have been approved by IETF L2VPN Working Group

    draft-ietf-l2vpn-vpls-ldp

    Uses LDP for signalling, agnostic on PE discovery method

    Predominant support from carriers and vendors

    Cisco supports this draft

    draft-ietf-l2vpn-vpls-bgp

    Uses BGP for signalling and autodiscovery

  • 5/28/2018 VPLS Introduction

    28/82

    Cisco VPLS Building Blocks

    [Diagram: layered building blocks, listed below]

    NMS/OSS

    L2VPN Discovery: Centralised (DNS, Radius, Directory Services); Distributed (BGP)

    Signaling: Label Distribution Protocol

    Tunnel Protocol: MPLS, IP

    Point-to-Point Layer 2 VPN; Multipoint Layer 2 VPN; Layer 3 VPN

    Forwarding Mechanism: Interface-Based/Sub-Interface; Ethernet Switching (VFI); IP Routing

    Hardware: Cisco 7600, Catalyst 6500, Cisco 12000

  • 5/28/2018 VPLS Introduction

    29/82

    VPLS Auto-discovery & Signaling

    Draft-ietf-l2vpn-vpls-ldp

    Does not mandate an auto-discovery protocol

    Can be BGP, Radius, DNS, or Directory based

    Uses Directed LDP for label exchange (VC) and PW signaling

    PWs signal control information as well (for example, circuit state)

    Cisco IOS supports Directed LDP for all VC signaling

    Point-to-point: Cisco IOS Any Transport over MPLS (AToM)

    Multipoint: Cisco IOS MPLS Virtual Private LAN Services

    VPN Discovery: Centralised (DNS, Radius, Directory Services); Distributed (BGP)

    Signaling: Label Distribution Protocol

  • 5/28/2018 VPLS Introduction

    30/82

    VPLS Flooding & Forwarding

    Flooding (Broadcast, Multicast, Unknown Unicast)

    Dynamic learning of MAC addresses on PHY and VCs

    Forwarding

    Physical Port

    Virtual Circuit

    [Diagram labels: Data | SA | DA?; Unknown DA?; Pseudo Wire in LSP]

  • 5/28/2018 VPLS Introduction

    31/82

    MAC Address Learning and Forwarding

    Broadcast, Multicast, and Unknown Unicast are learned via the received label associations

    Two LSPs associated with a VC (Tx & Rx)

    If inbound or outbound LSP is down

    Then the entire Pseudo Wire is considered down

    [Diagram: PE1 (CE on E0/0) and PE2 (CE on E0/1) joined by a Directed LDP session. Callouts: "Send me frames using Label 170"; "Send me frames using Label 102"; "Use VC Label 102" (MAC1); "Use VC Label 170" (MAC2).]

    MAC Address / Adj table: MAC 1 - E0/0; MAC 2 - 170

    MAC Address / Adj table: MAC 2 - E0/1; MAC 1 - 102

    Frames shown: PE2 | 170 | MAC2 | MAC1 | Data and PE2 | 102 | MAC1 | MAC2 | Data

  • 5/28/2018 VPLS Introduction

    32/82

    MAC Address Withdrawal Message

    Message speeds up convergence process

    Otherwise PE relies on MAC Address Aging Timer

    Upon failure PE removes locally learned MAC addresses

    Send LDP Address Withdraw (RFC3036) to remote PEs in VPLS (using the Directed LDP session)

    New MAC List TLV is used to withdraw addresses

    [Diagram: MPLS core with a failure marked X and Directed LDP between the PEs]

  • 5/28/2018 VPLS Introduction

    33/82

    VPLS Topology PE View

    Each PE has a P2MP view of all other PEs; it sees itself as a root bridge with split horizon loop protection

    Full mesh topology obviates STP in the SP network

    Customer STP is transparent to the SP / Customer BPDUs are forwarded transparently

    [Diagram: PE view. PEs and CEs around the MPLS core; Full Mesh LDP; Ethernet PW to each peer]

  • 5/28/2018 VPLS Introduction

    34/82

    VPLS Topology CE View

    CE routers/switches see a logical Bridge/LAN

    VPLS emulates a LAN, but not exactly

    This raises a few issues which are discussed later

    [Diagram: the PE view (PEs and CEs around the MPLS core, Full Mesh LDP, Ethernet PW to each peer) beside the CE view, in which the CEs attach to a single MPLS VPLS core]

  • 5/28/2018 VPLS Introduction

    35/82

    VPLS Architectures

    VPLS defines two Architectures

    Direct Attachment (Flat)

    Described in section 4 of Draft-ietf-l2vpn-vpls-ldp

    Hierarchical or H-VPLS, comprising two access methods

    Ethernet Edge (EE-H-VPLS) - QinQ tunnels

    MPLS Edge (ME-H-VPLS) - PWE3 Pseudo Wires (EoMPLS)

    Described in section 10 of Draft-ietf-l2vpn-vpls-ldp

    Each architecture has different scaling characteristics

  • 5/28/2018 VPLS Introduction

    36/82

    VPLS Functional Components

    [Diagram: CE - U-PE - N-PE - MPLS Core - N-PE - U-PE - CE. Customer MxUs at each edge, SP PoPs in between.]

    N-PE provides VPLS termination/L3 services

    U-PE provides customer UNI

    CE is the customer device

  • 5/28/2018 VPLS Introduction

    37/82

    Directed attachment (Flat) Characteristics

    Suitable for simple/small implementations

    Full mesh of directed LDP sessions required

    N*(N-1)/2 Pseudo Wires required

    Scalability issue as number of PE routers grows

    No hierarchical scalability

    VLAN and Port level support (no QinQ)

    Potential signaling and packet replication overhead

    Large amount of multicast replication over same physical

    CPU overhead for replication

  • 5/28/2018 VPLS Introduction

    38/82

    Direct Attachment VPLS (Flat Architecture)

    [Diagram: CE - N-PE - MPLS Core - N-PE - CE. Ethernet (VLAN/Port) on each access side; Full Mesh PWs + LDP across the core. Frame formats: Customer, 802.1q: MAC2 | MAC1 | Data; SP Core, Pseudo Wire: PE | VC | MAC2 | MAC1 | Data]

  • 5/28/2018 VPLS Introduction

    39/82

    Hierarchical VPLS (H-VPLS)

    Best for larger scale deployment

    Reduction in packet replication and signaling overhead

    Consists of two levels in a Hub and Spoke topology

    Hub consists of full mesh VPLS Pseudo Wires in MPLS core

    Spokes consist of L2/L3 tunnels connecting to VPLS (Hub) PEs

    Q-in-Q (L2), MPLS (L3), L2TPv3 (L3)

    Some additional H-VPLS terms

    MTU-s: Multi-Tenant Unit Switch capable of bridging (U-PE)

    PE-r: Non bridging PE router

    PE-rs: Bridging and Routing capable PE

  • 5/28/2018 VPLS Introduction

    40/82

    Why H-VPLS?

    VPLS

    Potential signaling overhead

    Full PW mesh from the Edge

    Packet replication done at the Edge

    Node Discovery and Provisioning extends end to end

    H-VPLS

    Minimizes signaling overhead

    Full PW mesh among Core devices

    Packet replication done in the Core

    Partitions Node Discovery process

    [Diagram: VPLS, with CEs attached to a full mesh of PEs, beside H-VPLS, with CEs attached through MTU-s and PE-r devices to a full mesh of PE-rs]

  • 5/28/2018 VPLS Introduction

    41/82

    Ethernet Edge H-VPLS (EE-H-VPLS)

    [Diagram: CE - U-PE (MTU-s) - N-PE (PE-rs) - MPLS Core - N-PE (PE-rs) - U-PE (MTU-s) - CE. 802.1q Access between CE and U-PE, QinQ Tunnel between U-PE and N-PE, Full Mesh PWs + LDP across the core. Numbered frame formats 1 to 3: Customer, 802.1q: MAC2 | MAC1 | Data | Vlan CE; SP Edge, QinQ: MAC2 | MAC1 | Data | Vlan CE | Vlan SP; SP Core, Pseudo Wire: PE | VC | MAC2 | MAC1 | Data | Vlan CE]

  • 5/28/2018 VPLS Introduction

    42/82

    Bridge Capability in EE-H-VPLS

    Local edge traffic does not have to traverse N-PE

    MTU-s can switch traffic locally

    Saves bandwidth capacity on circuits to N-PE

    [Diagram: CEs attached to a U-PE (MTU-s), which uplinks to the N-PE (PE-rs)]

  • 5/28/2018 VPLS Introduction

    43/82

    Ethernet Edge Topologies

    User Facing Provider Edge (U-PE)

    Network Facing Provider Edge (N-PE)

    [Diagram: MPLS VPLS core of P routers and N-PEs serving Metro A, Metro B, Metro C and Metro D through U-PE and PE-AGG devices. Access topologies shown: GE Ring, Hub and Spoke, DWDM/CWDM, RPR, with 10/100/1000 Mbps customer links. Layers: Full Service CPE; Efficient Access (U-PE); Large Scale Aggregation (PE-AGG); Intelligent Edge (N-PE); Multiservice Core (P)]

  • 5/28/2018 VPLS Introduction

    44/82

    MPLS Edge H-VPLS

    Same VCID used in Edge and core (Labels may differ)

    [Diagram: CE - U-PE (PE-rs) - N-PE (PE-rs) - MPLS Core - N-PE (PE-rs) - U-PE (PE-rs) - CE. 802.1q Access between CE and U-PE, MPLS Pseudo Wire (MPLS Access) between U-PE and N-PE, Full Mesh PWs + LDP across the core. Numbered frame formats 1 to 3: Customer, 802.1q: MAC2 | MAC1 | Data | Vlan CE; SP Edge, MPLS PW: PE | VC | MAC2 | MAC1 | Data | Vlan CE; SP Core, Pseudo Wire: PE | VC | MAC2 | MAC1 | Data | Vlan CE]

  • 5/28/2018 VPLS Introduction

    45/82

  • 5/28/2018 VPLS Introduction

    46/82

    VFI and NO Split Horizon (ME-H-VPLS)

    This model is applicable to H-VPLS with MPLS Edge

    PW #1, PW #2 will forward traffic to PW #3 (non split horizon port)

    [Diagram: N-PE1 hosts the VFI (Virtual Forwarding Interface) terminating Pseudo Wire #1, Pseudo Wire #2 and Pseudo Wire #3. Other nodes shown: N-PE2, N-PE3, U-PE, CEs. Labels: Split Horizon Active; Split Horizon disabled; NO Split Horizon; Pseudo Wire, MPLS Based; Unicast flows 1, 2 and 3]
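The learning, flooding, MAC withdrawal and split horizon behaviour from the Virtual Switch Interface and MAC learning slides, together with the split-horizon-disabled spoke on the slide above, as an added Python model (not Cisco's implementation and not code from the deck). Port names, MAC addresses and the hop limit used to cut off a loop are assumptions made for the illustration.

```python
from collections import deque

BCAST = "ff:ff:ff:ff:ff:ff"


class Vfi:
    """Toy model of one VFI: MAC learning, flooding and split horizon."""

    def __init__(self):
        self.ports = {}      # port name -> True if port is in the split-horizon group
        self.mac_table = {}  # MAC address -> port it was learned on

    def add_port(self, name, split_horizon):
        self.ports[name] = split_horizon

    def _allowed(self, in_port, out_port):
        if out_port == in_port:
            return False
        # Split horizon: never forward between two members of the group.
        return not (self.ports[in_port] and self.ports[out_port])

    def receive(self, in_port, src, dst):
        """Learn src on in_port and return the sorted list of egress ports."""
        self.mac_table[src] = in_port
        group_addr = int(dst[:2], 16) & 1   # broadcast/multicast bit
        known = self.mac_table.get(dst)
        if known is not None and not group_addr:
            return [known] if self._allowed(in_port, known) else []
        # Broadcast, multicast or unknown unicast: flood.
        return sorted(p for p in self.ports if self._allowed(in_port, p))

    def withdraw(self, port):
        """Model a MAC withdrawal: forget every MAC learned via this port."""
        gone = sorted(m for m, p in self.mac_table.items() if p == port)
        for mac in gone:
            del self.mac_table[mac]
        return gone


def mesh_broadcast(split_horizon, max_hops=4):
    """Flood one broadcast from PE1's attachment circuit through a 3-PE full mesh."""
    pes = ["PE1", "PE2", "PE3"]
    vfis = {}
    for pe in pes:
        vfi = Vfi()
        vfi.add_port("AC", split_horizon=False)
        for peer in pes:
            if peer != pe:
                vfi.add_port(peer, split_horizon=split_horizon)  # PW named after peer
        vfis[pe] = vfi
    stats = {"ac_deliveries": 0, "pw_transmissions": 0, "hit_hop_limit": False}
    queue = deque([("PE1", "AC", 0)])
    while queue:
        pe, in_port, hops = queue.popleft()
        for out in vfis[pe].receive(in_port, "00:00:00:00:00:01", BCAST):
            if out == "AC":
                stats["ac_deliveries"] += 1
            elif hops + 1 > max_hops:
                stats["hit_hop_limit"] = True   # frame would keep circulating
            else:
                stats["pw_transmissions"] += 1
                queue.append((out, pe, hops + 1))
    return stats


def npe1_with_spoke():
    """N-PE1 as on the slide: PW1/PW2 in the core mesh, PW3 to the U-PE."""
    vfi = Vfi()
    vfi.add_port("PW1", split_horizon=True)
    vfi.add_port("PW2", split_horizon=True)
    vfi.add_port("PW3", split_horizon=False)   # spoke: split horizon disabled
    return vfi


if __name__ == "__main__":
    print("full mesh, split horizon on :", mesh_broadcast(True))
    print("full mesh, split horizon off:", mesh_broadcast(False))
    print("unknown unicast arriving on PW1 floods to:",
          npe1_with_spoke().receive("PW1", "00:00:00:00:00:0a", "00:00:00:00:00:0c"))
```

With split horizon on, the broadcast reaches each remote attachment circuit once and stops; with it off on the core pseudo wires, the same frame keeps circulating until the model's hop limit cuts it off.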

  • 5/28/2018 VPLS Introduction

    47/82

    VPLS Logical Topology Comparison

    Direct Attach | H-VPLS QinQ tunnel | H-VPLS - MPLS PW

    Pros: Simple access via Ethernet

    Simple access via Ethernet

    Hierarchical support via QinQ at access

    Scalable customer VLANs (4K x 4K)

    4K customers supported per Ethernet Access Domain

    Fast L3 IGP convergence

    MPLS TE FRR

  • 5/28/2018 VPLS Introduction

    48/82

    Configuration

    Examples

  • 5/28/2018 VPLS Introduction

    49/82

    Configuration Examples

    Direct Attachment

    Using a Router as a CE (VLAN Based)

    Using a Switch as a CE (Port Based)

    H-VPLS

    Ethernet QinQ

    EoMPLS Pseudo Wire (VLAN Based)

    EoMPLS Pseudo Wire (Port Based)

    Sample Output

  • 5/28/2018 VPLS Introduction

    50/82

    Direct Attachment Configuration (C7600)

    CEs are all part of same VPLS instance (VCID = 56)

    CE router connects using VLAN 100 over sub-interface

    [Diagram: Direct Attachment CE router. PE1 (1.1.1.1), PE2 (2.2.2.2) and PE3 (3.3.3.3) around the MPLS Core, with CE1 and CE2 attached on VLAN100. Interface labels: gi3/0, gi4/4, gi4/2, pos4/1, pos4/3, pos3/0, pos3/1]

  • 5/28/2018 VPLS Introduction

    51/82

    Direct Attachment CE router Configuration

    CE routers sub-interface on same VLAN

    Can also be just port based (NO VLAN)

    Subnet 192.168.20.0/24

    ! Mask below follows the /24 subnet shown on the slide
    interface GigabitEthernet 1/3.100
     encapsulation dot1q 100
     ip address 192.168.20.2 255.255.255.0

    interface GigabitEthernet 2/0.100
     encapsulation dot1q 100
     ip address 192.168.20.3 255.255.255.0

    interface GigabitEthernet 2/1.100
     encapsulation dot1q 100
     ip address 192.168.20.1 255.255.255.0

    [Diagram: CE1 and CE2 routers, each attached on VLAN100]

  • 5/28/2018 VPLS Introduction

    52/82

    Direct Attachment VSI Configuration

    Create the Pseudo Wires between N-PE routers

    l2 vfi VPLS-A manual
     vpn id 56
     neighbor 2.2.2.2 encapsulation mpls
     neighbor 1.1.1.1 encapsulation mpls

    l2 vfi VPLS-A manual
     vpn id 56
     neighbor 1.1.1.1 encapsulation mpls
     neighbor 3.3.3.3 encapsulation mpls

    l2 vfi VPLS-A manual
     vpn id 56
     neighbor 2.2.2.2 encapsulation mpls
     neighbor 3.3.3.3 encapsulation mpls

    [Diagram: PE1 (1.1.1.1), PE2 (2.2.2.2) and PE3 (3.3.3.3) around the MPLS Core, with CE1 and CE2 attached on VLAN100. Interface labels: gi3/0, gi4/4, gi4/2, pos4/1, pos4/3, pos3/0, pos3/1]
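A full-mesh audit of the `l2 vfi` neighbor statements above, as an added Python example that is not part of the original deck. Because split horizon stops a PE from relaying between pseudo wires, one missing neighbor statement silently cuts two sites off from each other, and the N*(N-1)/2 count from the flat-architecture slide gives the expected total. The mapping of each config block to a PE loopback is inferred (a PE does not list itself), and the broken variant is constructed.

```python
import re
from itertools import combinations


def parse_vfi(config):
    """Return {vfi_name: {"vpn_id": int or None, "neighbors": set}} from IOS-style text."""
    vfis, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"l2 vfi (\S+) manual", line)
        if m:
            current = vfis.setdefault(m.group(1), {"vpn_id": None, "neighbors": set()})
            continue
        if current is None:
            continue
        m = re.fullmatch(r"vpn id (\d+)", line)
        if m:
            current["vpn_id"] = int(m.group(1))
            continue
        m = re.fullmatch(r"neighbor (\d+\.\d+\.\d+\.\d+) encapsulation mpls", line)
        if m:
            current["neighbors"].add(m.group(1))
            continue
        if line and not raw.startswith(" "):
            current = None   # any other top-level command ends the VFI block
    return vfis


def audit_full_mesh(configs, vfi_name):
    """Check that every PE carrying vfi_name has a pseudo wire to every other one."""
    parsed = {pe: parse_vfi(text).get(vfi_name) for pe, text in configs.items()}
    members = sorted(pe for pe, vfi in parsed.items() if vfi is not None)
    findings = [f"{pe}: VFI {vfi_name} not configured"
                for pe in sorted(set(configs) - set(members))]
    vpn_ids = {parsed[pe]["vpn_id"] for pe in members}
    if len(vpn_ids) > 1:
        findings.append(f"vpn id differs between PEs: {sorted(map(str, vpn_ids))}")
    for pe in members:
        neighbors = parsed[pe]["neighbors"]
        if pe in neighbors:
            findings.append(f"{pe}: lists itself as neighbor")
        for missing in sorted(set(members) - {pe} - neighbors):
            findings.append(f"{pe}: no pseudo wire to {missing}")
        for extra in sorted(neighbors - set(members)):
            findings.append(f"{pe}: neighbor {extra} does not carry this VFI")
    # A pseudo wire only comes up when both ends point at each other.
    both_ends = [(a, b) for a, b in combinations(members, 2)
                 if b in parsed[a]["neighbors"] and a in parsed[b]["neighbors"]]
    n = len(members)
    return {"expected_pws": n * (n - 1) // 2,
            "configured_pws": len(both_ends),
            "findings": findings}


def _vfi(*neighbors):
    lines = ["l2 vfi VPLS-A manual", " vpn id 56"]
    lines += [f" neighbor {ip} encapsulation mpls" for ip in neighbors]
    return "\n".join(lines) + "\n"


# The three blocks from the slide, keyed by the PE loopback inferred for each.
SLIDE_CONFIGS = {
    "1.1.1.1": _vfi("2.2.2.2", "3.3.3.3"),
    "2.2.2.2": _vfi("1.1.1.1", "3.3.3.3"),
    "3.3.3.3": _vfi("2.2.2.2", "1.1.1.1"),
}
# Constructed failure case: PE3 is missing its neighbor statement for PE1.
BROKEN_CONFIGS = dict(SLIDE_CONFIGS, **{"3.3.3.3": _vfi("2.2.2.2")})

if __name__ == "__main__":
    print(audit_full_mesh(SLIDE_CONFIGS, "VPLS-A"))
    print(audit_full_mesh(BROKEN_CONFIGS, "VPLS-A"))
```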

  • 5/28/2018 VPLS Introduction

    53/82

    Direct Attachment CE Router (VLAN Based)

    Same set of commands on each PE

    Configured on the CE facing interface

    interface GigabitEthernet3/0
     switchport
     switchport mode trunk
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 100
    !
    interface vlan 100
     no ip address
     xconnect vfi VPLS-A
    !
    vlan 100
     state active

    This command associates the VLAN with the VPLS instance

    VLAN100 = VCID 56

    [Diagram: PE1 (1.1.1.1), PE2 (2.2.2.2) and PE3 (3.3.3.3) around the MPLS Core, with CE1 and CE2 attached on VLAN100. Interface labels: gi3/0, gi4/4, gi4/2, pos4/1, pos4/3, pos3/0, pos3/1]

  • 5/28/2018 VPLS Introduction

    54/82

    Configuration Examples

    Direct Attachment

    Using a Router as a CE (VLAN Based)

    Using a Switch as a CE (Port Based)

    H-VPLS

    Ethernet QinQ

    EoMPLS Pseudo Wire (VLAN Based)

    EoMPLS Pseudo Wire (Port Based)

    Sample Output

  • 5/28/2018 VPLS Introduction

    55/82

    Direct Attachment CE switch (Port Based)

    If CE was a switch instead of a router then we can use QinQ

    QinQ places all traffic (tagged/untagged) from switch into a VPLS

    interface GigabitEthernet3/0
     switchport
     switchport mode dot1q-tunnel
     switchport access vlan 100
     l2protocol-tunnel stp
    !
    interface vlan 100
     no ip address
     xconnect vfi VPLS-A
    !
    vlan 100
     state active

    This command associates the VLAN with the VPLS instance

    VLAN100 = VCID 56

    [Diagram: PE1 (1.1.1.1), PE2 (2.2.2.2) and PE3 (3.3.3.3) around the MPLS Core, with CE1 and CE2 attached carrying All VLANs. Interface labels: gi3/0, gi4/4, gi4/2, pos4/1, pos4/3, pos3/0, pos3/1]

  • 5/28/2018 VPLS Introduction

    56/82

    Configuration Examples

    Direct Attachment

    Using a Router as a CE (VLAN Based)

    Using a Switch as a CE (Port Based)

    H-VPLS

    Ethernet QinQ

    EoMPLS Pseudo Wire (VLAN Based)

    EoMPLS Pseudo Wire (Port Based)

    Sample Output

  • 5/28/2018 VPLS Introduction

    57/82

    H-VPLS Configuration (C7600/3750ME)

    U-PEs provide services to customer edge device

    CE traffic then carried in QinQ or EoMPLS PW to N-PE

    PW VSI mesh configuration is same as previous examples

    [Diagram: N-PE1 (1.1.1.1), N-PE2 (2.2.2.2) and N-PE3 (3.3.3.3) around the MPLS Core. U-PE1, U-PE2 and U-PE3 (each a Cisco 3750ME) attach CE1 and CE2 at each site. Other labels: 4.4.4.4; interfaces gi3/0, gi4/2, gi4/4, gi1/1/1, fa1/0/1, pos4/1, pos4/3, pos3/0, pos3/1]

  • 5/28/2018 VPLS Introduction

    58/82

    Configuration Examples

    Direct Attachment

    Using a Router as a CE (VLAN Based)

    Using a Switch as a CE (Port Based)

    H-VPLS

    Ethernet QinQ

    EoMPLS Pseudo Wire (VLAN Based)

    EoMPLS Pseudo Wire (Port Based)

    Sample Output

  • 5/28/2018 VPLS Introduction

    59/82

    2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 59

    H-VPLS QinQ Tunnel (Ethernet Edge)

    [Diagram: MPLS core with N-PE1 (1.1.1.1), N-PE2 (2.2.2.2) and N-PE3 (3.3.3.3); U-PE1, U-PE2 (4.4.4.4) and U-PE3 are Cisco 3750ME switches serving CE1 and CE2; interface labels gi3/0, gi4/2, gi4/4, gi1/1/1, fa1/0/1, pos4/1, pos4/3, pos3/0, pos3/1]

    U-PE carries all traffic from CE using QinQ

    Outer tag is VLAN100, inner tags are the customer's

    N-PE, interface facing the U-PE:

        interface GigabitEthernet4/4
         switchport
         switchport mode trunk
         switchport trunk encapsulation dot1q
         switchport trunk allowed vlan 100
        !
        interface vlan 100
         no ip address
         xconnect vfi VPLS-A
        !
        vlan 100
         state active

    U-PE (Cisco 3750ME):

        ! CE-facing port: customer traffic is tunnelled inside outer VLAN 100
        interface FastEthernet1/0/1
         switchport
         switchport access vlan 100
         switchport mode dot1q-tunnel
         switchport trunk allowed vlan 1-1005
        !
        ! Trunk towards the N-PE
        interface GigabitEthernet 1/1/1
         switchport
         switchport mode trunk
         switchport trunk allowed vlan 1-1005


    H-VPLS EoMPLS PW Edge (VLAN Based)

    CE interface on U-PE can be access or trunk port

    xconnect per VLAN is required

    [Diagram: MPLS core with N-PE1 (1.1.1.1), N-PE2 (2.2.2.2) and N-PE3 (3.3.3.3); U-PE1, U-PE2 (4.4.4.4) and U-PE3 are Cisco 3750ME switches serving CE1 and CE2; interface labels gi3/0, gi4/2, gi4/4, gi1/1/1, fa1/0/1, pos4/1, pos4/3, pos3/0, pos3/1]

    U-PE (Cisco 3750ME):

        ! CE-facing port
        interface FastEthernet1/0/1
         switchport
         switchport access vlan 500
        !
        ! One xconnect per VLAN
        interface vlan 500
         xconnect 2.2.2.2 56 encapsulation mpls
        !
        ! Uplink towards the N-PE
        interface GigabitEthernet1/1/1
         no switchport
         ip address 156.50.20.2 255.255.255.252
         mpls ip

    N-PE:

        interface GigabitEthernet4/4
         no switchport
         ip address 156.50.20.1 255.255.255.252
         mpls ip
        !
        l2 vfi VPLS-A manual
         vpn id 56
         neighbor 1.1.1.1 encapsulation mpls
         neighbor 3.3.3.3 encapsulation mpls
         ! no-split-horizon ensures CE traffic is passed on the PW to/from the U-PE
         neighbor 4.4.4.4 encapsulation mpls no-split-horizon


    H-VPLS EoMPLS PW Edge (Port Based)

    CE interface on U-PE can be access or trunk port

    xconnect for entire PORT is required

    [Diagram: MPLS core with N-PE1 (1.1.1.1), N-PE2 (2.2.2.2) and N-PE3 (3.3.3.3); U-PE1, U-PE2 (4.4.4.4) and U-PE3 are Cisco 3750ME switches serving CE1 and CE2; interface labels gi3/0, gi4/2, gi4/4, gi1/1/1, fa1/0/1, pos4/1, pos4/3, pos3/0, pos3/1]

    U-PE (Cisco 3750ME):

        ! CE-facing port: the whole port is cross-connected
        interface FastEthernet1/0/1
         no switchport
         xconnect 2.2.2.2 56 encapsulation mpls
        !
        ! Uplink towards the N-PE
        interface GigabitEthernet1/1/1
         no switchport
         ip address 156.50.20.2 255.255.255.252
         mpls ip

    N-PE:

        interface GigabitEthernet4/4
         no switchport
         ip address 156.50.20.1 255.255.255.252
         mpls ip
        !
        l2 vfi PE1-VPLS-A manual
         vpn id 56
         neighbor 1.1.1.1 encapsulation mpls
         neighbor 3.3.3.3 encapsulation mpls
         ! no-split-horizon ensures CE traffic is passed on the PW to/from the U-PE
         neighbor 4.4.4.4 encapsulation mpls no-split-horizon


    show mpls l2 vc

    [Diagram: H-VPLS topology with N-PE1 (1.1.1.1), N-PE2 (2.2.2.2), N-PE3 (3.3.3.3) and the Cisco 3750ME U-PEs, including U-PE2 (4.4.4.4)]

        NPE-A#show mpls l2 vc
        Local intf     Local circuit  Dest address   VC ID  Status
        -------------  -------------  -------------  ------ -----
        VFI VPLS-A     VFI            1.1.1.1        10     UP
        VFI VPLS-A     VFI            3.3.3.3        10     UP


    show mpls l2 vc detail

    [Diagram: H-VPLS topology with N-PE1 (1.1.1.1), N-PE2 (2.2.2.2), N-PE3 (3.3.3.3) and the Cisco 3750ME U-PEs, including U-PE2 (4.4.4.4); callouts: "Use VC Label 19" and "Use VC Label 23"]

        NPE-2#show mpls l2 vc detail
        Local interface: VFI VPLS-A up
          Destination address: 1.1.1.1, VC ID: 10, VC status: up
            Tunnel label: imp-null, next hop 156.50.20.1
            Output interface: POS4/3, imposed label stack {19}
          Create time: 1d01h, last status change time: 00:40:16
          Signaling protocol: LDP, peer 1.1.1.1:0 up
            MPLS VC labels: local 23, remote 19


    Deployment Issues


    MTU Size

    Broadcast Handling

    Router or a Switch CPE?

    Ramblings of an Engineer

    A Sample Problem


    Pseudo Wire Data Plane Overhead

    At imposition, N-PE encapsulates CE Ethernet or VLAN packet to route across MPLS cloud

    These are the associated overheads

    Transport Header is 6 bytes DA + 6 bytes SA + 2 bytes Etype + OPTIONAL 4 Bytes of VLAN Tag (carried in Port based service)

    At least 2 levels of MPLS header (Tunnel + VC) of 4 bytes each

    There is an optional 4-Byte control word

    [Diagram: encapsulated frame made up of L2 Header, Tunnel Header (Outer Label, 32 bits), VC Header (Inner Label, 32 bits) and the Original Ethernet Frame]


    Calculating Core MTU Requirements

    Core MTU ≥ Edge MTU + Transport Header + AToM Header + (MPLS Label Stack * MPLS Header Size)

    Edge MTU is the MTU configured in the CE-facing PE interface

    Examples (all in Bytes):

                             Edge   Transport   AToM    MPLS Stack   MPLS Header   Total
    EoMPLS Port Mode         1500   14          4 [0]   2            4             1526 [1522]
    EoMPLS VLAN Mode         1500   18          4 [0]   2            4             1530 [1526]
    EoMPLS Port w/ TE FRR    1500   14          4 [0]   3            4             1530 [1526]


    Beware the MTU It Can Get Real Big

    [Frame layout diagram, shown here as a table; diagram labels: "Carrier Pseudowire Encapsulation" and "Enterprise MPLS Frame"]

    Field   Description                 Bytes
    Pre     Preamble                    7
    SFD     Start of Frame Delimiter    1
    DA      Carrier Dest MAC            6
    SA      Carrier Source MAC          6
    Type    Ethertype = 8847            2
    TE      Traffic Engineer label      4
    Tu      EoMPLS Tunnel Label         4
    Vc      EoMPLS VC Label             4
    Cntrl   Control Word                4
    DA      Cust Destination MAC        6
    SA      Cust Source MAC             6
    TPID    VLAN Protocol ID = 8100     2
    TCI     VLAN ID Info                2
    Type    Cust Type                   2
    Data    Cust Packet                 > 1500
    FCS     Frame Check Sequence        4

    Data portion may be > 1500 if carrying MPLS labels

    MTU Sizing

    Packet size can get very large in backhaul due to multiple tags and labels

    Ensure core and access Ethernet interfaces are configured with appropriate MTU size


    Broadcast/Multicast/Unknown Unicast Handling

    VPLS relies on ingress replication

    Ingress PE replicates the multicast packet to each egress Pseudo Wire (PE neighbour)

    Ethernet switches replicate broadcast/multicast flows once per output interface

    VPLS may duplicate packets over the same physical egress interface for each PW that interface carries

    Unnecessary replication brings the risk of resource exhaustion when the number of PWs increases

    Some discussion on maybe using multicast for PWs

    Rather than full mesh of P2P Pseudo Wires


    Switch or Router as CE device

    Ethernet Switch as CE device

    If directly attached, the SP allocates the VLAN, which could be an issue in the customer network

    SP UNI exposed to L2 network of customer

    L2 PDUs such as STP BPDUs must be tunnelled

    No visibility of network behind CE switch

    Many MAC addresses can exist on UNI

    High exposure to broadcast storms

    Router as CE device

    Single MAC Address exists (for interface of router)

    No STP interactions

    Router controls broadcast issues (multicast still happens)


    VPLS Caveats (Ramblings of an Engineer)

    VPLS may introduce non-deterministic behaviour in SP Core

    Case in point: learning of VPN routes

    An MPLS-VPN provides an ordered manner to learn VPNv4 routes using MP-BGP; unknown addresses are dropped

    In VPLS, learning is achieved through flooding MAC addresses

    Excessive number of Unknown, Broadcast and Multicast frames could behave as a series of packet bombs

    Solution: Ingress Threshold Filters (on U-PE or N-PE)

    How to selectively choose which Ethernet Frames to discard?

    How to avoid dropping Routing and Keepalives (control)?

    May cause more problems in customer network

    How many MAC addresses allowed?

    Does SP really want to take this responsibility?


    VPLS Caveats (Ramblings of an Engineer)

    DoS attack has a higher probability of manifesting

    Whether intentional or by mis-configuration

    Since traffic is carried at layer 2, a lot of chatter could be traversing the MPLS core unnecessarily.

    For example, status requests for printers

    How is CoS applied across a VPLS service?

    Should all frames on a VPLS interface be afforded the same class of service?

    Should there be some sort of differentiation?


    A Common VPLS Problem

    Protocols expect LAN behaviour

    VPLS is viewed as an Ethernet network

    Although it does not necessarily behave like one

    VPLS is virtual in its LAN service

    There are some behaviours which differ from a real LAN

    An example

    The OSPF designated router problem


    OSPF Designated Router Problem

    VPLS View

    Router A is the DR, Router B is the BDR

    Router C sees both A and B via Pseudo Wires

    Router View

    Router A, B and C behave like they are on a LAN

    [Diagrams: OSPF DR (A), OSPF Backup DR (B) and OSPF Neighbour (C), drawn once attached to a single LAN and once interconnected by Pseudo Wires]


    OSPF Designated Router Problem

    Assume PW between A and B loses connectivity

    Router A and Router B cannot see each other

    Router C can still see both Router A and Router B

    [Diagram: OSPF DR (A), OSPF Backup DR (B) and OSPF Neighbour (C) interconnected by Pseudo Wires]

    Ethernet frames travel along discrete paths in a VPLS

    Therefore Router C can see both Router A and B

    But Router A and Router B cannot see each other!

    Router B assumes A has failed and becomes the DR

    Router C now sees two DRs on same LAN segment

    Problem!

    No arbitration available between Router A and Router B
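
    The broken-pseudowire condition behind the two-DR problem can be checked from `show mpls l2 vc` output collected on every N-PE. The script below is an added example, not part of the original deck: the sample output is constructed in the layout of the Sample Output slide, and the function names are hypothetical.

```python
import itertools

# Constructed sample: "show mpls l2 vc" as seen on each N-PE, in the layout of
# the Sample Output slide. Assumed fault: the PW 1.1.1.1 <-> 2.2.2.2 is DOWN.
HDR = "Local intf     Local circuit  Dest address   VC ID  Status\n"
def _row(peer, status):
    return f"VFI VPLS-A     VFI            {peer:<14} 10     {status}\n"
SAMPLE = {
    "1.1.1.1": HDR + _row("2.2.2.2", "DOWN") + _row("3.3.3.3", "UP"),
    "2.2.2.2": HDR + _row("1.1.1.1", "DOWN") + _row("3.3.3.3", "UP"),
    "3.3.3.3": HDR + _row("1.1.1.1", "UP") + _row("2.2.2.2", "UP"),
}

def parse_vcs(text):
    """Return {(vfi, peer): is_up} for the VFI rows of one PE's output."""
    vcs = {}
    for line in text.splitlines():
        f = line.split()
        # VFI rows read: VFI <vfi-name> VFI <peer> <vc-id> <status>
        if len(f) == 6 and f[0] == "VFI" and f[4].isdigit():
            vcs[(f[1], f[3])] = f[5].upper() == "UP"
    return vcs

def broken_pairs(outputs, vfi):
    """PE pairs in the VFI that lack a pseudowire reported UP at both ends."""
    up = {(pe, peer)
          for pe, text in outputs.items()
          for (name, peer), ok in parse_vcs(text).items()
          if name == vfi and ok}
    return [(a, b) for a, b in itertools.combinations(sorted(outputs), 2)
            if (a, b) not in up or (b, a) not in up]

def split_view_witnesses(outputs, vfi):
    """Map each broken pair to the PEs that still reach both of its ends.

    Routers behind a witness PE hear both sides of the break while the two
    sides cannot hear each other: the two-DR condition from the slides.
    """
    bad = set(broken_pairs(outputs, vfi))
    def linked(x, y):
        return tuple(sorted((x, y))) not in bad
    return {pair: [p for p in sorted(outputs)
                   if p not in pair and linked(p, pair[0]) and linked(p, pair[1])]
            for pair in sorted(bad)}

if __name__ == "__main__":
    for pair, seen_by in split_view_witnesses(SAMPLE, "VPLS-A").items():
        print(f"PW {pair[0]} <-> {pair[1]} not up; both ends visible from {seen_by}")
```

    A non-empty witness list means some CE still hears both sides of the failed pseudowire, which is the case where Router C ends up seeing two DRs.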


    Summary


    VPLS has its advantages and benefits

    Non-IP protocols supported, customers do not have routing interaction etc.

    Use routers as the CE device

    Understand their multicast requirements

    Then again, maybe MPLS-VPN could do the job?

    Avoid switches as CPE

    Otherwise understand customer's network requirements

    Devices, applications (broadcast/multicast vs unicast)


    Q & A
