VPLS Introduction
Transcript of VPLS Introduction
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential
An Introduction to VPLS
Jeff Apcar, Distinguished Services Engineer, APAC Technical Practices, Advanced Services
Agenda
VPLS Introduction
Pseudo Wire Refresher
VPLS Architecture
VPLS Configuration Example
VPLS Deployment
Summary
Do you want to date VPLS?
“VPLS is like having Paris Hilton as your girlfriend.
The concept is fantastic, but in reality the experience might not be what you expected.
But… we’re still willing to give it a go as long as we can understand/handle her behaviour”
Me, Just Then
VPLS Introduction
Virtual Private LAN Service (VPLS)
VPLS defines an architecture that allows MPLS networks to offer Layer 2 multipoint Ethernet services
The SP emulates a (virtual) IEEE Ethernet bridge network
Virtual bridges are linked with MPLS Pseudo Wires; the data plane is the same as EoMPLS (point-to-point)
VPLS is an architecture
[Diagram: CEs attached to PEs that are interconnected across the MPLS core]
Virtual Private LAN Service
End-to-end architecture that allows MPLS networks to provide Multipoint Ethernet services
It is “Virtual” because multiple instances of this service share the same physical infrastructure
It is “Private” because each instance of the service is independent and isolated from one another
It is “LAN Service” because it emulates Layer 2 multipoint connectivity between subscribers
Why Provide A Layer 2 Service?
Customers have full operational control over their routing neighbours
Privacy of addressing space: customer addresses do not have to be shared with the carrier network
Customers have a choice of any routing protocol, including non-IP protocols (IPX, AppleTalk)
Customers could use an Ethernet switch instead of a router as the CPE
A single connection could reach all other edge points, emulating an Ethernet LAN (VPLS)
VPLS is defined in the IETF
[Org chart, as of 2-Nov-2006: ISOC > IAB > IETF > areas (Application, General, Internet, Ops and Mgmt, Routing, Security, Transport) > working groups]
Relevant working groups:
L2VPN (formerly the PPVPN workgroup): VPWS, VPLS, IPLS
L3VPN: BGP/MPLS VPNs (RFC 4364, was 2547bis); IP VPNs using Virtual Routers (RFC 2764); CE based VPNs using IPsec
PWE3: Pseudo Wire Emulation Edge-to-Edge; forms the backbone transport for VPLS
MPLS
Classification of VPNs
[Tree diagram, reconstructed as text]
VPN
  CPE based
    Layer 3: GRE, IPsec
  Network based
    Layer 3: MPLS VPN, Virtual Router
    Layer 2:
      Frame Relay, ATM
      P2P VPWS: Ethernet (P2P), Frame Relay, PPP/HDLC, ATM/Cell Relay
      VPLS / IPLS: Ethernet (P2MP), Ethernet (MP2MP)
L2VPN Models
[Tree diagram, reconstructed as text]
L2VPN
  over IP: L2TPv3, point-to-point, like-to-like (ATM AAL5/Cell, PPP/HDLC, Ethernet, FR)
  over MPLS:
    VPWS: point-to-point, like-to-like or any-to-any (ATM AAL5/Cell, PPP/HDLC, Ethernet, FR)
    VPLS / IPLS: multipoint (Ethernet)
IP LAN-Like Service (IPLS)
An IPLS is very similar to a VPLS, except:
The CE devices must be hosts or routers, not switches
The service will only carry IPv4 or IPv6 packets
IP control packets are also supported (ARP, ICMP)
Layer 2 packets that do not contain IP are not supported
IPLS is a functional subset of the VPLS service:
MAC address learning and aging are not required
A simpler mechanism to match MAC to CE can be used
Bridging operations are removed from the PE
Simplifies hardware capabilities and operation
Defined in draft-ietf-l2vpn-ipls
VPLS Components
[Diagram: CE routers and CE switches attached to N-PEs around an MPLS core]
Attachment circuits: port or VLAN mode; the attached CE can be a switch or a router
Mesh of LSPs between the N-PEs
Pseudo Wires carried within the LSPs
Virtual Switch Interface (VSI) terminates the PWs and provides the Ethernet bridge function
Targeted LDP between PEs to exchange VC labels for the Pseudo Wires
Virtual Switch Interface
Flooding / Forwarding
MAC table instances per customer (port/VLAN) for each PE
The VFI participates in the learning and forwarding process
Associates ports to MACs; floods unknowns to all other ports
Address Learning / Aging
LDP enhanced with an additional MAC List TLV (label withdrawal)
MAC timers are refreshed by incoming frames
Loop Prevention
Create a full mesh of Pseudo Wire VCs (EoMPLS)
Unidirectional LSPs carry the VCs between each pair of N-PEs
Per VPLS, use "split horizon" concepts to prevent loops
Pseudo Wire Refresher
Pseudo Wires in VPLS
IETF working group PWE3, "Pseudo Wire Emulation Edge to Edge"
Requirements detailed in RFC 3916; architecture details in RFC 3985
Develops standards for the encapsulation and service emulation of "Pseudo Wires" across a packet switched backbone
A VPLS is based on a full mesh of Pseudo Wires
Pseudo Wire Reference Model (RFC 3916)
A Pseudo Wire (PW) is a connection between two provider edge devices connecting two attachment circuits (ACs)
In an MPLS core a Pseudo Wire uses two MPLS labels:
Tunnel Label (LSP) identifying the remote PE router
VC Label identifying the Pseudo Wire circuit within the tunnel
[Diagram: customer sites (CE) attach to PE1 and PE2 over attachment circuits; PW1 and PW2 carry Pseudo Wire PDUs inside a PSN tunnel (an LSP in MPLS) across the packet switched network (IP or MPLS); the emulated service runs end to end between the customer sites]
Pseudo Wire Standards (Care for a Martini?)
RFC 4446: Numeric values for PW types
RFC 4447: Distribution mechanism for VC labels (previously draft-martini-l2circuit-trans-mpls)
RFC 4448: Encapsulation for Ethernet using MPLS (previously draft-martini-l2circuit-encap-mpls)
Other drafts address different encapsulations: draft-ietf-pwe3-frame-relay, draft-ietf-pwe3-atm-encap, draft-ietf-pwe3-ppp-hdlc-encap-mpls (originally part of draft-martini-l2circuit-encap-mpls)
MPLS PW Types (RFC 4446)
0x0001 Frame Relay DLCI (Martini Mode)
0x0002 ATM AAL5 SDU VCC transport
0x0003 ATM transparent cell transport
0x0004 Ethernet Tagged Mode (VLAN)
0x0005 Ethernet (Port)
0x0006 HDLC
0x0007 PPP
0x0008 SONET/SDH Circuit Emulation
0x0009 ATM n-to-one VCC cell transport
0x000A ATM n-to-one VPC cell transport
0x000B IP Layer2 Transport
0x000C ATM one-to-one VCC Cell Mode
0x000D ATM one-to-one VPC Cell Mode
0x000E ATM AAL5 PDU VCC transport
0x000F Frame-Relay Port mode
0x0010 SONET/SDH Circuit Emulation over Packet
0x0011 Structure-agnostic E1 over Packet
0x0012 Structure-agnostic T1 over Packet
0x0013 Structure-agnostic E3 over Packet
0x0014 Structure-agnostic T3 over Packet
0x0015 CESoPSN basic mode
0x0016 TDMoIP AAL1 Mode
0x0017 CESoPSN TDM with CAS
0x0018 TDMoIP AAL2 Mode
0x0019 Frame Relay DLCI
VC Information Distribution (RFC 4447)
VC labels are exchanged across a targeted LDP session between PE routers
Generic Label TLV within the LDP Label Mapping Message
An LDP FEC element is defined to carry VC information, such as PW Type (RFC 4446) and VCID
VC information is exchanged using Downstream Unsolicited label distribution procedures
A separate "MAC List" TLV for VPLS is defined in draft-ietf-l2vpn-vpls-ldp; it is used to withdraw labels associated with MAC addresses
VC Distribution Mechanism using LDP
The VC label identifies the interface; the tunnel label(s) get the packet to the PE router
A unidirectional tunnel LSP between PE routers transports PW PDUs from PE to PE using the tunnel label(s); the LSP is created using IGP+LDP or RSVP-TE
Both LSPs combined form a single bi-directional Pseudo Wire
A directed LDP session between the PE routers exchanges VC information, such as the VC label and control information
[Diagram: customer sites attached to PE1 and PE2 across the IP/MPLS core; Label Switch Path between the PEs; Directed LDP Session between PE1 and PE2]
PW Encapsulation over MPLS (RFC 4448)
Ethernet Pseudo Wires use 3 layers of encapsulation:
Tunnel Encapsulation (zero, one or more MPLS labels): gets the PDU from the ingress to the egress PE; could be an MPLS label (LDP, TE), a GRE tunnel or an L2TP tunnel
Pseudo Wire Demultiplexer (PW Label): identifies individual circuits within a tunnel; obtained from the Directed LDP session
Control Word (optional): when carrying Ethernet it provides the ability to sequence individual frames, avoidance of equal-cost multi-path load balancing, and Operations and Management (OAM) mechanisms
The control word format varies depending on the transported PDU
[Frame layout: Tunnel Label | PW Label | Control Word | Layer 2 PDU]
Ethernet PW Tunnel Encapsulation
Tunnel Encapsulation: one or more MPLS labels associated with the tunnel
Defines the LSP from the ingress to the egress PE router
Can be derived from LDP+IGP, RSVP-TE or BGP IPv4+Label
[Header layout, 32 bits per row]
Tunnel Encaps: Tunnel Label (LDP, RSVP, BGP) | EXP | S=0 | TTL
PW Demux:      VC Label (VC) | EXP | S=1 | TTL (set to 2)
Control Word:  0000 | Reserved | Sequence Number
Layer-2 PDU
Ethernet PW Demultiplexer
VC Label: inner label used by the receiving PE to determine the following:
Egress interface for L2 PDU forwarding (port based)
Egress VLAN used on the CE facing interface (VLAN based)
EXP can be set to the values received in the L2 frame
[Header layout as on the previous slide: Tunnel Label (LDP, RSVP, BGP) | VC Label (S=1, TTL set to 2) | Control Word (0000 | Reserved | Sequence Number) | Layer-2 PDU]
Ethernet PW Control Word
The Control Word is optional (as per the RFC)
0000: the first nibble is 0x0 to prevent aliasing with IP packets over MPLS (MAC addresses that start with 0x4 or 0x6 would otherwise look like an IPv4 or IPv6 version nibble)
Reserved: should be all zeros, ignored on receive
Sequence Number: provides sequencing capability to detect out of order packets; currently not in Cisco's implementation, processing is optional
[Header layout as on the previous slide: Tunnel Label (LDP, RSVP, BGP) | VC Label (S=1, TTL set to 2) | Control Word (0000 | Reserved | Sequence Number) | Layer-2 PDU]
PW Operation and Encapsulation
[Diagram: CE - PE1 - P1 - P2 - PE2 - CE across the IP/MPLS core; hop-by-hop LDP sessions between PE1, P1, P2 and PE2; Directed LDP Session between PE1 and PE2 carrying "PW1"]
Label advertisements for PE1 Lo0: PE1 advertises "pop" to P1, P1 advertises label 38 to P2, P2 advertises label 24 to PE2
PE1 advertises label 72 for PW1 over the directed LDP session
PE2 -> PE1 traffic: PE2 sends [24][72][L2 PDU]; P2 swaps the tunnel label to [38][72][L2 PDU]; P1 pops the tunnel label and PE1 receives [72][L2 PDU]
This process happens in both directions (the example shows PE2 -> PE1 traffic)
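The label stack and control word of the preceding slides, as an added worked example that is not part of the original presentation and not Cisco code: it encodes RFC 3032 label stack entries and the RFC 4448 control word, replays the PE2 -> PE1 label operations of the diagram (24 swapped to 38, then popped), rejects a PDU that would alias an IP packet when no control word is present, and computes the core MTU figures the deployment section arrives at. The customer frame bytes and label values are constructed for the example.

```python
"""Ethernet-over-MPLS pseudo wire: label stack, control word, core label operations.
Added example, not Cisco code; frame bytes and labels are constructed."""
import struct


def label_entry(label, exp=0, bos=False, ttl=255):
    """One 32-bit label stack entry (RFC 3032): Label(20) | EXP(3) | S(1) | TTL(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label out of range")
    word = (label << 12) | ((exp & 0x7) << 9) | (int(bos) << 8) | (ttl & 0xFF)
    return struct.pack("!I", word)


def parse_label_entry(data):
    (word,) = struct.unpack("!I", data[:4])
    return {"label": word >> 12, "exp": (word >> 9) & 0x7,
            "bos": bool((word >> 8) & 1), "ttl": word & 0xFF}


def control_word(seq=0):
    """RFC 4448 control word: first nibble 0000, 12 reserved zero bits, 16-bit sequence number."""
    return struct.pack("!I", seq & 0xFFFF)


def encapsulate(pdu, tunnel_labels, vc_label, use_cw=True, seq=0):
    """Tunnel label(s), then the VC label at the bottom of stack (TTL 2, as the slides note
    Cisco sets it), then the optional control word, then the customer's Layer 2 PDU."""
    stack = b"".join(label_entry(lbl) for lbl in tunnel_labels)
    stack += label_entry(vc_label, bos=True, ttl=2)
    return stack + (control_word(seq) if use_cw else b"") + pdu


def decapsulate(packet, expect_cw=True):
    """Walk the stack to the bottom-of-stack VC label, check the control word, return the PDU."""
    labels, off = [], 0
    while True:
        ent = parse_label_entry(packet[off:off + 4])
        labels.append(ent["label"])
        off += 4
        if ent["bos"]:
            break
    seq = None
    if expect_cw:
        cw = packet[off:off + 4]
        # A raw Ethernet PDU whose DA starts with 0x4 or 0x6 would look like IPv4/IPv6 here.
        if cw[0] >> 4 != 0:
            raise ValueError("control word first nibble must be 0")
        seq = struct.unpack("!H", cw[2:4])[0]
        off += 4
    return labels, seq, packet[off:]


def core_hop(packet, swap_to):
    """What a P router does to the top label: swap it (swap_to=None pops it, i.e. PHP) and
    decrement its TTL. The VC label underneath is never touched in the core."""
    top = parse_label_entry(packet)
    if swap_to is None:
        return packet[4:]
    return label_entry(swap_to, top["exp"], top["bos"], max(top["ttl"] - 1, 0)) + packet[4:]


def core_mtu_required(edge_mtu, vlan_tagged=False, label_depth=2, use_cw=True):
    """Core MTU >= edge MTU + transport header (14, or 18 with a VLAN tag) + control word
    + 4 bytes per MPLS label."""
    return edge_mtu + (18 if vlan_tagged else 14) + (4 if use_cw else 0) + 4 * label_depth


def slide_example():
    """PE2 -> PE1 traffic: PE2 imposes {24, 72}, P2 swaps 24 -> 38, P1 pops, PE1 sees {72}."""
    # Constructed 60-byte customer frame: DA, SA, Ethertype 0x0800, zero payload.
    pdu = bytes.fromhex("001122334455" "66778899aabb" "0800") + bytes(46)
    sent_by_pe2 = encapsulate(pdu, [24], 72)      # [24][72][CW][PDU]
    sent_by_p2 = core_hop(sent_by_pe2, 38)        # [38][72][CW][PDU]
    sent_by_p1 = core_hop(sent_by_p2, None)       # [72][CW][PDU] after penultimate hop pop
    labels, seq, out = decapsulate(sent_by_p1)
    return {"top_at_pe2": parse_label_entry(sent_by_pe2)["label"],
            "top_at_p2": parse_label_entry(sent_by_p2)["label"],
            "labels_at_pe1": labels, "seq": seq, "pdu_intact": out == pdu,
            "overhead_bytes": len(sent_by_pe2) - len(pdu)}


if __name__ == "__main__":
    print(slide_example())
```

The overhead reported by `slide_example` (one tunnel label, one VC label, one control word) is the same 12 bytes that the MTU arithmetic in the deployment section adds to the edge frame before the transport header.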
VPLS Architecture
VPLS Standards
The architecture allows IEEE 802.1 bridge behaviour in the SP plus:
Autodiscovery of other N-PEs in the same VPLS instance
Signaling of PWs to interconnect VPLS instances
Loop avoidance and MAC address withdrawal
Two drafts have been approved by the IETF L2VPN Working Group:
draft-ietf-l2vpn-vpls-ldp: uses LDP for signalling, agnostic on the PE discovery method; predominant support from carriers and vendors; Cisco supports this draft
draft-ietf-l2vpn-vpls-bgp: uses BGP for signalling and autodiscovery
Cisco VPLS Building Blocks
[Layered diagram, reconstructed as text]
NMS/OSS
L2VPN Discovery: centralised (DNS, Radius, Directory Services) or distributed (BGP)
Signaling: Label Distribution Protocol
Services: point-to-point Layer 2 VPN, multipoint Layer 2 VPN, Layer 3 VPN
Forwarding mechanism: interface-based / sub-interface, Ethernet switching (VFI), IP routing
Tunnel protocol: MPLS, IP
Hardware: Cisco 7600, Catalyst 6500, Cisco 12000
VPLS Auto-discovery & Signaling
draft-ietf-l2vpn-vpls-ldp does not mandate an auto-discovery protocol; it can be BGP, Radius, DNS or directory based
It uses Directed LDP for label exchange (VC) and PW signaling; the PWs signal control information as well (for example, circuit state)
Cisco IOS supports Directed LDP for all VC signaling:
Point-to-point: Cisco IOS Any Transport over MPLS (AToM)
Multipoint: Cisco IOS MPLS Virtual Private LAN Services
[Diagram: VPN Discovery, centralised (DNS, Radius, Directory Services) or distributed (BGP); Signaling via Label Distribution Protocol]
VPLS Flooding & Forwarding
Flooding of broadcast, multicast and unknown unicast: an unknown DA is flooded to every other physical port and to each Pseudo Wire in the LSP
Dynamic learning of MAC addresses on physical ports and VCs
Forwarding of a known DA to a physical port or a virtual circuit
[Diagram: a frame with SA/DA arrives at the PE; a known DA is forwarded, an unknown DA is flooded to the physical ports and the Pseudo Wires]
MAC Address Learning and Forwarding
MAC addresses arriving over a Pseudo Wire are learned against the received label association (the VC); broadcast, multicast and unknown unicast are flooded
Two LSPs are associated with a VC (Tx and Rx); if the inbound or the outbound LSP is down, the entire Pseudo Wire is considered down
[Diagram: a CE (MAC 1) on PE1 E0/0 and a CE (MAC 2) on PE2 E0/1; Directed LDP between PE1 and PE2]
PE1 to PE2: "Send me frames using Label 102"; PE2 to PE1: "Send me frames using Label 170"
PE1 MAC table: MAC 1 -> E0/0, MAC 2 -> 170 (use VC label 170 to reach MAC 2)
PE2 MAC table: MAC 2 -> E0/1, MAC 1 -> 102 (use VC label 102 to reach MAC 1)
Frame MAC1 -> MAC2 leaving PE1: [tunnel label to PE2][170][MAC2 MAC1 Data]; frame MAC2 -> MAC1 leaving PE2: [tunnel label to PE1][102][MAC1 MAC2 Data]
MAC Address Withdrawal Message
The message speeds up the convergence process; otherwise a PE relies on the MAC address aging timer
Upon failure the PE removes its locally learned MAC addresses
It sends an LDP Address Withdraw (RFC 3036) to the remote PEs in the VPLS (using the Directed LDP session)
The new MAC List TLV is used to withdraw the addresses
[Diagram: the PE whose attachment circuit failed sends a MAC Withdrawal over its Directed LDP sessions to the other PEs across the MPLS core]
VPLS Topology – PE View
Each PE has a P2MP view of all other PEs; it sees itself as a root bridge with split horizon loop protection
The full mesh topology obviates STP in the SP network
Customer STP is transparent to the SP; customer BPDUs are forwarded transparently
[Diagram: PE view, full mesh of LDP sessions over MPLS with an Ethernet PW to each peer; CEs hang off the PEs]
VPLS Topology – CE View
CE routers/switches see a logical bridge/LAN
VPLS emulates a LAN, but not exactly; this raises a few issues which are discussed later
[Diagram: CEs connected to the MPLS VPLS core, seen by the CEs as a single LAN]
VPLS Architectures
VPLS defines two architectures:
Direct Attachment (Flat): described in section 4 of draft-ietf-l2vpn-vpls-ldp
Hierarchical, or H-VPLS, comprising two access methods, described in section 10 of draft-ietf-l2vpn-vpls-ldp:
Ethernet Edge (EE-H-VPLS): QinQ tunnels
MPLS Edge (ME-H-VPLS): PWE3 Pseudo Wires (EoMPLS)
Each architecture has different scaling characteristics
VPLS Functional Components
[Diagram: CE - U-PE - N-PE - MPLS Core - N-PE - U-PE - CE; the U-PEs sit in customer MxUs, the N-PEs in SP PoPs]
The N-PE provides VPLS termination and L3 services
The U-PE provides the customer UNI
The CE is the customer device
Direct Attachment (Flat) Characteristics
Suitable for simple/small implementations
Full mesh of directed LDP sessions required: N*(N-1)/2 Pseudo Wires; scalability becomes an issue as the number of PE routers grows
No hierarchical scalability
VLAN and port level support (no QinQ)
Potential signaling and packet replication overhead: large amount of multicast replication over the same physical link, and CPU overhead for the replication
Direct Attachment VPLS (Flat Architecture)
[Diagram: CE - N-PE - MPLS Core - N-PE - CE; Ethernet (VLAN/port) attachment circuits; full mesh of PWs + LDP in the core]
Frame encapsulation at each stage:
Customer (802.1q): MAC2 MAC1 Data
SP Core (Pseudo Wire): PE label, VC label, MAC2 MAC1 Data
Remote customer (802.1q): MAC2 MAC1 Data
Hierarchical VPLS (H-VPLS)
Best for larger scale deployment
Reduction in packet replication and signaling overhead
Consists of two levels in a hub and spoke topology:
The hub consists of a full mesh of VPLS Pseudo Wires in the MPLS core
The spokes consist of L2/L3 tunnels connecting to the VPLS (hub) PEs: Q-in-Q (L2), MPLS (L3), L2TPv3 (L3)
Some additional H-VPLS terms:
MTU-s: Multi-Tenant Unit switch capable of bridging (U-PE)
PE-r: non-bridging PE router
PE-rs: bridging and routing capable PE
Why H-VPLS?
VPLS (flat):
Potential signaling overhead: full PW mesh from the edge
Packet replication done at the edge
Node discovery and provisioning extend end to end
H-VPLS:
Minimizes signaling overhead: full PW mesh among core devices only
Packet replication done in the core
Partitions the node discovery process
[Diagram: flat VPLS with CEs attached directly to fully meshed PEs, versus H-VPLS with CEs attached to MTU-s and PE-r spokes hanging off a full mesh of PE-rs]
Ethernet Edge H-VPLS (EE-H-VPLS)
[Diagram: CE - U-PE (MTU-s) - N-PE (PE-rs) - MPLS Core - N-PE (PE-rs) - U-PE (MTU-s) - CE; 802.1q access from CE to U-PE, QinQ tunnel from U-PE to N-PE, full mesh of PWs + LDP in the core]
Frame encapsulation at each stage:
1. Customer (802.1q): MAC2 MAC1 VlanCE Data
2. SP Edge (QinQ): MAC2 MAC1 VlanSP VlanCE Data
3. SP Core (Pseudo Wire): PE label, VC label, MAC2 MAC1 VlanCE Data
Bridge Capability in EE-H-VPLS
Local edge traffic does not have to traverse the N-PE
The MTU-s can switch traffic locally
Saves bandwidth capacity on the circuits to the N-PE
[Diagram: two CEs on the same U-PE (MTU-s) switched locally, without reaching the N-PE (PE-rs)]
Ethernet Edge Topologies
[Diagram: a multiservice MPLS VPLS core of P routers with Intelligent Edge N-PEs (Network Facing Provider Edge); Efficient Access U-PEs (User Facing Provider Edge) and PE-AGG large scale aggregation reach the N-PEs over several metro access designs: Metro A (GE ring), Metro B (hub and spoke), Metro C (DWDM/CWDM), Metro D (RPR); full service CPE attach at 10/100/1000 Mbps]
MPLS Edge H-VPLS
[Diagram: CE - U-PE (PE-rs) - N-PE (PE-rs) - MPLS Core - N-PE (PE-rs) - U-PE (PE-rs) - CE; 802.1q access from CE to U-PE, MPLS Pseudo Wire from U-PE to N-PE over the MPLS access, full mesh of PWs + LDP in the core]
Frame encapsulation at each stage:
1. Customer (802.1q): MAC2 MAC1 VlanCE Data
2. SP Edge (MPLS PW): PE label, VC label, MAC2 MAC1 VlanCE Data
3. SP Core (Pseudo Wire): PE label, VC label, MAC2 MAC1 VlanCE Data
The same VCID is used in the edge and in the core (the labels may differ)
VFI and Split Horizon (VPLS, EE-H-VPLS)
The Virtual Forwarding Interface is the VSI representation in IOS
A single interface terminates all PWs for that VPLS instance
This model is applicable in direct attach and in H-VPLS with Ethernet Edge
[Diagram: N-PE1 with a VFI; the bridging function (.1Q or QinQ) faces the local CEs, and Pseudo Wire #1 (to N-PE2) and Pseudo Wire #2 (to N-PE3) terminate on the VFI with split horizon active]
Broadcast/multicast received from a CE (local switching) is replicated to both PWs
Traffic received on PW #1 is forwarded to the local CEs but will not be replicated out PW #2, and vice versa
VFI and NO Split Horizon (ME-H-VPLS)
This model is applicable to H-VPLS with MPLS Edge
[Diagram: N-PE1 with a VFI; Pseudo Wire #1 (to N-PE2) and Pseudo Wire #2 (to N-PE3) terminate with split horizon active; Pseudo Wire #3, MPLS based, goes to the U-PE with split horizon disabled]
PW #1 and PW #2 will forward traffic to PW #3 (the non split horizon port), and unicast traffic from the U-PE on PW #3 is forwarded towards the core PWs
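The VFI behaviour of the preceding slides (MAC learning against attachment circuits and pseudo wires, flooding, split horizon between the mesh PWs, a no-split-horizon spoke PW towards a U-PE, and MAC withdrawal), as an added model that is not part of the original presentation and not Cisco IOS code. Port names and MAC addresses are constructed; the empty-list withdraw semantics follow RFC 4762.

```python
"""Toy VPLS Virtual Switch Instance (VFI): learning, flooding, split horizon, MAC withdrawal.
Added example, not Cisco code; port names and MACs are constructed."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class VSI:
    def __init__(self, name, age_secs=300):
        self.name = name
        self.age_secs = age_secs
        self.ports = {}        # name -> {"kind": "ac" | "pw", "split_horizon": bool}
        self.mac_table = {}    # mac -> (port name, time of last refresh)

    def add_ac(self, name):
        self.ports[name] = {"kind": "ac", "split_horizon": False}

    def add_pw(self, name, split_horizon=True):
        # Core full-mesh PWs keep split horizon; an H-VPLS spoke PW is added without it.
        self.ports[name] = {"kind": "pw", "split_horizon": split_horizon}

    def _age_out(self, now):
        for mac, (_, seen) in list(self.mac_table.items()):
            if now - seen > self.age_secs:
                del self.mac_table[mac]

    def _may_forward(self, ingress, egress):
        if egress == ingress:
            return False
        # Split horizon: a frame from one mesh PW is never sent out another mesh PW.
        return not (self.ports[ingress]["split_horizon"] and self.ports[egress]["split_horizon"])

    def forward(self, src, dst, ingress, now=0.0):
        """Learn src on the ingress port and return the egress port(s) for dst."""
        self._age_out(now)
        self.mac_table[src] = (ingress, now)      # learn, or refresh the aging timer
        if dst != BROADCAST and dst in self.mac_table:
            egress = self.mac_table[dst][0]
            return [egress] if self._may_forward(ingress, egress) else []
        # Broadcast, multicast or unknown unicast: flood, honouring split horizon.
        return sorted(p for p in self.ports if self._may_forward(ingress, p))

    def local_failure(self, ac):
        """An AC went down: drop its MACs and return them for the LDP MAC List TLV."""
        withdrawn = sorted(m for m, (p, _) in self.mac_table.items() if p == ac)
        for mac in withdrawn:
            del self.mac_table[mac]
        return withdrawn

    def receive_withdraw(self, pw, macs):
        """MAC Address Withdraw received from the peer behind `pw`: listed MACs are flushed;
        an empty list flushes everything not learned from that peer (RFC 4762 semantics)."""
        for mac, (port, _) in list(self.mac_table.items()):
            if (macs and mac in macs) or (not macs and port != pw):
                del self.mac_table[mac]


def scenario():
    """N-PE1 with one CE, two mesh PWs and one spoke PW to a U-PE (constructed)."""
    vsi = VSI("VPLS-A")
    vsi.add_ac("ce1")
    vsi.add_pw("pw_npe2")
    vsi.add_pw("pw_npe3")
    vsi.add_pw("pw_upe", split_horizon=False)
    a, b, c, d = ("00:00:00:00:00:0" + x for x in "abcd")
    out = {}
    out["unknown_from_ce"] = vsi.forward(a, b, "ce1", now=0)            # flood to all PWs
    out["known_from_mesh"] = vsi.forward(b, a, "pw_npe2", now=1)        # unicast to ce1
    out["bcast_from_mesh"] = vsi.forward(b, BROADCAST, "pw_npe2", now=2)  # not to pw_npe3
    out["bcast_from_spoke"] = vsi.forward(c, BROADCAST, "pw_upe", now=3)  # to everything else
    out["mesh_to_mesh"] = vsi.forward(d, b, "pw_npe3", now=4)           # dropped: split horizon
    out["withdrawn"] = vsi.local_failure("ce1")                         # MAC a leaves the table
    vsi.receive_withdraw("pw_npe2", [])                                 # keep only pw_npe2's MACs
    out["left_after_flush"] = sorted(vsi.mac_table)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The `mesh_to_mesh` case is the one the slides rely on for loop freedom: a known unicast arriving from N-PE3 whose destination was learned from N-PE2 is dropped rather than relayed, because the full mesh guarantees N-PE3 can reach N-PE2 directly.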
VPLS Logical Topology Comparison

Direct Attach
Pros: Simple access via Ethernet
Cons: No hierarchical scalability; customer VLANs cannot overlap; 4K customer VLAN limit in the Ethernet access domain; high STP reconvergence time

H-VPLS – QinQ tunnel
Pros: Simple access via Ethernet; hierarchical support via QinQ at the access; scalable customer VLANs (4K x 4K); 4K customers supported per Ethernet access domain
Cons: High STP re-convergence time; MAC is not scalable as customer MACs are still seen on the SP network; supported on SIP-600 only as of 12.2(33)SRA

H-VPLS – MPLS PW
Pros: Fast L3 IGP convergence; MPLS TE FRR <50 msec; hierarchical support via MPLS PW at the access
Cons: More complicated provisioning; requires MPLS to the U-PE; OSM/SIP-400/600 as the U-PE facing card on the N-PE (for 7600)
Configuration Examples
Direct Attachment: using a router as a CE (VLAN based); using a switch as a CE (port based)
H-VPLS: Ethernet QinQ; EoMPLS Pseudo Wire (VLAN based); EoMPLS Pseudo Wire (port based)
Sample Output
Direct Attachment Configuration (C7600)
The CEs are all part of the same VPLS instance (VCID = 56); each CE router connects using VLAN 100 over a sub-interface
[Topology: PE1 (1.1.1.1), PE2 (2.2.2.2) and PE3 (3.3.3.3) around the MPLS core, linked by pos3/0, pos3/1, pos4/1 and pos4/3; the CE facing interfaces are gi3/0, gi4/4 and gi4/2, each carrying VLAN 100 to a CE]
Direct Attachment CE Router Configuration
The CE routers' sub-interfaces are on the same VLAN and in the same subnet, 192.168.20.0/24; the attachment can also be just port based (no VLAN). The slide labels both remote CEs "CE2"; they are shown here as CE2 and CE3.

CE1:
  interface GigabitEthernet 2/1.100
   encapsulation dot1q 100
   ip address 192.168.20.1 255.255.255.0

CE2:
  interface GigabitEthernet 1/3.100
   encapsulation dot1q 100
   ip address 192.168.20.2 255.255.255.0

CE3:
  interface GigabitEthernet 2/0.100
   encapsulation dot1q 100
   ip address 192.168.20.3 255.255.255.0
Direct Attachment VSI Configuration
Create the Pseudo Wires between the N-PE routers: every PE lists every other PE as a neighbour under the same VFI name and VPN ID
[Topology as on the previous slide]

PE1 (1.1.1.1):
  l2 vfi VPLS-A manual
   vpn id 56
   neighbor 2.2.2.2 encapsulation mpls
   neighbor 3.3.3.3 encapsulation mpls

PE2 (2.2.2.2):
  l2 vfi VPLS-A manual
   vpn id 56
   neighbor 1.1.1.1 encapsulation mpls
   neighbor 3.3.3.3 encapsulation mpls

PE3 (3.3.3.3):
  l2 vfi VPLS-A manual
   vpn id 56
   neighbor 1.1.1.1 encapsulation mpls
   neighbor 2.2.2.2 encapsulation mpls
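A check a practitioner would run over the VSI configurations above before bringing the mesh up, as an added example that is not part of the original presentation and not a Cisco tool: it parses the `l2 vfi` blocks of each N-PE and verifies that the full mesh is symmetric, that the VPN ID matches, and that `no-split-horizon` appears only towards U-PE spokes (a mesh PE reached without split horizon is a loop risk; a spoke reached with split horizon on blocks the CE traffic, as the H-VPLS slides note). The configuration text is constructed from the slide values; the missing neighbour and the missing `no-split-horizon` in the second set are deliberate.

```python
"""Consistency check for VPLS 'l2 vfi' blocks across a set of N-PEs.
Added example, not Cisco code; configs are constructed from the slide values."""
import re
from collections import defaultdict

VFI_RE = re.compile(r"^l2 vfi (\S+) manual\s*$")
VPN_RE = re.compile(r"^\s+vpn id (\d+)\s*$")
NBR_RE = re.compile(r"^\s+neighbor (\S+) encapsulation mpls(\s+no-split-horizon)?\s*$")


def parse_vfis(config):
    """Return {vfi name: {"vpn_id": int, "neighbors": {peer: split_horizon_enabled}}}."""
    vfis, cur = {}, None
    for line in config.splitlines():
        m = VFI_RE.match(line)
        if m:
            cur = vfis.setdefault(m.group(1), {"vpn_id": None, "neighbors": {}})
            continue
        if cur is None:
            continue
        if not line or not line[0].isspace():      # "!" or the next top-level command ends the block
            cur = None
            continue
        m = VPN_RE.match(line)
        if m:
            cur["vpn_id"] = int(m.group(1))
            continue
        m = NBR_RE.match(line)
        if m:
            cur["neighbors"][m.group(1)] = m.group(2) is None   # no-split-horizon absent -> SH on
    return vfis


def check_mesh(configs, npes):
    """configs: {loopback: running-config text}; npes: loopbacks that are full-mesh N-PEs."""
    by_vpn = defaultdict(dict)                   # vpn id -> {pe: {peer: split_horizon}}
    for pe, cfg in configs.items():
        for vfi in parse_vfis(cfg).values():
            by_vpn[vfi["vpn_id"]][pe] = vfi["neighbors"]
    findings = []
    for vpn, members in by_vpn.items():
        mesh = {pe for pe in members if pe in npes}
        for pe in mesh:
            nbrs = members[pe]
            for other in mesh - {pe}:
                if other not in nbrs:
                    findings.append(f"vpn {vpn}: {pe} missing neighbor {other} (mesh incomplete)")
                elif not nbrs[other]:
                    findings.append(f"vpn {vpn}: {pe} -> {other} has no-split-horizon towards a mesh N-PE (loop risk)")
            for peer, split_horizon in nbrs.items():
                if peer in members and pe not in members[peer]:
                    findings.append(f"vpn {vpn}: {peer} does not list {pe} back (PW will not come up)")
                if peer not in npes and split_horizon:
                    findings.append(f"vpn {vpn}: {pe} -> {peer} is a spoke (U-PE) but split horizon is on (CE traffic blocked)")
    return sorted(findings)


NPES = {"1.1.1.1", "2.2.2.2", "3.3.3.3"}

# Constructed from the slides: three mesh N-PEs, N-PE2 also has a spoke PW to U-PE 4.4.4.4.
GOOD = {
    "1.1.1.1": "l2 vfi VPLS-A manual\n vpn id 56\n neighbor 2.2.2.2 encapsulation mpls\n"
               " neighbor 3.3.3.3 encapsulation mpls\n!\n",
    "2.2.2.2": "l2 vfi VPLS-A manual\n vpn id 56\n neighbor 1.1.1.1 encapsulation mpls\n"
               " neighbor 3.3.3.3 encapsulation mpls\n"
               " neighbor 4.4.4.4 encapsulation mpls no-split-horizon\n!\n",
    "3.3.3.3": "l2 vfi VPLS-A manual\n vpn id 56\n neighbor 1.1.1.1 encapsulation mpls\n"
               " neighbor 2.2.2.2 encapsulation mpls\n!\n",
}

# Same mesh with two deliberate provisioning mistakes: PE3 forgot PE2, and the spoke
# PW to the U-PE was added without no-split-horizon.
BAD = dict(GOOD)
BAD["3.3.3.3"] = "l2 vfi VPLS-A manual\n vpn id 56\n neighbor 1.1.1.1 encapsulation mpls\n!\n"
BAD["2.2.2.2"] = GOOD["2.2.2.2"].replace(" no-split-horizon", "")

if __name__ == "__main__":
    print("good mesh:", check_mesh(GOOD, NPES) or "no findings")
    for f in check_mesh(BAD, NPES):
        print("bad mesh:", f)
```

Running it against the configurations of all PEs at once is the point: each `l2 vfi` block looks correct on its own, and the missing reverse entry only shows up when the peer's configuration is parsed alongside it.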
Direct Attachment CE Router (VLAN Based)
The same set of commands is configured on each PE, on the CE facing interface; the "xconnect vfi" command under the VLAN interface associates the VLAN with the VPLS instance (VLAN 100 = VCID 56)
[Topology as on the previous slides]

  interface GigabitEthernet3/0
   switchport
   switchport mode trunk
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 100
  !
  interface Vlan100
   no ip address
   xconnect vfi VPLS-A
  !
  vlan 100
   state active
Direct Attachment CE Switch (Port Based)
If the CE is a switch instead of a router we can use QinQ; QinQ places all traffic (tagged and untagged) from the switch into the VPLS, so the attachment circuit carries all of the customer's VLANs
The "xconnect vfi" command again associates VLAN 100 with the VPLS instance (VLAN 100 = VCID 56); "l2protocol-tunnel stp" carries the customer's BPDUs across the VPLS instead of processing them on the PE
[Topology as on the previous slides, with the CE switches sending all VLANs]

  interface GigabitEthernet3/0
   switchport
   switchport mode dot1q-tunnel
   switchport access vlan 100
   l2protocol-tunnel stp
  !
  interface Vlan100
   no ip address
   xconnect vfi VPLS-A
  !
  vlan 100
   state active
H-VPLS Configuration (C7600/3750ME)
The U-PEs provide services to the customer edge devices; CE traffic is then carried in QinQ or in an EoMPLS PW to the N-PE
The PW VSI mesh configuration is the same as in the previous examples
[Topology: N-PE1 (1.1.1.1), N-PE2 (2.2.2.2) and N-PE3 (3.3.3.3) around the MPLS core (pos3/0, pos3/1, pos4/1, pos4/3); U-PE1, U-PE2 (4.4.4.4) and U-PE3 are Cisco 3750MEs, each with CE1 and CE2 attached; U-PE2 fa1/0/1 faces the CEs and its gi1/1/1 connects to N-PE2 gi4/4]
H-VPLS QinQ Tunnel (Ethernet Edge)
The U-PE carries all traffic from the CE using QinQ: the outer tag is VLAN 100, the inner tags are the customer's
[Topology as on the previous slide: U-PE2 (4.4.4.4, Cisco 3750ME) fa1/0/1 faces the CEs, gi1/1/1 connects to N-PE2 gi4/4]

U-PE2 (3750ME):
  interface FastEthernet1/0/1
   switchport
   switchport access vlan 100
   switchport mode dot1q-tunnel
   switchport trunk allowed vlan 1-1005
  !
  interface GigabitEthernet1/1/1
   switchport
   switchport mode trunk
   switchport trunk allowed vlan 1-1005

N-PE2 (7600):
  interface GigabitEthernet4/4
   switchport
   switchport mode trunk
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 100
  !
  interface Vlan100
   no ip address
   xconnect vfi VPLS-A
  !
  vlan 100
   state active
H-VPLS EoMPLS PW Edge (VLAN Based)
The CE interface on the U-PE can be an access or a trunk port; an xconnect per VLAN is required
On the N-PE the U-PE is added to the VFI as a neighbour with no-split-horizon, which ensures CE traffic is passed on the PW to/from the U-PE
[Topology as on the previous slides: U-PE2 (4.4.4.4) fa1/0/1 faces the CEs, gi1/1/1 (156.50.20.2/30) connects to N-PE2 gi4/4 (156.50.20.1/30) over an MPLS enabled link]

U-PE2 (3750ME):
  interface FastEthernet1/0/1
   switchport
   switchport access vlan 500
  !
  interface Vlan500
   xconnect 2.2.2.2 56 encapsulation mpls
  !
  interface GigabitEthernet1/1/1
   no switchport
   ip address 156.50.20.2 255.255.255.252
   mpls ip

N-PE2 (7600):
  interface GigabitEthernet4/4
   no switchport
   ip address 156.50.20.1 255.255.255.252
   mpls ip
  !
  l2 vfi VPLS-A manual
   vpn id 56
   neighbor 1.1.1.1 encapsulation mpls
   neighbor 3.3.3.3 encapsulation mpls
   neighbor 4.4.4.4 encapsulation mpls no-split-horizon
H-VPLS EoMPLS PW Edge (Port Based)
The CE side can be an access or a trunk port; on the U-PE an xconnect for the entire port is required (the port is configured with "no switchport", so all tagged and untagged frames enter the PW)
On the N-PE the U-PE is again a no-split-horizon neighbour of the VFI, which ensures CE traffic is passed on the PW to/from the U-PE
[Topology as on the previous slides: U-PE2 (4.4.4.4) fa1/0/1 faces the CE, gi1/1/1 (156.50.20.2/30) connects to N-PE2 gi4/4 (156.50.20.1/30)]

U-PE2 (3750ME):
  interface FastEthernet1/0/1
   no switchport
   xconnect 2.2.2.2 56 encapsulation mpls
  !
  interface GigabitEthernet1/1/1
   no switchport
   ip address 156.50.20.2 255.255.255.252
   mpls ip

N-PE2 (7600):
  interface GigabitEthernet4/4
   no switchport
   ip address 156.50.20.1 255.255.255.252
   mpls ip
  !
  l2 vfi VPLS-A manual
   vpn id 56
   neighbor 1.1.1.1 encapsulation mpls
   neighbor 3.3.3.3 encapsulation mpls
   neighbor 4.4.4.4 encapsulation mpls no-split-horizon
show mpls l2 vc
[Topology as on the previous slides]
Sample output; note that it uses VC ID 10 rather than the VCID 56 of the configuration examples. Both VCs of the VFI are up:

  NPE-A#show mpls l2 vc
  Local intf     Local circuit    Dest address     VC ID      Status
  -------------  ---------------  ---------------  ---------  ------
  VFI VPLS-A     VFI              1.1.1.1          10         UP
  VFI VPLS-A     VFI              3.3.3.3          10         UP
show mpls l2 vc detail
[Topology as on the previous slides]
This PE imposes VC label 19 (remote) towards 1.1.1.1 and expects to receive VC label 23 (local) from it:

  NPE-2#show mpls l2 vc detail
  Local interface: VFI VPLS-A up
    Destination address: 1.1.1.1, VC ID: 10, VC status: up
      Tunnel label: imp-null, next hop 156.50.20.1
      Output interface: POS4/3, imposed label stack {19}
    Create time: 1d01h, last status change time: 00:40:16
    Signaling protocol: LDP, peer 1.1.1.1:0 up
      MPLS VC labels: local 23, remote 19
Deployment Issues
Deployment Issues
MTU Size
Broadcast Handling
Router or a Switch CPE?
Ramblings of an Engineer
A Sample Problem
Pseudo Wire Data Plane Overhead
At imposition, the N-PE encapsulates the CE Ethernet or VLAN packet to route it across the MPLS cloud
These are the associated overheads:
Transport header: 6 bytes DA + 6 bytes SA + 2 bytes Ethertype + an optional 4 bytes of VLAN tag (carried in a port based service)
At least 2 levels of MPLS header (tunnel + VC) of 4 bytes each: outer label (32 bits) and inner label (32 bits)
An optional 4-byte control word
[Frame layout: Tunnel Header | VC Header | L2 Header | Original Ethernet Frame]
Calculating Core MTU Requirements
Core MTU ≥ Edge MTU + Transport Header + AToM Header + (MPLS Label Stack * MPLS Header Size)
Edge MTU is the MTU configured in the CE-facing PE interface
Examples (all in bytes; bracketed totals are without the optional control word):

Mode                    Edge   Transport   AToM    MPLS Stack   MPLS Header   Total
EoMPLS Port Mode        1500   14          4 [0]   2            4             1526 [1522]
EoMPLS VLAN Mode        1500   18          4 [0]   2            4             1530 [1526]
EoMPLS Port w/ TE FRR   1500   14          4 [0]   3            4             1530 [1526]
Beware the MTU – It Can Get Real Big
[Figure: Carrier Pseudowire Encapsulation of an Enterprise MPLS Frame, field sizes in bytes: Preamble 7 | Start of Frame Delimiter 1 | Carrier Destination MAC 6 | Carrier Source MAC 6 | Ethertype = 8847 2 | Traffic Engineering label 4 | EoMPLS Tunnel Label 4 | EoMPLS VC Label 4 | Control Word 4 | Cust Destination MAC 6 | Cust Source MAC 6 | VLAN Protocol ID = 8100 2 | VLAN ID Info 2 | Cust Type 2 | Cust Packet > 1500 | Frame Check Sequence 4. Data portion may be > 1500 if carrying MPLS labels.]
MTU Sizing
Packet size can get very large in backhaul due to multiple tags and labels
Ensure core and access Ethernet interfaces are configured with appropriate MTU size
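An added calculator (example code, not from the deck) that implements the Core MTU rule above, reproduces the three table rows with and without the control word, and totals the full on-the-wire carrier frame from the field sizes in the encapsulation figure. The constants are the standard sizes the slides quote; the mode table is constructed from the deck's rows.

```python
"""Pseudowire MTU calculator: an added example, not code from the deck.

Core MTU >= Edge MTU + Transport Header + AToM Header + (Label Stack * MPLS Header)
Field sizes are the standard ones the slides quote (bytes).
"""
from dataclasses import dataclass

ETH_HDR = 14        # DA(6) + SA(6) + EtherType(2)
VLAN_TAG = 4        # 802.1Q tag: TPID(2) + TCI(2), present in VLAN mode
MPLS_LABEL = 4      # one 32-bit MPLS shim header
CONTROL_WORD = 4    # optional AToM control word
PREAMBLE_SFD = 8    # 7-byte preamble + 1-byte start-of-frame delimiter
FCS = 4             # frame check sequence


@dataclass(frozen=True)
class PwMode:
    name: str
    vlan_tagged: bool   # transport header carries the customer VLAN tag
    label_depth: int    # tunnel + VC (+1 for a TE FRR backup label)


# Constructed: the three rows of the deck's table.
MODES = (
    PwMode("EoMPLS Port Mode", vlan_tagged=False, label_depth=2),
    PwMode("EoMPLS VLAN Mode", vlan_tagged=True, label_depth=2),
    PwMode("EoMPLS Port w/ TE FRR", vlan_tagged=False, label_depth=3),
)


def core_mtu(edge_mtu: int, mode: PwMode, control_word: bool = True) -> int:
    """Smallest core MTU that carries an edge frame of edge_mtu bytes."""
    transport = ETH_HDR + (VLAN_TAG if mode.vlan_tagged else 0)
    atom = CONTROL_WORD if control_word else 0
    return edge_mtu + transport + atom + mode.label_depth * MPLS_LABEL


def mtu_table(edge_mtu: int = 1500) -> dict:
    """Per mode: (with control word, without), like the 'Total [no CW]' column."""
    return {m.name: (core_mtu(edge_mtu, m, True), core_mtu(edge_mtu, m, False))
            for m in MODES}


def core_link_ok(core_if_mtu: int, edge_mtu: int, mode: PwMode,
                 control_word: bool = True) -> bool:
    """Check a configured core interface MTU against the requirement."""
    return core_if_mtu >= core_mtu(edge_mtu, mode, control_word)


def wire_frame_bytes(cust_data: int, mode: PwMode, control_word: bool = True) -> int:
    """Whole carrier frame on the wire: preamble/SFD, carrier Ethernet header,
    the core-MTU payload and FCS, as drawn on the 'Beware the MTU' slide."""
    return PREAMBLE_SFD + ETH_HDR + core_mtu(cust_data, mode, control_word) + FCS
```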
Broadcast/Multicast/Unknown Unicast Handling
VPLS relies on ingress replication
Ingress PE replicates the multicast packet to each egress Pseudo Wire (PE neighbour)
Ethernet switches replicate broadcast/multicast flows once per output interface
VPLS may duplicate packets over the same physical egress interface – once for each PW that interface carries
Unnecessary replication brings the risk of resource exhaustion as the number of PWs increases
Some discussion on maybe using multicast for PWs rather than a full mesh of P2P Pseudo Wires
Switch or Router as CE device
Ethernet Switch as CE device
If directly attached, the SP allocates the VLAN – could be an issue in the customer network
SP UNI exposed to the L2 network of the customer
L2 PDUs must be tunnelled, such as STP BPDUs
No visibility of the network behind the CE switch
Many MAC addresses can exist on the UNI
High exposure to broadcast storms
Router as CE device
Single MAC address exists (for the interface of the router)
No STP interactions
Router controls broadcast issues (multicast still happens)
VPLS Caveats (Ramblings of an Engineer)
VPLS may introduce non-deterministic behaviour in the SP core
Case in point – learning of VPN routes
An MPLS-VPN provides an ordered manner to learn VPNv4 routes using MP-BGP – unknown addresses are dropped
In VPLS, learning is achieved through flooding of MAC addresses
An excessive number of Unknown, Broadcast and Multicast frames could behave as a series of “packet bombs”
Solution: Ingress Threshold Filters (on U-PE or N-PE)
How to selectively choose which Ethernet frames to discard?
How to avoid dropping Routing and Keepalives (control)?
May cause more problems in the customer network…
How many MAC addresses allowed?
Does the SP really want to take this responsibility?
VPLS Caveats (Ramblings of an Engineer)
DoS attack has a higher probability of manifesting
Whether intentional or by mis-configuration
Since traffic is carried at layer 2, a lot of chatter could be traversing the MPLS core unnecessarily.
For example, status requests for printers
How is CoS applied across a VPLS service?
Should all frames on a VPLS interface be afforded the same class of service?
Should there be some sort of differentiation?
A Common VPLS Problem
Protocols expect LAN behaviour
VPLS is viewed as an Ethernet network
Although it does not necessarily behave like one
VPLS is “virtual” in its LAN service
There are some behaviours which differ from a real LAN
An example: the OSPF designated router problem…
OSPF Designated Router Problem
VPLS View
Router A is the DR, Router B is the BDR
Router C sees both A and B via Pseudo Wires
[Figure: VPLS view – OSPF DR (A), OSPF Backup DR (B) and OSPF Neighbour (C) connected to each other by Pseudo Wires; Router view – A, B and C on a single LAN segment.]
Router View
Router A, B and C behave like they are on a LAN
OSPF Designated Router Problem
Assume the PW between A and B loses connectivity
Router A and Router B cannot see each other
Router C can still see both Router A and Router B
[Figure: Pseudo Wires between OSPF DR (A), OSPF Backup DR (B) and OSPF Neighbour (C), with the A–B Pseudo Wire down.]
Ethernet frames travel along discrete paths in a VPLS
Therefore Router C can see both Router A and B
But Router A and Router B cannot see each other!
Router B assumes A has failed and becomes the DR
Router C now sees two DRs on the same LAN segment – Problem!
No arbitration available between Router A and Router B
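The partial-connectivity scenario above, as an added toy model (example code, not from the deck): each router elects a DR from the routers it can hear over working pseudowires, and a check reports which router hears two different routers each claiming to be DR. The router-ids and links are constructed; real OSPF adds hello state, priorities and a wait timer that this model leaves out.

```python
"""Toy model of the OSPF DR problem on a VPLS: an added example, not from the deck.

Each router elects a DR from the routers it can hear over working pseudowires.
Only the election rule the slides rely on is modelled (highest router-id wins).
"""


def local_views(routers, links):
    """Set of routers each router can hear: itself plus neighbours over a working PW."""
    views = {r: {r} for r in routers}
    for a, b in links:
        views[a].add(b)
        views[b].add(a)
    return views


def elect(visible, router_id):
    """Simplified election: highest router-id in the visible set is DR, next is BDR."""
    ranked = sorted(visible, key=router_id, reverse=True)
    return ranked[0], (ranked[1] if len(ranked) > 1 else None)


def dr_claims(routers, links, router_id):
    """Who each router announces as DR in its hellos, based only on its own view."""
    views = local_views(routers, links)
    return {r: elect(views[r], router_id)[0] for r in routers}


def conflict_observers(routers, links, router_id):
    """Routers that hear two different neighbours each claiming to be DR themselves."""
    views = local_views(routers, links)
    claims = dr_claims(routers, links, router_id)
    observers = []
    for r in routers:
        self_claimants = {n for n in views[r] if claims[n] == n}
        if len(self_claimants) > 1:
            observers.append(r)
    return observers


# Constructed topology from the slides: A has the highest router-id (DR), B next (BDR).
RID = {"A": 3, "B": 2, "C": 1}.__getitem__
ROUTERS = ["A", "B", "C"]
FULL_MESH = [("A", "B"), ("A", "C"), ("B", "C")]
AB_DOWN = [("A", "C"), ("B", "C")]          # pseudowire between A and B lost

if __name__ == "__main__":
    for label, links in (("full mesh", FULL_MESH), ("A-B PW down", AB_DOWN)):
        print(label, dr_claims(ROUTERS, links, RID),
              "conflict seen by:", conflict_observers(ROUTERS, links, RID))
```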
Summary
Summary
VPLS has its advantages and benefits
Non-IP protocols supported, customers do not have routing interaction, etc.
Use routers as the CE device
Understand their multicast requirements
Then again, maybe MPLS-VPN could do the job?
Avoid switches as CPE
Otherwise understand the customer’s network requirements
Devices, applications (broadcast/multicast vs unicast)
Q & A