L2TP. VPDNs. Pseudowires, AToM. Virtual Private LAN ...wh.cs.vsb.cz/sps/images/6/6f/Metro-VPLS.pdf · •May provide a new QoS-aware L2 service on the existing MPLS core •Flexible

© 2009 Petr Grygarek, Advanced Computer Networks Technologies 1

L2 VPNs.L2 VPNs.

L2TP. VPDNs.L2TP. VPDNs.Pseudowires, AToM.Pseudowires, AToM.

Virtual Private LAN Services. Virtual Private LAN Services. Metro/Carrier Ethernet.Metro/Carrier Ethernet.

Petr GrygPetr Grygáárekrek

2© 2009 Petr Grygarek, Advanced Computer Networks Technologies

Layer 2 VPNsLayer 2 VPNs


Usages of L2 VPNsUsages of L2 VPNs• Server farms/clusters and other L2-dependent Server farms/clusters and other L2-dependent

applicationsapplications• redundancy and load-balancing implementations dependent redundancy and load-balancing implementations dependent

on L2 connectivity (single broadcast domain)on L2 connectivity (single broadcast domain)

• Virtual leased linesVirtual leased lines• Including potential L2 protocol conversion between Including potential L2 protocol conversion between

customer sites (“interworking”)customer sites (“interworking”)• e.g. Ethernet - Frame Relaye.g. Ethernet - Frame Relay

• Virtual Private LANs (multipoint)Virtual Private LANs (multipoint)• Overlay networks with customer routing separated Overlay networks with customer routing separated

from the ISP routingfrom the ISP routing


Comparison of L2 and L3 VPNs (1)Comparison of L2 and L3 VPNs (1)

• Information used by ISP to forward Information used by ISP to forward packets/frames (L3 or L2 headers)packets/frames (L3 or L2 headers)

• Level of customer's control of the routingLevel of customer's control of the routing• Customer routing may be integrated or independent Customer routing may be integrated or independent

on ISP routingon ISP routing


Comparison of L2 and L3 VPNs (2)Comparison of L2 and L3 VPNs (2)• IP-specific (L3) or multiprotocol (L2)IP-specific (L3) or multiprotocol (L2)

• GRE may help to carry L2 traffic over L3 tunnelsGRE may help to carry L2 traffic over L3 tunnels

• Access technologyAccess technology• any IP-based line (L3) or specific L2 technologyany IP-based line (L3) or specific L2 technology

Note that L3 VPN prevails todayNote that L3 VPN prevails today• 80% of ISPs' services80% of ISPs' services• Although service provider's devices start to become Although service provider's devices start to become

overwhelmed with VPNv4 addresses which is why overwhelmed with VPNv4 addresses which is why some SPs sometimes prefer to provide L2 P2P some SPs sometimes prefer to provide L2 P2P circuitscircuits


L2VPN Services (1)L2VPN Services (1)• PseudowiresPseudowires

• P2P, Muxed or unmuxed UNIP2P, Muxed or unmuxed UNI• Muxed UNI allows to terminate multiple (separate) VCs on Muxed UNI allows to terminate multiple (separate) VCs on

the same physical interfacethe same physical interface• Muxed UNI possible if L2 framing differentiates between Muxed UNI possible if L2 framing differentiates between

traffic flowstraffic flows• 802.1q, FR, ATM802.1q, FR, ATM

• Various framing optionsVarious framing options• Ethernet (including 802.1q)Ethernet (including 802.1q)• Frame RelayFrame Relay• HDLC, PPPHDLC, PPP• ATM (AAL5 and Cell Relay)ATM (AAL5 and Cell Relay)• + interworking+ interworking


L2VPN Services (2)L2VPN Services (2)

• Virtual Private LAN Service (VPLS)Virtual Private LAN Service (VPLS)• Ethernet RelayEthernet Relay• Muxed or unmuxed UNIMuxed or unmuxed UNI

• With muxed UNI, user can connect to multiple VPLS With muxed UNI, user can connect to multiple VPLS instancesinstances

L2VPN service classification does not dictate how L2VPN service classification does not dictate how is the service implemented in the SP core network is the service implemented in the SP core network (EoMPLS, AToM, QinQ, ...)(EoMPLS, AToM, QinQ, ...)


Most Common Implementations of L2 Most Common Implementations of L2 VPN TunnelsVPN Tunnels

• EoMPLSEoMPLS• L2TPv3L2TPv3• GREGRE


Any Transport over MPLSAny Transport over MPLS(AToM)(AToM)

• AToM Technical OverviewAToM Technical Overview

• http://www.informit.com/library/content.aspx?http://www.informit.com/library/content.aspx?b=Troubleshooting_VPNs&seqNum=61b=Troubleshooting_VPNs&seqNum=61


SpecificationsSpecifications• ““The AToM framework and transport options for the various Layer 2 protocols are The AToM framework and transport options for the various Layer 2 protocols are

defined in RFC 4447, RFC 4385, RFC 4448, RFC 4717, RFC 4618, and RFC 4619. In defined in RFC 4447, RFC 4385, RFC 4448, RFC 4717, RFC 4618, and RFC 4619. In addition to these methods to transport Layer 2 protocols, RFC 4553 and RFC 4842 addition to these methods to transport Layer 2 protocols, RFC 4553 and RFC 4842 define methods to transport TDM-based services, such as T1/E1, T3/E3, and define methods to transport TDM-based services, such as T1/E1, T3/E3, and SONET/SDH, over a core MPLS network.” -Tiso, John (2011-10-31). Designing SONET/SDH, over a core MPLS network.” -Tiso, John (2011-10-31). Designing Cisco Network Service Architectures (ARCH) Foundation Learning Guide: (CCDP Cisco Network Service Architectures (ARCH) Foundation Learning Guide: (CCDP ARCH 642-874) (3rd Edition) (Foundation Learning Guides) (Kindle Locations 4189-ARCH 642-874) (3rd Edition) (Foundation Learning Guides) (Kindle Locations 4189-4191). Pearson Education. Kindle Edition.4191). Pearson Education. Kindle Edition.

• RFCs:RFCs:

• draft-martini-l2circuit-trans-mpls-07.txt: Transport of Layer 2 Frames over draft-martini-l2circuit-trans-mpls-07.txt: Transport of Layer 2 Frames over MPLSMPLS

• draft-martini-l2circuit-encap-mpls-03.txt: Encapsulation Methods for draft-martini-l2circuit-encap-mpls-03.txt: Encapsulation Methods for Transport of Layer 2 Frames over MPLSTransport of Layer 2 Frames over MPLS


AToM Usages and AdvantagesAToM Usages and Advantages

• Provides traditional L2 connectivity using MPLS coreProvides traditional L2 connectivity using MPLS core• Ethernet/FR/ATM/HDLC/PPP circuitsEthernet/FR/ATM/HDLC/PPP circuits• Transparent to usersTransparent to users

• All techniques of MPLS TE and MPLS QoS may be All techniques of MPLS TE and MPLS QoS may be applied to reach desirable characteristics of pseudowiresapplied to reach desirable characteristics of pseudowires• Allows the provisioning of QoS-aware virtual leased linesAllows the provisioning of QoS-aware virtual leased lines

• May utilize traffic-engineering tunnelsMay utilize traffic-engineering tunnels

• 802.1p, FR DE and ATM CLP may be also transferred802.1p, FR DE and ATM CLP may be also transferred


L2 Protocols Supported by AToML2 Protocols Supported by AToM• Ethernet (including 802.1q)Ethernet (including 802.1q)• ATM AAL5 PDUs + OAM cellsATM AAL5 PDUs + OAM cells• Frame Relay + LMIFrame Relay + LMI• ATM Cell RelayATM Cell Relay• PPPPPP• HDLCHDLC• Protocol InterworkingProtocol Interworking

• e.g. FR PVCs<->Ethernet VLANse.g. FR PVCs<->Ethernet VLANs• See example at See example at

http://www.debugall.co.uk/2009/08/03/frame-relay-to-http://www.debugall.co.uk/2009/08/03/frame-relay-to-vlan-interworking-atom/vlan-interworking-atom/


AToM OperationAToM Operation• Frames encapsulated with 2-level label stackFrames encapsulated with 2-level label stack

• Transport label identifies egress PETransport label identifies egress PE• VC label identifies outgoing interface on the egress PEVC label identifies outgoing interface on the egress PE

• Multiple VCs may exist between a pair of PEsMultiple VCs may exist between a pair of PEs

• Directed LDP session between PEs is used to Directed LDP session between PEs is used to distribute VC labels (Martini specification)distribute VC labels (Martini specification)• New LDP TLVs to signal Label-to-VCID mapping and VC New LDP TLVs to signal Label-to-VCID mapping and VC

type were definedtype were defined• Alternatively BGP may be used to distribute label-to-VC Alternatively BGP may be used to distribute label-to-VC

mapping (Kompella specification)mapping (Kompella specification)• PE autodiscovery possible using BGP RRs (special AF)PE autodiscovery possible using BGP RRs (special AF)

• 2 unidirectional LSPs 2 unidirectional LSPs


AToM Control WordAToM Control Word• Carried after label(s) instead of the original L2 headerCarried after label(s) instead of the original L2 header

• Special bits of original L2 headersSpecial bits of original L2 headers• FECN, BECN and DE for Frame RelayFECN, BECN and DE for Frame Relay• CLP for ATMCLP for ATM

• L2 header is reconstructed on the egress PEL2 header is reconstructed on the egress PE• May carry sequence number to avoid out-of-order frame deliveryMay carry sequence number to avoid out-of-order frame delivery

• Out-of-order frames are discardedOut-of-order frames are discarded

• Mandatory for FR and ATM AAL5, optional for other Mandatory for FR and ATM AAL5, optional for other protocolsprotocols• PEs use new LDP TLV to negotiate whether Control Words will be PEs use new LDP TLV to negotiate whether Control Words will be

present present


EoMPLSEoMPLS

• May be considered subset of AToMMay be considered subset of AToM• Ethernet frames over MPLS LSPEthernet frames over MPLS LSP• virtual circuit servicevirtual circuit service

– No L2 destination MAC address lookupNo L2 destination MAC address lookup– No L2 address learningNo L2 address learning– Port-based or VLAN-based (like Muxed E-LINEPort-based or VLAN-based (like Muxed E-LINE


Virtual Private LAN Service (VPLS)Virtual Private LAN Service (VPLS)

See also See also http://www.h3c.com/portal/Products___Solutions/Technology/MPLS/http://www.h3c.com/portal/Products___Solutions/Technology/MPLS/

VPLS/200701/195598_57_0.htmVPLS/200701/195598_57_0.htm


Virtual Private LANVirtual Private LAN• Ethernet-based any-to-any communication over IP/MPLS Ethernet-based any-to-any communication over IP/MPLS

corecore• Simulates single Ethernet broadcast domainSimulates single Ethernet broadcast domain

• virtual distributed switch that connects together customer's virtual distributed switch that connects together customer's geographically dispersed LANsgeographically dispersed LANs

• Simulates “real” Ethernet bridge over WANSimulates “real” Ethernet bridge over WAN• self-learning of MAC addresses, flooding of frames with self-learning of MAC addresses, flooding of frames with

unknown addresses+broadcasts (+multicasts), MAC address unknown addresses+broadcasts (+multicasts), MAC address withdrawal after topology change (new LDP TLV)withdrawal after topology change (new LDP TLV)

• Sites are connected by pseudowires (PW)Sites are connected by pseudowires (PW)• EoMPLS, L2TPv3EoMPLS, L2TPv3• Much faster convergence in case of failure (LSP rerouting) Much faster convergence in case of failure (LSP rerouting)

comparing with STPcomparing with STP


VPLS AdvantagesVPLS Advantages• For service providers:For service providers:

• May provide a new QoS-aware L2 service on the May provide a new QoS-aware L2 service on the existing MPLS coreexisting MPLS core

• Flexible bandwidth allocationFlexible bandwidth allocation• Compare with core composed from 100Mb/1 Gb/10Gbps Compare with core composed from 100Mb/1 Gb/10Gbps

Ethernet switch-based infrastructuresEthernet switch-based infrastructures

• No STP issuesNo STP issues

• For customers:For customers:• Simple and well-known Ethernet technologySimple and well-known Ethernet technology• The same technology in the carrier network and in The same technology in the carrier network and in

customer's LANcustomer's LAN


Implementaiton of Virtual Distributed Implementaiton of Virtual Distributed Ethernet Switch (1)Ethernet Switch (1)

• VFIs (Virtual Forwarding Instances) of the same L2 VFIs (Virtual Forwarding Instances) of the same L2 VPN (VPLS instance) on PE switches constitute VPN (VPLS instance) on PE switches constitute broadcast domainbroadcast domain• VFI is also called VSI (Virtual Switching Instance)VFI is also called VSI (Virtual Switching Instance)• Similar concept as VRF (routing instance) but on L2Similar concept as VRF (routing instance) but on L2• VFI may also relate to multiple broadcast domain if VLAN VFI may also relate to multiple broadcast domain if VLAN

tagging is usedtagging is used

• Full mesh of pseudowires between PE routersFull mesh of pseudowires between PE routers• PWs signalled using BGP (Kompella specification) or PWs signalled using BGP (Kompella specification) or

directed LDP (Martini specification)directed LDP (Martini specification)


Implementaiton of Virtual Distributed Implementaiton of Virtual Distributed Ethernet Switch (2)Ethernet Switch (2)

• Control planeControl plane• Autodiscovery – finding other routers participating in the Autodiscovery – finding other routers participating in the

same VPNsame VPN• BGP, other autodiscovery protocols (DNS, ...)BGP, other autodiscovery protocols (DNS, ...)

• Signalling Signalling • process of establishing pseudowires – BGP or LDPprocess of establishing pseudowires – BGP or LDP

• BGP (RFC 4761)BGP (RFC 4761)• LDP (RFC 4762)LDP (RFC 4762)

• MAC address learningMAC address learning• New LDP TLVsNew LDP TLVs• Be aware that MAC addresses are NOT treated independently in each Be aware that MAC addresses are NOT treated independently in each

VLAN VLAN • problem with L3 devices sharing same MAC address on different VLANsproblem with L3 devices sharing same MAC address on different VLANs


Pseudowire ImplementationPseudowire Implementation

• stack of two MPLS headersstack of two MPLS headers• Outer (transport) label identifies target PEOuter (transport) label identifies target PE• Inner label identifies pseudowire terminated on that PEInner label identifies pseudowire terminated on that PE

• PEs associate it with particular VPLS instance (Virtual PEs associate it with particular VPLS instance (Virtual Switching Instance)Switching Instance)

• A local switching table related to particular virtual distributed switchA local switching table related to particular virtual distributed switch• May be VLAN-awareMay be VLAN-aware

• Multiple VSIs may exist on the same PE device Multiple VSIs may exist on the same PE device • customer separationcustomer separation


VPLS Forwarding Loop AvoidanceVPLS Forwarding Loop Avoidance

• A frame received from PEx is never forwarded A frame received from PEx is never forwarded to PEz by PEyto PEz by PEy• only to PEy's attachment circuits (to CEs)only to PEy's attachment circuits (to CEs)• analogy of Split Horizon ruleanalogy of Split Horizon rule• requires full mesh of PWsrequires full mesh of PWs

• Spanning Tree may be still applied as an Spanning Tree may be still applied as an alternativealternative• not recommendednot recommended


Problems of VPLS ScalingProblems of VPLS Scaling• Full mesh of PWs between PEs is neededFull mesh of PWs between PEs is needed

• Both for data and control trafficBoth for data and control traffic• route reflector may help for signalling via IBGProute reflector may help for signalling via IBGP• static configuration of LDP directed sessions is always unscalablestatic configuration of LDP directed sessions is always unscalable

• Signalling and packet replication overhead (in PE)Signalling and packet replication overhead (in PE)• especially broadcasts and unknown unicast floodingespecially broadcasts and unknown unicast flooding

• A solution is to establish a hierarchy, i.e. divide a A solution is to establish a hierarchy, i.e. divide a VPLS VPN into 2 tiersVPLS VPN into 2 tiers• Multiple customers are aggregated in 2-nd level and Multiple customers are aggregated in 2-nd level and

connected to the same PE router => hierarchical VPLS (H-connected to the same PE router => hierarchical VPLS (H-VPLS)VPLS)


Hierarchical VPLSHierarchical VPLS


H-VPLS (1)H-VPLS (1)• 2-tier architecture 2-tier architecture

• analogical to a star topology of spoke switches connected to analogical to a star topology of spoke switches connected to a core switch (without local switching in spokes)a core switch (without local switching in spokes)

• High-performance core tierHigh-performance core tier• Limited number of PEsLimited number of PEs• Stable full mesh of virtual circuits between PEs Stable full mesh of virtual circuits between PEs • Packet replication and switching function occurs only in the Packet replication and switching function occurs only in the

corecore

• MPLS or (cheaper) QinQ Ethernet-based access tier in MPLS or (cheaper) QinQ Ethernet-based access tier in POPsPOPs• U-PE faces to the customerU-PE faces to the customer• N-PE faces to the coreN-PE faces to the core


H-VPLS (2)H-VPLS (2)

• 11stst layer of H-VPLS hierarchy can be also layer of H-VPLS hierarchy can be also implemented on MPLS cloudimplemented on MPLS cloud• pseudowires over MPLS coudpseudowires over MPLS coud• switching function only in N-PE routerswitching function only in N-PE router


H-VPLS AdvantagesH-VPLS Advantages

• Limited size of the PW full-mesh in the coreLimited size of the PW full-mesh in the core• Cheaper QinQ-based (possibly Metro Ethernet) Cheaper QinQ-based (possibly Metro Ethernet)

technology in POPs' access networkstechnology in POPs' access networks• Expansion of POP network does not require Expansion of POP network does not require

configuration change of core PEs (N-PEs)configuration change of core PEs (N-PEs)


802.1q and MPLS Tags (labels)802.1q and MPLS Tags (labels)in H-VPLSin H-VPLS

• Customer tagCustomer tag• Optional, for customers that needs to transport Optional, for customers that needs to transport

802.1q-tagged traffic802.1q-tagged traffic

• Service-provider tagService-provider tag• Appended by ingess QinQ access-layer Ethernet Appended by ingess QinQ access-layer Ethernet

switchswitch• Converted to (inner) MPLS tag on ingres core PE Converted to (inner) MPLS tag on ingres core PE

routerrouter• Identifies VFI on the target PE router(s)Identifies VFI on the target PE router(s)

• Transport tagTransport tag• Identifies egress core PE routerIdentifies egress core PE router


Cisco OTV: Alternative to VPLSCisco OTV: Alternative to VPLS• ““Overlay-Transport-Virtualization”Overlay-Transport-Virtualization”• Designed to solve following VPLS disadvantages:Designed to solve following VPLS disadvantages:

• VPLS is based on flooding of frames with unknown VPLS is based on flooding of frames with unknown destination MAC address and flooding-based address destination MAC address and flooding-based address learninglearning• flooding is not desirable when running over WANflooding is not desirable when running over WAN

• Problem with maintenance of PW meshProblem with maintenance of PW mesh• Problem with head-end broadcast replicationProblem with head-end broadcast replication• Requires MPLSRequires MPLS


OTV Principle (1)OTV Principle (1)• The solution is to decouple data plane and The solution is to decouple data plane and

control planecontrol plane• Provides L2 extension over standard IP coreProvides L2 extension over standard IP core• Proactive advertising of MAC address reachabilityProactive advertising of MAC address reachability

• no floodingno flooding

• endpoints are assumed to be neither silent nor unidirectionalendpoints are assumed to be neither silent nor unidirectional

• uses well-known multicast group for MAC address learninguses well-known multicast group for MAC address learning• Utilizes ISIS-style TLVsUtilizes ISIS-style TLVs

• Every PE registers to the groupEvery PE registers to the group

• Keepalives sent by each edge devices are used to be able to remove Keepalives sent by each edge devices are used to be able to remove addresses behind failed PE (ISIS IIH)addresses behind failed PE (ISIS IIH)

• If multicast is not supported on core network, adjacency server If multicast is not supported on core network, adjacency server can be established/configured to provide list of OTV memberscan be established/configured to provide list of OTV members


OTV Principle (2) OTV Principle (2)

• ““Dynamic” L2 frame tunellingDynamic” L2 frame tunelling• No pre-defined L2 tunnelsNo pre-defined L2 tunnels• In principle, L2 frames may be tunnelled over ANY In principle, L2 frames may be tunnelled over ANY

transporttransport• Most commonly IP (v4/v6)Most commonly IP (v4/v6)


LISPLISPLocator Identity Separation Locator Identity Separation

ProtocolProtocol


LISP MotivationLISP Motivation• Identity and Location are mixed together in today's IP Identity and Location are mixed together in today's IP

routing schemerouting scheme• Advent of server virtualization made servers (VMs) Advent of server virtualization made servers (VMs)

mobilemobile• VMs decoupled from physical infrastructureVMs decoupled from physical infrastructure• Mobility is advantageous for various operational reasonsMobility is advantageous for various operational reasons• VM has to still to keep its identity, even if moved between VM has to still to keep its identity, even if moved between

subnetssubnets• VLAN extension over the World is not too wise solutionVLAN extension over the World is not too wise solution

• Same principle may apply to Internet multihoming Same principle may apply to Internet multihoming with provider-independent addressingwith provider-independent addressing


LISP Principles (1)LISP Principles (1)• Location / IP address separationLocation / IP address separation

• Endpoint Identifier (EID)Endpoint Identifier (EID)

• Routing Locator (RLOC)Routing Locator (RLOC)

• Separate address spaces for IDs and LocatorsSeparate address spaces for IDs and Locators• arbitrary values (e.g. MAC + GPS) or IP addressesarbitrary values (e.g. MAC + GPS) or IP addresses

• additional level of indirectionadditional level of indirection

• Mapping of EID->RLOC neededMapping of EID->RLOC needed• Encapsulation used to route traffic to current position Encapsulation used to route traffic to current position

of EID (identified by one or more alternative of EID (identified by one or more alternative RLOCs)RLOCs)• Ingress Tunnel Router: (ITR) site → LISPIngress Tunnel Router: (ITR) site → LISP

• Egress Tunnel Router (ETR): LISP → siteEgress Tunnel Router (ETR): LISP → site


LISP Principles (2)LISP Principles (2)• Various proposed mapping mechanismsVarious proposed mapping mechanisms

• Mapping server(s)/resolver(s)Mapping server(s)/resolver(s)• BGP ALT topology or DNS-like structureBGP ALT topology or DNS-like structure

• Standardized Query/Reply messagesStandardized Query/Reply messages• Resolver proxies info from mapping mechanism for clients Resolver proxies info from mapping mechanism for clients

• Client can find suitable resolver e.g. using anycastingClient can find suitable resolver e.g. using anycasting• EIDs may be advertised as whole subnets or per hostEIDs may be advertised as whole subnets or per host• Multiple RLOCs may be advertised for single EIDMultiple RLOCs may be advertised for single EID

• Priority differentiates between alternative ETRsPriority differentiates between alternative ETRs• Weight defines load share between ETRs of same priorityWeight defines load share between ETRs of same priority


LISP Principles (3)LISP Principles (3)• Preconfigured EID (subnet) to RLOC mapping useful e.g. for subnet Preconfigured EID (subnet) to RLOC mapping useful e.g. for subnet

multihomingmultihoming

• New EID mapping may be published dynamically if ETR detects arrival of VM New EID mapping may be published dynamically if ETR detects arrival of VM to its subnetto its subnet

• Informs other ETRs (multicast group) and registers new RLOC(s) with Informs other ETRs (multicast group) and registers new RLOC(s) with mapping servermapping server


LISP VM moves between L3 LISP VM moves between L3 segmentssegments

• Outgoing traffic uses original VM's default GWOutgoing traffic uses original VM's default GW• VM does not know it has been migratedVM does not know it has been migrated

• Proxy ARP will solve cold migration scenerioProxy ARP will solve cold migration scenerio• ARP cache is emptyARP cache is empty

• Manual synchronization of HSRP MAC address Manual synchronization of HSRP MAC address between DC sites (different IP segments) can between DC sites (different IP segments) can solve hot migration casesolve hot migration case


Layer 2 Tunneling Protocol Layer 2 Tunneling Protocol (L2TP)(L2TP)


Layer 2 Tunneling Protocol Layer 2 Tunneling Protocol (L2TP)(L2TP)

• Encapsulates PPP frames into IPEncapsulates PPP frames into IP• Allows to decouple L2 termination point and PPP Allows to decouple L2 termination point and PPP

session termination pointsession termination point• i.e. extend the PPP session over IP backbonei.e. extend the PPP session over IP backbone• Allows remote client to communicate with access server as if Allows remote client to communicate with access server as if

it would be connected directlyit would be connected directly

• Useful for creation of VPDNsUseful for creation of VPDNs


• Connects remote client into private network Connects remote client into private network using shared infrastructureusing shared infrastructure

• L2TPv3 used most often to tunnel L2 traffic over L2TPv3 used most often to tunnel L2 traffic over IPIP• other L2 tunneling protocols may also apply (L2F, other L2 tunneling protocols may also apply (L2F,

PPTP, ...)PPTP, ...)

Virtual Private Dial-up Network Virtual Private Dial-up Network (VPDN)(VPDN)


Authentication and Session Authentication and Session Forwarding in VPDNsForwarding in VPDNs

• L2TP Tunnel termination point is derived from L2TP Tunnel termination point is derived from authentication responseauthentication response• implied by successfully authenticated user's domain implied by successfully authenticated user's domain

namename• passed to LAC as RADIUS attribute from passed to LAC as RADIUS attribute from

authenticating RADIUS serverauthenticating RADIUS server

• ISP's AAA hands the semi-finished ISP's AAA hands the semi-finished authentication process to particular customer's authentication process to particular customer's AAA serverAAA server


L2TP DevicesL2TP Devices

• LAC - L2TP Access ConcentratorLAC - L2TP Access Concentrator• Terminates L2 connection from clientTerminates L2 connection from client• Originates L2TP tunnel to LNSOriginates L2TP tunnel to LNS

• LNS – L2TP Network ServerLNS – L2TP Network Server• Terminates PPP sessionTerminates PPP session


L2TPv3L2TPv3

• RFC 3931RFC 3931• Extension of “regular” L2TP that supports Extension of “regular” L2TP that supports

encapsulation of any L2 protocol frames into IPencapsulation of any L2 protocol frames into IP• Control plane provides session signallingControl plane provides session signalling• Data Plane provides tuneling of L2 framesData Plane provides tuneling of L2 frames


L2TPv3 Control Plane (1)L2TPv3 Control Plane (1)• Authentication (between devices)Authentication (between devices)

• shared secret (CHAP)shared secret (CHAP)

• Negotiation of session parametersNegotiation of session parameters• Session IDs, Cookies, ...Session IDs, Cookies, ...

• Established by 3-way handshakeEstablished by 3-way handshake• Each end advertises its control connection IDEach end advertises its control connection ID• ReliableReliable

• inclusive acknowledgementsinclusive acknowledgements• keepaliveskeepalives• Hello and Circuit Status messagesHello and Circuit Status messages


L2TPv3 Control Plane (2)L2TPv3 Control Plane (2)

• Uses very simple header + AV pairsUses very simple header + AV pairs• Cookie: optional, cryptographically random number Cookie: optional, cryptographically random number

that extends the Session ID space to protect against that extends the Session ID space to protect against brute force attacksbrute force attacks


L2TPv3 Data PlaneL2TPv3 Data Plane• Session established by control channel Session established by control channel

• or by other control mechanism, including manual or by other control mechanism, including manual configurationconfiguration

• multiple sessions may be associated with single control multiple sessions may be associated with single control channelchannel

• Header contains Session IDHeader contains Session ID• + optional Cookie+ optional Cookie

• Data channel is NOT reliableData channel is NOT reliable• Seq # in header ensures only detection of out-of-order, Seq # in header ensures only detection of out-of-order,

duplicate or missing framesduplicate or missing frames


Metro EthernetMetro Ethernet(Carrier Ethernet)(Carrier Ethernet)


Metro Ethernet ForumMetro Ethernet Forum• Industry alliance Industry alliance

• manufacturers of ME provider devicesmanufacturers of ME provider devices

• DefinesDefines• L2 services delivered over native Ethernet-based L2 services delivered over native Ethernet-based

metro networks or other transport technologies (like metro networks or other transport technologies (like MPLS/IP)MPLS/IP)

• Technologies of carrier-class Ethernet-based transport Technologies of carrier-class Ethernet-based transport networksnetworks

• Architectures, Ethernet OAM extensionsArchitectures, Ethernet OAM extensions

• Develops technical specifications for Carrier Develops technical specifications for Carrier Ethernet implementations and interoperability Ethernet implementations and interoperability (MEF standards)(MEF standards)


Ethernet Operation, Administration, and Ethernet Operation, Administration, and ManagementManagement

• Necessary for provider-class Ethernet-based linksNecessary for provider-class Ethernet-based links• WAN links, Metro EthernetWAN links, Metro Ethernet

• Virtual Circuit Connectivity Verification, Label Virtual Circuit Connectivity Verification, Label Switched Path ping, performance verification,E-Switched Path ping, performance verification,E-LMI etc.LMI etc.

• See See http://www.cisco.com/en/US/prod/collateral/routers/ps368/prhttp://www.cisco.com/en/US/prod/collateral/routers/ps368/prod_white_paper0900aecd804a0266.htmlod_white_paper0900aecd804a0266.html for more details for more details


Metro Ethernet Network Metro Ethernet Network TerminologyTerminology

• User to Network Interface (UNI)User to Network Interface (UNI)• Demarcation point between CE device and MENDemarcation point between CE device and MEN• Uses standard 802.3 PHY and MACUses standard 802.3 PHY and MAC

• Ethernet Virtual Connection (EVC)Ethernet Virtual Connection (EVC)• Connects 2 or more subscriber UNIsConnects 2 or more subscriber UNIs• P2P or multipointP2P or multipoint

• BundlingBundling• 2 or more customer VLANs mapped into a single 2 or more customer VLANs mapped into a single

EVCEVC


Metro Ethernet Services Metro Ethernet Services ClassificationClassification

• P2P or multipoint serviceP2P or multipoint service• Multiplexed / non-multiplexed UNIMultiplexed / non-multiplexed UNI

2 x 2 service options give 4 services types in total2 x 2 service options give 4 services types in total


Metro Ethernet Service Types (1)Metro Ethernet Service Types (1)• E-Line - P2PE-Line - P2P

• Ethernet Private Line (EPL)Ethernet Private Line (EPL)• Dedicated UNIs (single EVC per UNI)Dedicated UNIs (single EVC per UNI)

• Ethernet Virtual Private Line (EVPL)Ethernet Virtual Private Line (EVPL)• Multiplexed UNIs allow customer to connect to multiple EVCs Multiplexed UNIs allow customer to connect to multiple EVCs

by a single physical lineby a single physical line• Replacement of FR and ATMReplacement of FR and ATM

• E-LAN - multipoint L2 VPNE-LAN - multipoint L2 VPN• Ethernet Private LAN ServiceEthernet Private LAN Service

• Dedicated UNIDedicated UNI

• Ethernet Virtual Private LAN ServiceEthernet Virtual Private LAN Service• Multiplexed UNIMultiplexed UNI


Metro Ethernet Service Types (2)Metro Ethernet Service Types (2)

• E-Tree – P2MP services (broadcasting)E-Tree – P2MP services (broadcasting)• Ethernet Private Tree ServiceEthernet Private Tree Service• Ethernet Virtual Private Tree ServiceEthernet Virtual Private Tree Service• Restrict communication between leavesRestrict communication between leaves


ME Service Framework ME Service Framework (Service Attributes)(Service Attributes)

• Characteristics of the service are defined by Characteristics of the service are defined by attributesattributes• Does not prescribe the way how the ME core Does not prescribe the way how the ME core

implements the desired behavior implements the desired behavior • Serves as contract specification between customer and Serves as contract specification between customer and

service providerservice provider

• UNI AttributesUNI Attributes• EVC AttributesEVC Attributes• L2 Control Processing AttributesL2 Control Processing Attributes


UNI Attributes (1)UNI Attributes (1)• UNI ID (arbitrary string)UNI ID (arbitrary string)• Speed (10/100/1000,...)Speed (10/100/1000,...)• Duplex modeDuplex mode• Service multiplexing Service multiplexing

• multipexed/dedicated UNImultipexed/dedicated UNI

• Ingress Bandwidth ProfileIngress Bandwidth Profile• Per-UNI, per-EVC, per-CoSPer-UNI, per-EVC, per-CoS• CIR, EIR, Bc, BeCIR, EIR, Bc, Be


UNI Attributes (2)UNI Attributes (2)

• CE-VLAN-ID to EVC mappingCE-VLAN-ID to EVC mapping• Customer's 802.1q tags may be either preserved, Customer's 802.1q tags may be either preserved,

rewritten or removedrewritten or removed• All VLANs may be bundled into one EVCAll VLANs may be bundled into one EVC


EVC AttributesEVC Attributes

• EVC ID (arbitrary string)EVC ID (arbitrary string)• EVC Type (E-Line/E-LAN)EVC Type (E-Line/E-LAN)• CE VLAN Preservation (Yes/No)CE VLAN Preservation (Yes/No)• CE CoS Preservation (Yes/No)CE CoS Preservation (Yes/No)• Unicast/Multicast/Broadcast frames deliveredUnicast/Multicast/Broadcast frames delivered• EVC Performance – QoS parametersEVC Performance – QoS parameters

• availability, delay, jitter, frame lossavailability, delay, jitter, frame loss


L2 Control Processing AttributesL2 Control Processing Attributes

• Define how L2 control protocols are tunneled Define how L2 control protocols are tunneled over MEN or interact with control protocols in over MEN or interact with control protocols in the MEN corethe MEN core• STP, 802.3x, LACP, 802.1x, GARP, proprietary STP, 802.3x, LACP, 802.1x, GARP, proprietary

protocols (PAgP, VTP, CDP, ...)protocols (PAgP, VTP, CDP, ...)

• Processing Options:Processing Options:• PassPass• DiscardDiscard• PeerPeer


Special Capabilities of Metro Special Capabilities of Metro Ethernet DevicesEthernet Devices

• Advanced manipulation with 802.1q headersAdvanced manipulation with 802.1q headers• push/pop/match+rewritepush/pop/match+rewrite• works with single tags or with sequences of tagsworks with single tags or with sequences of tags

• ME switches allow to divert a group of VLANs ME switches allow to divert a group of VLANs from a trunk to a specific port (Flexible QinQ)from a trunk to a specific port (Flexible QinQ)

• Ethernet OAMEthernet OAM

Documents

L2TP. VPDNs. Pseudowires, AToM. Virtual Private LAN ...wh.cs.vsb.cz/sps/images/6/6f/Metro-VPLS.pdf · •May provide a new QoS-aware L2 service on the existing MPLS core •Flexible