Download ppt - An Introduction to VPLS

© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1

An Introduction to VPLS

Jeff Apcar, Distinguished Services Engineer

APAC Technical Practices, Advanced Services


Agenda

VPLS Introduction

Pseudo Wire Refresher

VPLS Architecture

VPLS Configuration Example

VPLS Deployment

Summary


Do you want to date VPLS?

“VPLS is like having Paris Hilton as your girlfriend.

The concept is fantastic, but in reality the experience might not be what you expected.

But… we’re still willing to give it a go as long as we can understand/handle her behaviour”

Me, Just Then


VPLS Introduction


Virtual Private LAN Service (VPLS)

VPLS defines an architecture allows MPLS networks offer Layer 2 multipoint Ethernet Services

SP emulates an IEEE Ethernet bridge network (virtual)

Virtual Bridges linked with MPLS Pseudo WiresData Plane used is same as EoMPLS (point-to-point)

PE PECE CE

VPLS is an Architecture

CE


Virtual Private LAN Service

End-to-end architecture that allows MPLS networks to provide Multipoint Ethernet services

It is “Virtual” because multiple instances of this service share the same physical infrastructure

It is “Private” because each instance of the service is independent and isolated from one another

It is “LAN Service” because it emulates Layer 2 multipoint connectivity between subscribers


Why Provide A Layer 2 Service?

Customer have full operational control over their routing neighbours

Privacy of addressing space - they do not have to be shared with the carrier network

Customer has a choice of using any routing protocol including non IP based (IPX, AppleTalk)

Customers could use an Ethernet switch instead of a router as the CPE

A single connection could reach all other edge points emulating an Ethernet LAN (VPLS)


VPLS is defined in IETF

Application

General

Ops and Mgmt

Routing

Security

IETF

MPLS

Transport

Formerly PPVPNworkgroup

VPWS, VPLS, IPLS

BGP/MPLS VPNs (RFC 4364 was 2547bis)IP VPNs using Virtual Routers (RFC 2764)CE based VPNs using IPsec

Pseudo Wire Emulation edge-to-edge Forms the backbone transport for VPLS

IAB

ISOC

As of 2-Nov-2006

Internet

L2VPN

L3VPN

PWE3


Classification of VPNs

CPEBased

Layer 3

MPLSVPN

VirtualRouter

GREIPSec

Layer 3

P2P VPWSEthernet

Fra

me

Re

lay

PP

P/H

DL

CA

TM

/Ce

ll R

ela

yE

the

rne

t (P

2P

)

Fra

me

R

ela

yA

TM

Eth

ern

et (P

2M

P)

Eth

ern

et

(MP

2M

P)

NetworkBased

Layer 2

VPLSIPLS

VPN


ATMAAL5/Cell

PPPHDLC

Ethernet FR

L2VPN Models

IP

L2TPv3Point-to-Point

ATMAAL5/Cell

PPPHDLC

Ethernet FR

VPWSPoint-to-Point

Like-to-LikeAny-to-Any

Like-to-LikeAny-to-Any Like-to-LikeLike-to-Like

L2VPN

MPLS

VPLS/IPLSMultipoint

Ethernet


IP LAN-Like Service (IPLS)

An IPLS is very similar to a VPLS exceptThe CE devices must be hosts or routers not switches

The service will only carry IPv4 or IPv6 packets

IP Control packets are also supported – ARP, ICMP

Layer 2 packets that do not contain IP are not supported

IPLS is a functional subset of the VPLS serviceMAC address learning and aging not required

Simpler mechanism to match MAC to CE can be used

Bridging operations removed from the PE

Simplifies hardware capabilities and operation

Defined in draft-ietf-l2vpn-ipls


VPLS Components

N-PE

MPLS Core

CE router

CE router

CE switch

CE router

CE router

CE switch

CE switch

CE router

Attachment circuitsPort or VLAN mode

Mesh of LSP between N-PEsN-PE

N-PE

Pseudo Wires within LSPVirtual Switch Interface (VSI) terminates PW and provides

Ethernet bridge function

Targeted LDP between PEs to exchange VC labels for Pseudo

Wires Attachment CEcan be a switch or

router


Virtual Switch Interface

Flooding / Forwarding MAC table instances per customer (port/vlan) for each PE

VFI will participate in learning and forwarding process

Associate ports to MAC, flood unknowns to all other ports

Address Learning / AgingLDP enhanced with additional MAC List TLV (label withdrawal)

MAC timers refreshed with incoming frames

Loop PreventionCreate full-mesh of Pseudo Wire VCs (EoMPLS)

Unidirectional LSP carries VCs between pair of N-PE Per

A VPLS use “split horizon” concepts to prevent loops


Pseudo Wire Refresher


Pseudo Wires in VPLS

IETF working group PWE3 ‘Pseudo Wire Emulation Edge to Edge’;

Requirements detailed in RFC3916

Architecture details in RFC3985

Develop standards for the encapsulation & service emulation of “Pseudo Wires”

Across a packet switched backbone

A VPLS is based on a full mesh of Pseudo Wires


Pseudo Wire Reference Model (RFC 3916)

A Pseudo Wire (PW) is a connection between two provider edge devices connecting two attachment circuits (ACs)

In an MPLS core a Pseudo Wire uses two MPLS labelsTunnel Label (LSP) identifying remote PE routerVC Label identifying Pseudo Wire circuit within tunnel

Emulated Service

IP/MPLS

PE1

Attachment Circuit

Pseudo Wire PDUs

Customer Site

Customer Site

Customer Site

Customer Site

PSN Tunnel (LSP in MPLS)

Packet Switched Network (PSN)

IP or MPLS

Pseudo Wire

PE2CE

PW1

PW2

CE

CE

CE


Pseudo Wire Standards (Care for a Martini?)

RFC 4446 – Numeric values for PW types

RFC 4447 – Distribution mechanism for VC labelsPreviously called draft-martini-l2circuit-trans-mpls

RFC 4448 – Encapsulation for Ethernet using MPLSPreviously called draft-martini-l2circuit-encap-mpls

Other drafts are addressing different encapsulationsdraft-ietf-pwe3-frame-relay/draft-ietf-pwe3-atm-encap

draft-ietf-pwe3-ppp-hdlc-encap-mpls

Originally part of draft-martini-l2circuit-encap-mpls


MPLS PW Types (RFC 4446)

0x0001 Frame Relay DLCI ( Martini Mode )

0x0002 ATM AAL5 SDU VCC transport

0x0003 ATM transparent cell transport

0x0004 Ethernet Tagged Mode (VLAN)

0x0005 Ethernet (Port)

0x0006 HDLC

0x0007 PPP

0x0008 SONET/SDH Circuit Emulation

0x0009 ATM n-to-one VCC cell transport

0x000A ATM n-to-one VPC cell transport

0x000B IP Layer2 Transport

0x000C ATM one-to-one VCC Cell Mode

0x000D ATM one-to-one VPC Cell Mode

0x000E ATM AAL5 PDU VCC transport

0x000F Frame-Relay Port mode

0x0010 SONET/SDH Circ. Emu. over Packet

0x0011 Structure-agnostic E1 over Packet

0x0012 Structure-agnostic T1 over Packet

0x0013 Structure-agnostic E3 over Packet

0x0014 Structure-agnostic T3 over Packet

0x0015 CESoPSN basic mode

0x0016 TDMoIP AAL1 Mode

0x0017 CESoPSN TDM with CAS

0x0018 TDMoIP AAL2 Mode

0x0019 Frame Relay DLCI


VC Information Distribution (RFC 4447)

VC labels are exchanged across a targeted LDP session between PE routers

Generic Label TLV within LDP Label Mapping Message

LDP FEC element defined to carry VC informationSuch PW Type (RFC 4446) and VCID

VC information exchanged using Downstream Unsolicited label distribution procedures

Separate “MAC List” TLV for VPLS Defined in draft-ietf-l2vpn-vpls-ldp

Use to withdraw labels associated with MAC addresses


VC Label identifies interface

Tunnel Label(s) gets to PE router

Unidirectional Tunnel LSP between PE routers to transport PW PDU from PE to PE using tunnel label(s)

Both LSPs combined to form single bi-directional Pseudo Wire

Directed LDP session between PE routers to exchange VC information, such as VC label and control information

VC Distribution Mechanism using LDP

IP/MPLS

PE1LSP created

using IGP+LDP or RSVP-TE

Customer Site

Customer Site

Customer Site

Customer Site

Label Switch Path

Directed LDP Session between PE1 and PE2

PE2CE

CE

CE

CE


PW Encapsulation over MPLS (RFC 4448)

Ethernet Pseudo Wires use 3 layers of encapsulationTunnel Encapsulation (zero, one or more MPLS Labels)

To get PDU from ingress to egress PE; Could be an MPLS label (LDP, TE), GRE tunnel, L2TP tunnel

Pseudo Wire Demultiplexer (PW Label)To identify individual circuits within a tunnel; Obtained from Directed LDP session

Control Word (Optional) The following is supported when carrying Ethernet

Provides the ability to sequence individual framesAvoidance of equal-cost multiple-path load-balancingOperations and Management (OAM) mechanisms

Control word format varies depending on transported PDU

TunnelLabel

PWLabel

ControlWord

Layer 2PDU


Ethernet PW Tunnel Encapsulation

Tunnel Encapsulation One or more MPLS labels associated with the tunnel

Defines the LSP from ingress to egress PE router

Can be derived from LDP+IGP, RSVP-TE, BGP IPv4+Label

0 1 2 3

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

EXP TTL (set to 2)VC Label (VC) 1

Tunnel Label (LDP,RSVP,BGP)

Layer-2 PDU

0 0 0 0 Reserved Sequence Number

EXP TTL0

PW Demux

Tunnel Encaps

Control Word


Ethernet PW Demultiplexer

VC Label

Inner label used by receiving PE to determine the following

Egress interface for L2PDU forwarding (Port based)

Egress VLAN used on the CE facing interface (VLAN Based)

EXP can be set to the values received in the L2 frame

0 1 2 3

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1



Layer-2 PDU

0 0 0 0 Reserved Sequence Number

EXP TTL0

PW Demux

Tunnel Encaps

Control Word


Ethernet PW Control Word

Control Word is Optional (as per RFC)0 0 0 0 First nibble is 0x0 to prevent aliasing with IP

Packets over MPLS (MAC addresses that start with 0x4 or 0x6)

Reserved Should be all zeros, ignored on receive

Seq number provides sequencing capability to detect out of order packets - currently not in Cisco’s

implementation – processing is optional



Layer-2 PDU

0 1 2 3

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

PW Demux

Tunnel Encaps

Control Word 0 0 0 0 Reserved Sequence Number

EXP TTL0


P2P1

PW Operation and Encapsulation

IP/MPLS

Customer Site

Customer Site

Directed LDP Session between PE1 and PE2

PE2CE CE

LSP“PW1”

Lo0:

Label 24for Lo0:

Label Popfor Lo0:

Label 38for Lo0:

Label 72for PW1

PE1

LDPSession

LDPSession

LDPSession

24 72 L2 PDU

This process happens in both directions(Example shows process for PE2 PE1 traffic)

38 72 L2 PDU72 L2 PDU


VPLS Architecture


VPLS Standards

Architecture allows IEEE 802.1 bridge behaviour in SP plus:

Autodiscovery of other N-PE in same VPLS instance

Signaling of PWs to interconnect VPLS instances

Loop avoidance & MAC Address withdrawal

Two drafts have been approved by IETF L2VPN Working Group

draft-ietf-l2vpn-vpls-ldp

Uses LDP for signalling, agnostic on PE discovery method

Predominant support from carriers and vendors

Cisco supports this draft

draft-ietf-l2vpn-vpls-bgp

Uses BGP for signalling and autodiscovery


NMS/OSS

Cisco VPLS Building Blocks

TunnelProtocol MPLS IP

L2VPN Discovery

CentralisedDNS Radius Directory Services

DistributedBGP

Signaling Label DistributionProtocol

Point-to-PointLayer 2 VPNLayer 2 VPN Multipoint

Layer 2 VPN Layer 3 VPN

ForwardingMechanism

Interface-Based/Sub-Interface

Ethernet Switching (VFI) IP Routing

Hardware Cisco 7600 Catalyst 6500 Cisco 12000


VPLS Auto-discovery & Signaling

Draft-ietf-l2vpn-vpls-ldp

Does not mandate an auto-discovery protocol

Can be BGP, Radius, DNS, or Directory based

Uses Directed LDP for label exchange (VC) and PW signaling

PWs signal control information as well (for example, circuit state)

Cisco IOS supports Directed LDP for all VC signaling

Point-to-point – Cisco IOS Any Transport over MPLS (AToM)

Multipoint – Cisco IOS MPLS Virtual Private LAN Services

VPN Discovery

CentralisedDNS Radius Directory Services

DistributedBGP

Signaling Label DistributionProtocol


VPLS Flooding & Forwarding

Flooding (Broadcast, Multicast, Unknown Unicast)

Dynamic learning of MAC addresses on PHY and VCs

Forwarding

Physical Port

Virtual Circuit

Data SA DA?

Unknown DA? Pseudo Wire in LSP


MAC Address Learning and Forwarding

Broadcast, Multicast, and Unknown Unicast are learned via the received label associations

Two LSPs associated with a VC (Tx & Rx)

If inbound or outbound LSP is downThen the entire Pseudo Wire is considered down

PE1 PE2

Send me frames using Label 170

Send me frames using Label 102

CECE

E0/0 E0/1

MAC 2 E0/1

MAC Address Adj

MAC 1 102

MAC 2 170

MAC Address Adj

MAC 1 E0/0

Use VCLabel 102

MAC1

Use VCLabel 170

MAC2

PE2170MAC2MAC1Data

PE2 102 MAC1 MAC2 Data

Directed LDP


MPLSMPLS

MAC Address Withdrawal Message

Message speeds up convergence process

Otherwise PE relies on MAC Address Aging Timer

Upon failure PE removes locally learned MAC addresses

Send LDP Address Withdraw (RFC3036) to remote PEs in VPLS (using the Directed LDP session)

New MAC List TLV is used to withdraw addresses

X

MAC

Withdrawal

MA

CW

ith

dra

wal

Directed LDP


MPLSMPLS

VPLS Topology – PE View

Each PE has a P2MP view of all other PEs it sees it self as a root bridge with split horizon loop protection

Full mesh topology obviates STP in the SP network

Customer STP is transparent to the SP / Customer BPDUs are forwarded transparently

PEs

CEs

PE view

Full Mesh LDP

Ethernet PW to each peer


MPLSMPLSPEs

CEs

PE view

Full Mesh LDP

Ethernet PW to each peer

VPLS Topology – CE View

CE routers/switches see a logical Bridge/LAN

VPLS emulates a LAN – but not exactly…This raises a few issues which are discussed later

MPLS VPLS CoreMPLS VPLS CoreMPLSMPLS

CEs


VPLS Architectures

VPLS defines two Architectures Direct Attachment (Flat)

Described in section 4 of Draft-ietf-l2vpn-vpls-ldp

Hierarchical or H-VPLS comprising of two access methods

Ethernet Edge (EE-H-VPLS) – QinQ tunnels

MPLS Edge (ME-H-VPLS) - PWE3 Pseudo Wires (EoMPLS)

Described in section 10 of Draft-ietf-l2vpn-vpls-ldp

Each architecture has different scaling characteristics


VPLS Functional Components

CE U-PE N-PE MPLS Core N-PE U-PE CE

Customer MxUs

SP PoPs Customer MxUs

N-PE provides VPLS termination/L3 services

U-PE provides customer UNI

CE is the custome device


Directed attachment (Flat) Characteristics

Suitable for simple/small implementations

Full mesh of directed LDP sessions required N*(N-1)/2 Pseudo Wires required

Scalability issue a number of PE routers grows

No hierarchical scalability

VLAN and Port level support (no QinQ)

Potential signaling and packet replication overheadLarge amount of multicast replication over same physical

CPU overhead for replication


Direct Attachment VPLS (Flat Architecture)

CE N-PE MPLS Core N-PE CE

Ethernet (VLAN/Port

Ethernet(VLAN Port)Full Mesh PWs + LDP

MAC2MAC1Data

PEVCMAC2MAC1Data

MAC2MAC1Data802.1q

Customer

Pseudo WireSP Core


Hierarchical VPLS (H-VPLS)

Best for larger scale deployment

Reduction in packet replication and signaling overhead

Consists of two levels in a Hub and Spoke topologyHub consists of full mesh VPLS Pseudo Wires in MPLS core

Spokes consist of L2/L3 tunnels connecting to VPLS (Hub) PEs

Q-in-Q (L2), MPLS (L3), L2TPv3 (L3)

Some additional H-VPLS termsMTU-s Multi-Tenant Unit Switch capable of bridging (U-PE)

PE-r Non bridging PE router

PE-rs Bridging and Routing capable PE


Why H-VPLS?

Potential signaling overhead

Full PW mesh from the Edge

Packet replication done at the Edge

Node Discovery and Provisioning extends end to end

Minimizes signaling overhead

Full PW mesh among Core devices

Packet replication done the Core

Partitions Node Discovery process

VPLS H-VPLS

CE

CE

CE CE

CE

CE PE

PE

PE

PE

PE

PE

PE

PE CE

CE

MTU-s

CE

CE

PE-rs

PE-rs

PE-rs

PE-rs

PE-rs

PE-rs

PE-r

CE

CE


Ethernet Edge H-VPLS (EE-H-VPLS)

CEN-PEPE-rs MPLS Core

N-PEPE-rs CE

QinQTunnel Full Mesh PWs + LDP

U-PEMTU-s

U-PEMTU-s

802.1qAccess

802.1qAccess

QinQTunnel

MAC2MAC1Data VlanCE

PEVCMAC2MAC1Data VlanCE

MAC2MAC1Data VlanCE

VlanSP

802.1q Customer

QinQSP Edge

Pseudo WireSP Core

1 23

1

2

3


Bridge Capability in EE-H-VPLS

Local edge traffic does not have to traverse N-PEMTU-s can switch traffic locally

Saves bandwidth capacity on circuits to N-PE

CEN-PEPE-rs

U-PEMTU-s


MPLS VPLS

N-PE

N-PE

N-PE

P P

PP

GE Ring

Metro A U-PEPE-AGG

Metro C

U-PE

DWDM/CDWM

U-PE

User Facing Provider Edge (U-PE)

Network Facing Provider Edge (N-PE)

Ethernet Edge Topologies

U-PE

RPR

Metro D

Large ScaleAggregation

PE-AGG

Intelligent EdgeN-PE

Multiservice Core

P

Efficient Access

U-PE

Intelligent EdgeN-PE

Efficient Access

U-PE

SiSi

SiSi

Metro B

10/100/

1000 Mbps

10/100/

1000 Mbps

10/100/1000 Mbps

10/100/1000 Mbps

Hub and Spoke

FullService

CPE

FullService

CPE


MPLS CoreMPLS Core

MPLS Edge H-VPLS

CEN-PEPE-rs MPLS Core

N-PEPE-rs CE

MPLSPseudo Wire Full Mesh PWs + LDP

U-PEPE-rs

U-PEPE-rs

802.1qAccess

802.1qAccess

MPLSPseudo

Wire

MAC2MAC1Data VlanCE


802.1q Customer

MPLS PWSP Edge

Pseudo WireSP Core


Same VCID used in Edge and core (Labels

may differ)

MPLS Acces

s

MPLS Acces

s

1 23

1

2

3


VFI and Split Horizon (VPLS, EE-H-VPLS)

VFI

Pseudo Wire #2

VirtualForwarding

Interface Pseudo Wires

Local Switching

Virtual Forwarding Interface is the VSI representation in IOSSingle interface terminates all PWs for that VPLS instanceThis model applicable in direct attach and H-VPLS with Ethernet Edge

Split Horizon Active

11111

3 3 3 3 3

3 3 3 3 3

3 3 3 3 3Broadcast/Multicast

Bridging Function(.1Q or QinQ)

22222

111 22

Pseudo Wire #1

N-PE1

1 11 1

2 22 2

33 33

3 33 3N-PE2

N-PE3

CE

CE

This traffic will not be replicated out PW #2 and visa versa


N-PE1

Pseudo Wire #3

VFI and NO Split Horizon (ME-H-VPLS)

VFI

Pseudo Wire #2

VirtualForwarding

Interface Pseudo Wires

NO Split Horizon

This model applicable H-VPLS with MPLS Edge

PW #1, PW #2 will forward traffic to PW #3 (non split horizon port)

Split Horizon Active

11111

3 3 3 3 3

3 3 3 3 3

Unicast

Pseudo WireMPLS Based

22222

111 22Pseudo Wire #1

U-PE

N-PE3

Split Horizon disabled

N-PE2

CE

CE


VPLS Logical Topology Comparison

Direct Attach H-VPLS – QinQ tunnel H-VPLS - MPLS PW

Pros Simple access via Ethernet

Simple access via Ethernet

Hierarchical support via QinQ at access

Scalable customer VLANs (4K x 4K)

4K customers supported per Ethernet Access Domain

Fast L3 IGP convergence

MPLS TE FRR <50msec

Hierarchical support via MPLS PW at access

Cons No hierarchical scalability

Customer VLAN cannot over lap

4K customer VLAN limit in Ethernet access domain

High STP reconvergence time

High STP re-convergence time

MAC is not scalable as customer MAC still seen on SP network

Supported on SIP-600 only as of 12.2(33)SRA

More complicated provisioning

Requires MPLS to u-PE

OSM/SIP-400/600 as U-PE facing card on N-PE (for 7600)


Configuration Examples



Direct AttachmentUsing a Router as a CE (VLAN Based)

Using a Switch as a CE (Port Based)

H-VPLSEthernet QinQ

EoMPLS Pseudo Wire (VLAN Based)

EoMPLS Pseudo Wire (Port Based)

Sample Output


MPLS CoreMPLS Core

Direct Attachment Configuration (C7600)

CEs are all part of same VPLS instance (VCID = 56)CE router connects using VLAN 100 over sub-interface

PE1 PE2CE1 CE2

CE2

PE3

1.1.1.1 2.2.2.2

3.3.3.3

gi3/0 gi4/4

gi4/2

pos4/1 pos4/3

pos3/0 pos3/1VLAN100

VLAN100

VLAN100


interface GigabitEthernet 1/3.100 encapsulation dot1q 100 ip address 192.168.20.2


Direct Attachment CE router Configuration

CE routers sub-interface on same VLANCan also be just port based (NO VLAN)

CE1 CE2

CE2

VLAN100

VLAN100

VLAN100

Subnet 192.168.20.0/24



l2 vfi VPLS-A manual vpn id 56 neighbor 2.2.2.2 encapsulation mpls neighbor 1.1.1.1 encapsulation mpls



MPLS CoreMPLS Core

Direct Attachment VSI Configuration

Create the Pseudo Wires between N-PE routers

PE1 PE2CE1 CE2

CE2

PE3

1.1.1.1 2.2.2.2

3.3.3.3

gi3/0 gi4/4

gi4/2

pos4/1 pos4/3


VLAN100

VLAN100


MPLS CoreMPLS Core

Direct Attachment CE Router (VLAN Based)

Same set of commands on each PE

Configured on the CE facing interface

PE1 PE2CE1 CE2

CE2

PE3

1.1.1.1 2.2.2.2

3.3.3.3

gi3/0 gi4/4

gi4/2

pos4/1 pos4/3


VLAN100

VLAN100Interface GigabitEthernet3/0 switchport switchport mode trunk switchport trunk encapsulation dot1q switchport trunk allowed vlan 100!Interface vlan 100 no ip address xconnect vfi VPLS-A!vlan 100 state active

This command associates the VLAN with the VPLS instance

VLAN100 = VCID 56





H-VPLSEthernet QinQ



Sample Output


MPLS CoreMPLS Core

Direct Attachment CE switch (Port Based)

PE1 PE2CE1 CE2

CE2

PE3

1.1.1.1 2.2.2.2

3.3.3.3

gi3/0 gi4/4

gi4/2

pos4/1 pos4/3

pos3/0 pos3/1All VLANs

All VLANs

All VLANsInterface GigabitEthernet3/0 switchport switchport mode dot1qtunnel switchport access vlan 100 l2protocol-tunnel stp! Interface vlan 100 no ip address xconnect vfi VPLS-A!vlan 100 state active

This command associates the VLAN with the VPLS instance

VLAN100 = VCID 56

If CE was a switch instead of a router then we can use QinQ

QinQ places all traffic (tagged/untagged) from switch into a VPLS





H-VPLSEthernet QinQ



Sample Output


MPLS CoreMPLS Core

H-VPLS Configuration (C7600/3750ME)

U-PEs provide services to customer edge deviceCE traffic then carried in QinQ or EoMPLS PW to N-PE

PW VSI mesh configuration is same as previous examples

N-PE1 N-PE2

N-PE3

1.1.1.1 2.2.2.2

3.3.3.3

gi3/0

gi4/2

pos4/1 pos4/3

pos3/0 pos3/1

U-PE3Cisco 3750ME

CE1 CE2

CE1

CE2

CE1

CE2

U-PE1Cisco

3750ME

gi4/4 gi1/1/1 fa1/0/1

U-PE2Cisco

3750ME4.4.4.4





H-VPLSEthernet QinQ



Sample Output


MPLS CoreMPLS Core

H-VPLS QinQ Tunnel (Ethernet Edge)

N-PE1 N-PE2

N-PE3

1.1.1.1 2.2.2.2

3.3.3.3

gi3/0 gi4/4 gi1/1/1

gi4/2

pos4/1 pos4/3

pos3/0 pos3/1

U-PE3Cisco 3750ME

CE1 CE2

CE1

CE2

U-PE1Cisco

3750ME

Interface GigabitEthernet4/4 switchport switchport mode trunk switchport trunk encapsulation dot1q switchport trunk allowed vlan 100!Interface vlan 100 no ip address xconnect vfi VPLS-A!vlan 100 state active

U-PE carries all traffic from CE using QinQOuter tag is VLAN100, inner tags are customer’s

interface FastEthernet1/0/1 switchport switchport access vlan 100 switchport mode dot1q-tunnel switchport trunk allow vlan 1-1005!interface GigabitEthernet 1/1/1 switchport switchport mode trunk switchport allow vlan 1-1005

CE1

CE2

fa1/0/1

4.4.4.4

U-PE2Cisco

3750ME





H-VPLSEthernet QinQ



Sample Output


MPLS CoreMPLS Core

H-VPLS EoMPLS PW Edge (VLAN Based)

CE interface on U-PE can be access or trunk portxconnect per VLAN is required

N-PE1 N-PE2

U-PE2Cisco

3750ME

N-PE3

1.1.1.1 2.2.2.2

3.3.3.3

gi3/0

gi4/2

pos4/1 pos4/3

pos3/0 pos3/1

U-PE3Cisco 3750ME

CE1 CE2

CE1

CE2

U-PE1Cisco

3750ME

interface FastEthernet1/0/1 switchport switchport access vlan 500!interface vlan500 xconnect 2.2.2.2 56 encapsulation mpls!interface GigabitEthernet1/1/1 no switchport ip address 156.50.20.2 255.255.255.252 mpls ip

gi4/4 gi1/1/1

CE1

CE2

fa1/0/1Interface GigabitEthernet4/4 no switchport ip address 156.50.20.1 255.255.255.252 mpls ip!l2 vfi VPLS-A manual vpn id 56 neighbor 1.1.1.1 encapsulation mpls neighbor 3.3.3.3 encapsulation mpls neighbor 4.4.4.4 encaps mpls no-split

4.4.4.4

Ensures CE traffic passed on PW to/from U-PE





H-VPLSEthernet QinQ



Sample Output


MPLS CoreMPLS Core

H-VPLS EoMPLS PW Edge (Port Based)

CE interface on U-PE can be access or trunk portxconnect for entire PORT is required

N-PE1 N-PE2

U-PE2Cisco

3750ME

N-PE3

1.1.1.1 2.2.2.2

3.3.3.3

gi3/0

gi4/2

pos4/1 pos4/3

pos3/0 pos3/1

U-PE3Cisco 3750ME

CE1 CE2

CE1

CE2

U-PE1Cisco

3750ME

interface FastEthernet1/0/1 no switchport xconnect 2.2.2.2 56 encapsulation mpls!interface GigabitEthernet1/1/1 no switchport ip address 156.50.20.2 255.255.255.252 mpls ip

gi4/4 gi1/1/1

CE1

CE2

fa1/0/1Interface GigabitEthernet4/4 no switchport ip address 156.50.20.1 255.255.255.252 mpls ip!l2 vfi PE1-VPLS-A manual vpn id 56 neighbor 1.1.1.1 encapsulation mpls neighbor 3.3.3.3 encapsulation mpls neighbor 4.4.4.4 encaps mpls no-split

4.4.4.4

Ensures CE traffic passed on PW to/from U-PE





H-VPLSEthernet QinQ



Sample Output


MPLS CoreMPLS Core

show mpls l2 vc

N-PE1 N-PE2

U-PE2Cisco

3750ME

N-PE3

1.1.1.1 2.2.2.2

3.3.3.3

gi3/0

gi4/2

pos4/1 pos4/3

pos3/0 pos3/1

U-PE3Cisco 3750ME

CE1 CE2

CE1

CE2

U-PE1Cisco

3750ME

gi4/4 gi1/1/1

CE1

CE2

fa1/0/1

NPE-A#show mpls l2 vc

Local intf Local circuit Dest address VC ID Status

------------- ------------- ------------- ------ ------

VFI VPLS-A VFI 1.1.1.1 10 UP

VFI VPLS-A VFI 3.3.3.3 10 UP

4.4.4.4


MPLS CoreMPLS Core

show mpls l2 vc detail

N-PE1 N-PE2

U-PE2Cisco

3750ME

N-PE3

1.1.1.1 2.2.2.2

3.3.3.3

gi3/0

gi4/2

pos4/1 pos4/3

pos3/0 pos3/1

U-PE3Cisco 3750ME

CE1 CE2

CE1

CE2

U-PE1Cisco

3750ME

gi4/4 gi1/1/1

CE1

CE2

fa1/0/1

NPE-2#show mpls l2 vc detail

Local interface: VFI VPLS-A up

Destination address: 1.1.1.1, VC ID: 10, VC status: up

Tunnel label: imp-null, next hop 156.50.20.1

Output interface: POS4/3, imposed label stack {19}

Create time: 1d01h, last status change time: 00:40:16

Signaling protocol: LDP, peer 1.1.1.1:0 up

MPLS VC labels: local 23, remote 19

4.4.4.4Use VCLabel 19

Use VCLabel 23


Deployment Issues


Deployment Issues

MTU Size

Broadcast Handling

Router or a Switch CPE?

Ramblings of an Engineer

A Sample Problem


Pseudo Wire Data Plane Overhead

At imposition, N-PE encapsulates CE Ethernet or VLAN packet to route across MPLS cloud

These are the associated overheadsTransport Header is 6 bytes DA + 6 bytes SA + 2 bytes Etype + OPTIONAL 4 Bytes of VLAN Tag (carried in Port based service)

At least 2 levels of MPLS header (Tunnel + VC) of 4 bytes each

There is an optional 4-Byte control word

Inner Label (32-bits)

Outer Label (32-bits)

Tunnel HeaderTunnel Header VC HeaderVC HeaderL2 HeaderL2 Header Original Ethernet FrameOriginal Ethernet Frame


Calculating Core MTU Requirements

Core MTU ≥ Edge MTU + Transport Header + AToM Header + (MPLS Label Stack * MPLS Header Size)

Edge MTU is the MTU configured in the CE-facing PE interface

Examples (all in Bytes):

1530[1526]

1530[1526]

1526[1522]

Total

431500EoMPLS Port w/ TE FRR

421500EoMPLS VLAN Mode

421500EoMPLS Port Mode

MPLSHeader

MPLSStack

Edge

14

18

14

Transport

4 [0]

4 [0]

4 [0]

AToM


Beware the MTU – It Can Get Real Big

DA SA Type TE VcTu DA SA TPID TCI Type DataSFDPre

Enterprise MPLS Frame

FCS

Pream

ble

Start o

f Fram

e D

elimter

Carrier D

estM

AC

Carrier S

ou

rce M

AC

Eth

er type =

8847

Traffic

En

gin

eer label

Eo

MP

LS

Tu

nn

el L

ab

el

Eo

MP

LS

VC

Lab

el

Cu

st Destin

atio

n M

AC

Cu

st So

urce

MA

C

VL

AN

Pro

toco

l ID =

8100

VL

AN

ID In

fo7 1 6 6 2 4 4 4 6 6 2 2 2

Cu

st Typ

e

Cu

st Pa

cket

Fram

e Ch

eck Seq

ue

nce

> 1500 4

Cntrl

Co

ntro

l Wo

rd

4

Carrier Pseudowire Encapsulation

Data portion may be > 1500 if

carrying MPLS labels

MTU SizingPacket size can get very large in backhaul due to multiple tags and labels

Ensure core and access Ethernet interfaces are configured with appropriate MTU size


Broadcast/Multicast/Unknown Unicast Handling

VPLS relies on ingress replication Ingress PE replicates the multicast packet to each egress Pseudo Wire (PE neighbour)

Ethernet switches replicate broadcast/multicast flows once per output interface

VPLS may duplicate packets over the same physical egress interface – for each PW that interface carriers

Unnecessary replication brings the risk of resource exhaustion when the number of PWs increases

Some discussion on maybe using multicast for PWsRather than full mesh of P2P Pseudo Wires


Switch or Router as CE device

Ethernet Switch as CE deviceIf directly attached SP allocates VLAN could be an issue in customer network

SP UNI exposed to L2 network of customer

L2 PDUs must be tunnelled such as STP BPDUs

No visibility of network behind CE switch

Many MAC address can exists on UNI

High exposure to broadcast storms

Router as CE deviceSingle MAC Address exists (for interface of router)

No SPT interactions

Router controls broadcast issues (multicast still happens)


VPLS Caveats (Ramblings of an Engineer)

VPLS may introduce non-deterministic behaviour in SP CoreCase in point – learning of VPN routes

An MPLS-VPN provides ordered manner to learn VPNv4 routers using MP-BGP – unknown addresses are dropped

In VPLS, learning is achieved through flooding MAC address

Excessive number of Unknown, Broadcast and Multicast frames could behave as a series of “packet bombs”

Solution: Ingress Threshold Filters (on U-PE or N-PE)How to selectively choose which Ethernet Frames to discard?

How to avoid dropping Routing and Keepalives (control)

May cause more problems in customer network…

How many MAC addresses allowed?

Does SP really want to take this responsibility?


VPLS Caveats (Ramblings of an Engineer)

DoS attack has a higher probability of manifestingWhether intentional or by mis-configuration

Since traffic is carried at layer 2, a lot of chatter could be traversing the MPLS core unnecessarily.

For example, status requests for printers

How is CoS applied across for a VPLS service? Should all frames on a VPLS interface be afforded the same class of service?

Should there be some sort of differentiation?


A Common VPLS Problem

Protocols expect LAN behaviour

VPLS is viewed as an Ethernet networkAlthough it does not necessarily behave like one

VPLS is “virtual” in its LAN service

There are some behaviours which differ from a real LAN

An example The OSPF designated router problem…


OSPF Designated Router Problem

VPLS ViewRouter A is the DR, Router B is the BDR

Router C sees both A and B via Pseudo Wires

OSPF DR(A)

OSPF Backup DR

(B)

OSPF Neighbour(C)

Pseudo WiresOSPF DR

(A)

OSPF Backup DR

(B) OSPF Neighbour(C)

Router ViewRouter A, B and C behave like they are on a LAN


OSPF Designated Router Problem

Assume PW between A and B loses connectivityRouter A and Router B cannot see each other

Router C can still see both the Router A and Router B

Pseudo WiresOSPF DR

(A)

OSPF Backup DR

(B) OSPF Neighbour(C)

Ethernet frames travel along discrete paths a VPLSTherefore Router C can see both Router A and B

But Router A and Router B cannot see each other!

Router B assumes A has failed and becomes the DRRouter C now see two DRs on same LAN segment – Problem!

No arbitration available between Router A and Router B


Summary


Summary

VPLS has its advantages and benefitsNon-IP protocols supported, customers do not have routing interaction etc..

Use routers as the CE deviceUnderstand their multicast requirements

Then again, maybe MPLS-VPN could do the job?

Avoid switches as CPEOtherwise understand customer’s network requirements

Devices, applications (broadcast/multicast vs unicast)


Q & A
