cisco presentation guide - vsb.cz

© 2009 Petr Grygarek, Advanced Computer Networks Technologies 1

L2 VPNs.L2 VPNs.Pseudowires, AToM.Pseudowires, AToM.

Virtual Private LAN Services (VPLS).Virtual Private LAN Services (VPLS).

Petr GrygPetr Grygáárekrek

2© 2009 Petr Grygarek, Advanced Computer Networks Technologies

Layer 2 VPNsLayer 2 VPNs


Usages of L2 VPNsUsages of L2 VPNs•Server farms/clusters and other L2-dependent Server farms/clusters and other L2-dependent applicationsapplications

•redundancy and load-balancing implementations redundancy and load-balancing implementations dependent on L2 connectivity (single broadcast dependent on L2 connectivity (single broadcast domain)domain)

•multisite datacenter L2 extensionmultisite datacenter L2 extension

•Virtual leased lines Virtual leased lines / / Virtual Private LANs (multipoint)Virtual Private LANs (multipoint)

•Links of overlay networks with customer routing Links of overlay networks with customer routing separated from the SP routingseparated from the SP routing

•If SP reaches L3 VPN scalability limitsIf SP reaches L3 VPN scalability limits


L2VPN Services (1)L2VPN Services (1)•PseudowiresPseudowires

•P2P, Muxed or unmuxed UNIP2P, Muxed or unmuxed UNI

•Muxed UNI allows to terminate multiple Muxed UNI allows to terminate multiple (separate) VCs on the same physical interface(separate) VCs on the same physical interface•Muxed UNI possible only if L2 framing Muxed UNI possible only if L2 framing differentiates between traffic flowsdifferentiates between traffic flows

•802.1q, FR, ATM802.1q, FR, ATM•Various framing optionsVarious framing options

•Ethernet (including 802.1q) – most casesEthernet (including 802.1q) – most cases•Frame RelayFrame Relay

•HDLC, PPPHDLC, PPP

•ATM (AAL5 and Cell Relay)ATM (AAL5 and Cell Relay)

•+ interworking+ interworking


L2VPN Services (2)L2VPN Services (2)

•Virtual Private LAN Service (VPLS)Virtual Private LAN Service (VPLS)•Ethernet RelayEthernet Relay

•Muxed or unmuxed UNIMuxed or unmuxed UNI

•With muxed UNI, user can connect to With muxed UNI, user can connect to multiple VPLS instances multiple VPLS instances (MPLS-cloud-wide virtual switch (MPLS-cloud-wide virtual switch

instances) instances) using a single physical attachmentusing a single physical attachment

Formal L2VPN service classification does not Formal L2VPN service classification does not dictate how is the service implemented in the dictate how is the service implemented in the SP core network (EoMPLS, AToM, QinQ, ...)SP core network (EoMPLS, AToM, QinQ, ...)


Any Transport over MPLSAny Transport over MPLS(AToM)(AToM)

•AToM Technical OverviewAToM Technical Overview

•http://www.informit.com/library/content.aspx?http://www.informit.com/library/content.aspx?b=Troubleshooting_VPNs&seqNum=61b=Troubleshooting_VPNs&seqNum=61


SpecificationsSpecifications•““The AToM framework and transport options for the various Layer 2 protocols are The AToM framework and transport options for the various Layer 2 protocols are defined in RFC 4447, RFC 4385, RFC 4448, RFC 4717, RFC 4618, and RFC 4619. In defined in RFC 4447, RFC 4385, RFC 4448, RFC 4717, RFC 4618, and RFC 4619. In addition to these methods to transport Layer 2 protocols, RFC 4553 and RFC 4842 define addition to these methods to transport Layer 2 protocols, RFC 4553 and RFC 4842 define methods to transport TDM-based services, such as T1/E1, T3/E3, and SONET/SDH, methods to transport TDM-based services, such as T1/E1, T3/E3, and SONET/SDH, over a core MPLS network.” -Tiso, John (2011-10-31). Designing Cisco Network Service over a core MPLS network.” -Tiso, John (2011-10-31). Designing Cisco Network Service Architectures (ARCH) Foundation Learning Guide: (CCDP ARCH 642-874) (3rd Edition) (Architectures (ARCH) Foundation Learning Guide: (CCDP ARCH 642-874) (3rd Edition) (

•RFCs:RFCs:•draft-martini-l2circuit-trans-mpls-07.txt: Transport of Layer 2 Frames over draft-martini-l2circuit-trans-mpls-07.txt: Transport of Layer 2 Frames over MPLSMPLS

•draft-martini-l2circuit-encap-mpls-03.txt: Encapsulation Methods for draft-martini-l2circuit-encap-mpls-03.txt: Encapsulation Methods for Transport of Layer 2 Frames over MPLSTransport of Layer 2 Frames over MPLS


AToM Usages and AdvantagesAToM Usages and Advantages

•Provides traditional L2 P2P connectivity using MPLS Provides traditional L2 P2P connectivity using MPLS corecore

•Ethernet/FR/ATM/HDLC/PPP circuitsEthernet/FR/ATM/HDLC/PPP circuits

•Transparent to usersTransparent to users

•All techniques of MPLS TE and MPLS QoS may be All techniques of MPLS TE and MPLS QoS may be applied to reach desirable characteristics of pseudowiresapplied to reach desirable characteristics of pseudowires

•allows provisioning of QoS-aware virtual leased linesallows provisioning of QoS-aware virtual leased lines•May utilize traffic-engineering tunnelsMay utilize traffic-engineering tunnels

•802.1p, FR DE and ATM CLP may be also 802.1p, FR DE and ATM CLP may be also transferredtransferred


L2 Protocols Supported by AToML2 Protocols Supported by AToM

•Ethernet (including 802.1q)Ethernet (including 802.1q)

•ATM AAL5 PDUs + OAM cellsATM AAL5 PDUs + OAM cells

•Frame Relay + LMIFrame Relay + LMI

•ATM Cell RelayATM Cell Relay

•PPPPPP

•HDLCHDLC

•Protocol InterworkingProtocol Interworking•e.g. FR PVCs<->Ethernet VLANse.g. FR PVCs<->Ethernet VLANs

•See example at See example at http://www.debugall.co.uk/2009/08/03/frame-relay-to-http://www.debugall.co.uk/2009/08/03/frame-relay-to-vlan-interworking-atom/vlan-interworking-atom/


AToM (Pseudowore) OperationAToM (Pseudowore) Operation•Frames are encapsulated with 2-level label stackFrames are encapsulated with 2-level label stack

•Transport label identifies egress PETransport label identifies egress PE

•VC label identifies virtual switch instance (VSI) /outgoing interface on the egress PEVC label identifies virtual switch instance (VSI) /outgoing interface on the egress PE

•Multiple VCs may exist between a pair of PEsMultiple VCs may exist between a pair of PEs

•Directed LDP session between PEs is used to Directed LDP session between PEs is used to distribute VC (inner) labels (Martini specification)distribute VC (inner) labels (Martini specification)

•New LDP TLVs to signal Label-to-VCID mapping and VC type were definedNew LDP TLVs to signal Label-to-VCID mapping and VC type were defined

•Alternatively BGP may be used to distribute label-to-Alternatively BGP may be used to distribute label-to-VC mapping (Kompella specification)VC mapping (Kompella specification)

•In addition, PE autodiscovery is possible using BGP RRs (special AF)In addition, PE autodiscovery is possible using BGP RRs (special AF)

•Data plane: 2 unidirectional LSPsData plane: 2 unidirectional LSPs•Encapsulation type on both sides must matchEncapsulation type on both sides must match

•Even trunk (802.1q)/non-trunk access circuit interface type is negotiatedEven trunk (802.1q)/non-trunk access circuit interface type is negotiated


AToM Control WordAToM Control Word•Carried after label(s) instead of the original L2 headerCarried after label(s) instead of the original L2 header

•Special bits of original L2 headersSpecial bits of original L2 headers

•FECN, BECN and DE for Frame RelayFECN, BECN and DE for Frame Relay•CLP for ATMCLP for ATM

•L2 header is reconstructed on the egress PEL2 header is reconstructed on the egress PE

•May carry sequence number to avoid out-of-order frame deliveryMay carry sequence number to avoid out-of-order frame delivery

•Out-of-order frames are discardedOut-of-order frames are discarded

•Mandatory for FR and ATM AAL5, optional for other Mandatory for FR and ATM AAL5, optional for other protocolsprotocols

•PEs use special LDP TLV to negotiate whether Control Words will be PEs use special LDP TLV to negotiate whether Control Words will be present in data framespresent in data frames


EoMPLSEoMPLS

•May be considered subset of AToMMay be considered subset of AToM

•Ethernet frames over MPLS LSPEthernet frames over MPLS LSP

•virtual circuit servicevirtual circuit service–No L2 destination MAC address lookupNo L2 destination MAC address lookup–No L2 address learningNo L2 address learning–Port-based or VLAN-based (like Muxed E-LINE)Port-based or VLAN-based (like Muxed E-LINE)


Virtual Private LAN Service (VPLS)Virtual Private LAN Service (VPLS)

See also See also http://www.h3c.com/portal/Products___Solutions/Technology/MPLS/http://www.h3c.com/portal/Products___Solutions/Technology/MPLS/

VPLS/200701/195598_57_0.htmVPLS/200701/195598_57_0.htm


Virtual Private LANVirtual Private LAN•Ethernet-based any-to-any communication over IP/MPLS Ethernet-based any-to-any communication over IP/MPLS corecore

•Simulates single Ethernet broadcast domainSimulates single Ethernet broadcast domain•virtual distributed switch which connects together customer's geographically virtual distributed switch which connects together customer's geographically dispersed LANsdispersed LANs

•Simulates “real” Ethernet bridge over WANSimulates “real” Ethernet bridge over WAN

•self-learning of MAC addresses, flooding (headend replication) of BUM self-learning of MAC addresses, flooding (headend replication) of BUM frames , MAC address withdrawal after topology change (new LDP TLV)frames , MAC address withdrawal after topology change (new LDP TLV)

•Multiple VPLS instances can coexist on the same MPLS coreMultiple VPLS instances can coexist on the same MPLS core

•Even reachable from single muxed UNIEven reachable from single muxed UNI

•Sites are connected by pseudowires (PW)Sites are connected by pseudowires (PW)•EoMPLS EoMPLS (alternatively L2TPv3 – not used too much)(alternatively L2TPv3 – not used too much)

•Much faster convergence in case of failure in SP network (LSP Much faster convergence in case of failure in SP network (LSP rerouting) comparing with STPrerouting) comparing with STP


VPLS AdvantagesVPLS Advantages•For service providers:For service providers:

•May provide a new (potentially QoS-aware) L2 service on the May provide a new (potentially QoS-aware) L2 service on the existing MPLS coreexisting MPLS core

•Flexible bandwidth allocationFlexible bandwidth allocation

•Compare with core built using 100Mb/1 Gb/10Gbps Compare with core built using 100Mb/1 Gb/10Gbps Ethernet-switch-based provider infrastructuresEthernet-switch-based provider infrastructures

•No STP issuesNo STP issues

•For customers:For customers:•Simple and well-known Ethernet technologySimple and well-known Ethernet technology

•The same technology in the carrier network and in customer's The same technology in the carrier network and in customer's LANLAN


Implementaiton of Virtual Distributed Implementaiton of Virtual Distributed Ethernet Switch (1)Ethernet Switch (1)

•VFIs (Virtual Forwarding Instances) of the same L2 VPN VFIs (Virtual Forwarding Instances) of the same L2 VPN (VPLS instance) on PE switches constitute broadcast domain(VPLS instance) on PE switches constitute broadcast domain

•VFI is also called VSI (Virtual Switching Instance)VFI is also called VSI (Virtual Switching Instance)

•Similar concept as VRF (routing instance) but on L2Similar concept as VRF (routing instance) but on L2

•VFI may also handle multiple separate broadcast domains if VFI may also handle multiple separate broadcast domains if VLAN tagging is used (like VLAN-aware switch)VLAN tagging is used (like VLAN-aware switch)

•Full mesh of pseudowires between PE routersFull mesh of pseudowires between PE routers•PWs signalled using BGP (Kompella specification) or PWs signalled using BGP (Kompella specification) or directed LDP (Martini specification)directed LDP (Martini specification)

•Not very scalableNot very scalable


Implementaiton of Virtual Distributed Implementaiton of Virtual Distributed Ethernet Switch (2)Ethernet Switch (2)

•Control planeControl plane•Autodiscovery – finding of other PE LSRs Autodiscovery – finding of other PE LSRs participating in the same VPNparticipating in the same VPN

•BGP or other autodiscovery protocols (DNS, ...)BGP or other autodiscovery protocols (DNS, ...)•SignallingSignalling

•process of establishing pseudowires – BGP or process of establishing pseudowires – BGP or LDPLDP

•BGP (RFC 4761)BGP (RFC 4761)•LDP (RFC 4762)LDP (RFC 4762)


VPLS MAC Address LearningVPLS MAC Address Learning

•Learning from data frames' source MACsLearning from data frames' source MACs•Unqualified mode (default): all VLANs share MAC address spaceUnqualified mode (default): all VLANs share MAC address space

•problem with L3 devices that share same MAC address on different problem with L3 devices that share same MAC address on different VLANsVLANs

•Qualified mode (optional): per-VLAN MAC addresses learningQualified mode (optional): per-VLAN MAC addresses learning

•Standard aging timersStandard aging timers

•Optional MAC Address Withdrawal LDP messageOptional MAC Address Withdrawal LDP message•e.g. when access circuit failse.g. when access circuit fails


Pseudowire ImplementationPseudowire Implementation

•stack of two MPLS headersstack of two MPLS headers•Outer (transport) label identifies target PEOuter (transport) label identifies target PE

•Inner label identifies pseudowire terminated on Inner label identifies pseudowire terminated on that PEthat PE

•PEs associate inner label with particular VPLS PEs associate inner label with particular VPLS instance (Virtual Switching Instance)instance (Virtual Switching Instance)•Multiple VSIs may exist on the same PE deviceMultiple VSIs may exist on the same PE device•Inner label is generated by egress switch for Inner label is generated by egress switch for particular configured VCID during PW setup particular configured VCID during PW setup (control plane)(control plane)


VPLS Forwarding Loop AvoidanceVPLS Forwarding Loop Avoidance•A frame received from PEx is never forwarded to A frame received from PEx is never forwarded to PEz by PEyPEz by PEy

•but only to PEy's attachment circuits (to CEs)but only to PEy's attachment circuits (to CEs)

•analogy of Split Horizon ruleanalogy of Split Horizon rule

•requires full mesh of PWsrequires full mesh of PWs

•Solutions to avoid loops across sites with multiple Solutions to avoid loops across sites with multiple attachment circuits exists (ICCP) but is not attachment circuits exists (ICCP) but is not standardizedstandardized

•Spanning Tree may be still applied as an Spanning Tree may be still applied as an alternative, alternative, not recommendednot recommended


Problems of VPLS ScalingProblems of VPLS Scaling•Full mesh of PWs between PEs is neededFull mesh of PWs between PEs is needed

•Both for data and control trafficBoth for data and control traffic•route reflector may help for signalling via IBGProute reflector may help for signalling via IBGP•static configuration of LDP directed sessions is always static configuration of LDP directed sessions is always unscalableunscalable

•Signalling and packet replication overhead (in PE)Signalling and packet replication overhead (in PE)•especially broadcasts and unknown unicast floodingespecially broadcasts and unknown unicast flooding

•One solution is to establish a hierarchy, i.e. divide a One solution is to establish a hierarchy, i.e. divide a VPLS VPN into 2 tiersVPLS VPN into 2 tiers

•Multiple customers are aggregated in 2-nd level and Multiple customers are aggregated in 2-nd level and connected to the same PE router => hierarchical VPLS (H-connected to the same PE router => hierarchical VPLS (H-VPLS)VPLS)


Hierarchical VPLSHierarchical VPLS


H-VPLS (1)H-VPLS (1)•2-tier architecture2-tier architecture

•analogical to a star topology of spoke switches connected to a analogical to a star topology of spoke switches connected to a core switch (without local switching in spokes)core switch (without local switching in spokes)

•High-performance core tierHigh-performance core tier•Limited number of PEsLimited number of PEs

•Stable full mesh of virtual circuits between PEsStable full mesh of virtual circuits between PEs

•Packet replication and switching function occurs only in the corePacket replication and switching function occurs only in the core

•MPLS or (cheaper) QinQ Ethernet-based access tier in MPLS or (cheaper) QinQ Ethernet-based access tier in POPsPOPs

•U-PE faces to the customerU-PE faces to the customer

•N-PE faces to the coreN-PE faces to the core


H-VPLS (2)H-VPLS (2)

•11stst layer of H-VPLS hierarchy can be also layer of H-VPLS hierarchy can be also implemented on MPLS cloudimplemented on MPLS cloud

•pseudowires over MPLS coudpseudowires over MPLS coud

•switching function only in N-PE routerswitching function only in N-PE router


H-VPLS AdvantagesH-VPLS Advantages

•Limited size of the PW full-mesh in the coreLimited size of the PW full-mesh in the core

•Cheaper QinQ-based (possibly Metro Ethernet) Cheaper QinQ-based (possibly Metro Ethernet) technology in POPs' access networkstechnology in POPs' access networks

•Expansion of POP network does not require Expansion of POP network does not require configuration change of core PEs (N-PEs)configuration change of core PEs (N-PEs)


802.1q and MPLS Tags (labels)802.1q and MPLS Tags (labels)in H-VPLSin H-VPLS

•Customer tag (802.1q)Customer tag (802.1q)•Optional, for customers that needs to transport 802.1q-Optional, for customers that needs to transport 802.1q-tagged traffictagged traffic

•Service-provider tag (802.1q)Service-provider tag (802.1q)•Appended by ingess QinQ access-layer Ethernet switchAppended by ingess QinQ access-layer Ethernet switch

•Converted to (inner) MPLS tag on ingres core PE routerConverted to (inner) MPLS tag on ingres core PE router

•Identifies VFI on the target PE router(s)Identifies VFI on the target PE router(s)

•Transport tag (MPLS)Transport tag (MPLS)•Identifies egress core PE routerIdentifies egress core PE router

cisco presentation guide - vsb.cz

Documents