L2VPN

Overview of L2VPN
Layer 2 (L2) transport over MPLS and IP already exists for like-to-like attachment circuits, such as
Ethernet-to-Ethernet, PPP-to-PPP, High-Level Data Link Control (HDLC), etc.
• L2VPNs are built with Pseudowire (PW) technology
• PWs provide a common intermediate format to transport multiple types of network services over
a Packet Switched Network (PSN) – a network that forwards packets – IPv4, IPv6, MPLS,
Ethernet
• PW technology provides Like-to-Like transport and also Interworking (IW)
• Frames that are received at the PE router on the AC are encapsulated and sent across the PSW to
the remote PE router.
• The egress PE router receives the packet from the PSW and removes their encapsulation.
• The egress PE extracts and forwards the frame to the AC.
Motivation for L2VPNs
Old and New Drivers
• Network Consolidation
‒ Multiple access services (FR, ATM, TDM)
required multiple core technologies Acc
Access Accessss
e
• Enterprise Ethernet WAN Connectivity L3 service

‒ Ethernet well understood by Enterprise / SPs IP/IPSec IP or MPLS IP/IPSec

‒ CAPEX (lower cost per bit) / Growth (100GE)
‒ Layer 2 VPN replacement to ATM/Frame
L2 service
‒ Relay Internet / Layer 3 VPN access (CE to FR/ATM FR/ATM
Broadband ATM Broadband
• Data
PE)Center Interconnection (DCI)
• Mobile Backhaul Evolution
L1 service
‒ TDM /PDH to Dual/Hybrid to All-packet
(IP/ Ethernet) SONET / SDH
TDM TDM
‒ Single (voice + data) IP/Ethernet
mobile backhaul universally accepted
solution
MPLS L2 VPN Models
1. VPWS Services
• Point-to-point • Referred to as Pseudowires
(PWs)
2. VPLS Services
• Multipoint
• Mac Learning
• Why is L2VPN needed?
• Allows SP to have a single infrastructure for both IP and legacy services
• Migrate legacy ATM and Frame Relay services to MPLS/IP core without interruption to existing
services
• Provisioning new L2VPN services are incremental (not from scratch) in existing MPLS/IP core
• Capital and Operational savings of converged IP/MPLS network
• SP provides new point-2-point or point-2-multi-point services Customer can have their own
routing, QoS policies, security mechanisms, etc.
 Pseudo Wire Reference Model
Emulated Service

Pseudo Wire

PSN Tunnel (LSP in MPLS) Customer

Customer
Site CE CE Site

IP/MPLS
PW1
Attachment Circuit
PW2

CE PE1 PE2 Customer

Customer
Pseudo Wire
CE Site
Site
PDUs
Packet Switched
Network (PSN)
IP or MPLS
 A Pseudo Wire (PW) is a connection between two provider edge devices
connecting two attachment circuits (ACs)
 In an MPLS core a Pseudo Wire uses two MPLS labels
Tunnel Label (LSP) identifying remote PE router
VC Label identifying Pseudo Wire circuit within tunnel
VPWS
VPWS (Virtual Private Wired Service)
L2VPNs employ L2 services over MPLS in order to build a topology of
point-to-point connections that connect end customer sites in a VPN.
These L2VPNs provide an alternative to private networks that have been
provisioned by means of dedicated leased lines or by means of L2 virtual
circuits that employ ATM or Frame Relay. The service provisioned with
these L2VPNs is known as Virtual Private Wire Service (VPWS).
Customers are unwilling to migrate to the MPLS VPN solution for two
reasons. The first reason is that they want to retain complete control
over their network and the way it is built. The second reason is that they
have legacy equipment (for example, IBM FEP) running protocols that
cannot be carried over IP.
 Pseudowire Reference Model
• Any Transport Over MPLS (AToM) is implementation of VPWS for IP/MPLS
Cisco’s networks
• An Attachment Circuit (AC) is the physical or virtual circuit attaching a CE to a PE
• Customer Edge (CE) equipment perceives a PW as an unshared link or circuit

Emulated Layer-­‐2 Service

Pseudowire (PW)
Nati ve Nati ve
Service PSN Service
Tunnel
PW1

AC PW2 AC
CE PE PE CE
AC AC

CE CE
Ref: RFC 3985 Pseudo Wire EmulaJon Edge-­‐to-­‐Edge (PWE3) Architecture, March 2005
In VPWS, the two pseudo-wire technologies that enable point-to-point
Layer 2 services are as follows:
• AToM—A pseudo-wire technology that uses MPLS-enabled networks
to provide Layer 2 services.
• L2TPv3—A pseudo-wire technology for non-MPLS enabled networks
or purely native IP-based networks.
Both AToM and L2TPv3 support the transport of Frame Relay, ATM,
High-Level Data Link Control (HDLC), PPP, and Ethernet traffic over an
MPLS or IP core.
VPWS
Discovery and Signaling
Alternatives
• VPWS Signaling VPN Discovery
‒ LDP-based (RFC 4447)
Manual Border Gateway
‒ BGP-based No Auto-Discovery Protocol (BGP)
draft- – expired
kompella- Most widely
l2vpn-l2vpn deployed
2012
Signaling
• VPWS with LDP-signaling and No
RFC6624
auto-discovery Label
Static BGP
‒ Most widely deployed solution No Signaling
Distribution
Protocol (LDP)
• Auto-discovery for point-to-
point services not as relevant
as for multipoint

25
VPWS Forwarding Plane Processing
PE1 PE2
CE-1 CE-2
P1 P2
MPLS

Pseudowire

Traffic direction
Tunnel label
swapping through Penultimate Hop
Popping (PHP) VC label
VC and Tunnel MPLS cloud disposition
label imposition

Push Swap Pop Pop

Push

Tunnel Label Label = 34 Label = 45

VC Label Label = 28 Label = 28 Label = 28

Payload Payload Payload Payload Payload

How Are Ethernet Frames Transported?

• Ethernet frames transported without Preamble, Start Frame Delimiter

(SFD) and FCS
• Two (2) modes of operation supported:
‒ Ethernet VLAN mode (VC type 0x0004) – created for VLAN over MPLS application
‒ Ethernet Port / Raw mode (VC type 0x0005) – created for Ethernet port tunneling application

Original Ethernet Frame

802.1q Length/
Preamble DA SA Ethernet Payload FCS
tag Type
6B 6B 4B (optional) 2B
MPLS
E-Type
MPLS-encapsulated Ethernet Frame
LSP VC Ethernet
Ethernet Payload
DA’ SA’ 0x8847
Label Label Control Word Header
FCS’

4B 4B 4B (optional)

MPLS Stack AToM Header

Config Ex
L2VPN Interface
Verify Config
R5

R6
Config Ex.
Verify
With Tunnel
pseudowire-class te1 pseudowire-class te1
encapsulation mpls encapsulation mpls
preferred-path interface Tunnel1 preferred-path interface Tunnel1
! !
interface GigabitEthernet2.20 interface GigabitEthernet1.20
encapsulation dot1Q 20 encapsulation dot1Q 20
xconnect 6.6.6.6 20 encapsulation mpls pw-class te1 xconnect 7.7.7.7 20 encapsulation mpls pw-class te1
! !
interface Tunnel1 interface Tunnel1
ip unnumbered Loopback0 ip unnumbered Loopback0
tunnel source Loopback0 tunnel source Loopback0
tunnel mode mpls traffic-eng tunnel mode mpls traffic-eng
tunnel destination 6.6.6.6 tunnel destination 7.7.7.7
tunnel mpls traffic-eng path-option 1 dynamic tunnel mpls traffic-eng path-option 1 dynamic
! !
Verify
VPLS
Virtual Private LAN Service
Overview

• Defines Architecture to provide

Ethernet Multipoint connectivity CE-A1 CE-A3
MPLS
sites, as if they were connected
using a LAN CE-B1 CE-B3

• VPLS operation emulates an

IEEE
• Ethernet switch
Two (2) signaling methods CE-A2

‒ RFC 4762 (LDP-Based VPLS) CE-B2

‒ RFC 4761 (BGP-Based VPLS)

Virtual Private LAN Service
End-to-end architecture that allows MPLS networks to provide Multipoint
Ethernet services
• It is “Virtual” because multiple instances of this service share the same
physical infrastructure
• It is “Private” because each instance of the service is independent and
isolated from one another
• It is “LAN Service” because it emulates Layer 2 multipoint connectivity
between subscribers
Implement VPLS
Virtual Private LAN Service
Reference Model

• VFI (Virtual Forwarding Instance)

‒ Also called VSI (Virtual Switching Instance) CE-A3
CE-A1
PE1 MPLS PE3
‒ Emulates L2 broadcast domain among ACs and VCs
‒ Unique per service. Multiple VFIs can exist same PE VFI VFI CE-B3
CE-B1

• AC (Attachment Circuit) VFI VFI

Connect to CE device, it could be Ethernet

physical or logical port PE2
‒ One or multiple ACs can belong to same VFI Full-mesh of PWs
VFI
between VFIs
• VC (Virtual Circuit) VFI
CE-A2

‒ EoMPLS data encapsulation, tunnel label used to

reach remote PE, VC label used to identify VFI CE-B2

‒ One or multiple VCs can belong to same VFI

‒ PEs must have a full-mesh of PWs in the
VPLS core
VC Distribution Mechanism using LDP
Directed LDP Session Tunnel Label(s) gets to PE router
between PE1 and PE2

Label Switch Path Customer

Customer
Site CE CE Site

IP/MPLS

Customer CE PE1 PE2 CE Customer

Site LSP created Site
using IGP+LDP
VC Label identifies interface
or RSVP-TE

 Unidirectional Tunnel LSP between PE routers to transport PW

PDU from PE to PE using tunnel label(s)
Both LSPs combined to form single bi-directional Pseudo Wire
 Directed LDP session between PE routers to exchange VC
information, such as VC label and control information
PW Encapsulation over MPLS

 Ethernet Pseudo Wires use 3 layers of encapsulation

Tunnel Encapsulation (zero, one or more MPLS Labels)
To get PDU from ingress to egress PE;
Could be an MPLS label (LDP, TE), GRE tunnel, L2TP tunnel
Pseudo Wire Demultiplexer (PW Label)
To identify individual circuits within a tunnel;
Obtained from Directed LDP session
Control Word (Optional)
The following is supported when carrying Ethernet
Provides the ability to sequence individual frames
Avoidance of equal-cost multiple-path load-balancing
Operations and Management (OAM) mechanisms
 Control word format varies depending on transported PDU

Layer 2 Control PW Tunnel

PDU Word Label Label
 Ethernet PW Tunnel Encapsulation
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

Tunnel Encaps Tunnel Label (LDP,RSVP,BGP) EXP 0 TTL

PW Demux VC Label (VC) EXP 1 TTL (set to 2)

Control Word 0 0 0 0 Reserved Sequence Number

Layer-2 PDU

 Tunnel Encapsulation
One or more MPLS labels associated with the tunnel
Defines the LSP from ingress to egress PE router
Can be derived from LDP+IGP, RSVP-TE, BGP IPv4+Label
 Ethernet PW Demultiplexer
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

Tunnel Encaps Tunnel Label (LDP,RSVP,BGP) EXP 0 TTL

PW Demux VC Label (VC) EXP 1 TTL (set to 2)

Control Word 0 0 0 0 Reserved Sequence Number

Layer-2 PDU

 VC Label
Inner label used by receiving PE to determine the following
Egress interface for L2PDU forwarding (Port based)
Egress VLAN used on the CE facing interface (VLAN Based)
 EXP can be set to the values received in the L2 frame
 Ethernet PW Control Word
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

Tunnel Encaps Tunnel Label (LDP,RSVP,BGP) EXP 0 TTL

PW Demux VC Label (VC) EXP 1 TTL (set to 2)

Control Word 0 0 0 0 Reserved Sequence Number

Layer-2 PDU

 Control Word is Optional (as per RFC)

0000 First nibble is 0x0 to prevent aliasing with IP
Packets over MPLS (MAC addresses that start
with 0x4 or 0x6)
Reserved Should be all zeros, ignored on receive
Seq number provides sequencing capability to detect out
of order packets - currently not in Cisco’s
implementation – processing is optional
Virtual Private LAN Service
Operation
Applies
• Flooding / Forwarding Split-
Horizon
Customer
‒ Forwarding based on destination MAC Equipment N-PE 1 N-PE 3

addresses CE

CE
‒ Flooding (Broadcast, Multicast, Unknown
PW
Unicast) CE
U-PE B N-PE 4Applies
N-PE 2 Applies
Split-
• MAC Learning/Aging/Withdrawal Ethernet UNI Split-
Horizon Ethernet UNI
Horizon
‒ Dynamic learning based on Source MAC
and VLAN
Customer
Equipment
‒ Refresh aging timers with incoming packet N-PE 1 N-PE 3

CE
‒ MAC withdrawal upon topology changes
CE

• Split-Horizon and Full-Mesh of PWs for CE

PW
loop-avoidance in core U-PE B
N-PE 2 N-PE 4
Ethernet UNI Ethernet UNI
 VPLS Flooding & Forwarding

Unknown DA? Pseudo Wire in LSP

Data SA DA?

 Flooding (Broadcast, Multicast, Unknown Unicast)

 Dynamic learning of MAC addresses on PHY and VCs
 Forwarding
Physical Port
Virtual Circuit
 MAC Address Learning and Forwarding
Send me frames Send me frames
Directed LDP
using Label 102 using Label 170
MAC1 MAC2
PE1 PE2
CE Use VC CE
Label 102
E0/0 Use VC E0/1
Label 170
MAC Address Adj MAC Address Adj
MAC 2 170 MAC 2 E0/1
PE2 102 MAC1 MAC2 Data
MAC 1 E0/0 MAC 1 102
Data MAC1 MAC2 170 PE2

 Broadcast, Multicast, and Unknown Unicast are learned via the received
label associations
 Two LSPs associated with a VC (Tx & Rx)
 If inbound or outbound LSP is down
Then the entire Pseudo Wire is considered down
MAC Address Withdrawal Message
Directed LDP

MAC wal
d ra
With
X

l
ra w a
Withd C
MPLS

MA
MPLS

 Message speeds up convergence process

Otherwise PE relies on MAC Address Aging Timer
 Upon failure PE removes locally learned MAC addresses
 Send LDP Address Withdraw (RFC3036) to remote PEs in VPLS
(using the Directed LDP session)
 New MAC List TLV is used to withdraw addresses
 VFI and Split Horizon
This traffic will not be
replicated out PW #2 and
visa versa
CE
1 1 1 1 1 1 1 1 1
3 3 3 3 Pseudo Wire #1 N-PE2
1 2 1 2 1 3 3 3 3 3
CE
2 2 2 2 VFI
3 3 3 3 3 2 2 2 2 2
3 3 3 3
Pseudo Wire #2 N-PE3
N-PE1 3 3 3 3 3
Broadcast
/Multicast
Virtual
Bridging Function Forwarding
(.1Q or QinQ) Interface Pseudo Wires

Local Switching Split Horizon Active

 Virtual Forwarding Interface is the VSI representation in IOS

Single interface terminates all PWs for that VPLS instance
This model applicable in direct attach and H-VPLS with Ethernet Edge
 VFI and NO Split Horizon
CE Split Horizon 1 1 1 1 1
disabled
Pseudo Wire #1 N-PE2
U-PE 1 2 1 2 1 3 3 3 3 3
CE Pseudo Wire #3 VFI
3 3 3 3 3 2 2 2 2 2
Pseudo Wire #2 N-PE3
Unicast

N-PE1

Virtual
Pseudo Wire Forwarding
MPLS Based Interface Pseudo Wires

NO Split Horizon Split Horizon Active

 This model applicable H-VPLS with MPLS Edge

PW #1, PW #2 will forward traffic to PW #3 (non split horizon port)
 VPLS Topology – PE View

CEs

PEs MPLS
MPLS

Full Mesh LDP

Ethernet PW to each peer

PE view

 Each PE has a P2MP view of all other PEs it sees it self as a root bridge
with split horizon loop protection
 Full mesh topology obviates STP in the SP network
 Customer STP is transparent to the SP / Customer BPDUs are forwarded
transparently
VPLS Topology – CE View
CEs

PEs MPLSMPLS
VPLS
MPLS VPLSCore
MPLS Core
Full Mesh LDP
Ethernet PW to each peer

PE view

• CE routers/switches see a logical Bridge/LAN

• VPLS emulates a LAN
Hierarchical VPLS (H-VPLS)

 Best for larger scale deployment

 Reduction in packet replication and signaling overhead
 Consists of two levels in a Hub and Spoke topology
Hub consists of full mesh VPLS Pseudo Wires in MPLS core
Spokes consist of L2/L3 tunnels connecting to VPLS (Hub) PEs
Q-in-Q (L2), MPLS (L3), L2TPv3 (L3)
 Some additional H-VPLS terms
MTU-s Multi-Tenant Unit Switch capable of bridging (U-PE)
PE-r Non bridging PE router
PE-rs Bridging and Routing capable PE
 Why H-VPLS?
VPLS H-VPLS
PE
CE
CE CE PE-rs MTU-s
PE PE

CE
CE PE PE CE PE-rs PE-rs

CE
CE
PE PE

PE-rs PE-r

CE CE PE-rs PE-rs
CE
PE CE
• Potential signaling overhead • Minimizes signaling overhead
• Full PW mesh from the Edge • Full PW mesh among Core devices
• Packet replication done at the Edge • Packet replication done the Core
• Node Discovery and Provisioning extends • Partitions Node Discovery process
end to end
VPLS
Discovery and Signaling
Alternatives
• VPLS Signaling VPN Discovery
‒ LDP-based (RFC 4762)
Manual Border Gateway
‒ BGP-based (RFC 4761) No Auto-Discovery Protocol (BGP)

• VPLS with LDP-signaling and No

Most widely
auto-discovery deployed RFC
RFC 4761
‒ Most widely deployed solution Signaling 6074

‒ Operational complexity for larger

deployments Label
Static BGP
No Signaling
Distribution
• BGP-based Auto-Discovery (BGP- Protocol (LDP)
AD) (RFC 6074)
‒ Enables discovery of PE devices in a
VPLS instance
26
PW Control Plane Operation
LDP Signaling PEs advertize local VC label using
LDP label-mapping message:
4 Label TLV + PW FEC TLV

2
New targeted
LDP session
between PE PE-1 PE-2
routers
established, in
MPLS CE-2
case one does CE-1
not already exist

1 Interface A Interface B

PW manually Local_int = A Local_int = B

provisioned – Remote Remote PE = PE2_ip Remote PE = PE1_ip PW manually
provisioned – Remote
PE info included VC-id <123>
PEs assigns
VC-id <123>
PE info included
1
local VC label to
PW

5 PEs bind remote

label for PW with Local Label X 3 Local Label Y 3
matching VC-id
Remote Label Y 5 Remote Label X
 BGP Auto Discovery
Auto−discovery is a means for a provider edge (PE) to learn which remote PEs are
members of a given VPLS domain. Signaling is a means for a PE to learn the
pseudowire label expected by a given remote PE for a given VPLS domain.

Refer to these Internet Engineering Task Force (IETF) documents:

• RFC 4762 Virtual Private LAN Service (VPLS) Using Label Distribution
Protocol (LDP) Signaling describes BGP auto−discovery with Label Distribution
Protocol (LDP) signaling for VPLS (also known as Martini).
• RFC 4761 Virtual Private LAN Service (VPLS) Using BGP for Auto−Discovery and
Signaling describes BGP auto−discovery and BGP signaling for VPLS (also known as
Kompella).
 BGP Auto-Discovery (BGP-AD)
• Eliminates need to manually provision
BGP Update
VPLS neighbors BGP session message with
VPLS NLRI
• Automatically detects when new PEs are PE1 BGP RR PE3
added / removed from the VPLS domain CE-A1 CE-A3

• Uses BGP Update messages to advertize VFI VFI

PE/VFI mapping (VPLS NLRI) MPLS

• Typically used in conjunction with BGP PE2

I am a new PE with ACs
Route Reflectors to minimize iBGP full- Pseudowire on BLACK VFI
mesh peering requirements VFI

• Two (2) RFCs define use of BGP for

CE-A2
VPLS AD1
‒ RFC
6074 –
when LDP
used for
(1) VPLS BGP PW
NLRIs from RFC 6074 and 4761 are different in format and thus not compatible, even though they share same AFI / SAFI values
28
• The MP-BGP NLRI (Network Layer Reachability Information) from the RR contains an additional
extended community called the L2VPN AGI or attachment group identifier. It's a specific value used
in BGP autodiscovery and it identifies the VPLS domain. The AGI is also labeled as the VPLS-ID
and is in the format of [ASN:VPN ID]. The PEs advertise the AGI to identify their membership for a
particular VPLS domain.
How the VPLS Autodiscovery BGP Based
Feature Works
• BGP uses the Layer 2 VPN (L2VPN) Routing Information Base (RIB) to
store endpoint provisioning information, which is updated each time
any Layer 2 virtual forwarding instance (VFI) is configured. The prefix
and path information is stored in the L2VPN database, which allows
BGP to make decisions about the best path. When BGP distributes the
endpoint provisioning information in an update message to all its BGP
neighbors, this endpoint information is used to configure a
pseudowire mesh to support L2VPN-based services.
VPLS Auto Discovery and Signaling via
BGP
The important factor in VPLS signaling via BGP is Network Layer Reachability
Information (NLRI). The BGP Network Layer Reachability Information consists of
Route Distinguisher (RD), VPLS Endpoint (VE ID), VE Block Offset (VBO), VE Block Size
(VBS), and Label Base (LB). The BGP extended community attributes carry next-hop
value, RT value, and any other layer 2 information.

The Route Target import/export mechanism as used in L3VPN is also used here to
filter out the L2 VPN NLRI information for a particular VPLS instance. The Route
Distinguisher (RD) keeps the NLRI unique for various VPLS instances.

IOS XE : “suppress-signaling-protocol ldp”

IOS XR : “signalling ldp disable”
Architecture of the Solution
Because this is VPLS, there is still a hop−by−hop signaling protocol needed in
the core in order to carry the labeled packets from PE to PE router. This
transport function in the core must still be fulfilled by LDP or MPLS traffic
engineering. BGP needs to send the necessary information in order to set up the
pseudowires in a point−to−multipoint fashion needed by VPLS. This signaling
information includes:

• PE router endpoint identification

• VPLS identity
• Block of MPLS labels
• Encapsulation information
PE Router Endpoint Identification
• The BGP update pertaining to Layer 2 Virtual Private Networks
(L2VPN) VPLS is identified by AFI/SAFI 25/65. This address family
is negotiated when BGP sends the OPEN message.
VPLS Identity and MPLS Labels
The NLRI, also known as the prefix, holds the information on VPLS
identity and the block of MPLS labels. Its encoding has a total length of
19 bytes:
Advertised Label Block
One PE router must advertise at least one label block. The label block is a continuous set of
MPLS labels and is used by the remote PE routers in order to select one remote VC label. The
remote label is used for the PW between the local and remote PE router.
• The VE-ID must be configured on each PE. It identifies the PE routers within the VPLS domain.
• The VE Block Size (VBS) is the size of the label block and has a default value of 10. If 've range'
is configured, it is that value. 've range' can be configured to be [11 -100].
• The Label Base (LB) is the first label value of a free set of labels that can be reserved by the PE
router to be used for this VPLS domain.
• VE Block Offset (VBO) is the offset value to be used when multiple label blocks must be
created by a PE router. VBO is calculated with this equation:
• VBO = RND(VE-ID/VBS) * VBS
• The label block advertised to the remote PE routers is {LB, LB + 1, ? , LB + VBS - 1}. The label
block is defined by the LB and the VBS; the block starts at LB and ends with (LB + VBS - 1).
Config ex.
Verify
 BG
P 100 P1
BG 00

OSPF A0
MPLS BGP
100
BGP AD - LDP Signaling
BGP AD - BGP Signaling
 “Kesepian tanpa kekasih,
Cukup sekian Terima Kasih.”