Guest

Cisco IOS Software Releases 12.0 S

Virtual Private LAN Service over MPLS on Cisco 12000 Series Router Line Cards

  • Viewing Options

  • PDF (529.2 KB)
  • Feedback
Virtual Private LAN Service over MPLS on Cisco 12000 Series Router Line Cards

Table Of Contents

Virtual Private LAN Service over MPLS on Cisco 12000 Series Router Line Cards

Virtual Private LAN Service Overview

VPLS Quality of Service

VPLS Layer 2 Access Control Lists

Transparent Layer 2 Protocol Tunnelling and PDU Filtering

Pseudowire Tunnel Selection

Restrictions

Related Documents

Supported Platforms

Edge Cards

Core Cards

Supported Standards, MIBs, and RFCs

Standards

MIBs

RFCs

Prerequisites

Configuration Tasks

Provisioning a VPLS Service

Verifying VPLS Configurations

Monitoring VPLS

Configuring and Verifying VPLS

Example of Configuring an Ethernet VPLS Network

Example of Verifying a VPLS Configuration

Example of Configuring VPLS for an Ethernet Attachment Circuit

Example of Configuring VPLS for a dot1Q Attachment Circuit

Example of Configuring VPLS for a QinQ Attachment Circuit

Example of Configuring VPLS for a QinAny Attachment Circuit

Example of Configuring a VPLS Ingress Policer

Example of Configuring a VPLS Egress Shaper

Example of Configuring a VPLS Ingress Exp Policy Setting

Example of Configuring VPLS Ingress Match Criteria

Command Reference

mac-address-table aging-time

mac-address-table limit

clear mac-address-table

l2 vfi <name> manual

Glossary


Virtual Private LAN Service over MPLS on Cisco 12000 Series Router Line Cards


Part Number OL-8680-02 Rev. 02 April 20, 2007

Feature History

Release
Modification

12.0(32)S

This feature was introduced on the Cisco 12000 series routers.

12.0(32)SY

This release adds support for the following features on the Cisco 12000 series routers:

Fast Reroute

Support for edge facing Engine 5 line cards

Support for 802.1ad (QinQ) on version 2 Engine 5 line cards

12.0(33)S

This release adds support for the following features on the Cisco 12000 series routers:

Support for Hierarchical-VPLS capability using Access Pseudo-Wire

Support for the following new QoS features:

Access PseudoWire QoS

"match vlan" functionality for VFI AC interfaces

Support for MAC table management enhancements

Support for Layer 2 Access Control Lists on version 2 Engine 5 line cards


This feature module contains the following sections:

Virtual Private LAN Service Overview

Supported Platforms

Supported Standards, MIBs, and RFCs

Prerequisites

Configuration Tasks

Monitoring VPLS

Configuring and Verifying VPLS

Command Reference

Glossary

Virtual Private LAN Service Overview

Virtual Private LAN Service (VPLS) enables geographically separated Local Area Network (LAN) segments to be interconnected as a single bridged domain over an MPLS network. The full functionalities of the traditional LAN like MAC address learning, aging and switching are emulated across all the remotely connected LAN segments that are part of a single bridged domain. A service provider can offer VPLS service to multiple customers over the MPLS network by defining different bridged domains for different customers. Packets from one bridged domain are never carried over or delivered to another bridged domain, thus ensuring the "private" LAN service.

Figure 1 shows the logical components in a VPLS network.

Figure 1 Logical VPLS Components

Table 1 Acronym Definitions for Figure 1

CE

Customer edge device. Used to connect to the service provider network.

n-PE

Network-facing provider edge device. A gateway between the MPLS core and the customer domain.

VFI

Virtual Forwarding Instance (VFI). Each Virtual Forwarding Instance maintains its own MAC table. Provides the Ethernet bridge function within the n-PE.

PW

Pseudowire. An emulated point-to-point link between the endpoints.

LSP

Label Switch Path. The path the pseudowire takes in an MPLS network.


The service provider configures the customer's VPLS service by first provisioning the customer's attachment circuits and associating them to a VPLS instance specific to the customer. The attachment circuits can only be Ethernet in the current release. Within Ethernet as access medium, the attachment circuit's type could be untagged, tagged VLAN, QinQ (802.1ad) or Q in Any. The type of the attachment circuit could be different at different n-PEs for the same customer. Please refer to the "restrictions" section for exceptions to this.

After provisioning attachment circuits, neighbor relationship across the MPLS network for this specific instance is established through a set of manual commands identifying the end PEs. Once the neighbor association is done, a full mesh of pseudowires are established among the n-PEs and the service provider network will now start switching the packets within the bridged domain specific to this customer by looking at destination MAC addresses. All traffic with unknown, broadcast and multicast destination MAC addresses are flooded to all the connected CEs. n-PEs learn the source MAC addresses as the packets get flooded and then onwards the traffic gets unicasted to the CE for all the learnt MAC addresses.

Transparent LAN Service (TLS) and Ethernet Virtual Connection Service (EVCS) are available for service provider and enterprise use.

VPLS Quality of Service

The Modular QoS CLI (MQC) is a platform independent interface for configuring QoS features on Cisco platforms.

The following three different VPLS specific match criteria are introduced in 12.0(32)S:

Match destination-address mac vpls-unknown For unknown traffic

Match destination-address mac vpls-known For known traffic

Match destination-address mac multicast For multicast traffic

More details and configuration of the QoS feature can be found in "Any Transport over MPLS (AToM): Layer 2 QoS (Quality of Service)" at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s30/12sl2qos.htm#wp1050921

VPLS Layer 2 Access Control Lists

Layer 2 Access Control Lists (ACLs) provide the ability to filter traffic on a VPLS enabled interface based on the source MAC address in the Layer 2 header of the packet. More details and configuration of this feature can be found in "Protocol-Independent MAC ACL Filtering on the Cisco 12000 Series Internet Router" at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s32/macacl.htm

Transparent Layer 2 Protocol Tunnelling and PDU Filtering

The Transparent Layer 2 Protocol Tunneling feature allows Layer 2 protocol data units (PDUs) to be tunneled across the core network without being interpreted and processed by intermediary network devices.

Layer 2 PDU filtering allows a service provider to specify which Layer 2 PDUs are to be dropped at an ingress interface on a provider edge (PE) router. Transparent Layer 2 Protocol Tunneling and PDU Filtering provide an enhanced feature set for service providers that transmit customer traffic from metro Ethernet VPNs across an MPLS core network.

These features are supported on VPLS enabled edge interfaces and are supported on VPLS attachment circuits.

Details and configuration of these features (L2PT/L2PDU filtering) can be found in "Transparent Layer 2 Protocol Tunneling and PDU Filtering" at the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s28/l2pt.htm

Pseudowire Tunnel Selection

The Pseudowire Tunnel Selection feature provides the capability to select core-facing routes and map them with VPLS Pseudowire overriding the default route selected by routing. The selected core-facing route could be a next hop or a traffic engineering tunnel.

Traffic engineering (TE) tunnels define LSPs destined to the peer PE router. The default TE tunnel configuration creates one TE tunnel with multiple choices of different paths with different priorities, including tunnel to IGP.

The preferred-path CLI also provides the option to specify whether the VCs should fallback to default route (the route LDP used for signaling) once the preferred path becomes unreachable. The fallback option is enabled by default unless it is explicitly disabled.

Pseudowire Tunnel Selection support is available on a per-neighbor basis. The Virtual Forwarding Instance (VFI) neighbor configuration uses the pseudowire-class as shown in the following example:


pseudowire-class tselect1
encapsulation mpls
preferred-path interface Tunnel1 
!
pseudowire-class tselect2
encapsulation mpls
preferred-path peer 1.1.1.1
!
pseudowire-class tselect3
encapsulation mpls
preferred-path interface Tunnel2 disable-fallback
!
pseudowire-class tselect4
encapsulation mpls
preferred-path peer 1.1.1.2 disable-fallback
!
l2 vfi VPLS1 manual
vpn id 10
neighbor 8.8.8.1 pw-class tselect1
neighbor 8.8.8.2 pw-class tselect2
neighbor 8.8.8.3 pw-class tselect3
neighbor 8.8.8.4 pw-class tselect4

Restrictions

In this release, the following limitations and restrictions apply:

Only 2.5G and 10G IP Services Engine (ISE) line cards can be used for VPLS service on Cisco 12000 series routers.

VPLS over IP and VPLS over L2TPv3 are not supported.

4-Port ISE Gigabit Ethernet line cards cannot have different Ethernet attachment circuits associated with the same VPLS instance. Only homogeneous interfaces and sub-interfaces are allowed.

MPLS forwarding is not supported on non-ISE legacy line cards in a chassis configured as a VPLS provider edge router.

Auto-discovery is not supported.

The MPLS Fast Reroute feature is not supported in the core for VPLS connections on Engine 3 cards. The MPLS Fast Reroute feature is supported in the core for VPLS connections on Engine 5 cards.

QinQ interfaces should not be configured as backup core facing interfaces when using the MPLS Fast Reroute feature

The same 4-Port ISE Gigabit Ethernet line card cannot be used for both customer facing interfaces as well as core facing interfaces.

VPLS over DPT core is not supported.

VLAN ID is not supported as a match criteria for VPLS traffic.

Only three Aggregate NetFlow schemes can be configured on the main interface when VPLS is configured.

The QinQ and QinAny features are supported only on the version 2 SPAs for Engine 5.

Related Documents

For information on configuring Cisco 12000 Series Routers, refer to the following documents:

Modular Quality of Service Command-Line Interface

Stacked VLAN Processing

Cisco IOS Quality of Service Solutions Command Reference

Cisco 12000 Series Router Configuration Guide for Cisco IOS

Any Transport over MPLS

Any Transport over MPLS (AToM): Layer 2 QoS (Quality of Service)

MPLS VPNs over IP Tunnels

Supported Platforms

VPLS is supported in Cisco IOS Release 12.0(32)SY on the following Integrated Services Engine (ISE) line cards and SPAs:

Edge Cards

Ethernet Line Cards

4-port Gigabit Ethernet ISE Line Card (Minimum 512 Megabytes memory)

Core Cards

POS Line Cards

4-port OC-12c POS MM (Minimum 512 Megabytes memory)

1-port OC-48 (Minimum 512 Megabytes memory)

16-port OC-3 (Minimum 512 Megabytes memory)

Cisco 12000 SIP-600 SPAs

1-port 10-Gigabit Ethernet SPA

5-port Gigabit Ethernet SPA

10-port Gigabit Ethernet SPA

1-port OC-192c/STM-64 POS SPA

2-port OC48-POS/RPR SPA

Cisco 12000 SIP-401/501/601 SPAs

8-port FastEthernet SPA

8-port FastEthernet SPA Version 2 (12.0(32)SY)

1-port 10-Gigabit Ethernet SPA

1-port 10-Gigabit Ethernet SPA Version 2 (12.0(32)SY)

2-port Gigabit Ethernet SPA

2-port Gigabit Ethernet SPA hiVersion 2 (12.0(32)SY)

5-port Gigabit Ethernet SPA

5-port Gigabit Ethernet SPA Version 2 (12.0(32)SY)

10-port Gigabit Ethernet SPA

10-port Gigabit Ethernet SPA Version 2 (12.0(32)SY)

1-port OC-192c/STM-64 POS SPA

2-port OC48-POS/RPR SPA

Supported Standards, MIBs, and RFCs

The Virtual Private LAN Service over MPLS on Cisco 12000 Series Router Line Cards feature supports the following standards, MIBs, and RFCs.

Standards

Standards
Title

IEEE 802.1Q


MIBs

MIBs
MIBs Link

PWE3-MIB

VPDN-MIB

IF-MIB

No other new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

No new or modified RFCs are supported by this feature.


Prerequisites

Before you configure VPLS, ensure that the network is configured as follows:

Configure IP routing in the core so that the PE routers can reach each other via IP.

Configure MPLS and LDP in the core so that a label switched path (LSP) exists between the PE routers.

Configure a loopback interface for originating and terminating Layer 2 traffic. Make sure the PE routers can access the other router's loopback interface. Note that the loopback interface is not needed in all cases. For example, tunnel selection does not need a loopback interface when VPLS is directly mapped to a TE tunnel.

Configuration Tasks

See the following sections for configuration tasks for the VPLS feature.

Provisioning a VPLS Service

Verifying VPLS Configurations

Provisioning a VPLS Service

You must provision a VPLS service on all provider edge devices as follows:

1. First create a Layer 2 Virtual Forwarding Instance (VFI) on all provider edge devices.

2. Then, attach an Ethernet attachment circuit (untagged, tagged VLAN, QinQ (802.1ad) or Q in Any) to the VFI on the provider edge devices.

Steps for Provisioning a VPLS Service

 
Command
Purpose
 
Creating a Layer 2 Virtual Forwarding Instance (VFI)

Step 1 

Router#config t

Router(config)#

Enter configuration mode.

Step 2 

Router(config)#l2 vfi <name> manual

Router(config-vfi)#

Creates a named Layer 2 Virtual Forwarding Instance (VFI) and enters the L2 VFI manual configuration mode.

For examples:

Router(config)#l2 vfi Goldfinger manual

Router(config)#l2 vfi Moonraker manual

Router(config)#l2 vfi Goldeneye manual

Router(config)#l2 vfi Thunderball manual

Step 3 

Router(config-vfi)#vpn id <vpn id>

Configures a VPN ID for the VPLS domain. The emulated VCs bound to this L2 VFI use this VPN ID for signaling.

Step 4 

Router(config-vfi)#neighbor <remote router id> { encapsulation {l2tpv3 | mpls} | pw-class <pw name> }

Specifies the remote peering router ID, which is the IP address of the router, and the tunnel encapsulation type (always set to mpls) or the pseudowire property for the emulated VC. Split horizon is enabled by default and should not be disabled in a fully meshed VPLS network to avoid looping.

Step 5 

Router(config-vfi)#bridge-domain <id>

Specifies the bridge domain ID number.

Step 6 

Router(config-vfi)#exit

Router(config)#

Exits the L2 VFI manual configuration mode.

 
Configuring the Interfaces for Ethernet Service

Step 7 

Router(config)#interface GigabitEthernet <slot/port>

Specifies the interface slot and port numbers.

Step 8 

Router(config-if)#no ip directed-broadcast

Blocks broadcast transmissions to the VPLS network.

Step 9 

Router(config-if)#bridge-domain <id>

Specifies the bridge domain ID number.

Step 10 

Router(config-if)#no cdp enable

Prevents Cisco Discovery Protocol (CDP) from being enabled.

Verifying VPLS Configurations

You can verify the operation of the VPLS Ethernet Service by verifying each of the following components:

State of the Virtual Forwarding Instance (VFI)

State of the attachment circuit

State of the pseudowire

MAC address in the MAC table

 
Command
Purpose

Step 1 

vpls-pe#show vfi <name>

Verifies the state of the Virtual Forwarding Instance (VFI) on each provider edge router. For examples:

vpls-pe#show vfi Goldfinger

vpls-pe#show vfi Moonraker

vpls-pe#show vfi Goldeneye

vpls-pe#show vfi Thunderball

Step 2 

vpls-pe#show xconnect interface GigabitEthernet <slot/port>

Verifies the state of the attachment circuit on each provider edge router.

Step 3 

vpls-pe#show mpls l2transport vc <vcNumber> detail

Displays information about Any Transport over MPLS (AToM) virtual circuits (VCs) that have been enabled to route Layer 2 packets on a router.

Step 4 

vpls-pe#show mac address-table bridge-domain <id>

Verifies the MAC address in the MAC table for each provider edge router in the specified bridge domain.

Monitoring VPLS

To monitor VFI information, use the following show commands:

Command
Purpose

Router#show vfi


Shows the state, type, emulation, and neighbors of all VFIs. For example:

Router#show vfi

VFI name: Goldfinger, state: up, type: 
multipoint
  Bridge-Domain 1 attachment circuits:
    GigabitEthernet1/0  
  Neighbors connected via pseudowires:
    7.7.7.7  6.6.6.6 

VFI name: Moonraker, state: up, type: multipoint
  Bridge-Domain 1 attachment circuits:
    GigabitEthernet1/0  
  Neighbors connected via pseudowires:
    7.7.7.7  6.6.6.6 

Router#show vfi <name>


Shows the state, type, emulation, and neighbors of the specified VFI name. For Example:

Router#show vfi Goldfinger

VFI name: Goldfinger, state: up, type: 
multipoint
  Bridge-Domain 1 attachment circuits:
    GigabitEthernet1/0  
  Neighbors connected via pseudowires:
    7.7.7.7  6.6.6.6 


Configuring and Verifying VPLS

This section provides the following examples for configuring and verifying VPLS on provider edge routers:

Example of Configuring an Ethernet VPLS Network

Example of Verifying a VPLS Configuration

Example of Configuring an Ethernet VPLS Network

Provider Edge 1—PE1

Router#config t
Router(config)#l2 vfi Goldfinger manual
Router(config-vfi)#vpn id 1
Router(config-vfi)#bridge-domain 1
Router(config-vfi)#neighbor 120.0.0.3 encapsulation mpls
Router(config-vfi)#neighbor 162.0.0.2 encapsulation mpls
Router(config-vfi)#exit
Router(config)#interface Loopback 0
Router(config-if)#ip address 20.0.0.1 255.255.255.255
Router(config-if)#exit
Router(config)#interface GigabitEthernet 2/1
Router(config-if)#bridge-domain 1
Router(config-if)#exit
Router(config)#interface GigabitEthernet 2/2
Router(config-if)#bridge-domain 1
Router(config-if)#exit

Provider Edge 2—PE2

Router#config t
Router(config)#l2 vfi Moonraker manual
Router(config-vfi)#vpn id 1
Router(config-vfi)#bridge-domain 1
Router(config-vfi)#neighbor 120.0.0.3 encapsulation mpls
Router(config-vfi)#neighbor 20.0.0.1 encapsulation mpls
Router(config-vfi)#exit
Router(config)#interface Loopback 0
Router(config-if)#ip address 162.0.0.2 255.255.255.255
Router(config-if)#exit
Router(config)#interface GigabitEthernet 2/1
Router(config-if)#bridge-domain 1
Router(config-if)#exit

Provider Edge 3—PE3

Router#config t
Router(config)#l2 vfi Goldeneye manual
Router(config-vfi)#vpn id 1
Router(config-vfi)#bridge-domain 6
Router(config-vfi)#neighbor 162.0.0.2 encapsulation mpls
Router(config-vfi)#neighbor 20.0.0.1 encapsulation mpls
Router(config-vfi)#exit
Router(config)#l2 vfi Thunderball manual
Router(config-vfi)#vpn id 200
Router(config-vfi)#bridge-domain 1
Router(config-vfi)#neighbor 162.0.0.2 encapsulation mpls
Router(config-vfi)#neighbor 20.0.0.1 encapsulation mpls
Router(config-vfi)#exit
Router(config)#l2 vfi Mercury manual
Router(config-vfi)#vpn id 300
Router(config-vfi)#bridge-domain 1
Router(config-vfi)#neighbor 162.0.0.2 encapsulation mpls
Router(config-vfi)#neighbor 20.0.0.1 encapsulation mpls
Router(config-vfi)#exit
Router(config)#interface Loopback 0
Router(config-if)#ip address 120.0.0.3 255.255.255.255
Router(config-if)#exit
Router(config-if)#interface GigabitEthernet 2/1.1
Router(config-subif)#encapsulation dot1Q 134 second-dot1q 876
Router(config-subif)#bridge-domain 1
Router(config-subif)#exit
Router(config-if)#interface GigabitEthernet 2/1.2
Router(config-subif)#encapsulation dot1q 212
Router(config-subif)#bridge-domain 1
Router(config-subif)#exit
Router(config-if)#exit
Router(config)#interface GigabitEthernet 3/1
Router(config-if)#bridge-domain 1
Router(config-if)#exit

Example of Verifying a VPLS Configuration

These examples show how to verify the operation of the VPLS Ethernet Service by verifying each its components.

State of the Virtual Forwarding Instance (VFI)

The following example verifies the state of the Virtual Forwarding Instance (VFI) on PE1.

vpls-pe1#show vfi Goldfinger
VFI name: Goldfinger, state: up, type: multipoint
  Bridge-Domain 1 attachment circuits:
    GigabitEthernet1/0  
  Neighbors connected via pseudowires:
    7.7.7.7  6.6.6.6 

State Of The Attachment Circuit

The following example verifies the state of the attachment circuit on PE1.

vpls-pe1#show xconnect interface GigabitEthernet 1/0
Legend: XC ST=Xconnect State, S1=Segment1 State, S2=Segment2 State
UP=Up, DN=Down, AD=Admin Down, IA=Inactive, NH=No Hardware
XC ST  Segment 1                         S1 Segment 2                         S2
------+---------------------------------+--+---------------------------------+--
UP     ac   Gi1/0(Ethernet)              UP vfi  VPLS_ETH_SERVICE             UP
vpls-pe1#
Verify the state of AC on PE2
vpls-pe2#sh xconnect interface g1/0
Legend: XC ST=Xconnect State, S1=Segment1 State, S2=Segment2 State
UP=Up, DN=Down, AD=Admin Down, IA=Inactive, NH=No Hardware
XC ST  Segment 1                         S1 Segment 2                         S2
------+---------------------------------+--+---------------------------------+--
UP     ac   Gi1/0(Ethernet)              UP vfi  VPLS_ETH_SERVICE             UP
vpls-pe2#

State of the Pseudowire

The following example verifies the state of the pseudowire on PE1.

vpls-pe1#show mpls l2transport vc 1 detail 
Local interface: VFI VPLS_ETH_SERVICE VFI up
  MPLS VC type is VFI, interworking type is Ethernet
  Destination address: 6.6.6.6, VC ID: 1, VC status: up
    Preferred path: not configured  
    Default path: active
    Next hop: 26.26.26.2
    Output interface: Gi5/1/0, imposed label stack {33}
  Create time: 00:36:12, last status change time: 00:20:13
  Signaling protocol: LDP, peer 6.6.6.6:0 up
    MPLS VC labels: local 31, remote 33 
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description: 
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 0, send 0
    byte totals:   receive 0, send 0
    packet drops:  receive 0, seq error 0, send 0

Local interface: VFI VPLS_ETH_SERVICE VFI up
  MPLS VC type is VFI, interworking type is Ethernet
  Destination address: 7.7.7.7, VC ID: 1, VC status: up
    Preferred path: not configured  
    Default path: active
    Next hop: point2point
    Output interface: PO2/2, imposed label stack {28 36}
  Create time: 00:36:13, last status change time: 00:09:03
  Signaling protocol: LDP, peer 7.7.7.7:0 up
    MPLS VC labels: local 30, remote 36 
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description: 
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 0, send 0
    byte totals:   receive 0, send 0
    packet drops:  receive 0, seq error 0, send 0

vpls-pe1#

Mac Address in the Mac Table

The following example verifies the MAC address in the MAC table on PE1.

vpls-pe1#show mac address-table bridge-domain 1001 

Mac Address Table: 4  Bridge domain id: 1001
==========================================
aging time : 500 sec
max size : 5000
total number of addresses : 1
slots: 4, 5
 

 Mac Address      Learned from     LC learned
--------------  ----------------   ----------
0012.1212.1212  VC Label:2017       4
 
Total Mac Addresses displayed : 1

Example of Configuring VPLS for an Ethernet Attachment Circuit

Create and apply an ethernet attachment circuit.

vpls-pe1#l2 vfi vpls.1 manual
 vpn id 1
 bridge-domain 1
 neighbor 7.7.7.7 encapsulation mpls
 neighbor 6.6.6.6 encapsulation mpls

interface GigabitEthernet1/0
 no ip address
 no ip directed-broadcast
 bridge-domain 1
 duplex full
 negotiation auto
 no cdp enable
end

Example of Configuring VPLS for a dot1Q Attachment Circuit

Create and apply a dot1Q attachment circuit.

vpls-pe1#l2 vfi vpls.1 manual
 vpn id 1
 bridge-domain 1
 neighbor 7.7.7.7 encapsulation mpls
 neighbor 6.6.6.6 encapsulation mpls

interface GigabitEthernet1/0.1
 encapsulation dot1Q 1 second-dot1q 11
 no ip directed-broadcast
 bridge-domain 1
 no cdp enable
end

Example of Configuring VPLS for a QinQ Attachment Circuit

Create and apply a QinQ attachment circuit.

vpls-pe1#l2 vfi vpls.1 manual
 vpn id 1
 bridge-domain 1
 neighbor 7.7.7.7 encapsulation mpls
 neighbor 6.6.6.6 encapsulation mpls

interface GigabitEthernet1/0.1
 encapsulation dot1Q 1 second-dot1q 11
 no ip directed-broadcast
 bridge-domain 1
 no cdp enable
end

Example of Configuring VPLS for a QinAny Attachment Circuit

Create and apply a QinAny attachment circuit.

vpls-pe1#l2 vfi vpls.1 manual
 vpn id 1
 bridge-domain 1
 neighbor 7.7.7.7 encapsulation mpls
 neighbor 6.6.6.6 encapsulation mpls

interface GigabitEthernet1/0.1
 encapsulation dot1Q 1 second-dot1q any
 no ip directed-broadcast
 bridge-domain 1
 no cdp enable
end

Example of Configuring a VPLS Ingress Policer

Create and apply a 2 rate 3 color policer policy to the ethernet attachment circuit.

vpls-pe1#policy-map vpls_police
  class class-default
   police cir percent 2 bc 256 ms pir percent 5 be 30 ms
     conform-action transmit 
     exceed-action set-mpls-exp-imposition-transmit 7
     violate-action drop

vpls-pe1#l2 vfi vpls.1 manual
 vpn id 1
 bridge-domain 1
 neighbor 7.7.7.7 encapsulation mpls
 neighbor 6.6.6.6 encapsulation mpls

interface GigabitEthernet1/0
 no ip address
 no ip directed-broadcast
 bridge-domain 1
 service-policy input vpls_police
 duplex full
 negotiation auto
 no cdp enable
end

Example of Configuring a VPLS Egress Shaper

Create and apply an egress shaper policy to the ethernet attachment circuit.


vpls-pe1#policy-map vpls_shape_parent
  class class-default
    shape average percent 2
   service-policy vlan_shape_child

vpls-pe1#policy-map vpls_shape_child
  class class-default
    queue-limit 1000 packets
    shape average percent 1 1 ms 1 ms

vpls-pe1#l2 vfi vpls.1 manual
 vpn id 1
 bridge-domain 1
 neighbor 7.7.7.7 encapsulation mpls
 neighbor 6.6.6.6 encapsulation mpls

interface GigabitEthernet1/0
 no ip address
 no ip directed-broadcast
 bridge-domain 1
 service-policy output vpls_shape_parent
 duplex full
 negotiation auto
 no cdp enable
end

Example of Configuring a VPLS Ingress Exp Policy Setting

Create and apply an ingress exp policy to ethernet attachment circuit.


vpls-pe1#policy-map vpls_exp
  class class-default
   set mpls experimental imposition 3

vpls-pe1#l2 vfi vpls.1 manual
 vpn id 1
 bridge-domain 1
 neighbor 7.7.7.7 encapsulation mpls
 neighbor 6.6.6.6 encapsulation mpls

interface GigabitEthernet1/0
 no ip address
 no ip directed-broadcast
 bridge-domain 1
 service-policy input vpls_exp
 duplex full
 negotiation auto
 no cdp enable
end

Example of Configuring VPLS Ingress Match Criteria

Create and apply an ingress exp policy with different match criteria to ethernet attachment circuit.

vpls-pe1#class-map match-all vpls_multicast
  match destination-address mac multicast
vpls-pe1#class-map match-all vpls_known
  match destination-address mac vpls-known
vpls-pe1#class-map match-all vpls_unknown
  match destination-address mac vpls-unknown

vpls-pe1#policy-map vpls_exp
  class vpls_multicast
   set mpls experimental imposition 3

vpls-pe1#policy-map vpls_exp
  class vpls_known
   set mpls experimental imposition 3

vpls-pe1#policy-map vpls_exp
  class vpls_unknown
   set mpls experimental imposition 3

vpls-pe1#l2 vfi vpls.1 manual
 vpn id 1
 bridge-domain 1
 neighbor 7.7.7.7 encapsulation mpls
 neighbor 6.6.6.6 encapsulation mpls

interface GigabitEthernet1/0
 no ip address
 no ip directed-broadcast
 bridge-domain 1
 service-policy input vpls_exp
 duplex full
 negotiation auto
 no cdp enable
end

Command Reference

This section documents new commands for VPLS. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications.

mac-address-table aging-time

To configure the aging time for entries in the Layer 2 table, use the mac-address-table aging-time command in global configuration mode. To reset the seconds value to the default setting, use the no form of this command.

Cisco 12000 Series Routers

mac-address-table aging-time seconds [bridge-domain id]

no mac-address-table aging-time seconds [bridge-domain id]

Syntax Description

seconds

Aging time; valid values are 0, and from 10 to 1,000,000 seconds.

bridge-domain id

(Optional) Specifies the bridge-domain to apply the changed aging time; valid values are from 2 to 1001.


Defaults

300 seconds

Command Modes

Global configuration

Command History

Release
Modification

12.0(7)XE

This command was introduced on Catalyst 6000 family switches.

12.0(32)S

This command was integrated into Cisco IOS Release 12.0(32)S on Cisco 12000 series routers.

12.1(1)E

This command was implemented on Catalyst 6000 family switches.

12.2(2)XT

This command was introduced on Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.

12.2(8)T

This command was integrated into Cisco IOS Release 12.2(8)T on Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.

12.2(11)T

This command was integrated into Cisco IOS  Release 12.2(11)T.


Usage Guidelines

Cisco 12000 Series Routers

The aging time entry will take the specified value. Valid entries are from 10 to 1,000,000 seconds.

This command cannot be disabled.

If you do not enter a VLAN, the change is applied to all routed-port VLANs.

Enter 0 seconds to disable aging.

Examples

Cisco 12000 Series Routers

The following example shows the aging time being configured:

Router(config)# mac-address-table aging-time 300

The following example shows the aging time being disabled:

Router(config)# mac-address-table aging-time 0

Related Commands

Command
Description

show mac-address-table aging-time

Displays the MAC address aging time.


mac-address-table limit

To enable MAC limiting, use the mac-address-table limit command. Use the no form of this command to disable MAC limiting.

mac-address-table limit [maximum num] [action {warning | limit | shutdown}] [notification {syslog | trap | both}]

mac-address-table limit [{vlan vlan} | {interface type mod/port}] [maximum num] [action {warning | limit | shutdown}] [flood]

no mac-address-table limit [vlan vlan] [maximum | action]

Syntax Description

maximum num

(Optional) Specifies the maximum number of MAC entries per VLAN per EARL allowed; valid values are from 5 to 32000 MAC-address entries.

action

(Optional) Specifies the type of action to be taken when the action is violated.

warning

Specifies that the one syslog message will be sent and no further action will be taken when the action is violated.

limit

Specifies that the one syslog message will be sent and/or a corresponding trap will be generated with the MAC limit when the action is violated.

shutdown

Specifies that the one syslog message will be sent and/or the VLAN is moved to the blocked state when the action is violated.

notification

(Optional) Specifies the type of notification to be sent when the action is violated.

syslog

Sends a syslog message when the action is violated.

trap

Sends trap notifications when the action is violated.

both

Sends syslog and trap notifications when the action is violated.

vlan vlan

(Optional) Enables MAC limiting on a per-VLAN basis.

interface type mod/port

(Optional) Enables MAC limiting on a per-port basis.

flood

(Optional) Enables unknown unicast flooding on a VLAN.


Defaults

The defaults are as follows:

maximum num is 500 MAC address entries.

action is warning.

notification is syslog.

Command Modes

Global configuration

Command History

Release
Modification

12.2(17b)SXA

Support for this command was introduced on the Supervisor Engine 720.

12.2(17d)SXB

Support for this command on the Supervisor Engine 2 was extended to the 12.2 SX release.

12.2(18)SXD1

This command was changed to include the vlan vlan keyword and argument to support per VLAN MAC limiting.

12.2(18)SXE

This command was changed to include the interface type mod/port keyword and arguments to support per-port MAC limiting.


Usage Guidelines

This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 32.

Use this syntax for enabling MAC limiting globally:

mac-address-table limit [maximum num] [action {warning | limit | shutdown}] [notification {syslog | trap | both}]

Use this syntax for enabling per-VLAN MAC limiting:

mac-address-table limit [vlan vlan] [maximum num] [action {warning | limit | shutdown}] [flood]

Use this syntax for enabling per-port MAC limiting:

mac-address-table limit [interface type mod/port] [maximum num] [action {warning | limit | shutdown}] [flood]

If you enable per-VLAN MAC limiting, the per-VLAN MAC limiting supersedes the mac-address-table limit command that globally enables MAC limiting.

The maximum number of MAC entries is based per VLAN and per EARL.

If you do not specify a maximum, an action, or a notification, the default settings are used.

If you enable per-VLAN MAC limiting, MAC limiting is enabled on the VLAN specified only.

The flood keyword is supported on VLAN interfaces only.

The flood action occurs only if the limit action is configured and is violated.

In the shutdown state, the VLAN remains in the blocked state until you reenable it through the CLI.

Examples

This example shows how to enable the MAC limit globally:

Router(config)# mac-address-table limit
Router(config)#

This example shows how to enable per-VLAN MAC limiting:

Router(config)# mac-address-table limit vlan 501 maximum 50 action shutdown
Router(config)#

clear mac-address-table

To remove a specified address (or set of addresses) from the MAC address table, use the clear mac-address-table command in privileged EXEC mode.

Cisco 12000 Series Routers

clear mac-address-table [dynamic | secure | static] [address mac-address] [interface type slot/port]

Syntax Description

bridge-domain id

(Optional) Clears all addresses for a specified bridge-domain.

address

(Optional) Clears only a specified address.

mac-address

(Optional) Target MAC address.

interface

Clears all addresses for an interface.

type

(Optional) Interface type: ethernet, fastethernet, fddi, atm, or port channel.

slot

(Optional) The module interface number. Valid entries equal the number of ports on the chassis.

port

(Optional) Port interface number ranges based on type of Ethernet switch network module used:

0 to 15 for NM-16ESW
0 to 35 for NM-36ESW
0 to 1 for GigabitEthernet


Defaults

Cisco 12000 Series Routers

All MAC addresses on the router being configured are cleared.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(32)S

This command was integrated into Cisco IOS Release 12.0(32)S on Cisco 12000 series routers.

12.2(2)XT

This command was introduced on Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.

12.2(8)T

This command was integrated into Cisco IOS Release 12.2(8)T on Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.

12.2(11)T

This command was integrated into Cisco IOS  Release 12.2(11)T.


Usage Guidelines

Cisco 12000 Series Routers

If the clear mac-address-table command is invoked with no options, all MAC addresses are removed. If you specify an address but do not specify an interface, the address is deleted from all interfaces. If you specify an interface but do not specify an address, all addresses on the specified interface are removed.

If a targeted address is not present in the MAC forwarding table, the following error message appears:

MAC address not found

Examples

Cisco 12000 Series Routers

The following example shows how to clear all dynamic addresses in the MAC forwarding table:

Router# clear mac-address-table dynamic

The following example shows how to clear the static address 0040.C80A.2F07 on Ethernet port 1:

Router# clear mac-address-table static address 0040.C80A.2F07 interface ether 0/1

Related Commands

Cisco 12000 Series Routers

Command
Description

mac-address-table (aging-time)

Configures the length of time the switch keeps dynamic MAC addresses in memory before discarding.

show (mac-address-table)

Displays addresses in the MAC address table for a switched port or module.


l2 vfi <name> manual

To create a Layer 2 Virtual Forwarding Instance (VFI), use the l2 vfi <name> manual command in L2 VFI manual configuration mode.

l2 vfi <name> manual

Syntax Description

name

Variable that specifies the name of the Layer 2 Virtual Forwarding Instance (VFI) being created.

manual

Keyword that specifies that the VFI is being created manually as opposed to being created automatically by VPLS.


Defaults

No default behavior or values.

Command Default

l2 vfi <name> manual

Command Modes

L2 VFI manual configuration mode

Router(config-vfi)#

Command History

Release
Modification

12.0(32)SY

This command was introduced.


Usage Guidelines

You must create a Layer 2 Virtual Forwarding Instance (VFI) for each provider edge router in the VPLS network.

Examples

The following example shows how to create a Layer 2 Virtual Forwarding Instance (VFI) for Ethernet service labeled as "Goldfinger".

Router#config t
Router(config)#l2 vfi Goldfinger manual
Router(config-vfi)#vpn id 1
Router(config-vfi)#bridge-domain 1
Router(config-vfi)#neighbor 120.0.0.3 encapsulation mpls
Router(config-vfi)#neighbor 162.0.0.2 encapsulation mpls
Router(config-vfi)#exit
Router(config-vfi)#

Related Commands

Command
Description

Router#show vfi

Shows the state, type, emulation, and neighbors of all VFIs.

Router#show vfi <name>

Shows the state, type, emulation, and neighbors of the VFI with the specified name.


Glossary

ACL

Access Control List

BPDU

Bridge Protocol Data Unit

CE

Customer Edge

CDP

Cisco Discovery Protocol

EVCS

Ethernet Virtual Connection Service

L2PT

Layer 2 Protocol Tunnelling

MAC

Media Access Control

MPLS

Multi Protocol Label Switching

PE

Provider Edge

QoS

Quality of Service

Split Horizon

A packet forwarding technique that prevents packets received from an emulated VC from being forwarded to another emulated VC. This technique is important for creating loop-free paths in a full-meshed network.

STP

Spanning-Tree Protocol

TLS

Transparent LAN Service

VC

Virtual Connection

VFI

Virtual Forwarding Instance

VPLS

Virtual Private LAN Service

VPN

Virtual Private Network

VRF

A Virtual Private Network (VPN) routing/forwarding instance.

VTP

Virtual Terminal Protocol