The Cisco ASR 9000 Series Routers Carrier Ethernet Model
This chapter introduces you to Layer 2 (L2) features and standards. This chapter also describes how to configure L2VPN features on the Cisco ASR 9000 Series Aggregation Services Routers supporting Cisco IOS XR software.
The distributed Gigabit Ethernet and 10-Gigabit Ethernet architecture and features deliver network scalability and performance, while enabling service providers to offer high-density, high-bandwidth networking solutions designed to interconnect the router with other systems in POPs, including core and edge routers and L2 and Layer 3 (L3) switches.
Note This chapter does not include configuration information for Management Ethernet interfaces. To set up a Management Ethernet interface and enable Telnet servers, see the Cisco ASR 9000 Series Aggregation Services Routers Getting Started Guide. To configure a Management Ethernet interface for routing or to modify the configuration of a Management Ethernet interface, see the Advanced Configuration and Modification of the Management Ethernet Interface on the Cisco ASR 9000 Series Router chapter.
Feature History for Configuring Ethernet Interfaces on the Cisco ASR 9000 Series Routers
This feature was introduced on the Cisco ASR 9000 Series Routers.
Scalability of EFPs on bundle interfaces was introduced.
Prerequisites for Configuring Layer 2 Ethernet Interfaces
Before configuring Ethernet interfaces, ensure that these tasks and conditions are met:
You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command.
If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Confirm that at least one of these line cards is installed on the Cisco ASR 9000 Series Routers:
– 4-port 10-Gigabit Ethernet (4 x 10 GE) line card
– 8-port 10-Gigabit Ethernet (4 x 10 GE) line card
– 40-port 1-Gigabit Ethernet line card
You know the interface IP address.
You know how to apply the specify the generalized interface name with the generalized notation rack/slot/module/port.
Cisco ASR 9000 Series Routers Layer 2 Theory and Standards Adherence
To configure Ethernet interfaces, you must understand these concepts:
Ethernet Technology Overview
Ethernet is defined by the IEEE 802.3 international standard. It enables the connection of up to 1024 nodes over coaxial, twisted-pair, or fiber-optic cable.
The Cisco ASR 9000 Series Routers supports Gigabit Ethernet (1000 Mbps) and 10-Gigabit Ethernet (10 Gbps) interfaces.
Carrier Ethernet Services
Cisco and the Metro Ethernet Forum (MEF) endorse these main L2 Ethernet service types. The names of the services differ, but their functionality is the same. These are the services:
Ethernet Wire Service (EWS)
Ethernet Relay Service (ERS)
Ethernet Multipoint Service (EMS)
Ethernet Flow Point (EFP)
Ethernet Virtual Connection (EVC)
When discussing an Ethernet WAN (EWAN), these terminologies should be used:
CE (customer edge): The customer device connecting to the service provider
PE (provider edge): The service provider device connecting to the customer
UNI: The connection between the CE and PE
AC: The physical or virtual circuit attaching a CE to a PE.
Multiplexed UNI: A UNI supporting multiple VLAN flows
Pseudowire: A term used to indicate an end-to-end path in a service provider network
Figure 1 EWAN Terms
Ethernet Wire Service
An Ethernet Wire Service (EWS) is a service that emulates a point-to-point Ethernet segment. This is similar to Ethernet private line (EPL), a Layer 1 point-to-point service, except the provider edge operates at L2 and typically runs over a L2+ network. The EWS encapsulates all frames that are received on a particular UNI and transports these frames to a single-egress UNI without reference to the contents contained within the frame. The operation of this service means that an EWS can be used with VLAN-tagged frames. The VLAN tags are transparent to the EWS (bridge protocol data units [BPDUs])—with some exceptions. These exceptions include IEEE 802.1x, IEEE 802.2ad, and IEEE 802.3x, because these frames have local significance and it benefits both the customer and SP to terminate them locally.
Since the service provider simply accepts frames on an interface and transmits these without reference to the actual frame (other than verifying that the format and length are legal for the particular interface) the EWS is indifferent to VLAN tags that may be present within the customer Ethernet frames.
EWS subscribes to the concept of all-to-one bundling. That is, an EWS maps a port on one end to a point-to-point circuit and to a port on another end. EWS is a port-to-port service. Therefore, if a customer needs to connect a switch or router to n switches or routers it will need n ports and n pseudowires or logical circuits.
One important point to consider is that, although the EWS broadly emulates an Ethernet Layer 1 connection, the service is provided across a shared infrastructure, and therefore it is unlikely that the full interface bandwidth will be, or needs to be, available at all times. EWS will typically be a sub-line rate service, where many users share a circuit somewhere in their transmission path. As a result, the cost will most likely be less than that of EPL. Unlike a Layer 1 EPL, the SP will need to implement QoS and traffic engineering to meet the specific objectives of a particular contract. However, if the customer's application requires a true wire rate transparent service, then an EPL service—delivered using optical transmission devices such as DWDM (dense wavelength division multiplexing), CDWM (coarse wavelength division multiplexing), or SONET/SDH—should be considered.
Ethernet Relay Service
Ethernet Relay Service (ERS) is similar to EWS in that it offers point-to-point connectivity. The key differentiation between EWS and ERS is that an ERS uses a VLAN tag to multiplex several, non-same-destination pseudowires to one port. That is, unlike EPL and EWS, ERS is a one-to-many multiplexed service. Service multiplexing simply means that multiple pseudowires utilize a single access interface or UNI. These circuits can terminate within an L2VPN or on, for example, an Internet gateway. From the service user's perspective, this service multiplexing capability offers more efficient interface utilization, simplification of cable plant, and reduced maintenance costs associated with additional interfaces.
Using the same example as above, where a router connects to n other routers, the source router only needs one port for the service instead of n, as is the case with an EWS. The service need not be port-to-port, but can be logical-pseudowire-to-logical-pseudowire. In the case of an ERS, each circuit can terminate at a different remote location, whereas using EWS, all frames are mapped to a single circuit and therefore a single egress point.
Figure 2 ERS Service Multiplexing Example: One Port (Left) Can Be Used for All Destinations (Right)
Like Frame Relay, ERS allows a customer device to access multiple connections through a single physical port attached to the service provider network. The service offered by ERS can be thought of as being similar in concept to Frame Relay, in that a VLAN number is used as a virtual circuit identifier in a similar fashion to Frame Relay data link connection identifier (DLCI). Unlike EWS, ERS does not forward BPDUs, because IEEE 802.1Q (VLAN tagging) only sends BPDUs on a default VLAN. In a hub-and-spoke network, only one spoke at most would receive BPDUs, thus breaking the spanning tree in the rest of the network. Therefore, an ERS does not transmit any BPDUs and runs routing protocols instead of Ethernet Spanning Tree. The routing protocols give the customer and provider greater flexibility, traffic determination characteristics, and value-added services.
Ethernet Multipoint Service
An Ethernet Multipoint Service (EMS) differs from EWS and ERS in that an EMS provides a multipoint connectivity model. It should be noted that an EMS service definition is still under review within the IETF Virtual Private LAN Service (VPLS) working group. Although EMS uses a multipoint model, it can forward unicast packets to single destinations; that is, it also supports point-to-point connections. To the end user, the network looks like a giant Ethernet switch where each customer has their own VLAN or broadcast domain, rather than end-to-end pseudowire link(s).
An EMS does not map an interface or VLAN to a specific point-to-point pseudowire. Instead, it models the operation of a virtual Ethernet switch: EMS uses the customer's MAC address to forward frames to the correct egress UNI within the service provider's network. An EMS emulates the service attributes of an Ethernet switch and learns source MAC to interface associations, floods unknown broadcast and multicast frames, and (optionally) monitors the service user's spanning tree protocol. One important point to note is that although the service provider may utilize spanning tree within the transport network, there is no interaction with the service user's spanning tree.
This service works similar to an MPLS VPN, except it functions at L2 instead of L3. While a VPLS EMS is a viable solution, its scalability and QoS control are suspect compared to that of MPLS VPNs. In addition, it is much more difficult, and may be impossible, for the service provider to offer value-added Layer 3 services (this is discussed later in the document).
Ethernet Flow Point
An Ethernet Flow Point (EFP) is a substream partition of a main interface. On Cisco ASR 9000 Series Routers, the EFP is implemented as an L2 subinterface with an encapsulation statement.
Ethernet Virtual Circuit
An Ethernet Virtual Circuit (EVC) is a point-to-point tunnel. On Cisco ASR 9000 Series Routers, the EVC is implemented as a pseudowire (PW).
Ethernet OAM Protocols
Ethernet as a Metro Area Network (MAN) or a Wide Area Network (WAN) technology benefits greatly from the implementation of Operations, Administration and Maintenance (OAM) features. OAM features allow Service Providers to monitor the quality of the connections on a MAN or WAN. Service providers can monitor specific events, take actions on events, and if necessary, put specific interfaces into loopback mode for troubleshooting. Ethernet OAM features can be configured to monitor either side or both sides of a link.
For more information on Ethernet OAM protocols, refer to the Configuring Ethernet Interfaces on the Cisco ASR 9000 Series Router chapter of the Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Configuration Guide.
Layer 2 VPN on Ethernet Interfaces
Layer 2 Virtual Private Network (L2VPN) connections emulate the behavior of a LAN across an IP or MPLS-enabled IP network, allowing Ethernet devices to communicate with each other as if they were connected to a common LAN segment.
The L2VPN feature enables service providers (SPs) to provide L2 services to geographically disparate customer sites. Typically, an SP uses an access network to connect the customer to the core network. This access network may use a mixture of L2 technologies, such as Ethernet and Frame Relay. The connection between the customer site and the nearby SP edge router is known as an attachment circuit (AC). Traffic from the customer travels over this link to the edge of the SP core network. The traffic then tunnels through a pseudowire over the SP core network to another edge router. The edge router sends the traffic down another AC to the customer's remote site.
The L2VPN feature enables the connection between different types of L2 attachment circuits and pseudowires, allowing users to implement different types of end-to-end services.
Cisco IOS XR software supports a point-to-point end-to-end service, where two Ethernet circuits are connected together. An L2VPN Ethernet port can operate in one of two modes:
Port Mode—In this mode, all packets reaching the port are sent over the pseudowire, regardless of any VLAN tags that are present on the packets. In VLAN mode, the configuration is performed under the l2transport configuration mode.
VLAN Mode—Each VLAN on a CE (customer edge) or access network to PE (provider edge) link can be configured as a separate L2VPN connection (using either VC type 4 or VC type 5). To configure L2VPN on VLANs, see the The Cisco ASR 9000 Series Routers Carrier Ethernet Model chapter in this manual. In VLAN mode, the configuration is performed under the individual subinterface.
Switching can take place in three ways:
AC-to-PW—Traffic reaching the PE is tunneled over a PW (pseudowire) (and conversely, traffic arriving over the PW is sent out over the AC). This is the most common scenario.
Local switching—Traffic arriving on one AC is immediately sent out of another AC without passing through a pseudowire.
PW stitching—Traffic arriving on a PW is not sent to an AC, but is sent back into the core over another PW.
Keep these in mind when configuring L2VPN on an Ethernet interface:
L2VPN links support QoS (Quality of Service) and MTU (Maximum Transmission Unit) configuration.
If your network requires that packets are transported transparently, you may need to modify the packet’s destination MAC (Media Access Control) address at the edge of the Service Provider (SP) network. This prevents the packet from being consumed by the devices in the SP network.
Use the show interfaces command to display AC and pseudowire information.
Gigabit Ethernet Protocol Standards Overview
The Gigabit Ethernet interfaces support these protocol standards:
These standards are further described in the sections that follow.
IEEE 802.3 Physical Ethernet Infrastructure
The IEEE 802.3 protocol standards define the physical layer and MAC sublayer of the data link layer of wired Ethernet. IEEE 802.3 uses Carrier Sense Multiple Access with Collision Detection (CSMA/CD) access at a variety of speeds over a variety of physical media. The IEEE 802.3 standard covers 10 Mbps Ethernet. Extensions to the IEEE 802.3 standard specify implementations for Gigabit Ethernet, 10-Gigabit Ethernet, and Fast Ethernet.
IEEE 802.3ab 1000BASE-T Gigabit Ethernet
The IEEE 802.3ab protocol standards, or Gigabit Ethernet over copper (also known as 1000BaseT) is an extension of the existing Fast Ethernet standard. It specifies Gigabit Ethernet operation over the Category 5e/6 cabling systems already installed, making it a highly cost-effective solution. As a result, most copper-based environments that run Fast Ethernet can also run Gigabit Ethernet over the existing network infrastructure to dramatically boost network performance for demanding applications.
IEEE 802.3z 1000 Mbps Gigabit Ethernet
Gigabit Ethernet builds on top of the Ethernet protocol, but increases speed tenfold over Fast Ethernet to 1000 Mbps, or 1 Gbps. Gigabit Ethernet allows Ethernet to scale from 10 or 100 Mbps at the desktop to 100 Mbps up to 1000 Mbps in the data center. Gigabit Ethernet conforms to the IEEE 802.3z protocol standard.
By leveraging the current Ethernet standard and the installed base of Ethernet and Fast Ethernet switches and routers, network managers do not need to retrain and relearn a new technology in order to provide support for Gigabit Ethernet.
IEEE 802.3ae 10 Gbps Ethernet
Under the International Standards Organization’s Open Systems Interconnection (OSI) model, Ethernet is fundamentally a L2 protocol. 10-Gigabit Ethernet uses the IEEE 802.3 Ethernet MAC protocol, the IEEE 802.3 Ethernet frame format, and the minimum and maximum IEEE 802.3 frame size. 10 Gbps Ethernet conforms to the IEEE 802.3ae protocol standards.
Just as 1000BASE-X and 1000BASE-T (Gigabit Ethernet) remained true to the Ethernet model, 10-Gigabit Ethernet continues the natural evolution of Ethernet in speed and distance. Because it is a full-duplex only and fiber-only technology, it does not need the carrier-sensing multiple-access with the CSMA/CD protocol that defines slower, half-duplex Ethernet technologies. In every other respect, 10-Gigabit Ethernet remains true to the original Ethernet model.
General Ethernet Standards
Ethernet II framing also known as DIX.
IEEE 802.3 framing also includes LLC and LLC/SNAP protocol frame formats
IEEE 802.1d MAC Bridges and Spanning Tree—This standard specifies the MAC learning and MAC aging in a bridging environment. It also defines the original spanning tree protocol. Also MSTP is defined in IEEE 802.1s and IEEE 802.1q.
IEEE 802.1q VLAN tagging—This standard defines VLAN tagging, and also the traditional VLAN trunking between switches. Technically, it also defines QinQ tagging, and MSTP. The Cisco ASR 9000 Series Routers do NOT support ISL.
IEEE 802.1ad Provider Bridges—This standard is a subset of 802.1q and is often referred to as 802.1ad. The Cisco ASR 9000 Series Routers do not adhere to the entire standard, but large portions of the standard's functionality are supported.
A MAC address is a unique 6-byte address that identifies the interface at L2.
The Ethernet Maximum Transmission Unit (MTU) is the size of the largest frame, minus the 4-byte Frame Check Sequence (FCS), that can be transmitted on the Ethernet network. Every physical network along the destination of a packet can have a different MTU.
Cisco IOS XR software supports two types of frame forwarding processes:
Fragmentation for IPV4 packets—In this process, IPv4 packets are fragmented as necessary to fit within the MTU of the next-hop physical network.
Note IPv6 does not support fragmentation.
MTU discovery process determines largest packet size—This process is available for all IPV6 devices, and for originating IPv4 devices. In this process, the originating IP device determines the size of the largest IPv6 or IPV4 packet that can be sent without being fragmented. The largest packet is equal to the smallest MTU of any network between the IP source and the IP destination devices. If a packet is larger than the smallest MTU of all the networks in its path, that packet will be fragmented as necessary. This process ensures that the originating device does not send an IP packet that is too large.
Jumbo frame support is automatically enable for frames that exceed the standard frame size. The default value is 1514 for standard frames and 1518 for 802.1Q tagged frames. These numbers exclude the 4-byte FCS.
Flow Control on Ethernet Interfaces
The flow control used on 10-Gigabit Ethernet interfaces consists of periodically sending flow control pause frames. It is fundamentally different from the usual full- and half-duplex flow control used on standard management interfaces. On the Cisco ASR 9000 Series Routers both ingress & egress flow control are off by default.
The Virtual Router Redundancy Protocol (VRRP) eliminates the single point of failure inherent in the static default routed environment. VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router to one of the VPN concentrators on a LAN. The VRRP VPN concentrator controlling the IP addresses associated with a virtual router is called the master, and forwards packets sent to those IP addresses. When the master becomes unavailable, a backup VPN concentrator takes the place of the master.
For more information on VRRP, see the Implementing VRRP chapter of Cisco ASR 9000 Series Routers IP Addresses and Services Configuration Guide.
Hot Standby Routing Protocol (HSRP) is a proprietary protocol from Cisco. HSRP is a routing protocol that provides backup to a router in the event of failure. Several routers are connected to the same segment of an Ethernet, FDDI, or token-ring network and work together to present the appearance of a single virtual router on the LAN. The routers share the same IP and MAC addresses and therefore, in the event of failure of one router, the hosts on the LAN are able to continue forwarding packets to a consistent IP and MAC address. The transfer of routing responsibilities from one device to another is transparent to the user.
HSRP is designed to support non disruptive failover of IP traffic in certain circumstances and to allow hosts to appear to use a single router and to maintain connectivity even if the actual first hop router they are using fails. In other words, HSRP protects against the failure of the first hop router when the source host cannot learn the IP address of the first hop router dynamically. Multiple routers participate in HSRP and in concert create the illusion of a single virtual router. HSRP ensures that one and only one of the routers is forwarding packets on behalf of the virtual router. End hosts forward their packets to the virtual router.
The router forwarding packets is known as the active router. A standby router is selected to replace the active router should it fail. HSRP provides a mechanism for determining active and standby routers, using the IP addresses on the participating routers. If an active router fails, a standby router can take over without a major interruption in the host's connectivity.
HSRP runs on top of User Datagram Protocol (UDP), and uses port number 1985. Routers use their actual IP address as the source address for protocol packets, not the virtual IP address, so that the HSRP routers can identify each other.
For more information on HSRP, see the Implementing HSRP chapter of Cisco ASR 9000 Series Routers IP Addresses and Services Configuration Guide.
Link Autonegotiation on Ethernet Interfaces
Link autonegotiation ensures that devices that share a link segment are automatically configured with the highest performance mode of interoperation. Use the negotiation auto command in interface configuration mode to enable link autonegotiation on an Ethernet interface. On line card Ethernet interfaces, link autonegotiation is disabled by default.
Note The negotiation auto command is available on Gigabit Ethernet interfaces only.
What is an Ethernet Flow Point?
An Ethernet Flow Point (EFP) is a Layer 2 logical subinterface used to classify traffic under a physical or a bundle interface.
A physical interface can be a Gigabit Ethernet 0/0/0/1 or a 10 Gigabit Ethernet 0/0/0/0 interface and has ports on the line card. A bundle interface is a virtual interface, created by grouping physical interfaces together.
For example, physical interfaces such as Gigabit Ethernet 0/0/0/1 and 10 Gigabit Ethernet 0/0/0/0 can be configured as members of a bundle interface.
Grouping physical interfaces together can:
Reduce the routing entries
Increase the bandwidth of the bundle interface
Balance the traffic on the bundle members
EFP has the following characteristics:
An EFP represents a logical demarcation point of an Ethernet Virtual Connection (EVC) on an interface. For an EVC associating two or more UNIs, there is a flow point on each interface of every device, through which that EVC passes.
An EFP can be regarded as an instantiation of a particular service. An EFP is defined by a set of filters. These filters are applied to all the ingress traffic to classify the frames that belong to a particular EFP. An EFP filter is a set of entries, where each entry looks similar to the start of a packet (ignoring source/destination MAC address). Each entry usually contains 0, 1 or 2 VLAN tags. A packet that starts with the same tags as an entry in the filter is said to match the filter; if the start of the packet does not correspond to any entry in the filter then the packet does not match the filter.
An EFP serves four purposes:
– Identifies all frames that belong to a particular flow on a given interface
– Performs ingress and egress Ethernet header manipulations
– Adds features to the identified frames
– Optionally define how to forward those frames in the data path
You can perform a variety of operations on the traffic flows when a router is configured with EFPs on various interfaces. Also, you can bridge or tunnel the traffic by many ways from one or more of the router’s ingress EFPs to one or more egress EFPs. This traffic is a mixture of VLAN IDs, single or double (QinQ) encapsulation, and ethertypes.
An EFP subinterface is configured to specify which traffic on ingress is vectored to that EFP. This is done by specifying a VLAN, range of VLANs, or QinQ tagging to match against on ingress. All traffic on ingress is compared to each EFP’s matching criterion, and processed by that EFP if a match occurs. The processing performed by an EFP can change VLAN IDs, add or remove VLAN tags, and change ethertypes.
Improving the Scalability of EFPs on Bundle Interfaces
You can improve the scalability of EFPs on bundle interfaces in two ways:
Increase the number of EFPs per chassis from 32000 to 64000.
Increase the number of EFPs per line card, on a single node point, to the same scale as the physical interface scaling.
The following example illustrates how to improve the scalability of EFPs per line card:
Consider a B module line card type1 with a bundle interface scaling of 4000 and a physical interface scaling of 16000. The scalability of EFPs on the B module is improved by adding three additional bundles of 4000 EFPs per bundle.
Note The maximum number of EFPs that can be added to a bundle interface is 4000.
The number of EFPs per line card is now scaled to 16000 or 4 bundles of 4000 EFPs each.
EFP CLI Overview
Cisco IOS XR implements a structured CLI for EFP and EVC configuration. These commands are typically used to configure an EFP:
l2transport command - This command identifies a subinterface (or a physical port or bundle-port parent interface) as an EFP.
encapsulation command - This command is used to specify matching criteria.
rewrite command - This command is used to specify the VLAN tag rewrite criteria.
Egress EFP Filtering
The Egress EFP Filtering feature implements a means of filtering EFP egress traffic, ensuring that all the given EFP’s egress traffic complies with the ingress matching criterion.
An ingress EFP is similar to an egress EFP. The router is configured to send traffic on the EFP, that matches that EFP’s ingress matching criterion. It is possible to configure a router so that this does not occur, and there is no safeguard to prevent such mismatching egress EFP traffic from exiting the router.
The Cisco ASR 9000 Series Routers allows for different VLANs on different ports within the same bridge domain. This allows a bridge to forward a packet out of a port not configured for the VLAN tag on the packet. Egress EFP filtering checks this and drops invalid packets at the egress port.
Identifying Frames of an EFP
The EFP identifies frames belonging to a particular flow on a given port, independent of their Ethernet encapsulation. An EFP can flexibly map frames into a flow or EFP based on the fields in the frame header.
The frames can be matched to an EFP using
VLAN tag or tags
MAC address (source address, destination address, or both)
802.1p CoS bits
Logical conjunction of two or more of the above: VLAN, MAC, and CoS
Default match (that is, any other traffic that has not matched a more specific EFP)
The frames cannot be matched to an EFP through use of any of these:
Any information outside the outermost Ethernet frame header and its associated tags such as
– IPv4, IPv6, or MPLS tag header data
– C-DMAC, C-SMAC, or C-VLAN
Logical disjunction of the valid frame matches above: VLAN, MAC, and CoS
The specific match criteria are covered in more detail in these sections.
VLAN Tag Matching
Table 1 describes the different encapsulation types and the EFP identifier corresponding to each.
Table 1 VLAN Tag Matching
Static configuration on the ingress physical interface or a subinterface that uses the untagged keyword in the encapsulation command. There can be only one untagged subinterface. If an untagged subinterface has been created, traffic goes to this interface instead of the main interface.
Priority-tagged Ethernet frames
A priority-tagged frame is defined as having a single 802.1Q VLAN header, with a VLAN id of zero.
Cisco ASR 9000 Series Routers do not support native VLAN.
Use this command:
encapsulation dot1q <vlan-id>, untagged
Single tagged frames
802.1Q customer-tagged Ethernet frames
Double tagged frames
802.1Q (ethertype 0x8100) double tagged frames
802.1ad double tagged frames
Legacy 0x9100 and 0x9200 double tagged frames
An EFP which has a maximum-match wildcard. The effect is to receive any traffic that does not match any other EFP on the same physical interface.
You can use wildcards as well as VLAN ranges while defining frames that map to a given EFP. EFPs can distinguish flows based on a single VLAN tag, a range of VLAN tags, a stack of VLAN tags or a combination of both (VLAN stack with wildcards). It provides the EFP model, a flexibility of being encapsulation agnostic, and allows it to be extensible as new tagging or tunneling schemes are added.
MAC Address Matching
The source MAC address, the destination MAC address, or both can be matched. In all cases, the MAC address requires an exact match. A wildcard match or partial match is not adequate.
802.1p CoS Bits Matching
One or more exact CoS matches are specified. Because CoS is only 3 bits, this limits it to 8 possible choices.
All of the match criteria above can be selectively combined those frames that match all of the separate criteria.
A single EFP can be defined that matches all other traffic that has not been matched by a more specific EFP.
Match Precedence and Config Verification
Overlapping EFPs are allowed to be configured, where it is possible to determine an order in which they should be used for matching. But EFPs that conflict with other EFPs or subinterfaces on the parent trunk interface should be blocked at config verification.
An ordering precedence is used for how EFP matches are applied in hardware. The model is for matches that are more specific to be processed before matches that are less specific.
The EFP matching criteria can also be used on egress to police the frames that can egress from the EFP, based on the platform support. Frames that do not match the criteria (source/destination MAC match criteria are reversed) are dropped.
After the frames are matched to a particular EFP, any appropriate features can be applied. In this context, “features” means any frame manipulations specified by the configuration as well as things such as QoS and ACLs. The Ethernet infrastructure provides an appropriate interface to allow the feature owners to apply their features to an EFP. Hence, IM interface handles are used to represent EFPs, allowing feature owners to manage their features on EFPs in the same way the features are managed on regular interfaces or subinterfaces.
The only L2 features that can be applied on an EFP that is part of the Ethernet infrastructure are the L2 header encapsulation modifications. The L2 features are described in this section.
EFP supports these L2 header encapsulation modifications on both ingress and egress:
Push 1 or 2 VLAN tags
Pop 1 or 2 VLAN tags
Note This modification can only pop tags that are matched as part of the EFP.
Rewrite 1 or 2 VLAN tags:
– Rewrite outer tag
– Rewrite outer 2 tags
– Rewrite outer tag and push an additional tag
– Remove outer tag and rewrite inner tag
For each of the VLAN ID manipulations, these can be specified:
The VLAN tag type, that is, C-VLAN, S-VLAN, or I-TAG. The ethertype of the 802.1Q C-VLAN tag is defined by the dot1q tunneling type command.
The VLAN ID. 0 can be specified for an outer VLAN tag to generate a priority-tagged frame.
Note For tag rewrites, the CoS bits from the previous tag should be preserved in the same way as the DEI bit for 802.1ad encapsulated frames.
Defining Data-Forwarding Behavior
The EFP can be used to designate the frames belonging to a particular Ethernet flow forwarded in the data path. These forwarding cases are supported for EFPs in Cisco IOS XR software:
L2 Switched Service (Bridging)—The EFP is mapped to a bridge domain, where frames are switched based on their destination MAC address. This includes multipoint services:
– Ethernet to Ethernet Bridging
– Virtual Private LAN Service (VPLS)
L2 Stitched Service (AC to AC xconnect)—This covers point-to-point L2 associations that are statically established and do not require a MAC address lookup.
– Ethernet to Ethernet Local Switching—The EFP is mapped to an S-VLAN either on the same port or on another port. The S-VLANs can be identical or different.
Tunneled Service (xconnect)—The EFP is mapped to a Layer 3 tunnel. This covers point-to-point services only:
L2 Terminated Service (Ethernet access to Layer 3 service)—The EFP is mapped to an IP interface that has a global address or belongs to a VRF (includes both IP and MPLS Layer 3 VPNs).
A VLAN is a group of devices on one or more LANs that are configured so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, it is very flexible for user and host management, bandwidth allocation, and resource optimization.
The IEEE's 802.1Q protocol standard addresses the problem of breaking large networks into smaller parts so broadcast and multicast traffic does not consume more bandwidth than necessary. The standard also helps provide a higher level of security between segments of internal networks.
The 802.1Q specification establishes a standard method for inserting VLAN membership information into Ethernet frames.
The IEEE 802.1Q tag-based VLAN uses an extra tag in the MAC header to identify the VLAN membership of a frame across bridges. This tag is used for VLAN and Quality of Service (QoS) priority identification. The VLANs can be created statically by manual entry or dynamically through Generic Attribute Registration Protocol (GARP) VLAN Registration Protocol (GVRP). The VLAN ID associates a frame with a specific VLAN and provides the information that switches must process the frame across the network. A tagged frame is four bytes longer than an untagged frame and contains two bytes of Tag Protocol Identifier (TPID) residing within the type and length field of the Ethernet frame and two bytes of Tag Control Information (TCI) which starts after the source address field of the Ethernet frame.
Subinterfaces are logical interfaces created on a hardware interface. These software-defined interfaces allow for segregation of traffic into separate logical channels on a single hardware interface as well as allowing for better utilization of the available bandwidth on the physical interface.
Subinterfaces are distinguished from one another by adding an extension on the end of the interface name and designation. For instance, the Ethernet subinterface 23 on the physical interface designated TenGigE 0/1/0/0 would be indicated by TenGigE 0/1/0/0.23.
Before a subinterface is allowed to pass traffic it must have a valid tagging protocol encapsulation and VLAN identifier assigned. All Ethernet subinterfaces always default to the 802.1Q VLAN encapsulation. However, the VLAN identifier must be explicitly defined.
The subinterface Maximum Transmission Unit (MTU) is inherited from the physical interface with an additional four bytes allowed for the 802.1Q VLAN tag.
VLAN Subinterfaces on Ethernet Bundles
An Ethernet bundle is a group of one or more Ethernet ports that are aggregated together and treated as a single link. Multiple VLAN subinterfaces can be added to a single Ethernet bundle.
For more information about configuring Ethernet bundles, see the Configuring Link Bundles chapter in this document. The procedure for creating VLAN subinterfaces on an Ethernet bundle is exactly the same as the procedure for creating VLAN subinterfaces on a physical Ethernet interface.
The configuration model for configuring VLAN Attachment Circuits (ACs) is similar to the model used for configuring basic VLANs, where the user first creates a VLAN subinterface, and then configures that VLAN in subinterface configuration mode. To create an Attachment Circuit, you need to include the l2transport keyword in the interface command string to specify that the interface is a L2 interface.
VLAN ACs support three modes of L2VPN operation:
Basic Dot1Q Attachment Circuit—The Attachment Circuit covers all frames that are received and sent with a specific VLAN tag.
QinQ Attachment Circuit—The Attachment Circuit covers all frames received and sent with a specific outer VLAN tag and a specific inner VLAN tag. QinQ is an extension to Dot1Q that uses a stack of two tags.
Q-in-Any Attachment Circuit—The Attachment Circuit covers all frames received and sent with a specific outer VLAN tag and any inner VLAN tag, as long as that inner VLAN tag is not Layer 3 terminated. Q-in-Any is an extension to QinQ that uses wildcarding to match any second tag.
Note The Q-in-Any mode is a variation of the basic Dot1Q mode. In Q-in-Any mode, the frames have a basic QinQ encapsulation; however, in Q-in-Any mode the inner tag is not relevant, except for the fact that a few specific inner VLAN tags are siphoned for specific services. For example, a tag may be used to provide L3 services for general internet access.
Each VLAN on a CE-to-PE link can be configured as a separate L2VPN connection (using either VC type 4 or VC type 5).
Keep these in mind when configuring L2VPN on a VLAN:
Cisco IOS XR software supports 4000 Attachment Circuits per line card.
In a point-to-point connection, the two Attachment Circuits do not have to be of the same type. For example, a port mode Ethernet Attachment Circuit can be connected to a Dot1Q Ethernet Attachment Circuit.
Pseudowires can run in VLAN mode or in port mode. A pseudowire running in VLAN mode has a single Dot1Q tag, while a pseudowire running in port mode has no tags. Some interworking is required to connect these different types of circuits together. This interworking takes the form of popping, pushing, and rewriting tags. The advantage of L2VPN is that is simplifies the interworking required to connect completely different media types together.
The Attachment Circuits on either side of an MPLS pseudowire can be different types. In this case, the appropriate conversion is carried out at one or both ends of the Attachment Circuit to pseudowire connection.
Use the show interfaces command to display Attachment Circuit and pseudowire information.
Note For more information on the show interfaces command, refer to the Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Command Reference.
How to Configure Layer 2 Features on Ethernet Interfaces
Note For more information on configuring interfaces, refer to the Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Configuration Guide.
Default Configuration Values for Gigabit Ethernet and 10-Gigabit Ethernet
Table 2 describes the default interface configuration parameters that are present when an interface is enabled on a Gigabit Ethernet or 10-Gigabit Ethernet modular services card and its associated PLIM.
Note You must use the shutdown command to bring an interface administratively down. The interface default is no shutdown. When a modular services card is first inserted into the router, if there is no established preconfiguration for it, the configuration manager adds a shutdown item to its configuration. This shutdown can be removed only be entering the no shutdown command.
Configuring an Attachment Circuit on an Ethernet Port
Use this procedure to configure an attachment circuit on a Gigabit Ethernet or 10-Gigabit Ethernet port. For more information on configuring an attachment circuit, refer to the Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Configuration Guide.
Note The steps in this procedure configure the L2VPN Ethernet port to operate in EFP mode.
Adds an interface to a bridge domain that allows packets to be forwarded and received from other interfaces that are part of the same bridge domain. The interface EFP now becomes an attachment circuit on this bridge domain.
Adds an interface to a bridge domain that allows packets to be forwarded and received from other interfaces that are part of the same bridge domain. The interface EFP now becomes an attachment circuit on this bridge domain.
When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)?
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
show run interface [ GigabitEthernet | TenGigE ] instance.subinterface
RP/0/RSP0/CPU0:router# show run interface GigabitEthernet0/5/0/1.15
(Optional) Displays statistics for the subinterface on the router.
Configuring Egress EFP Filtering
This section describes the procedures for configuring the egress EFP filtering feature on the Cisco ASR 9000 Series Routers.
Egress EFP filtering is a L2 subinterface specific feature that controls how strictly subinterface encapsulation filtering is performed in the egress direction. According to the EFP behavior and model, all packets transmitted out of a subinterface should match the subinterface encapsulation or rewrite criteria if the same packet is to be received on the subinterface (with the source and destination MAC addresses swapped).
Egress EFP filtering has two stages; first stage is without rewrite command, and the second stage is with rewrite command.
In the first stage filtering, the packet is checked against the encapsulation to ensure the match, the same way it is checked on ingress to determine that the packet is forwarded to that EFP.
In the second stage filtering, the packet is checked before the egress rewrite occurs to ensure that the packet in its egress pre-rewrite state is correct. This means that the egress packet's VLAN encapsulation should be same as a hypothetical ingress packet after the ingress rewrite occurs.
In case of an interface configured with both a rewrite and egress EFP filtering, where egress traffic is getting dropped unexpectedly due to egress EFP filtering, the user must first ascertain which stage the drops occur.
Note Output drops counter displays the drops occurred due to egress EFP filtering in the “show interface” display for that interface. Output drops counter is a summation of drops from multiple causes and not necessarily due to egress EFP filtering.
By using the ethernet egress-filter command, you can configure egress EFP filtering in either global or L2 subinterface mode:
ethernet egress-filter strict configures Egress EFP Filtering in global configuration mode.
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.