Cisco ANA NSA provides wizards that allow you to provision Carrier Ethernet services. The wizards also allow you to provision elements that allow services to be created and activated, such as Ethernet flow points, QoS policies, and ACLs. The following topics provide an overview to the services and technologies activated or provisioned by Cisco ANA NSA:
•Carrier Ethernet Overview
•Carrier Ethernet Technologies
Carrier Ethernet Overview
A Carrier Ethernet service includes service elements that exist on an Ethernet subnetwork domain. Components include:
•User Network Interface (UNI)—A UNI is a physical interface that marks the boundary between service provider, cable operator, or carrier and the subscriber. The UNI is located at the edge of the subnetwork domain.
•Network to Network Interface (NNI)—An interface that marks the boundary between Carrier Ethernet networks operated by one or more carriers.
•Ethernet Virtual Connection (EVC)—A logical representation of an Ethernet service, defined by the association between two or more UNIs.
Note EVCs are not supported in this Cisco ANA NSA release.
•Ethernet Flow Point (EFP)—an Ethernet service endpoint.
•QoS Policy—Defines bandwidth profiles at the UNI and EFP levels.
•MAC Layer Security Policy—If MAC security is enabled, defines the subset of MAC addresses to include or exclude.
•Layer 2 Access Control Lists—Are similar to Layer 3 (router) ACLs but are supported on physical interfaces and configured on switch Layer 2 interfaces.
Carrier Ethernet Technologies
The following sections provide an overview to Carrier Ethernet technologies supported by Cisco ANA NSA:
•E-Line
•E-LAN
•VPLS and H-VPLS
•Ethernet Flow Points
•Layer 3 VPN
•Quality of Service
•Layer 2 Access Control Lists
•Mobile Transport over Packet
E-Line
An E-Line Ethernet service (Figure 2-1) is based on a point-to-point Ethernet Virtual Connection (EVC). An E-Line service can be used to create a broad range of point-to-point services. E-Line point-to-point services include Ethernet Private Line (EPL) and Ethernet Virtual Private Line (EVPL).
•Ethernet Private Line—Uses a point-to-point EVC between two UNIs. An EPL provides a high degree of service frame transparency between the interconnected UNIs, so that the service frame header and payload are identical at the source and destination UNI.
•Ethernet Virtual Private Line—Creates a point-to-point EVC similar to the EPL. However, the EVPL allows service multiplexing at the UNI, which means the EVPL can support more than one EVC at the UNI. The EVPL also does not require full service frame transparency.
Figure 2-1 E-Line Service
Cisco ANA NSA provides the following E-Line wizards:
•E-Line Point-to-Point Service, page 3-17.
•E-Line Local Connect Service, page 3-22.
E-LAN
An E-LAN service is a multipoint-to-multipoint EVC that delivers service frames to a UNI in an EVC following rules defined for the service. A single broadcast or multicast ingress service frame (as determined from the destination MAC address) at a given UNI is replicated in the Carrier Ethernet Network and a single copy is delivered to each of the other UNIs in the EVC.
Figure 2-2 E-LAN Service
Cisco ANA NSA provides E-LAN services combined with VPLS and H-VPLS. See VPLS and H-VPLS.
VPLS and H-VPLS
Virtual Private LAN Service (VPLS) offers multipoint Ethernet LAN services over MPLS networks. To an attached NE, a VPLS offers the same connectivity as an Ethernet switch. The VPLS architecture links virtual switch instances (VSIs) with MPLS pseudowires to form an emulated Ethernet switch. Figure 2-3 shows the basic VPLS configuration components.
Figure 2-3 VPLS Configuration
VPLS offers two types of service:
•Transparent LAN Service (TLS)
•Ethernet Virtual Connection Service (EVCS)
TLS and EVCS services are differentiated by the way that MAC addresses are learned and the way that bridging protocol data units (BPDU) are processed. TLS performs unqualified learning. All customer VLANs of a Layer 2 VPN are treated as if they were in the same broadcast domain. In EVCS, the outer VLAN tag on the Ethernet packet differentiates one customer VLAN instance from another. Each VLAN has its own MAC address space, which allows qualified learning. In qualified learning, MAC addresses of different VLANs might overlap with one another, and each VLAN has a separate Layer 2 forwarding table.
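The difference between unqualified and qualified learning is easiest to see with overlapping MAC addresses. The following added example (not Cisco ANA NSA code) models a VSI each way and shows what happens when hosts in two different customer VLANs use the same MAC address; the MAC addresses, VLAN IDs and port names are constructed for the example.

```python
"""Added example, not Cisco ANA NSA code: a small model of the difference
between unqualified MAC learning (TLS) and qualified learning (EVCS).
MAC addresses, VLAN IDs and port names are constructed for the example."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    outer_vlan: int      # the outer (customer-distinguishing) VLAN tag
    ingress_port: str    # port the frame arrived on


class UnqualifiedVsi:
    """TLS: one forwarding table keyed by MAC only; every customer VLAN of the
    Layer 2 VPN shares it, as if they were one broadcast domain."""

    def __init__(self) -> None:
        self.table: dict = {}

    def learn(self, frame: Frame) -> None:
        self.table[frame.src_mac] = frame.ingress_port

    def lookup(self, frame: Frame) -> Optional[str]:
        # None means unknown destination: the VSI would flood the frame
        return self.table.get(frame.dst_mac)


class QualifiedVsi:
    """EVCS: a separate forwarding table per outer VLAN, so the same MAC may
    appear under different VLANs without colliding."""

    def __init__(self) -> None:
        self.tables: dict = {}

    def learn(self, frame: Frame) -> None:
        self.tables.setdefault(frame.outer_vlan, {})[frame.src_mac] = frame.ingress_port

    def lookup(self, frame: Frame) -> Optional[str]:
        return self.tables.get(frame.outer_vlan, {}).get(frame.dst_mac)


SHARED_MAC = "00:11:22:33:44:55"   # constructed: used by a host in each of two customer VLANs


def run_scenario(vsi) -> Optional[str]:
    """Two customers (VLAN 100 and VLAN 200) each have a host with SHARED_MAC,
    reachable through different ports. Return the port the VSI would forward
    VLAN 100 traffic destined to SHARED_MAC to."""
    vsi.learn(Frame(SHARED_MAC, "ff:ff:ff:ff:ff:ff", 100, "gi1/1"))
    vsi.learn(Frame(SHARED_MAC, "ff:ff:ff:ff:ff:ff", 200, "gi1/2"))
    probe = Frame("00:aa:bb:cc:dd:ee", SHARED_MAC, 100, "gi1/3")
    return vsi.lookup(probe)


def table_count(vsi) -> int:
    """How many separate Layer 2 forwarding tables the VSI keeps."""
    return len(vsi.tables) if isinstance(vsi, QualifiedVsi) else 1


if __name__ == "__main__":
    print("unqualified forwards VLAN 100 traffic to", run_scenario(UnqualifiedVsi()))
    print("qualified forwards VLAN 100 traffic to", run_scenario(QualifiedVsi()))
```

With unqualified learning the second customer's entry overwrites the first, so VLAN 100 traffic is sent out the port of the VLAN 200 host (gi1/2); with qualified learning each VLAN keeps its own table and the lookup returns gi1/1. This is why EVCS isolates customers whose MAC spaces overlap, while TLS requires that all VLANs of the Layer 2 VPN share one MAC space.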
VPLS requires that the edge NE is MPLS-capable and participates in routing protocols and the Label Distribution Protocol (LDP). Hierarchical VPLS (H-VPLS) partitions the network into several edge domains that are interconnected using an MPLS core. The edge NEs only learn of their local N-PE network elements and therefore do not need large routing table support. The edge domain can also be built using Ethernet switches and techniques such as Q-in-Q.
Cisco ANA NSA provides the following VPLS and H-VPLS wizards:
•E-LAN VPLS Hub, page 3-2
•E-LAN VPLS Neighbor, page 3-8
•E-LAN H-VPLS Hub Neighbor, page 3-11
•E-LAN H-VPLS Spoke, page 3-13
Ethernet Flow Points
An Ethernet Flow Point (EFP) is a forwarding decision point in the PE router, which gives network designers flexibility to make many Layer 2 flow decisions within the interface itself. Many EFPs can be configured on a single physical port. (The number varies from one device to another.) EFPs are the logical demarcation points of an Ethernet virtual connection (EVC) on an interface. An EVC that uses two or more UNIs requires an EFP on the associated ingress and egress interfaces of every device that the EVC passes through.
EFPs can be configured on any Layer 2 traffic port; however, they are usually configured on UNI ports. The following parameters can be configured on the EFP:
•Match criteria—Defines the matching rules of the frames that should enter the EFP. The matching rules can be for:
–Frames of a specific VLAN, a VLAN range, or a list of VLANs (for example, 100-150 or 100,103,110).
–Frames with no tags (untagged).
–Frames with the same double tags (VLAN tags) as specified.
–Frames with the same Class of Service (CoS).
A frame is checked against each configured match criterion in turn until a match is found. If a frame does not fit any of the matching criteria, it is dropped. Default criteria can be configured to avoid dropping frames.
•Rewrite commands—In each EFP, VLAN tag management can be specified with the following actions:
–Pop—1) pops out a tag; 2) pops out two tags.
–Push—1) pushes in a tag; 2) pushes in two tags.
–Translate—1 to 1) changes a tag value; 1 to 2) pops one tag and pushes two tags; 2 to 1) pops two tags and pushes one tag; 2 to 2) changes the value for two tags.
•Forwarding commands—Each EFP specifies the forwarding command for the frames that enter it. Only one forwarding command can be configured per EFP. The forwarding options are:
–Layer 2 Point-to-Point—Forwards to a pseudowire tunnel.
–Multipoint Bridging—Forwards to a bridge domain entity.
–Local Switching—Switches between two different interfaces.
•Feature commands—Change QoS parameters and update the ACL.
In addition, the direction of the configuration can be indicated. The symmetric option indicates whether or not this configuration is the same for both ingress and egress traffic.
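The following added example (not Cisco ANA NSA code) models the three EFP steps described above for one UNI port: match criteria checked in order, VLAN tag rewrite (pop, push, translate) and exactly one forwarding command per EFP, with frames that match no EFP being dropped unless a default EFP is present. The EFP numbers, VLAN IDs and forwarding target names are constructed.

```python
"""Added example, not Cisco ANA NSA code: a model of the EFP steps described
above, namely match criteria checked in order, VLAN tag rewrite (pop, push,
translate) and a single forwarding command per EFP, with frames that match
no EFP being dropped. EFP numbers, VLAN IDs and target names are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Tag:
    vid: int        # VLAN ID
    cos: int = 0    # 802.1p Class of Service


@dataclass
class Frame:
    tags: List[Tag]     # outer tag first; an empty list means untagged


def parse_vlan_spec(spec: str) -> Set[int]:
    """Expand a VLAN spec written as a range ('100-150') or a list ('100,103,110')."""
    vids: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vids.update(range(lo, hi + 1))
        else:
            vids.add(int(part))
    return vids


def translate(pop_count: int, new_tags: List[Tag]) -> list:
    """Translate N-to-M is modelled as pop N tags, then push M tags."""
    return [("pop", pop_count), ("push", new_tags)]


@dataclass
class Efp:
    efp_id: int
    forward: str                              # exactly one forwarding command, e.g. "bridge:bd-100"
    vlans: Optional[Set[int]] = None          # match: outer VLAN is in this set
    untagged: bool = False                    # match: frame carries no tag
    double: Optional[Tuple[int, int]] = None  # match: (outer VID, inner VID)
    cos: Optional[int] = None                 # match: outer-tag CoS value
    default: bool = False                     # match anything (the "default criteria" case)
    rewrite: list = field(default_factory=list)  # ordered ("pop", n) / ("push", [Tag, ...])

    def matches(self, frame: Frame) -> bool:
        if self.default:
            return True
        if self.untagged:
            return not frame.tags
        if not frame.tags:
            return False    # tag-based criteria never match an untagged frame
        outer = frame.tags[0]
        if self.vlans is not None and outer.vid not in self.vlans:
            return False
        if self.double is not None:
            if len(frame.tags) < 2 or (outer.vid, frame.tags[1].vid) != self.double:
                return False
        if self.cos is not None and outer.cos != self.cos:
            return False
        return True

    def apply_rewrite(self, frame: Frame) -> Frame:
        tags = list(frame.tags)
        for op, arg in self.rewrite:
            if op == "pop":
                if arg > len(tags):
                    raise ValueError(f"EFP {self.efp_id}: cannot pop {arg} tags from {len(tags)}")
                tags = tags[arg:]
            elif op == "push":
                tags = list(arg) + tags
            else:
                raise ValueError(f"EFP {self.efp_id}: unknown rewrite {op}")
        return Frame(tags)


def classify(port_efps: List[Efp], frame: Frame):
    """Check the EFPs in order; the first match wins. Return
    (efp_id, forwarding command, rewritten frame), or None when the frame is dropped."""
    for efp in port_efps:
        if efp.matches(frame):
            return efp.efp_id, efp.forward, efp.apply_rewrite(frame)
    return None


# Constructed UNI port configuration with three EFPs and no default EFP.
UNI_GI1_1 = [
    # customer VLANs 100-150: translate 1-to-2 (pop the C-tag, push S-tag 500 and C-tag 100)
    Efp(10, "bridge:bd-100", vlans=parse_vlan_spec("100-150"),
        rewrite=translate(1, [Tag(500), Tag(100)])),
    # double-tagged 200/300: pop both tags and hand the frame to pseudowire 7
    Efp(20, "l2-p2p:pw-7", double=(200, 300), rewrite=[("pop", 2)]),
    # untagged frames: push VLAN 999 and switch locally to gi1/2
    Efp(30, "local:gi1/2", untagged=True, rewrite=[("push", [Tag(999)])]),
]
DEFAULT_EFP = Efp(99, "bridge:bd-default", default=True)   # catch-all that prevents drops


if __name__ == "__main__":
    for f in (Frame([Tag(120, 5)]), Frame([Tag(200), Tag(300)]), Frame([]), Frame([Tag(700)])):
        print(classify(UNI_GI1_1, f))
```

Note the fail-closed behaviour: a frame on VLAN 700 matches nothing on this port and is dropped, which is the intended outcome on a UNI unless a default EFP is deliberately added. EFP order matters as well, because the first matching EFP decides both the rewrite and the forwarding target.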
EFPs are implemented as service instances for Cisco 7600 Series Routers, or as subinterfaces for the Cisco ASR 9000 Aggregation Services Routers. These two implementations function identically. Cisco ANA displays EFP information on the port physical inventory, and on the VLAN bridge and link aggregation group logical inventories.
Cisco ANA NSA provides the following EFP wizard:
•Activate Access, page 3-25
Layer 3 VPN
MPLS Layer 3 VPNs use a peer-to-peer VPN model that leverages BGP to distribute VPN-related information. This peer-to-peer model allows subscribers to outsource routing information to service providers. Service providers can provide additional services, such as QoS and traffic engineering, to enable voice, video and data convergence. MPLS Layer 3 VPNs can be deployed with MPLS TE and Fast Reroute to offer tight SLAs. Layer 3 VPN QoS-based offerings range from two to five service classes.
Layer 3 VPNs use roles to describe a specific job in the network system. The role describes what the element should do irrespective of any physical platform. Layer 3 VPN roles include Provider Edge (PE), Provider (P), Route Reflector (RR), and Autonomous System Boundary Router (ASBR).
Figure 2-4 shows the Layer 3 VPN roles within a Carrier Ethernet network.
Figure 2-4 Layer 3 VPN Roles
MPLS VPN functionality is enabled at the edge of an MPLS network. The PE router:
•Exchanges routing updates with the CE router.
•Translates the CE routing information into VPNv4 routes.
•Exchanges VPNv4 routes with other PE routers through the Multiprotocol Border Gateway Protocol (MP-BGP).
Each VPN is associated with one or more virtual routing and forwarding (VRF) instances. A VRF defines the VPN membership of a customer site attached to a PE router. A VRF consists of the following components:
•An IP routing table.
•A derived CEF table.
•A set of interfaces that use the forwarding table.
•A set of rules and routing protocol parameters that control the information that is included in the routing table.
A one-to-one relationship does not necessarily exist between customer sites and VPNs. A site can be a member of multiple VPNs. However, a site can associate with only one VRF. A site's VRF contains all the routes available to the site from the VPNs of which it is a member.
Packet forwarding information is stored in the IP routing table and the CEF table for each VRF. A separate set of routing and CEF tables is maintained for each VRF. These tables prevent information from being forwarded outside a VPN, and also prevent packets that are outside a VPN from being forwarded to a router within the VPN.
The distribution of VPN routing information is controlled through the use of VPN route target communities, implemented by BGP extended communities. VPN routing information is distributed as follows:
•When a VPN route that is learned from a CE router is injected into BGP, a list of VPN route target extended community attributes is associated with it. Typically the list of route target community extended values is set from an export list of route targets associated with the VRF from which the route was learned.
•An import list of route target extended communities is associated with each VRF. The import list defines route target extended community attributes that a route must have in order for the route to be imported into the VRF. For example, if the import list for a particular VRF includes route target extended communities A, B, and C, then any VPN route that carries any of those route target extended communities—A, B, or C—is imported into the VRF.
A PE router can learn an IP prefix from the following sources:
•A CE router by static configuration.
•A BGP session with the CE router.
•A Routing Information Protocol (RIP) exchange with the CE router.
The IP prefix is a member of the IPv4 address family. After the PE router learns the IP prefix, the PE converts it into a VPN-IPv4 prefix by combining it with an 8-byte route distinguisher (RD). The generated prefix is a member of the VPN-IPv4 address family. It uniquely identifies the customer address, even if the customer site is using globally non-unique (unregistered private) IP addresses. The route distinguisher used to generate the VPN-IPv4 prefix is specified by a configuration command associated with the VRF on the PE router.
BGP distributes reachability information for VPN-IPv4 prefixes for each VPN. BGP communication takes place at two levels:
•Within an IP domain, known as an autonomous system (interior BGP [IBGP]).
•Between autonomous systems (external BGP [EBGP]).
PE-PE or PE-RR (route reflector) sessions are IBGP sessions, and PE-CE sessions are EBGP sessions.
BGP propagates reachability information for VPN-IPv4 prefixes among PE routers by means of the BGP multiprotocol extensions (refer to RFC 2283, Multiprotocol Extensions for BGP-4), which define support for address families other than IPv4. Using the extensions ensures that the routes for a given VPN are learned only by other members of that VPN, enabling members of the VPN to communicate with each other.
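To make the route distinguisher and route target mechanics concrete, the following added example (not Cisco ANA NSA code) models a PE turning IPv4 prefixes learned from two CEs into VPN-IPv4 prefixes with an 8-byte RD, attaching the VRF's export route targets, and a second PE importing them into its VRFs by route target. Both customers use the same private prefix, which is the case the RD exists for. The ASN, RD and RT values, prefixes and next hops are constructed.

```python
"""Added example, not Cisco ANA NSA code: a model of how a PE turns an IPv4
prefix learned from a CE into a VPN-IPv4 prefix with an 8-byte route
distinguisher, tags it with the VRF's export route targets, and how other
VRFs import it by route target. ASN, RD/RT values, prefixes and next hops
are constructed."""
import struct
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


def route_distinguisher(asn: int, assigned: int) -> bytes:
    """Type 0 RD (8 bytes): 2-byte type field, 2-byte ASN, 4-byte assigned number."""
    return struct.pack("!HHI", 0, asn, assigned)


def route_target(asn: int, assigned: int) -> bytes:
    """Route target as a BGP extended community (8 bytes): type 0x00
    (two-octet AS specific), subtype 0x02 (route target), ASN, assigned number."""
    return struct.pack("!BBHI", 0x00, 0x02, asn, assigned)


@dataclass(frozen=True)
class VpnIpv4Prefix:
    rd: bytes       # makes globally non-unique customer prefixes distinguishable
    prefix: str     # IPv4 prefix, e.g. "10.0.0.0/24"


@dataclass
class VpnRoute:
    vpn_prefix: VpnIpv4Prefix
    next_hop: str             # kept as the CE address here so the owning customer is visible;
                              # real MP-BGP rewrites it to the advertising PE
    rts: FrozenSet[bytes]     # route target extended communities attached on export


@dataclass
class Vrf:
    name: str
    rd: bytes
    export_rts: FrozenSet[bytes]
    import_rts: FrozenSet[bytes]
    routing_table: Dict[str, str] = field(default_factory=dict)   # prefix -> next hop


def export_routes(vrf: Vrf) -> List[VpnRoute]:
    """Inject the VRF's routes into BGP: prepend the VRF's RD and attach its export RT list."""
    return [VpnRoute(VpnIpv4Prefix(vrf.rd, p), nh, vrf.export_rts)
            for p, nh in vrf.routing_table.items()]


def import_routes(vrf: Vrf, vpn_table: List[VpnRoute]) -> int:
    """Import every route carrying ANY route target on the VRF's import list;
    return how many routes were imported."""
    imported = 0
    for route in vpn_table:
        if route.rts & vrf.import_rts:
            vrf.routing_table[route.vpn_prefix.prefix] = route.next_hop
            imported += 1
    return imported


ASN = 65000
RT_A = route_target(ASN, 100)
RT_B = route_target(ASN, 200)


def demo():
    """Two customers both use 10.0.0.0/24 behind PE1; PE2 must keep them apart."""
    pe1_a = Vrf("CUST_A", route_distinguisher(ASN, 1), frozenset({RT_A}), frozenset({RT_A}),
                {"10.0.0.0/24": "192.0.2.11"})
    pe1_b = Vrf("CUST_B", route_distinguisher(ASN, 2), frozenset({RT_B}), frozenset({RT_B}),
                {"10.0.0.0/24": "192.0.2.22"})
    vpn_table = export_routes(pe1_a) + export_routes(pe1_b)   # what MP-BGP carries to PE2
    pe2_a = Vrf("CUST_A", route_distinguisher(ASN, 1), frozenset({RT_A}), frozenset({RT_A}))
    pe2_b = Vrf("CUST_B", route_distinguisher(ASN, 2), frozenset({RT_B}), frozenset({RT_B}))
    import_routes(pe2_a, vpn_table)
    import_routes(pe2_b, vpn_table)
    return vpn_table, pe2_a, pe2_b


if __name__ == "__main__":
    table, a, b = demo()
    print(len({r.vpn_prefix for r in table}), "distinct VPN-IPv4 prefixes")
    print("PE2 CUST_A:", a.routing_table, "PE2 CUST_B:", b.routing_table)
```

The two identical IPv4 prefixes become two distinct VPN-IPv4 prefixes because their RDs differ, and each VRF on PE2 ends up with only its own customer's route because the import lists do not share a route target. The import rule is "any of", so a VRF whose import list names several route targets imports a route that carries just one of them.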
Cisco ANA NSA provides the following Layer 3 VPN wizards:
•Layer 3 VPN, page 3-28
Quality of Service
Quality of Service (QoS) refers to the capability of a network to provide better service to selected network traffic over various technologies, including Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, SONET, and IP-routed networks that might use any or all of these underlying technologies. The primary goal of QoS is to provide a prioritization methodology, including dedicated bandwidth, controlled jitter and latency (required by some real-time and interactive traffic), and improved loss characteristics. A secondary goal is to ensure that providing priority for one or more flows does not cause other flows to fail. QoS technologies provide the elemental building blocks.
Cisco ANA NSA provides the following QoS wizards:
•QoS Policy, page 3-55
Layer 2 Access Control Lists
Access lists filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces. The router examines each packet to determine whether to forward or drop the packet, based on the criteria specified within the access lists. Access list criteria can be the source address of the traffic, the destination address of the traffic, the upper-layer protocol, or other information.
Layer 2 (port) ACLs are similar to Layer 3 (router) ACLs but are supported on physical interfaces and configured on switch Layer 2 interfaces. Layer 2 ACLs support only inbound traffic filtering. The Layer 2 ACL can be configured as one of three access list types: standard, extended, and MAC-extended.
Processing of the Layer 2 ACL is similar to that of the router ACLs; the switch examines ACLs associated with features configured on a given interface and permits or denies packet forwarding based on packet-matching criteria in the ACL.
When applied to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When applied to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.
The main benefit of the Layer 2 ACL is that it can filter IP traffic (using IP access lists) and non-IP traffic (using MAC access list). Both types of filtering can be achieved—that is, a Layer 2 interface can have both an IP access list and a MAC access list applied to it at the same time.
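The following added example (not Cisco ANA NSA code) models the evaluation rules stated above: top-down first match, an implicit deny at the end of every list, inbound-only application, and a Layer 2 interface carrying both an IP access list (for IP traffic) and a MAC access list (for non-IP traffic). The addresses, MAC addresses, ports and ACL entries are constructed.

```python
"""Added example, not Cisco ANA NSA code: first-match evaluation of a Layer 2
(port) ACL, with an IP access list for IP traffic and a MAC access list for
non-IP traffic applied to the same interface, inbound only, and the implicit
deny at the end of each list. Addresses, ports and ACL entries are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    protocol: Optional[str] = None    # "tcp", "udp", "icmp"
    dst_port: Optional[int] = None


@dataclass
class MacAce:
    """One entry of a MAC-extended access list; None means 'any'."""
    action: str                       # "permit" or "deny"
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    ethertype: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.src_mac is None or self.src_mac == p.src_mac.lower())
                and (self.dst_mac is None or self.dst_mac == p.dst_mac.lower())
                and (self.ethertype is None or self.ethertype == p.ethertype))


@dataclass
class IpAce:
    """One entry of an IP access list: a standard list uses only src,
    an extended list may also specify dst, protocol and destination port."""
    action: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    protocol: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if p.src_ip is None or p.dst_ip is None:
            return False
        if ipaddress.ip_address(p.src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.protocol is not None and self.protocol != p.protocol:
            return False
        if self.dst_port is not None and self.dst_port != p.dst_port:
            return False
        return True


def evaluate(acl: list, p: Packet) -> str:
    """Walk the list top-down; the first matching entry decides.
    A packet that matches no entry hits the implicit deny at the end."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


def port_filter(p: Packet, ip_acl: Optional[List[IpAce]], mac_acl: Optional[List[MacAce]],
                direction: str = "in") -> str:
    """Apply the port ACL to a packet arriving on a Layer 2 interface. IP packets
    are checked against the IP access list, everything else against the MAC
    access list; a traffic type with no list applied is permitted."""
    if direction != "in":
        raise ValueError("Layer 2 ACLs support only inbound traffic filtering")
    if p.ethertype == ETHERTYPE_IPV4:
        return evaluate(ip_acl, p) if ip_acl is not None else "permit"
    return evaluate(mac_acl, p) if mac_acl is not None else "permit"


# Constructed policy for a customer-facing port: block SSH and allow only HTTPS
# to one server from the customer's subnet; ARP is the only non-IP protocol allowed.
IP_ACL_IN = [
    IpAce("deny", src="198.51.100.0/24", dst="203.0.113.10/32", protocol="tcp", dst_port=22),
    IpAce("permit", src="198.51.100.0/24", dst="203.0.113.10/32", protocol="tcp", dst_port=443),
]
MAC_ACL_IN = [
    MacAce("permit", ethertype=ETHERTYPE_ARP),
]


def check(p: Packet) -> str:
    """Decision for a packet arriving inbound on the constructed customer port."""
    return port_filter(p, IP_ACL_IN, MAC_ACL_IN)


if __name__ == "__main__":
    print(check(Packet("00:aa:00:00:00:01", "00:bb:00:00:00:01", ETHERTYPE_IPV4,
                       "198.51.100.5", "203.0.113.10", "tcp", 443)))
```

Because each list ends in an implicit deny, anything not explicitly permitted (HTTP to the same server, or a non-IP protocol other than ARP) is dropped, and the explicit deny for SSH placed before the permit shows why entry order matters. Attempting to apply the ACL outbound raises an error, mirroring the inbound-only restriction of Layer 2 ACLs.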
Mobile Transport over Packet
Cisco Mobile Transport over Packet (MToP) extends Cisco IP network intelligence from the network core to the edge by preparing Radio Access Network (RAN) traffic for transport on the packet network. MToP establishes a common backbone for migration from traditional, disparate networks to a converged IP/Multiprotocol Label Switching (MPLS) mobile architecture.
MToP uses pseudowires to extend the packet-based core closer to the edge of the network. It flattens the multiple layers of the RAN onto a single MPLS network by encapsulating and transporting time-division multiplexing (TDM), Frame Relay, and ATM traffic over MPLS.
MToP builds an MPLS cloud between the distribution nodes (between access and aggregation) and the aggregation nodes on the network edge. The MPLS network is also extended over point-to-point links from the distribution nodes through Ethernet, serial, microwave, or a Layer 2 access network.
The CEoP and STM-1c/OC-3c ATM SPAs on aggregation Cisco 7600 Series routers terminate the pseudowire connections at the RNC/BSC site. CEoP SPAs collect native ATM/TDM traffic at the distribution nodes, encapsulate it in pseudowires, and transport it to the aggregation nodes over MPLS.
MToP services include:
•Using MPLS technology to extend the packet-based core to the edge of the network.
•Employing pseudowires (MPLS virtual circuit tunnels) to aggregate and transport time-division multiplexing (TDM), IP, Ethernet, and ATM traffic, as well as clock synchronization, from the RAN to the network core.
•Converting RAN voice and data frames into IP packets at the cell site and transporting them seamlessly over a backhaul network.
•At the central site, extracting the frames from the IP packets and rebuilding the ATM or TDM streams.
Cisco ANA NSA provides the following MToP wizards:
•MToP ATM Pseudowire Service, page 3-33
•MToP TDM Pseudowire Service, page 3-37
•MToP Clocking Synchronization, page 3-42