- Release 15.4SY Supervisor Engine 2T Software Configuration Guide
Virtual Private LAN Services (VPLS)
- Prerequisites for VPLS
- Restrictions for VPLS
- Information About VPLS
- Default Settings for VPLS
- How to Configure VPLS
- How to Configure VPLS BGP-Based Autodiscovery
- Configuration Examples for VPLS
- Configuration Examples for VPLS BGP-Based Autodiscovery
- Additional References for Virtual Private LAN Services (VPLS)
- Feature Information for Virtual Private LAN Services (VPLS)
Note
- For complete syntax and usage information for the commands used in this chapter, see these publications: http://www.cisco.com/en/US/products/ps11845/prod_command_reference_list.html
- Cisco IOS Release 15.0SY supports only Ethernet interfaces. Cisco IOS Release 15.0SY does not support any WAN features or commands.
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
Prerequisites for VPLS
Before you configure VPLS, ensure that the network is configured as follows:
- Configure IP routing in the core so that the PE routers can reach each other via IP.
- Configure MPLS in the core so that a label switched path (LSP) exists between the PE routers.
- Configure a loopback interface for originating and terminating Layer 2 traffic. Make sure the PE routers can access the other router's loopback interface. Note that the loopback interface is not needed in all cases. For example, tunnel selection does not need a loopback interface when VPLS is directly mapped to a TE tunnel.
VPLS configuration requires you to identify peer PE routers and to attach Layer 2 circuits to the VPLS at each PE router.
Restrictions for VPLS
- With a Supervisor Engine 2T, Layer 2 protocol tunneling is not supported with VPLS (CSCue45974).
- Split horizon is the default configuration to avoid broadcast packet looping and to isolate Layer 2 traffic. Split horizon prevents packets received from an emulated VC from being forwarded into another emulated VC. This technique is important for creating loop-free paths in a full-meshed network.
- Supported maximum values:
– Total number of VFIs: 4,096 (4K)
– Maximum combined number of edge and the core peer PEs per VFI:
Information About VPLS
VPLS Overview
VPLS (Virtual Private LAN Service) enables enterprises to link together their Ethernet-based LANs from multiple sites via the infrastructure provided by their service provider. From the enterprise perspective, the service provider's public network looks like one giant Ethernet LAN. For the service provider, VPLS provides an opportunity to deploy another revenue-generating service on top of their existing network without major capital expenditures. Operators can extend the operational life of equipment in their network.
Virtual Private LAN Services (VPLS) uses the provider core to join multiple attachment circuits together to simulate a virtual bridge that connects the multiple attachment circuits together. From a customer point of view, there is no topology for VPLS. All of the CE devices appear to connect to a logical bridge emulated by the provider core.
Full-Mesh Configuration
The full-mesh configuration requires a full mesh of tunnel label switched paths (LSPs) between all the PEs that participate in the VPLS. With full-mesh, signaling overhead and packet replication requirements for each provisioned VC on a PE can be high.
You set up a VPLS by first creating a virtual forwarding instance (VFI) on each participating PE router. The VFI specifies the VPN ID of a VPLS domain, the addresses of other PE routers in the domain, and the type of tunnel signaling and encapsulation mechanism for each peer PE router.
The set of VFIs formed by the interconnection of the emulated VCs is called a VPLS instance; it is the VPLS instance that forms the logical bridge over a packet switched network. The VPLS instance is assigned a unique VPN ID.
The PE routers use the VFI to establish a full-mesh LSP of emulated VCs to all the other PE routers in the VPLS instance. PE routers obtain the membership of a VPLS instance through static configuration using the Cisco IOS CLI.
The full-mesh configuration allows the PE router to maintain a single broadcast domain. Thus, when the PE router receives a broadcast, multicast, or unknown unicast packet on an attachment circuit, it sends the packet out on all other attachment circuits and emulated circuits to all other CE devices participating in that VPLS instance. The CE devices see the VPLS instance as an emulated LAN.
To avoid the problem of a packet looping in the provider core, the PE devices enforce a "split-horizon" principle for the emulated VCs. That means if a packet is received on an emulated VC, it is not forwarded on any other emulated VC.
After the VFI has been defined, it needs to be bound to an attachment circuit to the CE device.
The packet forwarding decision is made by looking up the Layer 2 virtual forwarding instance (VFI) of a particular VPLS domain.
A VPLS instance on a particular PE router receives Ethernet frames that enter on specific physical or logical ports and populates a MAC table in the same way an Ethernet switch does. The PE router can use the MAC address to switch those frames into the appropriate LSP for delivery to another PE router at a remote site.
If the MAC address is not in the MAC address table, the PE router replicates the Ethernet frame and floods it to all logical ports associated with that VPLS instance, except the ingress port where it just entered. The PE router updates the MAC table as it receives packets on specific ports and removes addresses not used for specific periods.
H-VPLS
Hierarchical VPLS (H-VPLS) reduces both signaling and replication overhead by using both full-mesh as well as hub and spoke configurations. Hub and spoke configurations operate with split horizon to allow packets to be switched between pseudo-wires (PWs), effectively reducing the number of PWs between PEs.
Note Split horizon is the default configuration to avoid broadcast packet looping. To avoid looping when using the no-split-horizon keyword, be very mindful of your network configuration.
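The forwarding rules described above (MAC learning, flooding of unknown and group-addressed frames, aging, and split horizon between emulated VCs) can be modelled in a few lines. This is an added example, not code from the configuration guide: the port names, MAC addresses and the 300-second aging value are constructed, and the model assumes that PW-to-PW forwarding is blocked only when both pseudowires keep the default split horizon.

```python
from dataclasses import dataclass, field

AGING_SECONDS = 300  # assumed value for this model, not a platform default


@dataclass(frozen=True)
class Port:
    name: str
    kind: str                     # "ac" (attachment circuit) or "pw" (emulated VC)
    split_horizon: bool = True    # only consulted when kind == "pw"


@dataclass
class Vfi:
    ports: list
    mac_table: dict = field(default_factory=dict)   # MAC -> (Port, last_seen)

    def _may_forward(self, ingress, egress):
        if egress == ingress:
            return False          # never send a frame back out of its ingress port
        both_pw = ingress.kind == "pw" and egress.kind == "pw"
        # Assumed rule: PW-to-PW is blocked only if both PWs keep split horizon.
        return not (both_pw and ingress.split_horizon and egress.split_horizon)

    def _expire(self, now):
        stale = [mac for mac, (_, seen) in self.mac_table.items()
                 if now - seen > AGING_SECONDS]
        for mac in stale:
            del self.mac_table[mac]

    def forward(self, src, dst, ingress, now=0):
        """Return the names of the ports one frame is sent out of."""
        self._expire(now)
        self.mac_table[src] = (ingress, now)          # learn or refresh the source
        group_bit = int(dst.split(":")[0], 16) & 1    # broadcast or multicast
        entry = None if group_bit else self.mac_table.get(dst)
        candidates = self.ports if entry is None else [entry[0]]
        return [p.name for p in candidates if self._may_forward(ingress, p)]


if __name__ == "__main__":
    # Constructed PE with two attachment circuits and two core pseudowires.
    ac1, ac2 = Port("ac1", "ac"), Port("ac2", "ac")
    pw2, pw3 = Port("pw-pe2", "pw"), Port("pw-pe3", "pw")
    pe = Vfi([ac1, ac2, pw2, pw3])
    host_a, host_b = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    print("unknown unicast from CE:", pe.forward(host_a, host_b, ac1))
    print("broadcast from core PW: ", pe.forward(host_b, "ff:ff:ff:ff:ff:ff", pw2, now=1))
    print("known unicast from core:", pe.forward(host_b, host_a, pw2, now=2))
```

The second line of output lists only attachment circuits: the copy that arrived on one emulated VC is never replicated onto the other, which is what keeps a full mesh loop-free.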
VPLS BGP Based Autodiscovery
VPLS Autodiscovery enables each Virtual Private LAN Service (VPLS) provider edge (PE) device to discover other PE devices that are part of the same VPLS domain. VPLS Autodiscovery also tracks PE devices when they are added to or removed from a VPLS domain. As a result, with VPLS Autodiscovery enabled, you no longer need to manually configure a VPLS domain and maintain the configuration when a PE device is added or deleted. VPLS Autodiscovery uses the Border Gateway Protocol (BGP) to discover VPLS members and set up and tear down pseudowires in a VPLS domain.
BGP uses the Layer 2 VPN (L2VPN) Routing Information Base (RIB) to store endpoint provisioning information, which is updated each time any Layer 2 virtual forwarding instance (VFI) is configured. The prefix and path information is stored in the L2VPN database, which allows BGP to make decisions about the best path. When BGP distributes the endpoint provisioning information in an update message to all its BGP neighbors, this endpoint information is used to configure a pseudowire mesh to support L2VPN-based services.
The BGP autodiscovery mechanism facilitates the configuration of L2VPN services, which are an integral part of the VPLS feature. VPLS enables flexibility in deploying services by connecting geographically dispersed sites as a large LAN over high-speed Ethernet in a robust and scalable IP Multiprotocol Label Switching (MPLS) network.
The VPLS BGP based Autodiscovery feature was introduced on Cisco Catalyst 6500 series Switches starting with the 15.1(1)SY release.
The VPLS BGP based Autodiscovery High Availability feature was introduced on Catalyst 6500 series Switches starting with Release 15.5(1)SY2. This feature provides Stateful Switchover (SSO) support for the VPLS BGP based Autodiscovery feature. SSO minimizes the amount of time a network is unavailable to its users following an RP switchover.
Supported Features
Multipoint-to-Multipoint Support
Two or more devices are associated over the core network. No one device is designated as the Root node, but all devices are treated as Root nodes. All frames can be exchanged directly between nodes.
Non-Transparent Operation
A virtual Ethernet connection (VEC) can be transparent or non-transparent with respect to Ethernet PDUs (that is, BPDUs). The purpose of VEC non-transparency is to allow the end user to have a Frame Relay-type service between Layer 3 devices.
Circuit Multiplexing
Circuit Multiplexing allows a node to participate in multiple services over a single Ethernet connection. By participating in multiple services, the Ethernet connection is attached to multiple logical networks. Some examples of possible service offerings are VPN services between sites, Internet services, and third-party connectivity for intercompany communications.
MAC-Address Learning Forwarding and Aging
PEs must learn remote MAC addresses and directly attached MAC addresses on customer facing ports. MAC address learning accomplishes this by deriving topology and forwarding information from packets originating at customer sites. A timer is associated with stored MAC addresses. After the timer expires, the entry is removed from the table.
Jumbo Frame Support
Jumbo frame support provides support for frame sizes from 1548 through 9216 bytes. You use the CLI to set the jumbo frame size to any value in this range. The default value is 1500 bytes in any Layer 2/VLAN interface. You can configure jumbo frame support on a per-interface basis.
Q-in-Q Support and Q-in-Q to EoMPLS Support
With 802.1Q tunneling (Q-in-Q), the CE issues VLAN-tagged packets and the VPLS forwards the packets to a far-end CE. Q-in-Q refers to the fact that one or more 802.1Q tags may be located in a packet within the interior of the network. As packets are received from a CE device, an additional VLAN tag is added to incoming Ethernet packets to segregate traffic from different CE devices. Untagged packets originating from the CE use a single tag within the interior of the VLAN switched network, while previously tagged packets originating from the CE use two or more tags.
VPLS Services
Transparent LAN Service
Transparent LAN Service (TLS) is an extension to the point-to-point port-based EoMPLS, used to provide bridging protocol transparency (for example, bridge protocol data units [BPDUs]) and VLAN values. Bridges see this service as an Ethernet segment. With TLS, the PE router forwards all Ethernet packets received from the customer-facing interface (including tagged, untagged, and BPDUs) as follows:
- To a local Ethernet interface or an emulated VC if the destination MAC address is found in the Layer 2 forwarding table.
- To all other local Ethernet interfaces and emulated VCs belonging to the same VPLS domain if the destination MAC address is a multicast or broadcast address or if the destination MAC address is not found in the Layer 2 forwarding table.
Note With a Supervisor Engine 2T, Layer 2 protocol tunneling is not supported with VPLS, which prevents use of the Cisco Discovery Protocol (CDP), the VLAN Trunking Protocol (VTP), and the Spanning-Tree Protocol (STP) over VPLS (CSCue45974).
Ethernet Virtual Connection Service
Ethernet Virtual Connection Service (EVCS) is an extension to the point-to-point VLAN-based EoMPLS that allows routers to reach multiple intranet and extranet locations from a single physical port. Routers see subinterfaces through which they access other routers. With EVCS, the PE router forwards all Ethernet packets with a particular VLAN tag received from the customer-facing interface (excluding BPDUs) as follows:
- To a local Ethernet interface or to an emulated VC if the destination MAC address is found in the Layer 2 forwarding table.
- To all other local Ethernet interfaces and emulated VCs belonging to the same VPLS domain if the destination MAC address is a multicast or broadcast address or if the destination MAC address is not found in the Layer 2 forwarding table.
Note Because it has only local significance, the demultiplexing VLAN tag that identifies a VPLS domain is removed before forwarding the packet to the outgoing Ethernet interfaces or emulated VCs.
Default Settings for VPLS
How to Configure VPLS
- Configuring PE Layer 2 Interfaces to CEs
- Configuring Layer 2 VLAN Instances on a PE
- Configuring MPLS in the PE
- Configuring the VFI in the PE
- Associating the Attachment Circuit with the VSI at the PE
- H-VPLS with MPLS Edge
- VPLS Integrated Routing and Bridging
Note
- Use the procedures in the QoS chapters to configure QoS for VPLS traffic.
- Provisioning a VPLS link involves provisioning the associated attachment circuit and the VFI on the PE.
Configuring PE Layer 2 Interfaces to CEs
- Configuring 802.1Q Trunks for Tagged Traffic from a CE
- Configuring 802.1Q Access Ports for Untagged Traffic from CE
- Configuring Q-in-Q to Place All VLANs into a Single VPLS Instance
Note
- It is important to define the trunk VLANs; use the switchport trunk allow vlan command as shown in the first example below.
- You must configure the Layer 2 interface as a switchport for local bridging. You have the option of selecting tagged or untagged traffic from the CE device.
Configuring 802.1Q Trunks for Tagged Traffic from a CE
Note When EVCS is configured, the PE router forwards all Ethernet packets with a particular VLAN tag to a local Ethernet interface or emulated VC if the destination MAC address is found in the Layer 2 forwarding table.
- Disables IP processing and enters interface configuration mode.
- Modifies the switching characteristics of the Layer 2-switched interface.
This example shows how to configure the tagged traffic.
This example shows how to use the show run interface command to verify the configuration.
Configuring 802.1Q Access Ports for Untagged Traffic from CE
This example shows how to configure the untagged traffic.
This example shows how to use the show run interface command to verify the configuration.
Configuring Q-in-Q to Place All VLANs into a Single VPLS Instance
Note When TLS is configured, the PE router forwards all Ethernet packets received from the CE device to all local Ethernet interfaces and emulated VCs belonging to the same VPLS domain if the MAC address is not found in the Layer 2 forwarding table.
This example shows how to configure the tagged traffic.
This example shows how to use the show run interface command to verify the configuration.
Use the show spanning-tree vlan command to verify the port is not in a blocked state.
Use the show vlan id command to verify that a specific port is configured to send and receive a specific VLAN’s traffic.
Configuring Layer 2 VLAN Instances on a PE
Configuring the Layer 2 VLAN interface on the PE enables the Layer 2 VLAN instance on the PE router to the VLAN database to set up the mapping between the VPLS and VLANs.
This is an example of configuring a Layer 2 VLAN instance.
Use the show interfaces vlan command to verify the VLAN is in the up state (example not shown).
Configuring MPLS in the PE
To configure MPLS in the PE, you must provide the required MPLS parameters.
Note Before configuring MPLS, ensure that you have IP connectivity between all PEs by configuring Interior Gateway Protocol (IGP) (Open Shortest Path First [OSPF] or Intermediate System to Intermediate System [IS-IS]) between the PEs.
This example shows global MPLS configuration.
Use the show ip cef command to verify that the LDP label is assigned.
Configuring the VFI in the PE
The virtual forwarding instance (VFI) specifies the VPN ID of a VPLS domain, the addresses of other PE routers in this domain, and the type of tunnel signaling and encapsulation mechanism for each peer. (This is where you create the VSI and associated VCs.) Configure a VFI as follows:
Note Only MPLS encapsulation is supported.
The following example shows a VFI configuration.
The following example shows a VFI configuration for hub and spoke.
The show mpls l2transport vc command displays various information related to PE1.
Note The show mpls l2transport vc [detail] command is also available to show detailed information about the VCs on a PE router as in the following example.
Note The VC ID in the output represents the VPN ID; the VC is identified by the combination of the Dest address and the VC ID as in the example below.
The show vfi vfi name command shows VFI status.
Associating the Attachment Circuit with the VSI at the PE
After defining the VFI, you must bind it to one or more attachment circuits (interfaces, subinterfaces, or virtual circuits).
This example shows an interface VLAN configuration.
Use the show vfi command for VFI status.
H-VPLS with MPLS Edge
Overview
The Hierarchical VPLS model comprises hub and spoke and full-mesh networks. In a full-mesh configuration, each PE router creates a multipoint-to-multipoint forwarding relationship with all other PE routers in the VPLS domain using VFIs.
In the hub and spoke configuration, a PE router can operate in a non-split-horizon mode that allows inter-VC connectivity without the requirement to add a Layer 2 port in the VLAN.
In the example below, the VLANs on CE1, CE2, CE3, and CE4 (in red) connect through a full-mesh network. The VLANs on CE2, CE5, and ISP POP connect through a hub and spoke network where the ISP POP is the hub and CE2 and CE5 are the spokes. shows the configuration example.
Configuration on PE1
Configuring VSIs and VCs
This sample configuration shows the creation of the virtual switch instances (VSIs) and associated VCs. Note that the VCs in green require the no-split-horizon keyword. The no-split-horizon command disables the default Layer 2 split horizon in the data path.
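Because no-split-horizon removes the loop protection on a VC, it is worth checking every PE's VFI definitions together before deploying them. The following audit is an added example, not part of the configuration guide: it parses `l2 vfi ... manual`, `vpn id` and `neighbor ... encapsulation mpls [no-split-horizon]` lines, floods one frame through each VPLS domain, and reports PEs that would receive it more than once. The loopback addresses and VFI names are constructed, and the model assumes PW-to-PW forwarding is blocked only when both pseudowires keep split horizon.

```python
import re
from collections import defaultdict

VFI_RE = re.compile(r"^l2 vfi (\S+) manual\s*$")
VPN_RE = re.compile(r"^\s+vpn id (\d+)\s*$")
NBR_RE = re.compile(
    r"^\s+neighbor (\S+)(?: \d+)? encapsulation mpls( no-split-horizon)?\s*$")


def parse_vfis(config):
    """Return {vpn_id: {neighbor: split_horizon_enabled}} for one PE's config."""
    blocks, block = [], None
    for line in config.splitlines():
        if VFI_RE.match(line):
            block = {"vpn_id": None, "peers": {}}
            blocks.append(block)
        elif block is not None and (m := VPN_RE.match(line)):
            block["vpn_id"] = int(m.group(1))
        elif block is not None and (m := NBR_RE.match(line)):
            block["peers"][m.group(1)] = m.group(2) is None
        elif not line.startswith(" "):
            block = None            # any other top-level line ends the VFI block
    return {b["vpn_id"]: b["peers"] for b in blocks if b["vpn_id"] is not None}


def duplicate_receivers(pes, origin):
    """Flood one frame from an attachment circuit on `origin`; return the PEs
    that receive it over more than one PW or get their own frame back."""
    def pw_up(a, b):                # a PW needs both ends to list each other
        return b in pes.get(a, {}) and a in pes.get(b, {})

    arrivals = defaultdict(set)     # PE -> PEs it received the frame from
    queue = [(origin, peer) for peer in pes[origin] if pw_up(origin, peer)]
    seen = set()
    while queue:
        prev, cur = queue.pop()
        if (prev, cur) in seen:
            continue
        seen.add((prev, cur))
        arrivals[cur].add(prev)
        for nxt, sh_out in pes[cur].items():
            # Blocked only when ingress and egress PW both keep split horizon.
            if nxt != prev and pw_up(cur, nxt) and not (pes[cur][prev] and sh_out):
                queue.append((cur, nxt))
    return {pe for pe, srcs in arrivals.items() if pe == origin or len(srcs) > 1}


def audit(pe_configs):
    """pe_configs: {pe_loopback: config text} -> {vpn_id: [PEs hit by duplicates]}."""
    domains = defaultdict(dict)
    for pe, text in pe_configs.items():
        for vpn_id, peers in parse_vfis(text).items():
            domains[vpn_id][pe] = peers
    findings = {}
    for vpn_id, pes in domains.items():
        hit = set().union(*(duplicate_receivers(pes, pe) for pe in pes))
        if hit:
            findings[vpn_id] = sorted(hit)
    return findings


# Constructed sample: VPN 200 is a clean hub and spoke, VPN 300 is a full mesh
# in which one PE has no-split-horizon on both core neighbors.
PE1, PE2, PE3 = "192.0.2.1", "192.0.2.2", "192.0.2.3"
NSH = " no-split-horizon"


def vfi(name, vpn_id, peers):
    """Render one constructed VFI block; peers maps neighbor -> keyword suffix."""
    body = "".join(f" neighbor {ip} encapsulation mpls{kw}\n" for ip, kw in peers.items())
    return f"l2 vfi {name} manual\n vpn id {vpn_id}\n{body}!\n"


SAMPLE = {
    PE1: vfi("HUB", 200, {PE2: NSH, PE3: NSH}) + vfi("MESH", 300, {PE2: "", PE3: ""}),
    PE2: vfi("HUB", 200, {PE1: ""}) + vfi("MESH", 300, {PE1: NSH, PE3: NSH}),
    PE3: vfi("HUB", 200, {PE1: ""}) + vfi("MESH", 300, {PE1: "", PE2: ""}),
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The hub-and-spoke domain passes because the spokes have no other path between them; the full mesh is flagged because the PE with split horizon disabled relays frames that its neighbors already received directly.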
Configuring the CE Device Interface
This sample configuration shows the CE device interface (there can be multiple Layer 2 interfaces in a VLAN).
Associating the Attachment Circuit with the VFI
This sample configuration shows how the attachment circuit (VLAN) is associated with the VFI.
Configuration on PE2
Configuring VSIs and VCs
This sample configuration shows the creation of the virtual switch instances (VSIs) and associated VCs.
Configuring the CE Device Interface
This sample configuration shows the CE device interface (there can be multiple Layer 2 interfaces in a VLAN).
Associating the Attachment Circuit with the VFI
This sample configuration shows how the attachment circuit (VLAN) is associated with the VFI.
Configuration on PE3
Configuring VSIs and VCs
This sample configuration shows the creation of the virtual switch instances (VSIs) and associated VCs.
Configuring the CE Device Interface
This sample configuration shows the CE device interface (there can be multiple Layer 2 interfaces in a VLAN).
Configuring the Attachment Circuits
This sample configuration shows the attachment circuits.
Configuring Port-based EoMPLS on the uPE Device
This sample configuration shows port-based EoMPLS on the uPE device.
VPLS Integrated Routing and Bridging
VPLS integrated routing and bridging can route Layer 3 traffic as well as switch Layer 2 frames for pseudowire connections between provider edge (PE) devices using Virtual Private LAN Services (VPLS) multipoint PE. The ability to route frames to and from these interfaces supports termination of a pseudowire into a Layer 3 network (VPN or global) on the same switch, or to tunnel Layer 3 frames over a Layer 2 tunnel (VPLS).
Note VPLS integrated routing and bridging is also known as routed pseudowire and routed VPLS.
To configure routing support for the pseudowire, configure an IP address and other Layer 3 features for the Layer 3 domain (VPN or global) in the virtual LAN (VLAN) interface configuration.
- The following example assigns the IP address 10.10.10.1 to the VLAN 100 interface. (Layer 2 forwarding is defined by the VFI VFI100.)
- The following example assigns an IP address 20.20.20.1 of the VPN domain VFI200. (Layer 2 forwarding is defined by the VFI VFI200.)
How to Configure VPLS BGP-Based Autodiscovery
Enabling VPLS BGP-based Autodiscovery
Perform this task to enable Virtual Private LAN Service (VPLS) PE devices to discover other PE devices that are part of the same VPLS domain.
Enables VPLS Autodiscovery on a PE device and enters L2 VFI configuration mode.
Configuring BGP to enable VPLS Autodiscovery
The Border Gateway Protocol (BGP) Layer 2 VPN (L2VPN) address family supports a separate L2VPN Routing Information Base (RIB) that contains endpoint provisioning information for Virtual Private LAN Service (VPLS) Autodiscovery. BGP learns the endpoint provisioning information from the L2VPN database, which is updated each time a Layer 2 virtual forwarding instance (VFI) is configured. When BGP distributes the endpoint provisioning information in an update message to all its BGP neighbors, the endpoint information is used to configure a pseudowire mesh to support L2VPN-based services.
Configuration Examples for VPLS
In a full-mesh configuration, each PE router creates a multipoint-to-multipoint forwarding relationship with all other PE routers in the VPLS domain using a VFI. An Ethernet or VLAN packet received from the customer network can be forwarded to one or more local interfaces and/or emulated VCs in the VPLS domain. To avoid broadcast packets looping around in the network, no packet received from an emulated VC can be forwarded to any emulated VC of the VPLS domain on a PE router. That is, the Layer 2 split horizon should always be enabled as the default in a full-mesh network.
This shows the creation of the virtual switch instances (VSIs) and associated VCs.
This configures the CE device interface (there can be multiple Layer 2 interfaces in a VLAN).
Here the attachment circuit (VLAN) is associated with the VSI.
This is the enablement of the Layer 2 VLAN instance.
This shows the creation of the virtual switch instances (VSIs) and associated VCs.
This configures the CE device interface (there can be multiple Layer 2 interfaces in a VLAN).
Here the attachment circuit (VLAN) is associated with the VSI.
This is the enablement of the Layer 2 VLAN instance.
This shows the creation of the virtual switch instances (VSIs) and associated VCs.
This configures the CE device interface (there can be multiple Layer 2 interfaces in a VLAN).
Here the attachment circuit (VLAN) is associated with the VSI.
This is the enablement of the Layer 2 VLAN instance.
The show mpls l2 vc command provides information on the status of the VC.
The show vfi command provides information on the VFI.
The show mpls l2transport vc command provides information on the virtual circuits.
Configuration Examples for VPLS BGP-Based Autodiscovery
This shows the configuration of VPLS BGP-Autodiscovery on PE.
The following is a sample output for the show bgp l2vpn vpls all command:
This displays the Routing Information Base (RIB) High Availability (HA) checkpoint information:
Additional References for Virtual Private LAN Services (VPLS)
MIBs
To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL:
Technical Assistance
Feature Information for Virtual Private LAN Services (VPLS)
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.