Cisco ME 3800x and ME 3600x Switches Software Configuration Guide, Cisco IOS Release 15.3(3)S

VPN Benefits

MPLS VPNs allow service providers to deploy scalable VPNs and build the foundation to deliver value-added services, including:

• Connectionless service—MPLS VPNs are connectionless, which means that no prior action is required to establish communication between hosts. A connectionless VPN does not require tunnels and encryption for network privacy.
• Centralized service—MPLS VPNs are seen as private intranets, which allows delivery of targeted IP services to a group of users represented by a VPN.
• Scalability— MPLS-based VPNs use the peer model and Layer 3 connectionless architecture to leverage a highly scalable solution. The peer model requires a customer site to act as a peer to one PE router as opposed to all other customer PE or CE devices that are members of the VPN. The PE routers maintain VPN routes for those VPNs that are members. Routers in the core network do not maintain any VPN routes.
• Security—MPLS VPNs offer the same level of security as connection-oriented VPNs. Packets from one VPN do not inadvertently go to another VPN. Security provided at the edge of a provider network ensures that packets received from a customer are placed on the correct VPN; security provided at the backbone ensures that VPN traffic is kept separate.
• Easy to create—Because MPLS VPNs are connectionless, no specific point-to-point connection maps or topologies are required, and you can add sites to intranets and extranets to form closed user groups.
• Flexible addressing—Customers can continue to use their present address spaces without network address translation (NAT) because the MPLS VPN provides a public and private view of the address. A NAT is required only if two VPNs with overlapping address spaces want to communicate.
• Straightforward migration—You can build MPLS VPNs over multiple network architectures. Migration for the end customer is simplified because the CE router is not required to support MPLS, so no customer's intranet modifications are needed.
• MPLS VPN also provides increased BGP functionality.

Figure 1-1 shows an example of a VPN with a service-provider backbone network, provider-edge (PE) and customer leading-edge (CLE) routers and customer-edge (CE) devices.

Figure 1-1 VPNs with a Service-Provider Backbone

Each VPN contains customer devices attached to the customer-edge (CE) devices. The customer devices use VPNs to exchange information between devices, and the provider routers (P) are not aware of the VPNs.

Figure 1-2 shows five customer sites communicating within three VPNs. The VPNs can communicate with these sites:

VPN1: Sites 2 and 4

VPN2: Sites 1, 3, and 4

VPN3: Sites 1, 3, and 5

Figure 1-2 Customer Sites with VPNs

Distribution of VPN Routing Information

The distribution of VPN routing information is controlled through the use of VPN route target communities, implemented by BGP extended communities. VPN routing information is distributed in this manner:

• When a VPN route learned from a CE device is added to the BGP process, a list of VPN route target extended community attributes is associated with it. The attribute values are obtained from an export list of route targets associated with the VRF from which the route was learned.
• An import list of route target extended communities is also associated with each VRF. The import list defines route target extended community attributes that a route must have in order for the route to be imported into the VRF. For example, if the import list for a particular VRF includes route target communities A, B, and C, then any VPN route that carries any of those route target extended communities—A, B, or C—is imported into the VRF.

A PE router can learn an IP prefix from a CE device by static configuration, through a BGP session, or through a routing protocol, such as OSPF, EIGRP and Routing Information Protocol (RIP), with the CE device. The IP prefix is a member of the IPv4 address family. After it learns the IP prefix, the PE router converts it into a VPN-IPv4 prefix by combining it with an 8-byte route distinguisher. The generated prefix is a member of the VPN-IPv4 address family and uniquely identifies the customer address, even if the customer site is using globally nonunique (unregistered private) IP addresses.

BGP distributes reachability information for VPN-IPv4 prefixes for each VPN. BGP communication takes place at two levels: within IP domains, known as autonomous systems (internal BGP or IBGP), and between autonomous systems (external BGP or EBGP). The PE-to-PE sessions are IBGP sessions, and PE-to-CE sessions are EBGP sessions.

BGP propagates reachability information for VPN-IPv4 prefixes among provider-edge routers by using the BGP multiprotocol extensions, which define support for address families other than IPv4. It does this in a way that ensures that the routes for a given VPN are learned only by other members of that VPN, which enables members of the VPN to communicate with each other.

Default MPLS Configuration

By default, label switching of IPv4 packets along normally routed paths is globally enabled. MPLS forwarding of IPv4 packets is disabled by default on interfaces.

If no label protocol is explicitly configured for an interface, the default label distribution protocol for the switch is used by the Label Distribution Protocol (LDP). By default, the labels of all destinations are advertised to all LDP neighbors.

No VRFs are defined. The default routing table for an interface is the global routing table.

MPLS VPN Configuration Guidelines

Follow these guidelines when configuring MPLS VPN:

• MPLS requires that CEF is enabled on the switch. CEF is enabled by default. For more information about CEF, see the “Configuring Cisco Express Forwarding” section.
• The switch supports MPLS forwarding on the following interfaces:

– Routed ports

– SVIs

– Routed EtherChannels

Note Some MPLS features require specific software licenses.

SVI Limitations

The following limitations apply when configuring MPLS VPN over SVIs:

1. When MPLS is enabled on SVI, the SVI cannot be part of more than 4 EFP.

2. SVI cannot be part of a switchport trunk, allowing that VLAN and EVC BD.

3. SVI is not supported on port channel interfaces.

4. MPLS-TE is not supported on SVI.

5. When Xconnect is configured on a SVI, mpls ip configuration on that SVI is not allowed.

Enabling MPLS

To use MPLS in a network, such as the one shown in Figure 1-1, MPLS must be globally enabled and explicitly configured on the provider-edge routers.

Beginning in privileged EXEC mode, follow these steps to incrementally deploy MPLS through a network, assuming that packets to all destination prefixes should be label-switched:

Repeat these steps for every PE router in the network and the appropriate interfaces until all routers and connected interfaces are enabled for MPLS.

Use the no mpls ip global configuration command to disable MPLS on the switch. Use the no mpls label protocol ldp global configuration command to disable LDP.

Defining VPNs

Note Before defining VPNs, enable MPLS on the switch (see Enabling MPLS).

Beginning in privileged EXEC mode, follow these steps to define VPN routing instances on the PE router:

Use the no ip vrf vrf-name global configuration command to delete a VRF and remove interfaces from it. Use the no ip vrf forwarding interface configuration command to remove an interface from a VRF.

Configuring BGP Routing Sessions

Beginning in privileged EXEC mode, follow these steps on the provider-edge router to configure BGP routing sessions in a provider network:

Use the no router bgp autonomous-system global configuration command to delete the BGP routing session.

Configuring Provider-Edge-to-Provider-Edge Routing Sessions

You can configure provider-edge-to-provider-edge (PE-PE) routing sessions using IBGP or BGP.

IBGP Provider-Edge-to-Provider-Edge Configuration

Beginning in privileged EXEC mode, follow these steps on the provider-edge router to configure a PE-to-PE routing session in a provider network that uses IBGP:

Use the no router bgp autonomous-system global configuration command to delete the BGP routing session.

IBGP Provider-Edge-to-Provider-Edge Configuration

Beginning in privileged EXEC mode, follow these steps on the provider-edge router to configure a PE-to-PE routing session in a provider network that uses IBGP:

Use the no router bgp autonomous-system global configuration command to delete the BGP routing session.

Configuring Provider-Edge-to-Customer-Edge Routing Sessions

You can configure provider-edge-to-customer-edge (PE-CE) routing sessions using any of these protocols:

• BGP
• OSPF
• RIPv2
• Static Route
• EIGRP

BGP Provider-Edge-to-Customer-Edge Configuration

Beginning in privileged EXEC mode, follow these steps on the provider-edge router to configure a provider-edge-to-customer-edge (PE-to-CE) routing session in a provider network that uses BGP:

Use the no router bgp as-number global configuration command to delete the BGP routing session.

OSPF Provider-Edge-to-Customer-Edge Configuration

Beginning in privileged EXEC mode, follow these steps on the provider-edge router to configure a PE-to-PE routing session in a provider network that uses OSPF:

Use the no router bgp as-number global configuration command to delete the BGP routing session.

RIPv2 Provider-Edge-to-Customer-Edge Routing Sessions

Beginning in privileged EXEC mode, follow these steps on the provider-edge router to configure RIPv2 PE-to-CE routing:

Use the no router rip global configuration command to disable RIP routing.

Configuring Static Route Provider-Edge-to-Customer-Edge Routing Sessions

Beginning in privileged EXEC mode, follow these steps on the provider-edge router to configure static routing:

EIGRP Provider-Edge-to-Customer-Edge Configuration

Beginning in privileged EXEC mode, follow these steps on the provider-edge router to configure a provider-edge-to-customer-edge (PE-to-CE) routing session in a provider network that uses EIGRP:

Use the no router eigrp as-number global configuration command to delete the EIGRP routing session.

Packet Flow in an MPLS VPN

Figure 1-3 is an example of packet flow between two customer sites in an MPLS VPN network.

Figure 1-3 Sample MPLS VPN Packet Flow

A customer (Fast Ethernet) port on switch PE1 is configured for routed operation in a VPN. The port uses static routing or a routing protocol (RIP, OSPF, EIGRP, or BGP) to forward packets. MP-BGP is configured over the PE1 switch ES port with a route distinguisher that is associated with the customer’s VPN. MP-BGP is configured to redistribute the routes and their associated VPN labels over the ES port that is using this route distinguisher.

The packet flow follows these steps:

Step 1 Provider-edge switch PE1 (which could be a Metro switch) receives a packet from the customer switch at site 1. The switch determines from the lookup table that the VRF is a VLAN running MPLS and uses the MPLS lookup table to determine what to do with the packet. The MPLS lookup table contains the peer LSR as the destination MAC address and the local interface as the source MAC address.

Step 2 PE1 finds a BGP route with the appropriate next hop and labels, adds the appropriate labels to the packet, and forwards the packet out of the ES port to the next hop router (P3).

Step 3 The P3 router receives the packet and forwards it over the MPLS-VPN network, based on the packet’s top label—the interior gateway protocol (IGP) label—and then removes the top label.

Step 4 PE3 receives the packet, removes the MPLS encapsulation, and forwards the packet by using the VRF interface associated with the VPN label contained in the packet that has the customer-edge switch CE2 as the destination.

Sample Configurations

This example shows a Layer 3 VPN configured on an EFP:

This example shows a Layer 3 VPN configured on a switched virtual interface (SVI):

This example shows a Layer 3 VPN configured using non-switchport port mode:

This example shows a Layer 3 VPN configured on a switchport and an SVI:

For information about load balancing, see the Multiprotocol Label Switching Configuration Guide Library, Cisco IOS Release 15.x.

MPLS TE

MPLS traffic engineering (TE) provides control over how traffic is routed through the network. This increases the bandwidth efficiency by preventing over-use of some links while other links are under used. TE overrides the shortest path selected by the Interior Gateway Protocol (IGP) to select the most efficient path for traffic. Network resources are advertised by using a link-state routing protocol, such as Intermediate System-to-Intermediate System (IS-IS) or Open Shortest Path First (OSPF). MPLS TE then uses a unidirectional LSP or tunnel to forward traffic, calculating the tunnel paths based on required and available resources.

Regular MPLS traffic engineering automatically establishes and maintains label-switched paths (LSPs) across the backbone using Resource Reservation Protocol (RSVP). The path used by a given LSP is based on the LSP resource requirements and available network resources such as bandwidth. Available resources are flooded via extensions to the link-state based IGP.

For more information on MPLS TE, see Multiprotocol Label Switching Configuration Guide Library, Cisco IOS Release 15.x.

Paths for LSPs are calculated at the LSP headend, the first router in the LSP path. Under failure conditions, the headend determines a new route for the LSP based on destination, bandwidth, link attributes, and priority. RSVP-TE then establishes and maintains the TE tunnel across the MPLS backbone network. Packets are switched inside the tunnel by using MPLS labels. Recovery at the headend provides for the optimal use of resources.

The number of supported tunnels depends upon the installed license. Refer to the licensing document.

The switch supports these MPLS TE features:

• OSPF, IS-IS, and RSVP extensions to support MPLS TE
• TE autotunnel primary and backup
• TE tunnel reoptimization to improve overall efficiency by rerouting some traffic trunks to new paths
• TE load sharing to a destination over paths with unequal costs. The switch supports up to 256 load-shared routes (load-shared routes for up to 256 destinations). Any additional load-balanced routes are forwarded in one path in the hardware.
• TE IP explicit address exclusion to exclude a link or node from the path. You use the ip explicit-path global configuration mode to enter explicit-path configuration mode and then use the exclude-address command to specify addresses to exclude from the path.
• Support for LDP over TE tunnels for Layer 3 VPN traffic by entering the mpls ip interface configuration command on the tunnel interface. The switch does not support LDP over TE tunnels for Layer 2 VPN traffic.
• Traffic forwarding to the TE tunnel using static routing
• TE autoroute, which installs the routers announced by the tailend router and the downstream routers into the routing table of the headend router. All traffic directed to prefixes beyond the tunnel end are pushed into the tunnel.
• Prefix-independent fast reroute.

The switch does not support these MPLS TE features:

• Interarea TE support for OSPF and IS-IS
• TE path protection
• Shared risk link group (SRLG)
• Traffic forwarding to the TE tunnel using policy routing
• Traffic forwarding to the TE tunnel using forwarding adjacency
• Auto bandwidth
• Autotunnel mesh group

MPLS TE Fast Reroute

With MPLS TE, when a link or node failure occurs, the LSP headend determines a new route for the LSP. However, due to messaging delays, the headend cannot recover as quickly as making a repair at the point of failure. Fast reroute (FRR) protects the LSPs from link and node failures by locally repairing the LSP at the point of failure, allowing data to continue to flow while the headend routers establish replacement end-to-end LSPs. Fast reroute locally repairs the protected LSP by rerouting all LSP traffic crossing a failed link over backup tunnels that bypass the failed link or node.

• Link protection is also referred to as next hop (N-Hop) protection because the new route terminates at the next hop beyond the LSP failure.
• Node protection is also referred to as next-next-hop (NN-Hop) protection because the new route bypasses the next hop node and terminates at the node following the next-hop node. Node protection also provides protection from link failures because traffic bypasses the failed link and the failed node.

For more information about MPLS TE fast reroute, see Multiprotocol Label Switching Configuration Guide Library, Cisco IOS Release 15.x.

The reroute decision is completely controlled locally by the router interfacing the failed link. The headend of the tunnel is also notified of the link failure through the IGP or through RSVP; the headend then attempts to establish a new LSP that bypasses the failure.

Note Local reroute prevents any further packet loss caused by the failed link. If the tunnel is configured to be dynamic, the headend of the tunnel then has time to reestablish the tunnel along a new, optimal route. If the headend still cannot find another path to take, it continues to use the backup tunnel.

Fast link change detection (FLCD) and RSVP hello messages form the failure detection mechanism. FLCD is notified when an interface encounters a link status change and RSVP hello enables the RSVP nodes to detect when a neighboring node is not reachable. You can configure RSVP hello messages by entering the ip rsvp signalling hello [ fast reroute ] refresh global configuration command.

Note The ip rsvp signalling hello [fast reroute] refresh command is needed only when loss of signal cannot be detected.

Backup tunnels have these characteristics on the switch:

• A backup tunnel can protect multiple LSPs.
• When the primary tunnel restores, traffic changes from the backup tunnel back to the primary tunnel.
• The switch does not support backup tunnel bandwidth protection.
• The switch supports MPLS TE fast reroute over only routed ports and not over SVIs or EtherChannels.

MPLS TE Primary and Backup Autotunnel

The primary and backup autotunnel feature enables a switch to dynamically build backup tunnels and to dynamically create one-hop primary tunnels on all interfaces configured for MPLS TE.

• Primary autotunnel dynamically creates one-hop primary tunnels on all MPLS TE interfaces. Instead of configuring an MPLS TE tunnel with fast-reroute, you enter the mpls traffic-eng auto-tunnel primary onehop global configuration command to dynamically create one-hop tunnels on all MPLS TE interfaces.
• Backup autotunnel enables a router to dynamically build backup tunnels when they are needed so that you do not need to configure them manually. To configure backup autotunnel, enter the mpls traffic-eng auto-tunnel backup router configuration command.

Default MPLS TE and Fast Reroute Configuration

MPLS TE and fast reroute are not configured.

Backup or primary autotunnel is not configured.

MPLS TE and Fast Reroute Configuration Guidelines

Follow these guidelines when configuring MPLS TE:

• Not all of the MPLS TE commands that are visible in the switch command-line interface help are supported. See the “Multiprotocol Label Switching (MPLS) Commands” section of Appendix 1, “Unsupported Commands in Cisco IOS Release 15.3(2)S.”
• To configure MPLS traffic engineering and fast reroute, the network must be running IP Cisco Express Forwarding (CEF) and MPLS and support at least one of these protocols: OSPF or IS-IS.
• For information on all MPLS commands, see the MPLS command reference at this URL:

http://www.cisco.com/en/US/docs/ios-xml/ios/mpls/command/mp-cr-book.html

Configuring MPLS TE

For more information on MPLS TE, see Multiprotocol Label Switching Configuration Guide Library, Cisco IOS Release 15.x.

Beginning in privileged EXEC mode, follow these steps to configure MPLS TE and configure an interface to support RSVP-based tunnel signalling and IGP flooding:

Enter no mpls traffic-eng tunnels to disable MPLS traffic engineering tunnels on the switch or interface. Enter the no rsvp bandwidth interface configuration command to return to the default.

Configuring an MPLS TE Tunnel

Beginning in privileged EXEC mode, follow these steps to configure an MPLS traffic engineering tunnel. The configured tunnel has two path setup options—a preferred explicit path and a backup dynamic path.

Enter the no forms of the commands to remove the configured MPLS tunnels. Enter the no ip explicit-path name global configuration command to disable IP explicit paths.

Configuring the Routing Protocol for MPLS TE

Beginning in privileged EXEC mode, follow these steps to configure IS-IS or OSPF for MPLS traffic engineering:

To remove the traffic engineering router identifier, use the no mpls traffic-eng router-id command.

Configuring TE Fast Reroute

Before or after entering the commands described in these procedures, you must enable the MPLS traffic engineering tunnel capability globally on the tunnel routers by entering the mpls traffic-eng tunnels global and interface configuration com mands. For information about the commands for MPLS TE fast reroute, see this URL:

http://www.cisco.com/en/US/docs/ios-xml/ios/mpls/command/mp-cr-book.html

Beginning in privileged EXEC mode, follow these steps to enable MPLS traffic engineering fast reroute on an MPLS tunnel and to create a backup tunnel to the next hop or next-next hop:

Enter the no tunnel mode mpls traffic-eng global configuration command to disable MPLS traffic engineering or the no ip explicit-path global configuration command to remove the IP explicit path configuration.

Configuring a Protected Link to Use a Backup Tunnel

Beginning in privileged EXEC mode, follow these steps to configure a protected link to use the backup tunnel:

To remove the backup tunnel configuration, enter the no mpls traffic-eng backup-path tunnel interface configuration command.

Configuring Fast Reroute Failure Detection (Optional)

This configuration is needed only when loss of signal cannot be detected.

Beginning in privileged EXEC mode, follow these steps to configure fast reroute failure detection:

Enter the no ip rsvp signalling hello global configuration command to disable Hello signalling on the switch. Enter the no ip rsvp signalling hello fast-reroute refresh misses or the no ip rsvp signalling hello fast-reroute refresh interval interface configuration command to set the misses or refresh interval to the default.

Configuring Primary and Backup Autotunnels

The Autotunnel Primary and Backup feature enables a router to dynamically build backup tunnels and to dynamically create one-hop primary tunnels on all interfaces configured for MPLS TE. For information about the commands for MPLS autotunnel, see this URL:

http://www.cisco.com/en/US/docs/ios-xml/ios/mpls/command/mp-cr-book.html

Beginning in privileged EXEC mode, follow these steps to automatically create primary tunnels to all next hop neighbors:

Enter the no form of each command to delete the tunnel or disable the feature or capability. To remove all primary auto tunnels, enter the clear mpls traffic-eng auto-tunnel primary privileged EXEC command.

Beginning in privileged EXEC mode, follow these steps to establish MPLS backup auto tunnels:

Enter the no form of each command to delete the tunnel or disable the feature or capability.

Interaction with Other Features

This section describes how EoMPLS interacts other features. It includes these sections:

• EoMPLS and IEEE 802.1Q Tunneling
• EoMPLS and Layer 2 Tunneling
• EoMPLS and Q in Q
• EoMPLS and QoS

EoMPLS and IEEE 802.1Q Tunneling

IEEE 802.1Q tunneling enables service providers to use a single VLAN to support customers who have multiple VLANs, while preserving customer VLAN IDs and segregating traffic in different VLANs. For more information about IEEE 802.1Q tunneling, see Chapter1, “Configuring Ethernet Virtual Connections (EVCs)”

Figure 1-4 is an example configuration where IEEE 802.1Q-tunneled traffic is forwarded using EoMPLS over an MPLS network. To support IEEE 802.1Q tunneling in a topology where a Layer 2 device connects to an MPLS network through a switch functioning as a provider-edge device, the ingress LAN port on the PE that receives the IEEE 802.1Q tunnel-encapsulated traffic (PE1) is configured as a tunnel port that accepts VLAN 100 traffic. On PE1, the interface is configured for port-based EoMPLS forwarding, with PE2 as the destination IP address. When packets from VLANs 10 to 50 arrive from CE1, they are encapsulated in VLAN 100 and sent to the PE1 egress port that is connected to the MPLS network. At the egress port, an MPLS tag is added to the frame header before it is mapped to a virtual connection and forwarded to the next MPLS PE (PE2).

Figure 1-4 EoMPLS Example

By entering the xconnect interface configuration command on either a VLAN for VLAN-based EoMPLS or an Ethernet port for port-based EoMPLS, you can configure an EoMPLS tunnel to forward traffic based on either the customer VLAN or the Ethernet port.

• To forward IEEE 802.1Q tunnel-encapsulated traffic through the MPLS core to a specific recipient on the other side of the MPLS network, configure port-based EoMPLS.
• To forward IEEE 802.1Q tunnel-encapsulated traffic from an access device to a provider-edge router, configure VLAN-based EoMPLS.

EoMPLS and Layer 2 Tunneling

Layer 2 protocol tunneling over an EoMPLS link allows CDP, STP, and VTP protocol data units (PDUs) to be tunneled through an MPLS network. To support Layer 2 protocol tunneling when the Layer 2 device connects to an MPLS network through a switch functioning as a PE, you configure the ingress port on the provider-edge that receives the Layer 2 protocol traffic as a tunnel port. The Layer 2 protocol traffic is encapsulated before it is forwarded over the MPLS network. For more information about Layer 2 protocol tunneling, see Chapter1, “Configuring Ethernet Virtual Connections (EVCs)”

This example shows how to configure Layer 2 tunneling:

S witch(config)# interface Vlan102

S witch(config-if)# no ip address

S witch(config-if)# xconnect 12.12.12.12 102 encapsulation mpls

S witch(config)# interface GigabitEthernet0/24

S witch(config-if)# switchport trunk allowed vlan none

S witch(config-if)# switchport mode trunk

S witch(config-if)# no keepalive

S witch(config-if)# service instance 1 ethernet

S witch(config-if)# encapsulation untagged

S witch(config-if)# l2protocol tunnel cdp

S witch(config-if)# bridge-domain 102

EoMPLS and Q in Q

When the remote PE supports Q in Q, but not VC type 4, you can use the platform rewrite imposition tag push 1 symmetric interface configuration command to push an additional VLAN tag to make the type 5 PW work like a Q in Q Layer 2 port.

Note The command has no effect on a VC type 4 PW.

This example sends packets with VLAN 11 to EFP 1. When the packets reach the remote PE, the payload Layer 2 packets have two VLAN tags, VLAN 101 and VLAN 11.

Packets sent from the remote PE have an outer VLAN with any VLAN number and VLAN 11. The outer VLAN number is popped at this PE, and the packets are sent out from EFP 1 with VLAN 11.

EoMPLS and QoS

EoMPLS supports QoS by using three experimental bits in a label to determine the priority of packets. To support QoS between label edge routers (LERs), you set the experimental bits in both the virtual connection and the tunnel labels. EoMPLS QoS classification occurs on ingress, and you can only match on Layer 3 parameters (such as IP or DSCP) and Layer 2 parameters (CoS). See Chapter 1, “Configuring Quality of Service (QoS)” for more information about EoMPLS and QoS.

EoMPLS Limitations

These restrictions apply to EoMPLS:

• You cannot configure MPLS and EoMPLS on the same port.
• MTU—EoMPLS does not support packet fragmentation and reassembly. Therefore, the maximum transmission unit (MTU) of all intermediate links between endpoints must be sufficient to carry the largest Layer 2 VLAN received. The ingress and egress provider-edge routers must have the same MTU value.
• Address Format—All loopback addresses on provider-edge routers must be configured with 32-bit masks to ensure proper operation of MPLS forwarding. OSPF requires the use of loopback addresses.
• Packet Format—EoMPLS supports VLAN packets that conform to the IEEE 802.1Q standard. ISL encapsulation is not supported between provider-edge and customer-edge routers.
• STP— Do not enable per-VLAN spanning-tree (PVST) on the VLAN configured for an EoMPLS session. STP instances are not supported on this VLAN. All PVST bridge protocol data units (BPDUs) coming in on the EoMPLS VLAN from the customer side are tunneled transparently as data packets over to the EoMPLS pseudowire and vice-versa.
• Trunking—The native VLAN of a trunk cannot be an EoMPLS VLAN.
• You can enable EoMPLS on IEEE 802.1Q interfaces by using the xconnect interface configuration command. Use the xconnect command to configure pseudowire redundancy.
• IGMP—Disable IGMP for any bridge domain where pseudowire is configured.

Default EoMPLS Configuration

By default, EoMPLS is not configured.

The mpls ldp router-id command is disabled. No virtual connections are configured.

EoMPLS Configuration Guidelines

When you configure EoMPLS, you must follow these guidelines:

• Before enabling EoMPLS, you must enable dynamic MPLS labeling by using the mpls ip interface configuration command on all paths between the imposition and disposition LERs. MPLS is globally enabled by default.
• For VLAN-based EoMPLS, you must configure VLANs on the switch.
• EoMPLS operation between two provider-edge routers requires an LDP session between the routers. The IP address used by each router as its LDP router ID must be reachable through IP by the other. Use the optional mpls ldp router-id global configuration command to control the selection of the LDP router ID by specifying the interface whose IP address should be used.

– If the specified interface is up and has an IP address, you can use the command without the optional force keyword. When the router ID is selected, that IP address is selected as the router ID.

– If the specified interface is not up or does not have an IP address, use the force keyword with the command to ensure that the IP address of the specified interface is used when that interface is brought up.

• Both provider-edge routers require a loopback address that you can use to create a virtual connection between the routers. When you use OSPF as the interior gateway protocol, you must configure all loopback addresses on provider-edge routers with 32-bit masks to ensure proper operation of MPLS forwarding between the provider-edge routers.
• Do not configure EoMPLS on an interface configured for VLAN mapping.
• You can set the maximum transmission unit (MTU) value on an SVI.

Configuring EoMPLS

You configure VLAN-based EoMPLS on a VLAN interface. When VLAN-based EoMPLS is enabled, the switch associates the tunnel and virtual-connection labels based on the VLAN ID. You use the same commands to enable port-based EoMPLS.

Beginning in privileged EXEC mode, follow these steps on the provider-edge routers to configure EoMPLS to transport Layer 2 packets between two endpoints:

Use the no xconnect destination vc-id encapsulation mpls interface command to delete the EoMPLS tunnel.

This example shows how to configure an EoMPLS tunnel between switch PE1’s routed port and PE2’s VLAN 4 interface.

PE1 has an IP address 10.0.0.1/32, and PE2 has IP address 20.0.01/32. Both provider-edge routers are configured with an MPLS connection to the MPLS core. The VC ID is 123.

Enter these commands on the PE1 switch:

Enter these commands on the PE2 switch:

This example shows how to set the MTU value on an SVI.

Configuring the Pseudowire Using Pseudowire Class

The pseudowire-class configuration specifies the characteristics of the tunneling mechanism, including encapsulation type and control protocol. You must specify the encapsulation mpls command as part of the pseudowire class for the AToM VCs to work properly.

Beginning in privileged EXEC mode, follow these steps to configure a pseudowire class:

This example configures the pseudowire class test.

This example shows how to display the preferred path using the show mpls l2transport vc 2 detail command.

Configuring L2VPN Interworking

Layer 2 transport over MPLS and IP exists for like-to-like attachment circuits, such as Ethernet-to-Ethernet. L2VPN interworking builds on this functionality by allowing disparate attachment circuits to be connected. An interworking function facilitates the translation between the different Layer 2 encapsulations.

For information about L2VPN interworking, see the L2VPN Interworking feature module at this URL:

http://www.cisco.com/en/US/docs/ios-xml/ios/mp_l2_vpns/configuration/15-s/mp-l2-vpns-15-s-book.html

Note that the switch does not support ATM interfaces, Point-to-Point Protocol (PPP), or frame relay as mentioned in this document.

L2VPN interworking on the ME 3800X and ME 3600X switches works in either Ethernet mode (VC type 5) or VLAN mode (VC type 4). You specify the mode by entering the interworking { ethernet | vlan } command in pseudowire-class configuration mode. Although visible in the command-line interface help, the ip keyword is not supported. Entering the interworking command causes the attachment circuits to be terminated locally.

The keywords perform these functions:

• The ethernet keyword causes Ethernet frames to be extracted from the attachment circuit and sent over the pseudowire. Ethernet end-to-end transmission is assumed. Attachment circuit frames that are not Ethernet are dropped.
• The vlan keyword causes VLAN-tagged packets to be extracted and sent over the pseudowire. Frames that are not VLAN-tagged are dropped.

Beginning in privileged EXEC mode, follow these steps to configure L2VPN VLAN interworking on a PE router:

This example shows how to configure VLAN interworking:

For a more detailed configuration example, see the configuration example for “Ethernet to VLAN over AToM (Bridged): Example” in the L2VPN Interworking feature module.

EoMPLS and EVC

When a pseudowire is configured on a VLAN interface, the pseudowire becomes a virtual Layer 2 port in that VLAN or bridge domain. You can configure other types of L2 ports, such as EFP ports and switch ports in the same bridge domain. Switch functions, such as MAC address learning, flooding, and forwarding to learned MAC addresses apply to all the Layer 2 ports, including the pseudowire.

Note When EFP and a pseudowire are configured in the same bridge domain, EFP cannot be configured with the rewrite ingress tag pop 2 symmetric command. Other restrictions on switching between EFPs or between EFPs and switch ports also apply.

This example shows how to configure a pseudowire on a VLAN interface:

To see the MAC addresses learned from a pseudowire, enter the show mac address-table dynamic command. The example below shows output from the command.

You can disable MAC address learning on a VLAN or a bridge domain.

This command disables MAC address learning on a VLAN.

This command disables MAC address learning on a bridge domain.

Note The output of the show mac address-table command does not include the port name for a pseudowire from which a MAC address is learned.

Configuring EVC Xconnect

Follow these steps to configure EVC xconnect:

Configure Pseudowire-class

This example shows how to configure EVC Xconnect:

Configuring Support for Integrated Routing and Bridging (IRB)

IRB enables a user to route a protocol on one group of interfaces and bridge a protocol on separate group of interfaces within a single router. The protocol can be either routed or bridged on a given interface, but not both.

This example show how to configure IRB:

Packet Flow in an EoMPLS Network

Figure 1-5 is an example of packet flow in an EoMPLS network. A customer port on PE1 is configured for a per-port EoMPLS tunnel to a remote customer port on PE2. This allows the two physically separated customer switches (A and B) connected to these ports to appear as if they are directly connected on the same physical LAN.

The EoMPLS tunnel is configured with the IP address of Switch B and a VC ID that is associated with the remote customer port. Switch PE1 establishes a tunnel LSP with switch PE2 by using a label advertised with LDP by Router A, which is connected to switch PE1. Switch PE1 then establishes a targeted LDP session to switch PE2 to advertise the virtual-connection label associated with the VC ID. When switch PE2 is configured with the EoMPLS tunnel, it also establishes a targeted LDP session to advertise the virtual-connection label it associated to the VC ID. This establishes an EoMPLS tunnel between switch PE1 and switch PE2.

Figure 1-5 Sample EoMPLS Packet Flow

Assume that Host A is connected to the customer switch on VLAN 3 that has a trunk port connected to PE1 configured for IEEE 802.1Q tagging. Host A sends a packet to Host B, using the specific values of MAC addresses, labels, and VLANs shown in the figure. The customer switch tags the host packet and forwards it over the trunk port to switch PE1.

The tagged packet is received on the customer-edge port that is configured for per-port EoMPLS tunneling. The PE1 switch examines the packet headers and looks at the tables stored in the switch to determine what to do with the packet. Because the port is configured for per-port EoMPLS tunneling, the switch does not remove any VLAN tags that are in the packet, but assigns the packet to an internal VLAN. Only the customer port and the PE1 port are configured with that internal VLAN, which makes the PE1 port the only possible destination for the packet.

The PE1 port encapsulates the packet header with the tunnel label and the virtual-connection label and forwards the packet to the next hop, in this case Router A, to send it across the MPLS network.

The router receives the packet and forwards it over the MPLS network to the remote PE2 switch. PE2 removes the MPLS encapsulation and sends the packet out the port associated with the virtual-connection label. Customer Switch B removes the final VLAN tag and forwards the packet to the remote host B.

VLAN-based EoMPLS packet flow is basically the same as port-based EoMPLS, except that the customer VLAN is used instead of an internal VLAN. The PE1 switch looks up the customer VLAN ID to determine that the packet is forwarded to the designated port, where the packet is again examined and encapsulated with the tunnel label and virtual-connection label based on the EoMPLS for that VLAN.

Configuring L2VPN Pseudowire Redundancy

Successful transmission of Layer 2 frames between PE routers requires a connection, called a pseudowire , between the routers. You can use the L2VPN pseudowire redundancy feature to configure your network to detect a failure in the network and reroute the Layer 2 service to another endpoint that can continue to provide service. This feature provides the ability to recover from a failure of either the remote provider edge (PE) router or of the link between the PE and customer edge (CE) routers.

For more information see Wide-Area Networking Configuration Guide Library, Cisco IOS Release 15.x.

L2VPNs also provide pseudowire resiliency through their routing protocols. When connectivity between end-to-end PE routers fails, an alternative path is provided between the directed LDP session and the user data. However, there are some parts of the network where this rerouting mechanism does not protect against interruptions in service. Figure 1-6 shows those parts of the network that are vulnerable to an interruption in service.

Figure 1-6 Points of Potential Failure in an L2 VPN Network

L2VPN pseudowire redundancy provides the ability to ensure that the CE2 router in Figure 1-6 can always maintain network connectivity, even if one or all of the failures in the figure occur. You can configure a backup pseudowire so that if the primary pseudowire fails, the provider-edge router switches to the backup pseudowire. You can configure the primary pseudowire to resume operation after it restarts. You can also configure the network with redundant pseudowires and redundant network elements (routers).

Figure 1-7 shows a network with redundant pseudowires and redundant attachment circuits. You can also optionally configure the network with redundant CE routers and redundant PE routers.

Figure 1-7 L2 VPN Network with Redundant Pseudowires and Attachment Circuits

This section includes this information:

• Configuration Guidelines
• Configuring Pseudowire Redundancy
• Forcing a Manual Switchover to the Backup Pseudowire VC
• Monitoring L2VPN Pseudowire Redundancy

Configuration Guidelines

Follow these guidelines when configuring L2 VPN pseudowire redundancy:

• The default Label Distribution Protocol (LDP) session hold-down timer enables the software to detect failures in about 180 seconds. You can use the mpls ldp holdtime global configuration command to configure the switch to detect failures more quickly.
• The primary and backup pseudowires must run the same type of transport service. You must configure Any Transport over MPLS (AToM) on both the primary and backup pseudowires.
• L2VPN pseudowire redundancy does not support different pseudowire encapsulation types on the MPLS pseudowire.
• L2VPN pseudowire redundancy does support setting the experimental (EXP) bit on the MPLS pseudowire.
• The switch does not support LDP MAC address withdrawal.
• The mpls l2transport route command is not supported. Use the xconnect command instead.
• The backup pseudowire cannot be operational at the same time that the primary pseudowire is operational. The backup pseudowire becomes active only after the primary pseudowire fails.
• VCCV is supported only on the active pseudowire.
• The switch does not support more than one backup pseudowire.

Configuring Pseudowire Redundancy

When configuring pseudowire redundancy, you use the xconnect interface configuration command for each transport type. Beginning in privileged EXEC mode, follow these steps to configure pseudowire redundancy on a PE router:

This example shows how to configure pseudowire redundancy as a switchover to the peer with the IP address 10.1.1.12 immediately when a failure occurs and to not switch back to the primary VC when it becomes available.

This example shows the output of the show mpls l2transport vc privileged EXEC command when the primary attachment circuit is up and the backup attachment circuit is available, but not currently selected.

Forcing a Manual Switchover to the Backup Pseudowire VC

You can manually force the router to switch to the backup or primary pseudowire. You can specify either the interface of the primary attachment circuit or the IP address and VC ID of the peer router. If the specified interface or peer is not available, the switchover does not occur. The backup pseudowire becomes active when you enter the command.

Beginning in privileged EXEC mode, follow these steps to force a pseudowire switchover:

This command forces a switchover to the peer with the IP address 10.1.1.4 and VCID 33.

Monitoring L2VPN Pseudowire Redundancy

Use the privileged EXEC commands in Table 1-3 to verify or monitor pseudowire redundancy.

You can also use the xconnect logging redundancy global configuration command to track the status of the xconnect redundancy group. The command generates messages during switchover events.

This example shows pseudowire redundancy.

Restrictions for Routed VPLS/EoMPLS

• Routed Pseudowire with VC Type 4 is not supported.

Figure 1-8 shows how Routed VPLS/EoMPLS is connected.

Figure 1-8 Routed VPLS/EoMPLS

Configuring Routed Pseudowire

In the privileged EXEC mode, perform these steps to configure routed pseudowire.

This is an example of routed pseudowire configuration:

Configuring Routed VPLS

In the privileged EXEC mode, perform these steps to configure routed VPLS.

This is an example of basic routed VPLS configuration:

Full-Mesh Configuration

A full-mesh configuration requires a full mesh of tunnel label switched paths (LSPs) between all the PEs that participate in the VPLS. With full mesh, signaling overheads and packet replication requirements for each provisioned VC on a PE can be high.

Set up a VPLS by first creating a virtual forwarding instance (VFI) on each participating PE router. The VFI specifies the VPN ID of a VPLS domain, the addresses of other PE routers in the domain, and the type of tunnel signaling and encapsulation mechanism for each peer PE router.

The set of VFIs formed by the interconnection of the emulated VCs is called a VPLS instance. It is the VPLS instance that forms the logic bridge over a packet-switched network. The VPLS instance is assigned a unique VPN ID.

The PE routers use the VFI to establish a full-mesh LSP of emulated VCs to all the other PE routers in the VPLS instance. PE routers obtain the membership of a VPLS instance through static configuration using the Cisco IOS CLI.

A full-mesh configuration allows the PE router to maintain a single broadcast domain. Thus, when the PE router receives a broadcast, multicast, or unknown unicast packet on an attachment circuit, it sends the packet out through all the other attachment circuits and emulated circuits to all the other CE devices participating in that VPLS instance. The CE devices see the VPLS instance as an emulated LAN.

To avoid the problem of a packet looping in the provider core, the PE devices enforce a split-horizon principle for the emulated VCs. This means that if a packet is received on an emulated VC, it is not forwarded on any other emulated VC.

After the VFI is defined, it must be bound to an attachment circuit, then to the CE device.

The packet forwarding decision is made by looking up the Layer 2 VFI of a particular VPLS domain.

A VPLS instance on a particular PE router receives Ethernet frames that enter on specific physical or logical ports and populate a MAC table that is similar to the way an Ethernet switch works. The PE router can use the MAC address to switch those frames into the appropriate LSP for delivery to the another PE router at a remote site.

If the MAC address is not in the MAC address table, the PE router replicates the Ethernet frame and floods it to all the logical ports associated with that VPLS instance, except the ingress port it just entered. The PE router updates the MAC table as it receives packets on specific ports, and removes the addresses that have not been used for specific periods.

Hub and Spoke

In a hub-and-spoke model, the PE router that acts as the hub establishes a point-to-multipoint forwarding relationship with all the PE routers at the spoke sites. An Ethernet or VLAN packet received from the customer network on the hub PE can be forwarded to one or more emulated VCs.

The PE routers that act as spokes establish a point-to-point connection to the PE at the hub site. Ethernet or VLAN packets received from the customer network on the spoke PE are forwarded to the VFI or VPLS instance at the hub. If there are a number of customer sites connecting to the spokes, you can terminate multiple VCs per spoke in the same VFI or VPLS instance at the hub.

VPLS-Supported Features

• Imposition VLAN rewrite per pseudowire—This feature connects two L2 domains. VLAN rewrite is usually done at the disposition router. However some devices do not have this capability.

VLAN rewrite at imposition is supported, but with the following restrictions:

– The rewritten VLANs must be the same if multiple ACs are attached to the same pseudowire

– Only two VLANS can be written when combining the outer and inner VLANs.

– All PW inner headers will have the same EtherType.

• AToM control word per pseudowire—This feature inserts a control word on a per pseudowire basis. The control word is always set to 0 and does not support any sequencing scheme.

PW QoS—This feature is provided by configuring an input and output policy map on a UNI or PW interface.

• PW statistics—This feature provides statistics on packets, bytes, and drops per PW prior to label imposition for packets entering a tunnel and after MPlS disposition for packets exiting a tunnel.
• UNI to PW mapping for service selection—This feature allows the following UNI attributes to be used for service selection using port mode EoMPLS and EFP-based EoMPLS:

– Per UNI port

– Per UNI port, per C-VLAN

– Per UNI port, per C-VLAN, per C-CoS

– Per UNI port, per C-VLAN, per C-DSCP

• Auto sense signalling—This feature allows two remote PEs to negotiate VC-type signaling. In earlier software release, two types of VCs were defined, Ethernet VLAN and Ethernet. Only Ethernet is applicable now.
• BGP signaling—This feature enables you to use BGP as both an autodiscovery and a signaling protocol for VPLS, in accordance with RFC 4761.
• Pseudowire over TE tunnel—This feature allows PW to go over the TE tunnels in which LDP is enabled over the TE tunnel interface and the tunnels are configured end-to-end.
• Pseudowire over FRR path—This feature allows PW to go over the FRR path.
• PW path selection over Equal-cost routes—This feature allows PWs to be routed over different paths in order to distribute the traffic load.
• LDP MAC address withdrawal—To support faster convergence times, remove and relearn the MAC addresses that have been learned over pseudowire. The LDP Address withdrawal Message contains a list of the MAC address entries that have to be relearned. The message is sent on the backup link to the remote PEs in the VPLS domain.

VPLS Services

Transparent LAN Service (TLS) and Ethernet Virtual Connection Service (EVCS) are available for service providers and enterprises.

• TLS—Use when you need transparency with regard to bridging protocols (for example, bridge protocol data units [BPDUs]) and VLAN values. Bridges see this service as an Ethernet segment.
• EVCS—Use when you need routers to reach multiple intranet and extranet locations from a single physical port. Routers see subinterfaces through which they access other routers.

Transparent LAN Service

TLS is an extension of point-to-point port-based EoMPLS. With TLS, the PE router forwards all the Ethernet packets received from the customer-facing interface (including tagged, untagged, and BPDUs) as follows:

• To a local Ethernet interface or an emulated VC if the destination MAC address is found in the Layer 2 forwarding table.
• To all other local Ethernet interfaces and emulated VCs belonging to the same VPLS domain if the destination MAC address is a multicast or broadcast address or if the destination MAC address is not found in the Layer 2 forwarding table.

VPLS BGP Signaling

Before beginning, you should be familiar with the concepts in the "Configuring Virtual Private LAN Services" and the "VPLS Autodiscovery BGP Based" modules of the MPLS Layer 2 VPNs Configuration Guide .

Prerequisites for Configuring VPLS BGP Signaling

Prior to the VPLS BGP Signaling feature, BGP was used for autodiscovery and Label Distribution Protocol (LDP) for signaling in accordance with RFC 6074. The VPLS BGP Signaling feature enables you to use BGP as the control plane protocol for both autodiscovery and signaling in accordance with RFC 4761.

As specified in RFC 4761, internal BGP (iBGP) peers will exchange update messages of the L2VPN AFI/SAFI with L2VPN information to perform both autodiscovery and signaling. The BGP multiprotocol Network Layer Reachability Information (NLRI) consists of the following:

• Route Distinguisher (RD)
• VPLS Endpoint ID (VE ID)
• VE Block Offset (VBO)
• VE Block Size (VBS)
• Label Base (LB)

The figure below shows the format of the NLRI for RFC 4761.

Figure 1-10 Figure 1 RFC 4761 NLRI

Additional information, such as next-hop, route target (specified for a VPLS instance), and other Layer 2 data are carried in the BGP extended community attributes. A route target-based import/export mechanism similar to L3VPN is performed by BGP to filter L2VPN NLRIs of a particular VPLS instance.

Whether you use BGP signaling (RFC 4761) or LDP signaling (RFC 6074) depends on the commands you specify. To enable the VPLS BGP Signaling feature, use the autodiscovery bgp signaling bgp command in L2 VFI configuration mode. This command is supported on a per VPLS instance basis.

If a BGP session receives an invalid (that is, not matching the configuration) BGP update advertisement (update or withdraw), it is ignored.

BGP's main task in supporting VPLS is route distribution via the L2VPN address family and interactions with L2VPN. Interactions between BGP and other components remain the same. Basic BGP functionalities like best-path selection, next-hop handling, and update generation, continue to operate in the same manner with VPLS BGP signaling. BGP RT constraint works seamlessly with the BGP VPLS Signaling feature.

VPLS BGP Signalling Limitations

The following limitations apply to the VPLS BGP signalling feature for the 3.8 release:

• MAC Flushing is not supported.
• Templates are not supported.
• Traffic Engineering (TE) as core interface is supported but TE as preferred path is not supported because templates are not supported.
• Support for H-VPLS will only be available for the hierarchical route reflector (RR) model.
• The maximium number of supported BGP Signaling neighbors per VFI is 32.
• BGP signaling Inter-AS option A is supported. BGP signaling Inter-AS option B and Option C are not supported.
• When the route designator (RD) is explicitly configured within the same VPLS domain, the virtual forwarding interface (VFI) with the same VPN ID on different PE's must have the same RD configured. This is as the auto-generated RD is same for Intra AS. All the PE's within a VPLS domain must have the same RD. See example Configuring VPLS BGP Signaling with Explicit RD Configurations

Configuring VPLS BGP Signaling

Summary Steps

1. enable

2. configure terminal

3. l2vpn vfi context name

4. vpn id vpn-id

5. autodiscovery bgp signaling { bgp | ldp } [ template template-name ]

6. ve id ve-id

7. ve range ve-range

8. exit

9. exit

10. router bgp autonomous-system-number

11. bgp graceful-restart

12. neighbor ip-address remote-as autonomous-system-number

13. address-family l2vpn [ vpls ]

14. neighbor ip-address activate

15. neighbor ip-address send-community [ both | standard | extended ]

16. neighbor ip-address suppress-signaling-protocol ldp

17. end

18. show bgp l2vpn vpls { all | rd route-distinguisher }

Detailed Steps

Configuration Examples for VPLS BGP Signaling

The following example configures and verifies VPLS BGP Signaling:

For access side configurations, the following example assumes that you have switchport trunk configurations on the interface:

For access side configurations, the following example assumes that instead of switchport trunk configurations, you are configuring EFP on the access interface:

Configuring VPLS BGP Signaling with Explicit RD Configurations

Configuring the VPLS Pseudowire

To configure a VPLS pseudowire tunnel between two PE routers, use either of the following procedures:

• Configuring a VPLS Pseudowire Using VFI
• Configuring the Pseudowire Using Pseudowire Class

Configuring a VPLS Pseudowire Using VFI

Create a virtual circuit (VC) using VC Type 5 signaling on each provider edge (PE) router. The interface must be a routed interface or a switched virtual interface (SVI). To establish a bidirectional label-switched protocol (LSP), perform the configuration on both the PE routers. The VC ID is used by both the PE routers to identify a VC.

In the global configuration mode, perform these steps to create a virtual forwarding infrastructure (VFI).

Configuring a P2P Pseudowire Using pw-class

In the privileged EXEC mode, perform these steps to configure a P2P pseudowire using pw-class:

VPLS Autodiscovery: BGP Based

VPLS Autodiscovery enables each Virtual Private LAN Service (VPLS) provider edge (PE) router to discover which other PE routers are part of the same VPLS domain. VPLS Autodiscovery also automatically detects when PE routers are added to or removed from the VPLS domain. You no longer need to manually configure the VPLS and maintain the configuration when a PE router is added or deleted. VPLS Autodiscovery uses the Border Gateway Protocol (BGP) to discover the VPLS members and to set up and tear down pseudowires in the VPLS.

Information About VPLS Autodiscovery: BGP Based

To understand VPLS Autodiscovery, you should understand the following concepts:

• How the VPLS Feature Works
• How the VPLS Autodiscovery: BGP Based Feature Works
• How Enabling VPLS Autodiscovery Differs from Manually Configuring VPLS
• Show Commands Affected by VPLS Autodiscovery: BGP Based

How the VPLS Feature Works

VPLS allows Multiprotocol Label Switching (MPLS) networks to provide multipoint Ethernet LAN services, also known as Transparent LAN Services (TLS). All customer sites in a VPLS appear to be on the same LAN, even though those sites might be in different geographic locations.

How the VPLS Autodiscovery: BGP Based Feature Works

VPLS Autodiscovery enables each VPLS PE router to discover the other PE routers that are part of the same VPLS domain. VPLS Autodiscovery also tracks when PE routers are added to or removed from the VPLS domain. The autodiscovery and signaling functions use BGP to find and track the PE routers.

BGP uses the L2VPN Routing Information Base (RIB) to store endpoint provisioning information, which is updated each time any Layer 2 VFI is configured. Prefix and path information is stored in the L2VPN database, allowing BGP to make decisions on the best path. When BGP distributes the endpoint provisioning information in an update message to all its BGP neighbors, the endpoint information is used to configure a pseudowire mesh to support L2VPN-based services.

The BGP autodiscovery mechanism facilitates the configuration of L2VPN services, which are an integral part of the Cisco IOS Virtual Private LAN Service (VPLS) feature. VPLS enables flexibility in deploying services by connecting geographically dispersed sites as a large LAN over high-speed Ethernet in a robust and scalable IP MPLS network. For more information about BGP and the L2VPN address family in relation to VPLS Autodiscovery, see the following documents:

• The section called “L2VPN Address Family” in the Cisco BGP Overview .
• The document called BGP Support for the L2VPN Address Family

How Enabling VPLS Autodiscovery Differs from Manually Configuring VPLS

With VPLS Autodiscovery, you no longer need to manually set up the VPLS. The commands you use to set up VPLS Autodiscovery are similar to those you use to manually configure a VPLS, as shown in Table 2 . VPLS Autodiscovery uses neighbor commands in L2VPN address family mode to distribute endpoint information to configure a pseudowire.

When you configure VPLS Autodiscovery, you enter the l2vfi autodiscovery command. This command allows the VFI to learn and advertise the pseudowire endpoints. As a result, you no longer need to enter the neighbor (VPLS) command in L2 VFI configuration mode.

However, the neighbor (VPLS) command is still supported with VPLS Autodiscovery in L2 VFI command mode. You can use the neighbor (VPLS) command to allow PE routers that do not participate in the autodiscovery process to join the VPLS. You can also use the neighbor (VPLS) command with PE routers that have been configured using the Tunnel Selection feature. You can also use the neighbor (VPLS) command in hierarchical VPLS configurations that have U-PE routers that do not participate in the autodiscovery process and have split-horizon forwarding disabled.

Show Commands Affected by VPLS Autodiscovery: BGP Based

VPLS Autodiscovery changes the following show commands:

• The show mpls l2transport vc command with the detail keyword has been updated to include FEC 129 signaling information for the autodiscovered VPLS pseudowires.
• The show vfi command now displays information related to autodiscovered VFIs. The new information includes the VPLS ID, the route distinguisher (RD), the RT, and the router IDs of the discovered peers.
• The show xconnect command has been updated with the rib keyword to provide RIB information about the pseudowires.

How to Configure VPLS Autodiscovery: BGP Based

To configure VPLS Autodiscovery, perform the following tasks:

• Enabling VPLS Autodiscovery: BGP Based (required)
• Configuring BGP to Enable VPLS Autodiscovery (required)
• Customizing the VPLS Autodiscovery Settings (optional)

Enabling VPLS Autodiscovery: BGP Based

Perform the following task to enable each VPLS PE router to discover the other PE routers that are part of the same VPLS domain.

Configuring BGP to Enable VPLS Autodiscovery

BGP learns the endpoint provisioning information from the L2VPN database which is updated each time a Layer 2 virtual forwarding instance (VFI) is configured. When BGP distributes the endpoint provisioning information in an update message to all its BGP neighbors, the endpoint information is used to configure a pseudowire mesh to support aL2VPN-based services.