MEN Part 2- Day4 -Ver1_NoRestriction


  • 8/14/2019 MEN Part 2- Day4 -Ver1_NoRestriction

    1/57

    Network Learning CentreProprietary & Confidential

    11

    MEN Part 2

    50467565

    Agenda

    Day4

    Module 4: L2 VPN

    Module 5: VPLS

    Module 4

    L2 VPN

    Traditional L2 VPN

    Leased line: the main shortcoming is that provisioning is time consuming and expensive, and the lines are difficult to manage.

    Virtual circuit: compared with a leased line, it takes less time to provision and costs less. The service is provided over an ATM or FR network, which has to be set up and maintained separately. Low speed. Complicated configuration.

    The leased line is the earliest "First Mile" technology employed for broadband access. Seldom used for residential broadband access because of their high monthly rental cost, leased lines are most commonly used by medium and large businesses and organizations to provide broadband access to their employees over a Local Area Network.

    Traditional VPNs are based on Asynchronous Transfer Mode (ATM) or Frame Relay (FR), where different VPNs can share the network structure of carriers. However, traditional VPNs have the following disadvantages.

    Dependence on special media (such as ATM or FR): for ATM-based or FR-based VPNs, carriers must establish ATM or FR networks across the country, which is wasteful network construction.

    Complicated VPN structure: when a site is added to an existing VPN, the configuration of all edge nodes that access the VPN site must be modified, so the configuration task is heavy and complicated.

    What is MPLS L2 VPN

    MPLS L3 VPN packet: Tunnel Label | Inner Label | Layer 3 Header | Data

    MPLS L2 VPN packet: Tunnel Label | VC Label | Layer 2 Header | Data

    A VPN, as we know, is a virtual private network that uses some tunnel technology to transmit customer data from one side to the other through the provider network. For MPLS L3 VPN we have learned that when customer data is transmitted from one PE to another PE, it carries only layer 3 and above information, without the layer 2 information.

    We define a Layer 2 VPN as one where a Service Provider provides a layer 2 network to the customer. Within the Service Provider's network, the layer 2 packets are transported within tunnels, which could be MPLS Label-Switched Paths (LSPs) or GRE tunnels; if MPLS is chosen, it is an MPLS L2 VPN.

    Compared with L3 VPN, L2 VPN has many advantages, which are introduced later.

    MPLS L2 VPN Network Structure

    [Figure: customer sites attached to two PEs; pseudo wires carried in a tunnel between the PEs]

    The basic principle of all MPLS L2VPN modes, except CCC, is the same as shown above.

    From this figure we can see that the L2 VPN network structure is the same as the L3 VPN network structure, and the definitions of PE, P and CE are the same. The public network tunnel is also an MPLS LSP tunnel. There are some differences, however: MPLS L2 VPN packets usually carry two labels, except in CCC, which has only the tunnel label; the other modes have an inner label, the VC label. In MPLS L3 VPN the inner label is used to identify different routes, while in L2 VPN the inner label is used to identify the CE.

    MPLS L2 VPN Characteristics

    The service provider uses the MPLS network to provide Layer 2 services to the customer. To the CEs it appears that they are connected directly or through layer 2 switched networks, such as ATM, FR or Ethernet switch networks.

    Routing occurs between CE routers.

    The PE sends VPN traffic across the service provider's network to the PE router it is connected to via LSP tunnels.

    From the network structure we know that CEs connect to PEs. Between CEs, the provider network provides a layer 2 connection service, so the CEs appear to be connected directly or through layer 2 switched networks.

    Because the provider network works like a layer 2 switched network, it does not participate in the customer's routing exchange, so routing occurs between CE routers. This is different from MPLS L3 VPN.

    When a PE sends VPN traffic across the provider's network, it uses the MPLS LSP tunnel, the same as MPLS L3 VPN.

    Advantages of MPLS L2 VPN

    High Scalability

    Separation of Administrative Responsibilities

    Routing Privacy and Security

    Ease of Configuration

    Native Multi-protocol Support

    Signaling Flexibility

    Cost-efficient Migration from Traditional Layer 2 VPN

    High Scalability

    PE routers share between themselves only a small amount of information about each CE router. Therefore, each PE need only maintain a single entry from each CE.

    Separation of Administrative Responsibilities

    The Service Provider is responsible for Layer 2 connectivity, and the customer is responsible for Layer 3 connectivity. This separation of responsibility also isolates customer-generated faults from the provider network.

    Routing Privacy and Security

    As the routing information of the user is not imported, the PE cannot obtain and process the user's VPN routing information.

    Ease of Configuration

    In a traditional layer 2 VPN, if the CEs are fully meshed there is an N^2 problem: each CE needs N-1 PVCs configured to the other CEs, and when a new CE is added, not only the PE it connects to but also the PEs connected to the other CEs must be configured. With Kompella L2 VPN, by configuring a CE range with spare capacity, only the connected PE needs to be configured when a new CE is added, which saves configuration work.

    L2 VPN Common Packet Structure

    Tunnel Label: ingress PE to egress PE switching label

    VC Label: identifies the different VCs in the same tunnel

    Emulated VC Encapsulation (Control Word): 32-bit control word

    [Figure: Tunnel Header | Demultiplexer Field | Emulated VC Encapsulation (Control Word) | L2 PDU (Emulated)]

    Connection control protocol: LDP, BGP, static LSP and so on; VC label negotiation, withdrawal and error notification

    Emulated circuits: three layers of encapsulation

    In an MPLS network, it is possible to use control protocols to set up "emulated virtual circuits" that carry the Protocol Data Units of layer 2 protocols across the network. A number of these emulated virtual circuits may be carried in a single tunnel. This requires of course that the layer 2 PDUs be encapsulated. We can distinguish three layers of this encapsulation:

    the "tunnel header", which contains the information needed to transport the PDU across the MPLS network; this header belongs to the tunneling protocol, e.g., MPLS, GRE, L2TP.

    the "demultiplexer field", which is used to distinguish individual emulated virtual circuits within a single tunnel; this field must be understood by the tunneling protocol as well; it may be, e.g., an MPLS label or a GRE key field.

    the "emulated VC encapsulation", which contains the information about the enclosed layer 2 PDU which is necessary in order to properly emulate the corresponding layer 2 protocol.

    Although different layer 2 protocols require different information to be carried in this encapsulation, an attempt has been made to make the encapsulation as common as possible for all layer 2 protocols.

    PDU Structure

    Encap type     Control Word
    ATM AAL5       Y
    Ethernet       N
    Frame Relay    Y
    HDLC           N
    PPP            N

    Packet layout (bit positions 0, 7, 15, 23, 31 across each 32-bit word):

    Tunnel Label (LDP or RSVP) | EXP | 0 | TTL
    VC Label (VC) | EXP | 1 | TTL (set to 2)
    Control Word: Rsvd | Flags | 0 0 | Length | Sequence Number
    Layer-2 PDU (Layer-2 Protocol Data Unit)

    In most cases, it is not necessary to transport the layer 2 encapsulation across the network; rather, the layer 2 header can be stripped at the ingress PE and reproduced at the egress PE. This is done using information carried in the control word, as well as information that may already have been signaled from ingress PE to egress PE.

    There are three requirements that may need to be satisfied when transporting layer 2 protocols over an MPLS backbone:

    1. Sequentiality may need to be preserved.

    2. Small packets may need to be padded in order to be transmitted on a medium where the minimum transport unit is larger than the actual packet size.

    3. Control bits carried in the header of the layer 2 frame may need to be transported.

    The control word defined here addresses all three of these requirements. For some protocols this word is REQUIRED, and for others OPTIONAL. For protocols where the control word is OPTIONAL, implementations MUST support sending no control word, and MAY support sending a control word.

    In the control word the first 4 bits are reserved for future use. They MUST be set to 0 when transmitting, and MUST be ignored upon receipt.

    The next 4 bits provide space for carrying protocol-specific flags. These are defined in the protocol-specific.

    The next 2 bits MUST be set to 0 when transmitting. The next 6 bits provide a length field, which is used as follows: If the packet's length defined as the length
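    The layout above as a packer and a strict parser, as an added example that is not part of the original slides: it encodes the two label stack entries and the 32-bit control word, ignores the reserved bits on receipt and rejects truncated or mis-stacked input. Assumptions: encapsulation types marked N in the table carry no control word, the tunnel TTL of 255 and the sample label values are constructed, and the 16-bit width of the sequence number is read off the diagram.

```python
import struct
from dataclasses import dataclass

# Control word use per encapsulation type, taken from the table above.
CONTROL_WORD = {"ATM AAL5": True, "Ethernet": False, "Frame Relay": True,
                "HDLC": False, "PPP": False}


@dataclass
class Label:
    value: int    # 20-bit label
    exp: int      # 3-bit EXP
    bottom: bool  # bottom-of-stack bit: 0 on the tunnel label, 1 on the VC label
    ttl: int      # 8-bit TTL


@dataclass
class ControlWord:
    flags: int     # 4 protocol-specific flag bits
    length: int    # 6-bit length field
    sequence: int  # 16-bit sequence number


def pack_label(lbl):
    if not (0 <= lbl.value < (1 << 20) and 0 <= lbl.exp < 8 and 0 <= lbl.ttl < 256):
        raise ValueError("label field out of range")
    word = (lbl.value << 12) | (lbl.exp << 9) | (int(lbl.bottom) << 8) | lbl.ttl
    return struct.pack("!I", word)


def unpack_label(raw):
    (word,) = struct.unpack("!I", raw)
    return Label(word >> 12, (word >> 9) & 0x7, bool(word & 0x100), word & 0xFF)


def pack_control_word(cw):
    if not (0 <= cw.flags < 16 and 0 <= cw.length < 64 and 0 <= cw.sequence < 65536):
        raise ValueError("control word field out of range")
    # The 4 reserved bits and the 2 bits before the length are transmitted as 0.
    return struct.pack("!I", (cw.flags << 24) | (cw.length << 16) | cw.sequence)


def unpack_control_word(raw):
    (word,) = struct.unpack("!I", raw)
    # Reserved bits are masked off, i.e. ignored on receipt.
    return ControlWord((word >> 24) & 0xF, (word >> 16) & 0x3F, word & 0xFFFF)


def build_packet(tunnel_label, vc_label, encap, pdu, cw=None):
    """Ingress PE: tunnel label, VC label (TTL 2), control word if the type uses one."""
    out = pack_label(Label(tunnel_label, 0, False, 255))  # tunnel TTL is an assumption
    out += pack_label(Label(vc_label, 0, True, 2))
    if CONTROL_WORD[encap]:
        if cw is None:
            raise ValueError(f"{encap} requires a control word")
        out += pack_control_word(cw)
    return out + pdu


def parse_packet(data, encap):
    """Egress PE: return (tunnel label, VC label, control word or None, layer 2 PDU)."""
    header_len = 8 + (4 if CONTROL_WORD[encap] else 0)
    if len(data) < header_len:
        raise ValueError("truncated packet")
    tunnel, vc = unpack_label(data[0:4]), unpack_label(data[4:8])
    if tunnel.bottom or not vc.bottom:
        raise ValueError("expected tunnel label (S=0) then VC label (S=1)")
    cw = unpack_control_word(data[8:12]) if CONTROL_WORD[encap] else None
    return tunnel, vc, cw, data[header_len:]


if __name__ == "__main__":
    # Constructed sample: Frame Relay PDU on VC label 100 with sequence number 7.
    pkt = build_packet(1025, 100, "Frame Relay", b"constructed-FR-PDU",
                       ControlWord(0, 0, 7))
    print(pkt.hex())
    print(parse_packet(pkt, "Frame Relay"))
```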

    1 CCC

    2 Martini

    3 SVC

    4 Kompella

    CCC (Circuit Cross Connect)

    [Figure: CCC over an MPLS network. Headquarter A, Headquarter B, Branch Office A and Branch Office B attach to PEs through a local connection or a remote connection. Packet format: Tunnel Label | Layer 2 Header | Data (only one level of label).]

    An important application of MPLS is the "convergence" of Layer 2 networks, i.e., a means of transporting Layer 2 frames over an MPLS infrastructure. CCC is the first instantiation of this technology that was deployed in production networks.

    CCC (Circuit Cross Connect) is a VPN built from statically configured VCs. According to the configuration, the PE maps the received layer 2 packets to a statically configured LSP, and the packet is then forwarded through the provider network by MPLS to the other end and finally to the other CE.

    CCC differs from the other MPLS L2 VPN modes in that it has only one level of label, which is used for label switching, so a CCC connection occupies its static LSP exclusively. Because an LSP is one way, two LSPs must be configured. Because the LSP is exclusive, it cannot be used for other services such as other MPLS L2 VPN connections, BGP/MPLS VPN or IP packet forwarding. CCC VPN only needs the provider network to support MPLS.

    CCC is suited to small MPLS networks with a simple topology. All LSPs have to be configured manually, and no signaling protocol is needed, so the resource cost is low and the mode is easy to understand, but maintenance is difficult.

    CCC provides a transparent layer 2 connection between two CEs; when packets are transmitted, only the layer 2 address is changed, with no other changes.

    Martini Network Structure

    [Figure: Martini network structure. Headquarter A, Headquarter B, Branch Office A and Branch Office B attach to PEs joined by MPLS tunnels (LSPs); the VC label is distributed by LDP. Packet format: Outer Label | VC Label | Layer 2 Header | Data.]

    The Martini mode implements MPLS L2VPN by setting up a point-to-point link. It takes LDP as the signaling protocol to transfer Layer 2 information and VC labels.

    Martini MPLS L2VPN adopts VC-type plus VC-ID to identify a VC between two CEs.

    VC-type: indicates the type of the VC, such as ATM, VLAN and PPP.

    VC-ID: the VC-ID of each VC of the same VC-type must be unique in the whole PE.

    PEs connecting two CEs exchange VC labels through LDP, and bind the corresponding CE by VC-ID.

    Martini supports inter-AS L2VPN in multi-hop mode, but it does not support local connection.

    Draft for Martini

    The mode is based on two drafts from Luca Martini.

    draft-martini-l2circuit-trans-mpls: VC label distribution, uses extended LDP

    draft-martini-l2circuit-encap-mpls: different encapsulation mechanisms for different L2 circuits

    draft-martini-l2circuit-trans-mpls:

    This document describes methods for transporting the Protocol Data Units (PDUs) of layer 2 protocols such as Frame Relay, ATM AAL5 and Ethernet, and providing a circuit emulation service across an MPLS network.

    draft-martini-l2circuit-encap-mpls:

    This document describes methods for encapsulating the Protocol Data Units (PDUs) of layer 2 protocols such as Frame Relay, ATM, or Ethernet for transport across an MPLS network. Although different layer 2 protocols require different information to be carried in this encapsulation, an attempt has been made to make the encapsulation as common as possible for all layer 2 protocols.

    Martini Characteristics

    The VC ID is used to identify a VC; the VC Type indicates the encapsulation type.

    The Martini protocol extends LDP by adding a VC FEC type that includes the VC ID and VC Type. One label is allocated per VC FEC. The VC label has only local meaning.

    VC FEC and VC label are exchanged through a targeted LDP session between two PEs.

    The tunnel between PEs can be shared by different VCs. The tunnel type can be LSP, TE tunnel or GRE tunnel.

    Cannot provide local connection.

    The Martini mode implements MPLS L2VPN by setting up a point-to-point link. It takes LDP as the signaling protocol to transfer layer 2 information and VC labels.

    Martini MPLS L2VPN adopts VC-Type + VC-ID to identify a VC between two CEs.

    VC-Type: indicates the type of the VC. For example, ATM, VLAN or PPP.

    VC-ID: the VC-ID of each VC of the same VC-Type must be unique in the whole PE.

    PEs connecting two CEs exchange VC labels through LDP, and bind the corresponding CE by VC-ID.

    After the LSP connecting the two PEs is successfully created, and the label exchange and the binding with the CE are finished, a VC is set up.

    In order to exchange VC labels between PEs, Martini has extended LDP by adding the FEC type in the VC FEC. Moreover, because the two PEs exchanging VC labels may not be connected directly, a remote LDP session must be set up to transfer the VC FEC and VC labels.

    Martini supports inter-AS L2VPN in multi-hop mode, but it does not support local connection. Why? Because VC type + VC ID is unique, one PE can't connect two CEs with the same VC type and VC ID.

    VC Status

    An In Label is allocated when an LDP VC is configured. If the Local State is up, i.e. if

    the interface is up,

    the LDP session is established, and

    at least one tunnel to the destination exists,

    then a mapping containing L2VPN information such as the VC-ID, interface type and other interface parameters is sent to the destination.

    The VC state is not up until a mapping is received from the remote peer with matching VC ID, interface type and parameters.

    With this mapping we also receive the in-label of the remote VC, which is the out-label for the local LDP VC.

    The VC status becomes UP when the local LDP VC is configured, the local state and interface are UP, the LDP session is established, and a mapping message has been received from the remote peer with matching VC ID, encapsulation type and parameters. Both sides do the same work; then the VC status is UP.

    Label Mapping

    [Figure: CE1 - PE1 - PE2 - CE2, annotated with the following steps]

    1. L2 transport route entered on ingress PE

    2. PE1 starts an LDP session with PE2 if one does not already exist

    3. PE1 allocates a VC label for the new interface and binds it to the configured VCID

    4. PE1 sends a label mapping message containing the VC FEC TLV and VC label TLV

    5. PE2 receives the VC FEC TLV and VC label TLV that match the local VCID

    PE2 repeats steps 1-5 so that bi-directional label/VCID mappings are established

    The VC label mapping procedure is as follows:

    1. An L2 transport route is entered on the ingress PE, PE1.

    2. PE1 checks whether it has an LDP remote session with the other PE, PE2; if not, it sets up the remote session with PE2.

    3. PE1 allocates a VC label for the new interface and binds it to the configured VC ID.

    4. PE1 sends the label mapping message to the remote peer PE2.

    5. PE2 receives the message and checks whether the VC ID matches; if it does, PE2 keeps the label mapping. PE2 also repeats steps 1-5.

    Label Withdrawing

    [Figure: CE1 - PE1 - PE2 - CE2. A CE port/VC failure triggers a label withdraw message (LDP label withdraw, VCID 20, VC label 100); a PE port failure triggers a Group ID withdraw.]

    If a PE router detects a condition that affects normal service, it must withdraw the corresponding VC label through LDP signaling.

    Circuit status signaling

    As mentioned before, the Group ID field can be used to withdraw all VC labels associated with a particular group ID. This procedure is OPTIONAL, and if it is implemented the LDP label withdraw message should be as follows: the VC information length field is set to 0, the VC ID field is not present, and the interface parameters field is not present. All LSRs implementing this design are REQUIRED to accept such a withdraw message, but are not required to send it.

    The interface parameters field must not be present in any LDP VC label withdrawal message or release message. A wildcard release message must include only the group ID. A Label Release message initiated from the imposition router must always include the VC ID.
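    The VC Status conditions, the five Label Mapping steps and the per-VC label withdraw, modelled as a small two-PE simulation. This is an added example, not code from the original slides or from any LDP implementation. Assumptions: label ranges starting at 100 and 200, MTU as the only interface parameter, a mapping that arrives for an unconfigured VC is simply dropped, and the Group ID wildcard withdraw is left out.

```python
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Mapping:
    """LDP label mapping message: VC FEC (type, ID, parameters) plus the VC label."""
    vc_type: str
    vc_id: int
    params: tuple
    label: int


@dataclass
class VC:
    peer: str
    params: tuple
    in_label: int                    # allocated locally when the VC is configured
    out_label: Optional[int] = None  # learned from the remote PE's mapping
    interface_up: bool = True


class PE:
    def __init__(self, name, first_label):
        self.name = name
        self._labels = count(first_label)  # local label space (constructed values)
        self.vcs = {}          # (vc_type, vc_id) -> VC
        self.sessions = set()  # peers with a targeted LDP session
        self.tunnels = set()   # peers reachable through at least one tunnel

    def configure_vc(self, peer, vc_type, vc_id, mtu):
        """Steps 1-3: enter the route, ensure the LDP session, allocate the in-label."""
        if (vc_type, vc_id) in self.vcs:
            # VC type + VC ID is unique per PE, hence no local connection in Martini.
            raise ValueError("VC type + VC ID already in use on " + self.name)
        self.sessions.add(peer.name)
        peer.sessions.add(self.name)
        self.vcs[(vc_type, vc_id)] = VC(peer.name, (("mtu", mtu),), next(self._labels))

    def advertise(self, peer, vc_type, vc_id):
        """Step 4: send the mapping only if the local state is up."""
        vc = self.vcs[(vc_type, vc_id)]
        if not (vc.interface_up and peer.name in self.sessions
                and peer.name in self.tunnels):
            return False
        peer.receive_mapping(Mapping(vc_type, vc_id, vc.params, vc.in_label))
        return True

    def receive_mapping(self, m):
        """Step 5: keep the label only if VC ID, type and parameters all match."""
        vc = self.vcs.get((m.vc_type, m.vc_id))
        if vc is not None and vc.params == m.params:
            vc.out_label = m.label

    def withdraw(self, peer, vc_type, vc_id):
        """CE port or VC failure: withdraw the VC label advertised to the peer."""
        vc = self.vcs[(vc_type, vc_id)]
        vc.interface_up = False
        peer.receive_withdraw(vc_type, vc_id, vc.in_label)

    def receive_withdraw(self, vc_type, vc_id, label):
        vc = self.vcs.get((vc_type, vc_id))
        if vc is not None and vc.out_label == label:
            vc.out_label = None

    def vc_up(self, vc_type, vc_id):
        vc = self.vcs[(vc_type, vc_id)]
        return (vc.interface_up and vc.peer in self.sessions
                and vc.peer in self.tunnels and vc.out_label is not None)


def make_pair():
    """Two PEs with a tunnel in each direction; label ranges are constructed."""
    pe1, pe2 = PE("PE1", 100), PE("PE2", 200)
    pe1.tunnels.add("PE2")
    pe2.tunnels.add("PE1")
    return pe1, pe2


if __name__ == "__main__":
    pe1, pe2 = make_pair()
    pe1.configure_vc(pe2, "VLAN", 20, mtu=1500)
    pe2.configure_vc(pe1, "VLAN", 20, mtu=1500)
    pe1.advertise(pe2, "VLAN", 20)
    print("after PE1's mapping:", pe1.vc_up("VLAN", 20), pe2.vc_up("VLAN", 20))
    pe2.advertise(pe1, "VLAN", 20)
    print("after PE2's mapping:", pe1.vc_up("VLAN", 20), pe2.vc_up("VLAN", 20))
```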

    Questions

    Does Martini provide local connection or not? Why?

    As we know, two CEs that set up a VPN connection need to have the same encapsulation type and CE ID. On a PE, are the in and out VC labels then the same?

    1. Not supported, because VC type + VC ID is unique: one PE can't connect two CEs with the same VC type and VC ID.

    2. Remember? The in label is allocated by the local PE and the out label is allocated by the remote PE; they are allocated independently, so usually they are not the same.

    SVC (Static Virtual Circuit)

    Similar to Martini MPLS L2VPN; the only difference is that the In and Out VC Labels are allocated manually.

    A targeted LDP session between the two PEs is not needed for VC info exchange.

    The VC state depends only on the local state and the tunnel state between the two PEs.

    Tunnels are used to pass the data packets between the PEs.

    SVC implements MPLS L2VPN through static configuration. SVC transfers L2VPN information without using signaling protocols, but it requires manual configuration of the VC label information.

    While creating the static L2VC connection of SVC, you can specify the tunnel type (LDP LSP, CR LDP or GRE) to be used and load balancing through tunnel policies.

    SVC supports inter-AS L2VPN in multi-hop mode but does not support local connection.

    Note:

    The labels used by CCC and SVC range from 16 to 1023, that is, they are in the same label space as those reserved for static LSPs.

    Kompella Network Structure

    [Figure: Kompella network structure. Headquarter A, Headquarter B, Branch Office A and Branch Office B attach to PEs joined by MPLS tunnels (LSPs); L2VPN instance information is distributed by BGP. Packet format: Outer Label | VC Label | Layer 2 Header | Data.]

    The Kompella mode realizes MPLS L2VPN end to end (CE to CE) in the MPLS network. It takes BGP as the signaling protocol to transfer Layer 2 information and VC labels.

    Kompella MPLS L2VPN is different from Martini in that it does not operate on the connection between the CEs directly. It allocates different VPNs in the whole SP network and encodes each CE in the VPN. Similar to BGP/MPLS VPN, Kompella MPLS L2VPN also uses VPN targets to identify different VPNs, which makes the VPN networking more flexible.

    To connect two CEs, you need to configure the local CE ID and remote CE ID on the PE.

    Kompella supports both local and remote connections.

    It supports inter-AS L2VPN in the following two modes:

    Multi-hop mode: adopts routes with BGP label.

    MP-EBGP mode: saves label block on the ASBR.

    Draft for Kompella

    Implemented through a draft from Kireeti Kompella.

    draft-kompella-l2vpn-l2vpn-01: describes label distribution, uses BGP4

    Continues to use the Martini draft for encapsulation: draft-martini-l2circuit-encap-mpls

    draft-kompella-l2vpn-l2vpn-01.txt: this draft's expiration date is July 2006.

    This document offers a solution that preserves the advantages of a Layer 2 VPN while allowing the Service Provider to maintain and manage a single network for IP, IP VPNs and Layer 2 VPNs, and reducing the provisioning problem significantly. In particular, adding a site to an existing VPN in most cases requires configuring just the Provider Edge router connected to the new site.

    To ease the restriction that all sites within a single VPN connect via the same layer 2 technology, this document proposes a limited form of layer 2 interworking, restricted to IP only as the layer 3 protocol.

    Kompella Control Plane

    [Figure: CE1 - PE1 - MP-BGP - PE2 - CE2. PE1 sends out the configured VPN information to its neighbors with MP-BGP; PE2 receives the information, checks it and calculates the VC label with it.]

    1. BGP version 4 is used as the auto-discovery and signaling protocol for Layer 2 VPNs. In BGP, the Multiprotocol Extensions (MP-BGP) are used to carry L2-VPN signaling information. MP-BGP defines the format of two BGP attributes (MP_REACH_NLRI and MP_UNREACH_NLRI) that can be used to announce and withdraw the announcement of reachability information. We introduce a new address family identifier (AFI) for L2-VPN [to be assigned by IANA, because it is a draft], a new subsequent address family identifier (SAFI) [to be assigned by IANA], and also a new NLRI format for carrying the individual L2-VPN label-block information. One or more NLRIs will be carried in the above-mentioned BGP attributes. L2VPN NLRIs must be accompanied by one or more extended communities. The ROUTE TARGET extended community is reused; its usage is exactly the same as in the case of MPLS L3 VPN, as is that of the RD.

    2. Different sites within the same VPN are identified by CE ID; within the same VPN, the CE ID should be unique.

    3. Each PE uses the received L2VPN information to calculate the VC label. Different VC labels are bound to PE-CE links, not to routes as in L3 VPN.

    VPN Information Label Block

    [Figure: PE label block holding labels 1000 to 1008, divided as follows]

    CE1 Label Block 1: LB=1000, LR=3, LO=0

    CE2 Label Block 1: LB=1003, LR=3, LO=0

    CE1 Label Block 2: LB=1006, LR=3, LO=3

    The PE chooses a label block.

    Label Base (LB): the smallest label in the block.

    Range (LR): the number of labels in the block.

    Offset (LO): the sum of the ranges of all the previous label blocks.

    A remote site with CE ID m will connect to this CE with a label selected from one of the label blocks.

    block offset

    Label Block Structure

    [Figure: label block NLRI layout, bit positions 0, 7, 15, 23, 31. Fields: Length, Route Distinguisher, CE ID, Label-block Offset, Label Base, Variable TLVs.]

    Circuit State Vector (CSV): variable TLV, used to identify the status of the circuit.

    One or more such NLRIs can be carried in a single MP_REACH_NLRI or MP_UNREACH_NLRI attribute. An L2VPN NLRI is uniquely identified by the RD, CE ID and the Label-block Offset. So an L2VPN NLRI carried in an MP_UNREACH_NLRI attribute must contain only these 3 fields other than the length field.

    Length:

    The Length field indicates the length in octets of the L2-VPN address information.

    Route Distinguisher:

    Has the same meaning as in MPLS L3 VPN.

    For CE ID, Label Base and Label offset, please refer to the previous slide.

    Variable TLVs:

    L2VPN TLVs can be added to extend the information carried in the L2 VPN NLRI. In L2VPN TLVs, type is 1 octet, length is 2 octets and represents the size of the value field in bits.

    A new sub-TLV (CSV) is introduced to carry the status of an L2VPN PVC between a pair of PEs. This sub-TLV is a mandatory part of MP_REACH_NLRI.

    The value field of this TLV is a bit-vector, each bit of which indicates the status of the VC associated with the corresponding label in the label-block. Bit value 0

    Layer2-Info Extended Community

    [Figure: Layer2-Info extended community layout, bit positions 0, 7, 15, 23, 31. Fields shown: Extended Community Type, Encaps Type, Control Flags, Layer-2 MTU, Reserved.]

    The Layer2-Info extended community is used to carry layer 2 specific information in a VPN. This extended community must be carried as part of the path attribute in all BGP update messages carrying L2VPN NLRIs.

    Extended Community Type: TBD (to be determined)

    Encapsulation Type: identifies the layer 2 encapsulation, e.g., ATM, Frame Relay etc. The following encapsulation types are defined:

    Value    Encapsulation
    0        Reserved
    1        Frame Relay
    2        ATM AAL5 VCC transport
    3        ATM transparent cell transport
    4        Ethernet VLAN
    5        Ethernet
    6        Cisco-HDLC
    7        PPP
    8        CEM [8]
    9        ATM VCC cell transport
    10       ATM VPC cell transport
    11       MPLS

    VC Label Calculation-1

    [Figure: CE m - PE1 - MP-BGP - PE2 - CE k]

    PE1: L2VPN A (RD, RT), CE m, label-block Lm, Lm's block offset LOm, label-base LBm, label-range LRm

    PE2: L2VPN A (RD, RT), CE k, label-block Lk, Lk's block offset LOk, label-base LBk, label-range LRk

    When a PE receives a Layer 2 VPN advertisement, it checks whether the received VPN Target community matches any VPN that it is a member of.

    Advertised by PE1: VPN A, CE m, label-block Lm, with Lm's block offset as LOm, label-base as LBm and label-range as LRm.

    Receiving PE2 is a member of VPN A; the configured CE ID is k, with label-block Lk, Lk's block offset LOk and label-base as LBk

    VC Label Calculation-2

    Check the encapsulation type for VPN A; if it does not match, stop. (Note that for IP-only layer 2 interworking a separate encapsulation type is defined.)

    Check if k = m. If so, issue an error and stop.

    Search among all the label-blocks from m for one which satisfies

    LOm

    VC Calculation Example

    [Figure: PE1, PE2 and PE3 with CE1, CE2 and CE3 attached; the numbers 102, 103, 201, 203, 301 and 302 appear on the diagram. Packets are shown as Tunnel | VC label | Payload, with VC labels 2001, 1002, 3001, 1003, 3002 and 2003.]

    Advertisements shown in the figure:

    I have: VPN: red, CE-id: 1, Label Base: 1000, Label Range: 10

    I have: VPN: red, CE-id: 2, Label Base: 2000, Label Range: 10

    I have: VPN: red, CE-id: 3, Label Base: 3000, Label Range: 10

    For example, PE1's calculation:

    1. Check the encapsulation type.

    2. Check whether k = m.

    3. Find a label block. [ Local block offset
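    The VC label calculation from the three slides above, run on the figure's advertisements, as an added example that is not part of the original slides. The slides' range test is cut off, so the code uses the one from the Kompella draft the deck cites, LOm <= k < LOm + LRm, with out-label LBm + k - LOm and in-label LBk + m - LOk; these reproduce the six VC labels in the figure. Assumptions: block offset 0 and Ethernet encapsulation for the red VPN, a plain VPN name standing in for the VPN target, and CE 4 and CE 7 as constructed peers.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class LabelBlock:
    base: int         # LB: smallest label in the block
    label_range: int  # LR: number of labels in the block
    offset: int       # LO: sum of the ranges of the CE's previous blocks


@dataclass(frozen=True)
class Advert:
    vpn: str          # stands in for the VPN target community
    ce_id: int
    encap: str
    blocks: Tuple[LabelBlock, ...]


def find_block(blocks, ce_id) -> Optional[LabelBlock]:
    """Return the block whose window LO <= ce_id < LO + LR covers ce_id, if any."""
    for blk in blocks:
        if blk.offset <= ce_id < blk.offset + blk.label_range:
            return blk
    return None


def vc_labels(local: Advert, remote: Advert):
    """Return (out_label, in_label) for the VC between the two CEs, or None.

    local is the receiving PE's own CE (ID k); remote is the advertised CE (ID m).
    """
    if local.vpn != remote.vpn or local.encap != remote.encap:
        return None  # not our VPN, or encapsulation mismatch: stop
    k, m = local.ce_id, remote.ce_id
    if k == m:
        raise ValueError(f"CE ID {k} is used twice in VPN {local.vpn}")
    remote_blk = find_block(remote.blocks, k)  # block of m that covers k
    local_blk = find_block(local.blocks, m)    # block of k that covers m
    if remote_blk is None or local_blk is None:
        return None  # a label block is too small for the peer's CE ID
    out_label = remote_blk.base + k - remote_blk.offset  # label sent towards CE m
    in_label = local_blk.base + m - local_blk.offset     # label expected from CE m
    return out_label, in_label


def red_vpn():
    """The three advertisements from the figure; offset 0 and encap are assumptions."""
    return {ce: Advert("red", ce, "Ethernet", (LabelBlock(ce * 1000, 10, 0),))
            for ce in (1, 2, 3)}


if __name__ == "__main__":
    adverts = red_vpn()
    for k in adverts:
        for m in adverts:
            if k != m:
                print(f"CE{k} -> CE{m}:", vc_labels(adverts[k], adverts[m]))
    # Two blocks for CE1, as on the "VPN Information Label Block" slide.
    ce1 = Advert("red", 1, "Ethernet", (LabelBlock(1000, 3, 0), LabelBlock(1006, 3, 3)))
    ce4 = Advert("red", 4, "Ethernet", (LabelBlock(4000, 5, 0),))  # constructed peer
    print("CE1 <-> CE4:", vc_labels(ce1, ce4))
```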

    Kompella Summary

    MP-BGP is used for signaling to transfer layer 2 NLRI and VC labels; the CE ID is used to identify a CE.

    The label block is allocated based on the CE range.

    Advantages: topology auto-discovery; supports local cross; inter-AS support.

    Disadvantages: the implementation is complex; fewer vendors support it; label wastage.

    L2VPN Types

    Index / Mode          Kompella                    Martini                     CCC                         SVC
    Signaling             BGP                         LDP                         NA                          NA
    Tunnel Type           GRE/LSP/L2TPv3              GRE/LSP/L2TPv3              Static LSP                  GRE/LSP/L2TPv3
    Tunnel Shared         Shared                      Shared                      Exclusive                   Shared
    Encapsulation Type    ATM/FR/PPP/HDLC/ETH/VLAN    ATM/FR/PPP/HDLC/ETH/VLAN    ATM/FR/PPP/HDLC/ETH/VLAN    ATM/FR/PPP/HDLC/ETH/VLAN
    Scalability           High                        High                        Low                         Normal


    Layer 2 Interworking

    As defined so far, all CE-PE connections for a given Layer 2 VPN must use the same layer 2 encapsulation, e.g., they must all be Frame Relay. This is often a burdensome restriction.

    [Figure: CE1 and CE2 attached to PE1 and PE2, one over an FR link and the other over an ATM link; packet format: Outer Label | VC Label | Layer 3 Header | Data]

    For Layer 2 interworking as defined here, when an IP packet arrives at a PE, its Layer 2 address is noted, then all Layer 2 overhead is stripped, leaving just the IP packet. Then, a VPN label is added, and the packet is encapsulated in the PE-PE tunnel (as required by the tunnel technology). Finally, the packet is forwarded. Note that the forwarding decision is made on the basis of the Layer 2 information, not the IP header. At the egress, the VPN label determines to which CE the packet must be sent, and over which virtual circuit; from this, the egress PE can also determine the Layer 2 encapsulation to place on the packet once the VPN label is stripped.

    Notes:

    In L2VPN interworking, an L2VPN connection can only be established in Kompella, Martini or CCC local connection mode, not in CCC remote connection or SVC mode.

    On Huawei devices, the following interfaces used in L2VPN can be encapsulated with ip-interworking:

    Interfaces and sub-interfaces of Ethernet type

    Interfaces and sub-interfaces of Gigabit Ethernet type

    Interfaces of Virtual-Ethernet type

    Note that,


    Module 5

    VPLS


    Basic concept of VPLS

    VPLS is also known as Transparent LAN Service (TLS) and Virtual Private Switched Network service.

    VPLS provides L2 VPN service. By function, L2 VPN and L3 VPN differ in whether L2 forwarding or L3 forwarding functions are simulated on the public network.

    In VPLS, users are connected through a point-to-multipoint network, rather than the point-to-point connection service provided on the traditional L2 VPN.

    VPLS, in fact, is about creating a series of virtual switches on the PE to be leased to users. Such virtual switches can be networked in the same way as traditional switches. This way, the users can implement their own LAN connections through the WAN.

    VPLS Overview

    VPLS is an L2 VPN technology based on MPLS and Ethernet technology. In the past ten years, Ethernet technology has seen rapid growth and found wide application. Its rate has increased from 10M to 100M and then to 1000M, while the deployment costs have become increasingly lower. Ethernet technology has found application not only in enterprise networks but also increasingly in operator networks, particularly MANs. Thanks to its high bandwidth and low costs, Ethernet is highly competitive. However, MAN Ethernet often provides point-to-point services, and cannot provide services across the WAN. The development of MPLS has enabled the wide application of L2 VPNs based on MPLS. However, all L2 VPNs other than VPLS provide only point-to-point services. VPLS emerged to provide multipoint services similar to Ethernet on the MAN/WAN.

    VPLS provides services similar to a LAN on the MPLS network. It allows users to access the network at the same time from multiple dispersed points and to reach each other, as if these points were directly connected to a LAN. VPLS enables users to expand their LANs to the MAN or even to the WAN.


    Basic concept of VPLS

    VPLS Structure

    [Figure: VPLS structure. Customer sites (A headquarters, A branch 1, A branch 2, B headquarters, B branch 1, B branch 2) connect through CEs over Attachment Circuits to PEs on an IP/MPLS network. The PEs host Virtual Switch Instances and are joined by Pseudo-wires carried over MPLS LSPs, which together form the Emulated Service.]

    Pseudo Wire (PW): A virtual connection used to transmit frames between two PEs in VPLS. A PE establishes and maintains PWs through the use of signaling, and the two PEs at the two ends of a PW maintain PW state information.

    Virtual Switch Instance (VSI): Every VSI can offer a separate VPLS service. The VSI implements the Ethernet bridge function and terminates the Pseudo Wire (PW). Cisco calls it a VFI (Virtual Forwarding Instance).

    Virtual Circuit (VC): A logical unidirectional circuit between two nodes. A PW consists of two VCs in opposite directions. A VC can be used as a unidirectional PW.

    Attachment Circuit (AC): In L2VPN, a CE accesses a PE through an AC. An AC can be either a physical link or a logical link. The AC transmits frames between CE and PE.


    Basic concept of VPLS

    Pseudo Wire (PW): A virtual connection used to transmit frames between two PEs in VPLS.

    Virtual Switch Instance (VSI): Every VSI can offer a separate VPLS service. The VSI implements the Ethernet bridge function and terminates the Pseudo Wire (PW). Cisco calls it a VFI (Virtual Forwarding Instance).

    Virtual Circuit (VC): A logical unidirectional circuit between two nodes. A PW consists of two VCs in opposite directions. A VC can be used as a unidirectional PW.

    Attachment Circuit (AC): In L2VPN, a CE accesses a PE through an AC. An AC can be either a physical link or a logical link. The AC transmits frames between CE and PE.

    VPLS Basic Concept


    Working process of VPLS

    Member relationship discovery (control plane)

    PW creation and maintenance (control plane)

    Forwarding based on MAC addresses in VSI (data plane)

    Working process of VPLS


    Working process of VPLS

    Member discovery: The process of finding all other PEs in the same VPLS. This can be implemented either through manual configuration or automatically by the use of some protocols. In the latter case, it is called auto discovery.

    Signaling mechanism: The process of using the signaling protocol between the PEs of the same VPLS to establish, maintain and remove PWs.

    Huawei products support the use of BGP or LDP to implement the control plane of VPLS, referred to as Kompella VPLS and Martini VPLS respectively, whereas Cisco products support only Martini.

    Control Plane


    Working process of VPLS

    Encapsulation: When receiving Ethernet frames from the CE, the PE sends them to the PSN after encapsulation.

    Forwarding: How packets are forwarded depends on the interface receiving the packets and the destination MAC addresses of the packets.

    Data Plane


    Working process of VPLS

    VPLS Forwarding Model

    [Figure: three PEs, each hosting VSI1 and VSI2; a CE in VLAN1 and a CE in VLAN2 attach to each PE]

    A PE implements VPLS forwarding through the use of VSIs. Ethernet frames can be forwarded between two PEs through the fully connected Ethernet emulated circuits, or PWs.

    PEs in a VPLS must be fully connected, that is, there is a PW between any two PEs. Packets can then be transmitted directly from the ingress PE to the egress PE, without being forwarded by intermediate PEs. Therefore, there are no loops between PEs, and running the Spanning Tree Protocol (STP) is unnecessary.


    Working process of VPLS

    Packet transport process

    [Figure: sites A headquarters, A branch 1 and A branch 2 connect through CEs to three PEs on an IP/MPLS network; the PEs are joined by MPLS LSPs]

    The VPLS tunnel, for the CE equipment, is like an L2 switch that has no protocol started, as it transparently transmits the packets of the users.

    According to the VPNs of the users, the PE encapsulates the PDUs with the VC labels to distinguish different users in the MPLS network. According to the destination MACs of the users, the PSN labels are encapsulated for transmission to the destination PE. Obviously, the PE in the VPLS network must have the ability to learn the MAC addresses of the users.

    When the PE forwards the packets from the remote PE, it selects the home VPNs of the user PDUs according to the VC label, looks up the egress interfaces of the packets according to the destination addresses of the users, removes the VC label and sends the original user PDUs to the CE.

    [Figure: packet formats. On the CE side: User PDU. Across the MPLS network: MAC, Label and VC ID fields in front of the User PDU]


    Martini VPLS

    Using LDP as signaling

        Using the TLV of the expanded standard LDP to carry the information of VPLS

        FEC TLV of type 128 and type 129 added

    Label allocation and reservation mode when the PW is established

        DU (downstream unsolicited) used as the allocation mode

        Liberal label retention used as the label retention mode

    The LDP connection used for exchanging VC signaling must be configured in Remote mode on Huawei routers

    Overview

    Martini VPLS: LDP is used for signaling, and the peers of each PE must be designated manually. Since full connections must be established between the PEs in the same VPLS, whenever a new PE joins, all related PEs must modify their configuration, which causes poor expandability. Since the PW is actually a point-to-point link, LDP is more effective for establishing, maintaining and removing the PW.


    Martini VPLS

    Signaling process

    [Figure: signaling between PE1 and PE2. PE1 configures a VSI and designates PE2 as peer; PE2 configures a VSI and designates PE1 as peer. A Mapping Message is sent in each direction and, when the interface parameters match, the PW goes UP on each side. For removal, a Withdraw Message is answered by a Release Message: one side removes the PW (PW Down), the other recycles the label (PW Down).]

    This slide shows a typical process where LDP is used as the signaling for the establishment and removal of the PW. When PE1 is configured with one VSI (Virtual Switch Instance) and PE2 has been designated as its peer, a label is assigned and a mapping message is sent to PE2 if the LDP session has already been established between PE1 and PE2. After PE2 receives the mapping message, it checks whether the same VSI has been configured locally. If the same VSI has been configured, and the VSI ID and encapsulation type are both the same, the VSIs on these two PEs are within the same VPN. If the interface parameters are the same between them, the PW on the PE2 end is established. After PE1 receives the mapping message from PE2, it performs the same check and processing.

    When PE1 no longer wants to forward the packets of PE2 (for example, the user cancels the designation of PE2 as peer), it sends a withdraw message to PE2. After PE2 receives the withdraw message, it removes the PW and responds with a release message. After PE1 receives the release message, it releases the label and removes the PW.


    Martini VPLS

    Setup PW

    [Figure: two PEs (1.1.1.1 and 2.2.2.2) across an IP MPLS network, joined by an LSP and a Remote Session. Each CE attaches to its PE over a trunk carrying VLAN 10-50 (VLANs 10, 20 and 50 shown). VCs on both sides: VC 111 in VLAN 10, VC 222 in VLAN 20, VC 555 in VLAN 50.]

    An ordinary LDP neighbor relationship still needs to be established between PE and P for the allocation of the MPLS labels of the public network.

    A neighbor relationship is established between PEs through the expanded LDP, and the TCP connection is used directly to send LDP messages to maintain the Remote LDP Session.

    Through this LDP session, the VPN control information is exchanged, including the allocation of the PW labels (equivalent to the private labels in the L3VPN). The PE creates one VSI (Virtual Switch Instance) for each VPN. Each VSI has one ID. When LDP negotiates the PW, the ID works as the tag of the VPN.


    Martini VPLS

    Label allocation

    To establish one VC, the PE needs to allocate two layers of labels for it.

    The outer layer label is the MPLS LSP label of the public network, as allocated by LDP. Only with the outer layer label can packets be transmitted on the public network.

    The inner layer label is the VC label, as allocated through the negotiation of the remote LDP Session. The PE allocates one label for each VC. The PE determines the VC to which the packets belong according to the inner layer label, and then sends the packets to the right CE.

    The VC can be up and the VPLS can start to work only when both layers of labels have been correctly allocated.

    PW label allocation: The PE allocates the label for the PW in the incoming direction, and identifies it as the Local-Label. The label of the PW in the outgoing direction is allocated by the other party, and is identified locally as the Remote-Label.

    To establish one VC, the PE needs to allocate two layers of labels for it.

    The outer layer label is the MPLS LSP label of the public network, as allocated by LDP. Only with the outer layer label can packets be transmitted on the public network.

    The inner layer label is the VC label, as allocated through the negotiation of the remote LDP Session established on the Loopback interface. The PE allocates one label for each VC. How this is allocated is determined in advance by the PEs on both ends. The PE determines the VC to which the packets belong according to the inner layer label, and then sends the packets to the right CE.

    The VC can be up and the VPLS can start to work only when both layers of labels have been correctly allocated.


    Martini VPLS

    Packet forwarding

    [Figure: CE, PE, IP MPLS network, PE, CE; each CE attaches over a trunk carrying VLAN 10-50 (VLANs 10, 20 and 50 shown). Frame formats along the path: Tag | Payload on the trunk; VC label | Tag | Payload once the private label is added; MPLS | VC label | Tag | Payload once the public label is added.]

    Start PE:

    Each VSI is bound to an L3 VLAN virtual interface connected to the CE.

    In packet forwarding, after a user packet is received, the VSI of the packet is selected according to the VLAN of the physical port on the PE. Then, the ID of the remote PE of the packet is found in the MAC table of the VSI according to the destination MAC in the user packet, label A of the PW in that direction is found according to the remote PE ID, and the label is encapsulated on the user packet.

    If the MAC table of the VSI does not have an entry for the destination MAC of the user, the packet is sent as a broadcast packet. In other words, the packet is sent to all the PE peers of the VPN (in the VPN, the multicast packets of the user are processed in the same way).

    The MPLS entry of the public network is looked up according to the ID of the remote PE, next the public network label is encapsulated, and then the MAC header of the public network is encapsulated.

    On the P equipment: SWAP

    When the packet is propagated in the MPLS backbone network, all the P devices perform SWAP of the common public network label or perform PHP according to the LSP table.

    End PE:

    After a packet is forwarded to the end PE, the end PE inspects the label of the packet and finds the right VSI for the packet in the label table, then the physical egress of the MAC is found in the MAC table of the VSI, and the label of the packet is popped. Finally the packet is forwarded from the appropriate physical port.


    Key Technology

    In the VPLS, the service provider network simulates the bridge equipment, and the PE performs MAC address learning. To forward packets, the PE must be able to associate the destination MAC address with the PW. The PE learns the remote MAC address through the PW, and learns the MAC address of direct access through the AC.

    MAC address from the remote PE: recorded as MAC -> LSR-ID of the remote PE

    MAC from the local CE: recorded as MAC -> corresponding interface of the VSI

    MAC Address Learning


    Key Technology

    MAC Address Learning and Flooding

    [Figure: three PEs joined by pseudo wires PW1 and PW2. The host with MAC A (IP 1.1.1.2) sends an ARP Broadcast and the host with MAC B (IP 1.1.1.3) returns an ARP Response. VSI MAC tables shown (VSI, MAC, PORT): one PE holds VPN1, A, Vlan10,port1 and VPN1, B, PW1; one PE holds VPN1, A, PW2; one PE holds VPN1, A, PW1 and VPN1, B, Vlan10,port1.]

    I) Source MAC address learning

    To forward packets, the PE needs to create the MAC forwarding table. This differs from the BGP VPN, which uses the route distribution mechanism to create the routing table and works on the control plane. VPLS uses the standard bridge learning function to create the forwarding table, performed by the forwarding plane. The method for creating the MAC forwarding table is MAC address learning, which covers both packets from the user side and packets from the PW. The outgoing interface of a MAC address learnt from a PW must be set to the corresponding outgoing direction of that PW. The MAC address learning process consists of two parts:

    A. Remote MAC address learning associated with the PW

    Because the PW consists of one pair of unidirectional VC LSPs (the PW is deemed UP only when the VC LSPs in both directions are UP), when an unknown MAC address is learnt from the VC LSP of the incoming direction, the PW must map that MAC address to the VC LSP of the outgoing direction.

    B. Local MAC address learning of the port directly connected to the user

    For an L2 packet submitted by the CE, the source MAC address in the packet must be learnt against the corresponding port of the VSI.

    II) MAC address aging

    The remote MAC addresses learnt by the PE must have an aging mechanism to remove the entries related to VC labels that are no longer used. When a packet is received, the appropriate aging timer is reset according to its source address. Similarly, the MAC addresses learnt in the local VSI must all undergo the aging process.


    Key Technology

    Qualified: The PE learns MAC addresses according to the MAC addresses of Ethernet packets and VLAN tags, that is, based on every VLAN of every VSI. In this mode, every VLAN forms its own broadcast domain and has its own independent MAC address range.

    Unqualified: The PE learns MAC addresses according to the MAC addresses of Ethernet packets, that is, based on every VSI. In this mode, all VLANs share a broadcast domain and a MAC address range. The MAC address of a VLAN must be unique, and no overlapping addresses may exist.

    Two modes of MAC address learning

    One feature of the Ethernet network is that broadcast packets, multicast packets and unicast packets with unknown destination MAC addresses are sent to all the other ports on the same Ethernet segment.

    In VPLS, the service provider network simulates network bridge devices and the PE performs MAC address learning. The PE must associate the destination MAC address with a PW to forward packets. The PE learns remote MAC addresses through the PW and directly connected MAC addresses through the AC.

    There are two modes of MAC address learning:

    Qualified: The PE learns MAC addresses according to the MAC addresses of Ethernet packets and VLAN tags, that is, based on every VLAN of every VSI. In this mode, every VLAN forms its own broadcast domain and has its own independent MAC address range.

    Unqualified: The PE learns MAC addresses according to the MAC addresses of Ethernet packets, that is, based on every VSI. In this mode, all VLANs share a broadcast domain and a MAC address range. The MAC address of a VLAN must be unique, and no overlapping addresses may exist.


    Key Technology

    If the PE receives a broadcast sent by the local customer, it forwards it to all other ports and PEs of the same VPLS.

    If the PE receives a broadcast sent by a remote PE, it forwards it to directly connected VPLS customers, not to other PEs.

    For a packet whose destination MAC address is a non-broadcast address, if the PE has not learnt that MAC address, the PE broadcasts the packet.

    Broadcast Traffic Forwarding

    If the PE receives a broadcast flow sent by the local customer, it forwards it to all other ports and PEs of the same VPLS.

    If the PE receives a broadcast flow sent by a remote PE, it forwards it to directly connected VPLS customers, not to other PEs.

    For a packet whose destination MAC address is a non-broadcast address, if the PE has not learnt that MAC address, the PE broadcasts the packet.
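    The learning, aging and flooding rules from the Key Technology slides combined into one forwarding function, as an added example that is not part of the original slides. The `VSI` class, its method names and the 300-second aging time are assumptions; the port names `Vlan10,port1`, `PW1` and `PW2` are borrowed from the MAC table figure.

```python
class VSI:
    """One Virtual Switch Instance on a PE (port names are constructed)."""

    def __init__(self, ac_ports, pws, qualified=False, aging_seconds=300):
        self.ac_ports = set(ac_ports)       # attachment circuits towards local CEs
        self.pws = set(pws)                 # pseudo wires towards remote PEs
        self.qualified = qualified          # True: learn per (VLAN, MAC); False: per MAC
        self.aging_seconds = aging_seconds  # assumed value, not taken from the slides
        self.mac_table = {}                 # key -> (port, time last seen)

    def _key(self, mac, vlan):
        return (vlan, mac.lower()) if self.qualified else mac.lower()

    @staticmethod
    def _is_group(mac):
        # Broadcast and multicast addresses have the low bit of the first octet set.
        return int(mac.split(":")[0], 16) & 1 == 1

    def age_out(self, now):
        """Drop entries whose source has not been seen for aging_seconds."""
        self.mac_table = {k: (port, seen) for k, (port, seen) in self.mac_table.items()
                          if now - seen < self.aging_seconds}

    def receive(self, in_port, src, dst, vlan, now):
        """Learn src on in_port, then return the sorted list of egress ports."""
        if in_port not in self.ac_ports and in_port not in self.pws:
            raise ValueError(f"{in_port} is not bound to this VSI")
        self.age_out(now)
        if not self._is_group(src):
            # Learning (or refreshing) resets the aging timer for this source.
            self.mac_table[self._key(src, vlan)] = (in_port, now)
        from_pw = in_port in self.pws
        entry = None if self._is_group(dst) else self.mac_table.get(self._key(dst, vlan))
        if entry is not None:
            out_port = entry[0]
            # Known unicast: one egress port. With a full PW mesh, a frame that
            # arrived on a PW is never sent back into another PW.
            if out_port == in_port or (from_pw and out_port in self.pws):
                return []
            return [out_port]
        # Broadcast, multicast or unknown unicast: flood. Frames from a local CE
        # go to all other ACs and all PWs; frames from a PW go to ACs only.
        targets = set(self.ac_ports)
        if not from_pw:
            targets |= self.pws
        targets.discard(in_port)
        return sorted(targets)
```

    Running the same MAC address on two VLANs through an unqualified VSI overwrites the first entry, which is the reason the slides require unique MAC addresses in that mode.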


    Key Technology

    802.1Q tag, Ethernet access (also known as QinQ access): The PE of the carrier ignores the 802.1Q tag in the user packets, and selects their home VPNs according to the QinQ VLAN. This mode requires intervention in the VLAN planning of the user, and one PE allows the VLAN overlapping of different CEs.

    VLAN access: The carrier allocates a user a VLAN for access, and all the packets of the user must carry the tag of that VLAN when sent to the PE. Otherwise, communication is impossible. This mode requires intervention in the user VLAN planning, and one PE does not allow the VLAN overlapping of different CEs.

    Packet Encapsulation on AC


    Thank You