introduction to l2vpns - twaren
INTRODUCTION TO L2VPNS
© 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential. AGG-1000
Introduction to Layer 2 and Layer 3 VPN Services
• Layer 2 and Layer 3 VPN Services are offered from the edge of a network
[Figure: CE devices attach to PE devices at the edge of a common IP backbone. Layer 3 VPN: link comprised of IP traffic passed over the IP backbone. Layer 2 VPN: passes Ethernet, ATM, Frame Relay, PPP or HDLC traffic over the IP backbone.]
VPN Technology Variants: VPN Forwarding Decisions, SP Relationship
What Information Is Relevant in Forwarding Customer Traffic?
LAYER 3 VPNS
• Provider devices forward customer packets based on Layer 3 information (e.g., IP)
• SP involvement in routing
• MPLS/BGP VPNs (RFC 2547), MPLS VPN over IP, GRE, virtual router approaches
LAYER 2 VPNS
• Provider devices forward customer packets based on Layer 2 information
• Tunnels, circuits, LSPs, MAC address
• “Pseudowire” concept
What Is an L2VPN? L2VPN Network Service Functions
[Figure: layered view of the L2VPN service model]
• Services: VPWS (Virtual Private Wire Service): point-to-point switched frame transport over a pseudowire. VPLS (Virtual Private LAN Service): any-to-any switched frame transport service over a pseudowire using customer MACs for forwarding
• Pseudowires: AToM, L2TPv3
• Attachment circuit types: FR, ATM (AAL5 and Cell), Ethernet, PPP/HDLC
• Network service functions: Multipoint Replication, Interworking, Peer Discovery, Directory, Attachment and Extension VCs, QoS, High Availability, Security, Network Management
Pseudowires: VPWS Reference Model
A Pseudowire (PW) Is a Connection Between Two Provider Edge (PE) Devices Which Connects Two Pseudowire End-Services (PWESs) of the Same Type
[Figure: customer sites attach to a PWES on each PE; the pseudowire runs between the PEs inside a PSN tunnel, and together they form the emulated service.]
Service Types (PWES):
• Ethernet
• 802.1Q (VLAN)
• ATM VC or VP
• HDLC
• PPP
• Frame Relay VC
Virtual Private Wire Service (VPWS): Customer Perspective
• Point-to-point connections between Provider Edge (PE) nodes
• Same look and feel as existing L2 PVCs (i.e., Frame Relay point-to-point)
• Service provider simply forwards incoming frames based on Layer 2 information (i.e., DLCI, VLAN tag, VPI/VCI, etc.)
[Figure: CE1 to CE5 joined by point-to-point pseudowires across the provider network.]
VPLS Reference Model
A Full Mesh of Pseudowires (PW) Is Used to Connect All Provider Edge (PE) Devices Which Support a Given VPLS VPN
[Figure: customer sites attach to PEs over Ethernet attachment VCs; the PEs are joined by a full mesh of pseudowires across the MPLS core.]
Virtual Private LAN Service (VPLS): Customer Perspective
• Multipoint-to-multipoint configuration
• Forwarding of frames based on learned MAC addresses
• Uses a Virtual Switching Instance (VSI) for customer separation
[Figure: CE1 to CE4 attached to PEs; all PEs appear connected on a common switch.]
Service Offerings: L2VPN Transport Services
Attachment     VPWS                                                    VPLS
Ethernet       Ethernet Wire Service (EWS), unmuxed UNI                Ethernet Multipoint Service (EMS), unmuxed UNI
               Ethernet Relay Service (ERS), muxed UNI                 Ethernet Relay Multipoint Service (ERMS), muxed UNI
PPP/HDLC       PPP/HDLC over Pseudowire, unmuxed UNI
Frame Relay    FR over Pseudowire, muxed UNI
ATM            AAL5 over Pseudowire, muxed UNI
               Cell Relay w/ packing over Pseudowire, muxed UNI
OTHER VARIANTS…
L2 VPN Service Comparison
                                  VPWS                                          VPLS
Service Provider Core Protocol    IP and MPLS                                   MPLS
Customer Protocol Support         Any                                           Any
Routing Involvement by SP         No                                            No
L2 Encap Types                    Any (FR, ATM/Cell, Ethernet/VLAN, HDLC, PPP)  Ethernet Only
Connection Type                   Point-to-Point (at L2)                        Multipoint-to-Multipoint (at L2)
Summary of Benefits for L2VPNs
• New Service Opportunities: virtual leased line service; offer a “PVC like” Layer 2 based service
• Reduced Cost: consolidate multiple core technologies into a single packet-based infrastructure
• Simplify Services: Layer 2 transport provides options for Service Providers who need to provide L2 connectivity and maintain customer autonomy
• Protect Existing Investments: greenfield networks can extend customer access to existing Layer 2 networks without deploying an old-world infrastructure
• Feature Support: through the use of Cisco IOS® features such as IPsec, QoS, and Traffic Engineering, L2 transport can be tailored to meet customer requirements
ANY TRANSPORT OVER MPLS (AToM) OVERVIEW
VPWS: Any Transport over MPLS (AToM)
[Figure: Frame Relay, ATM, leased line and Ethernet attachment circuits on both sides of an MPLS core, carried by AToM.]
• AToM is Cisco’s implementation of VPWS for MPLS networks
• Provides the ability to transport Layer 2 traffic such as ATM, FR, Ethernet, PPP, and HDLC across MPLS packet-based core networks
• A standards-track open architecture allows extensibility to many transport types
• AToM, combined with Cisco IOS® QoS and MPLS traffic engineering, allows service providers to offer “virtual leased line” types of services
• Service provider does not participate in customer routing
VC Label Negotiation with Directed LDP
[Figure: a CE attached to PE1 and a CE attached to PE2 by attachment circuits; an LSP across the IP/MPLS core; the directed LDP session and the pseudowire run between PE1 and PE2.]
1. Attachment circuit configured with peer address and VC ID
2. PE1 starts directed LDP session with PE2 if one does not already exist
3. PE1 allocates VC label for new circuit and binds to configured VC ID
4. PE1 sends LDP label mapping message containing VC FEC TLV and VC label TLV
5. PE2 receives VC FEC TLV and VC label TLV that matches local VCID
6. PE2 repeats steps 1-5 so that bidirectional label/VCID mappings are established
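The six steps above, as an added Python model that is not part of the deck and not Cisco code. No real LDP session is opened; two PE objects hand each other in-memory label mapping messages. The FEC element is encoded in the PWid FEC (type 0x80) layout of RFC 4447 with the PW type codes of RFC 4446, which is an assumption about the “VC FEC TLV” the slide names; the PE addresses, VC IDs and label ranges are constructed. The point a defender should take from it is step 5: a mapping is installed only when the VC ID, the sending peer and the PW type all match a locally configured circuit, and a mismatched circuit never comes up.

```python
"""Model of the VC label negotiation steps 1-6 between PE1 and PE2 (constructed example)."""
import struct

PWID_FEC_TYPE = 0x80
PW_TYPE_FR_DLCI = 0x0001   # RFC 4446 PW type codes
PW_TYPE_ETHERNET = 0x0005


def encode_pwid_fec(pw_type, vc_id, group_id=0, control_word=False):
    """PWid FEC element: type | C bit + PW type | PW info length | group ID | PW ID (VC ID)."""
    c_and_type = (int(control_word) << 15) | (pw_type & 0x7FFF)
    return struct.pack("!BHBII", PWID_FEC_TYPE, c_and_type, 4, group_id, vc_id)


def decode_pwid_fec(data):
    fec_type, c_and_type, _info_len, group_id, vc_id = struct.unpack("!BHBII", data[:12])
    if fec_type != PWID_FEC_TYPE:
        raise ValueError("not a PWid FEC element")
    return {"pw_type": c_and_type & 0x7FFF, "control_word": bool(c_and_type >> 15),
            "group_id": group_id, "vc_id": vc_id}


class PE:
    def __init__(self, address, label_base):
        self.address = address
        self.next_label = label_base      # next free label in this PE's (constructed) VC label range
        self.circuits = {}                # vc_id -> (peer address, PW type)
        self.local_labels = {}            # vc_id -> label advertised to the peer
        self.remote_labels = {}           # vc_id -> label learned from the peer
        self.sessions = set()
        self.log = []

    def configure_xconnect(self, vc_id, peer_address, pw_type):
        """Step 1: attachment circuit configured with peer address and VC ID."""
        self.circuits[vc_id] = (peer_address, pw_type)

    def ensure_session(self, peer):
        """Step 2: start a directed LDP session with the peer if one does not already exist."""
        if peer.address not in self.sessions:
            self.sessions.add(peer.address)
            peer.sessions.add(self.address)
            self.log.append(f"directed LDP session {self.address} <-> {peer.address}")

    def advertise(self, vc_id, peer):
        """Steps 3-4: allocate a VC label, bind it to the VC ID, send the label mapping."""
        _peer_address, pw_type = self.circuits[vc_id]
        label = self.next_label
        self.next_label += 1
        self.local_labels[vc_id] = label
        mapping = {"src": self.address, "fec": encode_pwid_fec(pw_type, vc_id), "label": label}
        return peer.receive_mapping(mapping)

    def receive_mapping(self, mapping):
        """Step 5: install the binding only if the FEC matches a locally configured circuit."""
        fec = decode_pwid_fec(mapping["fec"])
        vc_id = fec["vc_id"]
        if vc_id not in self.circuits:
            self.log.append(f"reject VC ID {vc_id}: no local attachment circuit")
            return False
        peer_address, pw_type = self.circuits[vc_id]
        if mapping["src"] != peer_address:
            self.log.append(f"reject VC ID {vc_id}: mapping from unconfigured peer {mapping['src']}")
            return False
        if fec["pw_type"] != pw_type:
            self.log.append(f"reject VC ID {vc_id}: PW type {fec['pw_type']:#06x} != local {pw_type:#06x}")
            return False
        if not 16 <= mapping["label"] < 2 ** 20:   # labels 0-15 are reserved
            self.log.append(f"reject VC ID {vc_id}: label {mapping['label']} out of range")
            return False
        self.remote_labels[vc_id] = mapping["label"]
        return True


def bring_up_pseudowire(pe1, pe2, vc_id):
    """Step 6: PE2 repeats steps 3-5, so both directions must succeed for the PW to come up."""
    pe1.ensure_session(pe2)
    return pe1.advertise(vc_id, pe2) and pe2.advertise(vc_id, pe1)


def demo():
    pe1, pe2 = PE("10.0.0.1", label_base=100), PE("10.0.0.2", label_base=200)
    pe1.configure_xconnect(1002, "10.0.0.2", PW_TYPE_ETHERNET)
    pe2.configure_xconnect(1002, "10.0.0.1", PW_TYPE_ETHERNET)
    pe1.configure_xconnect(1003, "10.0.0.2", PW_TYPE_ETHERNET)   # misconfigured: far end is FR
    pe2.configure_xconnect(1003, "10.0.0.1", PW_TYPE_FR_DLCI)
    return {"vc1002_up": bring_up_pseudowire(pe1, pe2, 1002),
            "vc1003_up": bring_up_pseudowire(pe1, pe2, 1003),
            "pe1_pushes": pe1.remote_labels.get(1002),   # VC label PE1 puts on frames toward PE2
            "pe2_pushes": pe2.remote_labels.get(1002),
            "rejections": pe1.log + pe2.log}
```

Each PE pushes the label the other side advertised, so the two directions of one pseudowire carry different VC labels; the logs in the result show why VC 1003 stays down.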
AToM Traffic Encapsulation
• Three-level encapsulation
• Packets switched between PEs using top (tunnel) label
• VC label identifies PW
• VC label negotiated between PEs with directed LDP
• Optional control word carries Layer 2 control bits and enables sequencing
Packet layout (32-bit words, bits 0-31):
Tunnel Label (LDP / RSVP) | EXP | S=0 | TTL
VC Label (VC)             | EXP | S=1 | TTL (set to 2)
Control Word: 0 0 0 0 | Flags | FRG | Length | Sequence number
Layer 2 PDU
Control Word Required:
Encap.   Control Word
Eth      No
FR       Yes
HDLC     No
PPP      No
AAL5     Yes
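The encapsulation on this slide, as an added Python example that is not part of the deck and not Cisco code. It packs the three levels exactly as drawn (tunnel label with S=0, VC label with S=1 and TTL 2, control word as 0000 | Flags | FRG | Length | Sequence, then the Layer 2 PDU), applies the control-word table for the encapsulation type, and parses the result the way an egress PE would. Label values, the Ethernet frame and the Frame Relay frame are constructed sample data.

```python
"""AToM three-level encapsulation: tunnel label, VC label, optional control word, L2 PDU."""
import struct

# Per the slide: the control word is required for FR and AAL5, not for Eth/HDLC/PPP.
CONTROL_WORD_REQUIRED = {"ethernet": False, "frame-relay": True, "hdlc": False,
                         "ppp": False, "aal5": True}


def label_entry(label, exp, bottom, ttl):
    """One 32-bit label stack entry: Label(20) | EXP(3) | S(1) | TTL(8)."""
    if not (0 <= label < 2 ** 20 and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("label stack field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def parse_label_entry(raw):
    (v,) = struct.unpack("!I", raw)
    return {"label": v >> 12, "exp": (v >> 9) & 0x7, "bottom": bool((v >> 8) & 1), "ttl": v & 0xFF}


def control_word(flags, frg, length, seq):
    """Control word: 0000 | Flags(4) | FRG(2) | Length(6) | Sequence number(16)."""
    if not (flags < 16 and frg < 4 and length < 64 and seq < 2 ** 16):
        raise ValueError("control word field out of range")
    return struct.pack("!I", (flags << 24) | (frg << 22) | (length << 16) | seq)


def encapsulate(tunnel_label, vc_label, l2_pdu, encap, exp=0, seq=0, flags=0):
    """Ingress PE: push tunnel label, VC label (S=1, TTL=2) and, if required, a control word."""
    stack = label_entry(tunnel_label, exp, False, 255) + label_entry(vc_label, exp, True, 2)
    if not CONTROL_WORD_REQUIRED[encap]:
        return stack + l2_pdu
    length = len(l2_pdu) if len(l2_pdu) < 64 else 0   # Length is only set for short (padded) PDUs
    return stack + control_word(flags, 0, length, seq) + l2_pdu


def decapsulate(packet, encap):
    """Egress PE: pop entries until S=1 (the VC label), then the control word if the PW uses one."""
    offset, labels = 0, []
    while True:
        labels.append(parse_label_entry(packet[offset:offset + 4]))
        offset += 4
        if labels[-1]["bottom"]:
            break
    cw = None
    if CONTROL_WORD_REQUIRED[encap]:
        (v,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
        if v >> 28 != 0:
            raise ValueError("control word must start with 0000")
        cw = {"flags": (v >> 24) & 0xF, "frg": (v >> 22) & 0x3,
              "length": (v >> 16) & 0x3F, "seq": v & 0xFFFF}
    return {"labels": [e["label"] for e in labels], "vc_ttl": labels[-1]["ttl"],
            "control_word": cw, "pdu": packet[offset:]}


# Constructed sample payloads: a broadcast Ethernet frame and a short Frame Relay frame.
ETH_FRAME = bytes.fromhex("ffffffffffff" "00005e0053ab" "0800") + bytes(46)
FR_FRAME = bytes.fromhex("1841") + b"hello"   # Q.922 address field for DLCI 100, then data


def demo():
    eth = decapsulate(encapsulate(17, 300, ETH_FRAME, "ethernet"), "ethernet")
    fr = decapsulate(encapsulate(17, 301, FR_FRAME, "frame-relay", seq=7), "frame-relay")
    # After penultimate-hop popping the egress PE sees only the VC label; drop the first entry.
    php = decapsulate(encapsulate(17, 301, FR_FRAME, "frame-relay", seq=7)[4:], "frame-relay")
    return eth, fr, php
```

The leading 0000 nibble of the control word is what keeps a core router from mistaking the start of the Layer 2 payload for an IPv4 or IPv6 header when it hashes past the label stack; the parser rejects any control word that does not carry it.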
AToM: XConnect CLI Components
Two ways to configure:
- xconnect <target PE>
- mpls l2transport route <target PE>
ldp-enabled
- Defines LDP as label protocol
- Globally defined
pseudowire-class (optional)
- Characteristics template for PWs
- Tunneling mechanism
- Data plane encapsulation type
Example:
! Global: LDP as the label protocol, loopback 0 as the LDP router ID
mpls label protocol ldp
mpls ldp router-id loopback 0 force
! Pseudowire class: MPLS encapsulation, sequencing in both directions
pseudowire-class atom_default
 encapsulation mpls
 sequencing both
! Attachment circuit: VLAN 500 subinterface, cross-connected to VC ID 1002 on PE 172.18.255.3
! (the policy-map vlan-hi-priority is assumed to exist; the xconnect must reference the pw-class defined above)
interface FastEthernet5/1.500
 encapsulation dot1Q 500
 service-policy input vlan-hi-priority
 xconnect 172.18.255.3 1002 pw-class atom_default
ATTACHMENT CIRCUITS
Frame Relay and ATM Support in AToM
Frame Relay
• Two main transport modes: Port-to-Port or DLCI-to-DLCI
• LMIs carried transparently for Port-to-Port
• LMIs terminated for DLCI-to-DLCI with remote notifications via LDP
• Multiple FR encapsulation support
• Multiple LMI support
ATM
• Two encapsulations: AAL5 and Cell Relay
• Single or multiple Cell Relay supported
• AAL5 supported in VC mode
• Cell Relay in VC/VP and Port modes
• OAM traffic carried transparently
• AAL5 mode may perform OAM emulation
Ethernet/HDLC/PPP Support in AToM
Ethernet
• Two main transport modes: VLAN and Port
• VLAN mode requires 802.1Q
• VLAN mode supports VLAN ID rewrite
• Supports Ethernet speeds of 10/100/1000 Mbps
PPP/HDLC
• No special restrictions on HDLC traffic
• PEs do not participate in PPP negotiation
• PPP negotiation requires attachment circuit compatibility
PSEUDOWIRE REDUNDANCY
Pseudowire Service Failure Points
[Figure: CE1 - PE1 - Packet Switch Network (IP or MPLS) - PE2 - CE2, with the pseudowire between PE1 and PE2 and failure points 1-4 marked along the path.]
1. PSN failure due to end-to-end routing failure
2. PE failure due to HW or SW fault
3. Attachment circuit failure due to line break
4. CE failure due to HW or SW fault
Redundancy Problem Statement
• Service Provider desires to build in pseudowire redundancy so that if the service becomes unavailable, it can quickly be migrated over to another point in the service provider’s network or the customer’s network
• Let us assume that only one end of the network (e.g. hub site) justifies the allocation of redundancy
• This type of redundancy is end-to-end redundancy
• Can be used with other availability techniques such as SSO/NSF and FRR
Pseudowire Redundancy: Single Side Full Redundancy
Pro:
• Addresses faults in the four key areas of a PW implementation
• Reduces the number of PWs that must be active at a given time, so the scale impact is reduced compared to the full redundancy solution
Con:
• Redundant CE/PE required; this increases the cost of the solution
[Figure: CE1 attaches to PE1; across the packet switch network (IP or MPLS) a primary pseudowire runs to PE2a (attachment circuit to CE2a) and a redundant pseudowire to PE2b (attachment circuit to CE2b).]
Redundancy Features
• Configure one redundant PE endpoint
• Switch to the redundant PE based on a failure detection mechanism. The failure mechanism must be able to detect a failure in the PSN, the remote PE, or the remote PE-CE connection
• Ability to manually start the switchover to the redundant device
• After a failure, the implementation will be able to detect when a primary PE becomes available and switch back to that device
• Must support some type of dampening technique so as to not switch back and forth between PEs during periods of instability. The dampening algorithm allows for timers for “switchover” and “fallback”
Failure Identification
• Attachment circuit failure can be detected by interface condition (up/down/LOS) or integrated LMI notification
• Pseudowire failure for AToM is discovered by LDP timeout
• L2TPv3 pseudowire failure is identified by control plane keepalive failure
• In the near future we are looking at expediting the failure detection by using an automated BFD over pseudowire VCCV
L2VPN VPWS Redundancy CLI
• One-sided CLI: the redundancy information is only configured on the PE that sees multiple peers
• Multiple redundant peers may be specified; each peer may have a different priority
• ‘enable-delay’ sets the amount of time a failure must persist before performing switchover
• ‘disable-delay’ sets the amount of time the primary VC must be available before falling back to the primary VC
• ‘never’ disables fallback to the primary after a switchover. Fallback will only occur if the secondary goes down
• Currently, all peers must be of the same type, i.e. MPLS pseudowires or L2TP pseudowires; no mix and match allowed. This is enforced by not allowing the pw-class encapsulation types to be different. Note: if the pw-class is not specified in the backup statements, it will be inherited from the parent xconnect
Configuration CLI:
xconnect <ip-addr> <vcid> pw-class <name>
 backup peer <ip-addr> <vcid> <pw-class <x>> priority <value>
 backup delay <enable-delay> <disable-delay | never>
L2VPN VPWS Redundancy CLI (Cont.)
• This new xconnect command is available from the exec prompt. The IP address and VCID should match the values of the xconnect the customer wishes to switch over to. When entered by the user, this command will locate the xconnect configuration associated with the IP address/VCID and generate a switchover event to the redundancy manager for this VC
“Manual switchover” CLI:
Router> xconnect backup force-switchover peer <ip-addr> <vcid>
Router> xconnect backup force-switchover interface <ifcname>
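The switchover, fallback and dampening behaviour described on the two redundancy CLI slides, as an added Python model that is not part of the deck and not Cisco’s redundancy manager. It follows the semantics stated above for ‘backup peer ... priority’, ‘backup delay <enable-delay> <disable-delay | never>’ and the exec-mode force-switchover, and runs them over a scripted one-second timeline of up/down events. The peer addresses, the VC ID, the timer values and the rule that a lower priority value is the preferred backup are constructed assumptions.

```python
"""Redundancy manager model for a VPWS xconnect with backup peers (constructed example)."""
from dataclasses import dataclass


@dataclass
class Peer:
    address: str
    vc_id: int
    priority: int = 0   # assumption: lower value is the preferred backup


class RedundancyManager:
    def __init__(self, primary, backups, enable_delay, disable_delay):
        self.primary = primary
        self.backups = sorted(backups, key=lambda p: p.priority)
        self.enable_delay = enable_delay     # seconds a failure must persist before switchover
        self.disable_delay = disable_delay   # seconds the primary must be up before fallback, or "never"
        self.up = {p.address: True for p in [primary, *backups]}
        self.active = primary
        self.primary_down_since = None
        self.primary_up_since = None
        self.transitions = []                # (time, address of the new active peer)

    def set_state(self, now, address, is_up):
        """Failure-detection input (LDP timeout, keepalive loss, AC state) for one peer."""
        self.up[address] = is_up
        if address == self.primary.address:
            self.primary_down_since = None if is_up else now
            self.primary_up_since = now if is_up else None

    def _best_backup(self):
        return next((b for b in self.backups if self.up[b.address]), None)

    def _switch(self, now, target):
        if target is not None and target is not self.active:
            self.active = target
            self.transitions.append((now, target.address))

    def force_switchover(self, now, address):
        """Models 'xconnect backup force-switchover peer <ip-addr> <vcid>' from the exec prompt."""
        target = next((p for p in [self.primary, *self.backups] if p.address == address), None)
        if target is not None and self.up[address]:
            self._switch(now, target)

    def step(self, now):
        """Evaluate the timers once per second, after that second's events were applied."""
        if self.active is self.primary:
            # enable-delay: the primary failure must persist before switching over
            if (self.primary_down_since is not None
                    and now - self.primary_down_since >= self.enable_delay):
                self._switch(now, self._best_backup())
        elif not self.up[self.active.address]:
            # The secondary itself failed: return to the primary if it is up, else the next backup.
            self._switch(now, self.primary if self.up[self.primary.address] else self._best_backup())
        elif (self.disable_delay != "never" and self.primary_up_since is not None
              and now - self.primary_up_since >= self.disable_delay):
            # disable-delay: the primary must stay up this long before fallback
            self._switch(now, self.primary)


def simulate(disable_delay):
    """Run a constructed failure timeline and return the switchover history."""
    primary = Peer("10.0.0.2", 1002)
    backups = [Peer("10.0.0.3", 1002, priority=1), Peer("10.0.0.4", 1002, priority=5)]
    mgr = RedundancyManager(primary, backups, enable_delay=5, disable_delay=disable_delay)
    # (time: peer address, up?) -- a 2 s blip, a real outage, a flap during fallback, a backup loss
    timeline = {2: ("10.0.0.2", False), 4: ("10.0.0.2", True), 10: ("10.0.0.2", False),
                17: ("10.0.0.2", True), 25: ("10.0.0.2", False), 30: ("10.0.0.2", True),
                55: ("10.0.0.3", False)}
    for now in range(0, 61):
        if now in timeline:
            mgr.set_state(now, *timeline[now])
        mgr.step(now)
    return mgr.transitions


if __name__ == "__main__":
    print(simulate(20))        # [(15, '10.0.0.3'), (50, '10.0.0.2')]
    print(simulate("never"))   # [(15, '10.0.0.3'), (55, '10.0.0.2')]
```

The 2 s blip at t=2 never triggers a switchover because it clears inside the 5 s enable-delay, and the flap at t=25 restarts the 20 s disable-delay, so fallback lands at t=50 rather than t=37; with ‘never’ the circuit stays on the backup until that backup itself fails at t=55.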