Professional Documents
Culture Documents
Module 0 Page 1
Module Overview
Module 0 |
Module 0 Page 2
Objectives
ALCATEL-LUCENT
NETWORK ROUTING SPECIALIST I
ALCATEL-LUCENT
NETWORK ROUTING SPECIALIST II
ALCATEL-LUCENT
ALCATEL-LUCENT
TRIPLE PLAY ROUTING PROFESSIONAL MOBILE ROUTING PROFESSIONAL
36 DAYS / 8 COURSES / 8 WRITTEN EXAMS /
1 PRACTICAL LAB EXAM
ALCATEL-LUCENT
SERVICE ROUTING ARCHITECT
49 DAYS / 11 COURSES / 11 WRITTEN EXAMS / 2 PRACTICAL LAB EXAMS
Module 0 |
Module 0 Page 3
Module 0 |
Module 0 Page 4
Exam Number
Exam Pre-requisites
(4A0-XXX)
4A0-100
NA
4A0-101
NA
4A0-102
NA
Exam Name
4A0-103
NA
4A0-104
NA
4A0-105
NA
4A0-106
NA
4A0-107
NA
4A0-108
NA
4A0-109
NA
4A0-110
NA
4A0-M01
NA
4A0-M02
NA
NRSII4A0
MRP4A0
ASRA4A0
100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110,
NRSII4A0
Module 0 |
Module 0 Page 5
Exam Delivery
Written Exams
Delivered by Prometric
Global provider of testing services
5000+ test sites worldwide
Lab Exams
Written at Alcatel-Lucent sites
NRS II Certification
Half-day lab exam
SRA Certification
Full-day lab exam
Module 0 |
Module 0 Page 6
Register at:
www.prometric.com/alcatel-lucent
Plano, USA
Europe
Ottawa, Canada
Mexico City, Mexico
Sao Paulo, Brazil
Antwerp, Belgium
Newport, UK
Paris, France
Class schedules posted @ www.alcatel-lucent.com/src
Registration online @ www.alcatel-lucent.com/srcreg
Module 0 |
Module 0 Page 7
Melbourne, Australia
Your Own Service Router Lab Now you can have one
Module 0 |
Module 0 Page 8
Module 0 |
Module 0 Page 9
Module 0 |
10
Module 0 Page 10
Module 0 |
11
Module 0 Page 11
Explain the concept of SAP and SDP and how they are used
Module 0 |
12
Module 0 Page 12
Day 1
Module 0 Course Introduction
Module 1 Services Overview and Implementation
Lab 1 IP/MPLS Infrastructure
Lab 2 - Distributed Epipe Service
Day 2
Module 2 Virtual Private Wire Service section 2 and 3
Module 3 Virtual Private LAN Service
Lab 3 VPLS Service
Lab 4 Spoke Termination to a VPLS
Module 0 |
13
Module 0 Page 13
Day 3
Module 4 OAM Tools and Mirroring Service
Lab 5 OAM Tools
Module 5 Layer 3 Services (Sections 1 and 2)
Lab 7 IES
Lab 8 VPLS Spoke Termination on IES
Day 4
Module 5 Layer 3 Services (Sections 3-6)
Lab 9 IPv4 VPRN
Lab 10 IPv6 VPRN
Module 0 |
14
Module 0 Page 14
Module 0 |
15
Notice that the BGP section of the ASIN course is one of the important topics required as a prerequisite for
the Virtual Private Routed Network sections of module 5.
Module 0 Page 15
Alcatel-Lucent 7750 SR
Customer sites
Generic switch
Internet
MP-BGP Update
Pipe
Network cloud
(various colors)
Module 0 |
16
Module 0 Page 16
IP router
Registration
Facility information
Restrooms
Communications
Materials
Schedule
Introductions
Name and company
Experience
Familiarity with Services Architecture
Questions
Module 0 |
17
Module 0 Page 17
Administration
www.alcatel-lucent.com
3HE-02770-AAAA-WBZZA Edition 01
Module 1 Page 1
Module Objectives
Module 1 |
Module 1 Page 2
Module 1 Page 3
Section Objectives
After successfully completing this section, you will be able to:
Describe the features of a service router
List the differences between a service router and a traditional
router
Module 1 |
Module 1 Page 4
Module 1 |
Module 1 Page 5
Module 1 |
A number of factors are driving service providers to evolve to a single network infrastructure that supports
the delivery of a wide variety of telecommunications services. These include:
High cost of maintaining and operating discrete legacy networks.
Service provider desire to continue to support high-revenue legacy services such as Frame Relay and
TDM.
Consumer demand for new services such as wireless data and streaming video.
Competitive market creating consumer expectations of higher bandwidth service at decreasing prices.
One approach to building a common infrastructure for deploying a wide range of telecommunication
services uses a core IP/MPLS network that supports a range of virtual private network (VPN) services.
Module 1 Page 6
Module 1 |
The Alcatel-Lucent 7750 SR product family was specifically designed to build a single network
infrastructure using a core IP/MPLS network that supports a range of virtual private network (VPN)
services
The Alcatel-Lucent 7750 SR has the ability to collapse separate overlay networks onto one platform while
still supporting an overlay model. Before we get into the details of the Alcatel-Lucent Service Router, we
need to understand what is meant by virtual private network (VPN)
Module 1 Page 7
Service:
A logical entity that refers to a type of connectivity (Internet, Layer 2 or
Layer 3 VPN)
Each service is uniquely identified by a service ID
Module 1 |
VPN is a network in which a service provider shared infrastructure is used to provide private services to its
customers. It is virtual since it does not require separate dedicated circuits between various locations, and
it is based on the logical as opposed to physical separation of the facilities. It is private in the sense that
customers can maintain their own addressing and routing schemes fully independent of and transparent to
other customers.
A service is a logical globally unique entity that provides a uniform, end-to-end configuration,
management, and billing model for provisioning either Internet or VPN connectivity between customer
access points; it can be either local or distributed.
Module 1 Page 8
Module 1 |
A service router is a scalable Internet router that offers best-effort Internet services as well as enables the
migration of traditional data services to a service-oriented architecture.
Existing Layer 3 switches and Internet routers were designed around interfaces or physical ports for besteffort packet forwarding. It is often the case that edge routers are old core/Internet routers with
channelized interfaces; traditional IP service platforms were designed for low-speed, best-effort consumer
services.
Alternately, the Alcatel-Lucent service router is designed primarily for use as a service router. The service
router delivers service-level-agreement-based services, also known as SLA-based services. A service
router such as the 7750 SR must support additional functionality including:
Quality of Service (QoS) - The ability to provide distinct levels of service depending on the customer,
application or service level agreement.
Accounting - The ability to measure the traffic and service delivered based on a specific customer or
service and perform logging and billing accordingly
Filtering The ability to restrict or monitor specific traffic, based on customer or service
Troubleshooting The ability to analyze and troubleshoot problems from the perspective of a specific
service
These capabilities are supported to a varying degree in traditional IP routers, but generally they are
oriented around the routers interfaces or physical ports. It can be difficult to apply these functions to a
specific service instance since many services may use the same port.
Module 1 Page 9
Module 1 |
10
The key component in a service network is the provider edge (PE) router that provides the interface
between the customer network and the core service provider network. All the service-specific functions are
found in the PE router
The service router functions as the PE router in a service network. It is a scalable, full function IP/MPLS
router that supports the full range of service types and customers and the additional service management
capabilities described earlier.
Access Routers typically support low-speed Internet access services and are not equipped to provide the
higher bandwidth required to meet future customer needs.
Core or Provider (P) routers support high-speed interfaces and are primarily designed to provide the
capacities for forwarding large quantities of data. Core routers are not well-suited for supporting the QoS,
bandwidth management and accounting functions needed by a service-edge router. These devices can be
connected to other PE or P routers. They will run a routing protocol for the purposes of internal routing in
the provider core using the providers choice of IP addressing.
Layer 2 or IP Service Switches were created in an attempt to enhance core routers; by increasing the
processing power, IP service switches provide services such as subscriber management and encryption.
However, the IP service switch does not support complete Internet routing functionality, nor does it provide
the same variety of routing policies that are available in a service edge router.
Module 1 Page 10
Mirroring services
Module 1 |
11
A variety of different service types are supported in a service network of Alcatel-Lucent 7750 SRs, based
on a common core of IP/MPLS technology. The different possible VPN services are:
Virtual Private Wire Service (VPWS) also known as Virtual Leased Lines (VLL) Layer 2 point-to-point
service.
Virtual Private LAN Service (VPLS) - Layer 2 multipoint-to-multipoint VPN
Virtual Private Routed Network (VPRN) - Layer 3 IP multipoint-to-multipoint VPN service as defined in
RFC 4364 (formerly RFC 2547bis)
In addition to the VPN based services, the 7750 SR supports the Internet Enhanced Service. IES is a
Layer 3 direct Internet access service where the customer is assigned an IP interface for Internet
connectivity.
Mirroring services - allows an operator to see the actual traffic on a customers service with a sniffer.
Mirror service be will be discussed later in module 4.
Module 1 Page 11
Module 1 |
12
Module 1 Page 12
Types of VPWS
Module 1 |
13
Module 1 Page 13
VPWS Advantages
Customers perspective:
Supports ATM, Frame Relay, TDM or Ethernet
Service provider (SP) network appears as a leased line between the two
customer locations
Module 1 |
14
Scalability the service provider can support thousands of customers per router
Flexibility many different services for different customers can be provided over a single core IP/MPLS
network
Module 1 Page 14
Module 1 |
15
Alcatel-Lucent supports Virtual Private LAN Service (VPLS) multipoint switched services. A VPLS is a
multipoint Layer 2 service that allows multiple customer sites to be connected in a single-switched domain
contained within a provider-managed IP/MPLS network. Customer sites in the VPLS appear to be on the
same LAN, even if the sites are geographically dispersed.
VPLS services switch traffic based on MAC addresses.
Module 1 Page 15
VPLS Advantages
Customers perspective:
It looks as if all sites appear to be connected to a single-switched
VLAN
Can operates over a single, local site or over multiple,
geographically-dispersed sites
Frames are only forwarded across the required links in the network
Service providers perspective:
The advantages to the service provider are similar to those of a
VPWS service
Module 1 |
16
Module 1 Page 16
Module 1 |
17
Module 1 Page 17
VPRN Advantages
Customers perspective:
Sites are connected to a private routed network administered by
the service provider for that customer only
The VPRN can operate over a single local site or over multiple
geographically-dispersed sites
Service providers perspective:
The advantages to the service provider are the same advantages as
for a VPWS or VPLS service
Module 1 |
18
Module 1 Page 18
Module 1 |
19
An Internet enhanced service (IES) is a routed connectivity service where the subscriber communicates
with a Layer 3 IP interface to send and receive Internet traffic.
The difference between the IES and a basic network interface is that the service provider can apply all
QoS, billing, ingress/egress shaping and policing available within a service to the IES interface.
Module 1 Page 19
The service provider can apply all billing, ingress/egress shaping and
policing to the customer
Module 1 Page 20
Section Objectives
After successfully completing this section, you will be able to:
Explain how customer data is transmitted across the service
provider network (MPLS vs. GRE tunnels)
Explain the encapsulation of service data with a service label and
transport label
Module 1 |
21
Module 1 Page 21
MPLS or GRE tunnels are used to transmit customer data across the service
provider network
Inner service label defines the service tunnel; outer transport label defines
the transport tunnel
Module 1 |
22
All the IP/MPLS VPN services described in section one use MPLS or GRE tunnels to transmit customer
data across the service provider network. When MPLS is used, customer data is encapsulated with two
MPLS labels; an outer transport label and an inner service label.
Alcatel-Lucent routers are connected to physical links that are used to carry traffic. When a service is set
up using MPLS, transport LSP tunnels are set up between provider edge, or PE, routers. Each service or
customer sends traffic through a service tunnel within the transport LSP tunnel. Transport tunnel LSPs are
identified by MPLS labels that are swapped at each intermediate router, also known as a transit LSR,
along the LSP from the ingress to the egress of the MPLS network.
The service label, or VC label, is used to identify which service or customer owns the packet. In the
identification process, the label is attached at the ingress point and does not change value as the packet
travels from ingress to egress.
Module 1 Page 22
Service tunnels:
MP-BGP or T-LDP are used to set up per-VPN service tunnels
Module 1 |
23
Typically the transport tunnel is an RSVP-TE or LDP signaled LSP although it may also be a GRE tunnel.
Because the customer data is MPLS-encapsulated, forwarding across the network is not based at all on
the customer data. The encapsulated data is simply forwarded to the tunnel egress, which is the egress
PE for the service.
In GRE the data is encapsulated with an IP header. The source IP address is the ingress PE router and
the destination address is the egress PE router. This header is used to route the packet across the
network. The customers data has no influence on forwarding while the packet is in the GRE tunnel. GRE
does not support traffic engineering futures that are available in MPLS
Our focus here is on the use of MPLS for transport tunnels.
Module 1 Page 23
GRE tunnel
Service (inner) label The service, or virtual circuit (VC) label that
identifies the service the packet belongs to
Control word Optional and primarily used for ATM or Frame Relay
services
Module 1 |
24
Module 1 Page 24
IP header and the GRE header are used instead of the MPLS transport label
The service provider routers use the GRE header to route the packet across
the network
Module 1 |
25
Module 1 Page 25
Module 1 |
26
Signaling protocols use LDP and/or RSVP-TE to set up LSPs, which can then be used for various service
tunnels.
Service labels are used to encapsulate and identify customer traffic belonging to a particular service. This
label is applied to the customer traffic before the transport label is applied. Service labels for VPLS and
VPWS services are signaled using T-LDP.
T-LDP is the same protocol as link LDP used for signaling transport labels with a few additional
capabilities added. Sessions are LDP sessions between non-directly connected peers. When a service
distribution point (SDP) is configured (SDP will be explained in the next section), automatic ingress and
egress labeling is enabled by default, and ingress and egress service labels are signaled over a T-LDP
connection. If signaling is turned off on an SDP, ingress and egress service labels must be manually
configured when the SDP is bound to a service.
In a VPRN service, MP-BGP is used to exchange customer routes across the VPRN. The BGP updates
also include a label for these routes.
Signaling is required between the PE routers in order to provide the necessary connectivity information
throughout the VPN. Two approaches exist to provide this end-to-end signaling information. One approach
is known as Martini Signaling and uses LDP, while the second approach is known as Kompella Signaling
and uses BGP. The Draft-Martini uses T-LDP between the PE routers to distribute VC labels. This
mechanism contains information such as the unique VC ID, the specific interface parameters and the VC
Type, such as ATM, Frame Relay and Ethernet. The PE routers use this information to build the
forwarding tables and set up the VC LSPs. The Draft-Kompella approach makes use of BGP between the
PE routers to advertise route distinguishers and route targets. This enables the receiving PE to determine
if the incoming BGP update is relevant for its VPN clients. If so, the receiving PE accepts the update and
populates the forwarding tables accordingly. Currently the Martini approach is more commonly used than
the Kompella Draft for signaling purposes.
Martini draft was standardized under RFC 4096. Draft-Kompella is obsolete and was not standardized.
Module 1 Page 26
TLDP/MPBGP
Module 1 |
27
The physical topology of the base is made up of four routers set up in series-form. The routers presented
in this slide are two PE routers, representing the edge of the service provider network, and two P routers,
representing the service provider core.
The service provider makes use of an IGP to propagate routing knowledge for PE-PE connectivity.
Either LDP or RSVP-TE is used for label propagation. Once each router has advertised its label
knowledge to the neighboring routers, a complete LSP will have been created.
Targeted (targeted) LDP or MP-BGP is then used to establish an end-to-end connection-oriented session,
providing the inner label. The inner label is used for service tunnel signaling.
Once we have signaled service labels and created a transport tunnel between the two PE endpoints, we
have created a service.
The difference between link LDP and T-LDP is that T-LDP is used for exchanging service label information
and the T-LDP peers do not need to be directly connected. Because they may not be directly connected, a
router must know the IP address of its T-LDP peer. It then sends its Hello messages to its peers unicast
address instead of the multicast address. Otherwise the process for establishing adjacencies and the
messages exchanged are the same as for link LDP.
LDP must be enabled to configure VPWS or VPLS services so that T-LDP can signal the service labels,
even if RSVP-TE is used for signaling the transport labels.
Module 1 Page 27
Module 1 |
28
Module 1 Page 28
Module 1 |
29
The core LSRs use information from the top label when switching the labeled frame across the MPLS
domain. It is possible that during this process, additional labels can be also be pushed along the way. The
egress LER infers from the VC label how to process the frame and then forwards it to the appropriate
outgoing port; however, the VC label is not visible until the frame reaches the egress LER due to the
MPLS tunneling hierarchy.
This slide shows the order of events that occur when signaling transport and service labels for a service
and then subsequently forwarding a packet. The control plane is right to left, while the data plane is left to
right (the traffic is sent from PE1 to PE2). It is important to note that the control and data planes are
always in opposite directions. For the purpose of this discussion it is assumed that IGP convergence has
already occurred.
LDP is enabled, which creates the outer service tunnel label. It should be noted that RSVP could
also have been used in this case. PE1 receives LDP label 217 from P1 and, therefore, uses label
217 as the label representing the LSP to PE2
T-LDP or MP-BGP is enabled, which creates an end-to-end connection-oriented session between
PE1 and PE2, and propagates the service label
A data packet arrives at PE1 and is encapsulated with both the outer label, learned through LDP,
as well as the service label, learned through T-LDP or MP-BGP
As the data packet traverses the P routers, the outer label is swapped while the inner label remains
unchanged
Upon receiving the data packet, the receiving PE, in this case PE2, removes the outer LDP label.
Then, prior to removing the inner label, the receiving PE maps it to the appropriate service.
The result is the original data packet, which is then forwarded to correct interface for the service,
and then on to the CE (not shown).
Note: the control plane / dataplane would be in the opposite direction for sending traffic from PE2 to PE1
Alcatel-Lucent Services Architecture v3.2
Module 1 Page 29
Module 1 Page 30
Section Objectives
After successfully completing this section, you will be able to:
Describe the main components required to configure Alcatel-Lucent
services (SAP, service ID, VC-ID, SDP)
Explain the concept of SAP and encapsulation identifier
Module 1 |
31
Module 1 Page 31
Module 1 |
32
The Alcatel-Lucent router is based on the service model where service edge routers are deployed at the
provider edge. Services are provisioned on the router and transported across an IP and/or IP/MPLS
provider core network in encapsulation tunnels, created using GRE or MPLS LSPs.
The service model uses logical service entities to construct a service. The logical service entities are
designed to provide a uniform, service-centric configuration, management and billing model for service
provisioning.
The service model is based on the following components:
Service access point (SAP) - The subscribers point of interface to the service network
Customer ID - A value associated with the service that can be used to group together a number of services
for reporting purposes
Service ID - The numeric value used on the 7750 SR to identify the service
Service Type The type of the service that is configured on the 7750 SR (VPWS, VPLS, VPRN, IES)
VC ID - Identifies the service when signaling the service labels. This value must match at both ends of the
service. The VC ID is usually the same as the service ID
Service distribution point (SDP) - A logical representation of the transport tunnel that will be used to deliver
the service data to the egress PE
Transport tunnel - This is the LSP used to transport the service data, typically signaled with RSVP-TE or LDP.
An SDP is associated with the transport tunnel
Service tunnel - This is the tunnel represented by the service labels signaled end-to-end by the two PEs that
are the service endpoints
Demultiplexer - Represents the operation of delivering the data arriving at the egress router to the appropriate
service based on the service label
Module 1 Page 32
Service Components
The customer ID for the service cannot be changed once the service is created
Module 1 |
33
Once a service has been created with a customer association, it is not possible to edit the customer
association; the service must be deleted and recreated with a new customer association. Once a service
is created, the use of the customer ID is optional for navigating into the service configuration context.
Attempting to edit a service with the incorrect customer ID specified will result in an error.
The customer must be created before the service is created. The customer ID for the service cannot be
changed once the service is created. Although it is recommended that a globally consistent value be used
for the customer ID, it is never signaled to other PEs and has no effect on the service.
Module 1 Page 33
Customer Creation
: 1
Contact
: (Not Specified)
Description
: Default customer
Phone
: (Not Specified)
Customer-ID
: 100
Contact
: (Not Specified)
Description
: VPWS_Customer
Phone
: 1-111-111-1111
------------------------------------------------------------------------------Total Customers : 2
Module 1 |
34
When using the CLI to configure services, a customer ID of 1 is used by default, but it is good practice to
configure specific customer IDs
Module 1 Page 34
Customers
Service Identifiers
Service ID - The numeric value used on the 7750 SR to identify the
service
A service is associated with a customer ID
Module 1 |
35
Service
The Alcatel-Lucent 7750 service router is a service-based router. All functionality revolves around the
concept of a service, where a service is a unique entity that refers to the type of connectivity for either
Internet (Layer 3), or VPN (Layer 2 or Layer 3) connectivity.
A service is considered to be any of the following:
VPWS, including apipe, epipe and fpipe
VPLS
VPRN
IES
Mirroring, which is used for management and troubleshooting
A service can be either a local service, in which case it must be defined and associated with two local
SAPs; or it can be distributed, in which case it must be defined and associated with a SAP and an SDP.
Local and distributed service will be explained in more details in the following slides.
Module 1 Page 35
Service Creation
Module 1 |
36
The slide shows the creating of an epipe service. The service is operationally down because it is not
completely configured.
Service ID identifies the service on the local router. A service must be created using a unique service ID.
Once a value is used for one service it cannot be used for another on that router.
Note: the vpn id is used to specify the VPN ID number, allowing you to identify virtual private networks
(VPNs) by a VPN ID. If this parameter is not specified, the VPN ID uses the same service ID number.
Values 1 2147483647
Default null (0)
Module 1 Page 36
*A:PE-1>config>service>epipe$ no shutdown
SAP
1/2/3
Service
Module 1 |
37
Module 1 Page 37
All SAPs must be explicitly created and are administratively enabled at the time of
creation there are no default SAPs
VLAN IDs have local port significance
A SAP can be configured with any of the following:
Ingress and egress filter policy
Ingress and egress QoS policy
Ingress and egress scheduler policy
Accounting policy
Module 1 |
38
Module 1 Page 38
SAP ID
A SAP is a local entity to the service router and is uniquely
identified by the following:
The physical Ethernet port or SONET/SDH or TDM port and channel
Module 1 |
39
The encapsulation identifier depends on the type of port used as the SAP. For example, if the SAP is an
Ethernet port, the encapsulation identifier can be a VLAN tag or a Q-in-Q tag. The encapsulation identifier
may be null in which case the SAP is simply the port.
The encapsulation type is an access property of a service Ethernet port or SONET/SDH or TDM channel.
The appropriate encapsulation type for the port or channel depends on whether it is required to support
multiple services on a single port/channel on the associated SAP, and the capabilities of the downstream
equipment connected to the port/channel. For example, a port can be tagged with IEEE 802.1Q
encapsulation, referred to as dot1Q encapsulation, in which each individual tag can be identified with a
service. A SAP is created on a given port or channel by identifying the service with a specific
encapsulation ID.
Depending on the encapsulation used, a physical port or POS channel can have more than one SAP
associated with it. Using dot1Q encapsulation or POS channels, the router can support either multiple
services for one customer, or one service for multiple customers.
SAPs cannot be created on ports designated as core-facing network ports bacause these ports have a
different set of features enabled in software.
Module 1 Page 39
Ethernet Encapsulations
Null supports a single service on the port
Dot1Q supports multiple services for one customer or multiple services
for multiple customers
Module 1 |
40
Null supports a single service on the port; for example, where a single customer with a single service customer
edge (CE) device is attached to the port, the encapsulation ID is always zero. For example: sap 1/1/3
Dot1Q supports multiple services for one customer or multiple services for multiple customers.
For example: the port is connected to a multi-tenant unit (MTU) device with multiple downstream customers.
The encapsulation ID used to distinguish an individual service is the VLAN ID in the IEEE 802.1Q header. For
example: sap 1/1/3:50
Q-in-Q The Q-in-Q encapsulation type adds an IEEE 802.1Q tag to the 802.1Q-tagged packets entering the
network in order to expand the VLAN space by tagging tagged packets.
For example: sap 1/1/3:10:100
On SONET ports the following encapsulation types are supported:
Internet Protocol Control Protocol (IPCP)
IPCP supports a single IP service on SONET/SDH for each port or for each channel.
This is typically used for router interconnection that uses point-to-point protocol (PPP).
SONET/SDH port
BCP-null is used for bridging a single service between two devices using PPP over SONET/SDH. The
encapsulation ID is always zero.
BCP-Dot1Q is used for bridging multiple services between two devices using PPP over SONET/SDH.
The encapsulation ID that is used to distinguish services is the VLAN ID in the IEEE 802.1Q header found in
the BCP-encapsulated frame.
Module 1 Page 40
Q-in-Q The Q-in-Q encapsulation type adds an IEEE 802.1Q tag to the
802.1Q-tagged packets entering the network to expand the VLAN space by
tagging tagged packets. This produces a double-tagged frame
SAP Configuration
Module 1 |
41
To be used as a SAP, a port must be configured as an access port. Ports are configured as network ports
by default.
Note: when the ports are configured as Ethernet access ports with dot1q encapsulation, they are
automatically changed to an MTU (maximum transmission unit) of 1518. This defines the maximum size of
frame that will be accepted for a service using this port as a SAP. By default the 7750 SR configures an
Ethernet access port to accept a standard-sized Ethernet frame. Since this port is configured for dot1q
encapsulation, the MTU is 1518. MTU consideration will be explained in detail in Module 2.
Many other encapsulation types are possible. These depend on the MDA type of the port and the type of
service being provisioned. SAP encapsulations are described in more detail in Module 2.
Module 1 Page 41
Local Service
Module 1 |
42
A service can be either local or distributed. A local service involves two SAPs and provides a connection
path between two sites. A local service provides a point-to-point logical connection from the customers
perspective.
Module 1 Page 42
Module 1 |
43
Module 1 Page 43
Module 1 |
44
As shown in the slide, the epipe service is up and the CE routers should be able to reach each other over
the Ethernet connection, as shown in the ping test below:
*A:CE-1> ping 192.168.1.2 count 1
PING 192.168.1.2 56 data bytes
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=4.45ms.
Module 1 Page 44
SDP binding is required to signal the service labels and define the
transport to the remote router
Module 1 |
45
A distributed service has components on multiple routers and uses the IP/MPLS network to connect the
service and deliver data.
Distributed service spans more than one router. It uses SDPs to direct traffic to another router; traffic is
transported by a transport tunnel through a service tunnel.
Module 1 Page 45
Distributed Service
SDPs are locally unique; the same SDP ID can be used on another router
An SDP is not specific to one service; many services can use the same SDP
Operations on an SDP will affect all services that are bound to that SDP
Module 1 |
46
A service distribution point (SDP) acts as a logical way to direct traffic from one router to another through
a unidirectional service tunnel. The SDP terminates at the far-end router, which directs packets to the
correct service egress SAPs on that device. A distributed service consists of a configuration with at least
one SAP on a local router, one SAP on a remote router, and an SDP binding the service to the service
tunnel.
An SDP has the following characteristics:
An SDP is locally unique to a router. The same SDP ID can appear on other routers.
An SDP uses the system IP address to identify the far-end edge router.
An SDP is not specific to any one service or type of service. Once an SDP is created, services are
bound to the SDP. An SDP can also have more than one service type associated with it.
All services mapped to an SDP use the same transport encapsulation type defined for the SDP
either GRE or MPLS.
An SDP is a management entity. Even though the SDP configuration and the services carried
within are independent, they are related objects. Operations on the SDP affect all the services
associated with the SDP. For example, the operational and administrative state of an SDP controls
the state of services bound to the SDP.
A return-path SDP is needed when a far-end device communicates with a local device. Each device must
have an SDP defined for every remote router that is receiving service. Before a distributed service can be
configured, SDPs must first be created.
Module 1 Page 46
Module 1 |
47
Module 1 Page 47
Module 1 |
48
Module 1 Page 48
GRE encapsulation:
Encapsulates traffic in an IP/GRE header, appears as an IP packet
Low control plane overhead
GRE uses normal IP routing to find a path
Module 1 |
49
MPLS Encapsulation
MPLS uses LDP or RSVP-TE for label signaling
LDP relies on an IGP to find its path
RSVP-TE requires manual configuration, path can be loose or strict, may reserve bandwidth, and
can use fast reroute to speed convergence after change
Module 1 Page 49
Module 1 |
50
Transport Tunnel
A transport tunnel is used by an SDP to direct traffic from one router to another.The diagram shows that
multiple services can use the same SDP.
Multi-router VPWS and VPLS traffic is transported using unidirectional service tunnels. Service tunnels
originate on an SDP on one router and terminate at a destination router. The destination router directs
packets to the correct service egress interfaces on that device. Service tunnels can be configured to use
either GRE or MPLS LSPs. Services that originate and terminate on the same router do not require
service tunnels or SDPs.
Module 1 Page 50
Module 1 |
51
Each SDP identifies the destination-system-ID as the far-end address, thereby specifying the targeted
LDP connection. The SDP ID is not transferred to the far-end system, therefore the SDP ID does not need
to match. Although it is not necessary for the SDP ID to be identical on opposite sides of the service
tunnel, it is suggested. Alternately, the SDP ID must be locally unique in each system. In addition, it is not
necessary that the service ID be identical on each system. By default, the service ID equals the VC ID.
In the diagram in this slide, Subscriber A has two sites which are being connected by a VPWS. This
VPWS provides a virtual point-to-point connection across any existing IP/MPLS network infrastructure,
while maintaining the appearance of a directly connected segment.
Module 1 Page 51
Module 1 |
52
Multiple services can be associated with the same SDP allowing subscribers to have access to multiple
sites across multiple platforms for multiple services.
In the diagram in this slide, Subscriber A has two sites while Subscriber B has three sites. In relation to
Subscriber A, Site 1 and Site 2 are connected by a point-to-point connection a VPWS. In the case of
Subscriber B, each site requires access to all three locations, which is more indicative of a VPLS offering.
Since services can be bound to multiple SDPs, the number of SDPs only needs to equal to the number of
connected neighbors, regardless of how many subscribers or services are being used.
Module 1 Page 52
Multiple Subscribers
Module 1 |
53
Multiple SAPs can be associated with a single service. In this way, a subscriber can have multiple access
points into a single service.
In the diagram in this slide, Subscriber B, Subscriber Site 1, Subscriber Site 2 and Subscriber Site 3 are
all interconnected; however, Subscriber Site 1 and Subscriber Site 2 have two SAPs each.
Module 1 Page 53
Module 1 |
54
Physical interfaces can be identified with multiple services based on the tag information. In the diagram
on this slide, two subscribers, A and B, are using the same physical port but are uniquely identified by their
tag ID. The tag ID is used to uniquely identify two separate SAPs connected to two separate services.
Module 1 Page 54
Module 1 |
55
Connection
Connectiontype
typeisisdependant
dependanton
onhow
how
the
service
is
defined.
the service is defined.
Module 1 Page 55
Module 1 |
56
Service Connectivity
Service Access Point (SAP)
The SAP is the customer access point to the service
The SAP is provisioned on access ports only; encapsulation must be specified
Service Distribution Point (SDP)
SDPs have a locally unique ID number
The SDP typically uses the system address of the far-end router
The SDP encapsulation type is GRE or MPLS
Service ID
The service ID is provisioned by the user to uniquely identify a service
It is suggested to have a globally unique value for each service
Virtual Circuit ID (VC ID)
The VC ID must be identical end-to-end
The VC ID is provisioned by the user by default and used by T-LDP to negotiate the service label in
Martini encapsulation
Using T-LDP, the egress and ingress service label that is provisioned or dynamically assigned
uniquely identifies the service to the tunnels far end
Module 1 Page 56
Module 1 Page 57
Module 1 |
58
Module 1 Page 58
Module 1 |
59
Module 1 Page 59
Module 1 |
60
The following slides demonstrate the provisioning steps using the network topology shown in this slide. In
this case, we will be using OSPF for the IGP and RSVP to set up our transport tunnels.
Module 1 Page 60
IGP Configuration
Network ports and system interface are added to IGP
*A:PE-1>config>router>ospf# info
---------------------------------------------area 0.0.0.0
interface "system"
exit
interface "to-PE2"
interface-type point-to-point
exit
exit
*A:PE-1>config>router# info
---------------------------------------------echo "IP Configuration"
#---------------------------------------------interface "system"
address 10.10.10.1/32
exit
interface "to-PE2"
address 10.1.2.1/27
port 1/1/1
exit
Module 1 |
61
Module 1 Page 61
Network Convergence
Routing table contains the system addresses
Module 1 |
62
===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix
Type
Proto
Age
Pref
Next Hop[Interface Name]
Metric
------------------------------------------------------------------------------10.1.2.0/27
Local
Local
13h45m55s
0
to-PE2
0
10.10.10.1/32
Local
Local
01d16h57m
0
system
0
10.10.10.2/32
Remote OSPF
13h28m51s
10
10.1.2.2
100
------------------------------------------------------------------------------No. of Routes: 3
===============================================================================
Module 1 Page 62
Enable MPLS
Module 1 |
63
Module 1 Page 63
If LDP is not enabled, the SDPs that are configured in the next step will not
become operational
===============================================================================
LDP Status for LSR ID 10.10.10.1
===============================================================================
Admin State
: Up
Oper State
: Up
Created at
: 01/30/2012 17:24:48 Up Time
: 0d 00:00:21
Oper Down Reason
: n/a
Oper Down Events
: 2
Last Change
: 02/01/2012 10:32:12 Tunn Down Damp Time : 3 sec
Module 1 |
64
LDP is disabled by default. If LDP is not enabled, the SDPs that are configured in the next step will not
become operational. When configuring SDPs, you are essentially setting up targeted-LDP sessions. The
LDP must be enabled on any PE participating in the service. One exception to that is when signaling is
intentionally disabled (static label mappings), but that is not a routine case. Another reason to shutdown
signaling may be if the network is only used for VPRN (which will be discussed later), as T-LDP is not
used in VPRN.
Module 1 Page 64
Module 1 |
65
A path can be created explicitly or dynamically. If explicit, the path can be loose or strict.
An LSP must be configured to use a specific predefined path. The path can be either a primary path or a
secondary path. Any number of secondary paths may be defined. If a primary path, once defined, goes
down, the secondary path will be used to reach the destination LSR. However, if the primary path is
inaccessible and no secondary path has been identified, then the LSP fails.
Note: a secondary path may be defined without a primary path. The LSP will use the secondary path in
absence of a primary path. One difference between a primary path and a secondary path is that once a
primary path becomes available, the router will ignore the secondary path in favor of the primary path.
However, the router will not ignore a secondary path in favor of another secondary path. Another
difference between a primary path and a secondary path is that a secondary path cannot have fast reroute
enabled.
Module 1 Page 65
[no] ldp
[no] lsp
: [1..17407]
: keywords - specify delivery mechanism
: keyword - mandatory while creating an entry.
- Enable/disable LDP-signaled LSP's
- Configure LSP to be used by SDP
Module 1 |
66
If you do not specify GRE or MPLS, the default encapsulation type is GRE.
Note: the tunnel is created when you specify the far-end IP address. In essence, you are creating the path
from Point A to Point B. When you configure a distributed service, you must identify a SDP ID.
Use the show service sdp command to display the qualifying SDPs.
Note: when specifying MPLS SDP parameters, you can only either specify an LSP or enable an LDP.
There cannot be two methods of transport in a single SDP. If an LSP name is specified then RSVP is used
for dynamic signaling within the LSP.
Module 1 Page 66
Configuring an SDP
Module 1 |
67
Configuring SDPs
Configuration involves creating, deleting or editing an SDP. An SDP is a logical mechanism that directs
traffic from one router to another through a unidirectional service tunnel. Each SDP represents a method
for reaching a service edge router.
An IP generic router encapsulation (GRE) tunnel is one type of tunnel encapsulation. GRE does not
specify a specific path to the service edge router. A GRE-based SDP uses the underlying IGP routing
table to find the best next hop to the far-end service edge router.
Another type of tunnel uses multiprotocol label switching (MPLS) encapsulation. A service supports both
signaled (LDP or RSVP-TE) and non-signaled label switched paths (LSPs) through the network. Nonsignaled static paths are defined at each hop through the network, while signaled paths are
communicated through protocol from end-to-end using resource reservation protocol (RSVP). Paths may
be manually configured or dynamically derived using the constrained shortest path first (CSPF) algorithm
and data from OSPF-TE or ISIS-TE traffic engineering databases (TED).
SDPs are created and bound to services, and many services may be bound to a single SDP. The
operational and administrative state of the SDP controls the state of the SDP binding to the service.
Module 1 Page 67
Module 1 |
68
Module 1 Page 68
interface "to-CE2"
address 192.168.2.1/27
port 1/1/3:50
no shutdown
exit all
Module 1 |
69
Module 1 Page 69
Service Configuration
Module 1 |
70
Configuration Tasks:
Module 1 Page 70
Once the service infrastructure has been configured, the distributed service
can be provisioned
Module 1 |
71
Once the service infrastructure has been configured, the distributed service can be provisioned.
Configuration of a distributed service is very similar to the local service. The difference is that an SDP
binding is required to signal the service labels and define the transport to the remote router. On the 7750
SR, the SDP binding is defined as a spoke or mesh binding. Mesh bindings are used only for VPLS
services. The difference between the two is described later in the course.
The SDP binding specifies both the SDP ID and the VC ID in the format spoke-sdp sdp-id:vc-id. This
identifies the transport tunnel and service tunnel for the pseudowire that is signaled by T-LDP.
Module 1 Page 71
Service Verification
Once the service is configured on the remote router with a matching VC ID,
a service label is signaled and the service is up as shown below:
*A:PE-1# show service id 50 base
===============================================================================
Service Basic Information
===============================================================================
Service Id
: 50
Vpn Id
: 0
Service Type
: Epipe
Name
: (Not Specified)
Description
: (Not Specified)
Customer Id
: 100
Last Status Change: 02/01/2012 11:28:39
Last Mgmt Change : 01/31/2012 21:05:55
Admin State
: Up
Oper State
: Up
MTU
: 1514
Vc Switching
: False
SAP Count
: 1
SDP Bind Count
: 1
Per Svc Hashing
: Disabled
Force QTag Fwd
: Disabled
------------------------------------------------------------------------------Service Access & Destination Points
------------------------------------------------------------------------------Identifier
Type
AdmMTU OprMTU Adm Opr
------------------------------------------------------------------------------sap:1/1/3:50
q-tag
1518
1518
Up
Up
sdp:2:50 S(10.10.10.2)
Spok
0
1556
Up
Up
===============================================================================
Module 1 |
72
Once the service infrastructure has been configured, the distributed service can be provisioned.
A pseudowire is bidirectional and is not operational until both ends are successfully signaled.
Module 1 Page 72
ttl=64
ttl=64
ttl=64
ttl=64
ttl=64
time=5.35ms.
time=2.20ms.
time=2.26ms.
time=2.19ms.
time=2.25ms.
Module 1 |
73
Once the service infrastructure has been configured, the distributed service can be provisioned.
Configuration of a distributed service is very similar to the local service. The difference is that an SDP
binding is required to signal the service labels and define the transport to the remote router. On the 7750
SR, the SDP binding is defined as a spoke or mesh binding. Mesh bindings are used only for VPLS
services. The difference between the two is described later in the course.
The SDP binding specifies both the SDP ID and the VC ID in the format spoke sdp sdp-id:vc-id. This
identifies the transport tunnel and service tunnel for the pseudowire that is signaled by T-LDP.
A pseudowire is bidirectional and is not operational until both ends are successfully signaled.
Module 1 Page 73
Module 1 |
74
Module 1 Page 74
Module Summary
Module 1 |
75
Module 1 Page 75
Both VPWS and VPLS can be defined as either local services or distributed
services
A SAP is where traffic enters and exits the service in relation to the customer
sites
A service is a globally unique, logical entity that provides connectivity
between SAPs; a service also provides a uniform, end-to-end configuration,
management and billing model for Layer 2 or Layer 3 service provisioning
Module 1 |
76
Module 1 Page 76
The following are transport tunnel encapsulation options: MPLS/RSVPTE, MPLS/LDP or IP/GRE
To provision a service, a customer ID must be associated with the
service when it is created
The following are SAP identifiers: physical Ethernet port or POS port and
channel, encapsulation type and encapsulation identifier
SDPs are locally unique and normally use the system IP address to
identify far-end destinations
Module 1 |
77
Module 1 Page 77
SDP is not specific to one service; many services can use the same SDP
Module 1 |
78
Module 1 Page 78
Module 1 |
79
Module 1 Page 79
Learning Assessment
1. List three advantages of VPWS from the customers perspective.
2. Which VPWS services are currently supported by Alcatel-Lucent?
3. Is the following statement true or false? Epipe service does not perform any
MAC learning.
Module 1 |
80
3. Verify whether the following statement is true or false: Epipe service does not perform any MAC
learning.
True
4. Verify whether the following statement is true or false: SAPs can be created on either access ports or
network ports.
False. SAPs must be created on access ports
5. In total, how many SDPs need to be created on a local epipe service?
None. A local service only needs SAPs. SDPs are used for distributed services.
6. Verify whether the following statement is true or false: A service ID must always be equal to the VC ID.
False. It is recommended to use the same service ID as VC ID, but not required.
Module 1 Page 80
______
a. Local significance
SDP ID
______
b. Global significance
VC ID
______
c. Point-to-point significance
Customer ID ______
8.
Fill in the blank: A SAP can only be configured on a port which has been
configured as an ____________ port.
9.
10. Verify whether the following statement is true or false: Service tunnels
are unidirectional.
11. Verify whether the following statement is true or false: A SAP can never
be associated with more than one service.
Alcatel-Lucent Services Architecture v 3.2
Module 1 |
81
SDP ID
VC ID
Service ID
Customer ID
8. Fill in the blank: A SAP can only be configured on a port which has been configured as an access port.
9. Fill in the blank: The default configuration for a port is network.
10.Verify whether the following statement is true or false: Service tunnels are unidirectional.
True
11. Verify whether the following statement is true or false: A SAP can never be associated with more than
one service.
True
Module 1 Page 81
Service ID ______
Configure IGP routing and LDP for the service provider network
Module 1 |
82
Module 1 Page 82
www.alcatel-lucent.com/src
3FL-30636-AAAA-ZZZZA Edition 01
Module 2 Page 1
Module Objectives
After successfully completing this module, you will be able to:
Examine the details of E-pipe configuration and verification
Module 2 |
This course is part of the Alcatel-Lucent Service Routing Certification (SRC) Program. Visit the AlcatelLucent web site at www.alcatel-lucent.com/src for more information on the SRC program.
To locate additional information related to the topics presented in this manual, refer to the following:
Technical Practices for the specific product
Internet Standards documentation such as protocol standards bodies, RFCs and IETF drafts
Technical support pages of the Alcatel-Lucent web site located at http://www.alcatellucent.com/support
This module defines and identifies the VPWS services implemented by Alcatel-Lucent. In this module, you
will be introduced to the process used by Alcatel-Lucent in the implementation of VPWS, including epipe,
apipe, fpipe and cpipe services. This module provides information on these Layer 2 point-to-point services
and how customer data is encapsulated and transported across a service providers IP or MPLS network.
Epipe, apipe, fpipe and cpipe are identified as completely transparent to the subscribers data and
protocols.
Module 2 Page 2
Section 1 Epipe
Module 2 Page 3
Section Objectives
After successfully completing this section, you will be able to:
Define the different types of VPWS available
Module 2 |
Module 2 Page 4
Module 2 |
Module 2 Page 5
Module 2 |
SAP encapsulation provides the router with a way of delineating services. Null means that there is only
one service on the port; the other encapsulations, such as dot1Q and Q-in-Q, indicate that there can be
multiple services on that port.
Ethernet Encapsulation
The following are three encapsulation types that are supported on Ethernet access ports:
Null supports a single service on the port and is used in situations where there is a single customer
edge (CE) device connected to the port. The encapsulation identifier (ID) is set to zero.
Dot1Q a single Q-tag (Qtag1) is used to delineate customer services. This tag can have a value
anywhere from 0 to 4096. All tags are local in relation to the port where the SAP is bound.
Q-in-Q up to two Qtags (Qtag1 and Qtag2) are used to delineate customer services. Each tag can
have a value anywhere from 0 to 4096. All tags are either local to the port where the SAP is bound, or the
inner label can be transported intact to the destination if the router is configured to do so.
Module 2 Page 6
Encapsulation type
VLAN tags
SAP syntax
null
port
Example - Port 1/1/1
dot1q
port:tag
Example - port 1/1/1:10
qinq
port:outer-tag.inner-tag
Example - port 1/1/1:10.100
Module 2 |
The Alcatel-Lucent 7750 SR implementation of an epipe is based on RFC 4448 (Encapsulation Methods
for Transport of Ethernet over MPLS Networks).
IEEE 802.1Q, or VLAN Tagging, is a networking standard written by the IEEE 802.1 workgroup. It allows
multiple-bridged networks to transparently share the same physical network link without leakage
of information between networks. IEEE 802.1Q also known as dot1q is commonly used to refer to
the encapsulation protocol used to implement this mechanism over Ethernet networks.
When a VLAN tag is specified as part of the encapsulation, it is considered to be service delimiting. This
means that the VLAN tag is used to determine which service the frame belongs to. For example, if a SAP
is created in a service as 1/1/1:10, all frames arriving at port 1/1/1 with VLAN tag 10 belong to the service.
All other frames do not.
Using service delimiting VLAN tags, multiple SAPs can be defined on a single port for different services.
Module 2 Page 7
Module 2 |
sap
- no sap <sap-id>
- sap <sap-id> [create] [no-endpoint]
- sap <sap-id> [create] endpoint <endpoint-name>
<sap-id>
: null
- <port-id|bundle-id|bpgrp-id|lag-id|aps-id>
dot1q
- <port-id|bundle-id|bpgrp-id|lag-id|aps-
qinq
- <port-id|bundle-id|bpgrp-id|lag-
id>:qtag1
id>:qtag1.qtag2
Module 2 Page 8
Dot1Q
On the 7750 SR, VLAN tags are stripped at the SAP ingress by default
Module 2 |
When service delimiting VLAN tags are used on the 7750 SR, they are stripped at the SAP ingress by
default. The FCS for the frame is also removed. All other fields of the customers frame are maintained.
The figure in the slide shows the encapsulation of data on the provider network as it is transmitted across
the epipe service. An Ethernet frame arrives at PE1. It has a VLAN tag with a value of 50. The VLAN tag
identifies the service that is intended to handle the frame and is stripped from the frame by router PE1
along with the FCS field. The rest of the frame, (header and data) is encapsulated with two MPLS labels.
This frame is then encapsulated in a Layer 2 frame for transmission to the next hop. The FCS in this case
is for the entire frame carrying the MPLS encapsulated data.
When the frame reaches the egress PE router (PE2), the MPLS labels are popped and the untagged
frame is transmitted on the SAP interface. A VLAN tag is added to the frame, depending on the
encapsulation ID on the SAP. In this example, the SAP on PE2 is 1/1/4:100, so the VLAN tag added to the
customer frame is 100.
Module 2 Page 9
Module 2 |
10
VLAN tags do not have to be service delimiting and can be passed transparently. Similar to the behavior in
null encapsulation, in a case where a SAP is defined as a dot1Q service, delimiting SAP and a Q-in-Q
frame is received at the port. If the outer tag matches the value in the SAP, it will be stripped and the
frame transmitted over the service with the inner tag transparently maintained. If the outer tag does not
match the SAP value, the frame is ignored by the service.
The default SAP can be used in a situation where it is desired to pass all customer VLAN tagged frames
transparently, but capture some specific traffic for another purpose.
The null SAP is used when it is desirable to capture untagged traffic in another service. Use of the null
SAP and default SAP are mutually exclusive on a port - if one is defined in a service the other cannot be
used.
Module 2 Page 10
VLAN tags are not stripped and are passed transparently on a default SAP
Module 2 |
11
The figure in the slide shows the encapsulation of data on the provider network as it is transmitted across
the epipe service. One Ethernet frame that has a VLAN tag value of 50 arrives at PE1. Since the
encapsulation on the SAP is default dot1q (1/1/4:*), the VLAN tag will not be stripped and will pass
transparently. The frame (header, VLAN tag, and data) is encapsulated with two MPLS labels. This frame
is then encapsulated in a Layer 2 frame for transmission to the next hop. When the frame reaches the
egress PE router (PE2), the MPLS labels are popped and the tagged frame is transmitted on the SAP
interface. Again, the SAP encapsulation is default dot1q, therefore the VLAN tag (50) is passed
transparently.
Another Ethernet frame that is untagged arrives at PE1. Since the encapsulation on the SAP is default
dot1q (1/1/4:*), the frame is accepted and will be encapsulated with two MPLS labels. This frame is then
encapsulated in a Layer 2 frame for transmission to the next hop. When the frame reaches the egress PE
router (PE2), the MPLS labels are popped and the untagged frame is transmitted on the SAP interface.
Again, the SAP encapsulation is default dot1q, therefore no VLAN tags will be added to the frame.
Module 2 Page 11
Module 2 |
12
For Q-in-Q encapsulated SAPs there is no default SAP. An encapsulation of port:*.* is not valid on the
7750 SR so there is no way to capture all combinations of Q-in-Q tagged frames, except to configure the
port for null or dot1Q encapsulation and use the dot1Q default SAP.
Wildcard SAP - SAP 1/1/3:10.* Will only match 10 as the top Q tag and may have any bottom tag or
no bottom tag at all.
Null SAP - SAP 1/1/3:0.* - Will allow any untagged frames and/or frames with an outer tag of 0 only.
If the outer tag is 10,for example, the frame will be dropped. However, if the outer tag is 0 and the inner
tag is 10, then the frame will not be dropped.
Null bottom SAP - SAP 1/1/3:10.0 Will only match 10 as the top Q tag and may have a bottom tag of 0
or no bottom tag at all.
Module 2 Page 12
Null SAP will pass untagged frames, frames with one VLAN tag of 0, or
double-tags where the outer VLAN tag is 0
Module 2 |
13
A VLAN tag received on a SAP port is considered service delimiting if it matches the encapsulation on the
SAP port. The figure in the slide shows the encapsulation of data on the customer network as it is
transmitted across the epipe service. Three frames arrive at a null SAP on PE1.
The first Ethernet frame is untagged; null SAP will accept the frame and the frame (header, data) is
encapsulated with two MPLS labels. This frame is then encapsulated in a Layer 2 frame for transmission
to the next hop. When the frame reaches the egress PE router (PE2), the MPLS labels are popped and
the untagged frame is transmitted on the SAP interface. The SAP encapsulation on PE2 is null, therefore
no tags are added and the frame is passed transparently.
The second frame has an outer VLAN tag of 0, and no inner VLAN tag. SAP 1/1/4:0.* will accept the frame
and service delimiting tag of 0 is stripped before the frame is encapsulated with the two MPLS labels. On
PE2 the frame will be passed transparently as in the first case.
The third frame has an outer tag of 0 and an inner tag of 10. The null SAP 1/1/4:0.* will accept the frame,
the service outer tag is stripped and the inner tag (10) is passed transparently. The frame (header, VLAN
tag 10, and data) will be encapsulated with the two MPLS labels. When the tagged frame reaches the PE2, the MPLS labels are popped and the tagged frame is transmitted on the null SAP interface. No other
VLAN tags will be added to the frame.
Module 2 Page 13
Ethertype Values
IEEE 802.1Q specifies a hex value of 0x8100 to be used in the Ethertype
field to indentify the frame as a tagged frame
On the 7750 SR, Ethertype can be configured as follows:
*A:PE-1# configure port 1/1/1
*A:PE-1>config>port# ethernet dot1q-etype ?
- no dot1q-etype
<0x0600..0xffff>
Module 2 |
14
IEEE 802.1Q specifies a hex value of 0x8100 to be used in the Ethertype field to indentify the frame as a
tagged frame. This value is also used for the Ethertype value in the inner VLAN tag for Q-in-Q
encapsulation. However, some older switches use proprietary Ethertype values to identify the VLAN tag. If
the 7750 SR in its default configuration receives a tagged frame with an Ethertype value other than
0x8100, it is simply treated as an untagged frame.
It is possible to configure the port on the 7750 SR to use a different Ethertype value to identify tagged
frames. A different value can be specified for either the outer tag (dot1Q Ethertype) or the inner tag (Q-inQ Ethertype), or both.
When the Ethertype value is changed, any frame with an Ethertype that does not match the configured
value is treated as an untagged frame.
Module 2 Page 14
- dot1q-etype <0x0600..0xffff>
Module 2 |
15
A fundamental characteristic of any Layer 2 technology is its MTU. When the pseudowire is established
with T-LDP signaling, an MTU is negotiated that must match at each end of the service.
In designing an IP/MPLS network, there are a number of entities where MTU must be considered. These
are:
Access port, or SAP MTU
Service MTU
SDP path MTU
Network port MTU
MTU is an important consideration in a Layer 2 service since oversized frames arriving at a Layer 2
interface are not fragmented, but simply discarded.
A Layer 3 service, such as a VPRN, will fragment oversized packets for transmission; however, this is an
expensive operation and generally undesirable. Thus MTU is an important issue in both Layer 2 and Layer
3 services.
Module 2 Page 15
Module 2 |
16
An Ethernet VPN service, such as an epipe or VPLS service, has a default service MTU of 1514 bytes.
This is the size required to carry a standard Ethernet frame - a 1500 byte payload and a 14 byte Data Link
Control (DLC) header with no FCS.
Layer 2 technologies do not support fragmentation. If an oversized frame is received at an Ethernet
interface, it is discarded. The router will compare the service MTU to the SAP MTU (port MTU) to ensure
that frames offered to SAPs from the service will not be discarded. If the SAP MTU is too small, the router
will signal the SAP to the operationally down state.
The service MTU also serves to limit the size of payload the service can process before discarding and
fragmenting for Layer 2 and Layer 3 services, respectively.
In a Layer 2 service, the SAP MTU must always be equal to or larger than the service MTU. Of course, if
the SAP MTU is larger than the service MTU, there is the risk that a frame will be dropped at ingress to
the service. SAP MTU is changed by changing the port MTU.
A dot1q encapsulated SAP has a default MTU of 1518, and the VLAN tag is removed before transmitting.
A Q-in-Q encapsulated SAP has a default MTU of 1522, and both VLAN tags are removed before
transmitting.
When using default values, the service MTU and SAP MTU are set to the appropriate values for a full-size
Ethernet frame.
Module 2 Page 16
Module 2 |
17
MTU problems arise when we have a configuration different from the regular default configuration. For
example, in a default dot1Q SAP, VLAN tags are not stripped at the SAP since they are not service
delimiting. The diagram shows a default dot1Q SAP for an epipe service.
The default SAP will accept a full-size frame of 1518 bytes (1500 byte payload), but since the VLAN tag is
not stripped from the customer frame, the service payload is 1518 bytes. A frame of this size exceeds the
service MTU of 1514 and the frame is dropped. Therefore, to carry a full-size Ethernet frame for the
default dot1Q SAP, we need a service MTU of 1518. to configure the service for this larger MTU, the
command PE1 # config>service>epipe# service-mtu 1518 is used. When increasing the service MTU
we must also consider the SDP path MTU which is discussed in the following slides.
A null encapsulated SAP behaves in the same manner as a dot1Q default SAP and has the same issue if
it receives VLAN tagged frames.
To configure a service MTU the command is
configure service <service type> <service id> service-mtu <octets>
<octets>
: [1..9194]
Module 2 Page 17
VC-MTU
Layer 2 services: service MTU is configured
VC-MTU = configured service MTU 14 (DLC header)
Module 2 |
18
The VC-MTU is derived from the configured service MTU (VC-MTU = configured service MTU 14
(Ethernet overhead, FCS not counted)). By default, epipe and VPLS services are configured with a service
MTU of 1514. By default, the signaled VC-MTU is 1500.
Layer 3 services have no service MTU configured. By default, there is also no SDP path MTU configured.
Whereas in Epipe and VPLS services the signaled VC-MTU = configured service-mtu 14 (ethernet), in
the case of a Layer 3 service, the signaled VC-MTU = configured IP-MTU.
VC-MTU of a Layer 3 interface can be configured by configuring the IP-MTU parameter under the Layer 3
service.
PE>config>service>vprn# interface toCustomerVPRN ip-mtu
- ip-mtu <octets>
- no ip-mtu
<octets>
: [512..9000]
Module 2 Page 18
Module 2 |
19
The diagram in the slide shows the relationship between network port, path, service and access port MTU.
The default value for the SDP path MTU on the 7750 SR is calculated on the ingress PE router by
subtracting the encapsulation overhead of the transport tunnel from the egress network port MTU.
Many different services may be bound to the same SDP. These services may have different service
MTUs, but they can never exceed the SDP path MTU.
Note: if the access port MTU is larger than the service MTU there is the risk that a frame will be dropped
at ingress to the service. Best practice is to keep the network MTU (and hence SDP MTU) to largest
possible values to accommodate many services then, if required, change the service specific MTU with
the service MTU setting in Layer 2 and ip-MTU in Layer 3.
Module 2 Page 19
Module 2 |
20
As an example, assume the SDP network port is a gigabit Ethernet port with an MTU of 9212 (default on
the 7750 SR), and the SDP uses MPLS encapsulation. The encapsulation overhead of the transport tunnel
is 14 bytes for the Ethernet header plus 8 bytes for the two MPLS labels. Therefore, the default path MTU
for the SDP is 9212 - 22 = 9190 bytes
If an SDP is defined with GRE for the transport tunnel, it uses a GRE header (4 bytes) and an IP header
(20 bytes) instead of the 4 byte MPLS transport label. The encapsulation overhead for a GRE tunnel on
the same Ethernet interface is 14 bytes for Ethernet header plus 20 bytes for IP header plus 4 bytes for
GRE header plus 4 bytes for service label = 42 bytes. The SDP path MTU for a GRE-encapsulated SDP is
9212 - 42 = 9170 bytes.
When calculating the required network port MTU, you must also consider any other factors that increase
the encapsulation overhead. For example, facility backup or LDP over RSVP each require an additional
MPLS label. If both are used together on the same LSP, this is an additional eight bytes of encapsulation
overhead.
Module 2 Page 20
Port Type
Mode
Encap Type
Default (Bytes)
Ethernet
access
null
1514
Ethernet
access
Dot1Q
1518
Ethernet
access
Q-in-Q
1522
Fast Ethernet
network
1514
Gigabit Ethernet
network
9212
Module 2 |
21
The default MTU value depends on the port or sub-port type, the
mode and the encapsulation, which are listed in the table below:
Module 2 Page 21
Configuring the SDP path MTU impacts a single SDP traversing any
port:
config>service>sdp# path-mtu
path mtu values can be: [1500..9194]
Module 2 |
22
A tool that is useful in determining the effective path MTU of an SDP is the command oam sdp-mtu,
which transmits increasingly large packets on the SDP. The OAM commands are described in more detail
later in the course.
For GRE tunnels, this value is set by the administrator; it is assumed that reality matches the config.
For signaled MPLS tunnels, the path MTU can be determined by the signaling exchange. This is
accomplished using the adspec command, which is configured under the router mpls lsp context.
RSVP defines the adspec object that can be used in the path message to collect information about the
path at each router, including MTU information. If adspec is configured on the LSP used as the transport
for the SDP, the SDP path MTU is derived from the path MTU signaled in RSVP using the ADSPEC
object. Negotiated MTU for the LSP is set to the smallest MTU value found on the path. If the path of the
RSVP changes, the MTU will change to reflect MTU on the new path.
Module 2 Page 22
The SDP between the PE routers uses RSVP-signaled LSPs for transport
Module 2 |
23
Module 2 Page 23
*A:PE-1>config>port# info
------------------------------ethernet
mode access
encap-type dot1q
exit
no shutdown
-------------------------------
Module 2 |
24
The configuration of the customer-facing port on PE1 (port 1/1/4) is shown, similar configuration exists on
PE2 for port 1/1/4.
Note: the network port MTU value is 9212 for the gig Ethernet port.
Since the encapsulation type used is dot1q, the MTU value for the SAP is 1514 + 4 (VLAN tag) = 1518
The configuration of the customer port facing the PE router on CE1 (port 1/1/3) is shown, similar
configuration exists on CE2 for port 1/1/3.
Module 2 Page 24
*A:PE-1>config>service# sdp 2
*A:PE-1>config>service>sdp# info
--------------------------------------------far-end 10.10.10.2
lsp "to-PE2"
keep-alive
shutdown
exit
no shutdown
---------------------------------------------
Module 2 |
25
Since the SDP network port is a gigabit Ethernet port with an MTU of 9212 (default on the 7750 SR) and
the SDP uses MPLS encapsulation, the default path MTU for the SDP is 9212 14 (transport tunnel
encapsulation overhead) 8 ( two MPLS labels) = 9190 bytes.
The sdp keep-alive option enables SDP connectivity monitoring keep-alive messages for the SDP ID.
Default state is disabled (shutdown) in which case the operational state of the SDP-ID is not affected by
the keep-alive message state.
Module 2 Page 25
*A:PE-1>config>router>mpls# info
----------------------------------interface "system"
exit
interface "to-P1"
exit
path "loose"
no shutdown
exit
lsp "to-PE2"
to 10.10.10.2
primary "loose"
exit
no shutdown
exit
no shutdown
-----------------------------------
*A:PE-1>config>service# info
----------------------------------------
epipe 50 customer 100 create
sap 1/1/4:50 create
exit
spoke-sdp 2:50 create
exit
no shutdown
exit
-----------------------------------------
Module 2 |
26
Since the service delimiting VLAN tag is used on PE1 (dot1q encapsulation), it is stripped at the SAP
ingress by default. Therefore the service MTU for the epipe will be 1514 bytes = 1500 bytes (payload) +
14 bytes DLC.
When an Ethernet frame arrives at PE1, it has a VLAN tag with a value of 50. The VLAN tag is stripped
from the frame by router PE1 along with the FCS field. The rest of the frame, (header and data) is
encapsulated with two MPLS labels. This frame is then encapsulated in a Layer 2 frame for transmission
to the next hop.
When the frame reaches the egress PE router (PE2 in this case), the MPLS labels are popped and the
untagged frame is transmitted on the SAP interface. A VLAN tag is added to the frame, depending on the
encapsulation ID on the SAP. In this example, the SAP on PE2 is 1/1/4:50, so the VLAN tag added to the
customer frame is 50.
This show service id base command displays basic information about the service ID including service
type, description, SAPs and SDPs; it is a useful command to use when summary information about a
service is required.
Syntax id: service-id base
Context: show>service
Description: Display information for a particular service-id.
Parameters: service-id the unique service identification number that identifies the service in the service
domain. Information such as the service type, admin and operational states can be determined using this
command. In addition, all of the relevant SAPs and SDPs that are bound to a service are displayed.
Module 2 Page 26
Module 2 |
27
When using default values, the service MTU and SAP MTU are set to the appropriate values for a full-size
Ethernet frame. The ping commands with specific packet sizes shown demonstrate that.
The size value specifies the size of the ping packet, but does not include the 20 bytes of the IP header or
the 8 bytes of the ICMP header. Thus a 1500 byte IP packet is created with a ping value of 1500 - 20 - 8 =
1472.
Note: the ping of size 1473 is not transmitted through the service, because the frame size is now 1473 +
20 + 8 + 14 = 1515, which is larger than the service MTU of 1514. If the IP header do not fragment flag is
not set, the packet is fragmented into smaller packets that will not exceed the configured MTU size. If the
do not fragment bit is set (as in this case), the packet is silently discarded at egress when it exceeds the
IP MTU.
Module 2 Page 27
*A:PE-1>config>service>epipe# info
-----------------------------------------service-mtu 1518
sap 1/1/4:50 create
exit
spoke-sdp 2:50 create
exit
no shutdown
------------------------------------------
*A:PE-2>config>service>epipe# info
-----------------------------------------service-mtu 1518
sap 1/1/4:50 create
exit
spoke-sdp 1:50 create
exit
no shutdown
------------------------------------------
Module 2 |
28
When the service MTU is changed on both PE routers, the entire service goes down because SAP-MTU
can not support the new service.
The SAP-MTU must be changed so that it can support the service MTU.
In this case, since the SAP is dot1Q encapsulated, it must be changed to 1522 (service MTU + 4 bytes
Dot1Q encap).
Note: if the MTU is increased on PE1 only, then the SDP binding will also be down. The service MTU is
used in the T-LDP signaling of the pseudowire and must match at both ends of the service. We increased
the MTU on both PE1 and PE2 and the path MTU is up.
Module 2 Page 28
Module 2 |
29
The SAP MTU is changed to 1522 (service MTU + 4 bytes Dot1Q encapsulation). The service is up.
Module 2 Page 29
Module 2 |
30
The calculation of SDP path MTU from the egress network port assumes that all ports on the SDP path
have an equal or greater MTU. When this is not the case, it may cause problems with services bound to
the SDP. We have changed the MTU on the network ports between P1 and P2 to 1514 bytes.
To support a service MTU of 9000, we need to increase the SAP MTU to 9004 since we are using dot1q
encapsulation.
The SDP path MTU is 9190, which is calculated as physical interface MTU - 14 bytes DLC (6 byte source
MAC + 6-byte dest MAC + 2 byte Ethertype) - 4 byte (MPLS transport label) - 4 byte (MPLS service label).
The service MTU is smaller than the SDP path of 9190, so the service is up.
Module 2 Page 30
Module 2 |
31
Although we can ping across the epipe, we find that it does not support anywhere near the size frame
expected with a service MTU of 9000 bytes. The maximum size ping is found to be 1450 bytes. The size
of the frame transmitted on the network port for this ping can be calculated as 1450 plus 28 byte IP/ICMP
header plus 14 byte payload Ethernet header plus 22 bytes transport encapsulation overhead = 1514
bytes. This is exactly as expected since the link MTU between PE1 and PE2 is 1514.
Module 2 Page 31
Module 2 |
32
The command oam sdp-mtu transmits increasingly large packets on the SDP. The slide shows the use of
this tool to determine the effective path MTU for SDP 2 of 1492 bytes. If we add the transport
encapsulation overhead of 22 bytes to this, we get a network port MTU of 1514.
Module 2 Page 32
To determine the effective path MTU of the SDP, the command oam
sdp-mtu is used
Epipe MTU Case Study SDP path-MTU - Verify Path MTU Using RSVP ADSPEC
If ADSPEC is configured on the LSP used as the transport for the SDP, the SDP pathMTU is derived from the path MTU signaled in RSVP using the ADSPEC object
Negotiated MTU for the LSP is set to the smallest MTU value found on the path
0
Record
1500
Enabled
Module 2 |
33
RSVP defines the ADSPEC object that can be used in the path message to collect information about the
path at each router, including MTU information.
Negotiated MTU for the LSP is set to the smallest MTU value found on the path. If the path of the RSVP
changes, the MTU will change to reflect MTU on the new path.
If ADSPEC is configured on the LSP used as the transport for the SDP, the SDP path MTU is derived from
the path MTU negotiated by RSVP-TE using the ADSPEC object. Notice that the LSP MTU is 1500 bytes.
The SDP path MTU is 8 bytes less to accommodate the two MPLS labels.
Module 2 Page 33
Epipe MTU Case Study SDP path MTU - Verify Path MTU Using RSVP ADSPEC
: Up
: None
: 131071
Oper State
Collect Stats
Egress Label
: Down
: Disabled
: 131069
:
:
:
:
:
:
Signaling
Force Vlan-Vc
Precedence
: TLDP
: Disabled
: 4
02/09/2012 18:53:18
02/09/2012 17:56:14
N/A
Down
PathMTUTooSmall
pwNotForwarding
Module 2 |
34
The service is down because the SDP path MTU is now less than the service MTU of 9000. The Flags
field is set to PathMTUTooSmall
The show service sdp detail command displays detailed information related to a particular SDP. This
SDP may or may not be bound to a service.
Syntax: sdp [sdp-id | far-end ip-address] [detail | keep-alive-history]
Context: show>service
Description: Displays SDP information. If no optional parameters are specified, a summary SDP output
for all SDPs is displayed.
Parameters: sdp-id the SDP ID associated with the displayed information
Default all SDPs
Values 1 - 17407
far-end ip-address: Displays only SDPs matching the specified far-end IP address
Default SDPs with any far-end IP address
Detail: Displays detailed SDP information
Default SDP summary output
keep-alive-history: Displays the last fifty keep-alive events for the SDP
Default: SDP summary output
Some of the important pieces of information that can be obtained from this command include the following:
SDP far-end IP address: This information is the system address of the far-end router where the SDP
terminates.
Delivery: This information indicates whether this SDP is a MPLS- or GRE-based SDP.
LSP Name: This information relates to the LSP associated with the SDP and their administrative and
operational states. This information applies if the SDP is a MPLS-based SDP and RSVP-TE is being used
as the MPLS signaling protocol.
The show service id sdp detail command displays information for the specific SDPs associated with a
particular service. In this case, we are displaying information about the SDP associated with the service
that has a service ID of 50.
Alcatel-Lucent Services Architecture v3.2
Module 2 Page 34
===============================================================================
Service Basic Information
===============================================================================
Service Id
: 50
Vpn Id
: 0
Service Type
: Epipe
Name
: (Not Specified)
Description
: (Not Specified)
Customer Id
: 100
Last Status Change: 02/09/2012 19:15:45
Last Mgmt Change : 02/09/2012 17:56:14
Admin State
: Up
Oper State
: Up
MTU
: 9000
Vc Switching
: False
SAP Count
: 1
SDP Bind Count
: 1
Per Svc Hashing
: Disabled
Force QTag Fwd
: Disabled
------------------------------------------------------------------------------Service Access & Destination Points
------------------------------------------------------------------------------Identifier
Type
AdmMTU OprMTU Adm Opr
------------------------------------------------------------------------------sap:1/1/4:50
q-tag
9004
9004
Up
Up
sdp:2:50 S(10.10.10.2)
Spok
0
9190
Up
Up
===============================================================================
Module 2 |
35
The service could be made operationally up by setting the service MTU to 1492; however, we want to be
able to support a service MTU of 9000 bytes. Changing the MTU on the link from P1 to P2 to 9212 will
make the service up again as shown.
The show service sap-using command displays information for a particular SAP that may be associated
with a service.
You can also verify the service is up using the following command
*A:PE-1# show service service-using epipe
===============================================================================
Services [epipe]
===============================================================================
ServiceId Type
Adm Opr CustomerId Service Name
------------------------------------------------------------------------------50
Epipe
Up
Up
100
------------------------------------------------------------------------------Matching Services : 1
-------------------------------------------------------------------------------
Another show command that displays the service tunnel labels that are being used by the service is
*A:PE-1# show service id 50 labels
===============================================================================
Martini Service Labels
===============================================================================
Svc Id
Sdp Binding
Type I.Lbl
E.Lbl
------------------------------------------------------------------------------50
2:50
Spok 131071
131071
-------------------------------------------------------------------------------
Module 2 Page 35
:
:
:
:
:
:
:
:
:
Up
None
131071
n/a
n/a
n/a
Not Preferred
0
02/09/2012 19:15:45
Oper State
Collect Stats
Egress Label
Egr Mac Fltr-Id
Egr IP Fltr-Id
Egr IPv6 Fltr-Id
Oper ControlWord
Oper BW(Kbps)
Signaling
Module 2 |
36
:
:
:
:
:
:
:
:
:
Up
Disabled
131071
n/a
n/a
n/a
False
0
TLDP
The command show service id all displays detailed information related to all aspects of the service.
Syntax id: service-id all
Context: show>service
Description: Displays information for a particular service ID
Parameters: service-id the unique service identification number that identifies the service in the service
domain.
Some of the important pieces of information that can be obtained using this command are as follows:
Administrative and operational states: This can help you to determine if the service is administratively
and operationally up.
SDP and VC ID information: The VC ID in the example in this slide is 50, and is associated with an SDP
ID of 2.
Ingress and egress labels: The ingress label, which is 131071 in this example, is the label that this router
has advertised to the adjacent router. The adjacent router will use the same label when sending data to
this router. The egress label, which is 131071 in this example, is the label that this router will use when
sending data to the adjacent router.
LSP Name: If this SDP is bound to a RSVP-TE-based LSP, then the name of the LSP is displayed.
If you want to delete an epipe service, perform the following steps prior to deleting it:
1. Shut down the SAP and SDP.
2. Delete the SAP and SDP.
3. Shut down the service.
You can shut down an epipe service without deleting the service parameters by using the shutdown
command.
Module 2 Page 36
Module 2 |
37
RFC 4448 defines the transport of Ethernet frames over an MPLS network and defines two VC types for
the Ethernet pseudowire: tagged mode and raw mode. The 7750 SR supports both, with raw mode the
default. The VC type is specified when the SDP is bound to the service and is signaled by T-LDP.
In raw mode, the service delimiting VLAN tag or tags are stripped at the ingress and are not carried across
the epipe. In tagged mode, a VLAN tag is carried in the frame. Tagged mode is supported on the 7750 SR
mainly for interoperability with systems that only support tagged mode.
If tagged mode is used, remember to add an additional 4 bytes when calculating the required service
MTU.
When type VLAN is specified and the SAP is defined with a service delimiting tag, this value is used for
the tag on the pseudowire. If there is no service delimiting tag, a tag with value of 0 is used.
The value for the tag can be configured to use a specific value.
Module 2 Page 37
VC Type Configuration
The epipe on PE1 is configured with type VLAN
*A:PE-1>config>service# epipe 50
*A:PE-1>config>service>epipe# spoke-sdp 2:50 shutdown
*A:PE-1>config>service>epipe# spoke-sdp 2:50 vc-type vlan create
*A:PE-1>config>service>epipe>spoke-sdp# vlan-vc-tag 150
*A:PE-1>config>service>epipe# spoke-sdp 2:50 no shutdown
*A:PE-1>config>service>epipe# info
---------------------------------------------service-mtu 9000
sap 1/1/4:50 create
exit
spoke-sdp 2:50 vc-type vlan create
vlan-vc-tag 150
exit
no shutdown
----------------------------------------------
Module 2 |
38
The slide shows the configuration of epipe 50 with type VLAN using a tag value of 150 on PE1. The other
end of the epipe (PE2) is still using type ether.
Module 2 Page 38
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
Up
None
131071
n/a
n/a
n/a
Not Preferred
0
02/10/2012 11:27:18
02/10/2012 11:27:57
N/A
Down
NoEgrVCLabel
None
None
Module 2 |
39
Oper State
Collect Stats
Egress Label
Egr Mac Fltr-Id
Egr IP Fltr-Id
Egr IPv6 Fltr-Id
Oper ControlWord
Oper BW(Kbps)
Signaling
Force Vlan-Vc
Precedence
:
:
:
:
:
:
:
:
:
:
:
Down
Disabled
0
n/a
n/a
n/a
False
0
TLDP
Disabled
4
T-LDP will not make a pseudowire operational unless the VC ID and VC type match. The Flags field
contains NoEgrVCLabel, which is an indication that there is no service at the other end.
Module 2 Page 39
===============================================================================
LDP LSR ID: 10.10.10.1
===============================================================================
Legend: U - Label In Use, N - Label Not In Use, W - Label Withdrawn
S - Status Signaled Up, D - Status Signaled Down
E - Epipe Service, V - VPLS Service, M - Mirror Service
A - Apipe Service, F - Fpipe Service, I - IES Service, R - VPRN service
P - Ipipe Service, WP - Label Withdraw Pending, C - Cpipe Service
TLV - (Type, Length: Value)
===============================================================================
LDP Service FEC 128 Bindings
===============================================================================
Type
VCId
SvcId
SDPId Peer
IngLbl EgrLbl LMTU RMTU
------------------------------------------------------------------------------E-Vlan 50
50
2
10.10.10.2
131071U
-8986 0
?-Eth 50
Ukwn
R. Src 10.10.10.2
-131071S 0
8986
------------------------------------------------------------------------------No. of VC Labels: 2
Module 2 |
40
The show router ldp bindings fec-type services command shows two different services with VC ID of
50 but different VC types.
Module 2 Page 40
Module 2 |
41
Module 2 Page 41
Module 2 |
42
After the remote router (PE-2) is configured as type VlAN, the service is operational
Module 2 Page 42
Module 2 |
43
The slide shows the different combinations of frame transmission possible for a null encapsulated SAP
with different egress encapsulations. The behavior of the default dot1Q SAP is the same.
Notice in the diagram above:
VLAN tags received on a customer SAP port are never considered by null SAPs to be service delimiting.
Therefore, ingress VLAN tags are passed transparently through the network from ingress SAP to egress
SAP. Since these tags are not considered to be service delimiting, in VC type VLAN mode, we will always
add a dummy tag with default VLAN ID = 0.
Note: on the egress SAP, the tags configured on the SAP always encapsulate the frame, including any
VLAN tag received.
Module 2 Page 43
Module 2 |
44
The slide shows the different combinations of frame transmission possible for a dot1Q encapsulated SAP
with different egress encapsulations.
An encapsulation of dot1Q with a service SAP of 0 accepts untagged traffic or traffic with VLAN ID=0.
This means that untagged Ethernet traffic or Ethernet traffic with VLAN ID=0 will be mapped on this SAP.
To determine the handling of VLAN tags received on a SAP ingress port, you must determine if the VLAN
are considered service delimiting. Service delimiting VLANs are also called provider VLANs. If the VLANs
are considered service delimiting tags, they may be sent on a VC type VLAN; however, they will be
stripped on the egress PE instead of being sent out the egress PE SAP.
A VLAN tag received on a SAP port is considered service delimiting if it matches the encapsulation on the
SAP port. For example, in case B2 the encapsulation used on the dot1Q port is :C. Therefore, the
encapsulation matches the VLAN ID received, hence the tag is considered service delimiting and will not
be seen on the SAP egress of the far-end PE. When a VC type Ether is used, service delimiting tags are
stripped rather than passed over. In the case of a VC type VLAN, a single service delimiting tag is sent
over the core but stripped at the far-end PE.
In case B3, the same procedure is used to determine which of the VLAN tags received are service
delimiting. In this case, the SAP is dot1Q encapsulated, therefore there can only be a single service
delimiting tag. The outer VLAN tag on the Ethernet frame received on the SAP is C, which matches the
SAP encapsulation. Therefore, the outer VLAN tag is considered service delimiting. If a tag received on a
SAP port is not service delimiting, as in case B2, if the VC type is Ether, the service delimiting tag C is
not passed through; if the VC type is VLAN, the service delimiting tag C is passed through but is not
seen on the egress SAP.
In the cases presented here, when the VC type is VLAN, the service delimiting VLAN ID is sent over. If a
VLAN-VC-tag is defined with a new VLAN-ID, it is this VLAN ID that will be sent as the service delimiting
VLAN over. In the default case, the VLAN-VC-tag is not defined and the service delimiting tag that
matches the SAP encapsulation tag is sent over the core.
Module 2 Page 44
Module 2 |
45
In the cases presented here, when the VC type is VLAN, the service delimiting VLAN ID is sent over. If a
VLAN-VC-tag is defined with a new VLAN-ID, it is this VLAN ID that will be sent as the service delimiting
VLAN. In the default case, the VLAN-VC-tag is not defined and the service delimiting tag that matches the
SAP encapsulation tag is used.
Module 2 Page 45
Module 2 |
46
There are many options for SAP encapsulations as well as two options for the VC type on an Ethernet
pseudowire.
An epipe can be configured with any combination of SAP encapsulation at each end; a null SAP on one
side and a Q-in-Q encapsulated SAP on the other side, for example.
Module 2 Page 46
SAP:*, allows untagged frames and tagged frames with any VLAN ID that
has not been explicitly defined on the port
Module 2 |
47
Examples:
When a SAP is defined with the 1/1/1:0, any untagged frames and/or frames with a tag of 0 are
accepted.
When a SAP is defined with a wild card (SAP 1/1/1:*), the default SAP will allow untagged frames and
tagged frames with any VLAN ID that has not been explicitly defined on port 1/1/1.
Module 2 Page 47
Module 2 |
48
Examples
SAP 1/1/1:0.* Will allow any untagged frames and/or frames with a top tag of 0 only.
SAP 1/1/1:10.* Will only match 10 as the top Q tag and may have any bottom tag or no bottom tag at
all.
SAP 1/1/1:10.0 Will only match 10 as the top Q tag and may have a bottom tag of 0 or no bottom tag
at all.
SAP 1/1/1:10.* and 1/1/1:10.0 Co-exist in the same service: traffic with a top tag of 10 will always be
learned from SAP 1/1/1:10.0
SAP 1/1/1:10.11 Will only match packets with an existing top and bottom tag, in this case the top tag is
10 and the bottom tag is 11.
Module 2 Page 48
SAP:top.* strips the top VLAN tag and preserves the bottom (MTU
implications)
Module 2 |
49
Module 2 Page 49
Module 2 Page 50
Section Objectives
After successfully completing this section, you will be able to:
Describe the main characteristics of fpipe service
Describe the main characteristics of apipe service
Module 2 |
51
In the previous section we described the epipe service in detail, and throughout this course most of the
attention to Layer 2 services is given to Ethernet. Other Layer 2 services supported by the Alcatel-Lucent
7750SR are also important. Although the trend in current network deployments is increasingly to Ethernet
for reasons of cost and performance, there is still a very significant demand for other technologies that
represent very significant revenues to service providers. These services can be deployed on an IP/MPLS
infrastructure that simultaneously provides a base for modern Ethernet and IP services. Layer 2 services
available besides Ethernet (epipe) are fpipe, apipe, cpipe and ipipe (ipipe will be covered in the next
section).
These services are all based on RFC 4447 (Pseudowire Setup and Maintenance Using LDP) and most of
the characteristics, configuration and maintenance that we describe for epipes apply to these services as
well. In this section we introduce each of these services, paying particular attention to any characteristics
that distinguish them from an epipe service.
Module 2 Page 51
Describe the two modes of operation supported on the AlcatelLucent 7750 SR for apipe
The control word is required for an fpipe because the Frame Relay header is
not carried with the encapsulated frame
Module 2 |
52
In the past, VPN markets were dominated by both Frame Relay and private lines, which dominated
approximately 90 percent of enterprise connections. The popularity of Frame Relay service over a private
line is based on the lower cost of Frame Relay as well as its ability to support large amounts of traffic.
However, growth in Frame Relay services is limited by its lower speed and the cost of multipoint solutions.
For service providers with established Frame Relay services, the MPLS network allows them to leverage
their existing infrastructure to enable new revenue opportunities. These new revenue opportunities are
created by blending technologies through service interworking in order to create a service hybrid. For the
enterprise that is seeking a gradual transition from a Frame Relay VPN to an Ethernet VPWS or who
wants to add a new site with Ethernet access while still maintaining Frame Relay at the other sites, a
service hybrid is ideal.
UNI: user network interface.
Frame Relay pseudowires are described in RFC 4619 (Encapsulation Methods for Transport of Frame
Relay Over MPLS Networks). The 7750 SR supports one-to-one mode for the mapping of a Frame Relay
DLCI (data link connection identifier) to a pseudowire. This means that a single Frame Relay circuit is
mapped to an fpipe service.
From the customers perspective, the PE router should appear as much as possible like a native Frame
Relay UNI (user network interface).
When a frame arrives at the fpipe SAP, the Frame Relay header and any padding are removed. The frame
is encapsulated with a service label and transport label as for any pseudowire service. The fpipe also uses
the MPLS control word, which is a 4-byte field directly following the service label. Specific values from the
Frame Relay header are copied into the control word.
The MPLS control word is an optional field in the RFC 4447 pseudowire encapsulation. It is not generally
used in an epipe, but is always present in the fpipe encapsulation.
The control word is required for an fpipe because the Frame Relay header is not carried with the
encapsulated frame. When the frame is received at the ingress SAP, specific bits are copied to the control
word. When the Frame Relay frame is reconstructed at the egress SAP these bits are copied to the
appropriate bit in the header.
Module 2 Page 52
Fpipe Service
Module 2 |
53
There is no Frame Relay MDA. Frame Relay encapsulation is supported on all MDAs that support POS
encapsulation.
Module 2 Page 53
The physical port or channel is a SONET port set for Frame Relay
framing
Apipe Service
Module 2 |
54
ATM pseudowires are described in RFC 4717 (Encapsulation Methods for Transport of ATM Over MPLS
Networks).
ATM VPWS (apipes) provide a point-to-point ATM service between users connected to 7750 SR routers
on an IP/MPLS network. Users are directly connected to either a 7750 SR PE or through an ATM access
network. In both cases, an ATM PVC (permanent virtual circuit) is configured on the 7750 SR PE; for
example, a virtual channel (VC) or a virtual path (VP) are configured on the 7750 SR PE. This feature
supports local cross-connection when users are attached to the same 7750 SR PE router. VPI/VCI
translation is supported in the ATM VPWS.
An ATM PVC is configured on the PE; the apipe appears as an ATM circuit to the customer.
Module 2 Page 54
Module 2 |
55
Two different modes of operation are supported on the Alcatel-Lucent 7750 SR for ATM apipes: the N:1
cell mode and AAL5 frame mode.
Module 2 Page 55
Module 2 |
56
N:1 cell mode provides a service that supports the transport of control, signaling and routing information
since cells arriving at the SAP are transparently carried over the apipe.
The figure shows a group of ATM cells encapsulated in N:1 cell mode.
An important characteristic of N:1 concatenation is that multiple cells can be encapsulated in a single
MPLS packet. The advantage of concatenation is more efficient bandwidth use, since the encapsulated
ATM cells are only 52 bytes each (The 5-byte ATM header is transported as 4 bytes, the Header Error
Check byte (HEC) is removed). The disadvantage is that the waiting required to complete an MPLS
packet increases the delay for the ATM connection.
The cell-concatenation command is used in the spoke SDP context to specify the concatenation
parameters for the pseudowire. The default is no cell concatenation.
Module 2 Page 56
AAL5 was defined for a best effort, connectionless packet service such as IP
Allows ATM AAL5 PDUs traveling on a particular ATM PVC across the network
to travel to another ATM PVC
Module 2 |
57
The AAL5 SDU (service delivery unit) is the payload that the service is intended to carry - in this case, the
IP packet. The SDU is encapsulated in an AAL5 PDU, which has no header but an 8-byte trailer, and is
padded so that the SDU + trailer + padding is an exact multiple of 48 bytes long. The AAL5 PDU is then
split into the necessary number of cells for transmission. This operation is known as segmentation and
reassembly (SAR).
Module 2 Page 57
Module 2 |
58
The AAL5 SDU (service delivery unit) is the payload that the service is intended to carry - in this case, the
IP packet. The SDU is encapsulated in an AAL5 PDU, which has no header but an 8-byte trailer, and is
padded so that the SDU + trailer + padding is an exact multiple of 48 bytes long. The AAL5 PDU is then
split into the necessary number of cells for transmission. This operation is known as segmentation and
reassembly (SAR).
When the apipe is defined as VC type atm-sdu, the PEs perform the SAR operation and only the AAL5
SDU is carried in the MPLS-encapsulated packet. This provides more efficient use of the bandwidth, since
the AAL5 overhead (padding and trailer) and the ATM cell headers are discarded.
The SAP defines a single PVC in the format port:pvi/pci.
As in the fpipe, the control word is also required for an apipe in AAL5 frame mode. The purpose is to carry
the information lost when the cell headers are stripped in the SAR process.
Module 2 Page 58
Module 2 |
59
The same provisioning steps used in the configuration of epipe also apply to apipe, with the exceptions
shown in the slide.
Module 2 Page 59
Cpipe Service
Module 2 |
60
Circuit Emulation Services (CES) VPWS or Cpipe, is a point-to-point VPN service emulating a TDM
leased line. Two PE routers connected to the customer sites through the local attachment circuit receive
native TDM traffic, perform both VPN (PW) and transport tunnel encapsulation, and finally send the traffic
through the packet-switched network to reach the remote site. The packet-switched network is PSN,
usually IP/MPLS.
Cpipes are an implementation of TDM pseudowires to transport T1 or E1 circuits. T-1 is a digital circuit
that uses the DS-1 (Digital Signaling level 1) signaling format to transmit voice/data over the PSTN
network at 1.544 Mbps. T-1 can carry up to 24 uncompressed digital channels of 64 Kbps (DS0) for voice
or data. E-1 is the European equivalent of the T-1, except E-1 carries information at the rate of 2.048
Mbps. E-1 is used to transmit 30 64Kbps digital channels (DS0) for voice or data calls, plus a 64Kbps
channel for signaling, and a 64Kbps channel for framing and maintenance.
Module 2 Page 60
Module 2 |
61
Module 2 Page 61
Module 2 |
62
Configuring a cpipe is similar to configuring an epipe or apipe, with the exception of the VC type and the
syntax used for the SAP.
Module 2 Page 62
Module 2 Page 63
Section Objectives
After successfully completing this section, you will be able to:
Identify the 7750 SR interworking capabilities provided with VPWS
Module 2 |
64
Module 2 Page 64
Interworking VPWS
ATM
Frame Relay
Ethernet
ATM
Apipe
Epipe (bridged)
Ipipe (routed)
Frame Relay
Fpipe
Epipe (bridged)
Ipipe (routed)
Ethernet
Epipe (bridged)
Ipipe (routed)
Epipe (bridged)
Ipipe (routed)
Epipe
Module 2 |
65
The Alcatel-Lucent VPWS offers network interworking for Ethernet, ATM and Frame Relay across a
common IP/MPLS network. The interworking capabilities of the VPWS allow different Layer 2 networks to
be connected together across an IP/MPLS core network.
The table in this slide lists the various interworking scenarios possible with ATM, Frame Relay and
Ethernet ports at either end of a pseudowire.
When IP traffic, encapsulated inside an Ethernet frame, needs to be transported by a bridge/router over
its ATM port to a bridge/router with an Ethernet port, bridged encapsulation is used. An epipe is required
to transport this type of traffic.
Routed encapsulation is used when native IP traffic is transported across a bridge/router with an ATM port
to a bridge/router with an Ethernet port. An ipipe is required to transport this type of traffic.
Module 2 Page 65
Module 2 |
66
On the Alcatel-Lucent 7750 SR, Frame Relay traffic can be transported over an ATM network to another
Frame Relay network on the other side through the use of an apipe. This is known as Frame Relay Forum
(FRF.5) Network Interworking.
It is configured on the 7750 SR by creating an apipe service that specifies interworking FRF.5 and a
Frame Relay SAP with a DLCI encapsulation ID. The port is configured for Frame Relay encapsulation.
The other end of the apipe has a regular ATM SAP with VPI/VCI encapsulation ID. The VC type of the
apipe must be atm-sdu
Module 2 Page 66
Epipe is used between the Ethernet user and the ATM-attached user or
Frame-Relay-attached user
Provides ATM and Frame Relay bridged encapsulation access to the epipe
service of an Alcatel-Lucent 7750 SR
Module 2 |
67
This slide provides an example of an Ethernet interworking VPWS. The Ethernet interworking VPWS
provides a point-to-point Ethernet VPWS between Frame-Relay-attached users, ATM-attached users and
Ethernet-attached users across an IP/MPLS packet-switched network. It effectively provides ATM and
Frame Relay bridged encapsulation termination on the existing Epipe service of the 7750SR.
The Frame Relay network must be sending and receiving Ethernet encapsulated frames as defined by
RFC 2427 (Multiprotocol Interconnect over Frame Relay). The ATM network must be sending and
receiving Ethernet encapsulated frames as defined by RFC 2684 (Multiprotocol Encapsulation over
AAL5). One side of the epipe has either a Frame Relay or ATM SAP, the other an Ethernet SAP. Any
VLAN tags in the encapsulated frames are passed transparently as they would be for a null SAP.
Module 2 Page 67
Module 2 |
68
Ipipe is a point-to-point Ethernet interworking VPWS that supports interconnection between hosts that are
attached to different point-to-point access circuits on either end of a pseudowire.
Ipipe supports interconnection between:
ATM - using RFC 2684 routed encapsulation.
Frame Relay - using RFC 2427 routed encapsulation.
point-to-point protocol (PPP) - using IPCP encapsulation as defined in RFC 1332
Ethernet - using null, dot1Q or Q-in-Q encapsulation
Cisco HDLC - routed encapsulation
The difference between Ethernet interworking VPWS and an IP interworking VPWS (ipipe) is that the
former supports bridged encapsulation and the latter supports routed encapsulation. Ipipes provide a
routed interworking service. We say routed because the encapsulated data are Layer 3 (IP) packets
instead of the Layer 2 frames. They are not truly routed, since the ipipe is a point-to-point service.
Ipipe is useful for network migration purposes; for example, in the interim step during ATM/Frame Relay
network to Ethernet network migration, where ATM/Frame Relay equipment uses routed IP encapsulation.
Module 2 Page 68
Module 2 |
69
The ipipe shown in the figure is configured with a Frame Relay SAP on PE1 and a dot1Q encapsulated
SAP configured on PE2. Both PE devices must also know the IP address of the local and remote CE
devices. On PE1, for example, the SAP is configured with the address of the local CE device, and the
spoke SDP is configured with the address of the remote CE. PE2 is configured in a similar manner. When
the service is brought up, PE 2 broadcasts an ARP request on the local LAN for the MAC address of the
CE device. The two PE routers are now able to exchange encapsulated IP packets over the ipipe between
the two CE devices.
Any protocol that runs over IP can also run over the ipipe. OSPF, RIP, BGP sessions can be established
between two CEs connected by an ipipe. IS-IS does not run over IP; we cannot establish IS-IS
adjacencies between the two CEs over an ipipe.
Module 2 Page 69
Module Summary
Alcatel-Lucent supports epipe, apipe, fpipe, cpipe and ipipe as
VPWS applications
Ethernet SAP encapsulation types are null, dot1q, and qinq
For null encapsulation, the service is delimited by the port
Module 2 |
70
Module 2 Page 70
Service MTU defines the maximum customer payload that can be carried in
a VPN service
The SDP path MTU defines the maximum payload size that can be carried by
a service using that SDP
Module 2 |
71
Module 2 Page 71
The Alcatel-Lucent VPWS offers network interworking for Ethernet, ATM and
Frame Relay across a common IP/MPLS network
Module 2 |
72
Module 2 Page 72
Learning Assessment
1. Which VPWS emulates a point-to-point TDM circuit?
2. What is the purpose of using a VLAN tag?
3. Verify whether the following statement is true or false: Multiple
SAPs can be defined on a single port for different services
5. What is the default service MTU value for an Ethernet VPN service
such as an epipe?
6. What is the relationship between the network port MTU and the SDP
path MTU?
7. What are the two modes of operation supported on Alcatel-Lucent
7750 SR for an apipe service?
Module 2 |
73
Module 2 Page 73
Module 2 |
74
3FL-30636-AAAA-ZZZZA Edition 01
www.alcatel-lucent.com/src
Module 3 Page 1
Module Objectives
After successfully completing this module, you will be able to:
Explain the operation of Virtual Private LAN Service (VPLS)
Module 3 |
Module 3 Page 2
Module 3 Page 3
Section Objectives
After successfully completing this section, you will be able to:
Define a VPLS and list its features
Explain the similarities and differences between epipe and VPLS
Module 3 |
Module 3 Page 4
Multiple VPLS services can be deployed using the same IP/MPLS core
Module 3 |
A VPLS is a multipoint Layer 2 service that allows multiple customer sites to be connected in a single
bridged domain contained within a provider-managed IP/MPLS network. Customer sites in the VPLS
appear to be on the same LAN, even if the sites are geographically-dispersed. VPLS characteristics are
described in RFC 4665 (Service Requirements for Layer 2 Provider-Provisioned Virtual Private Networks)
and RFC 4762 (Virtual Private LAN Service Using LDP Signaling)
VPLS is essentially an enhancement of the Ethernet pseudowire service, or Virtual Private Wire Service
(VPWS) to a multipoint service.
As discussed in Module 1, the advantages of a VPLS from the customers perspective are:
To the customer it appears as if all sites are connected to a single switched Ethernet network.
The VPLS is transparent to the customers data and higher layer protocols.
The VPLS can operate over a single local site or at multiple, geographically-dispersed sites.
The VPLS performs MAC learning so that frames are forwarded only across the required links in the
network.
The advantages of a VPLS for the service provider are:
Only the PE devices require configuration for the VPLS service.
There is a clear demarcation of functionality between the service provider and customer networks.
Scalability the provider can support thousands of customers per router.
Flexibility many different services for many different customers can be provided over a single core
IP/MPLS network.
The service provider can apply QoS, billing, ingress/egress traffic shaping and policing on a per service
basis
Module 3 Page 5
VPLS Overview
Differences:
The VPLS appears as a single switched LAN to the customer; the epipe appears as a
direct Ethernet connection
A VPLS performs MAC learning to build a forwarding database (FDB) containing the
addresses of customer-attached devices
Module 3 |
Module 3 Page 6
Similarities:
Module 3 |
VPLS 1 and VPLS 2 can use the same IP address ranges due to a VPN functionality provided with the
VPLS service.
Note: since VPLS is a Layer 2 service, the customer site router interfaces that connect to the VPLS must
belong to the same subnet. From the customers perspective, the routers are logically connected by a
Layer 2 Ethernet switch.
Module 3 Page 7
All PE routers in the VPLS are T-LDP peers and exchange labels for the service
The VC-ID configured for the service must match among targeted LDP peers
Customer frames are encapsulated with a service label and a transport label
The VPLS instance on each PE router is often referred to as a virtual switch (VS)
Module 3 |
For the transport of customer data, the VPLS acts as if it were a full mesh of epipes between all the PEs in
the service.
Note: there is only a single T-LDP session required between two routers to signal service labels,
regardless of the number of services that exist between them. For example, even if there were 100 VPLS
or epipe services between PE 1 and PE 2, only a single T-LDP session would exist. The T-LDP session is
used to negotiate service labels for all 100 services.
Note: if the VC IDs do not match point-to-point, the service label will not be present; therefore, the service
will not be accessible on the remote router.
The VPLS instance on each PE router is often referred to as a virtual switch (VS) since it emulates the
behavior of an Ethernet switch.
Module 3 Page 8
VPLS connects the customers multiple locations like a virtual Ethernet switch
All SAPs belong to the same broadcast domain in a VPLS, regardless of the VLAN tags
Module 3 |
The PE routers must support all classical Ethernet features, such as MAC learning, packet replication
and forwarding. The PE routers learn the source MAC addresses of the traffic arriving on their access and
network ports. From a functional point of view, this means that the PEs must implement a switch for each
VPLS instance; this is often called a virtual switch, or VS for short.
The VS functionality is implemented in the PE through a forwarding data base (FDB) for each VPLS
instance; this FDB is populated with all the learned MAC addresses. All traffic is switched based on MAC
addresses and forwarded between all participating PE routers using the LSP tunnels.
By default, packets with an unknown destination are replicated and forwarded on all LSPs to the PE
routers participating in that service. This is done until the target station responds and the MAC address is
learned by the PE routers associated with that service. Packet destinations may be unknown when, for
example, the destination MAC address has not been learned.
One significant difference between the VPLS and an Ethernet switch is that the VPLS joins any VLANs
used for service delimiting tags. On an Ethernet switch, VLAN tags create separate broadcast domains.
However, in a VPLS, all SAPs belong to the same broadcast domain, regardless of the VLAN tags. The
figure shows six different tag values that are used at the six different sites. Since service delimiting tags
are stripped at ingress, they are effectively invisible to the VPLS, and the VLANs are joined. If it is
desirable to maintain VLAN tags, the SAPs can be defined using a null encapsulation.
Module 3 Page 9
Module 3 |
10
Because a VPLS provides multipoint connectivity, traffic entering the service must be appropriately
replicated to the other locations. As in an Ethernet switch, known unicast traffic is sent only to the
destination. The figure shows an Ethernet frame arriving at PE4. The FDB on PE4 contains the destination
MAC address of the frame and thus can forward the encapsulated frame to PE3. The FDB on PE3 also
contains the destination MAC so PE3 forwards the frame out the appropriate SAP.
Module 3 Page 10
Mesh SDP floods frames received from a SAP or from a spoke SDP, but does not flood
frames received from another mesh SDP
Module 3 |
11
On an Ethernet switch, traffic to multicast, broadcast or unknown unicast addresses is flooded to all ports.
A VPLS also floods such traffic to all SAPs in the service.
When an SDP is bound to a service, it is bound as either a spoke SDP or a mesh SDP. The type of SDP
indicates how flooded traffic is transmitted.
All mesh SDPs bound to a service are logically treated as a single bridge port for flooded traffic; flooded
traffic received on any mesh SDP on the service is replicated to other ports (spoke SDPs and SAPs) and
is not transmitted on any mesh SDPs.
In the figure, PE3 forwards the frame it receives only to the SAPs and not on the SDP to PE1 or PE2. In a
basic VPLS such as this one, the SDP is bound to the service as a mesh SDP. In a VPWS, the SDP is
bound as a spoke SDP. The only difference between the two is their flooding behavior.
A basic VPLS is configured with a full mesh of mesh SDPs between all the PE routers in the service.
Module 3 Page 11
Module 3 |
12
A spoke SDP is treated as the equivalent of a traditional bridge port where flooded traffic received on the
spoke SDP is replicated on to all other ports and not transmitted on the port it was received from. Other
ports include other spoke SDPs and mesh SDPs or SAPs.
In the figure shown, the service is now configured with spoke SDPs between the routers. PE 4 forwards
the frame it received from the SAP to PE2 and PE3. PE3 forwards the frame it receives from PE1 to the
SAPs and on the SDP to PE1. PE2 also does the same; it forwards the frame to the SAPs and on the SDP
to PE1 resulting in unwanted and uncontrolled flooding of frames in the VPLS.
Mesh SDPs ensure that all PE devices receive the frame without looping or duplication of frames. In
section 3 we describe some specific situations where spoke SDPs are used in a VPLS.
Module 3 Page 12
Spoke SDP floods frames received from a SAP, spoke SDP or mesh
SDP
Module 3 |
13
The figure shows a VPLS service on one PE. It has two SAPs on the local PE and four SDPs that lead to
other PE devices. A frame received on one SAP and destined to a broadcast, multicast or unknown
address must be flooded through the VPLS. It is transmitted on the other SAP, the two mesh SDPs and
the two spoke SDPs. The frame is not transmitted on the port it was received from.
Module 3 Page 13
Module 3 |
14
The figure shows a frame received on a spoke SDP to be flooded through the VPLS, transmitted on both
SAPs, the other spoke SDP and both mesh SDPs
Module 3 Page 14
Module 3 |
15
The figure shows a frame received on a mesh SDP to be flooded through the VPLS, transmitted on both
SAPs, both spoke SDPs, but not the other mesh SDP
Module 3 Page 15
Module 3 |
16
The VPLS learns the MAC addresses of the customers attached devices in the same manner as an
Ethernet switch. The learned addresses are stored in a forwarding database (FDB) kept on each PE
device.
The PE maintains a separate FDB for every VPLS service configured on the router. The figure shows the
two FDBs maintained on PE1 for two different VPLS services.
Module 3 Page 16
Module 3 |
17
The figure shows the transmission of a customer frame across a VPLS to see how the PE routers learn
MAC addresses. When PE2 receives a frame from M2 destined to M1, it is flooded because M1 is an
unknown address. Afterwards, all PE routers in the VPLS have learned M2s address.
The step-by-step process is as follows:
M2 transmits a unicast Ethernet frame destined to M1 that is received at the SAP on PE-2.
PE-2 learns the location of M2 on the SAP from the source address in the received frame and updates
its FDB with M2s MAC address.
Because M1s address (the destination address) is unknown, PE-2 floods the frame to both SDPs in
the service.
PE-1 and PE-3 both receive the frame and learn the location of M2 as being on the SDP to PE-2 and
update their FDBs with M2s MAC address.
Since the destination address is unknown to PE-1 and PE-3, they both flood the frame out their local
SAPs. The frame arrives at the customer device, M1.
Module 3 Page 17
Once the frame arrives at M2, both PE1 and PE2 have learned M1s MAC address and
have it in their FDBs
Module 3 |
18
M1 next sends a frame to M2. Since M2 is now known in the FDB, the frame does not have to be flooded
and can be sent directly to PE2. Once the frame arrives at M2, both PE1 and PE-2 have learned M1s
MAC address and have it in their FDBs
The step-by-step process is as follows:
M1 transmits a frame with M2 as the destination. The frame arrives at the SAP on PE1.
PE1 has the MAC address for M2 in its FDB and knows to transmit the frame on the SDP to PE2. PE1
learns the location of M1 from the source address in the frame and updates its FDB.
PE2 has the MAC address for M2 in its FDB and knows to transmit the frame out the SAP. PE2 learns
the location of M1 from the source address in the frame and updates its FDB. The frame arrives at the
destination, M2.
After the transmission from M1 to M2, both PE1 and PE2 have an entry for M1 in their FDB. Since the
frame from M1 was not flooded in the VPLS, PE3 does not have M1 in its FDB. If it receives a frame
destined for M1 it will be flooded in the VPLS by PE3.
Note: if M2 is to send a frame to M1, the flow of the frame will be from M2 to PE2, PE2 to PE1, and PE1
will only send it over SAP 1/1/1 to M1. The frame will not be sent over SAP 1/1/2 as in the previous
slide.
Module 3 Page 18
Module 3 Page 19
Section Objectives
After successfully completing this section, you will be able to:
Identify the steps to configure a VPLS
Configure and verify a VPLS
Module 3 |
20
Module 3 Page 20
Infrastructure Configuration
Configure IP interfaces and an IGP for basic routing in the core
network
Configure MPLS interfaces and LSPs. Either LDP or a full mesh of
RSVP-TE LSPs between all PE routers is required
Module 3 |
21
As for any other VPN service, the following must be done before provisioning a VPLS service on the
Alcatel-Lucent 7750 SR:
IGP configuration - OSPF is used in this case study
IGP convergence (routing tables have system addresses)
Enable signaling of transport labels with LDP or RSVP
Enable LDP for dynamic signaling of service labels using T-LDP
Create path (if using RSVP) RSVP is used in this case study and a loose path is created
Create LSP and bind path (if using RSVP) full mesh of RSVP-TE LSP has been created
Create SDP and bind SDP to LSP (if using RSVP or select LDP)
Change customer-facing ports to access mode and change encapsulation as required Null
encapsulation is used here
Create VPLS service
Add SAPs to service
Add SDPs to service with VC ID
Module 3 Page 21
Module 3 |
22
*A:PE-1>config>router>ospf# info
---------------------------------------------traffic-engineering
area 0.0.0.0
interface "system"
exit
interface "to-PE2"
interface-type point-to-point
exit
interface "to-PE3"
interface-type point-to-point
exit
exit
----------------------------------------------
A single area OSPF with traffic engineering enabled is configured on the PE routers.
Module 3 Page 22
Module 3 |
23
A full mesh of RSVP-TE LSPs are configured on the PE routers. The configuration on PE1 is shown.
Module 3 Page 23
*A:PE-1>config>router>mpls# info
---------------------------------interface "system"
exit
interface "to-PE2"
exit
interface "to-PE3"
exit
path "loose"
no shutdown
exit
lsp "to-PE2"
to 10.10.10.2
primary "loose"
exit
no shutdown
exit
lsp "to-PE3"
to 10.10.10.3
primary "loose"
exit
no shutdown
exit
lsp "to-PE4"
to 10.10.10.4
primary "loose"
exit
no shutdown
exit
no shutdown
-------------------------------
SDPs Configuration
Module 3 |
24
*A:PE-1>config>service# info
-----------------------------------------customer 1 create
description "Default customer"
exit
customer 1000 create
description "VPLS_Customer"
exit
sdp 2 mpls create
far-end 10.10.10.2
lsp "to-PE2"
keep-alive
shutdown
exit
no shutdown
exit
sdp 3 mpls create
far-end 10.10.10.3
lsp "to-PE3"
keep-alive
shutdown
exit
no shutdown
exit
sdp 4 mpls create
far-end 10.10.10.4
lsp "to-PE4"
keep-alive
shutdown
exit
no shutdown
exit
Module 3 Page 24
VPLS Configuration
Steps to configure a VPLS Service:
Configure the customer-facing ports as access ports
Create the VPLS service on each of the PE routers
Add the appropriate customer-facing SAPs
Verify that the service is operationally up on all PEs
Verify connectivity through the service by pinging between the
customer devices
Module 3 |
25
At this point the infrastructure configuration for the IP/MPLS network is completed, and we are ready to
configure the VPLS service. The steps shown in the slides are required for a successful VPLS
configuration.
Note: it is possible to have VPLS topologies that don't have a full mesh; these topologies will be covered
in the following section.
Module 3 Page 25
*A:PE-1>config>service>vpls# info
-----------------------------------stp
shutdown
exit
mesh-sdp 2:1000 create
exit
mesh-sdp 3:1000 create
exit
mesh-sdp 4:1000 create
exit
no shutdown
Module 3 |
26
Notice that the customer facing ports on PE1 and PE2 have been configured as access ports with null
encapsulation. Any encapsulation supported for an epipe is possible in a VPLS. Recall that the port MTU
changes to 1514 when it is configured as an access port.
The creation of the VPLS and the binding of the SDPs to the service is shown on PE1. Similar
configuration is required on all participating PEs. The mesh SDPs are used to create a loop-free core for
the VPLS.
Unlike binding a spoke SDP to a service where we need to specify the VC-ID, when binding the mesh
SDP to the VPLS service, the VC-ID is not specified, by default it uses the def-mesh-vc-id as the VC-ID.
Since the def-mesh-vc-id is the service ID by default, so the VC-ID in this case will be equal to 1000. All
mesh SDPs within a single service will use the same VC-ID.
To change the default mesh VC ID, use the following command:
*A:PE-1>config>service# vpls 1000 def-mesh-vc-id
- def-mesh-vc-id <vc-id>
- no def-mesh-vc-id [<vc-id>]
<vc-id>
: [1..4294967295]
This might be required if there are two different VPLS service IDs configured that require a mesh SDP
between them.
Module 3 Page 26
Module 3 |
27
A full mesh of SDPs is required for the VPLS. The VPLS ID is the same in all four PEs. All mesh SDPs
use the same VC ID. A mesh SDP must be established in both directions before it becomes operational.
The configuration shown is on PE1 and PE2. The configuration PE3 and PE4 are similar as shown below:
*A:PE-3>config>service>vpls# info
*A:PE-4>config>service>vpls# info
------------------------------------- ------------------------------------stp
stp
shutdown
shutdown
exit
exit
exit
exit
exit
exit
exit
exit
no shutdown
no shutdown
Module 3 Page 27
Module 3 |
28
After the VPLS 1000 is configured on the other PE routers and the service is bound to the SDPs, the PEs
have signaled a label for VC-ID 1000, which creates an ingress and an egress service label binding.
A VC label will only be signaled when a service is bound to a SDP. For example, if we shutdown the mesh
SDP binding on PE-2 towards PE-1.
*A:PE-2>config>service>vpls# mesh-sdp 1 shutdown
We notice that PE-1 does not have an egress VC label, and the flag for the SDP shows NoEgrVCLabel
because there has been no label signaled by PE-2.
*A:PE-1# show service id 1000 sdp 2
===============================================================================
Service Destination Point (Sdp Id : 2)
===============================================================================
SdpId
Type IP address
Adm
Opr
I.Lbl
E.Lbl
------------------------------------------------------------------------------2:1000
Mesh 10.10.10.2
Up
Down
131068
0
===============================================================================
*A:PE-1# show service id 1000 sdp 2 detail
===============================================================================
Service Destination Point (Sdp Id : 2) Details
===============================================================================
Sdp Id 2:1000 -(10.10.10.2)
------------------------------------------------------------------------------Description
: (Not Specified)
SDP Id
: 2:1000
Type
: Mesh
VC Type
: Ether
VC Tag
: n/a
Admin Path MTU
: 0
Oper Path MTU
: 9190
Far End
: 10.10.10.2
Delivery
: MPLS
Ingress Label
: 131068
Egress Label
: 0
Flags
: NoEgrVCLabel
Alcatel-Lucent Services Architecture v3.2
Module 3 Page 28
*A:PE-1>config>service>vpls# info
---------------------------------stp
shutdown
exit
sap 1/1/4 create
exit
mesh-sdp 2:1000 create
exit
mesh-sdp 3:1000 create
exit
mesh-sdp 4:1000 create
exit
no shutdown
---------------------------------
*A:PE-2>config>service>vpls# info
---------------------------------------stp
shutdown
exit
sap 1/1/4 create
exit
mesh-sdp 1:1000 create
exit
mesh-sdp 3:1000 create
exit
mesh-sdp 4:1000 create
exit
no shutdown
---------------------------------------
Module 3 |
29
With null encapsulation there can only be one SAP ID associated with the port.
The slide shows that the customer-facing ports on PE1 and PE2 (port 1/1/4), which has been configured
as an access port, is now added to the service as sap 1/1/4.
Module 3 Page 29
Module 3 |
30
Once the service is configured on the other PE devices, the VPLS is operationally up.
Module 3 Page 30
time=7.20ms.
time=2.34ms.
time=2.88ms.
time=2.34ms.
time=2.32ms.
---- 192.168.1.2 PING Statistics ---5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.32ms, avg = 3.42ms, max = 7.20ms, stddev = 1.90ms
Module 3 |
31
Once the VPLS is up, we should be able to ping through the service from devices in the CE network.
Module 3 Page 31
Module 3 |
32
The ARP table for CE1 is shown. Each CE routers ARP table only dynamically learns ARP entries for the
far-end CE routers interface connected to the service. This is logical because the CE routers are not
aware of any details of the service providers network, rather, the CE routers appear to be directly
connected by a single Ethernet switch.
After the ping we see that PE1 has learned the MAC addresses for CE1 and CE2 and stored them in its
FDB. PE1 knows that it reaches one device through SAP 1/1/4 and the other through SDP 2. similarly,
PE2 knows that it reaches one device through SAP 1/1/4 and the other through SDP 1 as shown below:
*A:PE-2# show service fdb-mac
===============================================================================
Service Forwarding Database
===============================================================================
ServId
MAC
Source-Identifier
Type
Last Change
Age
------------------------------------------------------------------------------1000
60:24:01:01:00:03 sdp:1:1000
L/30
02/22/2012 14:29:03
1000
60:25:01:01:00:03 sap:1/1/4
L/30
02/22/2012 14:54:53
-------------------------------------------------------------------------------
When CE1 pings CE2 router interface 192.168.1.2, it first sends an ARP request to learn the destination
MAC address to use for the Ethernet frame. The ARP request has a broadcast destination MAC address,
and therefore PE1 floods it to all the mesh SDPs. When PE2 receives the ARP from the mesh SDP, it only
floods it to the SAP towards CE-2 because traffic received from one mesh SDP is not sent to another
mesh SDP binding. Because CE2 has an interface with address 192.168.1.2 it responds to the ARP
message.
After the ARP exchange, the MAC address of CE1 interface to PE1 and CE2 interface to PE2 are known
on PE1 and PE2, but not on PE3 or PE4.
From this point on, all communication between CE1 and CE2 is done using the SDPs and LSPs between
PE1 and PE2. PE3 and PE4 are not used for communication.
Module 3 Page 32
Module 3 |
33
PE3 and PE4 have only a single entry for the source MAC address for CE1 interface to PE1. This MAC
address was learned from the original ARP request broadcast by CE1 to find the MAC address of CE2
interface to PE2.
Module 3 Page 33
Traffic received from one mesh SDP is not sent to another meshSDP binding
Module 3 |
34
Module 3 Page 34
Module 3 Page 35
Section Objectives
Module 3 |
36
Module 3 Page 36
Module 3 |
37
A VPLS can span a single router or multiple routers. On a VPLS that spans a single router, subscriber
data is distributed through multiple service access points (SAPs) on the router. A VPLS on a single router
does not require a service distribution path (SDP).
On a VPLS that spans multiple sites, customer data enters the service using at least one SAP on each
router. Data is transported among the routers through service tunnels over an IP/MPLS provider core
network. Core VPLS networks are typically fully meshed using mesh SDPs, which means that there is an
SDP binding from every router to every other service-aware router. No Layer 2 loops are present.
So far, the VPLS topologies we have seen in the previous sections use fully meshed topology. This is a
simple and reliable approach to provisioning a VPLS. However, there are circumstances where other,
more complex topologies are preferred. These topologies are introduced in the following slides.
Module 3 Page 37
Module 3 |
38
A hub and spoke topology can be deployed when it is necessary to have traffic flowing through a central
location (hub). This might be to implement security policies or packet filtering, deep packet inspection or
some other constraint of the physical topology.
Broadcast traffic or traffic destined to unknown MAC addresses between PE B and PE C will flow as
follows:
When the traffic arrives on SAP 1/2/1 of PE B it will be flooded out of the spoke SDP towards PE A. PE A
will flood the traffic out of SAP 1/1/1 and the spoke SDP towards PE C. When the traffic arrives at PE C,
the traffic will be flooded out of 1/1/1. As the traffic traverses, the FDB will be populated based on the
source MAC address. There is no longer a requirement for an SDP between PE B and PE C because of
the flooding rules that apply to a spoke SDP. In the topology in this slide, PE B and PE C will associate all
remote MAC addresses with the spoke SDP going towards PE A. All traffic between PE B and PE C will
traverse PE A.
Note: if a spoke SDP was configured between PE B and PE C, there would be a loop on the VPLS
service. In this case, spanning tree has to be enabled. Spanning tree is covered in the Alcatel-Lucent
VPLS course.
Module 3 Page 38
Module 3 |
39
H-VPLS enables VPLS services to span multiple metro networks, as shown in the diagram in this slide.
This architecture minimizes the signaling overhead and avoids the use of a full mesh of tunnels and LSPs
between the two metro networks.
The scalability of a VPLS can be improved by joining together smaller meshed VPLSs with spoke SDPs.
The number of SDPs required for a fully meshed VPLS is n * (n - 1) , where n is the number of PE routers
participating in the service. Also, the addition of a new router in a fully meshed VPLS means that an SDP
must be configured on every router in the network to the new router.
The figure shows two metro networks that contain four fully meshed routers. If we join these two networks
using fully meshed VPLS, then we need 8*7 = 56 SDP. However, if we use spoke SDP to join them, then
we will only need 2* (3*4) = 24 SDPs plus another two spoke SDPs.
A spoke connection is used to connect each VPLS service between the two metros. In a simple scenario,
all of the VPLS services could be carried on a single tunnel LSP.
Frames from PE C within metro B destined for PE A of metro A will have three different service labels. It
will traverse a mesh SDP towards PE B, then follow the spoke SDP to metro A arriving at PE C. PE C will
then deliver the frame to PE A using a mesh SDP.
Module 3 Page 39
Module 3 |
40
Using a spoke SDP reduces the number of SDPs required and simplifies the addition of new routers.
Traffic to be terminated on a given VPLS service is identified by the VC label present in the service packet,
as if it was connected to another VPLS service spoke SDP.
Module 3 Page 40
The VC-ID of the spoke SDPs on the epipe service and the VPLS service must match
VC-ID (100) does not have to match the service ID of either the epipe or the VPLS
The service MTU of the VPLS and epipe service must match
Module 3 |
41
The VC-ID of the spoke SDPs on the epipe service and the VPLS service must match. Recall that the VCID has point-to-point significance. Also note that the VC-ID (100) does not have to match the service ID of
either the epipe or the VPLS as long as both ends are the same.
Module 3 Page 41
Module 3 |
42
Module 3 Page 42
Module 3 |
43
The epipe service on PE1 and the spoke SDP are operationally up.
Module 3 Page 43
Module 3 |
44
The VPLS on PE2 and spoke SDP bindings are operationally up.
Module 3 Page 44
ttl=64
ttl=64
ttl=64
ttl=64
ttl=64
time=6.62ms.
time=2.27ms.
time=2.25ms.
time=2.94ms.
time=2.28ms.
---- 192.168.1.2 PING Statistics ---5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.25ms, avg = 3.27ms, max = 6.62ms, stddev =
1.69ms
Module 3 |
45
Module 3 Page 45
Module 3 |
46
On PE2, the MAC address of CE2 is learned from SAP 1/1/4 and the MAC address of CE1 is learned from
an SDP binding. Note that it makes no difference whether the MAC is learned from a spoke terminating in
another VPLS or in an epipe. Both cases represent a simple pseudowire between the PE routers, and the
MAC is learned from the pseudowire.
A MAC FDB does not exist for the epipe service even when it is terminated on a VPLS. Traffic that enters
SAP 1/1/4 of the epipe is simply forwarded over the spoke SDP to PE2 and traffic received from the spoke
SDP is forwarded to the SAP and on to CE1.
Module 3 Page 46
Admin State
: Up
Oper State
: Down
MTU
: 1514
Module 3 |
47
In the configuration shown, we have changed the VC-ID of the spoke SDP of the epipe service to 50. The
VPLS spoke SDP VC-ID remains the same (100).
Note: the epipe service is now operationally down because of the VC-ID mismatch.
The error flag for the SDP shows NoEgrVCLabel.
*A:PE-1# show service id 50 sdp detail
===============================================================================
Services: Service Destination Points Details
===============================================================================
Sdp Id 2:50 -(10.10.10.2)
------------------------------------------------------------------------------Description
: (Not Specified)
SDP Id
: 2:50
Type
: Spoke
Spoke Descr
: (Not Specified)
VC Type
: Ether
VC Tag
: n/a
Admin Path MTU
: 0
Oper Path MTU
: 9190
Far End
: 10.10.10.2
Delivery
: MPLS
Hash Label
: Disabled
Admin State
: Up
Oper State
: Down
Acct. Pol
: None
Collect Stats
: Disabled
Ingress Label
: 131068
Egress Label
: 0
Module 3 Page 47
Module 3 |
48
The output shows that the VPLS service is still operationally up, however, the spoke SDP binding to the epipe service
is down.
The error flag for the SDP shows NoEgrVCLabel.
*A:PE-2# show service id 1000 sdp 1:100 detail
===============================================================================
Service Destination Point (Sdp Id : 1:100) Details
===============================================================================
Sdp Id 1:100
-(10.10.10.1)
------------------------------------------------------------------------------Description
SDP Id
Spoke Descr
: (Not Specified)
: 1:100
Type
: Spoke
: (Not Specified)
: (Not Specified)
VC Type
: Ether
VC Tag
: n/a
: 0
: 9190
Far End
: 10.10.10.1
Delivery
: MPLS
Hash Label
: Disabled
Admin State
: Up
Oper State
: Down
Acct. Pol
: None
Collect Stats
: Disabled
Ingress Label
: 131070
Egress Label
: 0
Signaling
: TLDP
Retries Left
: 3
Flags
: NoEgrVCLabel
Module 3 Page 48
Admin State
: Up
Oper State
: Down
MTU
: 1500
Module 3 |
49
In the configuration shown, we have changed the VC-ID of the spoke SDP of the epipe service back to 100, however
we have changed the service MTU to be 1500 bytes. The VPLS spoke SDP VC-ID and service MTU remain the
same.
Note: the epipe service is now operationally down because of the service MTU mismatch.
The error flag for the SDP shows ServiceMTUMismatch.
*A:PE-1# show service id 50 sdp 2 detail
===============================================================================
Service Destination Point (Sdp Id : 2) Details
===============================================================================
Sdp Id 2:100 -(10.10.10.2)
------------------------------------------------------------------------------Description
: (Not Specified)
SDP Id
: 2:100
Type
: Spoke
Spoke Descr
: (Not Specified)
VC Type
: Ether
VC Tag
: n/a
Admin Path MTU
: 0
Oper Path MTU
: 9190
Far End
: 10.10.10.2
Delivery
: MPLS
Hash Label
: Disabled
Admin State
Acct. Pol
Ingress Label
: Up
: None
: 131062
Oper State
Collect Stats
Egress Label
: Down
: Disabled
: 131068
:
:
:
:
:
:
Signaling
Force Vlan-Vc
Precedence
: TLDP
: Disabled
: 4
02/23/2012 13:42:05
02/23/2012 13:42:05
N/A
Down
ServiceMTUMismatch
pwNotForwarding
Module 3 Page 49
Module Summary
VPLS is a class of VPN that allows the connection of multiple
sites in a single-bridged domain over a provider-managed
IP/MPLS network
VPLS emulates a virtual Ethernet switch, in particular its MAC
learning and flooding behavior
Module 3 |
50
Module 3 Page 50
Module 3 |
51
Module 3 Page 51
Learning Assessment
1. How many SDPs must be configured for local VPLS?
2. What is the difference in behavior of an Ethernet switch
and a VPLS?
4. Verify whether the following statement is true or false:
Using spoke SDPs in a VPLS removes the requirement for a
full mesh of SDP bindings.
5. Which signaling protocol is used to create the following:
a. The inner label of a label stack in a VPLS application?
b. The outer label of a label stack in a VPLS application?
Module 3 |
52
Module 3 Page 52
Module 3 |
53
Module 3 Page 53
Module 3 |
54
3FL-30636-AAAA-ZZZZA Edition 01
www.alcatel-lucent.com/src
Module 4 Page 1
Module Objectives
After successfully completing this module, you will be able to:
Module 4 |
Module 4 Page 2
Module 4 Page 3
Section Objectives
After successfully completing this section, you will be able to:
Provide an overview of OAM tools
Module 4 |
Module 4 Page 4
OAM Overview
Delivery of services requires a number of operations to occur
properly and at different levels in the service delivery model
Module 4 |
Traditionally, ICMP ping has been commonly used to troubleshoot IP based networks. However, as an
MPLS core network has different behavior, ICMP ping will not be able to fully troubleshoot MPLS
networks. ICMP ping has some shortcomings, such as the inability to detect MPLS data plane failure if the
IP layer is working properly.
Proper delivery of services requires a number of operations to occur properly and at different levels in the
service delivery model. For example, operations such as the association of packets to a service, service
labels to a service and each service to a service tunnel must be performed properly in the forwarding
plane for the service to function properly. In order to verify that a service is operational, a set of in-band,
packet-based OAM tools is required, with the ability to test each of the individual packet operations.
For in-band testing, the OAM packets closely resemble customer packets to effectively test the customer's
forwarding path, but are distinguishable from customer packets so they are kept within the service
provider's network and not forwarded to the customer.
The 7750 SR OS suite of OAM diagnostics supplement the basic IP ping and traceroute operations with
diagnostics specialized for the different levels in the service delivery model. There are diagnostics for
MPLS LSPs, SDPs, Services and VPLS MACs within a service.
Module 4 Page 5
OAM Tools
OAM tools are useful in managing and troubleshooting a network
MPLS paths diagnostic tools:
Module 4 |
Operations, administration and maintenance (OAM) tools available in modern routers are useful to
manage and troubleshoot the network.
The OAM tools that will be covered in this section are:
lsp-ping and lsp-trace - These allow the network operator to diagnose and discover the condition of
MPLS paths in the network.
sdp-ping and sdp-mtu - These allow the network operator to diagnose and discover details about a
configured SDP, including path MTU.
svc-ping - This tools allows the network operator to diagnose a configured service and the SDP bindings
for the service at both the local and remote ends.
lsp-ping and lsp-trace are defined in RFC 4379 and can inter-operate with other vendors equipment.
sdp-ping and svc-ping are tools proprietary to the Alcatel-Lucent 7750 SR.
Module 4 Page 6
Module 4 |
The 7750SR LSP diagnostics are implementations of LSP ping and LSP traceroute based on RFC
4379, Detecting Multi-Protocol Label Switched (MPLS) Data Plane Failures.
When an LSP fails to deliver user traffic, the failure cannot always be detected by the MPLS control plane.
For the MPLS data plane verification, the IP data plane verification tools (ping and traceroute) are
extended to work on the MPLS networks. The lsp Ping/traceroute, modeled after the ping/traceroute
paradigm: ping is used for connectivity verifications, and traceroute is used for hop-by-hop
fault localization and path tracing.
LSP ping and LSP traceroute provide diagnostics and troubleshooting capabilities for MPLS LSPs. These
tools provide basic building blocks for the MPLS OAM capabilities. This enables verification of the MPLS
data plane consistency.
The basic idea behind lsp-ping and lsp-trace tests is to verify that packets that belong to a particular
Forwarding Equivalence Class (FEC) actually end their MPLS path on a label switching router (LSR) that
is an egress for that FEC. These tests are carried out by sending a packet (OAM or MPLS echo request
packet) along the same data path as other packets belonging to this FEC. An MPLS echo request also
carries information about the FEC whose MPLS path is being verified. This echo request is forwarded just
like any other packet belonging to that FEC. In "ping" mode (basic connectivity check), the packet should
reach the end of the path, at which point it is sent to the control plane of the egress LSR, which then
verifies whether it is indeed an egress for the FEC. In traceroute mode (fault isolation), the packet is sent
to the control plane of each transit LSR, which performs various checks that it is indeed a transit LSR for
this path; this LSR also returns further information that helps check the control plane against the data
plane. For example, that the forwarding matches what the routing protocols determined as the path.
Module 4 Page 7
The destination IP address of the MPLS echo request packet is defined as a 127.x.y.z/8 address
The 127.x.y.z/8 address prevents the IP packet from being IP switched to its destination if the LSP
is broken
LSP-ping/traceroute uses the same label stack as is used by the LSP, which causes the echo to be
switched inband of LSP
An MPLS echo reply is sent in response to an MPLS echo request. The reply is sent as an IP packet
and it may not take the same path used by the LSP
LSP-ping/traceroute only verifies the LSP paths in one direction; it does not verify the LSP return
path
Module 4 |
LSP ping needs to diagnose situations where the control and data planes are out of sync. It performs this by routing
an MPLS echo request packet based solely on its label stack. That is, the IP destination address is never used in a
forwarding decision. In fact, the sender of an MPLS echo request packet may not know, a priori, the address of the
router at the end of the LSP.
The MPLS echo request packet is sent to a target router through the use of the appropriate label stack associated
with the LSP to be validated. Use of the label stack causes the packet to be forwarded over the LSP itself.
For the LSP ping/trace packet to be treated as a control packet, the same label stack is used as is used by the LSP,
which causes the echo to be switched in-band of the LSP tested. The destination of the echo request is a 127.x.y.z/8
address and not the same as the one used for selecting the LSP.
Any router using the 127/8 address for forwarding (because of a broken LSP) punts the packet for local processing,
for example: the packet will not be forwarded naturally and is sent to the switch CPU for process switching. 127/8 also
forces the packet to be processed by the route processor (RP) at the egress router for a given LSP. The 127.x.y.z/8
address prevents the IP packet from being IP switched to its destination if the LSP is broken.
LSP Ping/traceroute uses the same label stack as is used by the LSP, which causes the echo to be switched in-band
of LSP.
An MPLS echo reply is sent in response to an MPLS echo request. The reply is sent as an IP packet and it is
forwarded using IP, MPLS, or a combination of both types of switching. The source address of the MPLS echo reply
packet is an address obtained from the router generating the echo reply. The destination address is the source
address of the router that originated the MPLS echo request packet.
An echo reply, which may or not be labeled, has the same outgoing interface IP address as the source. The
destination IP address and port are copied from the source address and port of the echo request. The echo reply can
thus take an MPLS or an IP path to return to the source router. LSP Ping/Traceroute verifies only the LSP paths in
one direction and not the LSP return path.
Module 4 Page 8
Module 4 |
The figure shows the network topology used to demonstrate the use of lsp-ping and lsp-trace. The default
metric in this network is 100 and the link between PE3 and PE4 has been set to 1000 to force traffic on a
specific LSP. The default port MTU is 9212, but this has been set to 1514 on the link between PE1 and
PE2.
Notice that Maximum Receivable Unit (MRU) is the biggest packet size that a router can receive and
forward downstream without fragmentation.
LDP is configured on all router
*A:PE-3# show router ldp peer
===============================================================================
LDP Peers
===============================================================================
Peer
Adm
Opr
Hello
Hold
KA
KA
Passive
Auto
Factor
Time
Factor
Timeout
Mode
Created
------------------------------------------------------------------------------10.10.10.1
Up
Up
45
40
Disabled
Yes
10.10.10.2
Up
Up
45
40
Disabled
Yes
10.10.10.4
Up
Up
45
40
Disabled
Yes
------------------------------------------------------------------------------No. of Peers: 3
Module 4 Page 9
---- LSP 10.10.10.4/32 PING Statistics ---1 packets sent, 1 packets received, 0.00% packet loss
round-trip min = 1.81ms, avg = 1.81ms, max = 1.81ms, stddev = 0.000ms
Module 4 |
10
The use of lsp-ping and lsp-trace is similar for RSVP-TE, although the LSP is specified by name. An LSP
is configured from PE3 to PE2 using a loose path, since the metric value on the link between PE3 and
PE4 is high, the path for this LSP will be via PE1 as shown below:
*A:PE-3# show router mpls lsp "to-PE2" path detail
===============================================================================
Oper MTU
: 1500
Neg MTU
: 1500
Adaptive
: Enabled
Oper Metric : 200
ExplicitHops:
No Hops Specified
Actual Hops :
10.1.3.3(10.10.10.3)
Record Label
: N/A
-> 10.1.3.1(10.10.10.1)
Record Label
: 131066
-> 10.1.2.2(10.10.10.2)
Record Label
: 131063
ResigEligib*: False
Module 4 Page 10
---- LSP to-PE2 PING Statistics ---1 packets sent, 1 packets received, 0.00% packet loss
round-trip min = 1.84ms, avg = 1.84ms, max = 1.84ms, stddev = 0.000ms
Module 4 |
11
lsp-ping can be used for measuring the round trip time for a specific forwarding class, or testing the path
MTU. The size of the MPLS payload can be specified as a parameter and used to determine the effective
MTU of the path.
In the above network, since the PE1-PE2 link has a port MTU of 1514, the maximum MPLS payload that
can be accommodated is 1496 bytes (1514 14 bytes Ethernet header 4 bytes MPLS label).
Note: if fast reroute is used then you need to consider another 4 bytes for that, therefore the MTU value
would be 1492 bytes
Module 4 Page 11
Module 4 |
12
sdp-ping performs in-band unidirectional or round-trip connectivity tests on SDPs. The SDP ping OAM
packets are sent in-band in the tunnel encapsulation, so they will follow the same path as traffic within the
service. The SDP ping response can be received out-of-band in the control plane, or in-band using the
data plane for a round-trip test.
A Unidirectional test requires egress SDP ID and tests ability to reach the far-end IP address of the SDP
within the SDP encapsulation. A bi-directional test requires a local egress SDP ID and a remote SDP ID
and tests the remote SDP encapsulation.
The path MTU discovery tool provides a powerful tool that enables the service provider to get the exact
MTU supported between the service ingress and service termination points (accurate to one byte).
Module 4 Page 12
Bi-directional sdp-ping
SDP-ping
Module 4 |
13
The figure shows a network topology with an SDP configured between PE3 and PE4. The SDP IDs at PE3
and PE4 are 4 and 3 respectively. The metric for the link between PE3 and PE4 has been set to 1000 to
force traffic on a specific LSP. The default port MTU is 9212, but this has been set to 1514 on the link
between PE1 and PE2.
Note: the SDP has a path MTU of 9190 (9212 14 4 4) even though the link between PE1 and PE2
has an MTU value of 1514. As described in Module 2, the path MTU is set based on the network port MTU
unless adspec is configured on the RSVP-TE LSP.
*A:PE-3# show router mpls lsp "to-PE4" path detail
Actual Hops :
10.1.3.3(10.10.10.3)
Record Label
: N/A
-> 10.1.3.1(10.10.10.1)
Record Label
: 131070
-> 10.1.2.2(10.10.10.2)
Record Label
: 131065
-> 10.2.4.4(10.10.10.4)
Record Label
: 131070
ResigEligib*: False
LastResignal: n/a
CSPF Metric : 0
===============================================================================
Module 4 Page 13
SDP-MTU
Module 4 |
14
The sdp-mtu command can be used to find the actual path MTU of the SDP as shown. The value of 1492
is as expected and is calculated as (1514 - 8 - 14 = 1492).
Note: the path MTU is 4 bytes less than the MTU discovered using lsp-ping in slide 11. This is because
lsp-ping uses only a single MPLS label, while sdp-mtu uses both the service and transport label.
Module 4 Page 14
SVC-ping
Provides end-to-end connectivity testing for an individual service
Service ping operates at a higher level than the SDP diagnostics
Module 4 |
15
svc-ping verifies the correct configuration of a service and can help verify any miss-configuration.
Service ping is initiated from a 7750 SR router to verify round-trip connectivity and delay to the far-end of
the service. Transport tunnels can run svc-ping on a continuous basis to monitor the health of the tunnel
and optionally notify the operator of a connectivity issue.
Module 4 Page 15
SVC-ping Parameters
The parameter local-sdp specifies that the ping should be sent to the far-end in-band
using the SDP
The parameter remote-sdp specifies that the return ping should be sent in-band
Module 4 |
16
The parameter local-sdp specifies that the ping should be sent to the far end in-band using the SDP, and
the parameter remote-sdp specifies that the return ping should be sent in-band.
If local-sdp / remote-sdp parameters are not specified the ping is sent out of band.
Module 4 Page 16
Example of svc-ping
This example specifies local-sdp, and the output shows that the SDP was not used by
the remote end
Err Info
Local
Remote
---------------------------------------------------Type:
EPIPE
EPIPE
Admin State:
Up
Up
Oper State:
Up
Up
Service-MTU:
1514
1514
Customer ID:
1
1
IP Interface State: Up
Actual IP Addr:
10.10.10.3
10.10.10.4
Expected Peer IP:
10.10.10.4
10.10.10.3
SDP Path Used:
Yes
No
SDP-ID:
4
3
Admin State:
Up
Up
Operative State:
Up
Up
Binding Admin State:Up
Up
Binding Oper State: Up
Up
Binding VC ID:
100
100
Binding Type:
Spoke
Spoke
Binding Vc-type:
Ether
Ether
Binding Vlan-vc-tag:N/A
N/A
Egress Label:
131062
131062
Ingress Label:
131062
131062
Egress Label Type: Signaled
Signaled
Ingress Label Type: Signaled
Signaled
Request Result: Sent - Reply Received
Module 4 |
17
The slide shows an example of svc-ping for the configured epipe 100. This example specifies local-sdp,
and the output shows that the SDP was not used by the remote end.
Module 4 Page 17
The local-sdp and the remote-sdp are specified, and the output shows that the SDP
was used by the remote end
The svc-ping output shows the service MTU as the configured value for the epipe
Err Info
Local
Remote
----------------------------------------------------Type:
EPIPE
EPIPE
Admin State:
Up
Up
Oper State:
Up
Up
Service-MTU:
1514
1514
Customer ID:
1
1
IP Interface State: Up
Actual IP Addr:
10.10.10.3
10.10.10.4
Expected Peer IP:
10.10.10.4
10.10.10.3
SDP Path Used:
Yes
Yes
SDP-ID:
4
3
Admin State:
Up
Up
Operative State:
Up
Up
Binding Admin State:Up
Up
Binding Oper State: Up
Up
Binding VC ID:
100
100
Binding Type:
Spoke
Spoke
Binding Vc-type:
Ether
Ether
Binding Vlan-vc-tag:N/A
N/A
Egress Label:
131062
Ingress Label:
131062
Egress Label Type: Signaled
Ingress Label Type: Signaled
Request Result: Sent - Reply Received
131062
131062
Signaled
Signaled
Module 4 |
18
The slide shows another example of svc-ping for the configured epipe 100. The localsdp and the remote-sdp are specified and the output shows that the SDP was used by
the remote end.
Note: the output shows the service MTU as the configured value for the epipe. There is
no verification by svc-ping that the service is actually able to transport a payload of this
size. The sdp-mtu command in slide 14 shows that the effective path MTU for this
service is actually 1492 bytes.
*A:PE-3# show service id 100 base
===============================================================================
Service Basic Information
===============================================================================
Service Id
: 100
Vpn Id
: 0
Service Type
: Epipe
Admin State
: Up
Oper State
: Up
MTU
: 1514
Module 4 Page 18
Module 4 |
19
Module 4 Page 19
Module 4 Page 20
Section Objectives
After successfully completing this section, you will be able to:
Describe mirroring service
Differentiate between local and distributed mirror service
Module 4 |
21
Module 4 Page 21
Module 4 |
22
When troubleshooting complex operational problems, customer packets can be examined as they traverse
the network. One way to accomplish this is with an overlay of network analyzers, together with skilled
technicians operating them to decode the data provided. This method of traffic-mirroring often requires
setting up complex filters in multiple switches and/or routers. At best, these switches and routers are only
able to mirror from one port to another on the same device.
Alcatel-Lucent mirroring service extends and integrates these capabilities into the network and provides
significant operational benefits. Each device can mirror packets from a specific service to any destination
point in the network, regardless of interface type or speed.
While some Layer 3 switches and routers can mirror on a per-port basis within the device, the AlcatelLucent 7750 SR provides a similar feature with much more powerful capabilities.
The mirror source can not only be a port, but other service entities such as a SAP, MPLS label, IP filter or
MAC filter.
The replicated traffic can not only be sent to a destination on the local switch, but also through an SDP to
a remote location.
Original packets are forwarded, while a copy is sent from the mirrored port to the mirroring (destination)
port.
Mirroring service allows an operator to see the actual traffic on a customers service with a sniffer sitting
in a central location. In many cases, this reduces the need for a separate, costly overlay sniffer network.
The mirrored frame size that is transmitted to the mirror destination can be explicitly configured using
slicing features. This enables mirroring only the parts needed for analysis. For example, only the headers
can be copied for analysis, protecting the integrity and security of customer data, or conversely, copying
the full packet, including customer data.
Module 4 Page 22
The mirror source and mirror destination are on the same device
The mirror service includes a SAP that identifies where the traffic is replicated
If a dot1Q encapsulation is used, the same physical port can be used for multiple
distinct service destinations
The mirror source can be a port, SAP, IP filter, MAC filter, or ingress label
Module 4 |
23
Mirror destinations can terminate on egress virtual ports, which allows multiple mirror destinations to send
to the same packet decode device, delimited by IEEE 802.1Q (Dot1q) tags. This is helpful when
troubleshooting a multi-port issue within the network.
Mirror sources can be ports in either access or network mode. On a 7750 SR Port, mirroring is supported
in the following combinations:
Port Type
Port Mode
faste/gige/xgige
access
dot1q, null
faste/gige/xgige
network
dot1q, null
Module 4 Page 23
A mirror source ID, which is the same as the mirror destination service
ID
At least one source type specified (port, SAP, IP filter, MAC filter, or
ingress label)
Module 4 |
24
The configure mirror mirror-dest command is used to specify where the mirrored traffic should be sent.
*A:PE-1# configure mirror mirror-dest
- mirror-dest <service-id> [create] [type <encap-type>]
- no mirror-dest <service-id>
<service-id>
<create>
<encap-type>
: ether|frame-relay|ppp|ip-only|atm-sdu|satop-e1|satopt1|cesopsn|cesopsn-cas
The debug mirror-source command is used as traffic selection criteria to identify traffic that is to be
mirrored at the source.
*A:PE-1# debug mirror-source
- mirror-source <service-id>
- no mirror-source <service-id>
<service-id>
Module 4 Page 24
The mirror source is configured on SAP 1/1/4 of the epipe to mirror both ingress and
egress traffic
Module 4 |
99
sap 1/1/4 ingress egress
no shutdown
exit
25
The diagram in this slide displays a sample configuration of a local mirror service where the source and destinations
are on the same device (PE1).
An epipe service is configured between PE1 and PE2, the mirror destination is configured on SAP 1/1/2, while the
mirror source is configured on SAP 1/1/4 of the epipe to mirror both ingress and egress traffic to the destination.
The service destination is created using the configure mirror mirror-dest <service-id> create command.
The mirror source is configured using the debug mirror-source command.
A packet sniffer is attached to port 1/1/2 of PE1. The mirrored traffic is transmitted on this port and received by the
sniffer.
When PE1 gets traffic from CE1, it sends it to PE-2 and replicates it out of SAP 1/1/2 towards the sniffer.
In this example, we configure a router with an IP filter on a local epipe SAP to emulate the sniffer. The filter captures
traffic sent to the IP address of the far end router. The filter configuration is shown later.
The epipe is operationally up as shown below:
*A:PE-1# show service id 50 base
===============================================================================
Service Basic Information
===============================================================================
Service Id
: 50
Vpn Id
: 0
Service Type
: Epipe
Admin State
: Up
Oper State
: Up
MTU
: 1514
Module 4 Page 25
Module 4 |
26
Module 4 Page 26
*A:Sniffer>config>filter# info
----------------------------------------log 111 create
destination memory 100
exit
ip-filter 11 create
entry 10 create
match
dst-ip 192.168.1.0/27
exit
log 111
action forward
exit
exit
-----------------------------------------
Module 4 |
*A:Sniffer>config>service>epipe# info
------------------------------------sap 1/1/1 create
exit
sap 1/1/2 create
ingress
filter ip 11
exit
exit
no shutdown
--------------------------------------
27
In this example, we are not using a conventional PC to function as a sniffer, instead we are configuring an
IP filter to replace the PC and act as a sniffer.
When the packets arrive at SAP 1/1/4 on PE1, they will be replicated to SAP 1/1/2. To examine these
packets, we need a network protocol analyzer or sniffer.
The slide shows the configuration of an IP filter on a local epipe 110 that is configured on the sniffer router.
The filter is configured to capture traffic sent to destination 192.168.1.0/27, forward it through the local
epipe 110, and log this information and store it the memory. The filter is applied at SAP 1/1/2 for the
ingress traffic.
Module 4 Page 27
ttl=64
ttl=64
ttl=64
ttl=64
ttl=64
time=2.52ms.
time=2.58ms.
time=2.47ms.
time=2.45ms.
time=2.50ms.
Module 4 |
28
If we ping the far-end CE router with a count of two, the packets are replicated and sent to the mirror
destination. This can be seen by viewing the filter log as shown. Because the packets are replicated, the
original packets are still forwarded through the epipe and a reply received. Both ingress and egress traffic
is mirrored so we see both the echo request and the echo reply.
*A:Sniffer>config>service>epipe# show filter log 111
===============================================================================
Filter Log
===============================================================================
Admin state : Enabled
Description : (Not Specified)
Destination : Memory
Wrap
: Enabled
------------------------------------------------------------------------------Maximum entries configured : 100
Number of entries logged
: 10
2012/03/02 17:06:12 Ip Filter: 11:10 Desc:
SAP: 1/1/2 Direction: Ingress Action: Forward
Src MAC: 60-24-01-01-00-03 Dst MAC: 60-25-01-01-00-03 EtherType: 0800
Src IP: 192.168.1.1 Dst IP: 192.168.1.2 Flags: 0 TOS: 00 TTL: 64
Protocol: ICMP Type: Echo Request Code: 0
2012/03/02 17:06:12 Ip Filter: 11:10 Desc:
SAP: 1/1/2 Direction: Ingress Action: Forward
Src MAC: 60-25-01-01-00-03 Dst MAC: 60-24-01-01-00-03 EtherType: 0800
Src IP: 192.168.1.2 Dst IP: 192.168.1.1 Flags: 0 TOS: 00 TTL: 64
Protocol: ICMP Type: Echo Reply Code: 0
2012/03/02 17:06:13 Ip Filter: 11:10 Desc:
SAP: 1/1/2 Direction: Ingress Action: Forward
Src MAC: 60-24-01-01-00-03 Dst MAC: 60-25-01-01-00-03 EtherType: 0800
Src IP: 192.168.1.1 Dst IP: 192.168.1.2 Flags: 0 TOS: 00 TTL: 64
Module 4 Page 28
The mirror source and mirror destination parameters must be configured using the
same mirror service ID
The router with the mirror source (PE2) has an SDP as the mirror destination
The mirrored traffic is encapsulated and sent to the far-end router (PE1)
The far-end router has a local mirror destination defined that accepts the packets
from the remote source
Module 4 |
29
Remote mirroring uses a service distribution path (SDP), which acts as a logical way of directing traffic
from one 7750 SR (PE2) to another (PE1) through a unidirectional service tunnel. The SDP terminates at
the far-end 7750 SR (PE1), which directs packets to the correct destination on that device.
The SDP configuration from the mirrored device to a far-end 7750SR requires a return-path SDP from the
far-end 7750 SR (PE1) back to the mirrored router (PE2). Each device must have an SDP defined for
every remote router to which it wants to provide mirroring services. SDPs must be created before services
can be configured.
Module 4 Page 29
Module 4 |
30
Module 4 Page 30
The mirror source is configured on SAP 1/1/4 to mirror both ingress and egress traffic
Module 4 |
31
The diagram in this slide displays a sample configuration of a remote mirror service where the source is
on PE2 and the destination is on PE1.
An epipe service is configured between PE1 and PE2, the mirror destination is configured on SAP 1/1/2
while the mirror source is configured on SAP 1/1/4 of the epipe to mirror both ingress and egress traffic to
the destination via the spoke SDP 1:999.
A packet sniffer is attached to port 1/1/2 of PE1. The mirrored traffic is transmitted on this port and
received by the sniffer. In this example, we configure a router with an IP filter on a local epipe SAP to
emulate the sniffer. The filter configuration is shown below.
*A:Sniffer>config>filter# info
----------------------------------------log 111 create
destination memory 100
exit
ip-filter 11 create
entry 10 create
match
dst-ip 192.168.1.0/27
exit
log 111
action forward
exit all
----------------------------------------*A:Sniffer>config>service>epipe# info
------------------------------------sap 1/1/1 create
exit
sap 1/1/2 create
ingress
filter ip 11
exit
exit
no shutdown
Module 4 Page 31
The mirror source is configured on SAP 1/1/4 to mirror both ingress and egress traffic
Module 4 |
32
For the spoke binding used for the mirror service to be operationally up, the far-end has to be configured
so there will be an egress label. The mirror destination configuration at the far- end of the tunnel (PE1) is
shown in the slide.
Once the remote mirror destination is configured on PE1, an egress label is signaled to PE2 using T-LDP
and the mirror service is up. There is no egress label signaled by PE2, since a mirror service really only
requires a one-way pseudowire.
Module 4 Page 32
The filter log is cleared and then ping packets are sent
Module 4 |
33
The mirror service is operationally up as shown below. When ping packets are sent between the CE
routers, the packets will be replicated and sent to the sniffer as shown in the slide. The slide shows that
we see packets on the sniffer router. There are only 10 in this case, 5 in each direction.
*A:PE-2# show service service-using mirror
===============================================================================
Services [mirror]
===============================================================================
ServiceId
Type
Adm
Opr
------------------------------------------------------------------------------999
Mirror
Up
Up
-------------------------------------------------------------------------------
Module 4 Page 33
Under the debug mirror-source context, define one or more entries to the
filter, which will identify matching traffic for mirroring
Module 4 |
34
The regular rules regarding filters still apply here; only one ingress and one egress filter are permitted, and
in each case either an IP filter or a MAC filter may be used, but not both. This example will use an IP filter.
The filter must be applied to a SAP or IP interface. If a filter is defined but not associated with a SAP or IP
interface, mirroring will not be enabled as there are no packets to mirror. In this example the filter is
applied to SAP 1/1/4 on PE2.
Simply having a filter applied to a SAP or IP interface does not cause mirroring; by default, none of the
packets matching any of the filter criteria are mirrored. The mirroring of packets must be explicitly defined
by identifying the entries to use for matching.
All packets are mirrored as they appear on the wire. Ingress packets are mirrored as they appear before
any ingress modifications. Egress packets are mirrored as they appear after all egress modifications and
encapsulations have been applied.
Note: an IP filter cannot be applied to a mirror destination SAP. No change is necessary to the
configuration of the mirror destination (compared with the previous example).
Module 4 Page 34
Module 4 |
35
In this example an IP filter is applied to SAP 1/1/4 on PE2. The IP filter specified only the destination IP
address of the ping (192.168.1.0/27)
Module 4 Page 35
Module 4 |
36
An entry to the filter is applied under the debug mirror source instead of the previously configured SAP
1/1/4. This entry identifies the matching traffic for mirroring.
We need to clear the filter log before we ping 192.168.1.1 from CE2 in order to verify the configurations.
After the filter log is cleared we can see that there are 0 entries logged.
*A:Sniffer# clear filter log 111
*A:Sniffer# show filter log 111
===============================================================================
Filter Log
===============================================================================
Admin state : Enabled
Description : (Not Specified)
Destination : Memory
Wrap
: Enabled
: 0
===============================================================================
Module 4 Page 36
Module 4 |
37
The slide shows that we see packets on the sniffer router. There are only five in this case (only two are
shown) since the IP filter for the mirror source specified only the destination IP address of the ping.
Module 4 Page 37
Mirror Slicing
Mirror service allows network operators to slice customer data, mirroring
only the parts they need to analyze
Allows only a specified number of bytes to be transmitted to the mirror
destination
Enables the copying of a specific packet size of each frame
Module 4 |
38
In traditional routers, replication of mirrored packets typically affected performance and needed to be used
with caution. Due to the duplication of some or all packets, the total amount of traffic within the network
would increase, possibly causing congestion in downstream links and routers.
The replication of packets is handled by the hardware on the IOM (Input/Output Module) and thus has
minimal impact on router performance. However, it is important to remember that mirroring involves the
duplication of traffic and thus increases the bandwidth required. If ingress and egress traffic on a 1 Gb/s
port is mirrored, this could represent as much as an additional 2 Gb/s of traffic to the mirror destination.
When a mirror destination is configured, the packet slice option can truncate mirrored packets to the
destination. This minimizes replication and tunneling overhead.
Slicing is useful for monitoring network usage without having to copy the actual data. Slicing enables you
to mirror frames larger than the destination-packet decode equipment can handle. It also enables the
conservation of mirroring resources by limiting the size of the stream of packets traveling through the SR
and the core network.
When a mirror slice size is defined, a threshold is created that truncates a mirrored frame to a specific
size. For example, if the value of 256 bytes is defined, up to the first 256 bytes of the frame are transmitted
to the mirror destination. The original frame is not affected by the truncation. Mirrored frames will most
likely be slightly larger due to encapsulation overhead, but no more than 256 bytes of the original packet
will be transmitted.
The transmission of a sliced or non-sliced frame is also dependent on the mirror destination SDP path
MTU and/or the mirror destination SAP physical MTU. Packets that require a larger MTU than the
mirroring destination supports are discarded if the defined slice size does not truncate the packet to an
acceptable size.
Module 4 Page 38
Module 4 |
39
*A:PE-2>config>mirror>mirror-dest# slice-size
- no slice-size
- slice-size <slice-size>
<slice-size>
: [128..9216]
Default: no slice-size mirrored packet truncation is disabled.
Parameters: bytes the number of bytes to which mirrored frames will be truncated; the value is
expressed as a decimal integer.
Values: 128 9216
This command enables mirrored frame truncation and specifies the maximum size, in bytes, of a mirrored frame that
can be transmitted to the mirror destination. It enables the mirroring of frames larger than the destination-packet
decode equipment can handle. It also allows conservation of mirroring resources by limiting the size of the packet
stream traveling through the router and the core network.
The actual capability of the 7750 SR to transmit a sliced or non-sliced frame is also dictated by the mirror destination
SDP path MTU and/or the mirror destination SAP physical MTU. Packets that require a larger MTU than the mirroring
destination can support are discarded if the defined slice size does not truncate the packet to an acceptable size. The
no form of the command disables mirrored packet truncation.
The slide shows the configuration of mirror slicing on PE2. Recall that epipe 50 service MTU is 1514, the maximum
payload that can be carried through the service is 1514-14 = 1500 bytes. The SDP MTU is 9190 as shown below.
*A:PE-2# show service id 50 base
===============================================================================
Service Id
: 50
Vpn Id
: 0
Service Type
: Epipe
MTU
: 1514
Module 4 Page 39
---- 192.168.1.1 PING Statistics ---1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 3.08ms, avg = 3.08ms, max = 3.08ms, stddev = 0.000ms
Module 4 |
40
To verify mirror slicing, we have cleared the filter IP (see below), therefore there are no packets captured.
Then we sent a ping from CE2 to CE1 with a size of 1200 byte, as shown in the slide (the size value
specifies the size of the ping packet; recall that the maximum size for a successful ping would be 1472
bytes). If we check the IP filter counter we see (as expected) there is only one packet that has been
matched on the ingress, and the size of that packet is 132 bytes - 4 bytes more than the 128 bytes
configured in the mirror slicing due to encapsulation overhead.
*A:Sniffer# clear filter ip 11
*A:Sniffer# show filter ip 11 counters
======================================================================
IP Filter
======================================================================
Filter Id
: 11
Applied
: Yes
Scope
: Template
Def. Action
: Drop
Radius Ins Pt: n/a
CrCtl. Ins Pt: n/a
Entries
: 1
Description : (Not Specified)
----------------------------------------------------------------------Filter Match Criteria : IP
----------------------------------------------------------------------Entry
: 10
Ing. Matches : 0 pkts
Egr. Matches : 0 pkts
Module 4 Page 40
OAM tools are provided in modern routers to help manage and troubleshoot
the network
Module 4 |
41
Module Summary
Module 4 Page 41
Mirror source is configured under the debug context, whereas the mirror
destination is configured under the config mirror context
Port
SAP
IP filter
MAC filter
Ingress label
Mirror slicing enables the copying of a specific packet size of each frame
Module 4 |
42
Module 4 Page 42
Learning Assessment
1. What are the OAM SDP diagnostic tools?
2. What is lsp-ping used for?
3. Why is the path MTU found using sdp-mtu 4 bytes less than the MTU
discovered using lsp-ping?
Module 4 |
43
Module 4 Page 43
10. Verify whether the following statement is true or false: With local
mirroring, the local mirror source and mirror destination components
must be configured using the same service ID.
Module 4 |
44
8. What happens to a mirror source when the corresponding mirror destination service ID is shut down?
The mirror source is put into an operational down mode.
9. Which command syntax is used to configure a mirror source? Which command syntax is used to
configure a mirror destination?
A mirror source uses the debug>mirror-source context, while the mirror destination uses the
config>mirror context.
10.Verify whether the following statement is true or false: With local mirroring, the local mirror source and
mirror destination components must be configured under the same service ID context.
True
Module 4 Page 44
Module 4 |
45
Module 4 Page 45
Module 4 |
46
Module 4 Page 46
Module 4 |
47
3FL-30636-AAAA-ZZZZA Edition 01
www.alcatel-lucent.com/src
Module 5 Page 1
Module Objectives
After successfully completing this module, you will be able to:
Provide an overview of IES and its features
Describe the operation and implementation of an IES
Describe the application of Layer 3 service spoke termination
to a Layer 2 service
Configure and verify an IES spoke termination to a VPLS
Module 5 |
Module 5 Page 2
Module 5 |
Module 5 Page 3
Module 5 Page 4
Section Objectives
Module 5 |
Module 5 Page 5
Module 5 |
Internet enhanced service (IES) is a routed connectivity service where the customer communicates
with an IP router interface to send and receive Internet traffic. An IES has one or more logical IP
routing interfaces, each with a SAP that acts as the access point to the customers network. IES
allows customer-facing IP interfaces to participate in the same routing instance used for service
network core routing connectivity.
From the customers perspective, it provides a direct connection to the Internet. Unlike other services
such as epipe, VPLS and VPRN, there is nothing virtual or private about an IES.
Module 5 Page 6
IES Characteristics
Multiple IES services are created to separate customer-owned IP interfaces
More than one IES service can be created for a single customer ID
Multiple interfaces can be configured in a single IES
Module 5 |
The Internet Enhanced Service (IES) is essentially a way of providing a Layer 3 interface to a
customer. It is similar to a normal Layer 3 interface, but treated as a service, with the port configured
as a SAP (SAPs support multiple encapsulation types such as Ethernet null, dot1Q, Q-in-Q.). This
provides more flexibility and also the ability to use all service-oriented capabilities of an access port
such as QoS, accounting and filtering. Like any IP interface, the customer can use the IES interface as
a neighbor for a routing protocol such as OSPF, IS-IS or BGP. The IES provides access to the service
providers core routing instance.
Since the traffic in an IES communicates using an IP interface for the core routing instance, there is no
need for the concept of tunneling traffic to a remote router. As such, a simple IES does not necessarily
require the configuration of any SDPs when configuring the service.
In the following section we will discuss how an IES can provide Layer 3 termination of a Layer 2 VPLS
service. In that case, a spoke SDP is used in conjunction with an IES.
Module 5 Page 7
Module 5 |
Module 5 Page 8
Module 5 |
An IES 100 is configured with two interfaces as shown. The customer CE router interfaces are
configured as shown below:
*A:CE1>config>router# info
#-------------------------------------------------echo "IP Configuration"
#-------------------------------------------------interface "IES_1"
address 192.168.100.1/27
port 1/1/3:1
exit
interface "IES_2"
address 192.168.200.1/27
port 1/1/3:2
exit
interface "system"
address 10.10.10.5/32
exit
#--------------------------------------------------
Module 5 Page 9
Module 5 |
10
The configured IES interfaces appear as regular Layer 3 interfaces in the base router instance. We
refer to the core routing instance on the Alcatel-Lucent 7750 SR as the base router instance.
Although the IES interface is similar to a standard IP interface, the SAP provides the QoS, accounting
and billing capabilities of a service interface. You can use the command show service id 100 sap
1/1/4:1 detail to see those details.
The same default SAP MTU rules that were covered for Layer 2 services apply to an IES. The SAP
MTU is based on the physical port to which it is bound. Access ports have a default MTU of 1514 if
their encapsulation type is null, 1518 if their encapsulation type is dot1Q, and 1522 if their
encapsulation type is Q-in-Q. Notice that the SAP MTU value is 1518 bytes, because we have used
dot1Q encapsulation.
Notice that when we use the command show service service-using ies there is another IES created;
it has a service ID of 2147483648. After release 8.0, service objects such as interfaces, SAPs and
related objects can be automatically created for internal use in IES or in configured VPRN services.
*A:PE-1# show service service-using ies
===============================================================================
Services [ies]
===============================================================================
ServiceId
Type
Adm
Opr
------------------------------------------------------------------------------100
IES
Up
Up
2147483648 IES
Up
Down 1
_tmnx_InternalIesService
------------------------------------------------------------------------------Matching Services : 2
Module 5 Page 10
IES Verification
*A:CE1>config>router>ospf# info
---------------------------------------------area 0.0.0.0
interface "IES_1"
interface-type point-to-point
mtu 1500
exit
interface "IES_2"
interface-type point-to-point
mtu 1500
exit
exit
----------------------------------------------
Module 5 |
11
In order for Customer A to have access to the provider core and exchange routes, OSPF is configured
between CE1 and PE1. The slide shows OSPF configuration on CE1.
Notice that the port MTU on the CE router must match the SAP MTU of the IES in order for the OSPF
adjacency to be established.
OSPF configuration on PE1 is shown below:
*A:PE-1>config>router>ospf# info
---------------------------------------------area 0.0.0.0
interface "system"
exit
interface "to-PE2"
interface-type point-to-point
exit
interface "to-PE3"
interface-type point-to-point
exit
interface "to-Site1"
interface-type point-to-point
exit
interface "to-Site2"
interface-type point-to-point
exit
exit
Module 5 Page 11
Module 5 |
12
The customer is able to receive the routes from the provider core and will be able to access the
Internet via the core network.
Module 5 Page 12
Module 5 |
13
The ping test shown verifies that the customer can reach destinations within the provider core. Since
the CE router system interface has not been advertised through the network (as shown in previous
slide for the OSPF configuration of the CE router), a source address needs to be specified in the ping
because the default behavior of the 7750 SR is to use the system interface as the source address of a
ping destined to a non-directly attached network.
The frame size generated by the ping with size 1472 bytes equals to 1518 bytes ( 1472 + 20 IP header
+ 8 ICMP header + 14 Layer 2 header + 4 VLAN tag). In this case, the ping is successful because the
frame size is less than the SAP MTU.
In the second ping test, the frame size equals 1519 bytes (ping size 1473), which is larger than the
SAP MTU; however, the ping is still successful. The reason is that Layer 3 service performs
fragmentation to accommodate larger packets.
In the third ping test, when the do-not-fragment option is added, the ping is not successful because
fragmentation is not performed. This results in a frame size larger than the SAP MTU.
Module 5 Page 13
---- 10.10.10.4 PING Statistics ---1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 2.99ms, avg = 2.99ms, max = 2.99ms, stddev = 0.000ms
Module 5 Page 14
Section Objectives
Highlight the MTU issues that can arise when configuring a Layer 3
service spoke termination to a Layer 2 VPN service
Module 5 |
15
Module 5 Page 15
Introduces the ability to connect the spoke SDP of a Layer 2 service with a Layer 3
service
See left diagram below: the spoke is tied to a Layer 2 Service (VPLS or epipe)
Module 5 |
16
Sometimes it is desirable to use a Layer 2 service, such as an epipe or a VPLS, to connect the
customer to the Layer 3 (IES or VPRN) interface. This is known as a spoke termination on an IES or
VPRN, respectively. This feature introduces the ability to cross-connect traffic entering on a spoke
SDP used for Layer 2 services to a Layer 3 service.
From a logical point of view, the spoke SDP entering on a network port is connected to the Layer 3
service as if it had entered through a service SAP. The main exception applies to traffic entering the
Layer 3 service through a spoke SDP; in this case, the traffic is handled based on network QoS
policies rather than access QoS policies.
This section will show the configuration details of spoke termination on an IES. Similar configuration
steps are used for spoke termination on VPRN.
The diagram shows a network where a spoke SDP is used to connect Layer 3 service to Layer 2
service. On the left, the spoke is tied to a VPLS or epipe service: no special or different configuration
is required. On the right, a Layer 3 (IES or VPRN) IP interface terminates the spoke-SDP.
As usual, one SDP may carry other services in addition to the IES or VPRN service.
Module 5 Page 16
See right diagram below: a Layer 3 (IES or VPRN) IP interface terminates the spoke
SDP
Traffic that has to be terminated on a given Layer 3 service is identified by the SDP
ID and VC label present in the service packet
A Layer 3 service can only terminate a spoke SDP, not a mesh SDP
Layer 2 and Layer 3 service MTUs must be equal
Module 5 |
17
Module 5 Page 17
*A:PE-2>config>service>vpls# info
---------------------------------------------stp
shutdown
exit
sap 1/1/4 create
exit
spoke-sdp 1:100 create
exit
mesh-sdp 3:1000 create
exit
mesh-sdp 4:1000 create
exit
no shutdown
----------------------------------------------
Module 5 |
18
In the network shown, the service provider is providing a VPLS to its customer that terminates on an
IES. This supplies a Layer 3 interface to the customer. The slide shows the IES configuration. Notice
that the spoke SDP connected to the service is included in the IES instead of a SAP.
*A:CE>config>router# info
------------------------------------echo "IP Configuration"
#-----------------------------------interface "system"
address 10.10.10.6/32
exit
interface "to-IES"
address 192.168.100.1/27
port 1/1/3
exit
-------------------------------------
Module 5 Page 18
Module 5 |
19
Module 5 Page 19
Admin ControlWord
Last Status Change
Last Mgmt Change
Class Fwding State
Flags
Peer Pw Bits
: Up
: None
: 131064
:
:
:
:
:
:
Oper State
Collect Stats
Egress Label
Not Preferred
Oper ControlWord
01/30/2012 16:55:09
Signaling
03/12/2012 11:43:42
Down
PWPeerFaultStatusBits ServiceMTUMismatch
pwNotForwarding
: Down
: Disabled
: 131062
: False
: TLDP
Module 5 |
20
We see that the spoke SDP is not operational with a flags value of ServiceMTUMismatch. This is
because the MTU signaled from the IES side is based on the network port MTU (network port MTU is
9212 by default), and the MTU signaled from the VPLS is based on the service MTU of the VPLS
which is 1514 by default. The pseudowire will not become operational if the MTUs are not the same.
show router ldp bindings fec-type services command shows the different MTU values signaled by
the two ends of the pseudowire.
The network port MTU is 9212 as shown below. The VC MTU will be equal to 9176 bytes ( 9212-14
port encapsulation 14 Ethernet header 4 transport label 4 service label).
*A:PE-1# show port 1/1/1
===============================================================================
Ethernet Interface
===============================================================================
Description
Interface
: 1/1/1
Oper Speed
Link-level
: Ethernet
Config Speed
: N/A
Admin State
: up
Oper Duplex
: full
Oper State
: up
Config Duplex
: N/A
Physical Link
: Yes
MTU
: 9212
: 1 Gbps
Module 5 Page 20
The spoke SDP binding only becomes operationally up if the VC-MTU (signaled using
T-LDP ) on both ends match.
Module 5 |
21
Module 5 Page 21
Module 5 |
22
SDP path-MTU = network port MTU 4 (transport label) 4 (VC-label) port encapsulation (14 in case
of null encapsulation, 18 in case of Dot1Q...)
VC-MTU = network port-MTU 14 SDP path-MTU
Module 5 Page 22
Module 5 |
23
Whereas in epipe and VPLS services the signaled VC-MTU = configured service-mtu 14 (Ethernet
header), in the case of an IES or VPRN service, the signaled VC-MTU = configured IP-MTU.
The following command is used to configure the ip-mtu:
*A:PE-1>config>service# ies 100 interface "To_VPLS_1000" ip-mtu
- ip-mtu <octets>
- no ip-mtu
<octets>
: [512..9000]
Another option to solve the MTU mismatch is changing the SPD path MTU. However, setting the SDP
path MTU may also impact other services running over that SDP.
A third option is to change the network port MTU. However, this option is also not recommended for
the following reasons:
It needs to be configured on the network ports of both routers.
It will impact all services over that port.
Module 5 Page 23
Module 5 |
24
Admin State
: Up
Oper State
: Up
MTU
: 1514
Def. Mesh VC Id
: 1000
SAP Count
: 1
SDP Bind Count
: 4
Snd Flush on Fail : Disabled
Host Conn Verify : Disabled
Propagate MacFlush: Disabled
Per Svc Hashing
: Disabled
Def. Gateway IP
: None
Def. Gateway MAC : None
------------------------------------------------------------------------------Service Access & Destination Points
------------------------------------------------------------------------------Identifier
Type
AdmMTU OprMTU Adm Opr
------------------------------------------------------------------------------sap:1/1/4
null
1514
1514
Up
Up
sdp:1:100 S(10.10.10.1)
Spok
0
9190
Up
Up
sdp:3:1000 M(10.10.10.3)
Mesh
0
9190
Up
Up
sdp:4:1000 M(10.10.10.4)
Mesh
0
9190
Up
Up
===============================================================================
Module 5 Page 24
Module 5 |
25
When traffic is sent from the CE router, it enters the SAP of the VPLS on PE2. Traffic is passed to
PE1 using the spoke SDP between PE2 and PE1. From PE1 traffic can be sent to other routers as an
IP packet using the IGP.
The ARP table of the CE router has one dynamically learned entry for the gateway address. However,
because the gateway address is an IES interface on a spoke SDP, the MAC address supplied to the
CE router is the chassis MAC of PE1.
The VPLS learns two MAC addresses. The first address is the MAC of the CE router, which it learns
from the SAP. The second MAC address is PE1 chassis MAC address for the IES interface.
*A:PE-1# show chassis
===============================================================================
Chassis Information
===============================================================================
Name
: PE-1
Module 5 Page 25
interface
Module 5 |
26
Module 5 Page 26
Module 5 |
27
Module 5 Page 27
Module 5 Page 28
Section Objectives
Module 5 |
29
Module 5 Page 29
VPRN
Module 5 |
30
VPRN service allows multiple customer sites to communicate securely at the IP level over a
provider-managed MPLS network. As shown in the slide, a single provider-managed IP/MPLS
infrastructure permits the deployment of multiple, distinct customer-routed networks that are
fully isolated from each other.
Although VPRNs are known by many names, they all have the same definition: a Layer 3 routed
service across a provider-managed IP/MPLS core.
Other names commonly used to define VPRNs include: Layer 3 Backbone VPNs, Layer 3 MPLS-based
VPNs, MPLS-based IP-VPNs, or Border Gateway Protocol (BGP)/MPLS-based VPNs (according to the
standard RFC 2547bis, which is co-authored by Alcatel-Lucent).
RFC 2547bis is an extension of the original RFC 2547, which details a method of distributing routing
information and forwarding data to provide a Layer 3 virtual private network (VPN) service to endcustomers.
Although RFC 2547bis has long been quoted as an industry standard and is used in common
terminology to define this class of VPN, this RFC has since been made obsolete by RFC 4364.
Module 5 Page 30
Network Model
Advantages:
Customers perspective: each site is connected to a routed network
administered by the service provider that appears to be solely dedicated
to the customer
Module 5 |
31
A VPRN is the Alcatel-Lucent service implementation of a MPLS Layer 3 VPN. RFC 4364 describes a
method of a Layer 3 VPN service that provides the following functions to the customer:
Distributing the customers routing information between sites.
Forwarding customer originated data packets to the appropriate destination.
Providing secure Layer 3 routing connectivity among the various customer sites.
Each VPRN consists of a set of customer sites connected to one or more provider routers. Each
associated provider router maintains a separate IP forwarding table for each VPRN.
Customers can manage their own IP addressing and select their own preference in terms of the
routing protocol.
The provider network remains a shared infrastructure, offering services to multiple customers while
securely isolating the routing and packet forwarding of each customer. Moreover, the provider can
offer a full range of IP-enabled services to its customers.
Each customer router becomes a routing peer of the provider router that is directly connected to, not a
peer to the other customer routers. A customer router provides the provider router with routing
information for the private (not necessarily implementing private IP addressing) customer network.
Regardless of the routing exchange between the customer and provider routers, the provider
infrastructure is provisioned in such a way that from the point of view of the customer routers, they
appear to be directly connected at Layer 3.
The service provider can reuse the IP/MPLS infrastructure to offer multiple services to each or all
customers.
Module 5 Page 31
VPRN Features
Module 5 |
32
VPRNs take advantage of the dynamics of IP routing protocols, supporting site additions or removal of
the VPN using the same infrastructure.
This type of VPN invokes label stacking with a top label that allows traffic received from a customer to
transit the interior gateway protocol (IGP) service provider cloud and a bottom label that directs the
traffic to the appropriate outgoing interface or service towards the final destination of the customer
network.
An additional feature of the VPRN includes the ability to support any-to-any IP-only connectivity,
providing connectivity among any number of customer sites.
Module 5 Page 32
Module 5 |
33
There are many benefits to be gained by implementing a Layer 3 VPRN service, such as:
Routing at customer sites can be simplified as the provider is managing the routed infrastructure.
Some sites can achieve full connectivity with only a default route.
The entire infrastructure can be provider-managed and provider-maintained.
Redundancy and resiliency are provided by the service providers infrastructure, and any architectural
benefits designed in the core can be leveraged by the customer.
Privacy is maintained by the isolation of each customer network and routing topology, which separates
routes into logical routing tables (VRF). The customer is permitted to use virtually any addressing
hierarchy and structure, independent of the providers choice of addressing and the addressing of any
other customer of the provider.
Any type of physical interconnection can be used between the CE and the PE provided that the
routers support the required interface type.
Module 5 Page 33
VPRN Architecture
Customer Edge devices (CE)
Module 5 |
34
The Customer Edge (CE) device is the interface from the customer site to the service provider
network. In a Layer 3 VPN, the CE device is typically a router; however, in some service
implementations, an Ethernet switch can be used as the CE device. In the VPRN context, the CE is
typically Layer 3-aware.
If the CE device is a switch, a static route pointing to the switch subnet is configured on the PE device.
The customer typically owns and operates these devices. These routers will run a routing protocol for
the purposes of internal routing at the site, using the customers choice of IP addressing. The CE also
runs a common routing protocol with the service provider router in order to exchange routes with the
provider network.
This routing protocol can be the same as or differ from the routing protocol used internally at the
customer site or in the provider network.
The CE is typically unaware of the existence of the MPLS protocol or the VPNs and runs standard IP
routing protocols.
Module 5 Page 34
Module 5 |
35
The service providers backbone consists of PE routers as well as other routers ("P routers") that do
not attach to CE devices.
The Provider Edge (PE) is the device that interfaces the customer network to the provider-managed
IP MPLS network. A PE is commonly shared among multiple customers, or in some cases, can be
dedicated to a single customer.
The provider owns and operates the PE devices in which each PE runs multiple instances of routing
protocols and serves a different purpose. They will run a routing protocol for the purposes of internal
routing in the provider core using the providers choice of IP addressing. There is typically only one
routing protocol instance used for this purpose.
The PE will run a routing protocol with all other PE devices in the provider core in order to exchange
VPRN routes. The PE also runs a common routing protocol with each connected CE to exchange
routes with the local customer site. This protocol can be the same or different than the routing protocol
used internally to the provider core.
Each instance of a routing protocol used for PE-CE routing should be fully isolated from the other. The
PE must be configured for MPLS and related protocols and must be aware of the VPRNs. They run
standard IP routing protocols for various exchanges of required routing information and additional
protocols that exchange MPLS-related information to enable the VPRN service.
Provider (P) devices are devices that comprise the internal provider network core. These devices can
be connected to other PE or P routers but do not have any connections to the CE. They will run a
routing protocol for the purposes of internal routing in the provider core using the providers choice of
IP addressing. There is typically only one routing protocol instance used for this purpose.
Module 5 Page 35
Module 5 |
36
In the VPRN context, each packet should have a label stack consisting of two labels applied by the PE
router that receives the packet from the customer.
The top label is known as the outer label, transport label or LSP label and identifies the label
switched path (LSP) between PEs.
The inner label is known as the service label or VPN label and identifies the customer VPRN.
Note: Layer 2 encapsulation is removed and only the IP packet that is encapsulated for transmission
across the VPRN.
Module 5 Page 36
Module 5 |
37
A VRF is a logical private forwarding routing table created within a PE router. It securely isolates the
routing information of one customer from the next, and also from the routes of the provider core
network.
The SP network provides connectivity between same-customer sites while isolating customers from
each other. The keystone of the PE-based VPN model is the isolation between routing tables,
achieved at two levels:
Isolation between customersCustomer-specific routing tables (VRF tables) are used on the edge
routers. At any particular edge router, one VRF routing table is associated with each site connected to
that router. Entries from one VRF table do not leak to another unless explicitly configured to do so.
Isolation between core and edge routingProviders routes, used by PE routers to reach each other
over the provider backbone, are kept separate from customers routes. As a matter of fact, most
provider core routers (P-routers) store only these routes while overlooking customer routes.
Each PE router maintains a number of separate forwarding tables. One of the forwarding tables is the
default forwarding table. The others are VPN routing and forwarding tables or "VRFs".
VPRN service uses VRFs within a PE device to maintain forwarding information on a per-site basis.
Each PE can maintain multiple separate VRFs based on the number of customer sites it connects to.
Module 5 Page 37
Module 5 |
38
The routing control plane function of the VPRN provides the necessary exchange of routing
information between devices that are aware of the VPRN. A PE maintains a specific VRF containing
routes for each VPRN. A CE maintains a standard IP routing table containing routes for the VPRN to
which it belongs.
The customer is running a routing protocol internal to their site. A PE learns the routes of a customer
site from the CE using the routing protocol configured between the CE and the PE. The internal
customer network routing protocol and the CE to PE routing protocol do not have to be identical.
PE maintains the base routing table with internal provider network routes and maintains separate
VRFs for the associated VPRNs. PE devices exchange routes among each other across the provider
core. Isolation must be maintained between the routes received from each customer (per-VRF) and
from provider core routes.
Routes received from each CE might need to be propagated to multiple remote PE devices.
PE to CE route exchange: a policy is required to advertise the remote customer routes to the local CE.
The PE-CE routing protocol, supported on the Alcatel-Lucent 7750, includes static routes, OSPF, RIP,
and BGP
Module 5 Page 38
Module 5 |
39
All routers in the provider core are MPLS-enabled and perform MPLS label signaling and label
exchange functions in order to form the MPLS label switched path or LSP between PEs. The LSP
label is signaled for this purpose. These LSPs form the forwarding path between PE devices across
the provider core network.
Label signaling, used to create the LSP, is not sufficient to establish a VPRN service. The LSP label
only provides the packet with the information required to reach the far-end PE at the edge of the MPLS
domain. There is no indication of which VPRN the packet should be sent to once it reaches the edge.
VPN labels are also signaled between PE devices. VPN labels are used with other identification
values to differentiate between the specific customer destination networks.
VPN labels are the second set of labels used in the VPRN context to identify the customer site as the
destination of the VPRN service.
Module 5 Page 39
Module 5 |
40
CE devices are not MPLS-enabled and are only configured with traditional routing protocols.
The CE forwards unlabeled packets from the customer site to the PE based on the routing table of the
originating CE. The ingress PE receives the packets and pushes (inserts or imposes) a label stack
onto each customer packet.
The LSP label identifies the egress PE for this VPRN and the VPN label identifies the specific VPRN
(customer network) on the egress PE.
The VPRN appears as an IP router to the customer network. This means that data arriving at the
VPRN has the Layer 2 encapsulation removed and the PE makes a forwarding decision. It is the IP
packet that is encapsulated for transmission across the VPRN.
Module 5 Page 40
Egress PE to CE
The egress PE forwards unlabeled packets to the customer based on the
VPN label
Module 5 |
41
PE to PE:
The ingress PE switches the labeled packets into the provider core. The P devices internal to the
provider core label switch the packets to the correct egress PE using the LSP label.
The VPN label should never be visible to P devices since these devices forward exclusively based on
the LSP label. Moreover, there should not be any routing of customer packets by the P routers. For
customer packets, only label switching occurs in the provider core.
Egress PE to CE:
The egress PE receives a label stacked packet from the provider core. Since it is the endpoint of the
LSP, the LSP terminates. The LSP label is popped (removed) from the packet and the egress PE
exposes the VPN label in the packet.
The VPN label is now visible to the egress PE so it can determine which VPRN the packet is
associated with. The VPN label is popped (removed) from the packet. Based on the VRF associated
to the VPN label, the egress PE forwards unlabeled packets to the correct customer.
Module 5 Page 41
The egress PE receives label stacked packets from the provider core
Module 5 Page 42
Section Objectives
Module 5 |
43
Module 5 Page 43
Module 5 |
44
Module 5 Page 44
Module 5 |
45
VPRN control plane tasks include the routing exchange and label exchange. Routes must be
exchanged between all routers in the provider network for core routing purposes and separately
between routers at the customer edge for VPRN connectivity.
Module 5 Page 45
Overlapping IP Addressing
Route
Route Table
Table (Router:
(Router: Base)
Base)
===============================================================================
===============================================================================
Dest
Address
Next
Type
Proto
Age
Metric
Pref
Dest Address
Next Hop
Hop
Type
Proto
Age
Metric
Pref
------------------------------------------------------------------------------------------------------------------------------------------------------------10.1.1.0/24
CE_Blue
Remote
BGP
03d18h53m
0
170
10.1.1.0/24
CE_Blue
Remote BGP
03d18h53m 0
170
10.1.1.0/24
CE_Red
Remote
00h25m00s
170
10.1.1.0/24
CE_Red
Remote BGP
BGP
00h25m00s 00
170
Module 5 |
46
If BGP sessions are established between the PE devices, we can accomplish the goal of route
exchange and policy which can be applied to the exchange. Secondly, the provider core P routers do
not have to run BGP at all, eliminating the need for the P routers to manage the volume of routes
present and increasing security through the isolation of the P network from the customer routes.
BGP sessions established between PE devices will transport all VRF routes across the provider core.
The sessions must be established in a logical iBGP full mesh between all PE peers. BGP will also
provide the required separation of the provider core routing from the customer VRF routes since the
provider core routes are to never be carried by BGP.
Although BGP provides the scalable solution to the exchange of routes across the provider core, it
does not immediately address all issues. BGP was designed for public Internet use where all
addressing (and routes) are managed by a central authority and must be unique.
In the VPRN context, a provider core links separate sites of a private routed domain using the VPRN;
however, the provider deals with multiple customers. It is possible that any or all of these customers
have implemented private (RFC 1918) addressing in their network. Furthermore, it is possible that
more than one of these customers has implemented the same (overlapping) addressing.
If these customer networks were not linked by a common provider core, this would not present a
problem because the overlapping routes would be isolated from each other. This is not true in the
VPRN context since a single BGP session carries all prefixes between PEs across the same provider
core. BGP was not designed with this intention in mind, therefore you would not be able to see a
routing table similar to the one above in real situation. Therefore, we have to look for an alternative.
Module 5 Page 46
A single BGP session carries all prefixes between PEs across the
same provider core for all its customers
Flag
Nexthop
LocalPref
Flag Network
Network
Nexthop
LocalPref MED
MED
VPN
As-Path
VPN Label
Label
As-Path
------------------------------------------------------------------------------------------------------------------------------------------------------------u*>
CE_Blue
none
none
u*> 10.1.1.0/24
10.1.1.0/24
CE_Blue
none
none
64496
64496
u*
10.1.1.0/24
CE_Red
none
none
u*
10.1.1.0/24
CE_Red
none
none
64497
64497
Module 5 |
47
An important consideration to note with overlapping addressing is that if BGPv4 sees two (or more)
separate entries for the same IPv4 address prefix, it will treat these prefixes as if they are going to the
same destination and will install only one route in the routing table (by default) based on the route
selection criteria.
In the case of VPRN, this poses a problem. The routes are for the same destination prefix but have
originated in different customer VPRNs. Therefore, they are completely separate and distinct
destination networks.
Module 5 Page 47
Module 5 |
48
IP version 4 expects all address instances to be unique. In the VPRN model, it is expected that this will
not occur. A new addressing structure, called the VPN-IPv4 address family, is defined.
VPN-IPv4 Address Family
A solution to this problem requires a mechanism that allows BGP to recognize multiple entries that exist
with the same prefixes and have originated from distinct customers. This makes it possible to install
multiple routes for the same prefix in the BGP table with a unique identifier to distinguish from which
customer VPRN the route originated. RFC 4364 supports this capability by defining the VPN-IPv4
address family.
An RD is simply a number that does not contain any inherent information and does not identify the origin
of the route or the set of VPNs to which the route is to be distributed. The purpose of the RD is solely to
allow one to create distinct routes to a common IPv4 address prefix. Other means are used to determine
where to redistribute the route.
Module 5 Page 48
The RD is appended to the IPv4 prefix to form the 12-byte VPNIPv4 prefix
Administrator
Assigned Number
VPN-IPv4 example
2 Bytes (Type 0)
2 Bytes (ASN)
4 Bytes
0:64496:100:10.1.1.0/24
2 Bytes (Type 1)
2 Bytes
1:10.10.10.10:100:10.1.1.0/24
2 Bytes (Type 2)
4 Bytes (ASN)
2 Bytes
2:64496:100:10.1.1.0/24
Module 5 |
49
Module 5 Page 49
The VPN-IPv4 address family is only used in the provider core control plane
when exchanging MP-BGP routing updates.
Alcatel-Lucent Services Architecture v3.2
Module 5 |
50
Module 5 Page 50
MP-BGP Update
received at PE-2
The sending PE will add the RD to the IPv4 prefixes before sending the
VPN-IPv4 prefixes in MP-BGP updates
Problem: How will the receiving PE know which routes belong to which
VRFs?
Alcatel-Lucent Services Architecture v3.2
Module 5 |
51
When using the MP-BGP: before sending an update to the remote PE, the sending PE will prepend a
unique (per-customer) 64-bit route distinguisher to each customers 32-bit IPv4 prefix thus exchanging
unique VPN-IPv4 routing updates with the remote PE. The PE routers (BGP peers) will send each
other these prepended VPN-IPv4 routes. Now how is the router going to know what routes belong to
which VRF?
A new identifier, separate from the route distinguisher, is required to associate a route to a VRF and
defines the VPRN membership of the route. This identifier is called route target.
Module 5 Page 51
Module 5 |
52
Module 5 Page 52
MP-BGP Update
received at PE-2
Module 5 |
53
The routes associated with a VRF are exported out of the VRF table of the originating PE with
defined route target values associated to the prefix. VPN-IPv4 prefixes are exported by a PE with the
route target attached.
The receiving PE will install routes into the associated VRFs if its configured import route target is the
same value as the route target 'exported' by the originating PEs. For example, if routes are exported
on the sending PE with a route target value of '64496:10', these routes will only be imported into a
VRF on the receiving PE if that VRF imports route target values of '64496:10'.
Each VPRN route is tagged with one or more route target values when it is exported from a VRF by
the sending PE and transported across the provider core by MP-BGP. Therefore, the import route
target value of the receiving PE should match the export route target value of the originating PE.
You can also associate a set of route targets with a VRF, and any route tagged with at least one of
those route targets will be imported into the VRF. This technique allows the creation of complex VPRN
topologies. In these cases, a single VPRN might need more than one route target for successful
implementation, and VRF policies must be used instead of the simple vrf-target command. This is
discussed in details in the VPRN course.
Module 5 Page 53
PE to CE Route Exchange
IPv4 routing information is exchanged between the PE and CE after
being received via MP-BGP updates over the provider core
Module 5 |
54
A routing protocol must be run between the PE and CE for the purposes of exchanging the customer
routing information from the receiving PE to the customer sites. The receiving PE will propagate routes
from the VRF to the CE as IPv4 routes.
Module 5 Page 54
Module 5 |
55
After the establishment of the routing topology in the provider core, the network must be MPLSenabled to support services such as VPRN. Transport tunnels must be created between the PEs. The
transport tunnel is either an MPLS LSP or a GRE point-to-point tunnel between PEs. These tunnels
serve as the label switched paths the customer packets will take as they cross the provider core
network.
VPRNs are also known as BGP/MPLS VPNs. BGP is used to distribute VPRN routing information
across the provider's backbone and MPLS is used to forward VPRN traffic from one VPRN site to
another. BGP is a fundamental protocol in the VPRN implementation that is used in the control plane
for both routing exchange and label signaling. Multiprotocol extensions to BGP (MP-BGP) convey the
inner label that a specific VPRN uses between different PE routers. MP-BGP is also used to advertise
routes between VPRN sites.
Alcatel-Lucent 7750 SR routers support MP-BGP for VPN label signaling for VPRN service regardless
of whether RSVP-TE or LDP is used for the LSP signaling
Module 5 Page 55
Tells the far-end PE which label to push on the stack such that VPRN data is
encapsulated to the correct VRF
Configure SDP and bind the VPRN service instance to the SDP
instance
Module 5 |
56
The 7750 SR supports multiple mechanisms to provide transport tunnels for the forwarding of traffic between PE
routers:
RSVP-TE protocol to create tunnel LSP's between PE routers
LDP protocol to create tunnel LSP's between PE routers
GRE tunnels between PE routers.
The transport tunnel in a VPRN is created either by configuring the auto-bind option under the VPRN service
instance or by configuring an SDP and binding the VPRN service instance to the SDP instance.
When the 'auto-bind' command is used, next-hop resolution refers to the base (core) routing instance for IP
reachability. For VPRN service, auto-bind specifies the lookup to be used by the routing instance if an SDP to the
destination does not exist. In this way auto-bind acts as a replacement by creating SDPs for the transport tunnels
manually.
Auto-bind ldp binds the VPRN service to the LDP FECs in the core without the need to configure SDPs explicitly
Auto-bind rsvp-te
Allows the use of traffic-engineered paths between PE routers for VPRN services without explicitly
defining them through the SDP configuration mechanism.
If configured, this feature will use the RSVP-TE-based LSP with the lowest metric to resolve the MPBGP route within a VPRN context.
Auto-bind mpls allows auto-bind to select available RSVP-TE or LDP LSPs to resolve IP-VPN routes from
remote PEs.
For VPRN services, SDP tunnels can be created using MPLS/rsvp-te. If SDP-based tunnels are used, they must
be created prior to their binding to the VPRN service. The configuration of an SDP includes specifying the far-end
PE address and the type of encapsulation used, such as MPLS.
Module 5 Page 56
Module 5 Page 57
Section Objectives
Module 5 |
58
Module 5 Page 58
Module 5 |
59
Module 5 Page 59
Module 5 |
60
The network diagram will be used to demonstrate the configuration and operation of VPRN.
The loopback interfaces simulate locally-connected networks.
Customer sites, belonging to different VPRNs, will be able to use the same private IP address space.
Module 5 Page 60
Network Diagram
VPRN Implementation
Successful operation of a VPRN service requires the following
preliminary configuration steps:
Configure the foundation network infrastructure
Configure the IGP for the provider core routing protocol
Module 5 |
61
Students should be able to configure the foundation network infrastructure, IGP for provider core
routing (OSPF is used), and the provider core for MPLS tunneling (LDP is used). These configurations
are not shown.
Note: If the tunnel type is chosen to be IP/GRE, then no MPLS tunneling configuration is needed.
Module 5 Page 61
A:PE1>config>router>ospf# info
---------------------------------------------area 0.0.0.0
interface "system"
exit
interface "toPE2"
interface-type point-to-point
exit
exit
----------------------------------------------
A:PE1>config>router>ldp# info
-----------------------------------------interface-parameters
interface "toPE2"
exit
exit
targeted-session
exit
------------------------------------------
Module 5 |
62
Configure the IGP routing protocol (IGP for the provider core network) on the system interface
and all provider-core-facing interfaces of all PE and P devices. Typically OSPF or IS-IS are
used.
Module 5 Page 62
Configuring MP-BGP
A:PE2>config>router>bgp# info
---------------------------------------------group "multi-bgp
family vpn-ipv4
peer-as 64496
neighbor 10.10.10.1
local-address 10.10.10.2
exit
exit
----------------------------------------------
Module 5 |
63
To enable BGP on the PE devices, the BGP autonomous system number is first configured in the
global context.
The MP-BGP sessions established between the PE routers allow for the exchange of customer VPRN
routes across the service provider core network. Sessions must be established between all PE routers
in the MPLS domain to ensure a scalable and reliable implementation. The MP-BGP sessions also
enable the exchange of VPN labels which are transported along with the routing information in MPBGP updates.
To transport VPN-IPv4 routes, the 'vpn-ipv4' address family must be configured under the BGP
context. All remaining parameters related to the MP-BGP session are then configured under the 'vpnipv4' address family in a fashion similar to the configuration of traditional BGP neighbors.
Defining a BGP group is mandatory; within this group, the peer parameters will be configured. The
remote and local device addresses used for the session must be defined. The MP-BGP sessions
should always be established between the system addresses of each PE device.
Module 5 Page 63
Module 5 |
64
The show router bgp neighbor command is used to verify the details of the BGP sessions of the PE,
including the operational status of the MP-BGP sessions.
The following is shown in the slide:
The verification of the internal PE neighbor
The VPN-IPv4 address family is supported between the neighbors for the purpose of VPRN
route exchange
Module 5 Page 64
Module 5 |
65
The service configuration commands to provision a VPRN service are located under the
config>service>vprn context
The show commands are in the show>service context.
A summary of the steps required to provision a VPRN customer are shown and detailed in the
following pages. Only the configurations on PE1 will be shown.
Module 5 Page 65
Module 5 |
66
Description
Contact name
Telephone number
Module 5 Page 66
Module 5 |
67
The VPRN service must be defined and associated to the customer ID created in an earlier
configuration. A description for the VPRN should always be included for ease of reference and
troubleshooting.
The router ID is manually configured to establish a predictable identifier for the protocols that require
one, such as OSPF and BGP. This is preferred over leaving the router ID selection to the default
mechanism, which can result in unpredictable values.
The creation of the VPRN for customer Blue and customer Red in PE1 is shown in the slide.
Module 5 Page 67
Module 5 |
68
The simplest way is to use the vrf-target command. For example, the command vrf-target
target:64496:10 will add the community string target:64496:10 to all routes taken from the VRF into MPBGP and select all MP-BGP routes with this community string and put them in the VRF.
Context:
Syntax:
community>}
Parameters:
Default:
config>service>vprn
- vrf-target {<ext-community>|export <ext-community>|import <ext- no vrf-target
<ext-community> :
target:{<ip-addr:comm-val>|
<2byte-asnumber:ext-comm-val>|
<4byte-asnumber:comm-val>}
ip-addr
- a.b.c.d
comm-val
- [0..65535]
2byte-asnumber - [0..65535]
ext-comm-val
- [0..4294967295]
4byte-asnumber - [0..4294967295]
no vrf-target
Description: This command facilitates a simplified method to configure the route target to be added to
advertised routes or to be compared against received routes from other VRFs on the same or remote
PE routers (via MP-BGP).VPN-IPv4 routes imported with a vrf-target statement will use the BGP
preference value of 170 when imported from remote PE routers, or retain the protocol preference value
of the exported route when imported from other VRFs in the same router.
vrf-import
- vrf-import <policy-name> [<policy-name>...(upto 5 max)]
- no vrf-import
vrf-export
- vrf-export <policy-name> [<policy-name>...(upto 5 max)]
- no vrf-export
Module 5 Page 68
The route target will be added to advertised routes and compared to the
value contained in received routes.
PE1>config>service# vprn 10
PE1>config>service>vprn$ vrf-target target:64496:10
PE1>config>service>vprn$
PE1>config>service# vprn 20
PE1>config>service>vprn$ vrf-target target:64496:20
PE1>config>service>vprn$
Module 5 |
69
The route-distinguisher command sets the identifier attached to routes that distinguish the VPN they
belong to. Each routing instance must be associated with a unique (within the carriers domain) route
distinguisher. A route distinguisher must be defined for a VPRN to be operationally-active.
The vrf-target command facilitates a simplified method to configure the route target to be added to
advertised routes or compared against received routes from other VRFs on the same or remote PE
routers (using MP-BGP).
The vrf-target command does not allow multiple export or import route targets to be specified.
Module 5 Page 69
PE1>config>service# vprn 20
PE1>config>service>vprn$ route-distinguisher 64496:2
PE1>config>service>vprn$
PE1>config>service# vprn 10
PE1>config>service>vprn# interface "toCE1" create
PE1>config>service>vprn>if$ description "Customer BlueSite1"
PE1>config>service>vprn>if$ address 10.1.3.1/27
PE1>config>service>vprn>if$ sap 1/1/3 create
PE1>config>service>vprn>if$ exit all
PE1>config>service# vprn 20
PE1>config>service>vprn# interface "toCE3" create
PE1>config>service>vprn>if$ description "Customer RedSite1"
PE1>config>service>vprn>if$ address 10.1.6.1/27
PE1>config>service>vprn>if$ sap 1/1/2 create
PE1>config>service>vprn>if$ exit all
Module 5 |
70
The PE routers customer-facing interfaces are configured and associated to the VPRN service.
Module 5 Page 70
Module 5 |
71
Module 5 Page 71
Configure the PE
Configure the CE
The same PE-CE routing protocol is not mandatory for all sites
Module 5 |
72
Static routing, RIP, OSPF, or BGP can be used as the PE-CE routing protocol. In this case study, BGP
will be used.
When BGP is used as the PE-CE routing protocol, PE and CE routers will become BGP peers. The CE
will use BGP to tell the PE router the set of address prefixes that are reachable at the router site of the
CE.
To configure BGP on the PE, the BGP instance must be created under the VPRN service context. The
CE is configured with a standard BGP instance, since it is not MPLS-aware.
When BGP is configured in the CE, care must be taken to ensure that address prefixes from other sites
(for example, address prefixes learned by the CE router from the PE router) are never displayed to the
PE. Specifically, if a PE router receives a VPN-IPv4 route and as a result distributes an IPv4 route to a
CE, then that route must not be distributed back from the site of the CE to a PE router, either from the
same or a different router.
This topic is discussed in further detail in the VPRN course.
Module 5 Page 72
Configuring PE to CE Routing
Module 5 |
73
If BGP is used as the PE-CE protocol, then each PE device will have multiple BGP peerings. The MPBGP mesh must be maintained between PE devices. Meanwhile, a traditional BGP session must be
established for each CE running BGP with the PE.
Module 5 Page 73
BGP Peerings
*A:PE1>config>router>policy-options# info
*A:PE1>config>router>policy-options# info
------------------------------------------------------------------------------------------policy-statement "mpbgp-bgp"
policy-statement "mpbgp-bgp"
entry 10
entry 10
from
from
protocol bgp-vpn
protocol bgp-vpn
exit
exit
action accept
action accept
exit
exit
exit
exit
exit
exit
-------------------------------------------------------------------------------------------
Module 5 |
74
Policy must be defined to allow the exchange of routes from MP-BGP into the configured PE-CE
protocol. The route policy can be applied as an import policy or an export policy. The policies must be
defined before they can be applied.
Routes that belong to a VPRN must use the protocol owner, VPN-IPv4, to denote that it is a VPRN
route. This can be used within the route policy match criteria.
Module 5 Page 74
Module 5 |
75
The PE must also be configured with BGP by defining the CE as a peer. This is done in traditional BGP
fashion. All PE BGP configuration is performed under the service context, including the autonomous
system number, except in the case of VPRN.
The defined policy is applied to the configured PE-CE routing protocol as a route export policy to control
the flow of routing information from MP-BGP to BGP.
Module 5 Page 75
*A:CE1>config>router>policy-options# info
*A:CE1>config>router>policy-options# info
------------------------------------------------------------------------------------------policy-statement "direct-bgp"
policy-statement "direct-bgp"
entry 10
entry 10
from
from
protocol direct
protocol direct
exit
exit
to
to
protocol bgp
protocol bgp
exit
exit
action accept
action accept
exit
exit
exit
exit
exit
exit
-------------------------------------------------------------------------------------------
Module 5 |
76
Recall that in this case study we are using the loopback interfaces to simulate locally connected
networks. It is more likely that the customer would be running a routing protocol like OSPF, in that case
the OSPF routes need to be exported into BGP.
Module 5 Page 76
Module 5 |
77
The CE will be configured with BGP as the routing protocol, as shown in the slide.
Note: the autonomous system is defined in the global context and a policy is specified to control the set
of prefixes exchanged with peers.
Module 5 Page 77
Configure the CE for BGP with the specified route policy applied.
Module 5 |
78
When issued from the PE, the CE should appear as a BGP neighbor under the show router <service
id> bgp summary command.
The details of the CE-PE BGP neighbor relationship will be visible under the show router <service id>
bgp neighbor command.
Module 5 Page 78
CE Routing Table
===============================================================================
===============================================================================
Route Table (Router: Base)
Route Table (Router: Base)
===============================================================================
===============================================================================
Dest Prefix
Type
Proto
Age
Pref
Dest Prefix
Type
Proto
Age
Pref
Next Hop[Interface Name]
Metric
Next Hop[Interface Name]
Metric
------------------------------------------------------------------------------------------------------------------------------------------------------------10.1.3.0/27
Local
Local
01h35m30s
0
10.1.3.0/27
Local
Local
01h35m30s
0
toPE1
0
toPE1
0
10.10.10.3/32
Local
Local
05d04h01m
0
10.10.10.3/32
Local
Local
05d04h01m
0
system
0
system
0
192.168.1.0/27
Local
Local
01h14m50s
0
192.168.1.0/27
Local
Local
01h14m50s
0
BlueSite1
0
BlueSite1
0
------------------------------------------------------------------------------------------------------------------------------------------------------------No. of Routes: 6
No. of Routes: 6
===============================================================================
===============================================================================
Module 5 |
79
The show router route-table command (in this case on the CE) is used to verify the contents of the
base routing instance.
As shown in the slide, this table contains only the locally connected customer routes. There are no
remote routes as the VPRN service is not yet enabled.
Module 5 Page 79
Module 5 |
80
To enable the VPRN service, no shutdown command is used. The slide shows the complete VPRN
configuration on PE1 for customer Blue. Similar configurations are on PE2 as shown below:
---------------------------------------vprn 10 customer 10 create
description "Customer Blue"
router-id 10.10.10.2
autonomous-system 64496
route-distinguisher 64496:1
auto-bind ldp
vrf-target target:64496:10
interface "toR4" create
address 10.2.4.2/27
sap 1/1/3 create
exit
exit
bgp
group "toCE2"
neighbor 10.2.4.4
export "mbgp-bgp"
peer-as 64498
exit
exit
exit
no shutdown
Module 5 Page 80
Route Dist.
Dist.
ASRoute
Number
AS Number
ECMP
ECMP
Max
IPv4 Routes
MaxIPv6
IPv4Routes
Routes
Max
Max IPv6
Routes
Ignore
NH Metric
Ignore
NH Metric
Hash
Label
Hash
Label
Vrf Target
Vrf
Target
Vrf Import
VrfExport
Import
Vrf
Vrf Vrf
Export
MVPN
Target
MVPNVrf
VrfImport
Target
MVPN
MVPN
VrfExport
Import
MVPN Vrf
MVPN Vrf Export
: 64496:1
64496:1
: :64496
64496
: :Enabled
: :NoEnabled
Limit
Limit
: :NoNoLimit
No Limit
: :Disabled
:
Disabled
: Disabled
:
Disabled
: target:64496:10
target:64496:10
: :None
None
: :None
None
: :None
None
: :None
:
None
: None
: None
VPRN Type
VPRN Type
Router
Id
Router
ECMP
Max Id
Routes
ECMPBind
Max Routes
Auto
Auto Bind
: regular
regular
: :10.10.10.1
: :1 10.10.10.1
1
: :LDP
: LDP
SAP Count
: 1
SDP Bind Count
: 0
SAP Count
: 1
SDP Bind Count
: 0
------------------------------------------------------------------------------------------------------------------------------------------------------------Service
Access & Destination Points
Service
Access
&
Destination
Points
------------------------------------------------------------------------------------------------------------------------------------------------------------Identifier
Type
AdmMTU OprMTU Adm Opr
Identifier
Type
AdmMTU OprMTU Adm Opr
------------------------------------------------------------------------------------------------------------------------------------------------------------sap:1/1/3
null
1514
1514
Up
Up
sap:1/1/3
null
1514
1514
Up
Up
Module 5 |
81
The show service id <id> base command displays detailed information for a particular service ID.
Shown in this slide is the verification of the configuration of auto-bind for LDP, the configured route
distinguisher and the route target.
Note: the SAP count is 1, indicating that a SAP has been associated to this service; however, the
SDP bind count is 0 because we have not used an SDP in this configuration.
Module 5 Page 81
===============================================================================
===============================================================================
Route Table (Router: Base)
Route Table (Router: Base)
===============================================================================
===============================================================================
Dest Prefix
Type
Proto
Age
Pref
Dest Prefix
Type
Proto
Age
Pref
Next Hop[Interface Name]
Metric
Next Hop[Interface Name]
Metric
------------------------------------------------------------------------------------------------------------------------------------------------------------10.1.3.0/27
Local
Local
01h35m30s
0
10.1.3.0/27
Local
Local
01h35m30s
0
toPE1
0
toPE1
0
10.2.4.0/27
Remote BGP
00h27m11s
170
10.2.4.0/27
Remote BGP
00h27m11s
170
10.1.3.1
0
10.1.3.1
0
10.10.10.3/32
Local
Local
05d04h01m
0
10.10.10.3/32
Local
Local
05d04h01m
0
system
0
system
0
10.10.10.4/32
Remote BGP
00h27m11s
170
10.10.10.4/32
Remote BGP
00h27m11s
170
10.1.3.1
0
10.1.3.1
0
192.168.1.0/27
Local
Local
01h14m50s
0
192.168.1.0/27
Local
Local
01h14m50s
0
BlueSite1
0
BlueSite1
0
192.168.2.0/27
Remote BGP
00h27m11s
170
192.168.2.0/27
Remote BGP
00h27m11s
170
10.1.3.1
0
10.1.3.1
0
------------------------------------------------------------------------------------------------------------------------------------------------------------No. of Routes: 6
No. of Routes: 6
===============================================================================
===============================================================================
Module 5 |
82
The show router route-table command (in this case on the CE) is used to verify the contents of the
base routing instance.
As shown in the slide, this table should contain customer routes only. The service ID parameter is not
required on the CE because this device is not MPLS-aware and runs only standard IGP routing
protocols.
Module 5 Page 82
===============================================================================
===============================================================================
Route Table (Service: 1)
Route Table (Service: 1)
===============================================================================
===============================================================================
Dest Prefix
Type
Proto
Age
Pref
Dest Prefix
Type
Proto
Age
Pref
Next Hop[Interface Name]
Metric
Next Hop[Interface Name]
Metric
------------------------------------------------------------------------------------------------------------------------------------------------------------10.1.3.0/27
Local
Local
00h26m35s
0
10.1.3.0/27
Local
Local
00h26m35s
0
toCE1
0
toCE1
0
10.2.4.0/27
Remote BGP VPN 00h40m13s
170
10.2.4.0/27
Remote BGP VPN 00h40m13s
170
10.10.10.2 (tunneled)
0
10.10.10.2 (tunneled)
0
10.10.10.3/32
Remote BGP
00h25m45s
170
10.10.10.3/32
Remote BGP
00h25m45s
170
10.1.3.3
0
10.1.3.3
0
10.10.10.4/32
Remote BGP VPN 00h39m29s
170
10.10.10.4/32
Remote BGP VPN 00h39m29s
170
10.10.10.2 (tunneled)
0
10.10.10.2 (tunneled)
0
192.168.1.0/27
Remote BGP
00h25m45s
170
192.168.1.0/27
Remote BGP
00h25m45s
170
10.1.3.3
0
10.1.3.3
0
192.168.2.0/27
Remote BGP VPN 00h39m29s
170
192.168.2.0/27
Remote BGP VPN 00h39m29s
170
10.10.10.2 (tunneled)
0
10.10.10.2 (tunneled)
0
------------------------------------------------------------------------------------------------------------------------------------------------------------No. of Routes: 6
No. of Routes: 6
===============================================================================
===============================================================================
Module 5 |
83
The show router <service-id> route-table command is used to verify the contents of the routing
instance for the specified service.
As shown in the slide, this table should contain customer routes such as physical links to the PE
devices, system interfaces of the CE devices, and internal customer LAN networks.
The prefixes received from the local CE will be learned from the configured PE-CE protocol (BGP), while
the prefixes received from the remote CE will be learned from the BGP VPN (MP-BGP) protocol.
Module 5 Page 83
Module 5 |
84
The show router mpls label command displays the bindings of the in-use MPLS labels and their
owner. In this case, there should be labels bound to LDP as a result of the transport tunnel signaling
and labels bound to the VPRN as a result of MP-BGP service label signaling.
ILDP is an interface LDP and refers to the transport tunnel (LSP) label, while VPRN refers to the inner
(VPN) label.
Although it is considered optional to configure MPLS when using LDP as the label signaling protocol,
any show router mpls command can be available when MPLS is enabled.
Module 5 Page 84
If RSVP were configured, the label owned by RSVP would be the LSP
label.
Module 5 |
85
The show router bgp routes vpn-ipv4 command displays the VPN-IPv4 routes received by PE1,
including the VPN label.
Module 5 Page 85
Module 5 |
86
The show router <service id> fib command can be used to verify the contents of the FIB.
Prefixes learned from traditional routing mechanisms are listed and associated with the traditional IP
forwarding parameters of the next-hop address and egress interface.
Prefixes learned from MP-BGP as VPN-IPv4 routes are listed and associated with the egress label
and MPLS forwarding and LSP parameters.
Module 5 Page 86
ttl=62
ttl=62
ttl=62
ttl=62
ttl=62
time=2.33ms.
time=3.01ms.
time=2.32ms.
time=2.48ms.
time=2.47ms.
---- 192.168.2.1 PING Statistics ---5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.32ms, avg = 2.52ms, max = 3.01ms, stddev = 0.255ms
Module 5 |
87
Verify the connectivity from the local CE to the remote CE after service implementation.
The MPLS-enabled core routers will not be reported as valid traceroute hops and will not be visible in
the traceroute output (not shown here).
The egress PE will report a timeout represented by the '* * *' in the traceroute output. Therefore, the
ingress PE device and the routers at the customer site are the only devices visible in the traceroute
results.
Module 5 Page 87
Verify the routes are reachable via the VPRN service using ping and
traceroute commands.
Module 5 |
88
In order to verify that a service is operational, a set of in-band, packet-based operation, administration,
and maintenance (OAM) tools is required with the ability to test each of the individual packet
operations.
For in-band testing, the OAM packets closely resemble customer packets to effectively test the
customer's forwarding path, but they are distinguishable from customer packets so they are kept
within the service provider's network and not forwarded to the customer.
The suite of OAM diagnostics supplements the basic IP ping and traceroute operations with
diagnostics specialized for the different levels in the service delivery model.
The oam vprn-ping command is used to verify that the customer VPRN service is operational. The
oam vprn-trace command is used to verify the path taken for the customer VPRN service and the
tunneling mechanism used across the provider core.
Module 5 Page 88
Module 5 |
89
The control plane flow demonstration is shown for the Blue VPN.
This case study uses BGP as the PE-CE routing protocol; however, static, RIP, OSPF, OSPFv3 or
EPGP routing may also be used.
The CE router needs a policy to advertise directly connected routes to the PE. CE-x to PE-x routing
protocol may be configured independent of any other CE-y-PE-y routing protocol.
A:CE1>config>router>policy-options# info
---------------------------------------------policy-statement "direct-bgp"
entry 10
from
protocol direct
exit
to
protocol bgp
exit
action accept
exit
exit
exit
A:CE1>config>router>bgp# info
---------------------------------------------group "toPE1"
peer-as 64496
neighbor 10.1.3.1
export "direct-bgp"
exit all
Module 5 Page 89
The PE will install the route into the VRF based on the configuration
of the interface the route was received on.
Module 5 |
90
When PE propagates customer routes to a BGP table, it becomes a VPN-IPv4 route by adding the RD
and RT.
CE to PE routing protocol may be configured independent of any other CE-PE routing protocol.
Module 5 Page 90
Module 5 |
91
PE1 and PE2 are BGP neighbors and thus have a BGP session in which MP-BGP updates are
exchanged.
Each VPRN appears as an additional routing instance and the routes for a service are
exchanged via MP-BGP between various PEs.
Module 5 Page 91
PE2 FIB
Prefix
VPN Label
192.168.1.0/27
131069
Module 5 |
92
Module 5 Page 92
The receiving PE (egress PE) installs the VPN-IPv4 routes into a VRF
based on the route target in the MP-BGP update.
Module 5 |
93
A:PE2>config>router>policy-options# info
---------------------------------------------policy-statement "mbgp-bgp"
entry 10
from
protocol bgp-vpn
exit
to
protocol bgp
exit
action accept
exit all
---------------------------------------------echo "Service Configuration"
service
customer 10 create
description "Default customer"
exit
vprn 10 customer 10 create
bgp
group "toCE1"
neighbor 10.1.3.3
export "mbgp-bgp"
peer-as 64497
exit
exit
exit
no shutdown
Module 5 Page 93
Module 5 |
94
Similarly, route exchanges must occur in the opposite direction. CE2 learns a route and propagates to
PE2 via the configured PE-CE protocol (BGP). PE2 will then install the route into the VRF based on
the configuration of the interface the route is received on. Customer routes are then automatically
propagated into the BGP table on the PE2.
MP-BGP updates pass the customer routes via VPN-IPv4 prefixes and route targets across the
provider core. The receiving PE (PE1) places all VPN-IPv4 routes into the VRFs corresponding to the
proper route targets. The VRF routes are then exchanged to the PE1-CE1 routing protocol via policy.
Module 5 Page 94
Module 5 |
95
Packet Flow:
1. An IP Packet intended for 192.168.1.1 is forwarded by the CE2 router via its routing table to the PE2 router.
2. At PE2, the packet is received on an interface associated to the Blue VRF. The PE thus knows that
it will use the Blue VRF for forwarding decisions.
3. In the Blue VRF, the next-hop address for the FEC is PE1.
Module 5 Page 95
PE2 FIB
Prefix
VPN Label
192.168.1.0/27
131069
Module 5 |
96
Packet Flow:
The packet will receive a service label by PE2 defining the service on the egress PE.
Module 5 Page 96
Module 5 |
97
Packet Flow:
1. A label will be determined for the next-hop address from the LFIB. The label associated to
10.10.10.1 is 131071.
2. The packet will be labeled by PE2 with a transport label of 131071, which defines the transport
tunnel to the egress PE.
Note: Packet flow at P routers (not shown in the slide): each P router along the path will swap the LSP
label and label switches the packet towards the egress PE. There are no changes to the IP header or
the VPN label in the core network. The packet will be label switched across the provider core until it
reaches the egress PE.
Module 5 Page 97
Module 5 |
98
Packet Flow:
1. The egress PE will POP the LSP label as there is no egress label in the LFIB.
2. The result is an MPLS labeled packet.
Module 5 Page 98
The LSP label will be popped, while the next label will be
processed
PE1 FIB
Module 5 |
99
Prefix
VPN Label
192.168.1.0/27
131069
Packet Flow:
1. The egress PE will reference the VPN label and determine the associated VRF as there is a unique
one-to-one association between a VPN label and a VRF.
2. The VPN label is popped and results in an unlabeled packet forwarded via the VRF based on the
longest match lookup algorithm.
3. The next-hop is identified as being external to the MPLS domain. The packet will be forwarded by
PE1 to CE1.
4. CE1 receives an unlabeled packet for destination 192.168.1.1 and will route the unlabeled packet
via its routing table.
Module 5 Page 99
The VPN label will be popped, while the unlabeled packet will be sent
out to the interface corresponding to the longest match lookup
algorithm
AS 64499
Red VPN Site 1
BGP
Pod 2
Pod 1
Pod 3
Pod 4
BGP
AS 64498
Blue VPN Site 2
AS 64500
Red VPN Site 2
Module 5 |
100
MP-BGP
LDP
Section Objectives
Module 5 |
102
Module 5 |
103
Internet Protocol version 6 (IPv6) is a replacement of IPv4. The industry believes that IPv6 will
boost the development of a series of new services and technologies, particularly in mobile
communications and digital home appliances.
IPv6 cannot be deployed in one action. IPv4 is currently a dominant protocol of the Internet in which
almost all applications on the IP network are based on it. Thus, the applications of IPv6 are to be
developed step-by-step.
Currently, the main body of the Internet is still using IPv4, whereas IPv6 is deployed in merely a few
IPv6 backbone networks such as the CNGI in China and the e-Japan in Japan. The primary issue is
how to enable those isolated IPv6 networks to communicate with each other.
There are many issues involved when interconnecting IPv4 and IPv6 networks, as well as many
strategies for transitioning to IPv6. Tunneling technologies are used to connect separated IPv6
networks.
Currently, the main body of the Internet is still using IPv4, whereas
IPv6 is only deployed in a few IPv6 backbone networks
6VPE Technology
What is 6VPE?
6VPE technology is an extension of VPRN technology for IPv6, which can
carry an IPv6 or IPv4 VPN service on IPv4 MPLS backbone networks.
Module 5 |
104
6VPE (BGP-MPLS IPv6 VPN) is a RFC 4364-like VPN model for IPv6 networks. It is a method in
which a service provider may use its packet-switched backbone to provide Virtual Private Network
services for its IPv6 customers.
6VPE supports multiple IPv6 VRFs on the PE routers. The 6VPE route delivery and packet forwarding
principles are consistent with those of the VPRN using traditional IPv4. The 6VPE router is a PE router
that provides a BGP-MPLS IPv6 VPN service over an IPv4-based MPLS core.
As explained earlier, VRF is a VPN routing and forwarding instance in a PE. Meanwhile, a VRF table
is a routing and a forwarding table associated with a VRF. This customer-specific table enables the PE
router to maintain independent routing states for each customer.
The ingress PE makes a forwarding decision based on the contents of the VRF.
Differences
A new address family, VPN-IPv6 is defined.
A VPN-IPv6 address is a 16-byte IPv6 address prepended with an 8-byte RD to form a 24byte address.
The PE routers run a dual stack of IPv4 and IPv6.
IPv6 routes must be resolved to an IPv6 next-hop.
Module 5 |
105
In principle, no difference exists between IPv4 VPNs and IPv6 VPNs, as specified in RFC 4659 BGPMPLS IP VPN Extension for IPv6 VPN. Similar to IPv4, MP-BGP is the centerpiece of the MPLS
VPN-IPv6 architecture. It is used to distribute IPv6 routes over the SP backbone with the same set of
mechanisms to deal with overlapping addresses, redistribution policies, and scalability issues.
Although IPv6 should not have overlapping address space, the IPv6 VPN addresses are still
prepended with a route distinguisher. The route target extended community is used to control
distribution of routing information, by tagging exported routes and filtering imported ones.
Similar to VPN-IPv4, the ingress PE makes a forwarding decision in the data plane based on the
contents of the VRF. IPv6 data packets are encapsulated with a service and transport label for
transmission across the core.
The differences between 6VPE and VPN-IPV4 are:
A new address family, VPN-IPv6 is defined for 6VPE, the VPN-IPv6 address is created by adding the
eight byte route distinguisher (RD) to a 16 byte IPv6 address.
The PE routers run a dual stack of IPv4 and IPv6. Only IPv4 is required in the core network.
IPv6 routes must be resolved to an IPv6 next-hop. IPv4 addresses in the core are mapped to IPv6
addresses to accomplish this.
6VPE Overview
Customer IPv6 VPRN routes are exchanged between 6VPE routers across
the IPv4 MPLS provider core infrastructure.
The customers connected to 6VPE could run a native IPv6 or IPv4.
Module 5 |
106
The routing component of the VPN operation is divided into core routing and edge routing.
Core routing, which involves PE routers and P routers, is typically performed by an IPv4 IGP such as OSPF or
IS-IS. The core routing enables connectivity among the P and PE routers.
Edge routing takes place in two directions: routing between PE pairs achieved via MP-BGP using a specific
address family (VPN-IPv6) and routing between a PE and a CE. Routing between the CE and its PE is achieved
using a routing protocol that is VRF-aware. At this time, only static routes and BGP are VRF-aware.
The following routing tables are used at PE1:
IPv6 VRFs: a set of customer-specific IPv6 routing tables that contains customer routes. Each of these routing
tables contains routes received from the CE routers, as well as routes from remote sites in the same VPN.
A default routing table that is exclusively used to reach routers inside the provider network. It is an IPv4 table if
the MPLS core is IPv4 based (as in this case), and IPv6 otherwise.
A BGP table that contains entries from all customer-specific IPv6 routing tables.
Similar to VPRN for IPv4 customers, route distribution between sites occurs as follows:
1. The CE1 router announces a customer prefix to the provider router (PE1). Although this entry belongs to the
default routing table at the CE1, it is installed in a VRF IPv6 table (red) at the PE1. The interface on which these
entries are received determines the table into which they should be installed.
2. PE1 redistributes this entry into its MP-BGP table after prefixing it with the RD, referencing the VRF table the
entry is coming from.
3. Once in the BGP table, the entry is announced to the BGP peer at PE2.
4. Once installed in the PE2 BGP table, the entry is redistributed into one or more VRF tables after stripping off
the RD.
Note: the RD is used solely to distinguish entries in BGP, not as a policy mechanism to determine what entry
from which VRF table is to be redistributed in which VRF table on the remote PE. Instead, BGP communities
(route targets) are used for that purpose.
5. From the VRF table, the entry is finally redistributed into the customer site.
Each PE router maintains a separate logical routing table (VRF) for each
IPv6 VPRN.
The outer label is known as the top, transport, or LSP label that identifies
the transport tunnel between PEs.
Signaled via LDP or RSVP
The inner label is known as the service, VC, or VPN label that identifies
the customer VPRN.
Signaled via MP-BGP
These labels are applied on the IPv6 packet directly (no additional headers
are needed although the core is IPv4)
Alcatel-Lucent Services Architecture v3.2
Module 5 |
107
The IPv6 VPRN Service, similar to IPv4 VPRNs, uses a label stack consisting
of two labels.
If the provider network is a native IPv6, the next-hop will be the IPv6
address of the egress PE.
Module 5 |
108
The 6VPE BGP sessions are established over an IPv4 core, and the core (P) routers do not have IPv6
enabled.
When announcing a prefix, MP-BGP running on one PE inserts a BGP next-hop in the update
message sent to a remote PE. This next-hop is the address of the PE sending the update message
(egress PE). For the VPN-IPv6 address family, it has to be an IPv6 address, regardless of the nature
of the network between the PE speakers.
When the ingress 6VPE router receives an IPv6 packet, it looks for the destination
address in the VRF table.
This destination prefix is either local to the 6VPE (which is another interface participating in
the VPN) or a remote ingress 6VPE router.
For the prefix learned through the remote 6VPE router, the ingress router does a
The VPN-IPv6 route has an associated MPLS label to a MBGP next-hop and an
associated VPRN service label.
The ingress 6VPE router needs to push two MPLS labels in order to send the packets
to the egress 6VPE router.
The top label is an MPLS IPv4 label that is used to reach the egress 6VPE router.
The bottom label is an MPLS label that is advertised in MBGP by the remote 6VPE router for
the IPv6 prefixes in the VRF.
Module 5 |
109
The egress 6VPE router pops the bottom IPv6 VPRN service label and
identifies the target VRF and the address family.
A further Layer 3 lookup is performed in the target VRF and the IPv6
packet is sent toward the proper customer edge router in the IPv6 domain.
The egress 6VPE forwards unlabeled packets to the customer
Module 5 |
110
Router
System addresses
PE1
10.10.10.1/32
CE1
2001:db8:1:1f1::1/64
2001:db8:1:100::1/128
CE2
2001:db8:1:1f2::2/64
PE2
10.10.10.2/32
2001:db8:1:100::2/128
CE1
2001:db8:1:200::1/128
CE2
2001:db8:1:200::2/128
Module 5 |
111
6VPE operation is very similar to MPLS VPN for IPv4. The main difference is that the advertised
customer routes are IPv6 instead of IPv4.
The provider edge (PE) routers must run IPv4 (to communicate with the IPv4 MPLS core) and IPv6 (to
communicate with customers).
The provider core routers are IPv6-unaware and do not need to run BGP.
6VPE Configuration
Network Diagram
There are two separate sites of an IPv6 VPN customer.
These customer sites (CE1 and CE2) only run IPv6. They are
separated in the middle by the IPv4 network.
Module 5 |
112
The network diagram will be used to demonstrate the configuration and operation of 6VPE (Blue
VPN).
The loopback interfaces simulate locally connected networks.
The goal of this case study is to test IPv6 VPN routing over IPv4 MPLS infrastructure with BGP routing
between CE and PE (static routing can also be used).
This architecture requires no backbone infrastructure upgrades nor a reconfiguration of core routers
since forwarding is purely based on MPLs labels.
No changes are made to the core routing configuration from the IPv4 VPRN case study. OSPF is used
for core routing and LDP as the transport tunnel.
Note: In order to use IPv6 on the Alcatel-Lucent 7750 SR, you must first enable chassis mode c.
PE1 and PE2 are dual stack (IPv4/IPv6) routers. They have
interfaces connected to both IPv6 or IPv4 networks.
Module 5 |
113
BGP is used as a PE-CE protocol. The BGP configuration is pretty straightforward with an ipv6
family and the use of an IPv6 address for neighbor declaration. No changes are needed for the policy
configuration, which are used to redistribute customer routes into BGP.
#-------------------------------------------------echo "Policy Configuration"
#-------------------------------------------------policy-options
begin
policy-statement "direct-bgp"
entry 10
from
protocol direct
exit
to
protocol bgp
exit
action accept
exit
exit
exit
commit
exit
Module 5 |
114
Module 5 |
115
PE1 and PE2 are the 6VPE routers in the network. They run IPv4 (towards the core) and IPv6
(towards the CE and other PEs).
In order to support 6VPE and exchange the IPv6 VPN routes, they need to run multi-protocol BGP
(MBGP) between them.
LDP is used in the IPv4 network to setup MPLS tunnels for IPv6 over IPv4.
Module 5 |
116
The route policy mpbgp-bp is used at the 6VPE router in order to export MBGP IPv6 routes into the
VPN.
There is no need to define any import policy to advertise VPN IPv6 prefixes when BGP is being used
as a PE-CE routing protocol.
The VRF route-target attribute needs to be set and match in order to import/export routes between
6VPEs.
In our example, we used a route-target value of target:64496:10.
Note: that the core routers (not present in this network) do not run BGP. They use IPv4 MPLS to
switch the packets.
6VPE Verification
Module 5 |
117
After the configuration, both IPv6 networks are visible to each other via the 6VPE routers.
The show router 10 bgp summary command can be used at the PE to verify that the BGP session to
CE is established and that VPN IPv6 routes are exchanged.
Verify that the BGP session to CE is established and VPN IPv6 routes
are exchanged.
Module 5 |
118
The show router bgp summary command can be used at the PE to verify that the MP-BGP session
to 6VPE is established and that VPN IPv6 routes are exchanged.
Module 5 |
119
The VPN IPv6 routes received by PE1 and PE2 can be seen using the show router bgp routes vpnipv6 command.
A:PE2# show router bgp routes vpn-ipv6
=============================================================================
BGP Router ID:10.10.10.2
AS:64496
Local AS:64496
=============================================================================
Legend Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
Origin codes : i - IGP, e - EGP, ? - incomplete, > - best
=============================================================================
BGP VPN-IPv6 Routes
=============================================================================
Flag Network
LocalPref
MED
Nexthop
VPNLabel
As-Path
----------------------------------------------------------------------------u*>i 64496:1:2001:db8:12::/64
100
None
::FFFF:A0A:A01
131070
No As-Path
u*>? 64496:1:2001:db8:1:200::1/128
100
None
::FFFF:A0A:A01
131070
64497
u*>? 64496:1:2001:db8:1:1f1::/64
100
None
::FFFF:A0A:A01
131070
64497
----------------------------------------------------------------------------Routes : 3
Verify that the VPN IPv6 routes are received by PE1 and PE2.
Module 5 |
120
The show router 10 route-table ipv6 command can be used in PE1 and PE2 to verify VPN.
IPv6 routes are learnt via MBGP from the remote 6VPE router.
A:PE2# show router 10 route-table ipv6
=============================================================================
IPv6 Route Table (Service: 1)
=============================================================================
Dest Prefix
Type
Proto
Age
Pref
Next Hop[Interface Name]
Metric
----------------------------------------------------------------------------2001:db8:12::/64
Remote BGP VPN 01h55m11s
170
10.10.10.1 (tunneled)
0
2001:db8:56::/64
Local
Local
00h50m59s
0
toR4
0
2001:db8:1:200::1/128
Remote BGP VPN 01h32m39s
170
10.10.10.1 (tunneled)
0
2001:db8:1:200::2/128
Remote BGP
00h29m21s
170
2001:db8:56::6
0
2001:db8:1:1f1::/64
Remote BGP VPN 01h32m39s
170
10.10.10.1 (tunneled)
0
2001:db8:1:1f2::/64
Remote BGP
00h29m21s
170
2001:db8:56::6
0
----------------------------------------------------------------------------No. of Routes: 6
Verify that the VPN IPv6 routes are learnt via MP-BGP from the
remote 6VPE router and installed in the VRF.
Module 5 |
121
The show router route-table ipv6 command can be used in CE1 and CE2 to verify the VPN.
IPv6 routes are learnt via the PE-CE BGP session and installed in the route table.
The ping command can be used in CE1 to verify that CE2s advertised network is accessible.
A:CE1# ping 2001:db8:1:200::2
PING 2001:db8:1:200::2 56 data bytes
64 bytes from 2001:db8:1:200::2 icmp_seq=1 hlim=62 time=2.80ms.
64 bytes from 2001:db8:1:200::2 icmp_seq=2 hlim=62 time=3.13ms.
64 bytes from 2001:db8:1:200::2 icmp_seq=3 hlim=62 time=2.67ms.
64 bytes from 2001:db8:1:200::2 icmp_seq=4 hlim=62 time=3.82ms.
64 bytes from 2001:db8:1:200::2 icmp_seq=5 hlim=62 time=3.61ms.
---- 2001:db8:1:200::2 PING Statistics ---5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.67ms, avg = 3.21ms, max = 3.82ms, stddev = 0.448ms
Verify that the VPN IPv6 routes are learned via the PE-CE BGP
session and installed in the route table.
Module 5 |
122
The show router bgp routes 64496:1:2001:db8:1:200::2/128 hunt command can be used to verify
that the IPv6 route is learnt via M-BGP over the IPv4 core.
The next-hop for the route is an IPv4-mapped IPv6 route.
This command also displays the VPN label 131069 used for 6VPE (remember from IPv4 MPLS VPNs
that we use platform-based labeling).
Note: that BGP must have a valid next hop for the route before it is installed in the route table. If the
MPLS transport in the VPRN (auto-bind ldp in this case) has not been configured, then the route will
be marked as Invalid and not used by BGP as there is no transport tunnel to the next hop.
Verify that the IPv6 route is learned via M-BGP over the IPv4 core.
AS 64497
Blue VPN Site 1
AS 64499
Red VPN Site 1
BGP
MP-BGP
LDP
Pod 3
Pod 4
BGP
AS 64498
Blue VPN Site 2
AS 64500
Red VPN Site 2
Module 5 |
123
In this lab, students will configure and verify IPv6 VPN (6VPE) routing over IPv4 MPLS infrastructure
with BGP routing between CE and PE.
Pod 2
Pod 1
Module Summary
IES is a routed Layer 3 connectivity service.
IES provides direct Internet access with billing, ingress and egress shaping
and policing capabilities.
Module 5 |
124
PE routers must run traditional routing protocols with the CE and MPLS
protocols with the P routers.
P routers are MPLS-enabled but are not aware of customer VPRNs.
PE routers maintain a separate VRF for each VPRN.
VPRN service uses an MPLS label stack consisting of two labels:
The LSP label defines the forwarding path between PEs.
The VPN label identifies the customer network on the egress PE.
Module 5 |
125
CE routers are not MPLS-enabled and are only configured with traditional
routing protocols.
Module 5 |
126
VPN-IPv4 addresses are carried only across the provider's backbone by the
MP-BGP protocol.
Module 5 |
127
As in IPv4 VPRN, MP-BGP is used to distribute routes from an IPv6 VPN site
to all the other PE routers connected to a site of the same IPv6 VPN.
PEs use VPN routing and forwarding tables (VRFs) to maintain the
reachability and forwarding information for each IPv6 VPN separately.
Module 5 |
128
In 6VPE, the PE routers run a dual stack of IPv4/IPv6 and exchange the
IPv6 routes using MP-BGP.
Learning Assessment
1. Verify whether the following statement is true or false: An IES must
be configured with a SAP and an SDP.
Module 5 |
129
1. Verify whether the following statement is true or false: An IES is configured with a SAP and a SDP.
False
2. Verify whether the following statement is true or false: An IES may configured to either a
SAP or on a network port.
False; it cannot be configured on a network port.
3. When an IES is used to provide a Layer 3 termination for a SAP, what extra configuration is
necessary within the SAP?
No extra configuration is required for the SAP.
4. When an IES is used to terminate the spoke SDP of a VPLS, what extra configuration must be done
on the VPLS side?
No extra configuration is required within the VPLS.
5. When an IES is used to terminate the spoke SDP of a VPLS, what extra configuration must done on
the IES side?
The VC MTU must match on both sides of the spoke SDP, so it will typically be necessary to
define the IP-MTU setting for each interface within the IES.
6. When an IES is used to terminate the spoke SDP of a VPLS, what MAC address appears in the
VPLS FDB for the IES interface?
The MAC address of the IES corresponds to the base chassis MAC address of the IES router.
7. What are the three key functions described in RFC 4364 to provide a
Layer 3 VPN service?
8. What table is used for a VPRN service in PE routers?
10. Contrast between the functions of a PE and P device.
11. How does a VPRN service allow the usage of overlapping customer
addressing?
12. What is the function of a VPN label?
Module 5 |
130
15. What are the different types of CE-PE routing protocols supported for the
VPRN service?
16. Fill in the blanks: A VPN-IPv4 address is a ______byte value consisting of the
_______byte route distinguisher (RD) and the ____ byte IPv4 address prefix.
17. Why are VPN-IPv4 addresses used for a VPRN service?
18. Is there a fixed association between the choice of PE-CE protocols and the
choice of MPLS protocols used in a VPRN network?
Module 5 |
131
14. Fill in the blank: For VPRN services, PE routers exchange the routing
information learnt from all customer sites according to the
_________________ routing protocol.
Module 5 |
132
This appendix is provided as supplementary material for students who did not take the latest IRP course
version. Its material is not part of the services exam.
Appendix IPv6
Appendix Overview
Module 5 |
134
IPv6 addressing
ICMPv6
Configuring IPv6 interfaces on Alcatel-Lucent 7750 SR
IPv6 Addressing
No broadcast address
Solicited-node multicast used instead of broadcast
Module 5 |
135
IPv6 Addressing
Module 5 |
136
Since the IPv6 address is 128 bits, there are a number of conventions used to shorten them as much as
possible.
1. Addresses are written in groups of 4 hex digits, separated by a single colon. For example
2001:0db8:0000:0000:0021:0000:4ab9:0300.
2. One or more groups of zeroes can be replaced by two colons. The number above becomes
2001:0db8::0021:0000: 4ab9:0300.
3. Only one group of zeroes can be replaced with double colons. Otherwise it would not possible to tell
where the zeroes are located. However, leading zeroes in a group can also be omitted. The address
above becomes 2001:db8::21:0: 4ab9:300.
Module 5 |
137
Regular IPv6 unicast addressing uses a fixed structure where 64 bits are defined as the routing prefix
and 64 bits are defined as the interface identifier. For a globally routed address, 48 bits of the routing
prefix are used as the global routing prefix and 16 bits are the local routing prefix (or subnet).
The allocation for globally routed IPv6 addresses is the address space 2000::/3. This represents one
eighth of the entire address space and is all addresses beginning with the bit pattern 001. An ISP is
typically allocated a network assignment of /32 or larger (larger means a smaller prefix such as /31 or 30
and hence a larger network range). An individual enterprise typically receives a /48 or larger. Since a /48
has 16 bits available for the local subnet, this provides 65,536 individual subnets.
The interface ID portion of the address is locally assigned, but can be automatically derived from the 48
bit MAC address. It might also be assigned from a DHCPv6 server, through an auto-discovery
mechanism or manually assigned.
Unicast Addresses
Module 5 |
138
To derive an IPv6 interface ID from the MAC address, the approach is to create a modified EUI-64
(Extended Unique Identifier-64). This involves flipping the 7th most significant bit of the OUI
(Organizationally Unique Identifier) and inserting the hex string ff:fe between the 3 bytes of the OUI and
the 3 bytes of the NIC-specific component.
For example, assume an organization is assigned the prefix 2001:db8/48. The organization has 16 bits
for subnetting. Perhaps they have 30 locations and decide to assign the first 8 bits based on the location
and the next 8 on the subnet at that location. Subnet 10 at location 3 gives a subnet value of 030a, for a
routing prefix of 2001:db8:0:30a::/64. With the modified EUI-64 assignment, the host with MAC address
00:16:4d:13:5c:ae has an interface ID of 0216:4dff:fe13:5cae. The resulting IPv6 address is
2001:db8::30a:216:4dff:fe13:5cae.
Module 5 |
139
There are a number of other unicast addresses in IPv6 that have special meaning.
::/128 is the unspecified host address (all zeroes). This address might be used until an address is
assigned to the device.
::1/128 is the loopback address (all zeroes except the last bit). This corresponds to the address
127.0.0.1 in IPv4.
::/0 is the default unicast route (the same as 0.0.0.0/0 in IPv4).
fe80::/64 is the prefix for the link-local address (binary 1111111010 followed by 54 zeroes). IPv6
requires that every IPv6 interface have a link-local address. This is not a valid routing prefix and is only
used for communications on the local link.
Typically the link-local interface ID is assigned the same value as the global interface ID which means
using the modified EUI-64 address. For the global address 2001:db8:0:30a:216:4dff:fe13:5cae, the link
local address would be fe80::216:4dff:fe13:5cae.
fc00::/7 defines a range known as Unique Local Addresses (ULA, RFC 4193). These are addresses
intended to be used on a private network and not routed on the global Internet (similar to private
addresses in IPv4). The ULA range is split into two ranges, depending on the value of the eighth bit.
fd00::/8 is intended to be used as a 48-bit prefix with the remaining 40 bits self-assigned using a
pseudo-random generator. This means that even though addresses are self-assigned, the probability of
two networks sharing the same prefix is very small. This is intended to make it easier to interconnect
privately-addressed networks.
fc00::/8 addresses are intended to have the remaining 40 bits allocated by a registrar to provide
globally unique private addresses, although the mechanism is yet to be defined (draft-hain-ipv6-ulac-02)
at the time of writing.
::ffff:0:0/96 is a prefix for IPv4-mapped IPv6 addresses. This provides an IPv6 address space that can
be used by native IPv4 applications. It is acceptable to use the standard IPv4 notation for the low order
32 bits of the address. For example 192.168.0.1 is mapped to the IPv6 address ::ffff:0:0:192.168.0.1.
Module 5 |
140
All IPv6 multicast addresses have an 8 bit prefix of all ones (ff00::/8) followed by 4 flag bits and 4 bits
that define the multicast scope. For general multicast addresses, the remaining 112 bits define the
multicast group.
Some well known IPv6 multicast addresses are:
ff02::1 - All routers on the local link.
ff02::2 - All routers on the local link.
ff02::1:2 - All DHCPv6 servers and relays on the local link.
Module 5 |
141
IPv6 also defines a group of multicast addresses called solicited-node multicast. The sixteen bits of the
prefix, flags and scope are followed by 79 zeroes and 9 ones. The remaining 24 bits are taken from the
last 24 bits of the unicast address (or addresses) that is being solicited. If the destination router has the
address 2001:db8::30a:216:4dff:fe13:5cae, then the solicited-node multicast address becomes
ff02::1:ff13:5cae.
The IEEE provides the range of multicast addresses of 03-03-xx-xx-xx-xx for IPv6, where the xx-xx-xxxx string is the 32 low-order bits of the multicast IP address. Each IPv6 node on Ethernet automatically
joins the multicast groups corresponding to their solicited-node address and the all-routers address.
Thus, the host in this example will receive the Ethernet multicast groups:
03-03-ff-13-5c-ae and
03-03-00-00-00-01
The use of solicited-node multicast for host address resolution is described in the ICMPv6 section.
Anycast Addresses
Module 5 |
142
Anycast addresses are used in limited situations in IPv4, but IPv6 formally incorporates the concept of
an anycast addresses. Think of an anycast address as a virtual unicast address shared by multiple
hosts. An IPv6 packet sent to an anycast address is routed to the nearest reachable host assigned the
anycast address. This is a useful mechanism for providing a redundant service, such as a DNS server.
An anycast address can be formed from any unicast address. In addition, RFC 2526 defines a range of
anycast addresses to be reserved on every subnet for well-known services. This range is the highest
128 interface addresses on the subnet. These addresses must never be assigned as unicast addresses.
Its similar to the concept in IPv4 of reserving the highest address as the broadcast address on a subnet,
except that a range of 128 addresses (from 0 to 127) is reserved for anycast in IPv6. To date, only one
address in this range has been assigned - the value 126, for Mobile IPv6 Home Agents.
Module 5 |
143
Despite the significant differences in addressing, IPv6 has many similarities to IPv4 - its actually a fairly
conservative revision of the protocol. The forwarding mechanism is essentially the same as in IPv4.
Packets are forwarded hop-by-hop based on a lookup in the forwarding table for the longest prefix
match. This provides the next hop for forwarding the packet. The IPv6 header has some significant
changes that simplify the forwarding process compared to IPv4.
The main changes in the forwarding process are:
- No header length field to process since the IPv6 header is a fixed length.
-No checksum calculations. In IPv4 the header checksum is verified and recalculated at each hop since
the TTL value changes at each hop. IPv6 relies on the error checking performed by
Layer 2 and the error checking of upper layer protocols.
- No fragmentation operations to perform
IPv6 Header
Module 5 |
144
Version As in IPv4 this field contains the protocol version number, in this case the value 6.
Traffic Class Similar to the TOS (Type of Service) field in IPv4, this value is used for prioritizing the
treatment of traffic. The first 6 bits are to be interpreted as the Differentiated Services Code Point
(DSCP) defined in RFC 2474 and the last two as Explicit Congestion Notification defined in RFC 3168.
Flow Label This field has no counterpart in IPv4. It can be used to indicate that this packet belongs to
a specific data flow of an upper layer protocol or application. This could be used as a simple
classification mechanism by an intermediate router to identify all the packets belonging to a specific
application, for example. The use of this field is defined in RFC 3697.
Payload Length Similar to the IPv4 total length field except that this field indicates payload length
only. Since this is a 16 bit field, the maximum size of a regular size IPv6 packet is 65,535 bytes plus
headers. A larger size field in the hop-by-hop options extension header provides for jumbograms up to
a maximum of 232 - 1 bytes.
Next Header This corresponds to the Protocol field in IPv4. In IPv6 it is also used to indicate that
there are extension headers in use. An IPv6 packet may have 0 or multiple extension headers. The
value in this field in the last extension header indicates the upper layer protocol carried in the packet.
Hop Limit This is the same as the TTL field in IPv4, although it is considered strictly a hop count in
IPv6. The value is decremented by each router. If the value reaches zero the packet is discarded and an
ICMPv6 message is sent to the source.
Source and Destination Address These fields have the same meaning as in IPv4, except that each
requires 128 bits in IPv6.
Value
0
6
17
41
43
44
50
51
58
59
60
Description
IPv6 Hop-by-hop options
Upper layer protocol TCP
Upper layer protocol UDP
IPv6 Encapsulation header (tunneling)
Routing extension header
Fragment extension header
Encapsulating Security Payload (ESP)
Authentication Header (AH)
ICMPv6
IPv6 No next header
Destination options
Module 5 |
145
In general, only the IPv6 header is used by intermediate routers for forwarding, and the extension
headers are only processed at the destination. The exception is the hop-by-hop options header that
must be processed by each intermediate router. Therefore, if it exists, it must be the first extension
header after the IPv6 header. The extension headers described below must be supported by all IPv6
routers.
Hop-by-hop options These are a grouping of options that must be processed by intermediate
routers. These include the option for jumbograms (RFC 2675) and the Router Alert option (RFC 2711).
Routing extension header This provides the ability for source routing. RFC 2460 defines a Type 0
routing header (RH0) for loose source, but this was deprecated in RFC 5095 because of security
concerns. Mobility support in IPv6 (RFC 3775) defines a Type 2 routing header (RH2).
Fragment extension header IPv6 routers do not fragment IPv6 packets, but the fragment extension
header allows the source router to fragment packets in case the payload supplied by the upper layer
protocol is too large for the link or path MTU. This should not be a common occurrence.
ESP header The ESP header (RFC 2402) is an IPsec header that provides security for IPv6 and
IPv4. ESP provides authentication, data integrity and data confidentiality for all fields after the ESP
header, but not for the IPv6 header.
AH header The AH header (RFC 2406) is an IPsec header that provides authentication for IPv6 and
IPv4. AH provides authentication and data integrity services for the entire packet, except for the fields of
the header that might change in transit (Traffic Class, Flow Label and Hop Limit).
Destination options The destination extension header defines options that are to be examined only
by the destination router. Mobility support in IPv6 (RFC 3775) defines a Type 201 destination option for
carrying the Home Address of a mobile router.
Except for the hop-by-hop options header, the extension headers have no impact of the forwarding of
IPv6 packets and are not discussed any further in this course.
Module 5 |
146
The ICMPv6 header is similar to ICMPv4. The meaning of each field is described below:
Type The 8-bit type field indicates the type of ICMPv6 message.
Code Similar to IPv4, a specific ICMPv6 message type may (or may not) have a number of codes
defined to further define the nature of the message.
Checksum A 16-bit checksum of the ICMPv6 message, plus the IPv6 pseudo-header (includes the
source address, destination address, length and next header fields of the IPv6 header).
Message The contents of the message body varies, depending on the type of message.
ICMPv6
Destination Unreachable
Time Exceeded
4
127
Parameter Error
Reserved for expansion of ICMPv6 error messages
128
Echo Request
129
Echo Reply
130
131
132
133
Router Solicitation
134
Router Advertisement
135
Neighbor Solicitation
136
Neighbor Advertisement
137
Redirect Message
255
Module 5 |
147
For the type value, the range 0 to 127 (high order bit zero) is used for error messages. The range 128 to
255 (high order bit one) is used for informational messages (anything other than an error message).
Some of the different ICMPv6 message types are shown above. At present (2011) the IANA has
allocated all the values from 128 thru 154.
Some of the ICMPv6 message types are described in more detail below:
Destination Unreachable Generated when the packet could not be routed to the destination or the
upper layer protocol. Code values 0 thru 6 are defined.
Packet Too Big Generated when the MTU of the forwarding interface is too small for the packet to
be forwarded. This message is used for path MTU discovery, which should be supported by IPv6
routers.
A sender will initially choose its link MTU as the path MTU. If this is too large for transmission to the
destination, the sender will receive a Packet Too Big message with the MTU of the smaller link. The
sender will reset the path MTU to the MTU of the smaller link and will continue in this way until no more
Packet Too Big messages are received. If the path to the destination changes during a session and a
Packet Too Big message is received, the sender resets the path MTU to this value.
When the path MTU is smaller than the local link MTU, the sender may periodically (every 10 minutes is
recommended) send a packet at the size of the link MTU to determine whether the path MTU can be
increased. A sender that does not support path MTU discovery should always use the minimum IPv6
MTU of 1280 for its transmissions.
Time Exceeded Generated if the hop limit is exceeded or the time to reassemble a packet at the
destination is exceeded (60 seconds).
Parameter Error Generated if an unknown or illegal parameter is found in the header, such as an
unknown value in the Next Header field.
Echo Request, Echo Reply A program such as ping will send an Echo Request to a destination
router. The destination should respond with an Echo Reply message.
Type
Module 5 |
148
The neighbor discovery (ND) protocol for IPv6 (RFC 4861) provides the capabilities handled in IPv4 by
ARP, router discovery and router redirect and quite a few additional capabilities as well. The functions
handled by ND are:
Router discovery Find routers on a link.
Prefix discovery Find the address prefixes for a link.
Parameter discovery Find link parameters such as MTU or hop Limit.
Address autoconfigurationMechanism that allows an interface to configure its own address (defined
in RFC 4862).
Address resolution Resolve a destination IP address to a link layer address.
Next-hop determination Map an IP address into the next-hop address that the packet should be
sent to.
Neighbor unreachability detection Mechanism to determine that the neighbor is no longer
reachable. If this is the default router, the host can change its default to another router.
Duplicate address detection Mechanism to identify duplicate addresses on the link.
Redirect Allow a router to inform a host of a better next hop to a destination.
Description
Module 5 |
149
ND uses five different ICMPv6 messages to perform the functions described above. The messages are:
Router Solicitation (Type 133) When a host becomes active on a link it can send a Router
Solicitation to ask for a Router Advertisement immediately.
Router Advertisement (Type 134) Routers advertise their presence and link parameters periodically
with Router Advertisement messages. This information can include link MTU, link prefixes and route
information.
Neighbor Solicitation (Type 135) Used by a router to determine the link address on a neighbor, or
to verify that the neighbor is still reachable. If the link address is unknown, the message is sent to the
solicited node multicast address. Since this address is formed with the last 24 bits of the IP address, it is
unlikely that there will be more than one router with the address. This makes the protocol much less
disruptive than ARP. If the router is verifying a known link address, the message is sent to the unicast
address.
Neighbor Advertisement (Type 136) Response to a Neighbor Solicitation sent to the unicast
address. A router may also send an unsolicited Neighbor Advertisement to announce a link address
change.
Redirect (Type 137) Sent by a router to inform a host of a better next hop address.
Type Message
Module 5 |
150
Neighbor Discovery replaces the ARP protocol in IPv4. A device that wants to resolve an IPv6 address
to a MAC address sends a Neighbor Solicitation message containing the IPv6 address. This message is
sent to the solicited node multicast address formed from the desired unicast address. The neighbor that
has this unicast address is likely the only one listening to this multicast group. It responds with a
Neighbor Advertisement message containing its MAC address. ND is more efficient than ARP since
other hosts on the network do not have to process a broadcast message.
The flags in the Neighbor Advertisement message have the following meaning:
Router The advertisement message was sent by a router.
Solicited The advertisement was sent in response to a Neighbor Solicitation message.
Override The advertisement should override an existing cache entry.
*A:R1#
*A:R1# configure
configure system
system chassis-mode
chassis-mode cc force
force
*A:R1#
*A:R1# configure
configure router
router
*A:R1>config>router#
*A:R1>config>router# interface
interface "toR2"
"toR2" ipv6
ipv6
*A:R1>config>router
if>ipv6# exit
exit
*A:R1>config>router>>if>ipv6#
*A:R1>config>router#
*A:R1>config>router# interface
interface "toR3"
"toR3" ipv6
ipv6
*A:R1>config>router>if>ipv6#
*A:R1>config>router>if>ipv6# exit
exit
*A:R1>config>router#
*A:R1>config>router# interface
interface "system"
"system" ipv6
ipv6
*A:R1>config>router>if>ipv6#
*A:R1>config>router>if>ipv6# address
address 2001:db8:1:100::1/128
2001:db8:1:100::1/128
*A:R1>config>router>if>ipv6#
*A:R1>config>router>if>ipv6# exit
exit
Module 5 |
151
Configuring IPv6 interfaces and routing for IPv6 is very similar to configuration of IPv4. The most
obvious difference is the use of IPv6 addresses. IPv6 and IPv4 can be configured in parallel on the
same network.
In order to use IPv6 on the Alcatel-Lucent 7750 SR, you must first enable chassis mode c or higher.
IPv6 is only supported on IOM2s or newer. As soon as we enable IPv6 on the interface, a link local
address is automatically assigned based on the modified EUI-64 address. If its not necessary to route to
the interfaces, we dont need to assign them global routing addresses - we can simply use the link local
addresses.
In this example, the enterprise has been allocated a prefix from their service provider, 2001:db8:1::/48.
The enterprise decides to subnet the prefix using the first 8 bits to identify a specific location and the
second 8 bits to identify subnets at that location. The router in this example is at location 01. System
interfaces are addressed using subnet 00 at all locations. The system address for this router is thus
2001:db8:1:100::1/128, which is assigned to the system interface.
Interface Verification
===============================================================================
===============================================================================
Interface
Interface Table
Table (Router:
(Router: Base)
Base)
===============================================================================
===============================================================================
Interface-Name
Adm
Opr(v4/v6)
Port/SapId
Interface-Name
Adm
Opr(v4/v6) Mode
Mode
Port/SapId
IP-Address
PfxState
IP-Address
PfxState
------------------------------------------------------------------------------------------------------------------------------------------------------------system
Up
Up/Up
Network
system
Up
Up/Up
Network system
system
10.10.10.1/32
n/a
10.10.10.1/32
n/a
2001:DB8:1:100::1/128
PREFERRED
2001:DB8:1:100::1/128
PREFERRED
toR2
Up
Up/Up
Network
1/1/1
toR2
Up
Up/Up
Network 1/1/1
10.1.2.1/27
n/a
10.1.2.1/27
n/a
FE80::225:BAFF:FE30:7908/64
PREFERRED
FE80::225:BAFF:FE30:7908/64
PREFERRED
toR3
Up
Up/Up
Network
toR3
Up
Up/Up
Network 1/1/3
1/1/3
10.1.3.1/27
n/a
10.1.3.1/27
n/a
FE80::225:BAFF:FE30:790A/64
PREFERRED
FE80::225:BAFF:FE30:790A/64
PREFERRED
------------------------------------------------------------------------------------------------------------------------------------------------------------Interfaces
Interfaces :: 33
===============================================================================
===============================================================================
Module 5 |
152
The interfaces have already been configured with IPv4 addresses. You can see that the link local
address was formed from the MAC address of the interfaces. The router is running both IPv4 and IPv6
and the interfaces are up for both protocols.
IPv6 defines state for prefixes. They can be tentative, preferred, duplicated or deprecated. An address
should be preferred, which means it can be used without restrictions. An IPv6 interface performs
duplicate address detection and the state of the prefix is Tentative until the address has been confirmed
as unique.
*A:R1>config>router#
*A:R1>config>router# show
show router
router interface
interface
===============================================================================
===============================================================================
IPv6
IPv6 Route
Route Table
Table (Router:
(Router: Base)
Base)
===============================================================================
===============================================================================
Dest
Prefix
Type
Proto
Age
Pref
Dest Prefix
Type
Proto
Age
Pref
Next
Metric
Next Hop[Interface
Hop[Interface Name]
Name]
Metric
------------------------------------------------------------------------------------------------------------------------------------------------------------2001:DB8:1:100::1/128
Local
00h08m56s
2001:DB8:1:100::1/128
Local Local
Local
00h08m56s 00
system
00
system
------------------------------------------------------------------------------------------------------------------------------------------------------------No.
No. of
of Routes:
Routes: 11
===============================================================================
===============================================================================
*A:R1>config>router#
*A:R1>config>router#
Module 5 |
153
The interfaces have already been configured with IPv4 addresses. You can see that the link local
address was formed from the MAC address of the interfaces. The router is running both IPv4 and IPv6
and the interfaces are up for both protocols.
*A:R1>config>router#
*A:R1>config>router# show
show router
router route-table
route-table ipv6
ipv6
Module 5 |
154
3FL-30636-AAAA-ZZZZA Edition 01
www.alcatel-lucent.com/src