VPLS Configuration Case Studies
The feature requirements for VPLS originated from service providers that were deploying Metro Ethernet services and wanted to extend the coverage beyond the boundary of a metro using their WAN infrastructure. As part of the Cisco Metro Ethernet service portfolio, the integrated VPLS solution in Cisco IOS fulfills such requirements.
This section describes how to configure VPLS on a Cisco router. The case studies that are commonly seen in Metro Ethernet deployment, which are by no means exhaustive, can help you further understand the Cisco VPLS solution. Configuration examples in this section are based on the Cisco 7600 series router. Refer to Cisco.com to obtain the information on the latest platform and hardware support.
Case Study 15-1: Basic Configuration
Before you configure VPLS, you need to ensure that IP routing and MPLS forwarding are configured properly and that the minimal Layer 2 VPN connectivity requirements are met:
Every PE router has a loopback interface that is configured with an IP address and a /32 network mask. This address is used as the Router ID in LDP signaling for the PE router.
PE routers have IP connectivity to each other, and the IP routing tables contain those host routes that were previously configured on the loopback interfaces. This ensures that you can establish the LDP sessions for pseudowire signaling. You can verify the reachability for the host routes by using the show ip route command.
PE routers have MPLS label switched paths (LSPs) for those host routes. This ensures that MPLS encapsulated pseudowire packets are not sent to a black hole caused by a broken LSP. You can verify this by using the show mpls forwarding-table command.
The next few sections discuss the tasks involved for baseline VPLS configuration, demonstrate with a complete example, and verify the configuration results.
Configuring Attachment Circuit
Attachment circuits that are used in VPLS can be Layer 2 switch-port interfaces, Gigabit Ethernet interfaces on intelligent line cards, or other interfaces with bridged encapsulation. Because of the low cost and high port density, Layer 2 switchport interfaces are the most commonly deployed attachment circuits.
Before going into the configuration steps for Layer 2 switchport interface, it is necessary to explain the difference and the correlation between a service-delimiting VLAN tag and an internal VLAN tag. Chapter 6 introduced the concept of a service-delimiting VLAN tag. To recap, service providers use service-delimiting VLAN tags to identify different types of customer traffic. Because a service-delimiting VLAN tag usually has only local significance, it is removed at the ingress PE router. The egress PE router might have a different service-delimiting VLAN tag, which is added to the packets that are sending to a CE router.
An internal VLAN tag identifies a bridge domain on a PE router. In the context of VPLS, it is the virtual switch. Conceptually, service-delimiting VLAN tags and internal VLAN tags are two independent entities. A bridge domain, represented by an internal VLAN tag, might have multiple attachment circuits, where each is provisioned with a different service-delimiting VLAN tag. Such independence allows service providers to offer multiple value-added services to a single VPLS customer using the same physical connection. Currently, this provisioning model is available only on interfaces of high-end intelligent access line cards.
Traffic from VPLS customers does not always have service-delimiting VLAN tags, such as untagged customer traffic. In addition, having an 802.1q VLAN tag in the packet does not automatically make it a service-delimiting VLAN tag. Later in this section, you will study the characteristics of a service-delimiting VLAN tag and an internal VLAN tag when used in different switchport modes of the Layer 2 switchport interface.
A Layer 2 switchport interface can operate in one of three mutually exclusive switchport modes. The following list recaps how each mode is used in normal bridging applications:
access: The interface sends and accepts untagged Ethernet packets only. Tagged Ethernet VLAN packets are dropped.
trunk: The interface sends and receives tagged Ethernet VLAN packets and native VLAN packets.
dot1q-tunnel: Any packet, tagged or untagged, is forwarded through a QinQ tunnel. A QinQ tunnel is identified by the access VLAN tag that is configured on the Layer 2 switchport interface. The access VLAN tag is added to the packet at the ingress tunnel interface and removed at the egress tunnel interface, which means that the VLAN tags must be identical at both interfaces for a given QinQ tunnel.
In VPLS, the switchport modes work in a similar fashion from an end user's perspective, but some of the internal operations vary slightly.
The following configuration steps highlight how service-delimiting VLAN tags and internal VLAN tags are used in each switchport mode.
Configuring the Access Mode
The access mode in VPLS is identical to that in normal bridging. Only untagged Ethernet packets are sent and received on the Layer 2 switchport interface, and the Ethernet header is sent over the pseudowire unmodified because no service-delimiting VLAN tag exists. You can configure the access mode as follows:
The interface configuration after these steps is shown in Example 15-1.
Example 15-1. Access Mode Interface Configuration
interface FastEthernet4/3
no ip address
switchport
switchport access vlan 2
switchport mode access
Configuring the Trunk Mode
When you configure a Layer 2 switchport interface as trunk mode in VPLS, the VLAN tag maps packets received from a CE router to a bridge domain. In other words, the VLAN tag in the customer traffic is considered the service-delimiting VLAN tag. A Layer 2 switchport interface does not support a configurable service-delimiting VLAN tag; therefore, the service-delimiting VLAN tag has to match the internal VLAN tag of the bridge domain for a given VPLS customer. Because the trunk mode supports multiple VLAN tags, traffic of different VPLS customers can be sent and received over a Layer 2 switchport interface.
In trunk mode, a PE router removes the service-delimiting VLAN tag on the Ethernet header before applying the pseudowire encapsulation. For the opposite direction, a PE applies the internal VLAN tag to the Ethernet header after the pseudowire encapsulation is removed from the pseudowire packet. Use the following steps to configure the trunk mode on a Layer 2 switchport interface:
Example 15-2 shows the interface configuration after you complete the steps for the trunk mode.
Example 15-2. Trunk Mode Interface Configuration
interface FastEthernet4/3
no ip address
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-10
switchport mode trunk
Configuring dot1q-tunnel Mode
QinQ tunneling is an Ethernet native tunneling mechanism that stacks VLAN tags together in a similar fashion to the MPLS labels. The outer VLAN tag that is added at the tunnel ingress interface is the access VLAN tag that is configured on the Layer 2 switchport interface. The purpose of the outer VLAN tag is similar to that of the tunnel label in an MPLS-encapsulated pseudowire packet. The outer VLAN tag is to forward the packet from the ingress tunnel endpoint to the egress tunnel endpoint and hide the inner VLAN tag from the transit network.
In VPLS, the transit network is an MPLS network, and a tunnel label is used to move packets from the LSP ingress endpoint to the egress endpoint. Because the function of an outer VLAN tag is effectively replaced by an MPLS tunnel label, the outer VLAN tag is no longer added to the Ethernet header when the Layer 2 switchport interface is configured as dot1q-tunnel mode. That is the main difference in the way dot1q-tunnel mode operates in VPLS versus normal bridging.
The following is an example of configuring a Layer 2 switchport interface as dot1q-tunnel mode:
Step 1. Configure the interface as a switchport.
Step 2. Configure the switchport as dot1q-tunnel mode.
Step 3. Assign the Layer 2 switchport interface to a bridge domain, which is represented by an internal VLAN tag.
The interface configuration for dot1q-tunnel mode is shown in Example 15-3.
Example 15-3. dot1q-tunnel Mode Interface Configuration
interface FastEthernet4/3
no ip address
switchport
switchport access vlan 2
switchport mode dot1q-tunnel
Layer 2 switchport interfaces are the predominant interface type in VPLS deployment, and new attachment circuit types are being added as the VPLS solution is being enhanced. Refer to Cisco.com to obtain the latest attachment circuit support.
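To make the tag handling of the three switchport modes concrete, the following is an added example (not code from the book or from Cisco IOS): a simplified model of what a PE's Layer 2 switchport does with the service-delimiting VLAN tag in the CE-to-PE direction and with the internal VLAN tag in the PE-to-CE direction. The Frame and Switchport types, the native VLAN handling on a trunk, and the untagged egress for the native VLAN are assumptions made for the model; the behaviour for tagged frames follows the descriptions of access, trunk and dot1q-tunnel mode above.

```python
# Added example (not from the book or Cisco IOS): a simplified model of how a
# PE's Layer 2 switchport handles the service-delimiting VLAN tag in each of
# the three switchport modes before and after pseudowire encapsulation.
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    """Simplified Ethernet frame; vlan is the 802.1Q tag on the wire, None if untagged."""
    dst: str
    src: str
    vlan: Optional[int]
    payload: bytes = b""


@dataclass(frozen=True)
class Switchport:
    mode: str                                    # "access", "trunk" or "dot1q-tunnel"
    access_vlan: int = 1                         # 'switchport access vlan'
    native_vlan: int = 1                         # 'switchport trunk native vlan' (assumed default 1)
    allowed_vlans: FrozenSet[int] = frozenset()  # 'switchport trunk allowed vlan'


def ingress(port: Switchport, frame: Frame) -> Tuple[Optional[int], Optional[Frame]]:
    """CE -> PE direction. Returns (internal VLAN / bridge domain, frame handed to
    the pseudowire), or (None, None) when the port drops the frame."""
    if port.mode == "access":
        if frame.vlan is not None:
            return None, None                    # tagged frames are dropped in access mode
        return port.access_vlan, frame           # no service-delimiting tag; header untouched
    if port.mode == "trunk":
        # The wire tag is the service-delimiting tag. On a switchport it is not
        # configurable, so it must equal the internal VLAN of the bridge domain.
        tag = port.native_vlan if frame.vlan is None else frame.vlan
        if tag not in port.allowed_vlans:
            return None, None
        return tag, replace(frame, vlan=None)    # tag removed before PW encapsulation
    if port.mode == "dot1q-tunnel":
        # Tagged or untagged, the frame enters the bridge domain of the access VLAN.
        # Unlike normal QinQ, no outer tag is pushed: the MPLS tunnel label already
        # carries the frame to the egress PE.
        return port.access_vlan, frame
    raise ValueError(f"unknown switchport mode {port.mode!r}")


def egress(port: Switchport, bridge_domain: int, frame: Frame) -> Frame:
    """PE -> CE direction, after the pseudowire encapsulation has been removed."""
    if port.mode == "trunk":
        if bridge_domain == port.native_vlan:
            return replace(frame, vlan=None)     # assumed: native VLAN leaves untagged
        return replace(frame, vlan=bridge_domain)  # internal VLAN tag re-applied
    return frame                                 # access and dot1q-tunnel: header unmodified
```

The model makes the consequence of the trunk-mode restriction visible: a customer frame tagged with a VLAN that is not in the allowed list never reaches a bridge domain, while in dot1q-tunnel mode every frame, whatever its tag, lands in the single bridge domain selected by the access VLAN.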
Configuring VFI
When you configure AToM or L2TPv3 pseudowire emulation, the pseudowire portion of the configuration is done from the attachment circuit configuration mode. For example, interface mode is used for PPP and HDLC pseudowires, PVC mode for ATM AAL5, and connect mode for Frame Relay data-link connection identifier (DLCI). This implicitly builds the one-to-one mapping between an attachment circuit and a pseudowire.
VPLS needs to build a many-to-many mapping for each VPLS domain. For the pseudowire portion of the configuration, VPLS uses the VFI configuration mode to specify a set of pseudowires and associated properties for a given VPLS domain. Before you enable any other command, the VFI needs to be configured with a VPN ID. As explained earlier in the "VPLS Signaling" section, a VPN ID identifies a VPLS domain throughout the network. It is encoded in the Pseudowire ID field of the protocol messages. The VFI configuration mode also specifies the addresses of the peering PE routers, the type of pseudowire signaling, and the encapsulation method for each peer.
The following steps show an example of configuring a VFI:
Note
Currently, the manual mode is the only provisioning option available for multipoint VFI. When an autodiscovery mechanism is introduced for VPLS in the future, a VFI can be provisioned automatically.
Example 15-4 shows an example of a VFI configuration.
Example 15-4. VFI Configuration
l2 vfi blue manual
vpn id 100
neighbor 10.0.0.2 encapsulation mpls
neighbor 10.0.0.3 encapsulation mpls
neighbor 10.0.0.4 encapsulation mpls
Associating Attachment Circuits to the VFI
The final step in building the many-to-many mapping involves how to associate attachment circuits to a VFI in configuration.
In the switchport mode configuration steps, a bridge domain or an internal VLAN is assigned to attachment circuits for a given VPLS domain. For example, Layer 2 switchport interfaces in access and dot1q-tunnel mode use the command switchport access vlan to specify the bridge domain explicitly. Those in trunk mode use the service-delimiting VLAN tags instead.
You can view a VLAN interface as a virtual interface representation of a bridge domain. By associating the VFI under the VLAN interface configuration mode, the many-to-many association is finally accomplished. To configure the VFI under a VLAN interface, use the following steps:
The next section shows the complete configuration example and ways to verify whether it is working.
Configuration Example
With the basic VPLS configuration building blocks, network operators can construct fairly sophisticated multipoint Layer 2 VPNs. Figure 15-7 shows an example of a full-mesh VPLS Layer 2 VPN with four CE routers of the same VPLS customer.
Figure 15-7. VPLS Configuration Example
To illustrate the flexibility of how you can connect CE devices, the configuration example uses different switchport modes and service-delimiting VLAN tags on each PE router as follows:
CE1 sends and receives untagged Ethernet packets, that is, packets with null service-delimiting VLAN tags. PE1 configures the switchport mode as dot1q-tunnel to forward packets that have an unmodified Ethernet header. The internal VLAN that is associated with the switchport is 2.
CE2 sends and receives tagged Ethernet VLAN packets of which the service-delimiting VLAN tag is 4. PE2 configures the switchport mode as a trunk to remove or add the service-delimiting VLAN tag accordingly. The internal VLAN that is associated with the switchport is 4.
CE3 sends and receives untagged Ethernet packets, that is, packets with null service-delimiting VLAN tags. PE3 configures the switchport mode as access to forward all untagged packets. The internal VLAN that is associated with the switchport is 8.
CE4 sends and receives tagged Ethernet VLAN packets of which the service-delimiting VLAN tag is 10. PE4 configures the switchport mode as a trunk to remove or add the service-delimiting VLAN tag accordingly. The internal VLAN that is associated with the switchport is 10.
Example 15-5 shows the configuration on PE1.
Example 15-5. PE1 Configuration
hostname PE1
!
mpls label protocol ldp
mpls ldp logging neighbor-changes
mpls ldp router-id Loopback0
!
l2 vfi l2vpn manual
vpn id 1
neighbor 10.0.0.2 encapsulation mpls
neighbor 10.0.0.3 encapsulation mpls
neighbor 10.0.0.4 encapsulation mpls
!
interface Loopback0
ip address 10.0.0.1 255.255.255.255
!
interface POS3/1
ip address 10.0.1.1 255.255.255.252
mpls ip
!
interface FastEthernet4/2
no ip address
switchport
switchport access vlan 2
switchport mode dot1q-tunnel
!
interface Vlan2
no ip address
xconnect vfi l2vpn
Example 15-6 shows the configuration on PE2.
Example 15-6. PE2 Configuration
hostname PE2
!
mpls label protocol ldp
mpls ldp logging neighbor-changes
mpls ldp router-id Loopback0
!
l2 vfi l2vpn manual
vpn id 1
neighbor 10.0.0.1 encapsulation mpls
neighbor 10.0.0.3 encapsulation mpls
neighbor 10.0.0.4 encapsulation mpls
!
interface Loopback0
ip address 10.0.0.2 255.255.255.255
!
interface POS3/1
ip address 10.0.2.1 255.255.255.252
mpls ip
!
interface FastEthernet4/2
no ip address
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 4
switchport mode trunk
!
interface Vlan4
no ip address
xconnect vfi l2vpn
Example 15-7 shows the configuration on PE3.
Example 15-7. PE3 Configuration
hostname PE3
!
mpls label protocol ldp
mpls ldp logging neighbor-changes
mpls ldp router-id Loopback0
!
l2 vfi l2vpn manual
vpn id 1
neighbor 10.0.0.1 encapsulation mpls
neighbor 10.0.0.2 encapsulation mpls
neighbor 10.0.0.4 encapsulation mpls
!
interface Loopback0
ip address 10.0.0.3 255.255.255.255
!
interface POS3/1
ip address 10.0.3.1 255.255.255.252
mpls ip
!
interface FastEthernet4/2
no ip address
switchport
switchport access vlan 8
switchport mode access
!
interface Vlan8
no ip address
xconnect vfi l2vpn
Example 15-8 shows the configuration on PE4.
Example 15-8. PE4 Configuration
hostname PE4
!
mpls label protocol ldp
mpls ldp logging neighbor-changes
mpls ldp router-id Loopback0
!
l2 vfi l2vpn manual
vpn id 1
neighbor 10.0.0.1 encapsulation mpls
neighbor 10.0.0.2 encapsulation mpls
neighbor 10.0.0.3 encapsulation mpls
!
interface Loopback0
ip address 10.0.0.4 255.255.255.255
!
interface POS3/1
ip address 10.0.4.1 255.255.255.252
mpls ip
!
interface FastEthernet4/2
no ip address
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10
switchport mode trunk
!
interface Vlan10
no ip address
xconnect vfi l2vpn
You can examine the VFI using the command show vfi (see Example 15-9).
Example 15-9. Verifying the VFI Status
PE1#show vfi l2vpn
VFI name: l2vpn, state: up
Local attachment circuits:
Vlan2
Neighbors connected via pseudowires:
10.0.0.2 10.0.0.3 10.0.0.4
Table 15-1 lists the MAC addresses that are associated with each CE router. When a CE router also functions as an Ethernet switch, it bridges customer Ethernet traffic toward the attached PE router. In that scenario, the PE router learns multiple source MAC addresses from the CE router.
Table 15-1. CE Router MAC Addresses
CE Router | MAC Address
CE1 | 000b.5fb5.0080
CE2 | 000b.5fad.e580
CE3 | 000b.5fb1.5780
CE4 | 000b.5fb1.5480
After full connectivity is established among all CE routers, every PE router should learn all MAC addresses from the CE routers. To verify the learning process on each PE router, use the command show mac-address-table vlan, as shown in Example 15-10.
Example 15-10. Verifying the Learning Process on Each PE Router
PE1#show mac-address-table vlan 2
Legend: * - primary entry
vlan mac address type learn ports
------+---------------+-------+-----+-----------------------
* 2 000b.5fb5.0080 dynamic Yes Fa4/2
* 2 000b.5fad.e580 dynamic Yes
* 2 000b.5fb1.5780 dynamic Yes
* 2 000b.5fb1.5480 dynamic Yes
PE2#show mac-address-table vlan 4
Legend: * - primary entry
vlan mac address type learn ports
------+----------------+-------+-----+-----------------------
* 4 000b.5fb5.0080 dynamic Yes
* 4 000b.5fad.e580 dynamic Yes Fa4/2
* 4 000b.5fb1.5780 dynamic Yes
* 4 000b.5fb1.5480 dynamic Yes
PE3#show mac-address-table vlan 8
Legend: * - primary entry
vlan mac address type learn ports
------+----------------+-------+-----+-----------------------
* 8 000b.5fb5.0080 dynamic Yes
* 8 000b.5fad.e580 dynamic Yes
* 8 000b.5fb1.5780 dynamic Yes Fa4/2
* 8 000b.5fb1.5480 dynamic Yes
PE4#show mac-address-table vlan 10
Legend: * - primary entry
vlan mac address type learn ports
------+----------------+-------+-----+------------------------
* 10 000b.5fb5.0080 dynamic Yes
* 10 000b.5fad.e580 dynamic Yes
* 10 000b.5fb1.5780 dynamic Yes
* 10 000b.5fb1.5480 dynamic Yes Fa4/2
To display the status of the pseudowires that interconnect the virtual switches, use the command show mpls l2transport vc on PE routers, as shown in Example 15-11.
Example 15-11. Displaying the Status of the Pseudowires
PE1#show mpls l2transport vc
Local intf Local circuit Dest address VC ID Status
------------- -------------------- --------------- ---------- ----------
VFI l2vpn VFI 10.0.0.2 1 UP
VFI l2vpn VFI 10.0.0.3 1 UP
VFI l2vpn VFI 10.0.0.4 1 UP
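The two verification outputs above are the ones an operator repeats after every change, so the following added example (not from the book or from Cisco) turns them into scripted checks: one parser for show mpls l2transport vc that confirms every configured neighbor has an UP pseudowire with the expected VC ID, and one for show mac-address-table vlan that confirms the CE MAC addresses from Table 15-1 were learned, the local one on the attachment circuit and the remote ones over pseudowires (which show an empty ports column). The sample outputs are constructed to resemble Examples 15-10 and 15-11; one pseudowire is deliberately shown DOWN to exercise the check.

```python
# Added example (not from the book or Cisco): pass/fail checks built on the
# two show commands used above to verify a VPLS deployment.
import re
from typing import Dict, List, Set

# Constructed sample output modelled on Example 15-11, with one VC DOWN on purpose.
SHOW_VC = """\
PE1#show mpls l2transport vc
Local intf     Local circuit        Dest address    VC ID      Status
-------------  -------------------- --------------- ---------- ----------
VFI l2vpn      VFI                  10.0.0.2        1          UP
VFI l2vpn      VFI                  10.0.0.3        1          UP
VFI l2vpn      VFI                  10.0.0.4        1          DOWN
"""

# Constructed sample output modelled on Example 15-10 for PE1 (VLAN 2).
SHOW_MAC = """\
PE1#show mac-address-table vlan 2
Legend: * - primary entry
  vlan   mac address     type    learn     ports
------+----------------+--------+-----+-----------------------
*    2  000b.5fb5.0080   dynamic  Yes   Fa4/2
*    2  000b.5fad.e580   dynamic  Yes
*    2  000b.5fb1.5780   dynamic  Yes
*    2  000b.5fb1.5480   dynamic  Yes
"""

VC_LINE = re.compile(
    r"^VFI\s+(?P<vfi>\S+)\s+VFI\s+(?P<peer>\d+\.\d+\.\d+\.\d+)\s+(?P<vcid>\d+)\s+(?P<status>\S+)\s*$"
)
MAC_LINE = re.compile(
    r"^\*\s+(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+\S+\s+\S+(?:\s+(?P<port>\S+))?\s*$"
)


def check_pseudowires(output: str, vfi: str, vpn_id: int, neighbors: Set[str]) -> List[str]:
    """List problems: neighbors without a VC, VC IDs that differ from the VPN ID, VCs not UP."""
    seen: Dict[str, str] = {}
    problems: List[str] = []
    for line in output.splitlines():
        m = VC_LINE.match(line.strip())
        if not m or m["vfi"] != vfi:
            continue
        if int(m["vcid"]) != vpn_id:
            problems.append(f"{m['peer']}: VC ID {m['vcid']} != vpn id {vpn_id}")
        seen[m["peer"]] = m["status"]
    for peer in sorted(neighbors):
        status = seen.get(peer)
        if status is None:
            problems.append(f"{peer}: no pseudowire in VFI {vfi}")
        elif status != "UP":
            problems.append(f"{peer}: pseudowire {status}")
    return problems


def check_mac_learning(output: str, vlan: int, expected: Dict[str, str]) -> List[str]:
    """expected maps MAC -> local port, or "" for MACs that must arrive over a
    pseudowire (the ports column is empty for those). Unexpected MACs are reported too."""
    learned: Dict[str, str] = {}
    for line in output.splitlines():
        m = MAC_LINE.match(line.strip())
        if m and int(m["vlan"]) == vlan:
            learned[m["mac"]] = m["port"] or ""
    problems: List[str] = []
    for mac, port in expected.items():
        if mac not in learned:
            problems.append(f"{mac}: not learned in VLAN {vlan}")
        elif learned[mac] != port:
            problems.append(f"{mac}: learned on {learned[mac] or 'pseudowire'}, expected {port or 'pseudowire'}")
    for mac in sorted(learned.keys() - expected.keys()):
        problems.append(f"{mac}: unexpected MAC in VLAN {vlan}")
    return problems
```

Reporting MACs that were learned but not expected is the part worth keeping in a monitoring job: on a single-customer bridge domain, an unexpected source address is the earliest sign that a CE has started bridging more than it should.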
Case Study 15-2: Per-VLAN MAC Address Limiting
Service providers are concerned that a rogue VPLS customer will take too much system and network resources and affect normal services for other customers. One of the limited system resources on which different VPLS customers compete is the MAC address table.
Generally speaking, the size of the MAC address table on a given system is finite, and the portion allocated for each bridge domain directly impacts the forwarding performance. The larger the portion allocated is, the less likely a packet is subject to flooding. Flooding is always an expensive operation in terms of processing power and the network bandwidth it takes; it penalizes overall packet forwarding performance.
To limit the maximum number of MAC address entries on a per-VLAN basis, use the mac-address-table limit command, as shown in Example 15-12. Cisco VPLS allows setting a limit for each bridge domain, which is represented by an internal VLAN.
Example 15-12. mac-address-table limit Command
PE1(config)#mac-address-table limit vlan 2 maximum 1000
PE1(config)#
To display the MAC address limiting status for a VLAN, use the show mac-address-table limit vlan command, as shown in Example 15-13.
Example 15-13. show mac-address-table limit vlan Command
PE1#show mac-address-table limit vlan 2
vlan module action maximum Total entries flooding
-------+--------+-----------+-------+--------------+------------
2 2 warning 1000 0 enabled
2 4 warning 1000 0 enabled
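The following is an added example, not code from the book or from Cisco, that models one VPLS bridge domain on a PE to show the two behaviours this case study and the earlier discussion rely on: Layer 2 split horizon between pseudowires of the full-mesh VFI, and a per-VLAN MAC limit whose only action is to stop installing new entries while flooding continues (the warning action with flooding enabled shown in Example 15-13). The BridgeDomain class, the port naming and the rogue_source_flood scenario are assumptions of the model; the behaviour modelled is a simplification of what the text describes, not the platform's actual implementation.

```python
# Added example (not from the book or Cisco): a toy model of one VPLS bridge
# domain on a PE, showing split horizon between pseudowires and a per-VLAN MAC
# limit that caps the table without stopping forwarding.
from typing import Dict, List


class BridgeDomain:
    def __init__(self, vlan: int, acs: List[str], pws: List[str], mac_limit: int):
        self.vlan = vlan
        self.acs = list(acs)              # attachment circuits, e.g. "Fa4/2"
        self.pws = list(pws)              # pseudowire peers, e.g. "pw:10.0.0.2"
        self.mac_limit = mac_limit        # 'mac-address-table limit vlan N maximum'
        self.table: Dict[str, str] = {}   # MAC -> port it was learned on
        self.limit_hits = 0               # learn attempts refused because the limit was reached

    def _is_pw(self, port: str) -> bool:
        return port in self.pws

    def learn(self, mac: str, port: str) -> bool:
        """Install or refresh a MAC entry; refuse new entries once the limit is reached
        (modelled after the 'warning' action: forwarding continues, traffic to the
        unlearned MAC is flooded)."""
        if mac in self.table or len(self.table) < self.mac_limit:
            self.table[mac] = port
            return True
        self.limit_hits += 1
        return False

    def forward(self, src: str, dst: str, in_port: str) -> List[str]:
        """Return the ports a frame received on in_port is replicated to."""
        if in_port not in self.acs and not self._is_pw(in_port):
            raise ValueError(f"{in_port} is not a member of VLAN {self.vlan}")
        self.learn(src, in_port)
        out = self.table.get(dst)
        if out is not None:
            # Split horizon also applies to known destinations: a frame from one
            # pseudowire is never relayed onto another pseudowire.
            if out == in_port or (self._is_pw(in_port) and self._is_pw(out)):
                return []
            return [out]
        # Unknown destination (or broadcast/multicast): flood to the other attachment
        # circuits, and onto the pseudowires only if the frame came from an attachment circuit.
        targets = [p for p in self.acs if p != in_port]
        if not self._is_pw(in_port):
            targets.extend(self.pws)
        return targets


def rogue_source_flood(limit: int, n_sources: int) -> Dict[str, int]:
    """Constructed scenario: a CE on Fa4/2 sends frames from n_sources distinct source
    MACs to an unknown destination. Returns the resulting table size and the number
    of refused learns, showing that the table never exceeds the configured limit."""
    bd = BridgeDomain(2, ["Fa4/2"], ["pw:10.0.0.2", "pw:10.0.0.3", "pw:10.0.0.4"], limit)
    for i in range(n_sources):
        bd.forward(f"0200.0000.{i:04x}", "ffff.ffff.ffff", "Fa4/2")  # constructed locally administered MACs
    return {"entries": len(bd.table), "refused": bd.limit_hits}
```

The model shows why the limit is a per-customer protection rather than a fix: the misbehaving VLAN is capped at its configured maximum and other bridge domains keep their share of the table, but traffic toward the MACs that were never learned is still flooded over every pseudowire, so the limit should be paired with monitoring of the refused-learn count.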
Case Study 15-3: Quality of Service
On Cisco 7600 series routers, Layer 2 switchport interfaces use Policy Feature Card (PFC)-based QoS configuration, and the core-facing interfaces use Modular QoS CLI (MQC). The general topics of PFC-based and MQC-based configuration alone warrant a book, and this book does not cover them in detail. Refer to Cisco.com for the PFC-based and MQC-based QoS commands and examples. This QoS case study shows an example that is related to VPLS.
Per-VLAN traffic shaping in VPLS specifies the shaping rate of individual MPLS uplinks for a given bridge domain, not the aggregated rate of all MPLS uplinks. For example, if a VLAN is configured with a shaping rate of 10 Mbps, and there are two MPLS uplinks toward the MPLS core network, the shaper allows up to 20 Mbps of VPLS traffic forwarded into the core network.
In Example 15-14, PE1 matches all traffic coming from CE1 and shapes the VPLS traffic on each core-facing interface to 10 Mbps.
Example 15-14. VPLS Per-VLAN Traffic Shaping
hostname PE1
!
class-map match-all all-traffic
match any
!
policy-map vpls-policy
class all-traffic
shape average 1000000 4000 4000
!
interface Vlan2
no ip address
xconnect vfi l2vpn
service-policy output vpls-policy
To verify QoS configuration status, use the show policy-map interface command, as shown in Example 15-15.
Example 15-15. Verifying QoS Status
PE1#show policy-map interface
Vlan2
Service-policy output: vpls-policy
Class-map: all-traffic (match-all)
6 packets, 2316 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
queue size 0, queue limit 0
packets output 6, packet drops 0
tail/random drops 0, no buffer drops 0, other drops 0
shape (average) cir 1000000 bc 4000 be 4000
target shape rate 1000000
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Case Study 15-4: Layer 2 Protocol Tunneling
Layer 2 protocol tunneling allows Layer 2 PDUs, such as Cisco Discovery Protocol (CDP), Spanning-Tree Protocol (STP), and VLAN Trunking Protocol (VTP), to be tunneled through an Ethernet-switched network. Without Layer 2 protocol tunneling, Layer 2 switchport interfaces drop STP and VTP packets and process CDP packets.
To allow CE1 and CE3 in Figure 15-7 to view each other as CDP neighbors, the interfaces on PE1 and PE3 that connect to CE1 and CE3 respectively need to enable Layer 2 protocol tunneling (see Example 15-16).
Example 15-16. Enabling Layer 2 Protocol Tunneling
PE1(config)#interface FastEthernet 4/2
PE1(config-if)#l2protocol-tunnel cdp
PE3(config)#interface FastEthernet 4/2
PE3(config-if)#l2protocol-tunnel cdp
To verify the effectiveness, use the command show cdp neighbors on the CE devices, as demonstrated in Example 15-17.
Example 15-17. Verifying CDP Neighbors with the show cdp neighbors Command
CE1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
CE3 Fas 0/1 157 R S I WS-C3550-2Fas 0/1
CE3#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater
Device ID Local Intrfce Holdtme Capability Platform Port ID
CE1 Fas 0/1 170 R S I WS-C3550-2Fas 0/1
For STPs, a separate spanning tree is created at each customer site if Layer 2 protocol tunneling is not enabled on PE routers. Using the network shown in Figure 15-7 as an example, bridging devices at Site 1, including CE1, build a spanning tree solely for Site 1 without considering convergence parameters of other customer sites. In this particular example, the disjointed spanning-tree domains do not lead to potential forwarding loops because of the use of Layer 2 split horizon in the service provider network. However, if the customer sites have backdoor links, it is imperative that you have a single spanning-tree domain for the VPLS customer to avoid forwarding loops in the customer network.
Figure 15-8 shows a backdoor link that connects CE1 and CE2. A possible forwarding loop exists between CE1 and CE2 when packets can be sent over the links that are connected to the service provider and the backdoor link. To identify the possible forwarding loop, examine the spanning-tree status on both CE routers.
Figure 15-8. VPLS with Backdoor Link
On CE1, the interface FastEthernet0/1 connected to PE1 acts as a designated port for VLAN 2 and is in the forwarding state. The interface FastEthernet0/3 connected to Site 1 is a root port for VLAN 2 and is also in the forwarding state (see Example 15-18).
Example 15-18. VLAN 2 Spanning-Tree Status on CE1 Before the Forwarding Loop Is Fixed
CE1#show spanning-tree vlan 2
VLAN0002
Spanning tree enabled protocol ieee
Root ID Priority 32770
Address 000b.5fad.e580
Cost 19
Port 3 (FastEthernet0/3)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32770 (priority 32768 sys-id-ext 2)
Address 000b.5fb5.0080
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/3 Root FWD 19 128.3 P2p
CE2 is the root bridge for VLAN 2 because it has a lower bridge address than CE1 when both have the same bridge priority. Both the interface FastEthernet0/1 that connects to PE2 and the interface FastEthernet0/3 that connects to Site 2 have a role of designated port for VLAN 2, and they are both in the forwarding state (see Example 15-19).
Example 15-19. VLAN 2 Spanning-Tree Status on CE2 Before the Forwarding Loop Is Fixed
CE2#show spanning-tree vlan 2
VLAN0002
Spanning tree enabled protocol ieee
Root ID Priority 32770
Address 000b.5fad.e580
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32770 (priority 32768 sys-id-ext 2)
Address 000b.5fad.e580
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/3 Desg FWD 19 128.3 P2p
Because the spanning-tree status on all four ports is in the forwarding state for VLAN 2, the forwarding loop is inevitable. The problem apparently is caused by the two ports connected through the pseudowire that cannot exchange BPDUs.
To fix this problem, PE routers need to configure Layer 2 protocol tunneling for STP traffic (see Example 15-20).
Example 15-20. Configuring Layer 2 Protocol Tunneling for STP Traffic
PE1(config)#int FastEthernet4/2
PE1(config-if)#l2protocol-tunnel stp
PE2(config)#int FastEthernet4/2
PE2(config-if)#l2protocol-tunnel stp
The interface configuration on PE1 and PE2 is shown in Example 15-21. Notice that the VLAN that is configured on the dot1q-tunnel interface is an internal VLAN. It can be different from the VLAN that is used in customer traffic.
Example 15-21. PE1 and PE2 Interface Configuration
interface FastEthernet4/2
no ip address
no keepalive
switchport
switchport access vlan 4
switchport mode dot1q-tunnel
l2protocol-tunnel stp
To display Layer 2 protocol tunneling status on PE routers, use the show l2protocol-tunnel command, as in Example 15-22.
Example 15-22. Displaying the Layer 2 Protocol Tunneling Status
PE1#show l2protocol-tunnel summary
COS for Encapsulated Packets: 5
Drop Threshold for Encapsulated Packets: 0
Port Protocol Shutdown Drop Status
Threshold Threshold
(cdp/stp/vtp) (cdp/stp/vtp)
------- ----------- ---------------- ---------------- ----------
Fa4/2 --- stp --- ----/----/---- ----/----/---- up
After you enable Layer 2 protocol tunneling on PE1 and PE2, the forwarding loop no longer exists. On CE1, the interface FastEthernet0/3 is now in the blocking state for VLAN 2, and packets in VLAN 2 are forwarded through the interface FastEthernet0/1 only (see Example 15-23).
Example 15-23. VLAN 2 Spanning-Tree Status on CE1 After the Forwarding Loop Is Fixed
CE1#show spanning-tree vlan 2
VLAN0002
Spanning tree enabled protocol ieee
Root ID Priority 32770
Address 000b.5fad.e580
Cost 19
Port 1 (FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32770 (priority 32768 sys-id-ext 2)
Address 000b.5fb5.0080
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Root FWD 19 128.1 P2p
Fa0/3 Altn BLK 19 128.3 P2p
Case Study 15-5: Multihoming
As described in the "VPLS Redundancy" section, each metro area or island consists of a group of U-PE and N-PE routers that are connected through a LAN. Figure 15-9 shows a network with three separate islands. The goal is to run STPs within each island for redundancy while preventing the spanning trees from spreading across the WAN. In a Metro Ethernet environment, devices from different network vendors are often deployed and required to work together, which means the network needs to run standard network protocols. For STPs, IEEE 802.1s Multiple Spanning Tree Protocol (MSTP) fits the purpose.
Figure 15-9. VPLS Redundancy Using Multihoming
Both U-PE1 and U-PE2 are peered with N-PE1 and N-PE2. To reduce the amount of complexity and processing power required, N-PE1 and N-PE2 do not run STPs themselves but simply relay BPDUs from one link to another. To prevent BPDUs from leaking to the WAN, you need to separate customer traffic from the BPDUs that originated in each island. In this case study, you accomplish this by marking these two types of traffic with different service provider VLAN tags. After the two types of traffic are separated into different VLANs, you can configure N-PE routers in such a way that only VLAN traffic that is marked as customer traffic can be forwarded to other islands. VLAN traffic that is marked as BPDU is only forwarded to other N-PE routers of the same island.
In Island A, two separate forwarding loops exist:
From U-PE1 to N-PE1, N-PE2, and back to U-PE1
From U-PE2 to N-PE1, N-PE2, and back to U-PE2.
Because U-PE1 and U-PE2 do not have direct connections, they can construct separate spanning trees.
On U-PE1, MST traffic is carried in the native VLAN for which the tag value is 200. VLAN 2 carries customer traffic for a particular VPLS customer. The configuration on U-PE1 is shown in Example 15-24.
Example 15-24. U-PE1 Configuration
hostname U-PE1
spanning-tree mode mst
!
spanning-tree mst configuration
name MST-1
revision 1
instance 1 vlan 2
!
vlan dot1q tag native
!
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 200
switchport trunk allowed vlan 2,200
switchport mode trunk
no ip address
!
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 200
switchport trunk allowed vlan 2,200
switchport mode trunk
no ip address
On U-PE2, MST traffic is carried in the native VLAN for which the tag value is 400. VLAN 2 carries the customer traffic. The configuration on U-PE2 is shown in Example 15-25.
Example 15-25. U-PE2 Configuration
hostname U-PE2
spanning-tree mode mst
!
spanning-tree mst configuration
name MST-2
revision 1
instance 1 vlan 2
!
vlan dot1q tag native
!
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 400
switchport trunk allowed vlan 2,400
switchport mode trunk
no ip address
!
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 400
switchport trunk allowed vlan 2,400
switchport mode trunk
no ip address
STPs are disabled on N-PE1 and N-PE2. To relay BPDUs for each MST instance transparently, in addition to configuring Layer 2 protocol tunneling on N-PE1 and N-PE2, you must configure a dedicated VFI for each MST instance, where the neighbors are the N-PE routers in the same island. The configuration on N-PE1 is shown in Example 15-26.
Example 15-26. N-PE1 Configuration
hostname N-PE1
!
mpls label protocol ldp
mpls ldp router-id Loopback0
!
l2 vfi l2vpn manual
vpn id 1
neighbor 10.0.0.2 encapsulation mpls
neighbor 10.0.0.3 encapsulation mpls
neighbor 10.0.0.4 encapsulation mpls
!
l2 vfi mst-1 manual
vpn id 1001
neighbor 10.0.0.2 encapsulation mpls
!
l2 vfi mst-2 manual
vpn id 2001
neighbor 10.0.0.2 encapsulation mpls
!
no spanning-tree vlan 2,200,400
!
vlan dot1q tag native
!
interface Loopback0
ip address 10.0.0.1 255.255.255.255
!
interface POS3/1
ip address 10.0.1.1 255.255.255.252
mpls ip
!
interface FastEthernet4/2
no ip address
no keepalive
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 200
switchport trunk allowed vlan 2,200
switchport mode trunk
l2protocol-tunnel stp
!
interface FastEthernet4/3
no ip address
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 400
switchport trunk allowed vlan 2,400
switchport mode trunk
l2protocol-tunnel stp
no cdp enable
!
interface Vlan2
no ip address
xconnect vfi l2vpn
!
interface Vlan200
no ip address
xconnect vfi mst-1
!
interface Vlan400
no ip address
xconnect vfi mst-2
The configuration on N-PE2 is shown in Example 15-27.
Example 15-27. N-PE2 Configuration
hostname N-PE2
!
mpls label protocol ldp
mpls ldp router-id Loopback0
!
l2 vfi l2vpn manual
vpn id 1
neighbor 10.0.0.1 encapsulation mpls
neighbor 10.0.0.3 encapsulation mpls
neighbor 10.0.0.4 encapsulation mpls
!
l2 vfi mst-1 manual
vpn id 1001
neighbor 10.0.0.1 encapsulation mpls
!
l2 vfi mst-2 manual
vpn id 2001
neighbor 10.0.0.1 encapsulation mpls
!
no spanning-tree vlan 2,200,400
!
vlan dot1q tag native
!
interface Loopback0
ip address 10.0.0.2 255.255.255.255
!
interface POS3/1
ip address 10.0.2.1 255.255.255.252
mpls ip
!
interface FastEthernet4/2
no ip address
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 400
switchport trunk allowed vlan 2,400
switchport mode trunk
l2protocol-tunnel stp
!
interface FastEthernet4/3
no ip address
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 200
switchport trunk allowed vlan 2,200
switchport mode trunk
l2protocol-tunnel stp
!
interface Vlan2
no ip address
xconnect vfi l2vpn
!
interface Vlan200
no ip address
xconnect vfi mst-1
!
interface Vlan400
no ip address
xconnect vfi mst-2
To verify that MSTP removes the forwarding loops, use the show spanning-tree mst command on U-PE1 and U-PE2 (see Example 15-28). Notice that each router is the root bridge for its own MST instance, the interface FastEthernet0/1 acts as a designated port and is in a forwarding state, and the interface FastEthernet0/2 acts as a backup port and is in a blocking state.
Example 15-28. MST Instance Status on U-PE Routers
U-PE1#show spanning-tree mst 1
###### MST01 vlans mapped: 2
Bridge address 000b.5fb5.0080 priority 32769 (32768 sysid 1)
Root this switch for MST01
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 200000 128.1 P2p
Fa0/2 Back BLK 200000 128.2 P2p
U-PE2#show spanning-tree mst 1
###### MST01 vlans mapped: 2
Bridge address 000b.5fad.e580 priority 32769 (32768 sysid 1)
Root this switch for MST01
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 200000 128.1 P2p
Fa0/2 Back BLK 200000 128.2 P2p