Cisco Press Layer 2 VPN Architectures Mar 2005 eBook-LiB CHM PDF

Layer 2 VPN Architectures
ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
No. 4460,Anthony Chan, - CCIE No. 10,266
Publisher: Cisco Press
Pub Date: March 10, 2005
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Master the world of Layer 2 VPNs to provide enhanced services and enjoy
productivity gains
Learn about Layer 2 Virtual Private Networks (VPNs)
Reduce costs and extend the reach of your services by unifying your
network architecture
Gain from the first book to address Layer 2 VPN application utilizing
both ATOM and L2TP protocols
Review strategies that allow large enterprise customers to enhance
their service offerings while maintaining routing control
For a majority of Service Providers, a significant portion of their revenues
are still derived from data and voice services based on legacy transport
technologies. Although Layer 3 MPLS VPNs fulfill the market need for some
customers, they have some drawbacks. Ideally, carriers with existing
legacy Layer 2 and Layer 3 networks would like to move toward a single
backbone while new carriers would like to sell the lucrative Layer 2
services over their existing Layer 3 cores. The solution in these cases is a
technology that would allow Layer 2 transport over a Layer 3
infrastructure.
Layer 2 VPN Architectures introduces readers to Layer 2 Virtual Private
Network (VPN) concepts, and describes Layer 2 VPN techniques via
introductory case studies and comprehensive design scenarios. This book
assists readers looking to meet those requirements by explaining the
history and implementation details of the two technologies available from
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
IP cores. The structure of this book is focused on first introducing the
reader to Layer 2 VPN benefits and implementation requirements and
comparing them to those of Layer 3 based VPNs, such as MPLS, then
progressively covering each currently available solution in greater detail.

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.

Copyright

Wei Luo
Table of
Contents
Carlos
Pignataro
Index
ISBN: 1-58705-168-0
Pages: 648
Dmitry Bokotey
Anthony Chan
gains
Copyright 2005productivity
Cisco Systems,
Inc.
Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by
any means, electronic or mechanical, including photocopying, recording, or by any information
storage and retrieval system, without written permission from the publisher, except for the
inclusion of brief quotations in a review.
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
First Printing February 2005
Library of Congress Cataloging-in-Publication Number: 2003109688
ISBN: 1-58705-168-0
Warning and Disclaimer
technology
thatinformation
would allowabout
LayerLayer
2 transport
over
a Layer 3
This book is designed
to provide
2 VPN
architectures.
Every effort
has been made toinfrastructure.
make this book as complete and as accurate as possible, but no warranty or
fitness is implied.
(VPN)
and describes
Layer
2 VPN
techniques
The information isNetwork
provided
on anconcepts,
"as is" basis.
The author,
Cisco
Press,
and Ciscovia
Systems,
introductory
and comprehensive
scenarios.
This book
Inc., shall have neither
liabilitycase
nor studies
responsibility
to any persondesign
or entity
with respect
to any
assists from
readers
to meet
those requirements
byfrom
explaining
loss or damages arising
thelooking
information
contained
in this book or
the usethe
of the discs
and implementation
details of the two technologies available from
or programs that history
may accompany
it.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSThe opinions expressed
in thisand
book
belong
to the author
and version
are not 3necessarily
those
of Cisco
based cores
Layer
2 Tunneling
Protocol
(L2TPv3) for
native
Systems, Inc.
Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been
appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of
this information. Use of a term in this book should not be regarded as affecting the validity of
any trademark or service mark.
Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value.
Each book is crafted with care and precision, undergoing rigorous development that involves
the unique expertise of members from the professional technical community.
Readers' feedback is a natural continuation of this process. If you have any comments
regarding how we could improve the quality of this book, or otherwise alter it to better suit
your needs, you can
us through e-mail at feedback@ciscopress.com. Please make sure
Layercontact
2 VPN Architectures
to include the book title and ISBN in your message.
No. 4460,
Anthony
Chan, - CCIE No. 10,266
We greatly appreciate
your
assistance.
Publisher: Cisco
Press
Corporate and Government
Sales
Cisco Press offers excellent

discounts on this book when ordered in quantity for bulk purchases
ISBN: 1-58705-168-0
Table of
or special
sales. For more information please contact: U.S. Corporate and Government Sales 1
Pages: 648
Contents corpsales@pearsontechgroup.com
800-382-3419
Index
For sales outside the U.S. please contact: International Sales international@pearsoned.com
Master the world of LayerJohn

2 VPNs
Waitto provide enhanced services and enjoy
productivity gains
Editor-in-Chief
John Kane
Publisher
Executive Editor Learn about Layer 2Brett

Bartow
Virtual
Private Networks (VPNs)
Cisco Representative
Anthony Wolfenden
network
architecture
Cisco Press Program
Manager
Jeff Brady
Production Manager
Patrick
Gain from the first book
to Kanouse
address Layer 2 VPN application utilizing
Development Editor
Dayna Isley
Review strategies that

allow
Karen
Gilllarge enterprise customers to enhance
Technical Editors
Archana Sharma, Aamer Akhter, John
For a majority of Service Chang,
Providers,
a Zhang
significant portion of their revenues
Wen
Team Coordinator
Tammi
Barnett
technologies. Although Layer
3 MPLS
VPNs fulfill the market need for some
customers,
they have some
drawbacks.
Ideally, carriers with existing
Book and Cover
Designer
Louisa
Adair
Composition
Markwould
Shirar
backbone while new carriers
like to sell the lucrative Layer 2
Indexer
Tim Wright
infrastructure.
Copy Editor

Corporate Headquarters
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSCisco Systems, Inc.
based cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
170 West TasmanIPDrive
cores. The structure of this book is focused on first introducing the
San Jose, CA 95134-1706
USA
www.cisco.com progressively covering each currently available solution in greater detail.
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
European Headquarters
Cisco Systems International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
The Netherlands
www-europe.cisco.com
Tel: 31 0 20 357 1000
Fax: 31 0 20 357 1100
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
ISBN: 1-58705-168-0
Table526-7660
of
Tel: 408
Pages:
648
Fax: Contents
408 527-0883
Index
Asia Pacific Headquarters

Cisco Systems, Inc.
Capital Tower
168 Robinson Road
productivity gains
#22-01 to #29-01
Singapore 068912
www.cisco.com
Tel: +65 6317 7777 Learn about Layer 2 Virtual Private Networks (VPNs)
Fax: +65 6317 7799
network
architecture
Cisco Systems has more
than 200
offices in the following countries and regions. Addresses,
phone numbers, and fax numbers are listed on the Cisco.com Web site at
www.cisco.com/go/offices.
Argentina Australia Austria Belgium Brazil Bulgaria Canada Chile China PRC Colombia Costa
Review
strategies
thatUAE
allow
large enterprise
customers
to enhance
Rica Croatia Czech Republic
Denmark
Dubai,
Finland
France Germany
Greece
Hong Kong
their service
offerings
routing
control Malaysia Mexico
SAR Hungary India Indonesia
Ireland
Israelwhile
Italymaintaining
Japan Korea
Luxembourg
The Netherlands New Zealand Norway Peru Philippines Poland Portugal Puerto Rico Romania
Russia Saudi Arabia
Scotland
Singapore
Slovakia
Slovenia
South Africa
Spain
Sweden
For
a majority
of Service
Providers,
a significant
portion
of their
revenues
Switzerland Taiwan Thailand Turkey Ukraine United Kingdom United States Venezuela Vietnam
Zimbabwe
they have
some
drawbacks.
carriers
existing
Copyright 2003customers,
Cisco Systems,
Inc. All
rights
reserved.Ideally,
CCIP, CCSP,
thewith
Cisco
Arrow logo,
Layer
2 and
networksVerified
would like
toCisco
moveUnity,
toward
a single
the Cisco Poweredlegacy
Network
mark,
theLayer
Cisco3Systems
logo,
Follow
Me
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare
are
services
over Inc.;
their Changing
existing Layer
3 cores.
The solution
in these
cases is
a
trademarks of Cisco
Systems,
the Way
We Work,
Live, Play,
and Learn,
The
technology
wouldQuotient,
allow Layer
transport
over
Layer 3marks of Cisco
Fastest Way to Increase
Yourthat
Internet
and2iQuick
Study
area service
infrastructure.
Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the
Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco
Layer 2 VPN
Architectures
introduces
readers
to Layerthe
2 Virtual
Private
Systems, Cisco Systems
Capital,
the Cisco Systems
logo,
Empowering
Internet
Generation,
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via
Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient,
IOS,
introductory
case
studies andMGX,
comprehensive
design scenarios.
This book
IP/TV, iQ Expertise,
the iQ logo,
LightStream,
MICA, the Networkers
logo, Network
assists
readers looking
to meet those
requirements
explaining
the
RegistrarPacket, PIX,
Post-Routing,
Pre-Routing,
RateMUX,
Registrar,by
SlideCast,
SMARTnet,
history
and
implementation
details
of
the
two
technologies
available
StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registeredfrom
the Systems,
Cisco Unified
suite:
Any Transport
(ATOM)
for MPLStrademarks of Cisco
Inc. VPN
and/or
its affiliates
in the over
U.S. MPLS
and certain
other
countries.
IP cores.
The structure
of this book
is focused
onthe
firstproperty
introducing
the
All other trademarks
mentioned
in this document
or Web
site are
of their
reader
to Layer
VPN benefits
and implementation
requirements
and
respective owners.
The use
of the2word
partner does
not imply a partnership
relationship
comparing
to those
of Layer 3 based VPNs, such as MPLS, then
between Cisco and
any otherthem
company.
(0303R)
Printed in the USA
Dedications
Wei Luo: This book is dedicated to my mother, Ximen, in loving memory for her everlasting
selfless devotion and belief in me. This book is also dedicated to my father, Jiyang Luo, my
sister and brother-in-law, Michelle and Tong Ge, and my lovely nephew and niece, Jesse and
Lauren, for all their sacrifices and support over the years and their enduring love.
Carlos Pignataro: I dedicate this book to my son, Luca, and my wife, Veronica, for filling my
Layer
2 VPN Architectures
life with joy. I also
dedicate
this book to my mother, Elena Renee Goenaga, in loving memory,
and to my father,By
Juan
Carlos,
with
heartfelt
gratitude
deepest
Wei Luo,
- CCIE
No. 13,291,
Carlos
Pignataro, -and
CCIE
No. 4619,love.
Dmitry Bokotey, - CCIE
Dmitry Bokotey: To dear friends Tom Kladek, Kevin Taylor, and Carlos Pignataro who opened
all the doors.
Anthony Chan: Dedicated
to my wonderful parents, Foon and Sin Ying Chan, my brother and
ISBN:and
1-58705-168-0
sister-in-law,
Johnny Chan
Diana Chu, and to the memory of my grandmother, Fung Yu
Table of
Pages:
648
Choy,
for
their
guidance
and
wisdom.
I also dedicate this book to my niece, Alicia. May your
Contents
future
be
bright
and
filled
with
opportunities.
Index
productivity gains
infrastructure.

About the Authors
Cisco
Press
Wei Luo, CCIE No. Publisher:
13,291, is
a technical
leader at Cisco Systems, Inc. Since joining Cisco in
Pub
Date:
March
10, 2005and development initiatives in remote-access
1998, Wei has led many product design
ISBN:technologies.
1-58705-168-0 He is the principle designer and developer for Cisco
networks,
WANs, and MPLS
Table of
Pseudowire
Emulation
and
Layer
Pages:
648 2 VPN products, such as AToM and VPLS. He actively
Contents
participates
in
IETF
standardization
processes, contributing to and authoring various RFCs and
Index
Internet drafts in the IETF working groups. Wei has B.S. and M.S. degrees in computer science.
Carlos Pignataro, CCIE No. 4619, is a senior engineer in the Escalation Team for Cisco
Systems, Inc. In this
rolethe
he world
is responsible
handling
difficult
and complex
escalations,
Master
of Layer for
2 VPNs
to provide
enhanced
services
and enjoy
working on critical
or
stalled
software
defects,
and
participating
in
the
new
product
and
productivity gains
development process. Carlos has a B.S. in electrical engineering and an M.S. in
telecommunications and networking. Carlos has contributed to IETF Internet drafts, is an active
speaker at Net-workersLearn
conventions,
and 2has
authored
Cisco
Multiservice
Switching Networks
about Layer
Virtual
Private
Networks
(VPNs)
also by Cisco Press.
Dmitry Bokotey, CCIE
No. 4460,
holds a quadruple CCIE title in the fields of Routing and
network
architecture
Switching, ISP Dial, Security, and Service Provider. He is a network consulting engineer with
Gain
the
first book
to address
2 VPN
utilizing
the Central Engineering
andfrom
Metro
Ethernet
team
of Cisco Layer
Systems.
Forapplication
the past twelve
years,
both ATOM and
L2TPnetworking
protocols environments for various large
he has designed and implemented
diverse
enterprise and service provider customers. Over the course of his career, he has presented
strategies
that allow
large
enterprise
customers
to enhance
seminars on numerousReview
advanced
networking
subjects.
He
is coauthor
on two other
books
their
service
offerings
while
maintaining
routing
controlStudies: Remote
published by Cisco Press:
CCIE
Practical
Studies:
Security
and CCNP
Practical
Access .
are still Provider
derived from
and voice
based
on legacy
transport
Anthony Chan, Service
CCIEdata
No. 10,266,
is services
a network
consulting
engineer
for Cisco
technologies.
Although
Layer 3 MPLS
VPNs fulfill
the market
need for
Systems' Advanced
Services Central
Engineering
organization.
Anthony
participates
in some
MPLS
customers,
they
have
some drawbacks.
Ideally,
carriers with
existing
and routing technology
teams,
which
provide
focused design
and proactive
support
to service
legacy customers.
Layer 2 andHe
Layer
3 networks
would
like in
to electrical
move toward
a single from
provider and enterprise
holds
a bachelor's
degree
engineering
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
Northwestern University and has previously worked at Ford Motor Company and International
services
over
their
existing
Layer
3
cores.
The
solution
in
these
cases
is a
Network Services.
infrastructure.


About the Technical Reviewers
Publisher:
Press
Archana Sharma, CCIE
No.Cisco
3080,
has over five years of troubleshooting experience with the
Pub
Date:
March
10,been
2005 working on the Catalyst switches since they were first
campus switched networks and has
ISBN:has
1-58705-168-0
released
by Cisco. Archana
been troubleshooting and resolving customer issues since 1995
Table of
she joined Cisco Pages:
when
as
a
support
engineer in the RTP TAC team supporting the Cisco campus
648
Contents
switching
product
line.
She
has
extensive
troubleshooting experience with both Layer 2
Index
switching and Layer 3 switching and provides escalation support for these in her role as team
lead and as a Cisco diagnostic engineer.
Aamer Akhter, CCIE

No.
4543,
joined
Cisco
Systems
in 1998enhanced
after graduating
Master
the
world
of Layer
2 VPNs
to provide
servicesfrom
and Georiga
enjoy
Tech with a B.S. in
electrical
engineering
to
work
in
the
Cisco
Technical
Assistance
Center. He
productivity gains
then went on to support Cisco's larger enterprise customers in the NSA unit where he helped
design and deploy several large Layer 2 networks. Aamer later moved to Networked Solutions
Integration Test Engineering
(NSITE),
where
after Private
a brief stint
with IPSec
VPNs, he moved into
Learn about
Layer
2 Virtual
Networks
(VPNs)
a new group for testing MPLS-VPNs. Four years later, MPLS-VPNS had matured much but
costs and
the Aamer
reach of
services
by unifying
your
testing of MPLS relatedReduce
technologies
still extend
continues.
is your
currently
leading
a team for
network
architecture
testing Layer 3 VPNs and
related
technologies in a cross-Cisco effort.
from
first book
address
Layer
VPNSystems,
application
utilizing
John Chang, CCIE No.Gain
2736,
is athe
solution
test to
lead
engineer
at 2
Cisco
Inc.
In this
both ATOM
and L2TP
protocols
role, John provides technical
leadership
to verify
the function, scalability, and performance of
remote access and IP VPN solutions. With over 20 years of network engineering experience, he
Review
allowof
large
customers
enhance
has designed, developed,
and strategies
supported that
a variety
LANenterprise
and WANs.
John has to
B.S.
and M.S.
degrees in electrical engineering.
ForNo.
a majority
Service Providers,
significantteam
portion
of their
revenues
Wen Zhang, CCIE
4302, is of
a member
of the TACaescalation
at Cisco
Systems.
He
still derived
from technologies.
data and voiceWith
services
on legacy
currently focuses are
on VPN
and security
Ciscobased
since 1997,
Wentransport
was a regular
Although
3 his
MPLS
VPNs
market
need for some
contributor to thetechnologies.
Cisco Open Forum.
He Layer
earned
B.S.
andfulfill
M.S. the
degrees
in electrical
they have some drawbacks. Ideally, carriers with existing
engineering from customers,
Clemson University.
infrastructure.

Acknowledgments
Publisher:
Cisco
Wei Luo: I would like
to thank
allPress
the people from Cisco Press who helped make this book
Pub
Date:
March
2005
possible, and special thanks go to10,
our
Executive Editor Brett Bartow for putting up with us.
Table of
ISBN: 1-58705-168-0
I want
to thank Greg Burns,
Gary Green, and other colleagues at Cisco Systems for the
Pages: 648
Contents
unreserved support, wisdom, and insight. Without all of your talent and excellence in making
Index
the Layer 2 VPN technology a reality, this book would not have been possible.
This book is a true work of collaboration. I want to thank my coauthors for all their hard work
and devotion. I cannot thank my coauthors without giving my special gratefulness to Dmitry
Bokotey for opening the door for me and always being there.
productivity gains
Carlos Pignataro: I would like to thank my coauthors for their teamwork and talent that
made this book possible.
Thanks
toLayer
our reviewers
all their
helpful(VPNs)
comments. I also want to
Learn
about
2 Virtual for
Private
Networks
thank all the people at the Cisco Systems family that in one way or another make these
technologies a reality. Reduce costs and extend the reach of your services by unifying your
Special thanks to W. Mark Townsley for his most valued insight, openness, and for giving me a
great opportunity to learn,
myfirst
colleague
Wen
Zhang
for always
helping me utilizing
find answers
Gain and
fromtothe
book to
address
Layer
2 VPN application
to my questions with his
expertise
and L2TP
experience.
both
ATOM and
protocols
I would like to thank asReview
well our
Executive
Editor
Brett
Bartow
and our
Development
Editor
strategies
that
allow
large
enterprise
customers
to enhance
Dayna Isley for their professionalism
and patience,
along with all
the Cisco
Press team.
their service offerings
while maintaining
routing
control
Finally, I want to For
thank
all the design
engineers,
network
architects,
and NOC
engineers
that
a majority
of Service
Providers,
a significant
portion
of their
revenues
keep Layer 2 VPNare
networks
running
smoothly.
still derived from data and voice services based on legacy transport
Dmitry Bokotey:
This book they
is a product
of collective
effort.
I would
like to
thank
my
customers,
have some
drawbacks.
Ideally,
carriers
with
existing
coauthors, Anthony
Chan,
Wei2Luo,
Carlos
Pignataro,
for like
theirtoenormous
talent
and
legacy
Layer
andand
Layer
3 networks
would
move toward
a single
expertise.
As always, I'm grateful to my wife, Alina, for her help with writing and editing my chapters.
infrastructure.
I would also like to thank Brett Bartow and others at Cisco Press for another fruitful
collaboration. Your patience is truly appreciated.
Big thanks to my Cisco Systems family for the opportunity to explore and implement the
technology that became the basis for this book.
andmom
implementation
of thefor
two
available
from
Finally, I want to history
thank my
and dad for details
being there
metechnologies
and my little
Alyssa for
letting
the
Cisco
Unified
VPN
suite:
Any
Transport
over
MPLS
(ATOM)
for
MPLSme be there for her.
cores.toThe
this
book
is focused
on first introducing
the entire
Anthony Chan: IP
Thanks
my structure
coauthorsoffor
their
continued
perseverance
during this
process.
progressively
covering
currently
available
solution
in greater
detail.
Thanks to Brett Bartow
and Dayna
Isley each
and others
from
Cisco Press
for their
patience
despite
my numerous requests for extensions along the way.
I would also like to thank all Cisco engineering and architecture team who developed and
supported L2TPv3 and UTI for creating an equivalent IP pseudowire solution.

This Book Is Safari Enabled
Publisher:
Cisco Press
Enabled
The Safari
icon on the cover of your favorite technology book
Pub
Date:
March
10, 2005 through Safari Bookshelf. When you buy this
means the book is available
ISBN: 1-58705-168-0
Table of book, you get free access to the online edition for 45 days.
Contents
Index
Pages: 648
Safari Bookshelf is an electronic reference library that lets you easily search thousands of
technical books, find code samples, download chapters, and access technical information
whenever and wherever you need it.
productivity
To gain 45-day Safari
Enabledgains
access to this book:

Go to http://www.ciscopress.com/safarienabled
Reduce
costs and
Complete the brief
registration
formextend the reach of your services by unifying your
Enter the coupon code P7OE-29WP-IPO0-DHPJ-G8BD
both ATOM
L2TP
protocolsor accessing the online edition, please eIf you have difficulty registering
onand
Safari
Bookshelf
mailcustomer-service@safaribooksonline.com.

infrastructure.

Icons Used
in This Book
Cisco Systems uses Publisher:

the following
standard icons to represent different networking devices. You
Cisco Press
will encounter several
ofDate:
these
icons
within this book.
Pub
March
10, 2005
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.

Wei Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
CommandBy
Syntax
Conventions
The conventions used

to present
syntax in this book are the same conventions used
Publisher:
Cisco command
Press
in the IOS CommandPub
Reference.
Command Reference describes these conventions as
Date: MarchThe
10, 2005
follows:
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
Boldface
indicates
commands
and keywords that are entered literally as shown. In actual
Index
configuration examples and output (not general command syntax), boldface indicates
commands that are manually input by the user (such as a show command).
Italics indicate
arguments
forof
which
you
supply
values.
Master
the world
Layer
2 VPNs
to actual
provide
enhanced services and enjoy
productivity gains
Vertical bars (|) separate alternative, mutually exclusive elements.
Square brackets [Learn
] indicate
aboutoptional
Layer 2elements.
Virtual Private Networks (VPNs)
Braces { } indicate
a required
Reduce
costs choice.
and extend the reach of your services by unifying your
Braces within brackets [{ }] indicate a required choice within an optional element.

infrastructure.

Introduction
Publisher:
Cisco Press
Until recently, the VPN
landscape
has been quite complex as service providers have struggled
Pub
Date:
March
10, 2005 access technologies (such as, dial, Frame Relay, and
with how best to accommodate traditional
ISBN:
1-58705-168-0
ATM)Table
along
with new ones
(like,
Ethernet and wireless) and Layer 3 VPNs over a common
of
network
infrastructure.
A
new
solution,
enabling service providers to converge Layer 2 and
Pages:
648
Contents
Layer
3
services
and
provide
legacy
data
services over an IP or MPLS backbone, promises to
Index
simplify matters, benefiting both service providers and enterprises.
The historical disconnect between legacy Layer 2 and Layer 3 VPN solutions has forced service
providers to build,
operate,
maintain
separate
to accommodate
various
Master
theand
world
of Layer
2 VPNs infrastructures
to provide enhanced
services and
enjoy VPN
access technologies.
However,
this
costly
proposition
is
no
longer
necessary.
As
part
of
its new
productivity gains
Unified VPN Suite, Cisco Systems now offers next-generation Layer 2 VPN services like Layer 2
Tunneling Protocol version 3 (L2TPv3) and Any Transport over MPLS (AToM) that enable
service providers to offer
Frame
Relay,
ATM,
Ethernet,
andNetworks
leased line
services over a common
Learn
about
Layer
2 Virtual
Private
(VPNs)
IP/MPLS core network. By unifying multiple network layers and providing an integrated set of
Reduce costs tools
and extend
theinfrastructure,
reach of your services
unifying
your
software services and management
over this
the Ciscoby
Layer
2 VPN
network
architecture
solution enables established
carriers,
IP-oriented ISP/CLECs, and large-enterprise customers
(LECs) to reach a broader set of potential VPN customers and offer truly global VPNs.
ATOM
protocols
Although Layer 3 MPLSboth
VPNs
fulfilland
the L2TP
market
need for some customers, they have some
drawbacks. Namely, Layer 3 MPLS VPNs only handle IP traffic, and they require the customer
Review strategies
thatfrom
allow
to enhance
to change their usual CPE/subscriber
model
a large
Layerenterprise
2 peering customers
model to interfacing
with
offerings
while
maintaining
routing
control
the service provider attheir
Layerservice
3. Ideally,
carriers
with
existing legacy
Layer
2 and Layer 3
networks would like to move towards a single backbone while new carriers would like to sell the
a majority
of Service
Providers,
a significant portion of their revenues
lucrative Layer 2 For
services
over their
existing
Layer 3 cores.
technologies.
Layer
MPLS VPNs
the market
for3some
The solution in these
cases is aAlthough
technology
that3allows
Layer fulfill
2 transport
over need
a Layer
customers,
theyreaders
have some
drawbacks.
Ideally,
carriers with
infrastructure. This
book assists
looking
to meet those
requirements
byexisting
explaining the
legacy Layer
2 andofLayer
3 networks
would
like to move
toward
a single
history and implementation
details
the two
technologies
available
from the
Cisco
Unified VPN
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
suite: AToM for MPLS-based cores and L2TPv3 for native IP cores.
infrastructure.


Goals andBy
Methods
The goal of this bookPublisher:

is to introduce
you to the technologies and practices related to Layer 2
Cisco Press
VPN architectures and
Pseudowire
Emulation,
including the following:
Pub
Date: March 10,
2005
ISBN: 1-58705-168-0
Table of
Pages:
Addresses Layer 2 VPN 648
applications utilizing both AToM and L2TPv3 protocols providing
Contents
extensive conceptual background.
Index
Compares Layer 3 versus Layer 2 provider provisioned VPNs.

Discusses IETF
standardization
for pseudowire
edge-to-edge
and
Master
the world of activities
Layer 2 VPNs
to provide emulation
enhanced services
and enjoy
Layer 2 VPNs.
productivity gains
Describes mechanisms used to decode control plane signaling and data plane pseudowire
packets.
Specifies and exemplifies
how to
maintain
of service
in AToM
and L2TPv3
Reduce costs
and
extend quality
the reach
of your (QoS)
services
by unifying
your
pseudowire environments.
Provides advanced
AToM
topics
suchbook
as load-sharing,
inter-AS
scenarios,
andutilizing
VCCV.
Gain
from
the first
to address Layer
2 VPN
application
Describes Path MTU Discovery mechanisms and issues in L2TPv3 networks.
Introduces VPLS concepts,
design,
and configurations.
their service
offerings
while maintaining routing control
Details how For
to achieve
security
and authentication.
a majority
of Service
Providers, a significant portion of their revenues
In addition to describing
the concepts
related
VPNs,
thisthe
book
provides
technologies.
Although
Layerto
3 Layer
MPLS 2
VPNs
fulfill
market
needan
forextensive
some
collection of case customers,
studies thatthey
show
you
how
the
technologies
and
architectures
work.
have some drawbacks. Ideally, carriers with existingThe case
studies include both
AToM
and2L2TPv3
and 3reveal
real world
provider
and enterprise
legacy
Layer
and Layer
networks
would service
like to move
toward
a single
design problems and
solutions
with
hands-on
and implementation
backbone
while
new
carriers configuration
would like to examples
sell the lucrative
Layer 2
details. The case services
studies include
all Layer
2 technologies
transported
using
AToM cases
and L2TPv3
over their
existing
Layer 3 cores.
The solution
in these
is a
pseudowires including
Ethernet,
Ethernet
VLAN,
HDLC,
PPP,
Frame
Relay,
ATM
AAL5
and ATM
cells, and advanced
cases.
infrastructure.
After reading thisLayer
book,2you
be able to
understand,
describe,
and2explain
2
VPNshould
Architectures
introduces
readers
to Layer
Virtual Layer
Private
architectures andNetwork
design, configure
and troubleshoot
complex
scenarios that
(VPN) concepts,
and describes
Layernetwork
2 VPN techniques
via use AToM
and L2TPv3.


How This By
Book
Is Organized
Although this book could

be read
cover-to-cover, it is designed to be flexible and allow you to
Publisher:
Cisco Press
easily move betweenPub
chapters
and10,sections
of chapters to cover just the material that you
Date: March
2005
need more work with. Accordingly, the book follows a modular design. Layer 2 VPN
ISBN: 1-58705-168-0
Table of
Architectures
is divided into the following main parts and chapters:
Contents
Index
Pages: 648
Part I: Foundation The book begins by explaining the existing market drivers for Layer
2 VPNs and explores where each of the various types of VPNs exist. It introduces the
architectural framework and choices for Layer 2 VPNs and delves into pseudowire
Master the and
world
of Layer
VPNsalso
to provide
enhanced
services and
enjoy
emulation realizations
details.
This2 part
describes
the architectural
reference
productivity gainsprocess of Layer 2 VPNs and pseudowire technologies, and
model and standardarization
introduces you to AToM and L2TPv3.
about Layer 2
Virtual
Private Networks
(VPNs)
Chapter 1, Learn
"Understanding
Layer
2 VPNs":
This chapter
introduces L2VPNs and
its motivations. It also compares Layer 2 versus Layer 3 VPNs.
architecture
Chapter 2, network
"Pseudowire
Emulation Framework and Standards" This chapter
presents the pseudowire emulation reference model and architectural components,
from theand
firstexplains
book to the
address
Layer
VPN applicationofutilizing
defines key Gain
terminology,
history
and2standardization
pseudowire
both
ATOM
and
L2TP
protocols
emulation in the IETF.
that allow largeThis
enterprise
enhance
Chapter 3, Review
"Layerstrategies
2 VPN Architectures"
chaptercustomers
introducesto
AToM
and
service
offerings
maintaining
routing
control when choosing
L2TPv3 and their
presents
business
andwhile
technical
factors to
be considered
a Layer 2 VPN technology.
are still
derived from
data
and
voice
services
based on overview
legacy transport
Part II: Layer
2 Protocol
Primer
This
part
provides
a complete
of Layer 2
technologies.
Although
Layer
3
MPLS
VPNs
fulfill
the
market
need for some
LAN and WAN technologies.
legacy
LayerProtocols"
2 and LayerThis
3 networks
like
to overview
move toward
a single
Chapter
4, "LAN
chapter would
includes
and
of LAN
protocols,
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
such as Ethernet II and 802.3, Ethernet dot1Q, Ethernet QinQ, spanning2tree, and
over their existing Layer 3 cores. The solution in these cases is a
relatedservices
technologies.
infrastructure.
Chapter
5, "WAN Data-Link Protocols" This chapter outlines different WAN
protocols including HDLC, PPP, Frame Relay, and ATM.
Network
(VPN)over
concepts,
VPNcover
techniques
via
Part III: Any
Transport
MPLSand
Thedescribes
chaptersLayer
in this2part
the theoretical
and
case
studies
and
comprehensive
design
scenarios.
This book
operational introductory
details of MPLS
and
LDP as
they
pertain to AToM,
analyze
the control
plane
readers
to meet
requirements
by explaining
theand
(pseudowireassists
signaling)
and looking
data plane
(datathose
encapsulation),
describe
the design
history
and implementation
details
of the
two
technologies
available
implementation
of AToM
technologies, and
provide
LAN
and
WAN protocols
over from
MPLS and
the Cisco
Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSadvanced AToM
case studies.
Chapter
6, "Understanding
Any
over on
MPLS"
This chapterthe
details
IP cores.
The structure of
thisTransport
book is focused
first introducing
AToM and
LDPtooperations
for benefits
pseudowire
and describes
AToM pseudowire
reader
Layer 2 VPN
and signaling
implementation
requirements
and
encapsulation.
Chapter 7, "LAN Protocols over MPLS Case Studies" This chapter presents the
underlying theory and case studies for LAN protocols over MPLS including port-toport and dot1Q modes.
Chapter 8, "WAN Protocols over MPLS Case Studies" This chapter presents the
underlying theory and case studies for all WAN protocols over MPLS and their
various modes of operation.
Chapter 9, "Advanced AToM Case Studies" This chapter concludes the AToM
section with advanced case studies such as load sharing, preferred path selection,
AToM with traffic engineering (TE), AToM over GRE, inter-AS AToM, VCCV and QoS.
Part IV: Layer 2 Tunneling Protocol Version 3 This part discusses the theory on
Layer 2 over
VPN Architectures
Layer 2 protocols
Layer 2 Tunneling Protocol version 3 (L2TPv3) in IP networks,
analyzes theBycontrol
protocol
interactions
and4619,
data
plane
encapsulation
Wei Luo, plane
- CCIE L2TPv3
No. 13,291,
Carlos Pignataro,
- CCIE No.
Dmitry
Bokotey,
- CCIE
details, and No.
provides
LAN Chan,
and WAN
4460,Anthony
- CCIEprotocols
No. 10,266 and advanced case studies.
Chapter Publisher:
10, "Understanding
L2TPv3" This chapter starts with Universal
Cisco Press
Transport Interface (UTI) history and evolvement into L2TPv3; it then details
L2TPv3 control plane including tunnels, sessions, cookies, AVPs, control plane
ISBN: 1-58705-168-0
Table ofmessages and message formats, as well as the L2TPv3 data plane including the data
Pages:
packet formats. 648
Contents
Index
Chapter 11, "LAN Protocols over L2TPv3 Case Studies" This chapter presents
the underlying theory and case studies for LAN protocols over L2TPv3 including
static sessions, static sessions with keepalives, and dynamic sessions for Ethernet
Masterand
theVLAN
worldmodes
of Layer
2 VPNs
to provide
enhanced
port-to-port
with
and without
VLAN
rewrite.services and enjoy
productivity gains
Chapter 12, "WAN Protocols over L2TPv3 Case Studies" This chapter presents
the fundamental theory and case studies for all WAN protocols over L2TPv3 including
Virtual
Networks
HDLC, PPP, Learn
Frameabout
RelayLayer
(DLCI2and
portPrivate
modes),
and ATM(VPNs)
(AAL5 and the various
Cell Relay modes).
network
architecture
Chapter 13,
"Advanced
L2TPv3 Case Studies" This chapter details advanced
case studies for L2TPv3 networks including Path MTU Discovery, ATM OAM Emulation
Gain from
the first book to address Layer 2 VPN application utilizing
and cell packing,
and QoS.
Part V: Additional Layer 2 VPN Architectures This part presents Any-to-Any Layer 2
strategiesand
thatVirtual
allow large
enterprise
customers
enhance
VPN interworking,Review
local switching,
Private
LAN Service
(VPLS).toThe
part
their service
while
maintaining
routing
control and design case
includes both architectural
andofferings
theoretical
frameworks,
and
configuration
studies.
are14,
still"Layer
derived2from
data and voice
based on legacy
transport
Chapter
Interworking
andservices
Local Switching"
This chapter
technologies.
Although
3 MPLS VPNs of
fulfill
the2market
for some
introduces
the related
Layer 2Layer
VPN architectures
Layer
IP and need
Ethernet
customers,
have some
drawbacks.
Ideally, carriers
with existing
interworking
(thatthey
is, routed
and bridged
interworking,
respectively),
Layer 2 local
legacy
2 and Layer 3ofnetworks
would
likelocal
to move
toward
a single
switching,
andLayer
the combinations
interworking
with
switching.
This
chapter
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
includes details and case studies for both AToM and L2TPv3.
technology
that would
allow
Layer
2 transport
over a Layer
3
Chapter
15, "Virtual
Private
LAN
Service"
This chapter
introduces
the VPLS
infrastructure.
application
with theory, configuration, and multiple case studies.
Layer
2 VPN
Architectures
introduces readers
toand
Layer
2 Virtual
The book concludes
with
an appendix
that summarizes
the Cisco
IETF
L2TPv3Private
AVP
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via
attribute types.

Part I: Foundation
Chapter 1
Table of
Chapter 2
Contents
Index
Chapter 3
Understanding Layer 2 VPNs
ISBN: 1-58705-168-0
Pseudowire
Emulation Framework and Standards
Pages:
648
productivity gains
infrastructure.

Chapter 1. Understanding Layer 2 VPNs

Cisco Press
This chapter covers Publisher:
the following
topics:
ISBN: 1-58705-168-0
Table of
Understanding traditional
Pages:
648VPNs
Contents
Index
Introducing enhanced Layer 2 VPNs
A virtual private network (VPN) is a data network that utilizes a portion of a shared public
network to extend a customer's private network. This provides private communications
Master
world ofoffices
Layer and
2 VPNs
to provide enhanced
services
and enjoy
between end users,
suchthe
as remote
telecommuters.
VPNs can
be broadly
productivity
gains
categorized as either Layer 2 VPNs or Layer 3 VPNs.
This chapter begins with an overview of traditional VPNs, both Layer 2 and Layer 3, followed by
a more in-depth look at enhanced Layer 2 VPN solutions over IP/Multiprotocol Label Switching
(MPLS) and the factors that motivated their evolution. This chapter also covers the different
types of Layer 2 VPNs available today.
infrastructure.

Understanding
Traditional VPNs
This section offers examples

of traditional,
older forms of VPNs (as opposed to the newer,
Publisher: Cisco
Press
enhanced Layer 2 VPNs
that March
are the
topic of this book)specifically Layer 3 VPNs and legacy
Pub Date:
10, 2005
Layer 2 VPNs.
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Legacy Layer 2 VPNs

Originally, VPNs were built using leased lines to provide connectivity between various customer
Master
the world
of Layer
VPNs
to provide
services
and enjoy
locations. A customer
bought
the leased
line2 as
a service
fromenhanced
the provider.
The leased
line was
gains
installed betweenproductivity
the customer's
sites that required interconnectivity. The line was dedicated to
that customer, and others did not share it.
about Layer
Virtual
Private
Networks
(VPNs)
Since its introduction inLearn
the 1990s,
Frame2Relay
has
dominated
the field
of early VPN
technologies. Frame Relay has enabled service providers to offer the same basic connectivity to
costslines,
and extend
the reach
your services
by unifying
their customers as withReduce
the leased
except instead
of of
provisioning
a dedicated
lineyour
for
network
architecture
each customer, they have been able to use a shared line and allocate a virtual circuit for each
customer to keep each customer's traffic separate. The virtual circuits are referred to as
Gain(PVC).
from the
first book toPVCs,
address
2 VPN
application
utilizing
permanent virtual circuits
By configuring
the Layer
data-link
connection
identifiers
both
ATOM
and
L2TP
protocols
(DLCI) associated with various devices are established. This builds a tunnel for customer traffic
to follow a dedicated path through the service provider's shared network.
their
service the
offerings
maintaining
control in the Layer 3
A service provider merely
supplies
Layer while
2 connectivity
androuting
is not involved
aspects of the customer's traffic (hence the name, Layer 2 VPNs). The advantage of Layer 2
VPNs is the independence that customers have in terms of controlling their Layer 3 network
design for routing, addressing, and so on.
customers, they
some
Ideally,
withchoice
existing
Frame Relay's independence
fromhave
all Layer
3 drawbacks.
protocols has
made carriers
it a popular
for LANlegacy
Layer
2
and
Layer
3
networks
would
like
to
move
toward
a single VPNs
to-LAN connections and intranet communications. Service providers also offer ATM-based
while
new carriers
like to
sellservice
the lucrative
Layer
2 Layer 2
as a higher-speedbackbone
alternative
to Frame
Relay. would
Currently,
most
providers
offer
services
over
their
existing
Layer
3
cores.
The
solution
in
these
cases
is a
VPNs using Frame Relay, ATM, or combinations of the two.
infrastructure.
Layer 3 VPNsLayer 2 VPN Architectures
introduces readers to Layer 2 Virtual Private

introductory
case
studies
and comprehensive
design
scenarios.
book
Currently, the most
widely used
Layer
3-based
VPN technologies
are IP
Security This
(IPsec)
and
assists
readers
looking
to
meet
those
requirements
by
explaining
the
MPLS Border Gateway Protocol (BGP) VPNs. These technologies can service intranet, extranet,
history
and implementation
details of the two
technologies
available
and Internet access
applications
for securely interconnecting
customer's
remote
sites.from
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLScoresprovider
and Layer
2 Tunneling
version
3 (L2TPv3)
for native
In Layer 3 VPNs, based
the service
offers
a leased Protocol
line or PVC
connection
between
a
cores. point
The structure
of this
book
focused
onprovider's
first introducing
the
customer and theIP
nearest
of presence
(POP)
onisthe
service
network.
Figure 1-1 shows comparing
an examplethem
of a to
basic
MPLS
VPN model.
those
of Layer
3 based VPNs, such as MPLS, then
Figure 1-1. Private BGP Network with Private IP Addresses

[View full size image]

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
In an MPLS VPN, the customer edge (CE) router peers up with the PE router at Layer 3 instead
of the other CE routers (as is the case with enhanced Layer 2 VPNs), providing the PE router
Master the information
world of Layer
VPNs
to provide
enhanced
andcollects
enjoy
with routing and forwarding
for 2the
private
network.
The PE services
router then
productivity
gainscustomer and stores the tables along with the public Internet
one private routing
table for each
routing information.
about Layer
2 Virtual
Private
Networks
(VPNs)
InFigure 1-2, not all ofLearn
the customer's
private
networks
are
passed on
to the global routing
table.
Figure
1-2.
PE/CE
Relationship
in an MPLS VPN
both
ATOM
and L2TP
protocols

[View full
size image]
while
maintaining routing control
infrastructure.
Through Layer 3 VPNs,
customers
rely onofInternet
service
provider
(ISP)
IP/MPLS-based
IP cores.
The structure
this book
is focused
on first
introducing
the
backbones for private
and
communication.
reader
to secure
Layer 2any-site-to-any-site
VPN benefits and implementation
requirements and
Challenges of Traditional VPNs

Layer 3 VPNs also have several limitations. For instance, IP is the only protocol that is
supported over the MPLS Layer 3 VPN network. The customer gives up control of its routing to
the service provider, which might not be desirable for both parties. Also, over-utilization of the
PE routers is possible. To become truly scalable, the MPLS VPN implementation requires a wide
deployment of high-end, more powerful and, thus, more expensive routers.
As mentioned, legacy Layer 2 connection services provide the point-to-point connectivity upon
which private networks are built. To support a customer's Layer 3 traffic, a separate Layer 3
network has to be built. This results in service providers having to maintain separate networks
for Layer 2 and Layer 3 traffic, which is difficult and costly.
Another challengeBythat
traditional
service
providers
is that
if Bokotey,
they have
to expand
Wei Luo,
- CCIE No.Layer
13,291,2Carlos
Pignataro,
- CCIEface
No. 4619,
Dmitry
- CCIE
their networks, the
speeds
can
to with ATM in the core is OC48. They cannot
No.highest
4460,Anthony
Chan,they
- CCIE
No.go
10,266
grow to higher speeds or make use of more cost-effective technologies, such as Ethernet.
Therefore, service providers
havePress
been searching for ways to maximize the efficiency and cost
Publisher: Cisco
of their infrastructures
and simplify management.
ISBN: 1-58705-168-0
TheseTable
goals
of can be achieved in an environment in which multiple Layer 2 services can be
Pages:
648
transported
IP/MPLS backbone. Newly developed IP-based services allow
Contents across a common
customers
Index to minimize their network expenses while improving their productivity and
competitiveness. For service providers, these new developments mean an opportunity to offer
savings to their customers, which, in turn, can prompt an increase in customer base and
service revenue.
productivity
The following types
of servicegains
providers would benefit from such a solution:
Learnoffer
about
Layer
2 Virtual Private
Networks
(VPNs) and would like to
Carriers that currently
only
circuit-based
Layer 2
infrastructures
expand Layer 3 infrastructure to sell more services
architecture
Service providersnetwork
that currently
offer only Layer 3 infrastructure and would like to cost
effectively expand their offering of Layer 2 services
andoffer
L2TPcircuit-based
protocols
Service providersboth
that ATOM
currently
Layer 2 and IP-based Layer 3 services
throughout separate infrastructures and would like to join the two to increase profitability
infrastructure.

Introducing
Enhanced Layer 2 VPNs
A solution has been Publisher:

developed
to Press
address the desire to consolidate the Layer 2 and IP/MPLSCisco
based Layer 3 VPNs.Pub
New,
enhanced
Layer 2 VPNs allow offering a traditional Layer 2 service,
Date:
March 10, 2005
such as Frame Relay, by employing an IP/MPLS network infrastructure. This might decrease
ISBN: 1-58705-168-0
Tableofofproviding a comparable service using a dedicated Layer 2 network. In contrast with
the cost
Pages:
648
LayerContents
3 VPNs, Layer 2 VPNs are capable of carrying multiprotocol (IP and non-IP alike)
Index across a common infrastructure. Another drawback of Layer 3 VPNsthe need for edge
transport
routers to support routing tables of every connected VPNis eliminated with enhanced Layer 2
VPNs because customer routing tables are not stored on the provider's network. Instead, they
are transparently switched site-to-site to the customer's own infrastructure, which reduces
complexity.
productivity gains
Even though a Layer 2 service over IP/MPLS might cost the same as a dedicated ATM/Frame
Relay-based Layer 2 network, the ability to offer new value-add services is one of the most
compelling reasons to move to a packet-based network.
Figure 1-3 illustrates a sample topology with Layer 2 VPN service. Instead of building a
separate, private IP network and running traffic across it, enhanced Layer 2 VPNs take existing
Layer 2 traffic and send it through point-to-point tunnels on the IP/MPLS network backbone.
Figure
1-3.offerings
Layer 2-Based
VPN Services
their service
while maintaining
routing control

[Viewand
full size
image]
are still derived from data
voice
services based on legacy transport
infrastructure.
Both enhanced Layer 2 VPNs and Layer 3 VPNs rely on IP/MPLS transport through the core.
The principal difference lies in how PE-CE router relations are handled. In an enhanced Layer 2
VPN, the PE router is not a peer to the CE router and does not maintain separate routing
tables. Rather, it simply maps incoming Layer 2 traffic onto the appropriate point-to-point
tunnel.
Enhanced Layer 2 VPNs use the privacy of Frame Relay and ATM and the flexibility and
scalability of IP/MPLS. They deliver network services over routed IP/MPLS networks. Higher
efficiency and scalability are achieved because service decisions are made at the VPN and
tunnel endpoints and switched without requiring additional provisioning.
Layer22 VPN
Architectures
With enhanced Layer
VPNs,
service providers can offer such services as VPNs with managed
Internet, intranet,Byand
extranet
complexity
required
in the -past.
Wei Luo,
- CCIE without
No. 13,291,the
Carlos
Pignataro, - that
CCIE they
No. 4619,
Dmitry Bokotey,
CCIE The new
Layer 2 VPN services
do Anthony
not require
equipment spending because they are available
No. 4460,
Chan, -additional
CCIE No. 10,266
by upgrading Cisco IOS Software. By reducing customer networking complexity and cost, the
new Layer 2 VPNs allow
service
to expand their customer base to small and mediumPublisher:
Ciscoproviders
Press
sized businesses.
ISBN: 1-58705-168-0
LayerTable
2 services
have proven
to be steady revenue-generating resources because the provider
of
Pages:
is notContents
required to participate 648
in customer Layer 3 services. Therefore, although service
providers
Index are branching into IP/MPLS-based core networks, they continue to maintain an
extensive network of Layer 2-based equipment and services. By combining Layer 2 transport
with Layer 3, enhanced Layer 2 VPNs offer an attractive alternative and convergence point for
Layer 2 and Layer 3 infrastructures.
productivity of
gains
Some of the key advantages
enhanced Layer 2 VPNs over other VPN techniques include the
following:

Simple design and implementation Because these Layer 2 VPNs are based on the
Reduce
costsof
and
extendreduces
the reach
your services
by unifyinginvolved
your
IP/MPLS model, the
simplicity
IP/MPLS
theofamount
of administration
in deploying and maintaining
the Layer 2 VPN services.
Gain from the
first book
to address
Layerby
2 VPN
application
utilizing
New services facilitation
Additional
revenue
is realized
selling
more services
to
both
ATOM
and
L2TP
protocols
existing customers or by offering new services. By introducing services such as
Pseudowire Emulation Edge to Edge (PWE3) (discussed in Chapter 2, "Pseudowire
Review
strategies
that allow
enterprise customers
to are
enhance
Emulation Framework
and
Standards"),
other large
revenue-generating
services
easy to
their service
while maintaining
controlto their existing
add. Service providers
can sellofferings
more bandwidth
and betterrouting
performance
Layer 2 customers.
are still
derived
from
data and
voice services
based
on legacy transport
By utilizing enhanced
Layer
2 VPNs,
service
providers
can do the
following:
legacy
Layer 2 and
Layer
3 networks
would
like to
move
toward IP/MPLS
a single
Lower the cost
of providing
legacy
Layer
2 services
through
new
generation
cores.
Expand theirtechnology
present Layer
networks
to further
in their legacy
that 2would
allowwithout
Layer 2having
transport
over a invest
Layer 3
networks. infrastructure.
Reduce service
provider's
capital expenditures
(capex)
and
expenses
(opex)
Layer
2 VPN Architectures
introduces
readers
tooperational
Layer 2 Virtual
Private
associated with
offering
numerous
services
to a customer
through
service consolidation
Network
(VPN)
concepts,
and describes
Layer 2
VPN techniques
via
across a shared
infrastructure.
Implement
transparent LAN
and IP/MPLS
functionality
introductory
case studies
and comprehensive
design
scenarios.
This book for
IP/MPLS VPN
services
by providing
a simple
tunneling
mechanism.
assists
readers
looking to
meet those
requirements
by explaining the
Preserve current
investment
building
2 VPNover
support.
the Cisco
Unified while
VPN suite:
AnyLayer
Transport
MPLS (ATOM) for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
Transport Layer
2 andThe
Layer
3 protocols.
IP cores.
structure
of this book is focused on first introducing the
In addition, new Layer 2 VPNs enable service providers to broaden the geographic scope of
their established Layer 2 service to places where their Layer 2 infrastructures are not currently
present. By using the IP/MPLS core, traditional Layer 2 services can extend as far as the core.
Enhanced Layer 2 VPNs offer service providers several major cost reductions on their existing
infrastructure, which leads to higher profitability. First, by consolidating networks, service
providers reduce operational costs by migrating to a single infrastructure, rather than
supporting and investing in multiple infrastructures. Second, enhanced Layer 2 VPNs eliminate
the need to provision multiple infrastructures (such as Layer 2 and Layer 3) across the core,
reducing expensive configuration and maintenance costs.
Service providers can also continue to make money from their existing investments. Existing
investments represent expenses not only in equipment, but also in configuration (such as
creating circuits, security, and service levels). Although new Layer 2 VPNs offer high return on
investment (ROI) when you are buying a routing platform because they integrate with the
Layer 2 they
VPN Architectures
existing infrastructure,
also help maximize the ROI on the existing infrastructure by
ByWei Luo,
- CCIE
No. 13,291,
Carlos
Pignataro, - CCIE
No.from
4619,Dmitry
CCIE or
working with it, rather
than
replacing
it. By
aggregating
traffic
ATM, Bokotey,
Frame -Relay,
No. 4460,Anthony
Chan, - and
CCIEconfiguration
No. 10,266
Ethernet edge platforms,
equipment
investments continue to generate
revenue, rather than create more cost or end their return.
On the customer side,

enhanced Layer 2 VPNs offer the following advantages:
ISBN: 1-58705-168-0
Table of
Simple to configure
Pages:
648
Contents
Index
Provide connectivity of non-IP protocols, both routable and bridged
With enhanced Layer 2 VPNs, customers can independently maintain their routing and security
policies. DeployedMaster
edge platforms
to customer
networks
continue
to create
the
the world connecting
of Layer 2 VPNs
to provide
enhanced
services
and enjoy
circuits and interface
with
customer
networks,
whereas
the
Layer
2
VPN-enabled
IP/MPLS
productivity gains
routing platform essentially creates an intelligent "pipe" to move the traffic through the core,
emulating the customer circuit. A VPN that is based on Layer 2 eliminates the need for end
Learn
about Layer
2 Virtual
Networks
(VPNs) the network
users to exchange routing
information
with
servicePrivate
providers,
thus reducing
management, complexity, and associated costs. Additional investment in equipment is
Reduce
costs
and extend
the reach
of your services by unifying your
unnecessary because the
existing
customer
hardware
is sufficient.
Some of the features of enhanced Layer 2 VPNs are as follows:
The configuration is simplified because only two endpoints must be configured and the
Review
thatwith
allow
large enterprise
enhance
rest is signaled across
thestrategies
core, unlike
traditional
Layer 2 customers
networks intowhich
you
their
must provision hop
by service
hop. offerings while maintaining routing control
Forfrom
a majority
of Service
a significant
portion
of their
revenues
The transition
a traditional
LayerProviders,
2 VPN from
the customer's
point
of view
is
uncomplicated.
The customer
is responsible
itssome
own routing.
All the
provider
needs
to existing
show is that CEcustomers,
they for
have
drawbacks.
Ideally,
carriers
with
to-CE connection
single2hop.
legacyisLayer
and Layer 3 networks would like to move toward a single
Because theservices
service provider
not take
part
in theThe
routing
process,
the cases
customer's
over theirdoes
existing
Layer
3 cores.
solution
in these
is a
routing privacy
is
preserved
from
the
provider.
infrastructure.
Layer 2 VPN does not require storing a routing table for each site on the service provider's
end.
A misbehaving
CE can, atcase
worst,
flap its
as opposed
to scenarios.
an MPLS VPN,
introductory
studies
andinterface,
comprehensive
design
This whereby
book
an interfaceassists
flapping
can
affect
performance
of
the
provider's
edge
router
because
readers looking to meet those requirements by explaining the of BGP
peering.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSSeveral enhanced Layer 2 VPN techniques have been developed. One such technique, defined
in an IETF draft, is known as Any Transport over MPLS (AToM), which has been designed to
allow an MPLS-enabled network to transport Layer 2 frames. Another emerging technology
within the IETF is the Layer 2 Tunneling Protocol Version 3 (L2TPv3).
progressively
covering
each
currently
available solution
in greater detail.
Both AToM and L2TPv3
have the
common
objective
of transmitting
packet-switched
traffic
(Frame Relay, ATM, and Ethernet) across a packet-switched network (PSN). What separates
the two is the fact that AToM transports Layer 2 traffic over an MPLS-enabled network,
whereas L2TPv3 transports it over a native IP network core. Both L2TPv3 and AToM are offered
as part of the new Cisco Unified VPN Suite.
Figure 1-4 shows a sample enhanced Layer 2 VPN topology. The Layer 2 VPN tunnels provide
the transport to make routers 3 and 4 appear to be directly connected to Packet over SONET
(POS) interfaces (interfaces 1 and 4).
Figure 1-4. Enhanced Layer 2 VPN Example

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
Supported Layer 2 encapsulations
High-Level
Data Link Control
Learn aboutinclude
Layer 2802.1Q
Virtual VLAN,
PrivateCisco
Networks
(VPNs)
(HDLC), Ethernet, Frame Relay, POS, ATM, and PPP.
The first phase of Layernetwork
2 VPN development
architecture in Cisco IOS Software supports like-to-like
connectivity. This requires that the same transport type be at each end of the network. In the
second phase, Layer 2 Gain
VPNsfrom
werethe
enhanced
to to
provide
interworking
functions
thatutilizing
can connect
first book
address
Layer 2 VPN
application
disparate transport types
atATOM
each end,
such protocols
as Frame Relay at one end connecting to Ethernet
both
and L2TP
VLAN at the other.

Subsequent customers,
chapters refer
tohave
"enhanced
Layer 2 VPNs"
as "Layer
2 VPNs"
for
they
some drawbacks.
Ideally,
carriers
with existing
simplicity. legacy Layer 2 and Layer 3 networks would like to move toward a single
infrastructure.
Note


Summary By
The enhanced LayerPublisher:

2 VPN approach
Cisco Pressis the preferred approach for networks to extend and
scale legacy Layer 2 Pub
VPNDate:
deployments,
March 10, 2005transport-oriented carriers in general, or any situation
that has few VPN sites.
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
Service
providers that are building
on the vision of extensible and efficient packet-based
Index
infrastructures
need a deployable migration solution to maximize and protect their existing
investments and revenues. Development of the new Layer 2 VPN technologies such as AToM
and L2TPv3 enables the consolidation of Layer 2 and 3 networks while building the value-added
IP service portfolios.
productivity gains

infrastructure.

Chapter 2. Pseudowire Emulation

Framework and Standards

ISBN: 1-58705-168-0
Table of covers the following topics:

This chapter
Contents
Index
Pages: 648
Pseudowire emulation overview
Pseudowire emulation standardization

Chapter 1, "Understanding
Layer
2 VPNs," introduced Layer 2 virtual private network (VPN)
productivity
gains
concepts and the problems it is designed to solve. It also highlighted the technology and
deployment differences between Layer 2 VPNs and Layer 3 VPNs.
Among the new packet-based Layer 2 VPN architectures, pseudowire emulation forms the
foundation for transporting
Layer
2 traffic
acrossthe
IP/Multiprotocol
Switching
(MPLS)
Reduce
costs
and extend
reach of your Label
services
by unifying
your
networks. This chapternetwork
describes
the general architecture for pseudowire emulation and
architecture
networking solutions proposed in standardization organizations that sometimes compete with
Gain from
the Layer
first book
to architectures
address Layerthat
2 VPN
utilizing
one another. It also highlights
other
2 VPN
areapplication
based on pseudowire
emulation.

infrastructure.

Pseudowire
Emulation Overview
Pseudowire emulation
is essentially
a mechanism that re-creates the characteristics of a Layer
Publisher:
Cisco Press
1 or Layer 2 circuit service,
multiplexing (TDM) or Frame Relay, over a
Pub Date:such
Marchas
10,time-division
2005
packet-switched network (PSN). Pseudowires are emulated circuits that carry service-specific
ISBN: 1-58705-168-0
Tabledata
of
protocol
units (PDU) from one customer device to another through the service provider
Pages:
648
Contents
network.
To end customers and their devices, it is transparent that the circuit service is
Index through pseudowire emulation. In other words, if the transit network is migrated from
provided
a circuit-based legacy network to a packet-based IP/MPLS network, end customers do not
perceive any change in services offered by the service provider.
Master
the world
of Layer
2 VPNs
to provide
enhanced
and enjoy
The motivation for
pseudowire
emulation
comes
from
the desire
to haveservices
a converged
network
productivity
that delivers multiple
servicesgains
that are currently provided by parallel or overlay networks. Each
of these parallel networks offers a specific service. Parallel networks are not only expensive in
terms of capital expense and operational costs, but they also make it difficult to expand and
maintain network infrastructure and services.
Because IP traffic has increasingly become the majority of the overall network communication,
many service providers realize the benefit of investing in packet-based core networks either by
expanding the existing PSNs or migrating from their legacy circuit-based networks. Although
aiming at providing new packet-based services such as voice over IP (VoIP) and video on
demand with this new network infrastructure, service providers also look for ways to migrate
the existing services toReview
the new
infrastructure
to maximize
the return
on capital
strategies
that allow
large enterprise
customers
toand
enhance
operational investmenttheir
without
impact
to thewhile
existing
revenue streams.
service
offerings
maintaining
routing control
makes it possible to achieve this objective.
The next sectionsare
describe
the fundamental
concepts
pseudowire
the
still derived
from data and
voice of
services
basedemulation
on legacyand
transport
processes involved
in
its
deployment,
as
follows:
Network reference model
services
over their
existing Layer 3 cores. The solution in these cases is a
Protocol layer
and system
architecture
Transportinginfrastructure.
over PSNs
Pseudowire Layer
setup 2 VPN Architectures introduces readers to Layer 2 Virtual Private
Network Reference
Model
history and
implementation details of the two technologies available from
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSDespite different based
Layer 2cores
VPN and
solutions
deployment
models,
a common
network
reference
Layerand
2 Tunneling
Protocol
version
3 (L2TPv3)
for native
model can be applied
to
illustrate
the
general
properties
of
pseudowire
and
other
network
components in the
pseudowire
emulation
architecture,
as shown in Figure
2-1.
reader
to Layer
2 VPN benefits
and implementation
requirements
and
Figure 2-1. Pseudowire Emulation Network Reference Model


Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
A provider edge (PE) device is in the service provider administrative domain. It provides
Master
the world
Layer 2 edge
VPNs(CE)
to provide
services
pseudowire emulation
service
to a of
customer
deviceenhanced
that belongs
to theand enjoy
productivity
gains
administrative domain
of the customer.
One or more attachment circuits are used to connect a CE to the PE. An attachment circuit can
about
Layera 2PPP
Virtual
Private
Networks Data
(VPNs)
be an Ethernet port, anLearn
Ethernet
VLAN,
session,
a High-Level
Link Control (HDLC)
link, a Frame Relay data-link connection identifier (DLCI), an ATM virtual path identifier
Reduce
costs
and extend
the reach of your services by unifying your
(VPI)/virtual connection
identifier
(VCI),
and so on.
A pseudowire is a virtual circuit between two PE devices that interconnects two attachment
Gain
from the
first book
to address
2 VPNsignaling.
application
utilizing
circuits. You can set it up
through
manual
configuration
orLayer
automatic
After
you
both
ATOM
and
L2TP
protocols
establish a pseudowire between two PE devices, native frames received from an attachment
circuit are encapsulated into pseudowire PDUs and sent over pseudowire to the peering PE.
Review
that allow
large enterprise
customers
to into
enhance
When pseudowire PDUs
arrive strategies
at the receiving
PE device,
they are changed
back
the native
their
service
offerings
while
maintaining
routing
control
form and forwarded to the corresponding attachment circuit.
For form
a majority
of Service Providers,
a significant
portion
of their to
revenues
Provider (P) devices
the packet-switched
core network
and are
transparent
CE devices.
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
They are unaware of pseudowires and pseudowire traffic, which PE devices manage. This kind
technologies.
Although
Layer 3 MPLS
fulfill the Therefore,
market need
forcan
some
of transparency alleviates
the design
complexity
of theVPNs
core network.
you
customers,
they
have
some
drawbacks.
Ideally,
carriers
with
existing
optimize the core network for core routing and packet forwarding performance without being
legacy
Layer 2ofand
Layer
3 networks
would like toalso
move
toward
a single
constrained by the
complexity
edge
services.
This transparency
helps
to scale
the
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
number of emulated circuits. You need to provision only the edge devices for new circuits;
you
services
their existing Layer 3 cores. The solution in these cases is a
can leave the core
devicesover
alone.
infrastructure.
Protocol Layer
and
System
Architecture
Layer
2 VPN
Architectures
introductory
studies
andlayers:
comprehensive design scenarios. This book
involvescase
three
protocol
PSN layer the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
Pseudowire IP
encapsulation
layer
cores. The structure
Payload layer
The PSN layer specifies the network addressing information of PE devices, which can be IPv4
addresses, IPv6 addresses, or MPLS labels. Network devices use the PSN layer to determine
the forwarding path of pseudowire packets. You can think of this path as a packet-switched
tunnel that carries pseudowire packets.
The pseudowire encapsulation layer consists of a pseudowire demultiplexing sublayer and an
encapsulation sublayer. The pseudowire demultiplexing sublayer provides a means to carry
multiple pseudowires over a single packet-switched tunnel. Each pseudowire has a
demultiplexing value that is unique within a tunnel. The encapsulation sublayer carries payload
encapsulation information that is removed at the ingress PE device so that the receiving PE
device can reconstruct the payload into its native form before sending it to the attached CE
device. For example, when the sublayer is transporting Frame Relay traffic over MPLS
networks, it removes the Frame Relay header. Payload encapsulation information, such as the
2 VPN Architectures
backward explicitLayer
congestion
notification (BECN) bit and discard eligible (DE) bit, must be
ByWei Luo, - sublayer.
CCIE No. 13,291,
Carlos Pignataro,
CCIE No. 4619,
Bokotey,
- CCIE numbers
placed in the encapsulation
If necessary,
this- sublayer
alsoDmitry
carries
sequence
4460,Anthony
Chan,
- CCIE No. 10,266
that are used for No.
in-order
packet
delivery.
The payload layer carries
theCisco
pseudowire
payload in various forms. For example, it can be
Publisher:
Press
Frame Relay packetsPub
in the
native form or simplified form, ATM AAL5 packets, ATM cells,
Date: March 10, 2005
Ethernet packets, and so on.
ISBN: 1-58705-168-0
Table of
Pages:
648
Figure
2-2 illustrates the interaction
of pseudowire protocol layers that reside on two peering
Contents
PE devices.
Each layer on one PE communicates with the same layer on the other PE through
Index
the lower layers, and the lower layers provide services to the upper layers.
productivity
gains
Figure
2-2. Pseudowire
Emulation Protocol Layers
Learn about Layer[View
2 Virtual
full size image]
infrastructure.
PE devices play the
key role incase
pseudowire
emulation.
In fact, the
conversion
between
native
introductory
studies and
comprehensive
design
scenarios.
This book
circuits and emulated
circuits
is
performed
mostly
inside
PE
devices.
Therefore,
you
can
assists readers looking to meet those requirements by explaining the benefit
from having a high-level
understanding
of thedetails
system
of a PE device.
Figure
2-3
history and
implementation
ofarchitecture
the two technologies
available
from
shows an example
of
the
general
system
architecture.
Figure 2-3.
PEthose
Device
System
Architecture
comparing
them to
of Layer
3 based
VPNs, such as MPLS, then

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
Review strategies
that into
allow
large
enterprise
customers
enhance
The PE device system architecture
is divided
the
control
plane and
the datatoplane.
The
service
offerings while maintaining routing control
data plane componentstheir
include
the following:
are still derived
from
voice services
based
on forth
legacy
Physical interfaces
Convert
bitsdata
into and
electronic
signals back
and
ontransport
the physical
media.
Device drivers
Serve
as2the
layer that
constructs
media-specific
framing
legacy
Layer
andintermediate
Layer 3 networks
would
like to move
toward a single
for the physical
interface
and
provides
a media-independent
the upper
layer.
backbone
while
new
carriers
would like to sell theinterface
lucrativetoLayer
2
Native service
processor
and pseudowire
encapsulation
that deal
technology
that would
allow Layer 2
transport over System
a Layer modules
3
with the data
packet manipulation, which is discussed in detail in the following sections.
infrastructure.
Network forwarding
When aintroduces
data packet
is passed
to the
forwarding
Layer 2 VPNengine
Architectures
readers
to Layer
2 network
Virtual Private
engine fromNetwork
the pseudowire
encapsulation
module, a
destination
network address
is also
(VPN) concepts,
and describes
Layer
2 VPN techniques
via
provided. Depending
on the
of the
PSN
that carries the
pseudowire
traffic,
introductory
casetype
studies
and
comprehensive
design
scenarios.
This the
book
network forwarding
engine looking
looks uptothe
address
the IPv4, IPv6,
or MPLS forwarding
assists readers
meet
thoseinrequirements
by explaining
the
tables. If it finds
anand
outgoing
interface, itdetails
encapsulates
thetechnologies
packet with available
the appropriate
history
implementation
of the two
from
link encapsulation
andUnified
sends VPN
the packet
out of
the output
interface.
Otherwise,
it discards
the Cisco
suite: Any
Transport
over
MPLS (ATOM)
for MPLSthe data packet.
The control planereader
components
include
following:
to Layer
2 VPNthe
benefits
and implementation requirements and
Link layer protocol controller Performs line protocol signaling, such as Frame Relay
Local Management Interface (LMI) and ATM Integrated Local Management Interface
(ILMI), which is needed for setting up attachment circuits.
Pseudowire protocol processor and network protocol processor Perform
pseudowire and routing protocol signaling procedures respectively. PE devices use these
procedures to establish pseudowires and packet forwarding paths, as illustrated in Figure
2-2. The forwarding information that is obtained through the signaling procedures is
distributed to the data plane so that the forwarding table can be populated.
Native Service Processing

Layerscenarios,
2 VPN Architectures
In some deployment
data packets that arrive from attachment circuits are
forwarded into pseudowires
in their
native
form.
In other
cases,
youDmitry
mustBokotey,
process
native
ByWei Luo, - CCIE
No. 13,291,
Carlos
Pignataro,
- CCIE
No. 4619,
- CCIE
packets before applying
pseudowire
encapsulation.
No. 4460,the
Anthony
Chan, - CCIE
No. 10,266
Often, different types

of attachment circuits require different native service processing
procedures. Furthermore, attachment circuits of the same type might require slightly different
processing depending on the configuration that is associated with each attachment circuit.
ISBN: 1-58705-168-0
Native
service
processing
occurs on a per-attachment circuit basis.
Table
of
Contents
Pages: 648
The native
Index service processor (NSP) can manipulate packets in whichever way is necessary as
the packets pass through it. For example, when a PPP packet arrives from a PPP attachment
circuit that uses HDLC framing, the NSP removes the HDLC header so that the remaining PPP
payload can be in a media-independent format. When the pseudowire encapsulated PPP
the world
of Layer
2 payload
VPNs to provide
enhanced
services
andpseudowire
enjoy
payload arrives atMaster
the far-end
PE device,
the
is passed
to the NSP
after the
productivity
gains
encapsulation is removed.
Then
the NSP associated with the outgoing attachment circuit
determines whether media-specific framing needs to be applied to the PPP payload.
Learn
2 Virtual
Privatethey
Networks
When Ethernet VLAN tags
areabout
used Layer
as service
delimiter,
usually(VPNs)
have only local
significance. The role of NSP is to remove the service-delimiting VLAN tag when receiving a
Reduce costs
and extend
your services by unifying
packet from the VLAN attachment
circuit
and to the
add reach
a localofservice-delimiting
VLAN tagyour
when it
network
architecture
receives a packet from the pseudowire.
Gain
from control
the firstinformation
book to address
Layer native
2 VPN packet
application
utilizing
The NSP also normalizes
certain
in different
encapsulation
both
ATOM
and
L2TP
protocols
into a unified representation for pseudowire operation. For example, besides the Ethernet
native frame format, Ethernet packets from CE devices can arrive in other native
Review
that bridged
allow large
to enhance
encapsulations, such as
Framestrategies
Relay or ATM
encapsulations.
By normalizing
the
their
service
offerings
while
maintaining
routing
control
different forms of native packets into a single Ethernet frame format, you reduce the
complexity of pseudowire processing.
Pseudowire Encapsulation
Processing
customers, they
have some drawbacks. Ideally, carriers with existing
backbone
while new
carriers would
like to is
sell
the lucrative
Layer 2
After going through
native service
processing,
the payload
ready
for pseudowire
services over
theirmight
existing
Layer
3 cores.
The solutioncontrol
in these
cases is a and
encapsulation processing.
The NSP
gather
some
payload-specific
information
technology
that would allow
Layer(PEP),
2 transport
over
a Layer
pass it to the pseudowire
encapsulation
processor
typically
through
an3out-of-band
infrastructure.
mechanism. The rationale
behind the out-of-band mechanism is that in this way, the PEP can
treat the payload as an opaque data object; therefore it is relieved from payloadLayer 2 VPN Architectures introduces readers to Layer 2 Virtual Private
protocolspecific operation.
introductory
case
studies
comprehensive
book
The payload control
information
is used
forand
per-packet
signalingdesign
that isscenarios.
necessaryThis
for certain
readers looking
to meet those
requirements
byinclude
explaining
thefor realservices. Besides assists
this information,
the pseudowire
encapsulation
might
timing
history and
time traffic or sequencing
for implementation
out-of-order detection.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSFor point-to-pointbased
pseudowire
emulation,
one-to-one
relationship
exists
between
cores and
Layer 2 aTunneling
Protocol
version
3 (L2TPv3)
forattachment
native
circuits and pseudowires.
In
other
words,
given
an
attachment
circuit,
the
PEP
has
a
corresponding pseudowire
vice
versa.
A pseudowire
consists of arequirements
transmitting and
reader to and
Layer
2 VPN
benefits
and implementation
and a
receiving demultiplexer.
Thethem
transmitting
is applied
theas
payload
comparing
to thosedemultiplexer
of Layer 3 based
VPNs, to
such
MPLS, along
then with
other control information
and sent
to theeach
network
forwarding
engine
for the
remotedetail.
PE device
progressively
covering
currently
available
solution
in greater
to identify the pseudowire. When the network forwarding engine passes a pseudowire packet to
the PEP, the PEP uses the receiving demultiplexer in the packet header to determine to which
attachment circuit and NSP it needs to redirect after removing the pseudowire encapsulation.
Transporting over the PSN

Depending on the PSN infrastructure, you can use either IP or MPLS to transport pseudowire
traffic. The PSN infrastructure not only determines the network layer encapsulation for
pseudowire packets, but it also usually determines the format of the pseudowire demultiplexer.
For instance, if you use IP as the underlying transport, the demultiplexer can be some kind of
IP tunnel protocol field that provides demultiplexing capability. If you are using MPLS, you can
Layer 2inVPN
employ an MPLS label
theArchitectures
label stack for such a purpose.
Some might argue

pseudowire
demultiplexer
is not part of the pseudowire
No.that
4460,the
Anthony
Chan, - CCIE
No. 10,266
encapsulation because of its association with PSN tunneling protocols. This book categorizes
pseudowire demultiplexer
asCisco
partPress
of the pseudowire encapsulation based on its functionality for
Publisher:
pseudowires, not how
it is implemented in a tunneling protocol. Moreover, the type of
pseudowire demultiplexer can differ from the type of the underlying PSN. For example, in some
ISBN: 1-58705-168-0
Table of scenarios, it is necessary to carry pseudowire payload over MPLS and then over IP.
deployment
Pages:
648
That Contents
is usually because of the
existence of a hybrid IP and MPLS network infrastructure for
Index
administrative
or migration purposes. In this case, pseudowires use MPLS labels as the
demulitplexer but IP as the PSN. The protocol details of transporting pseudowire over IP and
MPLS are discussed in Chapter 3, "Layer 2 VPN Architectures."
productivity gains
Setting Up a Pseudowire
aboutservice,
Layer 2you
Virtual
(VPNs) between two PE
Prior to establishing anLearn
emulated
needPrivate
to set Networks
up a pseudowire
devices. You can trigger this setup through one of the following methods:
Manual configuration
ATOM and L2TP protocols
Dynamic protocolboth
signaling
strategies that allow large enterprise customers to enhance
An autodiscoveryReview
mechanism
The manual setup process is much like provisioning ATM permanent virtual circuits (PVC) in
For a Layer
majority
of Service
Providers,
a significant
portion
of their
traditional ATM-based
2 VPNs.
Essentially,
network
operators
determine
all revenues
parameters
are
still
from data
voice
services
based
transport
that are needed to
set
upderived
pseudowires.
Thenand
they
configure
them
on on
thelegacy
PE devices
manually
technologies.
Although
Layer
3 MPLS
VPNs fulfill the process.
market need for some
or through network
management
tools. This
can
be a labor-intensive
Dynamic protocollegacy
signaling
relieves
from many
the operations
that are
Layer
2 andnetwork
Layer 3 operators
networks would
like toofmove
toward a single
required in the manual
setup
by exchanging
and negotiating
backbone
while
new carrierspseudowire
would like information
to sell the lucrative
Layer 2 the
parameters automatically.
Some
initial
provisioning
to be
done
manually
even
with is a
services over
their
existing
Layer 3has
cores.
The
solution
in these
cases
dynamic protocoltechnology
signaling, such
addresses
of peering
PE devices
identification
of
that as
would
allow Layer
2 transport
over and
a Layer
3
remote attachment
circuits.
infrastructure.
An auto-discoveryLayer
mechanism
utilizes an existing
network
distribution
that
is designed
2 VPN Architectures
introduces
readers
to Layerscheme
2 Virtual
Private
for large-scale network
operation
and management,
suchLayer
as a distributed
directory
Network
(VPN) concepts,
and describes
2 VPN techniques
viadatabase or
an interdomain routing
protocol
likestudies
BGP, to
advertise
the emulated
services.
When
devices
introductory
case
and
comprehensive
design
scenarios.
ThisPE
book
learn about the emulated
services
from each
other,
they
automatically
pseudowires
assists readers
looking
to meet
those
requirements
byestablish
explaining
the
among them accordingly.
Ideally,
an auto-discovery
mechanism
has the minimal
amount
history and
implementation
details of
available
fromof
manual involvement
pseudowire
setup.
Although
auto-discovery
definitely
helps
in some
the for
Cisco
Unified VPN
suite:
Any Transport
over MPLS
(ATOM)
for MPLSsituations, especially
during
migration,
the nature
of Layer
2 services
always
incurs a
based
coresservice
and Layer
2 Tunneling
Protocol
version
3 (L2TPv3)
for native
fair amount of manual
provisioning
compared
Layer
services.
IP cores.
The structure
of thistobook
is 3
focused
on first introducing the
Pseudowire setupcomparing
often requires
protocols
or extending
existing
protocols
themcreating
to thosenew
of Layer
3 based
VPNs, such
as MPLS,
then to
signal pseudowireprogressively
information. covering
Creating each
and extending
pseudowire
emulation
protocols
is a
currently available
solution
in greater
detail.
hotly debated area in the networking industry and standardization bodies, as described in the
next section.

Pseudowire
Emulation Standardization
Whenever a major new

technology
emerges, many companies and organizations get involved
Publisher:
Cisco Press
in the standardization
process
and10,try
to push the proposals that are favorable to their
Pub
Date: March
2005
business interests.
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents emulation is no exception.
Pseudowire
Organizations such as Internet Engineering Task Force
Index
(IETF),
IEEE, International Telecommunication Union (ITU), ATM Forum, and MPLS Forum have
produced many technical proposals and documents on pseudowire emulation. Because the
majority of vendor and operator support and activity of pseudowire emulation happen in the
IETF, this section focuses on the standard process of the IETF.
productivity gains
IETF Working Groups

The IETF is the predominant organization that standardizes protocols and solutions based on
Reduce
costs andwork
extend
the IETF
reachisofdivided
your services
unifying
the Internet architecture.
The technical
of the
by topicby
into
severalyour
areas,
network
architecture
such as internet, routing, and transport. Under each technical area are several working groups
where the actual work is done.
both
L2TP protocols
Working groups form as
theATOM
resultand
of popular
interests of solving a particular problem from the
networking community and disband when the problem is resolved. Sometimes the charter of a
that arises
allow large
customers
to enhance
working group changesReview
when astrategies
new problem
or theenterprise
original problem
evolves.
Prior to becoming a working group, an informal discussion group, known as Birds of a Feather
a majority
Service
Providers,
significant
portion
of theirinrevenues
(BOF), is formed For
to measure
theofscope
of the
problema and
the level
of interests
finding the
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
solutions.
customers,
they have
some
Ideally, carriers
with
existing
In the IETF, the following
working
groups
are drawbacks.
discussing proposals
that are
related
to
pseudowire emulation:
technology
that
would allow Layer
2 transport
over
a Layer
Pseudowire
Emulation
Edge-to-Edge
(PWE3)
working
group
The3goal of this
infrastructure.
working group
is to develop standards for the encapsulation and service emulation of
pseudowires. That is, the goal is to encapsulate service-specific PDUs received on one
2 VPNthem
Architectures
introduces
readers
to Layer
2 Virtual and
Private
ingress portLayer
and carry
across a tunnel,
and to
emulate
the behaviors
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via
characteristics of the service as closely as possible. The two most debated proposals
on
introductory
case
studies
and
comprehensive
design
scenarios.
This
bookBOF
pseudowire emulation"draft-martini" and "draft-kompella"first surfaced in this PWE3
assists
lookinglater
to meet
those
requirements by explaining the
session. Both
draftsreaders
are discussed
in this
chapter.
theworking
Cisco Unified
VPN
suite:
Any group
Transport
over MPLSfor
(ATOM)
MPLSLayer 2 VPN
group
This
working
is responsible
three for
major
Layer 2
based
cores and Layer
2 Tunneling
Protocol
version
3 (L2TPv3)
for native
VPN solutions
or architectures:
Virtual
Private LAN
Service
(VPLS),
Virtual Private
Wire
IP cores.
structure
this book
focusedgroup
on first
introducing
the2 VPN
Service (VPWS),
and The
IP-only
Layer of
2 VPNs.
Theisworking
focuses
on Layer
reader
to Layerrather
2 VPNthan
benefits
and
implementation
requirements
signaling and
provisioning
Layer
2 native
service emulation,
whichand
is the
comparing
them
to those
responsibility
of the PWE3
working
group.
Layer 2 Tunneling Protocol working group This working group is responsible for
protocol extensions that support carrying multiple Layer 2 services over IP networks.
Layer 2 VPN Architectures on Pseudowire Emulation

During the Circuit Emulation over Transport BOF (later renamed to PWE3) at the 49th IETF
meeting in 2000, two Internet drafts made their debut and stirred up waves of commotion and
heated debates. They were known as "draft-martini" and "draft-kompella."
Both drafts addressed the question of how to achieve pseudowire emulation over packet-based
networks, but the solutions that each proposed were vastly different. The two drafts were
focused on achieving
emulation over MPLS-based packet networks, and each
Layerpseudowire
2 VPN Architectures
solution had its advantages and disadvantages. Members of the networking community quickly
divided themselves into two camps based on the different design philosophies that were
embedded in the two drafts.
Table of
Note
Contents
ISBN: 1-58705-168-0
Pages: 648
Index
The terms draft-martini and draft-kompella have become synonyms for the two
different network architectures that they represent. The actual drafts do not exist in
IETF anymore, but the ideas behind them are making their ways toward becoming
standards. However,
these
informal
names
aretostill
widelyenhanced
used in the
networking
Master the
world
of Layer
2 VPNs
provide
services
and enjoy
community to
identify
the
doctrine
of
each
vendor
implementation.
This
section lists
productivity gains
the pros and cons of each architecture and does not intend to advertise one method
over the other.
draft-martini
The most significant characteristic
of draft-martini
is its simplicity and straightforwardness.
both ATOM and
L2TP protocols
UsingFigure 2-1 as reference, the draft describes how to establish a pseudowire between two
attachment circuits that
are located
on two
peering
PE devices.
It also
specifiestothe
Review
strategies
that
allow large
enterprise
customers
enhance
encapsulation methodstheir
for each
Layer
2 service.
The
Label Distribution
Protocol (LDP)
service
offerings
while
maintaining
routing control
distributes MPLS labels for various MPLS applications, including pseudowire emulation. The
For a majority
of Service
significant
portion of their
revenues
architecture is concerned
with creating
andProviders,
managingaindividual
point-to-point
pseudowires,
are still derived
from data and voice services based on legacy transport
which have no correlation
to one another.
Before initiating acustomers,
pseudowirethey
to ahave
remote
PE,drawbacks.
you need toIdeally,
provision
the local
with a virtual
some
carriers
withPE
existing
circuit (VC) ID or legacy
pseudowire
shared
by 3both
the local
andlike
remote
attachment
circuit,
LayerID
2 and
Layer
networks
would
to move
toward a
singleand
an IP address of the
remotewhile
PE. Because
the baseline
LDP
not lucrative
readily have
the
backbone
new carriers
would like
todoes
sell the
Layer
2 necessary
protocol element services
for pseudowire
signaling,
draft3 defines
a pseudowire
forisLDP.
over their
existingthe
Layer
cores. The
solution inextension
these cases
a A
pseudowire is considered
established
when
theLayer
peering
PE devices
exchange
information
technology
that would
allow
2 transport
over
a Layer label
3
for the pseudowire.
Using LDP terminology, this means that each PE device sends and receives
infrastructure.
a label mapping message for a given pseudowire.
Network operators
can provision
pseudowires
using the
architecture
that is defined
Network
(VPN) concepts,
andby
describes
Layer
2 VPN techniques
via in draftmartini manually introductory
or through some
of network
management
system.
It is much
like
case sort
studies
and comprehensive
design
scenarios.
This
book
provisioning traditional
Relay
or ATM
PVCbased
2 VPNs. by
However,
someone
assistsFrame
readers
looking
to meet
those Layer
requirements
explaining
the could
perceive this as either
a good
attribute or a bad
one.of
Some
liketechnologies
the architecture
because
this is
history
and implementation
details
the two
available
from
a familiar business,
much
of the
experience
and
tools developed
in (ATOM)
the traditional
Layer 2
theand
Cisco
Unified
VPN
suite: Any
Transport
over MPLS
for MPLSVPNs can be leveraged.
Others
think
the2architecture
suffers the
same
of problems,
such as
based cores
and
Layer
Tunneling Protocol
version
3 set
(L2TPv3)
for native
scalability, as those
of the The
traditional
Layer
2 VPNs.
IP cores.
structure
of this
book is focused on first introducing the
This Layer 2 VPN comparing
architecture
supports
point-to-point
Layer 2
services,
them
to those
of Layer 3 based
VPNs,
such including
as MPLS, Frame
then Relay,
ATM AAL5, ATM Cell,
Ethernet, covering
Ethernet each
VLAN,
PPP, andavailable
HDLC, insolution
additioninto
Layer detail.
1 service,
progressively
currently
greater
such as TDM.
draft-kompella
The architecture that is proposed in draft-kompella does not resemble that of the draft-martini
or the traditional Layer 2 VPNs. To a certain degree, it shares some characteristics of Layer 3
dynamic routing. Unlike draft-martini, it involves complex signaling procedures and algorithms,
and the provisioning scheme, which is somewhat tricky, works better with some Layer 2
services than others.

One major objective of draft-kompella is to tackle the inherent scalability problem of the
Layer
2 VPN
traditional Layer 2
VPNs.
AsArchitectures
shown earlier in Figure 2-1, a pseudowire is needed to connect two
CE devices that attach
to two
different
PECarlos
devices.
To have
among
the CE
ByWei Luo,
- CCIE
No. 13,291,
Pignataro,
- CCIEfull
No.connectivity
4619,Dmitry Bokotey,
- CCIE
devices when theNo.
number
of CEChan,
devices
increases,
4460,Anthony
- CCIE
No. 10,266 the number of pseudowires that needs to be
established and managed grows exponentially.
In addition, every time you add a new CE device or move an existing CE device to attach to a
different PE device, you must reconfigure all the PE devices that are participating in this VPN to
ISBN: 1-58705-168-0
maintain
Table the
of full-mesh connectivity. This can become a dauntingly labor-intensive task for
Pages:
network
operators. The draft648
attempts to solve the scaling problem by over-provisioning the
Contents
number
Indexof attachment circuits needed for current CE devices so that the existing CE and its PE
devices do not need to be reconfigured when adding a new CE to a VPN. The basic premise for
over-provisioning is that the attachment circuits between CE and PE devices are relatively
cheap.
productivity
gains
To provision a Layer
2 VPN using
the architecture that is defined in draft-kompella, each CE
that belongs to the VPN is given a CE ID, and each CE is configured with a maximum number
of CE devices that it can connect to. This is also known as the CE range . Each attachment
Learn
Layer
Virtual
Private
Networks
(VPNs)
circuit between a CE and
a PEabout
is given
an 2index
value,
which
corresponds
to a particular remote
CE ID in this VPN. By such an arrangement, each CE can derive which attachment circuit
Reduce
costs PE
and
the reachwith
of your
by unifying
your
connects to which remote
CE. Each
is extend
then configured
the services
VPNs in which
it participates.
network
architecture
Each VPN is denoted by a VPN ID. The PE is provisioned with a list of CE devices that are
members of a given VPN. The PE also knows the CE ID, CE range, and the index values for the
attachment circuits of each CE.
When a PE is configured with all the necessary information for a CE, it allocates a contiguous
range of MPLS labels that corresponds to the CE range. The smallest value in this label range is
called the label base . For each CE, the PE then advertises its own router ID, VPN ID, CE range,
and label base through
BGP update
messages,
which aare
broadcast
to all other
PErevenues
devices.
For a majority
of Service
Providers,
significant
portion
of their
Even though some
PE
devices
might
not
be
part
of
the
VPN,
they
can
receive
and
keep
this
information just in
case
a
CE
that
is
connected
to
the
PE
joins
the
VPN
in
the
future.
Because
the baseline BGP customers,
does not readily
have some
the necessary
protocol
element
forwith
pseudowire
they have
drawbacks.
Ideally,
carriers
existing
signaling, the draft
defines
a
pseudowire
extension
for
BGP.
This architecture solves the scaling problem by making the provisioning task of adding a new
CE device a local matter. That is, whenever a new CE device is added, only the CE and the PE
to which it is attached need to be configured. Remote CE and PE devices do not need
infrastructure.
reconfiguration because they can calculate which spare attachment circuit should be used to
communicate with
the new
CE.
Remote PE devices
can readers
also learn
new CE
through
Layer
2 VPN
Architectures
introduces
to about
Layer the
2 Virtual
Private
BGP update messages.
The
broadcast
nature
of
BGP
makes
it
easy
to
automatically
Network (VPN) concepts, and describes Layer 2 VPN techniques viadiscover PE
devices that are participating
Layer
2 VPNs,
further reduces
configuration
on PE
introductory in
case
studies
and which
comprehensive
designthe
scenarios.
This book
devices.
The weakness of this architecture comes from the validity of the assumptions it is based on.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSFor example, the low cost of attachment circuits is valid when the CE and PE are directly
connected through virtual circuits such as Frame Relay and ATM PVCs, but not when they are
connected through a switched Frame Relay or ATM network, or the attachment circuits are
individual physical links and ports, such as PPP and HDLC links. In the latter case in which the
cost of individual attachment circuits is expensive, over-provisioning becomes impractical. Also,
the typical Layer 2 VPNs deployed today are rarely fully meshed because having a fully meshed
flat network creates scaling problems for Layer 3 routing, where hierarchy is desired. If a Layer
2 VPN consists only of sparse point-to-point connections, advertising the information of a CE to
all other PE devices and keeping it on these PE devices waste network resources because such
information is only interesting to a single remote PE.
Not exhaustively, Table 2-1 compares the most noticeable characteristics of the two Layer 2
VPN architectures that are defined by draft-martini and draft-kompella.
Table 2-1. Pseudowire Emulation Architecture Comparison

ByWei
Luo, - CCIE No. 13,291,Carlos Pignataro,
- CCIE No. 4619,Dmitry Bokotey, - CCIE
draft-martini
draft-kompella
Network
topology
Individual point-to-point
pseudowires
Publisher:
Cisco Press
Fully meshed point-to-point

pseudowires
Complexity

Low
High
Table of
Contents
Index
Scalability
Applicability
Signaling
protocol
Discovery
protocol
Support base
ISBN: 1-58705-168-0
Poor with fully meshed

Pages: 648
topology; fair with arbitrary
topology
High with fully meshed

topology; poor with arbitrary
topology
High; works well on both

Fair; works better on directly
Layer 2 and Layer 1 services
connected Frame Relay and
Master the world of Layer 2 VPNs toATM
provide
services
PVCsenhanced
than other
types and enjoy
productivity gains
LDP
BGP

Do not support autodiscovery BGP
network
architecture
Wide
vendor
support
Limited vendor support
Gain from
the first
book to address
Layer 2 VPN application utilizing
Standardization Proceed
to PWE3
working
Obsolete
bothdocument
ATOM andstatus
L2TP protocols
progress
group
Even though draft-martini has made a lot of progress in standardization and deployment, its
primitivenesssuchFor
as athe
lack of of
support
inProviders,
Layer 2 VPN
autodiscoveryis
New
majority
Service
a significant
portionrecognized.
of their revenues
solutions have since
been
worked
on
to
overcome
the
issues
found
throughout
product
development andtechnologies.
network deployment.
find 3out
more
about
thethe
latest
development
in the
AlthoughTo
Layer
MPLS
VPNs
fulfill
market
need for some
standardization process,
refer
to
the
IETF
web
site
at
http://www.ietf.org.
services
Other Layer 2
VPN over
Architectures
infrastructure.
The Layer 2 VPN architectures on pseudowire emulation generally define the procedures for
setting up individual pseudowires and encapsulation methods for different Layer 2 services.
They are the foundation and building blocks for other types of Layer 2 VPN architectures.
VPWS is directly derived from pseudowire emulation. A VPWS is essentially a network of pointassists readers looking to meet those requirements by explaining the
to-point pseudowires that interconnect CE devices of a Layer 2 VPN. Besides the basic
pseudowire emulation service, VPWS defines the specifications for point-to-point Layer 2 VPN
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSservice in broader terms, such as quality of service (QoS), security, redundancy, VPN
membership discovery, and so on. VPWS in some way is designed as a replacement for the
traditional Frame Relay or ATM-based Layer 2 VPN.
comparing
them to those
of Layer
3 based
VPNs,
suchdifferent
as MPLS,architecture
then
VPLS also uses the
basic pseudowire
emulation
service,
but it
is a very
progressively
covering
each
currently
available
solution
in
greater
from VPWS. The objective of VPLS is to emulate Transparent LAN Service (TLS) in adetail.
packetbased network, which is typically seen in Layer 2 switched Ethernet networks. Instead of acting
as a point-to-point cross-connect between the attachment circuit and pseudowire, a VPLS PE
functions as an Ethernet bridge. When receiving an Ethernet frame from a CE, the PE looks up
the destination MAC address of the frame in its bridging table. If it finds a match, it forwards
the frame to the output interface that is specified in the bridging table. Otherwise, it learns and
stores the source MAC address in the bridging table, and it floods the Ethernet frame to all
output interfaces in the same broadcast domain. Whereas VPWS requires one dedicated
attachment circuit for each remote CE device, VPLS allows a single attachment circuit to
transmit frames from one CE to multiple remote CE devices. In this respect, VPLS resembles
the characteristics of Layer 3 VPN more than VPWS.

IP-only LAN Service (IPLS) is similar to VPLS, but it is tailored and simplified for carrying IP
Layer
VPN
Architectures
traffic only. In IPLS,
a 2CE
device
can be a host or a router but not a switch, whereas VPLS has
no such a restriction.
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.

Summary By
is an emerging
Publisher:
Cisco Press networking technology that aims at transitioning
traditional Layer 2 services
much
PSNs for operating cost reduction and new
Pub Date:to
March
10, leveraged
2005
value-added services.
ISBN: 1-58705-168-0
Table of
Pages:
Contents
Within
the network reference648
model, PE devices are the key components that provide
Index
pseudowire
emulation services. A PE device consists of the control plane that establishes and
maintains pseudowires among PE devices and the data plane that converts frames from their
native encapsulation to pseudowire encapsulation back and forth.
Master
world of Layer
2 VPNs
to provide enhanced
services
andexplained
enjoy
This chapter outlined
thethe
pseudowire
protocol
and encapsulation
layering.
It further
productivity
gains
the various stages
of processing
in a pseudowire emulation system, such as signaling, native
service, pseudowire encapsulation, and tunnel encapsulation.
Learndeployment
about Layerof2pseudowire
Virtual Private
Networks
Even with the fast-growing
emulation,
the(VPNs)
standardization process is
an ongoing effort. The IETF and its working groups are the most active and widely respected
Reduce that
costsdevelop
and extend
the reach
ofsolutions
your services
by unifyingemulation
your
standardization organizations
frameworks
and
for pseudowire
network
architecture
and Layer 2 VPN technology in general. This chapter compared the most debated proposals on
pseudowire emulation architectures and highlighted other Layer 2 VPN architectures that are
built on top of pseudowire emulation.
infrastructure.

Chapter 3. Layer 2 VPN Architectures

Cisco Press
the following
topics:
ISBN: 1-58705-168-0
Table of
private
network (VPN)
Legacy Layer 2 virtual
Pages:
648
Contents
Index
Any Transport over MPLS (AToM)
Layer 2 Tunnel Protocol version 3 (L2TPv3)
Master
the worlddifferent
of LayerLayer
2 VPNs
to provide
enhanced
services
The previous chapter
highlighted
2 VPN
architectures
proposed
byand
theenjoy
network
productivity
gainsTask Force (IETF) working groups. In the past few years,
industry and Internet
Engineering
significant progress has been made both in designing the Layer 2 VPN protocol specifications
and realizing such innovations in a suite of new products. Pseudowire emulation serves as the
fundamental building block for different Layer 2 VPN architectures.
A handful of network equipment vendors have developed products that support various levels
of pseudowire emulation. The deployment of pseudowire emulation has started growing in the
service provider space.
As part of the Unified VPN Suite Solution offering, Cisco IOS Software introduces two flavors of
pseudowire emulation:
AToM

L2TPv3
customers,
they and
have
some drawbacks.
Ideally,
with existing
To understand the
functionalities
characteristics
pertaining
tocarriers
these products,
you need to
legacyproperties
Layer 2 and
Layer
3 networks
like to or
move
toward
a single
first know the inherent
and
operations
of thewould
traditional,
legacy,
Layer
2 VPNs.
infrastructure.

Legacy Layer
2 VPNs
Many types of legacy

Layer 2Cisco
VPNs
exist. The most commonly seen legacy Layer 2 VPNs are
Publisher:
Press
based on the following
Pubtechnologies:
Table of
Frame Relay
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
ATM
Data-link switching (DLSw)

Virtual private
dial-up network
productivity
gains (VPDN)
about Layer 2 Virtual Private Networks (VPNs)

Frame Relay andLearn
ATM
Initially, Layer 2 VPNs network
were built
using leased lines. Frame Relay and ATM are the costarchitecture
effective alternatives to the expensive and dedicated leased line service. Service providers can
offer these lower cost services
to the
their
customers
becauseLayer
the Frame
and ATM
network
Gain from
first
book to address
2 VPNRelay
application
utilizing
infrastructure can be shared
among
many
both ATOM
and
L2TPcustomers
protocols while maintaining a comparable level of
functionality and guarantee as the leased line service. Frame Relay and ATM also provide link
Reviewcustomers
strategieslike
that
allow
large
enterprise
separations among different
the
leased
line
service. customers to enhance
One of the most appealing features that Frame Relay and ATM support is bandwidth
a majority
of Service
Providers,
a significant
portion of
their Relay
revenues
oversubscription,For
which
the leased
line service
normally
does not provide.
Frame
and
are still purchase
derived from
data and information
voice services
based
legacy
transport
ATM customers typically
a committed
rate
(CIR)on
that
allows
traffic burst
technologies.
AlthoughThe
Layer
MPLS
VPNs fulfill the
market
need for when
some the
to access the service
provider network.
CIR3 is
the guaranteed
minimal
bandwidth
customers,
they
have some
drawbacks. Ideally,
carriers
existing
network is congested.
With the
bandwidth
oversubscription
feature,
Framewith
Relay
and ATM
legacy
2 and than
Layerthe
3 networks
would
like
to move
toward
a single
customers can use
moreLayer
bandwidth
CIR during
traffic
bursts
as long
as the
network
backbone
while
new
carriers
would
like tocircuit
sell the
lucrative Layer
2
has available capacity.
Frame
Relay
and
ATM also
provide
multiplexing
capability
that
services
over circuits
their existing
cores. The
solution
these cases
a be
carries multiple logic
or virtual
over aLayer
single3physical
link,
and theinvirtual
circuitsiscan
technology
that would
allow Layer 2 transport over a Layer 3
used to connect to
different remote
sites.
infrastructure.
Frame Relay and ATM have been the most popular and expansive form of legacy Layer 2 VPN
VPN Architectures
introduces
readers
to Layer
2 Virtual
Private
deployment. TheyLayer
are a2huge
revenue-generating
source
for service
providers.
However,
(VPN) are
concepts,
and describes
Layer
2 VPNand
techniques
Frame Relay and Network
ATM networks
still relatively
expensive
to build
operate.via
Service
introductory
case
studies and parallel
comprehensive
design
scenarios.
This book
providers often have
to maintain
separate
networks
for Layer
2 and Layer
3 traffic.
assists
readers
looking
to meet
requirements
by explaining
Figure 3-1 illustrates
such
parallel
networks
that those
offer Layer
2 and Layer
3 services.the
IP cores. The
structure
of this
book is focused
Figure
3-1.
Parallel
Network
Infrastructures
progressively covering [View
eachfull
currently
size image]available solution in greater detail.

ISBN: 1-58705-168-0
Table of
Contents
Index
Pages: 648
productivity gains
When building a Layer 2 VPN in a Frame Relay or ATM network, you need to provision edge
switches that connect to customer devices with individual virtual circuit mappings, and
aboutedge-to-edge
Layer 2 Virtual
Private Networks
provision core switchesLearn
to provide
connectivity
for the (VPNs)
virtual circuits (VC). Figure
3-2 illustrates a Layer 2 VPN built using a Frame Relay or ATM network. The links that are
Reduce
costs
and extend
depicted in the diagram
represent
logical
connections.
Figure
both ATOM
andRelay
L2TP protocols
3-2.
Frame
or ATM-Based Layer 2 VPN

infrastructure.
Data Link Switching
DLSw provides a method to transport legacy and nonroutable protocolssuch as Systems
Network Architecture (SNA), Network Basic Input/Output System (NetBIOS), and NetBIOS
Extended User Interface (NetBEUI)over IP. It has better functionality and scalability than
Remote Source Route Bridging (RSRB), but it has limited protocol support.
Virtual Private Dial-Up Network

Many aspects of pseudowire emulation resemble those of VPDN. In this sense, you can think of
VPDN as the predecessor of the modern Layer 2 VPN architectures.
VPDNs are commonly used in wholesale remote-access environments. Without VPDNs,

enterprises have to purchase and manage dial-up lines and network access servers for their
employees to access internal enterprise resources remotely. The operating and upgrading cost
can be prohibitively
expensive for small and medium-sized companies. For large companies,
ByWei Luo, - CCIE
No. 13,291,
Carlos
Pignataro,dedicated
- CCIE No. 4619,
Dmitry
Bokotey,
- CCIE
VPDNs require a substantial
expense
when
deploying
remote
access
networks
in a
No. 4460,
Anthony Chan, - CCIE No. 10,266
widespread geographic
environment.
VPDNs enable enterprises
to Cisco
outsource
Publisher:
Press their remote access infrastructures and operations to
wholesale service providers.
The service
Pub Date: March
10, 2005 providers offer remote access facilities to enterprise
remote users from the nearest point of presence (PoP) and backhaul the remote access
ISBN: 1-58705-168-0
Table of to the enterprise home gateways. The enterprises only need to manage a small
connections
Pages:
648
Contents
number
of home gateways for all their remote users. Ultimately, VPDNs lower the overall
Indexoperating cost for the enterprises.
network
For service providers, VPDNs are a new source of revenue serving multiple business and
individual customers with the same remote access network infrastructure. When the total
Master theservice
world of
Layer 2 VPNs
to provide
enhanced
services
and enjoy
number of users increases,
providers
can add
or upgrade
their remote
access
network
productivity
gains because all users benefits from it. Figure 3-3 depicts a
capacity in a more
economic fashion
VPDN network topology.

Figure
3-3.
Virtual Private Dial-Up Network
network
architecture
[Viewprotocols
full size image]
both ATOM and L2TP
The protocols thattechnology
support VPDN
the following:
that include
would allow
Layer 2 transport over a Layer 3
infrastructure.
Point-to-Point Tunneling Protocol (PPTP)
Layer 2 Forwarding (L2F) Protocol
assists
readers
looking
to meet those requirements by explaining the
Layer 2 Tunnel
Protocol
Version
2 (L2TPv2)
the Cisco
suite:network
Any Transport
MPLS
(ATOM)
for MPLS- and
These protocols tunnel
PPPUnified
packetsVPN
between
access over
servers
and
home gateways,
based
cores and
Layer
2 Tunneling
Protocol
version
3 can
(L2TPv3)
for native
PPP is the only Layer
2 protocol
they
transport.
However,
because
PPP
encapsulate
cores. The
structure
of this book is
focused
on first (IPX),
introducing
the
multiple network IP
protocols,
such
as IP, Internetwork
Packet
Exchange
and AppleTalk,
to Layer
2 VPN benefits
many applicationsreader
find VPDN
sufficiently
useful. and implementation requirements and
Note
L2TPv2 is described in the IETF standard RFC 2661. It is a consensual product of the
L2TP Extension working group and is derived from the proprietary tunneling protocols
PPTP and L2F from Microsoft and Cisco, respectively.
The following is a brief description of how VPDN protocols operate:

1. A remote user
or Luo,
a remote
end13,291,
station
initiates
a -PPP
connection
to the
service
provider
ByWei
- CCIE No.
Carlos
Pignataro,
CCIE
No. 4619,Dmitry
Bokotey,
- CCIE
using eitherNo.
an4460,
analog
telephone
line
or
an
ISDN
line.
2. The network access server receives the connection request from the remote user.
Date: March
10, server
2005
3. (Optional) The Pub
network
access
authenticates the remote user using the specified
ISBN: 1-58705-168-0
authentication method,
such as Password Authentication Protocol (PAP), Challenge
Table of
Handshake Authentication
Pages: 648 Protocol (CHAP), or interactive terminal session.
Contents
Index
4. After the remote user is authenticated, an authorization process determines whether the
user should be locally terminated or tunneled to a home gateway.
5. If the remote user needs to be tunneled to a remote home gateway, one of the VPDN
protocols establishes a tunnel between the network access server and the home gateway,
productivity gains
and an optional authentication step can validate the identification of the tunnel endpoints.
6. The user PPP connection
is encapsulated
into Private
a VPDNNetworks
session from
the network access
Learn about
Layer 2 Virtual
(VPNs)
server to the home gateway.
7. The home gateway
authenticates
the remote user carried in the VPDN session. Upon
network
architecture
successful authentication, the home gateway terminates the PPP connection and grants
predefined network
access
to the
Gain
from privileges
the first book
to remote
addressuser.
8. Now PPP frames can pass between the remote user and the home gateway.
For detailed configuration
andofferings
examples
of the
legacy Layer
2 VPNs,
refer to Cisco.com.
theirtasks
service
while
maintaining
routing
control
Table 3-1 lists some characteristics of the legacy Layer 2 VPNs.
Table
3-1.Layer
Legacy
VPN Comparison
legacy
2 andLayer
Layer 32networks
would like to move toward a single
Legacy Layer services over their existing Layer 3 cores. The solution in these cases is a
technology
that would allow Layer
2 transport
over a Layer 3
2 VPN
Payload Type
Transport
Type
infrastructure.
Frame Relay
Bridged or routed
Frame Relay, ATM
Layer
2 VPN Architectures introduces readers to Layer 2 Virtual Private
encapsulation
ATM
Bridged or routed
ATM
introductory
case studies and comprehensive
design scenarios. This book
encapsulation
history
and implementation
details
the two
technologies
available from
DLSw
SNA, NetBIOS,
NetBEUI
IP,ofFrame
Relay,
Direct
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS*
VPDN
PPP cores and Layer 2 Tunneling
IP,Protocol
Frame Relay,
ATM
based
version
3 (L2TPv3)
for native
PPTP control
packets use IP
TCP and data
packets use IP
GRE. L2F
packets use IP
UDP. L2TPv2
packets use IP,
IP UDP, Frame
Relay, and
ATM.

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.

Any Transport
over MPLS Overview
In recent years, Multiprotocol

Label
Switching (MPLS) has had a phenomenal growth in the
Publisher: Cisco
Press
service provider space,
where
Pub especially
Date: March 10,
2005 network infrastructures are based on ATM. One of the
driving forces for MPLS is to utilize dynamic routing protocols to establish end-to-end virtual
ISBN: 1-58705-168-0
Table of instead of manually provision ATM VCs hop by hop on each ATM switch. In classic
connections
Pages:
648
Contents
IP over
ATM, packets are forwarded based on the predefined ATM VC mappings instead of
Index
routing
algorithms, which results in suboptimal routing. MPLS resolves this problem by using
routing protocols to dynamically create ATM VCs.
MPLS also makes it easy to consolidate the parallel networks into a single MPLS-enabled
Master the
world
of Layer 2 VPNs
to provide
services
enjoy
network. This converged
MPLS
infrastructure
can provide
bothenhanced
Layer 2 and
Layerand
3 services
productivity
that previously had
to rely on gains
separate networks. This section examines how AToM replaces
legacy Layer 2 VPNs and the new features it offers.
Learn about
Layer 2 Virtual
(VPNs)
AToM is a pseudowire emulation
application
that isPrivate
part of Networks
the Unified
VPN Suite Solution that
Cisco offers to transport Layer 2 traffic over an MPLS network. Besides providing the end-toReduce costs and extend the reach of your services by unifying your
end connectivity of the same Layer 2 protocol, AToM is capable of interconnecting disparate
Layer 2 protocols through Layer 2 interworking. AToM derives from a series of efforts by
service providers and network equipment vendors in an attempt to minimize the impact to
existing Layer 2 VPN services and create new service offerings with MPLS-enabled networks.
In the Layer 2 VPN network reference model depicted in Chapter 2, "Pseudowire Emulation
Framework and Standards," AToM is enabled on the provider edge (PE) routers, which play a
similar role as the edge switches in Frame Relay or ATM-based L2VPNs or the network access
server in VPDN. In
aa
Frame
Relay
ATM-based
Layer
VPN, the portion
edge switch
maps
a Frame
For
majority
of or
Service
Providers,
a2
significant
of their
revenues
Relay or ATM VC are
connecting
to
the
customer
device
to
a
PVC
connecting
to
a
core
switch
still derived from data and voice services based on legacy transport by the
data-link connection
identifier
or virtual
identifier
(VPI)/virtual
connection
technologies.(DLCI)
Although
Layer 3path
MPLS
VPNs fulfill
the market
need for identifier
some
(VCI) values. In VPDN,
the
network
access
server
binds
a
PPP
connection
from
the remote user
to a VPDN session.
With Layer
AToM,2the
router
maps an attachment
any supported
legacy
andPE
Layer
3 networks
would like tocircuit
moveof
toward
a single
Layer 2 encapsulation
from while
the customer
edgewould
(CE) router
AToM
pseudowire.
backbone
new carriers
like to to
sellanthe
lucrative
Layer 2
An AToM pseudowire is made of a pair of MPLS label-switched paths (LSP). Because an MPLS
LSP is inherently unidirectional, to have bidirectional connectivity, a pseudowire is formed by
infrastructure.
establishing two LSPs in the opposite directions. Different MPLS applications might use different
ways to distributeLayer
labels.
Some
use the dedicated
Labelreaders
Distribution
Protocol
(LDP),
whereas
2 VPN
Architectures
introduces
to Layer
2 Virtual
Private
others use extensions
of existing
protocols,and
including
routing
protocols.
AToM utilizes
Network
(VPN) concepts,
describes
Layer
2 VPN techniques
via targeted
LDP sessions between
PE routers
exchange
labels thatdesign
are used
for pseudowires.
introductory
casetostudies
andMPLS
comprehensive
scenarios.
This bookYou
establish a targeted
LDP
session
by
sending
unicast
hello
packets
rather
than
multicast
assists readers looking to meet those requirements by explaining the hello
packets during the
LDP discovery
phase. LDP details
also supports
TCPtechnologies
message digest,
also known
history
and implementation
of the two
available
from as
TCP MD5, as its authentication
method.
Figure
3-4
illustrates
the
network
components
of
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSAToM.
Figure 3-4.
AToM
Components
progressively
covering
eachNetwork
currently available
solution in greater detail.

ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
The next
sections provide an overview of AToM from the following aspects:
Index
Label stacking hierarchy in AToM
Master
the world of Layer 2 VPNs to provide enhanced services and enjoy
Supported Layer
2 protocols
productivity gains
Decision factors whether to use AToM in your network, such as installation base,
advanced features, interoperability, and complexity.
Using Label Stacking

AToM
networkin
architecture
Gain
the
first applications
book to address
Layer
2 VPN
application
One common technique
thatfrom
many
MPLS
utilize
is label
stacking.
MPLSutilizing
label
both
ATOM
and
L2TP
protocols
stacking is documented in IETF RFC 3032, "MPLS Label Stack Encoding." The basic idea is to
create layers or hierarchies of MPLS labels; each label corresponds to a particular layer in the
Review strategies
that allow
large
enterprise and
customers
to enhance
network architecture. Creating
such hierarchies
allows
aggregation
multiplexing,
which
their
service
offerings
while
maintaining
routing
control
improve scalability. It also simplifies the operations on the transit routers, which make
forwarding decisions based on the topmost label in the label stack.
stillinderived
and
voice
services
based
on legacytotransport
The semantics of are
labels
a label from
stackdata
might
vary
from
one MPLS
application
another. For
technologies.
Although
Layer
3
MPLS
VPNs
fulfill
the
market need
some
example, in MPLS traffic engineering, the top label in the label stack represents
the for
trafficcustomers,
they
have
some
drawbacks.
Ideally,
carriers
with
existing
engineered path, and the bottom label represents the original Interior Gateway Protocol (IGP)
legacy
Layer
2 top
andlabel
Layerin3the
networks
would
like to move
a single
path. In MPLS Layer
3 VPN,
the
label stack
represents
the toward
IGP path
to the nextbackbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
hop Border Gateway Protocol (BGP) router, which is normally the PE router that originates
the
serviceslabel
overrepresents
their existing
Layer 3
The solution
in these
cases2isVPN,
a
VPN routes. The bottom
a specific
orcores.
aggregated
VPN route.
In Layer
that would
Layer
transport
a Layerand
3 the bottom
the LDP top label technology
usually represents
the allow
IGP path
to2the
peeringover
PE router,
infrastructure.
label represents a Layer 2 VPN forwarder on the peering PE router. A Layer 2 VPN forwarder is
an abstract entity that switches Layer 2 traffic back and forth between the pseudowire and
itself. In the context of pseudowire emulation, the Layer 2 VPN forwarder is usually some sort
of attachment circuit. Figure 3-5 shows the overview of an AToM packet.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSFigure 3-5. AToM Packet

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
The top label is usually known as the tunnel label or the IGP label. The bottom label is usually
known as the VC label Review
or the pseudowire
label.
Thelarge
optional
control customers
word is nottopart
of the
strategies that
allow
enterprise
enhance
MPLS label stack, but pseudowire
encapsulation.
their service
Note
The semantics
of labelswhile
in a label
stack might
belike
different
the previous
backbone
new carriers
would
to sell from
the lucrative
Layer 2
description when
multiple
MPLSexisting
applications
deployed
integrated
in the
same
services
over their
Layerare
3 cores.
Theand
solution
in these
cases
is a
MPLS network.
For example,
use AToM
conjunction
with over
MPLSatraffic
technology
that would
allowinLayer
2 transport
Layerengineering.
3
You can find infrastructure.
examples in Chapter 9, "Advanced AToM Case Studies."
Using label stacking
in AToM improves
scalability
when compared
to the
scalability
of legacy
introductory
case studies
and comprehensive
design
scenarios.
This
book
Layer 2 VPNs built
on topreaders
of Frame
Relaytoormeet
ATM.those
As you
learned in Chapter
2, every
assists
looking
requirements
by explaining
thetime you
add a new end-to-end
virtual
connection or relocate
anthe
existing
one to a different
edge
switch,
history
and implementation
details of
two technologies
available
from
you must ensure the
thatCisco
a virtual
pathVPN
extends
edge switch
to the
other. for
If none
exists,
Unified
suite:from
Any one
Transport
over MPLS
(ATOM)
MPLSyou need to provision
the
edge
and
core
switches
along
the
path.
With
a
large
number
of
virtual connections
a typical
Layer 2 VPN,
thisbook
taskisamounts
significant
portion
IP in
cores.
The structure
of this
focused to
onafirst
introducing
theof the
overall operation reader
cost structure.
to Layer 2 VPN benefits and implementation requirements and
Instead of statically
provisioning
the virtual
paths
hop by
hop, AToM
takes
of routing
progressively
covering
each
currently
available
solution
inadvantage
greater detail.
protocols to dynamically set up virtual paths across the core network. Only PE routers need to
maintain and manage the pseudowire labels for the virtual connections. The pseudowire labels
are at the bottom of the label stack, so they are not visible to the transit routers, also known
as the Provider (P) routers. The P routers forward packets using the top label and are unaware
of the existence of pseudowires.
Many pseudowires can be multiplexed in a single MPLS tunnel LSP. In such a way, the core
network is spared from managing and maintaining forwarding information for each pseudowire.
Layer 2 Protocols Supported by AToM

AToM supports a Layer
wide 2range
of Layer 2 protocols, including PPP, High-Level Data Link Control
VPN Architectures
(HDLC), Ethernet,ByFrame
Relay,
and13,291,
ATM.Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
Wei Luo, - CCIE No.
PPP over MPLS operates in the transparent mode , in which case PPP sessions are between CE
routers, and PE routers do not terminate PPP sessions. In other words, CE routers are the only
PPP speakers that process
PPP frames through the PPP protocol stack, and PE routers do not
Pub Date:
March 10, 2005
participate in PPP protocol
exchange.
Table of
ISBN: 1-58705-168-0
over MPLS allowsPages:

HDLC
transportation
of Cisco HDLC frames over an MPLS network. Like PPP
648
Contents
over MPLS, HCLC over MPLS operates in the transparent mode, which is the only mode it
Index
supports.
Two types of Ethernet frames are supported in Ethernet over MPLS:
productivity
gains
Untagged Ethernet
frames
IEEE 802.1q tagged Ethernet VLAN frames
PE routers classify Ethernet frames that are received from CE routers into different
pseudowires based on the receiving interface or the VLAN tag carried in the Ethernet VLAN
frames. Bridging protocol support varies depending on the deployment model. Chapter 7, "LAN
Protocols over MPLS Case
studies
on2running
bridging protocols
GainStudies,"
from thehas
firstin-depth
book to case
address
Layer
VPN application
utilizing
over MPLS networks. both ATOM and L2TP protocols
With Frame Relay overReview
MPLS, PE
routers that
forward
Frame
frames
to different
pseudowires
strategies
allow
large Relay
enterprise
customers
to enhance
based on the receivingtheir
interface
andofferings
the DLCIwhile
value,
and they also
provide
Local Management
service
maintaining
routing
control
Interface (LMI) signaling to CE routers. To Frame Relay customers, the migration in the service
provider network For
is completely
The Frame
Relay header
is removed
the ingress
a majority transparent.
a significant
portion
of their at
revenues
PE router and added
back
at
the
egress
PE
router.
The
flags
in
the
Frame
Relay
headerssuch
as
backward explicittechnologies.
congestion notification
(BECN),
forward
explicit
congestion
notification
Although Layer 3 MPLS VPNs fulfill the market need for some
(FECN), discard eligible
(DE),they
and have
command/respose
(C/R)are
carried
in the
pseudowire
customers,
some drawbacks.
Ideally,
carriers
with
existing control
word, which is mandatory
for Frame
Relay 3
over
MPLS. would
The operation
details
are described
legacy Layer
2 and Layer
networks
like to move
toward
a single in
Chapter 6, "Understanding
overwould
MPLS."
backbone Any
whileTransport
new carriers
ATM over MPLS includes
two that
types
of ATM
services:
technology
would
allow
infrastructure.
ATM AAL5

ATM Cell
assists
readers
meet
those
requirements
by explaining
theinto ATM
With ATM AAL5, PE
routers
eitherlooking
receivetoATM
AAL5
packets
or reassemble
ATM cells
history
and
implementation
details
of
the
two
technologies
available
from
AAL5 packets from CE routers and forward them to different pseudowires based on the
the
Cisco
Unified
VPN
suite:
Any
Transport
over
MPLS
(ATOM)
for
MPLSreceiving interface and the VPI or VCI values. The ingress PE router drops all other packets
based
cores and Layer
2 Tunneling Protocol
version
(L2TPv3)
for native
except operations,
administration,
and maintenance
(OAM) cells.
The3ATM
flags, such
as
IP cores. The
structure
of this
book
focused
on(CLP),
first introducing
explicit forward congestion
indication
(EFCI)
and
cell is
loss
priority
are carriedthe
in the
reader
Layeris2 also
VPNmandatory
benefits and
andover
pseudowire control
word,towhich
forimplementation
ATM AAL5 overrequirements
MPLS. ATM Cell
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as
MPLS,
then
MPLS can encapsulate a single ATM cell at a time or pack multiple ATM cells into one MPLS
covering
each
currently
available
in greater
detail.
packet. Both ATMprogressively
services can be
offered
in VC
mode, VP
mode, solution
or port mode.
These
modes
determine the granularity of how ATM packets and cells should be classified and mapped to
pseudowires.
Deciding Whether to Use AToM

When determining whether AToM is the right choice for your company, you need to consider
several factors, including the following:
Existing network installation base

Advanced network
services
Layer 2 VPN
Architectures
Interoperability
Network operation complexity

Pub Date:
March
10, 2005
The next sections describe
how
each
of these factors can help you determine whether AToM is
feasible for your networking
environment.
ISBN: 1-58705-168-0
Table of
Contents
Index
Pages: 648
Existing Network Installation Base

For those service providers that have separate parallel networks for Layer 2 and Layer 3
Master thenetwork
world ofisLayer
2 VPNs
to provide
enhanced services
and onto
enjoya
services, an MPLS-enabled
a natural
candidate
for converging
all services
productivity gains
single network infrastructure.
With appropriate software and hardware upgrades, many existing Frame Relay and ATM
Learn about
Layer
2 Virtual
Private
Networks
switches can readily support
dynamic
routing
protocols
and
perform (VPNs)
MPLS label switching. Such
a migration allows the service providers to expand their network capacity and service portfolios
Reduceon
costs
and extend
the reach
of your services
by unifying
your
and protect their investment
the existing
network
infrastructure.
Transitioning
to the
network
architecture
packet-based AToM pseudowire emulation has minimal impact to the existing Layer 2 VPN
services.
Advanced Network Review

Services
Besides the basic MPLS features such as routing optimization and network consolidation, AToM
For a majority
of Service
Providers,network
a significant
portion
of as
their
revenues
can leverage advanced
MPLS features
for enhanced
services,
such
MPLS
traffic
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
engineering, QoS guarantee, and fast rerouting.
customers,
they have
someutilizes
drawbacks.
Ideally,
carriers withhas
existing
The efficiency with
which a service
provider
its network
infrastructure
a significant
legacy
Layerof2its
and
Layer 3 The
networks
would like
touse
move
toward aresources,
single
impact on the cost
structure
business.
more efficient
the
of network
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
the less capital investment that a service provider has to make to provide the desired level of
services
over their aims
existing
Layer 3the
cores.
The solution
in these
a
service offering. Traffic
engineering
at solving
problem
that some
parts cases
of the is
network
technology
that would
allow Layer 2MPLS
transport
Layerengineering
3
are highly congested
while others
are underutilized.
solvesover
the a
traffic
infrastructure.
problem that plain
IP routing cannot solve by using MPLS constraint-based routing. Constraintbased routing is essentially a set of algorithms designed to find an optimal path with given
Layerconfined
2 VPN Architectures
introduces
readers to The
Layer
2 Virtual Private
routing metrics while
to the pre-established
constraints.
constraints
can be
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via does not
performance or administrative requirements imposed by network operators. This book
introductory
studiesisand
comprehensive
design
scenarios. This book
go into details about
why plaincase
IP routing
insufficient
for traffic
engineering.
Note
comparing
to those
Layer
3 based
VPNs, such
MPLS,
thento
If you are interested
in them
learning
more of
about
traffic
engineering,
youasmight
want
progressively
read the following
books: covering each currently available solution in greater detail.
MPLS and VPN Architecture s, Volume I, by Ivan Pepelnjak and Jim Guichard:
Cisco Press, 2000.
MPLS and VPN Architectures , Volume II, by Ivan Pepelnjak, Jim Guichard, and
Jeff Apcar: Cisco Press, 2003.
MPLS: Technology and Applications by Bruce S. Davie and Yakov Rekhter:
Morgan Kaufmann Publishers, 2000.
Traffic Engineering with MPLS

2002.
by Eric Osborne and Ajay Simha: Cisco Press,

MPLS traffic engineering helps redirect trafficincluding Layer 2 trafficto less congested parts of
the network. Layer 2 services typically come with service-level agreements (SLA). An SLA is a
Publisher:
Ciscoprovider
Press
service guarantee that
a service
agrees to offer to its customer on availability,
Pub
Date:
March
10, 2005 and so on. The service provider can use an MPLS QoS
guaranteed bandwidth, burst bandwidth,
ISBN:The
1-58705-168-0
guarantee to enforce SLAs.
level of service guarantee is usually associated with the
Table of
premium
that a customer
subscribes
to. For instance, an SLA with a higher premium might
Pages:
648
Contents
provide more guaranteed bandwidth than an SLA with a lower premium. MPLS constraint-based
Index
routing is again used to provide QoS guarantees. It allocates the necessary network resources,
such as buffer space and link bandwidth, along the specific path that is established through
traffic engineering. Although both MPLS traffic engineering and MPLS QoS guarantee use MPLS
constraint-based Master
routing,the
theworld
difference
is that
traffic
does not
require
allenjoy
the
of Layer
2 VPNs
to engineering
provide enhanced
services
and
bandwidth allocation
and
queuing
mechanisms
that
are
required
to
provide
QoS
guarantees.
productivity gains
Another important advanced MPLS feature that AToM can rely on is the ability to reroute traffic
to an alternate path in Learn
a short
period
when
a failure
occursNetworks
along the(VPNs)
original path, typically
about
Layer
2 Virtual
Private
within 50 ms. With hop-by-hop, destination-based plain IP routing, the network convergence
costs and
extend
the reach
services
by unifying
your
time is usually secondsReduce
upon network
failure,
which
resultsofinyour
packet
loss before
the network
network
architecture
converges. To reduce packet
loss
during routing transitions, MPLS fast rerouting constructs a
protection LSP in advance for a given link by explicitly establishing an alternate path that
Gain
fromlink.
the Because
first bookthe
to address
application
utilizing
circumvents the possible
failing
alternateLayer
path 2
is VPN
set up
prior to the
link
both
ATOM
and
L2TP
protocols
failure, rerouting can take place rather quickly.
Interoperability


A rapidly growingare
number
of service
providers
network
equipment
have become
still derived
from
data andand
voice
services
based onvendors
legacy transport
involved in the development
and
interoperability
testing
for
the
MPLS-based
pseudowire
emulation products.
AToM is the Ciscobackbone
product for
pseudowire
emulation
MPLS
networks.
As Layer
the protocol
while
new carriers
would over
like to
sell the
lucrative
2
specification and services
implementation
have
matured
over
the past
couple
of years,
thecases
standardsover their
existing
Layer
3 cores.
The
solution
in these
is a
based pseudowiretechnology
emulation that
products
different
vendors
have3achieved an
wouldfrom
allow
Layer 2equipment
transport over
a Layer
excellent level of infrastructure.
interoperability. In the service provider space, the deployment has gained
significant momentum.
introductory
case studies and comprehensive design scenarios. This book
Network Operation
Complexity
history
and implementation
details
of the
twoAToM
technologies
from
The previous sections
highlighted
the advanced
features
that
can offeravailable
as the MPLSthe
Cisco
Unified
VPN
suite:
Any
Transport
over
MPLS
(ATOM)
for
MPLSbased pseudowire emulation. However, they come with a substantial level of complexity in
based
cores and
Layer
2 Tunneling
Protocol
(L2TPv3)
for native
network design and
operation,
which
involves
more than
just version
enabling3 new
protocols
in the
IP
cores.
The
structure
of
this
book
is
focused
on
first
introducing
network. Making effective use of these features requires fine-tuning on the networkthe
parameters
reader tocharacteristics.
Layer 2 VPN benefits and implementation requirements and
according to the network
progressively
covering
each
solution in greater
detail.
When an operating
problem occurs,
AToM
alsocurrently
requiresavailable
highly sophisticated
expertise
and skills
to troubleshoot the issue. For example, LDP is an out-of-band signaling protocol. For a single
pseudowire, the control packets might take a different path from the data packets. Therefore,
the liveliness of the control plane does not serve as a good indication for that of the data plane,
in which case you need more sophisticated diagnosis methods to verify the data plane
connectivity, such as MPLS ping.
Establishing AToM pseudowires successfully requires the maximum transmission unit (MTU)
settings of both attachment circuits connecting through the pseudowire to match. In addition,
the network MTU between the PE routers must accommodate the resulting MPLS-encapsulated
packets that carry Layer 2 payload. Because these packets generally do not have an IP header,
fragmentation is difficult. That is why packets exceeding the network MTU are dropped. MTU
settings need to be carefully engineered throughout the network to avoid connectivity
problems.
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.

Layer 2 Tunnel
Protocol Version 3 Overview
Although AToM can provide

2 VPN services with advanced network features, you might
Publisher:Layer
Cisco Press
need an alternative to
Layer
2 VPN services if your network is not MPLS enabled or you
Pubprovide
Date: March
10, 2005
do not want to deploy MPLS technologies. Like many other networking problems, you have
ISBN: 1-58705-168-0
Tableoptions.
of
multiple
Depending on your short-term and long-term goals, you can choose the
Pages:
Contents solution for your648
appropriate
needs.
Index
For example, if your goal is to move toward an MPLS-enabled network eventually but you need
a time-to-market solution to provide Layer 2 VPN services on top of the existing IP
infrastructure, you might choose AToM for Layer 2 VPN services, but you have to overlay AToM
the world
2 VPNs
to encapsulation
provide enhanced
services
and
pseudowires overMaster
IP tunnels,
such of
as Layer
generic
touting
(GRE)
tunnels.
Inenjoy
this way,
productivityLayer
gains2 VPN services in a relatively short period of time without
you can deploy MPLS-based
being forced to migrate the entire core infrastructure to MPLS immediately. However, if the
goal is to ultimately provide Layer 2 VPN services with a pure IP infrastructure, you have the
option of choosing an IP-based Layer 2 VPN solution: L2TPv3.
L2TPv2 was originally designed for remote access solutions, and it only supports one type of
Layer 2 frames: PPP. Retaining many protocol specifications of version 2, L2TPv3 enhances the
control protocol and optimizes the header encapsulation for tunneling multiple types of Layer 2
frames over a packet-based network. L2TPv3 and its supplementary specifications, such as the
Ethernet and Frame Relay extensions, describe the requirements and architectures that are
applicable to pseudowire
emulation
usingthat
L2TPv3.
Review
strategies
allow large enterprise customers to enhance
L2TPv3 consists of a control plane that uses an in-band and reliable signaling protocol to
manage the control
data connections
L2TP
endpoints,
and a of
data
plane
that is
Forand
a majority
of Service between
Providers,
a significant
portion
their
revenues
responsible for pseudowire
encapsulation
and
provides
a
best-effort
data-forwarding
service.
In
the L2TPv3 network
reference
models,
L2TPv3
is
implemented
and
deployed
between
a
pair
of
L2TP Control Connection
Endpoints
(LCCEs).
3-6 illustrates
the network
components of
customers,
they have
some Figure
drawbacks.
Ideally, carriers
with existing
L2TPv3. The LCCEs
are the
equivalent
of the
PE routerswould
in thelike
generic
Layer
2 VPN
legacy
Layer
2 and Layer
3 networks
to move
toward
a network
single
reference model. backbone
For the sake
of consistency,
this book
PEthe
router
in place
of "LCCE"
in the
while
new carriers would
likeuses
to sell
lucrative
Layer
2
context of L2TPv3.
infrastructure.
Figure
L2TPv3introduces
Network
Components
Layer
2 VPN 3-6.
Architectures
readers
to Layer 2 Virtual Private
full size
image]requirements by explaining the
assists readers looking[View
to meet
those
Because an L2TPv3 session is inherently bidirectional, an L2TPv3 pseudowire is essentially an

L2TPv3 session carrying a particular type of Layer 2 frame. In other words, a one-to-one
mapping exists between sessions and pseudowires. During the process of L2TPv3 session
establishment, the peering PE routers exchange session IDs. An L2TPv3 session ID is
equivalentto an AToM pseudowire label. A session or pseudowire consists of two session IDs.
Fundamentally, L2TPv3 pseudowires and AToM pseudowires are set up in a similar fashion. The
difference is that the baseline L2TPv3 protocol specification is responsible for constructing such
a bidirectional pseudowire, whereas AToM relies on an application-level mechanism that is built
2 VPNspecification
Architectures for the same function. From the end user's point of
on top of the LDPLayer
protocol
ByWei
- CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
view, this difference
is Luo,
insignificant.
Note
ISBN: 1-58705-168-0
Table of
Pages:
648
In
certain deployment scenarios
such as interworking between different Layer 2
Contents
AToM and L2TPv3 might carry Layer 3 packets directly. However, because
protocols,
Index
the forwarding decision is still based upon Layer 2 information, such cases belong to
the general Layer 2 VPN framework.
productivity gains
Besides using the L2TPv3 control messages to set up pseudowires dynamically, you can use
manual configuration to provision the necessary session parameters. When you use manual
Learn
about
Layer 2 Virtual
Networks
(VPNs)
configuration, you do not
need
to establish
control Private
connection
between
PE routers.
costsof
and
extend
thethe
reach
of youraspects:
services by unifying your
The next sections give Reduce
an overview
L2TPv3
from
following
L2TPv3 operations
Supported Layer 2 protocols
their service
offerings
maintaining
routing
control
Decision factors whether
to use
L2TPv3 while
in your
network, such
as installation
base,
advanced features, and complexity
L2TPv3 Operations
Even though L2TPbackbone
is labeledwhile
as annew
IP-based
technology,
in fact
a transport-independent
carriers
would like ittoissell
the lucrative
Layer 2
protocol. L2TPv2,services
which isover
mostly
deployed
remote
access
applications,
specifies
their
existingfor
Layer
3 cores.
The
solution in these
cases is a
mechanisms to tunnel
Layer that
2 frames
UDP,
ATM
AAL5, andover
Frame
Relay.
technology
wouldover
allow
Layer
2 transport
a Layer
3 L2TPv3 defines
the specificationsinfrastructure.
to tunnel Layer 2 frames over IP and UDP.
The tunneling mechanism
is essentially
accomplished
inserting
an L2TP
headerPrivate
between the
Layer 2 VPN
Architectures
introducesby
readers
to Layer
2 Virtual
IP or UDP headerNetwork
and the Layer
payload. and
A well-known
IP protocol
or UDP
(VPN) 2concepts,
describes Layer
2 VPNnumber
techniques
via port
number differentiates
L2TP packets
from other
types of IP traffic.
The scenarios.
destinationThis
IP address
introductory
case studies
and comprehensive
design
book of
an L2TP packet isassists
an address
of the
PE router
on those
the other
side of theby
tunnel.
Sessions
readers
looking
to meet
requirements
explaining
the that are
destined to the same
PE and
router
are multiplexed
by session
IDs into
a common
IP or UDP
history
implementation
details
of the two
technologies
available
from
header.
L2TP control packets
are transmitted
in-band
data packets.
IP cores.
The structure
of thisalong
bookwith
is focused
on first Therefore,
introducingthe
thetunnel
endpoints need toreader
have atodeterministic
to distinguish
one type from
the other. and
For L2TP
Layer 2 VPN way
benefits
and implementation
requirements
over UDP, the first
bit in the them
L2TP to
header
is a control
a data
comparing
thoseindicates
of Layer whether
3 based it
VPNs,
such aspacket
MPLS, or
then
packet. However,progressively
L2TP over IP covering
has a different
L2TP header
that does
not in
have
a field
for such
each currently
available
solution
greater
detail.
indication. Instead, the L2TP header uses the reserved session ID value zero for control
packets and nonzero session IDs for data packets.
The discrepancy of the two L2TP header formats is a result of optimization weighted toward
different deployment models. The UDP transport mode is friendlier for the cases that require
using IPsec to protect L2TP traffic, or traversing Network Address Translation (NAT) and
firewalls. The IP transport mode is more tailored for implementing L2TP packet processing and
forwarding in high-speed hardware architectures. Figure 3-7 shows an overview of the two
formats of an L2TPv3 packet.
Figure 3-7. L2TPv3 Packet Overview

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
L2TP implementsare
a low-overhead
reliable
delivery
mechanism
control
packets
at the
still derived from
data
and voice
services for
based
on legacy
transport
underlying transport
layerthat
is,
IP
or
UDP.
The
upper-level
functions
of
L2TP
do
technologies. Although Layer 3 MPLS VPNs fulfill the market neednot
forhave
someto
deal with retransmission
or
ordering
of
control
packets.
L2TP
also
uses
a
sliding
window
scheme for control
packet
transmission
to avoid
overwhelming
the
In addition,
legacy
Layer
2 and Layer
3 networks
would like
toreceiver.
move toward
a singleit
provides an optional
message
digest-based
authentication
guarantee
control
packet
backbone
while
new carriers
would like toto
sell
the lucrative
Layer
2
integrity, and an optional
to ensure
between
services keepalive
over their mechanism
existing Layer
3 cores.connectivity
The solution
in thesetunnel
cases is a
endpoints.
infrastructure.
Layer 2 VPN
Architectures
Layer 2 Protocols
Supported
byintroduces
L2TPv3readers to Layer 2 Virtual Private

L2TPv3 supports assists
the same
set oflooking
Layer 2to
protocols
thatrequirements
AToM does, including
PPP, HDLC,
readers
meet those
by explaining
the
Ethernet, Frame Relay,
and
ATM.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSPPP over L2TPv3 mostly operates in the transparent mode , in which case CE routers are the
only PPP speakers that process the PPP frames through the PPP protocol stack, and PE routers
merely forward PPP frames between the peering CE routers transparently.
comparing
those
of Layer
3 based
VPNs, such asofMPLS,
HDLC over L2TPv3
is similar them
to PPPtoover
L2TPv3.
It allows
transportation
Cisco then
HDLC frames
progressively
covering
each
currently
available
solution
in
greater
detail.
over an IP network in the transparent mode, which is the only mode it supports.
Two types of Ethernet encapsulation are supported in Ethernet over L2TPv3:
Untagged Ethernet frame
IEEE 802.1q tagged Ethernet VLAN frame
PE routers classify Ethernet frames that are received from the CE routers into different
pseudowires using the receiving interface or the VLAN tag. Bridging protocol support varies
depending on the deployment model. Chapter 11, "LAN Protocols over L2TPv3 Case Studies,"
discusses the details of running bridging protocols over the IP network.
VPN Architectures
With Frame RelayLayer
over2 L2TPv3,
PE routers forward Frame Relay frames to different
pseudowires based
on Luo,
the -receiving
interface
the DLCI
PE routers
provide
ByWei
CCIE No. 13,291,
Carlosand
Pignataro,
- CCIEnumber.
No. 4619,Dmitry
Bokotey,also
- CCIE
LMI signaling to CE
as ifChan,
they- are
Relay switches. Unlike Frame Relay over MPLS,
No.routers
4460,Anthony
CCIEFrame
No. 10,266
the Frame Relay header is kept intact at the ingress PE router with Frame Relay over L2TPv3;
therefore, the egress
PE router
does
Publisher:
Cisco
Pressnot need to reconstruct the Frame Relay header before
forwarding the packets
to the CE router.
ISBN: 1-58705-168-0
ATM over
L2TPv3 also supports
ATM AAL5 and ATM Cell services. With ATM AAL5, PE routers
Table of
Pages:
receive
ATM AAL5 packets or648
reassemble ATM cells into ATM AAL5 packets from CE routers and
Contents
forward
them to different pseudowires based on the receiving interface and the VPI or VCI
Index
numbers. The ATM flags, such as EFCI and CLP, are carried in the L2TPv3 ATM-specific
sublayer, which serves a similar purpose to the AToM control word. ATM Cell over L2TPv3 can
encapsulate a single ATM cell at a time or pack multiple ATM cells into one L2TPv3 packet. Both
the world
of Layer
VPNs to
enhanced
and enjoythe
ATM services canMaster
be offered
in VC mode,
VP2mode,
orprovide
port mode.
These services
modes determine
productivity
gains
granularity of how
ATM packets
and cells should be classified and mapped to pseudowires.
Deciding Whether to Use L2TPv3
For organizations and companies
that decide to stay with their existing IP-based network
infrastructures for the long term and do not intend to migrate to MPLS-enabled networks,
Gain from
firstservices
book to is
address
Layer
VPN application
utilizing
choosing L2TPv3 to provide
Layerthe
2 VPN
obvious.
For 2those
who have not
decided
both
ATOM
and
L2TP
protocols
which technology to choose, consider the following factors to gauge the feasibility and
applicability of using L2TPv3 for Layer 2 VPN services.
Existing Network
For Installation
a majority of Base
Service Providers, a significant portion of their revenues
technologies.
Although
Layer legacy
3 MPLSnetworks
VPNs fulfill
the
market
for some
For service providers
that do not
have parallel
and
those
thatneed
traditionally
customers,
some
carriers
withdoes
existing
provide only Layer
3 services,they
the have
problem
of drawbacks.
maintainingIdeally,
separate
networks
not apply to
legacythey
Layer
and
Layer
networkstowould
like toThey
move
toward
single to
them directly because
do 2not
have
the3problem
start with.
have
littleaincentive
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
invest in a new technology unless it brings new revenue opportunities.
As telecommunication
deregulation
has taken
place,2these
service
providers
started
technology
that would
allow Layer
transport
over
a Layer have
3
eyeing lucrative Layer
2 VPN services. The fastest and least expensive way to provide Layer 2
infrastructure.
VPN services in an IP-based infrastructure is to use L2TPv3. AToM relies on a ubiquitous MPLS
Layer
2 VPN
Architectures
introduces
2 Virtual
Private
presence throughout
the
network
infrastructure.
If the readers
networkto
is Layer
not already
MPLS
enabled, it
Network
(VPN)
and describes
2 VPN
techniques
has to be migrated
to MPLS
first.concepts,
L2TPv3 imposes
minimalLayer
impactif
anyon
the corevia
network
studies
andthat
comprehensive
design
scenarios.
book
infrastructure. It introductory
only requirescase
the PE
routers
provision Layer
2 VPN
servicesThis
to be
aware
assists
readers
looking
meet can
those
requirements
by explaining
the
of L2TPv3. In some
cases,
existing
edge to
routers
readily
provide Layer
2 VPN services
with
history and
implementation
of the
two technologies
from
proper software upgrades.
This
is particularlydetails
attractive
to service
providers available
that are interested
the Cisco
Unifiedwith
VPNminimal
suite: Any
Transport
over MPLS (ATOM) for MPLSin creating new revenue
streams
initial
investment.
Without L2TPv3, enterprises
rely
on service
providers
provision
their
Layer 2
IP cores. The
structure
of this
book isto
focused
on and
first manage
introducing
the
network connections
among
geographically
dispersed
locations. Not only
is the Layer
2 service
reader
to Layer
2 VPN benefits
and implementation
requirements
and
expensive, but interprovider
Layerto
2 those
circuits
be provisioned
when
thesethen
locations are
comparing them
ofmust
Layeralso
3 based
VPNs, such
as MPLS,
not covered by a progressively
single service covering
provider.each
The feasibility
of provisioning
interprovider
Layer 2
currently available
solution
in greater detail.
circuit is constrained by whether these providers have such an interprovider Layer 2
connectivity agreement.
L2TPv3 can be an attractive cost-cutting and easy-to-manage alternative. Instead of getting
expensive Layer 2 circuits from service providers, each site can purchase the best and least
expensive IP service from a local service provider without worrying about the interprovider
agreement issue because IP connectivity always exists among service providers. Each site then
enables L2TPv3 on a CPE router and provisions Layer 2 connections to other sites without
involving service providers.
Advanced Network Services

Because L2TPv3 uses IP or UDP as its transport layer, integrating with advanced IP-based
network services, such as IPSec, is easy. If service providers manage Layer 2 VPN services for
their customers, the strong security guarantee that is provided within the service provider
network can be sold as a value-added feature. If enterprises manage Layer 2 VPN services, this
Publisher:
Cisco site-to-site
Press
combination gives them
not only
Layer 2 connectivity but data integrity and privacy
Pub
Date:
March
10, 2005 across public or shared network infrastructures. With
when transporting sensitive information
ISBN:
1-58705-168-0 with an MPLS label stack, and there is no IP header in
AToM, Layer 2 frames are
encapsulated
Table of
theresulting packet. Therefore,
Pages: 648 it is quite difficult to apply IPSec features to AToM packets.
Contents
Index
Whenever possible, you should set the MTU of both attachment circuits that are connected
through a pseudowire to the same value, and set the network MTU to accommodate the
resulting L2TPencapsulated packets that carry the Layer 2 payload. If this is not possible, the
Cisco IOS L2TPv3Master
implementation
supports
Path
discovery
andservices
fragmentation
the world also
of Layer
2 VPNs
to MTU
provide
enhanced
and enjoy
options. These make
use
of
the
Don't
Fragment
(DF)
bit
in
the
IP
header
and ICMP messages
productivity gains
to discover appropriate MTU settings for pseudowires. When the resulting L2TP packets exceed
the pseudowire MTU, users can either choose to drop or fragment the packets.
Plain IP routing and forwarding do not provide advanced network features such as traffic
engineering and fast reroute.
deploying
IP differentiated
(diffserv),
classifying
ReduceBy
costs
and extend
the reach ofservices
your services
by unifying
your
different types of trafficnetwork
diligently,
overprovisioning network bandwidth strategically, and other
architecture
fine-tunings on routing, you can achieve a fairly high level of service guarantees for Layer 2
VPN services.
Interoperability

L2TPv2 is a widely
deployed
andofhighly
interoperable
especially
access,
For
a majority
Service
Providers, aprotocol,
significant
portion in
of remote
their revenues
wholesale dial and
broadband
networks.
It
has
a
large
vendor
support
base.
L2TPv3 evolved from
L2TPv2they
and has
many
of the major
characteristics
specifications
customers,
havekept
some
drawbacks.
Ideally,
carriers withand
existing
of L2TPv2. The control
plane
procedures
are
almost
identical
in
both
versions.
One
the main
legacy Layer 2 and Layer 3 networks would like to move toward a of
single
differences lies inbackbone
the L2TP header
format,
which
has
more
impact
on
the
data
plane.
while new carriers would like to sell the lucrative Layer 2 Another
significant changeservices
is that the
protocol
no longer
defines
the actions
for each
Layer
overbaseline
their existing
Layer
3 cores.
The solution
in these
cases
is a 2
protocol that is carried
in
L2TP.
Furthermore,
it
is
up
to
each
Layer
2
application
to
specify
the
appropriate actions.
Because
of
these
differences,
the
two
versions
of
L2TP
implementation
are
infrastructure.
not interoperable.
introductory
Network Operation
Complexity
history
and network
implementation
of the two
technologies
available from
L2TPv3 is a relatively
simple
protocoldetails
as compared
to the
more sophisticated
routing
the
Cisco
Unified
VPN
suite:
Any
Transport
over
MPLS
(ATOM)
for MPLSprotocols and MPLS protocols. It requires little change to an existing IP-based network
and is
cores
Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
relatively easy to based
manage
andand
troubleshoot.
reader
to Layer
2 VPN
benefits
requirements
and
As described in the
previous
sections,
AToM
usesand
LDPimplementation
as the out-of-band
signaling protocol,
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as
MPLS,
then
which means the control packets might take a different path from the data packets. Thus, the
progressively
covering
currently
available
greater
detail.
control plane connectivity
cannot
provideeach
a reliable
indication
for solution
the datainplane
connectivity.
L2TPv3 uses an in-band TCP-like reliable control connection to set up and tear down data
connections. That is why its liveliness serves as a good indication for that of the data plane.

Summary By
Prior to pseudowire Publisher:

emulation,
Layer
Cisco
Press2 VPN services were provided by legacy Layer 2 VPN
technologies, such as
ATM,
Relay,
Pub
Date:Frame
March 10,
2005 and VPDN, which rely on overlapping parallel network
infrastructures.
ISBN: 1-58705-168-0
Table of
Pages:
Contents emulation is the 648
Pseudowire
fundamental building block of the new generation of Layer 2 VPN
Index
architectures.
Many complex network applications that are to replace legacy Layer 2 VPNs or
facilitate new requirements are built on top of some form of pseudowire emulation. Cisco offers
AToM and L2TPv3 for pseudowire emulation. They are not designed as competing technologies;
rather they are optimized for MPLS- and IP-based network infrastructures, respectively. Before
Master
thetoworld
of consider
Layer 2 VPNs
to provide
enhanced
and find
enjoy
determining which
product
adopt,
the technical
and
businessservices
factors and
the
productivity
gains
right balance between
features
and manageability. Each has its own merits and implications,
some of which are outlined in Table 3-2.

Table 3-2. Cisco Pseudowire Emulation Products

Gain from Comparison
Product Name
AToM
L2TPv3
their
service offerings while maintaining
routing control
Network Infrastructure
IP/MPLS
IP
Signaling Protocol
Directed
LDP
For a majority
of Service
Providers, aL2TPv3
Transport Layer
MPLS label encoding
IPv4
Encapsulation
Layer
and Layer
3 networksPPP,
would
like to
move toward a single
Supported Layerlegacy
2
PPP, 2
HDLC,
Ethernet,
HDLC,
Ethernet,
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Protocols
Ethernet VLAN, Frame
Ethernet VLAN, Frame Layer 2
services Relay,
over their
Layer
3 cores.
solution
in these
ATMexisting
AAL5, ATM
Cell
Relay,The
ATM
AAL5, ATM
Cell cases is a
Authentication infrastructure.
TCP MD5
Shared Secret with
Message Digest
Keepalive Mechanism
Unreliable out-of-band
Reliable and simple inNetwork (VPN) concepts, and describes Layer 2 VPN techniques via
LDP keepalive; requires
band keepalive
new protocol extensions
for reliable connectivity
report
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbased cores
and
Layer 2 Tunneling
Protocol
version
3 (L2TPv3)
for native
Advanced Services
Traffic
engineering,
QoS
IPSec, IP
Diffserv,
Path
IP cores.guarantee,
The structure
this book isMTU
focused
on firstIPintroducing the
fastof
rerouting
discovery,
reader to Layer 2 VPN benefits and implementation
fragmentation requirements and
Interoperability progressively
Wide vendor
carrier
vendor
andin
carrier
coveringand
each
currentlyLimited
available
solution
greater detail.
support, good and
support
improving interoperability

Part II: Layer 2 Protocol Primer

Chapter 4
Table of
Chapter 5
Contents
Index
LAN Protocols
ISBN: 1-58705-168-0
WAN Data-Link
Protocols
Pages:
648
productivity gains
infrastructure.

Chapter 4. LAN Protocols

Cisco Press
the following
topics:
ISBN: 1-58705-168-0
Table of
and
Ethernet background
Pages:
648encapsulation overview
Contents
Index
Metro Ethernet overview
Metro Ethernet service architectures
Master
the world
Layer 2 VPNs to provide enhanced services and enjoy
Understanding
Spanning
Treeof
Protocol
productivity gains
Pure Layer 2 Implementation
802.1q TunnelingLearn about Layer 2 Virtual Private Networks (VPNs)
Reduce
costs and extend
the behind
reach of
your2services
by pseudowire
unifying your
Now that you've learned
the fundamental
concepts
Layer
VPNs and
architecture you need to familiarize yourself with Layer 2
emulation described in network
Part I, "Foundation,"
protocols. This chapter describes LAN protocols. Here, you get an overview of Ethernet
Gainabout
from the
book to address
Layer 2
VPN application
utilizing
technology as well as read
the first
technological
and business
requirements
of both
both
ATOM
and
L2TP
protocols
enterprise customers and service providers that are driving the implementation of Metro
Ethernet. Finally, you discover the Layer 2 technologies that are available today for
transporting traffic over higher-bandwidth circuits.
infrastructure.

Ethernet Background
and Encapsulation Overview
The motivation behind

the development
of a computer network came from Xerox wanting to
Publisher:
Cisco Press
interconnect some ofPub
theDate:
firstMarch
personal
computers at its Palo Alto Research Center (PARC) and
10, 2005
the world's first laser printer so that all of the PARC's computers could print with the same
ISBN: 1-58705-168-0
Table
of to this, the number of computers at any single facility never exceeded two or
printer.
Prior
Pages:
648
three.Contents
This was the first instance in which hundreds of computers in the same building required
Index
intercommunication.
Ethernet solved two of Xerox's challenges:
The networkproductivity
had to connect
hundreds of computers within the same building.
gains
It had to be fast enough to support the fast, new laser printer.
Later on, because of the combined efforts of Digital Equipment, Intel, and Xerox, Ethernet
Reduceiscosts
extend the
reach
of your
by unifying your
became a standard. Ethernet
now and
the world's
most
widely
used services
LAN protocol.
Ethernet uses carrier sense multiple access collision detect (CSMA-CD). The different parts of
this protocol are as follows:
Carrier sense Before
transmitting
data,allow
stations
whether
other stations
are
Review
strategies that
largecheck
enterprise
customers
to enhance
already transmitting
the multiaccess
wire.
If other stations
not transmitting, the
theirover
service
offerings while
maintaining
routingare
control
station can transmit data or wait.
Multiple access
Allderived
stationsfrom
are connected
to a services
single physical
or a single
data path.
are still
data and voice
based wire
on legacy
transport
Collision detect
If a collision
is detected
because two
stations
transmitted
data into the
customers,
they have
some drawbacks.
Ideally,
carriers
with existing
wire simultaneously,
both2 stations
stop
transmitting,
back
and try
again alater
after a
legacy Layer
and Layer
3 networks
would
likeoff,
to move
toward
single
random delay.
The base of Ethernet
technology
the Ethernet
frame.
An IP datagram,
for instance,
is
technology
that is
would
allow Layer
2 transport
over a Layer
3
encapsulated andinfrastructure.
transmitted in a standard Ethernet (Type II) frame. The frame header is 14
bytes long6 bytes of destination address + 6 bytes of source address + 2 bytes of frame
typefollowed by the
data
portion
and completed
by 4 bytes
of the
frame 2check
sequence
Layer
2 VPN
Architectures
introduces
readers
to Layer
Virtual
Private (FCS).
Figure 4-1 shows Network
the fields(VPN)
of theconcepts,
original Ethernet
Type II
(Ethernet
frame format.
and describes
Layer
2 VPNII)
techniques
via
Figure
Ethernet
Type IIover
Frame
the Cisco
Unified4-1.
VPN suite:
Any Transport
[View full size
image]
reader to Layer 2 VPN benefits
and
implementation requirements and
The following explains the fields in an Ethernet II frame:

Destination Address The destination address can be a broadcast address
0xFFFFFFFFFFFF, a specific 48-bit unicast address based on the destination node's MAC
address, or a multicast address. You can discover this MAC address from the source
address field of a message during protocol synchronization.
Layer 2 The
VPN Architectures
Source Address
source address is the sender's 48-bit MAC address.
Ethernet Type
TheAnthony
Ethernet
field
is used for higher protocol identification.
No. 4460,
Chan,Type
- CCIE
No. 10,266
Data The Data field contains encapsulated data (such as an IP packet). The valid length
ranges for Ethernet II are between 46 and 1500 bytes.
1-58705-168-0
FCS of
The FCS field ISBN:
contains
a 32-bit cyclic redundancy check (CRC) value, which checks
Table
for damaged frames.
Pages:
648
Contents
Index
Note
productivity gains
Originally, Ethernet II was also referred to as DIX after its corporate sponsors Digital,
Intel, and Xerox.
The original Ethernet IInetwork
frame format
had some shortcomings. To allow collision detection, the
architecture
10-Mbps Ethernet required a minimum packet size of 64 bytes. That meant you needed to pad
Gain from
the firstprotocols
book to address
2 VPN
application
short frames with 0s. Thus,
higher-layer
needed Layer
to include
a Length
fieldutilizing
to
andpadding.
L2TP protocols
discriminate the actualboth
dataATOM
from the
As a consequence, the original Ethernet frame
was changed to include a Length field and to allow for Ethernet to interwork with other LAN
media.
Fortunately, the values assigned to the Ethernet Type field (0x0600 XNS [Xerox], 0x0800 IP
Forand
a majority
Service were
Providers,
a significant
of their revenues
[Internet Protocol],
0x6003of
DECNET)
always
higher thanportion
the maximum
frame size
are still
derived
and voice
services
based
transport
with a decimal value
of 1500.
Thefrom
802 data
committee
solution
to the
taskon
of legacy
providing
a standard
technologies.
Although
Layer 3 MPLS of
VPNs
fulfill
the protocols
market need
some
that did not depend
on the behavior
or characteristics
higher
layer
wasfor
802.3
.
customers,
they have
somea drawbacks.
Ideally,
existing an
802.3 replaced the
Ethernet Type
field with
2-octet length
field. carriers
The waywith
to distinguish
legacy
Layer
2 and
3 networks
would like to
Ethernet II from an
802.3
frame
is byLayer
inspecting
the Type/Length
field:
If the value technology
of the field is
higher
than
1500
decimal,
the field
represents
that
would
allow
Layer
2 transport
over
a Layer 3an Ethernet Type
and is Type infrastructure.
II.
If the value Layer
of the2field
lower than orintroduces
equal to 1500
decimal,
the 2
field
represents
VPNisArchitectures
readers
to Layer
Virtual
Private a
length and isNetwork
802.3. (VPN) concepts, and describes Layer 2 VPN techniques via
In addition, a newassists
form of
packetlooking
type field
was needed,
so a Logical by
Link
Control (LLC)
readers
to meet
those requirements
explaining
the header
with destination and
source
access point
(DSAP
andtwo
SSAP,
respectively)
and control
history
andservice
implementation
details
of the
technologies
available
from
fields follow the Length
fieldUnified
for higher-protocol
identification
(seeMPLS
Figure(ATOM)
4-2). for MPLSthe Cisco
VPN suite: Any
Transport over
Figure
4-2.
Frame
comparing
them to
those802.3
of Layer
3 basedFormat

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
The new fields are as follows:
Length Thisproductivity
is the length
of the frame excluding the preamble, FCS, addresses, and
gains
length field.
DSAP A value of Learn
0xAA indicates
Subnetwork
Access Protocol
about Layer
2 Virtual Private
Networks(SNAP).
(VPNs)
SSAP A value of 0xAA
indicates
SNAP.
Reduce
costs and
extend the reach of your services by unifying your
Control The Control field specifies the type of LLC frame.
Figure 4-2 also shows an
IEEE
802.3
format that is indicated by the DSAP and
both
ATOM
andSNAP
L2TPframe
protocols
SSAP values and includes the SNAP field. The SNAP header includes 3 bytes of vendor code and
2 bytes of local code. AReview
vendorstrategies
code of 0sthat
(0x000000)
indicates
thatcustomers
the local code
is an
allow large
enterprise
to enhance
Ethernet Type II for backward
compatibility.
This new
format moves
the
Ethernet Type field 8
their service
offerings while
maintaining
routing
control
bytes from its original location in Ethernet II.
Note
The Ethernetservices
Type II over
frame
format
is often
referred
to The
as ARPA
frame
The IEEE
their
existing
Layer
3 cores.
solution
in .these
cases is a
802.3 frametechnology
format is also
called
802.3
LLC
to
differentiate
it
from
802.3
that would allow Layer 2 transport over a Layer 3 SNAP.
infrastructure.

Note how the sizeNetwork
range for
the Data
field varies
betweenLayer
the different
encapsulations
(VPN)
concepts,
and describes
2 VPN techniques
via (see
Table 4-1).
Table 4-1.IPSize
ofThe
thestructure
Data Field
Different
Ethernet
cores.
of thisfor
book
is focused on
first introducing the
Encapsulations
reader to Layer
2 VPN benefits and implementation requirements and
Encapsulation
Minimum Size
Maximum Size
Ethernet II
46
1500
802.3 LLC
43
1497
802.3 SNAP
38
1492
Note that you can send IP datagrams smaller than 46 bytes over Ethernet II because IP
contains a Total Length field. When you are sending, for example, 36-byte IP datagrams using
Ethernet II encapsulation, a 10-byte trailer with all zeroes is appended to the IP datagram.
When you are sending the same IP datagram over 802.3 SNAP, the trailer is only 2 bytes,
because 8 bytes are used for the LLC + SNAP headers (1 DSAP + 1 SSAP + 1 Control + 3 OUI
+ 2 Ethertype). Layer 2 VPN Architectures
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.

Metro Ethernet
Overview
The speed, cost, andPublisher:

availability
Ethernet makes it an attractive transport service option for
Ciscoof
Press
providers to offer to Pub
their
customers.
The Ethernet family of technologies operates at the
Date:
March 10, 2005
following rates:
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
10
Mbps
(Ethernet)
Index
100 Mbps (Fast Ethernet)

1000 Mbps (Gigabit
Ethernet)
Master the
world of Layer 2 VPNs to provide enhanced services and enjoy
productivity gains
10,000 Mbps (Ten Gigabit Ethernet)
The total price per bit per
second
lower2for
Ethernet
compared
to other
technologies, such as
Learn
aboutisLayer
Virtual
Private
Networks
(VPNs)
Packet over SONET (POS).
Many providers alreadynetwork
offer Ethernet
connectivity to their customers; others are considering
architecture
Ethernet, either as a Layer 2 transport technology or to invest in their existing SONET, Frame
Relay, or ATM servicesGain
with from
IP virtual
private
(VPN)
offerings.
both cases,
providers
the first
booknetwork
to address
Layer
2 VPN In
application
utilizing
must consider the means
inATOM
which and
theyL2TP
can protocols
use Ethernet to better serve their customers.
both
Metro Ethernet is a service
to connect
physically
dispersed
Ethernetcustomers
LANs that belong
to the
Review
strategies
that allow
large enterprise
to enhance
same corporation. In the
metro
environment,
you can
use Ethernet
in the
following situations:
their
service
offerings while
maintaining
routing
control

To provide transparent
LAN from
services
for customers'
LAN connectivity
to their
are still derived
data(TLS)
and voice
services based
on legacy transport
remote sitestechnologies. Although Layer 3 MPLS VPNs fulfill the market need for some
To provide Layer
Ethernet
VPNs
that3virtually
unite
geographically
servers to
legacy2 Layer
2 and
Layer
networks
would
like to move dispersed
toward a single
appear as though
theywhile
are located
on thewould
samelike
LANto sell the lucrative Layer 2
backbone
new carriers
Enterprises might be interested in Ethernet VPNs because of their ability to offer faster
transport between campuses or a main campus and remote branches. This idea of joining
infrastructure.
geographically dispersed networks with Ethernet becomes possible because Ethernet VPNs are
mimicking the way
enterprises
today might use
their ATM,
private
line, or
Frame Relay
Layer
2 VPN Architectures
introduces
readers
to Layer
2 Virtual
Privateservice.
When Ethernet VPNs
are involved,
the enterprise
is serviced
with
a high-bandwidth
Network
(VPN) concepts,
and describes
Layer
2 VPN
techniques vianetwork
connection at both
ends of thecase
network.
introductory
studies and comprehensive design scenarios. This book
Metro Ethernet deployments offer enterprise customers an effective metropolitan-area network
(MAN) alternative to current WAN networks. The next sections detail some of the requirements
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSthat enterprises and providers impose on Metro Ethernet.

Metro Ethernet
Service Architectures
In the most general Publisher:

sense ofCisco
the term,
Press Metro Ethernet services are network services in which
connectivity is provided
to the
customers
Pub Date:
March
10, 2005 via a standard Ethernet User-to-Network Interface
(UNI). This is a broad definition because multiple technologies can provide Metro Ethernet
ISBN: 1-58705-168-0
Tablefrom
of
services
optical cross-connects (OXC), pure Layer 2 networks, or packet-switched
Pages:
648
Contents
networks.
Index
Because of the broad definition, it is critical to categorize these services. Several taxonomies
for Metro Ethernet produce an eclectic portfolio of services. You can categorize Metro Ethernet
services as follows:
productivity gains
Based on connectivity type:
LearnSimilar
about to
Layer
2 Virtual Private
Networks
(VPNs)
Point-to-point
a permanent
virtual circuit
(PVC).
costs
Multipoint Reduce
Similar to
a cloud.
Based on service types:
Wire services
port does
not have
multiplexing. A customer port connects to a
bothAATOM
and L2TP
protocols
single remote customer port. This is similar to a leased line.
Relay services
is available
based
on VLAN,
such that different
their Service
service multiplexing
offerings while
maintaining
routing
control
customer VLANs within a customer port can connect to different sites. This is similar
For a Relay
majority
of Service Providers, a significant portion of their revenues
to a Frame
port.
Combining these technologies.
two categorizations,
you
have3the
first
fourfulfill
sets of
Ethernet
services:
Although
Layer
MPLS
VPNs
theMetro
market
need for
some
Ethernet Wire
Service
(EWS)
A nonmultiplexed
service.
backbone
while
new carriers
would like point-to-point
Layer 2
Ethernet Relay Service (ERS) A VLAN-multiplexed point-to-point service.
infrastructure.
Ethernet Multipoint Service (EMS) A nonmultiplexed point-to-cloud service. An
example is Virtual Private LAN Service (VPLS), which is covered in Chapter 15, "Virtual
Private LAN Service."
Ethernet Relay Multipoint Service (ERMS) A VLAN-multiplexed point-to-cloud service.
The service provider cloud has VLAN mapping. An example is VPLS, which is covered in
Chapter 15.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbased
cores and
2 Tunneling Protocol version 3 (L2TPv3) for native
Other Metro Ethernet
services
are Layer
as follows:
comparing
to Similar
those oftoLayer
based VPNs,
MPLS, at
then
Ethernet Private
Linethem
(EPL)
EWS 3service,
exceptsuch
it is as
provided
Layer 1 by
OXCs.
Layer 2 VPN access Layer 2 access to Multiprotocol Label Switching (MPLS) VPNs.
ATM to Ethernet over MPLS or Ethernet over L2TPv3 Interworking This topic is
covered in Chapter 14, "Layer 2 Interworking and Local Switching."
Frame Relay to Ethernet over MPLS or Ethernet over L2TPv3Interworking This
topic is covered in Chapter 14.
Table 4-2 summarizes the characteristics of different Metro Ethernet services.
Table 4-2. Metro Ethernet Services
Metro Ethernet
Service
Publisher:
Cisco Press
Architecture
Service Definition
Connectivity
Transparent
(nonmultiplexed)
Point-to-point
VPWS[1]
Transparent
(nonmultiplexed)
Point-to-point
VPWS
Multiplexed
Point-to-point
EPL
Layer 1
Table of
Contents
EWS
Index
ERS
ISBN: 1-58705-168-0
Pages: 648
Master the
world of LayerTransparent
2 VPNs to provide enhanced
services and enjoy
VPLS
Multipoint-toproductivity gains
(nonmultiplexed)
multipoint
EMS
ERMS
VPLS
Multiplexed
Multipoint-toLearn about Layer 2 Virtual Private Networksmultipoint
(VPNs)
ATM/Frame Relay
VPWScosts and extend
Multiplexed
Point-toReduce
the reach of your services
by unifying your
Ethernet Interworkingnetwork architecture
multipoint
[1]
both
ATOM
VPWS = Virtual Private
Wire
Serviceand L2TP protocols
Review
strategies thatbut
allow
large
enterpriseexist.
customers
enhance
All these categories vary
in implementation,
some
generalities
Table to
4-3
shows the
service
offerings
maintaining
control
interface type of the PEtheir
devices
both
toward while
the customer
and routing
toward the
core. The PE devices
can be logical devices that are distributed among different physical PEs. In such a case, the
For a majority
of the
Service
Providers, aPE
significant
portion of their revenues
user-facing PE is called
U-PE, and
network-facing
is called N-PE.
backbone
while
new carriers
wouldServices
Table
4-3.
Metro
Ethernet
Metro Ethernetinfrastructure.
Service
U-PE <-> Customer N-PE <-> Service Provider
EPL
QinQ[1]
WDM[2] wavelength
SONET/SDH[3] circuits
assists readers
requirements
by explaining the
EWS
QinQ looking to meet those
EoMPLS
[4]
ERS
the Cisco802.1q
UnifiedTrunk
VPN suite: Any EoMPLS
Transport over MPLS (ATOM) for MPLSbased
cores
and
Layer
2
Tunneling
Protocol
EMS
QinQ
Ethernet
orversion
EoMPLS3 (L2TPv3) for native
ERMS
EoMPLS
reader to802.1q
Layer Trunk
2 VPN benefits and
ATM/Frame Relay
Frame Relay or ATM
EoMPLS
Ethernet Interworking
[1]
QinQ = Stands for 802.1q in 802.1q and is also referred to as 802.1q tunneling
[2]
WDM = wavelength division multiplexing
[3]
SDH = Synchronous Digital Hierarchy
[4]
EoMPLS = Ethernet over MPLS
Note that the transparent services use QinQ facing the customer to provide "VLAN bundling" in
a port-based service and achieve transparency for customer bridge protocol data units
(BPDUs). On the other hand, the relay services use 802.1q trunking facing the customer in a
VLAN-based service
to provide the VLAN-multiplexed UNI; thus, they are opaque to customer
BPDUs.
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.

Understanding
Spanning Tree Protocol
The methods that enterprises

usePress
to deploy LAN networks have changed considerably over the
Publisher: Cisco
years. At the onset of
switching
technology
in the mid-1990s, enterprises used the so-called
Pub
Date: March
10, 2005
"VLANs everywhere" model in their network design. In this model, an enterprise would
ISBN: 1-58705-168-0
Tableits
of users into workgroups, with each workgroup assigned a VLAN of its own. For
separate
Pages:
648
Contents
instance,
networks would have an engineering VLAN, a marketing VLAN, a production VLAN,
Index
and so
on. Although clients in each VLAN could be located anywhere within the enterprise,
these VLANs had to span and be trunked across the entire network. Trunking enables traffic
from several VLANs to be carried over a point-to-point link between two devices. Today, the
use of VLANs is more restricted, and the "VLANs everywhere" model is no longer preferred.
Master the
world
of Layer
2 VPNsare
to preferred.
provide enhanced services and enjoy
Instead of campus-wide
VLANs,
Layer
3 switches
productivity gains
To facilitate this early design model, the Spanning Tree Protocol (STP) that is specified in the
IEEE 802.1d standard was used. STP and the spanning-tree algorithm protect Ethernet
networks from broadcast storms by detecting loops. The forwarding nature of Ethernet for
broadcasts, multicast, and unknown unicasts can create loops. Broadcast storms are caused by
loops. The scenario can become complex when using VLANs, so the role of STP is more critical
with VLANs. Loops occur when redundant paths are implemented on the network. Redundant
paths serve as a backup
in case
link
failure,
means
they2are
forutilizing
the overall
Gain
fromof
the
first
book which
to address
Layer
VPNimportant
application
health of the network. both
Unfortunately,
redundant
links
cause
packets
to
loop
between
the
switches that these links interconnect. To solve the loop problem, while preserving redundancy,
you can implement STP.
The next
sections
examine
spanning-tree
and
Review
strategies
that
allow large
enterpriseoperation
customers
to enhance
implementation drawbacks
bit more
closely.while maintaining routing control
their aservice
offerings

are still
derived from
data and voice services based on legacy transport
Spanning-Tree
Operation
Overview
When you use STP
on allLayer
switches
in Layer
an internetwork,
puts one
of move
the redundant
legacy
2 and
3 networks itwould
like to
toward alinks
single
between switchesbackbone
in a blocked
state,
whereas
the
other
stays
in
the
forwarding
state.
while new carriers would like to sell the lucrative Layer
2 As a
result, only one link
is operational
atexisting
any given
time.
After the
experiences
services
over their
Layer
3 cores.
Theforwarding
solution inlink
these
cases is a a
failure, STP recalculates
a
new
path,
and
a
formerly
blocked
link
takes
over.
infrastructure.
In a spanning-tree environment, the switches elect a root bridge. All subsequent decisions on
blocking or forwarding
of ports are made
from the
perspective
of 2
this
root bridge.
Layer states
2 VPN Architectures
introduces
readers
to Layer
Virtual
Private The
root selection is made
in
the
following
manner:
history
and
implementation
of the to
two
available
from
1. When the switch
first
comes
up, it sendsdetails
out a BPDU
itstechnologies
directly connected
neighbor
the
Cisco
Unified
VPN
suite:
Any
Transport
over
MPLS
(ATOM)
for
MPLSswitch.
IPBPDUs
cores. and
The create
structure
of own
this book
is to
focused
on first
theAs the
2. Switches link
their
BPDUs
propagate
STPintroducing
information.
reader
to Layeris2propagated
VPN benefits
and implementation
requirements
and
spanning-tree
information
through
the network, each
switch compares
the
comparing
them
toown.
thoseElection
of Layer
VPNs,issuch
MPLS,
then
BPDU from its
neighbors
to its
of3abased
root switch
the as
result
of this
each currently
available
solution
greater of
detail.
comparison.progressively
The lower thecovering
2-byte priority
of a switch,
the higher
theinchances
its
selection as root. Therefore, the switch that has the lowest priority becomes the root
bridge. The priority is a configurable value. When the priorities are the same, the 6-byte
or Root ID is used as a tiebreaker.
Consider the sample network in Figure 4-3, in which two redundant links connect switches 1
and 2. These redundant links create the possibility of bridging loops, because broadcast or
multicast packets that are transmitted from Station A and destined for Station B ping-pong
back and forth between both switches. When STP is enabled in both switches, one of the
parallel links is blocked, eliminating the possibility of bridging loops. The logical network with
the link blocked is shown in Figure 4-3.

ByWei Luo,
- CCIE No.
13,291,
Carlos Pignataro, - CCIE
No. 4619,Dmitry Bokotey, - CCIE
Figure
4-3.
Spanning-Tree
Scenario

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
A BPDU is defined in the IEEE 802.1d MAC Bridge Management protocol, which is the standard
implementation of STP.Gain
The from
IEEE the
802.1d
field consists
8 bits.
It is illustrated
first flag
bookortobit
address
Layer 2ofVPN
application
utilizingin
Figure 4-4, along with both
the complete
BPDU.
ATOM and
L2TP protocols
Figure 4-4. 802.1d BPDU Format

technologies. Although[View
Layer
MPLS
full 3
size
image]VPNs fulfill the market need for some
infrastructure.
The BPDU fields are as follows:

Protocol Identifier Identifies the spanning-tree algorithm and protocol, such as STP
(0x0000).
Protocol Version Identifier Identifies the protocol version, such as Spanning Tree,
Rapid Spanning Tree, and Multiple Spanning Tree.

BPDU TypeIdentifies the BPDU type, such as Configuration (0x00), Topology Change
2 VPN
Architectures
Notification Layer
(0x80),
and
Rapid/Multiple Spanning Tree (0x02).
Flags Bit flags

include
theChan,
following:
No. 4460,
Anthony
- CCIE No. 10,266
Bit 7 Topology Change Acknowledgement flag.
Pub Date:
March 10,
2005
Bit 0 Topology
Change
flag.
ISBN: 1-58705-168-0
Table of
Root Path Cost Multiple
Pages:
648of the root cost.
Contents
Index
Bridge Identifier MAC address of the bridge.

Port Identifier Port priority (smaller number denotes higher priority).
Master
the
world
of Layer
2 VPNs
to provide
and enjoy
Message Age,
Max
Age,
Hello
Time,
Forward
Delayenhanced
These fourservices
timer values
have
productivity
gains
times ranging from 0 to 256 seconds.
The root switch dictates that the root bridge will have all its ports in the forwarding mode. On
each LAN segment, the switches elect the designated switch that is used for transporting data
from that segment to the
root costs
switch.
Onextend
the designated
port that
connectsyour
to the
Reduce
and
the reachswitch,
of yourthe
services
by unifying
LAN segment that the switch
serves
is
put
in
a
forwarding
mode.
You
must
block
all
other
switch ports across the network. The blocking of ports concerns only a switch-to-switch
connection. Ports that Gain
are connected
to workstations
are not
involved
a spanning-tree
from the first
book to address
Layer
2 VPNin
application
utilizing
process and are left in both
a forwarding
mode.
ATOM and
L2TP protocols

their service offeringsImplementation
while maintaining routing
control
Drawbacks of a Spanning-Tree
in Today's
Networks
Although serving are
an important
purpose,
STPand
hasvoice
inherent
drawbacks.
STP
is CPU
intensive and
still derived
from data
services
based on
legacy
transport
vulnerable to network
volatility.
When
a
portion
of
the
VLAN
experiences
a
link
failure,
all
switches that carry
that
VLAN
have
to
learn,
process,
and
forward
BPDUs.
This
problem
escalates if several
VLANs
are 2
involved,
in which
case the
processor
can overload.
the
legacy
Layer
and Layer
3 networks
would
like to move
toward aIfsingle
processor overloads,
it might
start
dropping
BPDUs,
weakening
and destabilizing
the
backbone
while
new
carriers
would thereby
like to sell
the lucrative
Layer 2
network. STP alsoservices
has serious
convergence
issues
when
implemented
in
a
VLAN-concentrated
network with hightechnology
redundancy.
This
results
in Layer
poor scalability
of over
STP networks.
that
would
allow
2 transport
a Layer 3 STP is triggered
when some failure
prevents
the
neighbor
switch
from
receiving
the
periodic
BPDUs sent out by
infrastructure.
STP forwarding ports. The result is that STP must recalculate and redetermine the STP
topology.
To avoid STP issues,
one of the
more
successful
solutions that many
introductory
case
studies
and comprehensive
designenterprise
scenarios.customers
This book
implement is migration
to
Layer
3
switching
services,
made
possible
with
high-performance
assists readers looking to meet those requirements by explaining
the
Layer 3 switches history
(such asand
theimplementation
Cisco Catalyst 6500).
VLANs then
becamefrom
details Campus-wide
of the two technologies
available
obsolete.
With Layer 3 switching, you can forward network traffic based on the Layer 3 address (such as
the IP address). In this method, VLANs segment an IP subnet at Layer 2 by mapping a subnet
to a separate VLAN. User VLANs then terminate at a Layer 3 switch, and the LAN essentially
functions as a routed network.
Similarly, most service providers try to avoid using STP in their core infrastructure. They do
this by utilizing technologies such as AToM to route packets that contain Layer 2 frames in the
service provider core instead of switching them at Layer 2. This means terminating STP locally
on the edge-facing CE. The service provider core is then free of STP, utilizing a full mesh of
pseudowires with split-horizon forwarding to prevent loops. Each PE sees all the other PEs as in
a point-to-multipoint view. Even in these scenarios in which you avoid STP in the core by using
a full mesh of EoMPLS pseudowires and split horizon, you sometimes need STP in an
aggregation layer in the distributed PE between U-PE and N-PE.

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.

Pure Layer
2 Implementation
It is important to understand
the Press
difference in challenges posed by Metro Ethernet versus
Publisher: Cisco
traditional Layer 2 network
Pub Date:technologies
March 10, 2005 from the service provider's standpoint. Ethernet has
little intelligence. If the source and destination are known, the packet is forwarded. If the
ISBN: 1-58705-168-0
Table of is unknown, the packet is flooded. If the source was previously unknown, the
destination
Pages:
648
Contents
address
is learned and the packet is forwarded. The rules look simple, but looks are deceiving.
Index
Forinstance,
if a loop occurs, a packet can keep traversing the network forever, which can
ultimately bring down the network.
As mentioned in the previous section, STP (IEEE 802.1d) protects the network against loops.
the world
of Layer
2 VPNs
toon
provide
enhanced
services
and
Although STP is aMaster
CPU-intensive
protocol
that
takes,
average,
30 to 50
seconds
toenjoy
gains accustomed to Frame Relay's convergence of up to 60
reconverge, manyproductivity
service providers
seconds will find it acceptable. Moreover, Cisco has developed several enhancements to STP,
and the new Rapid Spanning Tree Protocol that is specified in IEEE 802.1w can further
minimize the convergence period.
Metro-wide VLANs with STP require a careful implementation strategy. Ideally, this
implementation involves a deterministic topology with a small amount of redundant
connections and VLANs spanning as few switches as possible. Good planning, however, can
enable a Layer 2 Ethernet transport network for the MAN to offer reliable, high-bandwidth
services to the enterprise.
In the pure Layer 2 model, which is a switched (not routed) core, described in this section, the
enterprise network forwards untagged frames to the service provider.
Note
The term untagged means without an 802.1q header and refers to the Ethernet II
frame you saw in Figure 4-1 or the 802.3 frame you saw in Figure 4-2. 802.1q
encapsulation is discussed in the "802.1q Tunneling" section later in this chapter.
infrastructure.
In this scenario, the enterprise is not using STP through the service provider's core. The service
provider maps the enterprise's subnet to a VLAN. This VLAN is trunked throughout the entire
service provider network and ends at the destination enterprise. As far as the enterprise is
concerned, the routers appear directly connected, and the data transport is completely
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLStransparent. The upcoming "802.1q Tunneling" section of this chapter discusses this topic in
more detail.
reader
to Layer
VPN benefits
and
implementation
and
Utilizing pure Layer
2 solutions
for2 Metro
Ethernet
is relatively
simple requirements
and inexpensive.
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as
MPLS,
then
Complications arise, however, when you deal with the inherent Layer 2 scalability issues.
each currently
available
solution
in greater detail.
Service providersprogressively
cannot affordcovering
to underestimate
cautious
planning
and deployment
when it
comes to spanning tree and VLAN distribution issues. Most likely, service providers will want to
implement redundancy. Because spanning tree is required to protect against loops in the
network, an increase in the number of customer VLANs and locations can spin out of control
and result in network failure. Furthermore, it can complicate troubleshooting of a problem.
Cisco has developed some tools to aid administrators with the Layer 2 management to resolve
some of the Layer 2 issues with VLANs, STP, and scalability. These tools include the following:
VLAN Trunking Protocol (VTP) VPT is a Layer 2 messaging protocol that manages the
addition, deletion, and renaming of VLANs on a networkwide basis. It voids the necessity
of having to do these tasks manually.
Dynamic Trunking
(DTP)
DTP
gives a- switch
ability
to- automatically
ByWei Luo, -Protocol
CCIE No. 13,291,
Carlos
Pignataro,
CCIE No.port
4619,the
Dmitry
Bokotey,
CCIE
negotiate the
method
other network device.
No.trunking
4460,Anthony
Chan, -with
CCIEthe
No. 10,266
STP Root Guard
STP root guard forces a Layer 2 LAN interface to become a designated
port. If any device that is accessible through the interface becomes the root bridge, STP
Root Guard puts the interface into the root-inconsistent (blocked) state.
ISBN: 1-58705-168-0
Table of
BPDU Guard BPDU
Pages:
648 is an enhancement to STP that capitalizes on the predictability
Guard
Contents
of
STP
in
certain
network
environments and disables BPDU forwarding on designated
Index
ports.
In addition, Cisco uses the highest performance processors available to handle the STP
processing. To avoid
the the
"VLANs
everywhere"
model,
service
provider
might offer
the
Master
world
of Layer 2 VPNs
to the
provide
enhanced
services
and enjoy
enterprise multiple
VLANs,
one
to
each
site.
productivity gains
The next section covers another Layer 2 technologyQinQthat can be used as a transport
Learn about
Layer 2 Virtual Private Networks (VPNs)
mechanism in Metro Ethernet
networks.
infrastructure.

802.1q Tunneling
One of the enterprise's

business
can entail sending multiple VLANs across the
Publisher:
Ciscorequirements
Press
service provider's Metro
Ethernet
network.
The enterprise can accomplish this via 802.1q
Pub Date:
March 10,
2005
tunneling, also known as QinQ. This chapter uses both names interchangeably.
ISBN: 1-58705-168-0
Table of
Pages:
648 mechanism that service providers can use to provide secure
Contents
802.1q
tunneling is a tunneling
IndexVPN services to their customers. Ethernet VPNs using QinQ are possible because of
Ethernet
the two-level VLAN tag scheme that QinQ uses. The outer VLAN tag is referred to as the
service provider VLAN and uniquely identifies a given customer within the network of the
service provider. The inner VLAN tag is referred to as the customer VLAN tag because the
theuse
world
of LayerVLAN
2 VPNs
toisprovide
services
and enjoy
customer assignsMaster
it. QinQ's
of double
tags
similar enhanced
to the label
stack used
in MPLS
gains2 VPNs. It is also possible for multiple customer VLANs to be
to enable Layer 3productivity
VPNs and Layer
tagged using the same outer or service provider VLAN tag, thereby trunking multiple VLANs
among customer sites. Note that by using two VLAN tagsouter and inner VLANyou achieve a
demarcation point between the domain of the customer and the domain of the service provider.
The service provider can use any VLAN scheme it decides upon to identify a given customer
within his provider network. Similarly, the enterprise customer can independently decide on a
VLAN scheme for the VLANs that traverse the service provider network without consulting the
service provider.

In summary, 802.1q tunneling allows service providers to use a single VLAN to support multiple
VLANs of customers, while
preserving
customer
VLAN
IDsenterprise
and keeping
traffic intodifferent
Review
strategies
that allow
large
customers
enhance
customer VLANs segregated.
At theofferings
same time,
it significantly
the number of VLANs
their service
while
maintaining reduces
routing control
required to support the VPNs. QinQ encapsulates the VLANs of the enterprise customers into a
VLAN of the service
Forprovider.
a majority of Service Providers, a significant portion of their revenues
QinQ accomplishes
the following:
technologies.
Enterprise customers receive transparent Layer 2 links between sites within a metro area,
such as a link from a branch office to a main campus.
technology
that would
allow Layer
transport
over a Layer
Service providers
can separate
or group
traffic2on
a per-customer
basis 3using outer VLAN
infrastructure.
tags as it traverses the common infrastructure so that the same infrastructure can
provide service to multiple customers.
(VPN) concepts,
describes
Layer
2 VPN
techniques
via
The VLAN IDNetwork
of the enterprise
and theand
VLAN
ID of the
service
provider
do not
have to
introductory
case
studies
and
comprehensive
design
scenarios.
This
book
match.
history
details of the in
two
technologies
The customers
can and
treatimplementation
the switching infrastructure
a remote
site asavailable
if it werefrom
part of
the
Cisco
Unified
VPN
suite:
Anyspace
Transport
overprotocols
MPLS (ATOM)
forSTP
MPLSthe local site.
They
can
use the
same
VLAN
and run
such as
across
cores and
Layer 2802.1q.
Tunneling Protocol version 3 (L2TPv3) for native
the providerbased
infrastructure
through
readerthe
to Layer
2 VPN
benefits
The QinQ model allows
customer
edge
switchand
on implementation
each side of the requirements
tunnel to viewand
the service
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as MPLS,sections
then
provider infrastructure as nothing more than a transparent bridge. The following
talk
coveringprocesses.
each currently available solution in greater detail.
about the 802.1qprogressively
tunneling underlying
802.1. q and 802.1p Tagging

802.1q tagging refers to modifications made to the original Ethernet frame described earlier in
the chapter. In 802.1q tagging, additional bytes are inserted into the Ethernet frame.
Altogether, the Ethernet frame is inserted with four additional bytes that turn it into the 802.1q
frame, and FCS is recalculated. The new fields are illustrated in Figure 4-5.

Figure
4-5. 802.1q Frame
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
Following are the new fields
inserted
by "tagging":
Gain from
the first
book to address Layer 2 VPN application utilizing
Ethertype 2 bytes that identify an 802.1q frame and equal 0x8100. Ethertype is also
called Tag Protocol Identifier (TPID).
TCI 2 bytes of Tag Control Information that in turn contain the following:
are3still
fromthe
data
and voice
on also
legacy
transport
Priority
bitsderived
that define
802.1p
user services
priority. based
They are
referred
to as the
technologies.
Although
Layer
3
MPLS
VPNs
fulfill
the
market
need
for some
class of service (CoS) bits.
legacy
Layer 2Format
and Layer
3 networks
would
like to move
toward
a single
CFI 1-bit
Canonical
Identifier
(CFI) for
compatibility
issues
between
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
Ethernet-type networks and Token Ringtype networks.
allow Layer
transport over a Layer 3
VLAN technology
ID A 12-bitthat
fieldwould
that identifies
the2VLAN.
infrastructure.
IEEE 802.1p is a supplement to the IEEE 802.1d specification. It is intended for QoS
Layer
2 VPN
Architectures
introduces
readers
toin
Layer
2 Virtual
Private
implementation on
LANs,
analogous
to the three
precedence
bits
IP. 802.1p
describes
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via of highmechanisms in switches for handling the time-sensitive traffic and reducing the impact
introductory
case
studies
and
comprehensive
design
scenarios.
This
book
bandwidth traffic within a LAN.
and
implementation
the two
technologies
availableprovide
from
The IEEE 802.1p history
is needed
because
Ethernet,details
unlike of
Token
Ring,
does not inherently
thelevels
CiscoinUnified
VPN
suite:
MPLS (ATOM)
forprovides
MPLS- an
support for priority
frames.
Based
onAny
the Transport
MAC frameover
information,
802.1p
basedmethod
cores and
Tunneling Protocol
3 (L2TPv3)
for native
in-band QoS signaling
for Layer
traffic 2classification.
802.1pversion
also provides
an optional
IP cores.
structure
of this book
is focusedframe
on first
introducing the
mechanism in switches
for The
supporting
end-to-end
time-critical
delivery.
Under IEEE 802.1p,
eight CoSs
aretosupported.
The higher
the
valuesuch
is, the
higher then
the priority of
comparing
them
those of Layer
3 based
VPNs,
as MPLS,
the frame. Zero, the
lowest, stands
for routine
service with
no priority
specified.
You
can
progressively
covering
each currently
available
solution
in greater
detail.
configure switches in a LAN and different ports of a switch for several different priority levels.
Sometimes high-speed LANs do not require QoS capabilities. However, when backbone
networks are involved, QoS methods become necessary on service provider and enterprise
networks. You will learn more of the QoS in Layer 2 VPN implementations in Chapters 9,
"Advanced AToM Case Studies," and 13, "Advanced L2TPv3 Case Studies." Now it is time to
examine the innerworkings of 802.1q tunneling.
Understanding How 802.1q Tunneling Works

A tunnel port is a Layer
port 2that
configured to support 802.1q tunneling. Each customer comes in
VPN is
Architectures
on a dedicated customer-facing
on the
service
provider
a VLAN
that is
ByWei Luo, - CCIE port
No. 13,291,
Carlos
Pignataro,
- CCIE switch
No. 4619,where
Dmitry Bokotey,
- CCIE
dedicated to tunneling
is
assigned.
The
service
provider
assigns
each
customer
an
outer VLAN
tag or a service provider VLAN tag that uniquely identifies him within the network. The service
provider VLAN also keeps the customer traffic isolated from other customer traffic that is
traversing the same service provider network. That service provider VLAN supports all the
VLANs of the customer.
Table of
ISBN: 1-58705-168-0
648
802.1q
tunneling refersPages:
to multiple
tagging of dot1Q frames as they enter a service provider
Contents
switch
from
a
client
switch.
QinQ
can
tag or untag any frames that it receives from the
Index
customer tag. 802.1q also has native VLAN frames that are untagged. The service provider
switch adds the outer VLAN tag.
Tagged and untagged

customer
traffic
comes
from to
a port
on aenhanced
customerservices
device and
Master
the world
of Layer
2 VPNs
provide
andenters
enjoy the
service-provider edge
switch
through
a
tunnel
port.
Each
customer
edge
port
that
is
connected
productivity gains
to an 802.1q tunnel port is typically configured as a trunk port. The customer trunk port is
unaware of the provider 802.1q tunnel and can communicate with all of its other trunk ports
Learn
about
Layer 2
PrivateasNetworks
(VPNs)
that are connected to the
metro
network
ofVirtual
the provider
if they were
directly connected.
This makes the process transparent to the switching network of the enterprise.
network
architecture
A hub customer edge might
have
connectivity to two remote spoke sites and have only half of
the VLANs from the hub site go to one site and the remaining to the second remote site. This is
Gainprovider
from theVLANs
first book
to address
Layer
2 VPN application
utilizing
possible using two service
for this
enterprise
customer
when certain
sites need
both
ATOM
and
L2TP
protocols
to see only some and not all of the VLAN traffic from the hub site.
Reviewtrunk
strategies
that
allow large
enterprise
customers
to enhance
The link between the 802.1q
port on
a customer
device
and the
tunnel port
is known as
theirend
service
offerings while
routing
control the other end is
an asymmetrical link. One
is designated
as an maintaining
802.1q trunk
port, whereas
configured as a tunnel port. The tunnel port is configured with an access VLAN ID that is unique
a majority
of 4-6.
to a customer, asFor
shown
in Figure
legacyPort
LayerDesignation
2 and Layer 3 networks
would like
to move Network
toward a single
Figure 4-6.
in a Service
Provider
technology that would [View
allowfullLayer
2 transport over a Layer 3
size image]
infrastructure.

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
When a tunnel port receives tagged customer traffic from an 802.1q trunk port, it does not
strip the existing VLANReview
tag (imposed
by the
switch)
from the
frame header.
Instead,
strategies
thatcustomer
allow large
enterprise
customers
to enhance
it leaves the 802.1q tag
intact
and adds
a 2-byte
field
(0x8100)
followed by a 2-byte
their
service
offerings
whileEthertype
maintaining
routing
control
field containing the priority (CoS) and the VLAN ID. The tunnel port treats the new tagged
frame as a Layer For
2 frame
whereof
the
Ethertype
is not a
known
to theportion
serviceofprovider
because it
a majority
Service
Providers,
significant
their revenues
is the bottom of the
tag
stack.
It
uses
the
outer
or
top
VLAN
tag
for
subsequent
switching
inside the servicetechnologies.
provider infrastructure.
The tagging
is demonstrated
in Figure
4-7.
Although Layer
3 MPLS process
VPNs fulfill
the market need
for some
First, you see an original
untagged
frame
(described
in
Figures
4-1
and
4-2),
followed
by
a
customer VLAN tagged
you see
the addition
oflike
a provider's
802.1q atag.
legacyframe.
Layer 2Finally,
and Layer
3 networks
would
to move toward
single
Figure 4-7. 802.1q Tag Addition
infrastructure.
[View
full size
image] Layer 2 VPN techniques via
Network (VPN) concepts,
and
describes
The tunnel port then puts the received customer traffic into the service provider VLAN that is
assigned to the tunnel port. Subsequently, that VLAN transports the customer traffic to the
next tunnel device. The customer VLAN (customer 802.1q tagged frames) is tunneled traffic
that is carried in a service provider VLAN 802.1q tunnel. The ports in the tunnel are the ingress
or egress points of the tunnel. The tunnel ingress and egress ports are not necessarily located
Layer
2 VPN
Architectures
on the same device.
To
reach
a remote site in the customer network in the egress tunnel port,
ByWei Luo,
- CCIE No.
13,291,Carlos
- CCIEnetwork
No. 4619,Dmitry
Bokotey,
- CCIE as
the tunnel can traverse
multiple
network
links Pignataro,
and multiple
devices
(as many
No. 4460,customer
Anthony Chan,
- CCIE No. 10,266
required for a particular
support).
When the frame reaches
the Cisco
other
end of the provider network, an egress tunnel port at the
Publisher:
Press
edge switch strips the
outermost tag before sending it to the customer network. Then the
switch transmits the traffic out of the egress tunnel port with the original 802.1q tag of the
ISBN: 1-58705-168-0
Table ofto an 802.1q trunk port on a customer device. The 802.1q trunk port on the
enterprise
Pages:
648
Contents
customer
device strips the 802.1q
tag and removes the traffic from the tunnel.
Index
Note
productivity gains
An 802.1q trunk has an untagged native VLAN. When the port is in 802.1q trunk
mode, the native VLAN is used for untagged traffic. Therefore, the native VLAN and
about
Layer
2 Virtual
(VPNs)
all VLANs need to Learn
stay the
same
on both
sidesPrivate
of the Networks
trunk.
from the firstand
book Restrictions
to address Layer 2 VPN application utilizing
802.1q TunnelingGain
Guidelines
When you are configuring 802.1q tunneling, keep the following in mind:
Because 802.1q tunneled packets are processed as non-IP packets, Layer 3 packet
a majority
of Service
a significant
portioncriteria
of their
revenues
classificationFor
does
not apply.
You canProviders,
consider only
Layer 2 match
(for
instance,
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
VLANs, source and destination MAC addresses, and 802.1p CoS bits) when filtering tunnel
technologies.
VPNs
fulfill
the to
market
need
for some
traffic. (Untagged
packetsAlthough
that are Layer
sent to3 aMPLS
tunnel
do not
have
adhere
to this
customers,
they
have
some
drawbacks.
Ideally,
carriers
with
existing
restriction inside the provider network.) Therefore, QoS for tunnel traffic can be provided
legacy
only for Layer
2. Layer 2 and Layer 3 networks would like to move toward a single
services
over
their existing
Layer
3 cores.
The solution
in these cases
is a
Dot1Q tunnel
ports are
essentially
access
ports
that support
double-tagging
of incoming
technology
that
would
allow
Layer
2
transport
over
a
Layer
3
packets. Therefore, as far as Dynamic Trunking Protocol (DTP) is concerned, the port
mode of an infrastructure.
802.1q tunnel port is not negotiable. Hence, DTP does not work with
asymmetrical links because only one port on the link is configured as a trunk.
Network
concepts, and
describes
Layer
2 VPN To
techniques
via between
VTP does not
work on(VPN)
an asymmetrical
link
or through
a tunnel.
enable VTP
introductory
case
studies
and
comprehensive
design
scenarios.
This
book
two customer ports across a tunnel, configure the protocol tunneling on the tunnel
ports.
history
and
implementation
details
of the
two technologies available from
An asymmetrical
link
supports
the following
Layer
2 protocols:
andDetection
Layer 2 Tunneling
versionto
3 detect
(L2TPv3)
for anative
UniDirectional
Link
(UDLD)Protocol
Allows devices
when
IP cores.
The
structure
of this
book is focused
first
introducing
the loops,
unidirectional
link
exists.
Because
unidirectional
linkson
can
cause
spanning-tree
readerdown
to Layer
2 when
VPN benefits
and
implementation
requirements and
UDLD shuts
a link
it detects
unidirectional
traffic.
Port aggregation
(PAgP)
Used in
the automatic
of Fast
progressivelyprotocol
covering each
currently
available
solutioncreation
in greater
detail.
EtherChannel links.
Cisco Discovery Protocol (CDP) Disabled by default on a QinQ tunnel port to
prevent the service provider switch and the enterprise switch from seeing each
other. To use CDP between customer edge devices across the provider tunnel,
configure protocol tunneling for CDP on the tunnel ports.
As mentioned, traffic in the native VLAN is untagged and cannot be tunneled correctly.
Therefore, make sure that the native VLAN of the 802.1q trunk port in an asymmetrical
link does not carry traffic. Tag egress traffic in the native VLAN with 802.1q tags.
You can tunnel jumbo frames (that is, Ethernet frames in excess of the Ethernet frame
MTU and up to 9216 bytes in length) in the core. However, you need to support them in a
tunneled network
in 802.1q tunnel ports and trunk ports in the provider network)
Layer 2 (both
VPN Architectures
for tunnelingByto
work
correctly
with all packet sizes. Also, the total length of the frame
plus 802.1qNo.
tag4460,
cannot
exceed
the maximum frame size.
If the VLAN of the tunnel port does not match the native VLAN of the 802.1q trunk, CDP
Publisher:
Cisco Press Because the 802.1q tunnel feature does not require that
reports a native
VLAN mismatch.
Pub
Date:
March
10, 2005
the VLANs match, you can ignore
these messages in this case.
ISBN: 1-58705-168-0
Table of
Enterprise and service
provider
switches should not participate in each other's STPs. To
Pages:
648
Contents
ensure this does not happen, STP BPDU filtering is enabled by default on 802.1q tunnel
Index
ports and access ports on provider switches. This makes BPDUs from the enterprise
network invisible to the provider and vice versa. On the flip side, self-loops from back-toback connection of the tunnel ports go undetected. To resolve this, all those ports on
provider edge
switches
that interface
a customer
should
have services
the Rootand
Guard
feature
Master
the world
of Layer with
2 VPNs
to provide
enhanced
enjoy
enabled. This
way,
a
customer
switch
does
not
mistakenly
become
an
STP
root.
When
you
productivity gains
configure protocol tunneling on the customer edge ports, customer switches on either end
of the tunnel can see STP BPDUs from other switches of that customer.
The maximum number of VLANs that the 802.1q standard allows in a Layer 2 domain is
4096, because the
VLAN ID
field
is 12
bits and
therefore
permits
4096byvariations
(212 =
Reduce
costs
and
extend
the reach
of your
services
unifying your
4096). Thus, the network
entire pure
Layer 2 solution is bound to that number. It might or might
architecture
not become a significant hindrance depending on the requirements placed on a particular
service provider. Gain from the first book to address Layer 2 VPN application utilizing

infrastructure.

Summary By
Pure Layer 2 and 802.1q

tunneling
network architectures offer practical solutions for
Publisher:
Cisco Press
enterprises that are Pub
looking
receive
and service providers that are looking to offer Metro
Date: to
March
10, 2005
Ethernet connectivity. Examine carefully the inherent limitations of pure Layer 2
ISBN: 1-58705-168-0
Table of
implementation
if you are considering this type of service and creating its design. Even though
Pages:
648
Contentshave moved on from
enterprises
pure Layer 2 networks to those that are Layer 3 switched,
Index
Layer
2 still holds a great value for an Ethernet solution for a service provider.
Many enterprises and service providers are considering whether QinQ or 802.1q tunneling is
right for them. This technique solves the transparency problems for enterprises and enables
of Layer
to provide
enhanced
and
enjoy of
service providers Master
to offerthe
theworld
desired
Layer 22 VPNs
services
at the same
time. services
However,
because
productivity
gains
some of the issues
described in
this chapter, QinQ might not work for everyone.

infrastructure.

Chapter 5. WAN Data-Link Protocols

Cisco Press
the following
topics:
ISBN: 1-58705-168-0
Table of
encapsulation
Introducing HDLCPages:
648
Contents
Index
Introducing PPP encapsulation
Understanding Frame Relay
Master
Understanding
ATMthe world of Layer 2 VPNs to provide enhanced services and enjoy
productivity gains
Before proceeding with a detailed examination of Layer 2 Tunneling Protocol Version 3
(L2TPv3) and Any Transport over MPLS (AToM), it is critical to understand the protocols that
Learn about
LayerThe
2 Virtual
Private
these tunneling mechanisms
transport.
four WAN
dataNetworks
link layer(VPNs)
protocols covered include
High-Level Data Link Control (HDLC), PPP, Frame Relay, and ATM.
This chapter introducesnetwork
specificarchitecture
components of these Layer 2 protocols that are relevant to the
L2TPv3 and AToM pseudowire protocols explored later in this book. For each of these protocols,
the chapter examines the encapsulation format, any relevant control/management protocols
that the pseudowire protocols might have to emulate, and any inherent traffic-management
characteristics where applicable.

infrastructure.

Introducing
HDLC Encapsulation
In 1974, IBM developed

one Cisco
of the
first bit-oriented synchronous protocols, known as
Publisher:
Press
Synchronous Data Link
(SDLC).
Pub Control
Date: March
10, 2005After IBM submitted the protocol to the ISO for
international standardization, the ISO adapted the protocol and renamed it HDLC. HDLC is
ISBN: 1-58705-168-0
Tableunder
of
covered
the ISO standards ISO 3309 and ISO 4335. During the same period, the
Pages:
648
Contents Committee for Telegraph
Consultative
and Telephone (CCITT), now known as International
Index
Telecommunication
Union (ITU-T), adopted HDLC for the X.25 Link Access Procedure when
developing standards for X.25 Data Transmission.
The frame formats between the ISO and ITU-T versions of HDLC share many similarities and
the world
of Layer
2 VPNssuch
to provide
enhanced
services
have also served Master
as the basis
for future
protocols
as Frame
Relay and
PPP. and enjoy
productivity gains
HDLC was defined to operate in the following three modes:

Normal Response Mode (NRM) Employs a master/slave relationship, whereby
costs
and
extendonly
the reach
services
by unifying
secondary (slave)Reduce
station(s)
can
transmit
when of
theyour
primary
(master)
stationyour
permits.
Gain from the
first(ARM)
book to
Layer
VPN application
utilizing
Asynchronous Response
Mode
Isaddress
similar to
NRM2mode,
but it differs
in that the
both
ATOM
and
L2TP
protocols
secondary station(s) does not have to wait for permission from the primary station to
send data. The primary station is responsible for link initialization, link teardown, and
error recovery. Review strategies that allow large enterprise customers to enhance
Asynchronous Balanced Mode (ABM) All stations have equal status and do not require
For atheir
majority
Providers,
instruction from
peersoftoService
perform
a task. a significant portion of their revenues
Although
Layer
3 MPLS
VPNsthe
fulfill
the encapsulation
market need for
In addition to thetechnologies.
ITU-T and ISO
standards,
Cisco
modified
HDLC
andsome
have some drawbacks.
Ideally,
carriers
with existing
adapted it for usecustomers,
as a serial they
line encapsulation
protocol. The
Cisco
implementation
is used in
legacy Layer
and
Layer 3 in
networks
would
like to
toward aHDLC
single
full duplex point-to-point
links 2
and
operates
ABM mode.
Unlike
themove
standardized
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
implementation, the nonstandard Cisco version does not perform windowing or retransmission
services
over
their existing
Layer
cores. The solution in these cases is a
and uses an Ethertype
field
to indicate
the Layer
33
payload.
infrastructure.
Note
assists
readers
looking
meetformat
those as
requirements
by standard
explaining
the
This discussion
examines
the
HDLC to
frame
the ISO 3309
defines
history and
detailsthe
of ISO
the two
technologies
available from
it. Where applicable,
anyimplementation
differences between
standard
and Cisco
the are
Cisco
Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSimplementation
highlighted.
comparing
those
of Layer
3 based
such
MPLS,
then over
AsChapter 8, "WAN
Protocolsthem
overto
MPLS
Case
Studies,"
and VPNs,
Chapter
12,as
"WAN
Protocols
progressively
each and
currently
solution
in greater
detail.to
L2TPv3 Case Studies"
highlight,covering
both L2TPv3
AToMavailable
interaction
with HDLC
are limited
HDLC frame transport when dealing with Layer 2 pseudowire emulation. As such, this HDLC
section focuses on the HDLC frame format. Figure 5-1 illustrates the HDLC frame structure.
Figure 5-1. HDLC Frame Format

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
Each field is described both
as follows:
Flag The beginning and end of every HDLC frame must contain a 1-byte Flag Sequence
field to delimit the frame. The flag sequence used is 01111110 (0x7E). Because these
flags must be
it is critical
thatProviders,
a 0x7E does
not show portion
up in the
To avoid
Forunique,
a majority
of Service
a significant
of Data
their field.
revenues
this scenarioare
onstill
synchronous
links,
HDLC
uses
a
method
known
as
bit
stuffing,
as
defined
derived from data and voice services based on legacy transport
inAmerican technologies.
National Standards
Institute
(ANSI)
T1.618,
to
differentiate
this
sequence
from a flag delimiter.
If they
five consecutive
1s are detected,
thecarriers
bit stuffing
customers,
Ideally,
withtechnique
existing inserts
a 0 bit to avoid
having
six
consecutive
1s
in
a
row.
Upon
inspection
of
the
frame,
the
legacy Layer 2 and Layer 3 networks would like to move toward
a single
receiving end
removes
the
0
bit
when
it
detects
five
consecutive
1s
to
restore
the
original
sequence. Two
alternate
flag
fields
include
0xFF
to
indicate
an
IDLE
flag
and
0x7F
services over their existing Layer 3 cores. The solution in these cases isfor
a an
Abort flag. technology that would allow Layer 2 transport over a Layer 3
infrastructure.
Note
On asynchronous links, HDLC uses byte stuffing (sometimes referred to as character
stuffing or escaping ) to transform illegal byte values into a set of legal characters.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSThe receiving end reverses this mechanism to obtain the original values.
progressively
covering
each
currently
available
solutionon
in the
greater
detail.
Address The
Address field
uniquely
identifies
each
of the stations
HDLC
link.
Depending on the operational mode (NRM, ARM, or ABM), the Address field could contain
the primary or secondary station's address when sending command and response
messages. ISO standard 3309 can be referenced for more detail on the use of the
Address field.
In Cisco HDLC encapsulation, instead of uniquely identifying a station, the Address field
indicates the frame type.
Valid values include these:
0x0F for unicast frame

0x80 for broadcast frame
0x20 for
compressed
ByWei
Luo, - CCIE frame
No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
0x40 for padded frame

Control The Control
field contains sequence number information and command or
Pub Date:
March 10, 2005
response messages
depending
on the frame type. Three control frame types are defined
ISBN: 1-58705-168-0
in
HDLC
as
follows:
Table of
Pages: 648
Contents
Information frameFigure 5-2 lays out the Control field octet for an information
Index
frame. The first bit of the control octet set to 0 indicates that the frame is an
information frame. The N(S) and N(R) are 3-bit fields containing the transmitter's
send and receive sequence numbers respectively. The P/F bit indicates whether this
is a command
request
Master the
worldor
ofresponse.
productivity gains
Learn5-2.
aboutControl
Layer 2 Virtual
Networks (VPNs) Frame
Figure
FieldPrivate
FormatInformation
Supervisory frameFigure 5-3 lays out the Control field octet for a supervisory
frame. The supervisory frame has a similar format to the information frame except
that the first two bits are set to 0 and 1 to distinguish this frame as a supervisory
frame, and bits 3 and 4 are supervisory function bits. The remaining fields have the
same meaning as in the information frame.
infrastructure.
Figure 5-3. Control Field FormatSupervisory Frame

progressively
covering
each
currently
solution
greater
detail.
Unnumbered
frame
Figure 5-4
lays
out theavailable
Control field
octetinfor
an unnumbered
frame. The first two bits are set to 1 to distinguish this frame as an unnumbered
frame. The M bits convey different commands/responses. For information regarding
the different M-bit encoding for various command/response message types, refer to
the ISO 4335 standard. The P/F bit functions the same way as in other HDLC Control
fields.
Figure 5-4. Control Field FormatUnnumbered Frame

Cisco HDLC encapsulation

does not use the control octet. It sets it to 0.
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
Protocol The Protocol field is specific to Cisco HDLC encapsulation. The value of the
Index
Protocol field identifies the upper-layer protocol stored in the succeeding Information
field. Cisco adopted standard Ethertype values to identify most protocols (see Table
5-1), but it also developed additional protocol values for Layer 3 protocols that
normally do not exist on Ethernet (see Table 5-2).
productivity gains
Table 5-1. Ethernet Standard Values for Cisco HDLC

Reduce costs and extend
the reach
Protocol
Fieldof your services by unifying your
Protocol Type
Protocol
Fieldutilizing
Value
Gain from the first book to address Layer 2 VPN
application
both Protocol
ATOM and
L2TP protocols
PARC Universal
(PUP)
0x0200
Review
strategies
that allow large enterprise0x0600
customers to enhance
Xerox Network
Systems
(XNS)
IP
0x0800
Chaos
0x0804
technologies.
Although Protocol
Layer 3 MPLS
RFC 826
Address Resolution
(ARP)VPNs fulfill the
0x0806
Virtual
Integrated
Service
(VINES)would
IP
legacy
Layer Network
2 and Layer
3 networks
like to0x0BAD
backbone
while
new
carriers
would
like
to
sell
the
lucrative
VINES ECHO
0x0BAF Layer 2
DECnet
Phase IV that would allow Layer 2 transport over
0x6003
technology
a Layer 3
infrastructure.
Apollo Domain
0x8019
2 Virtual Private
Cisco Layer
SLARP2 VPN Architectures introduces readers to Layer
0x8035
Digitalintroductory
Equipment Corporation
Bridge Spanning
0x8038
case studies (DEC)
and comprehensive
design
Tree Protocol
Apple Ethertalk
0x809b
cores and Layer 2 Tunneling Protocol version
3 (L2TPv3) for native
AppleTalk
ARP
0x80f3
Novellreader
Internetwork
(IPX)
0x8137
to LayerPacket
2 VPN Exchange
benefits and
implementation
requirements and
Multiprotocol Label Switching (MPLS) Unicast
0x8847
Table 5-2. Cisco Invented Values for Cisco HDLC Protocol

Field
No. 4460,
Protocol
Type
Protocol Field Value
Frame Relay ARP
0x0808
Pub Date:
March 10,
2005
IEEE Bridge
Spanning
Protocol
0x4242
ISBN: 1-58705-168-0
Table of Bridged Ethernet/802.3
Pages:
648
Contents
ISO
Connectionless
Network Protocol
Index
0x6558
0xFEFE
(CLNP)/International Organization for
Standardization (ISO) End System-to-Intermediate
System (ES-IS) destination service access point
(DSAP)/SSAP
productivity gains
Novell IPX, Standard Form
0x1A58
ES-IS
0xEFEF
RSRB Raw
0x1996
STUN Serialnetwork
Tunnel architecture
0x1997
Compressed TCP
0x1999

InformationThe Information field contains data that is to be transmitted and only
appears when
Control field
is set Providers,
to be an information
frame.
Theoflength
of this field is
Forthe
a majority
of Service
a significant
portion
their revenues
variable andare
depends
on thefrom
Layer
3 protocol
to services
be carried.
still derived
data
and voice
based on legacy transport
Frame check
sequence
(FCS)
FCS
value contains
a 2-carriers
or 4-octet
redundancy
customers,
they
haveThe
some
drawbacks.
Ideally,
withcyclic
existing
check (CRC).
If theLayer
receiver's
calculation
differs
from
the frame,
the
legacy
2 andCRC
Layer
3 networks
would
likethe
to value
move in
toward
a single
frame is flagged
in error.
backbone
while new carriers would like to sell the lucrative Layer 2
infrastructure.
Note

The Cisco version
of HDLC
canstudies
optionally
a simple keepalive
mechanism
introductory
case
andutilize
comprehensive
design scenarios.
Thisthat
book
tracks the sequence
numbers
of
messages
that
the
two
endpoints
generate
locally.
assists readers looking to meet those requirements by explaining
the
Although thishistory
control/management
protocol
exists,
neither
Layer 2 Tunnel
Protocol
and implementation
details
of the
two technologies
available
from
Version 3 (L2TPv3)
nor
Any
Transport
over
MPLS
(AToM)
interact
with
this
keepalive
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for
MPLSmechanism;based
instead,
they
carry
these
messagesProtocol
across transparently.
cores
and
Layer
2 Tunneling
version 3 (L2TPv3) for native

Introducing
PPP Encapsulation
In 1993, the Internet

Engineering
Task Force (IETF) defined the requirements for a serial line
Publisher:
Cisco Press
data encapsulation protocol
RFC10,1547.
Pub Date: in
March
2005 The protocol that eventually grew out of this RFC was
PPP. Following are some of the more important goals that RFC 1547 outlined:
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
Protocol
multiplexing
PPP was required to support multiple higher level protocols. This,
Index
in turn, required PPP to support a Protocol field to allow for multiplexing several network
layer protocols over the same point-to-point link.
Error detection
PPP
beofable
to 2
detect
in theenhanced
encapsulated
frames.
Master
themust
world
Layer
VPNserrors
to provide
services
and enjoy
productivity gains
Network layer address negotiation PPP must support dynamic learning and
negotiation of network layer addresses.
Transparency PPP cannot restrict the network layer protocols to avoid certain characters
Reduce PPP
costs
andbe
extend
the reach of to
your
services
unifying your
or bit patterns. Instead,
must
fully transparent
higher
layerby
protocols.
architecture
Furthermore, PPPnetwork
must handle
any character or bit pattern restrictions through means
such as bit or escaping.
both ATOMfeatures
and L2TP
protocols
The finalized RFC also described
that
PPP explicitly did not require, such as these:

Error correctiontheir
PPP service
is not expected
perform
error correction,
only error detection.
offeringsto
while
maintaining
routing control
Instead, the error correction responsibility is left to upper transport layer protocols.
Flow control
not required
to support
a flow
control
mechanism;
instead,
it is
arePPP
stillisderived
from data
and voice
services
based
on legacy
transport
expected to technologies.
receive packets
at the full
rate
depending
the physical
layer
Although
Layer
3 possible
MPLS VPNs
fulfill theon
market
need for
some
protocol. The
transport they
layerhave
is leftsome
with drawbacks.
the responsibility
of carriers
end-to-end
control.
customers,
Ideally,
withflow
existing
Sequencing
Althoughwhile
somenew
network
layer
protocols
frame2 delivery,
backbone
carriers
would
like torequire
sell thesequenced
lucrative Layer
PPP is not required
deliver
in Layer
the same
orderThe
that
these frames
sent.
servicestoover
theirframes
existing
3 cores.
solution
in thesewere
cases
is a
To meet these requirements,
PPP's implementation is primarily composed of four components:
infrastructure.
Encapsulation method This is an encapsulation method (RFC 1662) based on HDLC for
datagram transmission over point-to-point links.
Link Control Protocol (LCP) LCP allows for establishment of link connectivity and
dynamic configuration and testing of the data link connection. RFC 1661 refers to this
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSphase as the Link Establishment phase.
IP cores.
The structure of
this
book is focused
on first
thewhereby
Authentication
phase[optional]
The
Authentication
phase
is anintroducing
optional step
reader to Layer
VPN benefits
and such
implementation
requirements
the peer is authenticated
via2 some
mechanism
as Challenge
Handshake and
comparing
to those
of Layer
3 based VPNs,
such as(PAP).
MPLS, then
Authentication
Protocolthem
(CHAP)
or Password
Authentication
Protocol
Network Control Protocol (NCP) An NCP is defined for each upper layer network
protocol to allow for dynamic negotiation of its properties. Internet Protocol Control
Protocol (IPCP) as defined in RFC 1332 is an example of an NCP for IP and negotiates
parameters such as IP address assignment. A host of other NCPs exist for alternate Layer
3 protocols such as IPXCP (IPX) and ATCP (AppleTalk). RFC 1661 refers to this phase as
the Network Protocol Phase.
You can find the IETF standards for PPP encapsulation in RFC 1661, "Point-to-Point Protocol
(PPP)," and RFC 1662, "PPP in HDLC-Like Framing." Subsequent RFCs were defined to augment
PPP's capabilities. RFC 1570 defines additional extensions to the LCP mechanism, and RFC 1990
defines Multilink PPP (MLPPP), which provides a means for link aggregation.
Note
This discussion primarily examines the basic format of PPP data encapsulation as
defined in RFCs 1661 and 1662. This discussion does not delve into the negotiation
ISBN: 1-58705-168-0
aspects
Table of of LCP and the various NCPs because the pseudowire emulation protocols do
Pages:
not
interact with PPP at 648
that level.
Contents
Index
Figure 5-5 shows the typical PPP frame structure.

productivity gains
Figure 5-5. PPP Frame Structure

infrastructure.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSEach component based
of the PPP
frame
is described
as follows:
cores
and Layer
2 Tunneling
Protocol version 3 (L2TPv3) for native
Flag The beginning and end of every PPP frame must contain a 1-byte Flag Sequence
field to delimit the frame. The flag value is 01111110 (0x7e). Like HDLC, PPP uses bit
stuffing on synchronous links to fulfill the requirement for network layer transparency.
Note
Similar to HDLC, PPP utilizes byte stuffing on asynchronous links.
Address The Address field is set to an All Stations address of 0xff.

2 VPNfield
Architectures
Control TheLayer
Control
is a single byte that is set to 0x03.
Note

ISBN: 1-58705-168-0
When
Table ofyou perform Address and Control Field Compression (ACFC), the Address and
Pages:
648 Furthermore, the Protocol field is reduced to a single octet
Control
Contents fields are omitted.
when
Index performing Protocol Field Compression (PFC). Both ACFC and PFC are
negotiated in the Link Establishment phase. You can obtain additional details on this
in RFC 1661.
productivity gains
Protocol The Protocol field is a 2-octet field which identifies the encapsulated protocol.
about
Layer 2 (IANA)
Virtual Private
Networks
(VPNs) PPP protocol
Internet AssignedLearn
Numbers
Authority
administers
the assigned
numbers. You can find the numbers at http://www.iana.org/assignments/ppp-numbers.
Reduce costs
and
extend values
the reach
of your
services
by unifying
your
Note that the IANA-assigned
PPP
protocol
do not
match
Cisco-assigned
protocol
network
architecture
values used in HDLC.
from thefield
first is
book
to address Layer
VPN contains
application
utilizing
Information TheGain
Information
a variable-length
field2 that
upper
layer
both
ATOM
and
L2TP
protocols
protocol data.
that allow
enterprise
customers
to enhance
FCS The FCS is a Review
2-octetstrategies
CRC calculated
over large
the Address,
Control,
Protocol,
Information,
their
service offerings
while
maintaining
routing
and Padding fields.
If negotiated,
PPP also
supports
a 4-octet
FCScontrol
field.
infrastructure.

Understanding
Frame Relay
During the late 1980s,

there Cisco
was Press
a rapid increase in demand for high-bandwidth WAN services.
Publisher:
The proliferation of LAN-based
end
and growth in high-bandwidth applications fueled
Pub Date: March
10,devices
2005
the need for higher speeds, low delay, and low-cost LAN interconnection.
ISBN: 1-58705-168-0
Table of
Pages:
Contents
Frame
Relay was developed 648
as a Layer 2 protocol that avoided some of the drawbacks of WAN
Indexat the time, as follows:
services
The increased availability of error-free transmission lines reduces the need for protocols
such as X.25Master
that perform
hop-by-hop
Frame
Relay
relies
on
the world
of Layer 2error
VPNscorrection.
to provide Instead,
enhanced
services
and
enjoy
higher level productivity
protocols to gains
perform end-to-end error correction and flow control.
Whereas X.25 requires packet processing at Layer 3, Frame Relay strictly operates at
Learnthe
about
Layer requirements
2 Virtual Private
Networks
(VPNs)
Layer 2. This reduces
switching
drastically
and
reduces per-hop delay.
Reduce
costs and
extend thecircuits,
reach ofwhich
your services
by unifying
your
Unlike time-division
multiplexing
(TDM)based
provide fixed
point-to-point
network
connectivity, Frame
Relay architecture
provides network connectivity via packet switching over logical
virtual circuits that are similar to X.25. Frame Relay accomplishes this by using a data-link
Gain(DLCI)
from the
first book
to addressvirtual
Layercircuits
2 VPN application
utilizing
connection identifier
to uniquely
distinguish
on a physical
link. This
both
ATOM
and
L2TP
protocols
allows for more flexibility and more efficient data transmission through statistical
multiplexing.
their service
while
maintaining
routing
control
Frame Relay has subsequently
beenofferings
extended
further
in the Frame
Relay
Forum (FRF)
standards body to support multiple features such as MultiLink Frame Relay (MLFR), defined in
ForRelay
a majority
of Servicedefined
Providers,
a significant
FRF.16, and Frame
Fragmentation,
in FRF.11
and FRF.12.
technologies.
3 MPLSL2TPv3
VPNs fulfill
the market
needoffor
some
As you will learn in
subsequent Although
chapters Layer
that explore
and AToM
transport
Frame
customers,
they interact
have some
Ideally,
carriers
with existing
Relay, both pseudowire
protocols
withdrawbacks.
three aspects
of Frame
Relay:
Frame Relayservices
encapsulation
to transport
the Frame
Relay
on the
pseudowire
over their
existing Layer
3 cores.
Theframe
solution
in these
cases is a
Control Management/Protocol
such as Operation, Administration, and Maintenance (OAM)
infrastructure.
to properly reflect attachment circuit and pseudowire state
Traffic management
emulate
Frameand
Relay's
inherent
traffic
management
Network to
(VPN)
concepts,
describes
Layer
2 VPN
techniques capabilities
via
This section explores
these
aspects
of Frame
Relay
as arequirements
reference forby
later
chapters.
assists
readers
looking
to meet
those
explaining
the
Encapsulation
reader
to Frame
Layer 2Relay
VPN provides
benefits and
implementation
and Frame
To better understand
how
its functionality,
thisrequirements
section examines
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as
MPLS,
then
Relay Frame structure. The Frame Relay frame format is standardized in two separate standard
bodies:
Internationally via the ITU-T (formerly known at the CCITT) Q.922 Annex A specification
Domestically in the United States via the ANSI T1.618 specification
Figure 5-6 illustrates the basic Frame Relay encapsulation per the Q.922 Annex A specification.
Figure 5-6. Frame Relay Frame Structure

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
The Frame Relay fields are described as follows:
Flag Like HDLC and PPP, the beginning and end of every Frame Relay frame is delimited
with a 01111110 Review
(0x7E). strategies that allow large enterprise customers to enhance
Address The Address field is a 2-byte header that contains several subfields:
are still
fromfield
datathat
anduniquely
voice services
based
legacy
transporton the
DLCI The
DLCIderived
is a 10-bit
represents
a on
virtual
connection
technologies.
Although addressing
Layer 3 MPLS
VPNs a
fulfill
need address
for someis
physical
channel. If extended
is used,
17- the
andmarket
23-bit DLCI
supported.
CR Thebackbone
Command/Response
bit is not
defined
and
not
used.
while new carriers
would
like to
sell
the
lucrative Layer 2
EA Thetechnology
Extended Address
bit allow
is theLayer
last bit
in each header
that would
2 transport
over abyte.
LayerA 3value of 0
indicates
that
another
header
byte
follows,
whereas
a
value
of 1 indicates that this is
infrastructure.
the last header byte. This definition allows Frame Relay to support larger DLCI
values.Layer 2 VPN Architectures introduces readers to Layer 2 Virtual Private
FECN introductory
(FE) The forward
explicit and
congestion
notification
bit is
set to 1 to
indicate
case studies
comprehensive
design
scenarios.
This
book to
the receiver
that
the
frame
encountered
network
congestion.
The
FECN
is
set
assists readers looking to meet those requirements by explaining the on
traffic history
sent from
sender to the details
receiver.
andthe
implementation
of the two technologies available from
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSBECN based
(BE) The
backward
explicit
congestion
notification
is set to 1for
to native
indicate to
cores
and Layer
2 Tunneling
Protocol
versionbit
3 (L2TPv3)
the sender
that
the
frame
encountered
network
congestion.
Because
the
BECN
bit is
set on reader
framesto
traveling
thebenefits
oppositeand
direction
of the frames
that experienced
Layer 2 in
VPN
implementation
requirements
and
congestion,
there them
must to
bethose
returnoftraffic
the
sender
from
the receiver
comparing
Layertoward
3 based
VPNs,
such
as MPLS,
then to
accomplish
this
feedback
loop.
Both
FECN
and
BECN
bits
should
signify
upper
progressively covering each currently available solution in greatertodetail.
layer protocols to perform some action upon indication of congestion.
DEThe discard eligible bit indicates whether this frame can be dropped in response
to network congestion. A value of 0 indicates a higher priority frame versus a frame
marked with a DE value of 1.
Information The Information field is a variable length field from 5 to 4096 octets that
contains upper layer protocol data.
FCS The FCS is a 16-bit CRC calculated against the Frame Header and Data fields to
detect errors.
One of the items lacking in the ITU-T Q.922 Annex A and ANSI T1.618 Frame Relay frame
2 VPN Architectures
structure is a fieldLayer
indicating
the type of Layer 3 data stored in the Information field. In RFC
1490 (made obsolete
RFC
2427),
the IETF
Relay
that was
ByWeiby
Luo,
- CCIE
No. 13,291,
Carlosextended
Pignataro, - the
CCIEFrame
No. 4619,
Dmitry structure
Bokotey, - CCIE
defined in previous
support
method
No.standards
4460,Anthonyto
Chan,
- CCIEaNo.
10,266 of multiprotocol transport on Frame Relay.
The Frame Relay format was extended, as illustrated in Figure 5-7.
Table ofFigure
Contents
Index
ISBN: 1-58705-168-0
5-7. RFC 2427, "Frame Relay Frame Structure"

Pages: 648
productivity gains
infrastructure.
In addition to theNetwork
Flag, Address,
FCS fields,
RFC
2427techniques
defines the
following
(VPN) Information,
concepts, andand
describes
Layer
2 VPN
via
fields:
Control The Control field contains a value of 0x03 to indicate that this is an Unnumbered
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSInformation (UI) frame unless it is negotiated otherwise.
Padding You can add an optional 1-byte pad to alter the frame size to an even value.
comparing
themIdentifier
to those of(NLPID)
Layer 3 The
based
VPNs,
such asthe
MPLS,
then
Network Layer
Protocol
NLPID
identifies
Layer
3 protocol
progressively
covering
each
currently
available
solution
in
greater
detail.
that is stored in the Information field. ISO/IEC TR 9577 defines the NLPID values.
The
NLPID is only 1-byte long, so the number of protocols that this field can represent is
limited.
In those cases in which the NLPID is not defined for a protocol, the NLPID is set to 0x80 and an
additional Subnetwork Access Protocol (SNAP) is added. Figure 5-8 illustrates the SNAP header
format.
Figure 5-8. SNAP Header

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
aredescribed
still derived
The SNAP fields are
as follows:
OUI The Organizationally
Identifier
is a 3-octet
identifying
the organization
legacy Layer 2Unique
and Layer
3 networks
would field
like to
move toward
a single
that administers
the succeeding
Identifier
(PID).
RoutedLayer
PDUs2use an OUI
backbone
while new 1-byte
carriersProtocol
would like
to sell the
lucrative
of 0x000000services
whereas
Bridged
useLayer
OUI of
0x0080C2.
over
their PDUs
existing
3 cores.
The solution in these cases is a
Protocol Identifier
(PID) PID is a 1-octet field managed by the organization identified
infrastructure.
in the preceeding OUI. The OUI and PID values together represent a unique protocol.
Cisco has an alternative
Frame
encapsulation
method
to identify
the Layer 3via
payload.
Network
(VPN)Relay
concepts,
and describes
Layer
2 VPN techniques
Instead of using an
NLPID, Cisco
uses
a Protocol
field to perform
a similar
function.
Figure
introductory
case
studies
and comprehensive
design
scenarios.
This
book 5-9
illustrates the Cisco
format.
The Protocol
field
is athose
2-byte
field that is by
equal
to the IEEE
assists
readers
looking to
meet
requirements
explaining
the
Ethertype or Cisco-invented
to represent
the protocol
that
is stored in available
the Information
history and codes
implementation
details
of the two
technologies
from
field.
Figure
5-9.
Cisco
Frame
Relay
Frame
Structure
comparing
them
to those
of Layer
3 based
VPNs,
such as MPLS, then

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
Gain
from the first book
to addressProtocol
Frame Relay Link
Management
Interface
The initial Frame Relay standards by ANSI and ITU-T failed to provide a means to allow the
Frame Relay network and the Frame device to communicate their status. In 1990, Cisco,
Nortel, DEC, and StrataCom (known as the Gang of Four) developed an interim specification
known as Local Management
Interface
(LMI)
to meet athis
requirement.
The
LMI was to
For a majority
of Service
Providers,
significant
portion
of goal
their of
revenues
primarily allow forare
thestill
exchange
of
information
regarding
the
link/device
status
and
the
notification of logical
circuit
status.
LMI
accomplishes
this
goal
by
having
the
Frame
Relay
end
device (data terminal
equipment,
or
DTE)
send
polls
while
the
Frame
Relay
network
(data
communication equipment,
or 2
DCE)
to these would
polls over
legacy Layer
and responds
Layer 3 networks
like atopredetermined
move toward aDLCI.
single
Although LMI refers
to
the
Gang
of
Four
specification,
it
is
also
the
general
for2this databackbone while new carriers would like to sell the lucrativeterm
Layer
link mechanism. The
ITU-T
(Annex
Q.933A)
and ANSI
(Annex-D
T1.617)
developed
services
over
theirAexisting
Layer
3 cores.
The solution
in these
casesand
is a
standardized subsequent
variations
of
LMI.
infrastructure.
This section explores the Gang of Four LMI implementation, sometimes referred to as Cisco
LMI, and later addresses
the differences
when
compared
to theto
ANSI
and
ITU-T standards.
Layer 2 VPN
Architectures
introduces
readers
Layer
2 Virtual
Private
The LMI message contains a 5-byte header, a 1-byte message type, one or more information
elements of variable length, and a 2-byte CRC as illustrated by Figure 5-10.
Figure 5-10. LMI Message Format

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
The first two bytes
of the header
areexisting
the same
as the
standard
Relay
header
shown
services
over their
Layer
3 cores.
The Frame
solution
in these
cases
is a in
Figure 5-9. They technology
contain the that
DLCI,
CR, FECN,
BECN,2DE,
and EAover
bits.aHowever,
would
allow Layer
transport
Layer 3 the Gang of
Four implementation
uses a fixed DLCI value of 1023 to communicate.
infrastructure.
The LMI MessageLayer
Format
fields
are describedintroduces
as follows:
2 VPN
Architectures
readers to Layer 2 Virtual Private
Control The Control field is fixed at 0x03 to indicate that this is an unnumbered frame.
Protocol The Protocol field is fixed at 0x09 to indicate that this is an LMI frame.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbasedThe
cores
Layer 2field
Tunneling
Protocol
version
3 0x00.
(L2TPv3) for native
Call Reference
Calland
Reference
is unused
and is
fixed at
reader
Layer 2 VPN
implementation
requirements
Message Type
ThetoMessage
Typebenefits
field is aand
1-byte
value corresponding
to theand
category of
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as
MPLS,
then
message that is being sent.
The three common message types are as follows:
Status Enquiry 0x75
Status 0x7D
Update Status 0x7B
Information Element The Information Element is a variable length field that is
composed of three additional fields:
One Byte Information Element Identifier

One Byte
Length
field
Layer
2 VPN Architectures
ByWeilength
Luo, - CCIE
No. 13,291,Element
Carlos Pignataro,
CCIE No. 4619,Dmitry Bokotey, - CCIE
A variable
Information
Data -field
The type of Information Element passed depends on the preceding message type.
The type of Frame

Relay
interface
Pub Date:
March
10, 2005determines the LMI messages and the order of the
message exchange.
Two
types
of interfaces exist:
ISBN: 1-58705-168-0
Table of
Pages: 648
Contents
User-to-Network
Interface (UNI) A UNI connects a Frame Relay end device
Index (DTE) to the Frame Relay network device (DCE).
Network-to-Network Interface (NNI) An NNI connects two distinct Frame Relay

network devices (DCEs).
productivity
gains
In a UNI environment,
the DTE
periodically sends status enquiry messages, and the DCE end
responds with status messages. In an NNI environment, both devices send status enquiry and
status messages. An update status message is an optional message that the Frame Relay
Learn Relay
about device.
Layer 2The
Virtual
Networks
network sends to the Frame
nextPrivate
sections
describe(VPNs)
each message frame and
compare the Gang of Four LMI with the Annex A and Annex D formats.
Status Enquiry Message

Frame
Gain from
A status enquiry message requests two types of information from the Frame Relay network:
A link integrity verification record request, which requests a sequence number exchange
A full statusare
record
whichdata
requests
a status
report
on all
still request,
derived from
and voice
services
based
onlogical
legacypermanent
transport
virtual circuits
(PVC)
on
this
port,
in
addition
to
a
sequence
number
exchange
technologies. Although Layer 3 MPLS VPNs fulfill the market
need for some
Figure 5-11 shows
the format
a status
message.
legacy
Layer for
2 and
Layerenquiry
3 networks
Figure 5-11. Status Enquiry Message Frame
infrastructure.

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
services
their
existing
Layer 3iscores.
solution
in theseor
cases
a
Regardless of whether
theover
status
enquiry
message
a link The
integrity
verification
a fullisstatus
technology
allow
Layer
record, the message
containsthat
the would
following
three
components:
infrastructure.
LayerThis
2 VPN
Architectures
introduces
readers
to Layer
2 sent.
Virtual
Message Type
byte
field indicates
the type of
message
that is
InPrivate
the case of a
Network
(VPN)isconcepts,
and describes Layer 2 VPN techniques via
status enquiry,
this value
0x75.
Report Information
Element
Thetofirst
information
element identifies
the type
assists readers
looking
meet
those requirements
by explaining
theof
request: linkhistory
integrity
(0x01)details
or fullof
status
record
(0x00). available from
andverification
implementation
the two
technologies
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSKeepalive Information
Element
second Protocol
information
element
exchanges
the
based cores and
Layer 2The
Tunneling
version
3 (L2TPv3)
for native
sequence number
values.
The
Send
Sequence
octet
should
contain
the
sender's
IP cores. The structure of this book is focused on first introducing thecurrent
sequence number,
whereas
Receive
Sequence
octet contains
the last sequence
reader to
Layer 2the
VPN
benefits
and implementation
requirements
and
number thatcomparing
the senderthem
received.
Theof
Frame
endVPNs,
device
increments
sequence
to those
LayerRelay
3 based
such
as MPLS,itsthen
number withprogressively
every status covering
enquiry message
that isavailable
sent. Similarly,
Frame Relay
each currently
solutionthe
in greater
detail.
network device increments its sequence number with every status message that is sent.
Status Message Frame

Status messages have a similar format to status enquiry messages; however, the number of
information elements differs depending on the type of report information element. In response
to a link integrity verification request, the status message consists of a message type, a report
information element, and a keepalive information element. However, in response to a full
status record, PVC status information elements are also sent:

LayerThis
2 VPN
Architectures
Message type
1-byte
field indicates the type of message that is sent. In the case of
a status message,
this
value
0x7d.
ByWei Luo, - CCIE
No.is13,291,
Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
Report information element The first information element identifies the type of
request: link integrity verification (0x01) or full status record (0x00).
Pub Date: March

10, 2005 The second information element exchanges the
Keepalive information
element
1-58705-168-0
sequence
number ISBN:
values
and contains the same information as described earlier in the
Table
of
status enquiry message.
Pages:
648
Contents
Index
PVC status information element In a full status record, an additional PVC status
information element is sent for each PVC on the port. In addition to the two octets after
the length, which dictate the DLCI that this information element is reporting on, an
additional octet
indicates
the of
PVC
status.
The to
first
4 bits enhanced
indicating services
PVC state
areenjoy
as
Master
the world
Layer
2 VPNs
provide
and
follows:
productivity gains
N New bit. The
New
bit indicates
if the PVC
wasNetworks
newly added
since the last full
Learn
about
Layer 2 Virtual
Private
(VPNs)
status report (1) or if the PVC was provisioned (0) since the last full status report.
D Deleted bit.
The Deleted
bit is not used in a status message.
network
architecture
A Active bit.Gain
The from
Activethe
bitfirst
indicates
whether
the
PVC 2isVPN
active
(1) or failed
(0).
book to
address
Layer
application
utilizing
R Receiver bit. The Receiver bit is an optional implementation that provides a simple
flow control Review
mechanism
to signal
endlarge
device
to stop sending
traffic
to this
strategies
thatthe
allow
enterprise
customers
to enhance
particular PVC.
The latter three
of the
PVC status
information
elementportion
are optional.
indicate
For aoctets
majority
of Service
Providers,
a significant
of theirThey
revenues
the bandwidth
of
the
PVC
and
are
specific
to
Gang
of
Four
LMI.
Figure 5-12 customers,
shows the format
of a some
statusdrawbacks.
message containing
a full status
record.
they have
Ideally, carriers
with existing
Figure
5-12.
Status
Frame
technology
that would
allow
Layer 2Message
transport over
a Layer 3
infrastructure.

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.
Update Status Message Frame

Unlike a status message, which is sent in response to a status enquiry, an update status
message (sometimes referred to as an asynchronous status update) can be sent from the
Frame Relay network device to the Frame Relay end device to convey changes in the
interface's PVC state.
2 VPN
Architectures
The format of an Layer
update
status
message is similar to a status message with a few minor
differences (see Figure
5-13).
The
status
message
consists
a message
ByWei Luo,
- CCIE
No.update
13,291,Carlos
Pignataro,
- CCIE
No. 4619,of
Dmitry
Bokotey, - type,
CCIE report
type information No.
element,
and a
PVC- CCIE
status
element for only those PVCs that have
4460,Anthony
Chan,
No.information
10,266
changed state. No keepalive information element exchanges sequence numbers. The Delete bit
in the PVC Status octet
is setCisco
in this
message to indicate PVC removal; however, the New bit
Publisher:
Press
cannot be set in the Pub
update
status.
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Figure 5-13. Update Status Message Frame
productivity gains
infrastructure.
Comparing Gang of Four LMI with Annex A and Annex D

Several notable differences distinguish the Gang of Four LMI and Annex A and Annex D LMI:
The Gang of Four LMI uses DLCI 1023, whereas both Annex D and Annex A uses DLCI 0.
Reserved DLCI ranges differ among Annex A, Annex D, and the Gang of Four
ByWei For
Luo, a
- CCIE
No.DLCI
13,291,
Carlos Pignataro,
- CCIE
No.Annex
4619,Dmitry
Bokotey,
CCIE user
implementation.
10-bit
address,
Annex
A and
D define
a -DLCI
No. 4460,Anthony
Chan,
- CCIE
No.
range from 16991,
whereas
the
Gang
of10,266
Four range is 161007. Annex A and Annex D are
supported in an NNI environment, whereas the Gang of Four LMI is supported only on
UNI.
Annex A and Annex

D update status messages can contain only a single PVC status
ISBN: 1-58705-168-0
Table of
When multiple PVC states change, a separate update status
information element.
Pages: 648
Contents
message must be sent for each PVC that is affected.
Index
Gang of Four LMI supports optionally carrying the PVC bandwidth in the PVC status
information element.
theutilizes
world of
Layer error
2 VPNs
to provide
enhanced
services to
and
enjoy
The Gang ofMaster
Four LMI
a lower
threshold
timer
of 2, compared
the
Annex D
gainsvalue of 3 for failed status message replies. A full description
and Annex Aproductivity
threshold timer
of the different timers and their standard defined values for each LMI type is listed in
Table 5-3.
Table
5-3. Frame Relay LMI Timers
Cisco
Annex
Review
strategies that allow large
to enhance
Title
Description
LMIenterprise
D customers
Annex
A
N391 Full Status
Number of cycles at
6
6
6
offull
Service
Providers,
Polling Counter For a majority
which a
status
record a significant portion of their revenues
are still derived
request from
is made.
N392 Error Threshold
Number
of failed
events
2
3 carriers with
3 existing
customers,
they have
some
drawbacks.
Ideally,
out
of
N393
monitored
events
declaring
backbone
while before
new carriers
would like to sell the lucrative Layer 2
the
port
in
alarm.
that would
allow Layer 24transport over
a Layer
N393 Monitored technology
Number
of events
4
4 3
infrastructure.
Events Count
monitored by the port
used to determine port
Layer 2 VPN
Architectures
alarm
state.
introductory
studies and comprehensive
design
scenarios.
This book
T391 Link Integrity
Timecase
(in seconds)
10
10
10
assists readers
looking
meet those requirements by explaining the
Polling Verification
between
statusto
enquiry
history and
Timer
messages.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLST392 Polling
Timeand
interval
seconds) Protocol
15
15 3 (L2TPv3)
15
based cores
Layer(in
2 Tunneling
version
for native
Verification Timer
at
which
a
status
expected
reader tomessage
Layer 2 is
VPN
benefitsinand implementation requirements and
reply
to
a
status
comparing them to thoseenquiry
message.
If it is
not currently available solution in greater detail.
progressively
covering
each
received in time, an N392
error is logged.
Managing Traffic
Frame Relay services typically provide traffic throughput guarantees per PVC. To meet those
guarantees, it is critical that a mechanism be in place to provide traffic management
capabilities. Frame Relay employs Frame Relay policing to determine ingress traffic admission
policy and Frame Relay shaping for egress traffic management.
ByWei Luo,
- CCIE No. 13,291,Carlos Pignataro, Frame Relay Traffic
Policing
Frame Relay traffic policing is a quality of service (QoS) mechanism that is applied on ingress
Press
into the network as Publisher:
a means Cisco
of admission
control to limit the amount of traffic that an end
Pub
Date:
March
device can send into the network.10, 2005
Table of
ISBN: 1-58705-168-0
Frame
Relay policing can
be 648
represented as a token-based abstraction known as a leaky bucket
Pages:
Contents
model . Essentially, the leaky bucket model determines whether a frame is compliant or
Index
noncompliant based on the fate of a frame's associated token. The leak rate of these buckets
represents the admission rate of traffic.
To check for compliancy,

every
incoming
frame
hasto
anprovide
associated
token services
that is placed
in the
Master the
world
of Layer
2 VPNs
enhanced
and enjoy
bucket. If the incoming
rate
exceeds
the
leak
rate,
the
total
number
of
tokens
will
eventually
productivity gains
exceed the depth of the bucket. Nonconforming traffic occurs when the frame's associated
token exceeds this bucket depth. Noncompliant traffic is either dropped or tagged
appropriately. If the token
is about
allowed
to pass,
the associated
frame is(VPNs)
admitted. Frame Relay
Learn
Layer
2 Virtual
Private Networks
policing employs a similar model with dual buckets, known as a dual leaky bucket model. This
Reduce
costs and extend the reach of your services by unifying your
model utilizes the following
parameters:
CIR The time-averaged
leakthe
rate
that
theto
Frame
Relay
network
to support
a
Gain from
first
book
address
Layer
2 VPNagrees
application
utilizing
logical connection.
In the
dual
leaky
bucket
model, this is the leak rate of the first bucket.
both
ATOM
and
L2TP
protocols
Excess information
rate
(EIR) The
average
excess
rate allowed
aboveto
CIR.
In the dual
Review
strategies
that
allow large
enterprise
customers
enhance
leaky bucket model,
this
is theofferings
leak ratewhile
of the
second bucket.
their
service
maintaining
routing control
CommittedFor
Rate
Measurement
Interval
(Tc)
The time interval
the leaky
a majority
of Service
Providers,
a significant
portioninofwhich
their revenues
bucket is replenished
with committed
(Bc)/CIR
worth
of tokens:
Tc=Bc/CIR.
are still derived
from data burst
and voice
services
based
on legacy
transport
Bc The amount
of committed
traffic
allowed
during aIdeally,
Tc interval.
Thiswith
is represented
in
customers,
they have
some
drawbacks.
carriers
existing
the dual leaky
bucket
model
as Layer
part of3 the
depth would
of the like
first to
leaky
bucket:
Bc=
CIR*Tc.
legacy
Layer
2 and
networks
move
toward
a single
Excess burst
(Be) The
of excess
traffic
allowed
a Tc
interval.
Thisisisa
services
overamount
their existing
Layer
3 cores.
Theduring
solution
in these
cases
representedtechnology
in the dual that
leaky
bucket
model
as
part
of
the
depth
of
the
second
leaky
would allow Layer 2 transport over a Layer 3
bucket. Be can
be
set
to
0
to
cause
all
noncompliant
frames
in
the
second
bucket
to be
infrastructure.
discarded: Be=Tc*EIR.
In the dual leaky Network
bucket model,
and Be and
tokens
are replenished
at every
Tc interval
(VPN) Bc
concepts,
describes
Layer 2 VPN
techniques
via for the
first and second bucket
respectively.
When
receiving
a
frame
without
the
DE
bit
set,
introductory case studies and comprehensive design scenarios. ThisFrame
book
Relay policing checks
thereaders
frame for
compliancy
determining
whether
associated
assists
looking
to meetbythose
requirements
by the
explaining
the token of
the frame is admitted
through
the first bucket.
If theof
DE
bittwo
is set
to 1, Frame
Relay policing
history
and implementation
details
the
technologies
available
from
checks the framethe
for Cisco
compliancy
against
the
second
bucket.
Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
Frames that conform to the CIR of the first bucket are admitted into the network. Frames that
are not CIR conformant (that is, the associated token exceeds the depth of the first bucket) are
marked to be DE and are sent to the second bucket for EIR conformance.
progressively
covering for
each
currently
available
solution
in bucket.
greater If
detail.
Frames with the DE
bit set are checked
EIR
conformance
in the
second
the frame
is EIR rate compliant, it is queued for transmission; otherwise, the frame is discarded.
Figure 5-14 shows the Frame Relay policing model and illustrates the different outcomes based
on compliancy and token availability at the time.
Figure 5-14. Frame Relay Policing Leaky Bucket Model

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
Frame Relay TrafficReview
Shaping
Frame Relay traffic

is a of
traffic
management
offered
on a
basis on
Forshaping
a majority
Service
Providers,capability
a significant
portion
ofper-PVC
their revenues
egress. Whereas are
Frame
Relay
traffic
policing
is
an
ingress
admission
policy,
Frame
Relay
still derived from data and voice services based on legacy transport traffic
shaping is intended
to
smooth outgoing
a mean
ratefulfill
and,the
if necessary,
queue
traffic
technologies.
Although traffic
Layer to
3 MPLS
VPNs
market need
for some
for transmission. customers, they have some drawbacks. Ideally, carriers with existing
In Frame Relay traffic policing, the incoming rate of traffic was never adjusted and the packets
were never queued; instead, packets were admitted at their incoming rate based on token
availability. In the Frame Relay traffic policing case of noncompliancy, the traffic is potentially
dropped. Frame Relay traffic shaping, on the other hand, buffers packets for later transmission
infrastructure.
in the case of noncompliancy to enforce an average egress rate over time. Frame Relay traffic
shaping can be modeled
a Architectures
leaky bucket, as
shown inreaders
Figure 5-15.
Layer 2 as
VPN
introduces
Figure

5-15.
Frame
Relay Traffic
Shaping
Leaky
Bucket
Modelfrom
history
and implementation
details
of the two
technologies
available
full size
image]
IP cores. The structure[View
of this
book
is focused on first introducing the

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
Frames are sent through the shaper only if an associated token is available. If no tokens are
available, the shaping function queues the frame for later transmission. Tokens are leaked out
of the bucket at the CIR.
At every
(Bc/CIR)
interval,
Bc/CIR
worth(VPNs)
of tokens is replenished.
Learn
aboutTc
Layer
2 Virtual
Private
Networks
The maximum size of the bucket is Bc + Be. The Be component allows a burst capability above
the CIR rate. The result
of a potentially
rateofisyour
a smoothed
stream
of
Reduce
costs andbursty
extendingress
the reach
servicesoutput
by unifying
your
traffic.
Frame Relay traffic shaping
can also
its traffic
rates Layer
based2on
network
conditions.
For
Gain from
the adapt
first book
to address
VPN
application
utilizing
example, based on indicators
of network
congestion
both ATOM
and L2TP
protocolssuch as BECNs, the adaptive Frame Relay
traffic shaping can reduce the token replenish rate to similarly reduce its outgoing traffic rate.

infrastructure.

Understanding
ATM
ATM was developed Publisher:

as a high-speed
switching solution to handle a variety of traffic types
Cisco Press
ranging from bursty Pub
data
services
to 2005
delay and jitter-sensitive voice. Instead of using variable
Date:
March 10,
length frames, ATM utilizes fixed-length cells to transport data. Like Frame Relay, traffic is
ISBN: 1-58705-168-0
Table
carried
onoflogical circuits that are uniquely identified by virtual path and circuit identifier fields
Pages:
648
in theContents
header of each cell.
Index
ATM is probably most well known for its well-developed QoS support because of its strict traffic
class definitions. By utilizing a layered protocol architecture, ATM can transport voice, video,
and data on the network. Depending on their traffic characteristics, upper layer protocols are
Master
of Layer rules
2 VPNs
to provide
enhanced
services and enjoy
processed according
to athe
setworld
of adaptation
prior
to forming
each cell.
productivity gains
As subsequent chapters identify, L2TPv3 and AToM interact with three aspects of ATM:

ATM encapsulation to transport either ATM cells or ATM Adaption Layer (AAL) frames on
the pseudowire. Reduce costs and extend the reach of your services by unifying your
Control management/protocol, such as OAM, to properly reflect attachment circuit and
pseudowire state Gain from the first book to address Layer 2 VPN application utilizing
Traffic management features, such as ATM policing and ATM shaping, to emulate ATM's
Review strategies
that allow large enterprise customers to enhance
inherent traffic management
capabilities
The next section explores these three aspects of ATM as a reference for later chapters.
Encapsulation
To understand ATM
encapsulation,
it iscarriers
necessary
to describe
the
lower
layers
of the
backbone
while new
would
like to sell
the
lucrative
Layer
2 ATM
protocol stack illustrated
Figure
5-16
and progress
through
the
ATM stack
encapsulation
servicesin
over
their
existing
Layer 3 cores.
The
solution
in these
cases is a
from the ATM Adaptation
Layer
(AAL)
and
ATMLayer
layer2with
specific
focus
on AAL5
technology
that
would
allow
transport
over
a Layer
3 and ATM cell
formats. The lower
layers of the ATM protocol stack essentially consist of the following
infrastructure.
components:
Physical layer
The physical
is composed
of two sublayers:
introductory
caselayer
studies
and comprehensive
Transmission
Convergence
(TC)
The TC
handles functions
suchfrom
as cell
history and
implementation
details
of sublayer
available
delineation
and
error
detection/correction.
The
error
detection/correction
is
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSaccomplished
by adding
a 1-byte
CRC to the
ATM cell
header.
based cores
and Layer
2 Tunneling
Protocol
version
Physical Media-Dependent (PMD) The PMD sublayer is responsible for medium
dependent functions such as bit transmission and electro/optical conversion.
progressively
covering
each currently
available
solutioncell
in greater
detail.
ATM layer From
a data plane
perspective,
the ATM
layer handles
header (4
bytes)
generation and removal and VPI/VCI translation.
AAL The AAL, defined in ITU-T I.362 and ITU-T I.363, adapts data from various upper
layer protocols into the necessary ATM cell payload. The AAL consists of two additional
sublayers:
Convergence sublayer (CS) CS processes data from higher layer protocols into
variable length frames known as Convergence Sublayer Protocol Data Units (CSPDUs).
Segmentation and Reassembly (SAR) sublayer SAR is responsible for

segmenting the CS-PDUs into 48-byte payloads for an ATM cell.
No. 4460,Anthony
Chan,5-16.
- CCIE No.
10,266Protocol Stack
Figure
ATM
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
their service
offerings
whilelayer
maintaining
routing
control
The next few sections examine
the AAL
and ATM
with specific
focus
on AAL5 and ATM cell
formats.
ATM Adaptation
Layer
AAL defines multiple
AAL formats
depending
the traffic
the upper
layer
backbone
while new
carrierson
would
like totype
sell from
the lucrative
Layer
2 protocols.
They include the following:
infrastructure.
AAL1 AAL1 is intended to carry connection-oriented, constant bit rate traffic with specific
timing requirements. Typical AAL1 traffic is Circuit Emulation Services (ATM Forum
standard af-vtoa-0078.0000), such as transparently carrying DS-1 and E-1 circuits across
an ATM core.
AAL2 AAL2 supports payloads that have timing requirements similar to that of AAL1
traffic but that have bursty traffic patterns. Compressed voice and video are examples of
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSAAl2 traffic.
IP cores.
The structure
of this book and
is focused
AAL3/4 AAL3/4
supports
connection-oriented
connectionless
variable bitthe
rate traffic.
to of
Layer
2 VPN
benefits
and implementation
requirements
The primaryreader
function
AAL3/4
is to
carry Switched
MultiMegabit
Data Serviceand
(SMDS)
data.
AAL5 Because of AAL3/4's large overhead and complexity, AAL5 was developed as a
simpler and more efficient adaptation layer to carry connection-oriented and
connectionless traffic. AAL5 is the main format used today for carrying IP routed and
bridged data.
Figure 5-17 shows the CS-PDU and SAR-PDU structure for AAL5 and the processing involved
down to the ATM layer for cell header generation.
Figure 5-17. AAL5 PDU



ISBN: 1-58705-168-0
Table of
Contents
Index
Pages: 648
productivity gains
The CS-PDU is formed by appending a CS-PDU trailer to the CS-SDU. The CS-PDU is composed
of the following fields:
For
a majority
Providers,
a significant
portion
of their
Padding The
Padding
fieldof
is Service
added to
ensure that
the resulting
CS-PDU
sizerevenues
is a multiple
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
of 48 bytes to present to the SAR function.
customers,
they have
some drawbacks.
Ideally,
carriers The
withCPCS-UU
existing field
Common part
convergence
sublayer
user to user
(CPCS-UU)
Layer 2 and
Layerinformation
3 networks transparently
would like to move
a single An
allows upperlegacy
layer protocols
to send
to thetoward
AAL5 structure.
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2 C/R bit. In
example application is FRF 8.1, which uses this octet to transport Frame Relay
services
over
their
existing
Layer
3
cores.
The
solution
in
these
cases
a
other cases such as RFC 2684, "Multiprotocol Encapsulation over ATM Adaptation is
Layer
technology
that
would
allow
Layer
2
transport
over
a
Layer
3
5," this field is unused.
infrastructure.
Common part indicator (CPI) CPI provides alignment of the CPCS-PDU to 64 bits. The
2 VPN
Architectures
value of thisLayer
field is
set to
0x00.
case indicating
studies and
comprehensive
design scenarios.
This book
Length Thisintroductory
is a 2-byte field
the
length of the Payload
field.
details
of the
two technologies
available
CRC Cyclic redundancy
calculated over the
entire
CS-PDU
minus the 4-byte
CRCfrom
field.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSThe resulting CS-PDU
presented
to the2SAR
layer, Protocol
which segments
it (L2TPv3)
into 48-byte
basediscores
and Layer
Tunneling
version 3
for SARPDUs.
native
The ATM layer generates
a
4-byte
header
for
each
SAR-PDU.
To
correctly
identify
IP cores. The structure of this book is focused on first introducingthe
thelast cell
forming the original
AAL5
last cell
header's
third bit in the payload
type identifier
reader
toPDU,
Layerthe
2 VPN
benefits
and implementation
requirements
and
(PTI), a field in the
ATM cell them
header,
set. of
The
TC sublayer
fifth
to then
complete the
comparing
to is
those
Layer
3 based adds
VPNs,the
such
asbyte
MPLS,
5-byte header. progressively covering each currently available solution in greater detail.
ATM Cell Structure

As discussed in the previous section, the ATM layer and the TC sublayer are responsible for the
remaining cell header generation and removal. Depending on the interface type (UNI or NNI),
the format of the header is slightly different. Figure 5-18 shows the ATM cell format.
Figure 5-18. ATM Cell Format

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
The following are the fields in the ATM cell format:
Generic Flow
Control (GFC)
The Layer
GFC field
on the
UNIfulfill
header
flow for
control
technologies.
Although
3 MPLS
VPNs
the provides
market need
someon
the particular
logical
PVC.
This
field
is
set
to
0
and
is
not
fully
standardized.
Virtual path
identifier/virtual
connection
backbone
while new carriers
wouldidentifier
like to sell (VPI/VCI)
the lucrativeTogether,
Layer 2 the VPI
and the VCIservices
uniquelyover
identify
a
virtual
connection.
You
can
use
them
together
as ais a
their existing Layer 3 cores. The solution in these cases
switching identifier.
Alternately,
you
can
use
the
VPI
alone
as
a
switching
field
and
consider it ainfrastructure.
logical grouping of the VCIs in that scenario. Figure 5-19 illustrates the
difference between VP and VC switching.
5-19.toATM
and
VC Switching
assists Figure
readers looking
meetVP
those
requirements
by explaining the
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS[View full sizeProtocol
image]
based cores and Layer 2 Tunneling

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
PTI PTI is composed of 3 bits that characterize the type of cell and measure congestion.
Learn
about Layer
2 Virtual
Private Networks
The first bit indicates
whether
the cell
is a management
cell (1)(VPNs)
or contains user data (0).
The remaining two bits are interpreted differently in each of those cases, as follows:
network
architecture
User data cell
The second
bit, known as the explicit forward congestion indication
(EFCI) field, indicates congestion. The third bit is set to indicate whether this is the
Gain
from
last cell in an
AAL5
frame.
Management cellThe second bit identifies the cell as an OAM cell (0) or a resource
Review
strategies
that
allow
enterprise
to an
enhance
management
(RM) cell
(1). The
third
bit large
distinguishes
thecustomers
OAM cell as
F5 (OAM
service
offerings
while maintaining
routing control
cell used to their
convey
PVC status)
segment
(0) or F5 end-to-end
flow (1).
For a majority
of Service
significant
portion of their
revenues
Cell loss priority
(CLP) The
CLP bitProviders,
prioritizes athe
cell. In congestion
scenarios
in which
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
it is necessary to drop traffic, some devices could implement a selective discard
Although
Layerbe
3 MPLS
VPNs
fulfillcells
the market
for some
mechanism technologies.
whereby CLP set
cells would
dropped
before
without need
CLP marking.
legacy
Layer(HEC)
2 and The
Layer
networks
would
like
to move
toward
a single
Header error
control
TC3adds
the HEC
field,
which
provides
error
detection
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
and optionally bit error correction. It is calculated only for the ATM cell header.
infrastructure.

ATM Management
Protocols: ILMI and OAM
Similar to the FramePublisher:

Relay environment,
ATM provides a signaling mechanism to convey
Cisco Press
interface and PVC status.
The
two10,
main
Pub Date:
March
2005mechanisms used are Interim Local Management
Interface (ILMI) and OAM cells.
ISBN: 1-58705-168-0
Table of
Pages:
648 are encapsulated in AAL5 over VPI/VCI 0/16 to access ILMI
ILMI Contents
uses SNMP messages that
Index
MIB variables.
This mechanism allows for a variety of information to be conveyed, such as type
of signaling used, address registration, and interface and PVC management.
productivity gains
Note
about
Layer
Virtual
Networks (VPNs)
Although the ILMILearn
VPI/VCI
default
is 20/16,
thePrivate
ILMI specification
allows use of an
alternate VPI/VCI other than the default value. Also, in VP-tunnel applications, the
Reduce
VPI is set to the VPI
of thecosts
VP-tunnel.
both
andto
L2TP
protocols
In addition to ILMI, you
canATOM
use OAM
determine
logical circuit status. Two forms of OAM
cellsF5 and F4are used depending on the type of logical circuit you are dealing with.
their
service
offerings
whileF5
maintaining
control
In the case of a PVC, you
can
use and
send OAM
cells on therouting
same VPI
and VCI as the PVC.
The PTI field of a F5 cell not only differentiates the F5 OAM cell from a user data cell, but it
differentiates an end-to-end (ATM end-user device to end-user device) OAM or a segment (ATM
end-user device to ATM network device) OAM.
they convey
have some
drawbacks.
Ideally, carriers
F4 OAM cells, on customers,
the other hand,
the status
of a permanent
virtualwith
pathexisting
(PVP), a
legacy
Layer
2
and
Layer
3
networks
would
like
to
move
toward
a single
connection switched upon the VPI field alone. F4 OAM cells use the same VPI as the
PVP
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2 4 for endconnection that they are representing, but they use VCI 3 for segment OAM and VCI
to-end OAM.
infrastructure.
Figure 5-20 shows
the typical OAM cell format.

Figure 5-20. OAM Cell Format

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
both
ATOM
and L2TP
protocols
In addition to the typical
ATM
cell header
and
CRC field, the OAM fields include the following
fields:
OAM Type The OAM Type field determines the management cell's general role:
Fault management
customers,
Performance
management
Activation/deactivation
Function Type
The Function
Typeallow
field defines
specificover
function
of the
technology
that would
Layer 2 the
transport
a Layer
3 cell and is
interpreted differently
depending
on
the
OAM
type.
infrastructure.
Function Specific
Specific
field determines
payload
of thePrivate
OAM cell,
Layer 2 The
VPN Function
Architectures
introduces
readers the
to Layer
2 Virtual
which differsNetwork
based on
the OAM
Type and
and describes
Function Type
5-21 illustrates
the
(VPN)
concepts,
Layerfields.
2 VPNFigure
techniques
via
Function Specific
payloads
forstudies
an alarm
indication
signal (AIS),
end receive
introductory
case
and
comprehensive
designfar
scenarios.
Thisfailure
book
(FERF)/remote
defect
indication
(RDI),
and those
loopback
function type.
assists
readers
looking
to meet
requirements
by explaining the

Figure
5-21.
OAM AIS
and
Loopback
Format
IP cores.
The structure
of this
book
is focused Cell
on first
introducing the

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
theirand
service
offerings
Table 5-4 defines the OAM
Function
Typewhile
combinations.
OAM Type

customers,
have
someand
drawbacks.
Ideally,
carriers with existing
Table
5-4.they
OAM
Type
Function
Type
services over their existing Layer 3 cores. The solutionFunction
in these cases is a
OAM
Type
Type 3
Binary
technology
that
would allow Layer 2 transport over a Layer
Binary
Value
Function
Type
Value
infrastructure.
Fault Management
0001
AIS
0000
Network (VPN) concepts, RDI/FERF
and describes Layer 2 VPN techniques
via
0001
Loopback
assists readers looking toOAM
meetCell
those
requirements by1000
explaining the
details
of
the
two
technologies
Continuity Check
0100 available from
Protocol version 3 0000
(L2TPv3) for native
Performance
0010and Layer 2 Tunneling
Forward Monitor
Management
Backward
Reporting
0001
and implementation
requirements
and
comparing them to those Monitoring
of Layer 3 based
VPNs,
such
as
MPLS,
then
and Reporting
0010
Activation/Deactivation 1000
Performance Monitor
0000
Continuity Check
0001
From a fault management perspective, the AIS, RDI/FERF, and Loopback function types are of
particular importance in dealing with logical circuit status.
AIS and RDI/FERF indicate to the remote endpoints a failure within the ATM network and
function in a similar manner to SONET, DS3, and T1 alarms. An intermediate device that is
detecting a link failure to notify downstream nodes generates AIS. RDI/FERF is generated at
the intermediate node upon receiving AIS to alert upstream devices. To draw an analogy
between T1 alarming and ATM, AIS is similar to a blue alarm, whereas RDI is a yellow alarm.
If an individual VPC
or Luo,
VCC- fails
network,
similar- VP
orNo.
VC4619,
AISDmitry
and Bokotey,
FERF/RDI
alarms are
ByWei
CCIE in
No.the
13,291,
Carlos Pignataro,
CCIE
- CCIE
generated.Figure No.
5-22
illustrates
the- AIS
RDI/FERF behavior of ATM nodes and endpoints
4460,
Anthony Chan,
CCIEand
No. 10,266
when dealing with logical circuit failure. The intermediate ATM node, upon detection of a logical
circuit breakage, generates
the direction of the failure. The ATM endpoint in turn
Publisher:AIS
CiscoinPress
generates AIS RDI/FERF
when receiving the AIS alarm.
Table of
Contents
Index
Figure
ISBN: 1-58705-168-0
Pages: 648
5-22. Logical Circut Failure AIS and FERF/RDI Alarms

productivity gains
areare
stillalso
derived
voice services
based
on legacy
transport
OAM Loopback cells
usedfrom
as a data
fault and
management
feature
to confirm
logical
circuit
technologies.
Although cells
Layerare
3 MPLS
VPNs
fulfill the market
need for
some
status. When configured,
OAM loopback
sent and
a corresponding
loopback
cell
is
customers,
they have
carriers
with5-18.
existing
received in response.
The payload
of ansome
OAM drawbacks.
loopback cellIdeally,
is shown
in Figure
The
legacy
2 and
3 networks
would
like
to set
move
toward
a single
Loopback Indicator
field Layer
first bit
is setLayer
to 1 on
the outgoing
cell
and
to 0
to indicate
a looped
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2 received
response. The Correlation Tag field matches the outgoing OAM loopback cell with the
over
their existing
Layer
3 cores.
solution
in these
is ato the
response cells. A services
successive
number
of loopback
replies
notThe
being
returned
could cases
indicate
technology
that
would
allow
Layer
2
transport
over
a
Layer
3
endpoint that the logical circuit should be declared unusable.
infrastructure.
Managing Traffic

looking
to meet that
those
requirements
explaining
the classes.
ATM is most well assists
known readers
for the QoS
capabilities
allow
it to carry by
a variety
of traffic
implementation
The following are history
the fourand
general
ATM traffic details
classes:
Constant bit
(CBR)
Used forof
real-time
traffic
that consumes
a fixed amount
IP rate
cores.
The structure
this book
is focused
the of
bandwidth. Typical
applications
include
real-time
voice and circuit
emulation. and
reader to
Layer 2 VPN
benefits
and implementation
requirements
Variable bit
rate (VBR) covering
Reservedeach
for applications
that consume
variable
progressively
currently available
solutiona in
greateramount
detail. of
bandwidth. VBR traffic that requires tightly constrained delay and delay variation is
classified as Real Time VBR (RT-VBR). VBR traffic that does not have such delay
requirements is defined as Non-Real Time VBR (NRT-VBR).
Available bit rate (ABR) Used for non-timecritical applications that support a flow
control mechanism to allow it to adjust the bandwidth used based on ATM network
characteristics. This traffic class is applicable to any data traffic applications that can take
advantage of this variable bandwidth allowed through closed loop feedback mechanisms.
Unspecified Bit Rate (UBR) Intended for non-realtime applications that are delay
tolerant. Typical applications include best-effort data transport.

ATM networks employ numerous traffic management mechanisms to maintain the necessary
Layer
2 VPN
Architectures
QoS guarantees for
each
customer
PVC or PVP.
ATM Traffic Policing

Date:
March 10,
2005 traffic agreements is a feature known as ATM policing
One of the methods Pub
used
to meet
those
ISBN:
1-58705-168-0
orusage parameter control
(UPC)
. ATM policing is a mechanism typically performed on ingress
Table of
into the ATM network to
ensure
that the traffic received on a logical connection conforms to the
Pages:
648
Contents
defined traffic parameters for that circuit. If the incoming traffic fails to conform, you can
Index
discard the data or tag it with a lower priority.
Like Frame Relay policing, ATM policing can be represented as a leaky bucket model, as shown
inFigure 5-23.
productivity gains
Figure
5-23.
LeakyNetworks
Bucket(VPNs)
Model
Learn
aboutATM
LayerPolicing
2 Virtual Private
infrastructure.
In a leaky bucket model, each ATM cell has an associated token whose fate determines
whether the ATM cell is considered compliant or noncompliant. The bucket represents the
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSnumber of tokens that can be stored. If the number of tokens exceeds the size of the bucket,
the associated cell is considered noncompliant, and appropriate action, such as discarding or
tagging the cell, is performed. The leak rate of the bucket represents the rate at which the
tokens are drained from the bucket. If the incoming token rate is greater than the leak rate,
the bucket will eventually overflow, and the incoming traffic will be considered noncompliant.
More complex traffic-policing contracts use a similar model but employ dual leaky buckets.
The ATM Forum Traffic Management 4.0 standard describes several conformance definitions
that determine the type of traffic that is regulated and the action that is performed for
compliancy/noncompliancy.Table 5-5 describes the traffic conformance definitions that will be
explored in more detail in the following sections: CBR.1, VBR.1, VBR.2, VBR.3, UBR.1, and
UBR.2. CBR.1, UBR.1, and UBR.2 can be represented as a single leaky bucket with a leak rate
that the peak cell rate (PCR) defines. The VBR.1, VBR.2, and VBR.3 definitions are modeled as
a dual leaky bucket, with the first and second bucket leak rate equal to the PCR and sustained
cell rate (SCR), respectively. The PCR flow and SCR flow columns define the traffic type that is
checked for conformance. For example, CLP (0+1) represents all cells, whereas CLP (0)
represents only cells with the CLP bit set to zero. The CLP tagging column defines whether the
nonconforming action for that bucket is tagged.
Table 5-5. Publisher:

ATM Forum
Traffic Management 4.0 Traffic
Cisco Press
Policing
Pub Date: March
10, 2005 Classes
Table of
ISBN: 1-58705-168-0
ATM
Forum
Contents
TM 4.0
IndexSpec.
PCR Flow
CLP Tagging
for PCR
SCR Flow
CLP Tagging
for SCR
CBR.1
CLP (0+1)
No
NA
NA
VBR.1
VBR.2
Pages: 648
CLP (0+1)
No
CLP (0+1)
No
CLP (0+1) gainsNo
CLP (0)
No
productivity
VBR.3
CLP (0+1)
UBR.1
Learn about No
Layer 2 Virtual Private
Networks (VPNs)
CLP (0+1)
NA
NA
UBR.2
Reduce costsNo
and extend the NA
by unifying your
CLP (0+1)
NA
CBR.1 Traffic
No
CLP (0)
Yes
Policing

The two values that define the CBR.1 traffic policing model are the cell delay variation tolerance
(CDVT) and the PCR. In this model, the PCR (0+1) is the leak rate for all cells, CLP 0 and CLP 1
marked cells. TheFor
CDVT
(0+1) isofthe
depthProviders,
of the bucket,
which allows
forofsome
a majority
Service
a significant
portion
theirvariation
revenuesin
the token rate. Ifare
thestill
token
rate
is
less
than
or
equal
to
the
PCR
(0+1),
the
tokens
will be
compliant and thetechnologies.
associated cells
will
be
allowed
into
the
ATM
network.
If
the
token
is
Although Layer 3 MPLS VPNs fulfill the market need forrate
some
consistently greater
than
the
PCR
(0+1)
rate,
the
CDVT
bucket
depth
will
eventually
be
exceeded and those
noncompliant
tokens,
their associated
cells,
will be
discarded.
Figure
legacy
Layer 2 and
Layer and
3 networks
would like
to move
toward
a single
5-24 illustrates this
process.while new carriers would like to sell the lucrative Layer 2
backbone
infrastructure.
Figure 5-24. CBR.1 Traffic Policing


Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
VBR.1 Traffic Policing

their service
offerings
while maintaining
routing
Unlike CBR.1, which employs
a single
leaky bucket
model, VBR.1
trafficcontrol
policing can be
modeled as a dual leaky bucket, as shown in Figure 5-25. The first leaky bucket acts like the
a majority
of Service
a significant
portion
of their
revenues
CBR single leaky For
bucket
with a PCR
(0+1) Providers,
leak rate and
a CDVT (0+1)
depth.
Noncompliant
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
tokens in the first bucket are discarded. All CLP 0 and CLP 1 compliant tokens are then checked
technologies.
Although
Layer
3 MPLS
fulfill
market
need for of
some
against the second
leaky bucket
whose leak
rate
is SCRVPNs
(0+1)
andthe
depth
is a function
customers,
they have
drawbacks. Ideally,
carriersbucket
with existing
maximum burst size
(MBS). Tokens
thatsome
are noncompliant
in the second
are discarded.
and Layer
networks
like to move toward a single
Compliant tokenslegacy
in the Layer
second2 bucket
are 3allowed
intowould
the network.
infrastructure.
Figure 5-25. VBR.1 Traffic Policing

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains

VBR.2 traffic policing isGain

modeled
dualbook
leakytobucket
and
operates
a similar manner
from as
theafirst
address
Layer
2 VPNinapplication
utilizingto
VBR.1. The difference between
theand
VBR.2
and
VBR.1 models is that the second bucket in VBR.2
both ATOM
L2TP
protocols
only checks CLP 0 cells. The compliant CLP 1 tokens from the first bucket are admitted into the
Reviewfor
strategies
that in
allow
enterprise
customers
enhancethese
network and are not checked
compliance
the large
second
bucket. Figure
5-26to
illustrates
their
service offerings while maintaining routing control
differences in the VBR.2
model.

technologies.
Although
3 MPLS
VPNsPolicing
fulfill the market need for some
Figure
5-26.Layer
VBR.2
Traffic
[View fullwould
size image]
infrastructure.

VBR.3 policing, illustrated in Figure 5-27, operates in the same manner as VBR.2 except that
noncompliant cells in the second bucket are tagged with CLP 1 and admitted into the network
instead of being discarded.
No. 4460,Figure
Anthony Chan,
- CCIE VBR.3
No. 10,266 Traffic Policing
5-27.
Pub Date: March 10, 2005[View full size image]
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
UBR.1 Traffic Policing

UBR.1 uses a single
leaky bucket
model with
rate
of PCR
(0+1)
and bucket
of
technologies.
Although
Layera 3leak
MPLS
VPNs
fulfill
the market
needdepth
for some
CDVT. Noncompliant
cells
are
discarded,
whereas
compliant
cells
are
admitted
into
the
network.Figure 5-28
shows
the2UBR.1
policing
model. would like to move toward a single
legacy
Layer
and Layer
3 networks
Figure 5-28. UBR.1 Traffic Policing
infrastructure.

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
UBR.2 Traffic Policing
As illustrated in Figure 5-29, UBR.2 operates in the same fashion as UBR.1 except that
For aare
majority
compliant CLP 0 cells
taggedoftoService
CLP 1. Providers, a significant portion of their revenues
Figure 5-29. UBR.2 Traffic Policing
infrastructure.

ATM Traffic Shaping

ATM traffic shaping is a QoS mechanism that is typically deployed on egress out of an ATM
ByWei
Luo,
CCIE No. 13,291,
Carlos Pignataro,
- CCIE
Dmitry Bokotey,
CCIE ATM
node or end device
used
to- enforce
a long-term
average
rateNo.
for4619,
a logical
circuit.- Unlike
No.
4460,
Anthony
Chan,
CCIE
No.
10,266
traffic policing, in which noncompliant traffic is either dropped or marked to a lower priority,
ATM traffic shaping queues nonconforming traffic to restrain data bursts and smooth data rates
Press
to comply within thePublisher:
defined Cisco
traffic
contract.
Figure 5-30 illustrates the

general
concept as a leaky bucket model.
ISBN:
1-58705-168-0
Table of
Contents
Index
Pages: 648
Figure 5-30. ATM Traffic Shaping

productivity gains
infrastructure.
Figure 5-30 defines
three parameters:
Sustained cell
rate(VPN)
(SCR)concepts,
The average
cell rate that
traffic
should
conform
to. This is
Network
and describes
Layer
2 VPN
techniques
via
illustrated inintroductory
Figure 5-30 case
as the
rate at
which
tokens are replenished.
studies
and
comprehensive
Peak cell rate
(PCR)
maximum cell
rate that
the
traffic
cannot exceed.
This
is
history
and The
implementation
details
of the
two
technologies
available
from
representedthe
in the
model
as
the
maximum
rate
at
which
tokens
can
leak
out
of
the
Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS-token
bucket.
Maximum burst
(MBS)
Thebenefits
numberand
of cells
that the device
can transmit
up to at
readersize
to Layer
2 VPN
implementation
requirements
and
the PCR rate.
The
MBS
is
the
depth
of
the
token
bucket.
Similar to Frame Relay traffic shaping, cells are transmitted as long as a corresponding token
allowing the transmission is available. Traffic is queued for later transmission if a token is not
available. If the incoming rate is less than the SCR, tokens are accumulated up to the MBS
depth of the bucket. At some later time, if the incoming rate is bursty and exceeds the SCR for
a short time interval, the traffic can use the accumulated tokens to send up to the PCR rate. If
the incoming rate continues to exceed the SCR rate, the accumulated tokens will eventually be
depleted and the cells will only be able to send at SCR, the token replenish rate. Excess traffic
will need to be queued and potentially dropped if the incoming rate does not subside.
This generic model applies differently depending on the nature of the traffic class. VBR defines
a PCR, SCR, and MBS and follows the general leaky bucket model. On the other hand, CBR's
long-term average rate is defined as its PCR and has some form of transmission priority to
meet a strict CDVT based on the nature of the traffic it has to support: real-time applications.
Layer
VPN shaped
Architectures
UBR PVCs typically
are2 not
and burst up to the ATM port rate. However, you can
ByPCR
Wei Luo,
- CCIEthe
No. maximum
13,291,Carlostransmission
Pignataro, - CCIE
No. 4619,
Bokotey,
- CCIE
optionally define a
to limit
rate.
ABRDmitry
is unique
compared
to the
No. because
4460,Anthony
- CCIEto
No.adapt
10,266its traffic rate based on indicators of network
other traffic classes
of Chan,
its ability
congestion states such as EFCI or via RM cells. ABR shaping defines a PCR, a minimum cell rate
(MCR), the minimum
rate that
thePress
PVC can send at, and some additional parameters that
Publisher:
Cisco
define its rate adaptation
factors.
Pub Date:
March 10, 2005
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.

Summary By
This chapter reviewed

some Cisco
of the
basic properties of several Layer 2 protocols. As mentioned
Publisher:
Press
in the chapter introduction,
chapter
Pub Date:this
March
10, 2005 was not meant to be an exhaustive examination of
each of these protocols; instead, it examined the relevant aspects of HDLC, PPP, Frame Relay,
ISBN: 1-58705-168-0
Tablein
of the context of pseudowire emulation.
and ATM
Pages: 648
Contents
Index are several key aspects to take away from this chapter:
Following
HDLC uses a simple framing mechanism to encapsulate its data. Cisco HDLC
encapsulation
is a modified
of HDLC
and to
adds
a Protocol
Identifier
fieldand
to determine
Master
the worldform
of Layer
2 VPNs
provide
enhanced
services
enjoy
the Layer 3 productivity
protocol thatgains
is stored in the HDLC payload.
PPP utilizes a framing mechanism that is similar to HDLC. Although PPP has a rich set of
Learn
about
Layerdifferent
2 Virtualoptional
Private authentication
Networks (VPNs)
negotiation protocols
such
as LCP,
methods and various
NCPs, this was not discussed because they are transparent to the pseudowire emulation
protocols.
Frame Relay adopts an encapsulation format that is similar to HDLC and PPP. A DLCI
Gain from
first book
to address
Layer distinct
2 VPN application
utilizing
identifier in the Frame
Relaythe
header
distinguishes
logically
Frame Relay
circuits.
Frame Relay LMI conveys circuit status information between network devices through
periodic status messages.
Frame Relay has the option of performing Frame Relay policing to enforce a traffic
a majority
of Service
Providers,
a significant
portion ofYou
their
revenues
contract for For
traffic
that is inbound
to the
network
from the customer.
can
either
are still derived
datait and
services
based
on legacy
discard noncompliant
traffic from
or mark
withvoice
a lower
priority
by setting
the transport
DE bit.
Layershaping
3 MPLSon
VPNs
fulfill egress
the market
need
some
Conversely,technologies.
you can applyAlthough
Frame Relay
network
toward
thefor
customer.
customers,
theyishave
some drawbacks.
Ideally,
carriers
with existing
Shaping queues
traffic that
nonconforming
to meet
a long-term
average
rate.
backbone while
new stack
carriers
would
like
to sell
theprotocol
lucrativedata
Layer
2 processes
ATM has a well-defined
protocol
that
takes
upper
layer
and
services
over and
theirPhysical
existinglayers.
Layer 3
cores.
solution
in to
these
casesrepresent
is a
it through the
AAL, ATM,
ATM
alsoThe
uses
VPI/VCI
uniquely
technology
a logical ATM
circuit. that would allow Layer 2 transport over a Layer 3
infrastructure.
From a fault management perspective, ATM OAM indicates faults within the network and
Layer 2 VPN
Architectures
performs end-to-end
connectivity
checks.
ATM traffic policing
offerscase
a set
of admission
control options
to enforce
ingress
introductory
studies
and comprehensive
design
scenarios.
Thistraffic
book
contracts from
end readers
customer
devices.
You can
either
discard out-of-contract
assists
looking
to meet
those
requirements
by explainingtraffic
the or
mark it withhistory
a lowerand
priority
through thedetails
use of of
the
CLP
bit.
Conversely,available
ATM traffic
implementation
the
two
technologies
from
shaping enforces
an average
rate suite:
of traffic
egress toward
customer
devices
and can
the Cisco
Unified VPN
AnyonTransport
over MPLS
(ATOM)
for MPLSemploy queuing
forcores
nonconforming
based
and Layer 2traffic.
Tunneling Protocol version 3 (L2TPv3) for native

Part III: Any Transport over MPLS

Chapter 6
Table of
Chapter 7
Contents
Index
Chapter 8
Chapter 9
Understanding Any Transport over MPLS
ISBN: 1-58705-168-0
LAN Protocols
over MPLS Case Studies
Pages:
648
WAN Protocols over MPLS Case Studies

Advanced AToM Case Studies
productivity gains
infrastructure.

Chapter 6. Understanding Any Transport

over MPLS

ISBN: 1-58705-168-0

This chapter
Contents
Index
Pages: 648
Label Distribution Protocol (LDP)
AToM operations
To provide Layer productivity
2 VPN services
over an IP/Multiprotocol Label Switching (MPLS) network
gains
infrastructure, the Internet Engineering Task Force (IETF) developed a series of solution and
protocol specifications for various Layer 2 VPN applications, including pseudowire emulation.
Based on the pseudowire
emulation
specifications,
Any Transport
over
MPLS (AToM) is
Learn
about Layer
2 Virtual Private
Networks
(VPNs)
implemented as part of the Cisco Unified VPN Suite Solution. The Cisco solution also includes
costs
andLayer
extend
the reach
of your
services
by unifying
your 3,
alternative pseudowireReduce
emulation
using
2 Tunnel
Protocol
Version
3 (L2TPv3).
Chapter
network
architecture
"Layer 2 VPN Architectures,"
outlines
the benefits and implications of using each technology
and highlights some important factors that help network planners and operators determine the
appropriate technology.
This chapter starts with an overview of LDP used by pseudowire emulation over MPLS, followed
Review
strategies
that allow
enterprise
customers
to enhance
by an explanation of the
protocol
specifications
andlarge
operations
of AToM.
You learn
the general
their service
offerings
routingin
control
properties of the pseudowire
emulation
over while
MPLS maintaining
networks specified
IETF documents.
Additional features that AToM supports are also highlighted in this chapter.
infrastructure.


Introducing
the Label Distribution Protocol
One of the fundamental

tasks
in the
MPLS architecture is to exchange labels between label
Publisher:
Cisco
Press
switch routers (LSR)Pub
andDate:
define
the
of these labels. LSRs follow a set of procedures,
March
10,semantics
2005
known as label distribution protocol, to accomplish this task. A label distribution protocol can be
ISBN: 1-58705-168-0
Table of protocol with MPLS label extensions or a new protocol that is specifically designed
an existing
Pages:
648
Contents
for this
purpose. Although the MPLS architecture allows different label distribution protocols,
Index is used as the signaling protocol for AToM.
only LDP
Note
productivity gains
In most MPLS literature, it is common to refer to label distribution protocol in

Learn about
Layer
2 Virtual
Networks
(VPNs) procedures
lowercase when referring
to any
protocol
that Private
performs
label distribution
and reserve the abbreviation LDP for the specific protocol Label Distribution Protocol,
as defined in RFC 3036, "LDP Specification."
The next few sections review some fundamental LDP specifications and operations that are
relevant to AToM:
LDP protocol components
Discovery mechanisms
Session establishment
backbone
new carriers would like to sell the lucrative Layer 2
Label distribution
and while
management
LDP securitytechnology that would allow Layer 2 transport over a Layer 3
infrastructure.

LDP ProtocolLayer
Components
To have a firm understanding
of looking
the protocol
operations
of LDP, you need
to be familiar
assists readers
to meet
those requirements
by explaining
the with
the key terminology
and and
protocol
entities thatdetails
are defined
LDP.
history
implementation
of thein
two
technologies available from
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSLDP peers are twobased
LSRscores
that use
to 2
exchange
label
information.
LSR might
more
andLDP
Layer
Tunneling
Protocol
version An
3 (L2TPv3)
forhave
native
than one LDP peer,
and
it
establishes
an
LDP
session
with
each
LDP
peer.
An
LDP
session
is
always bidirectional,
which
allows2both
peersand
to exchange
label information.
However,
reader
to Layer
VPN LDP
benefits
implementation
requirements
and
using a bidirectional
signaling
session
does of
not
make
label-switched
path
(LSP)
comparing
them
to those
Layer
3 the
based
VPNs, such as
MPLS,
then
bidirectional. As described
in
Chapter
3,
an
LSP
is
unidirectional,
and
a
pseudowire
progressively covering each currently available solution in greater consists
detail. of
two LSPs of the opposite directions. Besides directly connected LSRs, LDP sessions can be
established between non-directly connected LSRs, which are further explained in the later
section titled "LDP Extended Discovery."
Label space specifies the label assignment. The two types of label space are as follows:
Per-interface label space Assigns labels from an interface-specific pool of labels. This
space typically uses interface resources for labels. For example, a label-controlled ATM
interface uses virtual path identifiers (VPI) and virtual circuit identifiers (VCI) as labels.
Per-platform label space Assigns labels from a platform-wide pool of labels and
typically uses resources that are shared across the platform. Hop-by-hop best-effort
IP/MPLS forwarding is an example of using the per-platform label space.
Wei Luo,
- CCIE No.
13,291,Carlos
Pignataro,
- CCIE
No. 4619,To
Dmitry
Bokotey,
CCIE stack of
InChapter 3, the By
AToM
overview
explains
the use
of label
stacking.
recap,
thelabel
No. 4460,of
Anthony
Chan, - CCIE
No.label
10,266and pseudowire label. Tunnel labels can be
AToM typically consists
two labels:
tunnel
from either per-interface label space or per-platform label space depending on whether the
Publisher:
Cisco Press
LSRs perform IP/MPLS
forwarding
in cell mode or frame mode. Pseudowire labels are always
allocated from the general-purpose
label space.
Pub Date: March 10,per-platform
2005
ISBN: 1-58705-168-0
Table User
of
LDP uses
Datagram Protocol (UDP) and TCP to transport the protocol data unit (PDU) that
Pages: 648
Contents
carries
LDP messages. Figure 6-1 illustrates the structure of an LDP packet. Each LDP PDU is
Index
an LDP
header followed by one or more LDP messages. All LDP messages have a common LDP
message header followed by one or more structured parameters that use a type, length, value
(TLV) encoding scheme. The Value field of a TLV might consist of one or more sub-TLVs.
productivity gains
Figure 6-1. LDP Packet Structure

infrastructure.
IP cores.ofThe
this book
is focused
on first
introducing the
The LDP header consists
the structure
following of
fields,
as depicted
in Figure
6-2:
each
currentlythe
available
detail.The
Version Theprogressively
Version fieldcovering
is 2 octets
containing
versionsolution
numberin
ofgreater
the protocol.
current LDP version is version 1.
PDU Length The PDU Length field is a 2-octet integer specifying the total length of this
PDU in octets, excluding the Version and PDU Length fields. The maximum PDU Length
can be negotiated during LDP session initialization.
LDP Identifier An LDP Identifier consists of 6 octets and identifies an LSR label space.
The first 4 octets are a globally unique value that identifies the LSR. The globally unique
value is usually the 32-bit router ID of the LSR. The last 2 octets identify a specific label
space within the LSR. A zero value of the last 2 octets represents the platform-wide label
space. When an LSR uses LDP to advertise more than one label space to another LSR, it
creates a separate LDP session for each label space.
Figure 6-2. LDP Header

FormatPublisher: Cisco Press
ISBN: 1-58705-168-0
Version
Table of (2 Octets) [=1]
Contents
Index
Pages: 648
PDU Length (2 Octets)
LDP Indentifier (6 Octets)
Four categories exist
for LDP messages:
productivity
gains
Discovery messages
a mechanism
in whichNetworks
LSRs indicate
their presence in a
Learn Provide
about Layer
2 Virtual Private
(VPNs)
network by sending Hello messages periodically. Discovery messages include the LDP Link
Hello message and
the LDP
Targeted
Hello the
message.
You
learn
more about
discovery
Reduce
costs
and extend
reach of
your
services
by unifying
your
messages in the next
section
"Discovery
Mechanisms."
Session messages
disconnect
sessions
between LDP
peers.
GainEstablish,
from the maintain,
first book and
to address
Layer
2 VPN application
utilizing
Session messagesboth
are ATOM
LDP Initialization
messages and Keepalive messages. You learn
and L2TP protocols
more about session messages in the section "Session Establishment" later in this chapter.
Advertisement messages
update,
delete label
mappings.
their serviceCreate,
offerings
while and
maintaining
routing
control All LDP Address
messages and LDP Label messages belong to advertisement messages.
Notification
messages
Provide
advisory
and
signal
information
are
still derived
from data
and information
voice services
based
onerror
legacy
transport to LDP
peers.
Except for discovery
messages
UDP
as the underlying
transport,
messages
legacy
Layer 2that
anduse
Layer
3 networks
would like
to move LDP
toward
a singlerely on
TCP to ensure reliable
and in-order
delivery
of would
messages.
LDP
messages
backbone
while new
carriers
like toAllsell
the
lucrative have
Layerthe
2 format
that is depicted inservices
Figure 6-3.

infrastructure.
Figure 6-3. Network

LDP Message
(VPN) concepts, and describes Layer 2 VPN techniques via
Format
U

Message Type (15 Bits)
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbased(2cores
and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
Message Length
Octets)
Message ID
(4 Octets)
reader
comparing
them to those of Layer 3 based VPNs, such as MPLS, then
Mandatory Parameters
progressively
covering each currently available solution in greater detail.
(Variable Length)
Optional Parameters
(Variable Length)
The following fields make up the LDP message format:

Unknown Message Bit (U-Bit) The U-bit tells the receiver of the message what action
to take if he does not understand the message. If the U-bit is set to 0, the receiver needs
to respond to the originator of the message with a notification message. Otherwise, the
receiver should silently ignore this unknown message.
Message Type
type
of message.
ByWeiThe
Luo, Message
- CCIE No. Type
13,291,field
Carlosidentifies
Pignataro, -the
CCIE
No. 4619,
Message Length The Message Length field specifies the total number of octets of the
Message ID, Mandatory
Parameters, and Optional Parameters.
Message IDThe
Message ID field is a 4-octet value that identifies individual messages.
ISBN: 1-58705-168-0
Table of
Mandatory Parameters
Pages:
648 The Mandatory Parameters field is a set of required parameters
Contents
with
variable
lengths
that
pertain to this message. Some messages do not have
Index
mandatory parameters.
Optional Parameters The Optional Parameters field is a set of optional parameters that
have variable
lengths.
notto
have
optional
parameters.
Master
the Many
world messages
of Layer 2do
VPNs
provide
enhanced
services and enjoy
productivity gains
Most information that is carried in an LDP message is encoded in TLVs. TLV provides a generic
and extensible encoding scheme for existing and future applications that use LDP signaling. An
LDP TLV consists of a 2-bit
field,
a 14-bit
TypePrivate
field, and
a 2-octet
Length field, followed by
LearnFlag
about
Layer
2 Virtual
Networks
(VPNs)
a variable length Value field. Figure 6-4 shows the common TLV encoding scheme.
both ATOM
Figure 6-4. LDP
TLV and L2TP protocols
Encoding

U
F
Type (14 Bits)
Lengthare
(2 still
Octets)
Value
customers,
(Variable
Length) they have some drawbacks. Ideally, carriers with existing
Like the unknowntechnology
message bit,
the
unknown
bit2(U-bit)
tellsover
the receiver
that
would
allow TLV
Layer
transport
a Layer 3whether it should
send a notification
message
to
the
originator
if
the
receiver
does
not
understand the TLV. If the
infrastructure.
U-bit is set to 0, the receiver must respond with a notification message and discard the entire
message. Otherwise,
unknown
TLV is silently
ignored
and the
rest of2the
message
is
Layerthe
2 VPN
Architectures
introduces
readers
to Layer
Virtual
Private
processed as if the
unknown
TLVconcepts,
does not exist.
Network
(VPN)
The forward unknown
TLV
bit (F-bit)
applies
onlythose
when requirements
the U-bit is set
1 and thethe
TLV is
assists
readers
looking
to meet
bytoexplaining
unknown to the receiver.
If
the
F-bit
is
set
to
0,
the
unknown
TLV
is
not
forwarded.
Otherwise,
history and implementation details of the two technologies available
from
it is forwarded with
the
containing
message.
Discovery Mechanisms
progressively
covering
each possible
currentlyLDP
available
in discovery
greater detail.
LSRs use LDP discovery
procedures
to locate
peers.solution
The basic
mechanism identifies directly connected LDP peers. The extended discovery mechanism
identifies non-directly connected LDP peers. LSRs discover LDP peers by exchanging LDP Hello
messages. As you learned in the previous section, two types of LDP Hello messages exist. LDP
Link Hellos are used for LDP basic discovery, and LDP Targeted Hellos are used for LDP
extended discovery. Figure 6-5 illustrates where LDP basic discovery and LDP extended
discovery occur in an MPLS network.
Figure 6-5. LDP Basic and Extended Discovery



Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
LDP Basic Discovery

With LDP basic discovery enabled on an interface, an LSR periodically sends LDP Link Hello
Gain from
the first
book
address Layer
VPNpackets
application
utilizing
messages out the interface.
LDP Link
Hellos
aretoencapsulated
in 2UDP
and sent
to the
both
ATOM
and
L2TP
protocols
well-known LDP discovery port 646 with the destination address set to the multicast group
address 224.0.0.2. This multicast address represents all routers on this subnet.
their that
service
maintaining
routing control
An LDP Link Hello message
an offerings
LSR sendswhile
carries
the LDP identifier
for the label space that
the LSR intends to use for the interface and other information, such as Hello hold time. When
the LSR receives an LDP Link Hello on an interface, it creates a Hello adjacency to keep track of
a potential LDP peer reachable at the link level on the interface and learns the label space that
the peer intends to use for the interface.
LDP Extended services
Discovery
For some MPLS applications
such as AToM, exchanging label information between non-directly
infrastructure.
connected LSRs is necessary. Before establishing LDP sessions between non-directly connected
Layer 2inVPN
introduces
readers to sending
Layer 2 Targeted
Virtual Private
LSRs, the LSRs engage
LDPArchitectures
extended discovery
by periodically
Hello
Network
(VPN) LDP
concepts,
andHello
describes
Layerare
2 VPN
techniquesinvia
messages to a specific
address.
Targeted
messages
encapsulated
UDP packets
introductory
case
studies port
and comprehensive
design
scenarios.
This book
and sent to the well-known
LDP
discovery
646 with a specific
unicast
address.
An LDP Targeted history
Hello message
that an LSR sends
Identifier available
for the label
and implementation
detailscarries
of the the
twoLDP
technologies
fromspace
that the LSR intends
useUnified
and other
When theover
receiving
receives
an LDP
the to
Cisco
VPNinformation.
suite: Any Transport
MPLS LSR
(ATOM)
for MPLSTargeted Hello, itbased
creates
a Hello
with a potential
peer 3reachable
network
cores
andadjacency
Layer 2 Tunneling
ProtocolLDP
version
(L2TPv3)at
forthe
native
level and learns the
label space
that the peer
intends
use. on first introducing the
IP cores.
The structure
of this
book istofocused
When an LSR sends
LDP a Targeted
receiving
LSR,VPNs,
the receiving
LSR can
either
comparing
them to Hello
thosetoofaLayer
3 based
such as MPLS,
then
accept the Targeted
Hello or ignore
it. The
receiving
LSR
acceptssolution
the Targeted
Hellodetail.
by creating
progressively
covering
each
currently
available
in greater
a Hello adjacency with the originating LSR and periodically sending Targeted Hellos to it.
Session Establishment
After two LSRs exchange LDP discovery Hello messages, they start the process of session
establishment, which proceeds in two sequential phases:
1.
2.
1. Transport connection establishment

2. Session initialization
ByWei
Luo, - CCIE
No. 13,291,Carlos
Pignataro, - CCIE
No.is4619,
Dmitry Bokotey,
- CCIE TCP
The objective of the
transport
connection
establishment
phase
to establish
a reliable
No. 4460,
Chan, -IfCCIE
10,266
connection between
two Anthony
LDP peers.
bothNo.
LDP
peers initiate an LDP TCP connection, it might
result in two concurrent TCP connections. To avoid this situation, an LSR first determines
whether it should play
the active
passive role in session establishment by comparing its own
Publisher:
Cisco or
Press
transport address with
transport
address it obtains through the exchange of LDP Hellos. If
Pubthe
Date:
March 10, 2005
its address has a higher value, it assumes the active role. Otherwise, it is passive. When an
ISBN: 1-58705-168-0
Table ofthe active role, it initiates a TCP connection to the LDP peer on the well-known LDP
LSR plays
Pages:
648
Contents
TCP port
646.
Index
After the LSR establishes the TCP connection, session establishment proceeds to the session
initialization phase. In this phase, LDP peers exchange and negotiate session parameters such
as the protocol version, label distribution methods, timer values, label ranges, and so on.
productivity
gains
If an LSR plays the
active role,
it starts the negotiation of session parameters by sending an
Initialization message to its LDP peer. The Initialization message carries both the LDP Identifier
for the label space of the active LSR and the LDP Identifier of the passive LSR. The receiver
Learn with
about
Layer
Virtual Private
Networks
(VPNs)
compares the LDP Identifier
the
Hello2 adjacencies
created
during
LDP discovery. If the
receiver finds a match and the session parameters are acceptable, it replies with an
Initialization message with its own session parameters and a Keepalive message to
acknowledge the sender's parameters. When the sender receives an Initialization message with
acceptable session parameters, it responds with a Keepalive message.
When both LDP peers exchange Initialization and Keepalive messages with each other, the
session initialization phase is completed successfully and the LDP session is considered
operational.

are still derived
Label Distribution
and Management
they have
some
Ideally,
carriers with
existing
Label distributioncustomers,
and management
consist
ofdrawbacks.
different control,
retention,
and advertisement
legacy
Layer
2
and
Layer
3
networks
would
like
to
move
toward
a single a
modes. Even though it is possible to use an arbitrary permutation for an MPLS application,
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
certain combination of control, retention, and advertisement modes is usually more2preferable
overMPLS
their existing
Layer 3 cores. The solution in these cases is a
or appropriate forservices
a particular
application.
infrastructure.
The next few sections
explain the following aspects in label distribution and management:
Label binding
assists readers
looking to meet those requirements by explaining the
Label advertisement
message
Label advertisement
the Ciscomode
Label distribution
control
IP cores.
The mode
structure of this book is focused on first introducing the
Label retention
mode them to those of Layer 3 based VPNs, such as MPLS, then
comparing
Label Binding
The main focus of an MPLS application is the distribution and management of label bindings.
Label bindings are always the centerpiece of information in LDP signaling.
LDP associates a Forwarding Equivalence Class (FEC) with each LSP that it creates. An FEC
specifies which packets should be forwarded through the associated LSP. Each FEC is defined
as a collection of one or more FEC elements. Each FEC element identifies a set of packets that
are mapped to the corresponding LSP. For those who are familiar with IP routing, you can
consider an FEC as a set of IP routes following a common forwarding path, and an FEC element
as a specific IP route prefix.
A label binding is By
the
between
an FEC
and a- label
that
represents
a specific
Weiassociation
Luo, - CCIE No.
13,291,Carlos
Pignataro,
CCIE No.
4619,
Dmitry Bokotey,
- CCIE LSP.
The association isNo.
created
by placing
FEC
and a Label TLV in a label advertisement
4460,Anthony
Chan, - an
CCIE
No. TLV
10,266
message.Figure 6-6 depicts the FEC TLV encoding.
Table of
Contents
Figure
6-6.
Index
ISBN: 1-58705-168-0
FEC
Pages:
648
TLV Encoding
FEC (14 Bits) [=0x0100]

Length (2 Octets)
FECproductivity
Element 1 gains
Learnnabout Layer 2 Virtual Private Networks (VPNs)

FEC Element
For FEC element 1 to FEC element n, the first octet in the FEC element indicates the FEC
element type. The encoding
scheme
the
FECto
element
varies
on the FEC
element
Gain from
the of
first
book
address
Layerdepending
2 VPN application
utilizing
type, such as address prefix
and
host
address.
MPLS
pseudowire
emulation
applications
such as
AToM use the Pseudowire ID FEC element.
Several different typestheir
of Label
TLVofferings
encodings
are available,
including
following:
service
while
maintaining
routing the
control
Generic Label TLV
ATM Label TLV
Frame Relaylegacy
Label Layer
TLV 2 and Layer 3 networks would like to move toward a single
over
their
existing
Layer 3 cores.
Thespace
solution
cases
is a
Generic Label TLVservices
carries a
label
from
the platform-wide
label
andin
is these
the most
common
technology
that
would
allow
Layer
2
transport
over
a
Layer
3
encoding among MPLS applications (see Figure 6-7).
infrastructure.
Figure
0

case studies
and comprehensive design scenarios. This book
6-7.introductory
Generic Label
TLV Encoding
Generic
(14VPN
Bits)
[=0x0200]
the
CiscoLabel
Unified
suite:
Any Transport over MPLS (ATOM) for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
Length (2 Octets)
reader
to Layer
Label
(4 Octets)
Generic Label TLV has a type of 0x0200. A label is a 20-bit label value in a 4-octet Label field.
LDP Advertisement Message

Label bindings are exchanged through LDP advertisement messages. The advertisement
messages that are most relevant to pseudowire emulation over MPLS application are these
Label Mapping
Label Request
Label Withdraw
Label Release

Label Mapping messages
advertise label bindings to LDP peers. A Label Mapping message
Pub
Date:
March
10, 2005
contains one FEC TLV
and
one
Label
TLV. Each FEC TLV might have one or more FEC elements
ISBN:
1-58705-168-0
depending
on
the
type
of
application,
and each Label TLV has one label.
Table of
Contents
Pages: 648
When an LSR needs a label binding for a specific FEC but does not already have it, it can
Index
explicitly request this label binding from its LDP peer by sending a Label Request message. A
Label Request message contains the FEC for which a label is being requested. The receiving
LSR then responds to a Label Request message with a Label Mapping message for the
requested FEC if it
has such
binding.
Otherwise,
with a Notification
Master
the a
world
of Layer
2 VPNsittoresponds
provide enhanced
services message
and enjoy
indicating why it cannot
satisfy
the
request.
productivity gains
Whereas Label Mapping messages create the bindings between FECs and labels, Label
Withdraw messages break
them.
LSR sends
a Label
Withdraw
message
Learn
aboutAnLayer
2 Virtual
Private
Networks
(VPNs) to an LDP peer to
signal that the peer should not continue to use specified label bindings that the LSR previously
Reducemessage
costs andcontains
extend the
ofwhich
your services
unifying
your
advertised. A Label Withdraw
the reach
FEC for
the labelby
binding
is being
network
architecture
withdrawn and optionally
the originally
advertised label. If no Label TLV is included in a Label
Withdraw message, all labels that are associated with the FEC are to be withdrawn. Otherwise,
Gain from
the Label
first book
to to
address
only the label that is specified
in the
TLV is
be withdrawn.
An LSR that receives a Label Withdraw message must acknowledge it with a Label Release
strategies
that
allow large
enterprise
customers
to enhance
message. The LSR alsoReview
uses Label
Release
messages
to indicate
that
it no longer
needs specific
their
service offerings
while maintaining
routing
control
label bindings previously
requested
of or advertised
by its LDP peer.
A Label
Release message
contains the FEC for which the label binding is being released and optionally the originally
majority
significant
portionall
of labels
their revenues
advertised label. For
If noa Label
TLVof
is Service
includedProviders,
in a LabelaRelease
message,
that are
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
associated with the FEC are to be released. Otherwise, only the label that is specified
in the
Label TLV is to betechnologies.
released.
Label Advertisement
Mode
The MPLS architecture
specifies two label advertisement modes. If an LSR explicitly requests a
infrastructure.
label binding for a particular FEC from the next-hop LSR of this FEC, it uses downstream ondemand label advertisement
If an LSR
advertises
label bindings
LDP Private
peers that
Layer 2 VPN mode.
Architectures
introduces
readers
to Layerto2 its
Virtual
have not explicitlyNetwork
requested
them,
it uses and
downstream
unsolicited
advertisement
mode.
(VPN)
concepts,
describes
Layer 2 VPN
techniques via
Choosing which label
advertisement
mode
usethose
depends
on the characteristics
of the
a particular
assists
readers looking
to to
meet
requirements
by explaining
MPLS implementation
and
application.
Between
each
pair
of
LDP
peers,
they
must
have
the
same label advertisement
mode.
reader
to Layer
Label Distribution
Control
Mode
covering
each
currently
availableinitially,
solutionand
in greater
detail.
Label distributionprogressively
control determines
how
LSPs
are established
it has two
modes:
independent and ordered label distribution control.
With independent label distribution control, each LSR advertises label bindings to its peers at
any time. It does not wait for the downstream or next-hop LSR to advertise the label binding
for the FEC that is being distributed in the upstream direction. A consequence of using
independent mode is that an upstream label can be advertised before a downstream label is
received.
When an LSR is using ordered label distribution control, it cannot advertise a label binding for
an FEC unless it has a label binding for the FEC from the downstream or next-hop LSR. It has
to wait for the downstream LSR to advertise the label binding for the FEC that is being
distributed in the upstream direction. As a result, ordered control makes the label distribution
Layersequentially
2 VPN Architectures
of a given LSP occur
from the last hop of the LSP toward the first hop of the LSP.
Label Retention Mode

PubaDate:
10, 2005
When an LSR receives
labelMarch
binding
for an FEC from a peer that is not the next hop for the
1-58705-168-0
FEC, Table
it hasof the option toISBN:
either
store or discard the label binding based on the label retention
in use.
Pages: 648
mode
Contents
Index
Conservative label retention keeps only the label bindings that will be used to forward packets.
The main advantage is that only the labels that are required for data forwarding are allocated
and maintained. Because downstream on-demand advertisement mode is mainly employed
when the label space
is limited,
it isofnormally
used with
the conservation
label retention
mode.
Master
the world
Layer 2 VPNs
to provide
enhanced services
and enjoy
productivity gains
Withliberal label retention , an LSR keeps every label binding it receives from its LDP peers
regardless of whether the peers are the next-hop LSRs for the advertised label binding. The
main advantage is thatLearn
an LSP
can be
updated
quickly
when
the label
forwarding information is
about
Layer
2 Virtual
Private
Networks
(VPNs)
changed. Liberal label retention is mainly used where the label space is considered an
Reduce
and
extend
the reach
of your services
by unifying
your
inexpensive resource. When
it costs
is used
with
downstream
unsolicited
advertisement
mode,
liberal
label retention reducesnetwork
the totalarchitecture
number of label advertisement messages required to set up
LSPs. If an LSR is using conservative retention mode in this scenario, it has to send Label
Gain
from
book
to address
2 VPN application
utilizing
Request messages to the
peer
forthe
thefirst
label
bindings
that itLayer
has discarded
during the
initial label
both
ATOM
and
L2TP
protocols
advertisement if that peer becomes the next-hop LSR for the FECs that are being requested.
LDP Security


still derived
data and
voice
baseddoes
on legacy
transport
LDP uses TCP for are
transport
of LDPfrom
messages.
The
LDPservices
specification
not provide
its own
technologies.
Although
LayerTCP
3 MPLS
fulfill the mechanism
market needdefined
for some
security measures
but leverages
the existing
MD5 VPNs
authentication
in
customers,
theyinhave
Ideally, carriers
with existing
RFC 1321 and also
used by BGP
RFC some
2385. drawbacks.
MD5 authentication
uses a message
digest to
legacy Layer
2 and Layer
networks
validate the authenticity
and integrity
of an3LDP
message.
A message digestservices
is calculated
with the
MD5 Layer
hash algorithm
thatsolution
uses a in
shared
over their
existing
3 cores. The
thesesecret
cases key
is a and
the contents of the
TCP segment.
Unlikeallow
clear-text
digest
technology
that would
Layerpasswords,
2 transportmessage
over a Layer
3 prevents the
shared secret from
being snooped. In addition to protecting against spoofing, MD5
infrastructure.
authentication provides good protection against denial of service (DoS) and man-in-the-middle
attacks.

Understanding
AToM Operations
InChapter 3, you learned

how
AToM
achieves a high degree of scalability by using the MPLS
Publisher:
Cisco
Press
encoding method. You
of LDP in the previous section. Reading through
Pubalso
Date:read
Marchan
10,overview
2005
this section, you will develop a further understanding of how MPLS encapsulation, LDP
ISBN: 1-58705-168-0
Table of
signaling,
and pseudowire emulation work together.
Pages: 648
Contents
Index
The primary
tasks of AToM include establishing pseudowires between provider edge (PE)
routers and carrying Layer 2 packets over these pseudowires. The next sections cover the
operations of AToM from the perspectives of both the control plane and the data plane as
follows:
productivity gains
Pseudowire label binding

Establishing AToMLearn
pseudowires
Control word negotiation
Using sequence numbers
Pseudowire encapsulation
Pseudowire Label Binding

An AToM pseudowire
essentially
of and
two unidirectional
is represented
are still
derivedconsists
from data
voice services LSPs.
basedEach
on legacy
transportby a
pseudowire label,technologies.
also known as
a
VC
label.
The
pseudowire
label
is
part
of
the
label
stack
Although Layer 3 MPLS VPNs fulfill the market need for
some
encoding that encapsulates
Layer
2
packets
going
over
AToM
pseudowires.
Refer
to
Chapter
3
for an overview oflegacy
an AToM
packet.
Layer
2 and Layer 3 networks would like to move toward a single
The label distribution
procedures
that
are defined
specifications
manage
services
over their
existing
Layerin3 LDP
cores.
The solutiondistribute
in these and
cases
is a
the pseudowire labels.
To
associate
a
pseudowire
label
with
a
particular
Layer
2
connection,
you need a way to
represent such a Layer 2 connection. The baseline LDP specification only
infrastructure.
defines Layer 3 FECs. Therefore, the pseudowire emulation over MPLS application defines a
new LDP extensionthe
ID FEC elementthat
a pseudowire
identifier
Layer Pseudowire
2 VPN Architectures
introduces contains
readers to
Layer 2 Virtual
Privateshared
by the pseudowire
endpoints.
Figure
6-8 depicts
the Pseudowire
FEC
element encoding.
Network
(VPN)
concepts,
and describes
Layer 2ID
VPN
techniques
via
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSFigure
6-8. and
Pseudowire
ID FEC
Element
based cores
Layer 2 Tunneling
Protocol
requirements
and
Pseudowire IDreader
FEC to Layer 2 VPN benefits and implementation
Pseudowire
Info
C them
Pseudowire
Type
(153Bits)
comparing
to
those
of
Layer
based
VPNs,
such
as
MPLS,
then
(1 Octet) [=128]
Length (1 Octet)
Group ID (4 Octets)
Pseudowire ID (4 Octets)
Interface Parameters
(Variable Length)
The Pseudowire ID FEC element has the following components:
Pseudowire ID FEC The first octet has a value of 128 that identifies it as a Pseudowire
ID FEC element.
Control Word Bit (C-Bit) The C-bit indicates whether the advertising PE expects the
control word to be present for pseudowire packets. A control word is an optional 4-byte
field located between the MPLS label stack and the Layer 2 payload in the pseudowire
packet. The control word carries generic and Layer 2 payload-specific information. If the
Publisher:
Cisco Press PE expects the control word to be present in every
C-bit is set to 1,
the advertising
Pub
Date:
March
10, 2005
pseudowire packet on the pseudowire
that is being signaled. If the C-bit is set to 0, no
ISBN: 1-58705-168-0
control word is expected
to be present.
Table of
Pages: 648
Contents
Pseudowire Type PW Type is a 15-bit field that represents the type of pseudowire.
Index
Examples of pseudowire types are shown in Table 6-1.
Pseudowire Information Length Pseudowire Information Length is the length of the

Pseudowire ID field and the interface parameters in octets. When the length is set to 0,
this FEC element stands for all pseudowires using the specified Group ID. The Pseudowire
productivity gains
ID and Interface Parameters fields are not present.
Group ID The Group
field Layer
is a 32-bit
arbitrary
value
that is (VPNs)
assigned to a group of
LearnIDabout
2 Virtual
Private
Networks
pseudowires.
Pseudowire ID network
The Pseudowire
ID, also known as VC ID, is a non-zero, 32-bit identifier
architecture
that distinguishes one pseudowire from another. To connect two attachment circuits
through a pseudowire,
you need
to associate
each one
with2the
Pseudowire
ID.
Gain from
the first
book to address
Layer
VPNsame
application
utilizing
Interface Parameters The variable-length Interface Parameters field provides
attachment circuit-specific
information,
interface
MTU,customers
maximum to
number
of
Review strategies
that such
allowas
large
enterprise
enhance
concatenated ATM
cells,
interface
description,
and so on. Each
interface
their
service
offerings
while maintaining
routing
controlparameter uses a
generic TLV encoding, as shown in Figure 6-9.
Table
6-1.
Pseudowire
Types
legacy
Layer
2 and
Layer 3 networks
services Description
Pseudowire Type
infrastructure.
0x0001
Frame Relay data-link connection identifier (DLCI)
0x0002
0x0003
0x0004
0x0005
0x0006
0x0007
ATMArchitectures
AAL5 service data
unit (SDU)
virtual
channel
Layer 2 VPN
introduces
readers
to Layer
2 Virtual Private
(VCC)and describes Layer 2 VPN techniques via
Networkconnection
(VPN) concepts,
introductory
studies and
ATM case
Transparent
Cell comprehensive design scenarios. This book
history and
implementation
Ethernet
VLAN
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSEthernet
based cores
IP cores.High-Level
The structure
this Control
book is (HDLC)
focused on first introducing the
DataofLink
PPPthem to those of Layer 3 based VPNs, such as MPLS, then
comparing
Figure 6-9. Interface Parameter Encoding

Parameter
ID Luo,
(1 Octet)
Length
(1No.
Octet)
ByWei
- CCIE No. 13,291,Carlos Pignataro,
- CCIE
4619,Dmitry Bokotey, - CCIE
Parameter Value
(Variable Length)

ISBN: 1-58705-168-0
Table
of LDP allows multiple FEC elements encoded into an FEC TLV, only one FEC
Even
though
648
Contents PseudowirePages:
elementthe
ID FEC elementexists in each FEC TLV for the pseudowire emulation
MPLS
Index application.
over
EstablishingMaster
AToM
thePseudowires
productivity gains
Typically, two types of LDP sessions are involved in establishing AToM pseudowires. They are
the nontargeted LDP session and the targeted LDP session.
The nontargeted LDP session that is established through LDP basic discovery between a PE
Reduce costs
and extend
the
of your
services
byThe
unifying
router and its directly connected
P routers
is used
toreach
distribute
tunnel
labels.
label your
network
architecture
distribution and management of tunnel labels pertains to the deployment model of the
underlying MPLS network. It can be some combination of downstream on-demand or
Gain fromindependent
the first book
address
Layer 2and
VPN
application or
utilizing
unsolicited label advertisement,
ortoordered
control,
conservative
liberal
both
ATOM
and
L2TP
protocols
label retention. Neither pseudowire emulation nor AToM dictates any particular label
distribution and management mode for tunnel labels.
Note
customers,
they
have some
drawbacks.
existing
In some MPLS
deployment
scenarios,
tunnel
LSPs areIdeally,
set up carriers
throughwith
Resource
legacy
Layer
2
and
Layer
3
networks
would
like
to
move
toward
a single
Reservation Protocol Traffic Engineering (RSVP-TE) instead of nontargeted LDP
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
sessions.
infrastructure.
The other type of LDP sessions are established through LDP extended discovery between PE
routers. These sessions are known as targeted LDP sessions because they send periodic
Targeted Hello messages to each other. Targeted LDP sessions in the context of pseudowire
emulation distribute pseudowire labels. IETF documents on pseudowire emulation over MPLS
specify the use of downstream unsolicited label advertisement. In Cisco IOS Software, AToM
uses independent label control and liberal label retention to improve performance and
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSconvergence time on pseudowire signaling.
IP cores.
The structure
of this
an example
of AToM
deployment.
Figure 6-10. AToM Deployment Model


Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
The following steps explain the procedures of establishing an AToM pseudowire:
1. A pseudowire is provisioned with an attachment circuit on PE1.
productivity gains
2. PE1 initiates a targeted LDP session to PE2 if none already exists. Both PE routers receive
Learn about
Layerother
2 Virtual
Private Networks
(VPNs)
LDP Keepalive messages
from each
and complete
the session
establishment. They
are ready to exchange pseudowire label bindings.
3. When the attachment circuit state on PE1 transitions to up, PE1 allocates a local
pseudowire label corresponding to the pseudowire ID that is provisioned for the
pseudowire.
4. PE1 encodes the local
pseudowire
label
into
thelarge
Labelenterprise
TLV and the
pseudowire
ID into the
Review
strategies
that
allow
customers
to enhance
FEC TLV. Then it sends
labelofferings
binding while
to PE2maintaining
in a Label Mapping
message.
their this
service
routing control
For
a majority
ofmessage
Service Providers,
a significant
of their revenues
5. PE1 receives a
Label
Mapping
from PE2 and
decodes portion
the pseudowire
label and
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
pseudowire ID from the Label TLV and FEC TLV.
6. PE2 performs Steps 1 through 5 independently.
7. After PE1 andservices
PE2 exchange
the existing
pseudowire
labels
and validate
interface
parameters
over their
Layer
3 cores.
The solution
in these
cases is afor a
particular pseudowire
ID,that
the would
pseudowire
pseudowire
IDa is
considered
technology
allow with
Layerthat
2 transport
over
Layer
3
established. infrastructure.
(VPN)
and describes
LayerWithdraw
2 VPN techniques
If one attachmentNetwork
circuit on
one concepts,
PE router goes
down, a Label
messagevia
is sent to the
studies andlabel
comprehensive
designadvertised.
peering PE routerintroductory
to withdraw case
the pseudowire
that it previously
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSControl Word
Negotiation
During pseudowire
establishment,
Mappingand
messages
are sent in
both directions.
reader
to Layer 2 Label
VPN benefits
implementation
requirements
and To
enable the pseudowire,
you need
some
interface
parameters
to certain
values
that the
comparing
them to
to set
those
of Layer
3 based
VPNs, such
as MPLS,
then
peering PE routerprogressively
expects. When
a
mismatch
occurs,
fixing
the
problem
requires
manual
intervention or configuration changes. The protocol cannot correct the mismatch automatically.
For example, when the interface MTUs of the peering PE routers are different, the pseudowire
is not established.
You can negotiate the presence of the control word through protocol signaling. The control
word has 32 bits, as shown in Figure 6-11. If it is present, the control word is encapsulated in
every pseudowire packet and carries per-packet information, such as sequence number,
padding length, and control flags.
Figure 6-11. AToM Control Word

No. 13,291,
Carlos Pignataro, - CCIE No. 4619,
Reserved ByWei Luo, - CCIE Control
Flags
Length
- CCIE
(4 Bits) No. 4460,Anthony Chan,(6
Bits)No. 10,266
(6 Bits)
Sequence Number (16 Bits)

Table of
ISBN: 1-58705-168-0
Forcertain Layer 2 payload

that are carried over pseudowires, such as Frame Relay DLCI
Pages:types
648
Contents
and ATM AAL5, the control word must be present in the pseudowire encapsulation. That means
Index
you must set the C-bit in the pseudowire ID FEC element to 1 in both Label Mapping messages.
When you receive a Label Mapping message that requires the mandatory control word but has
a C-bit of 0, a Label Release message is sent with an Illegal C-bit status code. In this case, the
pseudowire is notMaster
enabled.
productivity gains
For other Layer 2 payload types, the control word is optional. If a PE router cannot send and
receive the optional control word, or if it is capable of doing that but prefers not to do so, the
C-bit in the Label Mapping
message
that the
PE router
sends
is set to
0. If a PE router is
Learn
about Layer
2 Virtual
Private
Networks
(VPNs)
capable of and prefers sending and receiving the optional control word, the C-bit in the Label
Mapping message it sends
is set
to 1.
When
twothe
PE routers
Labelby
Mapping
Reduce
costs
and
extend
reach ofexchange
your services
unifyingmessages,
your
one of the following scenarios
happen when the control word is optional:
networkcould
architecture
Both C-bits are set
to the
same
is, either 0 or 1. In this case, the pseudowire
both
ATOM
andvaluethat
L2TP protocols
establishment is complete. The control word is used if the common C-bit value is 1.
Otherwise, the control
word
is not used.
Review
strategies
A PE router receives a Label Mapping message but has not sent a Label Mapping message
for the pseudowire,
and the
C-bit
setting isadifferent
from
the remote
setting. If
For a majority
oflocal
Service
Providers,
significant
portion
of theirC-bit
revenues
the receivedare
Label
message
C-bit
set to based
1, in this
PE router
stillMapping
derived from
datahas
andthe
voice
services
on case,
legacythe
transport
ignores the technologies.
received LabelAlthough
MappingLayer
message
and VPNs
continues
wait
for the
next
3 MPLS
fulfillto
the
market
need
forLabel
some
message forcustomers,
the pseudowire.
If
the
received
Label
Mapping
message
has
the
C-bit
they have some drawbacks. Ideally, carriers with existing set to
0, the PE router
changes
local
C-bit
setting towould
0 for the
Mapping
message
legacy
Layer 2the
and
Layer
3 networks
like Label
to move
toward
a singleto be
sent. If the attachment
circuit
comes
up,would
the PElike
router
sends
Label Mapping
backbone while
new
carriers
to sell
the alucrative
Layer 2message
with the latest
local C-bit
services
over setting.
A PE router infrastructure.
has already sent a Label Mapping message, and it receives a Label Mapping
message from a remote PE router. However, the local C-bit setting is different from the
remote C-bitLayer
setting.
If the
received Label
Mapping
message
has the
C-bit set
to 1, in this
2 VPN
Architectures
introduces
readers
to Layer
2 Virtual
Private
case, the PENetwork
router ignores
the received
Mapping
message
and continues
(VPN) concepts,
andLabel
describes
Layer
2 VPN techniques
via to wait for
the next label
message for
thestudies
pseudowire.
If the receiveddesign
Label scenarios.
Mapping message
has
introductory
case
and comprehensive
This book
the C-bit setassists
to 0, the
PE router
sends
a Label
Withdraw
message
a Wrong
readers
looking
to meet
those
requirements
bywith
explaining
theC-bit
status code,history
followed
byimplementation
a Label Mapping
message
with
the
C-bit set toavailable
0. The pseudowire
and
details
of the
two
technologies
from
establishment
now Unified
complete,
and
the Any
control
word isover
not used.
theisCisco
VPN
suite:
Transport
To summarize theIPprevious
twostructure
scenarios,
the C-bit
settings
in the
two Label the
Mapping
cores. The
of when
this book
is focused
on first
introducing
messages do not reader
match,to
the
PE router
prefers
use of the option
control word
Layer
2 VPNthat
benefits
andthe
implementation
requirements
and
surrenders to thecomparing
PE router that
not prefer
it, and
the control
wordas
is MPLS,
not used.
themdoes
to those
of Layer
3 based
VPNs, such
then
Configuring whether the control word is to be used in an environment with many different
platforms is sometimes a tedious process. AToM automates this task by detecting the hardware
capability of the PE router. AToM always prefers the presence of the control word and utilizes
the control word negotiation procedures to reach a common C-bit value between PE routers.
Using Sequence Numbers

Because Layer 2 packets are normally transported over Layer 1 physical media directly, most
Layer 2 protocols assume that the underlying transport ensures in-order packet delivery. These
protocols might not function correctly if out-of-order delivery occurs. For instance, if PPP LCP
packets are reordered, the end-to-end PPP connection is unable to establish.
To avoid out-of-order
solution
is to engineer
reordering-free
ByWeipackets,
Luo, - CCIEthe
No.best
13,291,
Carlos Pignataro,
- CCIE No.a4619,
Dmitry Bokotey, -packet
CCIE
network. Even though
this
goalChan,
is not
always
easy to achieve, you should make it a priority
No. 4460,
Anthony
- CCIE
No. 10,266
because no matter what kind of remedy you might use, network performance suffers
significantly from out-of-order
delivery.
Publisher: Cisco
Press
Sequencing that is defined in pseudowire emulation mainly serves a detection mechanism for
ISBN: 1-58705-168-0
network
to troubleshoot
occasional out-of-order delivery problems. Implementations
Tableoperators
of
Pages:
648or reorder out-of-order packets when they are detected.
mightContents
choose to either discard
Because
Indexthe latter requires huge packet buffer space for high-speed links and has significant
performance overhead, AToM simply discards out-of-order packets and relies on the upper
layer to retransmit these packets.
Master
the world is
ofto
Layer
2 VPNs
to provide
enhanced
enjoy in
The first step in using
sequencing
signal
the presence
of the
controlservices
word, asand
described
productivity
gains
the previous section.
The control
word contains a 16-bit Sequence Number field. However, the
presence of the control word does not mandate sequencing. When sequencing is not used,
Sequence Number value is set to 0.
After negotiating the control word, the sequence number is set to 1 and increments by 1 for
Reduce
extend theIfreach
of your services
by unifying
your
each subsequent packet
that iscosts
beingand
transmitted.
the transmitting
sequence
number
network
architecture
reaches the maximum value 65535, it wraps around to 1 again.
Gain
from the
book to
Layer 2 VPN
utilizing
To detect an out-of-order
packet,
thefirst
receiving
PEaddress
router calculates
theapplication
expected sequence
both
ATOM
and
L2TP
protocols
number for the next packet by using the last receiving sequence number (which has an initial
value of 0) plus 1, and then mod (modulus) by 216 (216 = 65536). If the result is 0, the
Review
allow
large
enterprise
customers
to enhance
expected sequence number
is strategies
set to 1. A that
packet
that
is received
over
a pseudowire
is
their
service
offerings
while
maintaining
routing
control
considered in-order if one of the following conditions is met:
are
still derived
fromisdata
The receiving
sequence
number
0. and voice services based on legacy transport
customers,
haveissome
drawbacks.
Ideally, carriers
with
existing
The receiving
sequence they
number
no less
than the expected
sequence
number
and the
Layer
2 and Layer
3 networks
would
like tosequence
move toward
a single
result of thelegacy
receiving
sequence
number
minus the
expected
number
is less
than 32768.backbone while new carriers would like to sell the lucrative Layer 2
technology
would
Layer
transport sequence
over a Layer
3
The receiving
sequencethat
number
is allow
less than
the2 expected
number
and the result
infrastructure.
of the expected
sequence number minus the receiving sequence number is no less than
32768.
Network (VPN)
concepts,
describes
Layer 2out-of-order
VPN techniques
via
If none of these conditions
is satisfied,
the and
packet
is considered
and is
discarded.
Sometimes the sending
the receiving
routerthose
might
lose the last by
transmitting
receiving
assists or
readers
looking PE
to meet
requirements
explaining or
the
sequence numberhistory
because
ofimplementation
transient system
problems.
might want
to restart
and
details
of theThis
two router
technologies
available
from the
sequence numberthe
from
theUnified
initial value.
AToMAny
implements
set ofMPLS
signaling
procedures
to
Cisco
VPN suite:
Transporta over
(ATOM)
for MPLSreliably resynchronize
the
sequence
number.
Although
the
IETF
documents
do
not
specify
based cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for nativethese
procedures, the procedures
arestructure
interoperable
with
any
implementation.
IP cores. The
of this
book
is standard-compliant
focused on first introducing
the
The resynchronization
procedures
AToM
are asand
follows:
reader
to Layer 2in
VPN
benefits
If the transmitting PE router needs to reset the transmitting sequence number, it must
inform the receiving PE router to reset the receiving sequence number. AToM
accomplishes this by letting the transmitting PE router send a Label Release message to
the receiving PE router, followed by a Label Request message. Because the receiving PE
router interprets this as a pseudowire flapping, it resets the receiving sequence number.
If the receiving PE router needs to reset the receiving sequence number, it must inform
the receiving PE router to reset the transmitting sequence number. AToM does so by
letting the receiving PE router send a Label Withdraw message to the transmitting PE
router, followed by a Label Mapping message. Because the transmitting PE router
perceives this as a pseudowire flapping, it resets the transmitting sequence number.

Pseudowire By
Encapsulation
Wei Luo, - CCIE No. 13,291,Carlos Pignataro, -
To properly emulate Layer 2 protocols over pseudowires, you need to encapsulate each Layer 2
payload in such a way that Layer 2 characteristics are preserved as close to what they are in
the native form as possible.
ISBN:
1-58705-168-0
AsideTable
fromof the MPLS label
stack,
pseudowire encapsulation also contains payload-specific
Pages:
648
information
that
varies
on
a
per-transport
and per-packet basis. This section discusses the
Contents
payload-specific
part
of
the
encapsulation,
which includes the control word and the Layer 2
Index
payload.
The next few sections explain how the following Layer 2 protocols are encapsulated and
processed on PE routers:
productivity gains
ATM
Frame Relay
HDLC
PPP
Ethernet

ATM
aretypes
still derived
from datafor
and
voice
servicesATM
based
on legacy
transport
AToM supports two
of encapsulation
ATM
transport:
AAL5
common
part
technologies.
Although
Layer
3
MPLS
VPNs
fulfill
the
market
need
for some
convergence sublayer service data unit (CPCS-SDU) and ATM Cell.
legacy Layer
2 and Layer
3 networks
would like
to move
toward
a single
The ATM AAL5 CPCS-SDU
encapsulation
includes
a mandatory
control
word.
The ATM
AAL5
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2 ATM
CPCS-SDU encapsulation requires segmentation and reassembly (SAR) on the CE-PE
services
their existing
cores.
The
solution
initthese
cases is a
interface. When an
ingressover
PE router
receivesLayer
ATM 3
cells
from
a CE
router,
reassembles
them
technology
that
would
allow
Layer
2
transport
over
a
Layer
3
into an AAL5 CPCS-SDU and copies ATM control flags from the cell header into the control word
before sending it infrastructure.
over a pseudowire. The AAL5 CPCS-SDU is segmented into ATM cells with
proper cell headers on the egress PE router. Figure 6-12 illustrates the AAL5 CPCS-SDU
pseudowire encapsulation.
the Cisco
Unified
VPN suite:Pseudowire
Any Transport over
MPLS (ATOM) for MPLSFigure 6-12.
AAL5
CPCS-SDU
Encapsulation
Reserved
Length and
reader
requirements
T to Layer
E 2 VPN Cbenefits and
U implementation
Rsv
(4 Bits)
(6 Bits)
comparing them to those of Layer 3 based VPNs, such as MPLS,
then
ATM AAL5 CPCS-SDU
(Variable Length)
The control flags in the control word are described as follows:

Transport Type (T-Bit) This bit indicates whether the packet contains an ATM
Operation, Administration, and Maintenance (OAM) cell or an AAL5 CPCS-SDU. If T = 1,

the packet contains an ATM OAM cell. Otherwise, it contains an AAL5 CPCS-SDU. Being
able to transport an ATM OAM cell in the AAL5 mode provides a way to enable
Layer
2 VPN Architectures
administrative
functionality
over AAL5 VC.
EFCI (E-Bit)
stores
value
of the EFCI bit of the last cell to be reassembled
No.The
4460,E-bit
Anthony
Chan, -the
CCIE
No. 10,266
when the payload contains an AAL5 CPCS-SDU or that of the ATM OAM cell when the
payload is an ATM
OAMCisco
cell Press
on the ingress PE router. The egress PE router then sets the
Publisher:
EFCI bit of all cells
to the value of the E-bit.
ISBN: 1-58705-168-0
CLP of(C-Bit) This is
set to 1 if the CLP bit of any cell is set to 1 regardless of whether the
Table
Pages:
648
cell is part of an AAL5 CPCS-SDU
or is an ATM OAM cell on the ingress PE router. The
Contents
egress PE router sets the CLP bit of all cells to the value of the C-bit.
Index
Command/Response Field (U-Bit) When FRF.8.1 Frame Relay/ATM PVC Service

Interworking traffic is being transmitted, the CPCS-UU Least Significant Bit of the AAL5
Mastercontain
the world
LayerRelay
2 VPNs
provide
enhanced
and enjoy
CPCS-SDU might
the of
Frame
C/Rtobit.
This flag
carriesservices
that bit from
the
productivity
ingress PE router
to the gains
egress PE router.
With the ATM Cell encapsulation, ATM cells are transported individually without SAR. The ATM
Learnofabout
Layer 2control
Virtual word
Private
Networks
(VPNs)
Cell encapsulation consists
the optional
and
one or more
ATM cells. Each ATM
cell has a 4-byte ATM cell header and a 48-byte ATM cell payload. Figure 6-13 illustrates the
ATM cell pseudowire encapsulation.
Figure 6-13. ATM Cell Pseudowire Encapsulation

Optional Control Word (4 Octets)
VPI (12 Bits)
VCI
(16and
Bits)
PTI on legacy
C transport
are still derived from
data
voice services based
(3
Bits)
customers, they
some
ATM have
Payload
(48drawbacks.
Octets)
backbone while new
carriers
would like to sell thePTI
lucrative Layer
2
VPI (12 Bits)
VCI
(16 Bits)
C
services over their existing Layer 3 cores. The (3
solution
Bits) in these cases is a
ATM Payload (48 Octets)
infrastructure.
introductory
comprehensive
design
scenarios.
book
The maximum number
of ATMcase
cellsstudies
that anand
ingress
PE router can
fit into
a single This
pseudowire
assists
readers
looking
to
meet
those
requirements
by
explaining
the
packet is constrained by the network MTU and the number of ATM cells that the egress PE
and
implementation
of thePEtwo
technologies
available
from
router is willing tohistory
receive.
This
is signaled to details
the ingress
router
through the
interface
the
Cisco
Unified
VPN
suite:
Any
Transport
over
MPLS
(ATOM)
for
MPLSparameter "maximum number of concatenated ATM cells" in the Label Mapping message.
Frame Relay comparing them to those of Layer 3 based VPNs, such as MPLS, then
Frame Relay DLCIs are locally significant, and it is likely that two Frame Relay attachment
circuits that are connected through a pseudowire have different DLCIs. Therefore, you do not
need to include DLCI as part of the Frame Relay pseudowire encapsulation. The control word is
mandatory. Control flags in the Frame Relay header are mapped to the corresponding flag
fields in the control word. Frame Relay payloads that are carried over pseudowires do not
include the Frame Relay header or the FCS. Figure 6-14 illustrates the Frame Relay pseudowire
encapsulation.
Figure 6-14. Frame Relay Pseudowire Encapsulation

Reserved
(4 Bits)
Length
ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey,
- CCIE
B
F
D
C
Rsv
(6 Bits)
Frame
Pub Date: March 10,
2005 Relay PDU
Table of
Contents
Index
(Variable Length)
ISBN: 1-58705-168-0
Pages: 648
The Frame Relay control flags in the control word are described as follows:
Backward Explicit
Congestion
Notification
ingressservices
PE router
copies
Master the
world of Layer
2 VPNs to(B-Bit)
provideThe
enhanced
and
enjoythe
BECN field of
an
incoming
Frame
Relay
packet
into
the
B-bit.
The
B-bit
value
is
copied
to
productivity gains
the BECN field of the outgoing Frame Relay packet on the egress PE router.
Forward Explicit
Congestion
Notification
(F-Bit)Networks
The ingress
PE router copies the
Learn
about Layer
2 Virtual Private
(VPNs)
FECN field of an incoming Frame Relay packet into the F-bit. The F-bit value is copied to
the FECN field of Reduce
the outgoing
Relaythe
packet
onofthe
egress
PE router.
costs Frame
and extend
reach
your
services
by unifying your
Discard Eligibility (D-Bit) The ingress PE router copies the DE field of an incoming
Frame Relay packet
into
thethe
D-bit.
D-bit
value isLayer
copied
theapplication
DE field ofutilizing
the
Gain
from
firstThe
book
to address
2 to
VPN
outgoing Frame Relay
packetand
on the
egress
PE router.
both ATOM
L2TP
protocols
Command/Response
Thethat
ingress
router
copies the
C/R fieldtoofenhance
an incoming
Review(C-Bit)
strategies
allowPE
large
enterprise
customers
Frame Relay packet
into
the C-bit.
The C-bit
is copied
to thecontrol
C/R field of the
their
service
offerings
while value
maintaining
routing
outgoing Frame Relay packet on the egress PE router.
HDLC
HDLC mode provides port-to-port transport of HDLC encapsulated frames. The pseudowire
HDLC encapsulation consists of the optional control word, HDLC address, control and protocol
fields without HDLC flags, and the FCS.
infrastructure.
You can also use the HDLC mode to transport Frame Relay User-to-Network Interface (UNI) or
Network-to-Network Interface (NNI) traffic port-to-port transparently because they use HDLC
framing.
PPP
cores and
Layer 2 of
Tunneling
Protocol version
3 The
(L2TPv3)
for native
PPP mode provides
port-to-port
transport
PPP encapsulated
frames.
PPP pseudowire
IP cores.
Theoptional
structure
of this
book
is focused
on first
the
encapsulation consists
of the
control
word
and
the protocol
fieldintroducing
without media-specific
reader
to as
Layer
2 VPN
benefits
implementation
framing information,
such
HDLC
address
and and
control
fields or FCS.requirements and
When you enableprogressively
the Protocol Field
Compression
(PFC) available
option in solution
PPP, thein
Protocol
is
covering
each currently
greaterfield
detail.
compressed from two octets into a single octet. PFC occurs between CE routers and is
transparent to PE routers. PE routers transmit the protocol field in its entirety as it is received
from CE routers.
If the CE-PE interface uses HDLC-like framing, the ingress PE router always strips off HDLC
address and control fields from the PPP frames before transporting them over pseudowires.
Perhaps two CE routers negotiate Address and Control Field Compression (ACFC). The egress
PE router has no way of knowing that unless it snoops into the PPP LCP negotiation between
the CE routers, and that is normally undesirable because of system complexities and
performance overhead. Therefore, the egress PE router cannot determine whether it should
add HDLC address and control fields for PPP frames that are being sent to the CE router.
In Cisco IOS, AToM uses a simple solution to solve this problem without snooping. Basically,
Layersays
2 VPNthat
Architectures
the PPP specification
a PPP implementation that supports HDLC-like framing must
prepare to receive
frames
with
uncompressed
address
and
fields
at all
times
ByPPP
Wei Luo,
- CCIE
No. 13,291,
Carlos Pignataro,
- CCIE
No. control
4619,Dmitry
Bokotey,
- CCIE
regardless of ACFC.
So with
AToM,
egress
PE router always adds HDLC address and control
No. 4460,
Anthony
Chan,the
- CCIE
No. 10,266
fields back to the PPP packet if the egress CE-PE interface uses HDLC-like framing. For
interfaces that do not
use HDLC-like
Publisher:
Cisco Pressframing, such as PPP over Ethernet, PPP over Frame
Relay, and PPP over Pub
ATMDate:
AAL5,
the egress PE router does not add HDLC address and control
March 10, 2005
fields to the PPP packet.
Table of
Contents
Index
Ethernet
ISBN: 1-58705-168-0
Pages: 648
With the Ethernet pseudowire encapsulation, the preamble and FCS are removed from the
Ethernet frames on
the ingress
PE of
router
before
sending
themenhanced
over pseudowires,
andenjoy
they are
Master
the world
Layer
2 VPNs
to provide
services and
regenerated on the
egress
PE
router.
The
control
word
is
optional.
productivity gains
Ethernet pseudowires have two modes of operations:
Raw mode In raw
mode,costs
an Ethernet
frame
not haveby
anunifying
IEEE 802.1q
Reduce
and extend
themight
reachor
ofmight
your services
your
VLAN tag. If the frame
does
have
this
tag,
the
tag
is
not
meaningful
to
both
the ingress
and egress PE routers.
Tagged mode Inboth
tagged
mode,
must contain an IEEE 802.1q VLAN tag. The
ATOM
and each
L2TP frame
protocols
tag value is meaningful to both the ingress and egress PE routers.
To explain how ingresstheir
and service
egress PE
routerswhile
process
a VLAN tag,
it is control
necessary to define the
offerings
maintaining
routing
semantics for the VLAN tag first. For example, when the ingress PE receives an Ethernet frame
from a CE router For
andathe
frame of
contains
VLAN tag, athere
are two
possible
scenarios:
majority
Servicea Providers,
significant
portion
of their
revenues
The VLAN tag
is a service
delimiter.
The drawbacks.
provider uses
a service
delimiter
to distinguish
customers,
they
have some
Ideally,
carriers
with existing
one type of legacy
customer
traffic
from
another.
For
example,
each
service-delimiting
VLAN tag
Layer 2 and Layer 3 networks would like to move toward a single
can represent
a
different
customer
who
the
provider
is
serving
or
a
particular
network
service that services
the provider
to offer.Layer
Some3equipment
the provider
operates
over wants
their existing
cores. The that
solution
in these cases
is a
usually places
this
VLAN
tag
onto
the
Ethernet
frame.
infrastructure.
The VLAN tag is not a service delimiter. A CE router or some equipment that the customer
operates usually
VLAN tag. introduces
The VLAN tag
is nottomeaningful
to thePrivate
ingress PE
Layerplaces
2 VPN this
Architectures
readers
Layer 2 Virtual
router.

If an Ethernet pseudowire operates in raw mode, a service-delimiting VLAN tag, if present, is
removed from the Ethernet frame that is received from a CE router before the frame is sent
over the pseudowire. If the VLAN tag is not a service delimiter, it is passed across the
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSpseudowire transparently.
IP cores. The
structure
of thismode,
book is
focused
on first
introducing
theover the
If an Ethernet pseudowire
operates
in tagged
each
Ethernet
frame
that is sent
reader
to
Layer
2
VPN
benefits
and
implementation
requirements
and
pseudowire must have a VLAN tag, regardless of whether it is a service-delimiting VLAN tag.
progressively
covering
eachtags
currently
available
solution in greater
detail.
In both modes, the
service-delimiting
VLAN
have only
local significance.
That is,
these
tags are meaningful only at a particular CE-PE interface. When the egress PE router receives an
Ethernet frame from the pseudowire, it references the operation mode and its local
configuration to determine how to process this frame before transmitting it to the CE router. If
the egress PE is using raw mode, it might add a service-delimiting VLAN tag, but it will not
rewrite or remove a VLAN tag that is already present in the frame. If the egress PE is using
tagged mode, it can rewrite, remove, or keep the VLAN tag that is present in the frame.
In Metro Ethernet deployment, in which CE routers and PE routers are connected through an
Ethernet switched access network, packets that arrive at PE routers can contain two IEEE
802.1q VLAN tags. This type of packet is commonly known as a QinQ packet. When the outer
VLAN tag is the service-delimiting VLAN tag, QinQ packets are processed exactly like the ones
with a single VLAN tag in both raw mode and tagged mode. When the combination of the outer
Layeris2 used
VPN Architectures
and inner VLAN tags
for service-delimiting, it is processed as if it were a single VLAN
ByWei Luo,range
- CCIE of
No.values.
13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
tag but with an extended
If you need to take QoS into consideration, the ingress PE router can map the user priority bits
in the VLAN header to
the MPLS
Publisher:
CiscoEXP
Pressbits in the MPLS label stack. In this way, transit LSRs in
the MPLS network can
apply QoS policies to the Ethernet frames that are carried over
pseudowires.
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.

Summary By
This chapter first gave

an overview
of LDP, including LDP components and operations that are
Publisher:
Cisco Press
related to pseudowire
emulation
MPLS. Then the chapter explained the control signaling
Pub
Date: Marchover
10, 2005
and data switching details of AToM.
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
Despite
multiple possible combinations
of label distribution and management modes for
Index
pseudowire
signaling, AToM implements the combination that uses LDP downstream unsolicited
advertisement, independent control, and liberal retention modes.

Pseudowire emulation over MPLS introduces new protocol extensions and signaling procedures,
Master ID
theFEC
world
of Layer
2 VPNs
provide
and
such as the Pseudowire
element
in the
FEC to
TLV
that isenhanced
defined toservices
represent
a enjoy
productivity
pseudowire that connects
twogains
attachment circuits on different PE routers, the negotiation of
the control word presence, and sequence number resynchronization.
LearnMPLS
aboutalso
Layer
2 Virtual
Networks
(VPNs) and data switching
Pseudowire emulation over
specifies
newPrivate
encapsulation
methods
procedures, such as the control word that is customized for carrying transport-specific
Reduceencapsulations,
costs and extend
the reach of processing
your services
by unifying
information, Layer 2 payload
ingress/egress
optimized
for your
network
architecture
transporting over pseudowires, and the sequence number for detecting out-of-order packets.
infrastructure.

Chapter 7. LAN Protocols over MPLS

Case Studies

ISBN: 1-58705-168-0

This chapter
Contents
Index
Pages: 648
Understanding Ethernet over MPLS technology

EoMPLS transport case studies
Common troubleshooting
techniques
productivity gains
Chapter 6, "Understanding Any Transport over MPLS," introduced you to the general concepts
of Any Transport over MPLS
In this
chapter,
you learn
operation
and configuration of
Learn (AToM).
about Layer
2 Virtual
Private
Networks
(VPNs)
Ethernet over MPLS (EoMPLS), one of the draft-martini-based AToM technologies. EoMPLS
offers a way to connectReduce
geographically
Ethernet
networks.
By deploying
EoMPLS
costs anddispersed
extend the
reach of
your services
by unifying
yourin
their core, service providers
canarchitecture
implement Ethernet VPN services.
network
This chapter outlines important
the EoMPLS
technology
and provides
step-by-step
Gain fromaspects
the firstofbook
to address
Layer 2 VPN
application
utilizing
configuration procedures
forATOM
enabling
primarily on the service provider's side. As you
both
and EoMPLS,
L2TP protocols
already know from previous chapters, the Layer 2 VPN is transparent to the end customer, so
Review
strategies
that allow
large
enterprise customers to enhance
the configuration required
for the
enterprise's
devices
is minimal.
The case studies included in this chapter do not concentrate on configuration specifics that are
a majority
of Service
a significant
portion for
of their
revenues
native to differentFor
platforms.
Instead,
theyProviders,
provide generic
configuration
routers
and
switches.
Note
This chapterinfrastructure.
relies heavily on knowledge and comprehension of concepts learned
from previous chapters, especially Chapter 6. In some cases, simple references to
these chapters
are2provided.
In other cases
(whenreaders
necessary),
certain
concepts
are
Layer
VPN Architectures
introduces
to Layer
2 Virtual
Private
reiterated. Network (VPN) concepts, and describes Layer 2 VPN techniques via

Understanding
Ethernet over MPLS Technology
EoMPLS, as specifiedPublisher:
in the draft-martini
discussed in Chapter 6, allows Layer 2 Ethernet
Cisco Press
frames to be transported
across
Multiprotocol
Label Switching (MPLS) core network. For the
Pub Date:
Marcha10,
2005
label switch router (LSR) to switch Layer 2 virtual circuits (VC), it must have IP connectivity to
ISBN: 1-58705-168-0
Table of
transport
any Layer 2 attachment services. Thus, the edge LSRs must have the capability to
Pages:
648
Contents
switch
Layer 2 VCs. EoMPLS has several mechanisms in place to support such transport. These
Index
mechanisms
are further explained in the following sections:
EoMPLS Label Stack
Supported VC
Types
productivity
gains
Label Imposition

Label Disposition
EoMPLS Label Stack

Most common EoMPLSs use a two-level label stack. (The VC label should always have at least
Review strategies
that(PSN)
allow label
largeshould
enterprise
to enhance
one label, and the packet-switched
network
havecustomers
zero or more
label stack
their
service
offerings
while
maintaining
routing
control
entries.) This means that
the
Ethernet
packets
transported
between
the
egress and ingress
LSRs are sent containing two labels: the top, or outer, and the bottom, or inner. The outer
a majority
of Service
Providers,
a significant
of their
revenues
label, also knownFor
as the
tunnel label
or Interior
Gateway
Protocol portion
(IGP) label,
sends
packets
are still derived
fromLSR
data
and voice
based
on legacy
over the MPLS backbone.
The egress
assigns
the services
inner label,
known
as the transport
VC label (or
technologies.
Although
Layer
3 MPLS VPNs
fulfillon
thethe
market
need
some
pseudowire) label).
The VC label
identifies
the attachment
circuit
egress
LSR.for
The
egress
customers,
have with
somethe
drawbacks.
carriers
with
LSR binds the Layer
2 egressthey
interface
configuredIdeally,
VC ID and
sends
theexisting
VC label to the
legacy
Layer
2 and the
Layer
3 networks
like to Protocol
move toward
single For
ingress provider edge
(PE)
by using
targeted
Layerwould
Distribution
(LDP)asession.
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
more information about a targeted LDP session, review the "Establishing AToM Pseudowires"
services
section of Chapter
6.
infrastructure.
The next two sections
describe the EoMPLS packet format and maximum transmission unit
(MTU) size requirements.
Packet Format introductory case studies and comprehensive design scenarios. This book
Figure 7-1 demonstrates
EoMPLS
format, but
also applies
other
forms of
the Ciscothe
Unified
VPNencapsulation
overitMPLS
(ATOM)tofor
MPLStransport over MPLS.
Figure
7-1. EoMPLS
Packet
Format
progressively
covering
each currently
available

ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
The bottom
VC
label
and
the
top tunnel label comprise the two levels of the label stack. The
Index
tunnel label switches packets from the ingress PE to the egress PE. The ingress LSR sets the VC
label's Time to Live (TTL) field to a value of 2 (in this case), and it sets the TTL of the tunnel
label to 255. To indicate that the VC label is at the bottom of the stack, the ingress PE marks
Master thebit
world
Layer
2 VPNs
the VC label's end-of-stack
withofthe
value
of 1. to provide enhanced services and enjoy
productivity gains
MTU Size Requirements

In the most common scenario,
the two
stack
stack append
Reduce costs
andlevel
extend
theentries
reach of the
yourEoMPLS
serviceslabel
by unifying
your 8
bytes to a Layer 2 frame
(4 bytes
each). In addition, an optional 4-byte control word is always
network
architecture
preferred in Cisco routers. Figure 7-2 shows the overhead introduced by the addition of the
Gain
from
first book
to address
VPN
application
utilizing
tunnel and the VC labels
plus
the the
optional
control
word on Layer
top of2the
original
Ethernet
frame
and the L2 header.

Figure 7-2. EoMPLS Label Stack Overhead

Layer
MPLS
full 3
size
image]VPNs fulfill the market need for some
infrastructure.
Assuming that Layer 2 in the packet-switched network (PSN) is Ethernet in Figure 7-2, the PSN
Layer 2 header contains the following:
the
Cisco Unified
VPN suite:
Any Transport
Destination
address
(DA)/source
address
(SA)12over
bits MPLS (ATOM) for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
IP cores. The
structure
Protocol Ethertype
0x88472
bytes
themwhich
to those
of Layer
3 the
based
VPNs,
such an
as MPLS
MPLS,unicast
then
The MPLS label iscomparing
set to 0x8847,
indicates
that
frame
carries
covering
currently available
in greater detail.
packet. If the PSNprogressively
uses a different
Layereach
2 technology,
the uppersolution
layer identification
specifies
an MPLS packet, such as Cisco High-Level Data Link Control (HDLC) Type or PPP Data Link
Layer protocol.
Note
The preceding fields describe the Layer 2 header in an Ethernet PSN. Do not confuse
them with the Ethernet header fields in the transported Layer 2 frame from the
customer edge (CE) device.

By7-2
Wei Luo,
- CCIE
No. 13,291,
Carlos
- CCIE
No. 4619,
Dmitry each
Bokotey,
- CCIE
In addition, Figure
shows
a label
stack
of 2Pignataro,
label stack
entries
(LSE),
containing
the
following:
20-bit label

3-bitofExperimentalISBN:
Field1-58705-168-0
(Exp)
Table
Pages:
648
Contents
1-bit Bottom of Stack Indicator (S)
Index
1-byte TTL
Finally,Figure 7-2 shows an optional 4-byte control word and the original Ethernet frame. The
original Ethernet frame's header from the CE device that is transported in EoMPLS is at least 14
productivity gains
bytes and contains the following:
DA/SA12 bits
Protocol EthertypeIndicates the upper-layer protocol
In the case of 802.1q Ethernet VLAN transport, the Ethernet overhead is 18 bytes, with the
addition of the 4-byte VLAN Tag header, also referred to as the 802.1q header. An Ethertype
with a value of 0x8100 indicates that there is a VLAN Tag header between the Ethernet and
upper-layer headers. The
802.1q
header that
is asallow
follows:
Review
strategies
large enterprise customers to enhance

3 priority (P) bits
Canonical Format Identifier (CFI) bit
12-bit VLANcustomers,
ID (VID) they have some drawbacks. Ideally, carriers with existing
backbone
new carriers
would like
to sell the
lucrative
Layer
2-byte Ethertype
field while
(indicates
the higher-layer
protocol,
such
as 0x0800
for2 IPv4)
technology
that wouldoutlined
allow Layer
Table 7-1 summarizes
the information
previously.
infrastructure.

introductory
case
comprehensive
Table 7-1.
Summary
ofstudies
Layerand
2 and
MPLS Components
Field
How
Comments
the Cisco UnifiedBits
VPN suite: Any Transport
over MPLS
(ATOM) for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
Destination MAC address
First 6 bytes.
FIB[1] lookup,
From ARP[2].
included in the
rewrite string.
progressively covering
currently
Source MAC address
Next 6 each
bytes.
MACavailable
address solution
Field in
is greater
always detail.
of the router or the same.
switch.
Ethertype
Next 2 bytes.
0x8847.
MPLS Unicast
indicated by
0x8847.
Tunnel labelMPLS label
20 bits (bits
019 after MAC
header).
Derived from
PSN label for
the remote
PE's FEC[3].
Information
can be
obtained
through FIB
lookup.
Tunnel labelEXP[4] bits
3 bits. Bits

2022 of tunnel
Pub Date: March label.
10, 2005
Experimental
bits in the
tunnel PSN.
ISBN: 1-58705-168-0
Table of
Contents
Index
Pages: 648
Intermediate
LSRs can
modify field
when switching
the packet
through the
PSN.
Tunnel labelS bit
1 bit. Bit 23 of 0.
The S bit in the
tunnel label.
Tunnel Label
Master the world of Layer 2 VPNs to provide enhanced
fieldservices
is alwaysand enjoy
productivity gains
set to 0 for the
tunnel label to
indicate that
another LSE[5]
follows.by unifying your
Reduce costs and extend the reach of your services
Tunnel labelTTL field network architecture

8 bits. Bits
Initially set to
This field is
2431 of tunnel 255 or can be
decremented
label.
derived from
in intermediate
the
LSRs by means
transported
IP
of TTL
Review strategies that allow large enterprise customers
to enhance
header.
processing.
their service offerings while maintaining
routing
control
VC labelMPLS label
20 bits. Bits
Derived from
VC label is
019 after
the incoming
associated with
tunnel label.
packet's VLAN
the egress
tag and the
attachment
ingress port
circuit and
(that is,
advertised
incoming
through LDP.
attachment
You obtain this
circuit).
information
infrastructure.
from the FIB
lookup.
Layer 2 VPN Architectures introduces readers to Layer
2 Virtual Private
and
describes
Layer
techniques
via
VC labelEXP bitsNetwork (VPN) concepts,
3 bits. Bits
20Same as
the 2 VPN
You
can
introductory case22
studies
and
comprehensive
design
scenarios.
This
book
of VC label. tunnel EXP
configure this
assists readers looking to meet those
requirements
by
explaining
the
bits.
field.
the Cisco Unified1VPN
over MPLS
(ATOM)
VC labelS bit
bit. suite:
Bit 23 Any
of Transport
1.
Because
thefor MPLSbased cores and VC
Layer
2 Tunneling Protocol versionVC
3 (L2TPv3)
for native
label.
label is the
IP cores. The structure of this book is focused on first
lastintroducing
label in thethe
reader to Layer 2 VPN benefits and implementationMPLS
requirements
and
label
comparing them to those of Layer 3 based VPNs, such
as
MPLS,
then
stack, the S bit
progressively covering each currently available solution
in greater
is always
set to detail.
1.
VC labelTTL field
[1]
FIB = Forwarding Information Base
8 bits. Bits
2431 of VC
label.
2.
This field is
always set to
2.
[2]
ARP = Address Resolution Protocol
[3]
FEC = forward error correction

EXP = Experimental
No. 4460,
[5] LSE = label stack
entryAnthony Chan, - CCIE No. 10,266
[4]
You can see a sample

EoMPLS
packet
Publisher:
Cisco
Press showing the fields from Example 7-1. The EoMPLS packet
over Ethernet PSN that
two-label
stack and control word transports an 802.1q VLAN
Pub contains
Date: Marcha10,
2005
frame that contains an Internet
Control
Message
Protocol (ICMP) echo request (ping) sent from
ISBN: 1-58705-168-0
Table of
a CE
device. The different layers of protocols are highlighted.
Contents
Index
Pages: 648
Example 7-1. EoMPLS Frame Sample (Ethernet Frame)

Ethernet II
productivity
gains
Destination:
00:03:a0:19:c0:c2
Source: 00:03:a0:19:c5:02
eType: MPLS Unicast (0x8847)
MultiProtocol Label Switching Header
MPLS Label: 16 Reduce costs and extend the reach of your services by unifying your
MPLS Experimental
Bits:
2
network
architecture
MPLS Bottom Of Label Stack: 0
MPLS TTL: 253 Gain from the first book to address Layer 2 VPN application utilizing
MultiProtocol Labelboth
Switching
Header
ATOM and
L2TP protocols
MPLS Label: 16
MPLS Experimental
Bits:
2
Review
strategies
MPLS Bottom Of their
Label
Stack:
1
service
offerings
MPLS TTL: 2
AToM EoMPLS Header
are still derived
AToM MPLS Control
Word: from
0x00000000
Ethernet II
customers,
Destination:
aa:aa:aa:aa:aa:aa
Source: bb:bb:bb:bb:bb:bb
backbone
while
carriers would like to sell the lucrative Layer 2
Type: 802.1Q
Virtual
LANnew
(0x8100)
802.1q Virtual services
LAN
technology
would allow
000. .... ....
.... that
= Priority:
0 Layer 2 transport over a Layer 3
infrastructure.
...0 .... ....
.... = CFI: 0
.... 0000 0110 0100 = ID: 100
Type: IP (0x0800)
Trailer: 00000000000000000000
Internet Protocol
Version: 4 assists readers looking to meet those requirements by explaining the
history
Header length:
20and
bytes
the Ciscofor
Unified
VPN suite: Any Transport over MPLS (ATOM) for MPLS! Output omitted
brevity
based
cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
Time to live:
255
IP cores.
The structure of this book is focused on first introducing the
Protocol: ICMP
(0x01)
reader to
Layer 2(correct)
VPN benefits and implementation requirements and
Header checksum:
0xa3fd
comparing
them
to
those of Layer 3 based VPNs, such as MPLS, then
Source: 10.1.2.203 (10.1.2.203)
progressively
covering
Destination: 10.0.0.201 (10.0.0.201)
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0xc15c (correct)
Identifier: 0x000f
Sequence number: 0x0000
Data (8 bytes)
The overhead incurred when Ethernet frames were transported over MPLS and rules and
restrictions were imposed on the MPLS network.
VPN Architectures
For instance, the Layer
MTU 2configuration
of the MPLS network should accommodate the largest
expected frame size
in Luo,
thelabel-switched
paths
(LSPs)- plus
header
(Ethernet
ByWei
CCIE No. 13,291,Carlos
Pignataro,
CCIEthe
No. 4619,
Dmitry
Bokotey, - frame
CCIE
header, in this case),
control
word,
8 additional
No. 4460,
Anthony
Chan,and
- CCIE
No. 10,266 label stack bytes. This includes
configuration of the CE and PE links.
Figure 7-3 illustrates a sample network over which you can see the MTU calculation for VLANPub Date: March 10, 2005
tunneled modes. (Both modes are discussed in the "Supported VC Types" section of this
ISBN: 1-58705-168-0
chapter.)
To verify these
calculations, you perform pings with different packet sizes from the
Table of
Pages:
648
CE R200
to the CE R204.
Contents
Index
Figure 7-3. Calculating MTU Requirements
productivity gains

Using the network depicted
in Figure
7-3, youwhile
can see
in Example
7-2 the
different results
their service
offerings
maintaining
routing
control
when sending pings with the don't fragment (DF) bit set from R200 to R204, with sizes of 1470
and 1471 bytes, respectively.
drawbacks.
Example 7-2.customers,
Probingthey
forhave
MTUsome
Limits
in EoMPLS
services over their
Layer 3 cores.
R200#ping ip 10.10.10.204
size existing
1470 timeout
1 df-bit
Type escape sequence
to abort.
infrastructure.
Sending 5, 1470-byte ICMP Echos to 10.10.10.204, timeout is 1 seconds:
Packet sent with
the2 VPN
DF bit
set
Layer
Architectures
!!!!!
Success rate isintroductory
100 percent
min/avg/max
24/28/32
msbook
case(5/5),
studiesround-trip
and comprehensive
design =scenarios.
This
R200#
R200#ping ip 10.10.10.204
size 1471 timeout
1 the
df-bit
details of
the Cisco
VPN suite: Any Transport over MPLS (ATOM) for MPLSType escape sequence
toUnified
abort.
based
cores
and
Layer
Protocol
versionis
3 (L2TPv3)
for native
Sending 5, 1471-byte ICMP Echos to2 Tunneling
10.10.10.204,
timeout
1 seconds:
IP
cores.
The
structure
of
this
book
is
focused
on
first
introducing
the
Packet sent with the DF bit set
reader
to
Layer
2
VPN
benefits
and
implementation
requirements
and
.....
them
to those of Layer 3 based VPNs, such as MPLS, then
Success rate iscomparing
0 percent
(0/5)
progressively
covering
R200#
You can use the following formula to calculate MTU requirements for the core:
Core MTU >= Edge MTU + Transport Header + AToM Header + (MPLS Label Stack *
MPLS Header Size)
The Edge MTU is the MTU that is configured in the CE-facing PE's interface.
This formula uses the following values for VLAN transport and a two-label stack and provides
Layer to
2 VPN
Architectures
the core MTU needed
transport
1500-byte packets from the CE:
Core MTU >= 1470 + 18 + 4 + (2 * 4)

Core MTU >= 1500
You input the value of 1470 bytes in the preceding formula as the edge MTU because that is
ISBN: 1-58705-168-0
Table of unfragmented packet that was successfully transported. The result of the formula is
the largest
Pages:
648
Contents
a core
MTU that is greater than
or equal to 1500 bytes, which is the actual MTU that is
Index in the core.
configured
On the other hand, if you want to transport 1500-byte packets from the CE device, you can
substitute that value for the Edge MTU in the general formula to calculate the corresponding
Core MTU needed:
productivity gains
Core MTU >= Edge MTU + 18 + 4 + (2 * 4)
Core MTU >= 1500Learn
+ 18about
+ 4 +Layer
(2 *2 Virtual
4)
Core MTU >= 1530
In this case, you need to configure the MTU links to allow for 1530-byte packets.
Table 7-2 outlines the MTU calculation to show that the overhead is 30 bytes. That is why only
packets that are up to 1470 bytes with DF bit set are successfully transported in Example 7-2.
Table 7-2.are
Calculating
MTU
Requirements
forbased
Ethernet
still derived from
data
and voice services
on legacy transport
VLAN
Transport
Layer
Description
Core
Overhead
technology that would
allow
Layer 2 transport over
Layer 3
Transported
Ethernet
VLAN
18 abytes
infrastructure.
AToM
Control word
4 bytes
MPLS
MPLS stack
entries
* MPLS
2 headers
* 4 via
and
describes
Layer 2 VPN
techniques
size
bytes/header
introductory caseheader
studies
and comprehensive design
= 8by
bytes
assists readers looking to meet those requirements
explaining the
Total
30 bytes
reader
Layer 2 VPN
benefits
implementation
and
Keeping in mind that
theto
transport
overhead
for and
VLAN-tunneled
is 18 requirements
bytes, the transport
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as
MPLS,
then
overhead for port-tunneled is 14 bytes, and that MPLS traffic engineering (TE) fast reroute
progressively
covering
each
currently
solution in greater
detail.
(FRR) uses an additional
label stack
entry,
you
can see available
the MTU calculations
for various
cases
inTable 7-3. (All values are in bytes.) Note that the sizes in square brackets indicate the
values when the optional control word is not used.
Table 7-3. Calculating MTU Requirements for EoMPLS Cases

Field
ByWei Luo, - CCIE No.

13,291,CarlosAToM
Pignataro, - CCIE
No. 4619,
Dmitry Bokotey,
- CCIE Total
Edge
Transport
MPLS
MPLS
MPLS
(Control Stack
Header
Word)
EoMPLS Port
Mode
1500
Table of
14
4 [0]
2 LSEs
4
8
bytes/LSE
1526
[1522]
ISBN: 1-58705-168-0
EoMPLS
VLAN
Contents
Mode
Index
1500 Pages: 648 18
4 [0]
2 LSEs
4
8
bytes/LSE
1530
[1526]
EoMPLS Port
+ TE FRR
1500
4 [0]
3 LSEs
4
8
bytes/LSE
1530
[1526]
EoMPLS VLAN
+ TE FRR
Master the world

VPNs
enhanced
services
1500
18of Layer 2 4
[0] to provide
3 LSEs
4
12 and enjoy
1534
productivity gains
bytes/LSE
[1530]
14

Under certain circumstances, the egress label edge router (LER) might receive a packet that
and extend
the reach
ofmight
your services
unifying
your
exceeds the MTU of theReduce
egresscosts
interface.
For instance,
a PE
receive abyjumbo
frame
that
network
architecture
exceeds the default 1500
MTU in
the core. The core must be able to transport larger frame
bytes.
both between
ATOM and
L2TP
protocols
If the MTU is not increased
the
PE and
P routers and the encapsulated packet on the
ingress PE exceeds the LSP MTU, the packet is dropped on the PE. Likewise, if a packet arrives
that
large
enterprise
customers
toitenhance
at the egress LSR that Review
exceedsstrategies
the MTU of
theallow
egress
Layer
2 interface
(VLAN),
is dropped.
their service
offerings
whilefragmentation
maintaining routing
In addition, the MPLS backbone
does
not support
of the control
Layer 2 packets.
Therefore, the MTU of all intermediate circuits must be able to handle the biggest Layer 2
packet that is transported.
technologies.
Although
3 MPLS
VPNsto
fulfill
the market
need
The MTU configuration
of the ingress
andLayer
egress
PEs needs
match.
Otherwise,
a for
VC some
customers,
they have
drawbacks.
carriers
with existing
negotiation occurs,
but it is rejected
andsome
the circuit
fails toIdeally,
come up.
Resolving
this issue
legacy
andparameters
Layer 3 networks
to move
toward
a single
requires configuring
the Layer
same 2
MTU
on eachwould
side. like
To avoid
packet
drops
in the core,
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
thempls mtunumber on interfaces must be increased on P and PE routers to meet2
requirements.
infrastructure.
Supported VC
Types
Layer
2 VPN Architectures

introductory
case studies
and can
comprehensive
design
scenarios.
This book
As mentioned in the
previous section,
EoMPLS
operate in two
modes:
port-tunneling
mode
assists
readers
looking toismeet
requirements
by explaining
the VLANand VLAN-tunneling
mode.
Port-tunneling
also those
referred
to as port-to-port
transport.
history
and
implementation
details
from
tunneled interfaces
are VC
type
4, or, 0x0004,
and port-tunneled
interfaces available
are VC type
5, or
the Cisco
VPN suite:
Anydevices
Transport
overboth
MPLSVC
(ATOM)
0x0005 (as specified
in theUnified
draft-martini).
Cisco
support
types. for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
Note
The newest Cisco implementations provide for auto-sensing of the VC type.
In VLAN-tunneling mode, the ingress information for the VLAN is contained within the dot1Q
header of the packet. (Refer to Chapter 4, "LAN Protocols," for more information on dot1Q.) By
looking at the VLAN ID in the dot1Q header, the network processor (NP) can determine the
next step in processing, described in the "Label Imposition" section of this chapter.
In port-tunneling mode, the packet does not have ingress port information. For inclusion of
ingress information, the port-tunneled interface is put into the QinQ mode. A hidden VLAN is
then created and added onto the packet. A hidden VLAN is a VLAN that is numbered outside
2 VPN Architectures
the allowed rangeLayer
for VLAN
IDs. This is how the NP learns the ingress information. The hidden
ByWeito
Luo,
CCIE No.
13,291,Carlos
Pignataro,
- CCIE
4619,
Dmitry Bokotey,
CCIE
VLAN concept applies
a -switch
platform
(that
is, 6500
and No.
7600
platforms).
In- contrast,
No. 4460,
Anthony
- CCIE
No. 10,266
VLAN-tunneled mode
does
not Chan,
require
a hidden
VLAN. The NP can discern the ingress
information from the packet's dot1Q header.
A similar concept applies

to routers (VLAN stacking method). It involves the use of
subinterfaces.
ISBN: 1-58705-168-0
Table of
Pages:
648 port-tunneling mode and VLAN-tunneling mode is in the
Another
difference between the
Contents
handling
Indexof VLAN IDs. In port-tunneling mode, the VLAN ID is transparently passed from the
ingress PE to the egress PE over MPLS in a single VLAN. In VLAN-tunneling mode, however, the
VLAN ID at each end of the EoMPLS tunnel can be different. To overcome this, the egress side
of the tunnel that is mapped to a VLAN rewrites the VLAN ID in outgoing dot1Q packets to the
ID of the local VLAN.
productivity gains
Label ImpositionLearn about Layer 2 Virtual Private Networks (VPNs)

costsabout
and extend
the reach
your services
by unifying
Earlier in this chapter, Reduce
you learned
the format
of theofEoMPLS
label stack.
Addingyour
these
labels onto a packet is network
referred architecture
to as label imposition . You perform label imposition on the label
imposition router or an ingress PE. Routers receive a Layer 2 packet and encapsulates it for the
MPLS backbone.
Depending on whether the port-tunneling or VLAN-tunneling mode is used, the interfaces that
Review
strategies
allow port
largeinterfaces
enterpriseorcustomers
to enhance
receive the Layer 2 packets
can
be eitherthat
Ethernet
VLAN interfaces
(or
theirlabels
service
maintaining
routing
controla table, which
subinterfaces). To impose
on offerings
packets, while
the ingress
PE router
maintains
associates an EoMPLS tunnel with an interface/FEC. This table keeps the information needed
for sending the packet, such as the outgoing interface and encapsulation.
technologies.
Although
3 MPLS VPNs fulfill the market need for some
The label imposition
process involves
theLayer
following:
1. A two-level label
stack,
described
earlier
in the
Label
Stack"
section
of this
services
over
their existing
Layer
3 "EoMPLS
cores. The
solution
in these
cases
is a
chapter, is learned
via the
for allow
each VC.
An2NP
also provides
MAC 3
rewrite that
technology
thatLDP
would
Layer
transport
over aaLayer
contains theinfrastructure.
outgoing Layer 2 encapsulation in addition to the label stack that changes
the encapsulation of the packet to comply with the outgoing interface.
2. The label stack
and the
output
MAC encapsulation
prepended
to the packet,
Network
(VPN)
concepts,
and describesare
Layer
2 VPN techniques
via and the
packet is forwarded
to the
egress
interface
for transmission.
introductory
case
studies
and comprehensive
3. The outgoing
VC label's
TTL field is set to
2.
history
and implementation
details
Label Disposition
Label disposition refers to label removal from a packet. It is performed at the egress PE, or the
label disposition router. This router receives a packet, strips the bottom (VC) label (and the top
[PSN] label if it exists, in cases such as explicit-null), and sends the remaining Layer 2 frame
out of the egress attachment circuit interface.
After label imposition, the packets travel across the MPLS core network via standard label
switching and arrive at the egress PE. At that point, they might already have their tunnel label
removed and be left with only the VC label. This might have occurred because the next to last
(penultimate) router "popped" the tunnel label prior to transmitting the packet to the egress
PE. This process is commonly referred to as Penultimate Hop Popping (PHP) . If hop popping is
supported at the penultimate router, the egress PE requests it. It advertises an implicit null
label to its directly connected neighbor via BGP, which causes the neighbor to pop the tunnel
label when switching the packets to the egress PE.
2 VPN Architectures
When the egress Layer
PE receives
the packet with the VC label, it needs to select an appropriate
form of disposition.
ForLuo,
this,
the No.
egress
PE
checks
the label
information
base (LFIB).
ByWei
- CCIE
13,291,
Carlos
Pignataro,
- CCIEforwarding
No. 4619,Dmitry
Bokotey, - CCIE
The LFIB containsNo.
information
between the outgoing interface and a given VC
4460,Anthonyabout
Chan, - the
CCIEbinding
No. 10,266
ID, which was initially inserted into the LFIB with the VC label. The LFIB lookup informs the PE
that EoMPLS disposition
will be
performed
and finds the corresponding egress interface for the
Publisher:
Cisco
Press
VC. The VC label is then
popped, the VLAN ID is rewritten (if needed), and the frame is
transmitted to the proper outgoing interface.
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Note
Master
the world
of the
Layer
2 VPNs
to provide
enhanced
serviceswith
and enjoy
The ingress and
egress
PEs are
only
two routers
in the
MPLS backbone
knowledge ofproductivity
the Layer 2gains
transport VCs. No other intermediate hops have table
entries for the Layer 2 transport VCs. Therefore, only PEs require EoMPLS
functionality.
network
architecture
Figure 7-4 illustrates the
process
of imposition and disposition, where traffic flow is bound first
from Site 1 to Site 2 and then in the opposite direction.
Figure
Label
Imposition
and routing
Disposition
their7-4.
service
offerings
while maintaining
control

[Viewand
full size
image]
voice
infrastructure.
The traffic flow over an EoMPLS VC, between the imposition and disposition PEs, follows the
same path across the MPLS backbone, unless routing changes within the network of the
provider cause the change.
Note
For an LSP to be present from PE to PE, routes from a PE that its neighbors discover
cannot be summarized. They must have a mask of /32.
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.

EoMPLS Transport
Case Studies
This section demonstrates

the
configuration
that is required to establish connectivity between the
Publisher:
Cisco
Press
customer sites usingPub
EoMPLS
transport.
Date: March
10, 2005Although it is impossible to cover all possible situations, a wide
range of EoMPLS scenarios is provided. The case studies do not concentrate on specific platforms;
ISBN: 1-58705-168-0
Table
of offer generic configuration for routers and switches. The beginning case studies show
rather,
they
Pages:
648
Contents
topologies
and configurations that involve routers and move on to case studies that involve switches.
Index
Figure 7-5 shows the general topology used throughout the case studies. Some variations from one case
study to the next require configuration or topology modifications. The goal that is common to all case
studies is to establish Layer 2 and higher connectivity between the two customer sites (Oakland and
Master
the 2world
of an
Layer
2 VPNs to provide
enhanced
services and
enjoy
Albany) by extending
Layer
across
MPLS-enabled
and routed
core network.
Routed
means that IP
gains
traffic is switchedproductivity
at Layer 2 and
not bridged across the core.
Figure
7-5.
Study
Topology
Reduce
costs
and EoMPLS
extend the Case
reach of
your services
by unifying your
[View
size image]
tofull
address

Prior to configuring
tasks thatthey
are have
specific
to each
case study,
youcarriers
must complete
configuration that is
customers,
some
drawbacks.
Ideally,
with existing
applicable to all case
studies.
configuration
involves
the three
provider
routers:
legacy
LayerThis
2 and
Layer 3 networks
would
like toservice
move toward
a core
single
SanFran, Denver,backbone
and NewYork.
tasks
as the
follows
(not necessarily
in this order):
while The
newconfiguration
carriers would
like are
to sell
lucrative
Layer 2
Assign IP addresses to all physical core links.
infrastructure.
Choose an interior IP routing protocol to propagate those networks.
Networkinterfaces.
(VPN) concepts,
and describes
2 VPN techniques
via no summarization
Configure loopback
Remember
to use theLayer
/32 subnet
mask because
introductory
case
studies
and
comprehensive
design
scenarios.
This
book
is allowed into an LDP-targeted session. For instance, the IP addresses that are employed
in the
assists
readers
looking
to
meet
those
requirements
by
explaining
the
case studies are 192.168.1.102 for SanFran, 192.168.1.101 for Denver, and 192.168.1.103 for
NewYork. history and implementation details of the two technologies available from
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbased coresfor
and
Layer
Tunneling
Protocol
3 (L2TPv3)
for native
Enable CEF (necessary
MPLS
to 2work)
with the
ip cefversion
command.
(On some
higher-end router
IP cores.
The
structure
of this CEF
book[dCEF]
is focused
platforms, you
need to
enable
distributed
instead.)
comparing
tothe
those
of Layer
Configure MPLS
globallythem
using
mpls
ip command.
Configure LDP to tell the routers to exchange MPLS labels with the mpls label protocol ldp
command.
Specify the loopback interface for the LDP router ID selection via the mpls ldp router-id
loopback# [force] command.
Enable MPLS on the router-to-router interfaces by using the mpls ip and mpls label protocol ldp
interface commands.
Example 7-3 demonstrates the preceding configuration for SanFran, Denver, and NewYork, respectively.
Example 7-3. Required Preconfiguration

hostname SanFran
!
ip cef
mpls ip
Pub Date:
mpls label protocol
ldp March 10, 2005
ISBN: 1-58705-168-0
mpls Table
ldp ofrouter-id Loopback0
force
Pages: 648
Contents
!
Index
interface Loopback0
ip address 192.168.1.102 255.255.255.255
!
interface Serial6/0
ip address 10.1.1.102 255.255.255.0
productivity gains
no ip directed-broadcast
mpls label protocol ldp
mpls ip
!
router ospf 100
log-adjacency-changes detail
network 0.0.0.0 255.255.255.255
area
0 to address Layer 2 VPN application utilizing
Gain from the first
book
hostname Denver
!
ip subnet-zero
ip cef
mpls ip
mpls label protocol
ldp
For a majority
mpls ldp router-id
Loopback0
force
are still
derived from
!
interface Loopback0
ip address 192.168.1.101
legacy Layer 2255.255.255.255
!
interface Serial5/0
ip address 10.1.2.101
255.255.255.0
infrastructure.
Layer 2 VPN
mpls label protocol
ldp Architectures introduces readers to Layer 2 Virtual Private
mpls ip
!
interface Serial6/0
history and255.255.255.0
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSno ip directed-broadcast
based cores
mpls label protocol
ldp and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
tag-switching IP
ipcores. The structure of this book is focused on first introducing the
!
router ospf 100comparing them to those of Layer 3 based VPNs, such as MPLS, then
progressively
log-adjacency-changes
detail
network 0.0.0.0 255.255.255.255 area 0
hostname NewYork
!
ip subnet-zero
ip cef
mpls ip
mpls ldp router-id Loopback0 force
!
interface Loopback0
ip address 192.168.1.103 255.255.255.255
!
interface Serial5/0
ByWei Luo, - 255.255.255.0
CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
No. 4460,Anthony
mpls label protocol
ldp Chan, - CCIE No. 10,266
mpls ip
!
router ospf 100 Pub Date: March 10, 2005
ISBN: 1-58705-168-0
Table of0.0.0.0 255.255.255.255 area 0
network
Contents
Index
Pages: 648
productivity gains
Normally, you would not use network 0.0.0.0 when configuring your OSPF statements. Here, it
is used strictly in a practice lab environment.
Note
network
architecture
At this point, you should
verify that
basic connectivity between the core devices works before moving on
to specific EoMPLS configuration. Apply the following verification and troubleshooting principles to each
router. For brevity, output for only one router is shown for each step.
Check that the routes are being received via an IGP, as shown in Example 7-4.
Example 7-4.For
show
ip route
ospf
Command
a majority
of Service
Providers,
SanFran#show ip route ospf
10.0.0.0/24 is subnetted, 2 subnets
O
10.1.2.0 [110/128] via 10.1.1.101, 00:11:11, Serial6/0
O
192.168.1.101 [110/65] via 10.1.1.101, 00:11:11, Serial6/0
O
192.168.1.103 [110/129] via 10.1.1.101, 00:11:11, Serial6/0
infrastructure.
Verify that the MPLS-enabled interfaces are operationalin other words, that MPLS is enabled on an
interface, as in Example 7-5.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSExample 7-5.based
show
mpls
interfaces
Command
cores
and Layer
2 Tunneling
reader
Denver#show mpls
interfaces
comparing
of Layer
Interface
IP them to those
Tunnel
Operational
progressively
covering
each
currently
available solution in greater detail.
Serial5/0
Yes (ldp) No
Yes
Serial6/0
Yes (ldp)
No
Yes
Ensure that the PE routers have discovered the P router via the show mpls ldp discovery command,
as shown in Example 7-6.
Example 7-6. show mpls ldp discovery Command
NewYork#show mpls ldp discovery

Local LDP Identifier:
192.168.1.103:0
Discovery Sources:
Interfaces:No. 4460,Anthony Chan, - CCIE No. 10,266
Serial5/0 (ldp): xmit/recv
Publisher:
Cisco Press
LDP Id:
192.168.1.101:0
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
You can
also confirm that LDP
sessions are established between the routers (see Example 7-7). You can
IndexNewYork has established a session with Denver.
see that
Example 7-7. show mpls ldp neighbor Command
productivity gains
NewYork#show mpls ldp neighbor
Peer LDP Ident: 192.168.1.101:0; Local LDP Ident 192.168.1.103:0
TCP connection: 192.168.1.101.646 - 192.168.1.103.11004
State: Oper; Msgs sent/rcvd: 10/10; Downstream
Up time: 00:02:00
LDP discovery sources:
Serial5/0,
Src
IP the
addr:
Gain
from
first 10.1.2.101
Addresses bound
to
peer
both ATOM and LDP
L2TPIdent:
protocols
10.1.2.101
192.168.1.101
10.1.1.101
Another way of verifying
whether
labelProviders,
forwardinga table
is builtportion
correctly
is to revenues
issue the show mpls
For a majority
of the
Service
significant
of their
forwarding-table
and
show
mpls
forwarding-table
detail
commands,
as
in
Example
are still derived from data and voice services based on legacy transport 7-8.
Example 7-8.legacy
show
mpls
forwarding-table
and
show
mpls
forwarding-table
Layer
2 and
Layer 3 networks would
like
to move
toward
a single
detailCommands
SanFran#show mpls
forwarding-table
infrastructure.
Local Outgoing
Prefix
Bytes tag Outgoing
Next Hop
tag
tag or VC
Tunnel
Id
switched
interface
Layer or
2 VPN
Architectures
introduces readers
16
Pop tag Network
10.1.2.0/24
0 describesSe6/0
point2point
(VPN) concepts, and
Layer 2 VPN techniques
via
17
Pop tag introductory
192.168.1.101/32
0 comprehensive
Se6/0 design scenarios.
point2point
case studies and
This book
18
17
0
Se6/0
assists192.168.1.103/32
readers looking to meet
those requirements
bypoint2point
explaining the
----------------------------------------------------------history and implementation details of the two technologies available from
SanFran#show mpls
forwarding-table
detail
the Cisco
Unified VPN suite:
Any Transport over MPLS (ATOM) for MPLSLocal OutgoingbasedPrefix
Bytes tag
Outgoing
Next Hop
cores and Layer 2 Tunneling
Protocol
version 3 (L2TPv3)
for native
tag
tag or VC
or
Tunnel
Id
switched
interface
16
Pop tag reader10.1.2.0/24
0 and implementation
Se6/0
point2point
to Layer 2 VPN benefits
requirements
and
MAC/Encaps=4/4,
MRU=1504,
Tag
Stack{}
comparing them
to those
of Layer
0F008847
No output feature configured
17
Pop tag
192.168.1.101/32 0
Se6/0
point2point
MAC/Encaps=4/4, MRU=1504, Tag Stack{}
0F008847
18
17
192.168.1.103/32 0
Se6/0
point2point
MAC/Encaps=4/8, MRU=1500, Tag Stack{17}
0F008847 00011000
You are now ready to begin the specialized EoMPLS case studies. They are as follows:
Case Study No.

7-1:
Router
toChan,
RouterPort
Based
4460,
Anthony
- CCIE No.
10,266
Case Study 7-2: Router to RouterVLAN Based
Pub
Date: Rewrite
March 10, 2005
Case Study 7-3:
VLAN
ISBN: 1-58705-168-0
Table of
Case Study 7-4: Switch
to SwitchVLAN Based
Pages:
648
Contents
Index
Case Study 7-5: Switch to SwitchPort Based
Case Study 7-6: VLAN Rewrite in Cisco 12000 Series Routers
Case Study 7-7: Map to Pseudowire
productivity gains
about
2 Virtual Private
Networks (VPNs)
Case Study 7-1: Learn
Router
toLayer
RouterPort
Based
In this case study, you build on the preconfigured portion of the service provider core routers by using
the topology presented in Figure 7-5. Your objective is to transport all customer traffic without utilizing
802.1q. In this case, CE
devices
You
CE 2switches
scenario utilizing
in Case Study 7-5,
Gain
from are
the routers.
first book
to explore
addressthe
Layer
VPN application
later in this chapter. both ATOM and L2TP protocols
The port transparency Review
feature strategies
is designed
for allow
Ethernet
port-to-port
transport, where
the entire Ethernet
that
large
to enhance
frame without the preamble
or FCS offerings
is transported
a single packet
based
on the VC type 5.
their service
while as
maintaining
routing
control

areTransparency
Configuring Port
they
have some
drawbacks.
Ideally,
carriers
existing
Port transparencycustomers,
configuration
involves
the two
PE routers:
SanFran
and with
NewYork.
Keep all settings
Layer
2 and the
Layer
3 networks
would like
to move
toward a single
from the previouslegacy
section
and issue
xconnect
peer-router
id vcid
encapsulation
mpls command
carriers would
to sell allows
the lucrative
for those Ethernetbackbone
links thatwhile
face new
the customer.
This like
command
you to Layer
make 2a connection to the
services
their existing
Layer
3 cores.
The solution
in these
cases
is a as the
peer PE routerthat
is, fromover
SanFran
to NewYork
and
vice versa.
peer-router-id
was
specified
technology
that
would
allow
Layer
2
transport
over
a
Layer
3
loopback interface's address on each of the PEs. vcid is a unique identifier shared between the two PEs.
infrastructure.
Thevcid value must
match on both routers. The encapsulation mpls portion of the command
identifies MPLS instead of L2TPv3 as the tunneling method that encapsulates data in the pseudowire.
Network
(VPN)
concepts, on
andthe
describes
2 VPN techniques
Example 7-9 shows
the new
configuration
SanFranLayer
and NewYork
routers. via
and implementation details of the two technologies available from
Example 7-9.history
Configuring
Port Transparency
hostname SanFran
!
!
progressively
! Output omitted
for brevity
!
interface Ethernet0/0
xconnect 192.168.1.103 100 encapsulation mpls
description to Oakland
!
hostname NewYork
!
! Output omitted for brevity
!
description to Albany
!
Verifying and Troubleshooting
Port Transparency Operation
ISBN:to1-58705-168-0
You can
take several steps
ensure that your configuration is complete. First, you might want to check
Table of
the status
of
the
VCs
by
issuing
the show mpls l2transport vc command. Example 7-10 shows that
Pages:
648
Contents
VC 100
is
up
on
both
SanFran
and
NewYork.
Index
Example 7-10. show mpls l2transport vcCommand

productivity gains
SanFran#show mpls l2transport vc
Local intf
Local
circuit
Dest
address
VC(VPNs)
ID
Status
Learn
about Layer 2 Virtual
Private
Networks
------------- ----------------------- --------------- ---------- ---------Et0/0
Ethernet
100
UP
Reduce costs and extend192.168.1.103
by unifying
your
------------------------------------------------------------------------------network architecture
NewYorkshow mpls l2transport vc
both
Local intf
Local
circuit
Dest address
VC ID
Status
------------- ----------------------- --------------- ---------- ---------Review strategies that allow
large enterprise100
customers to
Et0/0
Ethernet
192.168.1.102
UPenhance

are still
derived from
data
andtype
voice
based
legacy transport
To view more detailed
information
on VC
100,
in services
the show
mplsonl2transport
vc 100 detail
technologies.
Although
MPLS
VPNs7-11.
fulfill From
the market
need for
command on either
of the PE routers,
as Layer
shown3in
Example
the output,
yousome
learn the VC and
customers,
some
drawbacks.
Ideally,
interface status, label
values,they
MTUhave
presets,
among
other useful
facts.
services
over
their existing
Layer 3 vc
cores.
Thedetail
solution
in these cases is a
Example 7-11.
show
mpls
l2transport
100
Command
infrastructure.
SanFran#show mpls l2transport vc 100 detail
Layer
2 VPN
Architectures
introduces
readers toup
Local interface:
Et0/0
up,
line protocol
up, Ethernet
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via
Destination address: 192.168.1.103, VC ID: 100, VC status:
up
introductory
case
studies
and
comprehensive
design
scenarios.
This
book
Preferred path: not configured
assists
readers
looking
to
meet
those
requirements
by
explaining
the
Default path: active
history
implementation
Tunnel label:
17,and
next
hop point2point
the Cisco Se6/0,
Unified VPN
suite:label
Any Transport
over
MPLS (ATOM) for MPLSOutput interface:
imposed
stack {17
19}
cores and
2 Tunneling
Create time: based
00:07:06,
lastLayer
status
change Protocol
time: 00:06:27
IP cores. LDP,
The structure
of this book is focused
Signaling protocol:
peer 192.168.1.103:0
up
reader local
to Layer
2 VPN
benefits
MPLS VC labels:
19,
remote
19 and implementation requirements and
comparing
them to0those of Layer 3 based VPNs, such as MPLS, then
Group ID: local
0, remote
progressively
covering
MTU: local 1500, remote
1500 each currently available solution in greater detail.
Remote interface description: to Albany
Sequencing: receive disabled, send disabled
VC statistics:
packet totals: receive 45, send 45
byte totals:
receive 4806, send 4812
packet drops: receive 0, send 0
To check the VC type, you can turn on debugging with the debug mpls l2transport signaling
message command. Try using it immediately followed by the interface xconnect command. Your
output should match that in Example 7-12.
ByWei
Luo, - CCIE
No. 13,291,
Carlos Pignataro,signaling
- CCIE No. 4619,message
Dmitry Bokotey,Command
- CCIE
Example 7-12.
debug
mpls
l2transport
#SanFran#debug mpls
l2transport
Publisher:
Cisco Press signaling message
AToM LDP message Pub
debugging
Date: Marchis
10, on
2005
SanFran(config)#int e 0/0
ISBN: 1-58705-168-0
Table of
SanFran(config-if)#
Contents
Pages: 648
00:29:01:
%LDP-5-NBRCHG: LDP Neighbor 192.168.1.103:0 is UP
Index
00:29:01: AToM LDP [192.168.1.103]: Sending label mapping msg
vc type 5, cbit 1, vc id 100, group id 0, vc label 19, status 0, mtu 1500
00:29:01: AToM LDP [192.168.1.103]: Received label mapping msg, id 100
vc type 5, cbitMaster
1, vcthe
idworld
100,ofgroup
0, vc
label 19,
status
0, mtuand
1500
Layer id
2 VPNs
to provide
enhanced
services
enjoy
00:29:02: %SYS-5-CONFIG_I:
Configured from console by console
productivity gains

In addition, you can use the show mpls l2transport binding command to get similar information
without debugging.
Note

service
offerings
routing
control
With the output oftheir
some
commands,
youwhile
can maintaining
determine the
VC type.
The most common way
is by observing the configuration of the interface. A physical interface without a subinterface
Fortype
a majority
of Service
Providers,
a significant
of their
revenues
represents VC
5. A VLAN
or subinterface
means
VC typeportion
4. In newer
Cisco
IOS Software
are still
derived
from
data and
on legacy transport
implementations,
such
details
become
less voice
criticalservices
becausebased
of auto-negotiation
of the VC type.
backbone
while
new
carriers would
like to sell
theARP
lucrative
Layer
Finally, you should
be able to
verify
connectivity
by looking
at the
table of
the 2
CE routers and
services
over
their
existing
Layer
3
cores.
The
solution
in
these
cases
is a
sending an ICMP message from one CE router to the other. Example 7-13 displays
the output
of these
that would
commands issuedtechnology
on the Oakland
router.
infrastructure.
Example 7-13.
show arpand pingCommands

Oakland#show arp
of the
two technologies
available from
Protocol Address
Age (min) details
Hardware
Addr
Type Interface
the Cisco Unified VPN suite:
Any
Transport over ARPA
MPLS (ATOM)
for MPLSInternet 192.168.100.1
00D0.0c00.6c00
Ethernet0/0
____________________________________________________________________________
Oakland#ping 192.168.100.2
reader to
toLayer
abort.
comparing
them
to those
of Layer 3 basedtimeout
VPNs, such
MPLS, then
Sending 5, 100-byte ICMP Echos
to 192.168.100.2,
is as
2 seconds:
progressively
covering
each
currently
available
solution
in
greater detail.
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/18/20 ms
_________________________________________________________
Oakland#show arp
Protocol Address
Internet 192.168.100.1
Internet 192.168.100.2
Oakland#
Age (min)
0
Hardware Addr
00D0.0c00.6c00
00D0.0c00.6f00
Type
ARPA
ARPA
Interface
Ethernet0/0
Ethernet0/0
InExample 7-13, notice the difference between the first and the second time that the show arp
command is used.Layer 2 VPN Architectures
Case Study 7-2: Router to RouterVLAN Based

This case study explains how to enable MPLS to transport Layer 2 VLAN packets between the two
ISBN: 1-58705-168-0
customer
sites. The configuration
is based on the topology from Figure 7-6.
Table of
Contents
Index
Pages: 648
Figure 7-6. Router-to-Router VLAN-Based Topology

productivity gains
Again, for this case study, you can use the preconfigured portion described earlier in the chapter.
However, instead of VCReview
type 5,strategies
as in the that
previous
study,
you will
use VC type
4.
allowcase
large
enterprise
customers
to enhance
For a majority
of Service
Providers,
Configuring VLAN-Based
EoMPLS
on
PE Routers
technologies.
Although
3 MPLS VPNs fulfill
the market
some
To configure VLAN-based
EoMPLS
on the Layer
imposition/disposition
routers,
followneed
thesefor
steps:
legacy
Layer
2 and Layer
3 facing
networks
Step Specify an
Ethernet
interface
that is
the would
customer.
backbone
while
new
carriers
would
like
to
sell
the lucrative Layer 2
1.
Step Specify the
Ethernet that
subinterface
on that
interface.
Set over
up the
subinterface
for the label
technology
would allow
Layer
2 transport
a Layer
3
2.
imposition.
infrastructure.
Layer 2encapsulation
VPN Architectures
readers
to Layer
2 Virtual Private
Specify 802.1q
for theintroduces
subinterface
with the
encapsulation
dot1Qvlan-id
Network
(VPN)
concepts,
describes
2 VPN techniques
command.
The vlan-id
value
shouldand
match
that ofLayer
the adjoining
CE router.via
assiststhe
readers
meet those
requirements
explaining
the peer-router
Step Finally, specify
VC forlooking
use to to
transport
the VLAN
packets by
with
the xconnect
history
and
implementation
details
of
the
two
technologies
available
from
4.
id vcid encapsulation mpls command. The purpose of the command was discussed
the
Cisco
Unified
VPN
suite:
Any
Transport
over
MPLS
(ATOM)
for
MPLSpreviously in Case Study 7-1. Its use and method of application are the same here.
reader to Layer
2 VPN benefits
and implementation
and
Example 7-14 demonstrates
the SanFran
and NewYork
configuration requirements
needed for this
case study.
Step
3.
Example 7-14. Configuring VLAN-Based EoMPLS on PE Routers

hostname SanFran
!
!
interface FastEthernet0/0
!
interface FastEthernet0/0.100
encapsulation dot1Q 100
!
hostname NewYork
!
!
!
ISBN: 1-58705-168-0
!
Table of
Pages:
648
interface
FastEthernet0/0.100
Contents
encapsulation
dot1Q
100
Index
no cdp enable
!
productivity gains

EoMPLS on CE Routers
VLAN-based EoMPLS also
requires
configuration of the CE routers. The CE routers must have the same
network
architecture
VLAN ID as the PE routers. Use the following configuration on the CE routers to transport Layer 2 VLAN
packets:
Step 1. Select an Ethernet interface that is facing the PE.
their serviceIt
offerings
whilethe
maintaining
routing
Step 2. Set up the subinterface.
should have
same VLAN
ID ascontrol
the adjacent PE.
Step 3. Give anare
IP address
to the
subinterface.
still derived
from
they have some
Ideally,along
carriers
Step 4. Specifycustomers,
an 802.1q encapsulation
fordrawbacks.
the subinterface,
withwith
the existing
VLAN ID, via the
legacy Layer
2 and
Layer
3 networks would like to move toward a single
encapsulation
dot1Q
vlan-id
command.
technology
that would allow
2 transport
over a Layer
3
Example 7-15 shows
the customer-side
routerLayer
configuration
of Oakland
and Albany.
infrastructure.
Layer
2 VPN Architectures
introducesEoMPLS
readers toon
Layer
Virtual Private
Example 7-15.
Configuring
VLAN-Based
CE2Routers

hostname Oakland
!
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSinterface Ethernet0/0
no ip address based cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
!
interface Ethernet0/0.100
encapsulation progressively
dot1Q 100 covering each currently available solution in greater detail.
ip address 192.168.100.1 255.255.255.0
----------------------------------------------------------------------hostname Albany
!
no ip address
!
ip address 192.168.100.2 255.255.255.0
the Configuration
To ensure
the validity ofISBN:
your1-58705-168-0
configuration, you can use the same techniques as in Case Study 7-1. For
Table of
instance,
issue
show
mpls
l2transport
vc on one of the PE routers to check the status of the VC, as
Pages:
648
Contents
shown
in
Example
7-16.
Note
the
subinterface
in the Local intf column.
Index
Example 7-16. show mpls l2transport vcCommand

productivity gains
SanFran#show mpls l2transport vc
Local intf
Local
circuit
Dest
address
VC(VPNs)
ID
Status
Learn
Private
Networks
------------- ----------------------- --------------- ---------- ---------Et0/0.100
Eth VLAN
100costs and extend
192.168.1.103
UP
Reduce
the reach of your100
services by unifying
your
The show mpls l2transport
100 and
detail
command
output from Example 7-17 presents the .100
both vc
ATOM
L2TP
protocols
numbered subinterface, in addition to the Eth VLAN 100 up, indicating the use of the VLAN-based
EoMPLS. Compare it toReview
Ethernet
up from that
the same
command's
output
for port-based
EoMPLS used in
strategies
allow large
enterprise
customers
to enhance
Case Study 7-1.
are show
still derived
from
data and voicevc
services
on
legacy transport
Example 7-17.
mpls
l2transport
100 based
detail
Command
SanFran#show mpls
l2transport
1003 detail
legacy
Layer 2 andvc
Layer
networks would like to move toward a single
Local interface:
Et0/0.100
protocol
up,to Eth
VLAN
100 upLayer 2
backbone
whileup,
newline
carriers
would like
sell the
lucrative
Destination address:
192.168.1.103,
VC ID:
100, The
VC solution
status: inup
services over
their existing Layer
3 cores.
these cases is a
Preferred path:
not that
configured
technology
Default path:
active
infrastructure.
Tunnel label: 17, next hop point2point
Output interface:
Se6/0,
imposed introduces
label stack
{17 to
16}
Layer 2 VPN
Architectures
readers
Create time: Network
00:00:57,
last
statusand
change
time:
00:00:20
(VPN)
concepts,
describes
Layer
2 VPN techniques via
Signaling protocol:
LDP,
peer
192.168.1.103:0
up design scenarios. This book
introductory
case
studies
and comprehensive
MPLS VC labels:
remote
16 those requirements by explaining the
assists local
readers16,
looking
to meet
Group ID: local
0
history0,
andremote
implementation
MTU: local the
1500,
Ciscoremote
Unified1500
VPN suite: Any Transport over MPLS (ATOM) for MPLSRemote interface
description:
based cores
Sequencing: receive
send
disabled
IP cores. disabled,
The structure
of this
VC statistics:
packet totals:
receive
3,tosend
comparing
them
those3of Layer 3 based VPNs, such as MPLS, then
byte totals:
receivecovering
1627, send
1628
progressively
each currently
Theshow mpls forwarding-table command in Example 7-18 shows label 16 advertised to the remote
PE and used in disposition.
Example 7-18. show mpls forwarding-tableCommand
SanFran#show mpls forwarding-table

Local Outgoing
Prefix
Bytes tag
Outgoing
Next Hop
Layer 2or
VPNTunnel
Architectures
tag
tag or VC
Id
switched
interface
16
UntaggedByWei Luo,
l2ckt(100)
1603
Et0/0.100
point2point
- CCIE No. 13,291,Carlos
Pignataro, - CCIE
No. 4619,Dmitry Bokotey,
- CCIE
17
Pop tag No. 4460,
10.1.2.0/24
0
Se6/0
point2point
18
Pop tag
192.168.1.101/32 0
Se6/0
point2point
19
17
192.168.1.103/32 0
Se6/0
point2point

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Case Study 7-3: VLAN Rewrite

The VLAN rewrite feature is needed when The VLAN IDs on either side of the customer Ethernet network
do not match. The network scenario in Figure 7-7 illustrates such a situation.
productivity gains
Figure 7-7. VLAN Rewrite Topology

reach
[Viewthe
full size
image]
To compensate for
the
mismatch,
change
encapsulation
SanFran
to match
the VLAN ID of
are
still
derived from
dataVLAN
and voice
services on
based
on legacy
transport
NewYork. Following
Figure
7-7,
modify
the
Case
Study
7-2
configuration
on
the
Oakland
router to reflect
the new VLAN ID.customers, they have some drawbacks. Ideally, carriers with existing
Example 7-19 shows
the Oakland
and carriers
Albany interface
Note that
in 2comparison to Case
backbone
while new
would likeconfigurations.
Layer
Study 7-2, the settings
for
Albany
remain
the
same,
whereas
Oakland
displays
200
as its
services over their existing Layer 3 cores. The solution in these cases
is aVLAN ID for
the dot1Q encapsulation.
infrastructure.
Example 7-19.
Configuring
CE Routers
Layer
2 VPN Architectures
hostname Albanyassists readers looking to meet those requirements by explaining the
!
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS!
encapsulation reader
dot1Q to
100
ip address 192.168.100.2
255.255.255.0
comparing them
_______________________________________________________________________
hostname Oakland
!
!
ip address 192.168.100.1 255.255.255.0
On the PE side, reconfigure the VLAN ID for the subinterface to match that of its neighboring CE.
According to the topology
used in this case study, you do not need to change the VLAN ID on NewYork
ByWei
Luo, - CCIE No.
13,291,Carlos
Pignataro,
CCIE
No. 4619,
Dmitry Bokotey,
- CCIE
from your previous
configuration
because
the VLAN
ID -for
Albany
remains
100. However,
you need to
No. 4460,Anthony
- CCIEOakland's
No. 10,266 new ID.
reset the ID for SanFran
to 200Chan,
to equal
As previously mentioned,
vcid
values
Publisher:
Cisco
Pressof both PEs need to be the same. Therefore, they will remain 100
in the xconnect command,
rewriting the 200 VLAN to 100 to meet the requirement. The PE
Pub Date: thereby
March 10, 2005
configuration is illustrated in Example 7-20.
Table of
Contents
Index
Example
ISBN: 1-58705-168-0
Pages: 648
7-20. Configuring VLAN Rewrite on PE Routers
hostname SanFran
!
productivity gains
!
!
!
xconnect 192.168.1.103
100 the
encapsulation
mpls Layer 2 VPN application utilizing
Gain from
first book to address
----------------------------------------------------------------------both ATOM and L2TP protocols
hostname NewYork
!
! Output omitted for
brevity
their
!
!
!
encapsulation legacy
dot1Q Layer
100 2 and Layer 3 networks would like to move toward a single
backbone while
carriers would
xconnect 192.168.1.102
100 new
encapsulation
mpls
infrastructure.
The issue of VLAN mismatch is not as simple when switches are concerned. This is discussed further in
Case Study 7-6. Layer 2 VPN Architectures introduces readers to Layer 2 Virtual Private
assists
readers looking
to meet those Based
Case Study 7-4:
Switch
to SwitchVLAN
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSIn this case study, the topology differs from the rest in that both PE and CE devices are switches instead
of routers. The PEs are 7600 routers with gigabit WAN interfaces facing the MPLS core. Both CE switches
connect to the PEs via 802.1q trunks.
The new topology is presented in Figure 7-8.
Figure 7-8. Switch to SwitchVLAN-Based Topology


Table of
Contents
Note
Index
ISBN: 1-58705-168-0
Pages: 648
EoMPLS can run either on a SUP720-3BXL-based system or a supervisor engine 2-based

system. With SUP720-3BXL-based systems, you can implement EoMPLS on either the
supervisor engine
on an
Flexwan
moduleenhanced
facing the
MPLS core
Master720
theor
world
of OSM
Layeror2 aVPNs
to provide
services
and network,
enjoy
whereas theproductivity
supervisor engine
2-based
system
must
be
equipped
with
an
OSM
module or a
gains
Flexwan module facing the MPLS core.

EoMPLS on PEs
To start, you do not need

tofrom
make
configuration
the 2
Denver
router of the
service provider
Gain
the
first book tochanges
addresson
Layer
VPN application
utilizing
network. The majority both
of the
SanFran
switches' configuration mirrors that of the SanFran
ATOM
and and
L2TPNewYork
protocols
and NewYork routers from previous case studies. Example 7-21 shows the configuration of the SanFran
and NewYork switches Review
prior tostrategies
the settings
needed
for this
case study.
Notice that
the serial interfaces
that
allow large
enterprise
customers
to enhance
changed to GE-WAN. their service offerings while maintaining routing control

are SanFran
still derivedand
fromNewYork's
data and voiceInitial
servicesConfiguration
Example 7-21.
hostname SanFran
!
ip cef
mpls ip
infrastructure.
mpls label protocol
ldp
mpls ldp router-id Loopback0
!
interface Loopback0
introductory case
ip address 192.168.1.102
255.255.255.255
!
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSinterface GE-WAN3/1
based cores
255.255.255.0
reader ldp
mpls label protocol
mpls ip
!
router ospf 100
network 0.0.0.0 255.255.255.255 area 0
__________________________________________________________
hostname NewYork
!
ip subnet-zero
ip cef
mpls ip

!
interface Loopback0
ByWei Luo, - CCIE255.255.255.255
ip address 192.168.1.103
!
interface GE-WAN3/1
Publisher:255.255.255.0
Cisco Press
mpls label protocol
ldpMarch 10, 2005
Pub Date:
ISBN: 1-58705-168-0
mplsTable
ip of
Pages: 648
! Contents
router
Indexospf 100
network 0.0.0.0 255.255.255.255 area 0
productivity gains
Now you can configure specific tasks for this case study.
Supervisor Engine 2-Based System Configuration
Assume that SanFran is a SUP2-based system. Follow these steps to configure SanFran for EoMPLS:
Step 1. Configure a VLAN
ID or VLAN
range
with the vlan {vlan-id | vlan-range } global command.
both ATOM
and L2TP
protocols
Activate the VLAN with the state active command.
service
offerings
while
control
Step 2. Configure thetheir
physical
port
facing the
CE maintaining
for switchingrouting
by issuing
the switchport interface
command.
Step 3. Set the trunk encapsulation to dot1Q when the interface is in trunking mode with the
switchport trunk encapsulation dot1q command.
Step 4. Changebackbone
the allowed
list new
for the
specified
VLANs
viasell
thethe
switchport
trunk2 allowed vlan list
while
carriers
would
like to
lucrative Layer
command.
Step 5. Specify infrastructure.
a trunking VLAN Layer 2 interface with the switchport mode trunk interface command.
2 interface
VPN Architectures
introducesvlan
readers
to Layer
2 Virtual Private
Step 6. Create aLayer
VLAN
with the interface
vlan-id
command.
Step 7. Specify assists
the VC readers
for transporting
the
Layer
2 VLAN
packets via
mpls l2transport
route
looking to
meet
those
requirements
bythe
explaining
the
destination
vc-id
command.
the
configuration
byfocused
following
steps.
IP cores. The
structure
of thisadded
book is
onthe
firstpreceding
introducing
the
Example 7-22.
SanFrancovering
Additional
Configuration
for SUP-2
progressively
each currently
available solution
in greater detail.
hostname SanFran
!
vlan 100
state active
!
interface GigabitEthernet1/4
no ip address
switchport
switchport trunk encapsulation dot1q

switchport trunk allowed vlan 100
switchport mode trunk
no shut
!
interface Vlan100
no ip address
no ip mroute-cache
mpls l2transport Pub
route
100
Date:192.168.1.103
March 10, 2005
no shut
Table of
! Contents
ISBN: 1-58705-168-0
Pages: 648
Index
SUP720-3BXLBased System Configuration
productivity gains
The following set of steps applies EoMPLS on the SUP720-3BXL-based system for the NewYork PE:
Step
1.
Disable VLAN Trunking

Protocol
using
the vtp
mode transparent
global command.
Learn about
Layer(VTP)
2 Virtual
Private
Networks
(VPNs)
Step
2.
Reduce
costs and
extend the
reach
your services by unifying your
Specify the Gigabit
Ethernet
subinterface
with
the of
interface
gigabitethernetslot/interface.subinterface
command. Make sure the subinterface on the
adjoining CE switch is on the same VLAN as this PE switch.
Enable the subinterface to accept 802.1q VLAN packets via the encapsulation dot1q vlan-id
command. TheReview
subinterfaces
between
the CE
switches
that are
runningtoEoMPLS
should be in
strategies
that allow
large
enterprise
customers
enhance
the same subnet.
Step
3.
For a majority
of Service
Providers,VC
a significant
portion ofcommand.
their revenues
Bind the attachment
circuit
to a pseudowire
with the xconnect
customers, the
theySUP720
have some
drawbacks.
carriers
existingsteps.
configuration,
asIdeally,
discussed
in thewith
preceding
services
over theirAdditional
existing LayerConfiguration
3 cores. The solution
these cases is a
Example 7-23.
NewYork's
forin
SUP-720
infrastructure.
!
hostname NewYork
!
vtp mode transparent
!
no ip address the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
no shut
!
interface GigabitEthernet2/4.1
comparing
encapsulation dot1Q
100 them to those of Layer 3 based VPNs, such as MPLS, then
progressively
each currently
xconnect 192.168.1.102 100covering
encapsulation
mpls available solution in greater detail.
no shut
!
Step
4.
Configuring VLAN-Based EoMPLS on the CE Switches

Example 7-24 shows the CE switches configuration for Oakland and Albany. Notice that the CE side is
the same, regardless of whether the PE system is SUP2- or SUP720-3BXL-based.
Example 7-24. Configuring CE Switches for VLAN-Based EoMPLS

hostname Oakland
!
negotiation auto
no cdp enable
ISBN: 1-58705-168-0
no shut
Table of
Pages: 648
! Contents
interface
GigabitEthernet1/0.100
Index
ip address 192.168.100.1 255.255.255.0
no cdp enable
no shut
productivity gains
!
_____________________________________________________________________
hostname Albany
!
negotiation auto
no cdp enable
no shut
!
encapsulation dot1QReview
100 strategies that allow large enterprise customers to enhance
ip address 192.168.100.2
255.255.255.0
their service
no cdp enable For a majority of Service Providers, a significant portion of their revenues
no shut
!

services over their existing
the Configuration
infrastructure.
This section describes
the verification techniques recommended for this case study.
VPN command
Architectures
readers
to the
Layer
2 Virtual
Private
Issue the gshowLayer
vlan 2brief
on aintroduces
PE to check
whether
interface
can
provide two-way
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via
communication, as seen in Example 7-25.
Example 7-25.
show vlan briefCommand
IP cores.
SanFran#Show vlan
brief
VLAN Name
Status
Ports
comparing them to those of Layer
3 based
---- -------------------------------------------------------------progressively covering each currently
available
1
default
active
2
VLAN0100
active
Theshow mpls ldp discovery and show mpls ldp neighbor commands (as described earlier in the
opening paragraphs of the "Case Studies" section of this chapter), in addition to the show mpls
forwarding-table command, are useful. Although the show mpls forwarding-table command was
already displayed in Examples 7-6 and 7-16 of this chapter, what makes it different now is the line
highlighted in Example 7-26 showing the Layer 2 circuit (VLAN) configured in this case study.
Example 7-26. show mpls forwarding-tableCommand

SanFran#show mpls
forwarding-table
Local
tag
Outgoing
Prefix
Cisco Press
tag or VC Publisher:
or Tunnel
Id
Untagged
l2ckt(100)
ISBN: 1-58705-168-0
Table of
! Output
omitted
for
brevity
Pages:
648
Contents
Index
Bytes tag
switched
Outgoing
interface
Next Hop
133093
Vl100
point2point
You can check the status of your VCs by issuing the show mpls l2transport vc command.
Note the difference in the output of the show mpls l2transport vc command between Example 7-16
productivity gains
(earlier in this chapter) and Example 7-27. The local intf portion that showed Et0/0.100 before now
shows VLAN 100.
Reduce
costs and
extend the reach
Example 7-27. show
mpls
l2transport
vcCommand
SanFran#show mpls l2transport
Gain from thevc
first book to address Layer 2 VPN application utilizing
Local intf
Local circuit
Dest address
VC ID
Status
------------- ------------------------------------------------------Review strategies that allow large enterprise customers to
enhance
Vl100
Eth their
VLAN service
100
192.168.1.103
100 control UP
offerings while
maintaining routing

To view detailed information about your VC, issue the show mpls l2transport vc detail command, as
inExample 7-28.
Example 7-28.
show
mpls
l2transport
detail
Command
services
over
their existing
Layer 3 vc
cores.
The solution
in these cases is a
infrastructure.
SanFran#show mpls l2transport vc detail
Local interface: Vl100 up, line protocol up, Eth VLAN 100 up
Destination address: 192.168.1.103, VC ID: 100, VC status: up
Tunnel label: 17, next hop 192.168.1.101
Output interface: GE3/3, imposed label stack {17 16}
Create time: 00:00:57, last status change time: 00:00:20
Signaling protocol: LDP, peer 192.168.1.103:0 up
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSMPLS VC labels: local 16, remote 16
Group ID: local 71, remote 89
MTU: local 1500, remote 1500
Remote interface description:
VC statistics:
byte totals:
Case Study 7-5: Switch to SwitchPort Based
In this case study, you learn how to configure port-based EoMPLS in the switch-based environment. As
in the preceding case study, SanFran is a supervisor engine 2-based system and NewYork is a SUP7203BXL-based system. The configuration presented in this case study supports both QinQ and native
Layer 2 7-9
VPN shows
Architectures
Ethernet traffic. Figure
the topology for this case study.
Figure
Switch to SwitchPort-Based Topology
Publisher:7-9.
Cisco Press
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
Note
You could allow for port-based EoMPLS without 802.1q support. This would include all basic
configuration and Gain
exclude
allthe
dot1Q-related
Because
this
is application
a simpler approach
from
first book totasks.
address
Layer 2
VPN
utilizing with the
same basic configuration,
it does
its own case study in this book.
both ATOM
and not
L2TPwarrant
protocols
Configuring Port-Based
EoMPLS on the SanFran Switch
To set up the SanFran
SUP2-based
system
for port-based
EoMPLS
with
QinQ support,
technologies.
Although
Layer
3 MPLS VPNs
fulfill the
market
need for follow
some these
steps:
Step Enter thebackbone
VLAN ID with
vlan
{vlan_id
| vlan_range
command.
whilethe
new
carriers
would
like to sell }
the
lucrative Layer 2
1.
technology
allow
2 transport
over
a Layer
Step Enable dot1Q
taggingthat
for would
all VLANs
in Layer
a trunk
via the vlan
dot1q
tag3 native command.
infrastructure.
2.
Step
3.
Step
4.
Step
5.
Step
6.
Configure the physical port facing the CE for switching by using the switchport interface
command.
Set the trunking
mode tolooking
tunneling
with the
switchport
mode
dot1qtunnel
assists readers
to meet
those
requirements
by explaining
the interface
command.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSLayer
Tunneling
version
3 (L2TPv3)
for native access vlan
Specify abased
VLAN cores
whoseand
traffic
will2be
acceptedProtocol
by the port
through
the switchport
vlan_id command.
them data
to those
Layer filtering
3 based on
VPNs,
such as MPLS,
then
Configurecomparing
bridge protocol
unitof
(BPDU)
an interface
with the
spanning-tree
progressively
covering
each
currently
available
solution
in
greater
bpdufilter enable command to prevent a port from sending and receiving detail.
BPDUs to protect
the provider's side from potential spanning-tree attacks.
Step
7.
Create a virtual VLAN interface via the interface vlanvlan_id command.
Step
8.
Specify the VC to transport the VLAN traffic with the mpls l2transport routedestination vc_id
command.
Example 7-29 demonstrates the SanFran EoMPLS port-based configuration for transporting QinQ traffic
described in the preceding steps.

Example 7-29. SanFran Port-Based EoMPLS Configuration

hostname SanFran
!
vlan 100
!
ISBN: 1-58705-168-0
Table
of tag native
vlan
dot1q
Pages:
648
Contents
!
Index
interface
GigabitEthernet1/4
no ip address
switchport
switchport access vlan 100
Master
the world of Layer
switchport trunk
encapsulation
dot1q 2 VPNs to provide enhanced services and enjoy
productivity
gains
switchport mode dot1q-tunnel
no cdp enable
spanning-tree bpdufilter enable
no shut
!
interface Vlan100 network architecture
no ip address
no ip mroute-cache Gain from the first book to address Layer 2 VPN application utilizing
mpls l2transport route
192.168.1.103
100
both ATOM
and L2TP protocols
no shut

Note
Be careful when
enabling
BPDU
filtering
on an interface,
because
it effectively
legacy
Layer 2
and Layer
3 networks
would like
to move
toward a disables
single the
spanning tree
for that interface.
used incorrectly,
bridging
can occur.
backbone
while new If
carriers
would like to
sell theloops
lucrative
Layer 2
infrastructure.
Configuring Port-Based EoMPLS on the NewYork Switch

NewYork is a SUP720-3BXL-based
requires the following
introductory case system
studies that
and comprehensive
designconfiguration:
Step 1. Enter the
Gigabit
interface.
history
andEthernet
implementation
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSStep 2. Bind the
attachment
circuit
to2aTunneling
pseudowire
VC with
the xconnect
command,
as shown in
based
cores and
Layer
Protocol
version
3 (L2TPv3)
for native
previous
studies.
IP case
cores.
progressively
each
currently
available
solution in
greater
detail.
As you can see, essentially
two covering
commands
exist:
old (mpls
l2transport
route)
and
new (xconnect) to
enable port mode EoMPLS on a SUP720-3BXLbased system. This is because significant improvements
were made to the system in an effort to simplify command-line interface (CLI).
Example 7-30 demonstrates the needed configuration on the NewYork switch.
Example 7-30. NewYork Port-Based EoMPLS Configuration

hostname NewYork
!
no ip address
xconnect 192.168.1.102
100 encapsulation mpls
no shut
!
CE switches do not require special configuration. You have the choice of enabling or forgoing dot1Q on
ISBN: 1-58705-168-0
the CEs.
TableYou
of can review Example 7-24 from the preceding case study for Oakland and Albany's settings.
Contents
Pages: 648
To verify
Index your configuration, use the techniques described in Case Study 7-4. In the outputs of these
commands, you will not find specifics that indicate the difference between VLAN and port modes.
However, you will see whether your configuration is working.
Case Study
productivity
7-6:
VLANgains
Rewrite in Cisco 12000 Series Routers
As mentioned earlier inLearn

this chapter,
the VLAN
ID rewrite
on (VPNs)
routers and switches allows the use
about Layer
2 Virtual
Private feature
Networks
of different VLAN IDs on VLAN interfaces at two ends of the tunnel.
Some router platformsnetwork
performarchitecture
VLAN rewrites automatically on the disposition router on output;
therefore, no special configuration is needed. When you are using certain line card combinations of the
Gain from
the first
book to address
VPN application
Cisco 12000 routers, however,
manual
configuration
of theLayer
VLAN2rewrite
feature isutilizing
required. In this case
ATOMPEs
andare
L2TP
study, the SanFran andboth
NewYork
theprotocols
Cisco 12000 series routers. The topology is shown in
Figure 7-10.
For a majority
of Service
a significant
of their revenues
Figure
7-10. Providers,
VLAN ID
Rewriteportion
Topology
customers, they have some[View
drawbacks.
full size image]
infrastructure.
When you are configuring
the case
VLANstudies
rewriteand
on the
Cisco 12000design
series scenarios.
platforms, This
keepbook
in mind that
introductory
comprehensive
because of the difference
in functionality,
configuration
might
be requiredthe
if the ends of the
assists readers
looking toadditional
meet those
requirements
by explaining
EoMPLS connections
are and
not provisioned
with details
the same
linetwo
cards.
history
implementation
of the
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSSome examples of
the difference
system
flow between
different
line
withfor
VLAN
rewrite are
based
cores and in
Layer
2 Tunneling
Protocol
version
3 cards
(L2TPv3)
native
outlined next:
For example, a 4-port Gigabit Ethernet line card is used, traffic flows from VLAN 100 on Oakland to
VLAN200 on Albany. As the frame reaches the edge-facing line card of NewYork, the VLAN ID in
the dot1Q header changes to the VLAN ID that is assigned to VLAN 200. This is because the 4-port
Gigabit Ethernet line card performs a VLAN ID rewrite on the disposition side.
When a 3-port Gigabit Ethernet line card is used, traffic flows from VLAN 100 on Oakland to VLAN
200 on Albany. But, unlike the preceding example, as the frame reaches the edge-facing line card
of SanFran, the VLAN ID in the dot1Q header changes to the VLAN ID that is assigned to VLAN
200. This is because the 3-port Gigabit Ethernet line card performs VLAN ID rewrite on the
imposition side.
To configure VLAN rewrite on the PEs with the 3-port Gigabit Ethernet line card scenario, follow these
steps:
2 VPN Architectures
Step 1. Specify Layer
the Gigabit
Ethernet subinterface. Ensure that the subinterface on the adjoining CE
Byon
Weithe
Luo, same
- CCIE VLAN.
router is
Step 2. Enable the subinterface to accept 802.1q VLAN packets with the encapsulation dot1q
vlan_id command.
ISBN: 1-58705-168-0
StepTable
3. of
Bind the attachment
circuit to a pseudowire VC with the xconnect command.
Pages: 648
Contents
Index
Step
4. Enable the use of VLAN interfaces with different VLAN IDs at both ends of the tunnel via the
remote circuit idremote_vlan_id command.
Master
world
of Layer
2 VPNs toon
provide
enhanced
services and enjoy
Example 7-31 shows
thethe
VLAN
rewrite
configuration
SanFran
and NewYork.
productivity gains
Example 7-31. Configuring

VLAN
Rewrite
onNetworks
SanFran
and NewYork
Learn about Layer
2 Virtual
Private
(VPNs)
hostname SanFran
!
encapsulation dot1Qboth
100 ATOM and L2TP protocols
no cdp enable
xconnect 192.168.1.103
encapsulation
their 100
service
offerings whilempls
remote circuit id 200
no shut
!
hostname NewYork
!
no cdp enable
infrastructure.
remote circuit Layer
id 100
!
When you use the remote circuit id command, you are effectively enabling the VLAN Rewrite to be
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSperformed at imposition. In this case, the disposition (egress) PE router needs to inform the imposition
(ingress) PE router of the VLAN used in the attachment circuit by means of signaling. This remote VLAN
signaling is accomplished with the interface parameter Requested VLAN ID (parameter ID 0x06)
attached to the LDP mapping message.
progressively
coveringthe
each
currently
available
solution is
innot
greater
detail.
In newer Cisco IOS
Software releases,
remote
circuit
id command
required
in line cards
because the VLAN ID Rewrite feature is implemented automatically, and the 4-port Gigabit Ethernet line
card was enhanced to perform VLAN ID rewrite, either on imposition or disposition. This allows you to
configure EoMPLS in a consistent manner without checking for line card hardware dependencies.
Verifying and Troubleshooting the Configuration

To determine whether VLAN rewrite is enabled on Cisco 12000 series PEs, issue the show controllers
eompls forwarding-table [port] [vlan] command. To execute this command, open a session directly
to the line card. Example 7-32 shows the output of the command on SanFran and NewYork.
Example 7-32. show controllers eompls forwarding-tableCommand

SanFran
LC-CON0#show controllers eompls forwarding-table 0 100

Port # 0, VLAN-ID # ISBN:

100,1-58705-168-0
Table-index 100
Table of
EoMPLS
configured: Pages:
1
648
Contents
tag_rew_ptr
= D001BB58
Index
Leaf
entry?
= 1
FCR index
= 20
**tagrew_psa_addr
= 0006ED60
**tagrew_vir_addr
= 7006ED60
**tagrew_phy_addr
= F006ED60
productivity gains
[0-7] loq 8800 mtu 4458 oq 4000 ai 3 oi 04019110 (encaps size 4)
cw-size 4 vlanid-rew 200
gather A30 Learn
(bufhdr
size
32 2EoMPLS
(Control
Word) (VPNs)
Imposition profile 81)
about
Layer
Virtual Private
Networks
2 tag: 18 18
counters 1182,
10 costs
reported
1182,the
10.reach of your services by unifying your
Reduce
and extend
Local OutputQ (Unicast):
Slot:2 Port:0 RED queue:0 COS queue:0
Output Q (Unicast):
Port:0
RED queue:0 COS queue:0
_______________________________________________________________________________
NewYork
LC-CON0#show controllers eompls forwarding-table 0 200
Port # 0, VLAN-ID # 200, Table-index 200
For a majority
EoMPLS configured:
1
are still derived
tag_rew_ptr
= D0027B90
technologies.
Leaf entry?
= 1
customers,
FCR index
= 20
legacy Layer 2 and Layer
**tagrew_psa_addr
= 0009EE40
backbone
while
new
carriers
**tagrew_vir_addr
= 7009EE40
services
over
their
existing
Layer
**tagrew_phy_addr
= F009EE40 3 cores. The solution in these cases is a
technology
that
would
allow
Layer
over a(encaps
Layer 3 size 4)
[0-7] loq 9400 mtu 4458 oq
4000
ai 28transport
oi 84000002
infrastructure.
cw-size 4 vlanid-rew 100
gather A30 (bufhdr size 32 EoMPLS (Control Word) Imposition profile 81)
2 tag: Layer
17 18
Network
concepts,1182,
and describes
Layer 2 VPN techniques via
counters 1182,(VPN)
10 reported
10.
introductory
case
studies
and
comprehensive
design scenarios.
This book
Local OutputQ (Unicast):
Slot:5 Port:0 RED queue:0
COS queue:0
assists
readers
looking
to
meet
those
requirements
by
explaining
the
Output Q (Unicast):
Port:0
RED queue:0 COS queue:0
Note
Other platforms that do not require manual configuration do not provide VLAN ID rewrite
information in their output.
Port VLAN ID Inconsistency Issue

In EoMPLS using CE switches, Spanning Tree Protocol (described in Chapter 4) still runs between the
customer end devices, and it is transported across the MPLS core backbone. In a VLAN ID rewrite
scenario, Port VLAN ID (PVID) inconsistency stems from the Per VLAN Spanning Tree + (PVST+) BPDU
being received on a different VLAN than it was originated. Therefore, when the trunk port on Oakland
receives a PVST+ BPDU from the Albany's STP of VLAN 200 with a tag of VLAN 200, you get an error
2 VPN
Architectures
message as soon Layer
as the
circuit
comes up:
%SPANTREE-2-BLOCK_PVID_LOCAL : Blocking [chars] on [chars]. Inconsistent local vlan.

The listed STP instance

that
of the
native VLAN ID of the listed interface. The first [chars] is the
Pub is
Date:
March
10, 2005
interface, and the second
[chars]
is
the
STP instance. As a result, the trunk port is held in a blocking
ISBN: 1-58705-168-0
Table of
state
(for both VLAN 100 and VLAN 200) until the inconsistency is resolved.
Pages: 648
Contents
Index the interface, change the VLAN IDs on the CEs so that they match. When this is not possible
To unblock
and VLAN ID rewrite is required, you must turn off the STP. This alternative opens a door to bridging
loops; therefore, you should use it with extreme caution.
productivity gains
Case Study 7-7: Map to Pseudowire
Learn
about
Layer
2 Virtual
Private aNetworks
(VPNs)
For EoMPLS configuration,
you
might
choose
to configure
pseudowire
class template that consists of
configuration settings used by all attachment circuits that are bound to the class. Pseudowire was
costs and
extend the
reach of your
your
introduced in ChaptersReduce
2, "Pseudowire
Emulation
Framework
and Standards,"
and 6 and
is discussed in
network
architecture
further detail in the advanced configuration case studies of Chapter 9, "Advanced AToM Case Studies."
Gain from the
to in
address
Layer
VPN application utilizing
Example 7-33 shows configuration
offirst
the book
VC 100
Ethernet
port2 mode.
Example 7-33. Pseudowire

Class Configuration

hostname SanFran
!
pseudowire-class ethernet-port
encapsulation mpls
int GigabitEthernet1/4
services over100
theirpw-class
existing Layer
3 cores. The solution in these cases is a
xconnect 192.168.1.103
ethernet-port
!
infrastructure.

Common Troubleshooting
Techniques
This section introduces

you to
thePress
most common troubleshooting techniques for PEs in EoMPLS. You
Publisher:
Cisco
first learn the commands
andMarch
outputs
for the Cisco router PEs and then learn to troubleshoot Cisco
Pub Date:
10, 2005
7600 series switches.
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Troubleshooting EoMPLS on Routers

The first common step in troubleshooting problems is attempting to discover failure by verifying the
Layerl2transport
2 VPNs to provide
status of a VC by Master
issuingthe
theworld
showofmpls
vc command.
productivity gains
Three conditions must be met so that the VC is UP:

The disposition interfaces are programmed if the VC has been configured and the CE interface
is UP.
If the IGP label exists, it can be implicit null in a back-to-back configuration.
The imposition interface
is programmed
if the disposition interface is programmed and you
both ATOM
and L2TP protocols
have a remote VC label and an IGP label (LSP to the peer).
If the status field is marked
DOWN offerings
(that is, the
VCmaintaining
is not readyrouting
to carrycontrol
traffic between the two VC
their service
while
endpoints), as shown in the output of Example 7-34, execute the show mpls l2transport vc detail
a majority
Providers,
command seen inFor
Example
7-35of
forService
more in-depth
information.
customers,
they have
some drawbacks.
Example 7-34.
show mpls
l2transport
vc Command
NewYork#show mpls
l2transport
services
over their vc
Local intf
Local circuit
Dest address
VC ID
Status
infrastructure.
------------- ----------------------- --------------- ---------- ---------Et0/0
Ethernet
192.168.1.102
100 2 VirtualDOWN
Layer
2 VPN Architectures introduces
readers to Layer
Private
Example 7-35.
show
l2transport
vcthe
detail
Command
history
and mpls
implementation
details of
two technologies
available from
NewYork#show mpls
l2transport
vc detail
IP cores.
The structure
Local interface:
Et0/0
up, line
up,implementation
Ethernet up requirements and
reader
to Layer
2 VPNprotocol
benefits and
192.168.1.102,
VC
ID:
100, VC
status:
comparing them to those of Layer 3 based
VPNs,
such asdown
MPLS, then
Preferred path:
not
configured
Output interface: Se5/0, imposed label stack {16 16}
MPLS VC labels: local 16, remote 16
MTU: local 1500, remote unknown
VC statistics:
byte totals:
receive 0, send 0
Layer 2receive
VPN Architectures
packet drops:
0, send 78
Table 7-4 describes some of the significant fields of the show mpls l2transport vc detail
command output.
ISBN: 1-58705-168-0
Table of
Contents
Index
Pages: 648
Table 7-4. show mpls l2transport vc detail Command

Output Fields
Field
productivity gains Description
Destination address
VC ID
The IP address of the remote router

specified for this VC as part of the mpls
l2transport route or xconnect
Reduce costs command.
The virtual circuit identifier assigned to
the interface on the router.

both ATOM and
L2TP
protocols
VC status
The
status
of the VC. The status can be
one of the following:
UPThe VC
is inmaintaining
a state in which
it can
while
routing
control
carry traffic between the two VC
endpoints.
A VC is
when both
For a majority of Service
Providers,
a UP
significant
imposition
disposition
interfaces
are
data andand
voice
services based
on legacy
transport
programmed.
technologies. Although
Layer 3 MPLS VPNs fulfill the market need for some
DOWNThe VC is not ready to carry traffic
between the two VC endpoints.
services over their ADMIN
existing Layer
3 cores.
The disabled
solution the
in these cases is a
DOWNA
user has
allow
Layer
2
transport
over
a
Layer
3
VC.
infrastructure.
Tunnel label
An IGP label that routes the packet over
the MPLS
backbonereaders
to the destination
introduces
router and
withdescribes
the egress
interface.
Layer
Output interface
The interface on the remote router that
has been enabled to transmit and receive
Layer 2 packets.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbased cores and Layer
2 Tunneling
Protocol
version
3 (L2TPv3)
for native
Imposed label stack
A summary
of the
MPLS label
stack
that
IP cores. The structure
of this
focused
directs
the book
VC toisthe
PE router.
Signaling protocol
type
of protocol
thatVPNs,
sendssuch
the as
MPLS
comparing them toThe
those
of Layer
3 based
MPLS, then
labels.
The
output also
shows
the status
each
currently
available
solution
in greater detail.
of the peer router.
MPLS VC labels
The local VC label is a disposition label,

which determines the egress interface of
an arriving packet from the MPLS
backbone. The remote VC label is a
disposition VC label of the remote peer
router.
MTU
The maximum transmission unit specified

for the local and remote interfaces.
Sequencing

This field describes whether sequencing of
ByWei Luo, - CCIE No. 13,291,
Carlos Pignataro,
- CCIE
No. 4619,Dmitry
Bokotey, - CCIE
out-of-order
packets
is enabled
or
No. 4460,Anthony Chan, -disabled.
CCIE No. 10,266
Pub Date: Marchvc

10,detail
2005
In the show mpls l2transport
command output, pay attention to the remote unknown
ISBN:
next to the local MTU. One
of1-58705-168-0
the possible causes is a remote interface down or an MTU mismatch.
Table of
Verify
to make sure that
MTU648
on each side is the same. If an EoMPLS tunnel is still down after this
Pages:
Contents
and you cannot pass traffic, perform another check by issuing the show mpls forwarding-table
Index
command, as demonstrated in Example 7-36.
Example 7-36.
show
mplsofforwarding-table
Master
the world
Layer 2 VPNs to provideCommand
productivity gains
NewYork#show mpls forwarding-table
Local Outgoing
Prefix
BytesPrivate
tag Outgoing
Next Hop
Learn
Networks (VPNs)
tag
tag or VC
or Tunnel Id
switched
interface
the reachSe5/0
of your services
by unifying your
17
Untagged
10.1.1.0/24
0
point2point
network
architecture 0
18
Untagged
192.168.1.101/32
Se5/0
point2point
19
Untagged
192.168.1.102/32 0
Se5/0
point2point
Gain
from the first book
to address Et0/0.100
Layer 2 VPN application
utilizing
20
Untagged
l2ckt(100)
4592
point2point

service offerings
while
routing
control
The Untagged result intheir
the Outgoing
tag or VC
fieldmaintaining
indicates that
an MPLS
label might not be
exchanged between the PE and P (Denver) routers.
still derived
fromthe
data
and ip
voice
on legacy
transport
A couple possibleare
causes
exist. Either
mpls
hasservices
not beenbased
enabled
per interface,
or CEF is
technologies.
Although
Layer 3To
MPLS
VPNs
fulfill
the
market
need
some
disabled (or not enabled)
on the
P or PE router.
verify,
issue
the
show
mpls
ldpfor
discovery
customers,
command, as in Example
7-37.
services
over
their existing
Layer 3 cores.
Example 7-37.
show
mpls
ldp discovery
Command
infrastructure.
192.168.1.103:0
Discovery Sources:
Targeted Hellos:
details
of theactive/passive,
two technologies available
from
192.168.1.103
-> 192.168.1.102
(ldp):
xmit/recv
the Cisco
Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSLDP
Id: 192.168.1.102:0
The output showscomparing
whether you
have
a direct
session
open
between
directly
MPLSthem
to those
of LDP
Layer
3 based
VPNs,
such as
MPLS,connected
then
enabled interfaces.
By observing
this behavior,
you canavailable
concludesolution
that MPLS
indeed was
not enabled
progressively
covering
each currently
in greater
detail.
per interface facing the core. To solve this problem, enable MPLS on an interface or check whether
CEF is enabled.
Two common issues result when the circuit does not come up:
The remote port is down or not configured.
The MTU is mismatched.
Examples 7-38 and 7-39 display the output of the show mpls l2transport vcvciddetail command
with the two conditions, respectively.
ByWei
Luo, - CCIEPort
No. 13,291,
Carlos or
Pignataro,
CCIE No. 4619,Dmitry Bokotey, Example 7-38.
Remote
Down
Not -Configured
CCIE
NewYork#show mplsPublisher:
l2transport
vc 10 detail
Cisco Press
Local interface: Pub
FastEternet0/0.10
Date: March 10, 2005 up, line protocol up, Eth VLAN 10 up
Destination address: 192.168.1.102, VC ID: 10, VC status: down
ISBN: 1-58705-168-0
Table of label: not ready
Tunnel
Pages:
648
Contents interface: unknown,
Output
imposed label stack {}
Index time: 22:31:53, last status change time: 04:02:56
Create
MPLS VC labels: local 19, remote unassigned
Group ID: local 0, remote unknown
worldunknown
of Layer 2 VPNs to provide enhanced services and enjoy
MTU: local Master
1500, the
remote
productivity
gains
VC statistics:
byte totals:
receivecosts
552557,
send the
550044
Reduce
and extend
reach of your services by unifying your
packet drops: network
receivearchitecture
0, send 7
Example 7-39. MTU Mismatch

NewYork#show mpls l2transport vc 10 detail
ForFastEternet0/0.10
a majority of Service up,
Providers,
a significant
portion
of their
Local interface:
line protocol
up,
Eth VLAN
10revenues
up
are still derived
from data and
on down
legacy transport
192.168.1.102,
VCvoice
ID: services
10, VC based
status:
technologies.
Tunnel label:
not ready
customers,
they have
some drawbacks.
Ideally,
Output interface:
unknown,
imposed
label stack
{} carriers with existing
Layer last
2 and status
Layer 3 change
networkstime:
would00:00:20
Create time: legacy
22:36:10,
backboneLDP,
whilepeer
new carriers
would like to
Signaling protocol:
192.168.1.102:0
upsell the lucrative Layer 2
services
over their
existing 21
MPLS VC labels:
local
19, remote
technology
that would
Group ID: local
0, remote
0 allow Layer 2 transport over a Layer 3
MTU: local infrastructure.
1500, remote 1000
Remote interface description: *** To SanFran ***
Layer 2 VPN
Architectures
Sequencing: receive
disabled,
send introduces
disabled readers to Layer 2 Virtual Private
Network
(VPN)
concepts,
and
describes Layer 2 VPN techniques via
VC statistics:
introductory
case
studies
and
comprehensive
assistsreceive
readers 168476,
looking tosend
meet155436
those requirements by explaining the
byte totals:
history
and implementation
packet drops:
receive
0, send 13 details of the two technologies available from
The highlighted portions
of Layer
Examples
7-38
and 7-39
attention to the
faulty conditions.
Compare
reader to
2 VPN
benefits
and call
implementation
requirements
and
the output to output
of the same
an operational
environment
7-40.
comparing
themcommand
to those ofinLayer
3 based VPNs,
such as from
MPLS,Example
then
Example 7-40. Working Example

NewYork#show mpls l2transport vc 10 detail
Local interface: FastEternet0/0.10 up, line protocol up, Eth VLAN 10 up
Output interface: Et1/0, imposed label stack {17 21}

Layer 2 VPN
Architectures
MPLS VC labels:
local
19, remote 21
ByWei Luo,
CCIE No. 13,291,
Group ID: local
0,- remote
0
4460,Anthony
Chan,
- CCIE No. 10,266
MTU: local No.
1500,
remote
1500
Remote interface description: *** To SanFran ***
Sequencing: receive
disabled,
Publisher:
Cisco Press send disabled
VC statistics: Pub Date: March 10, 2005
ISBN: 1-58705-168-0
Table oftotals:
byte
Pages:
648
Contents drops: receive
packet
0, send 7
Index
Example 7-41 presents the verification and configuration sequence of enabling MPLS on the Serial
5/0 interface.
productivity gains

MPLS on an Interface
NewYork#show mpls interfaces
network
Interface
IP architecture
Tunnel
Operational
Se5/0
No
Yes
No
configure terminal both ATOM and L2TP protocols
interface serial 5/0
mpls ip
NewYork#show mpls interfaces
For a majority
Providers,
Interface
IP of Service
Tunnel
Operational
are still derived
data and voice
Se5/0
Yes fromYes
Yes services based on legacy transport
Next, check whether
MPLS is
directly
labelslike
andtoexchanging
LDP between
backbone
while
new receiving
carriers would
sell the lucrative
Layer 2the PE and the P
by reissuing the show
mpls
forwarding-table
command.
The solution
output isinprovided
in Example
7-42.
services
over
3 cores. The
these cases
is a
infrastructure.
Example 7-42. show mpls forwarding-table Command

NewYork#show mpls
forwarding-table
introductory
Local Outgoingassists
Prefix
Bytes
tagrequirements
Outgoing byNext
Hop the
readers looking to meet
those
explaining
tag
tag or VC
orand
Tunnel
Id
switched
history
implementation
details of theinterface
17
Pop tag the Cisco
10.1.1.0/24
Se5/0
Unified VPN suite:0Any Transport
over MPLS point2point
(ATOM) for MPLS18
Pop tag based192.168.1.101/32
0
Se5/0
cores and Layer 2 Tunneling Protocol version 3 point2point
(L2TPv3) for native
19
16
192.168.1.102/32
0 book is focused
Se5/0on first point2point
IP cores.
The structure of this
introducing the
20
Untaggedreaderl2ckt(100)
5310and implementation
Et0/0.100 requirements
point2point
and
To ensure that LDP xmit/recv (transmit/receive) is occurring in both directions, use the show mpls
ldp discovery command again, as in Example 7-43.
Example 7-43. show mpls ldp discovery Command

192.168.1.103:0
Discovery Sources:
Interfaces:
Layer(ldp):
2 VPN Architectures
Serial5/0
xmit/recv
LDPByWei
Id:Luo,
192.168.1.101:0
Targeted Hellos:
192.168.1.103 -> 192.168.1.102 (ldp): active/passive, xmit/recv
LDP Id:
192.168.1.102:0
Publisher:
Cisco Press
ISBN: 1-58705-168-0
Table of
Pages:
Example
7-44 shows that the648
VC is now ready and operational and should be able to send traffic
Contents
from
CE
to
Index CE.
Example 7-44. show mpls l2transport vc Command
productivity gains
NewYork#show mpls l2transport vc
Local intf
------------Et0/0
Local
circuit
Dest
address
VC(VPNs)
ID
Status
Learn
Private
Networks
----------------------- --------------- ---------- ---------Reduce costs and extend192.168.1.102
by unifying
your
Ethernet
100
UP
Verify with the show mpls
l2transport
vc protocols
detail command output (shown in Example 7-45) that
both ATOM
and L2TP
the packets are being sent and received.
Example 7-45. show mpls l2transport vc detail Command

technologies.
Although
NewYork#show mpls
l2transport
vc detail
customers,
theyline
haveprotocol
some drawbacks.
Ideally,up
Local interface:
Et0/0 up,
up, Ethernet
legacy Layer
wouldVC
likestatus:
to moveup
toward a single
192.168.1.102,
VC ID: 100,
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer 2
services
Default path:
active
technology
thathop
would
Tunnel label:
16, next
point2point
infrastructure.
Output interface:
Se5/0, imposed label stack {16 16}
Layer 2 VPN
Architectures
introduces readers
Signaling protocol:
LDP,
peer 192.168.1.102:0
up
Network
(VPN)
concepts,
and
describes
Layer
introductory
case
studies
and
comprehensive
design
assists
readers
looking
to
meet
those
requirements
by
explaining the
history and
Remote interface
description:
the Cisco disabled,
Unified VPNsend
suite:disabled
Any Transport over MPLS (ATOM) for MPLSSequencing: receive
VC statistics:
IP cores.
The structure
of this
packet totals:
receive
56, send
56 book is focused on first introducing the
readerreceive
to Layer6019,
2 VPN send
benefits
byte totals:
6014
comparing
them
to
those
of
Layer
Debugging EoMPLS Operation on PE Routers

You can use several useful debugging commands to verify and troubleshoot EoMPLS operation on PE
routers.
For dot1Q operation, look for VC type 4 in output generated by the debug mpls l2transport
signaling message command, as shown in Example 7-46.
Example 7-46. Debugging dot1Q

NewYork#debug mpls
l2transport
No. 4460,
Anthony Chan, - signaling
CCIE No. 10,266message
NewYork(config)#interface ethernet 0/1.100
NewYork(config-subif)#shutdown
Pub[192.168.1.102]:
00:19:51: AToM LDP
Sending label withdraw msg
ISBN:
vc type 4, cbit 1, vc
id1-58705-168-0
100, group id 0, vc label 20, status 0, mtu 1500
Table of
00:19:51:
AToM LDP Pages:
[192.168.1.102]:
Received label release msg, id 78
648
Contents
Index
NewYork(config-subif)#no shutdown
productivity gains
In troubleshooting the port-based EoMPLS operation, look for VC type 5 in the debug mpls
about command
Layer 2 Virtual
Private
Networks
(VPNs)7-47.
l2transport signalingLearn
message
output,
as shown
in Example
Example 7-47. Debugging Port to Port
NewYork#debug mpls l2transport signaling message
AToM LDP message debugging
is on that allow large enterprise customers to enhance
Review strategies
!
NewYork(config)#interface ethernet 0/0
NewYork(config-if)#shutdown
00:08:39: AToM are
LDPstill
[192.168.1.102]:
withdraw
derived from data Sending
and voicelabel
services
based onmsg
legacy transport
vc type 5, cbittechnologies.
1, vc id 100,
group
id
0,
vc
label
16,
status
0, need
mtu 1500
Although Layer 3 MPLS VPNs fulfill the
market
for some
00:08:39: AToM customers,
LDP [192.168.1.102]:
Received
label
release
msg,
id
34
vc type 5, cbitlegacy
1, vc
id 100,
0, vc label
16, to
status
0, mtua 0single
Layer
2 and group
Layer 3idnetworks
would like
move toward
00:08:41: %LINK-5-CHANGED: Interface Ethernet0/0, changed state to
administratively down
infrastructure.
NewYork(config-if)#no
shutdown
2 VPN
introduces
readers
to Layer
2 Virtual
vc type 5, cbitLayer
1, vc
id Architectures
100, group id
0, vc label
20,
status
0, mtuPrivate
1500
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
00:08:44: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to upvia
introductory case studies
comprehensive
design Ethernet0/0,
00:08:45: %LINEPROTO-5-UPDOWN:
Line and
protocol
on Interface
changed
assists
readers
looking
to
meet
those
requirements
by
explaining the
state to up
Another helpful command
debug
acircuit
event
information
on all
attachment
IP cores. is
The
structure
of this
bookfor
is focused
on first
introducing
thecircuits, as
illustrated in Example
7-48.
reader
Example 7-48. debug acircuit event Command
NewYork#debug acircuit event

NewYork(config)#int e 0/0
NewYork(config-if)#no shutdown
00:12:59: ACLIB [192.168.1.102, 100]: SW AC interface UP for Ethernet interface
Et0/0
00:12:59: ACLIB [192.168.1.102, 100]: pthru_intf_handle_circuit_up() calling
acmgr_circuit_up
00:12:59: ACLIB [192.168.1.102, 100]: Setting new AC state to Ac-Connecting
00:12:59: ACLIB: Update switching plane with circuit UP status
2 VPN Architectures 100]: SW AC interface UP for Ethernet interface
00:12:59: ACLIBLayer
[192.168.1.102,
Et0/0
4460,Anthony Chan, - CCIE
No. 10,266
00:12:59: ACLIBNo.[192.168.1.102,
100]:
pthru_intf_handle_circuit_up() ignoring
up event. Already connected or connecting.
00:12:59: Et0/0 ACMGR:
Publisher:Receive
Cisco Press<Circuit Up> msg
00:12:59: Et0/0 ACMGR:
up event, SIP state chg fsp up to connected,
Pub Date:circuit
March 10, 2005
action is p2p up forwarded
ISBN: 1-58705-168-0
Table of ACLIB: pthru_intf_response hdl is 8C000002, response is 2
00:12:59:
Pages:
648
Contents ACLIB [192.168.1.102,
00:12:59:
100]: Setting new AC state to Ac-Connected
Index
00:12:59:
AToM LDP [192.168.1.102]: Sending label mapping msg
00:12:59: Et0/0 ACMGR: Rcv SIP msg: resp peer-to-peer msg, hdl 8C000002,
sss_hdlB4000003
theremote
world ofup
Layer
2 VPNs
provide enhanced
enjoyis
00:12:59: Et0/0Master
ACMGR:
event,
SIPtoconnected
state services
no chg, and
action
productivity
gains
ignore
00:13:01: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
00:13:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed
state to up
Use the debug mpls l2transport vc event command to see the AToM event messages about the
VCs, as shown in Example 7-49. Watch how the messages reflect the shutdown of the interface and
the healthy recovery.

Example 7-49. debug mpls l2transport vc event Command

NewYork#debug mpls
l2transport
vc Layer
event3 MPLS VPNs fulfill the market need for some
technologies.
Although
customers, they
have some
NewYork(config)#interface
ethernet
0/0drawbacks. Ideally, carriers with existing
legacy
Layer
2
and
Layer
NewYork(config-if)#shutdown
backbone
while
new
carriers
would
like end
to sell
the lucrative
Layer 2
00:14:37: AToM MGR [192.168.1.102, 100]:
Local
down,
vc is down
services
over
their
existing
Layer
3
cores.
The
solution
in
these
cases is a
00:14:37: AToM MGR [192.168.1.102, 100]: Unprovision SSM segment
technology
that
would
allow
Layer
2
transport
over
a
Layer
3
00:14:37: AToM SMGR: Submit Imposition Update
00:14:37: AToM infrastructure.
SMGR: Submit Disposition Update
00:14:37: AToM SMGR [192.168.1.102, 100]: Event Imposition Disable
00:14:37: AToM SMGR [192.168.1.102, 100]: State [Imposition/Disposition Rdy->
Disposition Rdy]
00:14:37: AToM SMGR [192.168.1.102, 100]: Event Disposition Disable
00:14:37: AToM SMGR [192.168.1.102, 100]: State [Disposition Rdy->Provisioned]
00:14:37: AToM SMGR: Submit SSM event
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS00:14:37: AToM SMGR: Event SSM event
00:14:37: AToM SMGR [192.168.1.102, 100]: sucessfully teardown sss switch for pwid
5A000000
00:14:37: AToM SMGR [192.168.1.102, 100]: sucessfully processed ssm unprovisioning
for pwid 5A000000
00:14:39: %LINK-5-CHANGED: Interface Ethernet0/0, changed state to administratively
down
00:14:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state
to down
00:15:16: AToM MGR [192.168.1.102, 100]: Local end up
00:15:16: AToM MGR [192.168.1.102, 100]: Validate vc, activating data plane
00:15:16: AToM SMGR: Submit Imposition Update
00:15:16: AToM SMGR: Submit Disposition Update
00:15:16: AToM SMGR [192.168.1.102, 100]: Event Imposition Enable, imp-ctrlflag

83, remote vc label 16
00:15:16: AToM SMGR [192.168.1.102, 100]: Imposition Programmed, Output Interface:
Se5/0
Wei Luo,
Pignataro,
- CCIE
No. 4619,Dmitry Bokotey, - CCIE Rdy]
00:15:16: AToM By
SMGR
[192.168.1.102,
100]:
State
[Provisioned->Imposition
4460,[192.168.1.102,
Anthony Chan, - CCIE No.
10,266 Event Disposition Enable, disp-ctrlflag
00:15:16: AToM No.
SMGR
100]:
3, local vc label 16
00:15:16: AToM SMGR
[192.168.1.102,
100]: State [Imposition Rdy->Imposition/
Publisher:
Cisco Press
Disposition Rdy]
00:15:16: AToM SMGR: Submit SSM event
ISBN: 1-58705-168-0
Table of AToM SMGR: Event SSM event
00:15:16:
Pages:
648
Contents AToM SMGR [192.168.1.102,
00:15:16:
100]: sucessfully processed ssm provision
Index
request
pwid 5A000000
00:15:16: AToM SMGR [192.168.1.102, 100]: Send COMPLETE signal to SSM
00:15:16: AToM SMGR [192.168.1.102, 100]: sucessfully setup sss switch for pwid
5A000000
worldSSM
of Layer
2 VPNs to provide enhanced services and enjoy
00:15:16: AToM Master
SMGR: the
Submit
event
productivity
gains
00:15:16: AToM SMGR: Event SSM event
00:15:16: AToM SMGR [192.168.1.102, 100]: sucessfully processed ssm bind for pw
id 5A000000
00:15:16: AToM MGR [192.168.1.102, 100]: Receive SSM dataplane up notification
00:15:16: AToM MGR Reduce
[192.168.1.102,
100]:the
Dataplane
activated
costs and extend
reach of your
00:15:18: %LINK-3-UPDOWN:
Interface
Ethernet0/0,
changed
state to up
state to up

To verify the flow of packets
across offerings
the Layerwhile
2 tunnel,
use therouting
debug control
mpls l2transport packet
their service
maintaining
data command, as shown in Example 7-50.
Caution legacy Layer 2 and Layer 3 networks would like to move toward a single
Make sure to use this testing technique in a lab environment only.
infrastructure.
Layer
2 VPN Architectures
introducespacket
readers to
LayerCommand
2 Virtual Private
Example 7-50.
debug
mpls l2transport
data
NewYork#debug mpls
packet
data
assistsl2transport
readers looking
to meet
00:17:44: ATOM history
disposition:
in Se5/0, details
size 60,
seq
0,technologies
control word
0x0 from
and implementation
of the
two
available
00:17:44: 00 00the
0CCisco
00 6C
00
00
00
0C
00
6C
00
90
00
00
00
Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS^^^^^^^^^^^^^^^^^
^^^^^version 3 (L2TPv3) for native
based cores and ^^^^^^^^^^^^^^^^^
Layer 2 Tunneling Protocol
Dest.IPAddress
Source
Address
Etype
= LOOP the
cores. The structure of this book is focused=on0x9000
first introducing
00:17:44: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00:17:44: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00:17:44: 00 00 00 00 00 00 00 00 00 00 00 00
00:17:44: ATOM disposition:
00:17:44: 00 00 0C 00 6F 00
^^^^^^^^^^^^^^^^^
Dest. Address
in Se5/0, size 114, seq

00 00 0C 00 6C 00 08 00
^^^^^^^^^^^^^^^^^ ^^^^^
Source Address
|
Etype
0, control word 0x0

45 00
^^^^^...
Begins IP packet
= 0x0800 = IP
00:17:44: 00 64 00 0A 00 00 FF 01 72 3A C0 A8 64 01 C0 A8
00:17:44: 64 02 08 00 28 0D 0E D9 13 FC 00 00 00 00 00 10
00:17:44: 33 58 AB CD AB CD AB CD AB CD AB CD AB CD AB CD
00:17:44:
00:17:44:
00:17:44:
00:17:44:
00:17:44:
00:17:44:
AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
AB CDLayer 2 VPN Architectures
Wei Luo, - CCIE No.
Carlossize
Pignataro,
- CCIE
4619,Dmitry
- CCIE word 0x0
ATOM By
imposition:
out13,291,
Se5/0,
130,
EXPNo.0x0,
seq Bokotey,
0, control
4460,
Chan,
CCIE00
No.01
10,266
0F 00No.88
47Anthony
00 01
00- FF
01 02 00 00 00 00
^^^^^ ^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^
HDLC
Publisher:
Cisco Label
Press
Tunn.
VC Label
Pub Date:
March
10, 2005 Label=16
Label=16
ISBN: 1-58705-168-0
Table of
Contents
Index
S=0
Pages: 648
Ctrl-word
S=1
TTL=255
TTL=2
etype = MPLS Unicast
00:17:44: 00 00 0C 00 6C 00 00 00 0C 00 6F 00 08 00 45 00
^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^ ^^^^^ ^^^^^...
Dest. Address Source Address
Begins IP packet
productivity gains
Etype = 0x0800 = IP
00:17:44:
00:17:44:
00:17:44:
00:17:44:
00:17:44:
00:17:44:
00:17:44:
00
64
33
AB
AB
AB
AB
64
01
58
CD
CD
CD
CD
00
00
AB
AB
AB
AB
0A 00 00 FF 01 72 3A C0 A8 64 02 C0 A8
Learn
2 Virtual
00 30about
0D 0ELayer
D9 13
FC 00Private
00 00 Networks
00 00 10(VPNs)
CD AB CD AB CD AB CD AB CD AB CD AB CD
CD AB
CD the
AB first
CD AB
CD toABaddress
CD AB Layer
CD AB2 VPN
CD application utilizing
Gain
from
book


Note that in customers,
Example 7-50,
offline
hand
decodingIdeally,
of the packets
shown
in bold.
theythe
have
some
drawbacks.
carriers is
with
existing
You can see in Example 7-50 that the disposition packets show only the EoMPLS Payload, whereas
the imposition packets also include the EoMPLS header.
infrastructure.
Note
In the first packet, the Ethertype of 0x9000 indicates a loopback packet. For this reason, the source
and destination MAC addresses are the same. The second packet shows an IP packet transported in
EoMPLS. Finally, in the third packet with the imposition operation, you can also see the Tunnel,
MPLS, and AToM headers. Specifically, the Layer 2 is Cisco HDLC with an HDLC type of 0x8847,
indicating that MPLS follows. A two-level MPLS stack includes the Tunnel label of 16 and a VC label of
16. Note that these two values do not need to be the same. The label stack is followed by a 4-byte
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLScontrol word and finally an Ethernet frame with an Ethertype of 0x0800 transporting an IP datagram
with an ICMP packet.
progressively
covering
currently available solution in greater detail.
Troubleshooting
EoMPLS
on each
Switches
Troubleshooting commands on switches are, for the most part, the same as those on routers.
However, the output might be different, as you learn in this section. For instance, use the output of
the command show mpls l2transport vc from Example 7-51 to get information about the VCs just
as you would use this command on routers.
Example 7-51. show mpls l2transport vc Command on a Switch
Metro-switch#show mpls l2transport vc

Transport Client
VC
Trans Local
VC ID
Intf
State Type VC Label
200
Vl200
UP
vlan 215
Remote
VC Label
215
Tunnel
Label
implc-null
Table 7-5 explains the

most pertinent
Publisher:
Cisco Press fields of the show mpls l2transport vc command.
Table of
Contents
Index
Table
ISBN: 1-58705-168-0
Pages: 648
7-5. Fields of the show mpls l2transport vc

Command
Field
VC ID
Master the world of Layer

Description
productivity gains
The VC ID configured by the mpls l2
route or xconnect command; must
Learn about Layer match
2 Virtual
Networks (VPNs)
onPrivate
both ends.
Client Intf
Indicates
2 interface
is unifying your
thewhich
reachLayer
of your
services by
being used.
VC State
shows
whether
VC
Gain from the first The
bookUP
tostate
address
Layer
2 VPNthe
application
utilizing
ever
saw traffic.
both ATOM and L2TP
protocols
Trans Type
The allow
available
results
include
vlan for to enhance
large
enterprise
customers
VLAN
based
and Etherrouting
for portcontrol
based.
while
maintaining
Local VC label
Indicates that the local VC label is

being used. For Cisco 7600 series
switches, the local label is derived
from the VLAN (local label = VLAN +
15).
would
like to sellby
the
lucrative
2
Remote VC labelbackbone while new carriers
The label
advertised
the
remote Layer
PE
Layer
3
cores.
The
solution
in
these
cases
is a
and used by this PE to reach the CE
technology that would allow
Layer
2
transport
over
a
Layer
3
on the other end of the LSP.
infrastructure.
Tunnel Label
Identifies the outer label used to
Layer 2 VPN Architecturesswitch
introduces
readers
to Layer
Virtual Private
the packets
between
the2 PEs.
Network (VPN) concepts,An
and
describes
Layer
2
VPN
techniques
via
implicit-null label is shown for the
introductory case studiesback-to-back
and comprehensive
design
scenarios.
This
book
connection.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSFor more in-depthbased
information
about
the2VCs,
use the
show mpls
l2transport
cores and
Layer
Tunneling
Protocol
version
3 (L2TPv3) vc
fordetail
native command,
as shown in Example
7-52.
Example 7-52.
show mpls
l2transport
vcavailable
detail solution
Command
progressively
covering
each currently
in greater detail.
Metro-switch#show mpls l2transport vc detail
vcid: 200, local groupid: 24, remote groupid: 102 (vc is up)
client: Vl200 is up, destination: 1.2.2.1, Peer LDP Ident: 1.2.1.1:0
local label: 215, remote label: 215, tunnel label: implc-null
outgoing interface: s0/0, next hop: point2point
Local MTU: 1500, Remote MTU: 1500
Remote interface description: Vlan 200
imposition: LC Programmed
current imposition/last disposition slot: 2/32

Packet totals(in/out): 6246/6159
byte totals(in/out): 536999/444722
Table 7-6 describes the various output fields.

ISBN: 1-58705-168-0
Table of
Pages:
Table
7-6. Fields
of 648
the show mpls l2transport vc detail
Contents
Command
Index
Field
groupid
Description
AToM group ID advertised in the VC
productivity gains
FEC
destination
IP address of the targeted LDP

session
outgoing interface

the of
reach
of interface
your services
by unifying your
Indication
which
is being
used to transmit
next hop
Gain from the first MAC

bookaddress
to address
Layer
2 VPN
application utilizing
of the
next
hop or
both ATOM and L2TP
protocols
point2point

allow on
large
enterprise
customers
remote interface description
Interface
remote
PE that
connectsto enhance
while
to the
CE maintaining routing control
For a majority of ServiceIndication
Providers,ofawhether
significant
of their revenues
theportion
line card
and
voice
services based
has
been
programmed
(thaton
is,legacy transport
3 MPLS
VPNsresolved)
imposition
rewrite
current imposition
of the
slotlike
performing
legacy Layer 2 and LayerIndication
3 networks
would
to move toward a single
imposition
VLAN
would for
likethis
to sell
last disposition
Indication of the last slot performing
disposition*
infrastructure.
imposition
packet or bytes in
Per VC counters for disposition
Network (VPN) concepts,Per
and
packet or bytes out
VCdescribes
counters Layer
for imposition
*7600 supports assists
per-destination
load
readers looking
sharing. If multiple
connections
to the
history
and implementation
MPLS cloud exist,
the
imposition
the
Cisco
Unified VPN suite: Any Transport over MPLS (ATOM) for MPLStraffic can be transmitted
on and
one Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
based cores
interface, and the
disposition
IP cores. The traffic
for the same VLAN
can to
beLayer
received
in benefits and implementation requirements and
reader
2 VPN
another interface.

Summary By
In this chapter, you Publisher:

learned how
configure and troubleshoot EoMPLS. EoMPLS specifies
Cisco to
Press
transport of EthernetPub
frames
across
Date: March
10, an
2005MPLS core based on the draft-martini. Following are
some of the important EoMPLS points to remember:
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
To
establish
an
EoMPLS
circuit, you must designate a specific physical port for an
Index
enterprise customer on a PE.

EoMPLS VCs are point-to-point circuits.
Traffic sent productivity
between thegains
imposition/disposition routers (PEs) over an EoMPLS VC takes
the same path across the IP/MPLS backbone unless the LSP changes because of routing
changes inside the provider network.
A customer can have more than one EoMPLS VC per physical port. In this case, the PE
costs
and extend
the 802.1q
reach ofheaders
your services
byEoMPLS
unifyingVC.
your
should be able to Reduce
distinguish
between
specific
for each
infrastructure.

Chapter 8. WAN Protocols over MPLS

Case Studies

ISBN: 1-58705-168-0

This chapter
Contents
Index
Pages: 648
Setting up WAN over MPLS pseudowires

Introducing WAN protocols over MPLS
Configuring productivity
WAN protocols
over MPLS case studies
gains
Advanced WAN AToM case studies

This chapter covers the functional details and implementation of the transport and tunneling of
different WAN protocols
over Multiprotocol
Labelthe
Switching
(MPLS).
Building
the WAN
Reduce
costs and extend
reach of
your services
byupon
unifying
your
data-link protocol primer
introduced
in
Chapter
5,
"WAN
Data-Link
Protocols,"
and
the overview
of Any Transport over MPLS (AToM) introduced in Chapter 6, "Understanding Any Transport
over MPLS," this chapter
explores
thefirst
operation,
troubleshooting
of HighGain
from the
book toconfiguration,
address Layerand
2 VPN
Level Data Link Controlboth
(HDLC),
Relay, and AToM. It also covers the different
ATOMPPP,
andFrame
L2TP protocols
operational modes of these protocols.
Similarly to previous chapters,
this chapter
through the
different
building blocks and
their service
offeringswalks
whileyou
maintaining
routing
control
detailed configuration and operation aspects of WAN protocols over MPLS. Several case studies
Forprovider
a majority
Providers, aAlthough
significant
portion of
their revenues
present the service
sideofofService
the configuration.
customer
premise
still derived
data
and
voice
servicesLayer
based2 on
legacy transport
configurations areare
included,
they from
do not
vary
from
traditional
transport
technologies,
technologies.
Althoughto
Layer
3 MPLS
because WAN over
MPLS is transparent
the end
user.
infrastructure.


Setting UpBy
WAN over MPLS Pseudowires
In the most general Publisher:

sense, the
transport
and tunneling of Layer 2 WAN protocols is no different
Cisco
Press
from the transport ofPub
Ethernet
over
Date: March
10,MPLS.
2005 As discussed in detail in previous chapters, draftmartinibased technologies allow the transport of Layer 2 packets over an MPLS network over
ISBN: 1-58705-168-0
Table of
point-to-point
pseudowires. Although the underlying architecture does not change, several
Pages:
648
LayerContents
2-specific customizations from the architectural model allow the transport of specific
Index
Layer
2 WAN protocols. This section covers some of these similarities and differences.
Control Plane
productivity gains
The setup and maintenance of AToM pseudowires is based on the targeted (also referred to as
directed ) Label Distribution Protocol (LDP) session between a pair of provider edge (PE)
Learn
about
Layer 2 Virtual
Private
Networks
(VPNs)
routers. You can bind the
Layer
2 attachment
circuit
(AC) to
the label
by using the LDP Label
Mapping message. Several pseudowires that are signaled by the targeted LDP session between
Reducenetwork
costs and
extend
the label-switched
by unifying
PEs use one packet-switched
(PSN)
tunnel
path (LSP)
signaled your
by Link
network
architecture
LDP (IGP) or another label distribution protocol, such as Resource Reservation Protocol Traffic
Engineering (RSVP-TE).
both ATOM and
protocols
The fact that multiple pseudowires
useL2TP
the same
PSN tunnel and that only PE devices
participate in pseudowire signaling adds to the scalability of the AToM solution, given that only
PEs know about pseudowire to attachment circuit mappings (PW<->AC), whereas the core P
routers remain uninformed of them. The core only knows about Interior Gateway Protocol
(IGP) layer LSPs.For a majority of Service Providers, a significant portion of their revenues
Note
services
over(VC)
theirand
existing
Layer 3are
cores.
solution in these
cases is a
The terms virtual
circuit
pseudowire
usedThe
interchangeably
as the
technology
that
would
allow
Layer
2
transport
over
a
Layer
3
mechanism that transports the elements of an emulated service between PE routers
infrastructure.
over the MPLS
PSN.
One of the special cases of setting up WAN over MPLS pseudowires is the use of specific
interface parameters in the Pseudowire ID FEC element, which you learned about in Chapter 6.
For example, whereas some interface parameters are applicable to multiple VC types or
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSemulated services (such as maximum transmission unit [MTU] and Interface Description),
others are valid only for specific VC types.
readeroftoconcatenated
Layer 2 VPN benefits
implementation
The maximum number
ATM cellsand
interface
parameterrequirements
is applicable and
only to the
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as MPLS,
thenindicates
different ATM cell transport modes. The Frame Relay DLCI length interface
parameter
covering
currently
available
solution
in Frame
greaterRelay
detail.
the length of the progressively
DLCI field in the
Frameeach
Relay
header and
pertains
only to
over
MPLS.
The following subsections explain more about the transport of WAN protocols over MPLS PSNs:
Pseudowire types used
Data plane encapsulation
Usage of the control word
MTU size requirements

Wei Luo, -Used
CCIE No. 13,291,Carlos Pignataro, Pseudowire By
Types
The 15-bit pseudowire type (or VC type) field identifies the type of pseudowire. The different
Cisco
VC types used in thePublisher:
transport
of Press
WAN protocols over MPLS are shown in Table 8-1.
ISBN: 1-58705-168-0
Table of
Contents
Index
Pages: 648
Table 8-1. Pseudowire Types Used in WAN Transport
Pseudowire
Master the world of Layer 2Usage
VPNs to provide enhanced services and enjoy
Type
Description
productivity gains
0x0001
Frame Relay DLCI
Frame Relay over MPLS DLCI Mode
0x0002
ATM AAL5
SDU
VCCLayer 2 Virtual
ATM over
MPLS
AAL5 SDU
Mode
Learn
about
Private
Networks
(VPNs)
0x0003
0x0006
ATM Transparent Cell

ATM over MPLS Cell Relay Port Mode
HDLC network architecture HDLC over MPLS
0x0007
PPP
0x0009
0x000A
PPPtoover
MPLSLayer 2 VPN application utilizing
address
ATM n-to-one VCC[1] cell
ATM over MPLS Cell Relay VC Mode
Review VPC
strategies
allow
large
enterprise
customers
ATM n-to-one
[2] cell that
ATM
over
MPLS
Cell Relay
VP Modeto enhance

[2] Virtual path connection
legacy Layer
and chapter
Layer 3 reference
networks these
would pseudowire
like to movetypes.
toward a single
The case study sections
later in2 this
Data Plane Encapsulation
infrastructure.
[1]
Virtual channel connection
2 VPN
Architectures
introduces
readers
to Layer 2inVirtual
Private
The encapsulationLayer
of Layer
2 WAN
protocol data
units (PDU)
is specified
the encapsulation
(VPN)
concepts,Emulation
and describes
Layer 2 VPN
techniques
via
martini draft and Network
subsequent
Pseudowire
Edge-to-Edge
(PWE3)
working
group
introductory
case
studies
and8-1).
comprehensive
scenarios.
book
derivative drafts spawned
from
it (see
Figure
Essentially, design
the Layer
2 PDU isThis
encapsulated
readers
to meet
requirements
by explaining
in an MPLS stack assists
where the
innerlooking
or bottom
labelthose
(the VC
label contained
in the VCthe
MPLS shim
and2implementation
details
two technologies
header) identifieshistory
the Layer
attachment circuit
andof
is the
advertised
in the LDPavailable
targetedfrom
session.
the
VPN suite:
Transport
over MPLS
MPLSThe tunnel header
is Cisco
in turnUnified
comprised
by 0 orAny
more
MPLS headers
from(ATOM)
the PSNfor
tunnel
control
plane.
progressively
covering each of
currently
solution
in MPLS
greater detail.
Figure
8-1. Encapsulation
WANavailable
Protocols
over

ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
Note
that
the
depth
of
the
tunnel
header in terms of the number of MPLS shim headers can
Index
vary along the LSP. The tunnel header has 0 labels in the case of Penultimate Hop Popping
(PHP), whereby the egress PE advertises an implicit null label in the link LDP session. In the
most common case, the tunnel header is made of one label distributed by the core LDP session.
However, the tunnel
header
can contain
more
thanto
one
label in
cases such
as traffic
Master
the world
of Layer
2 VPNs
provide
enhanced
services
and enjoy
engineering (TE) productivity
with Fast Reroute
gains (FRR), MPLS-VPN Carrier Supporting Carrier (CSC), or
inter-AS (IAS) environments or when using the reserved Router Alert label of 1.
Learnreside
about between
Layer 2 Virtual
Networks
(VPNs)
A 32-bit control word might
the VCPrivate
label and
the WAN
Layer 2 PDU. The control
word negotiation and usage are covered in Chapter 6. The upcoming section discusses the
Reduce
costs
the reach
control word usage in the
context
of and
WANextend
protocols
over MPLS.
Usage of the Control

Word
both ATOM
and L2TP protocols
Review
strategies
allow
large
to enhance
During pseudowire setup,
the usage
of a that
control
word
is negotiated
by setting the
C bit in the
their service
while the
maintaining
routing
control
pseudowire ID FEC element.
Figure offerings
8-2 compares
control word
format
for different WAN
protocols over MPLS.
customers,
they
have some
drawbacks.
Ideally, carriers
existing
Figure 8-2.
Control
Word
Format
for Different
WAN with
Protocols
infrastructure.
The following describes each component from Figure 8-2:

All encapsulations
First Nibble
The Cisco
first four
Publisher:
Press bits are set to 0x0 to prevent aliasing with IP packets
over MPLS. For IP over MPLS (IPoMPLS), the first nibble coincides with the IP
Header's version field: 0x4 for IPv4 and 0x6 for IPv6.
ISBN: 1-58705-168-0
Table of
Pages:
648 two bits are fragmentation indicators that are used in PWE3
B- and E-Bits These
Contents
fragmentation
and
reassembly.
Index
Length The 6-bit Length field permits values from 0 to 64 only. You use this field
when the link layer protocol in the PSN requires a minimum frame length. If the
total length
ofthe
an AToM
payloadincluding
control services
wordis less
64
Master
world packet's
of Layer 2
VPNs to providethe
enhanced
andthan
enjoy
bytes, productivity
you set the Length
gains field to the length of the AToM packet's payload, including
the 4-byte control word. Otherwise, you set it to 0.
Layer also
2 Virtual
Private
Networks
(VPNs)
Frame Relay overLearn
MPLSabout
(FRoMPLS,
referred
to as
FRoPW in
Internet Engineering
Task Force [IETF] documents)
network
architecture
F-bit FR forward
explicit
congestion notification (FECN) bit.
Gain from
the first
book to notification
address Layer
2 VPN
B-bit FR backward
explicit
congestion
(BECN)
bit.
D-bit FR DE bit, which indicates the discard eligibility.
C-bit FR frame
(C/R)
bit.
theircommand/response
service offerings while
maintaining
routing control
AAL5 CPCS-SDU
referred
to asProviders,
AAL5 SDUaover
MPLS) portion of their revenues
For a (often
majority
of Service
significant
T-bit Transport
type.
Indicates
ATM3admin
orfulfill
AAL5the
payload.
technologies.
Although
Layer
MPLS cell
VPNs
E-bit Explicit
Forward
Congestion
Indicationwould
(EFCI)like
bit.to move toward a single
legacy Layer
2 and
Layer 3 networks
C-bit Cell loss priority (CLP) bit.
U-bit Command/Response field.
infrastructure.
Although the control word is optional for some encapsulations such as PPP, HDLC, and cell relay
(ATM cell mode transport), it is required for Frame Relay and ATM AAL5 over MPLS. This
requirement for Frame Relay and ATM AAL5 transport modes is because the control word
carries control information. This information is specific for the Layer 2 that is being emulated
that is not carried in the AToM payload. For example, you will see in the upcoming section
"Frame Relay over MPLS" that the Frame Relay Q.922 header is stripped at the ingress PE at
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSMPLS imposition, so the control word carries the FECN, BECN, and DE bits that were present in
the now-stripped header.
MTU Requirements
Every time you encapsulate a PDU with a new protocol header, you need to take into account
maximum transmission unit (MTU) considerations. In a Layer 2 VPN, PEs during imposition are
encapsulating a customer edge's (CE) Layer 2 PDU to be switched across an MPLS network.
You need to calculate a series of associated overheads to properly set up the core MTU. You
can subdivide these overheads into three categories:
Transport overhead This is the overhead that is associated with the specific Layer 2
that is being transported. Table 8-2 lists transport overheads for different WAN protocols.
Table 8-2.
Transport
Overhead
for Different
WAN
Protocols
ByWei
Luo, - CCIE No.
13,291,Carlos Pignataro,
- CCIE No. 4619,
Dmitry
Bokotey, - CCIE
No. 4460,Anthony Chan, - CCIE
No. 10,266
over
MPLS
Transport Type
Transport
Transport Header Reason [Bytes]
Pub Date:
March 10,Size
2005
Header
ISBN: 1-58705-168-0
Table of
Frame Relay DLCI,
2 648
bytes
Pages:
Contents
Cisco
Index
Ethertype [2]
encapsulation
Frame Relay DLCI, 2-8 bytes

SNAP => Control [1] + Pad [1] +
IETF encapsulation
NLPID [1] + OUI [3] + Ethertype [2]
Cisco HDLCproductivity
4 bytes
Address [1] + Control [1] + Ethertype
gains
[2]
PPP
2 about
bytes Layer 2 Virtual
PPPPrivate
DLL Protocol
[2](VPNs)
Learn
Networks
AAL5
0-32 bytes
Header
first book
toMPLS
address
Layeradd
2 VPN
application
utilizing
MPLS overheadGain
This from
is thethe
overhead
that
headers
(including
the VC
label). It
both
ATOM
L2TPofprotocols
is equal to 4 bytes
times
the and
number
MPLS headers included.
thatincurred
allow large
enterprise
to enhance
AToM overheadReview
This is strategies
the overhead
because
of thecustomers
control word.
It is equal to
4 bytes.
For
majority ofleft
Service
a In
significant
of their
revenues
ATM Cell transport
is adeliberately
out ofProviders,
Table 8-2.
ATM cellportion
relay over
MPLS
(CRoMPLS),
are transported
still derived are
fromofdata
andlength
voice services
based
on can
legacy
transport
the packets that are
a fixed
of 52 bytes.
They
be concatenated
Although
Layer
MPLS VPNsdifferent
fulfill thethan
market
need
forLayer
some 2
up to a maximumtechnologies.
number of cells,
making
MTU3calculation
for all
other
customers,
they have
some drawbacks.
Ideally,
carriers
withTransport"
existing covers
transports. The upcoming
section
"Encapsulations
and Packet
Format
for Cell
this topic.
Frame Relay withservices
IETF encapsulation
refers to
RFC 3
2427,
"Multiprotocol
over their existing
Layer
cores.
The solution Interconnect
in these casesover
is a
Frame Relay," which
makes RFC
For 2Frame
Relay
witha IETF
DLCI
technology
that 1490
wouldobsolete.
allow Layer
transport
over
Layerencapsulation
3
transport, the overhead
is considered variable; many packets have a transport overhead of 2
infrastructure.
bytes: the control byte of 0x03 and the Network Layer Protocol Identifier (NLPID). This is the
Layer
2 VPN Architectures
introduces
readers
to Layer
Virtual
minimum overhead
in Frame
Relay IETF. However,
in some
other
cases 2(such
as Private
when a
Layer
VPNindicates
techniques
viaa Subnetprotocol does notNetwork
have an (VPN)
NLPIDconcepts,
assigned),and
thedescribes
NLPID value
of 20x80
that
studies
and The
comprehensive
design
scenarios.
This book
work Attachment introductory
Point (SNAP)case
header
follows.
Organizationally
Unique
Identifier
(OUI) of
assists
to meet
those
by explaining
the
0x000000 indicates
that readers
a 2-bytelooking
Ethertype
follows.
In requirements
this case, in which
the upper
layer
historythe
andtransport
implementation
details
of the and
two you
technologies
available
fromcase
protocol has no NLPID,
overhead
is 8 bytes,
need to use
the worst
when setting the the
coreCisco
MTU.Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
On the other hand,
Frame
Ciscoofencapsulation,
a 2-byte
is always
IP for
cores.
TheRelay
structure
this book is focused
on Ethertype
first introducing
the used
instead of controlreader
and NLPID,
making
the
transport
permanently
2 bytes.and
to Layer
2 VPN
benefits
andoverhead
implementation
requirements
Tip
When you are studying the packet formats for the different WAN protocols in the
upcoming sections, a good exercise is to come back to Table 8-2 and identify the
different fields that make up the transport overhead.
You can use the following generic formula to calculate the core MTU from the edge MTU. The
edge MTU is the MTU configured in the interface of the CE-facing PE:
Core MTU
Edge
MTU- +CCIE
Transport
Header
+ AToM
Header
(MPLS
Label
Stack *
ByWei Luo,
No. 13,291,Carlos
Pignataro,
- CCIE
No. 4619,+Dmitry
Bokotey,
- CCIE
MPLS Header No.
Size)
4460,Anthony Chan, - CCIE No. 10,266
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.

Introducing
WAN Protocols over MPLS
The following sections

detail Cisco
the different
WAN protocols over MPLS. This section presents
Publisher:
Press
fundamental concepts
the transport
of HDLC frames over MPLS (HDLCoMPLS), Point-toPubabout
Date: March
10, 2005
Point Protocol over MPLS (PPPoMPLS), FRoMPLS, and different flavors of Asynchronous Transfer
ISBN: 1-58705-168-0
Table
Mode
overofMPLS (ATMoMPLS).
Pages: 648
Contents
Index
HDLC over MPLS

the
Layer
VPNs to provide
enhanced
services
and enjoy
As you learned inMaster
Chapter
5,world
Cisco of
HDLC
is 2
proprietary.
It differs
from the
International
productivity gains
Organization for Standardization
(ISO) standard HDLC in that Cisco HDLC does not perform
windowing and retransmission. In addition, the higher layer protocol identification is not
standardized. Cisco HDLC uses the Ethernet Type value to identify the higher layer protocol that
Learn and
about
Layer 2 Virtual
Private
Networks
it carries. The frame format
bit-stuffing
techniques
used
in HDLC(VPNs)
are defined in the
American National Standards Institute (ANSI) T1.618 standard.
network
architecture
Figure 8-3 depicts the Cisco
HDLCoMPLS
frame format highlighting the fields that are stripped
and removed at AToM imposition.
Figure
8-3. Cisco HDLCoMPLS Packet Format

infrastructure.
You can see that, except for the start and the end of the frame flag equal to 0x7E and the
frame checksum carried
the
frame check introduces
sequence (FCS),
the
HDLC frame
Layer 2 in
VPN
Architectures
readers
tocomplete
Layer 2 Virtual
Private
including all header
fields
is
transported
unmodified.
Frame
flags
and
FCS
fields
Network (VPN) concepts, and describes Layer 2 VPN techniquesare
viaremoved at
ingress and re-created
at
egress.
All
header
fields
are
uninspected,
meaning
that
no one
introductory case studies and comprehensive design scenarios. This
book
attempts to interpret
the
header
and
make
assumptions.
At this point, you might be thinking that HDLC is too basic, so HDLCoMPLS is basic, too. Why
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSwould you want to use HDLCoMPLS? The answer to that question is specific: The strength of
HDLCoMPLS is its simplicity. Because someone checks only the flag and FCS fields, you can
transport an HDLC-like protocol by using HDLCoMPLS. As long as the Layer 2 protocol contains
a 0x7E flag and a frame checksum as a trailer, you can tunnel it by using HDLCoMPLS in a portcomparing them to those of Layer 3 based VPNs, such as MPLS, then
to-port or interface-to-interface mode. In fact, that is why you can transport Cisco HDLC over
HDLCoMPLS. As far as HDLCoMPLS is concerned, standard HDLC and Cisco HDLC frames are
indistinguishable. Other protocols that share HDLC-like framing and can be transported in a
port-mode fashion are Synchronous Data Link Control (SDLC), CCITT No. 7 signaling, IBM
Systems Network Architecture (SNA), PPP, Frame Relay, and X.25.
PPP over MPLS

Modeled after the HDLC frame with the addition of the protocol fields, PPP is a standard method
for transporting multiprotocol datagrams over point-to-point links.

The transportation of PPP frames over MPLS is quite similar to the transportation of HDLC
Layer 2 VPN
Architectures
frames. The two frames
share
many common characteristics, including the same control word
format.
In contrast to HDLCoMPLS, however, PPPoMPLS requires some interpretation of the PPP header.
Specifically, in addition
to the 0x7E flag and FCS fields being removed at imposition, the
Address (0xFF) and Control (0x03) fields are stripped at the imposition router. These fields are
not transported in PPPoMPLS packets (that information can be implicitly gleaned because the VC
ISBN: 1-58705-168-0
type is
PPP)
Table
of and re-created at the disposition PE before transmitting to the remote CE. Figure 8
Pages:
648format.
4 shows
the PPPoMPLS packet
Contents
Index
Figure 8-4. PPPoMPLS Packet Format
productivity gains

As you can see inservices
Figure 8-4,
media-specific
framing
information
is excluded
notis a
overall
their
existing Layer
3 cores.
The solution
in theseand
cases
transported. The technology
PPP PDU is transported
in
its
entirety,
including
the
Protocol
field
(whether
that would allow Layer 2 transport over a Layer 3
compressed usinginfrastructure.
Protocol Field Compression [PFC] or not).
As a result, the following
will not
work:
Layer 2 VPN
Architectures
FCS alternatives
implementation
Address andhistory
Controland
Field
Compression (ACFC)
cores
and Layer
2 Tunneling
Asynchronous
Control
Character
Map
(ACCM) Protocol version 3 (L2TPv3) for native
reader
PFC, however, will
work.to Layer 2 VPN benefits and implementation requirements and
Because in PPPoMPLS
the Address
and Control
fields areavailable
interpreted
and not
transported,
progressively
covering
each currently
solution
in greater
detail. CEs
should not negotiate ACFC. ACFC is not recommended anyway, because the performance
penalty in alignment is larger than the bandwidth savings. Using ACFC results in a 2-byte PPP
header, and using PFC results in a 3-byte PPP header; in both cases, the PPP PDU does not start
after a 32-bit-word. If you want the CEs to perform ACFC anyway, use HDLCoMPLS.
Note
Using either ACFC or PFC (both defined in RFC 1661, "The Point-to-Point Protocol
[PPP]") changes the alignment of the network data inside the frame, which in turn
decreases switching efficiency in both the ingress and egress CE.
Because the Protocol field is transported unmodified, you can negotiate PFC between PEs. That
is not recommendedPublisher:
though,Cisco
because
Press of the same word alignment reasons explained for ACFC.
One important aspect of the transport of PPPoMPLS is the PPP Finite State Machine (FSM)
ISBN: 1-58705-168-0
Table of specifically between which peers PPP negotiation (that is Link Control Protocol
negotiation,
Pages:
648
Contents
[LCP],
authentication, and Network
Control Protocols [NCP]) occur. In PPPoMPLS, the PPP
Index
negotiation
takes place directly between CE devices. In other words, PPP does not actually run
or terminate on the PE devices. After you configure an interface for PPP encapsulation in a PE
router, PPP leaves the closed state and tries to negotiate LCP and NCP. Then, when a
pseudowire is configured for PPPoMPLS, PPP enters a closed state, and LCP and NCP negotiation
Master
is nonexistent with
the CE.
productivity gains
Frame Relay over

MPLS
Learn
andofextend
reach of your
services
by unifying
your
At this point, you haveReduce
alreadycosts
learned
a way the
to transport
Frame
Relay frames
in port
mode
network
architecture
over an MPLS PSN: using HDLCoMPLS. When you are using HDLCoMPLS, Local Management
Interface (LMI) runs directly between CE devices and not between PE and CE. Therefore, if the
Gain from
the first
to Relay
address
utilizing
CE devices are Frame Relay
switches,
usebook
Frame
Network-to-Network
Interface
(NNI); if
both
ATOM
and
L2TP
protocols
the CE devices are routers, use Frame Relay data communication equipment-data terminal
equipment (DCE-DTE) LMI.
service
offerings
controlframes over MPLS,
There exists, however,their
a much
more
granularwhile
way maintaining
to transportrouting
Frame Relay
and that is by using Frame Relay DLCI mode. FRoMPLS DLCI mode enables you to transport a
specific Frame Relay VC over an MPLS cloud. Perhaps even more importantly, it provides the
framework for local management between PE and CE device by means of Frame Relay LMI. LMI
enables the exchange of Link Status by way of a keepalive mechanism using Status Enquiry and
Status messages, in addition to Frame Relay PVC or DLCI Status using a Full Status message.
In contrast to PPPoMPLS, FRoMPLS has some PE-CE management exchange because LMI runs
between PE and CE devices.
technology
allow
Layer
2 transport
Layer 3
As detailed in Chapter
5, youthat
can would
configure
two
different
Frame over
Relaya encapsulations
on a Cisco
infrastructure.
router: IETF and Cisco. Figure 8-5 depicts these two encapsulation methods.

Figure 8-5. FRoMPLS Packet Format
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS[View full size image]

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
FromFigure 8-5, you can see that for both encapsulation methods, and similarly to HDLCoMPLS
and PPPoMPLS, the Flag
of 0x7E
and
the FCS
are stripped
at imposition
and are not transmitted
Learn
about
Layer
2 Virtual
Private Networks
(VPNs)
over AToM. The 2-byte Q.922 header is also stripped at imposition and is not transported in
AToM. In consequence,Reduce
a mechanism
should
be the
in place
toof
inform
the remote
PE of theyour
value of
costs and
extend
reach
your services
by unifying
all the fields in the Q.922
header
so
that
the
remote
PE
can
re-create
it
and
send
a
Frame
Relay
packet to the remote CE without losing information. The following list details the different
methods for conveyingGain
the Q.922
FR first
header
information
the remote
PE:
from the
book
to addresstoLayer
2 VPN application
utilizing
DLCI PEs do not Review
exchange
the DLCIthat
at any
moment.
It is a local
PE responsibility
to map
strategies
allow
large enterprise
customers
to enhance
the local VC that is
exchanged
by LDP inwhile
the pseudowire
forward
error correction (FEC)
their
service offerings
maintainingID
routing
control
to the attachment circuit (that is, the Frame Relay DLCI). Remember that DLCIs are
locally significant,
and the of
PSN
is acting
as a Frame
Relay cloud.
For a majority
Service
Providers,
a significant
C/R The Command/Response
bit isLayer
sent in
the C-bit
in fulfill
the Frame
Relay need
over Pseudowire
3 MPLS
VPNs
the market
for some
(FRoPW) Header
(that
is,
control
word).
Refer
to
Figure
8-2.
FECN The FECN
bit is while
sent in
thecarriers
F-bit in would
the FRoPW
is, control
backbone
new
like toHeader
sell the(that
lucrative
Layer word).
2
BECN The BECN bit is sent in the B-bit in the FRoPW Header (that is, control word).
infrastructure.
DE The discard
eligible bit is sent in the D-bit in the FRoPW Header (that is, control word).
Layer 2 VPNestablishment,
Architectures PEs
introduces
readers
to Layer 2 Virtual
Private
EA During pseudowire
negotiate
the characteristic
of a Frame
Relay
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via Frame
PVC with respect to extended addressing. They do this by including the optional
introductory
case
studies and
comprehensive
design
scenarios.
This
book
Relay DLCI length
interface
parameter
in the
VC FEC element
in the
FEC TLV
inside
the
assists
readers
looking
to
meet
those
requirements
by
explaining
the
LDP Label Mapping message. The optional Frame Relay DLCI length interface parameter
history and
implementation
details
of the of
two
technologies
available
froma
(interface parameter
type
0x08) indicates
the length
the
FR Header and
can have
the
Cisco
Unified
VPN
suite:
Any
Transport
over
MPLS
(ATOM)
for
MPLSvalue of 2 or 4.
cores.
The
structure
of this
is focused
on first
introducing
In summary, the IP
C/R,
FECN,
BECN,
and DE
are book
sent on
the control
word
flags on a the
per-packet
to Layer
VPN benefits
and implementation
basis. In contrast,reader
LDP sends
the 2extended
addressing
characteristicsrequirements
of the FR PVCand
on
comparing
to thosethat
of Layer
3 based
VPNs,
suchPVC,
as MPLS,
then need to
pseudowire establishment
P.them
This implies
on a given
Frame
Relay
all packets
progressively
covering
currently
available
solution in(that
greater
detail.header
use normal addressing
(Q.922 header
ofeach
2 bytes)
or extended
addressing
is, Q.922
of 4 bytes), but not mixed.
Note
FRoMPLS requires the control word.
As shown in Figure 8-5, the difference between IETF and Cisco encapsulation for Frame Relay is
the upper layer protocol
identification. You can configure a Cisco router to run either of the two
encapsulations. ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
For IETF encapsulation, the format for routed frames allows an NLPID value of 0x80, indicating
that a SNAP header Publisher:
follows (see
CiscoFigure
Press 8-6). Because not all protocols have an NLPID value
assigned (NLPID space
limited),
you
have to use the SNAP form in such cases. Using the
Pubis
Date:
March 10,
2005
SNAP form increases the transport overhead for Frame Relay IETF to a total of 8 bytes.
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Figure 8-6. Format of Routed Frames with SNAP Header

productivity gains
One of the direct infrastructure.
consequences of the dual encapsulation method using NLPID or SNAP is that
IP datagrams over Frame Relay can be encapsulated in two different ways:
Using an IP introductory
assigned NLPID
0xCC. This
is the preferreddesign
method
specified This
in RFC
2427
caseofstudies
and comprehensive
scenarios.
book
and also theassists
method
used
in
Cisco
routers.
readers looking to meet those requirements by explaining the
Using an NLPID value of 0x80 indicates that a SNAP header follows. A SNAP header
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSincludes an OUI of 0x000000 that indicates an Ethertype follows. The Ethertype of 0x0800
is for IP.
ATM over MPLS
You can categorize the transport of ATMoMPLS as follows:
ATM AAL5 over MPLS Transport of RFC 2684/1483 AAL5 SDUs over MPLS.
ATM Cell over MPLS Relay of ATM cells over MPLS. You can subcategorize ATM Cell Relay
over MPLS as follows:
Port Mode Transport of ATM cells from an ATM interface.
VP Mode Transport of ATM cells from an ATM virtual path (VP).

VC Mode
of ATM cells from an ATM virtual circuit (VC).
LayerTransport
2 VPN Architectures
ATMoMPLS presents three different degrees of transport granularity: granularity at the VC, VP,
or Port level. If a user wants to transport an ATM VC over MPLS, he has the option of doing
AAL5 over MPLS (AAL5oMPLS) or CRoMPLS VC mode. A user has to use CRoMPLS if the ATM
Publisher:
Press
frames transported over
the Cisco
VC are
not AAL5 but a different adaptation layer, such as AAL2. In
Pub
Date:
March
10,the
2005differences between the two. If a user wants to
the next section, you learn some of
ISBN:
1-58705-168-0
transport an ATM VP (for
example,
for virtual trunking applications) or an ATM port (for
Table of
trunking
or cell transport
applications),
the only mode available is CRoMPLS.
Pages:
648
Contents
Index
Encapsulations and Packet Format for AAL5 Transport

world ofthat
Layer
2 VPNsmore
to provide
enhanced
services
and
enjoy
ATM is the Layer Master
2 WAN the
technology
involves
data plane
complexity
than
the
others.
productivity
gainsprotocol stack includes the ATM Adaptation Layer (AAL) and
As detailed in Chapter
5, the ATM
the ATM layer. AAL is in turn divided into two sublayers:
Convergence sublayer (CS)
network
architecture
Segmentation and
reassembly
(SAR) sublayer
Gain
from the first
address
Layer
2 VPNthe
application
utilizing
The first AToM mode for
transporting
ATMbook
is thetoAAL5
mode,
in which
pseudowire
both
ATOM
and
L2TP
protocols
transports AAL5 common part convergence sublayer (CPCS) service data units (SDU).
Review
strategies
that allow
enterprise
customers
Figure 8-7 shows that the
AAL5
CPCS protocol
datalarge
unit (PDU)
is composed
of to
theenhance
CPCS-PDU
service
offerings
while
maintaininglength
routing
control
payload or CPCS-SDU,their
padding
to ensure
that
the CPCS-PDU
is an
integer multiple of 48
bytes for the SAR layer, and a CPCS-PDU trailer. The CPCS-PDU trailer in turn contains a 1-byte
For a majority
of Service
a significant
portion (CPI),
of theira revenues
User-to-User indication
(CPCS-UU)
field, a Providers,
1-byte common
part indicator
2-byte Length
are
still
derived
from
data
and
voice
services
based
on
legacy
transport check
indicator that specifies the length of the payload in octets, and a 4-byte cyclic redundancy
technologies. CPCS-PDU's
Although Layer
3 MPLS
fulfill the without
market need
for some
(CRC). Only the CPCS-SDUthe
payload
or VPNs
the CPCS-PDU
its padding
and
customers,
they
have
some
drawbacks.
Ideally,
carriers
with
existing
traileris transported in AAL5oMPLS SDU mode.
Figure 8-7. AAL5oMPLS Packet Format
infrastructure.

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
Gain from
theAAL5
first CPCS-SDU
book to address
LayerISO
2 VPN
application
utilizing
Figure 8-7 shows the format
of the
for routed
(such
as Connectionless
both
ATOM
and
L2TP
protocols
Network Service [CLNS]) and non-ISO (such as IP) protocols. These formats are useful in
understanding the different overheads that play for different protocols that are transported in
AAL5oMPLS.
The only supported AAL5 transport mode over MPLS is AAL5 SDU mode. In protocol layering or
protocol encapsulation, a service access point (SAP) exists between two layers (see Figure 8-8).
Each protocol sends (down direction) and receives (up direction) data via the SAP. The PDU at a
higher layer N+1 becomes the layer N SDU when traversing the SAP. At layer N, protocol
control information (PCI) is added to the SDU to form the PDU at that layer N, which in turn
becomes the SDU at layer N-1. In summary, at a given layer, PDU = PCI + SDU. PDU includes
the protocol control data (PCI) plus the carried data (SDU). The PDU at layer N is the SDU at
layer N-1. Any data that enters the AAL5 layer becomes an SDU for AAL5 CS.
infrastructure.

Figure(VPN)
8-8.concepts,
Understanding
PDU
Versus
SDU
Network
and describes
Layer
2 VPN techniques
via
In AAL5 SDU mode, the AToM payload's (AAL5 CPCS-SDU) length need not be an integer
multiple of 48 bytes, because the padding and trailer were stripped before AToM encapsulation.
In AAL5oMPLS, the ingress PE receives ATM cells from the customer premises equipment (CPE),
and it needs to reassemble them to send an AAL5 SDU over MPLS in a single packet. The cell
headers are not transported,
so it is critical to understand how the different ATM cell header
fields are conveyed
to
the
other
end. In AAL5oMPLS, the presence of a control word is required,
although its use isNo.
optional
(refer
to Figure 8-2). The following list enumerates the different ATM
cell header fields and how they are transported in AAL5 SDU mode:
Pub Date: March
10, 2005
Virtual path identifier
(VPI)
and virtual circuit identifier (VCI) PE routers do not
carry or exchange ISBN:
the VPI
and VCI. The PEs keep the VPI and VCI values in the state of
1-58705-168-0
Table of
the pseudowire, and
the
disposition PE router rewrites the VPI and VCI value.
Pages:
648
Contents
Index
Payload type identifier (PTI) The PTI contains three fields:

C This field indicates whether the cell contains user data or control (management)
data; you can loosely map this field to the transport bit (T-bit) in the AAL5 control
word. The T-bit indicates whether an AToM packet contains a cell or an AAL5 SDU.
productivity gains
OAM cells on an AAL5 pseudowire are sent as cells and set the T-bit.
EFCI The EFCI is transported in the E-bit in the control word.
End of packet (EOP) You do not need the end of the AAL5 packet bit because the
cells are reassembled in the ingress PE.
CLP The CLP-bit is carried in the C-bit in the control word.

In AAL5 SDU mode, the ingress PE reassembles the AAL5 CPCS-PDU, strips off the padding and
CPCS-PDU trailer, and sends the AAL5 CPCS-SDU in an AToM packet; at the other end, the
egress PE regenerates the PAD and AAL5 trailer. Each AAL5oMPLS packet contains an AAL5 SDU
or an OAM Cell. AAL5 SDU mode has less overhead compared to AAL5 PDU mode, because the
8-byte trailer andFor
padding
are not
transported.
The padding
can be
significant
for revenues
small packets,
a majority
of Service
Providers,
a significant
portion
of their
given that the smallest
TCP
packet
requires
at
least
two
cells
when
transported
natively
are still derived from data and voice services based on legacy transportover
ATM.

Encapsulationsbackbone
and Packet
for Cell
Transport
whileFormat
new carriers
would
technology
that would
allow
Layerat2 the
transport
overof
a the
Layer
3 reference
In contrast, the different
CRoMPLS
modes
operate
ATM layer
ATM
infrastructure.
model.Figure 8-9 depicts the encapsulation of n-to-one CRoMPLS by including two ATM cells in
an AToM packet. Cisco implementation of ATM CRoMPLS uses n-to-one cell transport modes.
assistsFigure
readers looking
to meet those
requirements
by explaining the
8-9. CRoMPLS
Packet
Format

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
FromFigure 8-9, you can
see about
that for
cell 2
relay,
thePrivate
controlNetworks
word is optional.
Learn
Layer
Virtual
(VPNs) However, Cisco
implementation of CRoMPLS advertises the disposition capability for the control word (C-bit in
pseudowire ID FEC) and
uses the
control
word whenever
(that is, when
the remote
Reduce
costs
and extend
the reachpossible
of your services
by unifying
your side
supports the control word
as
a
disposition
capability).
In n-to-one ATM cell transport,
complete
ATMtolayer
cell header
appended
afterutilizing
the control
Gain froma the
first book
address
Layer 2isVPN
application
word, followed by 48 bytes
ATMand
cell L2TP
payload.
both of
ATOM
protocols

Note

In the ATM reference
model,
the cellLayer
header
is only
4 bytes
the ATM
layer.
The
technologies.
Although
3 MPLS
VPNs
fulfilllong
the at
market
need
for some
Transmissioncustomers,
Convergence
(TC)
sublayer
calculates
and
appends
the
fifth
byte
(header error
control
[HEC]),
which
is 3a networks
checksumwould
of thelike
ATM
header
in the
ATM
legacy
Layer
2 and
Layer
tocell
move
toward
a single
physical layer.
The TC while
sublayer
such
as cell
and 2
error
backbone
newhandles
carriersfunctions
would like
to sell
the delineation
lucrative Layer
detection and
correction
adding
a 1-byte
Because
cell relayinacts
in the
ATM
services
overby
their
existing
LayerCRC.
3 cores.
The solution
these
cases
is a
layer, and for
alignmentthat
and would
efficiency
reasons,
HEC byte
is anot
included
in the
technology
allow
Layer 2the
transport
over
Layer
3
transport of infrastructure.
ATM cells over MPLS.
An ATM cell is transported
withcase
52 bytes
in and
the comprehensive
AToM payload out
of the
53 bytesThis
of the
ATM
introductory
studies
design
scenarios.
book
cell, thereby carrying
VPI,
VCI, PTI,
and to
CLP
fields.
assists
readers
looking
meet
Note
In contrast to
AAL5oMPLS,covering
in CRoMPLS,
for a solution
user cellinand
progressively
each encapsulation
currently available
greater detail.
management or OAM cell is the same.
The VPI field in ATM cell encapsulation is 12 bits long to accommodate the NNI ATM header
format's VPI range. The field is interpreted as VPI; therefore, if the cell is actually using UNI
ATM header format, the Generic Flow Control field (first nibble) is always 0.
In n-to-1 ATM CRoMPLS, an imposition PE can concatenate multiple ATM cells into a single AToM
PDU. Concatenation of cells (also called cell packing ) is optional in transmission at the ingress
PE and is supported in ATM cell port, VP, and VC modes. You can view the cell concatenation as
a disposition property, in which an egress PE can support disposition for concatenated cells up
to a certain number of cells. The imposition PE knows the maximum number of cells that can be
2 VPN Architectures
linked because it Layer
is indicated
during pseudowire establishment with a new interface parameter.
ByWei Luo,
- CCIE No. 13,291,
Carlos
Pignataro,
- CCIE
No. 4619,Dmitry
Bokotey, -parameter
CCIE
The Maximum Number
of concatenated
ATM
cells
interface
parameter
(interface
type
No.maximum
4460,Anthonynumber
Chan, - CCIE
No. 10,266
0x02) specifies the
of cells
in a single AToM PDU that you can process at
disposition.
Table of
Contents
Note
Index
ISBN: 1-58705-168-0
Pages: 648
Because the interface parameter is included in the Label Mapping LDP message at VC
setup, changing its value would tear down and resignal the pseudowire.
productivity gains
The Maximum Number of concatenated ATM cells interface parameter is required for all the
different ATM cell transport modes (port, VP, and VC modes). If the egress PE supports
about
Layer 2only
Virtual
(VPNs) Number of
concatenated cells, theLearn
ingress
PE should
link Private
cells upNetworks
to the Maximum
concatenated ATM cells interface parameter received from the remote PE in the pseudowire ID
FEC element.
Note

The Maximum Number of concatenated or "packed" cells is configurable and does not
need to be identical between the PE routers. The configuration and details for this
feature are included in the section titled "Case Study 8-8: Packed Cell Relay over
MPLS," later in this chapter.
Naturally, the cell concatenation encapsulation is more bandwidth efficient than single cell relay
(that is, sending one ATM cell per AToM packet), because multiple cells share the AToM
overhead. Each ATM cell that is encapsulated in an AToM frame is 52 bytes long, and each AToM
infrastructure.
packet is at least 64 bytes (52 bytes + two MPLS headers + control word). On the other hand,
the compromise is
that 2when
you are using cell
concatenation,
imposition
router
introduces
Layer
VPN Architectures
introduces
readers the
to Layer
2 Virtual
Private
more delay whenNetwork
waiting for
cells
to
be
packed.
Even
with
a
value
for
packed
cells
greater
than
1, OAM cells are transported
in
a
single
AToM
packet.
In ATM cell transport, the MTU considerations are different from all other Layer 2 transports. In
ATM cell transport, you can predict the maximum AToM PDU size differently than with the other
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSLayer 2 technologies, because the packet size is fixed for ATM cells. You can configure the
maximum number of cells to be packed into an MPLS packet up to the MTU of the interface
divided by 52 bytes for each ATM cell. Alternatively, you can easily calculate the maximum
length of an AToM packet from the following formula and set up the core MTU accordingly:
Max AToM packet = (52 * max number of packed cells) + AToM Header + (depth of
MPLS label stack * MPLS Header size)
In the formula, the AToM Header refers to the 4-byte control word.

Configuring
WAN Protocols over MPLS Case Studies
This section covers the

configuration
Publisher:
Cisco Pressrequired to enable Layer 2 transport using AToM for different
WAN protocols. Using
a Date:
case March
study10,approach,
this section covers configuration for HDLCoMPLS,
Pub
2005
PPPoMPLS, FRoMPLS, and ATMoMPLS, concentrating on generic configurations rather than
ISBN: 1-58705-168-0
Tablespecifics.
of
platform
Pages: 648
Contents
Index
After
the configuration, each case study also covers verification and some troubleshooting for
each WAN protocol over MPLS.

All case studies use the same underlying MPLS PSN, shown in Figure 8-10. The objective of all the
theLayer
world2of
Layer 2 connectivity
VPNs to provide
enhanced
services
and sites,
enjoy with
case studies is to Master
establish
transport
between
the two
customer
productivity
gains
host names Oakland
and Albany.
Figure 8-10.
WAN Protocols over MPLS Case Study Topology
All case studies require common configuration and verification of the MPLS core. The following list
details the required pre-AToM configuration steps on all P and PE routers:
infrastructure.
1. Create a loopback interface and assign a /32 IP address to it.
2. Enable IP Cisco
Express
Forwarding
(CEF)
Network
(VPN)
concepts,
andglobally.
assists readers
looking
those
requirements
by explaining
theloopback
3. Enable MPLS globally
and select
LDP to
as meet
the label
distribution
protocol.
Specify the
implementation
interface's IP history
addressand
as the
LDP Router ID.
Layer
2 Tunneling
Protocol
version
3 (L2TPv3)
for Link
native
4. Assign IP addresses
to all and
physical
links
connecting
the core
routers,
and enable
LDP on
IP
cores.
The
structure
of
this
book
is
focused
on
first
introducing
the
them.
5. Enable an Interior
Gatewaycovering
Protocol each
(IGP)currently
among the
core routers
and
loopback
progressively
available
solution
in include
greater the
detail.
and the interfaces connecting P and PE routers. These case studies use Open Shortest Path
First (OSPF) with a single area 0.
The configuration for the SanFran router is shown in Example 8-1. The configuration for the other
two core routers is analogous to this one.
service timestamps debug datetime msec

service timestamps log datetime msec
!
hostname SanFran
!
ip cef
mpls ip
mpls ldp explicit-null
ISBN: 1-58705-168-0
mpls Table
force
Pages:
648
!
Contents
interface
Loopback0
Index
ip address 10.0.0.201 255.255.255.255
!
Master the255.255.255.0
productivity gains
mpls ip
!
router ospf 1
network 10.0.0.0 0.255.255.255 area 0
both
andtimestamps
L2TP protocols
InExample 8-1, you can
seeATOM
service
configured for logging and debug with the
msec option. This is done so that you have more time granularity in the debug and error message
output to better understand the protocols and ease troubleshooting.
Example 8-1 also shows mpls ldp explicit-null configured to advertise an IPv4 explicit null label
(a label with a value of 0) instead of the default implicit null (Pop label operation).
technologies.
Although
Layer 3
VPNs
the market
need
for some
Now you can verify
that the core
configuration
is MPLS
working
as fulfill
expected.
Use the
command
show
customers,
they have
some to
drawbacks.
Ideally,
carriers
withsessions
existing are UP.
mpls ldp neighbors
in the Denver
P router
confirm that
the two
link LDP
Layertwo
2 and
Layer
Implicitly, you arelegacy
validating
other
things:
technology
that would
Layer themselves.
2 transport over
a Layer 3 is performed by
First, that the
LDP neighbors
have allow
discovered
LDP discovery
sending LDPinfrastructure.
Hellos over UDP to the all-routers multicast address (224.0.0.2). It is a
prerequisite to LDP session establishment. You can check the LDP discovery status using the
Layermpls
2 VPNldp
Architectures
commandshow
discovery. introduces readers to Layer 2 Virtual Private
case
and
comprehensive
design
scenarios.
ThisLDP
book
Second, thatintroductory
IP routes for
thestudies
loopback
addresses
are being
propagated.
After
session
assists
readers
to meet
requirements
by explaining
discovery, you
establish
thelooking
LDP session
by those
setting
up a TCP session
between the
the addresses
history and
implementation
of the
technologies
available
that are advertised
in the
IPv4 Transportdetails
address
TLVtwo
in the
Hello messagein
thisfrom
case, the
Cisco Unified
VPN suite:
Any Transport
oversets
MPLS
for MPLS- to the
loopback IP the
addresses.
The higher
LDP session
ID (active)
up(ATOM)
a TCP connection
based cores
and Layer
2 Tunneling
Protocol
version
3 (L2TPv3)
lower LDP session
ID (passive)
at the
well-known
LDP port
of 646.
You can for
alsonative
check the IP
IP cores.using
The structure
of this
bookip
is route,
focusedand
on first
introducing
the
routing information
the command
show
verify
the LDP transport
reader
to Layer 2show
VPN benefits
and
implementation
address using
the command
mpls ldp
discovery
detail.requirements and
Example 8-2 shows
the Link LDP
sessions
highlighting
the state
is "operational."
progressively
covering
each
currentlythat
available
solution
in greater detail.
Example 8-2. Verifying the Core LDP Session

Denver#show mpls ldp neighbor
!This is NewYork PE
TCP connection: 10.0.0.203.11022 - 10.0.0.202.646
State: Oper; Msgs sent/rcvd: 47/48; Downstream
Up time: 00:34:06
LDP discovery sources:
Ethernet2/0, Src IP addr: 10.1.2.203
Layerbound
2 VPN Architectures
Addresses
to peer LDP Ident:
ByWei Luo, - CCIE10.1.2.203
10.0.0.203
No. 4460,10.0.0.201:0;
Anthony Chan, - CCIELocal
No. 10,266
Peer LDP Ident:
LDP Ident 10.0.0.202:0
!This is SanFran PE
TCP connection:
10.0.0.201.646
- 10.0.0.202.11006
Publisher: Cisco
Press
State: Oper;
Msgs
sent/rcvd:
46/46; Downstream
Pub Date:
March
10, 2005
Up time: 00:33:57
ISBN: 1-58705-168-0
Table LDP
of
discovery sources:
Pages:
648
Contents Ethernet1/0, Src
IP addr: 10.1.1.201
Index Addresses bound to peer LDP Ident:
10.0.0.201
10.1.1.201
Denver#
productivity gains
You can also verify the MPLS forwarding state in a PE and a P router (see Example 8-3).
Example 8-3. Verifying

the and
MPLS
Forwarding
Reduce costs
extend
the reach of State
Local Outgoing
Prefix
Bytes tag Outgoing
Next Hop
tag
tag or VC
or Tunnel Id
switched interface
16
0
10.1.2.0/24
10.1.1.202
Review
strategies that0allow large Et1/0
to enhance
17
0
10.0.0.202/32
Et1/0 routing10.1.1.202
their
service offerings 0while maintaining
control
18
16
10.0.0.203/32
0
Et1/0
10.1.1.202
SanFran#
are forwarding-table
Denver#show mpls
technologies.
3 MPLS
fulfill the Next
market
need for some
Local Outgoing
Prefix Although Layer
Bytes
tagVPNs
Outgoing
Hop
customers,
they
have
some
drawbacks.
Ideally,
carriers
with
existing
tag
tag or VC
or Tunnel Id
switched interface
legacy
Layer
2
and
Layer
3
networks
would
like
to
move
toward
16
0
10.0.0.203/32
1580313
Et2/0
10.1.2.203a single
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer 2
17
0
10.0.0.201/32
1614352
Et1/0
10.1.1.201
services
over
their
existing
Layer
3
cores.
The
solution
in
these
cases is a
Denver#
infrastructure.
2 VPNfor
Architectures
introduces
readers
to Layer
2 Virtual
Private The
At this point, youLayer
are ready
the specific Layer
2 WAN
protocols
transport
configuration.
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via
upcoming sections detail the configuration and verification in the following case studies:
and over
implementation
Case Study history
8-1: HDLC
MPLS
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSCase Study based
8-2: PPP
over
MPLS
cores
and
Case Study reader
8-3: Frame
Relay
DLCIbenefits
over MPLS
to Layer
2 VPN
Case Study progressively
8-4: ATM AAL5
SDU over
MPLS
covering
each
Case Study 8-5: ATM Cell over MPLS
Case Study 8-1: HDLC over MPLS

This section describes the configuration and verification of HDLCoMPLS for transport of HDLC-like
frames, including HDLC and Cisco HDLC. See Figure 8-11 for the case study topology.
Figure 8-11. HDLCoMPLS Case Study Topology

ByWei Luo, - CCIE No. 13,291,Carlos
Pignataro,
[View full
size image]
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
InFigure 8-11, you can see that building from the generic topology in Figure 8-10, you will be
Master
theinworld
of Layer
2 VPNs
to provide
enhanced
services
using interfaces Serial
5/0
both PE
routers
(SanFran
and NewYork)
and
in bothand
CE enjoy
routers
productivity gains
(Oakland and Albany).
Configuring HDLCoMPLS
network
architecture
You know from previous
chapters
that the AToM states and all Layer 2 transport-specific
configuration exist only in the edge routers. This adds to the scalability of the whole AToM
Gain from
the first book
to Serial
address
Layer 2 VPN
application
solution. Start by configuring
HDLCoMPLS
on the
interfaces
in the
PE routersutilizing
SanFran and
both
ATOM
and
L2TP
protocols
NewYork, as shown in Example 8-4.
Example 8-4. HDLCoMPLS PE Configuration

SanFran#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SanFran(config)#interface Serial5/0
SanFran(config-if)#no shutdown
SanFran(config-if)#xconnect 10.0.0.203 50 encapsulation mpls
SanFran(config-if)#
*May 19 01:44:32.328: %LINK-3-UPDOWN: Interface Serial5/0, changed state to up
infrastructure.
*May 19 01:44:33.360: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial5/0,
changed state to up
SanFran(config-if)#end
SanFran#
NewYork#conf t assists readers looking to meet those requirements by explaining the
historycommands,
and implementation
thewith
two technologies
available from
Enter configuration
one per details
line. of
End
CNTL/Z.
Any Transport over MPLS (ATOM) for MPLSNewYork(config)#pseudowire-class
atom_hdlc
based cores and
Layer 2 Tunneling
NewYork(config-pw-class)#
sequencing
transmitProtocol version 3 (L2TPv3) for native
IP cores. Theencapsulation
structure of this mpls
NewYork(config-pw-class)#
NewYork(config-pw-class)#interface
Serial5/0
comparing
them
to
those
of
Layer
progressively
covering
each
currently
available
NewYork(config-if)#xconnect 10.0.0.201 50 pw-class
hdlc
NewYork(config-if)#end
NewYork#
InExample 8-4, the configurations that are applied to both PE routers are slightly different,
although both achieve the same result. NewYork uses the pseudowire-class configuration, which
is more versatile than the one liner xconnect configuration and allows for different characteristics
to be applied to a pseudowire in a class fashion. This way, you can reuse the pseudowire class
across multiple pseudowires.
Also note that the encapsulation for the Serial interfaces is not configured. This is because the
default of Cisco HDLC is used.
When you configure

the
xconnect
Discovery
(CDP)
is automatically
ByWei
Luo,
- CCIE No. command,
13,291,Carlos Cisco
Pignataro,
- CCIE No.Protocol
4619,Dmitry
Bokotey,
- CCIE
disabled on the interface
so
that
CDP
packets
are
not
sent
to
the
CE
router.
The
VC ID that is
used in the xconnect command (50 in this example) needs to match in both ends.
You will analyze the sequencing transmit configuration under the pseudowire class in the
subsequent "Troubleshooting
HDLCoMPLS" subsection.
Table of
ISBN: 1-58705-168-0
Pages:
The CE
configuration for
the 648
Oakland side is included in Example 8-5 for completeness. The far CE
Contents
is a mirror
of
this
configuration
except for the IP address.
Index
Example 8-5. HDLCoMPLS CE Configuration

productivity gains
Oakland#conf t
Learn about
Oakland(config)#interface
Serial5/0
Oakland(config-if)#ip address 192.168.5.1 255.255.255.252
Reduce
Oakland(config-if)#no
shutdown
Oakland(config-if)#end
Oakland#
Review
strategies
that
allow
large
enterprise
toLayer
enhance
At this point, all specific
configuration
and
states
that
pertain
to the customers
transport of
2 frames
service offerings
maintaining
routing
control
over MPLS reside in thetheir
PE devices.
You havewhile
not configured
the
P router
Denver.
Verifying HDLCoMPLS
When you configure
AToM,
the2targeted
LDP
session between
PE routers
established,
as shown
legacy
Layer
and Layer
3 networks
would like
to moveistoward
a single
inExample 8-6.Example
8-6while
highlights
the local
and peer
LDP
and Layer
the targeted
backbone
new carriers
would
like to
sellidentifiers
the lucrative
2
discovery source.services over their existing Layer 3 cores. The solution in these cases is a
infrastructure.
Example 8-6. Verifying the Targeted LDP Session

SanFran#show mpls
ldp neighbor
10.0.0.203
introductory
case studies
Peer LDP Ident:
Local
Ident
10.0.0.201:0
assists 10.0.0.203:0;
readers looking to
meetLDP
those
requirements
by explaining the
TCP connection:
- 10.0.0.201.646
history and 10.0.0.203.11007
implementation details
State: the
Oper;
sent/rcvd:
Downstream
CiscoMsgs
Unified
VPN suite:2215/2209;
Any Transport
over MPLS (ATOM) for MPLSUp time:
1d08h
LDP discovery
IP cores. sources:
Targeted
10.0.0.201
-> 10.0.0.203,
active,requirements
passive
readerHello
to Layer
2 VPN benefits
and implementation
and
Addresses
bound them
to peer
LDP of
Ident:
comparing
to those
Layer 3 based VPNs, such as MPLS, then
10.0.0.203
10.1.2.203
SanFran#
Local labels are assigned and distributed using the targeted LDP session. See Example 8-7, which
highlights the Layer 2 circuit (l2ckt) local and remote labels.
Example 8-7. AToM Label Distribution

Local Outgoing
Prefix
Bytes tag Outgoing Next Hop
tag
tag or VC
or Architectures
Tunnel Id
switched
interface
Layer 2 VPN
16
0
10.1.2.0/24
0
Et1/0
10.1.1.202
ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry
Bokotey, - CCIE
17
0
10.0.0.202/32
0
Et1/0
10.1.1.202
18
16
10.0.0.203/32
0
Et1/0
10.1.1.202
19
Untagged
l2ckt(50)
149313
Se5/0
point2point
SanFran#show mpls l2transport binding 50
Destination Address:
10.0.0.203,
VC ID: 50
ISBN: 1-58705-168-0
Local
Table of Label: 19
Pages:
648
Cbit: 1,
VC Type:
HDLC,
GroupID: 0
Contents
MTU:
1500,
Interface
Desc:
n/a
Index
VCCV Capabilities: Type 1, Type 2
Remote Label: 19
Cbit: 1,
VC Type: HDLC,
GroupID: 0
Master the
world of Layer
VPNs to provide enhanced
services
MTU: 1500,
Interface
Desc: 2n/a
!-+ Signaled
as and enjoy
productivity gains
VCCV Capabilities:
Type 1, Type 2
!-+ Interface Parameter
SanFran#

costs
and mpls
extendforwarding-table,
unifying
your
From the output of theReduce
command
show
you canby
see
that local
label 19
network
architecture
was assigned for the Layer
2 circuit
(l2ckt). From the output of the command show mpls
l2transport binding, you can see that the remote VC label is also 19. The fact that label 19 is
Gain
from the first
address
Layer
2 VPN
application
utilizing
being used on both sides
is irrelevant.
Thebook
localto
and
remote
labels
are assigned
independently
and
both
ATOM
and
L2TP
protocols
do not need to match. This last command also shows that the VC Type for HDLC is 0x0006 (from
Table 8-1), the control word bit is set, the local and remote MTU are 1500, there is no interface
that
allow large
enterprise
enhance
description, and virtualReview
circuit strategies
connectivity
verification
(VCCV)
typescustomers
supportedto
are
type 1 and
their
service
offerings
while
maintaining
routing
control
type 2. These VCCV capabilities are as follows:
arecontrol
still derived
from data
voice
services
based
on legacy
Type 1 PWE3
word (0001b
as and
the first
nibble
in the
control
word) transport
customers,
they
have
some==
drawbacks.
Type 2 MPLS
Router Alert
label
(Label
1)
backbone
new carriers
would
like to
the lucrative
Layer 2in an LDP Label
The command show
mpls while
l2transport
binding
details
all sell
information
advertised
Mapping message.
infrastructure.
Both local and
remote
attachment
to match by
for explaining
the circuit the
to come
assists
readers
lookingcircuits'
to meetMTUs
thoseneed
requirements
up. The MTUhistory
is advertised
in the MTU interface
in the pseudowire
ID FEC
and implementation
details parameter
available
from
element through
the LDP
Label
Mapping
the Cisco
Unified
VPN
suite: message.
The interfaceIPdescription
also advertised
in anisinterface
If you add
cores. Theisstructure
of this book
focused parameter.
thean
interface description,
is not2 automatically
sentimplementation
to the remote peer,
because it
is
reader to itLayer
VPN benefits and
requirements
and
included in acomparing
label mapping.
the description
appear
in the
remote
PE, you
themFor
to those
of Layer 3to
based
VPNs,
such
as MPLS,
thenmust
force the resending
of the covering
label mapping,
for example,
by flapping
interfacedetail.
by
progressively
each currently
available
solutionthe
in greater
means of a shutdown followed by a no shutdown.
Note
Another useful command is show mpls l2transport vc 50 detail, displayed in Example 8-8. The
highlighted parts show the VC status and the label stack used in forwarding at imposition.
Example 8-8. Displaying AToM VC Details

Local interface: Se5/0 up, line protocol up, HDLC up
10.0.0.203, VC ID: 50, VC status: up
Preferred path:
not
configured
ByWei Luo, - CCIE
Default path:
active
Create time: 1d08h, last status change time: 00:37:20
ISBN: 1-58705-168-0
MPLS
Table ofVC labels: local 19, remote 19
Pages:
648
Group
0
Contents ID: local 0, remote
MTU:
local
1500,
remote
1500
Index
Sequence number: receive 0, send 0
VC statistics:
productivity
gains
packet totals:
receive
1363, send 1402
byte totals:
packet drops: receive 0, seq error 0, send 231
SanFran#
Among other things, the
VCfrom
status
is first
displayed
in address
the command
along with utilizing
the imposed
Gain
the
book to
Layer output
2 VPN application
label stack. In this case,
16 ATOM
is the and
IGP label
19 is the VC label. The VC can be in one of three
both
L2TP and
protocols
different statuses:
UP VC can carry data between the two endpoints. (Imposition and disposition are
programmed.)
conditions
need to
hold true:a significant portion of their revenues
For Two
a majority
of Service
Providers,
Disposition
interfacesAlthough
are programmed
The VC
is configured,
and the
CE for
interface
technologies.
Layer 3 MPLS
VPNs
fulfill the market
need
some is up.
Imposition
interfaces
programmed
The disposition
interface
is programmed,
legacy
Layer 2are
and
Layer 3 networks
would like to
move toward
a single and
you received
a remote
VC label
andwould
an IGP
label
(LSPthe
to lucrative
the peer).
backbone
while new
carriers
like
to sell
Layer 2
DOWN VC is not ready to carry traffic between the two VC endpoints.
infrastructure.
ADMINDOWN A user has disabled the VC.
A RAW adjacency, in which the protocol is shown as "raw" because no upper-layer adjacencies
exist between the PE and CE, is created out of the attachment circuit (see Example 8-9).
Example 8-9.the
AToM
HDLC VPN
RAW
Adjacency
Cisco Unified
suite:
IP cores. The
structure
this book is focused on first introducing the
SanFran#show adjacency
serial
5/0ofdetail
reader
to
Layer
2
VPN
benefits
Protocol Interface
Address
comparing
them
to
those
of
Layer
RAW
Serial5/0
point2point(4)
progressively covering each
currently
0 packets,available
0 bytessolution in greater detail.
Raw
Epoch: 0
never
SanFran#
Note that in the case of HDLCoMPLS, the adjacency contains a null encapsulation prepended to
the packet that is switched through this adjacency, because the complete HDLC header is
transported unmodified. Keep this in mind on the PPPoMPLS case study for comparison.
Finally, you can verify that connectivity between CE routers indeed exists (see Example 8-10).
Example 8-10. Testing Connectivity Between CE Routers
Type escape sequence to abort.

Sending 5, 100-byte
ICMP Echos to 192.168.5.2, timeout is 2 seconds:
ISBN: 1-58705-168-0
!!!!!Table of
648 (5/5), round-trip min/avg/max = 20/38/60 ms

Success
rate is 100Pages:
percent
Contents
Oakland#
Index
Master
Troubleshooting
HDLCoMPLS
productivity gains
So far, you have not configured an MTU in the network. All the PE and CE router's interfaces are
using the following default
MTU
settings:
Learn
about
MTU == 1500 by network
default for
Serial and Ethernet
architecture
MTU == 4470 by Gain
default
forthe
High-Speed
Interface
(HSSI),
and Packet
over
from
first bookSerial
to address
Layer
2 VPN ATM,
application
utilizing
SONET (POS)
Try to calculate the maximum
packet sizethat
thatallow
you large
can send
between
CEs withto
the
default
Review strategies
enterprise
customers
enhance
settings. You have the their
following
overheads
place:
service
offeringsinwhile

Transport Header 4 bytes for HDLC (refer to Table 8-2)
technologies.
AToM Header
4 bytes of Although
control word
2 and
Layer 3Size
networks
would
to move
toward
singleeach
MPLS Labellegacy
StackLayer
* MPLS
Header
8 bytes
fromlike
2 MPLS
headers
of 4a bytes
services
over
their
Layer
3 cores.
The solution
in these
cases
Based on the preceding
list,
you
canexisting
calculate
a total
of 16 bytes
of overhead
added
to is
CEa frames.
technology
would
Layer
transport
over
a Layer
3
This means that only
packetsthat
up to
1484allow
bytes
from2Oakland
can
reach
the remote
CE and vice
infrastructure.
versa. You can test
this theory by using an extended ping with a sweep range of sizes that allows
you to vary the sizes of the echo packets being sent and verbose output (see Example 8-11).
Example 8-11.
Probing for MTU Between CEs
Oakland#ping the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSProtocol [ip]: based cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
IP cores.
Target IP address:
192.168.5.2
reader
Repeat count [5]:
1 to Layer 2 VPN benefits and implementation requirements and
Datagram size [100]:
progressively
Timeout in seconds
[2]: 1 covering each currently available solution in greater detail.
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]: y
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: v
Loose, Strict, Record, Timestamp, Verbose[V]:
Sweep range of sizes [n]: y
Sweep min size [36]: 1480

Sweep max size [18024]: 1490
Sweep interval [1]:
Layer 2 VPN
toArchitectures
abort.
Pignataro,
- CCIE No. 4619,Dmitry
Bokotey,
Sending 11, [1480..1490]-byte
ICMP Carlos
Echos
to 192.168.5.2,
timeout
is- CCIE
1 seconds:
No. 4460,
Anthony
- CCIE
No. 10,266
Reply to request
0 (40
ms)Chan,
(size
1480)
Reply to request 1 (48 ms) (size 1481)
Reply to request Publisher:
2 (28 ms)
Cisco(size
Press 1482)
Reply to request Pub
3 (64
Date:ms)
March(size
10, 20051483)
ISBN: 1-58705-168-0
Table 5
of timed out (size 1485)
Request
Pages:
648
Contents
Request
6 timed out (size 1486)
Index 7 timed out (size 1487)
Request
Request 8 timed out (size 1488)
the world
of Layerround-trip
2 VPNs to provide
enhanced
Success rate isMaster
45 percent
(5/11),
min/avg/max
= services
28/41/64and
msenjoy
productivity
gains
Oakland#

Only packets up to 1484 bytes make it to the other end and back. You either need to increase the
core MTU to 1516 bytes using the mtu command or reduce the CE interface's MTU to 1484. Make
sure you understand the implications to IGP protocols before you change the MTU value.
Finally, capture HDLCoMPLS AToM packets in the SanFran router, from an ICMP Echo (PING) from
the Oakland CE. The imposition refers to AToM packets that are sent toward the NewYork PE out
of the Ethernet interface, and disposition means AToM packets that are received from Denver and
sent to the Oakland CE. Use the command debug mpls l2transport packet data, as shown in
Example 8-12.
Example 8-12.
Capturing
and Decoding
HDLCoMPLS
technologies.
Although
Layer 3 MPLS
VPNs fulfill the Packets
SanFran#debug mpls
l2transport
backbone
while new packet
carriers data
AToM packet data
debugging
is
on
SanFran#
*May 19 02:51:21.095:
ATOM imposition: out Et1/0, size 130, EXP 0x0, seq 0,
infrastructure.
control word 0x0
*May 19 02:51:21.095:
XX Architectures
XX XX XX XX introduces
XX YY YY readers
YY YY YY
YY 882 47
00 01
Layer 2 VPN
to Layer
Virtual
Private
^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^
^^^^^
Network (VPN)
concepts, and describes
Layer 2 VPN ^^^^^
techniques
via
introductory
design scenarios.
This book
SA MAC
DA MAC
top_shim-->
assists readers looking to meet those requirements by
explaining
theUnicast
etype
= MPLS
*May 19 02:51:21.095:
FF 00
01suite:
31 02
00Transport
00 00 00over
0F MPLS
00 08(ATOM)
00 45 for
00 MPLSthe Cisco 00
Unified
VPN
Any
^^^^^
^^^^^^^^^^^
^^^^^^^^^^^
^^
^^
^^^^^
^^^^^...
VC_Label
Ctrl-word
Begins
IP<--top_shim
of this book
is focused|on |first| introducing
theIP Packet
| | requirements
etype = IPv4
readerLabel=16
to Layer 2Label=19
VPN benefits and implementation
and
S=0 them S=1
| Control
comparing
to those of Layer 3 based VPNs,
such as MPLS, then
TTL=255
TTL=2
Address
Frame
progressively covering each currently available
solution=inUnicast
greater detail.
*May 19 02:51:21.095:
*May 19 02:51:21.095:
*May 19 02:51:21.095:
*May 19 02:51:21.095:
*May 19 02:51:21.095:
*May 19 02:51:21.095:
*May 19 02:51:21.095:
*May 19 02:51:21.143:
word 0xB59
00 64 00 32 00 00
05 02 08 00 03 A7
72 D8 AB CD AB CD
AB CD AB CD AB CD
AB CD AB CD AB CD
AB CD AB CD AB CD
AB CD
ATOM disposition:
FF
00
AB
AB
AB
AB
01
06
CD
CD
CD
CD
30
00
AB
AB
AB
AB
13
04
CD
CD
CD
CD
C0
00
AB
AB
AB
AB
A8
00
CD
CD
CD
CD
05
00
AB
AB
AB
AB
01
00
CD
CD
CD
CD
C0
07
AB
AB
AB
AB
A8
C1
CD
CD
CD
CD
in Et1/0, size 104, seq 2905, control
*May 19 02:51:21.143: 0F 00 08 00 45 00 00 64 00 32 00 00 FF 01 30 13
^^ ^^ ^^^^^ ^^^^^...
| | |
Begins IP Packet
Layer 2 VPN|Architectures
| etype = IPv4
ByWei Luo, -| CCIE
Control
No. 4460,Anthony
Chan, -= CCIE
No. 10,266
Address
Unicast
Frame
*May 19 02:51:21.143: C0 A8 05 02 C0 A8 05 01 00 00 0B A7 00 06 00 04
*May 19 02:51:21.143:
00Cisco
00 Press
00 00 07 C1 72 D8 AB CD AB CD AB CD AB CD
Publisher:
*May 19 02:51:21.143:
ABMarch
CD AB
Pub Date:
10, 2005
*May 19 02:51:21.143: AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
ISBN: 1-58705-168-0
Table
of
*May
19 02:51:21.143:
Pages:
648
*May Contents
19 02:51:21.143: AB CD AB CD AB CD AB CD
Index
Note
productivity gains
Note in Example 8-12 and in the following examples dealing with packet decoding that
Learn about
Layer
2 Virtual
Private
Networks (VPNs)
the offline hand decoding
of the
packets
is shown
in bold.
Analyzing the disposition as dumped in the SanFran PE, you can see that the control word has a
non-null value, whereas the control word in imposition is null. This is because you have configured
the NewYork endpoint to perform sequencing, and you can see the sequence number increasing in
the control word. The sequence
number in
theallow
control
word
is included
in the rightmost
2 bytes.
Review strategies
that
large
enterprise
customers
to enhance
FromExample 8-12, the
control
word
is 0x00000B59
so the sequence
their
service
offerings
while maintaining
routingnumber
control is 0x0B59. That
number is 2905 in decimal.

At disposition, only
AToM
payload
SDU
is displayed.
At imposition,
the complete
AToM
arethe
still
derived
fromor
data
and
voice services
based on legacy
transport
packet is dumped.
backbone
new
Case Study 8-2:
PPPwhile
over
MPLS
technology
would
allowto
Layer
2 transport
a Layer
3 you concentrate
The case study for
PPPoMPLSthat
is quite
similar
HDLCoMPLS.
In over
this case
study,
infrastructure.
on the differences with Case Study 8-1. For the PPPoMPLS case study, you use interfaces Serial
6/0 in all PEs and CEs (see Figure 8-12).
Figure 8-12. PPPoMPLS Case Study Topology
Configuring PPPoMPLS
The configuration for PPPoMPLS is analogous to HDLCoMPLS, except that the PPP encapsulation
needs to be specified in the Serial interface. Example 8-13 shows the configuration for the two PE
devices.
ByWei
Luo, - CCIE No. 13,291,
Carlos Pignataro, Example 8-13.
Configuring
PPPoMPLS
SanFran#show running-config
interface serial 6/0
Building configuration...
ISBN:
Current
: 1-58705-168-0
188 bytes
Table configuration
of
Pages: 648
! Contents
interface
Serial6/0
Index
description *** To Oakland Serial 6/0 ***
no ip address
encapsulation ppp
no cdp enable Master the world of Layer 2 VPNs to provide enhanced services and enjoy
xconnect 10.0.0.203
60 encapsulation
mpls
productivity
gains
end
SanFran#
NewYork#show running-config interface serial 6/0

Current configuration : 187 bytes
!
interface Serial6/0both ATOM and L2TP protocols
description *** To Albany Serial 6/0 ***
no ip address
encapsulation ppp
no cdp enable
end
NewYork#
It is important to technology
note, however,
after
you
configure
the xconnect
command
under the PE
that that
would
allow
Layer
2 transport
over a Layer
3
interface, PPP is closed.
That is, no LCP or NCP takes place between PE and CE, and no PPP state
infrastructure.
machine runs in the PE device. You can enable debug ppp negotiation in the PE to prove this
Layer8-14).
concept (see Example
assists
readers
looking
to meet those
by explaining the
Example 8-14.
Debug
PPP
Negotiation
in requirements
the PE Router
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbasedxconnect
cores and 10.0.0.203
Layer 2 Tunneling
Protocol version
SanFran(config-if)#
60 encapsulation
mpls
IP cores. Se6/0
The structure
of this is
book
*May 18 17:16:35.583:
LCP: State
Closed
reader to Se6/0
Layer 2PPP:
VPN Phase
benefitsisand
*May 18 17:16:35.583:
DOWN
comparing
them PPP:
to those
of Layer
3 based VPNs, such
as MPLS,
*May 18 17:16:35.583:
Se6/0
Phase
is ESTABLISHING,
Passive
Openthen
progressively
covering
each currently
*May 18 17:16:35.583:
Se6/0
LCP: State
is Listen
*May 18 17:16:35.583: Se6/0 LCP: State is Closed
*May 18 17:16:35.583: Se6/0 PPP: Phase is DOWN
*May 18 17:16:36.631: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial6/0,
changed state to up
SanFran(config-if)#do show interface serial 6/0
Serial6/0 is up, line protocol is up
Hardware is HD64570
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set
Keepalive set (10 sec)

Last input 00:03:10, output 00:00:06, output hang never
The output of theNo.

command
show
for the Serial 6/0 shows the encapsulation as PPP,
4460,Anthony
Chan,interface
- CCIE No. 10,266
but LCP and NCP are not indicated. For comparison, the same command shows LCP and NCPs
state in the CE device (see Example 8-15).

ISBN: 1-58705-168-0
Table of 8-15. PPP State in the PE Devices

Example
Contents
Index
Pages: 648
Oakland#show interfaces serial 6/0

Serial6/0 is up, line protocol is up
Hardware is HD64570
Master
Internet address
isthe
10.10.6.200/24
productivity
MTU 1500 bytes,
BW 1544gains
Kbit, DLY 20000 usec, rely 255/255, load 1/255
LCP Open
Open: OSICP, IPCP, CDPCP
Reduce
costs 00:00:02,
and extend the
reachhang
of your
Last input 00:00:02,
output
output
never
network
architecture
Last clearing of "show interface" counters never
The PPP negotiation happens between CE devices, and the core network acts as a transport.

PPPoMPLS
For a majority of Service
technologies.
Layer 3exists
MPLS was
VPNsshown
fulfill in
theExample
market 8-15.
need for
some
The first verification
that CE-CEAlthough
communication
From
the CE
customers,
theyof
have
drawbacks.
carriersshow
with existing
device, you can check
the status
PPP some
negotiation
using Ideally,
the command
interface.
From the PE device,
you can
verify
that
the VCwould
is up like
(seetoExample
backbone
while
new
carriers
sell the 8-16).
lucrative Layer 2
infrastructure.
Example 8-16.
Verifying the PPPoMPLS VC Status
SanFran#show mpls
l2transport
vc 60 and describes Layer 2 VPN techniques via
Network
(VPN) concepts,
Local intf
Local circuit
Dest address
VC ID
Status
------------- ----------------------- --------------- ---------- ---------history and implementation details of the two technologies available from
Se6/0
PPP
10.0.0.203
60
UP
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSSanFran#show mpls l2transport vc 60 detail
Local interface: Se6/0 up, line protocol up, PPP up
Remote interface description: *** To Albany Serial 6/0 ***
VC statistics:
byte totals:
receive 3577950, send 3403595
Layer 2receive
VPN Architectures
packet drops:
0, seq error 0, send 0
SanFran#
10, 2005
FromExample 8-16, Pub
youDate:
can March
see that
the VC is up and the interface parameters of MTU and
interface description have
been
advertised. The VC type is PPP, which has a value of 0x0007. You
ISBN:
1-58705-168-0
Table of
might
wonder, however,
how648
you can see the value of the VC type in real time when it is
Pages:
Contents
advertised. The answer is by using the debug command debug mpls l2transport signaling
Index
message. After you enable the debug in NewYork, you must bounce the remote interface to force
withdrawing and remapping of the label (see Example 8-17).
Example 8-17.
Debugging
productivity
gains AToM Signaling Messages
NewYork#debug mpls Learn

l2transport
signaling
about Layer
2 Virtualmessage
AToM LDP message debugging is on
NewYork#
SanFran(config)#int s 6/0
SanFran(config-if)#shut
bothAToM
ATOM
and[10.0.0.201]:
L2TP protocols Received label withdraw msg, id 1822,
*May 19 16:19:44.995:
LDP
graceful restart instance 2
*May 19 16:19:45.203: AToM LDP [10.0.0.201]: Sending label release msg
vc type 7, cbitFor
1,a vc
id 60,
group id
0, vc label
20, status
mtu revenues
0
majority
of Service
Providers,
a significant
portion 0,
of their
SanFran(config-if)#no
shutdown
NewYork#
customers,
theyLDP
have
some drawbacks.
Ideally, label
carriersmapping
with existing
*May 19 16:20:40.071:
AToM
[10.0.0.201]:
Received
msg, id 1825,
legacyinstance
Layer 2 and
graceful restart
2 Layer 3 networks would like to move toward a single
while
carriers
would
to sell
lucrative
2
vc type 7, cbitbackbone
1, vc id
60,new
group
id 0,
vc like
label
20,the
status
0, Layer
mtu 1500
infrastructure.
FromExample 8-17, you can see that when you shut down the interface in SanFran, an LDP label
Layer
2 VPN
Architectures
introduces
to Layer
2 Virtual
Private
withdraw message
is sent,
which
is acknowledged
with readers
an LDP label
release
message.
When you
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
enable the interface, an LDP label mapping message is sent, including the VC typevia
of 7. More
introductory
case studies
and Study
comprehensive
design
scenarios.
This book
details on this procedure
are covered
in "Case
8-6: Decoding
LDP
Label Mapping
and
assists
Pseudowire ID FEC
Elements."
Cisco PPPoMPLS
Unified VPN
suite:
Any Transport
over MPLS the
(ATOM)
for MPLS- You can
It is also useful tothe
capture
AToM
packets
to fully understand
encapsulation.
based cores
and Layer
Tunneling Protocol
3 shown
(L2TPv3)
for native8-18.
do this with the command
debug
mpls 2
l2transport
packet version
data, as
in Example
comparing
them to
those
of Layer 3of
based
VPNs, suchPackets
as MPLS, then
Example 8-18.
Capturing
and
Decoding
PPPoMPLS
SanFran#debug mpls l2transport packet data
*May 19 17:33:26.916: ATOM imposition: out Et1/0, size 128, EXP
control word 0x0
*May 19 17:33:26.916: XX XX XX XX XX XX YY YY YY YY YY YY 88 47
^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^ ^^^^^
SA MAC
DA MAC
|
etype
*May 19 17:33:26.916: 00 FF 00 01 41 02 00 00 00 00 00 21 45 00
0x0, seq 0,
00 01
^^^^^
top_shim-->
= MPLS Unicast
00 64
^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^ ^^^^^ ^^^^^...

<--top_shim VC_Label
Ctrl-word
|
Begins IP Packet
Label=16 Label=20
PPP DLL Protocol# = IPv4
Layer 2S=0
VPN Architectures
S=1
ByWei Luo,
- CCIE No.
TTL=255
TTL=2
No. 4460,Anthony
Chan,
CCIEFF
No.01
10,266
*May 19 17:33:26.916:
00 FA
00- 00
2D 4B C0 A8 06 01 C0 A8 06 02
*May 19 17:33:26.916: 08 00 6B C8 00 0F 00 02 00 00 00 00 0A E9 07 88
*May 19 17:33:26.916:
ABCisco
CD Press
AB CD AB CD AB CD AB CD AB CD AB CD AB CD
Publisher:
*May 19 17:33:26.916:
ABMarch
CD AB
Pub Date:
10, 2005
ISBN: 1-58705-168-0
Table
of
*May
19 17:33:26.916:
Pages:
648
*May Contents
19 17:33:26.932: ATOM disposition: in Et1/0, size 102, seq 0, control
Index0x0
word
*May 19 17:33:26.932: 00 21 45 00 00 64 00 FA 00 00 FF 01 2D 4B C0 A8
^^^^^ ^^^^^...
|
Begins IP Packet
Master the
world
Layer 2 VPNs
PPP
DLLofProtocol
# = to
IPv4
productivity
gains
*May 19 17:33:26.932: 06 02 C0 A8 06 01 00 00 73 C8 00 0F 00 02 00 00
*May 19 17:33:26.932: 00 00 0A E9 07 88 AB CD AB CD AB CD AB CD AB CD
*May 19 17:33:26.932:
AB CD
AB and
CD extend
AB CD AB
AB of
CDyour
AB services
CD AB CD
CD
Reduce
costs
the CD
reach
byAB
unifying
your
*May 19 17:33:26.932:
AB
CD
AB
CD
AB
CD
As noted before, the output of the debug command displays the complete packet for imposition
operations. It displays Review
only thestrategies
AToM payload
for disposition
actions.customers to enhance
that allow
large enterprise
Example 8-19 shows the new RAW adjacency that is created for PPPoMPLS.
Example 8-19.
PPPoMPLS
RAWLayer
Adjacency
technologies.
Although
SanFran#show adjacency
serial
6/0
detail
backbone while
new
carriers
Proocol Interface
Address
RAW
Serial6/0
point2point(4)
0 packets, 0 bytes
infrastructure.
FF03
never to Layer 2 Virtual Private
Layer 2 VPN Architectures Raw
introduces readers
0
Network (VPN) concepts,Epoch:
and describes
SanFran#
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSFromExample 8-19, you can see that the rewrite that was null for HDLCoMPLS has become
0xFF03. These two bytes are no more than the two bytes (Address and Control) from each PPP
packet that are stripped in imposition and regenerated at disposition. They make the
encapsulation that is prepended to the packet switched through this adjacency.
Case Study 8-3: Frame Relay DLCI over MPLS

This case study concentrates on Frame Relay DLCI mode over MPLS. This case study is
fundamentally different from the two previous case studies because control messaging interaction
occurs between PE and CE routers. This case study uses Frame Relay IETF encapsulation. The
topology is included in Figure 8-13.
Figure 8-13. Frame Relay DLCI over MPLS Case Study Topology


Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
In Frame Relay DLCI mode, PE and CE routers run Frame Relay LMI between them. If you instead
tunnel and transport Frame Relay in port mode using HDLCoMPLS, the LMI session runs between
Master
the world
LayerRelay
2 VPNs
to provide
enhanced
services
CE devices. If those
CE devices
areofFrame
switches,
configure
them
to run and
LMI enjoy
NNI. If the
productivity
CEs are routers, configure
onegains
end as LMI DCE and leave the other as the default LMI DTE.
Alternatively, configure both routers as LMI NNI so that the CE can provide status information
about its DLCIs to the PE.
Configuring Frame network

Relay DLCI
over MPLS
architecture
Gain from
to address
Layer
2 VPN
The general PE configuration
for athe
PEfirst
thatbook
is running
Frame
Relay
DLCIapplication
over MPLS utilizing
(also known as
both
ATOM
and
L2TP
protocols
Frame Relay DLCI-Mode AToM) is shown in Example 8-20. The configuration in the NewYork PE is
parallel to this one.
Example 8-20.
Configuration
For FRoMPLS
a majority ofPE
Service
SanFran#conf t
SanFran(config)#frame-relay switching
SanFran(config)#interface serial7/0
SanFran(config-if)#encapsulation frame-relay ietf
SanFran(config-if)#frame-relay intf-type dce
infrastructure.
SanFran(config-if)#exit
SanFran(config)#
SanFran(config)#connect frompls serial7/0 100 l2transport
SanFran(config-fr-pw-switching)#xconnect 10.0.0.203 70 encapsulation mpls
SanFran(config-fr-pw-switching)#end
SanFran#
to Layer
2 VPNframe-relay
benefits andswitching
implementation
requirements
and
InExample 8-20, reader
the global
command
is enabled.
This is required
so that
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as
MPLS,
then
Frame Relay LMI types DCE or NNI can be enabled later.
Next, create a "switched" Frame Relay PVC by using the global command connect extended
with the l2transport keyword. You apply the xconnect command under the connect
configuration mode (fr-pw-switching).
Note
You can configure the MTU on a switched Frame Relay PVC (pseudowire endpoint) basis
by using the command mtu under the connect configuration mode.

ByWei aLuo,
- CCIECE
No.configuration
- CCIE
No. 4619,
Dmitry
Bokotey,Frame
- CCIE Relay
Example 8-21 depicts
typical
from the
Oakland
CE,
including
4460,parameters.
quality of service No.
(QoS)
Example 8-21. Pub

FRoMPLS
Configuration
Date: March CE
10, 2005
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents Serial7/0
interface
no ipIndex
address
encapsulation frame-relay IETF

!
interface Serial7/0.1 point-to-point
Master the world
255.255.255.252
productivity gains
frame-relay interface-dlci
100 IETF
class myfrpvc
map-class frame-relay myfrpvc
frame-relay cir 64000
frame-relay bc 8000
frame-relay be 0 network architecture
frame-relay mincir 32000
A Frame Relay map-class
is defined,
including
all the
desired
Frame
Relay parameter
values.
Review
strategies
that allow
large
enterprise
customers
to enhance
Then this map-class istheir
applied
to the
Framewhile
Relaymaintaining
PVC using the
classcontrol
command.
service
offerings
routing

data and
voice
services
on legacy transport
Frame
Relay
DLCI
overbased
MPLS
customers,
someverification
drawbacks.techniques
Ideally, carriers
withoutlined
existingfor the
For FRoMPLS DLCI
mode, youthey
can have
use most
that were
Layer
2 and Layer
3 networks
would
like toCE
move
toward
a single
previous two caselegacy
studies.
Checking
IP layer
connectivity
between
devices
is the
real
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
verification.
that
would allowsignaling
Layer 2 transport
over a Layer
3
The output of thetechnology
debug mpls
l2transport
message command
included
in Example 822 shows that forinfrastructure.
Frame Relay DLCI mode, the VC type is 0x0001.
Example 8-22.
VC Type for FRoMPLS
history
and implementation
details
SanFran#debug mpls
l2transport
signaling
message
the Cisco AToM
Unified
VPN
over
MPLS mapping
(ATOM) for
MPLS*May 19 18:10:25.119:
LDP
[10.0.0.201]:
Sending
label
msg
cores
version
3 (L2TPv3)
native
vc type 1, cbitbased
1, vc
id and
70, Layer
group2 Tunneling
id 0, vc Protocol
label 21,
status
0, mtufor
1500
You can use a fewprogressively
commands on
the PE each
routercurrently
to verifyavailable
the FRoMPLS
pseudowire
covering
solution
in greaterstatus.
detail.The
most often used commands are included in the upcoming examples. Example 8-23 shows the
show connection command output.
Example 8-23. Verifying the Status of the FRoMPLS Connection

SanFran#show connection all
ID
Name
Segment 1
Segment 2
State
===========================================================================
4
frompls
Se7/0 100
10.0.0.203 70
UP
SanFran#show connection
id 4
Wei Luo, - CCIE 4
No.-13,291,
FR/Pseudo-Wire By
Connection:
frompls
No.
4460,
Anthony
Chan,
CCIE
No. 10,266
Status
- UP
Segment 1 - Serial7/0 DLCI 100
Publisher:
Segment status:
UP Cisco Press
Line status: Pub
UP Date: March 10, 2005
PVC status: ACTIVE
ISBN: 1-58705-168-0
Table of
ACTIVE
NNI PVC status:Pages:
648
Contents
Segment
2 - 10.0.0.203 70
Index
Segment status: UP
Requested AC state: UP
PVC status: ACTIVE
NNI PVC status: ACTIVE
SanFran#
productivity gains

InExample 8-23, you can observe that a switched connection has two segments:
Segment 1 The local attachment circuit out of Serial 7/0 DLCI 100
Segment 2 The remote endpoint of the pseudowire in the NewYork PE
Example 8-24 shows the output of the show mpls l2transport vc command, which you have
seen in the previous case studies for other WAN protocols.
Example 8-24.
the Status
the
FRoMPLS
are Verifying
still derived from
data and of
voice
services
based VC
on legacy transport
SanFran#show mpls
l2transport
---would
70
legacy
Layer 2 and vc
Layeri3Local
networks
Local intf
Local circuit
Dest like
address
ID
Status
backbone
while new carriers would
to sell theVC
lucrative
Layer
2
------------- services
---------------------------------------------over their existing Layer
in these---------cases is a
Se7/0
FR DLCI 100
10.0.0.203
70 a Layer 3 UP
technology
2 transport over
SanFran#show mpls
l2transport vc 70 detail
infrastructure.
Local interface: Se7/0 up, line protocol up, FR DLCI 100 up
10.0.0.203,
ID: 70, readers
VC status:
up 2 Virtual Private
Layer 2 VPN
ArchitecturesVCintroduces
to Layer
Preferred path:
not
configured
Network
(VPN)
concepts, and describes Layer 2 VPN techniques via
Default path:
active case studies and comprehensive design scenarios. This book
introductory
Tunnel label:
16,readers
next hop
10.1.1.202
assists
looking
Output interface:
Et1/0,
imposed label
{16 technologies
21}
history and
implementation
detailsstack
of the two
available from
Create time: the
00:47:09,
lastVPN
status
time: 00:47:08
Cisco Unified
suite:change
Any Transport
over MPLS (ATOM) for MPLSSignaling protocol:
LDP,
10.0.0.203:0
up
based cores
andpeer
Layer
MPLS VC labels:
local
22, remote
21 book is focused on first introducing the
IP cores.
The structure
of this
Group ID: local
remote
0 benefits and implementation requirements and
reader 0,
to Layer
2 VPN
MTU: local comparing
1500, remote
them 1500
Remote interface
description:
progressively
VC statistics:
byte totals: receive 110374, send 119708
SanFran#
This output is similar to other Layer 2 protocols that are transported over MPLS, but the VC Type
is displayed as FR DLCI DLCI .
Example 8-25 shows the command show frame-relay pvc in PE and CE routers for comparison.
Wei Luo, - CCIE
Pignataro,
- CCIE No.
Dmitry
Bokotey,
- CCIEfor the PE)
See the differenceByhighlighted
inNo.
the13,291,
DLCICarlos
Usage
field (Local
for 4619,
the CE
and
Switched
No.
4460,
Anthony
Chan,
CCIE
No.
10,266
and the additional counters on the PE side. This command also shows the PVC status.
Date: March the
10, 2005
Example 8-25. Pub
Verifying
Status of the FRoMPLS Frame Relay PVC
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
SanFran#show
frame-relay pvc interface serial 7/0 100
Index
PVC Statistics for interface Serial7/0 (Frame Relay DCE)

DLCI = 100, DLCI USAGE = SWITCHED, PVC STATUS = ACTIVE, INTERFACE = Serial7/0
input pkts 358
output pkts 329
in bytes 121796
productivity gains
out bytes 112624
dropped pkts 0
in FECN pkts 0
in BECN pkts 0
out FECN pkts 0
out BECN pkts 0
in DE pkts 0
out
DE
pkts
0
out bcast pkts 0
out bcast bytes 0
switched pkts 358Reduce costs and extend the reach of your services by unifying your
Detailed packet drop
counters:
network
architecture
no out intf 0
out intf down 0
no out PVC 0
in PVC down 0
PVC book
down to0 address Layer
pkt
tooapplication
big 0
Gain fromout
the first
2 VPN
utilizing
pvc create time 00:48:13,
timeprotocols
pvc status changed 00:47:53
both ATOM last
and L2TP
SanFran#
Oakland#
their service
offerings while
maintaining
Oakland#show frame-relay
pvc interface
serial
7/0 100routing control
PVC Statistics For
fora majority
interface
Serial7/0
(Framea significant
Relay DTE)
of Service
Providers,
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial7/0.1
customers, theyoutput
have some
Ideally,
with existing
input pkts 329
pktsdrawbacks.
358
in carriers
bytes 112624
legacy Layer 2 and
Layerpkts
3 networks
would like
move
toward
out bytes 121796
dropped
0
in to
FECN
pkts
0 a single
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
in BECN pkts 0
out FECN pkts 0
out BECN pkts 0 2
Layer
in DE pkts 0 services over their
out existing
DE pkts
0 3 cores. The solution in these cases is a
technology
thatout
would
allowbytes
Layer 120756
out bcast pkts
348
bcast
infrastructure.
pvc create time
2d04h, last time pvc status changed 00:47:56
Oakland#
The output of theassists
command
show
frame-relay
pvc inrequirements
the SanFran PE
shows
readers
looking
to meet those
by router
explaining
theone line of
DLCI Usage and PVC
Status.
This is because SanFran's
Serial
is configured
Frame
history
and implementation
details of the
twointerface
technologies
availableas
from
Relay DCE. If a Frame
Relay
interface
configured
for Frame
Relay
NNI(ATOM)
LMI, two
the Cisco
Unified
VPNissuite:
Any Transport
over
MPLS
forseparate
MPLS- fields
are displayed:
LOCAL PVCcomparing
STATUS Status
of those
the PVC
that is3locally
them to
of Layer
based configured
NNI PVC STATUS Status of the PVC as learned from the LMI peer
Table 8-3 lists the different values that the Usage and Status fields on the show frame-relay
pvc command output can take and what they mean.
Table 8-3. Meaning of Frame Relay PVC Usage and Status

Fields
Field
USAGE
No.
4460,Anthony Chan,
- CCIE No. 10,266
Value
Definition
LOCAL
If DLCI is configured on the router as a DTE

device.

Table of
Contents
Index
STATUS
SWITCHED
If DLCI is configured and the router is acting
ISBN: 1-58705-168-0
as a switch.
Pages: 648
UNUSED
If DLCI is not configured on the router but the

switch is reporting it.
STATIC
If keepalives (Frame Relay LMI) are disabled.
DELETED
If DLCI is defined on the router (Frame Relay
productivity gains
DTE) but not the switch (Frame Relay DCE).
INACTIVE
If DLCI is defined on the switch (Frame Relay
Learn about DCE)
Layerbut
2 Virtual
Private
(VPNs)
the PVC
is notNetworks
up (that is,
network,
AToM, VC failure).
ACTIVE
If DLCI is defined on the switch (Frame Relay
DCE) and is enabled.
Specific Frame Relay LMI

details
such as that
the LMI
type,
LMI
side, andcustomers
statistics are
available with
Review
strategies
allow
large
enterprise
to enhance
theshow frame-relaytheir
lmi service
and debug
frame-relay
lmi commands.
offerings
while maintaining
routing control
One specific command
for troubleshooting
Frame Relay
pseudowires
is debug
frame-relay
For a majority
a significant
portion
of their
revenues
pseudowire (seeare
Example
8-26).
legacy
Layer 2 andFrame
Layer 3 Relay
networks
Example 8-26.
Debugging
Pseudowires
NewYork(config-if)#do
debug
frame-relay
pseudowire
technology
that would
allow Layer
Frame Relay pseudowire
events
debugging
is
on
infrastructure.
NewYork(config-if)#no shut
NewYork(config-if)#
*Apr 27 14:16:51.247:
%LINK-3-UPDOWN:
Serial7/0,
changed state
to up
Network (VPN)
concepts, andInterface
describes Layer
2 VPN techniques
via
*Apr 27 14:16:51.247:
FRoPW
70]: Local up,
sending
acmgr_circuit_up
introductory
case[10.0.0.201,
design
scenarios.
This book
*Apr 27 14:16:51.247:
FRoPW looking
[10.0.0.201,
70]: requirements
Setting pw segment
UP the
assists readers
to meet those
by explaining
*Apr 27 14:16:51.263:
Se7/0
ACMGR: Receive
msg
history and
implementation
details<Circuit
of the two Up>
technologies
available from
*Apr 27 14:16:51.263:
circuit
up event,
SIP
state
chg for
fspMPLSup to
the Cisco Se7/0
UnifiedACMGR:
VPN suite:
Any Transport
over
MPLS
(ATOM)
connected, action
is
p2p
up
forwarded
*Apr 27 14:16:51.263:
[10.0.0.201,
70]:
PW nni_pvc_status
set ACTIVE
IP cores. FRoPW
The structure
of this book
is focused
the
*Apr 27 14:16:51.607:
Rcv SIP
resp peer-to-peer
msg,
hdl
reader to Se7/0
Layer 2ACMGR:
VPN benefits
andmsg:
implementation
requirements
and
78000004, sss_hdl
B000006
comparing
*Apr 27 14:16:51.607:
Se7/0
ACMGR:each
remote
up event,
SIP
connected
state
no chg,
progressively
covering
currently
available
solution
in greater
detail.
action is ignore
*Apr 27 14:16:52.267: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial7/0,
changed state to up
*Apr 27 14:17:01.271: FRoPW [10.0.0.201, 70]: SW AC update circuit state to up
*Apr 27 14:17:01.271: ACLIB: Update switching plane with circuit UP status
The highlighted lines show the different state transition changes starting from the attachment
circuit being set to up, the connect segment being set to up, the Frame Relay NNI PVC being set
to active, and the circuit state being set to up. Example 8-27 shows a capture and decode of an
FRoMPLS packet. The packet dump was generated in the same way as the other case studies by
using the command debug mpls l2transport packet data. Refer to Figure 8-5 for comparison
Layer
2 VPN Architectures
of the Frame Relay
packets.
Example 8-27. Capturing and Decoding of FRoMPLS DLCI Packets


ISBN: 1-58705-168-0
Table
of
*May
19 19:14:41.080:
ATOM imposition: out Et1/0, size 128, EXP 0x0, seq 0,
Pages:
648
Contents word 0x0
control
Index
*May
19 19:14:41.080: XX XX XX XX XX XX YY YY YY YY YY YY 88 47 00 01
^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^ ^^^^^ ^^^^^
SA MAC
DA MAC
|
top_shim-->
Master the
of Layer
VPNs
and enjoy
*May 19 19:14:41.080:
00world
FF 00
01 51202
00 to
00provide
00 00 enhanced
03 CC 45services
00 00 64
productivity
gains
^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^ ^^ ^^ ^^^^^...
<--top_shim VC_Label
Ctrl-word
| |
Begins IP Packet
Label=16 Label=21
| NLPID = IP (0xCC)
S=0
S=1
Control = 0x03
TTL=255
TTL=2
*May 19 19:14:41.080:
01 11
00 00 FF 01 2B 34 C0 A8 07 01 C0 A8 07 02
network
architecture
*May 19 19:14:41.080: 08 00 BC 31 00 14 00 03 00 00 00 00 0B 45 B6 BC
*May 19 19:14:41.080:
CD the
AB first
CD AB
CD toABaddress
CD AB Layer
CD AB2 CD
CD AB CDutilizing
GainAB
from
book
VPNAB
application
*May 19 19:14:41.080:
CD AB
AB protocols
CD AB CD AB CD AB CD AB CD AB CD
bothAB
ATOM
andCD
L2TP
*May 19 19:14:41.080:
AB CD
AB CD that
AB CD
AB large
CD ABenterprise
CD AB CDcustomers
AB CD ABtoCD
Review
strategies
allow
enhance
*May 19 19:14:41.104:
disposition:
inmaintaining
Et1/0, size
102,control
seq 0, control
theirATOM
service
offerings while
routing
word 0x0
For a majority
Service
a significant
of their
revenues
*May 19 19:14:41.104:
03 CCof45
00 00Providers,
64 01 11
00 00 FF portion
01 2B 34
C0 A8
are still derived
^^ ^^ from
^^^^^...
technologies.
| |Although
Begins Layer
IP Packet
customers,
have
drawbacks. Ideally, carriers with existing
| they
NLPID
= some
IP (0xCC)
legacy Layer
2 and=Layer
Control
0x033 networks would like to move toward a single
backbone
while
new
carriers
likeC4to 31
sell00
the14
lucrative
*May 19 19:14:41.104: 07 02 C0 A8 07 01would
00 00
00 03 Layer
00 002
services over
their
Layer
cores.
TheAB
solution
these
cases is a
*May 19 19:14:41.104:
00 00
0B existing
45 B6 BC
AB 3CD
AB CD
CD AB inCD
AB CD
technology
Layer
2 transport
over
Layer
*May 19 19:14:41.104:
ABthat
CD would
AB CD allow
AB CD
AB CD
AB CD AB
CD aAB
CD 3
AB CD
infrastructure.
*May 19 19:14:41.104:
Layer 2 VPN
*May 19 19:14:41.104:
AB Architectures
CD AB CD AB introduces
CD
You can see that history
the IP NLPID
of 0xCC is used.
For Frame
IETF encapsulation,
and implementation
details
of the Relay
two technologies
availableCisco
from IOS
uses the NLPID value
whenUnified
one is available;
it uses
a SNAP
NLPID 0x80.
the Cisco
VPN suite:otherwise,
Any Transport
over
MPLS header
(ATOM)with
for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
reader
to Layer
2 VPN
benefits
andMPLS
Case Study 8-4:
ATM
AAL5
SDU
over
The final two case studies explore the transport of ATMoMPLS. In particular, Case Study 8-4
analyzes AAL5 SDU over MPLS. The topology used is shown in Figure 8-14.
Figure 8-14. AAL5 SDU over MPLS Case Study Topology


ISBN: 1-58705-168-0
Configuring
AAL5oMPLS
Table of
Pages: 648
Contents
Index
The configuration
of AAL5oMPLS SDU mode only applies to an ATM VC. AAL5 VP or port modes are
nonexistent. To configure AAL5oMPLS, you create an ATM PVC with the l2transport keyword and
then apply the following two configuration steps under an ATM PVC configuration mode:
Step 1.
Master
world of Layer
2 VPNs to provide
Configure
thethe
encapsulation
as encapsulation
aal5.
productivity gains
Step 2.
Apply the xconnect command with the same format as before.

and extend
of your
services by
Example 8-28 shows aReduce
sample costs
configuration
for the reach
SanFran
and NewYork
PE unifying
nodes. your
Gain from the AAL5oMPLS
PEs Layer 2 VPN application utilizing
Review strategies
that allow
SanFran#show running-config
interface
ATM 4/0.1
Current configuration
: 230ofbytes
For a majority
!
interface ATM4/0.1
point-to-point
technologies.
description ***
AAL5
SDU
AToM
tosome
Oakland
***
customers,
they
have
drawbacks.
pvc 0/100 l2transport
encapsulationbackbone
aal5
xconnect 10.0.0.203
100 their
encapsulation
mpls
services over
existing Layer
!
end
infrastructure.
SanFran #

andATM
describes
NewYork#show running-config
interface
1/0.1 Layer 2 VPN techniques via
introductory
case
studies
and
comprehensive
: 229
bytes
history and
implementation
!
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSinterface ATM1/0.1
basedpoint-to-point
description ***
AAL5 SDU
AToM to of
Albany
***is focused on first introducing the
IP cores.
The structure
this book
encapsulationcomparing
aal5
xconnect 10.0.0.201
100 covering
encapsulation
mpls available solution in greater detail.
progressively
each currently
!
end
NewYork #
The CE configuration is no different than if the CE routers were connected to a traditional ATM
switch (see Example 8-29).
Example 8-29. Configuring AAL5oMPLS CEs

Oakland#show running-config interface ATM 3/0.1


!
interface ATM3/0.1
Pubpoint-to-point
ip address 192.168.1.1 255.255.255.252
ISBN: 1-58705-168-0
Table
of
pvc
0/100
Pages:
648
Contents manage
oam-pvc
! Index
end
Oakland #
Albany#show running-config
interface
Master the world
of Layer 2ATM
VPNs3/0.1
to provide enhanced services and enjoy
productivity gains
!
interface ATM3/0.1 point-to-point
Reduce255.255.255.252
pvc 0/100
oam-pvc manage
!
end
Albany#


In this case, the CEs
are configured
fordata
unspecified
bitservices
rate (UBR)
service-type
You can
are still
derived from
and voice
based
on legacy PVCs.
transport
change the service
type
and
traffic
parameters
either
by
explicit
configuration
under
the
PVC
mode or by defining
a
VC
class.
Example
8-29
shows
OAM
management
enabled
under
the
CE
PVCs, which will be
transported
raw
cells3 over
the AToM
pseudowire.
More
details
about OAM
legacy
Layer 2 as
and
Layer
networks
would
like to move
toward
a single
cell transport over
AAL5 SDU
Mode
pseudowires
are covered
in the
the lucrative
upcomingLayer
section
backbone
while
new
carriers would
like to sell
2 titled "Case
Study 8-9: Understanding
Different
ATM
Transfer
Modes."
infrastructure.
Verifying and Troubleshooting AAL5oMPLS

Network
concepts,
and describes
Layer
VPN techniques
via
The VC Type for ATM
AAL5(VPN)
SDU VCC
is 0x0002.
By enabling
the2debug
mpls l2transport
introductory
case
studies
and
comprehensive
design
scenarios.
This
book
signaling message command, you can see the targeted LDP label mapping message,
including
assists
readers
looking
to
meet
those
requirements
by
explaining
the
the VC Type in the pseudowire ID FEC TLV (see Example 8-30).
Example 8-30.
Checking the VC Type for AAL5oMPLS SDU Mode
comparing
them to those
of Layer
SanFran#debug mpls
l2transport
signaling
message
progressively
covering
each
currently
availablemsg,
solution
greater detail.
1d21h: AToM LDP [10.0.0.201]: Received label mapping
id in
3040
One of the first things you can verify is the pseudowire status and details. You can use the
commandshow mpls l2transport vc (see Example 8-31).
Example 8-31. Verifying the AAL5oMPLS SDU Mode VC
SanFran#show mpls l2transport vc 100

Local intf
Local
circuit
Dest address
VC ID
Status
Layer 2 VPN
Architectures
------------- ------------------------------------------------------ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
AT4/0.1
ATM
AAL5
0/100
10.0.0.203
100
UP
No. 4460,
Anthony
Local interface: AT4/0.1 up, line protocol up, ATM AAL5 0/100 up
Preferred path:
not configured
ISBN: 1-58705-168-0
Default
path: active
Table of
Tunnel label: 16,
Pages:
648 hop 10.0.1.203
next
Contents
Output
interface:
Fa0/0,
imposed label stack {16 21}
Index
Master 4,
theremote
world of3Layer 2 VPNs to provide enhanced services and enjoy
Group ID: local
gains
MTU: local productivity
4470, remote
4470
Remote interface description: *** AAL5 SDU AToM to Albany ***
VC statistics:
packet totals:
byte totals:
packet drops:
SanFran

Reduce
andsend
extend
receivecosts
8460,
8460
network
architecture
receive 0, send 1

their
offerings
while
maintaining
The VC Type is displayed
as service
ATM AAL5,
and the
VPI/VCI
pair is routing
includedcontrol
also. As usual, MTUs need
to match for the PVC to come up.
are l2transport
still derivedbindings,
from dataincluding
and voice
based
on legacythrough
transport
You can also see the
allservices
information
advertised
the
technologies.
Although
Layer
3 MPLS
VPNsmessage
fulfill the(see
market
need 8-32).
for some
targeted LDP session
for this FEC
in the LDP
label
mapping
Example
backbone
while new
carriers
would like SDU
to sellMode
the lucrative
Layer 2
Example 8-32.
Displaying
the
AAL5oMPLS
Binding
SanFran#show mpls
l2transport binding 100
infrastructure.
Destination Address: 10.0.0.203, VC ID: 100
Layer
Local Label:
20 2 VPN Architectures introduces readers to Layer 2 Virtual Private
Network
and describes
Layer
Cbit: 1,
VC(VPN)
Type:concepts,
ATM AAL5,
GroupID:
4 2 VPN techniques via
introductory
case studies
comprehensive
design
scenarios.***
This book
MTU: 4470,
Interface
Desc:and
***
AAL5 SDU AToM
to Oakland
assists readers Type
looking
meet2those requirements by explaining the
VCCV Capabilities:
1,toType
history
Remote Label:
21 and implementation details of the two technologies available from
the Cisco
MPLS (ATOM) for MPLSCbit: 1,
VC Unified
Type: VPN
ATM suite:
AAL5,Any Transport
GroupID: over
3
based cores
and Layer
2 Tunneling
Protocol
version
(L2TPv3)
MTU: 4470,
Interface
Desc:
*** AAL5
SDU AToM
to 3Albany
***for native
this book
VCCV Capabilities:
Type 1,ofType
2
SanFran
Together with FRoMPLS, AAL5 SDU mode requires the use of the control word. You can see in
Example 8-32 that the C-bit indicating control word disposition capability is set in both LDP
advertisements.
Example 8-33 displays the ATM VC information from the Oakland CE and the Albany PE to
compare them.
Example 8-33. Comparing the ATM PVCs in the CE and PE Routers
Oakland#show atm vc interface ATM 3/0.1 detail

2 VPN Architectures
ATM3/0.1: VCD: Layer
1, VPI:
0, VCI: 100
UBR, PeakRate: By
155000
AAL5-LLC/SNAP, No.
etype:0x0,
Flags:
0xC20,
VCmode: 0x0
4460,Anthony Chan,
- CCIE
No. 10,266
OAM frequency: 10 second(s)
InARP frequency: 15 minutes(s)
InPkts: 304, OutPkts: 222, InBytes: 16975, OutBytes: 15897
InPRoc: 304, OutPRoc: 222
ISBN: 1-58705-168-0
InFast:
Table 0,
of OutFast: 0, InAS: 0, OutAS: 0
Pages:
648
Giants:
0
Contents
OAM cells
received:
340
Index
OAM cells sent: 340
Status: UP
Oakland#
SanFran#show atm
vc interface
productivity
gains ATM 4/0.1 detail
ATM4/0.1: VCD: 1, VPI: 0, VCI: 100
UBR, PeakRate: 149760
AAL5 L2transport, etype:0xF,
Learn about Flags:
Layer 2 0x10000C2E,
Virtual Private VCmode:
Networks0x0
(VPNs)
OAM Cell Emulation: not configured
Reduce
Interworking Method:
like costs
to like
network
Remote Circuit Status
= No architecture
Alarm, Alarm Type = None
InPRoc: 0, OutPRoc:Gain
0 from the first book to address Layer 2 VPN application utilizing
both
ATOM
and L2TP
protocols
InFast: 156, OutFast: 216,
InAS:
0, OutAS:
0
InPktDrops: 0, OutPktDrops: 0
Review strategies
that allow large
CrcErrors: 0, SarTimeOuts:
0, OverSizedSDUs:
0 enterprise customers to enhance
Out CLP=1 Pkts: 0 their service offerings while maintaining routing control
OAM cells received: 340
OAM cells sent: 29
Status: UP
SanFran#
services
their
existing
Layer
cores.
The
solution
in these
is a the
By contrasting the
output over
of the
display
of ATM
PVC3 in
the PE
and
CE routers,
youcases
can see
technology
that
would
allow
Layer
2
transport
over
a
Layer
3
following:
infrastructure.
Layer 2type
VPN that
Architectures
introduces
readers
to Layer 2 Virtual
Private
The encapsulation
is displayed
for the CE
is AAL5-LLC/SNAP
(although
it could have
Network
(VPN) concepts,
and describes
2 VPN
vial2transport.
been AAL5-MUX
or something
else), whereas
for theLayer
PE PVC
it is techniques
always AAL5
The CE PVC assists
shows OAM
configuration
(OAMthose
frequency),
whereas
PE PVC displays
OAM
readers
looking to meet
requirements
bythe
explaining
the
Cell Emulation
configuration.
You can enable
cell
by using the
commands
history
and implementation
details
of emulation
available
fromoam-ac
emulation-enable
oam-pvc
manage
that theover
PE locally
cells (as
the Ciscoand
Unified
VPN suite:
Any so
Transport
MPLS terminates
(ATOM) for OAM
MPLSopposed to transporting
them).
based cores and
The PE PVC reader
shows AToM-specific
such
as the remoterequirements
pseudowire status
to Layer 2 VPNinformation
benefits and
implementation
and and the
interworkingcomparing
type.
The OAM cells received and sent counters have a slightly different interpretation.
On the Oakland CE router, the OAM for cells received and sent display the total number of OAM
cells that are received and sent from and to the Albany CE. On the SanFran PE router, OAM
counter for received cells displays the total number of OAM cells from the Oakland CE. These cells
are encapsulated in an AToM packet as cells (setting the T-bit in the required AAL5oMPLS SDU
mode control word) and sent to the remote PE router NewYork. However, the OAM cells sent
counter in the PE router does not count the OAM cells received in AToM packets from the remote
NewYork PE and sent to the Oakland CE router. It counts the OAM cells that are generated from
the SanFran PE, which explains the number discrepancy (see Example 8-34).
Example 8-34. Alarm Indication Signal (AIS) OAM Cells

SanFran#
*May 19 16:51:40.207: AToM LDP [10.0.0.203]: Received label withdraw msg, id 3340
*May 19 16:51:40.207: ATM VC alarm condition: remote acircuit DOWN
Pub0/100
forATM4/0.1:VC#1
ISBN:
1-58705-168-0
*May Table
19 16:51:40.207:
atm_oam_setstate
- VCD#1, VC 0/100: newstate = AIS Xmitted
of
19 16:51:40.207:
Pages:
648
*May
F5
OAM
alarm:
AIS
sent, VC#1 0/100 ATM4/0.1
Contents
*May
19
16:51:40.207:
atm_oam_start_timer
VC = 1, curr_q_index = 19016 q_index =
Index
19047, freq = 1000, cnt = 0 div = 31
*May 19 16:51:40.207: atm_oam_start_timer VC = 1, q_index = 19047, freq = 1000cnt
= 0
*May 19 16:51:40.207:
ATM
VC of
alarm
remoteenhanced
acircuit
DOWN and enjoy
Master the
world
Layercondition:
2 VPNs to provide
services
forATM4/0.1:VC#1
0/100 gains
productivity

FromExample 8-34, you can see that when the pseudowire VC is withdrawn because of an MPLS
ReducePE
costs
andsends
extend
theAIS
reach
of to
your
network failure, the SanFran
router
OAM
cells
theservices
Oaklandby
CEunifying
router. your
The
network
attachment circuit, which
in thisarchitecture
case is the ATM PVC with VPI/VCI 0/100 in the sub-interface
ATM4/0.1 in SanFran, goes into a remote attachment circuit down alarm.
ATOM
andATM
L2TPattachment
protocols circuits and the relationship between
The fault managementboth
aspects
of the
pseudowire status and AIS signals are covered in the next case study.
Case Study 8-5:

Cell
over Providers,
MPLS a significant portion of their revenues
For a ATM
majority
of Service
technologies.
Layer
MPLS VPNs
fulfill
need
for some
The other mode of
transportingAlthough
ATMoMPLS
is to3 transport
raw
cellsthe
in market
Cell Relay
mode.
This
they have
some drawbacks.
Ideally,
with
existing
section presents acustomers,
detailed example
of CRoMPLS
in VC mode.
Thecarriers
topology
used
is shown in
Figure 8-15.
infrastructure.
Figure 8-15. CRoMPLS Case Study Topology
Network (VPN) concepts,[View
andfulldescribes
size image] Layer 2 VPN techniques via
Although this section focuses on CRoMPLS VC mode, it also presents some configuration and
verification examples for CRoMPLS in its other two modes of operation: VP mode and port mode.
Configuring CRoMPLS
The configuration steps to set up the cell relay transport of an ATM VC are similar to those
required to configure AAL5 transport. The difference is that under the l2transport PVC
configuration, the encapsulation is specified as aal0, implying no adaptation layer (raw cells).
Example 8-35 lists the configuration of both PE routers.

Example 8-35. Configuring CRoMPLS PEs

SanFran#show running-config interface ATM 4/0.2

Pub Date:
2005
: March
229 10,
bytes
ISBN: 1-58705-168-0
!
Table of
Pages:
648
interface
ATM4/0.2
point-to-point
Contents
description
***
Cell
VC
AToM to Oakland ***
Index
encapsulation aal0
!
end
productivity gains
SanFran#

NewYork#show running-config interface ATM 1/0.2
network
architecture
: 228
bytes
!
from the first book to address Layer 2 VPN application utilizing
interface ATM1/0.2 Gain
point-to-point
both
ATOM
protocols
description *** Cell VC AToMand
toL2TP
Albany
***
encapsulation aal0
!
end
NewYork#
infrastructure.
Note
Layer 2ofVPN
Architectures
introduces readers
to Cisco
Layer12000
2 Virtual
Private
In earlier versions
ATM
CRoMPLS implementations
on the
series
routers
Network
(VPN) concepts,
and describes
2 VPN techniques
via
with engine 2
ATM linecards,
the interface
command Layer
atm cell-relay
was required
as an
introductory
studies
andiscomprehensive
initial configuration
step. case
This initial
step
no longer required.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLScores and
Layerof2CRoMPLS
TunnelingbyProtocol
version
3 (L2TPv3)
for native
You can configurebased
the different
modes
applying
the xconnect
command
under the
IP cores.
The(see
structure
of this
book
is focused
firstxconnect
introducing
the
different configuration
modes
Example
8-36).
The
context on
of the
command
determines the mode:
VC mode Apply the xconnect command under pvc l2transport configuration submode
(cfg-if-atm-l2trans-pvc).
VP mode Apply the xconnect command under atm pvp l2transport configuration
submode (cfg-if-atm-l2trans-pvp).
Port mode Apply the xconnect command under the interface configuration mode.
Example 8-36. Configuring CRoMPLS in VC, VP, and Port Modes
! Configuring Cell Relay over MPLS VC Mode

interface ATM4/0.300
point-to-point
Layer 2 VPN
Architectures
encapsulation aal0
Publisher:
Press
! Configuring Cell
RelayCisco
over
MPLS VP Mode
interface ATM 5/0Pub Date: March 10, 2005
atm pvp 1 l2transport
ISBN: 1-58705-168-0
Table of
xconnect 10.0.0.200
Pages: 648
Contents
! Configuring
Cell Relay over MPLS Port Mode
Index
interface ATM 6/0
productivity gains
You can see from Example 8-36 that you only need the encapsulation aal0 command in VC
mode, where it is necessary to distinguish between AAL5 and cell transport.
Verifying CRoMPLSnetwork architecture
This section describes verification

of the
configuration.
verifyingutilizing
the circuit type
Gain from the
firstCRoMPLS
book to address
Layer 2Start
VPN by
application
of all the CRoMPLS transport
modes.
are the VC types used:
both ATOM
andFollowing
L2TP protocols

CRoMPLS VC Mode
their0x0009
service(9)
CRoMPLS VP
0x000A
(10)
ForMode
a majority
of Service
CRoMPLS Port
Mode 0x0003
(3) Layer 3 MPLS VPNs fulfill the market need for some
technologies.
Although
Thedebug mpls l2transport signaling message command output provides the circuit type
information (see Example 8-37).
Example 8-37.
Verifying the VC Type for All CRoMPLS Transport Modes
infrastructure.

! Configuring a remote Attachment Circuit for CRoMPLS Port Mode
SanFran#
*May 19 17:35:07.207: AToM LDP [10.0.0.203]: Received label mapping msg, id 3395
Cisco Unified
VPN suite:
Any Transport
overVP
MPLS
(ATOM) for MPLS! Configuring athe
remote
Attachment
Circuit
for CRoMPLS
Mode
SanFran#
IP cores. AToM
The structure
of this book isReceived
focused on
first introducing
the id 3397
*May 19 17:35:44.511:
LDP [10.0.0.203]:
label
mapping msg,
reader
to Layer
2 VPN
benefits
andvc
implementation
requirements
vc type 10, cbit
1, vc
id 400,
group
id 0,
label 18, status
0, mtu and
0
! Configuring aprogressively
remote Attachment
Circuit
for available
CRoMPLS solution
VC Modein greater detail.
covering each
currently
SanFran#
*May 19 17:36:28.411: AToM LDP [10.0.0.203]: Received label mapping msg, id 3400
InExample 8-37, the MTU that is advertised appears as null. The method and reason for this will
become clear in this section.
Given that the transport of cells is inherently different from the transport of packets, some
differences exist in the AToM pseudowire setup. See the output of the command show mpls
l2transport vc in Example 8-38.
ByWei
Luo, - CCIE No.
13,291,
Carlos
Pignataro,
- CCIE
No. 4619,
Example 8-38.
Verifying
the
ATM
Cell
over
MPLS
VCDmitry Bokotey, -
CCIE
SanFran#show mplsPublisher:
l2transport
vc 200
Cisco Press
Pub Date:
March 10, 2005
Local intf
Local
circuit
Dest address
VC ID
Status
ISBN: 1-58705-168-0
------------------------------------------------------------------Table of
Pages:
648 0/200
AT4/0.2
ATM VCC
CELL
10.0.0.203
200
UP
Contents
SanFran#show
mpls
l2transport
vc
200
detail
Index
Local interface: AT4/0.2 up, line protocol up, ATM VCC CELL 0/200 up
Default path:
active
Master
Tunnel label:
16, next
hop 10.0.1.203
productivity
gains
Output interface: Fa0/0, imposed label stack {16 20}
Create time: 1d23h, last status change time: 00:08:05
Learn
about
Layer
2 Virtual Private
Signaling protocol:
LDP,
peer
10.0.0.203:0
up Networks (VPNs)
costs 3
Group ID: localReduce
0, remote
network
architecture
MTU: local n/a, remote n/a
Remote interface description: *** Cell VC AToM to Albany ***
VC statistics:
byte totals:
receive 0, send 60

legacy
Layer
2 andfor
Layer
3 networks
would
to move
toward a as
single
The textual version
of the
VC Type
CRoMPLS
in Cisco
IOS like
Software
is displayed
follows:
VC mode ATM
VCC CELL
VPI/VCI
technology
that
infrastructure.
VP mode ATM VPC CELL VPI
Port mode Network
ATM CELL
Interface_name
(VPN)
Also note that the local and remote MTU values appear as not available (n/a). In all flavors of
CRoMPLS, the MTU value is not advertised in the LDP label mapping, because it does not apply.
This can also be noted in Example 8-39.
Example 8-39.
Verifying
Cell
over
MPLS Binding
reader
to Layer 2the
VPNATM
benefits
and
implementation
requirements and
Local Label: 19
Cbit: 1,
VC Type: ATM VCC CELL,
GroupID: 0
MTU: n/a,
Interface Desc: *** Cell VC AToM to Oakland ***
Max Concatenated ATM Cells: 1
Remote Label: 20
Cbit: 1,
GroupID: 3
MTU: n/a,
Interface Desc: *** Cell VC AToM to Albany ***
SanFran#

SanFran#
FromExample 8-39, you can see again that the MTU value does not apply to the transport of ATM
cells over MPLS. The pseudowire comes up even if the MTUs in the two attachment circuits differ.
However, a new interface parameter is advertised and displayed in the bindings. This new
interface parameter is the maximum number of concatenated ATM cells, also known as the
ISBN: 1-58705-168-0
maximum
Table ofnumber of cells packed (MNCP). This advertised parameter specifies the maximum
Pages:
648 egress PE can process in a single AToM packet disposition. The
number
of packed cells that the
Contents
MNCP
value
defaults
to
1,
meaning
that by default only one ATM cell is included in an AToM
Index
packet. This subject is covered in more detail in the upcoming section "Case Study 8-8: Packed
Cell Relay over MPLS."
From a fault management
perspective,
the 2
pseudowire
status enhanced
is conveyed
to the and
CE device's
Master the
world of Layer
VPNs to provide
services
enjoy ATM
endpoints by using
AIS of the gains
appropriate hierarchy. The following alarm indications are sent out
productivity
of the AC for each of the ATM transport modes if the VC label is withdrawn because of an MPLS
core network or remote AC failure:
ReduceAIS
costs
andcells
extend
the reach
your
services
your
VC Mode F5 (VC-level)
OAM
are sent.
Noteof
that
this
appliesby
to unifying
both AAL5oMPLS
and CRoMPLS VC network
Mode. architecture
Gain from
first
book
VP Mode F4 (VP-level)
AIS the
OAM
cells
areto
sent.
Port Mode Line (for example Layer 1 SONET-level) AIS is sent.
infrastructure.

AdvancedBy
WAN
AToM Case Studies
This section concentrates

on Cisco
advanced
Publisher:
Press concepts and techniques in deployments of AToM Layer 2
transport of WAN protocols.
covers
diverse in-depth topics that involve a higher degree of
Pub Date: It
March
10, 2005
complexity or understanding.
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents analyzes four additional
This section
case studies. The first two case studies present additional details
Index
about
LDP signaling of pseudowires and specifics about Cisco implementation, including techniques so
that you can understand hardware specifics and documentation matrices. Although these two case
studies use WAN transport over MPLS examples, they are applicable to all other Layer 2 transports.
Master
the world
of Layer cases
2 VPNs
provide enhanced
services
and enjoy
Finally, this section
includes
two advanced
ofto
ATMoMPLS,
namely ATM
cell packing
and a
productivity
gains
detailed comparison
of different
AToM transports for ATM VCs.
Case Study 8-6: Decoding LDP Label Mapping and Pseudowire ID FEC
Elements
Chapter 6 presented theoretical

the AToM
control
plane
and application
details on LDP
messages. You
Gain fromaspects
the firstofbook
to address
Layer
2 VPN
utilizing
have seen examples ofboth
using
LDP
to
provide
VC
label
mapping
throughout
Chapters
7,
"LAN Protocols
over MPLS Case Studies," and 8, "WAN Protocols over MPLS Case Studies." This section includes the
decoding of a real LDP Review
label mapping
message
captured
the HDLCoMPLS
in Case Study
strategies
that allow
large from
enterprise
customers signaling
to enhance
8-1. You can also capture
the
hexadecimal
dump
LDP messages
by using
the Cisco IOS debug
their
service
offerings
whileofmaintaining
routing
control
facility with the command debug mpls ldp session io all.Example 8-40 shows the decoding of the
LDP label mapping
message
for of
a pseudowire
(VC) FEC
highlighting
the LDP
message,
TLVs, and
For
a majority
Service Providers,
a significant
portion
of their
revenues
items in the VC FEC
Thefrom
decode
was
obtained
using ethereal
software.
areelement.
still derived
data
and
voice services
based on
legacy transport
legacy
Layer 2 and
networks
would like
to move toward
single
Example 8-40.
Decoding
anLayer
LDP3Label
Mapping
Message
for aaVC
Label Distribution
Protocol
technology
Version: 1 infrastructure.
PDU Length: 77
Layer 2 VPN
Architectures introduces readers to Layer 2 Virtual Private
LSR ID: 10.0.0.201
(10.0.0.201)
Label SpaceNetwork
ID: 0 (VPN) concepts, and describes Layer 2 VPN techniques via
introductory
Label Mapping
Messagecase studies and comprehensive design scenarios. This book
assists
looking tobit
meet
those
0... ....
= Ureaders
bit: Unknown
not
setrequirements by explaining the
implementation
details of
the two technologies available from
Messagehistory
Type:and
Label
Mapping Message
(0x400)
Cisco Unified
VPN suite: Any Transport over MPLS (ATOM) for MPLSMessagethe
Length:
67
Messagebased
ID: cores
0x000012d5
IP cores.
The structure
of thisTLV
Forwarding
Equivalence
Classes
reader
to =Layer
VPN benefits
and
implementation
requirements
and
00..
....
TLV 2Unknown
bits:
Known
TLV, do not
Forward (0x00)
comparing
them to those
of Layer 3 based
VPNs,
as MPLS, then
TLV
Type: Forwarding
Equivalence
Classes
TLVsuch
(0x100)
TLVprogressively
Length: 51covering each currently available solution in greater detail.
FEC Elements
FEC Element 1 VCID: 50
FEC Element Type: Virtual Circuit FEC (128)
1... .... = C-bit: Control Word Present
.000 0000 0000 0110 = VC Type: HDLC (0x0006)
VC Info Length: 43
Group ID: 5
VC ID: 50
Interface Parameter: MTU 1500
ID: MTU (0x01)

Length: 4
MTU: 1500
Layer 2 VPN
Architectures
Interface
Parameter: Description
ByWei Luo, - CCIE
13,291,CarlosDescription
Pignataro, - CCIE(0x03)
ID:No.
Interface
No. 4460,Anthony
Chan, - CCIE
Length:
31 No. 10,266
Description: *** To Oakland Serial 5/0 ***
Interface
Parameter: VCCV
Publisher:
Cisco Press
ID: 10,
VCCV
Pub Date: March
2005(0x0c)
Length: 4
ISBN: 1-58705-168-0
Table of
CC Type
Pages:
648
Contents
.... ...1 = PWE3 Control Word: True
Index
.... ..1. = MPLS Router Alert: True
CV Type
.... ...0 = ICMP Ping: False
.... ..1. = LSP Ping: True
Master the world....
of Layer
2 VPNs
to provide
.0..
= BFD:
False enhanced services and enjoy
productivity
gains
Generic Label TLV
00.. .... = TLV Unknown bits: Known TLV, do not Forward (0x00)
TLV Type: Generic Label TLV (0x200)
TLV Length: 4
Generic
Label:
19 and extend the reach of your services by unifying your
Reduce
costs
FromExample 8-40, you can see that the LDP label mapping message is sent from SanFran (LDP ID
10.0.0.201) and contains two type, length, value (TLV) triplets to provide the FEC-to-label mapping
(FEC <-> label):
FEC TLV The FEC TLV includes one FEC element of Type 128 (Virtual Circuit FEC), as discussed
inChapter 6. This FEC element includes the following information:
Control word present
legacy
Layer
VC Type
0x0006
for2HDLC
Group services
ID 5
VC ID infrastructure.
50
Layer
2 VPNparameters:
A set of
interface
MTU interface
parameter
introductory
Interface
description
history
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSVCCV capabilities
control
(CC) and
connectivity
verification
(CV)
based coresofand
Layerchannel
2 Tunneling
Protocol
version 3
(L2TPv3) for
native
Generic Label TLV This TLV advertises label 19 for the previously referenced FEC.
Note
It is interesting to note the value for the Group ID of 5. The Group ID is an arbitrary 32-bit
number that represents a group of pseudowires (a second degree of freedom by creating
groups in the VC ID space). These groups are per LDP peer, meaning that VC IDs with the
same Group ID belong to the same group if they belong to the same peer. The Group ID
provides a superficial incremental benefit when sending one LDP label withdrawal message
to a given peer for the group of VCs instead of multiple individual withdrawals for each VC.
Earlier releases of Cisco IOS Software used the Interface Index of the main hardware
interface descriptor block (IDB) as the Group ID. For example, for a VLAN attachment
circuit in interface Gigabit-Ethernet 1/0.100, the Group ID used to be the IfIndex for
Layer1/0.
2 VPN
Architectures
GigabitEthernet
This
way, wildcard label withdrawals or notifications could be sent on
Wei Luo, However,
- CCIE No. 13,291,
Carlos
- CCIE
No. 4619,
Bokotey, - withdrawal,
CCIE
physical portByfailure.
because
ofPignataro,
the limited
benefit
ofDmitry
the wildcard
No. 4460,
AnthonyIOS
Chan,
- CCIE No.set
10,266
current releases
of Cisco
software
the Group ID to 0 for all pseudowires, and
wildcard withdraw messages are not sent. For ATM ACs, a non-zero value is still used, but
wildcard withdrawals
are
notPress
sent.
Publisher:
Cisco
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Case Study 8-7: AToM Hardware Capabilities

Throughout this book, multiple case studies provide generic configuration but do not focus on
platform-specific differences. Although remaining hardware agnostic in the case studies is useful,
Master theisworld
of Layer
VPNs to
provideaenhanced
enjoyon specific
some platform information
required.
This 2section
provides
means of services
checkingand
support
gains
platforms withoutproductivity
actually listing
all platform restrictions.
This section presents an exec command that displays the AToM hardware capability and uses a c7200
about
Layer
2 Virtual
VXR series router with Learn
two ATM
port
adapters
(PA):
network
architecture
PA-A1 in slot 3 that
does not
support AToM
from
the first
to address
PA-A3 version 2.0Gain
in slot
4 that
doesbook
support
AToM Layer 2 VPN application utilizing
First issue the command specifying the ATM PA that does not support ATM transport. See Example 8Review
strategies
that refers
allow large
to enhance
41 for abbreviated output.
Core
functionality
to a core-facing
PE interface,
and Edge
their
service offerings
functionality refers to an
edge-facing
PE interface.
Example 8-41.
Unsupported AToM Layer 2 Transport Hardware Capability
legacyl2transport
Layer 2 and Layer
3 networks interface
would like toATM
move
C7206VXR#show mpls
hw-capability
3/0toward a single
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer 2
Interface ATM3/0
!Output omittedtechnology
for brevity
Transport type infrastructure.
ATM AAL5
Core functionality:
2 VPN Architectures
MPLS label Layer
disposition
supported introduces readers to Layer 2 Virtual Private
Network
(VPN) concepts,
Control word
processing
supported
introductory
case studies
Sequence number
processing
not supported
readers supported
VCCV Type 1assists
processing
Edge functionality:
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSNot supported
Transport type IP
ATM
CELL
cores.
Core functionality:
MPLS label comparing
disposition
supported
them
Control word
processing
not supported
Sequence number processing not supported
VCCV Type 1 processing not supported
Edge functionality:
Not supported
!Output omitted for brevity
Transport type ATM VCC CELL
Core functionality:
MPLS label disposition supported
Control word processing supported
VCCV Type 1 processing supported

Edge functionality:
Not supported
Transport type By
ATM
VPC CELL
Core functionality:
MPLS label disposition supported
Pub Date: Marchsupported
10, 2005
VCCV Type 1 processing
ISBN: 1-58705-168-0
Edge
functionality:
Table
of
Not supported Pages: 648
Contents
C7206VXR#
Index
You can see fromMaster

Example
that
is not
supported
for any services
ATM transport
type.
the8-41
world
of imposition
Layer 2 VPNs
to provide
enhanced
and enjoy
Therefore, the commands
to
configure
AToM
ATM
transport
do
not
appear
in
the
router
CLI. In
productivity gains
contrast, you can issue the same command against an ATM PA that does support AToM ATM transport
(seeExample 8-42).
Reduce costsAToM
and extend
the2reach
of your services
by unifying
your
Example 8-42. Supported
Layer
Transport
Hardware
Capability
from the first

book to address
Layer 2 VPN
utilizing
C7206VXR#show mpls Gain
l2transport
hw-capability
interface
ATM application
4/0
both
ATOM
and
L2TP
protocols
Interface ATM4/0
!Output omitted forReview
brevity
Transport type ATM AAL5
Core functionality:
MPLS label are
disposition
still derivedsupported
Control word
processing
supported
Sequence number
processing
not
supported
customers, they have
some
VCCV Type 1legacy
processing
supported
Edge functionality:
MPLS label services
imposition
supported
over their
Control word
processing
supported
Sequence number
processing not supported
infrastructure.
ATM AAL5 forwarding supported
F5 OAM cellLayer
forwarding
supported introduces readers to Layer 2 Virtual Private
2 VPN Architectures
CLP bit setting
supported
Network
CLP bit detecting
supported
introductory
EFCI bit setting
supported
EFCI bit detecting
history andsupported
Transport type the
ATMCisco
CELLUnified VPN suite: Any Transport over MPLS (ATOM) for MPLSbased
Core functionality:
IP
cores.
The structure
MPLS label disposition
supported
reader
to
Layer
2
VPN
benefits
comparing
them
to
those
of
Layer
progressively
covering
each
currently
VCCV Type 1 processing supported
Edge functionality:
MPLS label imposition supported
ATM cell forwarding not supported
ATM cell packing not supported
F5 OAM cell forwarding supported
CLP bit setting not supported
CLP bit detecting not supported
EFCI bit setting not supported

EFCI bit detecting not supported
C7206VXR#
InExample 8-42, you can see that imposition functions are supported for all AToM ATM transport.
Specific information about ATM transport features is also included in the command output.
1-58705-168-0
This procedure
enables ISBN:
you to
check the hardware dependencies without having to check support
Table of
Pages:
648
matrices.
Contents
Index
Case Study 8-8: Packed Cell Relay over MPLS

The forthcoming two
sections gains
present advanced topics on ATM transport over MPLS. This section
productivity
introduces ideas and configuration examples on packed cell relay over MPLS, and the next section
compares different ATM transports from a data plane perspective.
The concept of cell packing that was presented previously in this chapter is straightforward. It
involves concatenatingReduce
multiplecosts
cellsand
intoextend
a single
AToM
packet.
The
tradeoff
also quite
direct:
the
reach
of your
services
byisunifying
your
bandwidth efficiency gained
by architecture
sharing the AToM and lower PCI overhead versus increased latency
network
and jitter.
This section presents aboth
caseATOM
study and
on packed
cell relay using the topology shown in Figure 8-16.
L2TP protocols
Figure 8-16. Packed Cell Relay Case Study Topology

MPLS
[View3full
size image]
infrastructure.

Configuring Cell
Packing
assists
thecell
Cisco
Unified
VPNtwo
suite:
Any Transport over MPLS (ATOM) for MPLSConfiguring packed
relay
involves
steps:
IPthree
cores.timers
The structure
of thisofbook
focused
first can
introducing
the to be
Step Specifying
for the length
timeisthat
a PE on
router
wait for cells
reader
to the
Layer
2 VPN
benefits
and
implementation
and(MCPT)
1.
concatenated
into
same
MPLS
packet.
The
maximum cell requirements
packing timeout
comparing
them toatthose
of Layer
3 based
configuration
is performed
the ATM
interface
level.
Step
2.
Specifying the maximum number of cells to be concatenated in an MPLS packet and the
timer that is available for use. You perform this step at the l2transport PVC configuration.
The configuration for the SanFran side is shown in Example 8-43. It highlights the specific cell packing
commands.
Example 8-43. Packed Cell Relay Configuration
SanFran#show running-config interface ATM 4/0

ByWei Luo, -: CCIE
179No.
bytes
!
interface ATM4/0
no ip address
load-interval 30Pub Date: March 10, 2005
atm mcpt-timers 500ISBN:
8001-58705-168-0
4095
end Table of
Pages: 648
Contents
SanFran#
Index
SanFran#show running-config interface ATM 4/0.3
: world
296 bytes
Master the
!
productivity gains
description *** Packed Cell VC AToM to Oakland ***
encapsulation aal0
Reduce costs2 and extend the reach of your services by unifying your
cell-packing 10 mcpt-timer
network
xconnect 10.0.0.203
300 architecture
encapsulation mpls
!
end
SanFran#
Three interface level
timers
are configured
with the atm
mcpt-timers
command.
They are shared by
For a
majority
a significant
portion
of their revenues
all Layer 2 transport
and VPsfrom
under
thatand
interface
and its subinterfaces.
are VCs
still derived
data
voice services
legacy Layer
2 and Layer 3and
networks
Verifying Cell Packing
Configuration
Operation
over
their
existing
Layer 3acores.
The solution
in these
is alabel
You advertise theservices
max cells
to be
packed
by adding
new interface
parameter
tocases
the LDP
technology
that
would
allow
Layer
2
transport
over
a
Layer
3
mapping message (see Example 8-44). As mentioned earlier in the "Encapsulations and Packet
infrastructure.
Format for Cell Transport"
section, the MTU interface parameter does not apply to ATM Cell transport
and is not advertised.
Example 8-44.
Packed
Cell
Relay
Verification
assists
readers
looking
to meet
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSSanFran#show mpls l2transport binding 300
Local Label: 18
Cbit: 1,
GroupID: 5
MTU: n/a,
Interface Desc: *** Packed Cell VC AToM to Oakland ***
Remote Label: 18
Cbit: 1,
GroupID: 2
MTU: n/a, Interface Desc: *** Packed Cell VC AToM to Albany ***
SanFran#
To fully understand how cell relay packing works, you can perform a simple experiment. First
calculate the size of a ping that would fully occupy ten cells without padding. You can use the
following formula and refer to the packets shown in Figure 8-7:
Number of cellsNo.*4460,
48 Anthony
Bytes/cell
- AAL5
PDU Trailer
- SNAP Header for IP =
Chan, - CCIE
No. 10,266
Number of cells * 48 Bytes/cell - (UU + CPI + Length + CRC) - (LLC + OUI + etype) =
10
*
48
- (1 + 1 + 2 + 4)
- (3 + 3 + 2) = 464 Bytes
You can see that specifying

PING size of 464 bytes requires exactly ten ATM cells. The first part of
ISBN:a1-58705-168-0
Table of
the exercise consists ofPages:
sending
648 10,000 PING packets of 464 bytes and checking the average number
Contents
of cells per packet (see Example 8-45).
Index
Example 8-45. Packed Cell Relay Exercise Part 1

productivity gains
SanFran#ping
Protocol [ip]:
Target IP address: Learn
192.168.3.2
Repeat count [5]: 10000
464 costs and extend the reach of your services by unifying your
Reduce
Timeout in seconds network
[2]:
architecture
Extended commands [n]:
Gain
Sweep range of sizes
[n]:
both
and L2TP protocols
toATOM
abort.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!Output omitted fortheir
brevity
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
a majority
Service Providers,round-trip
a significantmin/avg/max
portion of their
Success rate isFor
100
percentof(10000/10000),
= revenues
1/2/16 ms
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
SanFran#show atm cell-packing
Layer 3 MPLS VPNs fulfill the
average
average
havenbr
some
Ideally,
existing MCPT
circuit customers, they
local
ofdrawbacks.
cells
peer carriers
nbr of with
cells
legacy Layer 2MNCP
and Layer
networks
wouldMNCP
like to
move
a single
type
rcvd3 in
one pkt
sent
intoward
one pkt
(us)
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
ATM4/0.3
vc 0/300
10
9
10
9
800
SanFran#
infrastructure.
2 VPN
Architectures
readers
Layer 2
Private
The counter fromLayer
Example
8-45
shows nine introduces
cells instead
of ten to
because
ofVirtual
OAM cells
bringing down
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via another 10,000
the average slightly. The second part of the exercise is to clear the counters and send
case studies
and comprehensive
design(see
scenarios.
This
book
PING packets butintroductory
now 1 byte longer
than before,
which is 465 bytes
Example
8-46).
the Packed
Cisco Unified
VPN
suite:Exercise
Any Transport
over
Example 8-46.
Cell
Relay
Part
2 MPLS (ATOM) for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
SanFran#clear counters
comparingcounters
them to those
of Layer
3 based VPNs,
such as MPLS, then
Clear "show interface"
on all
interfaces
[confirm]
progressively
covering
each
currently
available
solution
in greater detail.
SanFran#
*May 27 01:22:25.858: %CLEAR-5-COUNTERS: Clear counter on all interfaces by
console
SanFran#ping
Protocol [ip]:
Target IP address: 192.168.3.2
Repeat count [5]: 10000
Datagram size [100]: 465
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!Output omittedByWei
forLuo,
brevity
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
SanFran#show atm Publisher:
cell-packing
Cisco Press
average
average
circuit
local nbr of cells
peer nbr of cells
MCPT
ISBN: 1-58705-168-0
Tabletype
of
MNCP
rcvd
in
one
pkt
MNCP
sent
in
one
pkt
(us)
Pages: 648
Contents
ATM4/0.3
vc 0/300
10
5
10
5
800
Index
SanFran#
Master
of Layer
2 VPNs
to provide
services
enjoy directions
Example 8-46 shows
thatthe
theworld
average
number
of cells
packed enhanced
both in receive
andand
transmit
productivity
dropped drastically
to 5. This gains
is because each ICMP echo request and echo packets now require 11
cells instead of 10. Therefore, each PING packet is sent using two MPLS AToM packets, one with 10
cells and the other with just 1 cell, averaging a bit over 5 cells per MPLS packet. Note that the timers
Learn
aboutMPLS
Layerpacket
2 Virtual
Private
Networks
(VPNs)
are short enough that the
second
does
not have
10 cells.
In addition, the second packet
is sent with only one cell because the timer expires before the second echo request is received.
from the first book
to addressATM
Layer Transfer
2 VPN application
utilizing
Case Study 8-9: Gain
Understanding
Different
Modes
You have learned about the different AToM encapsulationsin particular the different modes of
Review
strategies
thatsingle
allowcell
large
enterprise
customers
to enhance
transporting an ATM PVC
(AAL5
CPCS-SDU,
relay,
and packed
cell relay).
This section
their
service
offerings
while
maintaining
routing
control
illustrates their similarities and differences with examples to solidify the concepts.
a majority
of Serviceamong
Providers,
significant
portion
of their revenues
You can highlightFor
some
of the differences
ATMatransfer
modes
by sending
a 36-byte ping from
are
still
derived
from
data
and
voice
services
based
on
legacy
the Oakland CE routers in the three modes and comparing the capture of those transport
AToM packets in the
3 MPLS
fulfill the
for some
link between the technologies.
Denver P and Although
NewYork Layer
P routers.
YouVPNs
can obtain
themarket
captureneed
as output
for the
customers,
they
have
some
drawbacks.
Ideally,
carriers
with
existing
commanddebug mpls l2transport packet data. All packets you capture share the same Layer 2
legacy
Layer
2 and Layer
networks
would
to move
toward aThey
single
encapsulation (source
and
destination
MAC3address
and
MPLSlike
unicast
Ethertype).
also share the
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
absence of a PSN label because of Penultimate Hop Popping (PHP) and a VC MPLS header with a
services
their existing
Layer
3 cores.
solution
in these
cases
is a
different label. Finally,
all over
the packets
share the
presence
ofThe
a control
word
that has
different
technology
that
would
allow
Layer
2
transport
over
a
Layer
3
characteristics.
infrastructure.
AAL5 CPCS-SDU
Mode(VPN) concepts, and describes Layer 2 VPN techniques via
Network

assists
looking to
those
requirements
explaining
the
The first case is the
AAL5readers
SDU transport
of meet
the ICMP
PING.
The AAL5by
CPCS-SDU
consists
of the
history
and header.
implementation
details
of the two
available
from
IP/ICMP packet with
a SNAP
Therefore,
the contents
oftechnologies
the AToM packet
are 48
bytes: 4
the Cisco
Unified
VPN suite:
Any Transport
over MPLS
(ATOM)
for MPLSbytes of control word,
8 bytes
of LLC-SNAP
Header,
and 36 bytes
of IP/ICMP
packet.
The packet is
and Layer
2 Tunneling
Protocol
version 3 (L2TPv3)
for native
shown in Examplebased
8-47,cores
including
inline decoding.
The
AAL5 CPCS-SDU
is highlighted.
comparing
them to
thosePacket
of Layer 3
based VPNs, such as MPLS, then
Example 8-47.
AAL5 SDU
Mode
Decode
01:45:36: ATOM imposition: out Fa4/0, size 66, EXP 0x0, seq 0, control word
0x300000
01:45:36: 00 0C CF 55 24 08 00 04 4E 26 18 70 88 47 00 01
^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^ ^^^^^ ^^^^^
SA MAC
DA MAC
|
VC Label-->
01:45:36: 31 02 00 30 00 00 AA AA 03 00 00 00 08 00 45 00
^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^ ^^...

<--VC_Label Ctrl-word
SNAP
Begins IP Packet
Label=19
LLC: AAAA03
S=1
OUI: 000000
13,291,Carlos
Pignataro,
TTL=2 ByWei Luo, - CCIE No.
etype:
0x0800
(IP)- CCIE No. 4619,Dmitry Bokotey, - CCIE
4460,
Chan,
CCIE38
No.71
10,266
01:45:36: 00 24No.00
14Anthony
00 00
FF- 01
C0 A8 01 02 C0 A8
01:45:36: 01 01 00 00 27 F7 00 04 00 00 00 00 00 00 00 70
01:45:36: D7 94 Publisher: Cisco Press
^^^^^ Pub Date: March 10, 2005
Ends IP Packet
Table of
ISBN: 1-58705-168-0
Pages: 648 out Fa4/0, size 74, EXP 0x0, seq 0, control word
01:45:40:
Contents ATOM imposition:
0x8380000
Index
InExample 8-47, Master

you canthe
seeworld
that the
contents
of the
MPLS packets
are services
the 4-byte
of Layer
2 VPNs
to provide
enhanced
andcontrol
enjoy word plus
the 44-byte AAL5productivity
CPCS-SDU, gains
totaling 48 bytes. You can also see that the value of the control word is
0x00300000, which contains the length equal to 0x30 = 48 bytes.
For completeness, Example
also
includes
the Private
first lineNetworks
of the output
of the transport of ATM OAM
Learn8-47
about
Layer
2 Virtual
(VPNs)
cells in AAL5 CPCS-SDU mode. The value of the control word is now 0x08380000. This depicts a
length of 0x38 = 56 bytes
(52 costs
bytesand
of the
ATM the
cell reach
plus 4of
bytes
the control
word). The
Reduce
extend
yourofservices
by unifying
yourT-bit is set
to indicate that the contents
arearchitecture
an ATM cell. Remember this length to compare it to the single cell
network
relay and packed cell relay modes.
Single Cell Relay Mode

This section describes the ATM cell relay transport VC mode with single cell relay. In this case, the
complete AAL5 CPCS-PDU
is transported
is madeaofsignificant
the CPCS-SDU
plus
the 8-byte
CPCS-PDU
For a majority
of Serviceand
Providers,
portion
of their
revenues
trailer and padding
if
needed.
For
the
36-byte
PING,
the
CPCS-SDU
and
the
CPCS-Trailer
are still derived from data and voice services based on legacy transport total 52
bytes. Therefore,technologies.
the AAL5 PDUAlthough
is segmented
two VPNs
cells in
the the
SARmarket
layer and
padded
with 44
Layer into
3 MPLS
fulfill
need
for some
bytes (48 * 2 52).customers,
Because this
case
is
single
cell
relay,
two
AToM
packets
are
generated,
each
containing one ATM
cell (see
8-48).
For comparison,
the to
AAL5
CPCS-SDU
highlighted.
legacy
LayerExample
2 and Layer
3 networks
would like
move
toward aissingle
technology
allow
LayerPacket
2 transport
over a Layer 3
Example 8-48.
Singlethat
Cellwould
Relay
Mode
Decode
infrastructure.
SanFran#debug mpls
packetintroduces
data
Layer l2transport
2 VPN Architectures
02:27:46: ATOM Network
imposition:
Fa4/0,
74, EXP
0x0,
seqtechniques
0, control
(VPN) out
concepts,
andsize
describes
Layer
2 VPN
via word
0x380000
02:27:46: 00 0Cassists
CF 55readers
24 08 looking
00 04 to
4Emeet
26 18
70 requirements
88 47 00 01 by explaining the
those
^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^
^^^^^
details of the
two ^^^^^
SA MAC
MAC
|
VC MPLS
Label-->
the Cisco UnifiedDA
VPN
over
(ATOM) for MPLSetype
=
MPLS
based cores and Layer 2 Tunneling Protocol version 3 Unicast
(L2TPv3) for native
02:27:46: 21 02IP00
38 00
00 00 of
0Cthis
80 book
AA AA
03 00 00
cores.
The00
structure
is focused
on 00
^^^^^
^^^^^^^^^^^
reader
to Layer 2^^^^^^^^^^^
VPN benefits ^^^^^^^^^^^^^^^^^
<--VC_Labelcomparing
Ctrl-word
Cellof Layer
SNAP
them ATM
to those
Label=18progressively covering
Headereach currently
LLC: AAAA03
S=1
0/200
OUI: 000000
TTL=2
EoAAL5=0
etype: 0x0800 (IP)
02:27:46: 08 00 45 00 00 24 00 2F 00 00 FF 01 36 56 C0 A8
^^^^^^ ^^...
SNAP
Begins IP Packet
02:27:46: 02 02 C0 A8 02 01 00 00 8C DE 00 0E 00 00 00 00
02:27:46: 00 00 00 97 72 7C 00 00 00 00
^^...
CPCS-PDU Padding
02:27:46: ATOM imposition: out Fa4/0, size 74, EXP 0x0, seq 0, control word
0x380000
02:27:46: 00 0C CF 55 24 08 00 04 4E 26 18 70 88 47 00 01
^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^ ^^^^^ ^^^^^
SA MAC
DA MAC
|
VC Label-->
ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, - etype
CCIE No.=4619,
Dmitry
Bokotey, - CCIE
MPLS
Unicast
4460,
Chan,
CCIE0C
No.82
10,266
02:27:46: 21 02No.00
38Anthony
00 00
00- 00
00 00 00 00 00 00
^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^ ^^...
<--VC_Label Ctrl-word
ATM Cell
CPCS-PDU Padding
Label=18 Pub Date: March 10,
Header
2005
S=1
VPI=0; VCI = 200
ISBN: 1-58705-168-0
Table
of
TTL=2
EoAAL5
= 1
648
Contents 00 00 00 Pages:
02:27:46:
00 00 00 00 00 00 00 00 00 00 00 00 00
Index
02:27:46:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
02:27:46: 00 00 00 00 00 2C 2B F1 73 FD
...^^ ^^^^^^^^^^^^^^^^^^^^^^^
CPCS-PDU Pad CPCS-PDU Trailer
Master
UU = the
0; world
CPI =of0;
productivity
gains
Length = 0x2C = 44 Bytes
CRC = 0x2BF173FD

FromExample 8-48, you can see the 44 bytes of CPCS-PDU padding, the 8-byte CPCS-PDU trailer,
and 4 bytes for each of the ATM-Layer ATM cell headers. The value of the control word is
0x00380000, from which the length equals 0x38 = 56 bytes. These 56 bytes are 52 bytes of ATM cell
plus 4 bytes of control word.
Packed Cell Relay Mode

For a
of Service
Providers,
a significant
of their8-49).
revenues
This section includes
a majority
capture for
ATM packed
cell relay
VC modeportion
(see Example
In this case,
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
the two transported cells are concatenated into a single AToM packet.
Example 8-49.
Packed Cell Relay Mode Packet Decode
technology
that would
allow Layer
SanFran#debug mpls
l2transport
packet
data 2 transport over a Layer 3
infrastructure.
02:30:27: ATOM imposition: out Fa4/0, size 126, EXP 0x0, seq 0, control word 0x0
02:30:27: 00 0C CF 55 24 08 00 04 4E 26 18 70 88 47 00 01
introduces readers
^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^
^^^^^ ^^^^^
Network
(VPN)
concepts,
and
describes
Layer
2 VPN
techniques via
SA MAC
DA MAC
|
VC
Label-->
introductory case studies and comprehensive
design
scenarios.
etype = MPLS Unicast This book
assists
readers
looking
to
meet
those
requirements
02:30:27: 41 02 00 00 00 00 00 00 12 C0AA AA 03 00 00 00 by explaining the
history
and implementation
details
^^^^^
^^^^^^^^^^^
^^^^^^^^^^^
^^^^^^^^^^^^^^^^^
the
Cisco
Unified
VPN
suite:
Any
Transport
over MPLS (ATOM) for MPLS<--VC_Label Ctrl-word
ATM Cell
SNAP
based
cores
and
Layer
2
Tunneling
Protocol
Label=20
Header
LLC: AAAA03version 3 (L2TPv3) for native
IP
cores.
The
structure
of
this
book
S=1
0/300
OUI:is000000
reader
to
Layer
2
VPN
benefits
and
implementation
TTL=2
EoAAL5=0
etype: 0x0800 (IP)requirements and
comparing
them
to
those
of
Layer
VPNs,
such as MPLS, then
02:30:27: 08 00 45 00 00 24 00 3A 00 00 FF 3
01based
34 4B
C0 A8
progressively
covering
each
currently
available
solution
in greater detail.
^^^^^^ ^^...
SNAP
Begins IP Packet
02:30:27: 03 02 C0 A8 03 01 00 00 06 1C 00 12 00 00 00 00
02:30:27: 00 00 06 01 F3 D0 00 00 00 00 00 00 12 C2 00 00
...^^^^^^^^^^^ ^^^^^^^^^^^ ^^...
CPCS-PDU Padding ATM Cell
CPCS-PDU Padding
Header
VPI/VCI = 0/300
EoAAL5=1
02:30:27: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
02:30:27: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
02:30:27: 00 00 00 00 00 00 00 00 00 2C A6 9C AA FC
...^^ ^^^^^^^^^^^^^^^^^^^^^^^
Layer
2 VPN Architectures
CPCS-PDU
Pad CPCS-PDU Trailer
Carlos
UU13,291,
= 0;
CPIPignataro,
= 0; - CCIE No. 4619,Dmitry Bokotey, - CCIE
No. 4460,Anthony Chan,
- CCIE No.
10,266 = 44 Bytes
Length
= 0x2C
CRC = 0xA69CAAFC
ISBN: 1-58705-168-0
The format
Table of of the contents of this single AToM packet is similar to merging the contents of two AToM
Pages:
packets
in the previous case.648
That is, the two cells share the Layer 2, MPLS, and pseudowire (control
Contents
word)
overheads.
The control word presents a value of 0x00000000. The length is not included
Index
because it is 108 bytes (52 * 2 + 4), which is greater than 63 bytes, which is the maximum value the
length field can take with 6 bits (26 - 1 = 63).
The overhead is quite

significant
the
ATM2cell
transport
because
the size
of theand
userenjoy
data
Master
the worldinof
Layer
VPNs
to provide
enhanced
services
transported is small,
and there
is additional overhead from the ATM cell header and AAL5 padding and
productivity
gains
trailer.Table 8-4 lists all the fields of the AToM packet contents and their lengths for the three cases.
Table
network
architectureATM Transport Overheads
8-4.
Comparing
bothATM
Transport Control
Cell
LLCCPCS- CPCSstrategies
that allow
large enterprise
customers to
enhance
Type
Word Review
Header
SNAP
IP/ICMP
Pad
Trailer
Total
AAL5
4 bytes
0
8 bytes 36 bytes 0
0
48 bytes
CPCS-SDU
Single Cell 2 * 4 bytes 2 * 4
8 bytes 36 bytes 44
8 bytes
112 bytes
Relay
bytes
bytes
legacy Layer
Layer
3 networks
a single
Packed Cell 4 bytes
2 * 24 and 8
bytes
36 bytes would
44 like to8 move
bytes toward
108
bytes
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
Relay
bytes
bytes
infrastructure.
From this table, you can see that when you are transporting AAL5 packets, AAL5 CPCS-SDU mode is
more efficient, especially
when
the ATM AAL5
packets are
small.
are transporting
other
Layer 2 VPN
Architectures
introduces
readers
toWhen
Layeryou
2 Virtual
Private
AALs, such as AAL1
for
Circuit
Emulation
Services
(CES)
or
AAL2
for
Voice
over
ATM
(VoATM),
cell
relay is the only option.
Similarly,
CRoMPLS
is
the
only
option
when
you
are
trunking
using
VP
or
port
mode, because AAL5
mode
does
not
exist
for
VP
and
port
mode
ATM
transport.

Summary By

learned specifics
Cisco Pressabout the transport of Layer 2 WAN protocols over MPLS
using AToM. In particular,
this
chapter
presented theory, configuration, and verification of the
Pub Date:
March
10, 2005
transport of several WAN protocols over MPLS. The underlying control plane concept is the
ISBN: 1-58705-168-0
Table
of
same
as with
Ethernet over MPLS (EoMPLS); however, many encapsulation specifics are based
Pages:
648
Contents
on the
martini drafts when adapting AToM to the transport of HDLC, PPP, Frame Relay DLCIs,
AAL5
Index SDUs, and ATM cells.
ATM
This chapter discussed the importance of the MTU setting both in the edge devices and the
core. For all WAN protocol transport over MPLS except the transport of ATM cells, a pseudowire
world
of Layer
2 VPNs
provide
enhanced
services
and
requires matchingMaster
MTUs the
in both
ends
for it to
cometo
up.
Even when
matching
MTUs
in enjoy
the
productivity
gainsplane success, a conscientious MTU setting in the core is
attachment circuits
enable control
required to avoid data plane problems.
about
Layer 2 Virtual
PrivateIn
Networks
(VPNs)
This chapter concludedLearn
with four
additional
case studies.
these case
studies, you learned
what the exact format of LDP label mapping messages is, how to check for hardware
capabilities on a router, and how to decouple the platform specifics. You also learned about
packed cell relay over MPLS and the ins and outs of ATMoMPLS VC mode, including a detailed
comparison of three different ways of transporting an ATM VC using AToM.
infrastructure.

Chapter 9. Advanced AToM Case

Studies

ISBN: 1-58705-168-0

This chapter
Contents
Index
Pages: 648
Load sharing
Preferred path
AToM pseudowires
with MPLS
productivity
gains traffic engineering fast reroute
AToM pseudowire over GRE tunnel
Pseudowire emulation in multi-AS networks
LDP authentication
for pseudowire
signaling
network
architecture
Verifying pseudowire
Gaindata
fromconnectivity
Quality of service in AToM

So far, this book has explained the fundamentals of Any Transport over MPLS (AToM) and
discussed the basic pseudowire emulation case studies for LAN and WAN protocols. This
chapter takes an For
in-depth
look at
complex
scenarios
in which
routing
MPLS
a majority
ofmore
Service
Providers,
a significant
portion
ofprotocols,
their revenues
applications, and are
AToM
features
interact
with
one
another.
Because
the
advanced
deployment
scenarios cover atechnologies.
wide range ofAlthough
concepts,
the format
this fulfill
chapter
somewhat
Layer
3 MPLSofVPNs
thevaries
market
need for from
some
other case study customers,
chapters. they have some drawbacks. Ideally, carriers with existing
infrastructure.

Load Sharing
When more than one

path exists
the source and destination, load sharing often
Publisher:
Cisco between
Press
becomes an important
for better
Pubfactor
Date: March
10, 2005bandwidth utilization. You can deploy load sharing in
many different ways. Load sharing is sometimes completely transparent to pseudowire traffic if
ISBN: 1-58705-168-0
Table
of
it only
involves
core routers in the network. The case studies in this section focus on the load
Pages:
648
Contents
sharing
scenarios that involve provider edge (PE) routers performing pseudogwire emulation
Index
over
MPLS. More precisely, an ingress PE router sees more than one path to reach the egress
PE router for pseudowire traffic.
Service providers normally deploy standard-based routing protocols in the core networks, such
the (OSPF)
world ofand
Layer
2 VPNs to provide
enhanced services
and enjoy
as Open ShortestMaster
Path First
Intermediate
System-to-Intermediate
System
(IS-IS),
productivity
gains (ECMP) load sharing. With these routing protocols, only
which support Equal-Cost
Multipath
routes that have the least cost to a given destination are shown in the forwarding table. If
multiple equal-cost routes go to the same destination, all of them are installed in the
forwarding table. Depending on the traffic type and forwarding configuration, packets with the
same destination are distributed across these paths.
Note

The total number of equal-cost routes available depends on with Cisco IOS releases
and hardware platform specifications.
The load-sharing customers,
scheme used
in AToM
ensures
that packets
being
transmitted
over a given
they
have some
drawbacks.
Ideally,
carriers
with existing
pseudowire followlegacy
the same
path,
and
packets
of
different
pseudowires
are
spread
Layer 2 and Layer 3 networks would like to move toward a across
single all
available equal-cost
paths.
The first aspect of this scheme is to minimize the possibility of out-of-order packets because of
load sharing. Some Layer 2 protocols or higher layer protocols do not function or their
infrastructure.
performance is drastically penalized when packets are delivered out of order. Packets that are
transmitted over Layer
a single
pseudowire
are generally
considered
of the
same data
flow,
2 VPN
Architectures
introduces
readers part
to Layer
2 Virtual
Private
which is likely of the
same
protocol
or
application.
Putting
packets
of
the
same
flow
through
the
same path reduces
the
likelihood
that
they
will
be
misordered
in
the
core
network.
The second aspect of this scheme mandates that the load-sharing scheme used in AToM utilizes
a hashing algorithm to assign pseudowires to equal-cost paths. By default, the remote virtual
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLScircuit (VC) label of a pseudowire acts as the hash key to calculate the outgoing path. Because
of this, pseudowire packets that have the same remote VC label are sent through the same
path. Again, the rationale behind this is to keep these packets in the same data flow and to
minimize out-of-order packets.
covering
each
currently
available
solution
in PE2.
greater
detail.that
Figure 9-1 shows progressively
a network topology
with
multiple
paths
between
PE1 and
Suppose
the core network is configured with OSPF as the Interior Gateway Protocol (IGP).
Figure 9-1. Multipath Network Topology


Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
PE1 has an initial configuration, shown in Example 9-1.

productivity gains
Example 9-1. Initial Pseudowire Configuration

hostname PE1
!
ip cef
!
interface Loopback0Review strategies that allow large enterprise customers to enhance
ip address 10.1.1.1
255.255.255.255
their
!
no ip address are still derived from data and voice services based on legacy transport
!
dot1Q Layer
xconnect 10.1.1.2
100 while
encapsulation
mpls
backbone
new carriers
!
encapsulation infrastructure.
dot1Q 200
!
encapsulation introductory
dot1Q 300 case studies and comprehensive design scenarios. This book
xconnect 10.1.1.2
300
encapsulation
mplsthose requirements by explaining the
assists
readers
looking to meet
!
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSip address 10.23.12.1
255.255.255.0
based cores
mpls ip
!
interface Serial3/0
255.255.255.0
progressively
mpls ip
!
router ospf 1
network 10.1.1.1 0.0.0.0 area 0
network 10.23.11.0 0.0.0.255 area 0
network 10.23.12.0 0.0.0.255 area 0
The initial configuration on PE2 is shown in Example 9-2.
Example 9-2. PE2 Initial Pseudowire Configuration

hostname PE2 No. 4460,Anthony Chan, - CCIE No. 10,266

!
ip cef
ISBN: 1-58705-168-0
!
Table of
Pages:
648
interface
Contents Loopback0
ip address
10.1.1.2
255.255.255.255
Index
!
no ip address
!
productivity gains
!
!
xconnect 10.1.1.1 Review
300 encapsulation
strategies thatmpls
!
255.255.255.0
For a majority
mpls ip
!
interface Serial3/0
255.255.255.0
legacy Layer
mpls ip
!
router ospf 1 technology that would allow Layer 2 transport over a Layer 3
network 10.1.1.2
0.0.0.0 area 0
infrastructure.
network 10.23.21.0 0.0.0.255 area 0
network 10.23.23.0
area 0 introduces readers to Layer 2 Virtual Private
Layer 20.0.0.255
VPN Architectures
The following case
study and
sections
discuss howdetails
PE routers
path selection
decisions
for
history
implementation
of themake
two technologies
available
from
pseudowire trafficthe
when
these
types
of
forwarding
paths
are
present:
Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
Case Study 9-1: Unequal-Cost Multipath
them Multipath
Case Study comparing
9-2: Equal-Cost
Case Study 9-1: Unequal-Cost Multipath

With open standard IGP routing protocols such as OSPF and IS-IS, only routes that have the
lowest cost are installed in the forwarding table. Therefore, for cases in which multiple paths
point to the same destinations but each has a different cost, only one path is selected for
packet forwarding. In Example 9-3, PE1 and PE2 are connected through P1 using T1 links and
through P2 and P3 using Ethernet links. By default, the OSPF cost is 64 for T1 links and 10 for
Ethernet links.
Example 9-3. SPF Costs on PE1 Interfaces

PE1#show ip ospf interface serial3/0

Serial3/0 is up, Publisher:
line protocol
Cisco Pressis up
Internet Address
Pub10.23.11.1/24,
Date: March 10, 2005 Area 0
Process ID 1, Router ID 10.1.1.1, Network Type POINT_TO_POINT, Cost: 64
Table of
ISBN: 1-58705-168-0
Pages: 648 ethernet1/0

PE1#show
ip ospf interface
Contents
Ethernet1/0
is
up,
line protocol is up
Index
Internet Address 10.23.12.1/24, Area 0
Process ID 1, Router ID 10.1.1.1, Network Type BROADCAST, Cost: 10
productivity gains
To reach the loopback interface on PE1 and PE2, you must take the cost of the loopback
interface into account, as shown in Example 9-4.
Reduce
and extend
the reach
Example 9-4. SPF
Costcosts
on PE1
Loopback
Interface
Gain fromloopback0
PE1#show ip ospf interface
both
ATOM
andis
L2TP
Loopback0 is up, line protocol
up protocols
Internet Address 10.1.1.1/32, Area 0
Review
that
allow large
customers
Process ID 1, Router
ID strategies
10.1.1.1,
Network
Typeenterprise
LOOPBACK,
Cost: 1to enhance
aregostill
derived
data PE2
and is
voice
legacy the
transport
The cost for PE1 to
through
P1from
to reach
64 +services
64 + 1 based
= 129,on
whereas
cost to go
technologies.
3 MPLS
VPNs fulfill
thethe
market
need for
some is
through P2 and P3
is 10 + 10 +Although
10 + 1 =Layer
31. The
least-cost
path to
destination
10.1.1.2
customers,
theybyhave
drawbacks.
with existing
through P2 and P3,
thus chosen
the some
routing
protocol toIdeally,
forwardcarriers
data packets.
You can
legacy
and Layer in
3 networks
observe this through
theLayer
show2 command
Example 9-5.
that
Layer 2 Interface
Example 9-5.technology
SPF Cost
towould
PE2 allow
Loopback
infrastructure.
Layer10.1.1.2
PE1#show ip route
Network
Routing entry for 10.1.1.2/32
introductory
case studies
comprehensive
design area
Known via "ospf 1", distance
110, and
metric
31, type intra
assists
readers
looking
to
meet
those
requirements
by
Last update from 10.23.12.2 on Ethernet1/0, 00:52:57 ago explaining the
history and
Routing Descriptor
Blocks:
Cisco
Unified VPN
suite: Any
Transport
over MPLS (ATOM) for MPLS* 10.23.12.2,the
from
10.1.1.2,
00:52:57
ago,
via Ethernet1/0
basedis
cores
Layer 2share
Tunneling
Protocol
Route metric
31,and
traffic
count
is 1 version 3 (L2TPv3) for native
Because Ethernet1/0
is the onlycovering
outgoing
interface
thatavailable
the routing
protocol
chooses
to reach
progressively
each
currently
solution
in greater
detail.
the destination, all AToM pseudowires on PE1 take that interface (see Example 9-6).
Example 9-6. A Single Lowest-Cost Path Selected on PE1

PE1#show mpls l2transport summary
Destination address: 10.1.1.2, total number of vc: 3
0 unknown, 3 up, 0 down, 0 admin down
3 active vc on MPLS interface Et1/0
2 VPN
Architectures
PE2 has a similar Layer
result
to PE1,
Example 9-7. A Single Lowest-Cost Path Selected on PE2

PE2#show mpls l2transport
summary
1-58705-168-0
Destination
address:ISBN:
10.1.1.1,
total number of vc: 3
Table of
Pages:
648
0 unknown,
3
up,
0
down,
0
admin
down
Contents
3 active
vc
on
MPLS
interface
Et1/0
Index
Case Study 9-2:
Equal-Cost Multipath
productivity gains
In the previous case study, all AToM pseudowires took a single outgoing path when all feasible
outgoing paths had different
costs. Layer
Example
9-8 uses
the same
topology
and configuration, but
Learn about
2 Virtual
Private
Networks
(VPNs)
the cost of the link between P2 and P3 is increased so that the overall cost for the path going
Reduce
coststoand
the reach
of your
services
by unifying
through P2 and P3 becomes
equal
theextend
one through
P1. As
a result,
the routing
tableyour
on PE1
now shows it has two equal-cost
paths to the destination.
Example 9-8.
both
ATOM and L2TP
protocols
Two
Equal-Cost
Paths
to PE2 Loopback Interface

PE1#show ip route 10.1.1.2
Routing entry for 10.1.1.2/32
For a1",
majority
of Service
a significant
portion
of their revenues
Known via "ospf
distance
110, Providers,
metric 129,
type intra
area
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
Last update from 10.23.12.2 on Ethernet1/0, 00:00:14 ago
technologies.
Although
Layer
3
MPLS
VPNs
fulfill
the
market
need
for some
Routing Descriptor Blocks:
customers,
they
have
some
drawbacks.
Ideally,
carriers
with
existing
* 10.23.11.2, from 10.1.1.2, 00:00:14 ago, via Serial3/0
legacyis
Layer
Layershare
3 networks
Route metric
129,2 and
traffic
countwould
is 1like to move toward a single
backbone
while
new
carriers
would
like
sell the lucrative Layer 2
10.23.12.2, from 10.1.1.2, 00:00:14 ago, viato Ethernet1/0
services
over
their
existing
Layer
3
cores.
Route metric is 129, traffic share count is The
1 solution in these cases is a
infrastructure.
Layer
VPN PE2
Architectures
introduces
InExample 9-9, you
see2 that
has a similar
result toreaders
PE1. to Layer 2 Virtual Private
Example 9-9.assists
Tworeaders
Equal-Cost
Paths to PE1 Loopback Interface
PE2#show ip route
10.1.1.1
IP cores.
Routing entry for
10.1.1.1/32
reader
Layer 2 VPN
benefits
and129,
implementation
and
Known via "ospf
1",to distance
110,
metric
type intrarequirements
area
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as
MPLS,
then
Last update from 10.23.23.2 on Ethernet1/0, 00:00:41 ago
progressively
Routing Descriptor
Blocks:
* 10.23.21.1, from 10.1.1.1, 00:00:41 ago, via Serial3/0
Route metric is 129, traffic share count is 1
10.23.23.2, from 10.1.1.1, 00:00:41 ago, via Ethernet1/0
Route metric is 129, traffic share count is 1
When equal-cost paths are available, AToM attempts to distribute pseudowires among them.
On PE1 and PE2, the show mpls l2transport summary command demonstrates that AToM
pseudowires are assigned to different output interfaces, as shown in Example 9-10.
Example 9-10.
Pseudowires Load Share Across Equal-Cost Paths
- CCIE No. 10,266
summary
Destination address: 10.1.1.2, total number of vc: 3
0 unknown, 3 up,
0 down,
admin down
Publisher:
Cisco0Press
2 active vc on Pub
MPLS
interface
Se3/0
Date:
March 10, 2005
Table of
ISBN: 1-58705-168-0
Pages: 648summary
PE2#show
mpls l2transport
Contents
Destination
address:
10.1.1.1, total number of vc: 3
Index
0 unknown, 3 up, 0 down, 0 admin down
1 active vc on MPLS interface Se3/0
productivity gains
Notice that PE1 and PE2 come up with different ideas for how to load share the pseudowires.
For all three provisioned
pseudowires,
PE1
two Networks
of them to(VPNs)
the serial interface, which
Learn
about Layer
2 distributes
Virtual Private
takes P1 as the next-hop router towards PE2; PE2 distributes two of the pseudowires to the
Reduce
the router
reach of
your PE1.
services
unifying
Ethernet interface, which
takescosts
P3 asand
theextend
next-hop
toward
Thisby
means
thatyour
one of
network
architecture
the pseudowires selects
the path
through P1 in the direction from PE1 to PE2, but it takes the
path through P3 and P2 in the return direction from PE2 to PE1. For this particular pseudowire,
Gain
the first P1,
book
to PE2
address
Layer its
2 VPN
application
PE1 transmits its packets
tofrom
PE2 through
and
transmits
packets
to PE1 utilizing
through P3
both
ATOM
and
L2TP
protocols
and P2.
Review
that allow
large
enterprisebeing
customers
to enhance
This is not really a problem
or strategies
mistake. Packets
of this
pseudowire
transmitted
in each
service
while maintaining
routing control
direction still follow thetheir
same
path. offerings
IP/MPLS traffic
is generally considered
unidirectional, and
the routing protocol is free to choose different equal-cost paths for packets sent in different
For a majority
of Service
Providers,
a significant
portion
of their
revenues and
directions. It is normal
for the core
network
to route packets
under
the default
hop-by-hop
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
best-effort forwarding scheme. On the other hand, if the core network engages in traffic
technologies.
Although
Layer
3 MPLS
VPNs fulfilltraffic,
the market
needtofor
some
engineering techniques
and prefers
explicit
paths
for pseudowire
you need
associate
customers,
havepaths.
someThe
drawbacks.
Ideally,
carriers
with existing
AToM pseudowires
with thesethey
explicit
next section
discusses
preferred
paths in more
detail.
overscheme,
their existing
Layer
3 cores.
The solution
in these
cases is a
Under the defaultservices
forwarding
the show
mpls
l2transport
vc detail
command
technology
that
would
allow
Layer
2
transport
over
a
Layer
3
reveals how the underlying load-sharing algorithm works when equal-cost paths are present
infrastructure.
(seeExample 9-11).
Example 9-11.
Load Sharing Selects Different Output Interfaces for
Pseudowires assists readers looking to meet those requirements by explaining the
the Cisco Unified
suite: Any Transport over MPLS (ATOM) for MPLSPE1#show mpls l2transport
vc VPN
detail
based
cores
and
Layer
Tunnelingup,
Protocol
3 (L2TPv3)
for native
Local interface: Et0/0.1 up, line 2protocol
Eth version
VLAN 100
up
IP
cores.
The
structure
of
this
book
is
focused
on
first
introducing
the
reader
to
Layer
2
VPN
benefits
and
implementation
requirements
and
comparing
Default path:
activethem to those of Layer 3 based VPNs, such as MPLS, then
progressively
Tunnel label: 17, nextcovering
hop point2point
Create time: 2d10h, last status change time: 2d10h
Local interface: Et0/0.2 up, line protocol up, Eth VLAN 200 up
Layeractive
2 VPN Architectures
Default path:
ByWei17,
Luo, -next
CCIE No.
Tunnel label:
hop13,291,
10.23.12.2
No. 4460,Anthony
Chan,imposed
- CCIE No.label
10,266 stack {17 25}
Output interface:
Et1/0,
Signaling protocol:
LDP,
Publisher:
Ciscopeer
Press 10.1.1.2:0 up
MPLS VC labels:
local
22,
25
Pub Date:
March
10, remote
2005
ISBN: 1-58705-168-0
Table oflocal 1500, remote 1500
MTU:
Pages:
648
Contents interface description:
Remote
Index omitted for brevity
!Output
Preferred path:
configured
Master not
the world
Default path:
active gains
productivity
Learn
about
Layer change
2 Virtualtime:
Private2d10h
Networks (VPNs)
Create time: 2d10h,
last
status
and extend
MPLS VC labels:Reduce
local costs
23, remote
26 the reach of your services by unifying your
network
architecture

On PE1, AToM pseudowires of VC ID 100, 200, and 300 have a remote VC label of 22, 25, and
26 respectively. Because two equal-cost paths are available, the algorithm uses the remote VC
labels, such as the hash key, to calculate an index value for each pseudowire. Then the index
value maps to a hash bucket that corresponds to one of the two output paths. The hash
buckets for pseudowires of VC ID 100 and 300 map to the same output interface; therefore,
they take the same output path.
infrastructure.


Preferred By
Path
When a given destination

hasCisco
multiple
Publisher:
Press equal-cost paths, the load-sharing algorithm used in AToM
distributes pseudowires
to allMarch
available
paths by default, and users do not have the option of
Pub Date:
10, 2005
choosing which pseudowire goes through which output path.
ISBN: 1-58705-168-0
Table of
Pages:
Contents
If network
operators want to648
choose a particular output path for a given pseudowire, they can
Index a preferred path and associate it with the pseudowire. AToM provides two options to
configure
configure preferred paths for pseudowires: IP routing and MPLS traffic engineering.
Before starting the discussion on preferred path options, it is worthwhile to reiterate that the IP
Master
world ofip_address
Layer 2 VPNs
provide enhanced
services
androuter
enjoy ID
address configured
in thethe
xconnect
vc_idto command
must always
be the
productivity
gains
that the remote PE
router uses
for Label Distribution Protocol (LDP) signaling. The router ID is the
first four bytes in the LDP ID. The show mpls ldp neighbor and show mpls ldp discovery
commands display the LDP IDs of the local PE router and its neighbors (see Example 9-12).
Example 9-12. LDP

Neighbors
and Their LDP IDs
network
architecture
PE1#show mpls ldp neighbor
TCP connection:
- large
10.1.1.1.646
Review10.33.23.1.11000
strategies that allow
State: Oper;
Msgs
sent/rcvd:
Downstream
their
service
offerings 5548/5548;
while maintaining
routing control
Up time: 3d08h
LDP discovery
sources:
For a majority
Ethernet1/0,
Src IP
addr:
are still derived
from
data 10.23.12.2
and voice services based on legacy transport
Addresses
bound
to
peer
LDP
Ident:
10.33.23.1
10.23.12.2
customers, they
Peer LDP Ident:
Local
LDP Ident
legacy 10.23.11.2:0;
Layer 2 and Layer
3 networks
would10.1.1.1:0
TCP connection:
10.23.11.2.11142
- 10.1.1.1.646
backbone while
new carriers would
State: services
Oper; Msgs
sent/rcvd:
Downstream
over their
existing 125/126;
Layer 3 cores.
Up time:
01:30:57
LDP discovery
sources:
infrastructure.
Serial3/0, Src IP addr: 10.23.11.2
Addresses
peer LDP Ident:
Layerbound
2 VPN to
Architectures
10.23.11.2
10.43.11.2
Network (VPN)10.23.21.1
Peer LDP Ident:
10.1.1.2:0;
Local
Ident 10.1.1.1:0
introductory
case studies
andLDP
comprehensive
TCP connection:
10.1.1.2.11003
- those
10.1.1.1.646
assists readers
looking to meet
State: history
Oper; and
Msgs
sent/rcvd: 136/137;
Downstream
implementation
details of the
Up time:
the 01:30:53
Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSLDP discovery
sources:
based cores
Targeted
Hello
->this
10.1.1.2,
active,
IP cores. The10.1.1.1
structure of
book is focused
on passive
Addresses
bound
to peer
Ident:
reader
to Layer
2 VPNLDP
benefits
10.1.1.2
10.23.21.2
10.1.1.200
comparing them
to those of Layer10.23.23.1
3 based VPNs, such
as MPLS, then
10.1.1.201
PE1#show mpls ldp discovery
10.1.1.1:0
Discovery Sources:
Interfaces:
Ethernet1/0 (ldp): xmit/recv
LDP Id: 10.33.23.1:0
Serial3/0 (ldp): xmit/recv
LDP Id: 10.23.11.2:0
Targeted Hellos:
10.1.1.1 -> 10.1.1.2 (ldp): active/passive, xmit/recv
LDP Id: 10.1.1.2:0
Three LDP signaling sessions are available, as shown in the show mpls ldp neighbor command
output. PE1 establishes two nontargeted LDP sessions with P1 and P2 to exchange IGP labels,
which serve as tunnel labels for pseudowire packets. The targeted LDP session between PE1 and
PE2 is for pseudowire signaling. The first four bytes of the LDP ID for PE2 are 10.1.1.2, its router
ISBN: 1-58705-168-0
ID. The
targeted
LDP session
for pseudowire signaling uses the local and remote router IDs as the
Table
of
Pages:
648
source
and destination addresses.
When no preferred path is configured for a pseudowire, an
Contents
output
path is selected based on the remote router ID in the forwarding table for pseudowire
Index
packets.
The preferred path option not only allows pseudowire data packets to flow through a different
path from pseudowire
control
packets,
but it2 also
it possible
to provide
differentiated
Master
the world
of Layer
VPNsmakes
to provide
enhanced
services
and enjoy
services to pseudowires
with different
forwarding requirements. For example, you can place
productivity
gains
pseudowires that carry voice traffic to a special traffic-engineered path with low latency and
jitter; you can place pseudowires that remotely back up a large amount of data for file servers to
a best-effort path that Learn
allowsabout
high bursts.
Reduce
andneed
extend
the reach aofpseudowire
your services
byand
unifying
your it with
To configure a preferred
path, costs
you first
to configure
class
associate
networkclass
architecture
the pseudowire. A pseudowire
configures common attributes for a group of pseudowires. For
AToM pseudowires, the encapsulation for the pseudowire class is MPLS, as shown in Example 9Gain from the first book to address Layer 2 VPN application utilizing
13.

a Pseudowire
Class routing control
while maintaining

PE1(config)#pseudowire-class PE1-P1-PE2
PE1(config-pw-class)#encapsulation mpls
backbone with
whilea new
carriers class,
woulduse
likethe
to sell
the lucrative
Layer
2 xconnect
To associate a pseudowire
pseudowire
pw-class
keyword
in the
services
over
their
existing
Layer
3
cores.
The
solution
in
these
cases
is a
command, as shown in Example 9-14.
infrastructure.
Example 9-14.
Configuring an xconnectCommand with a Pseudowire
Class
PE1(config)#interface Ethernet0/0.2
PE1(config-subif)#xconnect 10.1.1.2 200 pw-class PE1-P1-PE2
reader
to discuss
Layer 2 how
VPN to
benefits
implementation
requirements
and
The following case
studies
use IP and
routing
and MPLS traffic
engineering
to select
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as
MPLS,
then
preferred paths for pseudowires.
Case Study 9-3: Configuring Preferred Path Using IP Routing

Whichever method is chosen to configure a preferred path, the basic and usually overlooked
prerequisite for a PE to establish network connectivity to a remote PE is a host route entry of the
remote PE and its corresponding label in its forwarding tables. The host route, also known as the
/32 route, and its label ensure that the local PE has an end-to-end contiguous label-switched path
(LSP) to the remote PE. Any non-host route, such as a subnet route or summary route, does not
guarantee the connectivity requirement even if a subnet or summary route network covers the
range to which the host route belongs.

Note
The label that corresponds

to the host route needs to be explicitly present in the MPLS
forwarding table. It cannot be derived from the recursive lookup of the host route's
next-hop route. "Case Study 9-9: BGP IPv4 Label Distribution with IBGP Peering,"
ISBN: 1-58705-168-0
explains
this topic in
more detail.
Table of
Contents
Index
Pages: 648
Host routes such as router IDs are typically configured on loopback interfaces. A relatively simple
way to specify a preferred path for AToM pseudowires is to configure multiple loopback interfaces
Master
with different host
addresses.
productivity gains
Thepreferred-path peerhost_address command configures a preferred path using a host
address. For example, 10.1.1.200 is a host route configured in a loopback interface on PE2, and
Learn about
Layer
2 Virtual
Private Networks
(VPNs)
PE1 configures a pseudowire
class that
takes
the preferred
path to reach
10.1.1.200. When
forwarding pseudowire packets to PE2, PE1 uses 10.1.1.200 instead of PE2's router ID 10.1.1.2 to
Reduce
and extend
the reach
of your services
look up the output interface
in costs
the forwarding
tables
(see Example
9-15). by unifying your

Path Using IP Routing
both ATOM andPreferred
L2TP protocols

PE1(config-pw-class)#preferred-path
peer 10.1.1.200
? portion of their revenues
For a majority of Service Providers,
a significant
disable-fallback
disable
fall
back
to
alternative
route
legacy
Layer
2 and
Layer 3 networks
wouldalike
to move
a single
Besides the preferred
path,
each
pseudowire
also computes
default
pathtoward
using the
remote
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
router ID that is configured in the xconnect command. If a preferred path is not found
or active,
over their
Layer 3path
cores.
The solutionfall
in back
thesetocases
is a
pseudowires that services
are configured
withexisting
the preferred
automatically
the default
technology option
that would
Layer
2 transport
over
a Layer
3
path. The disable-fallback
turnsallow
off this
default
behavior
so that
pseudowires
remain
infrastructure.
down until the preferred path becomes available.
Layer
2 VPN Architectures
introduces
readers
to Layer
2 VirtualtoPrivate
InCase Study 9-2,
the default
load-sharing hash
algorithm
assigns
pseudowires
different
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via
output interfaces. The pseudowire with VC ID 100 takes Interface Serial3/0, pseudowire
200
introductoryand
case
studies and
comprehensive
design
scenarios.
This
takes Interface Ethernet1/0,
pseudowire
300
takes Interface
Serial3/0.
Figure
9-2book
shows two
assists readers
meet
those
requirements
by how
explaining
the a
available paths between
PE1 andlooking
PE2. Into
this
case
study,
you will learn
to configure
history
and
implementation
details
of
the
two
technologies
available
from
pseudowire to associate with a particular output path.
Figure 9-2. Preferred Path with IP Routing

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Assume that the initial configuration is identical to that in the "Load Sharing" section. In the
Mastersteps,
the world
of Layer 2 VPNs
to provide
enhanced
services
and
enjoy
following configuration
the pseudowire
with VC
ID 100 still
takes the
default
path
assigned
productivity
by the load-sharing
algorithm,gains
but pseudowire 200 takes the preferred path through P1, and
pseudowire 300 takes the path through P2 and P3, as shown in Figure 9-2.
Learn about
Layerinterfaces
2 Virtual Private
Networks
(VPNs)
Step Configure two additional
loopback
and host
addresses
on PE2:
1.
PE2(config)#interface
Loopback1
PE2(config-if)#ip address 10.1.1.200 255.255.255.255
PE2(config-if)#exit
both ATOMLoopback2
and L2TP protocols
PE2(config-if)#ip address 10.1.1.201 255.255.255.255
Step Add the host routes into the routing process on PE2:
2.
PE2(config)#router
ospf
1
technologies.
Although
PE2(config-router)#network
0.0.0.0
areacarriers
0
customers, they have10.1.1.200
some drawbacks.
Ideally,
with existing
PE2(config-router)#network
10.1.1.201
0.0.0.0
area
3 networks
would like
to 0move toward a single
Step Verify that technology
the host routes
present
the routing
tableover
on PE1:
that are
would
allow in
Layer
2 transport
a Layer 3
3.
infrastructure.
PE1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR
Layer 2is
VPN
benefits
Gateway ofreader
last toresort
not
set and implementation requirements and
10.0.0.0/8
is variably
10available
subnets,
2 masks
progressively
covering subnetted,
each currently
solution
in greater detail.
O
10.23.21.0/24 [110/128] via 10.23.11.2, 1d01h, Serial3/0
O
10.1.1.2/32 [110/129] via 10.23.11.2, 1d01h, Serial3/0
[110/129] via 10.23.12.2, 1d01h, Ethernet1/0
O
10.23.23.0/24 [110/128] via 10.23.12.2, 1d01h, Ethernet1/0
C
10.1.1.1/32 is directly connected, Loopback0
C
10.23.12.0/24 is directly connected, Ethernet1/0
C
10.23.11.0/24 is directly connected, Serial3/0
O
10.43.11.0/24 [110/74] via 10.23.11.2, 1d01h, Serial3/0
O
10.33.23.0/24 [110/118] via 10.23.12.2, 1d01h, Ethernet1/0
O
10.1.1.200/32 [110/129] via 10.23.11.2, 00:00:16, Serial3/0
[110/129] via 10.23.12.2, 00:00:16, Ethernet1/0

10.1.1.201/32 [110/129] via 10.23.11.2, 00:00:12, Serial3/0
[110/129] via 10.23.12.2, 00:00:12, Ethernet1/0
Step Associate each

host
routeChan,
with- one
No. 4460,
Anthony
CCIE particular
No. 10,266 output interface. You can achieve this in a
4.
couple ways, such as by using a static route, policy-based route, or inbound distribute list
in OSPF. The following
example
Publisher: Cisco
Press shows how to configure this with a static route:
1-58705-168-0
PE1(config)#ip ISBN:
route
10.1.1.200 255.255.255.255 10.23.11.2
Table of
PE1(config)#ip
route
10.1.1.201 255.255.255.255 10.23.12.2
Pages:
648
Contents
Index
Caution
productivity gains
When you are using a static route to associate a host route to an outgoing path,
configure the next-hop IP address (the IP address of the P router) instead of the
LearnUsing
aboutoutput
Layer interfaces
2 Virtual Private
(VPNs) to be unable to
output interface.
causes Networks
MPLS forwarding
resolve the outgoing tunnel label, which results in a broken LSP.
Step Verify that each network
host route
is associated with the desired output interface in the routing
architecture
5.
table, and each has a corresponding label in the MPLS forwarding table.
PE1#show ip route
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR
2 and
Gateway oflegacy
last Layer
resort
is Layer
not set
10.0.0.0/8
variably
subnetted,
10 subnets,
2 masks
services is
over
their existing
Layer 3 cores.
The solution
in these cases is a
O
10.23.21.0/24
10.23.11.2,
1d01h,
Serial3/0
technology that[110/128]
would allowvia
Layer
2 transport over
a Layer
3
O
10.1.1.2/32
[110/129] via 10.23.11.2, 1d01h, Serial3/0
infrastructure.
[110/129] via 10.23.12.2, 1d01h, Ethernet1/0
O
10.23.23.0/24
[110/128] introduces
via 10.23.12.2,
1d01h,
readers to
Layer 2Ethernet1/0
Virtual Private
C
10.1.1.1/32
isconcepts,
directlyand
connected,
Loopback0
Network (VPN)
describes Layer
C
10.23.12.0/24
isstudies
directly
connected, Ethernet1/0
introductory case
and comprehensive
C
10.23.11.0/24
directly
connected,
Serial3/0
assists readers is
looking
to meet
those requirements
by explaining the
O
10.43.11.0/24
[110/74] via
10.23.11.2,
Serial3/0
details
of the two 1d01h,
technologies
available from
O
10.33.23.0/24
[110/118]
Ethernet1/0
the Cisco Unified
VPN suite:via
Any 10.23.12.2,
Transport over1d01h,
MPLS (ATOM)
for MPLSS
10.1.1.200/32
10.23.11.2
based cores and[1/0]
Layer via
2 Tunneling
S
10.1.1.201/32
[1/0] via
10.23.12.2
of this
PE1#show mpls forwarding-table
Local Outgoing
Prefix
Bytes tag Outgoing
Next Hop
tag
tag or VC or Tunnel Id
switched
interface
16
Pop tag
10.23.21.0/24
0
Se3/0
point2point
17
20
10.1.1.2/32
0
Se3/0
point2point
17
10.1.1.2/32
0
Et1/0
10.23.12.2
18
Pop tag
10.33.23.0/24
0
Et1/0
10.23.12.2
19
18
10.23.23.0/24
0
Et1/0
10.23.12.2
20
Pop tag
10.43.11.0/24
0
Se3/0
point2point
21
Untagged
l2ckt(200)
557264
Et0/0.2
point2point
22
23
10.1.1.201/32
0
Et1/0
10.23.12.2
24
21
10.1.1.200/32
0
Se3/0
point2point
25
26
Untagged
Untagged
l2ckt(300)
l2ckt(100)
557264
557631
Et0/0.3
Et0/0.1
point2point
point2point
Step Configure preferred

in the
pseudowire-class
configuration
mode:
ByWei Luo, paths
- CCIE No.
13,291,
No. 4619,Dmitry
Bokotey, - CCIE
6.
PE1(config-pw-class)#encapsulation
mpls
peer 10.1.1.200
ISBN: 1-58705-168-0
PE1(config-pw-class)#exit
Table of
PE1(config)#pseudowire-class
PE1-P2-P3-PE2
Pages: 648
Contents
mpls
Index
PE1(config-pw-class)#preferred-path peer 10.1.1.201
Step Configure pseudowires

200 and
300 with
their
pseudowire
classes:
Master the world
of Layer
2 VPNs
torespective
provide enhanced
services
and enjoy
7.
productivity gains
PE1(config-subif)#xconnect 10.1.1.2 200 pw-class PE1-P1-PE2
PE1(config-subif)#exit
Ethernet0/0.3
Reduce costs
PE1(config-subif)#xconnect
10.1.1.2 300 pw-class PE1-P2-P3-PE2
Step Verify that pseudowires
200and
andL2TP
300 are
taking the preferred paths:
both ATOM
protocols
8.
PE1#show mpls l2transport vc detail
infrastructure.
Remote
interface
description:
Layer
2 VPN Architectures
Sequencing:
receive
send
disabled
Network
(VPN) disabled,
concepts, and
describes
VC statistics:
packet
totals:
receive
1536,
send
1538
assists
readers
looking
to meet
those
byte totals:
receive
572855,
send
history and implementation details of573600
packetthe
drops:
receive
send
0 Transport over MPLS (ATOM) for MPLSCisco Unified
VPN0,
suite:
Any
based cores
and Layer
Tunneling
Protocol
3 (L2TPv3)
Local interface:
Et0/0.2
up, 2line
protocol
up,version
Eth VLAN
200 up for native
IP
cores.
The
structure
of
this
book
is
focused
on
first
introducing
the
readerpath:
to Layer
2 VPN benefits
Preferred
10.1.1.200,
active
comparing
Default
path: ready
progressively
each
Tunnel label: 21,covering
next hop
point2point
VC statistics:

byte totals:
Local interface:
Et0/0.3 up, line protocol up, Eth VLAN 300 up
Destination
address:
10.1.1.2, VC ID: 300, VC status: up
Preferred path: 10.1.1.201, active
Default path: ready
Pub Date: MarchEt1/0,
10, 2005 imposed label stack {23 26}
Output interface:
1-58705-168-0
time: ISBN:
1d01h,
last status change time: 1d01h
TableCreate
of
Pages:
648
Signaling
protocol:
LDP,
peer 10.1.1.2:0 up
Contents
MPLS
VC
labels:
local
25,
remote 26
Index
Sequencing:
disabled,
Masterreceive
the world
of Layer 2send
VPNs disabled
VC statistics:
productivity gains
byte totals:
Learn about
Layer
Virtual
packet drops:
receive
0, 2send
0 Private Networks (VPNs)
At the end of Step 8, the pseudowire with VC ID 100 is going through the default path, and
Gain
from the
book to
address
Layer
2 VPN application
utilizing
pseudowire 200 is going
through
the first
preferred
path
toward
10.1.1.200,
with the output
interface
both
ATOM
and
L2TP
protocols
Serial3/0 connected to P1. Pseudowire 300 is going through the preferred path toward
10.1.1.201, with the output interface Ethernet1/0 connected to P2.
their service
offeringson
while
control
Example 9-16 is the complete
configuration
PE1maintaining
for sending routing
pseudowire
traffic toward PE2
over preferred paths:
Example 9-16.
Configuration for Preferred Path Using IP Routing
hostname PE1 backbone while new carriers would like to sell the lucrative Layer 2
!
ip cef
infrastructure.
mpls label protocol
ldp
Layer
pseudowire-class
PE1-P1-PE2
Network
encapsulation mpls
introductory
preferred-path peer 10.1.1.200
assists
readers
!
history
and
implementation
pseudowire-class PE1-P2-P3-PE2
the
Cisco
Unified
VPN
suite:
Any Transport over MPLS (ATOM) for MPLSencapsulation mpls
based
cores
and
Layer
2
Tunneling
preferred-path peer 10.1.1.201
IP
cores.
The
structure
of
this
book
!
reader
to
Layer
2
VPN
benefits
and
implementation
requirements and
interface Loopback0
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as MPLS, then
ip address 10.1.1.1 255.255.255.255
progressively
covering
each
currently
available
solution
in greater detail.
!
no ip address
!
!
xconnect 10.1.1.2 200 pw-class PE1-P1-PE2

!
2 VPN
Architectures
encapsulation Layer
dot1Q
300
ByWei Luo,
CCIE No. 13,291,
xconnect 10.1.1.2
300- pw-class
PE1-P2-P3-PE2
!
Publisher:255.255.255.0
Cisco Press
mpls ip
!
ISBN: 1-58705-168-0
Table of Serial3/0
interface
Pages:
648
Contents
ip address
10.23.11.1 255.255.255.0
Index
mpls
ip
!
router ospf 1
network 10.1.1.1 0.0.0.0 area 0
Master 0.0.0.255
the world ofarea
Layer0 2 VPNs to provide enhanced services and enjoy
network 10.23.11.0
productivity
gains
network 10.23.12.0 0.0.0.255 area 0
!
ip route 10.1.1.200 255.255.255.255 10.23.11.2
ip route 10.1.1.201 255.255.255.255 10.23.12.2
If PE2 needs to send pseudowire traffic to PE1 over the same preferred path, repeat Steps 1
through 8 with appropriate parameters on PE2.

service offerings
while maintaining
Case Study 9-4: their
Configuring
a Preferred
Path routing
Usingcontrol
MPLS Traffic
Engineering For
Tunnels
In "Case Study 9-3:
Configuring
Preferred
Path3Using
Routing,"
PE1market
can select
output
technologies.
Although
Layer
MPLSIP
VPNs
fulfill the
needanfor
some
interface for a pseudowire
using
IP
routing,
but
it
cannot
control
how
P1,
P2,
and
P3
route
the
pseudowire traffic.
For example,
if P1Layer
also has
a link connecting
and toward
P3, as illustrated
legacy
Layer 2 and
3 networks
would liketotoP2
move
a single in
Figure 9-3, using backbone
IP routingwhile
to select
preferred
cannot
guarantee
newthe
carriers
wouldpath
like on
to PE1
sell the
lucrative
Layerthe
2 pseudowire
traffic always flows
from P1
to PE2.
is entirely
possible
that
the
traffic in
goes
through
services
over
their It
existing
Layer
3 cores.
The
solution
these
casesP1
is aand P3
and then finally arrives
at PE2.
technology
infrastructure.
Network
(VPN) concepts,
andwith
describes
Layer
2 VPNEngineering
techniques via
Figure
9-3. Preferred
Path
MPLS
Traffic
[Viewdetails
full size image]
The dynamic nature of IGP routing protocols makes it difficult to engineer explicit paths in a
meshed network, and it is not always feasible to configure static routes on all the routers along
the path. Explicit paths are useful when network operators know the traffic pattern of their
networks and want to direct certain traffic through predetermined paths. It takes the guesswork
Layer the
2 VPN
Architectures
out of predicting how
traffic
traverses across the network. An MPLS traffic engineering tunnel
ByWei
Luo, - fulfills
CCIE No.
13,291,
Carlos Pignataro,
with an explicit path
option
this
objective
precisely.
When real-time traffic is encapsulated inside pseudowires, pseudowire traffic must be able to
reserve and maintain
the bandwidth
Publisher:
Cisco Pressneeded to guarantee the service quality at a reasonable
level. When networkPub
operators
care more about reducing jitter and congestion for real-time traffic
than directing traffic through a predetermined path, an MPLS traffic engineering tunnel with
ISBN: 1-58705-168-0
Tablepath
of
dynamic
option is more appropriate; this means that as long as a path satisfies the specified
Pages:
Contentsrequirement, it is 648
bandwidth
considered a feasible path.
Index
Thepreferred-path interfacetunnel command configures a preferred path using the MPLS

traffic engineering tunnel interface, as shown in Example 9-17.
Example
Tunnel
productivity
gains Preferred Path Using Traffic Engineering
9-17.
Configuring
PE1(config-pw-class)#preferred-path interface Tunnel1 ?
disable-fallback Gain
disable
back
to toalternative
route
fromfall
the first
book
address Layer
2 VPN application utilizing

Note

The tunnel interface
that isAlthough
specifiedLayer
for the
preferred
be an MPLS
traffic
technologies.
3 MPLS
VPNspath
fulfillhas
thetomarket
need for
some
engineering customers,
tunnel. It cannot
be
any
other
type
of
tunnel,
such
as
GRE
over
IP.
"Case
Study 9-6: Configuring
AToM
Pseudowire
over GRE
Tunnel,"
describes
how toaconfigure
legacy Layer
2 and
Layer 3 networks
would
like to
move toward
single
AToM pseudowires
over
GREnew
tunnels.
backbone
while
infrastructure.
Thedisable-fallback option works the same way as in the previous case study, which disables
the use of the default
path whenintroduces
the preferred
path to
is unavailable.
Layerforwarding
2 VPN Architectures
readers
Assume that the initial
configuration
is identical
to Example 9-1.
In thescenarios.
following configuration
introductory
case studies
and comprehensive
design
This book
steps, two pseudowires
take
the
preferred
paths
set
up
by
MPLS
traffic
tunnels on
assists readers looking to meet those requirements byengineering
explaining the
PE1. Pseudowire with
VC
ID
200
goes
through
the
traffic
engineering
tunnel
with
an
history and implementation details of the two technologies availableexplicit
from path
through P1 and PE2,
and
pseudowire
300
goes
through
the
traffic
engineering
tunnel
with
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS- 5-Mbps
guaranteed bandwidth:
Step Enable MPLS
traffictoengineering
onand
PE1.
reader
Layer 2 VPNglobally
benefits
1.
progressively
covering each
PE1(config)#mpls
traffic-eng
tunnels
Step Configure MPLS-enabled interfaces to support RSVP traffic engineering signaling. For
2.
interface Ethernet1/0, reserve 8000-Kbps bandwidth. For interface Serial3/0, reserve
1200-Kbps bandwidth.
Ethernet1/0
- CCIE No. 10,266
PE1(config-if)#mpls traffic-eng tunnels
PE1(config-if)#ip rsvp bandwidth 8000
PE1(config-if)#exit
PE1(config)#interface Serial3/0
ISBN: 1-58705-168-0
PE1(config-if)#mpls
traffic-eng tunnels
Table
of
Pages:
648
PE1(config-if)#ip rsvp
bandwidth 1200
Contents
Index
Step Configure OSPF for MPLS traffic engineering.

3.
PE1(config)#router ospf 1
productivity gains
PE1(config-router)#mpls traffic-eng router-id Loopback0
PE1(config-router)#mpls traffic-eng area 0
Step Repeat Steps 1 through
3 on P1,
P3, and
in Step
2, substitute
the interface
Reduce costs
andP2,
extend
the PE2,
reachand
of your
services
by unifying
your
4.
and bandwidth parameters
accordingly. Configure RSVP bandwidth reservation on all MPLS
interfaces that the traffic engineering tunnels might traverse.
both
and L2TP
protocolstunnel with an explicit path through P1 and
Step On PE1, configure
an ATOM
MPLS traffic
engineering
5.
PE2, of which the addresses are 10.23.11.2 and 10.23.21.2, respectively. The bandwidth
Review
strategies
that allow
enterprise
requirement for this
traffic
engineering
tunnellarge
is 1000
Kbps. customers to enhance
For a majority
of Servicename
Providers,
a significant
PE1(config)#ip
explicit-path
P1-PE2
enable
are still derived from data and voice
PE1(cfg-ip-expl-path)#next-address
10.23.11.2
technologies.
Explicit Path
name P1-PE2:
customers, they
1: next-address
10.23.11.2
legacy Layer 2 and Layer 3 networks
PE1(cfg-ip-expl-path)#next-address
10.23.21.2
backbone
while
new
carriers
would
like
to sell the lucrative Layer 2
Explicit Path name P1-PE2:
services over10.23.11.2
1: next-address
technology that
2: next-address
10.23.21.2
infrastructure.
PE1(cfg-ip-expl-path)#exit
PE1(config)#interface Tunnel1
Layer 2 VPNunnumbered
ArchitecturesLoopback0
PE1(config-if)#ip
Network
(VPN)
concepts,
and
PE1(config-if)#tunnel destination 10.1.1.2
introductory
case
studies
and
comprehensive
PE1(config-if)#tunnel mode mpls traffic-eng
assists
readers
looking
to
meet
those
requirements
PE1(config-if)#tunnel mpls traffic-eng priority 7 7 by explaining the
details of
available from
PE1(config-if)#tunnel
mpls traffic-eng
bandwidth
1000
the Cisco Unified
VPN traffic-eng
over MPLS
(ATOM) for
MPLSPE1(config-if)#tunnel
mpls
path-option
1 explicit
name
P1-PE2
Step Verify the status of the MPLS traffic engineering tunnel with the explicit path using the
6.
show mpls traffic-eng tunnels command.
PE1#show mpls
traffic-eng
tunnels
Tunnel1- CCIE No. 4619,Dmitry Bokotey, - CCIE
ByWei Luo,
- CCIE No. 13,291,
Carlos Pignataro,
Name: PE1_t1
(Tunnel1) Destination: 10.1.1.2
Status:
Publisher: CiscoOper:
Press up
Admin: up
Path: valid
Signalling: connected
path option 1, type explicit P1-PE2 (Basis for Setup, path weight 128)
ISBN: 1-58705-168-0
Table of
Pages:
648
Config
Parameters:
Contents
Bandwidth:
1000
kbps (Global) Priority: 7 7
Index
Affinity: 0x0/0xFFFF
Metric Type: TE (default)
AutoRoute: disabled
LockDown: disabled Loadshare: 1000 bw-based
auto-bw: disabled
Active Path
Parameters:
MasterOption
the world
State:productivity
explicit gains
path option 1 is active
BandwidthOverride: disabled LockDown: disabled Verbatim: disabled

InLabel : OutLabel : Serial3/0, 16
RSVP Signalling Info:
Src 10.1.1.1, Dst 10.1.1.2, Tun_Id 1, Tun_Instance 9
RSVP Path Gain
Info:
My Address:
10.1.1.1
both ATOM
and L2TP protocols
Explicit Route: 10.23.11.2 10.23.21.2 10.1.1.2
Record Review
Route:
NONE that allow large enterprise customers to enhance
strategies
Tspec: ave
kbits,
burst=1000
bytes,
peak
rate=1000 kbits
theirrate=1000
service offerings
while
maintaining
routing
control
RSVP Resv Info:
Record
Route: of Service
NONE Providers, a significant portion of their revenues
For a majority
Fspec:
avederived
rate=1000
kbits,
bytes,
rate=1000
kbits
are still
from data
andburst=1000
voice services
based peak
on legacy
transport
Shortest
Unconstrained
Path
Info:
technologies.
Although
Layer
Path
Weight: they
30 (TE)
customers,
Explicit
Route:
10.23.12.1
10.23.12.2
10.33.23.2
10.33.23.3
legacy Layer
2 and
Layer 3 networks
would
like to move
toward a single
backbone while 10.23.23.2
new carriers 10.23.23.1
would like to 10.1.1.2
History:
Tunnel:
Time
since created: 14 minutes, 20 seconds
infrastructure.
Time since path change: 11 minutes, 9 seconds
Layer LSP:
Current
Network11
(VPN)
concepts,
Uptime:
minutes,
9 seconds
From the output
the implementation
show mpls traffic-eng
command, the
MPLS traffic
historyofand
details of tunnels
available
from
tunnel usesthe
theCisco
interface
Serial3/0
as
the
output
interface
and
takes
the
path to P1
Unified VPN suite: Any Transport over MPLS (ATOM)explicit
for MPLSand PE2. The
tunnel
takes
the
shortest
path
through
P2
and
P3
if
no
path
constraint
based cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native is
imposed onIPthe
tunnel.
cores.
Step Verify that the intermediate router P1 sets up the traffic engineering tunnel properly.
7.
Layer traffic-eng
2 VPN Architectures
P1#show mpls
tunnels
Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
LSP TunnelByWei
PE1_t1
is signalled, connection is up
InLabel : Serial2/0, 16
OutLabel : Serial3/0, implicit-null
Publisher:Info:
Cisco Press
RSVP Signalling
Pub
Date:
March
10, 10.1.1.2,
2005
Src 10.1.1.1, Dst
Tun_Id 1, Tun_Instance 8
RSVP Path Info:
ISBN: 1-58705-168-0
Table of
My Address:
Pages:10.23.11.2
648
Contents
Explicit Route: 10.23.21.2 10.1.1.2
Index
Record
Route:
NONE
Tspec: ave rate=1000 kbits, burst=1000 bytes, peak rate=1000 kbits
RSVP Resv Info:
Record
NONE
Master Route:
the world of
Fspec:
ave
rate=1000
kbits, burst=1000 bytes, peak rate=1000 kbits
productivity gains
Notice that the incoming

labelLayer
for the
tunnel Private
is 16 onNetworks
Serial2/0.
This should be the tunnel
Learn about
2 Virtual
(VPNs)
imposition label that PE1 uses for the pseudowires that are going through this traffic
engineering tunnel.
The outgoing
is implicit-null
Serial3/0,
means your
that the
Reduce
costs andlabel
extend
the reach ofon
your
serviceswhich
by unifying
interface is connected
directly
to
the
tunnel
tailend
PE2.
Gain
from the
firstengineering
book to address
VPN application
utilizing
Step On PE1, configure
an MPLS
traffic
tunnelLayer
with 2
5-Mbps
guaranteed
bandwidth.
both
ATOM
and
L2TP
protocols
8.
Tunnel2that allow large enterprise customers to enhance
Review strategies
PE1(config-if)#ip
unnumbered
Loopback0
their service
offerings
mode
mpls
traffic-eng
For a majority of
Service
Providers,
traffic-eng
7 7 on legacy transport
are still derivedmpls
from data
and voicepriority
services based
mpls traffic-eng
5000
Layer 3 MPLSbandwidth
VPNs fulfill the
mpls
traffic-eng
path-option
1 dynamic
customers, they have some drawbacks. Ideally, carriers
with existing
Step Verify the status
of the
engineering
tunnel
bysolution
using the
mpls is
trafficservices
overMPLS
theirtraffic
existing
Layer 3 cores.
The
in show
these cases
a
9.
eng tunnels
command.
technology
infrastructure.
PE1#show mpls traffic-eng tunnels Tunnel2
Network (VPN) concepts, and describes (Tunnel2)
Layer 2 VPNDestination:
techniques via10.1.1.2
Name: PE1_t2
introductory
case
studies
and
comprehensive
design
scenarios.
This book
Status:
assists
readers
looking
to
meet
those
requirements
by
explaining
Admin: up
Oper: up
Path: valid
Signalling:the
connected
path option
type VPN
dynamic
for Setup,
path (ATOM)
weight for
30)MPLSthe Cisco1,Unified
suite:(Basis
Any Transport
over MPLS
Config Parameters:
Bandwidth: 5000
kbps (Global) Priority: 7 7
Affinity: 0x0/0xFFFF
Metric Type: TE (default)
AutoRoute: disabled LockDown: disabled Loadshare: 5000
bw-based
auto-bw: disabled
Active Path Option Parameters:
State: dynamic path option 1 is active
BandwidthOverride: disabled LockDown: disabled Verbatim: disabled
InLabel : OutLabel : Ethernet1/0, 22
RSVP Path Info:
My Address: 10.23.12.1
Explicit Route: 10.23.12.2 10.33.23.2 10.33.23.3 10.23.23.2
10.23.23.1 10.1.1.2
Layer 2 VPN
Architectures
Record
Route:
NONE
ByWeiave
Luo, -rate=5000
CCIE No. 13,291,
Carlos Pignataro,
- CCIEbytes,
No. 4619,Dmitry
- CCIE kbits
Tspec:
kbits,
burst=1000
peakBokotey,
rate=5000
No. 4460,
RSVP Resv
Info:
Record
Route:
NONE
Fspec:Publisher:
ave rate=5000
Cisco Press kbits, burst=1000 bytes, peak rate=5000 kbits
Shortest Unconstrained
Pub Date: March 10, Path
2005 Info:
Path Weight: 30 (TE)
ISBN: 1-58705-168-0
Table ofExplicit Route: 10.23.12.1 10.23.12.2 10.33.23.2 10.33.23.3
Pages:
648
Contents
10.23.23.2 10.23.23.1 10.1.1.2
IndexHistory:
Tunnel:
Time since created: 9 minutes, 50 seconds
Time since path change: 6 minutes, 27 seconds
Master
Current
LSP:the world of Layer 2 VPNs to provide enhanced services and enjoy
productivity
gains 27 seconds
Uptime: 6 minutes,

Step Verify that the intermediate routers P2 and P3 set up the traffic engineering tunnel
10. properly.
P2#show mpls traffic-eng tunnels
LSP Tunnel PE1_t2
is signalled,
connection is up
both ATOM
and L2TP protocols
InLabel : Ethernet1/0, 22
Review strategies
OutLabel : Ethernet0/0,
22 that allow large enterprise customers to enhance
their Info:
RSVP Signalling
For a majority
RSVP Path
Info: of Service Providers, a significant portion of their revenues
are still derived
My Address:
10.33.23.2
technologies.
Layer10.23.23.2
3 MPLS VPNs10.23.23.1
fulfill the market
need for some
Explicit
Route:Although
10.33.23.3
10.1.1.2
customers,
they have
Record
Route:
NONEsome drawbacks. Ideally, carriers with existing
legacy
Layer
2 and Layer
3 networks
wouldbytes,
like to move
a single
Tspec:
ave
rate=5000
kbits,
burst=1000
peak toward
rate=5000
kbits
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
RSVP Resv Info:
servicesRoute:
over theirNONE
Record
technology
that
would
allow Layer
2 transport
over peak
a Layer
3
Fspec: ave rate=5000 kbits,
burst=1000
bytes,
rate=5000
kbits
infrastructure.
P3#show mpls traffic-eng tunnels
LSP Tunnel PE1_t2 is signalled, connection is up
InLabel : Ethernet0/0, 22
OutLabel : Ethernet1/0, implicit-null
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSRSVP Path Info:
My Address: 10.23.23.2
Explicit Route: 10.23.23.1 10.1.1.2
Record
Route:
NONE
RSVP Resv Info:
Record
Route:
NONE
Fspec: ave rate=5000 kbits, burst=1000 bytes, peak rate=5000 kbits
Notice that on P2, the incoming label for the tunnel is 22 on Ethernet1/0. This should be
the tunnel imposition label that PE1 uses for the pseudowires that are going through this
traffic engineering tunnel. On P3, the outgoing label is implicit-null on Ethernet1/0, which
means that the interface is connected directly to the tunnel tailend PE2.
Step Verify that the PE2 sets up both traffic engineering tunnels correctly as the tailend.
11.
Layer 2traffic-eng
VPN Architectures
PE2#show mpls
tunnels
LSP TunnelByWei
PE1_t1
is signalled, connection is up
InLabel : Serial3/0, implicit-null
OutLabel : Publisher:
Cisco Press
RSVP Signalling
Info:
Pub
Date:
March
2005
Src 10.1.1.1, Dst 10,
10.1.1.2,
Tun_Id 1, Tun_Instance 8
RSVP Path Info:
ISBN: 1-58705-168-0
Table of
My Address:
10.1.1.2
Pages:
648
Contents
Explicit Route: NONE
Index
Record
Route:
NONE
RSVP Resv Info:
RecordMaster
Route:
NONE
the world
Fspec:
ave
rate=1000
productivity gains kbits, burst=1000 bytes, peak rate=1000 kbits
LSP Tunnel PE1_t2 is signalled, connection is up

InLabel : Ethernet1/0, implicit-null
OutLabel : RSVP Signalling
Info:
Reduce
Src 10.1.1.1,
Dst 10.1.1.2, Tun_Id 2, Tun_Instance 16
RSVP Path Info:
My Address:
10.1.1.2
Gain from
Explicitboth
Route:
NONE
ATOM and
L2TP protocols
Record
Route:
NONE
Tspec: ave
rate=5000
kbits,
burst=1000
bytes, customers
peak rate=5000
kbits
Review
strategies
that allow
large enterprise
to enhance
RSVP Resv their
Info:
Record
Route:
NONE
For aave
majority
of Service
Providers,
a significant
portion
their revenues
Fspec:
rate=5000
kbits,
burst=1000
bytes,
peak ofrate=5000
kbits
have
drawbacks.
carriersthe
with
existing
Step Configure acustomers,
pseudowirethey
class
withsome
a preferred
path Ideally,
going through
explicit
path.
12.
PE1(config-pw-class)#preferred-path interface Tunnel1 disable-fallback
infrastructure.
2 VPN Architectures
introduces
readers
to Layer
Virtual
Private
Notice that Layer
the disable-fallback
option
is enabled
to prevent
the2traffic
from
taking the
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via
default route when the traffic engineering tunnel becomes unavailable.
Step Configure ahistory
pseudowire
class that prefers
a high-bandwidth
path.
and implementation
details
available from
13.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbased cores and Layer 2 TunnelingHigh_Bandwidth
PE1(config-pw-class)#pseudowire-class
IP cores. The structure of this book
mplsis focused on first introducing the
reader to Layer 2 VPN benefits and
implementation
interface
Tunnel2requirements and
Because the disable-fallback option is not present, the traffic takes the default route when
the high-bandwidth traffic engineering tunnel becomes unavailable.
Step Provision the pseudowire of VC ID 200 with the explicit path and pseudowire 300 with the
14. high-bandwidth path.
Ethernet0/0.2
PE1(config-subif)#xconnect
10.1.1.2
No. 10,266200 pw-class PE1-P1-PE2
PE1(config-subif)#exit
PE1(config-subif)#xconnect 10.1.1.2 300 pw-class High_Bandwidth
Table of
ISBN: 1-58705-168-0
Verify that pseudowires

Pages: 648
Step
are active and taking the specified path by using the show mpls
Contents
15. Index
l2transport vc detail command.
PE1#show mpls l2transport vc detail

productivity gains
Tunnel label:
next
hop2 Virtual
10.23.12.2
Learn23,
about
Layer
Create time:Reduce
00:33:08,
lastextend
status
00:32:40
costs and
thechange
reach oftime:
your services
by unifying your
Signaling protocol:
LDP, peer 10.1.1.2:0 up
from
first book
Group ID: Gain
local
0, the
remote
0
ATOM
and L2TP
MTU: localboth
1500,
remote
1500protocols
strategies
thatsend
allow disabled
Sequencing: Review
receive
disabled,
VC statistics:
For a majority
of Service
Providers,
byte totals:
receive
12375,
send 12000
are
still
derived
from
data
and
voice
Local interface:
Et0/0.2
up,some
linedrawbacks.
protocol Ideally,
up, Ethcarriers
VLAN 200
customers,
they have
with up
existing
Destination
10.1.1.2,
VC ID: 200,
legacyaddress:
Layer 2 and
Layer 3 networks
wouldVC
likestatus:
to move up
toward a single
Preferred
path:
Tunnel1,
active
backbone
while
new carriers
Default
path:over
disabled
services
Tunnel
label: 3,
next
hop
point2point
technology
that
would
allow
Outputinfrastructure.
interface: Tu1, imposed label stack {16 24}
Layer
2 VPN Architectures
readers
Signaling
protocol:
LDP, peer introduces
10.1.1.2:0
up to Layer 2 Virtual Private
Network
(VPN)
concepts,
and describes
MPLS VC
labels:
local
17, remote
24
studies0and comprehensive design scenarios. This book
Group introductory
ID: local case
0, remote
assists 1500,
readersremote
looking1500
MTU: local
history
and implementation
Remote
interface
description:details of the two technologies available from
the Cisco
Unified
VPN suite:send
Any Transport
Sequencing:
receive
disabled,
disabled over MPLS (ATOM) for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
VC statistics:
IP totals:
cores. The
structure
of this
packet
receive
32,
sendbook
30 is focused on first introducing the
reader to Layer
2 VPN12000,
benefitssend
and implementation
requirements and
byte totals:
receive
11250
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as MPLS, then
Preferred path: Tunnel2, active
Default path: ready
Output interface: Tu2, imposed label stack {22 25}

VC statistics:
ByWei
Luo, - CCIE
No. 13,291,
Carlos
Pignataro,
packet
totals:
receive
32,
send
32 - CCIE No. 4619,Dmitry Bokotey, - CCIE
No. 4460,Anthony
Chan, - CCIE
No. 10,266
byte totals:
receive
12000,
send 12000
Note that the default
path for pseudowires 100 and 300 is established through LDP, not
ISBN: Protocol
1-58705-168-0
Resource
Reservation
(RSVP) Traffic Engineering. The default path is disabled for
Table
of
pseudowire 200 by
Pages:
648
using
the
disable-fallback
option.
Contents
Index
The traffic engineering tunnel labels for pseudowires 200 and 300 are 16 and 22,
respectively, which match the traffic engineering labels that P1 and P2 assign. Because the
traffic engineering tunnels are from PE1 to PE2, the forwarding process on PE1 perceives
the world
of Layer
2 VPNsthe
to provide
enhanced services
and
enjoy
PE2 as if it Master
were directly
connected
through
tunnel interfaces.
Therefore,
the
tunnel
label fields productivity
have a label gains
value of 3, which is the implicit-null label.
Learn
about
2 Virtual
Private
(VPNs)
Upon completion of these
steps,
theLayer
network
has two
MPLSNetworks
traffic engineering
tunnels established
from PE1 to PE2. Traffic engineering tunnels are always unidirectional. If you want the same
forwarding properties for pseudowire traffic from PE2 to PE1, PE2 needs to configure its own
traffic engineering tunnels toward PE1 by repeating Steps 5 through 15 with appropriate
parameters.
Caution


When you are using an MPLS traffic engineering tunnel as a preferred path for
pseudowires, you need to make sure that the tunnel endpoints (headend and tailend)
are on the PE routers that provision these pseudowires.
After you complete these steps, the configuration on PE1 is shown in Example 9-18.
infrastructure.
Example 9-18.
Configuration
for introduces
Preferred
Pathto
Using
MPLS
Layer
2 VPN Architectures
readers
Layer 2
VirtualTraffic
Private
Engineering Tunnel
hostname PE1 history and implementation details of the two technologies available from
!
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSip cef
mpls label protocol
ldp
IP cores.
mpls ldp router-id
readerLoopback0
mpls traffic-eng
tunnelsthem to those of Layer 3 based VPNs, such as MPLS, then
comparing
pseudowire-class
PE1-P1-PE2
progressively
encapsulation mpls
preferred-path interface Tunnel1 disable-fallback
!
pseudowire-class High_Bandwidth
encapsulation mpls
preferred-path interface Tunnel2
!
interface Loopback0
ip address 10.1.1.1 255.255.255.255
!
interface Tunnel1
ip unnumbered Loopback0
tunnel destination 10.1.1.2
Layertraffic-eng
2 VPN Architectures
tunnel mode mpls
ByWei Luo, - CCIE
No. 13,291,7
Carlos
tunnel mpls traffic-eng
priority
7 Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
No. 4460,Anthonybandwidth
Chan, - CCIE No.
10,266
1000
tunnel mpls traffic-eng path-option 1 explicit name P1-PE2
!
interface Tunnel2Pub Date: March 10, 2005
ISBN: 1-58705-168-0
Table destination
of
tunnel
10.1.1.2
Pages:
648
Contents
tunnel
mode mpls traffic-eng
Index mpls traffic-eng priority 7 7
tunnel
tunnel mpls traffic-eng bandwidth 5000
tunnel mpls traffic-eng path-option 1 dynamic
!
no ip address productivity gains
!
xconnect 10.1.1.2 Reduce
100 encapsulation
mpls
costs and extend
!
encapsulation dot1Q
200
Gain
xconnect 10.1.1.2 both
200 ATOM
pw-class
and PE1-P1-PE2
L2TP protocols
!
encapsulation dot1Q
300
their
xconnect 10.1.1.2 300 pw-class High_Bandwidth
!
technologies.
255.255.255.0
mpls ip
legacy
mpls traffic-eng
tunnels
backbone
ip rsvp bandwidth 8000while new carriers would like to sell the lucrative Layer 2
!
interface Serial3/0
infrastructure.
255.255.255.0
mpls ip
Layertunnels
mpls traffic-eng
Network
ip rsvp bandwidth 1200
introductory
!
assists
readers
router ospf 1
history
and implementation
mpls traffic-eng
router-id
Loopback0 details of the two technologies available from
the Cisco
VPN suite: Any Transport over MPLS (ATOM) for MPLSmpls traffic-eng
area Unified
0
based
cores and
Layer
network 10.1.1.1
0.0.0.0
area
0 2 Tunneling Protocol version 3 (L2TPv3) for native
IP cores.
The structure
network 10.23.11.0
0.0.0.255
areaof0this book is focused on first introducing the
reader 0.0.0.255
to Layer 2 VPN
benefits
network 10.23.12.0
area
0
comparing
them
to
those
of
Layer
!
progressively
covering
each
currently
ip explicit-path name P1-PE2 enable
next-address 10.23.11.2
Besides using the preferred-path interface command, you can also direct pseudowire traffic to
an MPLS traffic engineering tunnel by using the preferred-path peer command. The net effect is
similar to using IP routing for the preferred path. The only difference is that the specified /32 host
route has a traffic engineering tunnel interface as the output interface instead of a physical
interface in the forwarding table.
When the traffic engineering tunnel is configured with the autoroute option, IGP can learn the
host route through the traffic engineering tunnel interface. As a result, IGP forwards both IP and
Layer
2 VPN Architectures
pseudowire packets
through
the traffic engineering tunnel for the routing prefixes it learns
through the tunnel.
To Luo,
enable
the
option,
configure
the
tunnel
mpls traffic-eng
ByWei
- CCIE
No.autoroute
13,291,Carlos
Pignataro,
- CCIE No.
4619,
Dmitry Bokotey,
- CCIE
autoroute announce
command
under
the
No. 4460,
Anthony Chan,
- CCIE
No.tunnel
10,266 interface configuration mode.
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.

Case Study
9-5: Protecting AToM Pseudowires with
MPLS Traffic
Engineering Fast Reroute
MPLS traffic engineering automatically establishes and maintains LSPs across the MPLS core
ISBN: 1-58705-168-0
Tableusing
of
network
RSVP. Such LSPs are created based on the resource constraints that are
Pages:
648 resources, such as bandwidth. IGP routing protocols such as
Contentsand available network
configured
Index
IS-IS
or OSPF announce available network resources using traffic engineering protocol
extensions along with link state advertisements throughout the network.
In any network, links, routers, or both can fail because of unexpected events. Network
the world
of Layerplanning
2 VPNs to
and
enjoyat
operators includeMaster
this factor
their network
byprovide
having enhanced
redundantservices
links and
routers
productivity
gains
the physical or logical
locations
where the failures are most likely to happen. When such failure
conditions occur, routers within the network might temporarily have inconsistent routing
information. They might need to exchange routing updates and come up with a new, consistent
Learn
aboutisLayer
2 Virtual
Private
Networks .(VPNs)
view of the network. This
process
known
as network
convergence
During network
convergence, routing loops and black holes can cause packet loss. The longer the convergence
takes, the larger the amount of packet loss.
The convergence time includes the amount of time for an adjacent router to detect the link (or
router) failure. It also includes the amount of time for this router to distribute the information
to all other routers and for all other routers to recalculate routes in the forwarding tables.
Detecting a link failure requires physical and link layerspecific mechanisms. MPLS traffic
engineering does not have a way to reduce the amount of time to detect failures. However, it
can reduce the time required to distribute the failure information and update the forwarding
tables by using MPLS
engineering
fast
reroutinga capability.
For atraffic
majority
of Service
Providers,
Prior to a failure, fast reroute calculates and establishes a protection traffic engineering tunnel
around the link or node that is deemed vulnerable. Upon detecting such a failure, the backup
tunnel takes over packet forwarding immediately. Rerouting typically takes less than 50 ms
upon failure detection, and packet loss is kept minimal.
Before you enable fast reroute for an AToM pseudowire, you need to configure an MPLS traffic
engineering tunnel as the preferred path, as shown in the previous case study. Then at the
infrastructure.
ingress PE where the traffic engineering tunnel headend is, you can use fast reroute options to
configure a backup traffic engineering tunnel to protect the primary traffic engineering tunnel.
InFigure 9-4, a pseudowire takes the explicit path from PE1 to PE2 through P1. Suppose that
the link between PE1 and P1 is considered vulnerable. PE1 provisions a fast reroute traffic
engineering tunnel through P2 and P1 to circumvent the possible failing link. To configure the
primary traffic engineering tunnel with the explicit path, refer to "Case Study 9-4: Configuring
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSa Preferred Path Using MPLS Traffic Engineering Tunnels."
Figureprogressively
9-4. Protect
AToM Pseudowire with Fast Reroute

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Assume that the pseudowire has been provisioned with a preferred path that uses MPLS traffic
Master
theas
world
of Layer
2 VPNs
provide
enhanced
services
and enjoy
engineering's explicit
path,
shown
in Case
Studyto
9-4.
The following
steps
describe
how to
productivity
gains traffic engineering tunnel.
enable fast reroute
on the primary
Step Add an explicit path on PE1 that originates from the PE, traverses through P2, and ends
1.
at P1.
architecture
PE1(config)#ipnetwork
explicit-path
name P2-P1 enable
PE1(cfg-ip-expl-path)#next-address 10.23.12.2
Explicit Path Gain
namefrom
P2-P1:
both
ATOM
and L2TP protocols
1: next-address 10.23.12.2
PE1(cfg-ip-expl-path)#next-address 10.33.23.1
Explicit Path Review
name P2-P1:
their
service
Step Provision a backup traffic engineering tunnel with the explicit path configured in Step 1.
2.
Note that the tailend of this backup tunnel is P1, and its IP address is 10.1.2.1.
services over their
Tunnel100
technologyunnumbered
that would allow
PE1(config-if)#ip
Loopback0
infrastructure. destination 10.1.2.1
PE1(config-if)#tunnel mode mpls traffic-eng
introduces
readers to
2 Virtual Private
mpls traffic-eng
priority
7 Layer
7
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via
PE1(config-if)#tunnel mpls traffic-eng bandwidth 1000
introductory
case
studies
and
comprehensive
design
scenarios.
This
PE1(config-if)#tunnel mpls traffic-eng path-option 1 explicit namebook
P2-P1
Step Configure the primary traffic engineering tunnel with fast reroute protection. The initial
3.
tunnel interface configuration is as follows:
PE1#show
Building
running-config
Tunnel1- CCIE No. 4619,Dmitry Bokotey, - CCIE
ByWei Luo, - CCIE No.interface
configuration...

!
interface Tunnel1
ip unnumbered ISBN:
Loopback0
1-58705-168-0
Table of
Pages:
648
Contents
Index
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng priority 7 7
tunnel mpls
traffic-eng
name P1-PE2
Master
the world ofpath-option
Layer 2 VPNs 1to explicit
provide enhanced
services and enjoy
end
productivity gains
PE1#config t
PE1(config)#interface Tunnel1
mpls
traffic-eng
fast-reroute
Reduce costs
and
extend the reach
Step Configure the protected
linkthe
to first
use the
backup
tunnel.
The2interface
that connects
to the
Gain from
book
to address
Layer
VPN application
utilizing
4.
protected link onboth
PE1 ATOM
is Serial3/0.
and L2TP protocols

PE1(config)#interface Serial3/0
PE1(config-if)#mpls traffic-eng backup-path Tunnel100
Step Verify that the primary tunnel is protected by fast reroute and the backup tunnel is
5.
ready under normal conditions. Use the show mpls traffic-eng tunnels protection
andshow mpls interfaces commands.
services
over their existing
Layer
PE1#show mpls
traffic-eng
tunnels
protection
PE1_t1
infrastructure.
LSP Head,
Tunnel1, Admin: up, Oper: up
Src 10.1.1.1, Dest 10.1.1.2, Instance 31
Layer 2Protection:
VPN Architectures
Fast Reroute
Requested
Network
(VPN)
concepts,
and
Outbound: FRR Ready
introductory
case
studies
and
comprehensive
Backup Tu100 to LSP nhop
assists
readers
looking
to
meet
those
requirements
by explaining the
Tu100: out i/f: Et1/0, label: 16
and implementation
LSP history
signalling
info:
the Cisco Unified
VPN Se3/0,
suite: Any
Transport
over MPLS
(ATOM) for MPLSOriginal:
out i/f:
label:
16, nhop:
10.23.11.2
based
cores
andi/f:
LayerTu100,
2 Tunneling
Protocol
With
FRR:
out
label:
16
cores.
The
structure
of this
book is
focused on type:
first introducing
LSP IPbw:
1000
kbps,
Backup
level:
any-unlim,
any poolthe
PE1_t2
comparing
them
to those
Layer 3
LSP Head,
Tunnel2,
Admin:
up,ofOper:
upbased VPNs, such as MPLS, then
progressively
covering
each
currently
Fast Reroute Protection: None
PE1_t100
LSP Head, Tunnel100, Admin: up, Oper: up
PE1#show mpls interfaces Tunnel1 detail
Interface Tunnel1:
MPLS TE Tunnel Head
IP labeling not enabled
LSP Tunnel labeling not enabled

BGP labeling not enabled
MPLS not operational
Layer Switching
2 VPN Architectures
Fast
Vectors:
By
Weito
Luo,MPLS
- CCIEFast
No. 13,291,
Carlos Pignataro,
IP
Switching
Vector
No.
4460,Disabled
MPLS
MTU = 1496
Tun hd Untagged
0
Tu1
point2point
Publisher: Cisco
Press
MAC/Encaps=4/8,
MRU=1500,
Tag Stack{16}, via Se3/0
Pub Date: March 10,
2005
0F008847 00010000
ISBN: 1-58705-168-0
Table of
No
output feature configured
Pages:
648
Contents
Fast Reroute Protection via {Tu100, outgoing label 16}
Index
Notice that the fast reroute status for the primary tunnel is ready. This means that the
backup tunnel is operational and ready to protect the primary tunnel.
productivity
gains
Step Verify the status
of AToM
pseudowire with VC ID 200, which traverses the primary
6.
tunnel under normal conditions. Label 16 is the traffic engineering tunnel label.

PE1#show mpls l2transport vc 200 detail
Reduce
costs up,
and extend
the reach up,
of your
by unifying
your
Local interface:
Et0/0.2
line protocol
Ethservices
VLAN 200
up
architecture
Destination network
address:
10.1.1.2, VC ID: 200, VC status: up
Preferred path: Tunnel1, active
Gain from
Default path:
disabled
both
ATOM
andhop
L2TP
protocols
Tunnel label: 3, next
point2point
Output interface: Tu1, imposed label stack {16 24}
VC statistics:
byte totals:
infrastructure.
Step To verify the
effectiveness
of the fastand
reroute
capability,
a link failure
Network
(VPN) concepts,
describes
Layerintroduce
2 VPN techniques
via and use
7.
theshow mpls
traffic-eng
tunnels
protection
and
show
mpls
l2transport
vc
commands assists
to examine
the
fast
reroute
status
and
pseudowire
information.
the Cisco
Unified VPN
suite: Any
Transport over MPLS (ATOM) for MPLSPE1#show mpls
traffic-eng
tunnels
protection
PE1_t1
IP cores.
The structure
of this
bookup
LSP Head,
Tunnel1,
Admin: up,
Oper:
reader toDest
Layer
2 VPN benefits
and implementation
requirements and
Src 10.1.1.1,
10.1.1.2,
Instance
124
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as MPLS, then
Fast Reroute Protection: Requested
progressively
covering
each
currently
available
solution
in greater detail.
Outbound: FRR Active
Backup Tu100 to LSP nhop
Tu100: out i/f: Et1/0, label: 16
LSP signalling info:
Original: out i/f: Se3/0, label: 16, nhop: 10.1.2.1
With FRR: out i/f: Tu100, label: 16
LSP bw: 1000 kbps, Backup level: any-unlim, type: any pool
PE1_t2

PE1_t100
Layer 2 VPN
Architectures
Src 10.1.1.1,
Dest
10.1.2.1, Instance 19
ByWei Luo,
- CCIE No. 13,291,
Fast Reroute
Protection:
None
PE1#show mpls l2transport vc 200 detail

Pubpath:
Date: March
10, 2005 active
Preferred
Tunnel1,
ISBN: 1-58705-168-0
Table ofDefault path: disabled
Pages:
648 next hop point2point
Tunnel
label:
16,
Contents
Output
interface:
Tu100, imposed label stack {16 16 24}
Index
Group Master
ID: local
0, remote
the world
of Layer02 VPNs to provide enhanced services and enjoy
MTU: local
1500,gains
remote 1500
productivity
VC statistics:
Reducereceive
costs and
extendsend
the reach
byte totals:
33316,
32384of your services by unifying your
network
architecture
both
ATOM status
and L2TP
Notice that the fast
reroute
hasprotocols
changed from ready to active. The output
interface for the pseudowire has switched from Tunnel1 to Tunnel100, and the label
Review
strategies
large
enterprise
toso
enhance
stack has become
{16 16
24}. Thethat
top allow
label 16
is the
backup customers
tunnel label
that
theircan
service
offerings to
while
routing
controlthe backup traffic
pseudowire packets
be forwarded
the maintaining
tailend router
P1 through
engineering tunnel. The second label 16 is the primary tunnel label that P1 assigns. The
For
majority
offor
Service
last label 24
is a
the
VC label
the pseudowire.
The configuration on PE1 after finishing these steps is shown in Example 9-19.
Example 9-19.
Configuration
MPLS
RerouteProtected
technology
that would for
allow
Layer Fast
2 transport
over a Layer 3
Pseudowire infrastructure.
hostname PE1 Network (VPN) concepts, and describes Layer 2 VPN techniques via
!
ip cef
mpls label protocol
historyldp
mpls ldp router-id
Loopback0
the Cisco
Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSmpls traffic-eng
tunnels
based
pseudowire-class
PE1-P1-PE2
IP cores.
mpls to Layer 2 VPN benefits and implementation requirements and
preferred-pathcomparing
interface
Tunnel1
disable-fallback
them
to those
!
pseudowire-class High_Bandwidth
encapsulation mpls
preferred-path interface Tunnel2
!
interface Loopback0
ip address 10.1.1.1 255.255.255.255
!
interface Tunnel1
tunnel
tunnel
tunnel
tunnel
tunnel
mode
mpls
mpls
mpls
mpls
mpls traffic-eng
traffic-eng priority 7 7
traffic-eng bandwidth 1000
traffic-eng
path-option 1 explicit name P1-PE2
ByWei Luo, - CCIE
traffic-eng
fast-reroute

!
interface Tunnel2
tunnel destination
10.1.1.2
Pub Date:
March 10, 2005
ISBN: 1-58705-168-0
Table mpls
of
tunnel
traffic-eng priority 7 7
Pages:
648
Contents
tunnel
mpls traffic-eng bandwidth 5000
Index mpls traffic-eng path-option 1 dynamic
tunnel
!
interface Tunnel100
productivity
gains
tunnel destination
10.1.2.1
tunnel mpls traffic-eng priority 7 7
1 explicit
P2-P1
Reduce path-option
costs and extend
the reach name
of your
!
no ip address
!
encapsulation dot1Q
Review
xconnect 10.1.1.2 their
100 encapsulation
service offerings mpls
!
still derived
encapsulation are
dot1Q
200
technologies.
Although
xconnect 10.1.1.2
200 pw-class
PE1-P1-PE2
!
encapsulation backbone
dot1Q 300
services
their existing
xconnect 10.1.1.2
300over
pw-class
High_Bandwidth
!
infrastructure.
ip address 10.23.12.1 255.255.255.0
mpls ip
Network
mpls traffic-eng
tunnels
introductory
ip rsvp bandwidth 8000 case studies and comprehensive design scenarios. This book
!
interface Serial3/0
the Cisco Unified
VPN suite: Any Transport over MPLS (ATOM) for MPLSip address 10.23.11.1
255.255.255.0
mpls ip
IP cores.
mpls traffic-eng
tunnels
reader
to Layer 2 VPN
benefits and implementation requirements and
mpls traffic-eng
backup-path
Tunnel100
comparing
them
to
those
ip rsvp bandwidth 1200
progressively
covering
each
!
router ospf 1
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
network 10.1.1.1 0.0.0.0 area 0
network 10.23.11.0 0.0.0.255 area 0
network 10.23.12.0 0.0.0.255 area 0
!
ip explicit-path name P1-PE2 enable
!
ip explicit-path name P2-P1 enable
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.

Case Study
9-6: Configuring AToM Pseudowire over
GRE TunnelPublisher: Cisco Press
Typically, when AToM pseudowire packets traverse an MPLS network, they carry label stacks
ISBN: 1-58705-168-0
Table of
that have
more than one label. As described in Chapter 3, "Layer 2 VPN Architectures," each
Pages:
label Contents
represents an LSP. The 648
top label is responsible for delivering pseudowire packets from one
Index to another through a tunnel LSP; therefore, it is known as the tunnel label . The
PE router
tunnel label serves as an encapsulation header for the rest of the packet, which has little
dependency on the tunnel label. Analogically, the relationship is somewhat like the IP header of
an IP packet to the payload it carries. When an IP header or GRE/IP header replaces the tunnel
Master
the
world
of Layer
2 VPNs
to provide
enhanced
services and enjoy
label, the tunnel label
has
little
impact
on the
pseudowire
emulation
functionality.
productivity gains
This case study explores the deployment model of transporting AToM pseudowire packets over
GRE tunnels. Although this model enables you to deploy AToM pseudowires in any IP or MPLS
about Layer
2 efficient
Virtual Private
Networks
network, they are mostLearn
advantageous
and
in networks
that (VPNs)
do not have MPLS
forwarding. For example, the pseudowire endpoints are located in MPLS edge routers with a
plain IP core network or two separate MPLS networks connected by a transit network with plain
IP forwarding. With pseudowire emulation in MPLS networks, you should choose the native
MPLS tunnel label to reduce encapsulation overhead and leverage advanced features, such as
MPLS traffic engineering and fast reroute.
Forwarding pseudowire traffic over a GRE tunnel is quite similar to that over an MPLS traffic
engineering tunnel with the autoroute option, where both IP and pseudowire packets can go
through the same tunnel. You cannot use the preferred-path interface command with a GRE
tunnel interface. For a majority of Service Providers, a significant portion of their revenues
As illustrated in Figure 9-5, the PE routers are enabled with MPLS services, but the core
network runs plain IP forwarding only.
Figure
9-5.
AToM
over GRE
technology
that
would Pseudowire
allow Layer 2 transport
over Tunnel
a Layer 3
infrastructure.
[Viewintroduces
full size image]readers to Layer 2 Virtual Private
comparing
to those
of Layerto
3 based
VPNs,
such
as MPLS,
then a GRE
The following steps
configurethem
an AToM
pseudowire
traverse
the IP
network
through
tunnel:
Step Enable MPLS forwarding and set the MPLS label protocol to LDP in the global
1.
configuration mode on PE3.
PE3(config)#ip cef
PE3(config)#mpls ip
PE3(config)#mpls label protocol ldp
Step Create a loopback interface with a host IP address.

2.
Loopback0
PE3(config-if)#ip
address
172.16.1.1
255.255.255.255
Carlos Pignataro,
Step Configure a GRE tunnel interface on PE3, and set the tunnel source and destination
3.
addresses to be a routable address on PE3 and PE4, respectively.
ISBN: 1-58705-168-0
Table of
PE3(config-if)#interface
Tunnel1
Pages:
648
Contents
PE3(config-if)#ip unnumbered Loopback0
Index
PE3(config-if)#tunnel source Serial2/0

Step To avoid recursive routing loops, make sure the tunnel destination address does not use
productivity gains
4.
the tunnel interface as the outgoing interface. It can accomplish this by using static
route or dynamic routing protocols. Here, OSPF runs on the core facing network
interface.
PE3(config)#router ospf 1
PE3(config-router)#network 172.16.34.0 0.0.0.255 area 0
Step Enable MPLS forwarding on the GRE tunnel interface. This step is necessary so that MPLS
5.
applications see Review
the tunnel
interface
as allow
a feasible
interface
for MPLS
traffic.
strategies
that
largeoutgoing
enterprise
customers
to enhance
PE3(config-if)#interface Tunnel1
For a majority
PE3(config-if)#mpls
ipof Service Providers, a significant portion of their revenues
they have
some drawbacks.
carriers
with existing
Step Add a staticcustomers,
route to redirect
pseudowire
traffic intoIdeally,
the tunnel
interface.
6.
PE3(config)#ip
route
172.16.1.2
Tunnel1in these cases is a
services
over their
existing 255.255.255.255
Layer 3 cores. The solution
infrastructure.
Step Provision an AToM pseudowire on the CE-facing interface.
7.
PE3(config-subif)#encapsulation dot1Q 100
PE3(config-subif)#xconnect 172.16.1.2 100 encapsulation mpls
cores and
2 Tunneling
Protocol
Step Repeat Steps
1 through
7 onLayer
PE4 with
appropriate
parameters.
IP
cores.
The
structure
of
this
book
is
focused
8.
Step Verify the tunnel interface status and encapsulation using the show interface and
9.
show adjacency commands.
PE3#show interface
Tunnel1
ByWei Luo, - CCIE
Tunnel1 isNo.up,
line
4460,Anthonyprotocol
Chan, - CCIEis
No. up
10,266
Hardware is Tunnel
Interface is unnumbered. Using address of Loopback0 (172.16.1.1)
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, rely 255/255, load 1/255
Encapsulation TUNNEL, loopback not set
notISBN:
set1-58705-168-0
TableKeepalive
of
Pages:
648
Tunnel source 172.16.34.1
(Serial2/0), destination 172.16.44.1
Contents
Tunnel
protocol/transport
GRE/IP, sequencing disabled
Index
Tunnel TTL 255
Key disabled
Checksumming of packets disabled, fast tunneling enabled
Master
the worldoutput
of Layer00:00:00,
2 VPNs to provide
services and enjoy
Last input
00:00:00,
output enhanced
hang never
productivity
gains interface" counters never
Last clearing
of "show
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Learn
Output queue:
0/0about
(size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
25314 packets input, 2578630 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
26389 packets output, 2905870 bytes, 0 underruns
0 output Review
errors,
0 collisions,
0 large
interface
resets
strategies
that allow
enterprise
0 output their
buffer
failures,
output
buffers routing
swapped
out
service
offerings0 while
maintaining
control
adjacency Tunnel1 detail
Interface
Address
Tunnel1
point2point(5)
2148 packets, 856752 bytes
4500000000000000FF2F15ACAC102201
AC102C0100008847
TFIB
never
Epoch: 0
IP
Tunnel1
point2point(7)
infrastructure.
0 packets, 0 bytes
4500000000000000FF2F15ACAC102201
AC102C0100000800
CEF
expires: 00:02:16
refresh: 00:00:16
Epoch: 0
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSLayer 2command
Tunnelingcontains
Protocoltwo
version
3 (L2TPv3)
forThe
native
The output based
of the cores
show and
adjacency
adjacency
entries.
tag
IPfor
cores.
The
structure
focused ontraffic,
first introducing
adjacency is
MPLS
traffic,
such of
asthis
the book
AToMispseudowire
and the IPthe
adjacency
reader
to Layer
VPN
benefits
implementation
requirements
and
is for IP traffic.
Notice
that 2
the
GRE
tunnel and
encapsulation
for switching
MPLS traffic
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as
MPLS,
then
consists of an IP header and a GRE header. The IP header contains an IP protocol type
progressively
covering
each
currently
available
in greater
detail.
47 (0x2F) indicating
a payload
GRE
packet,
and the
tunnelsolution
source and
destination
PE3#show
Protocol
TAG
addresses are in hex format (0xAC102201, 0xAC102C01). The GRE header has a
protocol type 0x8847 for MPLS unicast traffic.
Step Verify the pseudowire status by using the show mpls l2transport vc detail
1.
command.
PE3#show By
mpls
l2transport
vc Carlos
detail
Wei Luo,
- CCIE No. 13,291,
Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
Local interface:
Et0/0.1
up,
line
protocol up, Eth VLAN 100 up
Preferred
path: not configured
Tunnel label: imp-null, next hop point2point
ISBN: 1-58705-168-0
Table of Output interface: Tu1, imposed label stack {16}
Pages:
648
Create time: 17:47:08,
last status change time: 17:46:36
Contents
Index Signaling protocol: LDP, peer 172.16.1.2:0 up
Master
the world
Remote
interface
description:
productivity
gains
Sequencing:
receive
disabled, send disabled
VC statistics:
Learn about
Layer
2 Virtualsend
Private
Networks (VPNs)
byte totals:
receive
398956,
398956
Notice that the output interface of the pseudowire is the GRE tunnel interface. The
Gain
from the
book
address
2 VPN
utilizing
tunnel label is the
implicit
null first
label,
as iftothe
two PELayer
routers
are application
connected directly.

After you complete these steps, view the configuration on PE3, as shown in Example 9-20.
Example 9-20.
Configuration
forvoice
AToM
Pseudowire
overtransport
GRE
are PE3
still derived
from data and
services
based on legacy
Tunnel
hostname PE3 backbone while new carriers would like to sell the lucrative Layer 2
!
ip cef
mpls label protocol
ldp
infrastructure.
!
interface Loopback0
255.255.255.255
Network (VPN)
!
interface Tunnel1
ip unnumbered history
Loopback0
mpls ip
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLStunnel source based
Serial2/0
tunnel destination
172.16.44.1
IP cores.
!
no ip address progressively covering each currently available solution in greater detail.
!
!
interface Serial2/0
ip address 172.16.34.1 255.255.255.0
!
router ospf 1
network 172.16.34.0 0.0.0.255 area 0
!
ip route 172.16.1.2 255.255.255.255 Tunnel1
The PE4 configuration

is Anthony
shownChan,
in Example
9-21.
No. 4460,
- CCIE No.
10,266
Example 9-21. Pub

PE4
Configuration for AToM Pseudowire over GRE
Tunnel
ISBN: 1-58705-168-0
Table of
Contents
hostname
Index PE4
Pages: 648
!
ip cef
!
productivity gains
interface Loopback0
ip address 172.16.1.2 255.255.255.255
!
interface Tunnel1 Learn about Layer 2 Virtual Private Networks (VPNs)
mpls ip
tunnel source Serial2/0
tunnel destinationGain
172.16.34.1
!
no ip address
!
encapsulation For
dot1Q
100
a majority
xconnect 172.16.1.1
100 encapsulation
are still derived
from data andmpls
voice services based on legacy transport
!
interface Serial2/0
legacy Layer255.255.255.0
!
router ospf 1 services over their existing Layer 3 cores. The solution in these cases is a
network 172.16.44.0
0.0.0.255
area
technology
that would
allow
!
infrastructure.
ip route 172.16.1.1 255.255.255.255 Tunnel1

Pseudowire
Emulation in Multi-AS Networks
When two attachment

circuits
(ACs)
should be connected by a pseudowire but the attached PE
Publisher:
Cisco
Press
routers are in different
the PE routers cannot exchange IGP routes with
Pubautonomous
Date: March 10, systems,
2005
each other. In multi-AS networks, autonomous system border routers (ASBRs) establish
ISBN: 1-58705-168-0
Table
of
Border
Gateway
Protocol (BGP) connections with each other to exchange routes between
Pages:
648
Contents
different
autonomous systems.
Index
Figure 9-6 illustrates an example of connecting ACs across the autonomous system boundary.
Suppose that the AC of Ethernet VLAN 100 on CE1 in AS100 needs to be connected to the one
on CE4 in AS200, and the AC of Ethernet VLAN 200 on CE2 in AS100 needs to be connected to
world
of Layer
2 studies
VPNs topresent
providethree
enhanced
services
and enjoy
the one on CE3 inMaster
AS200.the
The
following
case
different
solutions
to
productivity
gains has its own merits and applicable deployment scenarios.
accomplish the goal.
Each solution
Figure 9-6.
Pseudowire
Emulation
in of
Multi-AS
Networks
Reduce
costs and extend
the reach
your services
by unifying your
full to
sizeaddress
image]
Gain from the first[View
book

infrastructure.
Case Study 9-7: Interconnecting Pseudowires with Dedicated

Circuits
The configuration and routing that are necessary for forwarding IP traffic in a multi-AS
environment are complex, and adding pseudowire emulation services does not make network
operation much easier. However, the solution discussed in this case study takes a simplistic
approach.
Instead of building end-to-end pseudowires across the autonomous system boundary, each
ASBR acts as a PE router and provides pseudowire emulation services. Essentially, each ASBR
treats the peeringLayer
ASBR
in aArchitectures
different domain as a CE router and the links between the ASBRs
2 VPN
as ACs. In the pseudowire
emulation
architecture,
the connectivity
between
CE and
PE devices
Carlos Pignataro,
- CCIE No. 4619,
Dmitry Bokotey,
- CCIE
is at Layer 2. In theory,
Layer
3
connectivity
is
not
required
between
ASBRs
if
only
pseudowire
emulation services are required. However, ASBRs typically provide interdomain routing
services, too, so Layer 3 connectivity is configured in the example. MPLS forwarding is not
required between ASBRs in this deployment model.
1-58705-168-0
As shown
in Figure 9-7,ISBN:
a pseudowire
with VC ID 100 is provisioned between PE1 and ASBR1 in
Table of
Pages:
648
AS100.
A
pseudowire
with
VC
ID
100
is
also provisioned between PE4 and ASBR2 in AS200. To
Contents
have
end-to-end
connectivity
between
CE1
and CE4, ASBR1 and ASBR2 allocate a dedicated
Index
Ethernet VLAN 100 and use it as the common AC for both pseudowires. It is not mandatory for
both pseudowires to have the same VC ID, but it is a good self-documenting practice. Similarly,
CE2 and CE3 are connected by concatenating a pseudowire to a dedicated Ethernet VLAN 200
and then to another
pseudowire.
is configured
between
to exchange
Master
the worldBGP
of Layer
2 VPNs to
provideASBRs
enhanced
services interdomain
and enjoy
routing information,
but
it
is
not
essential
for
inter-AS
pseudowire
emulation
in this particular
productivity gains
case.

ReducePseudowire
costs and extend
the reach ofwith
your services
by unifying
your
Figure 9-7. Inter-AS
Emulation
Dedicated
Circuits

book
full size image]
infrastructure.
The following configuration examples give you some ideas of how to configure the PE and ASBR
routers to use dedicated circuits between autonomous systems to provide inter-AS pseudowire
connectivity.
On PE1, configure the pseudowire with VC ID 100 on the AC that connects to CE1, as shown in
Example 9-22.
Example 9-22. PE1 Pseudowire Configuration

hostname PE1 Layer 2 VPN Architectures
!
ip cef
mpls ldp router-id
Loopback0
Publisher:
Cisco Press
!
interface Loopback0
ISBN: 1-58705-168-0
Table of
ip address
10.1.1.1 255.255.255.255
Pages:
648
Contents
!
Index
interface
Ethernet0/0
no ip address
!
encapsulation Master
dot1Q the
100world of Layer 2 VPNs to provide enhanced services and enjoy
productivity
gains
xconnect 10.1.1.3
100 encapsulation
mpls
!
ip address 10.23.12.1 255.255.255.0
mpls ip
!
interface Serial3/0
Gain 255.255.255.0
mpls ip
!
router ospf 1
network 10.1.1.1 0.0.0.0
areaofferings
0
their service
network 10.23.11.0 0.0.0.255 area 0
For a majority
of Service
network 10.23.12.0
0.0.0.255
area 0Providers, a significant portion of their revenues
On PE2, configurelegacy
the pseudowire
with
VC ID
200 on the
AC that
connects
to CE2,aas
shown in
Layer 2 and
Layer
3 networks
would
like to
move toward
single
Example 9-23. backbone while new carriers would like to sell the lucrative Layer 2
Example
9-23.
PE2 Pseudowire Configuration
infrastructure.

hostname PE2 Network (VPN) concepts, and describes Layer 2 VPN techniques via
!
ip cef
mpls label protocol
historyldp
mpls ldp router-id
Loopback0
the Cisco
Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS!
interface Loopback0
ip address 10.1.1.2
255.255.255.255
reader to
!
no ip address
!
!
ip address 10.23.23.1 255.255.255.0
mpls ip
!
interface Serial3/0
ip address 10.23.21.2 255.255.255.0
mpls ip
!
router ospf 1 ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
No. 4460,
Anthony Chan,
CCIE No. 10,266
network 10.1.1.2
0.0.0.0
area- 0
network 10.23.21.0 0.0.0.255 area 0
network 10.23.23.0
0.0.0.255
area 0
Publisher:
Cisco Press
ISBN: 1-58705-168-0
Table of
Pages:
648
On PE3,
configure the pseudowire
with VC ID 200 on the AC that connects to CE3, as shown in
Contents
Example
9-24.
Index
productivity gains
hostname PE3
!
ip cef
mpls ldp router-id Reduce
Loopback0
network
architecture
!
interface Loopback0
ip address 172.16.1.1 255.255.255.255
!
no ip address
!
encapsulation are
dot1Q
still 200
xconnect 172.16.1.3
200 encapsulation
mpls
technologies.
Although Layer 3
MPLS VPNs fulfill the market need for some
!
interface Serial2/0
255.255.255.0
backbone while
mpls ip
!
router ospf 1 infrastructure.
network 172.16.1.1 0.0.0.0 area 0
network 172.16.34.0
0.0.0.255
area 0introduces readers to Layer 2 Virtual Private
Layer 2 VPN
Architectures
On PE4, configurehistory
the pseudowire
with VC ID details
100 onofthe
that
connects toavailable
CE4, as shown
and implementation
theAC
two
technologies
from in
Example 9-25. the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
Example 9-25.
PE4
Configuration
reader
toPseudowire
hostname PE4
!
ip cef
!
interface Loopback0
ip address 172.16.1.2 255.255.255.255
!
no ip address
!
2 VPN
Architectures
encapsulation Layer
dot1Q
100
ByWei Luo,100
- CCIE
No. 13,291,Carlos Pignataro,
xconnect 172.16.1.3
encapsulation
mpls - CCIE No. 4619,Dmitry Bokotey, - CCIE
!
interface Serial2/0
255.255.255.0
Publisher: Cisco
Press
mpls ip
!
ISBN: 1-58705-168-0
Table
of
router
ospf
1
Pages:
648
Contents
network
172.16.1.2 0.0.0.0 area 0
Index 172.16.44.0 0.0.0.255 area 0
network
Master
the world
of Layer
2 VPNs
to provide
services and enjoy
When you are using
dedicated
circuits
between
ASBRs,
ensureenhanced
that the encapsulation
of these
productivity
gains
circuits matches that
of the ACs
between CE and PE routers, because the ASBRs effectively act
as PE routers. In this example, the connection between ASBR1 and ASBR2 is Ethernet.
Learn
about Layer
Virtual
Private
Networks
(VPNs)
On ASBR1, configure the
pseudowire
with2VC
ID 100
and the
pseudowire
with VC ID 200 on the
corresponding dedicated circuits, as shown in Example 9-26.
Example 9-26. ASBR1

Pseudowire
Gain from
the first bookConfiguration
hostname ASBR1
!
ip cef
mpls label protocol
ldp
For a majority
mpls ldp router-id
Loopback0
!
interface Loopback0
ip address 10.1.1.3
255.255.255.255
legacy Layer
!
description Connect
to that
ASBR2
in AS200
technology
would
ip address 172.16.100.1
255.255.255.0
infrastructure.
!
encapsulation Network
dot1Q 100
xconnect 10.1.1.1
100 encapsulation
mpls
introductory
case studies and
!
encapsulation the
dot1Q
200
Cisco
Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSxconnect 10.1.1.2
200
encapsulation
mpls
based cores
and Layer 2 Tunneling
!
comparing255.255.255.0
mpls ip
!
router ospf 1
network 10.1.1.3 0.0.0.0 area 0
network 10.43.11.0 0.0.0.255 area 0
!
router bgp 100
no synchronization
neighbor 172.16.100.2 remote-as 200
no auto-summary
On ASBR2, configure the pseudowire with VC ID 100 and the pseudowire with VC ID 200 on the
corresponding dedicated
circuits, as shown in Example 9-27.
Example 9-27. ASBR2 Pseudowire Configuration

hostname ASBR2
ISBN: 1-58705-168-0
! Table of
Pages:
648
Contents
ip cef
Index
mpls
label protocol ldp
!
interface Loopback0
Master the255.255.255.255
productivity
gains
!
description Connect
to about
ASBR1 Layer
in AS100
Learn
2 Virtual Private Networks (VPNs)
ip address 172.16.100.2 255.255.255.0
!
xconnect 172.16.1.2
100
encapsulation
Gain
from
the first book mpls
!
Review
encapsulation dot1Q
their
service
offerings while
xconnect 172.16.1.1
200
encapsulation
mpls
!
are still derived
255.255.255.0
mpls ip
!
router ospf 1 legacy Layer 2 and Layer 3 networks would like to move toward a single
backbone
while new
network 172.16.1.3
0.0.0.0
areacarriers
0
services
over
their
existing
Layer
network 172.16.24.0 0.0.0.255 area 0
!
router bgp 200 infrastructure.
no synchronization
Layer 2 VPN
Architectures
neighbor 172.16.100.1
remote-as
100 introduces readers to Layer 2 Virtual Private
Network
(VPN)
concepts,
no auto-summary
Unified VPN
suite:
Any Transport
over MPLS
(ATOM)
for MPLSWhen consideringthe
thisCisco
deployment
model
for inter-AS
pseudowire
emulation
services,
you need
based cores
and Layer
Tunneling
Protocol
to evaluate the following
restrictions
that2 are
associated
with version
it:
To be interconnected,
Layer
2 encapsulation
of the VPNs,
links between
must be
comparingthe
them
to those
of Layer 3 based
such as ASBRs
MPLS, then
identical to that
of the ACs.
progressively
The number of dedicated circuits or virtual circuits between ASBRs can be limited. For
example, ASBR1 and ASBR2 are connected through an Ethernet connection that can
support up to 4096 802.1q VLANs, which is 4096 dedicated circuits at most.
In the future, when you can replace dedicated circuits with pseudowires for inter-AS
pseudowire emulation services, these restrictions should be eliminated.
Note
A new pseudowire
emulation solution is being developed at press time to replace the
dedicated circuits between ASBRs with pseudowires. In other words, disjointed
pseudowiresBy
ofWei
different
autonomous systems can be interconnected through another
set of pseudowires that is established between ASBRs. You can imagine that the endto-end connectivity is provided by "stitching" several pseudowires together. By
Publisher:
Ciscowith
Presspseudowires, pseudowire emulation in multi-AS
replacing dedicated
circuits
Pub
Date:
March
10, 2005and scalability.
networks achieves better flexibility
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Case Study 9-8: BGP IPv4 Label Distribution with IGP Redistribution
To provide edge-to-edge network connectivity for pseudowires within a single autonomous
system, you need to have the /32 host routes of PE routers and the corresponding labels,
productivity gains
which you learn through IGP and LDP (or RSVP if you are using MPLS traffic engineering). One
solution for obtaining the same level of connectivity in a multi-AS environment is by using
external BGP (eBGP) toLearn
exchange
/322host
routes
of PE
devices and
the corresponding
aboutthe
Layer
Virtual
Private
Networks
(VPNs)
labels across the autonomous system boundaries and then redistributing the /32 host routes
learned through EBGP Reduce
into IGP.costs
From
theextend
point of
view
of the
PE routers,
is similaryour
to the
and
the
reach
of your
servicesthis
by unifying
single autonomous system
scenario
except that the /32 host routes appear to be of IGP
network
architecture
external types in the routing tables. Instead of using LDP, ASBRs piggyback IPv4 label
fromroute
the first
book to address
Layer
2 VPN
application
utilizing
information along with Gain
the host
advertisements
in BGP
update
messages
so that
ASBRs
both
ATOM
and for
L2TP
protocols
can set up LSPs between
one
another
these
host routes. Figure 9-8 illustrates such an
example.
For a majority
a significant
portion
of their revenues
Figure 9-8. Inter-AS
Pseudowire
Emulation
with IGP
Redistribution
customers, they have some
drawbacks.
[View full
size image] Ideally, carriers with existing
infrastructure.
To provide the same end-to-end inter-AS pseudowire emulation services, you configure PE1,
PE2, PE3, and PE4 identically to "Case Study 9-7: Interconnecting Pseudowires with Dedicated
Circuits," except the pseudowire endpoint addresses. On ASBR1 and ASBR2, BGP is configured
to announce /32 host routes of PE1, PE2, PE3, and PE4 to the remote autonomous system. To
Layerfor
2 VPN
Architectures
distribute IPv4 labels
these
routes, ASBR1 and ASBR2 specify the send-label keyword in
the BGP neighborBy
command.
The following configuration gives you some examples of how to configure the PE and ASBR
routers to use BGP IPv4
labelCisco
distribution
with IGP redistribution to provide inter-AS
Publisher:
Press
pseudowire connectivity.
ISBN: 1-58705-168-0
On PE1,
the router
ID and the pseudowire with VC ID 100 on the AC that connects to
Tableconfigure
of
Pages:
648
CE1, Contents
Index

productivity gains
interface Loopback0
ip address 10.1.1.1 255.255.255.255
Learn
encapsulation dot1Q
100about Layer 2 Virtual Private Networks (VPNs)
Gain from
the the
firstpseudowire
book to address
Layer
2 VPN
On PE2, configure the router
ID and
with VC
ID 200
onapplication
the AC thatutilizing
connects to
both
ATOM
and
L2TP
protocols
CE2, as shown in Example 9-29.

interface Loopback0
ip address 10.1.1.2 255.255.255.255
infrastructure.
On PE3, configure the router ID and the pseudowire with VC ID 200 on the AC that connects to
2 VPN
CE3, as shown in Layer
Example
9-30.
Example 9-30.
PE3 Pseudowire Configuration
interface Loopback0
IP cores. The
255.255.255.255
encapsulation comparing
dot1Q 200them to those of Layer 3 based VPNs, such as MPLS, then
progressively
covering eachmpls
xconnect 10.1.1.2 200 encapsulation
On PE4, configure the router ID and the pseudowire with VC ID 100 on the AC that connects to
CE4, as shown in Example 9-31.
interface Loopback0
ip address 172.16.1.2 255.255.255.255
2 VPN Architectures
encapsulation Layer
dot1Q
100
ByWei Luo,
CCIE No. 13,291,Carlos
xconnect 10.1.1.1
100- encapsulation
mpls
On ASBR1, configure BGP IPv4 label distribution and redistribute BGP routes into OSPF, as
shown in Example 9-32.
Table of
Contents
Index
Example
ISBN: 1-58705-168-0
Pages: 648
9-32. ASBR1 BGP and OSPF Configuration
hostname ASBR1
!
productivity gains
ip cef
!
interface Loopback0Learn about Layer 2 Virtual Private Networks (VPNs)
ip address 10.1.1.3 255.255.255.255
!
description Connect
to from
ASBR2
AS200
Gain
thein
first
ip address 172.16.100.1
255.255.255.0
!
their 255.255.255.0
mpls ip
!
router ospf 1 are still derived from data and voice services based on legacy transport
redistribute bgp
100 subnets
technologies.
network 10.1.1.3
0.0.0.0
area
0 some drawbacks. Ideally, carriers with existing
customers,
they
have
network 10.43.11.0
legacy 0.0.0.255
Layer 2 andarea
Layer03 networks would like to move toward a single
default-metricbackbone
20
!
router bgp 100 technology that would allow Layer 2 transport over a Layer 3
neighbor 172.16.100.2
remote-as 200
infrastructure.
!
address-familyLayer
ipv42 VPN Architectures introduces readers to Layer 2 Virtual Private
Network (VPN)
neighbor 172.16.100.2
activate
introductory
neighbor 172.16.100.2
send-label
no auto-summary
no synchronization
the Cisco
VPN suite: Any Transport over MPLS (ATOM) for MPLSnetwork 10.1.1.1
mask Unified
255.255.255.255
based
cores
network 10.1.1.2
mask
255.255.255.255
exit-address-family
On ASBR2, configure BGP IPv4 label distribution and redistribute BGP routes into OSPF, as
Example 9-33. ASBR2 BGP and OSPF Configuration

hostname ASBR2
!
ip cef

!
interface Loopback0
ByWei Luo, - 255.255.255.255
!
description Connect
to Cisco
ASBR1
in AS100
Publisher:
Press
ip address 172.16.100.2
255.255.255.0
Pub Date: March
10, 2005
!
ISBN: 1-58705-168-0
Table of Ethernet1/0
interface
Pages:
648
Contents
ip address
172.16.24.2 255.255.255.0
Index
mpls
ip
!
router ospf 1
redistribute bgp 200 subnets
Master 0.0.0.0
the worldarea
of Layer
network 172.16.1.3
0 2 VPNs to provide enhanced services and enjoy
productivity
gains
network 172.16.24.0 0.0.0.255 area 0
default-metric 20
!
router bgp 200
neighbor 172.16.100.1
remote-as
Reduce
costs and100
!
address-family ipv4
neighbor 172.16.100.1
Gain activate
neighbor 172.16.100.1
both send-label
no auto-summary
no synchronizationReview strategies that allow large enterprise customers to enhance
network 172.16.1.1their
mask
255.255.255.255
service
network 172.16.1.2 mask 255.255.255.255
exit-address-family
On ASBR1 and ASBR2,
/322addresses
PE routers
BGPtoward
routes,aas
shown in
legacythe
Layer
and Layerof
3 the
networks
wouldappear
like toas
move
single
Example 9-34. backbone while new carriers would like to sell the lucrative Layer 2
infrastructure.
Example 9-34.
Host Routes of PE Routers on ASBR1 and ASBR2

ASBR1#show ip route
bgp
Network
172.16.0.0/16
is variably
subnetted,
4 subnets, design
2 masks
introductory
case studies
and comprehensive
B
172.16.1.1/32
[20/75]
via to
172.16.100.2,
03:29:45 by explaining the
assists readers
looking
meet those requirements
B
172.16.1.2/32
[20/75]
via 172.16.100.2,
history and
implementation
details of the03:29:45
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSASBR2#show ip route bgp
B
10.1.1.2 [20/31] via 172.16.100.1, 03:31:51
B
10.1.1.1 [20/31] via 172.16.100.1, 03:31:51
These routes are redistributed into OSPF and appear as OSPF External type 2 routes in the
routing tables of the PE devices. Example 9-35 shows the routing table entries for PE1 in
AS100 and PE3 in AS200.
Example 9-35. Redistributed BGP Routes in OSPF Routing Table
PE1#show ip route ospf

O E2
172.16.1.1 [110/20] via 10.23.12.2, 03:16:11, Ethernet1/0
Layer 2[110/20]
VPN Architectures
O E2
172.16.1.2
via 10.23.12.2, 03:16:11, Ethernet1/0
- CCIE No.
- CCIE No.
10.0.0.0/8ByWei
is Luo,
variably
subnetted,
12 subnets,
2 4619,
masks
No. 4460,Anthony
Chan, - via
CCIE No.
10,266
O
10.23.21.0/24
[110/84]
10.23.12.2,
03:16:11, Ethernet1/0
O
10.1.2.1/32 [110/21] via 10.23.12.2, 03:16:11, Ethernet1/0
O
10.1.1.2/32
[110/31]
via 10.23.12.2, 03:16:11, Ethernet1/0
Publisher:
Cisco Press
O
10.1.1.3/32
[110/31]
via
Pub Date:
March 10,
200510.23.12.2, 03:16:11, Ethernet1/0
O
10.23.23.0/24 [110/30] via 10.23.12.2, 03:16:11, Ethernet1/0
ISBN: 1-58705-168-0
of
O Table 10.1.2.3/32
[110/21] via 10.23.12.2, 03:16:11, Ethernet1/0
Pages:
648
Contents
O
10.1.2.2/32 [110/11] via 10.23.12.2, 03:16:11, Ethernet1/0
O Index 10.43.11.0/24 [110/30] via 10.23.12.2, 03:16:11, Ethernet1/0
O
10.33.23.0/24 [110/20] via 10.23.12.2, 03:16:11, Ethernet1/0
PE3#show ip route ospf
172.16.0.0/16
isthe
variably
subnetted,
2 masksservices and enjoy
Master
world of Layer
2 VPNs 6tosubnets,
provide enhanced
O
172.16.44.0/24
[110/128]
via 172.16.34.2, 03:16:07, Serial2/0
productivity
gains
O
172.16.24.0/24 [110/74] via 172.16.34.2, 03:16:07, Serial2/0
O
172.16.1.3/32 [110/75] via 172.16.34.2, 03:16:07, Serial2/0
Learn
about Layer
Private Networks
(VPNs)
O
172.16.1.2/32
[110/129]
via2 Virtual
172.16.34.2,
03:16:07,
Serial2/0
Reduce costs
and extend the 03:16:07,
reach of your
O E2
10.1.1.2 [110/20]
via 172.16.34.2,
Serial2/0
network
architecture
O E2
10.1.1.1 [110/20] via 172.16.34.2, 03:16:07, Serial2/0
One caveat for this deployment model is that /32 host routes are injected into the IGP routing
Review strategies
that
allow
large router
enterprise
customers
enhance
domain through redistributions;
therefore,
every
transit
in the
same IGPtorouting
domain
theirAsservice
while
maintaining
routing
control
installs these host routes.
shownofferings
in Example
9-36,
transit routers
P1,
P2, and P3 all see the
host routes for PE3 and PE4 in their routing tables, and P4 has host routes for PE1 and PE2.
Example 9-36.
Transit
Routers
Learn
Host Routes
for PE1
and
PE2
customers,
they
have some
drawbacks.
Ideally, carriers
with
existing
backbone
P1#show ip route
ospf while new carriers would like to sell the lucrative Layer 2
services
their existing
172.16.0.0/32 is over
subnetted,
2 subnets
technology
that
would
allow
Layer 200:01:31,
transport over
a Layer 3
O E2
172.16.1.1 [110/20] via 10.43.11.2,
Ethernet1/0
infrastructure.
O E2
172.16.1.2 [110/20] via 10.43.11.2, 00:01:31, Ethernet1/0
O
O
O
O
O
O
O
10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks

10.1.1.2/32 [110/21] via 10.33.23.3, 08:34:35, Ethernet0/0
10.1.1.3/32 [110/11] via 10.43.11.2, 08:34:35, Ethernet1/0
10.23.23.0/24 [110/20] via 10.33.23.3, 08:34:35, Ethernet0/0
10.1.2.3/32 [110/11] via 10.33.23.3, 08:34:35, Ethernet0/0
10.1.2.2/32 [110/11] via 10.33.23.2, 08:34:35, Ethernet0/0
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS10.1.1.1/32 [110/21] via 10.33.23.2, 08:34:35, Ethernet0/0
10.23.12.0/24 [110/20] via 10.33.23.2, 08:34:35, Ethernet0/0
Case Study 9-9: BGP IPv4 Label Distribution with IBGP Peering
Using IGP redistribution of BGP routes, all transit routers in the IGP routing domain install the
routes to their routing tables. If the BGP routing database also contains Internet routes, the
number of entries that is redistributed into IGP is enormous. Applying route maps that only
allow PE host routes to be redistributed at ASBRs can mitigate the IGP routing table explosion.
However, when the number of host routes to be filtered increases, the configuration task
becomes quite tedious and the routing table size of the transit routers still grows. To solve this
problem, PE routers can establish internal BGP (IBGP) sessions with ASBRs within the same
autonomous system so that external routes are distributed via IBGP sessions. This confines the
external routes within the BGP routing domain, and the transit routers that do not participate
in BGP routing never see these external routes.
Figure 9-9 shows By

an
example
of No.
inter-AS
pseudowire
thatDmitry
usesBokotey,
IBGP peering.
PE1,
Wei
Luo, - CCIE
13,291,Carlos
Pignataro,emulation
- CCIE No. 4619,
- CCIE
PE2, and ASBR1 belong
the same
No. 4460,to
Anthony
Chan, - autonomous
CCIE No. 10,266system. PE1 and PE2 are configured with
IBGP peering to ASBR1 to learn host routes for PE3 and PE4. Similarly, PE3 and PE4 are
configured with IBGP
peeringCisco
to ASBR2
Publisher:
Press to learn host routes for PE1 and PE2.
Table of
Contents
Figure
Index
ISBN: 1-58705-168-0
Pages: 648
9-9. Inter-AS Pseudowire Emulation with IBGP Peering

productivity gains
infrastructure.
assists are
readers
looking these
to meet
those
requirements
by explaining
the tables
After the IBGP sessions
established,
host
routes
are still missing
in the routing
history
and
implementation
details
of
the
two
technologies
available
on PE devices. For example, the routing table on PE1 does not have the entry for PE4 from
(see
Example 9-37). the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
Example 9-37.
Host Route for PE4 Not in IP Routing Table on PE1
PE1#show ip route
o - ODR
Gateway of last resort is not set
O
O
O
O
O
O
O
C
C
C
O
O

10.23.21.0/24 [110/84] via 10.23.12.2, 02:59:03, Ethernet1/0
10.1.2.1/32
[110/21]
via 10.23.12.2, 02:59:03, Ethernet1/0
Layer 2 VPN
Architectures
10.1.1.2/32 [110/31] via 10.23.12.2, 02:59:03, Ethernet1/0
10.1.1.3/32 [110/31] via 10.23.12.2, 02:59:03, Ethernet1/0
10.23.23.0/24 [110/30] via 10.23.12.2, 02:59:03, Ethernet1/0
10.1.2.3/32 [110/21] via 10.23.12.2, 02:59:03, Ethernet1/0
10.1.2.2/32
[110/11] via 10.23.12.2, 02:59:03, Ethernet1/0
Pub Date:
March 10, 2005
10.1.1.1/32
is directly
connected, Loopback0
ISBN:
1-58705-168-0
10.23.12.0/24
is
directly
connected, Ethernet1/0
Table of
Pages:
648
10.23.11.0/24
is
directly
connected,
Serial3/0
Contents
10.43.11.0/24
[110/30]
via
10.23.12.2,
02:59:03, Ethernet1/0
Index
10.33.23.0/24 [110/20] via 10.23.12.2, 02:59:03, Ethernet1/0
A closer examination
of the BGP
routing table on PE1 reveals the problem. The host route entry
productivity
gains
172.16.1.2 for PE4 exists in the BGP routing table, but its next-hop address, 172.16.100.2, is
inaccessible from PE1 (see Example 9-38).
Reduce
costs for
and PE4
extend
reach
of your services
Example 9-38. Host
Route
inthe
BGP
Routing
Table by
onunifying
PE1 your
PE1#show ip bgp 172.16.1.2
both ATOM
and L2TP protocols
BGP routing table entry
for 172.16.1.2/32,
version 68
Paths: (1 available, no best path)
Not advertised toReview
any peer
200
172.16.100.2 (inaccessible) from 10.1.1.3 (10.1.1.3)
For ametric
majority
of Service
Providers,
a significant
Origin IGP,
75,
localpref
100, valid,
internal
legacy Layer
andinterface
Layer 3 networks
would
like to move
a single
The address 172.16.100.2
is of2the
Ethernet0/0
on ASBR2,
whichtoward
announces
the host
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2 this host
route 172.16.1.2 with the next-hop address set to 172.16.100.2. When ASBR1 relays
services
over
existing
Layeris3kept
cores.
The by
solution
in these
cases is a
route to PE1 through
IBGP,
thetheir
next-hop
address
intact
default.
The interface
technology
that connected
would allowtoLayer
2 transport
over a Layer
3
Ethernet0/0 on ASBR1
is directly
the interface
Ethernet0/0
on ASBR2.
Typically,
IGP routing is notinfrastructure.
enabled on these interfaces, which means the interfaces are not reachable
from the PE routers through IGP routing. You can fix this problem in several ways. For
2 VPN
introduces
readers
to them
Layeras
2 Virtual
example, you canLayer
enable
IGP Architectures
routing on these
interfaces
and set
passivePrivate
interfaces, or
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
you can configure the ASBRs as the next hop in the IBGP peering. For the sake ofvia
simplicity,
introductory
design
This book for
the ASBRs are configured
withcase
the next-hop-self
keyword in the
BGPscenarios.
neighbor command
readers
the IBGP peers inassists
this case
study.
Cisco
Unified
suite: Anythrough
Transport
overinMPLS
(ATOM)
for MPLSPE1 sees that thethe
host
route
of PE4VPN
is reachable
ASBR1
its routing
table,
and transit
based
cores
and
Layer
2 Tunneling
Protocol
version
3 (see
(L2TPv3)
for native
routers such as P2
do not
have
these
host
routes in their
routing
table
Example
9-39).
comparing
them tofor
those
of Layer
based VPNs,
such as
Example 9-39.
Host Route
PE4
in IP3 Routing
Table
onMPLS,
PE1,then
But
progressively
covering
each
currently
available
solution
in
greater
detail.
Not on P2
PE1#show ip route
o - ODR

ByWei Luo,
- CCIE No.
13,291,
Carlos Pignataro,
B
172.16.1.1
[200/75]
via
10.1.1.3,
00:37:57
No.
4460,
Anthony
Chan,
CCIE
No.
10,266
B
172.16.1.2 [200/75] via 10.1.1.3, 00:37:57
Publisher:
Cisco Pressvia 10.23.12.2, 04:25:50, Ethernet1/0
O
10.23.21.0/24
[110/84]
O
10.1.2.1/32
[110/21]
via
Pub Date:
March 10,
200510.23.12.2, 04:25:50, Ethernet1/0
O
10.1.1.2/32 ISBN:
[110/31]
via
1-58705-168-0 10.23.12.2, 04:25:50, Ethernet1/0
of
O Table 10.1.1.3/32
[110/31]
via 10.23.12.2, 04:25:50, Ethernet1/0
Pages: 648
Contents
O
10.23.23.0/24 [110/30] via 10.23.12.2, 04:25:50, Ethernet1/0
O Index 10.1.2.3/32 [110/21] via 10.23.12.2, 04:25:50, Ethernet1/0
O
10.1.2.2/32 [110/11] via 10.23.12.2, 04:25:50, Ethernet1/0
C
C
C
productivity gains
O
10.43.11.0/24 [110/30] via 10.23.12.2, 04:25:51, Ethernet1/0
O
10.33.23.0/24 [110/20] via 10.23.12.2, 04:25:51, Ethernet1/0
P2#show ip route
E1 - OSPF external
type
1, E2
- OSPF
external
E - EGP utilizing
Gain from
the first
book
to address
Layer type
2 VPN2,
application
i - IS-IS, su
IS-IS
summary,
L1
IS-IS
level-1,
L2
- IS-IS level-2
o - ODR
Service Providers,
a significant
10.0.0.0/8For
isa majority
variablyofsubnetted,
12 subnets,
2 masks
are still derived
fromvia
data10.33.23.1,
and voice services
based Ethernet0/0
on legacy transport
10.23.21.0/24
[110/74]
12:06:10,
technologies.
Although
Layer 3 MPLS 12:06:10,
VPNs fulfill the
10.1.2.1/32
[110/11]
via 10.33.23.1,
Ethernet0/0
customers,
they have
drawbacks.
Ideally, carriers
with existing
10.1.1.2/32
[110/21]
via some
10.33.23.3,
12:06:10,
Ethernet0/0
legacy [110/21]
Layer 2 and
Layer
3 networks 12:06:10,
would like to
10.1.1.3/32
via
10.33.23.1,
Ethernet0/0
backbone[110/20]
while new via
carriers
would like 12:06:10,
Layer 2
10.23.23.0/24
10.33.23.3,
Ethernet0/0
services
over
their
existing
Layer
3
cores.
The
solution
in
these
10.1.2.3/32 [110/11] via 10.33.23.3, 12:06:10, Ethernet0/0 cases is a
technology
that wouldconnected,
allow Layer Loopback0
10.1.2.2/32
is directly
infrastructure.
10.1.1.1/32 [110/11] via 10.23.12.1, 12:06:10, Ethernet1/0
Layer 2 VPN
Architectures
introduces readers
to Layer
2 Virtual Private
10.23.11.0/24
[110/74]
via 10.33.23.1,
12:06:10,
Ethernet0/0
Network (VPN)
concepts,
and
describes
Layer
2
VPN
techniques
[110/74] via 10.23.12.1, 12:06:10, Ethernet1/0via
introductory
case studies
and comprehensive
designEthernet0/0
O
10.43.11.0/24 [110/20]
via 10.33.23.1,
12:06:10,
assists
readers
looking
to
meet
those
requirements
by
explaining the
C
IP cores.inThe
structure
of thisofbook
is focused
first introducing
In previous case studies,
which
host routes
PE routers
are on
exchanged
throughthe
IGP, having
reader
to Layer 2 VPNlabels
benefits
and implementation
requirements
and In this
/32 host routes and
the corresponding
is sufficient
for establishing
pseudowires.
them
of Layer 3 label
basedtoVPNs,
such
MPLS,
then
example, PE1 hascomparing
a /32 route
and to
thethose
corresponding
PE4. If
the as
AToM
pseudowire
is
each
currentlythat
available
solution in functions
greater detail.
configured and itsprogressively
status is up, covering
it gives the
impression
the pseudowire
fully.
Based on the output of the show ip cef and show mpls l2transport vc commands in
Example 9-40, the pseudowire with VC ID 100 has a label stack of {27 16}. Label 27 is the
tunnel label, and label 16 is the VC label.
O
O
O
O
O
O
C
O
C
O
Example 9-40. Reachability Information for PE4 and Pseudowire

Status for VC ID 100
PE1#show ip cef 172.16.1.2

172.16.1.2/32, version 83, epoch 0, cached adjacency 10.23.12.2
0 packets, 0 bytes
Layerfrom
2 VPN Architectures
tag information
10.1.1.3/32, shared, all rewrites owned
local tag: By
28
No. 4460,Anthony
- CCIE
No. 10,266
fast tag rewrite
with Chan,
Et1/0,
10.23.12.2,
tags imposed {27}
via 10.1.1.3, 0 dependencies, recursive
next hop 10.23.12.2,
Ethernet1/0
via 10.1.1.3/32 (Default)
Publisher: Cisco
Press
valid cached Pub
adjacency
tag rewrite with Et1/0, 10.23.12.2, tags imposed {27}
Table of
ISBN: 1-58705-168-0
Pages: 648vc 100 detail

PE1#show
mpls l2transport
Contents
Local
interface:
Et0/0.1
up, line protocol up, Eth VLAN 100 up
Index
Tunnel label:
27,the
next
hop
10.23.12.2
Master
world
of Layer
Output interface:
Et1/0,
productivity
gainsimposed label stack {27 16}
about
2 Virtual
MPLS VC labels:Learn
local
21, Layer
remote
16
Reduce
costs
MTU: local 1500,
remote
1500
network
architecture
VC statistics:
byte totals: receive 0, send 728

When you send packets from CE1 to CE4, CE4 never receives anything even though the
counters for packets sent increase on PE1. Apparently, IP connectivity is fine between PE1 and
PE4, because the LDP session that is used for pseudowire signaling functions properly. With
that in mind, the problem might be related to how the pseudowire packets are forwarded.
services
over their
existing
Layerpath
3 cores.
these
cases is a
Tracking down the
pseudowire
packet
forwarding
fromThe
PE1solution
throughin
the
intermediate
technology
that
would
allow
Layer
2
transport
over
a
Layer
3
routers and all the way to ASBR1, use the show mpls forwarding-table command to
infrastructure.
examine the MPLS
label forwarding actions. On Router P2, label 27 gets swapped with label 24,
which results in a new label stack {24 16} for the pseudowire packets (see Example 9-41).
Example 9-41.
Label
Operation
Label
on P2 Router
assists
readers
looking tofor
meet
those 27
requirements
by explaining the
the Cisco Unified VPN
suite:27
Any Transport over MPLS (ATOM) for MPLSP2#show mpls forwarding-table
labels
based
cores
and
Layer
2
Tunneling
Protocol
version 3Next
(L2TPv3)
Local Outgoing
Prefix
Bytes tag
Outgoing
Hop for native
IP
cores.
The
structure
of
this
book
is
focused
on
first
introducing
the
tag
tag or VC
or Tunnel Id
switched
interface
reader
to
Layer
2
VPN
benefits
and
implementation
requirements
and
27
24
10.1.1.3/32
640453
Et0/0
10.33.23.1
On Router P3, the top label 24 is removed, which leaves the label stack at {16} (see Example
9-42). Note that label 16 is the VC label for the pseudowire packets.
Example 9-42. Label Operation for Label 24 on P3 Router

P3#show mpls forwarding-table labels 24
Local
tag
24
Outgoing
tag or VC
Pop tag
Prefix
or Tunnel Id
10.43.11.0/24
Bytes tag
switched
0
Outgoing
interface
Et0/0
Next Hop
10.33.23.1

When labeled pseudowire packets arrive at ASBR1, the last label 16 in the label stack is
removed according to the MPLS forwarding table, which leaves the pseudowire packets
unlabeled (see Example 9-43).
Table of
Contents
Example
Index
ISBN: 1-58705-168-0
Pages: 648
9-43. Label Operation for Label 16 on ASBR1 Router
ASBR1#show mpls forwarding-table labels 16

Local Outgoing
Prefix
Bytes tag Outgoing
Next Hop
Master
world of
VPNs to provide
tag
tag or VC
orthe
Tunnel
IdLayer 2switched
interface
gains
16
Pop tag productivity
10.33.23.0/24
0
Et1/0
10.43.11.1

Under normal operations, PE routers that are provisioned with pseudowires assign the VC
costs
extend
the reach
of that
yourremove
servicesthe
by VC
unifying
labels. Therefore, theyReduce
should be
theand
label
switching
routers
labelsyour
and
architecture
process the rest of the network
pseudowire
packets. In other words, intermediate label switching
routers should not remove VC labels from the label stack. ASBR1 does not act as a PE router in
Gain from
the first
to is
address
this case study, so removing
VC labels
onbook
ASBR1
a mistake.
The cause of the problem lies in the interaction between the routing process and the label
strategies
allow
customers
to enhance
distribution process. InReview
all previous
case that
studies,
a large
routerenterprise
that advertises
a given
route through
servicethe
offerings
while
maintaining
routing
a routing protocol also their
advertises
label that
is associated
with
that control
route through a label
distribution protocol, but that is not the case here. PE1 learns the host route 172.16.1.2 from
For awith
majority
of Service
Providers,
significant
of their
revenues
ASBR1 through IBGP
the next-hop
address
set toa ASBR1,
butportion
PE1 does
not learn
the label
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
that is associated with the host route from ASBR1. You can observe this behavior by using the
technologies.
Layer
3 MPLS 9-44.
show ip bgp labels
command,Although
as shown
in Example
Example 9-44.
Labels Learned Through BGP on PE1
PE1#show ip bgpinfrastructure.
labels
Network
Next Hop
In label/Out label
172.16.1.1/32
10.1.1.3
nolabel/nolabel
172.16.1.2/32
10.1.1.3
nolabel/nolabel
thelabel
Cisco
VPN suite:
Anyimpose
Transport
over MPLS
(ATOM)
forbecause
MPLS- IP
The absence of the
forUnified
172.16.1.2
does not
a problem
for IP
packets
based
cores and unlabeled
Layer 2 Tunneling
Protocol
version
(L2TPv3)
forhow
native
packets can always
be forwarded
in an MPLS
network.
This3fact
explains
PE1
IP cores.
The structure
of this
book
is focused
firstfor
introducing
the
and PE4 can establish
a targeted
LDP session
and
exchange
VC on
labels
the pseudowire.
On
reader
Layer
2 VPN
benefits and
implementation
requirements
andmeans
the other hand, PE1
doestonot
have
an end-to-end
contiguous
LSP to reach
PE4, which
them
to those
of Layer
VPNs,
such
MPLS,because
then PE1
the MPLS packetscomparing
cannot reach
PE4.
The partial
LSP3isbased
between
PE1
andas
ASBR1
progressively
covering
each
currently
available
solution
in
greater
detail.
does have an LSP to reach the next-hop address 10.1.1.3.
To eliminate the MPLS connectivity problem and create an end-to-end contiguous LSP, ASBR1
needs to send the corresponding label and the host route for 172.16.1.2 to PE1. In other
words, besides enabling IPv4 label distribution over the EBGP session between ASBR1 and
ASBR2, as described in "Case Study 9-8: BGP IPv4 Label Distribution with IGP Redistribution,"
the IBGP sessions between PE and ASBR also need to distribute IPv4 labels for the host routes
that are being advertised. After adding the send-label keyword to the BGP neighbor command
for the IBGP peers on PE and ASBR, PE1 obtains label 32 for the host route 172.16.1.2 from
IBGP (see Example 9-45).
Example 9-45. Labels Learned Through BGP on PE1 After Enabling

IPv4 Label Distribution
in IBGP
PE1#show ip bgpNo.label
Network
Next Hop
Cisco Press
172.16.1.1/32 Publisher:
10.1.1.3
172.16.1.2/32 Pub Date:
10.1.1.3
March 10, 2005
In label/Out label
nolabel/31
nolabel/32
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
Index
From
the show ip cef and show mpls l2transport vc commands, the pseudowire with VC ID
100 now has a label stack of {27 32 16}. Label 16 is still the VC label, but to reach PE4, it
requires two labels: Label 27 is the IGP label to reach ASBR1 that has the address 10.1.1.3,
and label 32 is the BGP IPv4 label assigned by ASBR1 to reach PE4 that has the address
Master the
172.16.1.2 (see Example
9-46).
productivity gains
Example 9-46. Reachability

Information
forNetworks
PE4 and
Pseudowire
Learn about Layer
2 Virtual Private
(VPNs)
Status for VC ID 100 After Fixing the MPLS Connectivity Problem
PE1#show ip cef 172.16.1.2
172.16.1.2/32, version
0,book
cached
adjacency
Gain 85,
fromepoch
the first
to address
Layer 10.23.12.2
0 packets, 0 bytes both ATOM and L2TP protocols
tag information set, all rewrites owned
local tag: BGP Review
route head
their
service
offerings
while maintaining
routing{27
control
fast tag rewrite
with
Et1/0,
10.23.12.2,
tags imposed
32}
via 10.1.1.3, 0 dependencies, recursive
For a majority
a significant
next hop 10.23.12.2,
Ethernet1/0
via 10.1.1.3/32
(Default)
are adjacency
valid cached
Although
Layer 3tags
MPLSimposed
VPNs fulfill
the32}
tag rewritetechnologies.
with Et1/0,
10.23.12.2,
{27
100
detail
legacy Layer 2vc
and
Layer
Local interface:
Et0/0.1
up,new
line
protocol
VLAN
100 up Layer 2
backbone
while
carriers
wouldup,
like Eth
to sell
the lucrative
172.16.1.2,
VC Layer
ID: 100,
VC The
status:
up in these cases is a
services over
their existing
3 cores.
solution
Preferred path:
not
configured
Default path:
active
infrastructure.
Output interface:
Et1/0,
imposed introduces
label stack
{27 to
32Layer
16} 2 Virtual Private
Layer 2 VPN
Architectures
readers
Create time: Network
07:38:14,
last
statusand
change
time:
07:38:09
(VPN)
concepts,
describes
Layer
Signaling protocol:
LDP,
peer
172.16.1.2:0
up
introductory
case
studies
and comprehensive
MPLS VC labels:
remote
16 those requirements by explaining the
assists local
readers21,
looking
to meet
Group ID: local
0
history0,
andremote
implementation
MTU: local the
1500,
Ciscoremote
Unified1500
VPN suite: Any Transport over MPLS (ATOM) for MPLSRemote interface
description:
based cores
Sequencing: receive
send
disabled
IP cores. disabled,
The structure
of this
VC statistics:
packet totals:
receive
29,
send of
465
comparing
them
to those
Layer 3 based VPNs, such as MPLS, then
byte totals:
receivecovering
8308, send
176142 available solution in greater detail.
progressively
each currently
When sending packets from CE1 to CE4 again, they arrive at ASBR1 with a label stack {32 16}
this time. The show mpls forwarding-table command on ASBR1 further confirms that
pseudowire packets are properly forwarded to ASBR2 through an LSP, as shown in Example 947.
Example 9-47. Label Operation for Label 32 on ASBR1 Router

2 VPN Architectures labels 32
ASBR1#show mplsLayer
forwarding-table
Local OutgoingByWei Luo,
Prefix
Bytes
tag- CCIE
Outgoing
Hop
Pignataro,
No. 4619,DmitryNext
Bokotey,
- CCIE
tag
tag or VC
orAnthony
Tunnel
interface
No. 4460,
Chan,Id
- CCIE No.switched
10,266
32
17
172.16.1.2/32
36750
Et0/0
172.16.100.2
ISBN: 1-58705-168-0
After Table
you of
complete the configuration
on all PEs and ASBRs, you can accomplish the end-to-end
Pages:
648
inter-AS
pseudowire
connectivity
by
using
BGP IPv4 label distribution with IBGP peering.
Contents
Index
The following configuration gives you some examples of how to configure the PE and ASBR
routers to use BGP IPv4 label distribution with IBGP peering to provide inter-AS pseudowire
connectivity.
On PE1, configureproductivity
BGP IPv4 label
distribution with IBGP peering and the pseudowire with VC ID
gains
100, as shown in Example 9-48.
Example 9-48. PE1 BGP and Pseudowire Configuration
hostname PE1
!
ip cef
mpls ldp router-id Review
Loopback0
!
interface Loopback0
ip address 10.1.1.1 255.255.255.255
!
no ip address
!
infrastructure.
!
ip address 10.23.12.1 255.255.255.0
mpls ip
!
interface Serial3/0
ip address 10.23.11.1 255.255.255.0
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSmpls ip
!
router ospf 1
network 10.1.1.1 0.0.0.0 area 0
network 10.23.11.0 0.0.0.255 area 0
network 10.23.12.0 0.0.0.255 area 0
!
router bgp 100
neighbor 10.1.1.3 update-source Loopback0
!
address-family ipv4
neighbor 10.1.1.3 activate
neighbor 10.1.1.3 send-label
no auto-summary
no synchronization
exit-address-family
On PE2, configureNo.
BGP
IPv4
label
distribution
with IBGP peering and the pseudowire with VC ID
4460,
Anthony
Chan,
- CCIE No. 10,266
Example 9-49. PE2

BGP and Pseudowire Configuration
ISBN: 1-58705-168-0
Table of
Contents
hostname
Index PE2
Pages: 648
!
ip cef
MasterLoopback0
mpls ldp router-id
productivity gains
!
interface Loopback0
ip address 10.1.1.2 255.255.255.255
!
no ip address
!
!
ip address 10.23.23.1 255.255.255.0
mpls ip
!
interface Serial3/0
customers,255.255.255.0
mpls ip
!
router ospf 1 services over their existing Layer 3 cores. The solution in these cases is a
network 10.1.1.2
0.0.0.0
area
0 allow Layer 2 transport over a Layer 3
technology
that
would
network 10.23.21.0
0.0.0.255
area
0
infrastructure.
network 10.23.23.0 0.0.0.255 area 0
!
router bgp 100 Network (VPN) concepts, and describes Layer 2 VPN techniques via
neighbor 10.1.1.3
remote-as
introductory
case 100
neighbor 10.1.1.3
assistsupdate-source
readers lookingLoopback0
!
address-familythe
ipv4
Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSneighbor 10.1.1.3
basedactivate
neighbor 10.1.1.3
send-label
IP cores.
no auto-summary
no synchronization
exit-address-family
On PE3, configure BGP IPv4 label distribution with IBGP peering and the pseudowire with VC ID
Example 9-50. PE3 BGP and Pseudowire Configuration
hostname PE3
!
ip cef
Layer 2 VPN
mpls label protocol
ldpArchitectures
ByWei Luo,
mpls ldp router-id
Loopback0
!
interface Loopback0
Publisher:255.255.255.255
Cisco Press
!
ISBN: 1-58705-168-0
Table
of
no ip
address
Pages:
648
Contents
!
Index
interface
Ethernet0/0.2
!
interface Serial2/0
productivity255.255.255.0
gains
mpls ip
!
router ospf 1
network 172.16.1.1Reduce
0.0.0.0
area
costs
and0extend the reach of your services by unifying your
network 172.16.34.0
0.0.0.255
area 0
!
router bgp 200
neighbor 172.16.1.3
remote-as
both
ATOM and200
L2TP protocols
!
address-family ipv4
For a majority
neighbor 172.16.1.3
send-label
no auto-summary
no synchronization
exit-address-family
On PE4, configuretechnology
BGP IPv4 label
distribution
peering over
and the
pseudowire
with VC ID
that would
allow with
LayerIBGP
2 transport
a Layer
3
100, as shown in infrastructure.
Example 9-51.

Network
concepts,
and describes
Example 9-51.
PE4 (VPN)
BGP and
Pseudowire
Configuration
hostname PE4 history and implementation details of the two technologies available from
!
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSip cef
mpls label protocol
ldp
IP cores.
mpls ldp router-id
readerLoopback0
!
interface Loopback0
ip address 172.16.1.2 255.255.255.255
!
no ip address
!
!
interface Serial2/0
ip address 172.16.44.1 255.255.255.0
mpls ip
!
router ospf 1 ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
No. 4460,0.0.0.0
Anthony Chan,
- CCIE
network 172.16.1.2
area
0 No. 10,266
network 172.16.44.0 0.0.0.255 area 0
!
router bgp 200 Pub Date: March 10, 2005
ISBN: 1-58705-168-0
Table of 172.16.1.3 update-source Loopback0
neighbor
Pages:
648
! Contents
Index
address-family
ipv4
no auto-summary
no synchronization
productivity gains
exit-address-family

On ASBR1, configure BGP IPv4 label distribution with both EBGP and IBGP peers, as shown in
Example 9-52.
Example 9-52. ASBR1

BGP
Configuration
both ATOM
and
L2TP protocols

hostname ASBR1
!
ip cef
mpls label protocol
are stillldp
mpls ldp router-id
Loopback0
technologies.
!
interface Loopback0
ip address 10.1.1.3
255.255.255.255
backbone
!
description Connect
to ASBR2 in AS200
infrastructure.
ip address 172.16.100.1 255.255.255.0
!
255.255.255.0
introductory
mpls ip
!
router ospf 1 the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSnetwork 10.1.1.3
0.0.0.0
area
0 2 Tunneling Protocol version 3 (L2TPv3) for native
based
cores and
Layer
network 10.43.11.0
0.0.0.255
area
IP cores. The structure of0this book is focused on first introducing the
!
router bgp 100 comparing them to those of Layer 3 based VPNs, such as MPLS, then
neighbor 10.1.1.1
remote-as
100 each currently available solution in greater detail.
progressively
covering
!
address-family ipv4
neighbor 10.1.1.1 next-hop-self

neighbor 172.16.100.2
send-label
no auto-summary
no synchronization
network 10.1.1.1 mask 255.255.255.255
network 10.1.1.2Publisher:
mask 255.255.255.255
Cisco Press
exit-address-family
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
On ASBR2,
configure
BGP
IPv4
label distribution with both EBGP and IBGP peers, as shown in
Index
Example 9-53.
Master
the world
Example 9-53.
ASBR2
BGPofConfiguration
productivity gains
hostname ASBR2
!
ip cef
mpls label protocolReduce
ldp costs and extend the reach of your services by unifying your
mpls ldp router-id network
Loopback0
architecture
!
interface Loopback0Gain from the first book to address Layer 2 VPN application utilizing
255.255.255.255
both ATOM
and L2TP protocols
!
their
description Connect
to service
ASBR1 offerings
in AS100while maintaining routing control
ip address 172.16.100.2 255.255.255.0
!
technologies.
255.255.255.0
mpls ip
!
router ospf 1 backbone while new carriers would like to sell the lucrative Layer 2
services
over their
existing
network 172.16.1.3
0.0.0.0
area
0
technology
that would
allow
network 172.16.24.0
0.0.0.255
area
infrastructure.
!
router bgp 200
Layer 2 VPN
Architectures
neighbor 172.16.1.1
remote-as
200
Network
(VPN)
concepts,
and
introductory
case
studies
and
comprehensive
assists
readers
looking
to
meet
those
requirements
by explaining the
history
and
implementation
details
of
the
two
technologies
available from
the
Cisco
Unified
VPN
suite:
Any
Transport
over
MPLS
(ATOM)
for MPLS!
address-familybased
ipv4cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
IP cores.activate
neighbor 172.16.1.1
reader to
neighbor 172.16.1.1
next-hop-self
comparing
progressively
no auto-summary
no synchronization
network 172.16.1.1 mask 255.255.255.255
network 172.16.1.2 mask 255.255.255.255
exit-address-family

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.

Case Study
9-10: Configuring LDP Authentication for
PseudowirePublisher:
Signaling
Cisco Press
In an MPLS network, where the trust relationship is assumed within the network boundary,
ISBN: 1-58705-168-0
Table of
authentication
for pseudowire signaling is usually absent. However, Cisco IOS still provides LDP
Pages:
Contents
authentication
when network648
operators consider it necessary. Like other MPLS applications that
Index AToM can also enable LDP authentication for pseudowire signaling.
use LDP,
LDP performs authentication through the TCP MD5 Signature Option, which is essentially a
message digest checksum to validate the integrity of the message. The checksum is calculated
Master
the transmitted
world of Layer
to provide
based on the content
being
and2aVPNs
shared
password.
productivity gains
To configure LDP authentication for pseudowire signaling, use the mpls ldp neighbor password
command under the global configuration mode. For example, PE1 and PE2 need to configure LDP
Learn
aboutpassword
Layer 2 Virtual
Networks
(VPNs)
authentication and have
a shared
l2vpn, Private
as shown
in Example
9-54.
Example 9-54. Configuring LDP Authentication
both
ATOM and
L2TP protocols
PE1(config)#mpls ldp
neighbor
10.1.1.2
password ?
LINE The password
<0-7> Encryption type (0 to disable encryption, 7 for proprietary)
PE1(config)#mpls ldp neighbor 10.1.1.2 password l2vpn
PE2#config t are still derived from data and voice services based on legacy transport
Enter configuration
commands,
one Layer
per line.
technologies.
Although
3 MPLSEnd
VPNswith
fulfillCNTL/Z.
the market need for some
PE2(config)#mpls
ldp
neighbor
10.1.1.1
password
l2vpn
To verify that thetechnology
LDP sessionthat
is enabled
with Layer
MD5 authentication,
use
the show
mpls ldp
would allow
2 transport over
a Layer
3
neighbor detail command,
as
shown
in
Example
9-55.
infrastructure.
Example 9-55.
Verify
That
LDP Authentication
Enabled
Network
(VPN)
concepts,
and describes LayerIs
2 VPN
techniques via
PE1#show mpls ldp
neighbor
10.1.1.2 detail
history
and implementation
Peer LDP Ident:
10.1.1.2:0;
LDP Transport
Ident 10.1.1.1:0
the Cisco Unified VPNLocal
suite: Any
over MPLS (ATOM) for MPLSTCP connection:
10.1.1.2.11035
10.1.1.1.646;
MD53 on
based cores and Layer 2 Tunneling Protocol version
(L2TPv3) for native
State: IP
Oper;
Msgs
sent/rcvd:
26/26;
Downstream;
Last
TIB rev the
sent 22
cores. The structure of this book is focused on first
introducing
Up time:
00:08:10;
Peer Id
reader
to LayerUID:
2 VPN5;
benefits
and2;
LDP discovery
sources:
comparing
Targeted
Hello
-> 10.1.1.2,
active,solution
passive;
progressively10.1.1.1
covering each
currently available
in greater detail.
holdtime: infinite, hello interval: 10000 ms
Addresses bound to peer LDP Ident:
10.23.23.1
10.1.1.2
10.23.21.2
Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab
Clients: Dir Adj Client
If a PE router has a password configured for a peer PE router, but the peer PE router does not
have the password configured, a message such as the following appears on the console of the PE
router:
00:53:41: %TCP-6-BADAUTH:
No MD5 digest from 10.1.1.2(11037) to 10.1.1.1(646)
If two PE routers have different passwords configured, a message such as the following appears
on the console:
ISBN: 1-58705-168-0
00:55:57:
Table of %TCP-6-BADAUTH: Invalid MD5 digest from 10.1.1.2(11041) to 10.1.1.1(646)
Contents
Index
Pages: 648
When the password is missing from one PE router or the passwords that are configured on two PE
routers do not match, the LDP session is not established.
productivity gains
infrastructure.

Verifying Pseudowire
Data Connectivity
Fault detection, isolation,

and
verification
techniques are critical for the deployment of MPLS
Publisher:
Cisco
Press
applications, including
emulation.
The ability to detect faults in the data plane or
Pubpseudowire
Date: March 10,
2005
forwarding path for pseudowire services in a packet-switched network is critical for network
ISBN: 1-58705-168-0
Table ofThis section explores virtual circuit connectivity verification (VCCV), which provides an
operators.
Pages:
648
Contents
answer
to pseudowire fault detection.
Index
The connectivity verification model for pseudowires consists mainly of two distinctive building blocks
that are specified in two different Internet drafts:
Advertising productivity
the VCCV capability
gains
Verifying data plane connectivity
Case Studies 9-11 and 9-12 describe both building blocks in detail.
You can verify the pseudowire
connectivity by creating a control channel within the
networkdataplane
architecture
pseudowire. This control channel is associated with the pseudowire, and data connectivity packets
Gain from
the first
book tohas
address
flow in this control channel.
The control
channel
two requirements:
To follow the pseudowire
data path that
as closely
as possible
Review strategies
allow large
To divert data connectivity verification packets so that they are processed by the receiving PE
device as opposed
to beingofforwarded
out to theaCE
devices portion of their revenues
For a majority
Service Providers,
significant
As you will see intechnologies.
"Case Study 9-11:
Advertising
VCCV
Capability,"
three control
channel
Although
Layer 3 the
MPLS
VPNs
fulfill the market
need for
some types
(CC types) provide
the
preceding
two
requirements.
After you define the
controlwhile
channel,
needwould
to specify
thesell
connectivity
verification
backbone
newyou
carriers
like to
the lucrative
Layer 2 packets and
protocols that willservices
use the over
control
channel.
You
can
use
multiple
protocols
over
the
control
their existing Layer 3 cores. The solution in these
cases
is a channel,
which have different
data
connectivity
verification
types
(CV
types).
The
three
currently
defined CV
types are IP-based
protocols.
infrastructure.

Network
(VPN) concepts,
andVCCV
describes
Case Study 9-11:
Advertising
the
Capability
The capability of VCCV is advertised as part of the MPLS Label Mapping message in the Pseudowire ID
FEC as an interface parameter. Example 9-56 shows a decoding example of the VCCV interface
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSparameter taken with Ethereal software.
Example 9-56.
VCCV them
Interface
Parameter
comparing
to those
Interface Parameter:
ID: VCCV (0x0c)
Length: 4
CC Type
.... ...1 = PWE3
.... ..1. = MPLS
.... .0.. = MPLS
CV Type
.... ...0 = ICMP
VCCV
Control Word: True

Router Alert: True
Inner Label TTL = 1: False
Ping: False
.... ..1. = LSP Ping: True

.... .0.. = BFD: False
The ID value 0x0C

that
this- CCIE
is a VCCV
interface parameter. It consists of two fields that have
No.indicates
4460,Anthony
Chan,
No. 10,266
various options:
Pub Date:
10,Defines
2005
Control Channel
(CC)March
type
a bitmask that indicates the types of control channel that
ISBN: CC
1-58705-168-0
can
be
used
to
receive
traffic
to
verify
connectivity. If more than one is specified, the router
Table of
agrees to accept control
traffic
at
any
time
over any control channel:
Pages:
648
Contents
Index
PWE3 Control Word (type 1) The control channel traffic is carried inband with data
traffic on the pseudowire being monitored using the same label stack. When you use this
control channel, a special format of the AToM control word instructs the PE router to
inspectMaster
the control
channel
traffic.
the world
of Layer
productivity gains
MPLS Router Alert Label (type 2) The control channel is created out-of-band from the
pseudowire, and it utilizes the reserved Router Alert (RA) label. The notion of "out-of-band"
comes fromLearn
the fact
thatLayer
the connectivity
verification
packet
has a slightly different MPLS
about
2 Virtual Private
Networks
(VPNs)
label stack than the actual pseudowire data packet.
MPLS Inner
Label TTL
= 1 (type 3) It is also known as TTL Expiry that sets the TTL of
network
architecture
the VC label to 1, which forces the control packet to be processed by the receiving PE
router.
Connectivity Verification (CV) type Defines a bitmask that indicates the types of CV packets
and protocols thatReview
can bestrategies
sent on the
specified
control
channel:
that
allow large
enterprise
Internet Control Message Protocol (ICMP) Ping ICMP-based Echo Request and Reply.
LSP Ping
MPLS-based
Echodata
Request
and Reply.
are still
derived from
and voice
BFD Bidirectional
Detection
provides
a continuous
and forward and
customers, Forwarding
they have some
drawbacks.
Ideally,
carriers monitoring
with existing
backward
defect
indication
and propagation.
legacy
Layer
2 and Layer
Table 9-1 compares the three control channel types.
infrastructure.
Table 9-1.
Comparing
VCCVand
Control
Channel
Types
Network
(VPN) concepts,
describes
Layer 2 VPN
techniques via

assists
readers looking to meet those requirements
Control
Channel
Cons andby explaining the
details of the two
Channel Type history
Type and implementation
Pros
Limitations
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSType 1PWE
Inband
VCCV2traffic
follows
Pseudowire
must use for native
based
cores and Layer
Tunneling
Protocol
version 3 (L2TPv3)
Control Word
the
same
path
as
the
control
word.
data
reader to Layer 2 pseudowire
VPN benefits
traffic.
comparing them to
Type 2MPLS
Out-of-band
Available even if the
VCCV traffic might
RA Label
control word is not
take a different path
present or cannot be
than the pseudowire
inspected.
data traffic.
Type 3MPLS
Inband
VC Label TTL =
1
VCCV traffic follows

the same path as
pseudowire data
traffic, and no control
word is necessary.
Might not work if the

penultimate hop
overwrites the TTL.
When you create an inband control channel of a pseudowire, the data flow and the control flow are
effectively multiplexed
over the same forwarding path, which is the most accurate picture of the data
Luo,
- CCIE methods
No. 13,291,Carlos
connectivity. ThisBy
isWei
why
inband
are preferred.
In contrast, the out-of-band control flow might follow a different forwarding path from the actual data
flow because of the Publisher:
ECMP load
sharing
Cisco
Press forwarding behavior described earlier in this chapter. There is
no impact, however,Pub
if the
pseudowire
path is free of ECMPs, although that is not a realistic
Date:
March 10, 2005
assumption. The out-of-band channel is created by using the reserved RA label. The RA label means
ISBN: 1-58705-168-0
Table ofrouter must examine the packet. With an RA label, all packets are punted to the route
that every
Pages:
648
Contents
processor
(RP) for processing; therefore, you can use this method to detect inconsistencies between
Index
the linecard
and the RP. In an intermediate router, after the packet that contains the RA label is
processed, if the packet needs to be forwarded further, the RA label is pushed back onto the label
stack before forwarding.
Master advertise
the world CC
of Layer
tobut
provide
enhanced
enjoy
Currently, Cisco routers
types 21 VPNs
and 2,
the Cisco
routerservices
prefers and
to use
the control
productivity
gains capabilities to traverse the same path as the pseudowire data
word CC type because
of its inband
plane. The only CV type that is currently supported is LSP Ping.
Learn
about Layer
2 Virtual Private
Networks
(VPNs)
You can display the VCCV
capability
advertisement
by using
the show
mpls l2transport binding
command.Example 9-57 provides output of this command.
Example 9-57. show

mpls
binding
Output
Gain from
thel2transport
Layer Command
2 VPN application
utilizing
binding that
300 allow large enterprise customers to enhance
Review strategies
Destination Address:
VC while
ID: 300
their 10.0.0.203,
service offerings
Local Label: 18
Cbit: 1,
VC Type:ofATM
VCC Providers,
CELL,
For a majority
Service
aGroupID:
significant5portion of their revenues
MTU: n/a,
Interface
Desc:
***
Packed
Cell VC
AToMonto
CE1 transport
***
are still derived from data and voice services
based
legacy
Max Concatenated
ATM
Cells:
10
VCCV Capabilities:
Type
2
customers, theyType
have1,
some
drawbacks.
Remote Label:
18 Layer 2 and Layer 3 networks would like to move toward a single
legacy
Cbit: 1,
VC while
Type:new
ATMcarriers
VCC CELL,
backbone
would likeGroupID:
to sell the2lucrative Layer 2
MTU: n/a,
Interface
Packed
Cell
AToM to
CE2 ***
services
over their Desc:
existing***
Layer
3 cores.
TheVC
solution
in these
cases is a
Max Concatenated
ATM
Cells:
10
VCCV Capabilities:
infrastructure. Type 1, Type 2

The VCCV CC types
that are displayed
withand
the comprehensive
show mpls l2transport
binding
command
introductory
case studies
design scenarios.
This
book are
displayed as typeassists
1 for the
control
word
and
type
2
for
the
MPLS
RA
label.
To understand the ECMP implications of using CC type 1 versus CC type 2, you need to be familiar
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSwith the ECMP procedures. To load share traffic between multiple paths with equal cost in traditional
IP networks, routers use a hashing algorithm performed on the source and destination IP addresses in
the IPv4 or IPv6 packet header to choose the outgoing path within the multiple paths. This minimizes
misordering of packets by sending IP flows on a single path.
progressively
covering
eachby
currently
available
solution
greater
detail.
MPLS networks adapted
the same
technique
inspecting
the payload
of in
MPLS
packets.
However,
because LDP is a stateful protocol and the MPLS header does not have an upper layer protocol
identification field, it uses a heuristic method to determine the payload type by inspecting the first
nibble of the MPLS payload. The first field in an IP packet is the IP version. Therefore, if the value of
the first nibble is 4, it is assumed that the payload is IPv4. If the first nibble is 6, however, it is
assumed that the payload is IPv6. Because pseudowire packets do not carry raw IP traffic and do not
guarantee that the first nibble is either 4 or 6, this can lead to undesired results, in which case
pseudowire packets from the same flow are sent in different paths.
To avoid mistreatment for pseudowire data packets, the first nibble in the control word is reserved
and set to 0. For VCCV traffic with control channel type 1, the control word is required. Its first nibble
is set to 1 to avoid aliasing the payload with an IPv4 or IPv6 packet. However, for VCCV label;
therefore, VCCV traffic can take a different path than pseudowire data traffic.
Case Study 9-12: Verifying Data Plane Connectivity

After the VCCV capability has been exchanged, each control channel distinguishes data and VCCV
packets as follows:
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
For
CC
type
1,
a
special
control word is used. The first nibble is set to 1 to indicate VCCV
Index
packets. The first nibble of the control word is set to 0 for all data packets.
For CC type 2, the RA label is placed immediately above the pseudowire label for VCCV packets,
and data packets
not
haveofthe
RA label
in the
MPLS label
stack. services and enjoy
Masterdothe
world
Layer
2 VPNs
to provide
enhanced
productivity gains
The special control word in CC type 1 also includes a protocol type field to indicate the protocol that is
being carried. The protocol type field that is used is the Internet Assigned Numbers Authority (IANA)
PPP Data Link Layer (DLL)
Protocol
Number.
Learn
about Layer
LSP Ping is currently the
only supported
type,the
where
MPLS
Echo
packets
IPv4 or
IPv6 User
Reduce
costs and CV
extend
reach
of your
services
byare
unifying
your
Datagram Protocol (UDP)
packets
using
the
IANA
assigned
well-known
UDP
port
of
3503.
These UDP
packets are possibly MPLS labeled. In an MPLS Echo Request, the source IP address is the originating
router's outgoing interface
expected,
the destination
IP application
address is within
the reserved
Gainaddress
from theasfirst
book tobut
address
Layer 2 VPN
utilizing
range of internal host loopback
addresses
127.0.0.0/8. The IP TTL of the MPLS Echo Request
both ATOM
and L2TPofprotocols
packet is set to 1 so that when all of the MPLS labels are popped, the underlying LSP Ping IP packet is
strategies
large enterprise
enhance
not forwarded, and theReview
RA option
is set inthat
theallow
IP header.
The formatcustomers
of an LSP to
Echo
packet is shown
inFigure 9-10.

technologies.
Although
3 MPLS
VPNs
fulfill the
Figure
9-10.Layer
MPLS
Echo
Packet
Format
infrastructure.
The message type is either 1 for MPLS Echo Request or 2 for MPLS Echo Reply. The reply mode can
specify no reply, reply via IPv4/IPv6 with or without RA option, or reply via application-level control
channel. The ability to specify the reply mode gives great flexibility to LSP Ping. You can use the
option with no reply to verify one-way connectivity by checking the Sequence Number field, or you
can gather SLA statistics by checking the TimeStamp Sent field. The mode of reply via the application
level control channel is currently not further defined. You can choose between the remaining two reply
modes of IP with and without RA option when issuing LSP Ping packets from the Cisco IOS command
Layer
2 VPN
Architectures
line. The difference
and
applicability
between these two reply modes are covered at the end of this
case study.
Currently, the five Type Length Values (TLV) defined are as follows:
Target FEC Stack
ISBN: 1-58705-168-0
Table of
Downstream Mapping
Pages:
648
Contents
Index
Pad
Error Code
Vendor Enterprise Code
productivity gains
In a pseudowire ping, you will use the Target FEC Stack TLV with a pseudowire sub-TLV to identify the
pseudowire. Optionally,
you will
useLayer
the Pad
TLV and
the Vendor
Enterprise
Learn
about
2 Virtual
Private
Networks
(VPNs) Code TLV with a Cisco
SMI enterprise number of 9.
Note
You can use the MPLS

Echo
procedures
many
different
FEC customers
types by specifying
a
Review
strategies
thatfor
allow
large
enterprise
to enhance
different sub-TLV their
in Target
FECofferings
stack TLV.
Besides
connectivity
verification
service
while
maintaining
routing
control for pseudowires,
you can use MPLS Echo to test the following FEC types: LDP signaled IPv4 and IPv6 prefix
FECs, RSVP-TE
IPv4
and IPv6Providers,
session FECs,
and VPN-IPv4
IPv6revenues
prefix FECs.
For signaled
a majority
of Service
a significant
portionand
of their
LSP Ping is used
to check
connectivity,
not only
ping mode,
but
in traceroute
are still
derived
from data and
voiceinservices
based
onalso
legacy
transport mode.
This section technologies.
concentrates on
pseudowire
testing.
Although
Layerconnectivity
3 MPLS VPNs
Example 9-58 shows
an MPLS
for a pseudowire.
services
overEcho
their Request
existing decoding
Layer 3 cores.
infrastructure.
Example 9-58. MPLS Echo Request Decoding

Ethernet II, Src:
xx:xx:xx:xx:xx:xx,
Dst:
yy:yy:yy:yy:yy:yy
introductory
case studies and
comprehensive
Destination:
yy:yy:yy:yy:yy:yy
assists
readers looking to(yy:yy:yy:yy:yy:yy)
Source: xx:xx:xx:xx:xx:xx
(xx:xx:xx:xx:xx:xx)
Type: MPLS the
label
switched
packet
Cisco
Unified VPN
suite:(0x8847)
Any Transport over MPLS (ATOM) for MPLSMultiProtocol Label
Switching
Header
based cores
and Layer
MPLS Label:IP Unknown
(17)
cores. The
MPLS Experimental
reader to Bits:
MPLS Bottomcomparing
Of Labelthem
Stack:
0
to those
MPLS TTL: 255
MultiProtocol Label Switching Header
MPLS Label: Unknown (22)
MPLS Experimental Bits: 0
MPLS Bottom Of Label Stack: 1
MPLS TTL: 2
MPLS PW Control Channel Header
Control Channel: 0x1
Reserved: 0x000
PPP DLL Protocol Number: IP (0x0021)
Internet Protocol, Src Addr: 10.0.0.201 (10.0.0.201), Dst Addr: localhost (127.0.0.1)
Version: 4
Header length: 24 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Layer100
2 VPN Architectures
Total Length:
ByWei Luo,
- CCIE No.
Identification:
0x0000
(0)13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
4460,Anthony
Flags: 0x04No.(Don't
Fragment)
Fragment offset: 0
Time to live:Publisher:
1
Cisco Press
Protocol: UDPPub
(0x11)
Header checksum: 0x5cba (correct)
ISBN: 1-58705-168-0
Table of
Source:
10.0.0.201 (10.0.0.201)
Pages:
648
Contents
Destination:
localhost (127.0.0.1)
Options:
Index
(4 bytes)
Router Alert: Every router examines packet
User Datagram Protocol, Src Port: 3503 (3503), Dst Port: 3503 (3503)
Source port: 3503 (3503)
world
DestinationMaster
port:the
3503
(3503)
productivity
gains
Length: 76
Checksum: 0x4f8f (correct)
Multiprotocol Label Switching Echo
Version: 1
MBZ: 0
Message Type: MPLS
Echo
Request (1)
network
architecture
Reply Mode: Reply via an IPv4/IPv6 UDP packet with Router Alert (3)
Return Code: NoGain
return
(0)book to address Layer 2 VPN application utilizing
fromcode
the first
Return Subcode:both
0 ATOM and L2TP protocols
Sender's Handle: 0xc8000033
Sequence Number:
1
Review
Timestamp Sent:their
2004-05-03
15:32:22.5040
UTC
service offerings
while maintaining
routing control
Timestamp Received: NULL
Target FEC For
Stack
are still derived
from(1)
Type: Target
FEC Stack
Length:technologies.
20
customers,
they
have some
FEC Element
1: L2
circuit
ID drawbacks. Ideally, carriers with existing
legacy
2 and
Type:
L2 Layer
cirtuit
IDLayer
(9) 3 networks would like to move toward a single
backbone
Length:
16 while new carriers would like to sell the lucrative Layer 2
services PE
over
their existing
Layer 3 cores.
Sender's
Address:
10.0.0.203
(10.0.0.203)
technology
that would
allow Layer(10.0.0.201)
Remote
PE Address:
10.0.0.201
VC infrastructure.
ID: 50
Encapsulation: HDLC (6)
Layer
MBZ:
0x0000
Network
Pad
introductory
Type: Pad (3)
assists
readers
Length: 8
historyDrop
and implementation
Pad Action:
Pad TLV from details
reply of
(1)
the ABCDABCDABCDAB
Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSPadding:
The highlighted lines
in Example
showof
how
an MPLS
Echo
packet
encapsulated
comparing
them9-58
to those
Layer
3 based
VPNs,
suchisas
MPLS, then in IP/UDP with
the RA option in the
IP header, covering
and in turn
MPLS-labeled.
You can
also see
a Pseudowire
Control
progressively
each
currently available
solution
in that
greater
detail.
Channel Header is included when using CC type 1.
To verify data connectivity using LSP Ping on Cisco routers, you can execute the ping mpls command
with the pseudowire keyword in the EXEC mode. Other available keywords are ipv4 for an LDP IPv4
FEC and traffic-eng for an RSVP-TE Tunnel FEC (see Example 9-59).
Example 9-59. ping mpls pseudowire Command Output
PE1#ping mpls pseudowire 10.0.0.201 100

Sending 5, 100-byte MPLS Echos to 10.0.0.201/0,
timeout is 2 seconds, send interval is 0 msec:
Codes: '!' - success,

'Q' - request not transmitted,
'.' - timeout,
'U' - unreachable,
'R' - downstream router but not target
Publisher:
Press
to Cisco
abort.
!!!!!
Success rate is 100 ISBN:
percent
(5/5), round-trip min/avg/max = 1/2/4 ms
1-58705-168-0
Table of
PE1#
Pages: 648
Contents
PE1#ping
mpls pseudowire 10.0.0.201 200
Index
Sending
5, 100-byte MPLS Echos to 10.0.0.201/0,
timeout is 2 seconds, send interval is 0 msec:
Codes: '!' - success, 'Q' - request not transmitted,

Master the
world
'.' - timeout,
'U'
- unreachable,
productivityrouter
gains but not target
'R' - downstream
QQQQQ
Success rate is 0 percent (0/5)
PE1#
network10.0.0.201
architecture200 reply mode ?
PE1#ping mpls pseudowire
ipv4
Send reply via IPv4
Gain
fromvia
the first
address
Layer
router-alert Send
reply
IPv4book
UDP towith
router
alert

their service
offerings
while
routing
controlis "!!!!!". The second test
The first test for the pseudowire
with
VC ID 100
is maintaining
successful, and
the result
for the pseudowire with VC ID 200 has a result of "QQQQQ", meaning "request not transmitted." The
a majority
Service
a significant
portion
ofRequest:
their revenues
following are the For
most
common of
reasons
forProviders,
not transmitting
an MPLS
Echo
The VC is down.
The peer does
not advertise
VCCV
capabilities.
backbone
while new
carriers
Theping mpls command
allows
different
reply modes
discussed
ipv4 and router-alert.
technology
thattwo
would
allow Layer
2 transport
over abefore:
Layer 3
The default is ipv4,
which is the option normally used. However, if an LSP Ping is unsuccessful and
infrastructure.
times out (resulting "....."), the failure might occur on the return path. In this case, retry the routeralert reply mode.Layer
This 2
mode
instructs all intermediate
routers in
return
path Private
to process the
VPN Architectures
introduces readers
to the
Layer
2 Virtual
packet. This option
is most(VPN)
usefulconcepts,
for isolating
switching
problems.
Network
andMPLS
describes
Layerpath
2 VPN
techniques via
If you do not get assists
a reply readers
to a ping
mplsto
pseudowire
the default
IPv4 reply the
mode, but you do
looking
meet those using
requirements
by explaining
get a successful reply
using
RA reply mode,
you can
infer
a switching
path problem
history
andthe
implementation
details
of the
twothat
technologies
available
from exists in
the return path, most
likely
a
CEF
inconsistency
between
the
linecard
and
the
RP
card
in an
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSintermediate node.
You
can
reach
this
conclusion
because
with
RA
reply
mode,
all
MPLS
Echo Reply
packets are punted
to
the
RP
to
be
processed
switched.

Quality of By
Service
in AToM
This final section of the

chapter
Publisher:
Ciscocovers
Press concepts and configuration on quality of service (QoS).
You review the common
QoSMarch
techniques
Pub Date:
10, 2005 that are applicable to all Layer 2 protocols over MPLS
and then explore the protocol-specific aspects. This section tries to be as platform-independent
ISBN: 1-58705-168-0
Table of However, you might find hardware-specific conditions that preclude support of
as possible.
Pages:
648
someContents
QoS features.
Index
The QoS model for AToM follows the Differentiated Services (DiffServ) QoS architecture in
Cisco IOS that uses the Modular QoS CLI (MQC). DiffServ defines a scalable QoS architecture
that relies on the separation of complex edge versus simple core behaviors. The edge
Master theinworld
of Layer
2 VPNs
to provide
enhanced
services
andpoint
enjoy
behaviors are summarized
a small
number
of classes
defined
in the DiffServ
code
productivity
gains is defined in RFC 3270. It uses the Experimental bits in the
(DSCP). MPLS support
for DiffServ
MPLS header, also referred to as class of service (CoS) bits for the few classes that DiffServ
uses to which LSPs are mapped.
The MQC model can be summarized as follows:
from the
book to
Layerclasses
2 VPN application
utilizing
1. Interesting trafficGain
is defined
andfirst
classified
asaddress
one or more
using the class-map
both
ATOM
and
L2TP
protocols
command.
strategies
thatdefined
allow large
customers
to enhance
2. Policies pertainingReview
to these
classes are
usingenterprise
the policy-map
command.
3. The policies are applied to either the input or output direction of the traffic flow using the
For acommand.
majority of Service Providers, a significant portion of their revenues
service-policy
Case Study 9-13:
Traffic
Marking
legacy Layer
2 and
Layer 3 networks would like to move toward a single
The first of the QoS
building
blocks
the marking
traffic The
by setting
the
services
over
theirisexisting
Layer of
3 cores.
solution
inMPLS
theseExperimental
cases is a
(Exp) bits. You apply
the Expthat
bit setting
to both
the 2
pseudowire
and tunnel
because of
technology
would allow
Layer
transport over
a Layerlabels
3
the possibility of PHP,
which removes the tunnel label at the penultimate hop. This traffic
infrastructure.
marking based on the Exp bits is meaningful if the core network performs differentiated
Layerclasses,
2 VPN Architectures
introduces
readers
Layerin2aVirtual
Private queue.
treatment of different
such as by queuing
highest
classto
traffic
strict priority
Example 9-60 shows
how to set
thestudies
Exp bits
forcomprehensive
an ATM AAL5 SDU
andscenarios.
Cell RelayThis
VC Mode
introductory
case
and
design
book
pseudowires on PE1
shown
in Figure
9-1.to meet those requirements by explaining the
assists
readers
looking
cores and
Layer
Example 9-60.
Setting
Exp
Bits
hostname PE1 comparing them to those of Layer 3 based VPNs, such as MPLS, then
!
class-map match-any all_traffic
match any
!
policy-map exp3
class all_traffic
set mpls experimental 3
!
policy-map exp5
class all_traffic
!
description *** AAL5 SDU AToM to CE1 ***
encapsulationByWei
aal5
No. 4460,100
Anthony
xconnect 10.1.1.2
encapsulation
mpls
service-policy input exp3
!
interface ATM4/0.2
Pubpoint-to-point
description *** Cell VC AToM to CE1 ***
ISBN: 1-58705-168-0
Table
of l2transport
pvc
0/200
Pages:
648
Contents
encapsulation
aal0
Index
xconnect
10.1.1.2 200 encapsulation mpls
service-policy input exp5
productivity
gains all traffic in which the corresponding service-policy is
Theclass-map all_traffic
matches
applied. Instead of defined class, you could have used the built-in class-default to obtain the
same results. The policy-map exp3 sets the Exp bits to 3 for all the classified traffic (that is,
Learn
about
Layer
2 Virtual
Private Networks
(VPNs)
all traffic). This policy is
applied
as an
input
service-policy
to the ATM
AAL5-SDU mode AC.
Similarly, the policy-map exp5 sets the Exp bits to 5 and is applied to the ATM Cell Relay VC
AC. Therefore, all traffic that is incoming into ATM PVC 0/100 and 0/200 is encapsulated with
the MPLS Exp bits set to 3 or 5, respectively. You can also perform traffic marking using
policing.
You can see this service policy working in Example 9-61 by enabling the debug mpls packets
in PE2 and sending 5 default size (100 Bytes) PING packets from CE1 to CE2 in each PVC. Do
not enable the debug mpls packets command in production networks.
Example 9-61.
Traffic
Marking
are QoS
still derived
from
data andVerification
PE2#
*Jun
*Jun
*Jun
*Jun
*Jun
PE2#
*Jun
*Jun
*Jun
*Jun
*Jun
*Jun
*Jun
*Jun
*Jun
*Jun
*Jun
*Jun
*Jun
*Jun
*Jun
2
2
2
2
2
11:26:17.733:
MPLS:
recvd:
CoS=3,
TTL=2,
backbone
whileFa0/0:
new carriers
would
like to
sell theLabel(s)=19
lucrative Layer 2
11:26:17.737:
MPLS:
Fa0/0:
recvd:
CoS=3,
TTL=2,
Label(s)=19
services over their existing Layer 3 cores. The solution
in these cases is a
11:26:17.737:
MPLS:
recvd:
CoS=3,
TTL=2,
Label(s)=19
technology
thatFa0/0:
would allow
Layer
2 transport
over
a Layer 3
11:26:17.737:
MPLS: Fa0/0: recvd: CoS=3, TTL=2, Label(s)=19
infrastructure.
11:26:17.741: MPLS: Fa0/0: recvd: CoS=3, TTL=2, Label(s)=19
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2

11:26:26.793:
recvd:
CoS=5, Layer
TTL=2,
Label(s)=21
NetworkMPLS:
(VPN) Fa0/0:
concepts,
and describes
2 VPN
techniques via
11:26:26.793:
MPLS:
Fa0/0:
recvd:
CoS=5, TTL=2,
Label(s)=21
introductory
case
studies
and comprehensive
design
11:26:26.793:
MPLS: Fa0/0:
recvd:
CoS=5,
TTL=2, Label(s)=21
assists readers
looking to
meet those
requirements
by explaining the
11:26:26.793:
MPLS:
Fa0/0:
recvd:
CoS=5,
Label(s)=21
history and implementation details of theTTL=2,
two technologies
available from
11:26:26.793:
MPLS:
Fa0/0:
recvd:
TTL=2,
Label(s)=21
the Cisco
Unified
VPN suite:
AnyCoS=5,
Transport
over MPLS
(ATOM) for MPLS11:26:26.793:
MPLS:
CoS=5,
TTL=2,
Label(s)=21
based cores
andFa0/0:
Layer 2recvd:
Tunneling
Protocol
version
11:26:26.797:
MPLS:
Fa0/0:
recvd:
CoS=5,
TTL=2,
IP cores. The structure of this book is focused on Label(s)=21
11:26:26.797:
MPLS:
recvd: and
CoS=5,
TTL=2, Label(s)=21
reader to
LayerFa0/0:
2 VPN benefits
implementation
requirements and
11:26:26.797:
MPLS:
Fa0/0:
recvd:
CoS=5,
TTL=2,
comparing
them
to those
of Layer
3 based
VPNs, Label(s)=21
such as MPLS, then
11:26:26.797:
MPLS:covering
Fa0/0: each
recvd:
CoS=5,
TTL=2,solution
Label(s)=21
progressively
currently
available
in greater detail.
You can see from Example 9-61 that all the MPLS packets are arriving with the VC label only
because of PHP, and the TTL of the VC label is 2. The first five MPLS packets have the Exp bits
set to 3. These are the five 100-byte PING packets encapsulated in ATM AAL5-SDU mode, and
the Exp bits are set by the policy-map exp3 on PE1. The output of the debug command
shows the Exp value as CoS. After these five packets, you see 15 packets with the Exp set to 5.
2 VPN Architectures
These are the fiveLayer
100-byte
PING packets that are encapsulated in ATM Cell Relay VC mode
ByWei
Luo, -packet
CCIE No.
Carlos
- CCIE
No. 4619,
Bokotey,
- CCIE
without cell packing.
Each
is 13,291,
broken
intoPignataro,
three ATM
cells,
andDmitry
therefore
three
No. 4460,
AnthonyThe
Chan,
- CCIE
10,266
corresponding AToM
packets.
Exp
bitsNo.
are
set to 5 as defined in the policy-map exp5 on
PE1.
Table of
Contents
Note
Index
ISBN: 1-58705-168-0
Pages: 648
For ATM Cell Relay VP mode with QoS configuration, configure each ATM permanent
virtual path (PVP) into its own multipoint ATM subinterface, and apply the service
policy to the subinterface. This allows you to apply various service policies with
the
world
of Layer 2
to provide
enhanced
services
unique policyMaster
actions
such
as marking
orVPNs
policing
to the different
ATM
PVPs. and
In enjoy
productivity
gains
contrast to ATM
PVC configuration,
the atm pvp command-line interface (CLI)
command does not enable a configuration submode.

The case for other Layer 2 transports is analogous, applying the service-policy in the main
interface for ATM CRoMPLS Port mode, High-Level Data Link Control over MPLS (HDLCoMPLS),
PPP over MPLS (PPPoMPLS), Ethernet over MPLS (EoMPLS), and in the subinterface for EoMPLS
VLAN mode and ATM cell relay over MPLS (CRoMPLS) VP mode. The case for Frame Relay over
MPLS (FRoMPLS) is slightly different. It is covered in "Case Study 9-17: ===Layer 2-Specific
Matching and Setting."Review strategies that allow large enterprise customers to enhance
For a majority
Case Study 9-14:
Trafficof Policing
Policing CE traffic is similar to marking. The difference is the policy action taken with the
classified traffic. The following two modes support policing actions for Frame Relay, ATM, and
Ethernet:
that would
Layer against
2 transport
overcommitted
a Layer 3 information rate
Single-ratetechnology
policer Policed
trafficallow
is checked
a single
infrastructure.
(CIR).
Layer 2 Policed
VPN Architectures
introduces
readers
to Layer
Virtual
Private
policer
traffic is checked
against
two rates:
CIR2and
peak
information
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via
This policer for IP networks is modeled after the Frame Relay policer.
assists can
readers
to meet those
requirements
by explaining the
The two policing modes
havelooking
color-awareness
enabled
or disabled:
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSColor-blindbased
All the
policed
equally
and version
policed 3
against
the for
same
rate or
cores
andtraffic
Layeris2 treated
Tunneling
Protocol
(L2TPv3)
native
rates.
Color-aware
A user-defined
criteria
policed
traffic
and
against
comparing
them to
those preclassifies
of Layer 3 based
VPNs,
such
aschecks
MPLS, itthen
different rates
depending covering
on the preclassification
To solution
this extent,
you can
use the
progressively
each currently result.
available
in greater
detail.
conform-action and exceed-action commands under the police configuration mode to
color traffic to be policed. Packets that are not classified under either the conformaction or exceed-action class belong to the violate-action class.
Dual-rate
rate (PIR).
Example 9-62 shows a single bucket color-blind policing action.
Example 9-62. Single Bucket, Color-Blind Policing
hostname PE1
!
class-map match-any all_traffic
match any
!
policy-map policing
class all_traffic
police cir 128000
conform-action
set-mpls-exp-transmit
5
Pub Date:
March 10, 2005
exceed-action drop
ISBN: 1-58705-168-0
! Table of
Pages:
648
Contents ATM4/0.2 point-to-point
interface
Index
description
*** Cell VC AToM to CE1 ***
encapsulation aal0
Master
service-policy
in policing
productivity gains
about
Layer 2 Virtual
Private
(VPNs)
A dual rate color-awareLearn
policer
configuration
is included
in Networks
Example 9-66
in Case Study 9-17.
Cisco IOS implements the single rate three-color policer based on RFC 2697 and the dual rate
three-color policer based on RFC 2698.
ATOM andand
L2TPShaping
protocols
Case Study 9-15:both
Queuing
Review
strategies
that allow
enterprise
customers
to enhance
In general, the following
features
are supported
forlarge
queuing
and shaping
actions:
Forqueuing
a majority
of Service
a significant
portion
their
revenues
Low-latency
(LLQ),
also Providers,
called priority
queuing
(PQ)ofThe
LLQ
is a strict
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
priority first-in, first-out (FIFO) queue. Strict priority queuing allows delay-sensitive data
Although
Layer 3 MPLS
VPNs
fulfill theand
market
needbefore
for some
to receive a technologies.
preferential queuing
treatment
by being
dequeued
serviced
any
other queues.
backbone
while
new
carriers(CBWFQ)
would likeCBWFQ
to sell the
lucrative
2 based on
Class-based
weighted
fair
queuing
provides
fair Layer
queuing
services
over
their
existing
Layer
3
cores.
The
solution
in
these
cases
is a
defined classes with no strict priority. The weight for a packet that belongs to a specific
technology
that would that
allowyou
Layer
2 transport
a Layer 3
class is given
from the bandwidth
assigned
to theover
class.
infrastructure.
Byte-based weighted random early detection (WRED) WRED drops packets
Layer on
2 VPN
ArchitecturesThe
introduces
readers
to Layer 2
Virtual
Private
selectively based
IP precedence.
higher the
IP precedence,
the
less likely
packets
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via
are to be dropped.
assists
readers
looking
to meet
those
requirements
by explaining
You can see egress
queuing
policies
to provide
CIR
guarantees
in Example
9-63. the
cores andConfiguration
Layer 2 Tunnelingfor
Protocol
version 3 (L2TPv3)
for native
Example 9-63.
Queuing
CIR Guarantees
in Frame
IP
cores.
The
structure
of
this
book
is
focused
on
first
introducing
the
Relay Pseudowires
!
hostname PE1
!
class-map match-all CustomerA
match fr-dlci 100
class-map match-all CustomerB
match fr-dlci 200
!
policy-map CIR_guarantee
class CustomerA
bandwidth 128
class CustomerB
bandwidth 256
!
interface Serial3/1
no ip address No. 4460,Anthony Chan, - CCIE No. 10,266
service-policy output CIR_guarantee
encapsulation frame-relay
frame-relay intf-type
Pub Date:dce
March 10, 2005
!
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
In this example, customers use two seperate DLCIs in the same Frame Relay interface. Using a
different class-map for each DLCI allows you to apply CBWFQ with the bandwidth command
to each class for each DLCI. In addition, FRoMPLS supports traffic shaping and ATMoMPLS
Master
the world
of Layer
supports class-based
shaping
on ATM
VCs. 2 VPNs to provide enhanced services and enjoy
productivity gains
You can accomplish per-class traffic shaping for ATM PVC and PVP ACs with the ATM PVC and
PVP service type configuration using the following commands:
cbr {PCR}
ubr {PCR}
vbr-rt {PCR} {SCR}
[MBS]and L2TP protocols
both ATOM
vbr-nrt {PCR} {SCR}
Review[MBS]

Note
The distributed
forms
of these
supported
in like
distributed
legacy
Layer
2 andfeatures
Layer 3 are
networks
would
to moveswitching
toward a single
platforms, such
as the while
Cisco new
7500carriers
series. would like to sell the lucrative Layer 2
backbone
infrastructure.
All queuing and shaping features are applied in the outbound direction. Marking and policing
are input policies.Layer 2 VPN Architectures introduces readers to Layer 2 Virtual Private
assists Intermediate
readers looking to Markings
Case Study 9-16:
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSIn this case study, you learn how to apply QoS actions on an egress interface based on
matching criteria used at the ingress interface. This can be useful, for example, to match traffic
based on MPLS Exp bits from the MPLS network and perform a policy action on packets going
out of the egress interface.
Two internal markings called qos-group and discard-class preserve the classification that
happened before the MPLS header popping operation. This classification would otherwise be
lost when applying an output service-policy on the AC. The QoS group ID identifies an internal
class, and the Discard Class identifies an internal precedence. These two intermediate markings
"remember" the classification from the MPLS network. You can use the intermediate step to
mark traffic from the MPLS network with a qos-group ID and use this qos-group ID to apply
policy actions on the egress interface. Example 9-64 shows you how to set the ATM CLP bit in
cells going toward the CE device based on the MPLS Exp bits received from the P router.
Example 9-64. Intermediate Marking

!
hostname PE1 ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
!
class-map match-all exp3
match mpls experimental
3 Press
Publisher: Cisco
class-map match-all
qosg_class
match qos-group 1
ISBN: 1-58705-168-0
Table of
!
Pages:
648
Contents clp1
policy-map
Index qosg_class
class
set atm-clp
policy-map qosg
class exp3
Master
set qos-group
1
productivity gains
!
interface Serial4/0
mpls ip
service-policy input
qosgcosts and extend the reach of your services by unifying your
Reduce
!
interface ATM5/0
no ip address
encapsulation aal5
xconnect 10.1.1.2Review
100 encapsulation
mpls large enterprise customers to enhance
service-policy out
clp1
their
!
!
You can see fromlegacy
Example
9-64
that Layer
the service-policy
qosg is
applied
to traffic
coming
into the
Layer
2 and
3 networks would
like
to move
toward
a single
PE device from the
P routerwhile
on interface
Serial4/0.
With
service-policy,
with
backbone
new carriers
would
likethis
to sell
the lucrativeMPLS
Layerpackets
2
Exp = 3 (from theservices
class exp3)
with
the3qos-group
1. On AC
over are
theirmarked
existing
Layer
cores. Theofsolution
in PVC
these0/100
casesinis a
ATM5/0, the outbound
service-policy
clp1
is applied.
serviceover
policy
sets the
technology
that would
allow
Layer 2This
transport
a Layer
3 ATM CLP bit for
cells that were previously
marked
with
a
qos-group
of
1.
With
this
internal
qos-group
ID
infrastructure.
marking, a classification is conveyed from one interface to another.
introductory
case
studies and Matching
comprehensive
design
Case Study 9-17:
Layer
2Specific
and
Setting
Different Layer 2 protocols comprise different characteristics and sometimes have an impact on
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSthe QoS configuration. This case study discusses the protocol-specific QoS characteristics and
configuration.Table 9-2 outlines the different matching and setting criteria based on Layer 2
protocol.
Table 9-2. Layer 2-Specific Matching and Marking Criteria

Layer 2 Protocol
Matching
Setting
13,291,Carlos Pignataro, - CCIE
Ethernet
match cos
match vlan
set cos
Frame Relay
Table of
ATMContents
Pub Date: Marchmatch

10, 2005 fr-de
match fr-dlci
ISBN: 1-58705-168-0
Pages: 648
match atm clp
set fr-de
set fr-fecn-becn
set atm-clp
Index
Ethernet over MPLS QoS

productivity
Ethernet frames that
use IEEEgains
802.1q encapsulation contain the 802.1p CoS bits, which you
can use for traffic classification (see Example 9-65).
Example 9-65. Traffic

ReduceClassification
hostname PE1
!
class-map match-any cos2
match cos 2
!
policy-map eompls3
class cos2 For a majority of Service Providers, a significant portion of their revenues
are still derived
set mpls experimental
3 from data and voice services based on legacy transport
class class-default
customers, they
0 have some drawbacks. Ideally, carriers with existing
!
services
over
description ***
To CE1
***
encapsulation technology
dot1Q 10 that would allow Layer 2 transport over a Layer 3
infrastructure.
xconnect 10.1.1.2
service-policy input eompls3
InExample 9-65, assists
the Expreaders
bits arelooking
set to 3tofor
traffic
matching
a CoS value
of 2, andthe
the rest of
meet
those
requirements
by explaining
the traffic alwayshistory
matches
the
default class, which
thetwo
Exptechnologies
bits to 0. Besides
traffic
and
implementation
detailssets
of the
available
from
marking, policingthe
is also
supported.
Cisco
In EoMPLS, the service
policy
applied on
EoMPLS
and in the
IP cores.
Theisstructure
of the
this main
book interface
is focusedfor
onport
firstmode
introducing
the
subinterface for VLAN
mode
EoMPLS.
reader
to Layer
Some platforms support
a match
vlan classification
directive
forsolution
a VLAN in
range,
as detail.
follows:
progressively
covering
each currently
available
greater
class-map match-any ethernet
match vlan 3-5
However, no platforms support a set vlan policy or include a set vlan command. The VLAN
rewrite configuration was covered in detail in Chapter 7, "LAN Protocols over MPLS Case
Studies."
Frame Relay over MPLS QoS

With FRoMPLS, you can match traffic using Frame Relay specific fields. The following QoS
directives are specific to Frame Relay:
Matching:
match fr-de
ISBN: 1-58705-168-0
Table ofmatch fr-dlci
Pages:
648
Contents
Index match fr-dlci range
Setting:
set fr-de
productivity gains
set fr-fecn-becn
about
Layer 2 Virtual
Private
(VPNs)
Example 9-66 shows a Learn
dual-rate
color-aware
policer
using Networks
Frame Relay-specific
fields.
Example 9-66.
Dual-Rate
Color-Aware Policer
hostname PE1
!
class-map match-anyReview
FR_DLCI_100
match fr-dlci 100their service offerings while maintaining routing control
class-map match-any FR_DE0
match not fr-de
!
policy-map FR_Policing
class FR_DLCI_100
police cir 64000 pir 128000
conform-color FR_DE0
conform-action set-mpls-exp-transmit 5
exceed-action set-mpls-exp-transmit 2
infrastructure.
violate-action drop
class class-default
history
details
the does
two technologies
from
In the FR_DE0 class,
theand
notimplementation
qualifier matches
trafficofthat
not have theavailable
DE bit set.
The
the
Cisco
Unified
VPN
suite:
Any
Transport
over
MPLS
(ATOM)
for
MPLSFR_DE0 class is used for the color.
cores. The
structure
of this
book
is focused
on first
This policer allowsIPpolicing
traffic
according
to the
color
classification
of introducing
whether thethe
discard
Layer 2Frame
VPN benefits
and implementation
requirements
and
eligible (DE) bit isreader
set in to
incoming
Relay frames.
With this policy,
only packets
that do
comparing
them toCIR
those
ofPIR.
Layer
3 based
VPNs,
suchthe
as MPLS,
not have DE set are
policed against
and
Packets
that
do have
DE bit then
set are not
progressively
covering
currently
available solution
inthey
greater
treated as conforming.
They are
policed each
against
PIR to determine
whether
are detail.
exceeding
or violating.
To apply this policy, you need to create a subinterface effectively to map to the Frame Relay
PVC. This is accomplished with the command switched-dlci in Cisco 12000 series router
platforms (see Example 9-67).
Example 9-67. Mapping a Subinterface to the Frame Relay PVC
interface POS4/0
encapsulation frame-relay cisco
!
interfacePOS4/0.1
point-to-point
switched-dlci By
100
4460,Anthony
service-policyNo.input
FR_Policing
!
connect frompls101
POS4/0
100
l2transport
Publisher:
Cisco
Press
xconnect 10.0.0.203
70 March
encapsulation
mpls
Pub Date:
10, 2005
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
Indexthe FR_Policing policy to the point-to-point subinterface POS4/0.1 effectively applies
Applying
the policy to the local AC that is defined with the connect command.
ATM over MPLS
QoS
productivity gains
Currently, the only ATM-specific field for matching or setting is the cell loss priority (CLP) bit in
the ATM Cell header. For
ATMabout
over Layer
MPLS,2you
can Private
apply a Networks
service policy
under an interface, a
Learn
Virtual
(VPNs)
subinterface, or a PVC.
You can use the commands
match
atm clp and set atm-clp to match and set the ATM CLP
network
architecture
bit, respectively.
how to
use
these
two commands.
both ATOM
and
L2TP
protocols

their service
offerings
whileATM
maintaining
Example 9-68. Matching
and
Setting
CLP routing control
!
hostname PE1 technologies. Although Layer 3 MPLS VPNs fulfill the market need for some
!
legacy not-clp
class-map match-all
backbone
match not atm clp
services
over
policy-map exp-4
class not-clptechnology that would allow Layer 2 transport over a Layer 3
infrastructure.
4
policy-map atm-clp
class class-default
set atm-clp Network (VPN) concepts, and describes Layer 2 VPN techniques via
!
interface ATM5/0
Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSencapsulationthe
aal5
based cores
and Layer 2 Tunneling
xconnect 10.1.1.2
100 encapsulation
mpls Protocol version 3 (L2TPv3) for native
IP cores.
service-policy
input The
exp-4
reader
to Layer
service-policy
output
atm-clp
comparing
them
!
progressively
covering
!
You can see in Example 9-68 that because of the qualifier not, the class-map not-clp matches
on all incoming ATM cells in PVC 0/100 that have the CLP bit clear. All AToM packets that
encapsulate these matched cells have the MPLS Exp bits set to a value of 4. In addition, the
service policy atm-clp that is applied in the same PVC in the outbound direction is setting the
ATM CLP bit for all cells out of the PVC, because the set atm-clp directive is applied to the
class-default for all outbound ATM cells.

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.

Summary By
Deploying pseudowire
emulation
in MPLS networks can be a rather sophisticated task
Publisher:
Cisco services
Press
when you take factors
routing,
Pubsuch
Date:as
March
10, 2005network resource utilization, and path protection into
account. This chapter discussed some of the most common but complex deployment scenarios
ISBN: 1-58705-168-0
Table ofencounter when offering pseudowire emulation services, as follows:
you might
Contents
Index
Pages: 648
Load share across multiple equal-cost paths.

Forward pseudowire traffic through a preferred path using the IP Routing protocol.
Direct pseudowire
trafficgains
through an explicit path using an MPLS traffic engineering
productivity
tunnel.
Dynamically routeLearn
pseudowire
traffic2through
an MPLS
traffic engineering
tunnel with a
about Layer
Virtual Private
Networks
(VPNs)
specific bandwidth requirement.
Protect pseudowire
traffic architecture
from pocket loss with the MPLS traffic engineering fast reroute
network
capability.
Provide inter-AS pseudowire
connectivity
through dedicated circuits.
both ATOM and
L2TP protocols
Provide inter-AS pseudowire
connectivity
using
BGPenterprise
IPv4 label customers
distributiontoand
IGP
Review strategies
that allow
large
enhance
redistribution.
Provide inter-AS
and improve
scalability
with
label
For apseudowire
majority of connectivity
Service Providers,
a significant
portion
ofBGP
theirIPv4
revenues
distribution are
and still
IBGP
peering.
derived
Authenticatecustomers,
for pseudowire
they signaling.
Verify pseudowire
datawhile
connectivity
and provide
troubleshooting.
backbone
new carriers
would like
Configure general and protocol-specific pseudowire QoS.
infrastructure.
This is not intended to be an exhaustive list of all possible deployment scenarios for AToM.
Rather, it serves as a building block for more complex deployment of a large scale.

Part IV: Layer 2 Tunneling Protocol

Version 3
Table of
Contents
Chapter 10
Index
ISBN: 1-58705-168-0
Pages: 648
Understanding L2TPv3
Chapter 11
LAN Protocols over L2TPv3 Case Studies
Chapter 12
WAN Protocols over L2TPv3 Case Studies
MasterAdvanced
the worldL2TPv3
of Layer
2 VPNs
Chapter 13
Case
Studies
productivity gains
infrastructure.

Chapter 10. Understanding L2TPv3

Cisco Press
the following
topics:
ISBN: 1-58705-168-0
Table of
Interface
Universal Transport
Pages:
648
Contents
Index
L2TPv3
As mentioned in Chapter 3, "Layer 2 VPN Architectures," Layer 2 Tunnel Protocol Version 3

(L2TPv3) is an IP-based solution in the Cisco Unified VPN Suite that provides pseudowire
Masterofthe
world
of Layer 2including
VPNs to provide
enhanced
services
and enjoy
emulation for a variety
Layer
2 protocols,
Ethernet,
High-Level
Data Link
Control
productivity
gains
(HDLC), PPP, Frame Relay, and ATM. The base L2TPv3 protocol, which includes the control
protocol and data encapsulation, is defined in the Layer 2 Tunnel Protocol Extensions (l2tpext)
working group. At the time of this writing, the L2TPv3 base draft had not reached RFC status.
Supplemental specifications that are particular to the data link protocols such as ATM are
defined in separate drafts.
This chapter examines the base L2TPv3 protocol by first reviewing the history of its
development from its prestandard
beginnings.
exploration
theapplication
protocol's evolution
Gain from the
first book This
to address
Layerinto
2 VPN
utilizing is
then followed by an examination
of
L2TPv3's
data
encapsulation
and
control
channel
signaling.
infrastructure.

Universal By
Transport
Interface: L2TPv3's Predecessor
The prestandard predecessor

for L2TPv3
was a Cisco proprietary protocol known as Universal
Publisher: Cisco
Press
Transport Interface (UTI).
UTI's
was to provide a high-performance IP-based tunneling
Pub Date:
Marchgoal
10, 2005
mechanism for circuit-like Layer 2 connectivity (that is, pseudowire) over a packet-based core.
ISBN: 1-58705-168-0
Table
of inherent signaling mechanism. Layer 2 frames from the attachment circuits are
UTI has
no
Pages:
648
Contents with the necessary
encapsulated
UTI formatting and are forwarded towards the remote
Index After the received frame is validated, the original data-link payload is forwarded out
endpoint.
the appropriate attachment circuit. Figure 10-1 illustrates this connectivity model.
productivity
gains
Figure
10-1. UTI Connectivity Model
R1 and R2 are provider
routers
connectivity
each
IP core.
legacy edge
Layer(PE)
2 and
Layerwith
3 networks
wouldtolike
to other
move through
toward aan
single
These PE routers backbone
provide pseudowire
connectivity
via
two
separate
UTI
tunnels:
Tunnel
1 for
the serial line connectivity
between
the
customer
edge
(CE)
routers,
R3
and
R4,
and
Tunnel
services over their existing Layer 3 cores. The solution in these cases is a 2
for Ethernet connectivity
between
LAN 1allow
and LAN
2.2Assuming
serial
lines3are using Frame
technology
that would
Layer
transportthe
over
a Layer
Relay encapsulation,
a
Frame
Relay
frame
from
R3
is
encapsulated
with
a
UTI header for UTI
infrastructure.
Tunnel 1 and an IP header with the destination address of R2. After R2 verifies the UTI header
contents, it de-encapsulates
original Layer
2 payload
and sends
it to2R4.
Likewise,
LAN 1
Layer 2 VPN the
Architectures
introduces
readers
to Layer
Virtual
Private
and LAN 2 are essentially
across UTI
Tunnel
2 in aLayer
similar
fashion.
Network bridged
(VPN) concepts,
and
describes
2 VPN
techniques via
UTI also attemptsassists
to optimize
performance
by avoiding
suboptimal tunnel
identification
readers
looking to meet
those requirements
by explaining
the and
parsing schemes history
that areand
present
in
other
tunneling
protocols.
For
example,
generic
implementation details of the two technologies availablerouting
from
encapsulation (GRE)
tunnel
identification
requires
a lookup on
a combination
of the
source and
Any Transport
over
MPLS (ATOM)
for MPLSdestination address
paircores
or tunnel
key depending
on RFC
implementation:
RFC 2784,
RFC 1701,
based
and Layer
2 Tunneling
Protocol
version 3 (L2TPv3)
for native
or RFC 2890. UTI's
encapsulation
shown
in
Figure
10-2
is
designed
to
avoid
some
of
the
overhead that is required
tunnel
identification
and implementation
parsing by means
of a tunnel ID
reader toinLayer
2 VPN
benefits and
requirements
andthat
identifies the tunnel
context
on
the
de-encapsulating
system.
Figure 10-2. UTI Encapsulation

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
The UTI encapsulation consists of the following fields:
costs and
extend
theheader
reach of
your
services
your
Delivery HeaderReduce
The Delivery
Header
is the
that
carries
the by
UTIunifying
packet across
network
architecture
the packet core. Although this header can be an IPv4 or IPv6 header, the initial Cisco
implementation supports only an IPv4 header without IPv4 options and an IP protocol
number of 120. Fragmentation is not supported, so the IPv4 Don't Fragment (DF) bit is
set. Therefore, the IP MTU of any intermediate links along the tunnel path should be
sufficiently large to
carrystrategies
the largestthat
Layer
2 packet.
Review
allow
UTI Payload Independent Header The Payload Independent Header is composed of
the followingFor
two
subcomponents:
a majority
Tunnel Identifier The Tunnel Identifier, sometimes referred to as a Session
Identifier, is a 4-octet value that distinguishes the tunnel at the de-encapsulating
endpoint. The Tunnel Identifier represents a unidirectional session. A bidirectional
tunnel has two identifiers: a local and remote value. If the tunnel identifier does not
match the tunnel value on the de-encapsulating endpoint, the packet is discarded.
The UTI specification reserves value 0x00000000 and limits the user-defined tunnel
identifier to the first 10 bits, leaving 1023 available values.
infrastructure.
Tunnel Key The Tunnel Key is an 8-octet field used to avoid misconfiguration or
malicious attempts that lead to inserting unwanted traffic into the Layer 2 stream.
The tunnel key value must match on both ends of the de-encapsulating endpoint;
otherwise, the packet is discarded. The tunnel key is configured using a high key
(the most significant 4 bytes) and low key value (the least significant 4 bytes).
the Cisco Unified
VPN suite:
Transport over MPLS
(ATOM)
for any
MPLSUTI Payload-Dependent
Header
The Any
Payload-Dependent
Header
contains
payload
based
cores
and
Layer
2
Tunneling
Protocol
version
3
(L2TPv3)
for
native2
information that is essential for the egress PE to properly forward the original Layer
IP the
cores.
of this book isdoes
focused
on firstthis
introducing
the and is
frame toward
CE.The
Thestructure
Cisco implementation
not define
header value
reader
to
Layer
2
VPN
benefits
and
implementation
requirements
and
not used.
progressively
each
currently
available
in greater
detail.
UTI Alignment
Paddingcovering
Alignment
Padding
ensures
that solution
the payload
is aligned
to a
byte boundary that might assist implementations to more efficiently parse the payload.
Although this field is defined in the UTI specification, Alignment Padding was never used in
the initial Cisco implementation.
Payload Payload is the original data link layer frame transported by UTI. This can be a
Frame Relay, Ethernet, HDLC, or PPP frame.
Although UTI fulfilled its original goal of providing pseudowire connectivity, it had some
limitations. As mentioned earlier in this section, one of UTI's restrictions is that it does not
support IP fragmentation; therefore, the end-to-end packet-switched core MTU must be

greater than the size of the UTI encapsulated packet.
Layer 2 UTI
VPN eventually
Architectures added support for an optional keepalive mechanism, this
Furthermore, although
only detected whether
the -remote
was
no longer
reachable
and Bokotey,
had no -granularity
at
ByWei Luo,
CCIE No.endpoint
13,291,Carlos
Pignataro,
- CCIE
No. 4619,Dmitry
CCIE
a pseudowire level.
noChan,
inherent
No.Because
4460,Anthony
- CCIEsignaling
No. 10,266 method was available, UTI could not signal
an individual pseudowire state. For example, in Figures 10-1, if R3's Frame Relay permanent
virtual circuit (PVC) Publisher:
failed, the
PEPress
routers would not have a way to signal that information to
Cisco
each other so that R2
could signal that information via Local Management Interface (LMI) to
R4. Instead, R4 and R2 would consider the Frame Relay PVC to be active, and R2 would
ISBN: 1-58705-168-0
Tablesending
of
continue
Frame Relay traffic to the opposing PE router.
Pages: 648
Contents
Another
IndexUTI limitation was the lack of a signaling protocol, which required that Tunnel
Identifiers and Tunnel Keys be manually configured and preprovisioned on each PE router for
each pseudowire. Although some providers might prefer the simplicity of manual provisioning,
this can be operationally infeasible for large deployments.
gains protocol. As such, it prohibited multivendor interoperable
Finally, UTI was aproductivity
Cisco proprietary
implementations. An open standards-based IP pseudowire solution that overcame these
limitations was required.
infrastructure.

Introducing
L2TPv3
L2TPv3 is the IETF standard's

track
successor to UTI for Layer 2 Tunneling. To overcome some
Publisher: Cisco
Press
of the limitations that
UTI
possessed,
L2TPv3 built upon UTI's encapsulation format and
Pub
Date:
March 10, 2005
coupled it with an optional signaling mechanism that heavily borrowed from L2TPv2's control
ISBN: 1-58705-168-0
Table
of
plane
to provide
pseudowire connectivity (L2TPv2 is described in RFC 2661, "Layer 2 Tunneling
Pages:
648
Contents
Protocol
'L2TP'").
Index
Figure 10-3 shows the L2TPv3 connectivity model. L2TPv3's control messages are sent inband
using the same packet core path as the data traffic. Each pseudowire is maintained through
separate L2TPv3 data sessions similar to UTI tunnels: one for the Frame Relay PVC between R3
Mastersession
the world
Layer 2 VPNs
to provide
enhanced
and enjoy
and R4, and a separate
forof
connectivity
between
LAN 1
and LAN services
2.
productivity gains
Figure 10-3. L2TPv3 Connectivity Model
L2TPv3's signaling protocol is optional. Therefore, it can operate in the same way as UTI:
manually defined static sessions with or without a keepalive mechanism for dead peer
infrastructure.
detection. However, with its signaling protocol enabled, L2TPv3 can signal individual
attachment circuitLayer
states
per pseudowire
dynamically
negotiate
values
for Session
2 VPN
Architecturesand
introduces
readers
to Layer
2 Virtual
Private
Identifiers and Key
values
without
having
predefined
values
on
each
PE
router.
The
Network (VPN) concepts, and describes Layer 2 VPN techniques
viabase
L2TPv3 protocol essentially
accomplishes
this
by
extending
L2TPv2's
control
channel
introductory case studies and comprehensive design scenarios. Thissignaling
book
by supporting additional
attributes
that are
passed
in message
formats
to the
as Attributeassists readers
looking
to meet
those
requirements
by referred
explaining
Value Pairs (AVPs).
The next
two sections examine
data
encapsulation
and control
history
and implementation
detailsL2TPv3's
of the two
technologies
available
from
plane in more detail.
L2TPv3 Datareader
Encapsulation
progressively
covering each
currently
availableand
solution
in greater
As mentioned in Chapter
2, "Pseudowire
Emulation
Framework
Standards,"
thedetail.
IETF
Pseudowire Emulation Edge to Edge (PWE3) group laid some of the framework and specified
requirements for a pseudowire emulation protocol. One of the architecture aspects explored in
the PWE3 architecture draft was the Pseudowire Protocol Layering Model. To understand
L2TPv3's frame encapsulation, this section describes each of the encapsulation components of
L2TPv3 and, where applicable, relates it to the Pseudowire Emulation Protocol Layer subset
shown in Figure 10-4.
Figure 10-4. Pseudowire

Emulation
Protocol
Layers
Layer
2 VPN Architectures
No. 4460,Anthony
Packet-Switched
Network
(PSN Layer)
Demultiplexing Sublayer
Encapsulation Sublayer
(Optional)
ISBN: 1-58705-168-0
Table of
Contents
Index
Pages: 648
Payload
Packet-Switched Network Layer
productivity gains
Unlike Any Transport over MPLS (AToM), which uses an outer MPLS label-to-label switch traffic
to the far-end PE, L2TPv3 expects an IP-based packet core (IPv4 or IPv6). The L2TPv3 draft
specifies two alternative
delivery
header
Figure 10-5:
Learn
about
Layerencapsulations,
2 Virtual Privateillustrated
Networksin
(VPNs)
Plain IP
IP/UDP
Figure 10-5.
L2TPv3
Packet-Switched
Layer
their service
offerings
while maintainingNetwork
routing control

[Viewand
full size
image]
voice
infrastructure.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSL2TPv3 with IPv4based
encapsulation
uses
a standard
20-byte
IPv4version
header3without
options,
using an
cores and
Layer
2 Tunneling
Protocol
(L2TPv3)
for native
IP protocol ID of 115.
Unlike
UTI,
however,
L2TPv3
does
support
fragmentation
utilizing
IP cores. The structure of this book is focused on first introducing the a Path
Maximum Transmission
(PMTU)
discovery
This mechanism
is discussed
reader Unit
to Layer
2 VPN
benefitsmechanism.
and implementation
requirements
and in
Chapter 13, "Advanced
L2TPv3
Case
Studies."
comparing
them
to those
L2TPv3 with an IPv4/UDP encapsulation uses a standard 20-byte IPv4 header without options
and contains an IP protocol value of 17 to signify a UDP payload. The IP header is then followed
by a UDP header with the requirement that the UDP destination port be 1701 for initial control
channel signaling. The IP or IP/UDP header in L2TPv3 satisfies the packet-switched network
(PSN) layer mentioned in Chapter 2.
Compared to IPv4 encapsulation, one of the advantages of using IPv4/UDP encapsulation is
that it is friendlier to applications such as Network Address Translation (NAT). Furthermore,
IPv4 encapsulation provides only a header checksum, whereas UDP also offers a checksum that
verifies payload integrity. This could be an issue especially when you are dealing with and
confirming the reliability of L2TPv3 control messages, which are covered in the section "L2TPv3
Control Connection," later in this chapter.
Note
The Cisco implementation of L2TPv3 only supports IPv4 header encapsulation for the
L2TPv3 Delivery Header. As such, the remainder of this chapter focuses on the IPv4
ISBN: 1-58705-168-0
L2TPv3
Table of implementation.
Contents
Index
Pages: 648
The L2TPv3 Demultiplexing
Sublayer
productivity
gains field allows the IPv4 tunnel (an IPv4 source and
destination pair) to carry and demultiplex multiple pseudowires. This field is the equivalent of
the Demultiplexing Sublayer described in Chapter 2. L2TPv3 supports demultiplexing through a
Learn
about Layer
2 Virtual
Private
Networks
(VPNs)
combination of a Session
Identifier
and Cookie
values
shown
in Figure
10-6.
Figure 10-6. L2TPv3 Demultiplexer Field

infrastructure.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSNote
the L2TPv3
field for an IP implementation.
The
reader to Layer
2 VPN Demultiplexer
benefits and implementation
requirements and
L2TPv3 Demultiplexer
in to
anthose
IP/UDP
contains
in addition
comparingfield
them
of implementation
Layer 3 based VPNs,
suchfields
as MPLS,
then to
the Session Identifier
and covering
Cookie toeach
differentiate
coexistsolution
with other
Layer 2detail.
progressively
currentlyand
available
in greater
tunneling protocols such as L2TPv2 and Layer 2 Forwarding (L2F).
The Session Identifier is a 4-byte field with a nonzero value that identifies a specific L2TPv3
session between two tunnel endpoints. A Session ID value of 0 is reserved for control channel
communication. Like the Tunnel Identifier in UTI, the Session Identifier is locally significant;
therefore, it utilizes a local and remote value to represent a bidirectional session.
The Cookie field fulfills the same role as the UTI Tunnel Key. It is an optional layer containing a
variable length field (maximum of 64 bits) that protects against inadvertent insertion of Layer 2
frames into the tunnel through either misconfiguration or malicious blind attacks. When the
Cookie field is negotiated through the control channel, it is consistent throughout the duration
of the session. Layer 2 VPN Architectures
From a security perspective,

the
Cookie
provides
No. 4460,Anthony
Chan,
- CCIE
No. 10,266a lightweight security option on the L2TPv3
payload; therefore, it covers just a small subset of attacks known as blind insertion attacks .
The blind insertion attack
assumes
that the attacker can inject data into the core but cannot
Publisher:
Cisco Press
sniff out data within Pub
the Date:
PSN March
core.10,
Assuming
that the Session Identifier is predictable, the only
2005
barrier restricting the attacker from injecting traffic into a Layer 2 stream is to guess this
ISBN: 1-58705-168-0
Table
of
random
Cookie
value. The maximum field length is 64 bits because such a value makes it
Pages:
648
Contents
infeasible
from a resource perspective
to perform a brute force attack. For example, a brute
Index
force
attack to insert a 40-byte spoofed packet into a tunnelassuming the attacker can inject
data at an OC-192 ratewould require approximately 18,000 years.
The Cisco implementation allows for the Session Identifier and Cookie to be either manually
Master
the
world oforLayer
2 VPNsover
to provide
enhanced
services
and
enjoy
predefined on each
tunnel
endpoint
negotiated
the L2TPv3
control
channel.
The
Cookie
productivity
gains
field can be negotiated
to a 0-,
4-, or 8-byte field size, depending on the platform restrictions.
Encapsulation Sublayer
network
architecture
L2TPv3 uses an optional
field, referred
to as an Layer 2-Specific Sublayer, to convey
information that is not carried in the Layer 2 Payload but that is required for the tunnel defrom thereconstruct
first book to
address
2 VPN
utilizing
encapsulating endpointGain
to properly
the
Layer 2Layer
Payload
andapplication
send the frame
to the
both
ATOM
and
L2TP
protocols
CE device. This field is the equivalent of the optional Encapsulation Sublayer that is defined in
the Pseudowire Emulation Protocol Layers.
service
offerings
while
maintaining
routing
control in Figure 10-7
The L2TPv3 base draft their
specifies
a default
Layer
2-Specific
Sublayer
illustrated
that you use if it meets the Layer 2 Payload requirements. Otherwise, you can define alternate
For a majority
of Service
Providers,
a significant
of their revenues
Layer 2-Specific Sublayers
and use
them as
negotiated
through anportion
Layer 2-Specific
Sublayer
are
still
derived
from
data
and
voice
services
based
on
legacy
transport to
Type AVP control message. A Data Sequencing AVP is signaled during session negotiation
technologies.
Layer
3 MPLS
fulfillneeds
the market
need for some
determine whether
sequencing Although
is required
or what
typeVPNs
of traffic
to be sequenced.
services
over
their existing
Layer
3 cores.
The solution
in these cases is a
Figure
10-7.
L2TPv3
Default
Layer
2-Specific
Sublayer
infrastructure.
A Sequence bit (S-bit) set to 1 indicates that the 24-bit Sequence Number field contains a valid
value. When the S-bit is not set, the de-encapsulating endpoint must ignore the Sequence
Number field. The Sequence Number in the remainder of the default Layer 2-Specific Sublayer
is a 24-bit field containing a free-running counter that starts at 0.
Layer 2 VPN
Architectures
If sequencing is enabled,
the
current expected sequence number on the receiving device is
equal to the previous
ofCarlos
the Pignataro,
last in-order
plus
1.Bokotey,
Sequenced
ByWeisequence
Luo, - CCIEnumber
No. 13,291,
- CCIEpacket
No. 4619,
Dmitry
- CCIEL2TPv3
data is accepted ifNo.the
stored
sequence
number
is equal to or greater than the current
4460,
Anthony
Chan, - CCIE
No. 10,266
expected sequence number. Any other packets that do not fit this description are either out-oforder or duplicate packets
and
are
discarded. Because of the finite range of sequence numbers,
Publisher:
Cisco
Press
you must take the wrapping
of the field into account by tracking a window of sequence
numbers greater than the current expected value. The recommended default range is equal to
ISBN: 1-58705-168-0
Table
half of
theofavailable sequence number space (224/2=8388608). For example, assuming a
Pages:
Contents
sequence
number field of 24 648
bits, the window range of "new" sequence numbers for the current
Index number of 10,040,243 is 10,040,244 through 1,677,216 and 0 through 3,303,269.
sequence
The Sequence Field allows you to detect lost, duplicate, or out-of-order packets for an
individual session. However, the criticality of preserving the correct ordering depends on the
Master the world
of Layer
2 VPNs
provide
enhanced
enjoy
sensitivity of the encapsulated
Layer
2 traffic.
If thetoLayer
3 traffic
in theservices
Layer 2 and
tunneled
productivity
gains might handle out-of-sequence packets. Therefore, the
frame is IP, the upper
layer protocol
aforementioned Data Sequencing AVP supports the following three options:

No sequencing.
network
architecture
Non-IP data requires
sequencing.
Gain from
All data packets require
sequencing.
The Cisco sequencing implementation only drops out-of-order frames and does not attempt to
Review
strategies
that allow
large enterprise
customers
to behavior
enhance prior
reorder out-of-sequence
packets.
You should
understand
the implications
of this
service
offerings
to enabling sequencingtheir
relative
to the
Layer 2while
protocol.
L2TPv3 Control
Connection
technologies.
L2TPv3 supports an
optional
mechanism,
peer capability
legacy
Layercontrol
2 and connection
Layer 3 networks
would which
like tohandles
move toward
a single
negotiation and detection
addition
pseudowire
maintenance,
teardown.
This
backboneinwhile
newto
carriers
wouldcreation,
like to sell
the lucrativeand
Layer
2
section explores L2TPv3's
control
connection
by examining
control messages
are is a
services over
their
existing Layer
3 cores. how
The solution
in these cases
encapsulated andtechnology
what the different
negotiation
phases
are for control
channel
that would
allow Layer
2 transport
over a Layer
3 initialization and
session negotiation.
infrastructure.
Unlike AToM, which
uses
link Layer
Distribution
Protocolreaders
(LDP) for
LSP tunneling
tunnel
Layer
2 VPN
Architectures
introduces
to Layer
2 Virtual(PSN
Private
signaling) and directed
LDP
for virtual
circuit
(VC)
label distribution
(pseudowire/PE
Network
(VPN)
concepts,
and
describes
Layer 2 VPN
techniques via
maintenance), L2TPv3
utilizescase
a single
reliable,
inband control plane
both purposes.
This
introductory
studies
and comprehensive
designfor
scenarios.
This book
control plane setup
phase
beginslooking
with anto
L2TP
Control
(sometimes
referred
assists
readers
meet
those Connection
requirements
by explaining
the to in
L2TP terminologyhistory
as the and
L2TPimplementation
tunnel) establishment
phase
for advertising
and
negotiating
details of
the two
technologies
available
from
capabilities between
After the
L2TP
Control
Connection
is established,
individual
the peers.
Cisco Unified
VPN
suite:
Any Transport
over
MPLS (ATOM)
for MPLSpseudowire sessions
(referred
to in
L2TP2terminology
as L2TPversion
sessions)
are set up
the
based
cores and
Layer
Tunneling Protocol
3 (L2TPv3)
forinnative
Session Negotiation
phase The
as needed
based
on book
the attachment
IP cores.
structure
of this
is focused circuit
on firststate.
introducing the
Note
There are three variations on the control plane implementation of L2TPv3. L2TPv3 in
its simplest mode of operation, known as Manual Mode , obviates the need for a
control plane protocol and simply requires predefined session IDs and cookies. The
second variation, called Manual Mode with Keepalive , negotiates the Control
Connection phase but not the Session Negotiation phase. This offers a simple deadpeer detection mechanism that is similar to what is available in UTI with keepalives.
Dynamic Mode negotiates both the Control Connection phase as well as the Session
Negotiation phase for each pseudowire session.

ByWeiinLuo,
CCIE No. "Introducing
- CCIE
No. 4619,
Dmitry Bokotey,
- CCIE from
As mentioned earlier
the- section
L2TPv3,"
L2TPv3
essentially
borrowed
No. 4460,Anthony
Chan,and
- CCIE
No. 10,266upon it by defining additional AVPs. These
L2TPv2's control channel
signaling
expanded
AVPs are used as an extensible mechanism to identify message types within the control
channel. In additionPublisher:
to identifying
the nature of the PW session or control channel, the control
Cisco Press
messages can indicate
define
operational state of the attachment circuits. The next
Pubor
Date:
Marchthe
10, 2005
sections describe control message encapsulation and control channel signaling in more detail.
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Control Message Encapsulation

Because the L2TPv3 control channel is sent inband with L2TPv3 data packets, it is necessary to
have some method
of differentiating
from data
packets.
Toenjoy
Master
the world of control
Layer 2channel
VPNs tomessages
provide enhanced
services
and
understand how this
is
accomplished,
you
must
examine
the
control
message
formatting.
productivity gains
Figure 10-6 and 10-7 examined the encapsulation for L2TPv3 data messages only. The
formatting of L2TPv3 control messages over IP differs slightly, as shown in Figure 10-8.
Figure
architecture
10-8.network
L2TPv3
Control Channel Encapsulation over IP
infrastructure.
Figure 10-8 illustrates the encapsulation for L2TPv3 Control Messages, assuming that an IPv4
header is used. As described in the earlier "Demultiplexing Sublayer" section, L2TPv3 data
packets utilize a nonzero Session Identifier. The Session Identifier value of 0 is reserved for
Layer 2 VPNand
Architectures
control channel messages
distinguishes data packets from control messages. The
ByWei
Luo, - to
CCIE
No.control
13,291,Carlos
Pignataro,
- CCIE No. 4619,
Dmitry
- CCIE
remaining fields are
unique
the
message
encapsulation
and
areBokotey,
examined
individually:
T, L, S You must set the Type bit (T-bit) to 1 to indicate that this is a control message.
You must also set the Length bit (L-bit) and Sequence bit (S-bit) to 1 to indicate that
ISBN: 1-58705-168-0
length
Table
of and sequence numbers are present in the L2TPv3 control message header. Do not
Pages:
648
confuse the sequence numbers
with the Sequence Number field in the Layer 2-Specific
Contents
Sublayer. The former are sequence numbers that are used in the control message header
Index
for reliable delivery.
Version The Version field indicates which version of L2TP is in use. Set this value to 3 to
indicate L2TPv3.
productivity gains
Length The Length field indicates the total size of the control message calculated from
the beginning of the message starting with the T-bit.
Control Connection IDThe Control Connection Identifier contains a locally significant
costs
and extend
the tunnel).
reach of The
yournonzero
servicesControl
by unifying
your
field to represent Reduce
the control
channel
(L2TPv3
Connection
network
IDs are exchanged
during architecture
the L2TP Control Channel phase by using the Assigned Control
Connection ID AVP.
both ATOM
andsent,
L2TP indicates
protocolsthe sequence number for this control
Ns Ns, or the sequence
number
message. This field begins at 0 and increments by 1 for each control message that is sent
to the peer.
Nr Nr is the sequence number expected to be received in the next control message. Ns
For aa simple
majority
of Service
Providers,
a significant
their revenues
and Nr provide
sliding
window
mechanism
to handleportion
controlofmessage
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
transmission, retransmission, and detection of lost or duplicate control message
packets.
customers,
they
haveare
some
Ideally,
with existing
Following the control
message
header
onedrawbacks.
or more AVPs.
Eachcarriers
AVP follows
a consistent
legacy
2 and
format that contains
theLayer
following
fields:
M When thetechnology
Mandatory that
bit (M-bit)
is set,Layer
it indicates
that the
associated
would allow
2 transport
over
a Layer 3Control
Connection or
PW Session must be shut down if the recipient does not recognize this AVP.
infrastructure.
If a Control Connection occurs, a Stop Control Connection (STOPCCN) message is sent. If
Layer
2 VPN
Architectures
readers
Layer 2isVirtual
a PW Session
occurs,
a Call
Disconnectintroduces
Notification
(CDN) to
message
sent. Private
H The Hidden
bit (H-bit) case
indicates
to the
whetherdesign
the AVP
content This
is passed
introductory
studies
andrecipient
comprehensive
scenarios.
book in
clear text orassists
obfuscated
in some
manner
to those
hide sensitive
information.
For thisthe
AVP
readers
looking
to meet
requirements
by explaining
encryption to
occur,and
a shared
secret must
be defined
endpoints,
Control from
Message
history
implementation
details
of the on
twoboth
technologies
available
Authentication
enabled,
a Random
Vector over
AVP must
sent. for MPLSthe must
Ciscobe
Unified
VPNand
suite:
Any Transport
MPLS be
(ATOM)
AVP Length
AVPThe
Length
field indicates
the is
length
of the
entire
AVP, as highlighted
in
IPThe
cores.
structure
of this book
focused
on first
introducing
the
Figure 10-8.reader to Layer 2 VPN benefits and implementation requirements and
Vendor ID progressively
The Vendor IDcovering
is a 2-byte
field
that follows
Internet
Assigned
Numbers
each
currently
available
solution
in greater
detail.
Authority (IANA) assigned values that are defined in RFC 1700 in the "SMI Network
Management Private Enterprise Codes" section. This allows vendors to define private
Attribute Types. A Vendor ID field of 0 represents that this Attribute Type is an Internet
Engineering Task Force (IETF) adopted attribute value that is defined in the L2TPv3 base
draft.
Attribute Type The Attribute Type contains a 2-byte field representing the Attribute
Message. You must interpret this field's value relative to the Vendor ID field.
Attribute Value The Attribute Value contains the actual content of the defined Vendor ID
Attribute Type. The length of this field is the Attribute Length minus 6 bytes for Attribute
Header fields.
Wei Luo, - CCIE
No. 13,291,Carlos Pignataro, L2TPv3 ControlByChannel
Signaling
Control channel signaling operates in two phases: control connection establishment followed by
session establishment
(optional).
1-58705-168-0
Figure 10-9 builds uponISBN:
the network
layout in Figure 10-3 and shows the control connection
Table of
establishment
that is required
to build the control channel between the two L2TPv3 endpoints,
Pages:
648
Contents
R1 and R2, and subsequent control channel messages.
Index
Figure
10-9.
Connection
Phase
Master the
worldL2TPv3
of Layer 2Control
VPNs to provide
enhanced
services and enjoy
productivity gains

infrastructure.
Layer 2establishment
VPN Architectures
introduces
readers to
The Control Connection
begins
with a three-way
handshake:
1. After the L2TPv3
peer
defined on the PE
router,
thetwo
Start-Control-Connection-Request
history
andisimplementation
details
of the
(SCCRQ) is sent
to initiate
theVPN
control
channel
to the peer
PEMPLS
device
and tofor
advertise
the Cisco
Unified
suite:
Any Transport
over
(ATOM)
MPLS- the
capabilities that
the
local
PE
can
support.
Several AVPs
must to
beLayer
sent with
this
controland
message.
Two noteworthy
AVPs are
reader
2 VPN
benefits
implementation
requirements
andAssigned
Control Connection
ID, them
whichto
defines
locally
Control
Connection
ID value
comparing
those the
of Layer
3 significant
based VPNs,
such as
MPLS, then
shown in Figure
10-8, andcovering
Pseudowire
List, which
defines
pseudowire
progressively
eachCapabilities
currently available
solution
in the
greater
detail.
types that the local PE router can support. The Pseudowire Capabilities AVP values are
drawn from the MPLS-based Layer 2 pseudowire type described in Chapter 6,
"Understanding Any Transport over MPLS." Table 6-1 illustrates the associated values that
are also used for the L2TPv3 Pseudowire Capabilities List AVP.
2. The peer PE router responds with a Start-Control-Connection-Reply (SCCRP) advertising
its own capability set. The SCCRP message is sent in response to an accepted SCCRQ
message and indicates that the Control Connection establishment can continue. A similar
set of AVPs to those sent in SCCRQ are sent in the SCCRP message. One mandatory AVP
is Assigned Control Connection ID, which identifies the Control Connection ID value that
3.
the peer PE router has selected.

3. Finally, the Start-Control-Connection-Connected (SCCCN) is sent in reply to the SCCRP.
2 VPNacknowledges
Architectures
The SCCCN Layer
message
that the SCCRP was accepted and that the Control
Connection establishment
is complete.
ByWei Luo, - CCIEphase
No. 13,291,
After the Control Connection is established, both peers send hello messages as keepalive
mechanisms during Publisher:
regular intervals
to detect dead peers. If these maintenance messages are
Cisco Press
not received within a hold time period, the PE router can consider the peer unreachable and
send a teardown message for the Control Channel. Because the hello message is
ISBN: 1-58705-168-0
representative
of the Control
Channel, the Session Identifier value in the encapsulation of the
Table of
Pages:
Control
Message is set to 0. 648
Contents
Index
Whether because of hello timer expiration or some other critical error (such as unrecognized
Mandatory AVP), you use a Stop-Control-Connection-Notification (StopCCN) to tear down the
Control Channel. The StopCCN message must contain the Assigned Control Connection ID if
Masterafter
the world
of Layer
2 VPNsmessage.
to provideIncluding
enhanced
services
enjoyID
you send the teardown
an SCCRQ
or SCCRP
the
Controland
Channel
gains that you need to disable. If you send a StopCCN
explicitly defines productivity
the Control Channel
message, not only must you tear down the Control Channel, but you also must implicitly clear
all the associated active sessions that you might have subsequently negotiated.
One of the optional features negotiated during Control Channel establishment is a lightweight
Reduce
costs
and extend
the reach. of
your
security option known as
Control
Message
Authentication
This
authentication
providesyour
peer
network
architecture
authentication and integrity checking against all control messages. Control Message
Authentication performs a one-way hash against the header and body of the control message
Gainbegins
from the
first
to address
Layer
2 VPN
application
(with L2TPv3 over IP, this
after
thebook
Session
Identifier
of 0),
a shared
secretutilizing
both
ATOM
and
L2TP
protocols
preconfigured on both PE routers, and a local and remote nonce value that is passed via the
Control Message Authentication Nonce AVP during Control Connection establishment.

Note
customers,
they have
existing
Earlier versions
of the L2TPv3
basesome
draft drawbacks.
described aIdeally,
form of carriers
Control with
Connection
legacy
Layer
2
and
Layer
3
networks
would
like
to
move
toward
a single
Authentication using a Challenge Handshake Authentication Protocol (CHAP)-like
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
mechanism. The differences between this mechanism and the newer form of Control
services
over
their
existing
Layer
3
cores.
The
solution
in
these
cases
Message Authentication described earlier will be explored in more detail in Chapteris a
11.
infrastructure.
Note
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSWhennonce is used in relation to cryptography, it refers to a random value
generated for onetime use to protect against replay attacks.
each currently
available
in the
greater
detail.
The result of this progressively
hash is passedcovering
via a Message
Digest AVP,
whichsolution
contains
digest
type
specifying the hashing mechanism and a Message Digest field, containing the resultant hash
output.
Upon receipt of the Message Digest AVP, the PE router must perform the same hashing
mechanism and compare the locally computed value to the Message Digest field value it
obtains from the remote PE. If the locally computed value does not match, the PE router must
discard the entire control message. Prior to utilizing or reacting to any of the information from
the control messages, the PE router must validate the Message Digest AVP.
To perform peer authentication, you must configure the shared secret between the PE routers.
However, if a shared secret is undefined, you can still perform control message integrity
checking by using the hash against an empty shared secret.
This Control Message

scheme
L2TPv3
is similar
toDmitry
the mechanism
you use
ByWeiAuthentication
Luo, - CCIE No. 13,291,
Carlosfor
Pignataro,
- CCIE
No. 4619,
Bokotey, - CCIE
for Tunnel Authentication,
which
is defined
in10,266
L2TPv2. However, the primary difference is that
No. 4460,Anthony
Chan,
- CCIE No.
unlike L2TPv2, you perform the hashing mechanism against the entire control message. This
provides the added benefit
providing
Publisher:ofCisco
Press a checksum-like functionality for control messages in
the case of L2TPv3 over
IP, where the IP Checksum is only computed for the IP header.
ISBN: 1-58705-168-0
The second
Table of phase of control connection signaling is an optional Session establishment phase,
Pages:
648pseudowire sessions. The Session establishment phase can
whichContents
dynamically establishes
involve
incoming call requests (that is, receiving a call) and outgoing call requests (that is,
Index
asking to place an outbound call). The Cisco implementation supports only incoming call
messages for pseudowire session establishment. Figure 10-10 illustrates the various messages
that are used in session negotiation, maintenance, and teardown. Similar to the Control
Master the
worldthe
of Layer
2 VPNs
to provide
enhanced services
and enjoy
Connection establishment
phase,
Session
negotiation
establishment
uses a three-way
productivity gains
handshake mechanism.
Figure
10-10. L2TPv3 Session Negotiation
full size image]
book

infrastructure.
assists readers
looking
Following is the three-way
handshake
process:
1. When the attachment
circuit
transitions
tobook
an active
state,on
thefirst
PE introducing
router exchanges
IP cores. The
structure
of this
is focused
the
parameter information
about
sending
an Incoming-Call-Request
(ICRQ) to
reader to Layer
2 the
VPNsession
benefitsbyand
implementation
requirements and
the remote PE.
Some of the noteworthy required AVPs passed in this request include Local Session ID,
which defines the locally significant Session Identifier value, and Serial Number, which is a
unique identifier of the attachment circuit.
A few of the optional AVPs that you can pass include Assigned Cookie, which determines
the value used in the Cookie field, and L2-Specific Sublayer, which defines whether an
Layer 2-Specific Sublayer field is used in the L2TPv3 encapsulation. Refer to Figure 10-7
to see the Cookie field and Layer 2-Specific Sublayer.
2. After the remote PE receives the ICRQ message, it sends an Incoming-Call-Reply (ICRP)
3.
2.
to indicate that the ICRQ was accepted. Similar AVPs are sent in the ICRP reply to pass
relevant properties with regard to the L2TPv3 session.
3. An Incoming-Call-Connected
(ICCN) message is sent in reply to the received ICRQ to
indicate thatBythe
is fully
established.
Wei pseudowire
Luo, - CCIE No.session
13,291,Carlos
Pignataro,
This three-way session negotiation mechanism occurs for each pseudowire that needs to be
dynamically built. ToPublisher:
signal an
individual session state, any PE can send Set-Link-Info (SLI)
Cisco Press
messages to indicate attachment circuit status changes. For example, if a Frame Relay PVC
changes to down, a PE can send an SLI message to the remote PE to indicate this change in
ISBN: 1-58705-168-0
state.Table
Theofremote PE can
use this information to inform the end devices via Frame Relay LMI
Pages:
648
that the
PVC is no longer usable.
Contents
Index
A peer can also tear down individual pseudowire sessions by using Circuit-Disconnect-Notify
(CDN) messages. When the peer receives this message, it must silently tear down this session
and its associated resources.
productivity gains

infrastructure.

Summary By
This chapter explored

how L2TPv3
evolved into a pseudowire emulation protocol by examining
Publisher:
Cisco Press
its evolution from itsPub
prestandard
implementation,
its Data Plane encapsulation, and its Control
Date: March 10,
2005
Plane Signaling.
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
Following
are several key aspects
to take away from this chapter:
Index
L2TPv3 borrowed heavily from UTI's encapsulation format and L2TPv2's control plane to
provide pseudowire emulation.
L2TPv3 supports
IP encapsulation
using an IP protocol value of 115, whereas UTI uses an
productivity
gains
IP protocol value of 120.
Although the baseLearn
L2TPv3
draft
supports
bothPrivate
IP andNetworks
IP/UDP encapsulation,
the Cisco
about
Layer
2 Virtual
(VPNs)
initial implementation supports only IP encapsulation.
The Cisco L2TPv3network
data packet
encapsulation essentially is composed of an IP header,
architecture
Session ID, cookie, an optional Layer 2-Specific Sublayer, and the Layer 2 payload.
The Cisco L2TPv3both
control
packet
ATOM
and encapsulation
L2TP protocolsis composed of an IP header, Session ID,
Control Message Header, and AVPs if necessary. The Control Message header includes a
Review T-,
strategies
allow
large enterprise
customers
to enhance
12-octet field containing
L-, andthat
S-bits;
Version
field; Length
field; Control
Connection
service
offerings
while maintaining
routing control
ID; and Sequencetheir
Number
sent
and received
fields.
For a channel
majorityisofinband
Service
Providers,
a significant
portion to
of AToM.
their revenues
L2TPv3's control
along
the data
path, as opposed
Control Connection
IDs are
locally significant
values
to identify
specific need
Control
technologies.
Although
Layer 3 MPLS
VPNs
fulfill thea market
for Channel.
some
One Controlcustomers,
Channel usually
exists
between
a
pair
of
PE
routers.
Session IDs backbone
are locallywhile
significant
values would
that identify
specific
pseudowire
session.
new carriers
like to asell
the lucrative
Layer
2
AVPs are antechnology
extensible method
of defining
individual
parameters
each3 of the control
that would
allow Layer
2 transport
over a in
Layer
messages. infrastructure.
When you have
Control
signalingintroduces
enabled, you
mustto
first
build
the Control
Channel
Layer
2 VPN Plane
Architectures
readers
Layer
2 Virtual
Private
between theNetwork
PE devices
using
SCCRQ/SCCRP/SCCCN
messages.
You negotiate
(VPN)
concepts,
and describes Layer
2 VPN techniques
viaany
subsequent introductory
pseudowire sessions
that and
you comprehensive
need to build through
similar three-way
case studies
design ascenarios.
This book
handshake using
ICRQ/ICRP/ICCN
messages.

Although L2TPv3 has a defined control plane, the signaling is entirely optional. You can
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSreduce it to just Control Channel negotiation or Control and Session Negotiation.

Chapter 11. LAN Protocols over L2TPv3

Case Studies

ISBN: 1-58705-168-0

This chapter
Contents
Index
Pages: 648
Introducing the L2TPv3 configuration syntax
LAN protocols over L2TPv3 case studies

The previous chapter
examined
the Layer 2 Tunneling Protocol Version 3 (L2TPv3) data and
productivity
gains
control planes. You learned the details of the L2TPv3 data plane and how the Layer 2 data link
payload is encapsulated and uniquely identified for proper session demultiplexing. You can
statically define or maintain
through
the use of
an optional L2TPv3
Learn these
aboutL2TPv3
Layer 2sessions
Virtual Private
Networks
(VPNs)
control plane protocol.
Now that you understand
the operation
of the protocol, this chapter focuses on LAN transport
network
architecture
using L2TPv3, beginning with an introduction to the configuration syntax and how it relates to
Gain model.
from the
first book
to are
address
VPNthe
application
the pseudowire connection
Following
this
case Layer
studies2 for
two typesutilizing
of point-toboth
ATOMsupports:
and L2TPEthernet
protocolsport emulation and VLAN emulation.
point LAN transport that
L2TPv3

infrastructure.

Introducing
the L2TPv3 Configuration Syntax
One of the design goals

of the
Layer
Publisher:
Cisco
Press2 pseudowire command-line interface (CLI) is to provide a
consistent and flexible
for configuring
pseudowires. Because all pseudowire
Pubsyntax
Date: March
10, 2005
realizationsincluding AToM and L2TPv3provide the same functionality, it was natural for these
ISBN: 1-58705-168-0
Table to
of share a uniform configuration model. Before delving into the CLI, review Figure 11protocols
Pages:
648
Contents
1, which
shows the L2TPv3 connectivity model that was introduced in Chapter 10,
Index
"Understanding
L2TPv3." The original model has been modified slightly to illustrate two specific
L2TPv3 Ethernet pseudowire types: port tunneling and VLAN tunneling.
productivity
Figure gains
11-1. L2TPv3 Connectivity Model
InFigure 11-1, the
two provider
edge
(PE)
routers,
R1 andIdeally,
R2, arecarriers
L2TPv3with
endpoints
providing
customers,
they
have
some
drawbacks.
existing
Layer 2 connectivity
between
of like-to-like
circuits
separate
L2TPv3
legacy
Layer each
2 andpair
Layer
3 networksattachment
would like to
movevia
toward
a single
pseudowire sessions.
Ethernet
802.1q
trunks exist
R3 the
andlucrative
R1 and between
backbone
while
new carriers
wouldbetween
like to sell
Layer 2 R2 and R4.
Although each 802.1q
trunk
is capable
of transporting
multiple
100 cases
is used
services
over
their existing
Layer 3 cores.
The VLANs,
solutionVLAN
in these
is in
a
Figure 11-1 to demonstrate
VLAN
tunneling
pseudowire.
The VLAN
100
attachment
circuit on
technologyathat
would
allow Layer
2 transport
over a
Layer
3
R3's E1/0.100 subinterface
is attached to R4's E1/0.100 subinterface via L2TPv3 pseudowire
infrastructure.
session 1. When you are per-forming VLAN tunneling, only 802.1q Ethernet frames with VLAN
Layer
2 VPN
Architectures
introduces
readers to Layer
Virtual
Private onto
IDs that match the
VLAN
ID value
defined by
the local attachment
circuit2 are
transported
Network
describes
Layer
2 VPN techniques
via
the pseudowire. When
the(VPN)
VLAN concepts,
IDs for theand
local
and remote
attachment
circuits differ,
the far
introductoryfor
case
studiesthe
andVLAN
comprehensive
design scenarios.
book
end PE device is responsible
rewriting
tag on the outgoing
Ethernet This
frame.
In contrast, L2TPv3
pseudowire
session 2 is an
example
of two
a port
tunneling pseudowire
that
history
and implementation
details
of the
technologies
available from
stitches together the
R3'sCisco
E0/0Unified
Ethernet
interface
on LAN1
to R4's
E0/0
Ethernet
interface
on
VPN
suite: Any
Transport
over
MPLS
(ATOM)
for MPLSLAN2. Unlike VLAN
tunneling,
any Layer
Ethernet
frame that
is received
on Ethernet
interface
E0/0 is
based
cores and
2 Tunneling
Protocol
version
3 (L2TPv3)
for native
transported on the
and replicated
the is
far-end
attachment
circuit. Therefore,
IPpseudowire
of thison
book
focused
the
regardless of whether
the
untagged,
has
an implementation
802.1q tag, or has
a QinQ tag,and
the frame
reader
toframe
Layer is
2 VPN
benefits
and
requirements
is replicated transparently
onthem
the outgoing
circuit.
comparing
to those attachment
of Layer 3 based
All LAN and WAN (covered in Chapter 12, "WAN Protocols over L2TPv3 Case Studies") L2TPv3
pseudowire sessions can be defined statically or have an optional control channel exist between
the L2TPv3 endpoints to negotiate session details (such as session IDs and sequencing) and
endpoint information (that is, control channel authentication and hidden Attribute-Value Pairs
[AVP]).
From a configuration perspective, you need a method to tie the attachment circuit to the
pseudowire session. For scalability purposes, the CLI should also allow multiple sessions to
share the same session characteristic's template (that is, sequencing and source IP address)
and multiple dynamic sessions to share the same control channel parameters. Essentially, the
L2TPv3 configuration syntax fulfills these requirements through the use of the xconnect,
pseudowire-class, and l2tp-class command syntax and configuration modes.
ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, xconnect Command
Syntax
In the case of Ethernet transport, L2TPv3 supports two types of attachment circuits, as
described in the previous section:
ISBN: 1-58705-168-0
Table of
Port tunneling on Pages:
Ethernet
648 interface
Contents
Index
VLAN tunneling on Ethernet VLAN subinterface
Thexconnect command that is configured under these interface types locally binds the
attachment circuit to the pseudowire session and employs the following syntax:
productivity gains
xconnectpeer-ip-address vcid pseudowire-parameters
[sequencing
{transmit receive
both}]
Learn
The following list explains the arguments in the syntax:
bothpeer-ip-address
ATOM and L2TPargument
protocolsidentifies the remote PE router where the
peer-ip-address The
AC resides. This IP address should reference a virtual interface such as a loopback
interface, whose reachability depends solely on its administrative state.
vcid The 32-bit virtual circuit identifier, vcid, acts as a unique per-peer-address identifier
of the pseudowire. You should configure the matching VC ID on the remote L2TPv3
endpoint's attachment circuit to associate the pseudowire session to the attachment
circuit.
legacy LayerThis
2 and
Layer 3 networks
would like the
to move
toward a and
single
pseudowire-parameters
placeholder
syntax represents
encapsulation
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
pseudowire session parameters when defining the xconnect command. As briefly
theircan
existing
Layer
3 cores.
The solution
described inservices
Chapter over
10, you
configure
L2TPv3
in three
modes:in these cases is a
infrastructure.
Manual mode
Manual mode requires all session characteristics to be configured on each
end of the L2TPv3 endpoint. In this setting, the attachment circuit state cannot be
Layer
2 VPNend,
Architectures
introduces
readers
Layer 2endpoint
Virtual Private
signaled to the
remote
and reachability
to the
remotetoL2TPv3
is not
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via
monitored.
assists
readers
looking
to meet
those
requirements
by explaining
the
Manual mode
with
keepalive
Manual
mode
with
keepalive operates
in the same
history
and
implementation
details
of
the
two
technologies
available
from
manner as manual mode but enables a simple peer keepalive mechanism for dead
peer
the
Cisco
Unified
VPN
suite:
Any
Transport
over
MPLS
(ATOM)
for
MPLSdetection.
IP cores.
The structure
of this
book
is focused
onfor
first
introducing
Dynamic mode
Dynamic
mode utilizes
the
control
channel
peer
capabilitythe
and
Layer 2 VPN
and preconfiguration
implementation requirements
and
pseudowire reader
sessionto
negotiation
so benefits
that manual
is unnecessary.
progressively
covering
each currently
solution
greater detail.
Because of these
variations,
the xconnect
syntaxavailable
must handle
bothinmanually
defined
and dynamically negotiated sessions. As described earlier, the pseudowire-parameters
field is merely a placeholder for an expanded set of command options. pseudowireparameters takes the following form:
encapsulation {l2tpv3 [manual]

{pseudowire-class-name}
mpls} pw-class
The following list explains the syntax:

encapsulation {l2tpv3 [manual] | mpls} The encapsulation command defines the
Layer 2 VPN
Architectures
tunneling method
used.
The manual keyword indicates that session negotiation is
nonexistent.ByConfiguring
the
into Pignataro,
manual -mode
forces
user
into- aCCIE
config-ifWei Luo, - CCIE
No.session
13,291,Carlos
CCIE No.
4619,the
Dmitry
Bokotey,
xconn configuration
submode
manual
definition of session parameters, such as session
No. 4460,Anthony
Chan,for
- CCIE
No. 10,266
cookies and session IDs. The case studies in this chapter discuss the various modes in
more detail. Publisher: Cisco Press
pw-class {pseudowire-class-name } The pw-class option references a pseudowire-class

ISBN: 1-58705-168-0
template
that defines
whether a control channel is used in addition to other shared
Table
of
Pages:
session characteristics, 648
which are explored later in this section. The pw-class command
Contents
is a mandatory argument when L2TPv3 manual mode is selected as the encapsulation
Index
method.
sequencing {transmit | receive | both}Thesequencing syntax is an optional
Master
the primarily
world of Layer
VPNs to provide
and transmit
enjoy
argument that
is used
when 2
configuring
L2TPv3enhanced
in manualservices
mode. The
gains sequencing of L2TPv3 data packets sent and received over
andreceiveproductivity
options configure
the pseudowire, respectively. Selecting both enables transmit and receive sequencing.
Packets received from the pseudowire session that are considered out of order are
dropped.
pseudowire-class Command Syntax
ATOM and
L2TP
protocols
Thepseudowire-classboth
command
defines
a named
template containing a series of session
characteristics. The pseudowire adopts these session characteristics when the xconnect pwReviewargument
strategiesrefers
that allow
large
enterprise
customers
enhance
classpseudowire-class-name
to the
respective
template.
The to
syntax
has the
following format:
pseudowire-class
pseudowire-class-name
]
are[still
derived from data and voice
legacy is
Layer
2 and
Layer 3 networks
would like
move
toward
a single
pseudowire-class-name
a locally
significant,
unique identifier
ofto
the
template.
When
you
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2 the
enter this argument, the CLI enters into config-pw-class configuration submode, and
following options services
are available:
infrastructure.
encapsulation {l2tpv3 | mpls} The encapsulation option defines the tunneling method
that is used.Layer
After2you
the pseudowire-class
template
and enter
the config-pwVPNdefine
Architectures
introduces readers
to Layer
2 Virtual
Private
class submode,
this is
the only
command
is initially
available
to the uservia
because the
Network
(VPN)
concepts,
and that
describes
Layer
2 VPN techniques
remaining options
depend
on the
encapsulation
that you choose.
introductory
case
studies
and comprehensive
ip local interface
The ip
local of
interface
command defines
the from
source
historyinterface-name
and implementation
details
available
address of the
L2TPv3
control
and
data
packets.
The
encapsulation
and
ip
local
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSinterface definitions
areand
minimum
a complete
L2TPv3
pseudowire-class.
based cores
Layer 2arguments
Tunneling for
Protocol
version
3 (L2TPv3)
for native
protocol {l2tpv3
| none}[l2tp-class-name
] The
protocol syntax
defines whether
reader to
Layer 2 VPN benefits and
implementation
requirements
and the
L2TPv3 signaling
protocol
is used
for session
If you
prefer
dynamic
session
comparing
them
to those
of Layernegotiation.
3 based VPNs,
such
as MPLS,
then
negotiation,progressively
configure protocol
l2tpv3
and
optionally
reference
an
l2tp-class
template
so
that multiple sessions can share the same control channel characteristics. If no session
negotiation is required, select protocol none. If no definition is made, the default
assumes that protocol l2tpv3 is configured and that dynamic session negotiation will
occur.
sequencing {transmit | receive | both} The sequencing configuration follows the
same format as previously defined in the xconnect syntax.
ip dfbit set By enabling this option, the don't fragment (DF) bit is set on the IP packet
header of the L2TPv3 packets.
ip pmtu L2TPv3 supports the discovery of path maximum transmission unit (MTU) to
reach the remote L2TPv3 endpoint. This topic is explored in more detail in Chapter 13,
"Advanced L2TPv3
Case
Studies."
Layer 2 VPN
Architectures
ByWei
Luo,|- reflect}
CCIE No. 13,291,
Carlos
Pignataro,
CCIE
No.option
4619,Dmitry
Bokotey,
- CCIE
ip tos {value
value
When
enabled,
theip
tos
uses
the configured
type
No.
4460,
Anthony
Chan,
CCIE
No.
10,266
of service (ToS) value in the IP header of the L2TPv3 packet. If the payload of the Layer 2
frame is IP, the reflect option reflects the ToS value that is stored in the inner IP header
Cisco
tothe outer IP Publisher:
header. If
ip Press
tos value and ip tos reflect are configured simultaneously,
March
2005
the configured Pub
ToSDate:
value
is 10,
used
on the outer IP header when the Layer 2 frame payload
is not IP, while reflection
would
occur
when the payload is IP.
ISBN: 1-58705-168-0
Table of
Pages: 648
Contents
ip ttlvalue The IP Time to Live (TTL) of the outer IP packet is configured with the defined
Index
TTL value that is configured in this command.
ip protocol {l2tp | uti} To allow for interoperability with Universal Transport Interface
(UTI), you can adjust the IP protocol field to identify the IP packet as either L2TPv3 using
Master
the using
world IP
of protocol
Layer 2 VPNs
IP protocol 115
or UTI
120. to provide enhanced services and enjoy
productivity gains
Note
It is highly recommended as a best practice that every xconnect command
reference a pseudowire-class
template
so to
that
the source
of the L2TPv3
Gain from the
first book
address
Layeraddress
2 VPN application
utilizing
packets is definedboth
to a ATOM
virtualand
interface,
such
as
a
loopback
interface.
If you do not
L2TP protocols
define a source address using the ip local interface command, the source address is
not deterministic;Review
it uses strategies
the PE's egress
interface
thatcustomers
is closest to
that allow
largeaddress
enterprise
to the
enhance
destination, whichtheir
might
change
depending
onmaintaining
the network
topology.
service
offerings
while
routing
control
l2tp-class Command
Syntax
Similar to the pseudowire-class
command,
template
of pseudowire
backbone while new
carrierswhich
wouldacts
like as
to a
sell
the lucrative
Layer 2 session
characteristics, the
l2tp-class
command
defines
containing
seriesisofa
services
over their
existing
Layera 3named
cores.template
The solution
in thesea cases
control channel characteristics,
such
as
control
channel
authentication
and
hidden
AVPs. You
can reference theinfrastructure.
l2tp-class command in the pseudowire-class definition via the protocol
l2tpv3 syntax for dynamic session negotiation or via the config-if-xconn configuration
submode when defining
manual
L2TPv3 session
with keepalive
This chapter
Layer 2aVPN
Architectures
introduces
readers tosupport.
Layer 2 Virtual
Private
examines the latter
case in(VPN)
moreconcepts,
detail in "Case
Study 11-2:
Ethernet
Port-to-Portvia
Manual
Network
and describes
Layer
2 VPN techniques
Session with Keepalive"
and "Case
Ethernet Port-to-Port
Session."
The
introductory
case Study
studies11-3:
and comprehensive
design Dynamic
scenarios.
This book
following syntax is
used when
defining
the
assists
readers
looking
to l2tp-class:
the Cisco Unified]VPN suite: Any Transport over MPLS (ATOM) for MPLSl2tp-class [ l2tp-class-name
comparing
to those
3 based VPNs,
such asthis
MPLS,
then
l2tp-class-name is
the locallythem
unique
name of
forLayer
this template.
Configuring
places
the user in
progressively
covering
each
currently
available
solution
in
greater
detail.
a config-l2tp-class configuration submode. When the user is in this mode, several control
channel parameters are available, falling into four categories, as follows:
Local cookie size
Control channel timing
Control channel authentication and integrity checking
Control channel maintenance
The optional L2TPv3 local cookie size contains a single command and has the following form:
cookie size [4 | 8] [size] The cookie size defines the size of the locally unique cookie
ByWei Luo, -negotiated
CCIE No. 13,291,
Carlos Pignataro,
- CCIE
No.shares
4619,Dmitry
- CCIE
for each dynamically
pseudowire
session
that
thisBokotey,
l2tp-class
template.
No.
4460,
Anthony
Chan,
CCIE
No.
10,266
Only two options are offered: a 4- or 8-byte cookie value. The default assumes a 0-byte
cookie (that is, no local cookie is defined). As such, the local peer does not pass a Cookie
Publisher:
AVP to the remote
peer.Cisco Press
L2TPv3 control channel ISBN:

timing
parameters include the following options:
1-58705-168-0
Table of
Pages: 648
Contents
Index
receive-window [size] The L2TPv3 control channel utilizes a sliding window
implementation using Ns, the sequence number found in the L2TPv3 control message that
was sent, and Nr, the sequence number expected in the next L2TPv3 control message to
be received. The receive window value determines the number of outstanding messages
Master
the world
of Layer
2 receiving
VPNs to provide
enhanced services
that the remote
device
can send
before
an acknowledgement
fromand
theenjoy
local
productivity gains
device.
retransmit {initial retriesinitial-retries | retriesretries | timeout {max | min}
Learn about
Layer
2 Virtual
Private
Networks
(VPNs)of retransmission
timeout } The retransmit
retries
retries
interval
defines
the number
attempts before declaring the remote end as unresponsive. More specifically, initial
retriesinitial-retries defines the number of Start-Control-Connection Request (SCCRQ)
attempts made when trying to initialize the control channel. The first retransmission is
sent at the timeout mintimeout value after the first unacknowledged request. The time
between each subsequent retransmission increases exponentially until it reaches the
value specified in the timeout maxtimeout configuration.

timeout setup [seconds ] This specifies the maximum amount of time permitted to set
up the control channel.
L2TPv3 control channel authentication and integrity checking parameters implement two forms
of control channel authentication. The old implementation utilized a simple Challenge
Handshake Authentication Protocol (CHAP) mechanism borrowed from L2TPv2, which utilizes
challenge and challenge response messages for peer authentication. Cisco later extended
L2TPv3 to implement a new authentication method that utilizes a control message hash. This
new authentication system follows the method described in Chapter 10's "L2TPv3 Control
Channel Signaling" section. One advantage of the new authentication mechanism is that this
feature performs the cryptographic hash against the entire L2TPv3 control message, whereas
infrastructure.
the old mechanism performed the hash only against specific AVPs. Another benefit is that the
control message hashing
feature
includes the
resultant readers
hash output
referred
to asPrivate
the message
Layer 2 VPN
Architectures
introduces
to Layer
2 Virtual
digest in all L2TPv3
control(VPN)
messages.
The and
old mechanism
only 2
exchanged
challenge
Network
concepts,
describes Layer
VPN techniques
via and
challenge responses
against SCCRQ
and Start-Control-Connection
Reply
(SCCRP)This
messages.
introductory
case studies
scenarios.
book
The L2TPv3 control connection authentication and integrity checking parameters contain the
following options:
IP cores.
structure
thisold
book
is focused
the
authentication
This The
option
enablesofthe
CHAP-like
lightweight
control channel
reader
to Layer
authentication
between
peers.
progressively
covering
each currently
available
solution
greater
detail.
hostname [host
name ] The
hostname
option explicitly
defines
theinhost
name
to identify
the local device in the old CHAP-like control channel authentication. If you do not explicitly
use the hostname command, the host name of the router is used.
password {encryption-type}[password ] The password definition establishes the
predefined shared secret between peers used in the old CHAP-like control channel
authentication mechanism. This value along with several other fields is hashed, and the
resultant value is passed to the peer for control message authentication. If this value is
not specified, the password value is taken from the globally configured username
[username ]password [password ] value, where username is the host name of the local
device.
digest [secret [0 | 7]password ] [hash {md5 | sha}] The digest secret defines the
Layer
2 VPN
Architectures
shared secret
and
hashing
mechanism used in the new control message hashing
authentication
mechanism.
The
[0 |Carlos
7] input
type- option
theBokotey,
format- of
the
ByWei
Luo, - CCIE No.
13,291,
Pignataro,
CCIE No.defines
4619,Dmitry
CCIE
password that
defined.
A 0 indicates
the subsequent password is entered in
No. is
4460,
Anthony Chan,
- CCIE No. that
10,266
plaintext, whereas a 7 indicates that the password is encrypted. The hash {md5 | sha}
option defines Publisher:
the hashing
that calculates the message digest. The default
Ciscomechanism
Press
assumes a 0 input
type option and hash md5. Both peers should use the same shared
digest secret and hashing mechanism for the control message.
ISBN: 1-58705-168-0
Table of
Pages:
648 check enables validation of the contained message digest. By
digest check The digest
Contents
default, this option is enabled. You can disable it only when digest secret is not
Index
configured to obtain a slight performance improvement by obviating the checking for a

message digest.
Master
the world
Layer keyword
2 VPNs toinprovide
enhanced
services
and enjoy
hidden When
you define
the of
hidden
a l2tp-class,
AVPs
are encoded
to hide
productivity
sensitive information.
If gains
the hidden keyword is not configured, AVPs are sent in the clear.
The Cookie AVP that protects against blind insertion attacks is an example of an AVP that
would be hidden when the hidden keyword is configured along with a digest secret
Learnofabout
Layer 2AVP
Virtual
Private from
Networks
(VPNs)AVP because of
command. The length
the hidden
is different
the original
potential padding and additional overhead in the process of hiding the AVP.
Note
Reviewsecret
strategies
thatyou
allow
large enterprise
customers
to enhance
When you use a digest
option,
perform
control connection
authentication
their
service
offerings
while
maintaining
routing
control
of the remote peer. In this case, the message digest is calculated against the L2TPv3
control message content along with the configured digest secretpassword and the
local and remote Control Message Authentication Nonce.
technologies.
Although
Layer
3 MPLSby
VPNs
fulfill
the market
need
for some
However, you
can configure
the digest
keyword
itself
to simply
perform
a control
customers,
they
have
some
drawbacks.
Ideally,
carriers
with
existing
connection integrity check. In this scenario, the message digest is calculated against
legacy message
Layer 2 and
Layerand
3 networks
like to move
towardcheck.
a single
the L2TPv3 control
content
provideswould
a unidirectional
integrity
infrastructure.
L2TPv3 control channel
maintenance parameters involve the following option:
Network
(VPN)interval
concepts,
and describes
Layer
2 VPN techniques
via
hello [interval
] The hello
defines
the interval
in seconds
between Hello
introductory
case
studies
and
comprehensive
design
scenarios.
This
messages after the control channel is initialized. The hello mechanism provides abook
simple
assists readers
looking
todefaults
meet those
requirements
explaining
the
dead peer detection
mechanism
and
to 60
seconds if it by
is not
configured
explicitly. history and implementation details of the two technologies available from

LAN Protocols
over L2TPv3 Case Studies
Now that you understand

some
the CLI concepts, the subsequent sections examine how to use these
Publisher:
CiscoofPress
CLI components to provide
L2TPv3
Layer 2 VPN service focusing on two specific types of Ethernet
Pub Date:an
March
10, 2005
pseudowire transport:
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
Ethernet
port-to-port
emulation
Index
Ethernet VLAN-to-VLAN emulation

Some optional L2TPv3
concepts
willofbe
introduced
studiesservices
to reinforce
your understanding
Master
the world
Layer
2 VPNs in
tovarious
providecase
enhanced
and enjoy
of their functionality.
productivity gains
To help explain some of the concepts in an L2TPv3 LAN environment, each case study in this chapter is
based on a single IP lab
topology
The
service provider
Learn
aboutshown
Layerin
2 Figure
Virtual 11-2.
Private
Networks
(VPNs) has chosen a pure IP-based
packet switched network (PSN) to provide Layer 2 services to its customer. The IP PSN consists of two PE
costs and
the called
reach of
your services
by unifying
your
routers called SanFranReduce
and NewYork
andextend
a P router
Denver.
The PE and
P routers
are connected to
network
architecture
each other via Cisco-HDLC
(C-HDLC)
Serial links addressed with a /30 prefix. Each core device also has a
/32 loopback configured.
Review
strategies
that allow
large enterprise
customers toCase
enhance
Figure 11-2.
L2TPv3
Ethernet
Port-to-Port
Emulation
Study

infrastructure.
assists
readers
looking for
to meet
those
Table 11-1 lists the
relevant
addressing
the case
study.
Table 11-1. Address Space for IP Case Study Topology

Device
PE
P
PE
Table of
links
PE-P
Contents
Index
Site
Subnet
ByWei Luo, - CCIE
No. 13,291,Carlos Pignataro, - CCIE No.
SanFran (Loopback 0)
Publisher: Cisco
Press(Loopback 0)
Denver
NewYork (Loopback 0)
ISBN: 1-58705-168-0
Point-to-point links in IP PSN

Pages: 648
CE
CE
CE
10.1.1.102/32
10.1.1.101/32
10.1.1.103/32
core
/30s out of
10.1.2.0/24 block
Oakland (Loopback 0)
192.168.1.108/32
Albany (Loopback 0)
192.168.1.111/32
192.168.1.113/32
productivity Hudson
gains (Loopback 0)
CE-CE pseudowire links
Point-to-point links between

/30s out of
CE devices
192.168.2.0/24
block
The following list describes the required steps in establishing the IP PSN core:
both ATOM
and and
L2TPassign
protocols
Step 1. Create a loopback
interface
a /32 IP address to it.
Step 2. Enable IP CEF
globally.
Depending
on themaintaining
platform type,
configure
distributed CEF (dCEF) to
their
service
offerings while
routing
control
further improve switching performance.
areaddresses
still derived
from
data and
voice
on routers.
legacy transport
Step 3. Assign IP
to all
physical
links
thatservices
connect based
the core
In this chapter, /30
3 MPLS
subnetstechnologies.
are allocatedAlthough
for each Layer
core serial
link.
Layer
2 and Layer
3 networks
wouldthe
likecore
to move
toward
a single
Step 4. Enable legacy
an Interior
Gateway
Protocol
(IGP) among
devices.
In this
chapter, OSPF is
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
configured as a single area 0.
infrastructure.
Example 11-1 includes
the base configuration of the SanFran PE router. Denver and NewYork are
configured equivalently to the SanFran router, with adjustments to the interface IP addressing.
Example 11-1.
SanFran
Preconfiguration
assists
readersRequired
looking to meet
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLShostname SanFran
!
ip cef
!
interface Loopback0
progressively
255.255.255.255
!
interface Serial6/0
ip address 10.1.2.1 255.255.255.252
!
router ospf 1
network 10.1.1.0 0.0.0.255 area 0
network 10.1.2.0 0.0.0.255 area 0
!
The highlighted lines indicate the relevant IP addressing specific to the SanFran router that would change
in the respective configuration in the Denver and NewYork devices.
No.proper
4460,Anthony
Chan,
- CCIE
No.distributed,
10,266
To confirm that the
routes
are
being
Example 11-2 captures the IP routing table of the
IP PSN network.
Example 11-2. SanFran

Preconfiguration Verification
ISBN: 1-58705-168-0
Table of
Pages: 648
Contents
Index
SanFran#show
ip route

Master
the world
of Layer
provide enhanced
E1 - OSPF
external
type
1, E22-VPNs
OSPFtoexternal
type 2,services
E - EGPand enjoy
productivity
gains
o - ODR
Reduce
costs subnetted,
and extend the
reach of your
10.0.0.0/8 is
variably
5 subnets,
2 masks
network
architecture
C
O
10.1.2.4/30 [110/96] via 10.1.2.2, 00:07:50, Serial6/0
C
O
10.1.1.103/32 [110/97] via 10.1.2.2, 00:07:50, Serial6/0
O
10.1.1.101/32
Serial6/0to enhance
Review[110/49]
strategiesvia
that10.1.2.2,
allow large 00:07:50,

The highlighted routes are NewYork and Denver loopback addresses that are learned through Open
Shortest Path First (OSPF). Both addresses are reachable from SanFran via the Serial 6/0 interface.
have some
The next sectionscustomers,
present thethey
following
case studies:
over their
existing Layer
3 cores.
Case Study services
11-1: Ethernet
Port-to-Port
Manual
Session
Case Study infrastructure.
11-2: Ethernet Port-to-Port Manual Session with Keepalive
VPN Architectures
Case Study Layer
11-3: 2Ethernet
Port-to-Portintroduces
Dynamic Session
Case Study introductory
11-4: Ethernet
VLAN-to-VLAN
Dynamic Session
case
the Cisco
Unified VPN
over Session
MPLS (ATOM) for MPLSCase Study 11-1:
Ethernet
Port-to-Port
Manual
In this case study, the customer has requested that the service provider supply transparent Layer 2
Ethernet port-to-port connectivity between the Oakland and Albany routers, as shown in Figure 11-3.
Because the service provider has chosen an IP-based core, L2TPv3 is used to meet the customer's
requirements. In the section "xconnect Command Syntax," you learned about manual, manual with
keepalive, and dynamic modes. These three modes are relevant and applicable to all L2TPv3 sessions
emulating LAN or WAN protocols. However, because this section is the introduction to configuring these
sessions, it examines each mode using Ethernet port-to-port emulation as an example starting with the
simplest case: a manual L2TPv3 Ethernet port-to-port session, as illustrated in Figure 11-3.
Figure 11-3. CE Ethernet Port-to-Port Connectivity

ISBN: 1-58705-168-0
Tablein
of this case study is to provide Layer 2 Ethernet port-to-port connectivity over an IP-based PSN
The goal
Pages: 648
Contents
between Oakland's CE router E0/0 interface and Albany's CE router E0/0 interface. The subsequent
Indexexamine the necessary configuration, verification, and data plane details of this environment.
sections
Manual
Master the
world Configuration
productivity gains
To provision an Ethernet port-to-port manual pseudowire, the SanFran and NewYork PE devices will
configure the following to act as L2TPv3 endpoints for the customer:
1. Define a pseudowire-class
template.
Gainonfrom
first bookinterface
to address
2 VPN application
utilizing
2. Define an xconnect
the the
appropriate
withLayer
the necessary
preconfigured
manual attributes
Example 11-3 shows the relevant configuration for the SanFran PE device.
Example 11-3. Ethernet Port-to-Port Manual Session Configuration on

SanFran
hostname SanFran
!
backbone
pseudowire-class
pw-manual
services
over
encapsulation l2tpv3
technology
that
protocol none
infrastructure.
ip local interface Loopback0
!
interface Loopback0
Network (VPN)
255.255.255.255
introductory
case
!
assists
readers
looking
history
and
implementation
no ip address
the
Cisco
Unified
VPN
suite:
Any Transport over MPLS (ATOM) for MPLSno cdp enable
based
cores
and
Layer
2
Tunneling
Protocol
version
3 (L2TPv3)
for native
xconnect 10.1.1.103 33 encapsulation l2tpv3
manual
pw-class
pw-manual
IP
cores.
The
structure
of
this
book
is
focused
on
first
introducing
the
l2tp id 245 329
reader 8to957344
Layer 2 9379092
l2tp cookie local
comparing
them to
l2tp cookie remote
8 76429
945
Example 11-4 shows the equivalent configuration for NewYork.
Example 11-4. Ethernet Port-to-Port Manual Session Configuration on

NewYork
hostname NewYork
ip cef
!
Layer
2 VPN Architectures
pseudowire-class
pw-manual
encapsulation By
l2tpv3
protocol none No. 4460,Anthony Chan, - CCIE No. 10,266
!
interface Loopback0
ip address 10.1.1.103 255.255.255.255
ISBN: 1-58705-168-0
! Table of
Pages:
648
Contents Ethernet0/0
interface
Indexaddress
no ip
no cdp enable
xconnect 10.1.1.102 33 encapsulation l2tpv3 manual pw-class pw-manual
l2tp id 329 245
Master8the
world945
l2tp cookie local
76429
productivity
gains
l2tp cookie remote 8 957344 9379092
As mentioned earlier in the section, both PE routers should configure a pseudowire-class template first.
San Francisco's and New York's pseudowire-class template is called pw-manual, as highlighted in the
example. Although defining a pseudowire-class is an optional step, it is a highly recommended best
practice at least to define the L2TPv3 local interface to a loopback interface. This forces the source address
for the L2TPv3 session to use a virtual interface that otherwise would never go down unless it was shut
administratively.

In the case of the pw-manual template, both PE routers tie the local interface to their respective Loopback
0. Because you are configuring a manual L2TPv3 session, the template also defines protocol none to
disable L2TPv3 from
a of
control
channel
connection
to the portion
peer. Keep
in mind
that this pw-manual
For initiating
a majority
Service
Providers,
a significant
of their
revenues
template can be referenced
from
multiple
xconnect
statements.
This
example
happens
are still derived from data and voice services based on legacy transportto have only one
xconnect defined.

The second major configuration task is defining the xconnect statement. In SanFran's configuration, the
xconnect command is defined underneath the relevant attachment circuit, which is the Ethernet major
interface, Ethernet 0/0, because this example uses Ethernet port-to-port emulation. The xconnect
statement defines the peer address as NewYork's loopback address of 10.1.1.103 and defines a virtual
circuit (VC) ID of 33. The VC ID uniquely identifies the attachment circuit on a per-peer basis. Equivalently
infrastructure.
NewYork'sxconnect statement defines the peer address to be SanFran's loopback address of 10.1.1.102.
You must use theLayer
VC ID2 value
of 33 on NewYork
so thatreaders
the pseudowire
VPN Architectures
introduces
to Layer 2session
Virtualbetween
Private the PEs can
identify which ACNetwork
to bind to.

As highlighted in the xconnect configuration line in both PE router examples, the manual keyword after
theencapsulation l2tpv3 syntax defines this pseudowire as a manually defined session and references
thepw-manual pseudowire-class template via the pw-class pw-manual configuration. After you enter
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSthexconnect command with the manual keyword, the configuration is placed into config-if-xconn
submode configuration, which requires the user to manually define the necessary attributes of the session.
Table 11-2 summarizes the manually defined session and cookie values in decimal and hexadecimal forma
from SanFran's perspective. These hexadecimal values are referenced later in the verification and data
plane examination of this case study to assist in decoding captured output.
Table 11-2. L2TPv3 Manual Configuration Values for

Ethernet
Manual Session
Layer 2 VPN Port-to-Port
Architectures
- CCIE No. 10,266
Local
Remote
245
329
Session ID
(0x000000F5)
(0x00000149)
957344
76429
(0x000E9BA0)
(0x00012A8D)
ISBN: 1-58705-168-0
Table of
Cookie
Size
Contents
Index
Pages: 648
Cookie Value (Low)
9379092
945
productivity gains
Cookie Value (High)
(0x008F1D14)
(0x000003B1)

and extend
reach of
your defines
servicesthe
by local
unifying
yourID as 245 and
Because every session Reduce
requirescosts
a Session
ID, thethe
SanFran
router
Session
architecturethis example uses L2TPv3 cookies to protect the pseudowire
the remote Session ID network
as 329. Optionally,
session from blind insertion attacks. Preconfigure the Session ID and optionally the cookie definition and
Gain
from thethe
firstfar-end
book topeer
address
Layer
2 VPN application
use agreed upon values;
otherwise,
will not
recognize
the L2TPv3utilizing
encapsulation. The
both
ATOM
and
L2TP
protocols
NewYork configuration, as highlighted in Example 11-4 underneath the xconnect command, configures
the identical values in the reverse position to appropriately match the local and remote values from
NewYork's perspective.
The two CE routers, Oakland and Albany, are configured without knowledge that the Ethernet port
connectivity is provided over an L2TPv3 service. Figure 11-4 illustrates that the Layer 3 CE-to-CE
connectivity exists between Oakland and Albany as if their Ethernet ports were connected back to back.
Figureservices
11-4. over
CE Routers
Oakland and Albany Layer 3 Connectivity
infrastructure.

Verifying Ethernet Port-to-Port Manual Session
Severalshow commands are useful for determining the state of the manual Ethernet port-to-port L2TPv3
session. This section describes the following:
show l2tun
show l2tun session all
show sss circuits
Theshow l2tun command shows summarized information regarding all defined tunnels and sessions on
Layer
2 VPN Architectures
the local device, as
demonstrated
in Example 11-5. As mentioned in Chapter 10, the term L2TP tunnel
refers to the L2TPv3
control
connection.
highlighted
Example
11-5,
can- see
ByWei
Luo, - CCIE
No. 13,291,As
Carlos
Pignataro, -in
CCIE
No. 4619,
Dmitryyou
Bokotey,
CCIEthe term tunnel in
this context. Because
this
case Chan,
study- CCIE
configures
a manual session, no L2TPv3 control connection is
No. 4460,
Anthony
No. 10,266
established, and the total tunnels is 0. However, one session does exist, which happens to be the Ethernet
port-to-port manualPublisher:
session defined
between Oakland and Albany.
Cisco Press
ISBN: 1-58705-168-0
Table of 11-5. SanFran show l2tunOutput

Example
Pages: 648
Contents
Index
SanFran#show l2tun
Tunnel and Session Information Total tunnels 0 sessions 1
Tunnel control packets dropped due to failed digest 0
LocID
RemIDproductivity
TunID
Username, Intf/
State
gains
Vcid, Circuit
245
329
0
33, Et0/0
est
The final line of the Example
11-5
output provides summarized information regarding each of the sessions.
network
architecture
The output includes the local and remote session IDs, which in SanFran's case are 245 and 329,
Gain
to address Layer
application
utilizing
respectively. The defined
VCfrom
ID isthe
33,first
andbook
the attachment
circuit2isVPN
Ethernet
0/0. Also
notice that the
ATOM
andID
L2TP
protocols the control connection ID defined in Chapter 10.
tunnel ID in this case isboth
0. The
tunnel
is essentially
Normally, this would be a negotiated value; however, because the pseudowire session is in manual mode,
Review
allow large
customers
to enhance
no control channel is used
andstrategies
no controlthat
connection
ID isenterprise
necessary.
Finally, the
state of the session
their
service that
offerings
while maintaining
control
shows established (est),
indicating
this pseudowire
sessionrouting
is active.
For a majority
Service Providers,
a significant
portion ofall
their
revenues
You can glean additional
sessionofattributes
from the show
l2tun session
output
shown in Example
11-6.
legacy
Layer 2 show
and Layer
3 networks
Example 11-6.
SanFran
l2tun
all Output
technology
thatall
SanFran#show l2tun
session
infrastructure.
Session Information
Total tunnels 0 sessions 1
Session id 245 is up, tunnel id 0
Call serial number is 0
Remote tunnel name is
Internet address is 10.1.1.103
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSSession is manually signalled
Session state is established, time since change 00:53:09
692 Packets sent, 693 received
66992 Bytes sent, 66981 received
Receive packets dropped:
out-of-order:
0
total:
0
Send packets dropped:
exceeded session MTU:
0
total:
0
Session vcid is 33
Session Layer 2 circuit, type is Ethernet, name is Ethernet0/0
Circuit state is UP
Remote session id is 329, remote tunnel id 0
DF bit off, ToS reflect disabled, ToS value 0, TTL value 255
Session cookie information:

local cookie, size 8 bytes, value 00 8F 1D 14 00 0E 9B A0
remote cookie, size 8 bytes, value 00 00 03 B1 00 01 2A 8D
Layer 2information:
VPN Architectures
FS cached header
encap size By
=Wei
32Luo,
bytes
No. 4460,Anthony
Chan, - 00000000
CCIE No. 10,266
00000000 00000000
00000000
00000000 00000000 00000000 00000000
Sequencing is off

ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
Theshow l2tun session all command displays more detailed information for every session that exists on
Index
the PE device. Like the show l2tun session command, the capture from Example 11-6 shows the local
and remote session ID as 245 and 329 respectively, the VCID of 33, a local TunID of 0, the attachment
circuit interface of E0/0, and the session state of established.
Theshow l2tun session all command also displays the peering address as New York's loopback address
productivity gains
of 10.1.1.103, the session type of manually signaled, and timers since the previous session state change.
The session state timer is followed by counters for packets and bytes sent and received. The sent
packets/bytes are fromLearn
the perspective
circuit
frames(VPNs)
that are encapsulated with an L2TPv3
about Layerof2attachment
Virtual Private
Networks
header and sent onto the pseudowire session. Conversely, the received packets/bytes are from the
perspective of receivedReduce
L2TPv3costs
packets
are the
from
the session
be sent
theyour
attachment circuit.
andthat
extend
reach
of your to
services
bytoward
unifying
The size and hexadecimal
valuearchitecture
of local and remote cookies is also displayed for the session.
network
Finally, the local L2TPv3

encapsulation
overhead
to transport
Ethernet
frame is displayed as
Gain
from the first
book to required
address Layer
2 VPN this
application
utilizing
encap size = 32 bytes.both
As described
in L2TP
Chapter
10's "L2TPv3 Data Encapsulation" section, the L2TPv3
ATOM and
protocols
overhead is composed of a 20-byte IP header, a 4-byte session ID, an optional and variable-length cookie,
Review
strategies
that case
allowstudy,
large enterprise
customers
to enhance
and an optional L2-Specific
Sublayer.
In this
an 8-byte cookie
is defined
on both PE routers,
their service
whileismaintaining
routing
controlthe 32-byte encapsulation is
and no L2-Specific Sublayer
is used.offerings
(Sequencing
not enabled.)
Therefore,
derived from the 20-byte IP header, the 4-byte remote session ID of 329, and the 8-byte remote cookie.
still derived
fromhighlighted
data and voice
based
on legacy
transport
The encapsulationare
details
are further
in theservices
show sss
circuits
output
listed in Example 11-7.
legacy
Layer 2 show
and Layer
3 networks
Example 11-7.
SanFran
sss
circuitswould
Output
technology
SanFran#show sss
circuits
infrastructure.
Current SSS Circuit Information: Total number of circuits 1
introduces
to Layer
Virtual Private
Common Circuit Layer
ID 0 2 VPN Architectures
Serial
Num 5 readers
Switch
ID 2
22074136
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via
--------------------------------------------------------------------------introductory
case
studies
and
comprehensive
design
scenarios.
This
book
Status Encapsulation
assists
readers
looking
to
meet
those
requirements
by
explaining
the
UP flg len dump
Y AES 0 history and implementation details of the two technologies available from
Cisco Unified
VPN suite:
Any Transport
MPLS (ATOM) for MPLSY AES 32 the
45000000
00000000
FF73A4BC
0A010166 over
0A010167
based00000149
cores and 000003B1
Layer 2 Tunneling
Protocol
version
00012A8D
covering
each
currently
available
in greater
detail.
The first 20 bytesprogressively
are the IP packet
header
with
a source
addresssolution
of SanFran's
loopback
of 10.1.1.102
(0x0A010166) and a destination address of 10.1.1.103 (0x0A010167). The IP header is then followed by
the remote session ID of 329 (0x00000149) and the 8-byte remote cookie (cookie value high =
0x000003B1, cookie value low = 00012A8D).
You can perform a final verification by passing traffic between the CE routers to the next-hop interface
address. As shown in Example 11-8, a ping is executed from the Oakland CE router to the E0/0 IP address
on the Albany CE router of 192.168.2.2, indicating successful connectivity.
Example 11-8. Ethernet Port-to-Port Manual Session CE Verification


!!!!!
Success rate is 100
percent (5/5), round-trip min/avg/max = 24/34/48 ms
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
Ethernet
Index Port-to-Port L2TPv3 Data
Plane Details
Chapter 10 discussed at length the L2TPv3 encapsulation format for encapsulating data. In this case study
correlating the encapsulated packet with the preconfigured details for the pseudowire session should be
Master the
world
2 VPNs
to provide
enhanced
services
and enjoy
fairly simple. An L2TPv3
frame
thatofisLayer
captured
in the
IP PSN core
is shown
in Example
11-9.
productivity gains
Example 11-9. Ethereal

Decode
Capture
of Oakland
Learn about
Layer 2 and
Virtual
Private Networks
(VPNs)to Albany ICMP Ping
Cisco HDLC
Address: Unicast (0x0f)
Protocol: IP (0x0800)
Internet Protocol, both
Src ATOM
Addr: and
10.1.1.102
(10.1.1.102), Dst Addr: 10.1.1.103 (10.1.1.103)
L2TP protocols
Version: 4
Header length: Review
20 bytes
! IP header DSCP,
detail,
offset and
TTLcontrol
omitted for brevity
theirFlags
service
offeringsFragment
while maintaining
routing
Protocol: Layer 2 Tunneling (0x73)
For a majority
Header checksum:
0x6858of(correct)
are still derived
Source: 10.1.1.102
(10.1.1.102)
technologies.
Although
Destination:
10.1.1.103
(10.1.1.103)
customers,
theyversion
have some
Layer 2 Tunneling
Protocol
3 drawbacks. Ideally, carriers with existing
Session ID:legacy
329 Layer 2 and Layer 3 networks would like to move toward a single
Cookie: 000003B100012A8D
services
over their existing Dst:
Layer 00:00:0c:00:6f:00
Ethernet II, Src:
00:00:0c:00:6c:00,
technology
that would allow
Destination:
00:00:0c:00:6f:00
(00:00:0c:00:6f:00)
infrastructure.
Source: 00:00:0c:00:6c:00
(00:00:0c:00:6c:00)
Type: IP (0x0800)
Layer Src
2 VPN
Architectures
introduces
readers to Layer
Virtual
Private
Internet Protocol,
Addr:
192.168.2.1
(192.168.2.1),
Dst 2
Addr:
192.168.2.2
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via
(192.168.2.2)
introductory
case
studies
and
comprehensive
design
scenarios.
This
book
Version: 4
assists
readers
looking
to
meet
those
requirements
by
explaining
the
implementation
details ofoffset
the two and
technologies
available
! IP headerhistory
DSCP,and
Flags
detail, Fragment
TTL omitted
for from
brevity
the Cisco
Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSProtocol: ICMP
(0x01)
based cores
and (correct)
Header checksum:
0x31d7
IP cores. The
Source: 192.168.2.1
(192.168.2.1)
reader
to Layer 2 (192.168.2.2)
Destination:
192.168.2.2
comparing
them
to
progressively
covering
Type: 8 (Echo (ping) request) each currently available solution in greater detail.
Code: 0
Checksum: 0x9d07 (correct)
Identifier: 0x0009
Data (72 bytes)
0000 0f 00 08 00 45 00 00 92 3b d2 00 00 ff 73 68 58
^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Cisco HDLC IPv4 Delivery Header (IP Protocol L2TPv3)
0010 0a 01 01 66 0a 01 01 67 00 00 01 49 00 00 03 b1
^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^
IPv4 Delivery Header
L2TPv3 Header
0020 00 01 2a 8d 00 00 0c 00 6f 00 00 00 0c 00 6c 00
Layer ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2 VPN Architectures
^^^^^^^^^^
ByWeiL2TPv3
Luo, - CCIE
No. 13,291,
Carlos Pignataro,
L2TPv3 Header
Payload
(Ethernet
II - Frame)
No. 4460,
Anthony
- CCIE
0030 08 00 45 00
00 64
04 Chan,
6e 00
00 No.
ff 10,266
01 31 d7 c0 a8
^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Ethertype
IPv4
Hdr
(ICMP packet)
Publisher:
Cisco
Press
March
0040 02 01 c0 a8 Pub
02 Date:
02 08
0010,
9d2005
07 00 09 00 00 00 00
ISBN: 1-58705-168-0
^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Table of
IPv4 Hdr (ICMP packet)
Pages: 648
ICMP packet
Contents
!remainder
omitted
for
brevity
Index
Note
productivity gains
Note that in Examples

offline
hand decoding
of the packets
Learn11-9,
aboutthe
Layer
2 Virtual
Private Networks
(VPNs)is shown in bold font.
Example 11-9 includes the full Ethereal decode of the packet followed by the hexadecimal capture of the
Gain
fromofthe
book to
address
Layer 2 VPN
utilizing
frame. Each highlighted
section
thefirst
Ethereal
decode
corresponds
to aapplication
highlighted
hexadecimal field. The
both
ATOM
and
L2TP
protocols
decode captures a Cisco-HDLC frame between the SanFran PE router and the Denver P router that
contains an L2TPv3 packet. This L2TPv3 packet payload contains an Ethernet frame from the previous CE
Review strategies
that allow
large
enterprise
customers
enhance
verification ICMP ping executed
from Oakland's
E0/0
interface
to Albany's
E0/0to
interface.
Notice that the capture has two Layer 2 frame headers. The first Layer 2 frame is the Cisco-HDLC frame
For aand
majority
of routers.
Service Providers,
a significant
portion
of their
revenues
between the SanFran
Denver
This is followed
by the IP
delivery
header
that is part of the
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
L2TPv3 packet. Because the L2TPv3 endpoints are the PE routers, the source and destination IP addresses
technologies.
Layer
MPLS VPNsLoopback
fulfill the 0market
need respectively.
for some
in the outer IP delivery
header Although
are SanFran
and3 NewYork's
addresses,
An IP
customers,
they have
some
Ideally,
carriers
with The
existing
protocol type of 0x73,
115, indicates
that
the drawbacks.
IP payload is
an L2TPv3
packet.
session ID is
legacy
Layer 2isand
networks
would
like session
to moveID
toward
a single
0x00000149, which
in decimal
329Layer
and is3 equal
to the
remote
configured
on SanFran that
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
uniquely identifies the session on NewYork. Following the session ID is the 8-byte remote
cookie value,
serviceswhich
over was
theirconfigured
existing Layer
3 cores.as
The
thesevalue.
cases is a
0x000003B100012A8D,
on SanFran
thesolution
remoteincookie
infrastructure.
The L2TPv3 payload
follows the L2TPv3 header and is the second Layer 2 frame header. In this case, the
L2TPv3 payload is a standard Ethernet Version II untagged frame minus the frame check sequence (FCS)
Layer 2 VPN
Architectures
readersfrom
to Layer
2 Virtual
Private
sent to Albany's Ethernet
port,
MAC addressintroduces
0000.0c00.6f00,
Oakland's
Ethernet
port, MAC address
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
0000.0c00.6c00. Further inspection shows that this Ethernet frame is carrying an via
IP payload that is
introductory
case studies
and IP
comprehensive
design scenarios.
This book
sourced from Oakland's
E0/0 interface,
whose
address is 192.168.2.1
(0xc0a80201),
to Albany's E0/0
assists
readers
looking
to
meet
those
requirements
by
explaining
the
interface, whose IP address is 192.168.2.2 (0xc0a80202).
therouter
Cisco receives
Unified VPN
Any
Transport
overIP
MPLS
(ATOM)
for MPLSWhen the NewYork
this suite:
L2TPv3
frame,
the outer
header
and L2TPv3
header are stripped
based
cores and
Layer
2 Tunneling
Protocol
version
(L2TPv3)router
for native
off. The session ID
and cookie
value
in the
L2TPv3 header
provide
the3NewYork
with enough
IP cores.
The structure
of thisand
book
is focused
on first
information to properly
demultiplex
the frame
associate
it with
the introducing
appropriate the
egress attachment
reader
to Layer 2frame
VPN benefits
and implementation
circuit. In this case,
the Ethernet
is forwarded
out of NewYork'srequirements
Ethernet 0/0and
interface and destined
comparing
to Albany's Ethernet
port. them to those of Layer 3 based VPNs, such as MPLS, then
The nature of the Ethernet port-to-port session is that any valid Ethernet frame minus the FCS is
transported across the pseudowire to be replayed on the far-end attachment circuit. Because of this, the
Ethernet port-to-port session is oblivious to the fact that tagged or untagged frames might be received on
Oakland's E0/0 interface. In an alternate scenario in which the Oakland and Albany routers are sending
802.1q tagged frames, the Ethernet port-to-port emulation would be oblivious to the 802.1q tag. It would
transport the tagged Ethernet II frame across the pseudowire transparently, leaving the 802.1q tag
untouched.
Case Study 11-2: Ethernet Port-to-Port Manual Session with Keepalive
Although a manually
Ethernet port-to-port session fulfills the original goal for Layer 2 connectivity,
Layerdefined
2 VPN Architectures
one of the disadvantages
is
that
the13,291,
PE devices
cannot -detect
whether
theBokotey,
remote
peer is responding. If
Carlos Pignataro,
CCIE No.
4619,Dmitry
- CCIE
connectivity is lost
to
the
NewYork
PE,
the
SanFran
router
would
not
tear
down
the
pseudowire; it would
continue sending data packets on the session. In fact, the pseudowire session state for a manual session
always shows established, as shown in the show l2tun session output, regardless of the state of the
peer PE router.
This case
study exploresISBN:
the 1-58705-168-0
configuration, verification, and control plane details for an Ethernet port-toTable of
Pages:
648
port manual
session
with
keepalives.
Because the addition of the keepalives affects only the control plane,
Contents
the data
plane
details
are
the
same
as
in Case Study 11-1 and are not reexamined.
Index
Ethernet Port-to-Port Manual Session with Keepalive Configuration
productivity
gains
Recognizing the drawback
of no
peer detection, the service provider has decided to adjust the original
configuration to support a simple keepalive mechanism. This keepalive mechanism is essentially an L2TPv3
control channel maintained
the PE
devices.
This case
study (VPNs)
adjusts the control connection and
Learnbetween
about Layer
2 Virtual
Private
Networks
management timers so that you can understand how they function. To provision this service, Example 1110 contains the new configuration
applied
to thethe
SanFran
router.
Reduce costs
and extend
reach PE
of your
Gain from the
Layer
2 VPN application
utilizing
Example 11-10. Ethernet
Port-to-Port
Manual
Session
with Keepalive
both
ATOM
and
L2TP
protocols
Configuration on SanFran
hostname SanFran
!
l2tp-class l2-keepalive
hello 30
technologies.
retransmit retries
5
customers,
retransmit timeout
max 4
legacy min
Layer
retransmit timeout
backbone
while
retransmit initial retries new
3
services
over
their
existing
retransmit initial timeout max 7
technology
that
would
allow
retransmit initial timeout min 2
infrastructure.
!
pseudowire-class pw-manual
encapsulation Layer
l2tpv3
Network
protocol none
introductory
assists
readers
!
history
and
implementation
the
Cisco
Unified
VPN
suite:
Any Transport over MPLS (ATOM) for MPLSno ip address
based
cores
and
Layer
2
Tunneling
no cdp enable
IP
cores.
The
structure
of
this
book
focused
xconnect 10.1.1.103 33 encapsulation l2tpv3 is
manual
pw-class
pw-manualthe
l2tp id 245 329
comparing
them to
l2tp cookie local
8 957344
9379092
progressively
covering
l2tp cookie remote 8 76429 945 each currently available solution in greater detail.
l2tp hello l2-keepalive
Example 11-11 contains the new configuration applied to the SanFran PE router.
Example 11-11. Ethernet Port-to-Port Manual Session with Keepalive

Configuration on NewYork
hostname NewYork
!
l2tp-class l2-keepalive
hello 30
No. 4460,5Anthony Chan, - CCIE No. 10,266
retransmit retries
retransmit timeout max 4
Publisher:
Press
retransmit timeout
min Cisco
2
retransmit initial
retries
Pub Date:
March 3
10, 2005
retransmit initial ISBN:
timeout
max
7
1-58705-168-0
Table of
retransmit
initialPages:
timeout
min
2
648
Contents
!
Index
pseudowire-class pw-manual
protocol none
Master Loopback0
ip local interface
productivity gains
!
no ip address
no cdp enable
xconnect 10.1.1.102 33 encapsulation l2tpv3 manual pw-class pw-manual
l2tp id 329 245
l2tp cookie local 8 76429 945
l2tp cookie remote
8 957344
Gain
from the9379092
first book to address Layer 2 VPN application utilizing
l2tp hello l2-keepalive

Although thecustomers,
ip cef andthey
interface
Loopback
0 definitions
not shown,
these commands are
have some
drawbacks.
Ideally,are
carriers
with existing
still requiredlegacy
in the Layer
configuration.
They3 were
removed
from
example
to reduce
the
2 and Layer
networks
would
likethe
to move
toward
a single
redundancy backbone
in the example
whileconfigurations.
infrastructure.
Following are the primary steps involved in defining an L2TPv3 manual session with keepalives:
Note

Define an
l2tp-class
template.
Optionally
modifyLayer
L2TPv3
control
channelvia
timers.
Network
(VPN)
concepts,
and describes
2 VPN
techniques
readers looking
Step
Define a assists
pseudowire-class
template.
2.
the
Cisco Unified
VPN
suite: Anyinterface
Transport
over
(ATOM)
for MPLS- manual
Step
Define an
xconnect
on the
appropriate
with
theMPLS
necessary
preconfigured
based
cores
and
Layer
2
Tunneling
Protocol
version
3
(L2TPv3)
for native
3.
attributes. In the config-if-xconn submode, reference the l2tp-class template
using the l2tp
IP
cores.
The
structure
of
this
book
is
focused
on
first
introducing
the
hello syntax.
progressively
covering
each
currently
available
solution
in greater
detail. In this example,
The first step to enabling
a manual
session
with
keepalives
involves
defining
an l2tp-class.
Step
1.
an l2tp-class was defined named l2-keepalive that consists of a series of timer modifications. The Hello
message keepalive timer was modified from the default 60 seconds to 30 seconds via the hello 30 syntax
If a Hello message is not acknowledged, the control channel attempts five retries per the retransmit
retries configuration. The retransmit retries min configuration defines the first retry interval at 2
seconds and doubles per interval up to the retransmit retries max value. After the pseudowire session
fails, the L2TPv3 endpoints try to restore the control channel by sending the initial SCCRQ message. In the
same manner, the number of SCCRQ retries and time between retry attempts are dictated by the
retransmit initial retries,retransmit initial min, and retransmit initial max configured values.
Thepseudowire-class pw-manual definition is reused from the previous "Ethernet Port-to-Port Manual
Session" section of Case Study 11-1. As mentioned in that case study, defining a pseudowire-class
template is a highly recommended best practice to make the source address of L2TPv3 packets
deterministic.
Thexconnect configuration
then
references
l2tp-class by name in the config-if-xconn submode as a
No. 4460,Anthony
Chan,
- CCIE No.this
10,266
template to use for its keepalive mechanism via the l2tp hello l2-keepalive command. The control
channel negotiation Publisher:
and keepalive
are examined in more detail in the subsequent "Ethernet Port-to-Port
Cisco Press
Manual Session withPub
Keepalive
Control Plane Details" section.
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
Ethernet
Port-to-Port Manual Session
Index
with Keepalive Verification
Because of the use of the control channel in this case study, additional output is available from several
show commands used to monitor the health of the L2TPv3 control channel and sessions. They include the
following commands:
productivity gains
show l2tun

show l2tun tunnel all
Example 11-12 lists thenetwork
output architecture
for the show l2tun command.

l2tun
Output
both ATOM show
and L2TP
protocols
SanFran#show l2tun their service offerings while maintaining routing control
Tunnel controlFor
packets
dropped
due Providers,
to faileda significant
digest 0 portion of their revenues
a majority
of Service
LocID RemID Remote Name State Remote Address Port Sessions L2TPclass
37528 27854 NewYork
est
10.1.1.103
0
0
l2-keepalive
legacy Layer
2 and Username,
Layer 3 networks
LocID
RemID
TunID
Intf/ would like to move toward a single
State
backbone while new
carriers
would
Vcid, Circuit like to sell the lucrative Layer 2
their 33,
existing
Layer 3 cores. The solution in these cases
245
329 services over
37528
Et0/0
estis a
infrastructure.

Theshow l2tun tunnel
displaysand
three
sectionsLayer
of output:
Networkcommand
(VPN) concepts,
describes
Total tunnel and session information
the Cisco
Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSTunnel summary
information
IP cores.
Session summary
information
them
to those
3 based 11-5
VPNs,output
such as
then 11-1: Ethernet
When comparing comparing
the Example
11-12
outputoftoLayer
the Example
in MPLS,
"Case Study
progressively
covering
available
solution
in greater
detail.that were not
Port-to-Port Manual
Session," you
noticeeach
that currently
highlighted
fields contain
additional
details
previously shown in manually defined sessions. In the first section of output, referred to as the total tunne
and session information section, the total tunnels value is now 1. Configuring a manual session with
keepalive initiates an L2TPv3 tunnel, also referred to as an L2TPv3 control channel, which explains the one
tunnel count.
In the second portion of the show l2tun output, described as the tunnel summary section, the L2TP class
field refers to the l2-keepalive template for this L2TPv3 tunnel. Also note that the tunnel ID, also referred
to as the control connection ID, in the session summary section is now a nonzero value of 37528 that was
negotiated as part of the control channel establishment. The method by which the control channel is
established and the way the tunnel ID is negotiated are explored in more detail in the "Ethernet Port-to-
Port Manual Session with Keepalive Control Plane Details" section of this case study.
Note
In the first section

of output from the show l2tun tunnel command, the total tunnels value is
1, as is the total sessions count. However, note that in tunnel summary information, the
Sessions field is listed as 0 for the one tunnel in the case study with local tunnel ID 37528. The
ISBN: 1-58705-168-0
reason
Table of for this apparent discrepancy is that the first section of output lists the global session
Pages:
count,
both manually and dynamically negotiated sessions. The Sessions field
Contentswhich consists of648
only dynamic sessions negotiated against that specific L2TPv3 tunnel. Because this case
counts
Index
study examines a manually defined session, the Sessions field does not register it against the
tunnel.
productivity gains
Theshow l2tun tunnel all output shown in Example 11-13 captures additional details for the L2TPv3
control channel.

show l2tun tunnel allOutput
SanFran#show l2tun tunnel all
Tunnel Information Total tunnels 1 sessions 1
Tunnel control packets
due
toallow
failed
0 customers to enhance
Reviewdropped
strategies
that
largedigest
enterprise
service offerings
while maintaining
routing control
Tunnel id 37528 is their
up, remote
id is 27854,
0 active sessions
Tunnel state is established, time since change 00:52:10
For a majority
Tunnel transport
is IP (115)
are
still
derived
Remote tunnel name is NewYork
technologies.
Although
Layer03 MPLS VPNs fulfill the market need for some
Internet Address 10.1.1.103, port
customers,
they
have
some
Local tunnel name is SanFran
legacy
Layer
2
and
Layer
3
networks
Internet Address 10.1.1.102, port 0
backbone
while
new
carriers
would
like
Tunnel domain is
services
over
their
existing
Layer
3
cores.
VPDN group for tunnel is technology
that
would
allow
Layer
2
transport
over a Layer 3
L2TP class for tunnel is l2-keepalive
infrastructure.
0 packets sent, 0 received
0 bytes sent, 0 received
Control Ns 105, Nr 106
Local RWS 1024 (default), Remote RWS 1024 (max)
Tunnel PMTU checking disabled
Retransmission time 1, max 2 seconds
Unsent queuesize 0, max 0
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSResend queuesize 0, max 1
Total resends 0, ZLB ACKs sent 105
Current nosession queue check 0 of 5
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
Sessions disconnected due to lack of resources 0
Control message authentication is disabled
Example 11-13 displays both the local and remote tunnel IDs that were negotiated during control channel
establishment and the current tunnel state and tunnel timer since the last state change. Because L2TPv3 is
used instead of UTI, the IP protocol tunnel transport type is set to 115. Also, as a part of the control
channel establishment, the remote and local tunnel names and negotiated receive window sizes (RWS) are
displayed. The RWS is the maximum number of control messages that can be sent before the L2TPv3
control connection must wait for an acknowledgement. The negotiated window size allows for a sliding
window mechanism for control channel messages, as described in Chapter 10.

Note
Theshow l2tun
session all command output is essentially the same as in "Case Study 11-1:
Ethernet Port-to-Port Manual Session." Therefore, it is not reviewed in this case study.
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Ethernet Port-to-Port Manual Session with Keepalive Control Plane Details

As mentioned earlier, the use of keepalives for dead peer detection initiates a control connection between
the L2TPv3 PE endpoints.
Following
two2debug
that you can
use toand
display
Master the
world ofare
Layer
VPNs commands
to provide enhanced
services
enjoythe control
connection establishment:
productivity gains
debug vpdn l2x-events
debug vpdn l2x-packets

debug vpdn l2x-events displays general L2TP protocol events, whereas debug vpdn l2xpackets
displays parsed L2TP control
packets.
Example
11-14
captures
SanFran
PE router
debug output for the
Gain from
the first
book to
address
Layerthe
2 VPN
application
utilizing
L2TPv3 control connection
NewYork.
bothto
ATOM
and L2TP protocols

their service
offerings
while maintaining
routing
control
debug
vpdn
l2x-events
Output
on Control
Connection Initialization

technologies.
Layer
MPLS
the market
need for some
*Nov 17 11:27:42.460:
L2X:Although
Parse AVP
0,3len
8,VPNs
flagfulfill
0x8000
(M)
customers,
theyParse
have some
*Nov 17 11:27:42.460:
L2X:
SCCRQdrawbacks. Ideally, carriers with existing
legacy
Layer 2AVP
and 6Layer
3 networks
wouldCisco
like to AVP
move
single and
! AVP 2 Protocol
Version,
Firmware
Version,
8 toward
Vendora Name,
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
Cisco AVP 10 Vendor AVP version omitted for brevity
services over
existing
Layer
The solution
in these cases is a
*Nov 17 11:27:42.460:
L2X:their
Parse
AVP 7,
len3 cores.
13, flag
0x8000 (M)
technology
thatHostname
would allow
*Nov 17 11:27:42.460:
L2X:
NewYork
infrastructure.
*Nov 17 11:27:42.460:
L2X: Parse AVP 10, len 8, flag 0x8000 (M)
*Nov 17 11:27:42.460: L2X: Rx Window Size 1024
Layer 2 VPN
Architectures
introduces
Layer0x8000
2 Virtual
Private
*Nov 17 11:27:42.460:
L2X:
Parse Cisco
AVP 1, readers
len 10,toflag
(M)
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via
*Nov 17 11:27:42.460: L2X: Assigned Control Connection ID 27854
introductory
case
studies
and
comprehensive
design
scenarios.
This
*Nov 17 11:27:42.460: L2X: Parse Cisco AVP 2, len 22, flag 0x8000 (M) book
assists readers
looking to
meet
those requirements
*Nov 17 11:27:42.460:
L2X: Pseudo
Wire
Capabilities
List: by explaining the
history
and
implementation
details
of
the
two
available [0003],
from
*Nov 17 11:27:42.460: L2X:
FR-DLCI [0001], ATM-AAL5technologies
[0002], ATM-Cell
the
Cisco
Unified
VPN
suite:
Any
Transport
over
MPLS
(ATOM)
for
MPLS*Nov 17 11:27:42.460: L2X:
Ether-Vlan [0004], Ether [0005], HDLC [0006],
based cores
and Layer
2 Tunneling
Protocol version
*Nov 17 11:27:42.460:
L2X:
PPP [0007],
ATM-VCC-Cell
[0009],
IP cores. L2X:
The structure
of this book
is focused
*Nov 17 11:27:42.460:
ATM-VPC-Cell
[000A],
IP on
[000B]
reader to L2X:
LayerNo
2 VPN
benefits
andin
implementation
requirements and
*Nov 17 11:27:42.460:
missing
AVPs
SCCRQ
comparing
them
to
those
of
Layer
3
based
VPNs,
such
MPLS,
*Nov 17 11:27:42.460: L2X: I SCCRQ, flg TLS, ver 3, len 122,astnl
0, then
ns 0, nr 0
progressively
covering
each
currently
available
solution
in
greater
detail.
contiguous pak, size 122
*Nov 17 11:27:42.460:
*Nov 17 11:27:42.460:
passed.
*Nov 17 11:27:42.460:
address 10.1.1.103
*Nov 17 11:27:42.460:
*Nov 17 11:27:42.460:
ns 0, nr 1
*Nov 17 11:27:42.460:
L2TP: I SCCRQ from NewYork tnl 27854

Tnl37528 L2TP: Control connection authentication skipped/
Tnl37528 L2TP: New tunnel created for remote NewYork,
Tnl37528 L2TP: O SCCRP to NewYork tnlid 27854
Tnl37528 L2TP: O SCCRP, flg TLS, ver 3, len 122, tnl 27854,
Tnl37528 L2TP: Control channel retransmit delay set to 2
seconds
*Nov 17 11:27:42.460: Tnl37528 L2TP: Tunnel state change from idle to wait-ctlreply
Layer 2 VPNTnl37528
Architectures
*Nov 17 11:27:42.536:
L2TP: Parse AVP 0, len 8, flag 0x8000 (M)
ByWei Luo, -Tnl37528
CCIE No. 13,291,
Carlos
Pignataro,
*Nov 17 11:27:42.536:
L2TP:
Parse
SCCCN
No. 4460,Anthony
Chan, - L2TP:
CCIE No.No
10,266
*Nov 17 11:27:42.536:
Tnl37528
missing AVPs in SCCCN
*Nov 17 11:27:42.536: Tnl37528 L2TP: I SCCCN, flg TLS, ver 3, len 20, tnl 37528,
ns 1, nr 1 contiguous
pak,Press
size 20
Publisher: Cisco
*Nov 17 11:27:42.536:
Tnl37528
L2TP: I SCCCN from NewYork tnl 27854
Pub Date:
March 10, 2005
*Nov 17 11:27:42.536: Tnl37528 L2TP: Control connection authentication skipped/
ISBN: 1-58705-168-0
Table of
passed.
Pages:
648
*Nov Contents
17 11:27:42.536: Tnl37528 L2TP: Tunnel state change from wait-ctl-reply to
Index
established
*Nov 17 11:27:42.536: Tnl37528 L2TP: O ZLB ctrl ack, flg TLS, ver 3, len 12, tnl
27854, ns 1, nr 2
*Nov 17 11:27:42.536: Tnl37528 L2TP: SM State established
Master the
Layer 2omitted
VPNs to provide
! world
Debugofoutput
for brevity
productivity
gains
*Nov 17 11:28:12.552: Tnl37528 L2TP: O Hello to NewYork tnlid 27854
*Nov 17 11:28:12.552: Tnl37528 L2TP: O Hello, flg TLS, ver 3, len 20, tnl 27854,
ns 1, nr 3
! Debug output omitted for brevity
*Nov 17 11:28:12.600:
Tnl37528
L2TP:
I ZLB
flg
TLS, ver
3, lenyour
12, tnl
Reduce costs and
extend
the ctrl
reach ack,
of your
services
by unifying
37528, ns 3, nr 2network architecture
*Nov 17 11:28:42.568:
L2TP:
O Hello
to Layer
NewYork
tnlid
27854 utilizing
GainTnl37528
from the first
book
to address
2 VPN
application
*Nov 17 11:28:42.568:
O Hello, flg TLS, ver 3, len 20, tnl 27854,
bothTnl37528
ATOM andL2TP:
L2TP protocols
ns 2, nr 3

Note
The hexadecimal
output
eachLayer
control
messagewould
from the
vpdn
l2x-packets
legacy
Layerfor
2 and
3 networks
likedebug
to move
toward
a single command
has been removed
from
Example
11-14 and
anylike
subsequent
vpdn
l2x-packets
captures
backbone
while
new carriers
would
to sell thedebug
lucrative
Layer
2
in future examples.
infrastructure.
The debug outputLayer

shows
the typical
three-way
handshake,
SCCRQ/SCCRP/SCCCN
(Start-Control2 VPN
Architectures
introduces
readers
Connection Connected),
control
channeland
initialization,
described
in Chapter 10.
Networkfor
(VPN)
concepts,
describes as
Layer
2 VPN techniques
via The SanFran router
receives an inbound
SCCRQ (Icase
SCCRQ)
from
NewYork
with multiple
AVPs,
such asThis
Hostname
introductory
studies
and
comprehensive
design
scenarios.
book and RWS.
The control connection
that NewYork
is 27854,
which corresponds
to the
assistsID
readers
looking allocates
to meet those
requirements
by explaining
theremote tunnel ID
from the show l2tun
tunnel
all output demonstrated
in the
Port-to-Port
history
and implementation
details of the
two"Ethernet
technologies
availableManual
from Session with
Keepalive Verification"
section
of this
case
study.
notice over
that MPLS
the Pseudowire
Capabilities
List AVP
the Cisco
Unified
VPN
suite:
AnyAlso
Transport
(ATOM) for
MPLSincludes Ethernetbased
VLAN cores
and Ethernet
port
pseudowires.
Upon
receipt
of
the
SCCRQ,
SanFran
creates
a new
tunnel that has a IP
local
control
connection
ID
of
37528
and
replies
with
an
SCCRP
message.
NewYork
completes the negotiation
the control
connection
sending an SCCCN
message,and
which SanFran (I
reader to of
Layer
2 VPN benefits
andby
implementation
requirements
SCCCN) receives.comparing
SanFran acknowledges
SCCCN3 message
withsuch
a Zero
Lengththen
Body (ZLB) message.
them to thosethe
of Layer
based VPNs,
as MPLS,
After the control connection is established, Hello messages are sent periodically from each L2TPv3
endpoint and serve as a keepalive mechanism for dead peer detection. The Hello messages are
acknowledged through the use of ZLB messages. Note that the time between the first Outbound Hello
message (sent at 11:28:12) and the second Hello message (11:28:42) is 30 seconds. The 30-second
interval coincides with the hello 30 configuration line defined in the SanFran PE router l2-keepalive
template.
The purpose of configuring keepalives in this case study is to provide a means of detecting L2TPv3 peer
loss. Whereas Example 11-14 illustrates control connection initialization, the next example demonstrates a
control connection teardown for a different L2TPv3 tunnel with a local tunnel ID of 40786 and remote
tunnel ID of 22379. More specifically, Example 11-15 shows the debug vpdn l2x-events output from the
SanFran router during a core link failure, where it loses connectivity to its L2TPv3 peer, NewYork.
ByWei SanFran
Luo, - CCIE No.
13,291,Carlos
Pignataro,
- CCIE No. 4619,
Dmitry Bokotey,
- CCIEConnection
Example 11-15.
debug
vpdn
l2x-events
Output
Control
Teardown
SanFran#
*Nov 20 15:11:55.979:
Tnl40786
L2TP: O Hello to NewYork tnlid 22379
ISBN:
1-58705-168-0
Table of
*Nov
Tnl40786 L2TP: Control channel retransmit delay set to 2
20 15:11:55.979:
Pages: 648
Contents
seconds
Index
*Nov
20 15:11:57.999: Tnl40786 L2TP: O Resend Hello, flg TLS, ver 3, len 20, tnl
22379, ns 97, nr 98
*Nov 20 15:11:57.999: Tnl40786 L2TP: Control channel retransmit delay set to 4
seconds
*Nov 20 15:12:01.999: Tnl40786 L2TP: O Resend Hello, flg TLS, ver 3, len 20, tnl
productivity gains
22379, ns 97, nr 98
22379, ns 97, nr Learn
98
22379, ns 97, nr Reduce
98
*Nov 20 15:12:13.999:
Tnl40786
L2TP: O Resend Hello, flg TLS, ver 3, len 20, tnl
network
architecture
22379, ns 97, nr 98
*Nov 20 15:12:17.999:
L2TP:
O StopCCN
toLayer
NewYork
22379utilizing
GainTnl40786
from the first
book
to address
2 VPNtnlid
application
*Nov 20 15:12:17.999:
Tunnel state change from established to
bothTnl40786
ATOM andL2TP:
L2TP protocols
shutting-down
Review
strategies
thatShutdown
allow largetunnel
*Nov 20 15:12:23.019:
Tnl40786
L2TP:
theirTnl/Sn0/245
service offerings
while
maintainingsession
routing control
*Nov 20 15:12:23.019:
L2TP:
Destroying
Note
InExample 11-15,
SanFran's
Hello messages
are
unacknowledged
via ZLB
technology
that would
allow Layer
2 transport
over a Layer
3 messages because of
the loss of connectivity
to NewYork. To display ZLB acknowledgements or the lack thereof,
infrastructure.
enabledebug vpdn l2x-packets in Example 11-15.
to meet those
requirements
by explaining
Initially, SanFran assists
sends areaders
Hello atlooking
15:11:55.979.
Unfortunately,
because
of the linkthe
failure, the Hello
details
available
from
message is not acknowledged
via a ZLB message.
Asofconfigured
in retransmit
retries
5, five
thesent
Cisco
VPN suite:
Any Transport
over MPLS (ATOM)
for MPLS-and
retransmissions are
atUnified
15:11:57.999,
15:12.01.999,
15:12:05.999,
15:12:10.019,
coresl2-keepalive
and Layer 2template
Tunneling
Protocol version
15:12:13.999. Inbased
SanFran's
configuration,
the retransmission
intervals are bounded
IP retries
cores. The
structure
of this bookretries
is focused
on4first
introducing
the
by the retransmit
min
2 and retransmit
max
values.
Any subsequent
retries use the
reader
to Layer
2 VPN
and implementation
requirements
max value when it
is reached.
After
the benefits
final retransmission,
the control
channel is and
torn down and a Stopcomparing them
to those ofmessage
Layer 3 based
such as MPLS,
then the loss of
Control-Connection-Notification
(STOPCCN)
is sentVPNs,
at 15:12:17.999.
Because
progressively
covering
available
solution
greater
detail.
connectivity to NewYork
is detected,
noteach
only currently
is the tunnel
shut down,
butinits
associated
sessions are, too.
Example 11-16 captures the debug vpdn l2x-events output for SanFran's attempt to reinitialize the
L2TPv3 control connection after it detects peer loss.
Example 11-16. SanFran debug vpdn l2x-eventsOutput on Control

Connection Reinitialization
*Nov 20 15:12:33.099: Tnl/Sn0/245 L2TP: Create session

*Nov 20 15:12:33.099: Tnl52029 L2TP: SM State idle
*Nov 20 15:12:33.099: Tnl52029 L2TP: O SCCRQ
Layer 2 VPNTnl52029
Architectures
*Nov 20 15:12:33.099:
L2TP: Control channel retransmit delay set to 2 seconds
CCIE No. 13,291,
Carlos
Pignataro,
- CCIEchange
No. 4619,Dmitry
CCIE
*Nov 20 15:12:33.099:
L2TP:
Tunnel
state
fromBokotey,
idle -to
wait-ctl-reply
No. 4460,Anthony
Chan, - L2TP:
CCIE No.SM
10,266
*Nov 20 15:12:33.099:
Tnl52029
State wait-ctl-reply
*Nov 20 15:12:33.099: Tnl/Sn0/245 L2TP: L2TP: INSTALL: Manually configured
session using tunnel
for keepalive support
Publisher:52029
Cisco Press
*Nov 20 15:12:33.099:
Tnl/Sn0/245
Pub Date:
March 10, 2005 L2TP: Session state change from idle to waitfor-tunnel
ISBN: 1-58705-168-0
Table
of
*Nov
20 15:12:35.119:
Tnl52029 L2TP: O Resend SCCRQ, flg TLS, ver 3, len 122,
Pages:
648
tnlContents
0, ns 0, nr 0
Index
*Nov
20 15:12:35.119: Tnl52029 L2TP: Control channel retransmit delay set to 4 seconds
*Nov 20 15:12:39.119: Tnl52029 L2TP: O Resend SCCRQ, flg TLS, ver 3, len 122, tnl
0, ns 0, nr 0
*Nov 20 15:12:39.119: Tnl52029 L2TP: Control channel retransmit delay set to 7 seconds
Master the
world of Layer
to provide
services
and
enjoy
*Nov 20 15:12:46.119:
Tnl52029
L2TP: 2OVPNs
Resend
SCCRQ,enhanced
flg TLS,
ver 3,
len
122,
productivity
gains
tnl 0, ns 0, nr 0
*Nov 20 15:12:53.119: Tnl52029 L2TP: O StopCCN
*Nov 20 15:12:53.119: Tnl52029 L2TP: Tunnel state change from wait-ctl-reply to
shutting-down
*Nov 20 15:12:58.139:
Tnl52029
L2TP:
Shutdown
tunnel
Reduce
costs and
extend
the reach
*Nov 20 15:12:58.139:
Tnl/Sn0/245
L2TP:
Destroying
session
InExample 11-16, SanFran attempts to reinitialize the control channel by sending an SCCRQ request at
15:12:33.099. Although
this isstrategies
the continuation
of the
debug
outputcustomers
from Example
11-15 where SanFran's
Review
that allow
large
enterprise
to enhance
local tunnel ID is 40786,
theservice
SanFran
PE router
is attempting
initialize
a new control connection and has
their
offerings
while
maintainingtorouting
control
allocated a new local tunnel ID of 52029. Unfortunately, because connectivity to NewYork has not been
restored yet, the For
SCCRQ
is not acknowledged,
and three
SCCRQ attempts
sent
at 15:12:35.119,
a majority
a significant
portion ofare
their
revenues
15:12:39.119, and
15:12:46.119
based
on
the
retransmit
retries
initial
3
configuration.
These
retransmissions begin
with
the
retransmit
retries
initial
min
2
and
double
per
retransmission
up to the
retransmit retries
initial
max
7.
Because
all
three
attempts
fail,
a
STOPCCN
is
sent
to
tear
down
the
control channel atlegacy
15:12:53.119.
technology
that would
allow Layer 2 transport
overSession
a Layer 3
Case Study 11-3:
Ethernet
Port-to-Port
Dynamic
infrastructure.
Although a manually
defined
with keepalive
provides
some
added
this method still has
Layer
2 VPN session
Architectures
introduces
readers
to Layer
2 benefit,
Virtual Private
some drawbacks.Network
From a management
perspective,
manual
sessions
require
the
administrator
to predefine
the session IDs and
cookies
on
each
peer,
whereas
dynamic
sessions
automatically
negotiate
them.
Furthermore, dynamic
sessions
signal
pseudowire
session
states.
assists
readerscan
looking
toindividual
meet those
requirements
by explaining
the

This case study covers the configuration, verification, and control plane details of an Ethernet port-to-port
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSdynamic session. Because the change from a manual to dynamic session primarily affects the control
plane, the data plane details are the same as in Case Study 11-1 and are not reexamined.
Note
Although L2TPv3 dynamic sessions could signal the session state, the attachment circuit must
have some management mechanism to indicate the health of its circuit to the CE device.
Unfortunately, Ethernet presently does not have a management mechanism to signal individual
Ethernet VLAN failures or Ethernet port failures outside of disabling the port, unlike Frame Relay
or ATM. Therefore, although a pseudowire might have failed with dynamically negotiated
sessions, the attachment circuits would not fail because Ethernet inherently does not support this
capability.
Layer 2 VPN
Architectures
Dynamic
Configuration
No. 4460,Anthony
Chan, - configurations
CCIE No. 10,266 to dynamically negotiate the pseudowire sessions. The
This case study modifies
the L2TPv3
SanFran router configuration is shown in Example 11-17. A similar configuration exists on NewYork.

Configuration
ISBN: 1-58705-168-0
Table of
Contents
Index SanFran
hostname
Pages: 648
!
l2tp-class l2-dyn
authentication
password i8spr42
cookie size 8 productivity gains
!
pseudowire-class pw-dynamic
protocol l2tpv3 l2-dyn
ip local interfacenetwork
Loopback0
architecture
!
no ip address
no cdp enable
xconnect 10.1.1.103
33 service
pw-class
pw-dynamic
their
offerings

The general stepstechnologies.
to provisioning
a dynamic
L2TPv3
session
are similar
to those
in Ethernet
Although
Layer
3 MPLS
VPNs fulfill
the market
need
for some port-to-port
manual session with
keepalives.
However,
a
few
differences
are
worth
highlighting.
Because the session is
no longer manual,legacy
config-if-xconn
submode
is not
xconnect command
Layer 2 and
Layer 3configuration
networks would
likerequired.
to move Instead,
toward athe
single
references a pseudowire-class
called
in this
backbone while
newpw-dynamic
carriers would
like example.
to sell theWhereas
lucrativepreviously
Layer 2 the protocol type
was none, it is now
configured
protocol
l2tpv3,
indicates
that aninL2TPv3
control
is
services
over as
their
existing
Layerwhich
3 cores.
The solution
these cases
is channel
a
requested with dynamic
session
the protocol
technology
thatnegotiation.
would allowOptionally,
Layer 2 transport
over a l2tpv3
Layer 3command can also reference
an l2tp-class template.
In this case, because the service provider wants to implement an 8-byte L2TPv3
infrastructure.
cookie, an l2tp-class called l2-dyn is defined with those characteristics. To revert to the default control
channel timers, the
explicit
timer
commandsintroduces
for Hello messages
control
message
retransmits have
Layer
2 VPN
Architectures
readers toand
Layer
2 Virtual
Private
been removed. Another
difference
with theand
l2-dyn
template
is the
use techniques
of authentication.
To provide control
Network
(VPN) concepts,
describes
Layer
2 VPN
via
channel authentication,
this case
study
employs
a shared secret
by enabling
the authentication
keyword
introductory
case
studies
and comprehensive
design
scenarios.
This book
and defining a shared
secret
via the
password
configuration.
assists
readers
looking
to meetshared-secret
those requirements
by explaining the
and Layer
2 Tunneling
Dynamic
Session
Verification
The same show commands that were used in the verification of manual session case studies are reused in
this example. The show commands include the following:
show l2tun
show l2tun tunnel all
show l2tun session all
In fact, the majority of the output of the show l2tun and show l2tun tunnel all commands is similar,
with only a few minor differences. Example 11-18 captures the output from the show l2tun command.
Example 11-18. SanFran show l2tunOutput

SanFran#show l2tun
Tunnel and Session
Total
tunnels 1 sessions 1
No. 4460,Information
Anthony Chan, - CCIE
No. 10,266
Publisher:
Press Remote Address Port Sessions L2TPclass
LocID RemID Remote
Name Cisco
State
Pub
Date:
March
10, 200510.1.1.103
33819 41993 NewYork
est
0
1
l2-dyn
Table of
LocID
ISBN: 1-58705-168-0
RemID
Contents
Index
23878
36820
TunID
Pages: 648
33819
Username, Intf/
Vcid, Circuit
33, Et0/0
State
est
Master
thethe
world
of Layer
2 VPNs
provide
enhanced
enjoy
One of the differences
with
previous
case
is theto
session
count.
As in services
Example and
11-12,
both the total
productivity
gains
tunnels and sessions
values are
equal to 1 in the first line of output. However, in the tunnel summary
information, the Sessions field is also 1. That is because this pseudowire session is negotiated dynamically
against the L2TPv3 tunnel. Also notice that in the session summary information, the local LocID and
RemID fields represent the local and remote session IDs. Unlike the manual session case studies, in which
session IDs were configured explicitly under the xconnect command in the config-if-xconn submode,
these values were negotiated dynamically via the control channel. The dynamic creation of the session and
the negotiation of the session ID are examined in detail in the control plane negotiation.
Example 11-19 captures the output from the show l2tun tunnel all command.

show
l2tun
Output routing control
their service
offerings
whileall
maintaining

SanFran#show l2tun
tunnel
all
are still
derived
Tunnel Information
Total
tunnels
1 sessions
3 MPLS 1VPNs fulfill the market need for some
Tunnel controlcustomers,
packets dropped
due
to
failed digest
0 carriers with existing
they have some drawbacks.
Ideally,
Layer
2 andid
Layer
networks
would like
Tunnel id 33819legacy
is up,
remote
is 341993,
1 active
sessions
backbone
while
new
carriers
would
like
to
sell
the
lucrative Layer 2
Tunnel state is established, time since change 00:02:05
services
over
their
existing
Layer
3
cores.
The
solution
in these cases is a
Tunnel transport is IP (115)
technology
that
would
allow
Layer
2
transport
over
a
Layer
3
infrastructure.
Tunnel domain is
VPDN group for tunnel is assists readers looking to meet those requirements by explaining the
L2TP class for tunnel is l2-dyn
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS3720 bytes sent, 3556 received
Control Ns 6, Nr 4
Unsent queuesize 0, max 0
Resend queuesize 0, max 2
Total resends 0, ZLB ACKs sent 2
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
Sessions disconnected due to lack of resources 0
Control message authentication is disabled
As highlighted in Example 11-19, because the pseudowire session is negotiated dynamically in the tunnel,
one session is listed as active. The last line indicates that control message authentication is disabled. As
described in the section "l2tp-class Command Syntax," the two methods of control channel authentication
Layer a
2 VPN
Architectures
are an old style using
CHAP-like
mechanism and a new style using message digests. The last line of
Byrefers
Wei Luo,to
- CCIE
No. 13,291,
Pignataro,
CCIE study
No. 4619,
Dmitry Bokotey,the
- CCIE
highlighted output
the new
style.Carlos
Because
thecase
implements
old style of control
No. 4460,the
Anthony
Chan, - shows
CCIE No.the
10,266
channel authentication,
message
authentication as disabled.
The major differences

in output
the manual and dynamic session case studies are reflected in the
Publisher:
Ciscobetween
Press
show l2tun session
all command. Example 11-20 captures the output from the show l2tun session al
command on the SanFran PE router.
Table of
Contents
Index
Example
ISBN: 1-58705-168-0
Pages: 648
11-20. SanFran show l2tun session allOutput
SanFran#show l2tun session all

Master the
world
of Layer1 2sessions
VPNs to provide
Session Information
Total
tunnels
1
gains
Tunnel controlproductivity
packets dropped
due to failed digest 0
Session id 23878 isLearn

up, tunnel
id 33819
about Layer
Remote tunnel name Reduce
is NewYork
Internet address network
is 10.1.1.103
architecture
Session is L2TP signalled
Session state is Gain
established,
time
since
changeLayer
00:02:11
from the first
book
to address
39 Packets sent,
38ATOM
received
both
and L2TP protocols
Receive packetsReview
dropped:
out-of-order:their service offerings
0
total:
0
For dropped:
Send packets
still derived
exceeded are
session
MTU: from 0
total: technologies. Although
0 Layer 3 MPLS VPNs fulfill the market need for some
Session vcid customers,
is 33
Layer 2 and
3 networks name
wouldis
likeEthernet0/0
Session Layerlegacy
2 circuit,
typeLayer
is Ethernet,
backbone
while
new
carriers
would
like
to
sell
the
lucrative Layer 2
Circuit state is UP
services
over
their
existing
Layer
3
cores.
The
solution
in these cases is a
technology
that
would
allow
Layer
2
transport
over
a
Layer
DF bit off, ToS reflect disabled, ToS value 0, TTL value 255 3
infrastructure.
Session cookie
information:
local cookie, size 8 bytes, value 34 D4 9E 24 6B AF AF CE
Layer size
2 VPN 8Architectures
introduces
readers
Layer
remote cookie,
bytes, value
F5 6A 1F
7F 1Ato7B
12 2
BFVirtual Private
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via
FS cached header information:
introductory
case
studies
and
comprehensive
design
scenarios.
This
book
encap size = 32 bytes
assists
readers
looking
to
meet
those
requirements
by
explaining
the
00000000 00000000 00000000 00000000
history and
implementation
00000000 00000000
00000000
00000000
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSSequencing isbased
off cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
The local session progressively
ID of 23878 and
the remote
session ID
of 36820
is shown
in the output.
covering
each currently
available
solution
in greater
detail. The second
highlighted line in Example 11-20 lists the call serial number of 2931100006, which is a shared value
between the L2TPv3 endpoints that uniquely references this pseudowire session. Finally, you can see that
8-byte session cookies are negotiated per the cookie size 8 command in the l2-dyn template. The session
IDs, call serial number, and cookie values are also negotiated dynamically during session negotiation.
Ethernet Port-to-Port Dynamic Session Control Plane Details

Dynamic negotiation of the control plane takes place in two phases:
Control connection (tunnel) establishment

Layer 2 VPN establishment
Architectures
Session (pseudowire)
Although the debug

vpdn
l2x-events
command
No. 4460,
Anthony
Chan, - CCIE
No. 10,266 displays these events, you can obtain further detail with
thedebug vpdn l2x-packets command, which displays the AVPs contained in each control message. The
debug output from the
control connection establishment phase is captured on the SanFran router and
displayed in Example 11-21.
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents 11-21. SanFran
Example
debug vpdn l2x-eventsand debug
Index for Control Connection Establishment Phase
Output
vpdn l2x-packet
SanFran#
Master the
world of Layer
*Nov 22 07:34:46.445:
Tnl33819
L2TP:2OVPNs
SCCRQ
productivity
gains L2TP: O SCCRQ, flg TLS, ver 3, len 144, tnl 0,
*Nov 22 07:34:46.445:
Tnl33819
ns 0, nr 0
*Nov 22 07:34:46.445: Tnl33819 L2TP: Control channel retransmit delay set to
1 seconds
*Nov 22 07:34:46.445: Tnl33819 L2TP: Tunnel state change from idle to wait-ctlReduce costs and extend the reach of your services by unifying your
reply
*Nov 22 07:34:46.445: Tnl33819 L2TP: SM State wait-ctl-reply
*Nov 22 07:34:46.525:
L2TP:
Parse
AVP 0,Layer
len 28,
flag
0x8000 utilizing
(M)
GainTnl33819
from the first
book
to address
VPN
application
*Nov 22 07:34:46.525:
Tnl33819
L2TP:
Parse
SCCRP
! AVP 2 Protocol Version, AVP 6 Firmware Version, AVP 10 Rx Window Size, Cisco AVP
8 Vendor Name, and
Ciscostrategies
AVP 10 that
Vendor
AVP
version
omitted
for brevity
Review
allow
large
enterprise
customers
to enhance
*Nov 22 07:34:46.525:
L2TP: Parse
AVP 7, lenrouting
13, flag
0x8000 (M)
theirTnl33819
service offerings
while maintaining
control
*Nov 22 07:34:46.525: Tnl33819 L2TP: Hostname NewYork
*Nov 22 07:34:46.525:
Tnl33819
L2TP:Providers,
Parse AVP
11, len portion
22, flag
0x8000
(M)
For a majority
of Service
a significant
of their
revenues
*Nov 22 07:34:46.525:
Tnl33819
Chlng
are still derived
fromL2TP:
data and
*Nov 22 07:34:46.525:
Tnl33819
L2TP:
Parse
AVPVPNs
13, fulfill
len the
22, market
flag 0x8000
technologies.
Although
Layer
3 MPLS
need for(M)
some
*Nov 22 07:34:46.525:
Tnl33819
L2TP:
Chlng
Resp
*Nov 22 07:34:46.525:
Tnl33819
L2TP:3 Parse
Cisco
AVP
10,
flaga 0x8000
legacy Layer
2 and Layer
networks
would
like1,tolen
move
toward
single (M)
*Nov 22 07:34:46.525:
Assigned
Connection
ID 41993
backboneTnl33819
while newL2TP:
carriers
would likeControl
to sell the
lucrative Layer
2
*Nov 22 07:34:46.525:
Tnl33819
L2TP: Parse
len 22,
flagcases
0x8000
services over
their existing
Layer 3Cisco
cores.AVP
The 2,
solution
in these
is a (M)
*Nov 22 07:34:46.525:
Tnl33819
L2TP:
Capabilities
List:
technology
that would
allowPseudo
Layer 2Wire
transport
over a Layer
3
! Pseudo Wire Capabilities
infrastructure. List omitted for brevity
*Nov 22 07:34:46.525: Tnl33819 L2TP: No missing AVPs in SCCRP
Layer 2 VPN
Architectures
to Layer
2 Virtual
Private
*Nov 22 07:34:46.525:
Tnl33819
L2TP: introduces
I SCCRP, readers
flg TLS,
ver 3,
len 166,
tnl 33819,
Network (VPN)
ns 0, nr 1 contiguous
pak,concepts,
size 166
introductory
case studies
comprehensive
*Nov 22 07:34:46.525:
Tnl33819
L2TP:and
I SCCRP
from NewYork
assists readers
looking
to meet
requirements
by explaining
the
*Nov 22 07:34:46.525:
Tnl33819
L2TP:
Got those
a challenge
in SCCRP,
NewYork
history and
implementation
details
of the two in
technologies
available
from
*Nov 22 07:34:46.525:
Tnl33819
L2TP: Got
a response
SCCRP, from
remote
peer
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSNewYork
based cores
and Layer
2 Tunneling
version 3 success
(L2TPv3) for native
*Nov 22 07:34:46.525:
Tnl33819
L2TP:
Tunnel Protocol
Authentication
IP cores. Tnl33819
The structure
of this
book isconnection
focused on first
introducing theskipped/
*Nov 22 07:34:46.525:
L2TP:
Control
authentication
passed.
comparing
them to those
Layer 3state
based change
VPNs, such
as wait-ctl-reply
MPLS, then
*Nov 22 07:34:46.525:
Tnl33819
L2TP:ofTunnel
from
to
established
*Nov 22 07:34:46.525: Tnl33819 L2TP: O SCCCN to NewYork tnlid 41993
*Nov 22 07:34:46.525: Tnl33819 L2TP: O SCCCN, flg TLS, ver 3, len 42, tnl 41993,
ns 1, nr 1
1 seconds
*Nov 22 07:34:46.525: Tnl33819 L2TP: SM State established
In this case, SanFran initiates the control channel request by sending out an SCCRQ. SanFran's debug
output shows the outbound SCCRQ request in addition to the dynamically chosen tunnel ID of 33819.
Although it is not shown in this outbound message, the SCCRQ contains SanFran's Challenge AVP sent to
NewYork. The Challenge AVP contains a random value used in the CHAP-like control channel authentication
Layer 2 VPN
mechanism. In response
to Architectures
the SCCRQ, NewYork sends an SCCRP message. SanFran receives this
Wei Luo,output
- CCIE No.
Carlos Pignataro,
- CCIE No. 4619,
Dmitry
Bokotey, - Two
CCIE notable AVPs include
message, and theBydebug
lists13,291,
the various
AVPs contained
in the
message.
No. 4460,
Chan, - CCIEChallenge
No. 10,266 Response AVP. In this case, NewYork's Challenge
NewYork's Challenge
AVPAnthony
and NewYork's
Response AVP contains the output of the hashing function performed against SanFran's Challenge AVP
value and the shared
secret.Cisco
For the
Publisher:
Presscontrol channel message to be validated properly, the SanFran router
performs the same hashing
Pub Date:mechanism
March 10, 2005and compares the output to the received Challenge Response AVP
value. If the shared secret
from both peers is equal, the two values are equivalent. Another AVP that is
ISBN: 1-58705-168-0
Table of
sent
Control Connection ID value of 41993, which matches the output from the
in the SCCRP is NewYork's
Pages: 648
showContents
l2tun tunnel command. To complete the three-way handshake, SanFran responds with an SCCCN.
Index
The SCCCN
contains a Challenge Response AVP that is not shown in outbound debugs. The SCCCN
Challenge Response AVP is sent in reply to NewYork's Challenge AVP sent in the SCCRP.
Example 11-22 contains the debug output from the second part of the negotiation: the session
establishment phase.
productivity gains

l2x-events
and
debug vpdn l2x-packet
Learn aboutdebug
Layer 2 vpdn
Virtual Private
Networks
(VPNs)
Output for Session Establishment Phase
SanFran#
*Nov 22 07:34:46.525:
ICRQ2 VPN
to NewYork
41993/0
Gain Tnl/Sn33819/23878
from the first book to L2TP:
addressO Layer
application
utilizing
*Nov 22 07:34:46.525:
L2TP: O ICRQ, flg TLS, ver 3, len 94, tnl 41993,
bothTnl/Sn33819/23878
lsid 23878, rsid 0, ns 2, nr 1
*Nov 22 07:34:46.525:
Tnl/Sn33819/23878
L2TP:
state
changetofrom
wait-for-tunnel
Review
largeSession
enterprise
customers
enhance
to wait-reply
*Nov 22 07:34:46.573: Tnl33819 L2TP: Early authen passing ZLB
For a majority
of Service
a significant
portion
their
*Nov 22 07:34:46.573:
Tnl33819
L2TP:Providers,
I ZLB ctrl
ack, flg
TLS, ofver
3,revenues
len 12, tnl 33819,
ns 1, nr 3
technologies.
Although
Layer
3 MPLSearly
VPNs fulfill
the market
for some for ICRP
*Nov 22 07:34:46.665:
Tnl33819
L2TP:
Perform
message
digestneed
validation
customers,
they have
someParse
drawbacks.
withflag
existing
*Nov 22 07:34:46.665:
Tnl33819
L2TP:
CiscoIdeally,
AVP 3,carriers
len 10,
0x8000 (M)
legacy Layer
2 and Layer
networks
would like
*Nov 22 07:34:46.665:
Tnl33819
L2TP:3 Local
Session
ID 36820
backbone
while
new
carriers
would
like
to
sell
the
Layer 2 skipped/passed.
*Nov 22 07:34:46.665: Tnl33819 L2TP: Control connection lucrative
authentication
services over
their existing
Layer 3AVP
cores.
in these
cases
*Nov 22 07:34:46.665:
Tnl33819
L2TP: Parse
0, The
len solution
8, flag
0x8000
(M)is a
technology
that would
allowParse
Layer ICRP
*Nov 22 07:34:46.665:
Tnl33819
L2TP:
infrastructure.
*Nov 22 07:34:46.665:
Tnl33819 L2TP: Parse Cisco AVP 3, len 10, flag 0x8000 (M)
*Nov 22 07:34:46.665: Tnl33819 L2TP: Local Session ID 36820
Layer 2 VPN
Architectures
readers
Virtual
*Nov 22 07:34:46.665:
Tnl33819
L2TP: introduces
Parse Cisco
AVP to
4,Layer
len 2
10,
flagPrivate
0x8000 (M)
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via
*Nov 22 07:34:46.665: Tnl33819 L2TP: Remote Session ID 23878
introductory
case studies
comprehensive
This
book (M)
*Nov 22 07:34:46.665:
Tnl33819
L2TP:and
Parse
Cisco AVP design
5, lenscenarios.
14, flag
0x8000
assists
readers
looking
to
meet
those
requirements
by
explaining
the
*Nov 22 07:34:46.665: Tnl33819 L2TP: Assigned Cookie
F5 6A history
1F 7F and
1A implementation
7B 12 BF
the Cisco Unified
VPNL2TP:
suite: Any
Transport
over7,
MPLS
for 0x8000
MPLS- (M)
*Nov 22 07:34:46.665:
Tnl33819
Parse
Cisco AVP
len(ATOM)
8, flag
based cores
and Layer
2 Tunneling
version
*Nov 22 07:34:46.665:
Tnl33819
L2TP:
PseudoProtocol
Wire Type
5 3 (L2TPv3) for native
IP cores. The
structure
of this
is focused
introducing the
*Nov 22 07:34:46.665:
Tnl33819
L2TP:
Nobook
missing
AVPson
infirst
ICRP
reader to Tnl/Sn33819/23878
Layer 2 VPN benefits L2TP:
and implementation
*Nov 22 07:34:46.665:
I ICRP, flg requirements
TLS, ver 3,and
len 62, tnl 33819,
comparing
of Layer pak,
3 based
VPNs,
lsid 23878, rsid
0, ns them
1, nrto3those
contiguous
size
62such as MPLS, then
progressively
covering each currently
in greater
detail.
*Nov 22 07:34:46.665:
Tnl/Sn33819/23878
L2TP:available
O ICCN solution
to NewYork
41993/36820
*Nov 22 07:34:46.665: Tnl/Sn33819/23878 L2TP: O ICCN, flg TLS, ver 3, len 50, tnl 41993,
lsid 23878, rsid 36820, ns 3, nr 2
*Nov 22 07:34:46.665: Tnl33819 L2TP: Control channel retransmit delay set to 1 seconds
*Nov 22 07:34:46.665: Tnl/Sn33819/23878 L2TP: Session state change from wait-reply to
established
After successfully initiating a control channel, the session negotiation begins. SanFran sends an IncomingCall Request (ICRQ), which contains several AVPs, including a dynamically assigned Session ID of 23878,
Cookie, End Identifier, and Serial Number AVP that is not shown in the outbound debug output. The End
Identifier AVP equals the VC ID that is configured on the xconnect command, 33. This AVP allows the
pseudowire to associate itself to the necessary attachment circuit. The Serial Number is equivalent to the
Layer
2 VPN
Architectures
Call Serial Number
field
identified
in the show l2tunn sess all output. It serves as an identifier for the
ByWei Luo,on
- CCIE
session that is consistent
bothNo.
peers.
In response to the ICRQ, NewYork sends an Incoming-Call Reply (ICRP) message with several AVPs. The
ICRP contains a Local
Session
ID Press
AVP of 36820, a Remote Session ID AVP of 23878, an Assigned Cookie
Publisher:
Cisco
AVP of 0xF56A1F7F1A7B12BF,
and a Pseudowire Type AVP. A Pseudowire Type AVP is included to identify
the type of pseudowire that is being negotiated, which in this case is 0x0005 for type Ethernet. Keep in
ISBN: 1-58705-168-0
mind Table
that ofthe Local and Remote Session ID values and the Assigned Cookies in the ICRP message are from
Pages:
648
Contentsperspective. When
NewYork's
you compare them to SanFran's show l2tunn sess all output in Example
Index
11-20,
the values correspond to appropriate SanFran fields (that is, SanFran's Local Session ID equals
NewYork's Remote Session ID). Finally, SanFran completes this three-way handshake with the IncomingCall Connected (ICCN) message. After the ICCN message is sent, the pseudowire session is fully
established.
productivity gains
Case Study 11-4: Ethernet VLAN-to-VLAN Dynamic Session

In this case study, the customer has modified his design. The Oakland hub site now needs to have
costs
andand
extend
the reach
of your services
by unifying
connectivity to branch Reduce
offices in
Albany
Hudson.
The customer
would like
to use a your
dot1Q trunk from
network
architecture
the Oakland router to connect a separate VLAN to each branch office site.
from the first

book toprovider
address has
Layer
2 VPN to
application
utilizing
To meet the customer Gain
requirements,
the service
decided
utilize L2TPv3
to transport the
both
ATOM
and
L2TP
protocols
necessary VLANs. You can see an illustration of the new design in Figure 11-5. Oakland's VLAN 201
attachment circuit is connected via a pseudowire session to VLAN 201 at Albany. Similarly, Oakland's VLAN
200 attachment circuit is connected to VLAN 140 at Hudson. In the latter case, the NewYork router must
rewrite the original VLAN header tag with the value of 140 so that the Ethernet frames are properly
understood at Hudson.
Figurelegacy
11-5.
L2TPv3
Ethernet
VLAN-to-VLAN
Session
Case
Study
Layer
2 and Layer
3 networks
would like to move
toward
a single
infrastructure.
comparing
to those of
Layer 3 based
VPNs,
such
as MPLS,
This case study explores
the them
configuration,
verification,
control
plane
details,
and then
data plane details for an
progressively
covering
Ethernet VLAN-to-VLAN
dynamic
session.
Ethernet VLAN-to-VLAN Dynamic Configuration
Similar to "Case Study 11-3: Ethernet Port-to-Port Dynamic Session," the SanFran and NewYork PE
routers use dynamically negotiated VLAN L2TPv3 sessions with 8-byte cookies. To introduce a new concept
in this case study, the PE routers are configured to use the new control channel authentication by utilizing
message digests.
Example 11-23 shows the relevant configuration in the SanFran routers.

Example 11-23. SanFran VLAN-to-VLAN Dynamic Configuration

hostname SanFran
!
l2tp-class l2-dynPub Date: March 10, 2005
digest secret p7jd8ge
ISBN: 1-58705-168-0
Table size
of
cookie
8
Pages:
648
Contents
!
Index
pseudowire-class
pw-dynamic
protocol l2tpv3 l2-dyn
productivity gains
no ip address
no cdp enable
encapsulation dot1Q
200 architecture
network
no cdp enable
both
and L2TP
protocols
xconnect 10.1.1.103
33 ATOM
pw-class
pw-dynamic
!
their
encapsulation dot1Q
201
no cdp enable For a majority of Service Providers, a significant portion of their revenues
are still derived
from data
xconnect 10.1.1.103
34 pw-class
pw-dynamic
backbone
new carriers
would
like to router.
Example 11-24 contains
thewhile
configuration
for the
NewYork
infrastructure.
Example 11-24.
NewYork VLAN-to-VLAN Dynamic Configuration

hostname NewYork
!
l2tp-class l2-dyn
digest secret history
p7jd8ge
cookie size 8 the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
!
IP cores.
pseudowire-class
pw-dynamic
l2tpv3to Layer 2 VPN benefits and implementation requirements and
comparing
protocol l2tpv3
l2-dyn them to those of Layer 3 based VPNs, such as MPLS, then
progressively
!
no ip address
no cdp enable
!
no cdp enable
xconnect 10.1.1.102 34 pw-class pw-dynamic
!
no ip address ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
no cdp enable
!
ISBN: 1-58705-168-0
Tabledirected-broadcast
of
no ip
Pages:
648
Contents
no cdp
enable
Index
xconnect
10.1.1.102 33 pw-class pw-dynamic
!
gains
The general stepsproductivity
to provisioning
a dynamic Ethernet VLAN-to-VLAN session are similar to those in the
Ethernet port-to-port dynamic session. The major difference is that the attachment circuit in this case
study is the Ethernet VLAN. Therefore, the xconnect statements are configured under the appropriately
Learn about
Layer 2 Virtual
Private 11-23
Networks
tagged Ethernet subinterfaces,
as highlighted
in Example
and (VPNs)
11-24.
Reduce
coststhe
andnew
extend
your services
by unifying
Because this case study
introduces
formthe
of reach
controlofchannel
authentication,
theyour
digest secret
network
architecture
password configuration is applied underneath the l2tp-class command.
Ethernet VLAN-to-VLAN Dynamic Session Verification

their
while maintaining
routing
control
Theshow l2tun tunnel
andservice
show offerings
l2tun session
output is similar
to the
previous dynamic port-to-port
session.Example 11-25 contains the show l2tun tunnel output detail for SanFran.
technologies.
Although
Layer 3 MPLSDynamic
VPNs fulfill Session
the market need
for some
Example 11-25.
SanFran
VLAN-to-VLAN
show
l2tun tunnel
Output
services
SanFran#show l2tun
tunnel
technology
that
would allow
Layer 2 transport
over a Layer 3
Tunnel Information Total
tunnels
1 sessions
2
infrastructure.
LayerName
2 VPN Architectures
introduces
Layer 2 Virtual
Private
LocIDRemID Remote
State Remote
Addressreaders
Port toSessions
L2TPclass
Network (VPN)
and describes Layer
2 2VPN techniques
via
417968769 NewYork
estconcepts,
10.1.1.103
0
l2-dyn
Notice in Examplethe
11-25
that
the number
of sessions
is two because
of the
two pseudowire
Cisco
Unified
VPN suite:
Any Transport
over MPLS
(ATOM)
for MPLS- sessions for
the two VLANs in based
this case
study.
The
two
sessions
are
negotiated
against
the
same
tunnel; therefore,
they are listed against
the
L2TPv3
tunnel
with
a
local
ID
of
41796.
Example 11-26 captures
the them
showtol2tun
show
l2tunnel
session
detail for VCID 34.
comparing
thosesession
of Layerand
3 based
VPNs,
such as
MPLS, all
then
Example 11-26. SanFran VLAN-to-VLAN Dynamic Session

Output
show l2tun session
SanFran#show l2tun session

Session Information Total tunnels 1 sessions 2
LocID
RemID
TunID
Username,
Intf/
State
23944
23945
36877
36878
41796
41796
Vcid, Circuit
34, Et0/0.201:201
33, Et0/0.200:200
est
est
SanFran#show l2tun
session all vcid 34
Session Information
Pressid 41796
Session id 23944 Publisher:
is up, Cisco
tunnel
Call serial number
2931100013
Pubis
Date:
March 10, 2005
Remote tunnel name is
NewYork
ISBN:
1-58705-168-0
Table of
Internet
address Pages:
is 10.1.1.103
648
Contents
Session
is L2TP signalled
Index
Session
state is established, time since change 00:13:11
out-of-order:
0
productivity gains
total:
0
exceeded session
0 2 Virtual Private Networks (VPNs)
LearnMTU:
about Layer
total:
0
Session vcid is 34
Session Layer 2 circuit,
type is Ethernet Vlan, name is Ethernet0/0.201:201
Circuit state is UP
from
the first
book tunnel
to address
Remote session Gain
id is
36877,
remote
id Layer
8769 2 VPN application utilizing
both ATOM
and L2TPToS
protocols
DF bit off, ToS reflect
disabled,
value 0, TTL value 255
Review
strategies
that allow
enterprise
customers
to enhance
local cookie, size
8 bytes,
value
E9 B8large
78 B2
C2 6C 8E
16
offerings
maintaining
remote cookie, their
size service
8 bytes,
valuewhile
88 9E
DD 75 03routing
A0 39control
75
a majority
encap size For
= 32
bytes of Service Providers, a significant portion of their revenues
are
still
from00000000
00000000 00000000derived
00000000
technologies.
Although
00000000 00000000 00000000 00000000
Sequencing islegacy
off Layer 2 and Layer 3 networks would like to move toward a single
The primary differences
in the output when compared to Case Study 11-3 are related to the attachment
infrastructure.
circuit type. In the show l2tun session output in Example 11-26, notice the two session lines for the two
VCIDs 34 and 33 Layer
and their
corresponding
Et0/0.200,
2 VPN
Architecturesattachment
introducescircuits
readersEt0/0.201
to Layer 2and
Virtual
Privaterespectively.
Theshow l2tun session
all vcid
output
includes
more specific
details
about This
that book
particular
introductory
case 34
studies
and
comprehensive
design
scenarios.
attachment circuit.
Unlike
the
manual
case
studies,
Example
11-26
shows
the
session
assists readers looking to meet those requirements by explaining theas L2TP signaled,
indicating that thehistory
pseudowire
was negotiateddetails
dynamically.
Also,
as highlighted
midway
in the show l2tun
and implementation
of the two
technologies
available
from
session all vcid the
34 Cisco
output,
the
type
of
pseudowire
session
is
Ethernet
VLAN,
whereas
in
Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS- previous
Ethernet port-to-port
case
studies,
the pseudowire
was just
Ethernet.
based cores and Layer
2 Tunnelingtype
Protocol
version
Dynamic
Session
Control
comparing them
to those
of Layer
3 basedPlane
VPNs, Details
such as MPLS, then
As with any dynamically negotiated L2TPv3 session, the control channel setup and session negotiation can
be monitored via debug vpdn l2x-events and debug vpdn l2x-packets.Example 11-27 captures this
debug output for SanFran's control channel establishment phase.
Example 11-27. SanFran debug vpdn l2x-eventsand debug vpdn l2x-packets

on Control Connection Initialization
SanFran#
*Nov 22 13:19:04.312: Tnl41796 L2TP: SM State idle
Layer 2 VPNTnl41796
Architectures
*Nov 22 13:19:04.312:
L2TP: O SCCRQ
CCIE No. 13,291,
Carlos
CCIETLS,
No. 4619,
Dmitry
- CCIEtnl 0,
*Nov 22 13:19:04.312:
L2TP:
O Pignataro,
SCCRQ, - flg
ver
3,Bokotey,
len 167,
ns 0, nr 0 No. 4460,Anthony Chan, - CCIE No. 10,266
1 seconds
*Nov 22 13:19:04.312:
Tnl41796
L2TP: Tunnel state change from idle to
Pub Date:
March 10, 2005
wait-ctl-reply
ISBN: 1-58705-168-0
Table
of
*Nov
22 13:19:04.312:
Tnl41796 L2TP: SM State wait-ctl-reply
Pages:
648
*Nov Contents
22 13:19:04.312: L2X: L2TP: Received L2TUN message <Connect>
Index
*Nov
22 13:19:04.312: Tnl/Sn41796/23945 L2TP: Session state change from idle to
wait-for-tunnel
*Nov 22 13:19:04.312: Tnl41796 L2TP: SM State wait-ctl-reply
Master the
world of Layer
VPNs to
provide
enhanced
services
enjoy
*Nov 22 13:19:04.372:
Tnl41796
L2TP: 2Parse
AVP
0, len
8, flag
0x8000and
(M)
productivity
gains
*Nov 22 13:19:04.372: Tnl41796 L2TP: Parse SCCRP
*Nov 22 13:19:04.372: Tnl41796 L2TP: Parse Cisco AVP 12, len 23, flag 0x8000 (M)
*Nov 22 13:19:04.372: Tnl41796 L2TP: Message Digest
! Message Digest hex output omitted for brevity
*Nov 22 13:19:04.372:
Tnl41796
L2TP:
Parse
AVP
13,
len 22,
flag 0x8000
Reduce
costs and
extend
the Cisco
reach of
your
services
by unifying
your (M)
*Nov 22 13:19:04.372:
Tnl41796
L2TP:
CC
Auth
Nonce
D7 6E BB ED 3D 01 33 31 0E 45 1A E7 67 24 4E A1
! AVP 2 Protocol Version
,AVP
Firmware
AVP 210
Rxapplication
Window Size,
Cisco
Gain from
the6first
book to Version,
address Layer
VPN
utilizing
AVP 8 Vendor Name,
and
Cisco
10protocols
Vendor AVP version omitted for brevity
both
ATOM
andAVP
L2TP
*Nov 22 13:19:04.372: Tnl41796 L2TP: Parse AVP 7, len 13, flag 0x8000 (M)
*Nov 22 13:19:04.372:
Tnl41796
L2TP:
Review
strategies
thatHostname
allow largeNewYork
*Nov 22 13:19:04.372:
L2TP: Parse
Cisco AVP routing
1, lencontrol
10, flag 0x8000 (M)
theirTnl41796
service offerings
while maintaining
*Nov 22 13:19:04.372: Tnl41796 L2TP: Assigned Control Connection ID 8769
For a majority
of Service
a significant
of their
*Nov 22 13:19:04.372:
Tnl41796
L2TP:Providers,
Parse Cisco
AVP 2,portion
len 22,
flagrevenues
0x8000 (M)
are still derived
fromL2TP:
data and
voiceWire
services
based on legacy
transport
*Nov 22 13:19:04.372:
Tnl41796
Pseudo
Capabilities
List:
Layer 3 for
MPLS
! Pseudo Wire Capabilities
List omitted
brevity
customers,
they have
someNo
drawbacks.
*Nov 22 13:19:04.372:
Tnl41796
L2TP:
missing Ideally,
AVPs incarriers
SCCRP with existing
legacy Layer
2 and Layer
like to
move
a single
*Nov 22 13:19:04.372:
Tnl41796
L2TP:3 Inetworks
SCCRP, would
flg TLS,
ver
3, toward
len 167,
tnl 41796,
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
ns 0, nr 1 contiguous pak, size 167
services over
their existing
Layer
3 cores.
solution in these cases is a
*Nov 22 13:19:04.372:
Tnl41796
L2TP: I
SCCRP
from The
NewYork
technology
that would
allowMessage
Layer 2 transport
over aperformed,
Layer 3
*Nov 22 13:19:04.372:
Tnl41796
L2TP:
digest match
passed.
infrastructure.
*Nov 22 13:19:04.372:
Tnl41796 L2TP: Control connection authentication skipped/
passed.
Layer 2 VPN
Architectures
readers
to Layer
2 Virtual
Private
*Nov 22 13:19:04.372:
Tnl41796
L2TP: introduces
Tunnel state
change
from
wait-ctl-reply
to
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via
established
introductory
case studies
comprehensive
design
scenarios.
*Nov 22 13:19:04.372:
Tnl41796
L2TP:and
O SCCCN
to NewYork
tnlid
8769 This book
assists
readers
looking
to
meet
those
requirements
by
explaining
*Nov 22 13:19:04.372: Tnl41796 L2TP: O SCCCN, flg TLS, ver 3, len 43,the
tnl 8769,
ns 1, nr 1 history and implementation details of the two technologies available from
the Cisco Tnl41796
Unified VPN
suite:Control
Any Transport
over
MPLS (ATOM)
for MPLS*Nov 22 13:19:04.372:
L2TP:
channel
retransmit
delay
set to
1 seconds
IP cores. Tnl41796
The structure
of this
is focused
*Nov 22 13:19:04.372:
L2TP:
SM book
State
established
One notable difference in the control channel establishment is that a few additional AVPs are used during
the SCCRQ/SCCRP/SCCCN three-way handshake. As is typical, the three-way handshake begins with
SanFran sending an SCCRQ message. The SCCRQ contains a Message Digest and a Control Message
Authentication Nonce AVP. As described in Chapter 10, these AVPs are used in control channel
authentication. More specifically, they are used in the newer form of control channel authentication, unlike
Case Study 11-3, which uses the CHAP-like mechanism.
The second step in the three-way handshake involves SanFran sending an SCCRP reply. This SCCRP
message, like the SCCRQ message, contains a Message Digest and a Control Message Authentication
Nonce AVP, as highlighted in Example 11-27. All subsequent control channel messages will contain the
Message Digest AVP.

The third and final step in the control channel initialization is an SCCCN message sent from SanFran.
Example 11-28 captures

this
debug
output
for Pignataro,
SanFran's
session
establishment
ByWei Luo,
- CCIE
No. 13,291,
Carlos
- CCIE
No. 4619,
Dmitry Bokotey,phase.
- CCIE
Example 11-28.
SanFran
debug vpdn l2x-eventsand debug vpdn l2x-packets
Publisher:
Cisco Press
on Session Initialization
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
SanFran#
Index
*Nov
22 13:19:04.372: Tnl/Sn41796/23944 L2TP: O ICRQ to NewYork 8769/0
*Nov 22 13:19:04.372: Tnl/Sn41796/23944 L2TP: O ICRQ, flg TLS, ver 3, len 117,
tnl 8769, lsid 23944, rsid 0, ns 2, nr 1
*Nov 22 13:19:04.372: Tnl/Sn41796/23944 L2TP: Session state change from
Master
wait-for-tunnel
to the
wait-reply
productivity
gains L2TP: Perform early message digest validation
*Nov 22 13:19:04.420:
Tnl41796
for ACK
*Nov 22 13:19:04.420: Tnl41796 L2TP: Parse Cisco AVP 12, len 23, flag 0x8000 (M)
*Nov 22 13:19:04.420: Tnl41796 L2TP: Message Digest
! Message Digest hex output omitted for brevity
*Nov 22 13:19:04.420: Tnl41796 L2TP: Message digest match performed, passed.
*Nov 22 13:19:04.420: Tnl41796 L2TP: Control connection authentication skipped/
passed.
*Nov 22 13:19:04.420:
Parse AVP 0, len 8, flag 0x8000 (M)
bothTnl41796
ATOM andL2TP:
L2TP protocols
*Nov 22 13:19:04.420: Tnl41796 L2TP: Parse ICRP
*Nov 22 13:19:04.420:
Tnl41796
L2TP:
Ciscoenterprise
AVP 12, customers
len 23, flag
0x8000 (M)
Review
strategies
thatParse
allow large
to enhance
*Nov 22 13:19:04.420:
L2TP: Parse
Cisco AVP routing
3, lencontrol
10, flag 0x8000 (M)
theirTnl41796
service offerings
while maintaining
*Nov 22 13:19:04.420: Tnl41796 L2TP: Local Session ID 36877
*Nov 22 13:19:04.420:
Tnl41796
L2TP:Providers,
Parse Cisco
AVP 4,portion
len 10,
flagrevenues
0x8000 (M)
For a majority
of Service
a significant
of their
*Nov 22 13:19:04.420:
Tnl41796
Remote
23944
are still derived
fromL2TP:
data and
voiceSession
services ID
based
on legacy transport
*Nov 22 13:19:04.420:
Tnl41796
L2TP:
Parse
Cisco
5,the
len
14, flag
technologies.
Although
Layer
3 MPLS
VPNsAVP
fulfill
market
need 0x8000
for some(M)
*Nov 22 13:19:04.420:
Tnl41796
L2TP:
Assigned
Cookie
88 9E legacy
DD 75 Layer
03 A02 and
39 75
*Nov 22 13:19:04.420:
Parse
7, lucrative
len 8, flag
(M)
backboneTnl41796
while newL2TP:
carriers
wouldCisco
like to AVP
sell the
Layer0x8000
2
*Nov 22 13:19:04.420:
Tnl41796
L2TP: Pseudo
Wire Type
4
services over
their existing
Layer 3 cores.
The solution
in these cases is a
*Nov 22 13:19:04.420:
Tnl41796
L2TP:
missing
AVPs in
technology
that would
allowNo
Layer
2 transport
overICRP
a Layer 3
*Nov 22 13:19:04.420:
Tnl/Sn41796/23944 L2TP: I ICRP, flg TLS, ver 3, len 85,
infrastructure.
tnl 41796, lsid 23944, rsid 0, ns 1, nr 3 contiguous pak, size 85
Layer 2 VPN
Architectures introduces
2 Virtual
Private
*Nov 22 13:19:04.420:
Tnl/Sn41796/23944
L2TP: readers
O ICCN to
toLayer
NewYork
8769/36877
Network (VPN)
VPN TLS,
techniques
vialen 73,
*Nov 22 13:19:04.420:
Tnl/Sn41796/23944
L2TP: O Layer
ICCN,2 flg
ver 3,
introductory
case 36877,
studies and
comprehensive
tnl 8769, lsid
23944, rsid
ns 4,
nr 2
assists readers
looking to meetL2TP:
those requirements
by explaining
the
*Nov 22 13:19:04.420:
Tnl/Sn41796/23944
Session state
change from
wait-reply tohistory
established
After the control channel
is Layer
authenticated,
the session
negotiation occurs.
Because this
reader to
2 VPN benefits
and implementation
requirements
and case study utilizes
two pseudowires,comparing
two three-way
are
initiated.
the sake
of brevity, Example
themICRQ/ICRP/ICCN
to those of Layerphases
3 based
VPNs,
such For
as MPLS,
then
11-28 only captures
the three-way
session
negotiation
for VCID 34.
As highlighted
the output, SanFran
progressively
covering
each
currently available
solution
in greater in
detail.
sends an ICRQ message for local session ID 23944. In response, SanFran receives an ICRP message from
NewYork. The ICRP message contains NewYork's local session ID of 36877. The pseudowire type is type 4
for Ethernet VLAN. Also notice that the Message Digest AVP is contained in the ICRP message. In fact, the
Message Digest AVP is also contained in the ICRQ and ICCN messages, but the debug output does not
show this level of detail for outbound messages. Finally, SanFran sends an ICCN to NewYork to fully
establish the pseudowire session.
Ethernet VLAN-to-VLAN Frame Encapsulation
The L2TPv3 data frame encapsulation for a VLAN-emulated session is comparable to the port-emulated
session except that the Ethernet frame carries the Ethernet frames that are specific to the attachment
circuit VLAN ID. Example
11-29
captures an Ethereal decode and the hexadecimal capture of an L2TPv3
Layer 2 VPN
Architectures
frame from the Oakland Ethernet subinterface E0/0.201 to Albany E0/0.201.
Example 11-29. Ethereal Decode and Capture of Oakland to Albany ICMP Ping
Cisco HDLC
ISBN: 1-58705-168-0
Table of
Address: Unicast
(0x0f)
Pages:
648
Contents
Protocol: IP (0x0800)
Index
Internet Protocol, Src Addr: 10.1.1.102 (10.1.1.102), Dst Addr: 10.1.1.103 (10.1.1.103)
Version: 4
! IP headerMaster
DSCP,the
Flags
offset enhanced
and TTL services
omitted and
forenjoy
brevity
worlddetail,
of Layer Fragment
2 VPNs to provide
Protocol: Layer
2
Tunneling
(0x73)
productivity gains
Header checksum: 0x3a3e (correct)
Source: 10.1.1.102 (10.1.1.102)
Destination: 10.1.1.103
Learn about(10.1.1.103)
Layer 2 Tunneling Protocol version 3
Session ID: 36877
Cookie: 889EDD7503A03975
Ethernet II, Src: 00:00:0c:00:6c:00, Dst: 00:00:0c:00:6f:00
Destination: 00:00:0c:00:6f:00
(00:00:0c:00:6f:00)
both
ATOM
and
L2TP
protocols
Source: 00:00:0c:00:6c:00 (00:00:0c:00:6c:00)
Type: 802.1Q Virtual LAN (0x8100)
802.1q Virtual LAN Review strategies that allow large enterprise customers to enhance
offerings0 while maintaining routing control
000. .... .... their
.... service
= Priority:
...0 .... .... .... = CFI: 0
.... 0000 1100 1001 = ID: 201
Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.2.1 (192.168.2.1), Dst Addr: 192.168.2.2
(192.168.2.2)
Version: 4
! IP header DSCP, Flags detail, Fragment offset and TTL omitted for brevity
Protocol: ICMP (0x01)
infrastructure.
Header checksum: 0x31be (correct)
Source: 192.168.2.1 (192.168.2.1)
Destination: 192.168.2.2 (192.168.2.2)
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0xb7fa (correct)
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSIdentifier: 0x000e
Data (72 bytes)
0000 0f 00 08 00 45 00 00 96 69 e8 00 00 ff 73 3a 3e
^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Cisco HDLC IPv4 Delivery Header (IP Protocol L2TPv3)
0010 0a 01 01 66 0a 01 01 67 00 00 90 0d 88 9e dd 75
^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^
IPv4 Delivery Header
L2TPv3 Header
0020 03 a0 39 75 00 00 0c 00 6f 00 00 00 0c 00 6c 00
^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
L2TPv3 Header L2TPv3 Payload (Ethernet II Frame)
0030 81 00 00 c9 08 00 45 00 00 64 04 87 00 00 ff 01
^^^^^ ^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Ethertype .1q VLANID
0040 31 be c0 a8 02 01 c0 a8 02 02 08 00 b7 fa 00 0e
^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^
ICMP packet
Layer 2for
VPN Architectures
!remainder omitted
brevity
Because the Ethereal capture was performed between the SanFran and Denver routers, the first Layer 2
header is the HDLC frame. The outer IP Delivery header is sourced from SanFran's loopback address of
10.1.1.102 (0x0a010166), destined to NewYork's address of 10.1.1.103 (0x0a010167). The L2TPv3
ISBN: 1-58705-168-0
header
consists
of NewYork's
local session ID of 36877 (0x0000900d) and a cookie value of
Table
of
Pages:
648
0x889edd7503a03975.
Following
the L2TPv3 header is the Ethernet II frame destined to Albany's MAC
Contents
address
Indexof 0x00000c006c00 and sourced from Oakland's Ethernet port with MAC address 0x00000c006f00
In this particular case, the Ethernet frame is an 802.1q tagged frame that contains the VLAN tag protocol
ID of 0x8100, a 3-bit VLAN CoS field of 0, a 1-bit VLAN canonical format indicator of 0, and the VLAN ID
tag of 201. Because the far-end router's attachment circuit also uses a dot1Q tag of 201, NewYork does
MasterVLAN
the world
ofbefore
Layer 2
VPNs toit provide
enhanced
services and
enjoy
not change the original
ID tag
sending
to the CE
device. However,
in the
case of an
productivity
Ethernet frame from
Oakland gains
to Hudson, the original VLAN ID tag of 200 would have to be rewritten to the
far-end attachment circuit VLAN ID value of 140.
Learn
about Layer
2 Virtual Private
Networks
(VPNs) scenarios in which the VLAN
Case Study 11-2 focused
on providing
VLAN-to-VLAN
emulation.
It examined
header was transported unmodified (that is, between Oakland and Albany) and in which the VLAN header
and extend
the reach
yourtoservices
byseveral
unifying
your issues when
was rewritten (that is, Reduce
betweencosts
Oakland
and Hudson).
Youofneed
consider
design
network
architecture
deploying such a solution.
Gain study,
from the
bookprovider
to address
Layerthe
2 VPN
application
utilizing
In this VLAN-to-VLAN case
thefirst
service
dictates
VLAN
values. From
a customer
both
ATOM
and
L2TP
protocols
perspective, this might be a heavy restriction. In such a scenario, the customer can use QinQ to alleviate
this requirement. In essence, the customer can use the inner 802.1q tag in QinQ to represent the
customer VLANs and then set the outer 802.1q tag to equal the value that the service provider requires.
This allows for flexibility on the customer's behalf to use any VLAN rewrite.
Another consideration when dealing with VLAN-to-VLAN transport revolves around spanning tree. In the
Oakland-to-Hudson scenario, the respective L2TPv3 endpoints rewrite the VLAN header as needed.
Although the VLAN header is rewritten, the BPDU payload also contains a field known as the Per VLAN ID
(PVID), which is not rewritten. If spanning tree is enabled in such a VLAN rewrite scenario, the BPDUs
show a mismatch and the ports are blocked. The only solution is to avoid this rewrite scenario so that the
BPDU payload matches the expected VLAN ID value on either end.
infrastructure.

Summary By
This chapter examined

how L2TPv3
emulates LAN protocols. The first section began with an
Publisher:
Cisco Press
exploration of the l2tp-class,
pseudowire-class,
and xconnect syntax. This CLI introduction
Pub Date: March
10, 2005
served as the basis for examining the two modes of Ethernet emulation L2TPv3 supports: portISBN: 1-58705-168-0
Table
of
to-port
emulation
and VLAN-to-VLAN emulation.
Pages: 648
Contents
Index are several key aspects to take away from this chapter:
Following
Thel2tp-class definition serves as a template for the L2TP control channel.

pseudowire-class
templates
attributes.
The xconnect
statements
Master the
world ofcontain
Layer 2session
VPNs to
provide enhanced
services
and enjoybind
attachment productivity
circuits to the
necessary pseudowire.
gains
You can configure L2TPv3 pseudowires for manual mode, manual mode with keepalive,
Learn
about Layer
Virtual
Private
Networks
(VPNs) port-to-port model
and dynamic mode.
Although
these 2
modes
were
shown
in the Ethernet
only, they are relevant for any L2TPv3 LAN and WAN session type.
networksession
architecture
An Ethernet port-to-port
emulates any frame that is received on the respective PE
ports and transports it to the far-end device transparently. The payload could be tagged
Gain from
theCE
first
or untagged depending
on the
devices.
An Ethernet VLAN-to-VLAN session emulates any frame that is received on the respective
Review
strategies
allow large
enterprise
customers
to not
enhance
VLAN to the far-end
PE. If
the VLANthat
ID values
on the
attachment
circuit do
match,
their
offerings
while maintaining
routingrewrite.
control
the remote PE has
the service
responsibilty
of performing
VLAN header

infrastructure.

Chapter 12. WAN Protocols over L2TPv3

Case Studies

ISBN: 1-58705-168-0

This chapter
Contents
Index
Pages: 648
WAN Protocols over L2TPv3 Technology Overview

Configuring WAN Protocols over L2TPv3 Case Studies
Verifying control
and data
planes for WAN protocols over L2TP3
productivity
gains
In this chapter, you learn the functional aspects and configuration of the transport and
tunneling of WAN protocols
Layer
2 Tunnel
Protocol
3 (L2TPv3).
Learnover
about
Layer
2 Virtual
PrivateVersion
Networks
(VPNs) Building on
Chapter 5, "WAN Data-Link Protocols," and Chapter 10, "Understanding L2TPv3," this chapter
presents the configuration,
verification,
troubleshooting
High-Level
Link Control
Reduce
costs andand
extend
the reach of of
your
services Data
by unifying
your
(HDLC), PPP, Frame Relay,
andarchitecture
ATM protocols over L2TPv3. This chapter also presents multiple
network
case studies describing the different L2TPv3 configurations for the multiple WAN protocols that
are transported.

infrastructure.

WAN Protocols
over L2TPv3 Technology Overview
Chapter 11, "LAN Protocols

Case Studies," presented the configuration steps for
Publisher:over
CiscoL2TPv3
Press
LAN protocols over L2TPv3.
the10,
broadest
sense, the configuration, transport, and tunneling
Pub Date:In
March
2005
of WAN protocols over L2TPv3 are analogous to what was explored in Chapter 11; however,
ISBN: 1-58705-168-0
Table of and special cases exist. When you transport WAN protocols using L2TPv3, the
differences
Pages:
648
Contents control plane does
fundamental
not change. Different virtual circuit (VC) types indicate the
Index
specific
attachment circuit technology. This section presents some opening ideas about the
transport of WAN protocols using L2TPv3.
Control Plane
productivity gains
All the control plane concepts covered in Chapter 10 are applicable to the transport and
Learn On
about
Layernegotiation,
2 Virtual Private
Networks
(VPNs) circuit is indicated
tunneling of WAN protocols.
session
the type
of attachment
in the Pseudowire Type AVP (currently Cisco AVPusing a Structure of Management Information
Reduce
andofextend
the reach
of your services
by unifying
yourthe
[SMI] enterprise code of
9Typecosts
7) part
the Session
Management
AVPs. The
values that
network
architecture
Pseudowire Type AVP can take for WAN protocols are enumerated in Table 12-1.
Table 12-1. Pseudowire

Type AVP Values Used in WAN
Transport

are still derived
from data and voice
Pseudowire Type
Description
Usage
customers,
theyRelay
haveDLCI
some
Ideally,
carriers
with existing
0x0001
Frame
[1]drawbacks.
FRoL2TPv3
[2] DLCI
mode
0x0002
ATM
AAL5
SDU
[3]
ATMoL2TPv3
SDU Layer 2
backbone
while
new
carriers
would
like to sell[5]
theAAL5
lucrative
VCC
[4]
mode
technology
would allow
Layer
2 transport Cell
overPort
a Layer
3
0x0003
ATMthat
Transparent
Cell
ATMoL2TPv3
mode
infrastructure.
0x0006
HDLC
HDLCoL2TPv3[6]
0x0007
PPPoL2TPv3
NetworkPPP
(VPN) concepts, and describes
Layer[7]
introductory
case
studies
and
comprehensive
design
This book
0x0009
ATM n-to-one VCC cell ATMoL2TPv3 Cell VCscenarios.
mode
0x000A
ATMimplementation
n-to-one VPC[8]
ATMoL2TPv3
Cell VP modeavailable from
history and
details
the Ciscocell
reader
to Layer
[1] DLCI = data-link
connection
identifier
[2] FRoL2TPv3 =progressively
Frame Relay overcovering
L2TPv3 each currently available solution in greater detail.
[3]
SDU = service data unit
[4]
VCC = virtual channel connection
[5]
ATMoL2TPv3 = ATM over L2TPv3
[6]
HDLCoL2TPv3 = HDLC over L2TPv3
[7]
PPPoL2TPv3 = PPP over L2TPv3
[8]
VPC = virtual path connection
Note
Although the values for the pseudowire type AVP from Table 12-1 are numerically the
same as the ones used in Any Transport over MPLS (AToM) for the pseudowire type
forward error correction
(FEC) field, they belong to different registries. You can find
ISBN: 1-58705-168-0
the
for "L2TPv3
Pseudowire Types" at the Internet Assigned Numbers
Tableregistry
of
Authority (IANA) at
Pages:
648
http://www.iana.org/assignments/l2tp-parameters.
Contents
Index
These pseudowire types are also included in the Pseudowire Capabilities List AVP part of the
Control Connection
Management
to indicate
Layer 2 enhanced
payload types
that and
a sender
Master
the worldAVPs
of Layer
2 VPNsthe
to provide
services
enjoycan
support.
productivity gains
Data Plane
The transport of WAN protocols
over L2TPv3 follows the base specification Internet document
for L2TPv3, plus the additional companion documents for each WAN technology. Cisco
Gain from
book
to address
Layer115.
2 VPN
application
utilizing
implemented L2TPv3 directly
overthe
IP first
using
IP protocol
number
Figure
12-1 shows
the data
both
ATOM
and
L2TP
protocols
plane encapsulation for the transport of WAN protocols over L2TPv3.
Figure 12-1. Encapsulation of WAN Protocols over L2TPv3 over IP

Layer
full size image]
infrastructure.

progressively
each
currently
available
solution
in greater
InFigure 12-1, you
can see the covering
data plane
packet
that goes
directly
encapsulated
indetail.
IP. The
L2TP session header consists of a 32-bit session ID and an optional cookie. In addition, an
optional 32-bit L2-specific sublayer exists, referred to as Pseudowire Control Encapsulation.
Figure 12-1 shows the default Layer 2-Specific Sublayer header. The presence of the Layer 2Specific Sublayer is indicated in the Layer 2-Specific Sublayer AVP part of the session
management AVPs.
A NULL session ID identifies L2TPv3 control messages over IP, as shown in Figure 12-2.
Figure 12-2. L2TPv3 Control Message Header Over IP



Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
The fields from Figure 12-2 are as follows:

productivity gains
T-Bit A field setting of 1 indicates that it is a control message.
L-Bit A field setting
of 1about
indicates
that
the length
field
is present.
Learn
Layer
2 Virtual
Private
Networks
(VPNs)
S-Bit A field setting
of 1 indicates
sequence
numbers
are
present.
Reduce
costs andthat
extend
the reach
of your
services
by unifying your
Ver The version is set to 3 for L2TPv3.
LengthThis is the total length of the message in octets.
Control Connection ID This contains an identifier for the "tunnel" or control connection.
Ns This contains the sequence number for this control message.

Nr This indicates the sequence number that is expected in the next control message to be
received.
Using the Layer
2-Specific
backbone
while newSublayer
technology
that
would allow
2 transport
over
a Layer
3 discussed in
The Layer 2-Specific
Sublayer
is equivalent
to Layer
the control
word in
AToM
that was
Chapter 8, "WAN infrastructure.
Protocols over MPLS Case Studies," and carries control and payload-specific
fields. During session establishment, the use of an Layer 2-Specific Sublayer is negotiated by
Layer
2 VPN Architectures
Layer 2 Virtual
Private
means of the Layer
2-Specific
Sublayer AVP introduces
part of thereaders
Sessionto
Management
AVPs.
The Layer
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via values:
2-Specific Sublayer AVP type is an unsigned 16-bit integer that can take the following
history and
implementation
0 No Layer 2-Specific
Sublayer
is present.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS1 The default
Layer
2-Specific
Sublayer
is used.Protocol version 3 (L2TPv3) for native
based
cores
and Layer
2 Tunneling
2 The ATM Layer
Sublayer
is used.
reader2-Specific
to Layer 2
VPN benefits
Note
The first two values are defined and assigned in the base "Layer Two Tunneling
Protocol (Version 3)" IETF document, whereas the third value is defined in the "ATM
Pseudo-Wire Extensions for L2TP" IETF document. ATM AAL5 transport needs an
ATM-Specific Sublayer to transport ATM cell header fields that would otherwise be
lost; other transported protocols, however, rely on the default Layer 2-Specific
Sublayer.
If the usage of the

Layer
2-Specific
Sublayer header has been negotiated, the L2TP Control
Layer
2 VPN
Architectures
Connection Endpoint (LCCE) must include the specified Layer 2-Specific Sublayer in all outgoing
data messages. Figure 12-3 details the two currently defined Layer 2-Specific Sublayer
formats: default and ATM-Specific.
ISBN: 1-58705-168-0
Figure
Table of 12-3. Layer 2-Specific Sublayer Usage for WAN Protocols
Contents
Index
Pages: 648
productivity gains
Gain12-3
fromare
thedefined
first book
The fields shown in Figure
as follows:
All Layer 2-Specific
Sublayers:
Review
S-Bit The Sequence bit is set to indicate that the Sequence Number field contains a
valid sequence
number
for this sequenced
and itportion
is cleared
otherwise.
When
For a majority
of Service
Providers, aframe,
significant
of their
revenues
the field
cleared,
youfrom
must
ignore
contents
of based
the Sequence
Number.
areisstill
derived
data
andthe
voice
services
on legacy
transport
Sequence
Number
The
Sequence
Number field
contains
a free-running
counter of
customers,
they
have
some drawbacks.
Ideally,
carriers
with existing
224 sequence
numbers.
AsLayer
opposed
to AToM,
the sequence
number
begins
at 0,
legacy Layer
2 and
3 networks
would
like to move
toward
a single
which is
a valid sequence
backbone
while newnumber.
X-Bitstechnology
Set the Reserved
bits allow
to 0 on
transmission
and
ignore
them3 on reception.
that would
Layer
2 transport
over
a Layer
infrastructure.
ATM-Specific Sublayer:
T-Bit The Transport bit indicates whether the L2TPv3 packet contains an ATM admin
cell (when T is set) or an AAL5 payload (when T is cleared). OAM cells are examples
of admin cells.
history
and implementation
details
of the two
technologies
available
from
G-Bit The
Explicit
Forward Congestion
Indication
(EFCI)
bit indicates
congestion.
the
Cisco
Unified
VPN
suite:
Any
Transport
over
MPLS
(ATOM)
for
MPLSThe LCCE sets the G bit if the EFCI bit of the final cell of the incoming AAL5 payload
Layer
2 Tunneling
Protocol
or the based
(EFCI)cores
in theand
single
ATM
cell is set to
1.
reader
Layer
2 VPN
benefits
C-Bit The
cellto
loss
priority
(CLP)
bit inand
the implementation
ATM cell headerrequirements
indicates cell and
loss priority.
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as MPLS,
then
The LCCE sets the C bit if any of the CLP bits of any of the incoming
ATM
cells of the
progressively
covering
currently
AAL5 payload
or of the
single each
ATM cell
is set available
to 1.
U-Bit The U-bit carries the Command/Response (C/R) bit, which is used with
FRF.8.1 "Frame Relay/ATM PVC Service Interworking."
Note
Bits 2 and 3 in both Layer 2-Specific Sublayers indicate fragmentation as negated
Beginning and End of fragment bits.

ByWeiLayer
Luo, - CCIE
No. protocols
13,291,Carlos
Pignataro,
- CCIErequirements
No. 4619,Dmitry Bokotey,
CCIE 2Different transported
2 WAN
have
different
for the- Layer
4460,
Anthony Chan,
- CCIEthe
No. 10,266
Specific Sublayer.No.
Two
situations
require
use of the Layer 2-Specific Sublayer:
AAL5 The transport and tunneling of ATM AAL5 CPCS-SDU require the usage of an ATM
Specific Sublayer that carries the EFCI, CLP, and C/R and identifies AAL5 CPCSSDU versus
ISBN:
1-58705-168-0
ATM ofCell. Otherwise,
those
fields would be lost because the cell header is not transported.
Table
Pages: 648
Contents
Sequencing
Sequencing
for all Layer 2 protocols transported requires an Layer 2-Specific
Index
Sublayer that carries the Sequence Number.
For all other cases, an Layer 2-Specific Sublayer is optional. In contrast to the transport of
Frame Relay overMaster
MPLS, the
which
requires
the2control
word,
FRoL2TPv3
does
not require
the
world
of Layer
VPNs to
provide
enhanced
services
and enjoy
Layer 2-Specific Sublayer,
which
is
equivalent
to
the
control
word.
The
difference
lies
in
the fact
productivity gains
that Frame Relay over MPLS (FRoMPLS) does not transport the Q.922 header, and the only
way to transport control bits is by piggybacking them in the control word. In FRoL2TPv3, the
Learn about
Layerthe
2 Virtual
Private Networks
(VPNs)
Q.922 header is transported;
therefore,
Layer 2-Specific
Sublayer
header is not needed.
MTU Considerations
both
ATOM and
L2TP
protocols
When you tunnel a Layer
2 protocol
data
unit
(PDU) by means of encapsulation, you need to
factor the additional overheads associated with this tunneling scheme into packet sizes and
strategies
allow large the
enterprise
enhance
maximum transmissionReview
unit (MTU).
Whenthat
encapsulating
Layer 2customers
PDU to beto
transported
service offeringsnetwork
while maintaining
using L2TPv3 across antheir
IP packet-switched
(PSN), yourouting
need tocontrol
take into account a
series of overheads that are added. This section details all the associated overheads.
arethese
still derived
from
You can categorize
overheads
asdata
follows:
Transport Overhead
The
overhead
is associated
themove
specific
Layer
2 being
legacy Layer
2 and
Layer that
3 networks
would with
like to
toward
a single
transported.backbone
Table 12-2while
lists new
this overhead
for the
and
tunneling
of different
carriers would
liketransport
to sell the
lucrative
Layer
2
WAN protocols.
infrastructure.
Table
12-2.(VPN)
Transport
for
Different
WAN via
Network
concepts,Overhead
and describes
Layer
2 VPN techniques
introductory case
studies and
comprehensive
Protocols
over
L2TPv3 design scenarios. This book
Transport
Transport
Header
Reasonfor MPLSthe Cisco Unified
VPN suite: Any Transport
over
MPLS (ATOM)
Transportbased
Type cores and
Header
Size
[Bytes]
IP DLCI,
cores. The 4
structure
is focused
on [2]
first+introducing
the
Frame Relay
bytes of this bookQ.922
Header
Ethertype [2]
Cisco encapsulation
Frame Relay
DLCI,
10
bytes each currently
Q.922
Headersolution
[2] + SNAP
[2] =>
progressively
covering
available
in greater
detail.
IETF[1] encapsulation
Control [1] + Pad [1] + NLPID[3]
[1] + OUI[4] [3] + Ethertype [2]
Cisco HDLC
4 bytes
Address [1] + Control [1] +

Ethertype [2]
PPP
2 bytes
PPP DLL[5] Protocol [2]
AAL5
0-32 bytes
Header
[1]
IETF = Internet Engineering Task Force
SNAP = Subnetwork Access Protocol

[3] NLPID = Network Layer Protocol Identifier
[4] OUI = Organizationally Unique Identifier
[2]
[5]
Publisher:
DLL = Data
Link LayerCisco Press
ISBN: 1-58705-168-0
Table
of
L2TPv3
Overhead The tunneling overhead that is associated with the L2TP data
Pages:
648
Contents
message headers. It can
be further subdivided into the following:
Index
L2TP Session Overhead The overhead that is associated to the L2TP Session
Header:
Sessionproductivity
ID The 4-byte
overhead that is always present
gains
Cookie Optional overhead that can be NULL, 4 bytes, or 8 bytes
L2-Specific Overhead An optional overhead that is associated with the Layer 2ReduceItcosts
and
extend
theor
reach
of your
serviceson
bywhether
unifyingthe
your
Specific Sublayer.
can be
either
NULL
4 bytes,
depending
field
is present. network architecture
from the
first
book to that
address
Layer 2 VPN
utilizing
Delivery (IPv4)Gain
Overhead
The
overhead
is associated
withapplication
the outer IP
header
both ATOMprotocol
and L2TP
protocols
without options identifying
type
115 for L2TPv3. It is always 20 bytes.
Review
strategies
that
allow
large enterprise
customers
enhance
You can see the transport
overhead
for all
WAN
protocols
over L2TPv3
in Tableto
12-2.
ATM Cell
their
offerings
while
maintaining
control(CRoL2TPv3), the
transport is deliberately
left service
out of Table
12-2.
In ATM
cell relayrouting
over L2TPv3
packets transported are of a fixed length of 52 bytes. You can concatenate them up to a
For
majority
of Service
a significant
portion
maximum number
of apacked
cells,
makingProviders,
MTU calculation
different
from of
alltheir
otherrevenues
Layer 2
transports.
Note
You can compare
transport overheads for L2TPv3 in Table 12-2 with the AToM
infrastructure.
transport overheads and draw the conclusion that the only different overhead is for
2 Relay
VPN Architectures
introduces
readers
to header
Layer 2isVirtual
Private
transportingLayer
Frame
DLCI mode. In
L2TPv3, the
Q.922
transported
and describes
Layer 2 VPN
techniques
via
but is not in Network
AToM. A (VPN)
2-byteconcepts,
Q.922 header
without extended
addressing
is assumed.
From the differentthe
overheads
presented,
you can
total
overhead
and
the
Cisco Unified
VPN suite:
Any calculate
Transportthe
over
MPLS
(ATOM)
forinfer
MPLSMTU in the provider
edge
(PE)and
andLayer
provider
(P) routers
toward
the PSN
(Core MTU)
based
cores
2 Tunneling
Protocol
version
3 (L2TPv3)
for from
nativethe
MTU in the PE attachment
interface
MTU).
The following
equations
calculateg
the
IP cores. circuit
The structure
of(Edge
this book
is focused
on first
introducing
the
core MTU for different
WAN
protocols:
reader
to Layer
Core MTU
Edge MTU + Transport Header + L2TPv3 Header + IPv4 Header
Where
L2TPv3 Header = L2TP Session Header + Layer 2-Specific Sublayer Header
L2TP Session Header = Session ID (4 bytes) + Cookie (0, 4 or 8 bytes)
Layer 2-Specific Sublayer Header = 0 or 4 bytes
In addition to the transport overhead, the maximum overhead that IP and L2TPv3oIP add is 36
bytes (20 bytes from the IP header, 4 bytes of the L2TPv3 Session ID, 8 bytes of Cookie, and 4
bytes of the Layer 2-Specific Sublayer Header). The minimum overhead is 24 bytes, skipping
the Cookie and Layer 2-Specific Sublayer fields. This minimum overhead is the default for the
transport of WAN protocols over L2TPv3. By default, cookies and sequencing are nonexistent,
except for AAL5 SDU transport, in which the ATM-Specific Sublayer is required.
HDLC and PPP over L2TPv3

You can transport HDLC pseudowire that is defined in an L2TPv3 companion Internet document
using L2TPv3 by including all HDLC data and control fields (address, control, and protocol
fields)
andofstripping theISBN:
flag 1-58705-168-0
and frame check sequence (FCS) fields. From Chapter 5, you know
Table
Pages:
648
that Cisco
routers use a proprietary
version of HDLC referred to as Cisco HDLC. It differs from
Contents
standard
Index HDLC in that the higher layer protocol identification is performed using the Ethernet
type.
Because the behavior of an HDLC pseudowire is to function in a port-mode fashion, removing
the flag and FCS during
and
transporting
complete
packetservices
over theand
pseudowire
Master imposition
the world of
Layer
2 VPNs tothe
provide
enhanced
enjoy
without inspecting
it, Cisco HDLC
is also transported over an HDLC pseudowire. In fact, therein
productivity
gains
is one of the most important facets of the HDLC pseudowire: it can transport transparently in
an interface-to-interface mode all protocols that contain HDLC-like framing (meaning 0x7E flag
Layer 2
Private
Networks
and FCS). This includesLearn
but isabout
not limited
toVirtual
PPP, Frame
Relay,
X.25,(VPNs)
Synchronous Data Link
Control (SDLC), and so on.
network
architecture
The transport of PPP frames
over
L2TPv3 pseudowires is quite similar to the transport of HDLC
frames. This coincides with the fact that PPP was modeled after HDLC with the addition of
Gainmultiprotocol
from the firstdatagrams
book to address
utilizing
protocol fields to transport
over point-to-point
links.
Differences and optimizations exist, however, traceable to the fact that PPPoL2TPv3 has some
Review
strategies that
allow large
enterprise
customers
to fields
enhance
Layer 2 packet inspection.
At imposition,
the Address
(0xFF)
and Control
(0x03)
of the
their
service
maintaining
routing
control
PPP frame are removed,
leaving
theofferings
first fieldwhile
transported
as the
PPP DLL
Protocol Number. The
IANA assigns these PPP DLL Protocol Numbers. You can check them at
http://www.iana.org/assignments/ppp-numbers.
technologies.
Although
3 MPLS
VPNs
the market
need
for some
Figure 12-4 shows
the encapsulation
andLayer
packet
formats
for fulfill
HDLCoL2TPv3
and
PPPoL2TPv3.
services
over
3 cores.
The solution in
these
cases is a
Figure 12-4.
HDLC
Pseudowire
and PPP
Pseudowire
over
L2TPv3
Packet Formats
infrastructure.


Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
Because the Address and Control fields are stripped at imposition and not transported over
L2TPv3, FCS Alternatives (specify different FCS formats or no FCS at all by means of the LCP
configuration option) and Address and Control Field Compression (ACFC) do not work. In
contrast, the protocol field is transported so that Protocol Field Compression (PFC) works.
Frame Relay over L2TPv3

At this point, you already know that you can transport and tunnel Frame Relay in a port-mode
fashion using an HDLC pseudowire because Frame Relay frames employ HDLC-like framing.
The PE configuration for Frame Relay Port mode does not specify the encapsulation as Frame
Relay, but it leaves the default of HDLC. In this case, however, Local Management Interface
(LMI) is also tunneled over the pseudowire; therefore, you need to properly configure the
customer edge (CE) devices for LMI:
infrastructure.
If the CE devices are Frame Relay switches, use Frame Relay Network-to-Network
Layer
2 VPN
Architectures
Interface (NNI)
LMI
in both
ends.
introductory
caseRelay
studies
and comprehensive
design
This book
If the CE devices
are Frame
routers,
use Frame Relay
datascenarios.
terminal equipment
assists
readers
looking
to
meet
those
requirements
by
explaining
theconfigure
(DTE) LMI in one end and Frame Relay DCE LMI in the other end. Alternatively,
history
and
implementation
details
of
the
two
technologies
available
from
Frame Relay NNI LMI to run between routers to better indicate the DLCI status between
the
Cisco
Unified
VPN
suite:
Any
Transport
over
MPLS
(ATOM)
for
MPLSCE and CE.
IP transporting
of this
book is
firstuses
introducing
the
Another method of
Frame Relay
frames
at focused
the DLCIonlevel
the pseudowire
reader
to Layer
2 VPN benefits
and implementation
requirements
type of 0x0001. This
method
to provide
Frame Relay
pseudowires is specified
in an and
L2TPv3
IETF companion document.
When you use Frame Relay pseudowire DLCI mode, the Frame Relay PDU is transported in its
entirety. Only the opening and closing HDLC flags of 0x7E and the FCS field are stripped at
imposition, and the complete Frame Relay frameincluding the Q.922 headeris transported.
When you are using different DLCIs at both ends, the DLCI value is rewritten at the disposition
(egress) PE (see Figure 12-5).
Figure 12-5. Frame Relay Pseudowire over L2TPv3 Packet Formats

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
FromFigure 12-5,Master
you can
see
bothofFrame
IETF
encapsulation
andservices
Frame Relay
Cisco
the
world
LayerRelay
2 VPNs
to provide
enhanced
and enjoy
encapsulation. They
differ
in
the
upper-layer
protocol
identification.
You
can
configure
Cisco
productivity gains
routers for either type of encapsulation.
Because the complete Learn
Q.922 about
header
is transported,
you doNetworks
not need(VPNs)
to transport the
Layer
2 Virtual Private
Command/Response (C/R), forward explicit congestion notification (FECN), backward explicit
and extend
the reach
your
services by
unifying
your with
congestion notificationReduce
(BECN),costs
and discard
eligibility
(DE) of
bits
separately,
as was
the case
network
architecture
FRoMPLS. However, the
DLCIs can
be different at both ends of the Frame Relay pseudowire, so
you must rewrite the Frame Relay DLCI at disposition.
ATM over L2TPv3

The tunneling and transport of ATM over L2TPv3 presents two operational modes:
ATM AAL5-SDU
Mode The
ingressLayer
LCCE3performs
reassembly
the AAL5
CPCSSDU
technologies.
Although
MPLS VPNs
fulfill the and
market
need for
some is
transported customers,
over the ATM
pseudowire.
The
EFCI,
CLP,
and
C/R
bits
are
transported
they have some drawbacks. Ideally, carriers with existing in the
required ATM-Specific
Sublayer.
The egress
LCCEwould
performs
legacy Layer
2 and Layer
3 networks
like segmentation.
ATM Cell Mode
No reassembly
occurs Layer
at the 3ingress
and ATM-Layer
ATM cells
services
over their existing
cores. LCCE,
The solution
in these cases
is a are
transported technology
over the ATM
pseudowire.
The
ATM-Specific
Sublayer
is
optional.
Two
operational infrastructure.
submodes are also supported:
Single Network
cell relay(VPN) concepts, and describes Layer 2 VPN techniques via
Cell concatenation
history
and implementation
details
fromThe
Figure 12-6 shows
a graphical
definition of the
AAL5 of
CPCS-SDU
transported available
over L2TPv3.
the
Cisco
Unified
VPN
suite:
Any
Transport
over
MPLS
(ATOM)
for
MPLSpayload that is transported in AAL5 CPCS-SDUs over L2TPv3 is the same as the one
based
cores andover
Layer
2 Tunneling
Protocol
version
3 (L2TPv3)
for native
transported in AAL5
CPCS-SDUs
MPLS.
From Figure
12-6,
you can
see that the
ATM cell
IP
cores.
The
structure
of
this
book
is
focused
on
first
introducing
the
headers are not transported, which is why it is necessary to add the ATM-Specific Sublayer.
Figure 12-6. AAL5 CPCS-SDU over L2TPv3 Packet Formats


Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
ATM cell mode over L2TPv3
also allows
multiple
granularities with three different services:
both ATOM
and L2TP
protocols
ATM VCC Cell-Relay Service
ATM VPC Cell-Relay Service
are still derived
ATM Port Cell-Relay
Service from data and voice services based on legacy transport
customers,
they single-cell
have somerelay
drawbacks.
Ideally,
These three modes
exist for both
mode and
cell concatenation
mode. Figure
legacyformat
Layer 2
and
3 networks
to cells
move
toward
a single
12-7 shows the packet
for
theLayer
transport
of two would
packedlike
ATM
over
L2TPv3.
infrastructure.
Figure
12-7. Cell Relay over L2TPv3 Packet Formats

Note
In ATM cell mode, ATM layer cells are transported. This translates to a 4-byte ATM
cell header plus a 48-byte cell payload. The fifth byte in the ATM cell header contains
the header error control (HEC) and is appended by the Transmission Convergence
Layer
2 VPN
Architectures
(TC) sublayer
in the
ATM
physical layer. The HEC byte is not transported over an
L2TPv3 ATM By
pseudowire.
Because the transport

ATM
over
has unique characteristics compared to other
PubofDate:
March
10,L2TPv3
2005
protocols that are transported, the control plane needs to signal these attributes that only
ISBN: 1-58705-168-0
Table
pertain
to ofATM attachment circuits. To that effect, the following are two new AVPs defined for
Pages:
648
Contents
transport
of ATM over L2TPv3 that are not present for other protocols:
Index
ATM Maximum Concatenated Cells AVP This AVP only applies to ATM cell relay
pseudowire types. It consists of a 16-bit value that indicates the maximum number of
Master
the world
Layer
VPNs
to provide
services
and enjoy
concatenated
or packed
ATM of
cells
that2the
sending
LCCEenhanced
can process
at disposition.
Using
productivity
gainsthe bandwidth efficiency given that multiple cells share the
cell concatenation
increases
same L2TPv3 tunneling overhead; the expense is additional latency incurred while waiting
for cells to be concatenated in a single L2TPv3 packet.
OAM Emulation Required AVP This AVP can be used in AAL5 CPCS-SDU mode to
Reduce This
costsisand
extend
thethe
reach
your services
bynot
unifying
your
request OAM emulation.
helpful
when
ATMofpseudowire
does
support
the
network
architecture
transport of OAM cells (by setting the T-bit) in an AAL5 ATM pseudowire; therefore, you
can terminate OAM cells in the LCCE. For it to work, you must use OAM emulation in both
ends simultaneously. This AVP has a NULL value. The mere presence of this AVP indicates
that OAM emulation is required.

infrastructure.

Configuring
WAN Protocols over L2TPv3 Case Studies
This section discusses

the configuration
Publisher:
Cisco Press steps required to enable Layer 2 tunneling transport of WAN
protocols using L2TPv3.
Several
studies cover configuration and verification examples for HDLCoL2TP
Pub Date:
Marchcase
10, 2005
PPPoL2TPv3, FRoL2TPv3, and ATMoL2TPv3.
ISBN: 1-58705-168-0
Table of
Pages:
EveryContents
one of the case studies648
uses the same IP PSN, shown in Figure 12-8. The goal is to demonstrate the
Index
configuration
steps, verification, and troubleshooting stages required to set up Layer 2 connectivity betwee
CE devices over the IP network.
productivity
gains
Figure
12-8.
WAN Protocols over IP Case Study Topology

from data
and voice
services The
based
transport
The first step is toare
setstill
up derived
the common
underlying
IP network.
IP on
PSNlegacy
consists
of a PE router with host
technologies.
Layer Denver
3 MPLS which,
VPNs fulfill
the is
market
need to
forasome
name SanFran connected
to a PAlthough
router named
in turn,
connected
second PE router
customers,
theyhave
haveasome
drawbacks.
Ideally, and
carriers
with existing
NewYork. The three
core devices
/32 loopback
configured
advertised
through an Interior
2 and
3 networks
likePath
to move
a single
Gateway Protocollegacy
(IGP).Layer
(These
caseLayer
studies
use Openwould
Shortest
First toward
[OSPF].)
In these examples, the
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
PE-P links are point-to-point Cisco HDLC (C-HDLC) links with IP addresses unnumbered
to the loopback
servicesThis
overeffectively
their existing
Layer
3 cores.
The
solution
in core
these
cases The
is a following list
interfaces' IP addresses.
results
in just
one IP
address
per
device.
technology
describes the required
steps:that would allow Layer 2 transport over a Layer 3
infrastructure.
Layer 2interface
VPN Architectures
readerstotoit.Layer 2 Virtual Private
Create a loopback
and assignintroduces
a /32 IP address
Enable IP CEF
globally. case studies and comprehensive design scenarios. This book
introductory
Assign IP addresses
(unnumbered
to thedetails
loopbacks)
alltechnologies
physical linksavailable
that connect
history and
implementation
of theto
two
from the core routers
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSEnable an IGP
among
the
core
routers.
These case
studies
use OSPF
with a for
single
area 0.
based
cores
and
Layer
2 Tunneling
Protocol
version
3 (L2TPv3)
native
Example 12-1 shows the required configuration for the SanFran PE router. The configuration for the other
two core routers is equivalent to this one.

!
hostname SanFran
!
ip cef
!
interface Loopback0
ip address 10.0.0.201 255.255.255.255

!
interface Serial10/0
2 VPN Architectures
ip unnumbered Layer
Loopback0
!
router ospf 1 No. 4460,Anthony Chan, - CCIE No. 10,266
network 10.0.0.201
0.0.0.0
area 0
Publisher:
Cisco Press
!
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
The highlighted
lines
show
how
you are using only one /32 IP address in the SanFran PE. You can now veri
Index
that IP routes are being distributed.
The routes highlighted are learned through OSPF. You can see in Example 12-2 that the 10.0.0.202/32 pre
with cost 65 (64 of
1544 the
kbps
link of
+1
of loopback)
and
the 10.0.0.203/32
prefixand
withenjoy
cost 129 (2 * 64 of 2
Master
world
Layer
2 VPNs to
provide
enhanced services
1544 kbps links +productivity
1 of loopback)
are reachable from SanFran through Serial 10/0.
gains
Learn about Layer 2 Virtual

Example 12-2. Preconfiguration
Verification
SanFran#show ip route
Gain
first book O
to -address
VPN application
D - EIGRP, EX
- from
EIGRPthe
external,
OSPF, Layer
IA - 2OSPF
inter areautilizing
both
ATOM
and
L2TP
protocols
o - ODR For a majority of Service Providers, a significant portion of their revenues
still derived
from
Gateway of lastare
resort
is not
set
10.0.0.0/32
is subnetted,
3 some
subnets
customers,
they have
O
10.0.0.202
viaLayer
10.0.0.202,
6d22h,
Serial10/0
legacy[110/65]
Layer 2 and
3 networks
would like
O
10.0.0.203
[110/129]
viacarriers
10.0.0.202,
6d22h,
backbone
while new
would like
to sellSerial10/0
C
10.0.0.201
is over
directly
connected,
services
their existing
Layer Loopback0
SanFran#
SanFran#traceroute
10.0.0.203
infrastructure.
to abort.
Layer 2 VPN
Tracing the route
to
Network10.0.0.203
1 10.0.0.202 introductory
20 msec 20case
msecstudies
28 msec
assists
readers
looking
to
2 10.0.0.203 56 msec 20 msec 20 msec
history
and
implementation
SanFran#
reader
to Layer
VPN benefits
The next subsections
present
the 2following
case studies:
Case Study 12-1: HDLC over L2TPv3 with Static Session
Case Study 12-2: PPP over L2TPv3 with Dynamic Session
Case Study 12-3: Frame Relay DLCI over L2TPv3 with Dynamic Session
Case Study 12-4: AAL5 SDU over L2TPv3 with Dynamic Session
Case Study 12-5: ATM Cell Relay over L2TPv3 with Dynamic Session
Case Study 12-1: HDLC over L2TPv3 with Static Session

Layer
2 VPN
Architectures
In this section, you
learn
how
to configure HDLCoL2TPv3 according to the topology shown in Figure 12-9.
FigurePublisher:
12-9.Cisco
HDLCoL2Tv3
Static Session Case Study Topology
Press
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
The IP PSN provides the transport of HDLC connecting Serial 5/0 interface in the Oakland and Albany CE
routers.
Configuring HDLCoL2TPv3
Review
thatrequired
allow large
customers
enhance
InChapter 11, you learned
the strategies
configuration
for enterprise
static L2TPv3
sessionstofor
Ethernet pseudowires.
service offerings
while maintaining
controlthe protocol none statemen
recap, the creation of atheir
pseudowire
class is required
because it routing
must include
for a static session. A static session has no signaling protocol.
are stillpseudowires
derived fromisdata
and voice services
based
transport
The pillar of configuring
the xconnect
command,
and on
thislegacy
case is
no exception. For
technologies.
Although is
Layer
MPLS the
VPNs
fulfill the market
HDLCoL2TPv3, the
xconnect command
used3under
attachment
circuit, need
whichfor
is some
the Serial 5/0
customers,
have some
carriers
existing
interface on the PE
routers. Itthey
specifies
the IPdrawbacks.
address andIdeally,
pseudowire
ID with
of the
peer PE. This case study
legacy
Layer
2 and
3 networks
would
like
toofmove
toward
a single
uses a pseudowire
ID (also
known
asLayer
the VC
ID or remote
end
ID)
50. The
VCID
binds L2TP sessions to
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
given attachment circuit (virtual circuit, interface, or interface bundle). For a static 2L2TPv3 session, enter t
their existingl2tpv3
Layer 3statement.
cores. TheYou
solution
is the
a previously
manual keywordservices
after theover
encapsulation
needin
tothese
followcases
it with
technology
defined pseudowire
class.
infrastructure.
These steps are shown for the SanFran endpoint in Example 12-3.
introductory
case studies
and comprehensive
design
Example 12-3.
HDLCoL2TPv3
Static
Configuration
in SanFran
hostname SanFran
!
reader
pseudowire-class
hdlc-v3-manual
l2tpv3
protocol none progressively covering each currently available solution in greater detail.
!
interface Serial5/0
no ip address
xconnect 10.0.0.203 50 encapsulation l2tpv3 manual pw-class hdlc-v3-manual
l2tp id 221 238
l2tp cookie local 4 286331153
l2tp cookie remote 8 572662306 572662306
!
FromExample 12-3, you can see the specification of protocol none for a static session under the hdlc-v3
manual pseudowire-class.
You must set the ip local interface directive to a loopback interface. For
Wei Luo,
- CCIEisNo.
13,291,Carlos
Pignataro,followed
- CCIE No.by
4619,
Bokotey,
- CCIE The encapsulatio
dynamic sessions,Bythe
protocol
specified
as l2tpv3
anDmitry
optional
l2tp-class.
Chan,command
- CCIE No. 10,266
manual directiveNo.
in 4460,
the Anthony
xconnect
instructs the LCCE that no signaling is to be used in the L2TP
control channel (or to only use the control channel for keepalives) and enters the xconnect configuration
submode to configure
the L2TPv3
static session parameters.
Publisher:
Cisco Press
By entering the xconnect command specifying the encapsulation as l2tpv3 with the manual keyword, yo
ISBN: 1-58705-168-0
Table of
aretaken
into the config-if-xconn configuration mode. In this new lower-level configuration mode, you
Pages:
648
Contents
specify
L2TP manual configuration commands using the l2tp keyword, such as local and remote session ID
Index
local
and remote cookie size and value, and hello control messages.
Table 12-3 summarizes the values chosen from the SanFran perspective and configured in Example 12-3.
Note that the values are simple in hexadecimal to facilitate the decoding. Table 12-3 also shows the
hexadecimal values.
productivity gains
Table 12-3. L2TPv3

Manual Configuration Values for
HDLCoL2TPv3
Gain
from the first book to address
Local
RemoteLayer 2 VPN application utilizing
221
238
Review
strategies that allow(0x000000EE)
Session ID
(0x000000DD)
Cookie Size
4
8
286331153
572662306
are still derived
from data and voice
Cookie Value (Low)
(0x11111111)
(0x22222222)
technologies. Although Layer 3 MPLS
customers,
N/Athey have some drawbacks.
572662306
legacy Layer 2 and Layer 3 networks
Cookie Value (High)
(0x22222222)
FromTable 12-3, infrastructure.
you can see that the local cookie value does not have a high-order part, because it is only
4 bytes. Example 12-4 shows the configuration in the NewYork PE router.
introductory
case studies
and comprehensive
design
Example 12-4.
HDLCoL2TPv3
Static
Configuration
in NewYork
!
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLShostname NewYork
!
pseudowire-class
hdlc-v3-manual
reader
l2tpv3
protocol none progressively covering each currently available solution in greater detail.
!
interface Serial5/0
no ip address
xconnect 10.0.0.201 50 encapsulation l2tpv3 manual pw-class hdlc-v3-manual
l2tp id 238 221
l2tp cookie local 8 572662306 572662306
l2tp cookie remote 4 286331153
!
Because in a static
session
protocol is involved to signal the L2TPv3 parameters such as session ID,
Layer
2 VPN no
Architectures
cookie size, and cookie
value,
you
manually
configure
values
the -local
ByWei Luo, - CCIE No.must
13,291,
Carlos Pignataro,
- CCIEthese
No. 4619,
Dmitry for
Bokotey,
CCIEand remote session
endpoints. For dynamic
sessions,
only
the
local
cookie
size
is
configured.
The
session
ID and cookie value a
dynamically assigned at the local LCCE. For dynamic sessions, the remote values are signaled in L2TPv3
AVPs.
Pub Date:
2005 you can see that the manually configured local and remote session
By comparing Examples
12-3March
and10,
12-4,
ISBN: 1-58705-168-0
IDs, cookie
Table of sizes, and cookie values mirror each other. The local session ID, cookie size, and cookie value
Pages:
648are the remote ones in NewYork and vice versa. To emphasize, this case
that are
configured
in
SanFran
Contents
study
also
shows
that
although
the local cookie size that is configured in an LCCE needs to match the remo
Index
cookie size that is configured in the peer LCCE, the cookie sizes do not need to match in both endpoints. Th
is because the local cookie size in SanFran is 32 bits, whereas the local cookie size in NewYork is 64 bits.
productivity gains
Verifying HDLCoL2TPv3
The first verification step
is toabout
issueLayer
the command
(see (VPNs)
Example 12-5).
Learn
2 Virtual show
Privatel2tun
Networks

the HDLCoL2TPv3 PE
SanFran#show l2tun both ATOM and L2TP protocols
due
toallow
failed
Reviewdropped
strategies
that
largedigest
enterprise
LocID RemID Remote Name State Remote Address Port Sessions L2TPclass
LocID
RemID
TunID from
Username,
State
are still derived
data and Intf/
Vcid,
Circuit
Layer
221
238 customers,
0 they have
50,some
Se5/0
est
SanFran#
infrastructure.
Note

The term tunnel
in this chapter
refers and
to the
optional L2TPv3
control
connection.
L2TPv3 negotiates
introductory
case studies
comprehensive
design
scenarios.
This book
a session forassists
each pseudowire.
Usually,
two those
L2TPv3
speaking peers
have a single
readers looking
to meet
requirements
by explaining
the tunnel and
multiple sessions.
FromExample 12-5,
you to
can
see one
session
andand
no tunnels,
becauserequirements
you only have
an HDLCoL2TPv3 stat
reader
Layer
2 VPN
benefits
implementation
and
session. You can also
see thethem
localto
and
remote
session
ID values
you
comparing
those
of Layer
3 based
VPNs,that
such
asconfigured
MPLS, thenand a Null Tunnel ID
because no tunnel
is available for
a staticeach
session
without
keepalives.
Theinstate
is established.
This is
progressively
covering
currently
available
solution
greater
detail.
expected because control plane signaling does not exist, and the state is established even if the remote PE
goes down. You can view more details about the L2TPv3 session using the command show l2tun session
all, as in Example 12-6.
Example 12-6. HDLCoL2TPv3 Session Details


ByWei Luo,
Remote tunnel name
is - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
No.
4460,
Internet address isAnthony
10.0.0.203
Session is manually signalled
Publisher:
Cisco Press time since change 00:25:39
Session state is
established,
180 Packets sent,
180
received
Pub Date:
March
10, 2005
12666 Bytes sent,
12640
received
ISBN: 1-58705-168-0
Table of
dropped:
Receive packetsPages:
648
Contents
out-of-order:
0
Index
total:
0
0
total:
0
Session vcid is 50
productivity gains
Session Layer 2 circuit, type is HDLC, name is Serial5/0
Circuit state is UP
Remote session Learn
id isabout
238, Layer
remote
tunnel
id 0 Networks (VPNs)
2 Virtual
Private
local cookie, size
4 bytes,
value 11 11 11 11
network
architecture
remote cookie, size 8 bytes, value 22 22 22 22 22 22 22 22
FS cached header Gain
information:
encap size = 32both
bytes
00000000 00000000 00000000 00000000
Review
strategies
00000000 00000000
00000000
00000000
Sequencing is off
SanFran#
FromExample 12-6,
you Layer
can see
all the
session
parameters
statically
The local
legacy
2 and
Layer
3 networks
wouldlocally
like toand
move
towardconfigured.
a single
session ID is 221,backbone
and the remote
session
ID iswould
238. like
Bothtothe
remote
tunnel
while new
carriers
selllocal
the and
lucrative
Layer
2 IDs are shown as 0,
because no tunnel
or tunnel
ID their
exists.
You can
also3see
thatThe
thesolution
session in
is manually
signaled,
and the VC I
services
over
existing
Layer
cores.
these cases
is a
that would be advertised
in
the
End
Identifier
AVP
for
dynamic
sessions
is
50.
The
Type
is
HDLC
using
Pseudowire Type infrastructure.
0x0006 from Table 12-1.
Theshow l2tun session

all command
displays
local and
remote
You can see a 32-bit
Layer 2 VPN
Architectures
introduces
readers
to cookie
Layer 2information.
Virtual Private
local cookie of 0x11111111
and aconcepts,
64-bit remote
cookie ofLayer
0x2222222222222222.
Finally, the local
Network (VPN)
and describes
encapsulation size
(added to HDLC
frames and
tunneled
over L2TPv3
toward
the NewYork
PE) is 32 bytes. This
introductory
case studies
comprehensive
design
scenarios.
This book
20 bytes of the IPassists
header,
4
bytes
of
the
remote
session
ID
of
238
(0x000000EE),
and
readers looking to meet those requirements by explaining the 8 bytes of the remo
cookie of 16 hexadecimal
number
2s. Example
12-7 depicts
thistechnologies
overhead using
the command
show sss
history and
implementation
details
of the two
available
from
circuits.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS-
Example 12-7.
HDLCoL2TPv3
Encapsulation
Details from
SanFran
reader
and implementation
requirements
and
SanFran#show sss circuits
Common Circuit ID 0
Serial Num 2
Switch ID 18797112
--------------------------------------------------------------------------Status Encapsulation
UP flg len dump
Y AES 0
Y AES 32 45000000 00000000 FF73A5F7 0A0000C9 0A0000CB
000000EE 22222222 22222222
SanFran#
The SanFran 32-byte
encapsulation consists of the following:
Delivery (IPv4)
Header
Publisher:
CiscoThis
Pressis the 20-byte IP header indicating IP protocol 115 (0x73) for L2TPv3.
L2TPv3 Session Header This includes the remote session ID (4 bytes) and optional cookie (8 bytes
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
Similarly,
the NewYork side shows
a 28-byte encapsulation consisting of the following:
Index
Delivery (IPv4) Header This is a 20-byte IP header indicating IP protocol 115 (0x73) for L2TPv3.
L2TPv3 Session
This
a 4-byte
remoteenhanced
session IDservices
of 221 (0x000000DD)
and a 4-by
MasterHeader
the world
of includes
Layer 2 VPNs
to provide
and enjoy
remote cookie
of
0x11111111.
productivity gains
Example 12-8 shows the NewYork HDLCoL2TPv3 encapsulation details using the command show l2tun
session all.
Example 12-8.
HDLCoL2TPv3
Encapsulation Details from NewYork
ATOM
and L2TP protocols
NewYork#show l2tun both
session
all
Reviewdropped
strategies
that
largedigest
enterprise
due
toallow
failed
Session id 238 For
is aup,
tunnel
id 0 Providers, a significant portion of their revenues
majority
of Service
Call serial number
is
0
Remote tunnel name
is
technologies.
Internet address
is
10.0.0.201
customers,
Session is manually
signalled
legacy Layer
Session statebackbone
is established,
time since
1w0d
while new carriers
wouldchange
like to sell
70767 Packets
sent,
70757
received
4940396 Bytes
sent, that
4949086
technology
wouldreceived
Receive packets
dropped:
infrastructure.
out-of-order:
0
total: Layer 2 VPN Architectures
0
Network
(VPN)
concepts,
and
introductory
case
studies
and
comprehensive
0
assists
readers
looking
to
meet
those
requirements
by explaining the
total:
0
history
and
implementation
details
of
the
two
technologies
available from
Session vcid is 50
the
Cisco
Unified
VPN
suite:
Any
Transport
over
MPLS
(ATOM)
for MPLSSession Layer 2 circuit, type is HDLC, name is Serial5/0
based
cores
and
Layer
2
Tunneling
Protocol
version
3
(L2TPv3)
for native
Circuit state is UP
IP
cores.
The
structure
of
this
book
is
focused
on
first
introducing
the
reader
to
Layer
2
VPN
benefits
and
implementation
requirements
and
comparing
Session cookie
information:
progressively
covering
each currently
solution
local cookie, size 8 bytes,
value
22 22 22available
22 22 22
22 22in greater detail.
remote cookie, size 4 bytes, value 11 11 11 11
00000000 00000000 00000000 00000000
00000000 00000000 00000000
Sequencing is off
NewYork#show sss circuits
Common Circuit ID 0
Serial Num 1
Switch ID 18785464
UP flg len Layer
dump2 VPN Architectures
Y AES
0 ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
No. 4460,Anthony
Chan, - CCIE
No. 10,266
Y AES
28 45000000
00000000
FF73A5F7
0A0000CB 0A0000C9
000000DD 11111111
NewYork#
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Note
As a reminder, the data message format consists of the following:
productivity gains
Delivery Header The IPv4 header that transports the L2TPv3 packets across the IP
backbone network.
L2TPv3 Session Header The header that uniquely identifies tunneled traffic among multiple
Reduce It
costs
and extend
the reach
L2TP data sessions.
is further
subdivided
into of
theyour
following:
Session ID 4 bytes.
Cookie 0,
4, ATOM
or 8 bytes.
both
and L2TP protocols
L2-SpecificReview
Sublayer
The control
fields large
that facilitate
tunneling
of each
frame (that is,
strategies
that allow
enterprise
customers
to enhance
sequencing, their
flags).
L2 Payload
The DataofLink
LayerProviders,
payload to
be transported
over
For a majority
Service
a significant
portion
ofL2TPv3.
their revenues
The ultimate verification
involves
checking
connectivity
between
devices,
as shown
in Example 12-9.
legacy Layer
2 and
Layer 3
networks would
like CE
to move
toward
a single
Successful pings are
highlighted.
backbone
infrastructure.
Example 12-9.
Verifying the HDLCoL2TPv3 CE

!!!!!
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSSuccess rate is 100 percent (5/5), round-trip min/avg/max = 20/22/32 ms
Oakland#
Data Plane Details
Because this is a static session, it is not possible to show control plane information exchange. However, yo
can capture and decode the data plane packets of the ping in Example 12-9 from the SanFran PE using the
commandsdebug vpdn packet and debug vpdn packet detail. See Example 12-10.
Example 12-10. Capturing and Decoding HDLCoL2TPv3 Packets
SanFran#
SanFran#debug vpdn packet
VPDN packet debugging is on
SanFran#debug vpdn
packet detail
ByWei Luo,
- CCIE No. 13,291,
VPDN packet details
debugging
is onCarlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
SanFran#
02:01:13: L2TP:(Tnl0:Sn221):FS/CEF Into tunnel (SSS): Sending pak
02:01:13: L2TP:(Tnl0:Sn221):FS/CEF
Into tunnel: Sending 136 byte pak
contiguous pak, size
136March 10, 2005
Pub Date:
45 00 00 88ISBN:
06 1-58705-168-0
4E 00 00 FF 73 9F 21 0A 00 00 C9
Table of^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^...
Pages: 648
Contents
IPv4 Delivery Header (IP protocol L2TPv3)
Index
0A 00 00 CB 00 00 00 EE 22 22 22 22 22 22 22 22
...^^^^^^^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^
IPv4 Delivery Header Session Id Cookie (Remote)
Master the
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
productivity
L2TPgains
Session Header
0F 00 08 00 45 00 00 64 00 2D 00 00 FF 01 72 17
^^ ^^ ^^^^^ ^^^^^...
Learn
aboutIP
Layer
| | |
Begins
Packet
| | etype = IPv4
| Control
Address = Unicast Frame
Gain
the02
first
to address
Layer
VPN application utilizing
C0 A8 64 01
C0from
A8 64
08book
00 FC
51 00 09
00 200
both
ATOM
and
L2TP
protocols
00 00 00 00 24 3F 5D B0 ...
02:01:13: L2TP:(Tnl0:Sn221):CEF Into tunnel (SSS): Pak send successful
Review
strategies
that allow
02:01:13: L2X:CEF From
tunnel:
Received
136large
byteenterprise
pak
their
136
majority
significant
0F 00 For
08 a00
45 00 of
00Service
84 05 Providers,
72 00 00 aFD
73 A2 01
are still derived
^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^...
technologies.
Although
Layer(IP
3 MPLS
VPNs fulfill
HDLC L2
IPv4 Delivery
Header
protocol
L2TPv3)
0A 00 legacy
00 CB Layer
0A 002 and
00 C9
00 300networks
00 DD 11
11 like
11 11
Layer
would
...^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^
^^^^^^^^^^^
would like
IPv4
Delivery
Header
Session
CookieThe
(Local)
services
over their
existing
LayerId3 cores.
^^^^^^^^^^^^^^^^^^^^^^^
L2TP Session Header
infrastructure.
0F 00 08 00 45 00 00 64 00 2D 00 00 FF 01 72 17
^^ ^^ Layer
^^^^^2 VPN
^^^^^...
| | Network
|
Begins
IP Packet
(VPN) concepts,
| | case
etype
= IPv4
introductory
studies
| Control
assists readers
Address
= Unicast Frame
history
and implementation
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSC0 A8 64 02 C0 A8 64 01 00 00 04 52 00 09 00 00
00 00 00 00 24 3F 5D B0 ...
02:01:13: L2TP:(Tnl0:Sn221):CEF From tunnel: Pak send successful
SanFran#
Note
Note that in Example 12-10 and several of the following examples that deal with packet decoding,
the offline hand decoding of the packets is shown in bold.
Example 12-10 shows two packets captured in the SanFran PE. The highlighted portion indicates the
overhead added to the HDLC frames that are transported. The first packet labeled "Into tunnel" is an ICMP
Echo received from Oakland and forwarded to the L2TPv3 tunnel. The second one labeled "From tunnel" is
the ICMP Echo Reply received from Denver P and forwarded to the Oakland CE. It is worth noting that the
ByWei
Luo,
CCIE"Into
No. 13,291,
Carlospackets)
Pignataro, display
- CCIE No.
4619,
Dmitry
Bokotey,
- CCIE
imposition packets
(that
is,- the
tunnel"
the
IPv4
and
L2TPv3
headers in addition to t
No.
4460,
Anthony
Chan,
CCIE
No.
10,266
HDLC payload, whereas the disposition packets (that is, the "From Tunnel" packets) also include the datalink layer header (C-HDLC) between the PE and P routers.
The L2TPv3 portion of

the
first
packet
contains the following fields:
Pub
Date:
March
10, 2005
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
Session ID: 238
Index
Cookie: 2222222222222222
productivity gains
Note
Learn about
Layer 2protocol
Virtual Private
Networks
(VPNs)
Similar to AToM, L2TPv3
is a stateful
in which
the PE device
stores the state of interaction
after connection initialization. This implies that it is impossible to perform a nonheuristic decode by
costs
andout
extend
the reach
your services
unifying your
mere inspection ofReduce
a single
packet
of context
and of
lacking
the stateby
information.
Example 12-10 shows this behavior. Without the state information, you do not know the cookie
Gain
from theoffirst
book to
address Sublayer,
Layer 2 VPN
application
utilizing
size (0, 4, or 8), the
presence
an Layer
2-Specific
or the
encapsulated
Layer 2
both
ATOM
and
L2TP
protocols
protocol. For AToM, you do not know the presence of the control word or the Layer 2 protocol that
is being tunneled.
majority
of Service
Providers,
significant
portion
of their
revenues
You can see that For
the a
HDLC
frames
are transported
in atheir
entirety,
including
the following:
customers,
they
Address 0x0F
for unicast
frame
Control 0x00
Ethertype 0x0800
for IPv4
technology
infrastructure.
IPv4 packet The HDLC payload is the IPv4 packet of the CE. It contains the ICMP echo request, whi
is often referred
IP-framed
because
it is IP transported
over a2 Layer
frame over L2TPv3.
Layerto
2 as
VPN
Architectures
introduces
readers to Layer
Virtual2 Private
The 0x7E flags and
FCS are stripped
at imposition
and regenerated
at scenarios.
disposition.This book
introductory
case studies
and comprehensive
design
the Cisco
Unified
VPNL2TPv3
suite: Anywith
Transport
over MPLS
(ATOM) for MPLSCase Study 12-2:
PPP
over
Dynamic
Session
Both static and manual L2TPv3 sessions are limited in that they are prone to configuration errors and do n
allow for dynamic pseudowire status notifications. You can use them, however, in small deployments or wh
a peer does not support dynamic sessions. Static sessions with keepalives are an intermediate stage betwe
static and dynamic sessions that was explored in Chapter 11. The real scalability and manageability
advantages of L2TPv3 occur in dynamic sessions. This section presents a case study of PPPoL2TPv3 with
dynamic sessions using the topology shown in Figure 12-10.
Figure 12-10. PPPoL2TPv3 Dynamic Session Case Study Topology


ISBN: 1-58705-168-0
Table of
Configuring
PPPoL2TPv3
Pages: 648
Contents
Index
You can divide the configuration for the PE routers of SanFran and NewYork into four separate yet related
steps:
Step
1.
Using theMaster
l2tp-class
command,
create
an to
L2TP
class enhanced
to serve as
a template
for L2TPv3 sessions,
the world
of Layer
2 VPNs
provide
services
and enjoy
and configure
the
required
parameters.
This
case
study
specifies
authentication
and a cookie size o
productivity gains
4 bytes. This step is optional.
Step
2.
Learn about Layer

2 Virtual create
Privatea Networks
(VPNs)
Using the pseudowire-class
command,
pseudowire
class that specifies L2TPv3
encapsulation. In this pseudowire class, specify the protocol as l2tpv3 for a dynamic session
Reduce
costs
and extend
reach
referencing the
l2tp-class
template
fromthe
Step
1. of your services by unifying your
Step
3.
Configure the Gain

attachment
circuit.
In this
youLayer
are limited
configuring
PPP encapsulation usi
from the
first book
to case,
address
2 VPN to
application
utilizing
theencapsulation
ppp
command
under
the
Serial
interface
and
disabling
CDP.
Step
4.
Review
strategiesunder
that allow
large enterprise
to enhance
Apply an xconnect
statement
the attachment
circuitcustomers
(serial interface)
from the Step 3
service
offerings
while
maintaining
routing
control
interface. The their
statement
should
specify
the
remote peer,
VC ID,
and pseudowire class from Step 2

are still
from data and
voice services
on legacy
In this example, you
also derived
enable sequencing
processing
in bothbased
directions
undertransport
the xconnect command in
technologies.
Although Layer
3 MPLS
VPNs fulfillclass.
the market
need for12-11
somefor the required
Step 4. You can also
configure sequencing
under
the pseudowire
See Example
customers,
configuration in the
SanFran they
PE. have some drawbacks. Ideally, carriers with existing
Example 12-11.
Configuring PPPoL2TPv3
infrastructure.
!
hostname SanFran
!
l2tp-class l2tpv3-wan
authenticationassists readers looking to meet those requirements by explaining the
password 0 cisco
cookie size 4 the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
!
IP cores.
pseudowire-class
wan-l2tpv3-pw
l2tpv3to Layer 2 VPN benefits and implementation requirements and
comparing
protocol l2tpv3
l2tpv3-wan
progressively
!
interface Serial6/0
no ip address
encapsulation ppp
no cdp enable
xconnect 10.0.0.203 60 pw-class wan-l2tpv3-pw sequencing both
!
It is interesting to observe in Example 12-11 under the l2tp-class l2tpv3-wan that the password controls n
only Challenge Handshake Authentication Protocol (CHAP) authentication but also the AVP hiding. You can
configure the hidden command under the l2tp-class to hide AVPs in control messages by encrypting AVP
values with a shared secret between LCCEs that derive a unique shared key via an HMAC-MD5 keyed hash
ByWei
Luo,
- CCIE
No. 13,291,
Pignataro, - CCIE The
No. 4619,
Dmitry
Bokotey,
- CCIE
You can also specify
the
host
name
used Carlos
for authentication.
router
host
name
is the default.
It is important to note that PPP runs transparently between CE devices, and the PEs do not participate in P
negotiation. After you
enter the
command in the PE interface, the PPP state machine goes into a
Publisher:
Ciscoxconnect
Press
closed state. Example
12-12
was captured
using the debug ppp negotiation command.
Pub
Date: March
10, 2005
Table of
Contents
Example
Index
ISBN: 1-58705-168-0
Pages: 648
12-12. PPP Negotiation in a PE Device
SanFran(config-if)#xconnect 10.0.0.203 60 pw-class wan-l2tpv3-pw sequencing both

SanFran(config-if)#
world of Layer
2 VPNs
provide
00:03:53: Se6/0Master
LCP: the
O TERMREQ
[Open]
id 4 to
len
4
productivity
gains
00:03:53: Se6/0 LCP: State is Closed
00:03:53: Se6/0 PPP: Phase is DOWN
SanFran(config-if)#
Verifying PPPoL2TPv3
both ATOM
L2TP protocols
The L2TPv3 Layer 2 transport
and and
tunneling
feature includes multiple commands that present different
information about L2TPv3 tunnels and sessions. The first command you can check is show l2tun. It displa
tunnel and session summary information (see Example 12-13).
Example 12-13.
Displaying
the
L2TPv3
are still
derived from
data
and voiceTunnel
services and
basedSession
on legacySummary
transport
SanFran#show l2tun
LocID RemID Remote
Name
State Remote Address Port Sessions L2TPclass
infrastructure.
61936 64821 NewYork
est
10.0.0.203
0
1
l2tpv3-wan
LocID
RemID
TunID
Username, Intf/
State
Vcid, Circuit
54459
51837
61936
60, Se6/0
est
221
238
0
50, Se5/0
est
SanFran#
to Layer
2 VPN
benefits
and
implementation
You can see that,reader
as opposed
to Case
Study
12-1,
a tunnel
now existsrequirements
(because youand
have a dynamic
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as MPLS, then
session), in addition to a new session.
You can divide the output of the show l2tun command into three areas:
Tunnel and session summary information
Tunnel (control connection) summary information
Session summary information
In the tunnel summary information in Example 12-13, you can see that the local tunnel ID is 61936. This
number will become significant in the next section, "Control Plane Negotiation," when you analyze debug
command output. The tunnel state is established, and it is using the l2tpv3-wan L2TP class as configured.
You can also see that one session is negotiated in this Control Connection because the first session is static
Layer
2 VPN
Architectures
Finally, the remote
port
is as
0 because the current implementation supports L2TPv3 directly over IP, whic
means there is noByport.
You can see two sessions in the session summary information. The session that uses VC ID 50 indicates a
Tunnel ID of 0 because
it is static
(HDLCoL2TPv3). The session with VC ID 60 uses tunnel ID 61936 (contro
Publisher:
Cisco Press
connection) with local
and remote session IDs of 54459 and 51837, respectively. The attachment circuits a
serial interfaces, because in both sessions you configured a port-to-port type of tunneling service.
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Note
MasterL2TPv3
the world
of Layer
2 VPNs to
provide
enhanced
services
and LCCEs
enjoy or PE
Normally, a single
Control
Connection
(tunnel)
exists
between
two peer
productivity
routers. It advertises
andgains
negotiates capabilities and sessions.
To have multiple tunnels between PE routers, you can set up multiple loopback addresses. Multiple
Learn about
Layer 2using
Virtual
Privateloopback
Networks
(VPNs) (also referred to as multiple
tunnels between different
PE routers
multiple
interfaces
tunnel loopbacks in this context) provide multipath load sharing in the IP core network.
network
architecture
You can even configure
two
loopback addresses (loopback 1 and loopback 2) in a single router and
create two L2TPv3 endpoints in two attachment circuits in the same router. To achieve this, you
Gain from
theloopback
first book2 to
address
Layer
2 VPN
application
can build an xconnect
toward
and
VCID 100
using
loopback
1 as utilizing
ip local interface in
both
ATOM
and
L2TP
protocols
thepseudowire-class template 1, and the other endpoint xconnect toward loopback 1 using
loopback 2 as ip local interface in the pseudowire-class template 2. By using two loopback IP
Review
strategies
that allow
large(mirror
enterprise
customers
to enhance
addresses, you can
have two
local L2TPv3
tunnels
to each
other) with
one hairpinning or
their
service
offerings
while
maintaining
routing
control
local switching (linking two attachment circuits in the same router) connection. This hairpinning
configuration is unique to L2TPv3. It is not allowed in AToM.
You can find the remaining commands that provide more detailed information or different group summarie
hanging off the show l2tun exec parser tree by adding different keywords. In particular, you can choose
between tunnel or session information. In either case, the all keyword displays all details. Example 12-14
shows detailed tunnel information.
infrastructure.
Example 12-14.
L2TPv3
Control
Connection
LayerDisplaying
2 VPN Architectures
introduces
readers
to Layer 2Information
Virtual Private
SanFran#show l2tun tunnel all
Tunnel Information Total tunnels 1 sessions 2
Tunnel id 61936IPis
up, The
remote
id is
64821,
cores.
structure
of this
book1 isactive
focusedsessions
Tunnel state reader
is established,
time
sinceand
change
00:04:37 requirements and
to Layer 2 VPN
benefits
implementation
Tunnel transport
is IPthem
(115)
comparing
progressively
covering
Remote tunnel name is NewYork each currently available solution in greater detail.
Tunnel domain is
VPDN group for tunnel is L2TP class for tunnel is l2tpv3-wan
3306 bytes sent, 3644 received
Control Ns 6, Nr 8

Layer 20,
VPNmax
Architectures
Unsent queuesize
0
ByWei Luo,
CCIE1No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
Resend queuesize
0, -max
4460,
Anthony
Chan,
- CCIE
Total resendsNo.0,
ZLB
ACKs
sent
7 No. 10,266
Retransmit timePublisher:
distribution:
Cisco Press 0 0 0 0 0 0 0 0 0
Sessions disconnected
due 10,
to 2005
lack of resources 0
Pub Date: March
SanFran#
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Example 12-14 shows the local and remote tunnel IDs, the encapsulation of L2TPv3oIPv4 (with IPv4 protoc
number 115) that the tunnel is using, the remote and local tunnel names (the name equals the router host
name by default) and IP addresses, the L2TP class used, and the control sequence numbers.
Following are the productivity
control sequence
gains numbers:
Ns Sequence number
(my
sequence
number).
is the (VPNs)
sequence number for the particular
Learnsent
about
Layer
2 Virtual
PrivateThis
Networks
control message. It is incremented by 1 for each message sent.
Nr Sequence number
received
(your sequence number seen plus 1). This is the sequence number
network
architecture
expected to be received in the next control message. It is set to the Ns of the last message received
order plus 1.

Note

are still derived
from
data and
services
legacy transport
The control message
sequence
numbers
Nsvoice
and Nr
in the based
controlon
message
header are included for
technologies.
Although
Layerdelivery
3 MPLSof
VPNs
fulfill
the market
for somethese
all control messages
and ensure
reliable
control
messages.
Doneed
not mistake
customers,
have some
Ideally,incarriers
with existing
sequence numbers
with they
the optional
datadrawbacks.
plane sequencing
the L2-Specific
Sublayer in data
Layer 2by
and
Layer
networks would
packets thatlegacy
is configured
using
the3sequencing
command.
infrastructure.
SeeExample 12-15
for the PPPoL2TPv3 session details.
Network
(VPN) concepts,
and describes
Example 12-15.
Displaying
L2TPv3
SessionLayer
Information
history
and implementation
SanFran#show l2tun
session
all vcid 60details of the two technologies available from
the Cisco
Unified
VPN suite:
Any Transport
over MPLS (ATOM) for MPLSSession Information
Total
tunnels
1 sessions
2
coresdropped
and Layer
2 Tunneling
Protocol
version
Tunnel controlbased
packets
due
to failed
digest
0
reader
to Layer
2 VPN
Session id 54459
is up,
tunnel
id benefits
comparing
them
to
those
progressively
covering
each
out-of-order:
0
total:
0

0
total:
0
Session vcid is 60
2 VPN Architectures
Session LayerLayer
2 circuit,
type is PPP, name is Serial6/0
Circuit stateByWei
is Luo,
UP - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
No. 4460,
Chan, - CCIE
No. 10,266
Remote session
idAnthony
is 51837,
remote
tunnel id 64821
Session cookie Publisher:
information:
Cisco Press
local cookie,Pub
size
bytes,
value 5B AD 54 4D
Date:4March
10, 2005
remote cookie, size 4 bytes, value 9B 16 16 5E
ISBN: 1-58705-168-0
Table
of
FS
cached
header information:
Pages:
648
Contents size = 32 bytes
encap
00000000
Index
00000000 00000000 00000000
00000000 00000000 00000000 00000000
Sequencing is on
Ns 83, Nr 84,
0 out
of order
packets
received
Master
the world
of Layer
2 VPNs
SanFran#
productivity gains

FromExample 12-15, you can see that the output of the show l2tun session all vcid 60 command is
Reduce
costs and
extend
reach
of your services
by dynamically
unifying yournegotiated. You
similar to a static session.
However,
many
of thethe
values
displayed
have been
network
can see that the session
is L2TParchitecture
signaled. The output shows the local and remote session and tunnel IDs,
local and remote cookie sizes, and values. The session (pseudowire) state is established and the circuit
Gainisfrom
the end
first of
book
address output
Layer 2displays
VPN application
utilizing
(attachment circuit) state
UP. The
the to
command
sequencing
information.
As usual, the definitive verification is to test connectivity between CE devices. See Example 12-16 for a pin
Review strategies
thatpings.
from the Oakland CE highlighting
successful
Example 12-16.
Connectivity Verification from the CEs
towhile
abort.
backbone
Sending 5, 100-byte
ICMP
to 192.168.101.2,
is 2
services
overEchos
their existing
Layer 3 cores. timeout
The solution
in seconds:
these cases is a
!!!!!
Success rate isinfrastructure.
100 percent (5/5), round-trip min/avg/max = 20/24/32 ms
Oakland#
Control Plane Negotiation
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSThis section demonstrates the following two L2TPv3 control plane negotiations from the SanFran PE router
debug output:
comparing
themestablishment
Control connection
(tunnel)
Session (pseudowire) establishment
The debugs that are enabled are debug vpdn l2x-events and debug vpdn l2x-packets. They display
L2TP protocol events and packets, including AVP parsing.
Example 12-17 shows the debug output for the control connection establishment, highlighting the L2TPv3
messages and their respective state transitions. The output includes all the L2TP events, but only some of
the more interesting packet and AVP details. The AVPs that were removed for brevity are indicated.
Example 12-17. L2TPv3 Control Channel (Tunnel) Negotiation

SanFran#
00:05:58: L2X: By
Parse
0,No.
len
8, Carlos
flagPignataro,
0x8000- CCIE
(M) No. 4619,Dmitry Bokotey, - CCIE
Wei Luo,AVP
- CCIE
13,291,
00:05:58: L2X: No.
Parse
SCCRQChan, - CCIE No. 10,266
4460,Anthony
! AVP 2 Protocol Version and AVP 6 Firmware Version omitted for brevity
00:05:58: L2X: Parse
AVPCisco
7, Press
len 13, flag 0x8000 (M)
Publisher:
00:05:58: L2X: Hostname
NewYork
! AVP 8 Vendor Name, AVP 10 Rx Window Size, AVP 11 Chlng omitted for brevity
ISBN: 1-58705-168-0
! AVPTable
13 ofChlng Resp, Cisco AVP 10 Cisco Draft omitted for brevity
Pages:
648
Contents L2X: Parse Cisco
00:05:58:
AVP 1, len 10, flag 0x8000 (M)
Index
00:05:58:
L2X: Assigned Control Connection ID 64821
00:05:58: L2X: Parse Cisco AVP 2, len 22, flag 0x8000 (M)
00:05:58: L2X: Pseudo Wire Capabilities List
00:05:58: L2X:
FR-DLCI [0001], ATM-AAL5 [0002], ATM-Cell [0003],
the world[0004],
of Layer Ether
2 VPNs [0005],
to provideHDLC
enhanced
services and enjoy
00:05:58: L2X: Master
Ether-Vlan
[0006],
gains ATM-VCC-Cell [0009],
00:05:58: L2X: productivity
PPP [0007],
00:05:58:
00:05:58:
00:05:58:
00:05:58:
00:05:58:
00:05:58:
00:05:58:
00:05:58:
00:05:58:
00:05:58:
00:05:58:
00:05:58:
00:05:58:
00:05:58:
00:05:58:
00:05:58:
00:05:58:
00:05:58:
00:05:58:
00:05:58:
00:05:58:
SanFran#
L2X:
ATM-VPC-Cell [000A], IP [000B]
L2X: I SCCRQ, flg TLS, ver 3, len 144, tnl 0, ns 0, nr 0
L2TP: I SCCRQ from NewYork tnl 64821
Tnl61936 Reduce
L2TP: Got
challenge
in reach
SCCRQ,
SanFran
costsa and
extend the
of your
Tnl61936 network
L2TP: Control
connection
authentication
skipped/passed.
architecture
Tnl61936 L2TP: New tunnel created for remote NewYork, address 10.0.0.203
Tnl61936 Gain
L2TP:
O SCCRP
tobook
NewYork
tnlidLayer
64821
from
the first
to address
Tnl61936 both
L2TP:
O SCCRP,
flgprotocols
TLS, ver 3, len 166, tnl 64821, ns 0, nr 1
ATOM
and L2TP
Tnl61936 L2TP: Control channel retransmit delay set to 1 seconds
Tnl61936 Review
L2TP: Tunnel
state
change
from
idle tocustomers
wait-ctl-reply
strategies
that allow
large
enterprise
to enhance
Tnl61936 their
L2TP:service
Parseofferings
AVP 0, while
len 8,
flag 0x8000
(M)
maintaining
routing
control
Tnl61936 L2TP: Parse SCCCN
For a L2TP:
majority
Service Providers,
Tnl61936
Noofmissing
AVPs in SCCCN
are still
derived
from data
voice
services
based
transport
Tnl61936
L2TP:
I SCCCN,
flgand
TLS,
ver
3, len
42, on
tnllegacy
61936,
ns 1, nr 1
technologies.
LayerNewYork
3 MPLS VPNs
Tnl61936
L2TP: IAlthough
SCCCN from
tnl 64821
customers,
some drawbacks.
Ideally,
Tnl61936
L2TP: they
Got have
a response
in SCCCN,
from carriers
remote with
peerexisting
NewYork
legacyL2TP:
Layer Tunnel
2 and Layer
3 networks would
Tnl61936
Authentication
success
backbone
while
new carriers
would like
Layer 2
Tnl61936
L2TP:
Control
connection
authentication
skipped/passed.
services
overTunnel
their existing
3 cores.
solution in these
is a
Tnl61936
L2TP:
state Layer
change
from The
wait-ctl-reply
to cases
established
technology
would
allow
Layer
a Layer
Tnl61936
L2TP:that
O ZLB
ctrl
ack,
flg2 transport
TLS, ver over
3, len
12,3tnl 64821, ns 1, nr 2
infrastructure.
Tnl61936
L2TP: SM State established

The prefix to the assists
debug output
from
L2X tothose
TnlXXXX
L2TP when
information
readersvaries
looking
to meet
requirements
bymore
explaining
the is known or
negotiated.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSFigure 12-11 shows
the cores
control
connection
(tunnel) establishment
as 3
seen
from SanFran
PE, which is a
based
and
Layer 2 Tunneling
Protocol version
(L2TPv3)
for native
graphical representation
of
the
debug
output
from
Example
12-17.
Figure 12-11. L2TPv3 Control Connection (Tunnel) Establishment


Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
Reducefrom
costs
and extend
the
of your services
by in
unifying
You can correlate the output
Example
12-17
toreach
the corresponding
steps
Figure your
12-11:
1 SCCRQ In the first

thefirst
three-way
the2SanFran
PE receives
a Start-ControlGainpart
fromofthe
book tohandshake,
address Layer
VPN application
utilizing
Connection Request
(SCCRQ).
At L2TP
this point,
the local tunnel is shown as 0 because it has not been
both
ATOM and
protocols
created yet. Ns is also 0, because this is the first message sent from NewYork, and Nr is 0 because
that
allow
large enterprise
customers
NewYork has not Review
receivedstrategies
messages
from
SanFran.
The remote
tunnel IDtoisenhance
64821, as shown earlier
theirremote
servicetunnel
offerings
whileSanFran's
maintaining
routing control
Example 12-13. This
ID from
perspective
is shown as Assigned Control
Connection ID in the message received from NewYork in Example 12-17. A local tunnel is created with
For
majority
of itService
a significant
portion
of AVPs
their in
revenues
the tunnel ID
ofa61936,
and
movesProviders,
onto the next
step. Some
of the
the SCCRQ message a
as follows: are still derived from data and voice services based on legacy transport
they0)
Controlcustomers,
Message (AVP
Hostname
NewYork
backbone
Assigned
Control Connection
64821
technology
that would ID
allow
infrastructure.
Pseudowire Capabilities List
2 SCCRP InNetwork
the second
part
of the three-way
handshake,
PE sendsvia
a Start-Control-Connect
(VPN)
concepts,
and describes
Layer 2SanFran
VPN techniques
Reply (SCCRP).
The
remote
tunnel
ID
in
the
message
sent
is
64821.
The
Ns
is
because this is the fi
introductory case studies and comprehensive design scenarios. This0 book
message sent
from
SanFran,
but
Nr
is
now
1
because
of
the
SCCRQ
received
from
assists readers looking to meet those requirements by explaining the NewYork in Step 1
with Ns of 0.history
The tunnel
state changes to
wait-ctl-reply.
and implementation
details
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS3 SCCCN In the third part of the three-way handshake, the SanFran PE receives a Start-Controlbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
Connection Connected (SCCCN). The tunnel ID in the packet received equals the local tunnel ID of
61936. Both Nr and Ns are 1. Nr is 1 because the Ns received in SCCRP is 0; Ns is 1 because the
previous Ns sent in SCCRQ message was 0. At this point, the tunnel is established.
4 ZLB The SanFran PE sends a Zero Length Body (ZLB) message as an acknowledgment. Ns is 1
(which is Ns in SCCRP sent plus 1), and Nr is 2 (which is Ns received in SCCCN received plus 1).
Note
Both in the tunnel and session establishment, many of the new AVPs that are defined for L2TPv3 in
the base IETF L2TPv3 specification are sent with the Cisco Systems vendor ID of 9 (SMI Network
Management Private Enterprise Codes from http://www.iana.org/assignments/enterprisenumbers). This is because the AVP types are yet to be assigned. When IANA assigns Cisco routers,
the routers send the AVPs with IETF Vendor ID of 0 and accept both IETF and Cisco AVPs, giving
Layer
2 VPN Architectures
priority to IETF
AVPs.
The second control plane

negotiation
Publisher:
Cisco Pressshown is the session (pseudowire) establishment. The debug output f
the session establishment
is March
shown
Example 12-18, highlighting the L2TPv3 messages and their respecti
Pub Date:
10,in
2005
state transitions.
Table of
Contents
Index
Example
ISBN: 1-58705-168-0
Pages: 648
12-18. L2TPv3 Session Negotiation
00:05:58: Tnl61936 L2TP: Parse ICRQ

the world
of Layer
2 VPNs Number
to provide
enhanced
! AVP 0 ControlMaster
Message
and AVP
15 Serial
omitted
forservices
brevityand enjoy
productivity
00:05:58: Tnl61936
L2TP: gains
Parse Cisco AVP 3, len 10, flag 0x8000 (M)
00:05:58:
00:05:58:
00:05:58:
00:05:58:
00:05:58:
Tnl61936 L2TP: Local Session ID 51837

Tnl61936 L2TP: Parse Cisco AVP 4, len 10, flag 0x8000 (M)
Tnl61936 L2TP: Remote Session ID 0
Tnl61936 Reduce
L2TP: Parse
Cisco
AVP the
5, reach
len 10,
flag
0x8000
costs and
extend
of your
services
by(M)
unifying your
Tnl61936 network
L2TP: Assigned
Cookie
architecture
9B 16 16 5E
00:05:58: Tnl61936 Gain
L2TP:
Parse
Cisco
AVP
len 8,
flag
0x8000
(M) utilizing
from
the first
book
to 7,
address
Layer
2 VPN
application
00:05:58: Tnl61936 both
L2TP:
Pseudo
Type 7
ATOM
and Wire
L2TP protocols
00:05:58: Tnl61936 L2TP: Parse Cisco AVP 6, len 8, flag 0x0
00:05:58: Tnl61936 Review
L2TP: End
Identifier
60 large enterprise customers to enhance
strategies
that allow
! Cisco AVP 9 Session
Breaker,
AVPwhile
39 Seq
Required
omitted
for brevity
theirTie
service
offerings
maintaining
routing
control
00:05:58: Tnl61936 L2TP: No missing AVPs in ICRQ
For a L2TP:
majority
Service
portion
of their revenues
00:05:58: Tnl61936
I of
ICRQ,
flgProviders,
TLS, vera significant
3, len 96,
tnl 61936,
ns 2, nr 1
are still
derived
from from
data and
voice services
00:05:58: Tnl61936
L2TP:
I ICRQ
NewYork
tnl 64821
3 MPLS
VPNs fulfill
00:05:58: Tnl/Sn61936/54459
L2TP: Layer
Session
sequencing
enabled
customers, they L2TP:
have some
drawbacks.
with to
existing
00:05:58: Tnl/Sn61936/54459
Session
state Ideally,
change carriers
from idle
wait-connect
legacy Layer 2 and
Layer
3 networks
would
likesession
to movecreated
toward a single
00:05:58: Tnl/Sn61936/54459
L2TP:
Accepted
ICRQ,
new
backbone while new
carriers
would
like to
sell thefrom
lucrative
Layer 2
00:05:58: Tnl/Sn61936/54459
L2TP:
Session
state
change
wait-connect
to wait-for
service-selection-icrq
Layer
3 len 12, tnl 64821,
00:05:58: Tnl/Sn61936/54459
L2TP: allow
O ZLB
ctrl2 transport
ack, flg over
TLS,a Layer
ver 3,
infrastructure.
lsid 54459, rsid
51837, ns 1, nr 3
00:05:58: Tnl/Sn61936/54459 L2TP: Started service selection, peer IP address
Layer 60
10.0.0.203, VCID
Network
(VPN) concepts,
and describes
2 VPN
techniques
via
00:05:58: Tnl/Sn61936/54459
L2TP: Session
state Layer
change
from
wait-for-serviceintroductory
case
studies
and
comprehensive
design
scenarios.
This
book
selection-icrq to wait-connect
assists readers looking
requirements
by explaining the
00:05:58: Tnl/Sn61936/54459
L2TP: to
O meet
ICRP those
to NewYork
64821/51837
details
of the
two
technologies
available
from lsid 54459,
00:05:58: Tnl/Sn61936/54459
L2TP: O ICRP,
flg
TLS,
ver
3, len 64,
tnl 64821,
the1,
Cisco
VPN suite: Any Transport over MPLS (ATOM) for MPLSrsid 51837, ns
nr Unified
3
basedL2TP:
cores and
Layer
00:05:58: Tnl61936
Parse
ICCN
cores. The
structure
of this Speed
book isomitted
focused on
introducing the
! AVP 0 ControlIP Message
AVP
24 Connect
forfirst
brevity
readerL2TP:
to Layer
2 VPN
benefits
requirements
00:05:58: Tnl61936
Parse
Cisco
AVP and
4, implementation
len 10, flag 0x8000
(M) and
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as
MPLS,
then
00:05:58: Tnl61936 L2TP: Remote Session ID 54459
progressively
covering
each
currently
available
solution
in
greater
detail.
00:05:58: Tnl61936 L2TP: No missing AVPs in ICCN
00:05:58: Tnl/Sn61936/54459 L2TP: I ICCN, flg TLS, ver 3, len 50, tnl 61936, lsid 54459,
rsid 51837, ns 3, nr 2
00:05:58: Tnl/Sn61936/54459 L2TP: O ZLB ctrl ack, flg TLS, ver 3, len 12, tnl 64821,
lsid 54459, rsid 51837, ns 2, nr 4
00:05:58: Tnl/Sn61936/54459 L2TP: I ICCN from NewYork tnl 64821, cl 51837
00:05:58: Tnl/Sn61936/54459 L2TP: Session state change from wait-connect to established
SanFran#
You can see the session establishment messaging in Figure 12-12.

ByWei Luo,
- CCIE No.
13,291,Carlos
Pignataro,Session
- CCIE No. 4619,
Figure
12-12.
L2TPv3
Establishment

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains

The session establishment also consists of three-way messaging:
1. ICRQ In thecustomers,
first part ofthey
the have
three-way
SanFran
PE receives
an Incoming-Call-Reque
some handshake,
drawbacks. the
Ideally,
carriers
with existing
(ICRQ) message
from
the2NewYork
PE.
The tunnel
ID is like
61936,
negotiated
At this point, the
legacy
Layer
and Layer
3 networks
would
to move
towardearlier.
a single
session state
machinewhile
changes
wait-connect,
andtoa sell
newthe
session
withLayer
session
backbone
newtocarriers
would like
lucrative
2 ID 54459 is created.
You can seeservices
the localover
session
for SanFran
54459 The
in Example
The
tunnel
theirID
existing
Layer of
3 cores.
solution12-13.
in these
cases
is aand session IDs
are now prefixed
to the that
debug
output
forLayer
message
correlation.
SanFran
PE responds in Step 2.
technology
would
allow
2 transport
over The
a Layer
3
Some of theinfrastructure.
most significant AVPs shown in the debug output for the ICRQ message are as follows:
Local Layer
Session
IDArchitectures
51837Example
12-18 shows
thisto
value
in 2the
received
message from the
2 VPN
introduces
readers
Layer
Virtual
Private
NewYork
PE. In(VPN)
Example
12-13, and
this describes
same fieldLayer
is shown
as techniques
the remotevia
session ID from SanFran
Network
concepts,
2 VPN
perspective,
because
thestudies
AVP is and
withcomprehensive
respect to the NewYork
PE.
introductory
case
design scenarios.
This book
Remote
Session
ID 0 The remotedetails
session
unknown
to NewYork
at this
point.
history
and implementation
of ID
theistwo
technologies
available
from
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSAssigned
Cookie
9B 16
16 2
5E
This is the
cookie version
value that
was assigned
in the NewYork PE fo
based
cores and
Layer
Tunneling
Protocol
3 (L2TPv3)
for native
this session.
It
is
displayed
in
Example
12-18
as
the
parsed
AVP
value
in
the
IP cores. The structure of this book is focused on first introducing the incoming message
from NewYork.
Pseudo Wire Type 7 This indicates PPP (Pseudowire Type 0x0007 from Table 12-1).
End Identifier 60 This is the VC ID configured.
Sequencing Required This indicates that sequencing for the pseudowire is on.
2. ICRPIn the second part of the three-way handshake, the SanFran PE sends an Incoming-Call-Reply
(ICRP) message to the NewYork PE, and the session state machine advances to the wait-connect stat
This message includes SanFran's local session ID of 54459.
3. ICCN In the third part of the three-way handshake, the SanFran PE receives an Incoming-Call-
3.
Connected (ICCN) message from the NewYork PE, and the session state moves to established.
From the debug output and Figure 12-12, you can track the Ns and Nr values. Ns is always set to the
2 VPN
previous Ns sent Layer
plus 1.
ForArchitectures
example, an ICRQ sent from NewYork contains Ns 2, and an ICCN sent from
NewYork containsByNs
Nr- is
always
set to
thePignataro,
previous
Ns received
plus Bokotey,
1. For example,
an ICRQ received
Wei3.
Luo,
CCIE
No. 13,291,
Carlos
- CCIE
No. 4619,Dmitry
- CCIE
in SanFran contains
Ns 2,
and an
ICRP
sent
No. 4460,
Anthony
Chan,
- CCIE
No.from
10,266SanFran contains Nr 3.
Data Plane DetailsPub Date: March 10, 2005

Table of
ISBN: 1-58705-168-0
This section discusses some

Pages: data
648 plane details, such as encapsulation, imposition and disposition actions, a
Contents
a data plane packet decode. You first see the PPPoL2TPv3 encapsulation details from the SanFran PE using
Index
theshow sss circuits CLI command (see Example 12-19).
Example 12-19.
PPPoL2TPv3
Encapsulation
Details
from
SanFran
Master
the world of Layer
2 VPNs to provide
enhanced
services
and enjoy
productivity gains
extendNum
the 2reach of yourSwitch
servicesID
by18797112
unifying your
Common Circuit ID 0Reduce costs and
Serial
network
architecture
UP flg len dump
Y AES 2
FF03
Y AES 32 45000000 00000000 FF73A5F7 0A0000C9 0A0000CB
0000CA7D 9B16165E 00000000
SanFran#

FromExample 12-19, observe that the encapsulation of PPP frames into the tunnel is 32 bytes long,
consisting of the following:
services
over their
Layer 3
The
solutionIP
in protocol
these cases
a
Delivery (IPv4)
header
This existing
is the 20-byte
IPcores.
header
indicating
115 is
(0x73)
for L2TPv3.
infrastructure.
L2TPv3 Session
Header This is 8 bytes, including the following:
Layer
2 VPN ID
Architectures
introduces
readers to
Virtual
Remote
Session
4 bytes equal
to 0x0000CA7D
or Layer
51837.2 You
canPrivate
see this in Example 12-1
Network
(VPN)
concepts,
and describes
Layer
2 VPN techniques
via output as rsid 51837.
in the show
l2tun
command
output,
in addition
to Example
12-18 debug
Remote
Cookie
4 bytes
equal
0x9B16165E.
You can see
value inthe
Example 12-15 in the
assists
readers
looking
toto
meet
those requirements
by this
explaining
outputhistory
of the command
show l2tun
session
alltwo
vcid
60 displaying
session
details, and in
and implementation
details
of the
technologies
available
from
Example
as theAny
Assigned
Cookie
the Cisco
5 in the ICRQ
the12-18
Cisco debug
Unifiedoutput
VPN suite:
Transport
overvalue
MPLSin(ATOM)
forAVP
MPLSmessage
thatcores
SanFran
based
and received.
L2-Specificreader
Sublayer
The Default
L2-Specific
is used requirements
because sequencing
has been
to Layer
2 VPN benefits
and Sublayer
implementation
and
configured. The
show sss
circuit
command
4 bytes
and
fills in the bytes for ea
comparing
them
to those
of Layerdisplays
3 basedthe
VPNs,
suchas
asNULL
MPLS,
then
packet with progressively
the appropriate
value. each currently available solution in greater detail.
covering
InExample 12-19, the PPP header address (0xFF) and control (0x03) fields are removed at imposition.
Toward the attachment circuit, the encapsulation is 2 bytes long. It includes the following two fields that
were removed at imposition and need to be prepended at disposition:
PPP Address 1 byte equal to 0xFF.
PPP Control 1 byte equal to 0x03.
To see the encapsulation in action, Example 12-20 captures two packets from the ping messages in Examp
12-16. Use the two debug commands: debug vpdn packet and debug vpdn packet detail. The former
one provides packet summary information, whereas the latter one displays a hexadecimal dump of the firs
Layer
2 VPN
Architectures
bytes of the packet
(see
Example
12-20).
Example 12-20. Capturing and Decoding PPPoL2TPv3 Packets

SanFran#
ISBN: 1-58705-168-0
Table of L2TP:(Tnl0:Sn54459):FS/CEF Into tunnel (SSS): Sending pak
00:17:15:
Pages:
648
Contents L2TP:(Tnl0:Sn54459):FS/CEF
00:17:15:
Into tunnel: Sending 134 byte pak
Index
contiguous
pak, size 134
45 00 00 86 01 D7 00 00 FF 73 A3 9A 0A 00 00 C9
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^...
0A 00 productivity
00 CB 00 00
CA 7D 9B 16 16 5E 40 00 00 A0
gains
...^^^^^^^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^
IPv4 Delivery Header Rem. Sess Id Rem. Cookie L2-Specific Sublayer
Learn
about Layer 2 Virtual Private
Networks (VPNs)
^^^^^^^^^^^^^^^^^^^^^^^
S (Sequence
flag) = 1
L2TP Session Header
Sequence Number = 160 (0xA0)
00 21 45 00
00 64architecture
00 05 00 00 FF 01 70 3F C0 A8
network
^^^^^ ^^^^^...
GainIP
from
|
Begins
Packet
bothDLL
ATOM
and L2TP
protocols
PPP
Protocol
Number
- 0x0021 (IPv4)
65 01 C0 A8
65 02
08 00 9B
51allow
00 01
00 enterprise
00 00 00 customers to enhance
Review
strategies
that
large
00 00 00 0F
E2 service
E8 AB offerings
CD ... while maintaining routing control
their
00:17:15: L2TP:(Tnl0:Sn54459):CEF Into tunnel (SSS): Pak send successful
00:17:15: L2X:CEF From tunnel: Received 138 byte pak
contiguous pak, size 138
0F 00 08 00 45 00 00 86 01 AC 00 00 FD 73 A5 C5
^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^...
HDLC L2 IPv4 Delivery Header (IP protocol L2TPv3)
0A 00 technology
00 CB 0A that
00 00
C9 00
00 Layer
D4 BB2 transport
5B AD 54 over
4D a Layer 3
would
allow
...^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^ ^^^^^^^^^^^
infrastructure.
IPv4 Delivery Header Loc.Sess Id Cookie (Local)
^^^^^^^^^^^^^^^^^^^^^^^
L2TP
Header
andSession
describes
40 00 00 A1 00 21 45 00 00 64 00 05 00 00 FF 01
^^^^^^^^^^^ ^^^^^ ^^^^^...
|
|
Begins IP Packet
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS|
PPP DLL Protocol Number - 0x0021 (IPv4)
L2-Specific Sublayer: S = 1; Sequence Number = 161 (0xA1)
2 VPN
benefits
70 3F reader
C0 A8 to
65Layer
02 C0
A8 65
01 00and
00implementation
A3 51 00 01 requirements and
comparing
them
to
those
of
Layer
3
based
00 00 00 00 00 00 00 0F ...
progressively
covering
each
currently
available
solution
in greater detail.
00:17:15: L2TP:(Tnl0:Sn54459):CEF From tunnel: Pak send
successful
Example 12-20 shows two packets captured in the SanFran PE. The highlighted portion of the hexadecimal
dump indicates the overhead added to the PPP frames that are transported. The first packet labeled "Into
tunnel" is an ICMP Echo that SanFran receives from Oakland and forwards into the L2TPv3 tunnel toward
New York. The second packet labeled "From tunnel" is the ICMP Echo Reply received from Denver P and
forwarded to Oakland CE. As before, the imposition packets (that is, the "Into tunnel" packets) display the
IPv4 and L2TPv3 headers plus the PPP payload, whereas the disposition packets (that is, the "From Tunnel
packets) also include the data link layer header (HDLC in the case of the SanFran PE to the Denver P link).
The L2TPv3 portion of the first packet contains the following fields:
Layer 2 Tunneling
Protocol
version
ByWei Luo,
- CCIE No.
13,291,3Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
Session ID: 51837

Cookie: 9B16165E
Default L2-SpecificISBN:
Sublayer
1-58705-168-0
Table of
Pages: 648
Contents
.1.. .... = S-bit: True
Index
Sequence Number: 160

You can see that the payload contains part of the PPP frame, including the following:
productivity gains
PPP DLL Protocol Number 0x0021 for IPv4.
about Layer
Virtual
Private
Networks
(VPNs)
IPv4 Packet TheLearn
PPP payload
is the2 CE's
IPv4
packet
containing
the ICMP Echo request.
Reduce costs
However, the payload excludes
the following:
Address 0xFF
Control 0x03

As shown in Example 12-19,
the Address
andwhile
Control
fields withrouting
combined
values of 0xFF03 are appended
their service
offerings
maintaining
control
a disposition encapsulation before the packet is forwarded onto the CE, and so are the 0x7E flag and
recalculated FCS.For a majority of Service Providers, a significant portion of their revenues
Case Study 12-3:
Frame Relay DLCI over L2TPv3 with Dynamic Session
This case study covers
theover
configuration
and Layer
verification
required
to tunnel
Framecases
RelayisPVCs
over L2TPv3
services
their existing
3 cores.
The solution
in these
a
You learned a way
to
configure
Frame
Relay
transport
port-to-port
using
HDLCoL2TPv3
in
Case
Study 12-1
This case study deals
with
the
DLCI-to-DLCI
mode
of
FRoL2TPv3.
Only
two
octet
Frame
Relay
headers
(tha
infrastructure.
is, 10-bit DLCI) are supported in DLCI-to-DLCI mode. A requirement for 4-octet Frame Relay headers (tha
is, 23-bit DLCI) can
be 2
accommodated
only introduces
in port mode
using to
HDLCoL2TPv3.
Cisco
routers do not suppor
Layer
VPN Architectures
readers
Layer 2 Virtual
Private
Frame Relay extended
addressing
with 23-bit
as CELayer
devices.
The
topology is
shown in Figure 12-13.
Network
(VPN) concepts,
andDLCIs
describes
2 VPN
techniques
via
Figure 12-13.
FRoL2TPv3
DLCI
Dynamic
Case
the Cisco
Unified VPN
suite:Mode
Any Transport
overSession
MPLS (ATOM)
forStudy
MPLS- Topology
size image]
reader to Layer 2 VPN benefits[View
andfullimplementation
requirements and
You will be using different DLCIs at both ends to observe the DLCI rewrite.
Configuring FRoL2TPv3
2 VPN Architectures
The configurationLayer
for FRoL2TPv3
is slightly different from the other case studies. This is the first case in
ByWei circuit
Luo, - CCIE
13,291,
Carlos Pignataro,
- CCIE
Dmitry Bokotey,
- CCIE
which the attachment
is aNo.
virtual
circuit
as opposed
toNo.
an4619,
interface.
The configuration
of an
Anthony
Chan, - CCIE
attachment circuitNo.in4460,
a PVC
as opposed
to No.
an 10,266
interface is accomplished by executing the xconnect comma
under a connect and not under the interface. In fact, after you set the encapsulation to frame-relay in a
Serial or Packet overPublisher:
SONET Cisco
(POS)
interface, the interface no longer accepts the xconnect command. The
Press
attachment circuit occurs
by March
creating
the l2transport endpoint with the connect configuration command.
Pub Date:
10, 2005
This effectively generates a switched DLCI under the main interface with DLCI specified in the connect
ISBN: 1-58705-168-0
Table ofYou can configure the switched DLCI by using the frame-relay interface-dlci command with t
command.
Pages:
648
Contents
switched
keyword.
Index
This is also the first case study in which signaling messaging between PE and CE takes place. In particular,
Frame Relay LMI runs on the links between PE and CE, providing a link keepalive mechanism and PVC stat
exchange. To achieve this, you configure the PE interfaces as Frame Relay LMI DCE after you enable the
Master the
frame-relay switching
command.
productivity gains
The configuration for the SanFran PE is included in Example 12-21.

the
Frame
Relay
DLCI
over the
L2TPv3
Reduce costs and
extend
the reach
of your
services
by unifying
yourPE
!
hostname SanFran
!
l2tp-classl2tpv3-wan
authentication
password 0 cisco
cookie size 4 are still derived from data and voice services based on legacy transport
!
pseudowire-class
wan-l2tpv3-pw
customers,
l2tpv3
protocol l2tpv3
l2tpv3-wan
backbone
ip local interface
Loopback0
services
!
interface Serial7/0
infrastructure.
no ip address
encapsulation Layer
frame-relay
dce concepts, and describes Layer 2 VPN techniques via
Network (VPN)
!
connect l2tpv3-fr-dlci
Serial7/0
l2transport
assists readers
looking100
to meet
xconnect 10.0.0.203
70 pw-class
wan-l2tpv3-pw
history and
implementation
!
Note
Configuring the xconnect statement under a connect as opposed to under a new subinterface
saves memory and enhances the scalability of DLCI-to-DLCI mode by not requiring a Cisco IOS
Software interface descriptor block (IDB) for each attachment circuit pseudowire in the PE device.
The same is true for ATM PVC and permanent virtual path (PVP) modes by configuring the
xconnect command under the PVC and PVP configuration mode, respectively. That assumes that
the PVC or PVP are on the main interface, but it is not true for VLAN transport, in which a new
subinterface is needed for each VLAN.
The CE configuration
in Example 12-22. It does not differ if the Oakland CE is connected to a
Layeris2 included
VPN Architectures
traditional Frame By
Relay
switch.
Example 12-22.
Configuring
Publisher:
Cisco Press the Frame Relay DLCI over the L2TPv3 CE
ISBN: 1-58705-168-0
!
Table of
Pages:
648
hostname
Oakland
Contents
! Index
interface Serial7/0
no ip address
!
interface Serial7/0.1
point-to-point
productivity
gains
ip address 192.168.102.1 255.255.255.252
frame-relay interface-dlci 100
!
Verifying FRoL2TPv3
For the Frame Relay DLCI over L2TPv3 (FR_DLCIoL2TPv3) verification, first check the connection in the
Review
SanFran PE (see Example
12-23).
For a Verifying
majority of Service
Providers, a significant
Example 12-23.
the FR_DLCIoL2TPv3
Connection
ID
Name
Segment
1 carriers would like
Segment
backbone
while new
to sell2the lucrative LayerState
2
===========================================================================
1
l2tpv3-fr-dlci
Se7/0
70 a Layer 3
UP
technology
that100
would allow Layer 210.0.0.203
transport over
infrastructure.
name l2tpv3-fr-dlci
2 VPN Architectures
FR/Pseudo-Wire Layer
Connection:
1 - l2tpv3-fr-dlci
Network
(VPN)
concepts,
and
Status - UP
introductory
case
studies
and
comprehensive
assists UP
Segment status:
history
Line status:
UP and implementation details of the two technologies available from
Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSPVC status:the
ACTIVE
based cores
NNI PVC status:
ACTIVE
IP cores. The70
Segment 2 - 10.0.0.203
reader UP
Segment status:
comparing
Requested AC
state: them
UP to those of Layer 3 based VPNs, such as MPLS, then
progressively
PVC status: ACTIVE
SanFran#
You can display the two connection segments or endpoints by using the show connection command. The
first segment is the attachment circuit, and the second segment is the pseudowire remote endpoint identifi
by peer IPv4 address and VC ID. You can see that all respective statuses and states are ACTIVE and UP.
Next, you can verify the switched DLCI created in the PE devices by using the connect command (see
Example 12-24).
Example 12-24. Verifying FR_DLCIoL2TPv3 DLCI

SanFran#show frame-relay pvc summary

Frame-Relay VC Summary
ActiveISBN: 1-58705-168-0
Inactive
0 Pages: 648
0
1
0
0
0
Table of
Local
Contents
Switched
Index
Unused
SanFran#
SanFran#show frame-relay pvc 100
Deleted
0
0
0
Static
0
0
0
the world of
Layer 2 VPNs
to provide
services and enjoy
PVC Statistics Master
for interface
Serial7/0
(Frame
Relay enhanced
DCE)
productivity gains
DLCI = 100, DLCI USAGE = SWITCHED, PVC STATUS = ACTIVE, INTERFACE = Serial7/0
input pkts 335

output
335Private Networks
in bytes
119650
Learn about
Layer pkts
2 Virtual
(VPNs)
out bytes 119320
dropped pkts 0
in FECN pkts 0
in BECN pkts 0
out and
FECN
pktsthe
0 reach of your
outservices
BECN pkts
0
Reduce costs
extend
by unifying
your
in DE pkts 0
out
DE
pkts
0
out bcast pkts 0
out bcast bytes 0
switched pkts 335Gain from the first book to address Layer 2 VPN application utilizing
Detailed packet drop
counters:
both ATOM
and L2TP protocols
no out intf 0
out intf down 0
no out PVC 0
Review strategies
allow
customers
in PVC down 0
out PVCthat
down
0 large enterprise
pkt too
big 0 to enhance
their service
offerings
routing
control
pvc create time 05:29:16,
last
time while
pvc maintaining
status changed
05:27:13
SanFran#
InExample 12-24customers,
using the summary
you can see
that carriers
one switched
DLCI is in the active state.
they have keyword,
some drawbacks.
Ideally,
with existing
Using the DLCI oflegacy
100, the
command
displays
Frame Relay
PVC
which
enables
you to see that the
Layer
2 and Layer
3 networks
would
likedetails,
to move
toward
a single
DLCI with switched
usage iswhile
created
the main
interface
7/0.
The restLayer
of the
backbone
newincarriers
would
like toSerial
sell the
lucrative
2 command output
includes comprehensive
counters.
servicesPVC
over
The next step is to
verify the FR_DLCIoL2TPv3 session. You use the same command, show l2tun session
infrastructure.
introducing the brief keyword (see Example 12-25).
introductory
case the
studies
Example 12-25.
Verifying
FR_DLCIoL2TPv3
Session
SanFran#show l2tun
session
brief
the Cisco
Unified
VPN suite: Any Transport over MPLS (ATOM) for MPLSSession Information
Total
tunnels
sessions
3
based cores and Layer 2 1
Tunneling
Protocol
Tunnel controlIPpackets
dropped
due
to
failed
digest on
0 first introducing the
cores. The structure of this book is focused
LocID
TunID
Peer-address
State
Username, Intf/
sess/cir Vcid, Circuit
54459
61936
10.0.0.203
est,UP
60, Se6/0
54467
61936
10.0.0.203
est,UP
70, Se7/0:100
221
0
10.0.0.203
est,UP
50, Se5/0
SanFran#
You can see that the session is established, the circuit is UP, and it is displayed as Se7/0:100 because the
attachment circuit is now the logical connection with DLCI 100 in interface Serial 7/0. The details of the
L2TPv3 session are shown in Example 12-26.
Example 12-26. FR_DLCIoL2TPv3 Session Details

ByWei Luo,
- CCIE No.
SanFran#show l2tun
session
all13,291,
vcidCarlos
70 Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
No.
4460,
Anthony
Chan,
CCIE
No.
10,266
Session Information Total tunnels 1 sessions
3
10, 2005
Session id 54467 Pub
is Date:
up, March
tunnel
id 61936
ISBN:
1-58705-168-0
Call Table
serial
number
is
3084400001
of
648York
Remote
tunnel name Pages:
is New
Contents
Internet
address
is
10.0.0.203
Index
491480 Bytes
sent,
Master
the490120
world ofreceived
Receive packets
dropped:
productivity gains
out-of-order:
0
total:
0
0
Reduce costs and
total:
0 extend the reach of your services by unifying your
network
architecture
Session vcid is 70
Session Layer 2 circuit, type is Frame Relay, name is Serial7/0:100
Circuit state is Gain
UP from the first book to address Layer 2 VPN application utilizing
both
ATOM
and remote
L2TP protocols
Remote session id is
51845,
tunnel id 64821
local cookie, size 4 bytes, value 58 47 4E 42
remote cookie,
4 bytes,
value
E6 FC aCF
51
For a size
majority
of Service
Providers,
significant
FS cached header
information:
encap size technologies.
= 28 bytes Although Layer 3 MPLS VPNs fulfill the market need for some
00000000 00000000
00000000
00000000
customers,
they have
some drawbacks. Ideally, carriers with existing
00000000 00000000
00000000
Sequencing isbackbone
off
SanFran#

infrastructure.
You can see all the details of the session in Example 12-26. It is important to note that the encapsulation s
is 28 bytes: 24 bytes minimum from IPv4 encapsulation plus the session ID, plus 4 bytes of cookie that wa
specified in the l2tpv3-wan l2tp-class. The circuit type is Frame Relay DLCI, which corresponds to 0x0001
fromTable 12-1.
history
and implementation
detailsCE,
of the
two technologies
available
from
Finally, you can test
connectivity
from the Oakland
highlighting
successful
pings (see
Example 12-27).
Example 12-27.
FR_DLCIoL2TPv3 Checking Connectivity from the CEs
!!!!!
Oakland#
Data Plane Details
To conclude the FRoL2TPv3

case study, this section explains FRoL2TPv3 data plane encapsulation details b
capturing and decoding FRoL2TPv3 packets. However, before the actual packet decoding, you learn the
details of the Frame Relay Q.922 encoding and its values as it pertain to this case study.
Figure 12-14 shows the 2-byte Q.922 header that was first introduced in Figure 12-5 in a reorganized
Publisher:
Press
format. It also calculates
theCisco
Q.922
header value for the two DLCI values used in this case studynamely 10
Pub
Date:
March
10, 2005
and 101.
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Figure 12-14. Frame Relay Q.922 Header Encoding

productivity gains

FromFigure 12-14,
you can
see2 that
the C/R,
FECN, BECN,
DEmove
bits are
set to
the value for the
legacy
Layer
and if
Layer
3 networks
would and
like to
toward
a 0,
single
Q.922 header with
DLCI 100
is 0x1841.
The value
forlike
thetoFrame
Relay
header
with2DLCI 101 is 0x1851. Th
backbone
while
new carriers
would
sell the
lucrative
Layer
is achieved by expressing
the DLCI
as a
10-bit
binary The
number
and in
dragging
the DLCI
services over
theirvalue
existing
Layer
3 cores.
solution
these cases
is a High and DLCI
Low fields into their
respective
positions
in theLayer
header.
technology
that
would allow
infrastructure.
You are now ready to capture FRoL2TPv3 packets from the ping shown in Example 12-27. To accomplish th
capture, you use Layer
the commands
debug vpdn
packet and
debug
vpdn2packet
detail (see Example 122 VPN Architectures
introduces
readers
to Layer
Virtual Private
28).
history
and implementation
details ofFR_DLCIoL2TPv3
the two technologies available
from
Example 12-28.
Capturing
and Decoding
Packets
SanFran#
*Jun 28 19:07:17.405:
Into tunnel (SSS):
Sending
reader to L2TP:(Tnl0:Sn54467):FS
Layer 2 VPN benefits and implementation
requirements
andpak
*Jun 28 19:07:17.405:
L2TP:(Tnl0:Sn54467):FS/CEF
tunnel:
132 byte pak
comparing
them to those of Layer 3 basedInto
VPNs,
such as Sending
MPLS, then
contiguous pak,progressively
size 132 covering each currently available solution in greater detail.
45 00 00 84 1A 20 00 00 FF 73 8B 53 0A 00 00 C9
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^...
0A 00 00 CB 00 00 CA 85 E6 FC CF 51 18 41 08 00
...^^^^^^^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^ ^^^^^ ^^^^^
IPv4 Delivery Header Rem.Sess Id Rem. Cookie |
etype = IPv4
^^^^^^^^^^^^^^^^^^^^^^^ Q.922 Header
L2TP Session Header
DLCI = 100
45 00 00 64 00 27 00 00 FF 01 6E 1D C0 A8 66 01
^^^^^...
Begins IP Packet
Wei02
Luo,08
- CCIE
Carlos
- CCIE
C0 A8 By
66
00 No.
47 13,291,
A0 00
07 Pignataro,
00 04 00
00 No.
004619,
00 Dmitry Bokotey, - CCIE
No.
4460,
Anthony
Chan,
CCIE
No.
10,266
09 07 2D 98 AB CD AB CD ...
*Jun 28 19:07:17.405: L2TP:(Tnl0:Sn54467):CEF Into tunnel (SSS): Pak send successful
Publisher:
Cisco Press
*Jun 28 19:07:17.437:
L2X:CEF
From tunnel: Received 136 byte pak
136March 10, 2005
Pub Date:
0F 00 08 00ISBN:
45 1-58705-168-0
00 00 84 19 ED 00 00 FD 73 8D 86
Table of
^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^...
Pages: 648
Contents
HDLC L2
Index
0A 00 00 CB 0A 00 00 C9 00 00 D4 C3 58 47 4E 42
...^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^
IPv4 Delivery Header Session Id Cookie (Local)
Master the world of Layer 2 VPNs to provide enhanced services^^^^^^^^^^^^^^^^^^^^^^^
and enjoy
productivity gains
L2TP Session Header
18 51 08 00 45 00 00 64 00 27 00 00 FF 01 6E 1D
^^^^^ ^^^^^ ^^^^^...
|
|
Begins IP Packet
|
etype = IPv4
Q.922 Header: DLCI = 101
C0 A8 66 02 C0 A8 66 01 00 00 4F A0 00 07 00 04
Gain
the98
first
00 00 00 00
09 from
07 2D
...
both
ATOM
and
L2TP
protocols From tunnel: Pak send successful
*Jun 28 19:07:17.437: L2TP:(Tnl0:Sn54467):CEF
SanFran#
a can
majority
of Service
Providers,
a significant
of theirPE.
revenues
InExample 12-28,For
you
see two
FRoL2TPv3
packets
captured inportion
the SanFran
The portion highlighted
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
in the hexadecimal dump corresponds to the overhead added to the Frame Relay frames that are being
transported.
legacy
Layer 2 the
andfirst
Layer
3 networks
to move
a single
Similarly to previous
examples,
packet
labeledwould
"Into like
tunnel"
is an toward
ICMP Echo
that SanFran receive
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2 labeled "From tunne
from Oakland and forwards to the L2TPv3 tunnel toward New York. The second packet
over
existing
Layer and
3 cores.
The solution
in theseCE.
cases
a
is the ICMP Echo services
Reply that
thetheir
Denver
P receives
forwards
to the Oakland
Theisimposition
packet
technology
that
would
allow
Layer
2
transport
over
a
Layer
3
that is sent into the tunnel displays the IPv4 and L2TPv3 headers. In contrast, the disposition packet that i
infrastructure.
coming from the tunnel
and is later sent out of the attachment circuit also includes the data link layer
header, IPv4, and L2TPv3.
Network
concepts,
and the
describes
Layer
The L2TPv3 portion
of the (VPN)
first packet
contains
following
fields:
Session ID: history
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSCookie: E6FCCF51
You can see that reader
the payload
corresponds
to theand
complete
Frame Relay
frames thatand
in turn carry IPv4 traff
to Layer
2 VPN benefits
implementation
requirements
containing the following:
Q.922 Header 2 bytes, including the following:
DLCI 10 bits with a value of 100 (Higher DLCI: 0x06; Lower DLCI: 0x04)
C/R 1 bit with a value of 0
BECN 1 bit with a value of 0
FECN 1 bit with a value of 0
DE 1 bit with a value of 0

EA Bits 2 bits with value of 0 for the first octet and 1 for the second octet.
Ethertype 0x0800
indicating
ByWei Luo,
- CCIE No. IPv4
IPv4 Packet The IP packet from the CE being transported inside the Frame Relay encapsulation
Cisco Press
Because you did notPublisher:
specify IETF
Frame Relay encapsulation in the CE devices Oakland and Albany, the
Pub
Date:
March
10, 2005
default of Cisco Frame Relay encapsulation
is used (refer to Figure 12-5). The Ethertype is used as the
ISBN: 1-58705-168-0
upper-layer
protocol
identifier.
Table of
Pages: 648
Contents
In the first packet sent out of SanFran toward New York, the Q.922 header equals 0x1841, indicating DLCI
Index
100. The DLCI field is rewritten to 101 before the Frame Relay frame is sent out of the New York PE towar
the Albany CE. In contrast, in the second packet received in the SanFran PE from the Denver P, the Q.922
header is 0x1851, designating a DLCI of 101 that the New York PE received from the Albany CE. The
SanFran PE rewrites
this the
DLCI
fieldof
toLayer
a value
of 100
sending
the services
frame toand
the enjoy
Oakland CE.
Master
world
2 VPNs
tobefore
provide
enhanced
productivity gains
Case Study 12-4:Learn

AAL5
SDU over L2TPv3 with Dynamic Session
This case study explains

the configuration
and verification
of your
AAL5services
SDU transport
over your
L2TPv3
Reduce
costs and extend
the reach of
by unifying
(AAL5_SDUoL2TPv3). The
attachment
circuits
are
the
ATM
PVC
with
VPI/VCI
0/100
in
interface
ATM5/0 on
the SanFran end and the ATM PVC 0/100 in interface ATM5/0 on the New York PE. As you have learned, th
ATM cell header including
VPI
andthe
VCI
is not
transported
AAL52mode.
It is regenerated
Gain
from
first
book
to addressinLayer
VPN application
utilizingon segmentation
the disposition router before
forwarding
the protocols
packet to the CE. You use the same VPI/VCI values to support
both ATOM
and L2TP
transport of raw ATM cells, such as ATM OAM cells, over the AAL5 pseudowire. The topology is shown in
Review
large enterprise
customers
tothe
enhance
Figure 12-15. As you will
learnstrategies
in Chapterthat
13, allow
"Advanced
L2TPv3 Case
Studies,"
implication of using
offerings
control
different VPI/VCI pairstheir
with service
AAL5 SDU
mode while
is thatmaintaining
you cannotrouting
transport
OAM cells over the pseudowire, a
you need to use OAM emulation.
customers,
they have some drawbacks.
Ideally,
carriers Case
with existing
Figure 12-15.
AAL5_SDUoL2TPv3
Dynamic
Session
Study Topology
services over their existing Layer
[View3fullcores.
size image]
infrastructure.

of this
book is Session
Configuring AAL5_SDUoL2TPv3
with
Dynamic
them totothose
of Layer
based VPNs,
such as MPLS,
thenthe xconnect
The configurationcomparing
steps are similar
the ones
from3previous
case studies.
You apply
progressively
covering
each
currently
available
solution
in
greater
command under the L2transport ATM PVC configuration mode. To specify the AAL5 detail.
SDU mode of tunneling
and transport, configure the encapsulation as aal5 (see Example 12-29).
Example 12-29. Configuring AAL5_SDUoL2TPv3 in the SanFran PE

!
hostname SanFran
!
pseudowire-class pw-l2tpv3-atm
!
!
interface ATM5/0
no ip address
encapsulation aal5
xconnect 10.0.0.203 27 pw-class pw-l2tpv3-atm
ISBN: 1-58705-168-0
! Table of
Pages:
648
Contents
!
Index
Example 12-29 uses the default l2tp-class (l2tp_default_class), which means no authentication and no
the
world
Layer
2 VPNs
to the
provide
enhancedSublayer
services is
and
enjoy
cookie. However,Master
because
you
are of
using
AAL5
mode,
ATM-Specific
mandatory.
productivity gains
Example 12-30 shows the normal configuration of the CE device from the Oakland CE. OAM management i
disabled.

the Oakland CE for the ATM PVC
!
hostname Oakland
!
ip address 192.168.103.1 255.255.255.252
pvc 0/100
oam-pvc 0
encapsulationtechnologies.
aal5snap Although Layer 3 MPLS VPNs fulfill the market need for some
!
!
allow
transport
over ato
Layer
3
The configurationtechnology
in the Newthat
Yorkwould
PE and
the Layer
Albany2 CE
is analogous
Examples
12-29 and 12-30,
infrastructure.
respectively.
Verifying AAL5_SDUoL2TPv3
history
and
implementation
details
the two
from
To verify the status
of the
tunneling
and transport
ofof
AAL5
SDUtechnologies
frames over available
L2TPv3, confirm
the l2tun
Cisco Unified
VPN suite:
Any of
Transport
over
MPLS (ATOM)
for MPLSsession using thethe
summary
and detailed
versions
the show
command
(see Example
12-31).
reader
to Layer 2 the
VPN benefits
and implementation
requirements and
Example 12-31.
Verifying
AAL5_SDUoL2TPv3
Session
SanFran#show l2tun session
LocID
RemID
TunID
43729
28232
23520
SanFran#
Username, Intf/
Vcid, Circuit
27, AT5/0:0/100
State
est

Session id 43729
isLuo,
up,
tunnel
id 23520
ByWei
- CCIE
No. 13,291,
Call serial number
isAnthony
2763400000
No. 4460,
Remote tunnel name is New York
Internet address
is 10.0.0.203
Publisher:
Cisco Press
ISBN: 1-58705-168-0
Session
state is established,
time since change 00:57:57
Table of
0 Packets sent,Pages:
0
received
648
Contents
Index
out-of-order:
0
total:
0
Send packets
dropped:
exceeded productivity
session MTU:
0
gains
total:
0
Session vcid is 27
Learn about
Layer
Virtual
Private
(VPNs)
type
is 2ATM
AAL5,
nameNetworks
is ATM5/0:0/100
Circuit state is UP
costs and
extendtunnel
the reach
Remote session Reduce
id is 28232,
remote
id of
60864
DF bit off, ToS reflect
disabled, ToS value 0, TTL value 255
No session cookie information available
FS cached header Gain
information:
both
ATOM
and L2TP protocols
00000000 00000000 00000000 00000000
00000000 00000000 00000000
Sequencing is off
SanFran#
have someand
drawbacks.
carriers
with
existing
You can see that customers,
the session they
is established,
similar toIdeally,
Frame Relay
DLCI
mode,
the attachment circuit
legacy Layer 2 and
3 networks
would like
move toward
a single
shown as interface:virtual_circuit
(in Layer
this case
AT5/0:0/100).
Theto
detailed
information
shows the tunnel
backbone
while
carriers
would
sell the
lucrative
Layer
signaled and established
using
VCnew
ID 27.
The type
is like
ATMtoAAL5
using
VC Type
(PW2Type) 0x0002 from Tab
services
overFinally,
their existing
Layer 3 cores.
solution
these
cases is a to the following
12-1 for ATM AAL5
SDU VCC.
the encapsulation
sizeThe
is 28
bytes, in
which
corresponds
infrastructure.
Transport (IPv4) Header (20 bytes)
Network
(VPN)
concepts,
and
describes
Layer 2 VPN Sublayer
techniques
via (mandatory 4 bytes
L2TPv3 Header
including
Session
ID (4
bytes)
and ATM-Specific
Header
As usual, the definitive
is CE-CE
connectivity
(see Example
12-32).
assiststest
readers
looking
to meet those
requirements
by explaining the
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbasedVerifying
cores and Layer
2 Tunneling
Protocol version 3 (L2TPv3)
for native
Example 12-32.
CE-to-CE
AAL5_SDUoL2TPv3
Connectivity
SanFran#ping 192.168.103.2
!!!!!
SanFran#
You can also display ATM PVC information. It is interesting to see how the ATM PVC information differs
between the CE and PE routers (see Example 12-33).
Example 12-33. ATM PVC Summary in the Oakland CE and the SanFran PE
Oakland#show atm
pvc Anthony
interface
6/0.1
No. 4460,
Chan, - ATM
CCIE No.
10,266
VCD /
Interface
Name
VPI
VCI
Type
6/0.1
1 Pub Date: March 10, 02005 100
PVC
Oakland#
Table of
Peak
Encaps
Kbps
SNAP
149760
Avg/Min Burst
Kbps Cells
N/A
Sts
UP
ISBN: 1-58705-168-0
Pages:
648
SanFran#show
atm pvc
interface
ATM 5/0
Contents
VCD
/
Peak Avg/Min Burst
Index
Interface
Name
VPI
VCI
Type
Encaps
Kbps
Kbps Cells
5/0
1
0
100
PVC
AAL5
149760
N/A
SanFran#
productivity gains
Sts
UP
In the Oakland CE, the encapsulation is AAL5SNAP because you normally configure on an ATM PVC.
However, in the SanFran
side,
the encapsulation
just AAL5,
meaning
AAL5 SDU L2Transport and tunnelin
Learn
about
Layer 2 VirtualisPrivate
Networks
(VPNs)
You can see the same distinction displaying PVC details in Example 12-34.
Example 12-34. ATM PVC Details in the Oakland CE and the SanFran PE
Oakland#show atm vc interface ATM 6/0.1 detail
Review
ATM6/0.1: VCD: 1, VPI:
0, strategies
VCI: 100that allow large enterprise customers to enhance
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
OAM frequency: For
0 second(s)
are
stillminutes(s)
InARP frequency: 15
technologies.
Transmit priority 4
customers,
they have540,
someOutBytes:
drawbacks.540
InPkts: 5, OutPkts:
5, InBytes:
legacy 5
InPRoc: 5, OutPRoc:
backbone
InFast: 0, OutFast:
0, while
InAS:new
0, carriers
OutAS: would
0
services
over
their
existing
Layer
3
technology
that
would
allow
Layer
2
over a Layer 3
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: transport
0
infrastructure.
Out CLP=1 Pkts: 0
OAM cells sent: 125
Status: UP
Oakland#
SanFran#show atm
interface
ATMsuite:
5/0 Any
detail
the vc
Cisco
Unified VPN
Transport over MPLS (ATOM) for MPLSATM5/0: VCD: 1,based
VPI:cores
0, VCI:
100
UBR, PeakRate: IP
149760
AAL5 L2transport,
etype:0xF,
0x10000C2E,
VCmode: 0x0
reader
to Layer 2 Flags:
VPN benefits
and implementation
requirements and
OAM Cell Emulation:
not them
configured
comparing
Interworking Method:
like covering
to like each currently available solution in greater detail.
progressively
Remote Circuit Status = No Alarm, Alarm Type = None
InFast: 5, OutFast: 5, InAS: 0, OutAS: 0
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0
Out CLP=1 Pkts: 0
OAM cells sent: 125
Status: UP
SanFran#
Besides the encapsulation

difference,
you No.
can10,266
see that the SanFran PE L2transport PVC indicates OAM Cell
No. 4460,Anthony
Chan, - CCIE
Emulation status and Interworking method. Chapter 13 describes OAM Cell Emulation. Chapter 14, "Layer
Interworking and Local Switching," covers interworking methods.

ISBN: 1-58705-168-0
Table Plane
of
Control
Details
Contents
Index
Pages: 648
This section presents a complete session establishment control plane negotiation for L2TPv3 AA15 SDU
transport. As before, the complete three-way handshake session establishment is shown highlighting the
L2TPv3 control messages and AVPs that are specific to the pseudowire type. In all cases, all AVPs in the
messages are parsed. Then the control message is accepted (see Example 12-35).
productivity gains
Example 12-35. ATM AAL5 over L2TPv3 Session Establishment Control Plane
Details
SanFran#
SanFran#
GainTnl23520
from the first
book
to address
VPN
application
*Jun 29 08:18:21.587:
L2TP:
Parse
AVP 0,Layer
len 28,
flag
0x8000 utilizing
(M)
both
ATOM
and
L2TP
protocols
*Jun 29 08:18:21.587: Tnl23520 L2TP: Parse ICRQ
*Jun 29 08:18:21.587: Tnl23520 L2TP: Parse AVP 15, len 10, flag 0x8000 (M)
Review
strategies
thatSerial
allow large
enterprise
*Jun 29 08:18:21.587:
Tnl23520
L2TP:
Number
-1531567296
theirTnl23520
service offerings
while maintaining
*Jun 29 08:18:21.587:
L2TP: Parse
Cisco AVP routing
3, lencontrol
10, flag 0x8000 (M)
*Jun
*Jun
*Jun
*Jun
*Jun
*Jun
*Jun
*Jun
*Jun
29
29
29
29
29
29
29
29
29
08:18:21.587: Tnl23520 L2TP: Local Session ID 28232

For a majority
of Service
a significant
of their
08:18:21.587:
Tnl23520
L2TP:Providers,
Parse Cisco
AVP 4,portion
len 10,
flagrevenues
0x8000 (M)
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
08:18:21.587: Tnl23520 L2TP: Remote Session ID 0
technologies.
Although
Layer
3 MPLS
VPNsAVP
fulfill
market
need0x8000
for some
08:18:21.587:
Tnl23520
L2TP:
Parse
Cisco
7,the
len
8, flag
(M)
customers,
they
have
some
drawbacks.
Ideally,
carriers
with
existing
08:18:21.587: Tnl23520 L2TP: Pseudo Wire Type 2
legacy Layer
2 and Layer
networks
would
like6,tolen
move
single
08:18:21.587:
Tnl23520
L2TP:3 Parse
Cisco
AVP
8,toward
flag a
0x0
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
08:18:21.587: Tnl23520 L2TP: End Identifier 27
services over
their existing
Layer 3Cisco
cores.AVP
The 9,
solution
in these
is a (M)
08:18:21.587:
Tnl23520
L2TP: Parse
len 14,
flagcases
0x8000
technology
that
would
allow
Layer
2
transport
over
a
Layer
3
08:18:21.587: Tnl23520 L2TP: Session Tie Breaker
6A 57 infrastructure.
1F 5A B3 1F 10 93
*Jun 29 08:18:21.587: Tnl23520 L2TP: Parse AVP 47, len 10, flag 0x0
*Jun 29 08:18:21.587: Tnl23520 L2TP: L2 Specific Sublayer 2
*Jun 29 08:18:21.587: Tnl23520 L2TP: No missing AVPs in ICRQ
*Jun 29 08:18:21.587: Tnl23520 L2TP: I ICRQ, flg TLS, ver 3, len 90, tnl 23520, ns 2, nr
*Jun 29 08:18:21.587: Tnl23520 L2TP: I ICRQ from New York tnl 60864
*Jun 29 08:18:21.587: Tnl/Sn23520/43729 L2TP: Session state change from idle to waitthe Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSconnect
*Jun 29 08:18:21.587: Tnl/Sn23520/43729 L2TP: Accepted ICRQ, new session created
*Jun 29 08:18:21.587: Tnl/Sn23520/43729 L2TP: Session state change from wait-connect
to wait-for-service-selection-icrq
*Jun 29 08:18:21.591: Tnl/Sn23520/43729 L2TP: Started service selection, peer IP
address 10.0.0.203, VCID 27
*Jun 29 08:18:21.591: Tnl/Sn23520/43729 L2TP: Session state change from wait-forservice-selection-icrq to wait-connect
*Jun 29 08:18:21.591: Tnl/Sn23520/43729 L2TP: O ICRP to New York 60864/28232
*Jun 29 08:18:21.591: Tnl/Sn23520/43729 L2TP: O ICRP, flg TLS, ver 3, len 58, tnl 60864,
lsid 43729, rsid 28232, ns 1, nr 3
*Jun 29 08:18:21.591: Tnl23520 L2TP: Control channel retransmit delay set to 1 seconds
*Jun 29 08:18:21.607: Tnl23520 L2TP: Parse ICCN
*Jun 29 08:18:21.607: Tnl23520 L2TP: Connect Speed 0

*Jun 29 08:18:21.607: Tnl23520 L2TP: Parse Cisco AVP 3, len 10, flag 0x8000 (M)
*Jun 29 08:18:21.607: Tnl23520 L2TP: Cisco AVP 3 is not for ICCN
Layer 2 VPNTnl23520
Architectures
*Jun 29 08:18:21.607:
L2TP: Parse Cisco AVP 4, len 10, flag 0x8000 (M)
CCIE No. 13,291,
Carlos
Pignataro,
- CCIE No.ID
4619,
*Jun 29 08:18:21.607:
L2TP:
Remote
Session
43729
No. 4460,Anthony
Chan, - L2TP:
CCIE No.Parse
10,266 AVP 47, len 10, flag 0x0
*Jun 29 08:18:21.607:
Tnl23520
*Jun 29 08:18:21.607: Tnl23520 L2TP: L2 Specific Sublayer 2
*Jun 29 08:18:21.607:
Tnl23520
Publisher:
Cisco PressL2TP: No missing AVPs in ICCN
*Jun 29 08:18:21.607:
Tnl/Sn23520/43729
L2TP: I ICCN, flg TLS, ver 3, len 60, tnl 23520,
Pub Date:
March 10, 2005
lsid 43729, rsid 28232, ns 3, nr 2
ISBN: 1-58705-168-0
Table
of
*Jun
29 08:18:21.607:
Tnl/Sn23520/43729 L2TP: I ICCN from New York tnl 60864, cl 28232
Pages:
648
*Jun Contents
29 08:18:21.607: Tnl/Sn23520/43729 L2TP: Session state change from wait-connect
Index
to
established
SanFran#
productivity
gains
You can note in Example
12-35
the following messages and AVPs:
Layer 2 Virtual
PrivateThe
Networks
(VPNs)
1 ICRQ The first Learn
way inabout
the three-way
handshake.
New York
PE sends the SanFran PE an ICRQ
message. The tunnel ID is 23520, as shown earlier in Example 12-31. At this point, the session state
costs and and
extend
thelocal
reach
of your
services
byID
unifying
machine changesReduce
to wait-connect,
a new
session
with
session
43729your
(also shown in
architecture
Example 12-31) isnetwork
created.
Some of the most significant AVPs for AAL5 SDU shown in the debug outp
for the ICRQ message are as follows:
and L2TP
Pseudowire both
Type ATOM
2 indicates
ATMprotocols
AAL5 SDU VCC (pseudowire type 0x0002 from Table 12-1).
Review
that is
allow
End Identifier
27 is strategies
the VC ID that
configured.
Layer 2-Specific Sublayer 2 indicates the mandatory ATM-Specific Sublayer.
still derived
from
data and handshake.
voice services
on legacy
transport
2 ICRP Theare
second
way in the
three-way
Thebased
SanFran
PE sends
an ICRP message to the
technologies.
Although
3 MPLS
VPNs to
fulfill
the market need
New York PE,
and the session
state Layer
machine
advances
a wait-connect
state.for some
3 ICCN Thelegacy
third way
in 2the
three-way
handshake.
Thelike
New
PEtoward
sends a
the
SanFran PE an ICCN
Layer
and
Layer 3 networks
would
toYork
move
single
message, and
the session
established.
Again,
Layer Layer
2-Specific
Sublayer AVP
backbone
whilestate
newmoves
carrierstowould
like to sell
the the
lucrative
2
contains a value
of 2,over
indicating
that theLayer
ATM 3
Layer
2-Specific
Sublayer
is used.
services
their existing
cores.
The solution
in these
cases is a
infrastructure.
Data Plane Details

This section includes the decode of AAL5oL2TPv3 packets captured in the SanFran PE using the commands
debug vpdn packet and debug vpdn packet detail.Example 12-36 captures 36-byte pings to identify t
end of the IPv4 packet.
Example 12-36.
Capturing
andofDecoding
Packets
IP cores.
The structure
this book isAAL5_SDUoL2TPv3
focused on first introducing
the
SanFran#
*Jun 29 09:23:44.271: L2TP:(Tnl0:Sn43729):FS Into tunnel (SSS): Sending pak
*Jun 29 09:23:44.271: L2TP:(Tnl0:Sn43729):FS/CEF Into tunnel: Sending 72 byte pak
particle pak, size 72
45 00 00 48 02 D9 00 00 FF 73 A2 D6 0A 00 00 C9
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^...
0A 00 00 CB 00 00 6E 48 00 00 00 00 AA AA 03 00
...^^^^^^^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^...
IPv4 Delivery Header Sess Hdr
|
SNAP: LLC: AAAA03
Sess Id
ATM-Specific Sublayer
00 00 08 00 45 00 00 24 00 19 00 00 FF 01 6C 6B
...^^^^^^^^^^^
^^...
Layer 2 VPN
Architectures
|
Begins
IP Packet
SNAP:
OUI:
000000; etype: 0x0800 (IPv4)
C0 A8 67 01 C0 A8 67 02 08 00 78 3F 00 05 00 00
Press
00 00 00Publisher:
00 00 Cisco
67 7F
54
Pub Date: March^^^^^
10, 2005
ISBN: 1-58705-168-0
Table of
Ends IP Packet
Pages:
648
Contents
*Jun
29
09:23:44.271:
L2TP:(Tnl0:Sn43729):CEF
Into tunnel (SSS): Pak send successful
Index
*Jun 29 09:23:44.283: L2X:CEF From tunnel: Received 76 byte pak

0F 00 08 00 45 00 00 48 02 DB 00 00 FE 73 A3 D4
^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^...
Master the
HDLC L2
IPv4
Delivery Header (IP protocol L2TPv3)
productivity gains
0A 00 00 CB 0A 00 00 C9 00 00 AA D1 00 00 00 00
...^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^
Learn about Layer^^^^^^^^^^^
2 Virtual Private
Networks (VPNs)
IPv4 Delivery Header Sess Id
AA AA 03 00 00 00 08 00 45 00 00 24 00 19 00 00
^^^^^^^^^^^^^^^^^^^^^^^ ^^...
|
Begins IP Packet
SNAP: LLC: AAAA03; OUI: 000000; etype: 0x0800 (IPv4)
FF 01 6C 6B C0 A8 67 02 C0 A8 67 01 00 00 80 3F
Review
strategies
that
00 05 00 00
00 00
00 00 00
...
theirL2TP:(Tnl0:Sn43729):CEF
service offerings while maintaining
routing control
*Jun 29 09:23:44.283:
From tunnel:
Pak send successful

Although
Layer
3 MPLS
fulfill the market
need
for some
Cells incoming to technologies.
the SanFran PE
from the
Oakland
CE VPNs
are reassembled,
and the
AAL5
CPCS SDU (strippin
customers,
they
have some
drawbacks. in
Ideally,
carriers
with in
existing
the AAL5 CPCS-PDU
trailer and
padding)
is encapsulated
L2TPv3,
as shown
Figure 12-6, and sent ove
Layer
and
Layer 3 networks
would
like to
move
toward
toward New York.legacy
You can
see 2the
ATM-Specific
Sublayer
Header
being
used
with aa single
NULL value because al
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2 also see the AAL5
significant ATM cell header bits are 0, and you have not enabled sequencing. You can
servicesheader,
over their
existingan
Layer
cores. The
solution in the
these
cases data-link
is a
LLC/SNAP encapsulation
indicating
IPv43packet.
At disposition,
C-HDLC
layer
technology
that
would
allow
Layer
2
transport
over
a
Layer
3
encapsulation between the SanFran PE and the Denver P is included in the debug output.
infrastructure.
The L2TPv3 portion of the first packet contains the following fields:
Layer 2 Tunneling
Protocol
Version
3Session
ID: 28232 design scenarios. This book
introductory
case
studies
and comprehensive
ATM-Specific
Sublayer
history
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS.0.. ....based
= S-bit:
False
cores
.... 0... = T-bit: False
.... .0.. = G-bit: False
.... ..0. = C-bit: False
.... ...0 = U-bit: False
Sequence Number: 0
The payload shows part of the AAL5 frame including the LLC header:
Logical-Link Control
DSAP: SNAP (0xaa)

IG Bit:Layer
Individual
2 VPN Architectures
SSAP: SNAP (0xaa)

CR Bit: Command
Control Field:
U, func=UI
(0x03)
Pub Date:
March 10, 2005
ISBN: 1-58705-168-0
Table ofOrganization Code: Encapsulated Ethernet (0x000000)
Pages:
648
Contents
Index Type: IP (0x0800)
In contrast to transporting AAL5 frames over the AAL5PW, you enable OAM cell management in the Oaklan
CE by using the PVC configuration mode command oam-pvc manage and capture an OAM cell that is bein
the
transported (see Master
Example
12-37).
productivity gains
Example 12-37. Capturing

and Decoding OAM Cells over an AAL5_SDUoL2TPv3
Session
SanFran#
*Jun 29 10:25:16.719:
IntoLayer
tunnel
(SSS):
Sending
pak
GainL2TP:(Tnl0:Sn43729):FS
from the first book to address
2 VPN
application
utilizing
*Jun 29 10:25:16.719:
L2TP:(Tnl0:Sn43729):FS/CEF
Into
tunnel:
Sending
80
byte pak
45 00 00 50
04 D3strategies
00 00 FF
73allow
A0 D4
0A enterprise
00 00 C9 customers to enhance
Review
that
large
0A 00 00 CB
00 service
00 6E offerings
48 08 00while
00 00
00 00 06routing
4A
their
maintaining
control
^^^^^^^^^^^ ^^^^^^^^^^^
Cell Header:
= 0/100; PTI: 101b
For a majority of Service Providers,| aATM
significant
portion ofVPI/VCI
their revenues
ATM-Specific
Sublayer:
T-bit
= 1 transport
and voice services
based
on legacy
18 01 technologies.
00 00 00 01Although
FF FF FF
FF 3
FFMPLS
FF FF
FF fulfill
FF FF
Layer
VPNs
FF FF customers,
FF FF FF they
FF FFhave
FF some
FF FFdrawbacks.
FF FF FF Ideally,
FF 6A 6A
6A 6A legacy
6A 6A Layer
6A 6A2 and
6A 6A
6A 3...
Layer
networks would like to move toward a single
*Jun 29 10:25:16.719:
tunnel
(SSS):Layer
Pak 2send successful
backboneL2TP:(Tnl0:Sn43729):CEF
while new carriers would likeInto
to sell
the lucrative
infrastructure.
FromExample 12-37, you can see that the OAM cell is encapsulated using Cell Relay over L2TPv3.
The ATM-Specific Sublayer has the Transport bit set, an indication that it is carrying an ATM cell.
An ATM Cell Header is included in the payload. The payload type identifier (PTI) value of 101 binary
indicates an end-to-end OAM F5 flow cell.
Note
In AAL5 SDU mode, OAM cells that are received over the attachment circuit are sent immediately
and might not maintain the relative cell order with respect to cells that comprise an AAL5 frame
that is being reassembled.
The complete L2TPv3 encapsulation that indicates an admin cellincluding the T-bit in the ATM-Specific
Sublayercontains the following fields:
Layer 2 Tunneling Protocol Version 3Session ID: 28232

.0.. ....By=Wei
S-bit:
Luo, - False
.... 1... = T-bit: True
Cisco Press
.... .0.. =Publisher:
G-bit: False
ISBN:
1-58705-168-0
.... ..0. = C-bit:
False
Table of
Pages:
648
Contents
.... ...0 = U-bit: False
Index
Sequence Number: 0
The first two nibbles in the OAM cell payload are 0x18. The OAM type 0x1 indicates a Fault Management, a
thespecifies
world of an
Layer
2 Cell
VPNsLoopback.
to provideThe
enhanced
services
enjoyindicator (LBI),
the OAM FunctionMaster
type 0x8
OAM
next byte
is the and
loopback
productivity
gains
and a value of 0x01 indicates that the cell must be looped back. It contains a 4-byte correlation tag (CTag)
of 1 because you captured the first OAM cell after enabling OAM management. It follows with 16 bytes of
binary ones for the location
which
designates
end-to-end
loopback.
LearnID,
about
Layer
2 Virtualan
Private
Networks
(VPNs)Unused bytes are filled with a
0x6A padding. Refer to the ITU-T Recommendation I.610, "B-ISDN Operation and Maintenance Principles a
Functions," for ATM OAM
details.
Reduce
from
the first
bookover
to address
Layer with
2 VPN application
Case Study 12-5:Gain
ATM
Cell
Relay
L2TPv3
Dynamicutilizing
Session
Case Study 12-5 concentrates

on ATM Cell
Relay
over
L2TPv3
(ATM_CRoL2TPv3).
Using the topology show
Review strategies
that
allow
large
enterprise
inFigure 12-16, you learn
toservice
configure
and verify
operation routing
of ATM control
VCC Cell transport over L2TPv3.
their
offerings
whilethe
maintaining
Figure

12-16.
ATM VCC
Cell Relay
Case Study
technologies.
Although
Layer 3over
MPLS L2TPv3
VPNs fulfillDynamic
the market Session
need for some
customers, they have some drawbacks.
Topology
[View3fullcores.
size image]
services over their existing Layer
infrastructure.

As shown in Figure 12-16, the attachment circuits are now the PVCs with VPI/VCI pair of 0/200 in the
ATM5/0 interfaces of the SanFran and New York PE routers.
Configuring ATM_CRoL2TPv3 with Dynamic Session
The configuration steps that are required to provision ATM_CRoL2TPv3 in VC mode are similar to the ones
you just learned in Case Study 12-4. However, one difference is needed to specify ATM Cell Relay service a
opposed to ATM AAL5 service. This difference involves specifying the encapsulation as aal0, meaning "no
ATM Adaptation Layer," under the attachment circuit PVC (see Example 12-38).
Example 12-38. Configuring ATM_CRoL2TPv3 in the SanFran PE
!
hostname SanFran
!
interface ATM5/0
encapsulation aal0
xconnect 10.0.0.203
28March
pw-class
Pub Date:
10, 2005 pw-l2tpv3-atm
!
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
You can see that Example 12-38 uses the same pseudowire class for comparison. The CE router's
configuration is analogous to the previous case study and is the same as normal ATM PVC configuration us
VPI/VCI 0/200.
productivity gains
Verifying ATM_CRoL2TPv3
To verify the correct functioning of the L2TPv3 pseudowire, use the show l2tun session command (see
Example 12-39).
Gain from the
first
book to address LayerSession
the
ATM_CRoL2TPv3
that
SanFran#show l2tun Review
sessionstrategies
all vcid
28allow large enterprise customers to enhance
their
service
offerings
while maintaining
routing control
Session Information
Total
tunnels
1 sessions
2
Session id 43738
tunnel
23520
areis
stillup,
derived
fromid
data
Call serial number
is
2763400001
Remote tunnel name
is New
York
customers,
they
Internet address
10.0.0.203
legacyis
Layer
Session is L2TP
signalled
backbone
Session stateservices
is established,
time since
00:00:44
over their existing
Layer 3change
cores. The
0 Packets sent,
0 received
technology
0 Bytes sent,
0 received
infrastructure.
out-of-order:
0
total: Network (VPN) concepts,
0
introductory
Send packets
dropped:case studies and comprehensive design scenarios. This book
readers
exceeded assists
session
MTU: looking
0 to meet those requirements by explaining the
total: history and implementation
0
Session vcid the
is Cisco
28 Unified VPN suite: Any Transport over MPLS (ATOM) for MPLScores andtype
Layer
Tunneling
Protocol
version
Session Layerbased
2 circuit,
is2 ATM
VCC CELL,
name
is ATM5/0:0/200
cores.
Circuit stateIP is
UP The structure of this book is focused on first introducing the
readeridto is
Layer
2 VPNremote
benefitstunnel
and implementation
requirements and
Remote session
28241,
id 60864
comparing
them
to those of
Layer
3 based
VPNs,
such255
as MPLS, then
DF bit off, ToS
reflect
disabled,
ToS
value
0, TTL
value
progressively
covering
No session cookie
information
available
00000000 00000000 00000000 00000000
00000000 00000000
Sequencing is off
SanFran#
Theshow l2tun session command for the session with the VC ID of 28 as configured in Example 12-38
shows that the session is signaled and established. The VC Type (pseudowire type) is ATM VCC Cell using
pseudowire type 0x0009 for ATM n-to-one VCC cell from Table 12-1. The encapsulation size is now 24 byte
which is the minimum possible encapsulation size. In ATM_CRoL2TPv3, you do not use the ATM-Specific
2 VPNcell
Architectures
Sublayer becauseLayer
the ATM
headers are actually carried. The ATM L2TPv3 companion document specifie
ByWei the
Luo, Default
- CCIE No.or13,291,
CarlosLayer
Pignataro,
- CCIE No.
4619,Dmitry
Bokotey,
- CCIECisco IOS routers sign
that, if needed, either
the ATM
2-Specific
Sublayer
can
be used.
4460,Anthony
- CCIE Sublayer
No. 10,266 if sequencing is required.
a request for the No.
Default
Layer Chan,
2-Specific
You can also compare
the ATM
L2transport
PVCs in the SanFran PE (see Example 12-40).
Publisher:
Cisco
Press
ISBN: 1-58705-168-0
Table of 12-40. Verifying ATM over L2TPv3 PVC

Example
Pages: 648
Contents
Index
SanFran#show atm pvc interface ATM 5/0

VCD /
Peak
Avg/Min Burst
Interface
Name
VPI
VCI
Type
Encaps
Kbps
Kbps Cells
Master
the world of0Layer
2 VPNs
services and
5/0
1
100
PVCto provide
AAL5 enhanced
149760
N/Aenjoy
productivity
gains 0
5/0
2
200
PVC
AAL0
149760
N/A
SanFran#
Sts
UP
UP

Reduce
costs and
the reach
of your
services
by unifying
your
Using the show atm pvc
command,
theextend
encapsulation
is now
shown
as AAL0,
meaning
ATM Cell Relay.
network
architecture
From the CE router standpoint, the PVCs that are transported as AAL5 or Cell are the same.
Gain
theoffirst
to address
Example 12-41 displays
the from
details
the book
Cell Relay
PVC 0/200.
Example 12-41. ATM_CRoL2TPv3

PVC maintaining
Details routing control
their service offerings while

SanFran#show atm vc interface aTM 5/0 detail
ATM5/0: VCD: 2, VPI: 0, VCI: 200
AAL0-Cell Relay, etype:0x10, Flags: 0x10000C2D, VCmode: 0x0
Interworking Method: like to like
InBytes: 17179868768, OutBytes: 0
infrastructure.
Cell-packing Disabled
OAM cells received:
Layer 2104
VPN Architectures introduces readers to Layer 2 Virtual Private
OAM cells sent:Network
104
Status: UP
SanFran#

the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLScores
Layer 2Relay.
Tunneling
3 (L2TPv3)
forshowing
native OAM cell
The encapsulationbased
is shown
asand
AAL0-Cell
Also Protocol
note thatversion
the next
three lines
IP
cores.
The
structure
of
this
book
is
focused
on
first
introducing
the
emulation, interworking, and remote circuit status are specific to ATM pseudowires and do not appear for a
PVC in a CE device.
Cell Relay Details

The ATM Cell Relay tunneling and transport using L2TPv3 encompass three operational modes:
VC mode
VP mode
Port mode
VP and Port mode do not support AAL5 transport because cells from different PVCs are interleaved and
Layer
2 VPN Architectures
cannot be properly
reassembled.
To configure the different

ATM CR
operational
modes, use the same xconnect command with the same
No. 4460,Anthony
Chan,
- CCIE No. 10,266
parameters and keywords. The difference is the context in which the command is applied, which in Cisco IO
CLI means the configuration
mode. The configuration modes are as follows:
1-58705-168-0
ATMofCR VC ModeISBN:
Create
the xconnect under pvc l2transport configuration mode.
Table
Pages:
648
Contents
ATM CR VP Mode Create the xconnect under atm pvp l2transport configuration mode.
Index
ATM CR Port Mode Create the xconnect under ATM interface configuration mode.
Example 12-42 shows an example of each case.
productivity gains
Example 12-42. Configuring Different ATM_CRoL2TPv3 Modes

! ATM Cell Relay VCReduce
Mode Configuration
interface ATM5/0
encapsulation aal0
xconnect 10.0.0.203
pw-class
pw-l2tpv3-atm
both28
ATOM
and L2TP
protocols
!
! ATM Cell Relay VPtheir
Mode
Configuration
service
interface ATM5/0
atm pvp 5 l2transport
xconnect 10.0.0.203
5 pw-class
pw-l2tpv3-atm
are still derived
from data
!
! ATM Cell Relay Port Mode Configuration
interface ATM3/0
!
!
infrastructure.

Network
(VPN) concepts,
andmode,
describes
Layerto
2 specify
VPN techniques
via
One key configuration
difference
is that in VC
you need
the encapsulation
as aal0 for Cell
introductory
case
studies
and
comprehensive
design
scenarios.
This
book
Relay, because AAL5 SDU is also supported on VC mode. This extra step is not needed
in VP and Port mod
historyvpdn
and implementation
details
the
two
technologies
available
from AVPs in the deb
By enabling the debug
l2x-packets, you
can of
see
the
control
messages
and parsed
theyou
Cisco
VPN
suite:
Any Transport
over
MPLS
(ATOM)
MPLS- CRoL2TPv3 mod
output. From here,
canUnified
compare
the
different
pseudowire
types
used
for thefor
different
cores7.and
Layer 2
Tunneling
version
(L2TPv3)
for native
by inspecting the based
Cisco AVP
Compare
the
values inProtocol
Example
12-43 3with
the following
pseudowire types
fromTable 12-1: IP cores. The structure of this book is focused on first introducing the
progressively
covering
each for
currently
available
Example 12-43.
Pseudowire
Type
Different
ATM_CRoL2TPv3
Modes
! ATM Cell Relay VC Mode PW Type

*Jun 29 10:32:00.071: Tnl23520 L2TP: Pseudo Wire Type 9
! ATM Cell Relay VP Mode PW Type

*Jun 29 10:40:09.839: Tnl23520 L2TP: Pseudo Wire Type 10
Layer
2 VPNMode
Architectures
! ATM Cell Relay
Port
PW Type
*Jun 29 10:43:29.767:
L2TP:
Parse
Cisco
AVP
flag- CCIE
0x8000 (M)
CCIE No. 13,291,
Carlos
Pignataro,
- CCIE
No. 7,
4619,len
Dmitry8,
Bokotey,
*Jun 29 10:43:29.767:
Tnl23520
Wire Type 3
No. 4460,Anthony
Chan, - L2TP:
CCIE No.Pseudo
10,266
ISBN: 1-58705-168-0
0x0009 ATM n-to-one
VCC cell (ATMoL2TPv3 Cell VC mode)
Table of
Pages:
648
Contents
0x000A ATM n-to-one VPC cell (ATMoL2TPv3 Cell VP mode)
Index
0x0003 ATM Transparent cell (ATMoL2TPv3 Cell Port mode)
To conclude this section, Example 12-44 shows how these pseudowire types and attachment circuits for th
different CRoL2TPv3 modes are displayed.
productivity gains
Example 12-44. Pseudowire

Type
Display
for
Different
ATM_CRoL2TPv3 Modes
Learn about Layer
2 Virtual
Private
Networks
(VPNs)
SanFran#show l2tun network
sessionarchitecture
dropped
duebook
to failed
digest
Gain from
the first
to address
LocID
RemID
TunID
Username, Intf/
State
Vcid,
Circuit
43729
28232
27, AT5/0:0/100
est
their23520
service offerings
43739
28242
23520
28, AT5/0:0/200
est
43746
28249
23520
5,
AT5/0:5
est
43756
28259
23520 from data
3, AT3/0:
are still derived
and voice services based on legacy transport est
SanFran#
SanFran#! ATM AAL5
SDU Mode
customers,
SanFran#show l2tun
all Layer
vcid 327networks
| include
type
legacysession
Layer 2 and
would
like is
Session Layerbackbone
2 circuit,
is ATM would
AAL5,like
name
is the
ATM5/0:0/100
whiletype
new carriers
to sell
lucrative Layer 2
SanFran#
technology
SanFran#! ATM Cell
Relaythat
VCCwould
Mode allow Layer 2 transport over a Layer 3
infrastructure.
SanFran#show l2tun session all vcid 28 | include type is
Session Layer 2 circuit, type is ATM VCC CELL, name is ATM5/0:0/200
SanFran#
introductory
SanFran#! ATM Cell
Relay case
VPC Mode
assistssession
readers all
looking
to meet
those requirements
SanFran#show l2tun
vcid
5 | include
type is by explaining the
and implementation
of the two
available from
Session Layerhistory
2 circuit,
type is ATMdetails
VPC CELL,
nametechnologies
is ATM5/0:5
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSSanFran#
SanFran#! ATM Cell
Relay
Modeof this book is focused on first introducing the
IP cores.
ThePort
structure
SanFran#show l2tun
vcid
3 | include
type is requirements and
readersession
to Layerall
2 VPN
benefits
and implementation
Session Layercomparing
2 circuit,
type
is ATM
CELL,
name is
ATM3/0:
them
to those
of Layer
3 based
VPNs,
such as MPLS, then
SanFran#

Summary By

learned the
and practical configuration, verification, and
Ciscoconcepts
Press
troubleshooting steps
ofDate:
the March
tunneling
and transport of Layer 2 WAN protocols over an IPv4
Pub
10, 2005
infrastructure using L2TPv3. You worked through multiple case studies, including static and
ISBN: 1-58705-168-0
Tableconfiguration
of
dynamic
of L2TPv3 sessions and transport of multiple WAN protocols such as
Pages:
648
Contents
HDLC,
PPP, Frame Relay, and different flavors of ATM.
Index
This chapter compared and contrasted L2TPv3 to transport diverse WAN protocols, in addition
to L2TPv3 and AToM as pseudowire technology for WAN protocol transport. You learned L2TPv3
control plane theory and practice through multiple messaging exchange examples, data plane
Master the
VPNs to provide
enhanced
characteristics including
the world
use of of
anLayer
Layer22-Specific
Sublayer,
packet services
decodes,and
andenjoy
MTU
considerations. productivity gains

infrastructure.

Chapter 13. Advanced L2TPv3 Case

Studies

ISBN: 1-58705-168-0

This chapter
Contents
Index
Pages: 648
L2TPv3 path MTU discovery

Advanced ATM transport over L2TPv3
Quality of service
productivity gains
This chapter concentrates on advanced concepts and techniques in Layer 2 Tunnel Protocol
Version 3 (L2TPv3) transport
deployments.
Building
from the
concepts
and configurations
Learn about
Layer 2 Virtual
Private
Networks
(VPNs)
covered in Chapters 10, "Understanding L2TPv3," through 12, "WAN Protocols over L2TPv3
Case Studies," this chapter
covers
topicsthe
andreach
case of
studies
that involve
a higheryour
degree
Reduce
costsdiverse
and extend
your services
by unifying
of complexity than previous
chapters.
Because the advanced deployment scenarios cover a
network
architecture
wide range of concepts, the format of this chapter varies somewhat from other case study
chapters.
This chapter starts by explaining path maximum transmission unit discovery (PMTUD), the
Review strategies
allow large
customers
to learn
enhance
problem it solves, the rationale
behind itsthat
operation,
and enterprise
multiple examples.
You
details
their
service
offerings
while
maintaining
routing control
about combining PMTUD
with
setting
the DF bit
in the
delivery header.
a majority
of Service
Providers,
a significant
of their revenues
This chapter also For
covers
two advanced
cases
of ATM over
L2TPv3:portion
ATM Operation,
areMaintenance
still derived from
data
and voice
based
on legacy
transport
Administration, and
(OAM)
emulation
andservices
ATM cell
packing.
This chapter
technologies.
3 in
MPLS
VPNs
fulfill
the market
need for some
concludes by describing
qualityAlthough
of serviceLayer
(QoS)
L2TPv3
and
explaining
configuration
examples.
infrastructure.

Case Study
13-1: L2TPv3 Path MTU Discovery
In this section, you learn

theCisco
PMTUD
Publisher:
Pressand fragmentation issues that are present with large packets in
L2TPv3 networks. Just
any
other
encapsulation protocol, L2TPv3 adds a series of overheads or
Publike
Date:
March
10, 2005
protocol control information (PCI) to a service data unit (SDU) that is being encapsulated to create the
ISBN: 1-58705-168-0
Table
of
L2TPv3
protocol
data unit (PDU). This section uses the network and L2TPv3 pseudowire shown in Figure
Pages:
648
13-1 Contents
to cover PMTUD. The maximum transmission unit (MTU) is left as 1500 bytes default for all serial
Index
links
in the network.
Master theFigure
world of13-1.
Layer 2L2TPv3
VPNs to provide
enhanced
services and enjoy
PMTUD
Topology
productivity gains

The Problem:
MTU andAlthough
Fragmentation
technologies.
Layer 3 MPLSwith
VPNs L2TPv3
With any tunneling
protocol,
packet
that
results from
the like
encapsulation
is N bytes
longer than the
legacy
Layerthe
2 and
Layer
3 networks
would
to move toward
a single
original Layer 2 frame
beingwhile
tunneled.
With L2TPv3
IP sell
as the
protocol,
backbone
new carriers
wouldover
like to
thetunneling
lucrative Layer
2 the value of N has
a range of 4 to 16services
bytes, not
including
the outermost
IP header.
The exact
value cases
depends
over
their existing
Layer 3 cores.
The solution
in these
is aon the cookie
size and the presence
of Layer
2-Specific
Sublayer.
such, theover
combined
sizes
technology
that
would allow
Layer As
2 transport
a Layer
3 of the encapsulated
frame plus the encapsulation
data might exceed the packet-switched network (PSN) path MTU, leading to
infrastructure.
the ingress PE performing fragmentation and the egress PE performing reassembly. The reassembly
Layer 2 VPN
introduces
readers
to Layer
2 Virtual
Private
operation is an expensive
oneArchitectures
in terms of processing
power.
Avoid
it in the
PE device
whenever possible.
Network
(VPN) concepts,
and describes
Layer fragmentation
2 VPN techniques
Cisco IOS has several
configurations
and features
that prevent
andvia
reassembly in the
introductory
studies
switching path if you
adjust orcase
"tune"
the MTU.
Note
An L2TP node
that exists
at either
endof
ofLayer
an L2TP
control
connection
referred
to as L2TP
comparing
them
to those
3 based
VPNs,
such asisMPLS,
then
control connection
endpointcovering
(LCCE) .each
An LCCE
can either
be an
L2TP access
concentrator
(LAC)
progressively
currently
available
solution
in greater
detail.
when tunneled frames are processed at the data link layer (Layer 2) or an L2TP network server
(LNS) when tunneled frames are processed at the network layer (Layer 3). A LAC crossconnects an L2TP session directly to a data link and is analogous to a Pseudowire Emulation
Edge to Edge (PWE3) provider edge (PE). This chapter uses the terms LCCE, LAC (from L2TP
nomenclature), and PE (from pseudowire name assignment) interchangeably to refer to an
L2TPv3 tunnel endpoint, unless specifically noted.
You configure an L2TPv3 HDLC pseudowire with a remote and local cookie size of 4 bytes and with
sequencing enabled. The configuration for the SanFran end is shown in Example 13-1. The NewYork PE
configuration is analogous to this one.
ByWei
Luo, - CCIE
No. 13,291,
Carlos Pignataro, -(HDLCPW)
CCIE No. 4619,Dmitry
Bokotey, - CCIE
Example 13-1.
L2TPv3
HDLC
Pseudowire
Configuration
!
hostname SanFran Pub Date: March 10, 2005
!
ISBN: 1-58705-168-0
Table of l2tpv3-wan
l2tp-class
Pages:
648
Contents
cookie
size 4
! Index
pseudowire-classwan-l2tpv3-pw
sequencing both
Master
protocol l2tpv3
l2tpv3-wan
productivity
gains
!
interface Serial5/0
no ip address
no cdp enable
xconnect 10.0.0.203
50 pw-class
wan-l2tpv3-pw
network
architecture
!
You can see in ExampleReview
13-2 that
the L2TPv3
session
is UP,
and thecustomers
encapsulation
size is 32 bytes. The
strategies
that allow
large
enterprise
to enhance
commandshow sss circuit
also displays
thewhile
encapsulation
size.
their service
offerings
maintaining
routing control

are L2TPv3
still derived
from data Verification
Example 13-2.
HDLCPW
SanFran#show l2tun
all Layer
vcid 350networks
| include
Session
is|state|encap
legacysession
Layer 2 and
would
like to move
toward a single
Session is L2TP
signalled
backbone
Session stateservices
is established,
time Layer
since 3change
00:05:41
over their existing
cores. The
Circuit statetechnology
is UP
encap size infrastructure.
= 32 bytes
SanFran#
The encapsulationassists
size ofreaders
32 bytes
comestofrom
following:
looking
meetthe
those
the Cisco
Unified
VPN suite: Any Transport over MPLS (ATOM) for MPLS20 bytes of IPv4
Delivery
header
IP cores.
The structure
4 bytes of L2TPv3
Session
ID
comparing
4 bytes of L2TPv3
cookie
4 bytes of the default Layer 2-Specific Sublayer header used for sequencing
You also need to add the transport overhead for High-Level Data Link Control (HDLC), which is constant
and equal to 4 extra bytes. Refer to Chapter 12 for details about MTU considerations.
In the transport and tunneling of HDLC frames over HDLC pseudowires (HDLCPW), encapsulating an
HDLC frame received from a customer edge (CE) in L2TPv3 over IP adds 36 bytes in the core to the
enclosed IP packet that the CE device sends. Before you can address what would happen if you were to
send IP packets that were larger than the core MTU minus 36 bytes, you would need a baseline sample
for comparison.
Start by sending 500 Internet Control Message Protocol (ICMP) ping packets that total 1464 bytes, which
is exactly 1500 bytes (core MTU) - 36 bytes (total encapsulation overhead) from the Oakland CE to the
Architectures
Albany CE. While Layer
these2 VPN
packets
are being sent, profile the IP Input IOS process by using the command
show processesBycpu,
which
displays
detailed
CPU utilization
on
Cisco -IOS
Wei Luo, - CCIE No. 13,291,
Carlos Pignataro,
- CCIE No.statistics
4619,Dmitry
Bokotey,
CCIEprocesses. The IP
Input process takes
care
of
process
switching
received
IP
packets
in
Cisco
IOS.
Example
13-3 shows the
CPU profile for the IP Input process when the packets are being transferred.
Example 13-3. Baseline

IP Input CPU Profile
ISBN: 1-58705-168-0
Table of
Pages: 648
Contents
NewYork#show
processes
cpu | include util|PID|IP Input
Index
CPU utilization for five seconds: 5%/0%; one minute: 5%; five minutes: 5%
PID Runtime(ms) Invoked
uSecs
5Sec
1Min
5Min TTY Process
18
5368
648
8283 0.07% 0.08% 0.12%
0 IP Input
NewYork#
productivity gains
Learn
about
Layer
2 Virtual
Private CPU
Networks
(VPNs)
You can see from Example
13-3
that
the IP
Input process
utilization
is low. That is consistent with
the fact that those L2TPv3 packets from the HDLC-PW are being Cisco Express Forwarding (CEF)
Reduceincosts
andpath
extend
your services
switched. They are switched
the fast
andthe
notreach
in theofprocess
path. by unifying your
Perform a similar experiment with packets that are larger than the core MTU minus the encapsulation
Gain
from theand
firstCisco
bookDiscovery
to addressProtocol
Layer 2(CDP)
VPN application
utilizing so that you
overhead. Disable HDLC
keepalives
on the CE devices
both
ATOM
and
L2TP
protocols
have an accurate count of packets existing in the core routers (see Example 13-4).
Example 13-4. CE Configuration

!
hostname Oakland
!
interface Serial5/0
backbone while
ip address 192.168.105.1
255.255.255.252
services
over
their
no keepalive
technology
that
would
serial restart-delay 0
infrastructure.
no cdp enable
!

assists
readers
looking
to meet
those
requirements
bythan
explaining
the minus 36 bytes)
Next, send 500 ICMP
echo
packets
that total
1465
bytes
(1 byte larger
1500 bytes
history
andbit
implementation
detailsfrom
of the
two
technologies
available
from
and the don' fragment
(DF)
set in the IP header
the
Oakland
CE (see
Example
13-5).
IP cores.
The structure
of thisfrom
book is
focused
on firstCE
introducing the
Example 13-5.
1465-Byte
Packets
the
Oakland
available
repeat each
500 currently
size 1465
df-bitsolution in greater detail.
Packet sent with the DF bit set
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!
Oakland#
Note that even though the DF bit is set and the packets do not fit, the pings are successful. Although the
DF bit is set in packets
that are sent from the Oakland CE device, they are further encapsulated in
ByThe
Wei Luo,
CCIE
No. 13,291,
CCIE No. is
4619,
Dmitry
- CCIEthese oversized
L2TPv3 over IPv4.
DF -bit
in this
outerCarlos
IPv4Pignataro,
delivery- header
not
set.Bokotey,
Therefore,
No. 4460,Anthony
CCIE over
No. 10,266
packets that are carrying
ICMP Chan,
over- IPv4
HDLC over L2TPv3 over IPv4 are being fragmented after
tunnel encapsulation.
Check the CPU utilization

forMarch
the IP
Pub Date:
10,Input
2005 process in the NewYork PE device (see Example 13-6).
Table of
Contents
Example
Index
ISBN: 1-58705-168-0
Pages: 648
13-6. IP Input CPU Profile During IP Fragmentation Reassembly
NewYork#show processes cpu | include util|PID|IP Input

CPU utilization for five seconds: 20%/0%; one minute: 6%; five minutes: 1%
Master
the world of Layer
2 VPNs
to provide
services
and enjoy
PID Runtime(ms)
Invoked
uSecs
5Sec
1Min enhanced
5Min TTY
Process
productivity
gains
18
1700
199
8542 16.04% 3.54% 0.41%
0 IP Input
NewYork#

Reduce costs
andseconds
extend shows
the reach
your
services
by unifying
your
The line labeled CPU utilization
for five
thatofthe
CPU
utilization
was 20 percent,
and 0
network
architecture
percent was spent at the interrupt level. This means that the process level used all the CPU, and the IP
Input process added the delta. The reason for this huge difference is the reassembly of the fragmented IP
packets carrying L2TPv3. Not surprisingly, the CPU utilization for the IP Input process jumps around 15
percent when compared to the CPU baseline profile shown in Example 13-3.
Although this case study shows numbers for the CPU utilization and its variation because of
reassembly, consider the numbers qualitatively and not quantitatively. The impact of
reassembly in CPU performance varies significantly across platforms and traffic patterns. The
intent of this case study is to show the effect of reassembly in a router CPU, although the actual
variation usually deviates from the sample values shown.
infrastructure.
Note

In essence, IP fragmentation that is defined in RFC 791, "Internet Protocol," involves breaking up an IP
datagram into several pieces that are sent in different IP packets and reassembling them later. The fact
that fragmentation and reassembly is occurring is proven in Example 13-7 using the command show ip
traffic.
Example 13-7.
IP Fragmentation
and
Reassembly
in NewYork
IP cores.
The structure of this
book
is focused on first
introducing PE
the
NewYork#show ip traffic | include IP stat|frag|reass
IP statistics:
Frags: 500 reassembled, 0 timeouts, 0 couldn't reassemble
501 fragmented, 0 couldn't fragment
NewYork#
A Cisco IOS router does not attempt to reassemble all IP fragments; it only fragments those that are
destined to the router that need to be reassembled before decapsulation. Several issues could make you
want to avoid IP fragmentation and reassembly. In a router, reassembly is an expensive operation. A
router architecture is designed to switch packets as quickly as possible. Holding a packet for a relatively
long period of time is not what a router is intended for; it is more of a host operation. When fragmenting
a packet, a router needs to make copies of the original IP packet. When fragments are received, a Cisco
Layer
2 VPN
Architectures
IOS device chooses
the
largest
buffer of 18 KB because the length of the total packet is unknown when
Luo, - CCIE
13,291,coalescing
Carlos Pignataro,
CCIE No. 4619,This
Dmitry
- CCIE use of the buffers,
the first fragmentByisWei
received
andNo.
before
the- fragments.
isBokotey,
an inefficient
No. 4460,Anthony
CCIEIP
No.
10,266 are process switched (process level switching path or
but even more important
is theChan,
fact -that
packets
slow path) for reassembly. This can degrade throughput and performance and increase CPU utilization.
Table of
Contents
Note
Index
ISBN: 1-58705-168-0
Pages: 648
In Cisco IOS, multiple fragments from an IP packet are counted as a single IP packet.
Therefore, the counters from Example 13-7 and Example 13-8 indicate 500 packets.
gains
Example productivity
13-8. IP Reassembly
Is Process Switched
Learn aboutSerial
Layer 25/0
Virtual
NewYork#show interfaces
stats
Serial5/0
Switching path
Pkts In
Chars In
Pkts Out Chars Out
Processor
0
0
500
734500
Route cache
500
734500
0
0
Total
500
734500
500
734500
NewYork#show interfaces Serial 5/0 switching
Serial5/0
Throttle
0
their count
service offerings while
Drops
RP
0
SP
0
SPD Flushes
Fast
0
SSE
0
SPD Aggress
Fastfrom data and
0 voice services based on legacy transport
are still derived
SPD Priority
Inputs
0
technologies. Although Layer03 MPLS Drops
VPNs fulfill the market
need for some
Protocol
Path
Pkts In
Chars In
Pkts Out Chars Out
Other
Process
0
0
500
734500
Cache misses
0
Fast
500
734500
0
0
Auton/SSE
0
0
0
0
infrastructure.
NewYork#
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSTo verify that the reassembly process takes place in the process path, you can use these two show
interface commands from the NewYork PE: show interfaces stats and show interfaces switching.
These commands are hidden in some IOS releases (see Example 13-8).
comparing
them to
thoseinto
of Layer
3 based
VPNs,and
such
as MPLS,
then
Example 13-8 shows
that packets
coming
Serial5/0
interface
sent
into the
tunnel are fast
progressively
covering
each
currently
available
solution
in
greater
switched (CEF switched), but packets that are sent out of interface Serial5/0 comingdetail.
from the L2TPv3
session and sent to Albany CE are process switched (switched in the process level switching path by a
software process level component). You can see that the 500 IP packets sent from the Oakland CE and
fragmented by the SanFran PE are process switched at the NewYork PE because of reassembly and then
sent to the Albany CE device.
In summary, stay away from reassembly by avoiding fragmentation by means of MTU tuning. As you will
learn in the upcoming examples, Sweep Ping is a useful tool to identify fragmentation issues and their
boundary conditions.
The Solution: Path MTU Discovery

Layer
2 VPN
The solution to the
MTU
andArchitectures
fragmentation problem is L2TPv3 PMTUD, which is defined in RFC 1191. To
ByWei
CCIE No. edge
13,291,routers,
Carlos Pignataro,
- CCIE
No. 4619,
Dmitry
- CCIE adjust the Session
prevent reassembly
byLuo,
the- L2TPv3
PMTUD
allows
the PE
to Bokotey,
dynamically
No. 4460,Anthony
Chan, - CCIE
No. 10,266
MTU and is only supported
for dynamic
sessions.
Understanding PMTUD
Table of
ISBN: 1-58705-168-0
648 further enables a set of new behaviors, as follows:

Enabling
PMTUD in the Pages:
PE device
Contents
Index
The ingress LCCE copies the DF bit from the IP header in the CE IPv4 packet into the IPv4 delivery
header. The DF bit is reflected from the inner IP header to the tunnel IP header.
The ingress LCCE listens to ICMP Unreachable messages with code 4 to find out the path MTU and
productivity gains
records the discovered path MTU for the session.
The ingress LCCELearn
inspects
theLayer
IPv4 packet
inside
theNetworks
Layer 2 frame
it receives from the CE. If the
about
2 Virtual
Private
(VPNs)
IPv4 packet has the DF bit cleared and the resulting L2TPv3 packet exceeds the discovered MTU, it
determines the number
fragments
so that
fragment
the encapsulation
overhead is
Reduceofcosts
and extend
theeach
reach
of your plus
services
by unifying your
smaller than the path
MTU.
It
fragments
the
CE
IPv4
packet,
copies
the
original
Layer
2 header and
appends it into each of the generated fragments, and sends multiple L2TPv3 packets. This
procedure effectively
thefirst
computational
expensive
reassembly
the receiving CE
Gainpushes
from the
book to address
Layer IPv4
2 VPN
applicationinto
utilizing
device and relieves
theATOM
PE from
centralized reassembly point. Note that this action occurs
both
andbeing
L2TP aprotocols
only after the path MTU is discovered.
The ingress LCCEtheir
generates
unreachable
messages routing
to the CE
device when the IPv4 CE packet
serviceICMP
offerings
while maintaining
control
contains the DF bit set and the resulting L2TPv3 packet exceeds the discovered MTU. The MTU value
majority
of Service
Providers,
a significant
portion
of their revenues
informed byFor
theaPE
to the CE
in this ICMP
unreachable
is called
the adjusted
MTU . The adjusted MTU
are still
derived
from data
andcore
voiceminus
services
onoverhead
legacy transport
is the discovered
path
MTU (PMTU)
in the
the based
L2TPv3
(IPv4 header, Session
technologies.
Although
Layer 3 MPLS
VPNs fulfill
the
market MTU
needplus
for some
ID, cookie, and
Layer 2-Specific
Sublayer).
Consequently,
this
adjusted
the L2TPv3
customers,
some drawbacks.
Ideally, PMTUD
carriers applications
with existingin the customer (C)
overhead adds
up to thethey
corehave
discovered
PMTU and enables
legacy
Layer 2 and
3 networks
wouldonly
like to
move
a single
network to work
correctly.
NoteLayer
that this
action occurs
after
the toward
path MTU
is discovered.
If the path MTU
has not
the 3ingress
performs
actions
services
overbeen
theirdiscovered,
existing Layer
cores. LCCE
The solution
in only
thesethe
cases
is a in the first two
bulleted points.
infrastructure.

Note
With PMTUDhistory
enabled,
the
PE device decodes
ICMP
Destination
Unreachable
(Typefrom
3) messages
and
implementation
details
of the
two technologies
available
with code 4 ("The
datagram
is
too
big.
Packet
fragmentation
is
required,
but
the
DF
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS-bit in the IP
header is set"
) andcores
updates
session
MTU accordingly.
This ICMP
message
also referred to
based
and the
Layer
2 Tunneling
Protocol version
3 (L2TPv3)
forisnative
as the Datagram
Too
Big
message
and
is
defined
in
RFC
792,
"Internet
Control
Message
Protocol." reader to Layer 2 VPN benefits and implementation requirements and
To illustrate the behavior and the new rules, compare a sample network behavior with and without
PMTUD.Figure 13-2 shows a sample network where the PMTUD feature is disabled.
Figure 13-2. Processing with L2TPv3 PMTUD Disabled


Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
The operational procedures are as follows:
the that
world
Layer 2 VPNs
1. CE1 sends anMaster
IP packet
is of
encapsulated
in to
HDLC.
productivity gains
2. PE1 encapsulates the Layer 2 frame in L2TPv3 and sends the single L2TPv3 packet onto P1. The
outer IPv4 header always has the DF bit cleared.
3. P1 determines thatReduce
the MTU
of the
outgoing
interface
than the
costs
and
extend the
reach is
ofsmaller
your services
byL2TPv3
unifyingover
yourIPv4 packet
size. Because the DF
bit in the
delivery header is cleared, P1 fragments the packet and sends two
network
architecture
fragments of an IPv4 packet to P2.
both
ATOM and
4. P2 switches the two
fragments
thatL2TP
PE2 protocols
receives. PE2 reassembles the IPv4 packet that contains the
L2TPv3 packet and decapsulates the reassembled L2TPv3 packet.
5. PE2 sends the Layer 2 PDU that contains the CE IPv4 packet toward CE2.

Note
The process services
that is described
inexisting
Step 4 is
the reassembly
post-fragmentation
because
it
over their
Layer
3 cores. Theofsolution
in these cases
is a
fragments the
IPv4 delivery
The prefix
is used
in reference
technology
that packet.
would allow
Layer "post"
2 transport
over
a Layer 3 to encapsulation.
Therefore,post-fragmentation
means fragmentation after L2TPv3 encapsulation. PE2 carries
infrastructure.
out processor-intensive reassembly in Step 4.
In contrast, Figure
13-3 presents
the case
which
PMTUD
is enabled.
assumes
that PE1 has already
assists
readers looking
to in
meet
those
requirements
byThis
explaining
the
discovered the path
MTUand
by processing
an ICMP
unreachable
too available
big" message
history
implementation
details
of the two"datagram
technologies
from from the core
P1 router, and the
session
hasVPN
been
updated
with a value
equal
to (ATOM)
1400 bytes.
the
Cisco MTU
Unified
suite:
Any Transport
over
MPLS
for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
Figure
13-3.
with
L2TPv3
Enabled
comparing
them Processing
to those of Layer
3 based
VPNs,PMTUD
such as MPLS,
then

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
The following steps take place when PMTUD is enabled:
1. CE1 sends an IP packet that is encapsulated in HDLC.
2. PE1 determines that
the resulting
L2TPv3 over IPv4 packet is greater than the path that MTU
network
architecture
discovered. PE1 proceeds to fragment the IPv4 CE packet inside the HDLC frame and appends a copy
of the HDLC headerGain
to the
seconds
fragment.
The result
is that
twoapplication
Layer 2 frames
are passed onto
from
the first
book to address
Layer
2 VPN
utilizing
L2TPv3 for encapsulation
and two
over IPv4 packets are sent onto P1.
both ATOM
and L2TPv3
L2TP protocols
3. P1 router does not Review
need tostrategies
perform fragmentation.
4. PE2 receives the
L2TPv3ofdata
packets,
and asa far
as PE2 knows,
are revenues
from two different
For two
a majority
Service
Providers,
significant
portionthey
of their
Layer 2 frames.
PE2
then
decapsulates
the
two
L2Tpv3
packets
to
end
up
with
two Layer 2 frames
containing two
fragments
of
a
single
IPv4
packet
from
CE1.

5. PE2 sends twolegacy
LayerLayer
2 PDUs
toward
CE2,
each containing
a fragment
the CE
IPv4 packet. CE2
2 and
Layer
3 networks
would like
to move of
toward
a single
reassembles the
two fragments
into
an IPv4
packet.
backbone
while new
carriers
would
infrastructure.
case in
studies
comprehensive
design scenarios.
book the data
The process introductory
that is described
Step 2and
is called
prefragmentation
because itThis
fragments
assists readers
meet
those
requirements
by explaining
the
and not the delivery
header looking
packet.to
The
prefix
"pre"
is used in reference
to encapsulation.
details of the
two technologies
available from
Therefore,pre-fragmentation
means fragmentation
before
L2TPv3 encapsulation.
CE2 carries
the Cisco Unified
VPN suite:
Any5.Transport over MPLS (ATOM) for MPLSout processor-intensive
reassembly
in Step
them
those of Layerreassembly
3 based VPNs,
such as
then CE device. In
You can see that comparing
PMTUD forces
thetoCPU-intensive
to happen
in MPLS,
the receiving
progressively
covering
each
available
solution
in greater
detail.
essence, fragmentation
of IP packets
from
thecurrently
CE occurs
before data
enters
the pseudowire
(prefragmentation). The goal is that tunneled L2TPv3 packets are not fragmented along the way through
the IP PSN, so the receiving PE does not perform reassembly. You have learned that the default behavior
is to fragment L2TPv3 packets that are larger than the MTU.
Note
Note
Another important aspect of MTU handling is that the Layer 2 frames being tunneled should fall
within the MTU of the remote attachment circuit. In a bidirectional communication, this means
that attachment circuit MTUs need to match. As opposed to Any Transport over MPLS (AToM),
where pseudowires do not come up if an MTU mismatch occurs between the attachment
2 VPN Architectures
circuits, the Layer
attachment
circuit MTU is not advertised or enforced in L2TPv3.
Implementing PMTUD
ISBN:the
1-58705-168-0
Now that
have learned
operational procedures of PMTUD, it is time to see it in action. Example
Table you
of
Pages:
13-9 Contents
shows the configuration648
changes that are required to enable PMTUD. This configuration is applied in
the SanFran
and NewYork PE devices.
Index
Example 13-9. Enabling PMTUD
productivity gains
!
hostname SanFran
!
pseudowire-classwan-l2tpv3-pw-pmtu
sequencing both
protocol l2tpv3 l2tpv3-wan
ip pmtu
!
interface Serial5/0their service offerings while maintaining routing control
no ip address
no cdp enable are still derived from data and voice services based on legacy transport
no clns route-cache
xconnect 10.0.0.203
50 they
pw-class
wan-l2tpv3-pw-pmtu
customers,
have some
!
Example 13-9 shows the ip pmtu command added into a new pseudowire class for the L2TPv3
infrastructure.
pseudowire. The ip pmtu command can also hard-code the maximum path MTU for the session by
adding the max keyword
andArchitectures
the maximumintroduces
path MTU value
to to
theLayer
ip pmtu
command.
Layer 2 VPN
readers
2 Virtual
PrivateThis is most
useful to account Network
for the extra
overheads
when
the
core
network
has
further
encapsulations.
Example
13-10 highlights a
new
line
of
output
that
specifies
that
PMTUD
is
enabled
for
the
session.
Example 13-10.
Verifying
PMTUD
the Cisco
Unified VPN
suite: Any Transport over MPLS (ATOM) for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
SanFran#show l2tun session all vcid 50
out-of-order:
0
total:
0
2 VPN Architectures
exceeded Layer
session
MTU:
0
total: ByWei Luo, - CCIE No. 13,291,
0 Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
Session vcid No.
is4460,
50 Anthony Chan, - CCIE No. 10,266
Circuit state is
UP
Publisher:
Cisco Press
Remote session
isMarch
5399,
remote tunnel id 51995
Pubid
Date:
10, 2005
Session PMTU enabled, path MTU is not known
ISBN: 1-58705-168-0
Table
DF
bit ofoff, ToS reflect disabled, ToS value 0, TTL value 255
Pages:
648
Contents cookie information:
Session
local
Index
cookie, size 4 bytes, value 0B B4 A2 90
remote cookie, size 4 bytes, value BA 12 10 7F
Master the
world of Layer
00000000 00000000
00000000
00000000
productivity
gains
00000000 00000000 00000000 00000000
Sequencing is on
Learn
2 Virtual
Ns 0, Nr 0, 0 out
ofabout
orderLayer
packets
received
SanFran#
Gain from
book
toisaddress
Layer 2because
VPN application
utilizing
Session PMTU is now enabled,
butthe
thefirst
path
MTU
still unknown
the PE has
not received an ICMP
both
ATOM
and
L2TP
protocols
unreachable "packet too big" message yet. Nevertheless, until the path MTU is known, the default
behavior is the same as before. Fragmentation is not possible until the MTU is known; therefore, if you
Review
strategies
that
allow
largesetup,
enterprise
customers
were to perform the initial
experiment
with
this
current
the result
wouldto
beenhance
analogous to before.
To trigger the path MTU to be discovered and the session PMTU to be updated, you need to send an IP
For a majority
a significant
portion
of their
revenues
packet from the Oakland
CE thatofisService
at leastProviders,
1465 bytes
long and has
the DF
bit set
that will be copied
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
over to the delivery header. Meanwhile, enable debug ip icmp. This example uses the same network
technologies.
fromFigure 13-1 (see
Example 13-11).
Example 13-11.
Triggering PMTU Discovery
infrastructure.
Oakland#debug ip
icmp
ICMP packet debugging is on
size 1465 introduces
df-bit
introductory
to abort.
assists readers
looking
meet those requirements
the
Sending 5, 1465-byte
ICMP Echos
toto192.168.105.2,
timeout by
isexplaining
2 seconds:
history
implementation
Packet sent with
the and
DF bit
set
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS.MMMM
cores and
Success rate isbased
0 percent
(0/5)
Oakland#
implementation
requirements
andrcv
02:13:02: ICMP:reader
dst (192.168.105.1)
frag.and
needed
and DF set
unreachable
192.168.105.2comparing them to those of Layer 3 based VPNs, such as MPLS, then
covering each
currently
available
solution
in greater detail.
02:13:02: ICMP:progressively
dst (192.168.105.1)
frag.
needed
and DF
set unreachable
rcv
192.168.105.2
02:13:02: ICMP: dst (192.168.105.1) frag. needed and DF set unreachable rcv
192.168.105.2
02:13:02: ICMP: dst (192.168.105.1) frag. needed and DF set unreachable rcv
192.168.105.2
Oakland#
from
from
from
from
You can see in the Oakland CE that the first ping times out ("." ). This is because the SanFran PE drops
the first ping packet in the P network, which triggers the ICMP unreachable message that the SanFran PE
absorbs, inspects, and uses to discover the path MTU. For the remaining four ICMP echo packets, you see
an M character standing for MTU, which means "Could not fragment." The four M characters correspond
Layer 2needed
VPN Architectures
to the four ICMP frag.
and DF set unreachable messages sent by the SanFran PE, received by the
Wei Luo,
CCIE
No. 13,291,
CarlosAlthough
Pignataro, -the
CCIE
No. 4619,
Bokotey,
CCIE
Oakland CE, and By
shown
in -the
debug
output.
source
forDmitry
these
ICMP- unreachables
is
No. SanFran
4460,Anthony
- CCIE No.
10,266
192.168.105.2, the
PEChan,
generates
these
ICMP unreachable messages by using a source IP
address that is equal to the destination IP address in the ICMP echo packets.
The first ping that is Pub

dropped
triggers an ICMP packet too big unreachable in the core that is sent toward
and terminated in the SanFran PE, because the DF bit is copied onto the IPv4 core delivery header. In the
ISBN: 1-58705-168-0
of
basicTable
network
in Figure 13-1, the ICMP error is sent from SanFran to SanFran because all the MTUs are
Pages:
Contents
the same
and equal to 1500 648
bytes. After the first ping is dropped, the PMTU is discovered. Example 13-12
Index
shows
the respective output in the SanFran PE with debug ip icmp and debug vpdn l2x-events
enabled.
Example 13-12.
Discovering PMTUD in the SanFran PE
productivity gains
SanFran#debug ip icmp
ICMP packet debugging is on
SanFran#debug vpdn l2x-events
L2X protocol events debugging is on
SanFran#
*Jul 6 03:09:47.799:
dstfirst
(10.0.0.203)
frag.
needed
DF set utilizing
unreachable sent
GainICMP:
from the
book to address
Layer
2 VPNand
application
to 10.0.0.201
*Jul 6 03:09:47.835: ICMP: dst (10.0.0.201) frag. needed and DF set unreachable rcv
from 10.0.0.201
*Jul 6 03:09:47.835:
L2TP: Socket
MTU changed
tocontrol
1500
theirTnl46820
service offerings
while maintaining
routing
SanFran#
SanFran#show l2tun
session of
all
vcid Providers,
50 | include
PMTU portion of their revenues
For a majority
Service
a significant
Session PMTU are
enabled,
pathfrom
MTU data
is 1500
bytes
still derived
and voice
SanFran#
You can also see services
the ICMPover
unreachables
thatLayer
the SanFran
generates
a sweep
their existing
3 cores.PE
The
solution with
in these
casesping
is a with verbose
output. This is, intechnology
fact, how devices
in
the
C
network
learn
about
the
adjusted
path
MTU
when they
perform their owninfrastructure.
PMTUD by setting the DF bit (see Example 13-13).

Network
(VPN)
Layerthe
2 VPN
techniques
Example 13-13.
ICMP
Unreachables
Sent from
SanFran
PEvia
with PMTUD
introductory
case
studies
and
comprehensive
design
scenarios.
This
book
Enabled
Oakland#ping the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSProtocol [ip]: based cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
Target IP address:
192.168.105.2
IP cores.
Repeat count [5]:
1 to Layer 2 VPN benefits and implementation requirements and
reader
Timeout in seconds
[2]:
progressively
Source address or interface:
Set DF bit in IP header? [no]: y
Loose, Strict, Record, Timestamp, Verbose[none]: v

Sweep interval [1]:
Sending 11, [1460..1470]-byte
ICMP Echos to 192.168.105.2, timeout is 2 seconds:
ByWei
Luo,DF
- CCIE
Packet sent with
the
bitNo.
set
No. 4460,
Anthony
- CCIE
No. 10,266
Reply to request
0 (20
ms)Chan,
(size
1460)
Reply to request Publisher:
2 (36 ms)
Cisco(size
Press 1462)
Reply to request Pub
3 (20
Date:ms)
March(size
10, 20051463)
ISBN: 1-58705-168-0
Table of
Unreachable
from 192.168.105.2, maximum MTU 1464 (size 1465)
Pages:
648
Contents
Unreachable
Index
Unreachable
Unreachable from 192.168.105.2, maximum MTU 1464 (size 1468)
the world
of Layerround-trip
2 VPNs to provide
enhanced
Success rate isMaster
45 percent
(5/11),
min/avg/max
= services
20/24/36and
msenjoy
productivity
gains
Oakland#

To prove the benefits of PMTUD, perform the original experiment sending 500 1465-byte packets from
the Oakland CE to the Albany CE and checking the NewYork PE and Albany CE counters. First clear all
counters (see Example 13-14).
Example 13-14. 1465-Byte Packets from the Oakland CE with PMTUD

Oakland#ping 192.168.105.2 size 1465 repeat 500
For a majority
to abort.
are
still
derived
data
voice services timeout
based on is
legacy
transport
Sending 500, 1465-byte ICMP from
Echos
to and
192.168.105.2,
2 seconds:
technologies.
Although
Layer
3
MPLS
VPNs
fulfill
the
market
need
for some
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
customers,
they
have
some
drawbacks.
Ideally,
carriers
with
existing
!!!!!!!!!!
while new
carriers would
like to sell
the lucrative
2
Success rate isbackbone
100 percent
(500/500),
round-trip
min/avg/max
= Layer
16/32/360
ms
services
over
their
existing
Layer
3
cores.
The
solution
in
these
cases
is a
Oakland#
infrastructure.
Layerthe
2 VPN
Architectures
introduces
readersPE.
Example 13-15 shows
switching
statistics
in the NewYork
Example 13-15.
Switching Statistics in the NewYork PE
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbased coresSerial
and Layer
5/02 Tunneling
stats
Serial5/0
reader path
to Layer 2Pkts
VPN benefits
and implementation
Switching
In
Chars
In Pkts Out requirements
Chars Out and
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as MPLS,
Processor
0
0
0
0 then
progressively
covering
each
currently
available
solution
in
greater
Route cache
500
734500
1000
746500 detail.
Total
500
734500
1000
746500
NewYork#
NewYork#show interfaces Serial 5/0 switching
Serial5/0
Throttle count
0
Drops
RP
0
SP
0
SPD Flushes
Fast
0
SSE
0
SPD Aggress
Fast
0
SPD Priority
Inputs
0
Drops
0
Protocol
Path
Pkts In
Chars In
Pkts Out
Chars Out
Other
Process
0
0
0
0
Cache misses
0
Layer 2 VPN
Architectures 500
Fast
734500
1000
746500
By
Wei Luo, - CCIE No. 13,291,0
Carlos Pignataro, - 0CCIE No. 4619,Dmitry Bokotey,
- CCIE
Auton/SSE
0
0
NewYork#
Example 13-15 shows that from the 500 packets that the Oakland CE sent and the SanFran PE received,
ISBN: 1-58705-168-0
the NewYork
Table of PE received 1000 packets from the Denver PE and sent them to the Albany CE. This is twice
Pages:
as many.
The CE IPv4 packet648
inside each frame that was received from SanFran was divided into two
Contents
fragments
Index and sent to two separate HDLC over L2TPv3 packets with their respective HDLC transport
overhead. See Example 13-16 for the SanFran PE statistics.
Master
worldFragmentation
of Layer 2 VPNs to and
provide
enhanced
services and
enjoySanFran
Example 13-16.
CEthe
IPv4
Packet
Statistics
in the
productivity
gains
PE
Learn about
Layer IP
2 Virtual
SanFran#show ip traffic
| include
stat|frag|reass
IP statistics:
SanFran#
SanFran#show l2tun both
session
vcid
50
ATOMpackets
and L2TP
protocols
due
toallow
failed
Reviewdropped
strategies
that
largedigest
enterprise
their
service offerings
while maintaining
controlBytes-Out
RemID
TunID
Pkts-In
Pkts-Out routing
Bytes-In
64786
48966
1000
1001
746500
748001
legacy
Layer
and Layer
3 networks
would
like
to move
toward
a fragmented
single
Example 13-16 shows
that
5002packets
were
fragmented.
One
packet
could
not be
but
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
triggered PMTUD. From the 500 fragmented IPv4 CE packets, 1000 L2TPv3 packets were sent into the
services
over
their
existing
Layer
3 cores.
The solution
these
is fragments
a
tunnel. You can also
validate
the
results
using
debug
ip packet
so that in
you
can cases
see the
in the
technology
that
would
allow
Layer
2
transport
over
a
Layer
3
CE device, as shown in Example 13-17.
infrastructure.
LocID
4437
SanFran#
Example 13-17.
IP Fragments in the Oakland CE

assists
Oakland#debug ip
packet
history
andon
IP packet debugging is
the
Cisco
Unified
VPN1465
suite:repeat
Any Transport
over MPLS (ATOM) for MPLSOakland#ping 192.168.105.2 size
1
based
cores
and
Layer
2
Tunneling
Protocol
IP
cores.
The
structure
of
this
book
is
focused
on firstis
introducing
the
Sending 1, 1465-byte ICMP Echos to 192.168.105.2, timeout
2 seconds:
!
them (1/1),
to thoseround-trip
of Layer 3 based
VPNs, such
MPLS, then
Success rate iscomparing
100 percent
min/avg/max
= as
32/32/32
ms
progressively
covering
each
currently
available
solution
in
greater detail.
Oakland#
03:41:58: IP: s=192.168.105.1 (local), d=192.168.105.2 (Serial5/0), len 1465, sending
03:41:58: IP: s=192.168.105.1 (local), d=192.168.105.2 (Serial5/0), len 1465, sending
full packet
03:41:58: IP: s=192.168.105.2 (Serial5/0), d=192.168.105.1, len 44, rcvd 2
03:41:58: IP: recv fragment from 192.168.105.2 offset 0 bytes
03:41:58: IP: s=192.168.105.2 (Serial5/0), d=192.168.105.1, len 1441, rcvd 2
03:41:58: IP: recv fragment from 192.168.105.2 offset 24 bytes
03:41:58: ICMP: echo reply rcvd, src 192.168.105.2, dst 192.168.105.1
Oakland#
Notice in Example 13-17 that although the Oakland and Albany CE devices send full unfragmented IP
packets, they receive fragmented IP packets. You can see an IP packet composed of two fragments of
Wei1441
Luo, - bytes.
CCIE No.
13,291,Carlosthe
Pignataro,
- CCIE
No. 4619,Dmitry
Bokotey,
CCIE make the 1465lengths 44 bytes By
and
Coalescing
two and
removing
the extra
IP -header
No. 4460,
Chan, -20
CCIE
No. 10,266
byte packet (44 bytes
+ Anthony
1441 bytes
bytes
= 1465 bytes).
The most important Publisher:
thing, however,
Cisco Pressis that the NewYork PE device does not perform reassembly, and the
1000 packets are switched
the fast
switching path, which is CEF-switched in this case. As far as the
Pub Date:inMarch
10, 2005
NewYork PE and the Albany
CE
can
see,
it is as if the Oakland CE fragmented the packets. The CPUISBN: 1-58705-168-0
Table reassembly
of
intensive
is now pushed onto the Albany CE (see Example 13-18).
Contents
Index
Pages: 648
Example 13-18. Fragmentation Statistics in the Albany CE

the|world
of Layer
VPNs to provide enhanced services and enjoy
Albany#show ip Master
traffic
include
IP 2
stat|frag|reass
productivity
gains
IP statistics:
Albany#
You can see from Example 13-18 that the Albany CE reassembles the 500 packets. This is the goal of
prefragmentation: to effectively push the costly reassembly operation to the CE device.

their with
serviceDF
offerings
Combining PMTUD
Bit while maintaining routing control
As powerful as the PMTUD feature is, by itself it contains the weakest link. The key to the correct
functioning of PMTUD is the discovery of the path MTU. As you have seen already, to discover the path
MTU, you need to have a large packet with the DF bit set sent from the CE device, which means the
whole process is controlled by the CE. Moreover, after a specified timer that defaults to 10 minutes, the
path that MTU discovers is restored to a default value (see Example 13-19).
Example 13-19.
PMTUD Timeout
infrastructure.
SanFran#
*Jul 6 03:19:47.852: L2X: Restoring default pmtu for peer 10.0.0.203
IP cores.
structure
of this
book
focused
first
introducing
the
Also, PE devices that
have The
PMTUD
enabled
but do
notishave
the on
path
that
MTU discovered
copy the DF bit
to Layer
2 VPN
benefits
and
implementation
and
from the inner CEreader
IPv4 header
into
the outer
IPv4
delivery
header butrequirements
otherwise act
as if PMTUD is
comparing
thembut
to those
of Layer
based
VPNs, such
then
disabled. If PMTUD
is configured
the path
MTU is3 not
discovered
andas
CEMPLS,
packets
do not have the DF
progressively
covering
each
currently
available
solution
in
greater
detail.
bit set, the reassembly occurs in the PE device (see Example 13-20).
Example 13-20. PMTU Not Discovered

SanFran#show l2tun session all vcid 50 | include PMTU
SanFran#

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!Output omittedByWei
forLuo,
brevity
!!!!!!!!!!
Oakland#
NewYork#show l2tun
vcid 50 | include Packets
Pubsession
Date: Marchall
10, 2005
500 Packets sent,
500
received
ISBN: 1-58705-168-0
Table of
NewYork#show
interface
Serial5/0
stats
Pages:
648
Contents
Serial5/0
Index
Switching path
Pkts In Chars In Pkts Out Chars Out
Processor
0
0
500
734500
Route cache
500
734500
0
0
Total
500
734500
500
734500
NewYork#
productivity gains

You can see in Example 13-20 that PMTU is not discovered and reassembly occurs in the NewYork PE. If
you trigger the discovery
of path
MTU
and
perform
same
exercise,
IP fragmentation
reassembly is
Reduce
costs
and
extend
thethe
reach
of your
services
by unifying your
pushed onto the CE device
(see
Example
13-21).
both ATOM
and L2TP protocols
Example 13-21. PMTU
Discovered
Oakland#
! Triggering PMTUD
For a majority of
Service
a significant
size
1465Providers,
df-bit repeat
1
to abort.
technologies.
ICMP
Echos
192.168.105.1,
timeout
is 2with
seconds:
customers,
they
haveto
some
drawbacks. Ideally,
carriers
existing
Packet sent with
the
DF
bit
set
.
Success rate isservices
0 percent
(0/1)
over their
technology thatsize
would1465
allowrepeat
Layer 2500
infrastructure.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!Output omittedNetwork
for brevity
introductory
!!!!!!!!!!
assists
readers
to meet
those requirements
by explaining
the ms
Success rate is 100 percent looking
(500/500),
round-trip
min/avg/max
= 8/31/252
history
and
implementation
details
of
the
two
technologies
available
from
Oakland#
NewYork#show l2tun
session
all vcid
50 |book
include
Packets
IP cores.
The structure
of this
is focused
1000 Packets
sent,
1500 2received
reader
to Layer
NewYork#show interface
stats
comparingSerial5/0
them to those
Serial5/0
Switching path
Pkts In
Chars In Pkts Out Chars Out
Processor
0
0
500
734500
Route cache
1000
1469000
1000
746500
Total
1000
1469000
1500
1481000
NewYork#
Observe in Example 13-21 that the 1465-byte packet with the DF bit set triggers PMTUD, and the 500
packets that the Oakland CE sends to the Albany CE are received as 1000 packets in the NewYork PE and
then switched in the fast path. The highlighted Route cache line in the show interface stats command
shows that these packets are fast switched. On the other hand, PMTUD is not triggered in the other
direction (return path from the Albany CE to the Oakland CE); therefore, only 500 packets are sent from
Layer
VPN Architectures
the NewYork PE to
the2SanFran
PE on the way back, and the SanFran PE does the reassembly.
Note

ISBN: 1-58705-168-0
Because
of this reason
and to add predictability to the PMTUD process and decouple the CE
Table of
Pages:
devices
process, use PMTUD in conjunction with the DF bit set. Otherwise,
Contents from driving the648
are not prefragmented. They are post-fragmented unless the CE device sends a large
packets
Index
packet with the DF bit set to trigger PMTUD as usual. Combining PMTUD with setting the DF bit
allows the PE to obtain the PMTU more quickly and predictably.
productivity gains
The PE device can take a more active role in the PMTUD process and strengthen the whole concept. You
can bring this about by setting the DF bit in all packets in the outer delivery IPv4 header. As a result,
Learn
about
Layer 2 The
Virtual
Private
Networks (VPNs)
reassembly is prevented
in the
PE devices.
required
configuration,
shown in Example 13-22, is
accomplished by using the ip dfbit set command in the pseudowire class. You create a new pseudowire
class exactly like the previous one, with the addition of the ip dfbit set command, which you use in the
Serial 5/0 xconnect.
Example 13-22. PMTUD Combined with DF Bit Setting Configuration

!
hostname SanFran
!
pseudowire-class
wan-l2tpv3-pw-pmtu-df
technologies.
encapsulation customers,
l2tpv3
sequencing both
protocol l2tpv3
l2tpv3-wan
backbone
ip local interface
Loopback0
services
ip pmtu
ip dfbit set infrastructure.
!
interface Serial5/0
no ip address Network (VPN) concepts, and describes Layer 2 VPN techniques via
no cdp enable introductory case studies and comprehensive design scenarios. This book
xconnect 10.0.0.203
50 pw-class
assists readers
lookingwan-l2tpv3-pw-pmtu-df
!
Caution progressively covering each currently available solution in greater detail.
Before you enable PMTUD, make sure that end-to-end PMTUD works. If it does not work, you
could break applications just by setting the DF bit. PMTUD might not operate correctly if ICMP
unreachables are blocked or end devices are noncompliant.
You can see the DF bit configuration in the show l2tun session command output, as shown in Example
13-23.
Example 13-23. PMTUD Combined with DF Bit Setting Verification

SanFran#show l2tun
session all vcid 50
Session Information

ISBN: 1-58705-168-0
Table
of
Remote
tunnel
name is NewYork
Pages:
648
Contents address is 10.0.0.203
Internet
Index
Session
is L2TP signalled
Master dropped:
Receive packets
productivity gains
out-of-order:
0
total:
0
0
total:
0
Session vcid is 50
Circuit state is Gain
UP from the first book to address Layer 2 VPN application utilizing
Remote session both
id is
38115,
tunnel id 47670
ATOM
and remote
L2TP protocols
DF bit on, ToS reflect
ToSallow
value
0, enterprise
TTL value
255
Review disabled,
strategies that
large
customers
to enhance
local cookie, size 4 bytes, value 17 72 1D 8B
remote cookie,
size 4 bytes,
value
3D 49 a99
2F
For a majority
of Service
Providers,
significant
FS cached header
information:
are still
encap size technologies.
= 32 bytes Although Layer 3 MPLS VPNs fulfill the market need for some
00000000 00000000
00000000
00000000
customers,
they have
00000000 00000000
00000000
00000000
legacy Layer
2 and Layer
Sequencing is on
Ns 0, Nr 0, 0 out of order packets received
SanFran#
infrastructure.

With this configuration, the PE sets the DF bit in the IPv4 delivery header and participates in PMTUD
regardless of the DF bit setting in the packets it receives. If the CE devices do not set the DF bit in IPv4
packets, the session PMTU is still discovered and acted upon.
the Cisco example
Unified VPN
suite: Any
Transport
over
for MPLSNext, examine a complete
of PMTUD
when
the PE has
ipMPLS
dfbit(ATOM)
set explicitly
configured. Example
based
cores
and
Layer
2
Tunneling
Protocol
version
3
(L2TPv3)
for native
13-24 shows 500 1465-byte IP packets without the DF bit set sent from the Oakland
CE to the Albany
CE.
Example 13-24. PMTUD Combined with DF Bit Setting Operation


..!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!
Oakland#
You can see that By

only
the No.
500
pings
arePignataro,
successful.
The
outline
Wei498
Luo, -ofCCIE
13,291,
Carlos
- CCIE
No.following
4619,Dmitrysteps
Bokotey,
- CCIE the process:
1. The Oakland CE sends the first IP/ICMP request packet over HDLC. The SanFran PE receives it,
encapsulates it with
the L2TPv3 and IPv4 delivery headers, and sends it to the IP layer. The SanFran
PE sets the DF bit in the delivery header because of the ip dfbit set command.
ISBN: 1-58705-168-0
Table
2. The
IPofpacket is dropped in the SanFran PE in the IP layer because it is too big and has the DF bit set.
Pages: 648
Contents
This
triggers an ICMP type 3 code 4 message that is used to discover the path MTU. The ICMP type 3
code
Index4 packet is generated source from and destined to the SanFran PE; the source IP address is
from the outgoing interface of the originating device, and the destination address comes from the
source IP address of the dropped L2TPv3 packet. In the general case, the ICMP type 3 code 4 packet
would be sourced from a router in the IP cloud that is destined to the PE device. Note that as far as
Master the
of was
Layer
2 VPNs
to provide
andThis
enjoy
L2TPv3 is concerned,
thisworld
packet
sent
and will
show upenhanced
in L2TPv3services
counters.
packet times out
productivity
gains
in the Oakland CE.
3. The Oakland CE sends

theabout
second
IP packet
over
HDLC.
The SanFran
PE prefragments (before
Learn
Layer
2 Virtual
Private
Networks
(VPNs)
encapsulation) this packet and sends two L2TPv3 packets to the NewYork PE and onto the Albany CE.
4. The Albany CE reassembles
the IP packet and replies with a 1465-byte ICMP Echo reply, which is
encapsulated in L2TPv3 in the NewYork PE but later dropped at the IP layer in the NewYork PE. This
Gain
from 4
the
first book
to is
address
2 VPN
triggers an ICMP type
3 code
message
that
used toLayer
discover
theapplication
path MTU utilizing
on the NewYork PE for
both
ATOM
and
L2TP
protocols
the return path. The ICMP type3 code 4 packet is generated source from and destined to the NewYork
PE. The source IP address is from the outgoing interface of the originating device, and the destination
address comes from the source IP address of the dropped L2TPv3 packet. This packet times out in
the Oakland CE.

5. The Oakland CE
a third from
IP packet
HDLC.services
The SanFran
it, prefragments it, and
aresends
still derived
data over
and voice
based PE
on receives
legacy transport
sends it as two
L2TPv3
packets
to
the
NewYork
PE
and
as
two
IPv4
over
HDLC
technologies. Although Layer 3 MPLS VPNs fulfill the market needfragments
for some to the
Albany CE.
new carriers
would
likewith
to sell
lucrative
Layer
2
6. The Albany CEbackbone
performswhile
the reassembly
and
replies
an the
ICMP
Echo reply
message.
The NewYork
services
over
their
existing
Layer
3
cores.
The
solution
in
these
cases
is aand sends two
PE, which now knows the PMTU, receives this reply, prefragments the IPv4 CE packet,
technology
that would
allow
Layer 2PEtransport
over
Layerover
3 HDLC frames to the
L2TPv3 packets
to the SanFran
PE. The
SanFran
sends the
twoa IPv4
Oakland CE. infrastructure.
7. The Oakland CE receives the two fragments, reassembles the IP packet, and receives the ping reply.
This third ping is successful.
8. The remaininghistory
497 packets
follow the same
process
as this
packet. available from
and implementation
details
of the
two third
technologies
This complete process
is depicted
in Figure
13-4.
IP cores.
The structure
of this
Figure 13-4. Processing with L2TPv3 PMTUD and DF Bit Setting Enabled

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
For
a majority
of counters
Service Providers,
significant
of their
revenues
You can also track
various
packet
along the away,
startingportion
from the
SanFran
PE (see Example
13-25).
legacy
Layer 2 and
3 networks
wouldinlike
to SanFran
move toward
Example 13-25.
PMTUD
andLayer
DF Bit
Counters
the
PEa single
would allow
SanFran#show iptechnology
traffic that
| include
IP stat|frag|reass
IP statistics: infrastructure.
499 fragmented,
1 couldn't fragment
Network
(VPN)
concepts,
and
SanFran#show l2tun session packet vcid 50
introductory
case
studies
and
comprehensive
assists
readers
looking
to
meet
those
requirements
by explaining the
LocID
RemID
Pkts-In
Pkts-Out
Bytes-In
Bytes-Out
the Cisco TunID
Unified VPN suite:
Any Transport
over MPLS
(ATOM) for
MPLS12967
49396
62563
996
999
743514
746508
based cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for
native
SanFran#
In the output of the show ip traffic command, you can see that the SanFran PE could not fragment one
packet: packet number 1.
This packet also shows up in the L2TPv3 session counters. The SanFran PE fragmented the remaining 499
packets, creating 2 * 499 = 998 L2TPv3 packets. These 999 (1 + 998) packets are shown as packets
sent out and into the tunnel in the L2TPv3 session packet counters. Example 13-26 shows the respective
counters in the NewYork PE, including the 998 L2TPv3 packets that are counted as packets from the
SanFran PE.
Example 13-26. PMTUD and DF Bit Counters in the NewYork PE

2 VPN Architectures
NewYork#show ipLayer
traffic
| include IP stat|frag|reass
IP statistics: ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
Frags: 0 reassembled,
0 Chan,
timeouts,
0 10,266
couldn't reassemble
No. 4460,Anthony
- CCIE No.
NewYork#show l2tun
session
vcid 50
Publisher:
Ciscopacket
Press
Session Information
Table of
LocID
Contents RemID
49396
12967
Index
NewYork#
ISBN: 1-58705-168-0
Pages:
648
TunID
35876
Pkts-In
998
Pkts-Out
997
Bytes-In
745007
Bytes-Out
745015
The output of theproductivity
command show
gains ip traffic from the NewYork PE shows that one packetthe reply to
packet number 2could not be fragmented. The remaining 498 packets (from packet 3 through packet
500) were prefragmented, creating 996 L2TPv3 packets that you can see in Example 13-25 in the
SanFran PE as packetsLearn
in from
the tunnel
thePrivate
NewYork
PE. These
997 (1 + 996) packets appear as
about
Layer 2from
Virtual
Networks
(VPNs)
packets out, meaning into the L2TPv3 tunnel in the output of the command show l2tun session packet
in NewYork.
Gain from and
the first
to address Layer
2 VPN
application
Example 13-27. PMTUD
DFbook
Bit Counters
in the
Albany
CE utilizing
Review
strategies
Albany#show ip traffic
| i
IP stat|frag|reass|ICMP|echo
IP statistics:
For a majority
of Servicefragment
0 fragmented,
0 couldn't
are
still
derived
from
data
ICMP statistics:
technologies.
Although
Layer
MPLS VPNs0 fulfill
market need
for some
499 echo, 0 echo reply, 0 mask 3
requests,
maskthe
replies,
0 quench
customers,
they have some
Sent: 0 redirects,
0 unreachable,
0 drawbacks.
echo, 499 Ideally,
echo reply
Albany#
infrastructure.
The new configuration
effectively pushes the reassembly into the CE devices. Albany reassembled 499
packets (all except packet number 1) from ICMP Echo messages and replied to them.
Network
concepts,
and
Layer
Example 13-28 shows
the (VPN)
IP traffic
counters
fordescribes
the Oakland
CE.
history
and implementation
of the two
technologies
available
Example 13-28.
PMTUD
and DF Bitdetails
Counters
in the
Oakland
CE from
IP cores.
The structure
of this book
PMTUD and DF Bit
Counters
in the Oakland
CE is focused on first introducing the
to Layer
VPN
Oakland#show ipreader
traffic
| i 2IP
stat|frag|reass|ICMP|echo
IP statistics: comparing them to those of Layer 3 based VPNs, such as MPLS, then
each currently
available
Frags: 498 reassembled,
0 timeouts,
0 couldn't
reassemble
ICMP statistics:
0 echo, 498 echo reply, 0 mask requests, 0 mask replies, 0 quench
Sent: 0 redirects, 0 unreachable, 500 echo, 0 echo reply
Oakland#
You can see that the Oakland CE reassembled 498 packets from the 498 respective Echo replies (all
except packets 1 and 2, which were dropped in the core to discover the PMTU).

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.

AdvancedBy
ATM
Transport over L2TPv3
The previous sectionPublisher:

coveredCisco
PMTUD
Pressthat applies to the transport of all Layer 2 protocols over L2TPv3.
This section covers the
tunneling of ATM over L2TPv3. First you learn about ATM OAM
Pub transport
Date: March and
10, 2005
local emulation mode for AAL5 CPCS-SDU Transport. Then you learn about ATM cell packing for cell
ISBN: 1-58705-168-0
Table
relay
(CR)ofover L2TPv3.
Contents
Index
Pages: 648
Case Study 13-2: ATM OAM Emulation

Masterexist
the world
of Layer OAM
2 VPNs
to in
provide
enhanced
and enjoy
Two operational modes
for managing
cells
an AAL5
L2TPv3 services
pseudowire:
productivity gains
OAM transparent mode In this mode, PE devices transport OAM cells transparently across the
about
Layer
Virtual
Private Networks
pseudowire. TheyLearn
do this
via the
use2of
the Transport
bit (T-bit)(VPNs)
in the mandatory ATM-Specific
Sublayer to indicate that the L2TPv3 packet contains an ATM admin cell.
network
architecture
OAM local emulation
mode
In this mode, PE devices do not transport OAM cells over the
pseudowire. Instead, they locally terminate and process VC OAM cells (F5 OAM cells).
both ATOM andof
L2TP
protocols
You can see a graphic representation
these
two operational modes for OAM flows in Figure 13-5.

Figure 13-5. Operational Modes for OAM Flows in L2TPv3

infrastructure.
You might wonder when you would use ATM OAM local emulation. You can use OAM emulation to
locally terminate or loop the OAM cells in two realistic scenarios:
When a PE device does not support the transport of OAM cells across the AAL5 L2TPv3 session.
When you are using different virtual path identifier (VPI) or virtual circuit identifier (VCI) values at
both ends of an AAL5 L2TPv3 pseudowire. Rewriting the VPI/VCI values for admin cells that are
transported over AAL5 SDU L2TPv3 sessions is not supported.
Layer
VPN learn
Architectures
In this case study,
you2 will
OAM emulation in L2TPv3 using the topology shown in Figure 13-6.
Note that the VPI/VCI
different
in both
of the
ByWei pair
Luo, -isCCIE
No. 13,291,
Carlosendpoints
Pignataro, - CCIE
No.pseudowire.
Figure
13-6.
L2TPv3 OAM Emulation Topology
Pub Date: March
10, 2005
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
In AAL5 SDU L2TPv3 sessions, the VPI/VCI pair that makes up the attachment circuits for the PVCs can
Gain from
first book
to However,
address Layer
application
utilizing The
be different at both endpoints,
asthe
in Figure
13-6.
such 2a VPN
scenario
has a limitation:
both
ATOM
and
L2TP
protocols
VPI/VCI cannot be rewritten for cells that are transported over the AAL5 pseudowire. This limitation
exists only for ATM cells that are transported over the AAL5 SDU pseudowire; it does not pose a
strategies
that over
allowit.large
enterprise transport
customersoftoraw
enhance
problem for AAL5 SDUsReview
that are
transported
For successful
ATM cells (such as
their
service
offerings
while
maintaining
routing
control
F5 OAM cells) over an AAL5 SDU pseudowire, the VPI/VCI pair needs to match at both ends. The only
way of supporting OAM management of CE PVCs with different VPI/VCIs is by enabling OAM local
emulation. With OAM local emulation, OAM cells are looped back or terminated and acted upon in the
PE's attachment circuit. They are not transported over the pseudowire.
Note
infrastructure.
When an L2TPv3
PE that is configured for OAM emulation receives an OAM cell indicating an
alarm condition such as OAM AIS, a Set-Link-Info (SLI) message is triggered to notify the
2 VPN instead
Architectures
introduces
readers
tosession.
Layer 2 This
Virtual
Private
remote PE ofLayer
the defect
of tearing
down the
L2TPv3
in turn
triggers the
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via
generation of OAM alarm signals in the remote end of the L2TPv3 session and
toward the
introductory
studies alarm
and comprehensive
design scenarios.
Thisasbook
remote CE. This
achievescase
end-to-end
indication, maintaining
the session
UP but
assists
readers
looking
to
meet
those
requirements
by
explaining
the
alarmed.
IP cores.
The structure
of this
is focused
on first
introducing
thedevices.
Example 13-29 shows
the L2TPv3
sessions
usedbook
in both
the SanFran
and
NewYork PE
Example 13-29. OAM Emulation Sessions
SanFran#show l2tun session circuit vcid 27 | begin Loc

LocID
TunID
Peer-address
Type Stat Username, Intf/
Vcid, Circuit
10314
22650
10.0.0.203
ATM UP
27, AT5/0:0/100
SanFran#
NewYork#show l2tun session circuit vcid 27 | begin Loc
LocID
TunID
Peer-address
38764
45445
10.0.0.201
NewYork#
Type Stat Username, Intf/

Vcid, Circuit
ATM UP
27, AT5/0:0/101
Now enable OAM PVC management in the Oakland and Albany PVCs with the command oam-pvc
manage.Example 13-30 shows the configuration for the Oakland endpoint.
Table of
Contents
Example
Index
ISBN: 1-58705-168-0
Pages: 648
13-30. OAM PVC Management Configuration in the CEs
!
hostname Oakland
!
productivity
gains
interface ATM6/0.1
point-to-point
ip address 192.168.103.1 255.255.255.252
pvc 0/100
oam-pvc manage
!
encapsulation aal5snap
ATOM
L2TP
protocols
The CE PVCs go into a both
DOWN
stateand
when
OAM
cells that are looped back are not received (see Example
13-31).
Example 13-31.
PVCsofGo
DOWN
Without
OAM-AC
Emulation
For a CE
majority
Service
Providers,
a significant
portion
of their revenues
Oakland#show atm pvc interface ATM 6/0.1
VCD /
Peak Avg/Min Burst
Interface
Name
VPI
VCI Type
Encaps
Kbps
Kbps Cells Sts
6/0.1
1
0
100 PVC
SNAP
149760
N/A
DOWN
infrastructure.
You can use the command show atm vc to display the OAM state and counters (see Example 13-32).
Example 13-32.
CE PVCs DOWN and OAM Counters
the vc
Cisco
Unified VPN
Any
Transport over MPLS (ATOM) for MPLSOakland#show atm
interface
ATMsuite:
6/0.1
detail
cores
Layer
ATM6/0.1: VCD: based
1, VPI:
0,and
VCI:
UBR, PeakRate: IP
149760
to Layer
2 VPN 0xC20,
benefits VCmode:
and implementation
requirements and
AAL5-LLC/SNAP, reader
etype:0x0,
Flags:
0x0
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as MPLS, then
OAM frequency: 10 second(s)
progressively
covering
each
currently
available
solution
in greater detail.
Transmit priority 4
Out CLP=1 Pkts: 0
OAM cells sent: 16
Status: DOWN
The command show

presents
enhanced
statistics
counters,
including
the fact that the
ByWeiatm
Luo, -pvc
CCIE
No. 13,291,
Carlos Pignataro,
- CCIEand
No. 4619,
Dmitry Bokotey,
- CCIE
ATM PVC state is No.
managed
by
OAM
events
(see
Example
13-33).
Example 13-33.
CE PVCs DOWN and Enhanced OAM Counters
Table of
ISBN: 1-58705-168-0
Pages:
648
Oakland#show
atm pvc
0/100
Contents
ATM6/0.1:
VCD:
1,
VPI:
0,
VCI: 100
Index
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
OAM frequency: 10 second(s), OAM retry frequency: 1 second(s)
Master 3,
theOAM
world
of Layer
2 VPNs
to provide
OAM up retry count:
down
retry
count:
5
productivity
OAM Loopback status:
OAM gains
Sent
OAM VC state: Not Verified
ILMI VC state: Not Managed
VC is managed by OAM.

Transmit priority 4Reduce costs and extend the reach of your services by unifying your
architecture
InPkts: 0, OutPkts:network
0, InBytes:
0, OutBytes: 0
0, OverSizedSDUs:
0 enterprise customers to enhance
Review strategies
that allow large
Out CLP=1 Pkts: 0 their service offerings while maintaining routing control
F5 InEndloop: 0,
InSegloop:
0, F5Providers,
InAIS: 0,
F5 InRDI:
0
ForF5
a majority
of Service
a significant
portion
of their revenues
OAM cells sent:are
16still derived from data and voice services based on legacy transport
F5 OutEndloop: technologies.
16, F5 OutSegloop:
0, F53OutAIS:
0, fulfill
F5 OutRDI:
0 need for some
Although Layer
MPLS VPNs
the market
OAM cell drops:customers,
0
Status: DOWN, State:
NOT_VERIFIED
legacy Layer
Oakland#
infrastructure.
By comparing Example 13-32 and Example 13-33, you can see the difference in output between the
oldshow atm vc Layer
command
the new show
atm pvc
command.
The2latter
contains
2 VPNand
Architectures
introduces
readers
to Layer
Virtual
Privatemuch more
detailed information
than
the
former.
For OAM emulation to work effectively, you must enable it in both ends simultaneously. The L2TPv3
extensions for ATM pseudowires define the new OAM Emulation Required Attribute-Value Pair (AVP) to
be used in AAL5 CPCS-SDU mode to signal OAM Emulation. OAM Emulation AVP is a boolean AVP that
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLShas no attribute value. Its mere presence or absence indicates a TRUE or FALSE value, respectively.
IP cores.
The structure
of this on
book
is side,
focused
firstLCCE
introducing
thesupport it, which
If OAM cell emulation
is configured
or detected
one
theon
other
also must
reader
to
Layer
2
VPN
benefits
and
implementation
requirements
and
is the purpose of the OAM Emulation Required AVP signaling method. If the other LCCE cannot support
comparing
those
of the
Layer
3 based L2TP
VPNs,session
such asvia
MPLS,
then
the OAM cell emulation,
you them
must to
tear
down
associated
a Call-Disconnect-Notify
progressively
covering
each
currently
available
solution
in
greater
detail.
(CDN) message.
Example 13-34 shows the command to enable OAM emulation in the SanFran PE.
Example 13-34. Enabling OAM Emulation in the SanFran PE

interface ATM5/0
oam-ac emulation-enable 2
encapsulation aal5
!
The rate in seconds at which OAM alarm indication signal (AIS) cells are sent follows the command
oam-ac emulation-enable.
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Note
After you enable OAM emulation with the oam-ac emulation-enable command, you can
make the usual
OAMthe
Management
commands
such
as oam-pvc
manage
in the
Master
world of Layer
2 VPNs to
provide
enhanced
servicesavailable
and enjoy
Layer 2 transport
PVC.
A
Layer
2
transport
PVC
(attachment
circuit)
that
has
been
configured
productivity gains
for OAM emulation can periodically send OAM loopback cells toward the CE router and
manage the Layer 2 transport PVC status based on the reply to those OAM loopback cells.
At this point, you havenetwork
enabled architecture
OAM emulation only at one endin the SanFran PE. As you have learned
already in this section, this tears down the session with a CDN message because the OAM emulation
Gain
from
theExamples
first book13-33
to address
Layer
2 VPN
application
utilizingin the
value does not match at
both
ends.
through
13-35
show
the L2X debugs
both
ATOM
and
L2TP
protocols
SanFran and NewYork PEs. The debugs that are enabled are debug vpdn l2x-errors,debug vpdn
l2x-events, and debug vpdn l2x-packets. L2X means that the command is applicable to both Layer
strategies
that allow
largeprotocols.
2 Forwarding (L2F) andReview
Layer 2
Tunnel Protocol
(L2TP)
Example 13-35 shows an Incoming-Call-Request (ICRQ) message that the SanFran PE receives. It has
For2 afor
majority
of Service
Providers,
significant
of their revenues
a pseudowire Type
AAL5 SDU
and a VC
ID (end aidentifier)
ofportion
27.
Example 13-35.
Mismatch OAM-AC Emulation ConfigurationICRQ
services
SanFran#debug vpdn
l2x-errors
technology
that would
L2X protocol errors debugging
is on
infrastructure.
SanFran#debug vpdn l2x-packets
L2X control packets debugging is on
SanFran#
SanFran#show debugging
VPN:
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSL2X protocol events debugging is on
L2X control packets debugging is on
L2X protocol errors debugging is on
SanFran#
*Jul 6 18:27:26.792: Tnl56204 L2TP: Parse AVP 0, len 8, flag 0x8000 (M)
*Jul 6 18:27:26.792: Tnl56204 L2TP: Parse ICRQ
*Jul 6 18:27:26.792: Tnl56204 L2TP: Parse Cisco AVP 7, len 8, flag 0x8000 (M)
*Jul 6 18:27:26.792: Tnl56204 L2TP: Pseudo Wire Type 2
*Jul 6 18:27:26.792: Tnl56204 L2TP: Parse Cisco AVP 6, len 8, flag 0x0
*Jul 6 18:27:26.792: Tnl56204 L2TP: End Identifier 27
*Jul 6 18:27:26.792: Tnl56204 L2TP: Parse AVP 47, len 10, flag 0x0
*Jul 6 18:27:26.792: Tnl56204 L2TP: L2 Specific Sublayer 2
The ICRQ message also includes the Layer 2-Specific Sublayer AVP specifying the ATMSpecific Sublayer
2 VPN Architectures
with a value of 2.Layer
No OAM
Emulation Required AVP is available because it has not been configured in
ByWei Luo, 13-36
- CCIE No.
13,291,
Carlos
Pignataro, - CCIE No. 4619,
Dmitry
Bokotey, - in
CCIE
the NewYork PE. Example
shows
the
Incoming-Call-Reply
(ICRP)
message
reply as received
by the NewYork PE.
Pub
Date: March 10,OAM-AC
2005
Example 13-36.
Mismatch
Emulation ConfigurationICRP
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
NewYork#debug
vpdn l2x-errors
Index
L2X protocol
errors debugging is on
NewYork#debug vpdn l2x-events

NewYork#debug vpdn l2x-packets
Master debugging
the world ofis
Layer
L2X control packets
on 2 VPNs to provide enhanced services and enjoy
productivity
gains
NewYork#
NewYork#
*Jul 12 06:19:12.309:
Tnl65533
L2TP:
ParsePrivate
ICRP Networks (VPNs)
Learn
about Layer
2 Virtual
*Jul 12 06:19:12.313:
Tnl65533
L2TP:
Local
ID 12575
Reduce
costs and
extend
the Session
reach of your
*Jul 12 06:19:12.313:
Tnl65533
L2TP:
Parse
Cisco
AVP
4, len 10, flag 0x8000 (M)
*Jul 12 06:19:12.313: Tnl65533 L2TP: Remote Session ID 38123
*Jul 12 06:19:12.313:
L2TP:
Parse
Cisco Layer
AVP 7,
lenapplication
8, flag 0x8000
GainTnl65533
from the first
book
to address
2 VPN
utilizing (M)
*Jul 12 06:19:12.313:
Pseudo Wire Type 2
bothTnl65533
ATOM andL2TP:
L2TP protocols
Review
strategies
thatOAM
allow
large enterprise
*Jul 12 06:19:12.313:
Tnl65533
L2TP:
Emulation
Required
theirTnl65533
service offerings
while maintaining
routing
*Jul 12 06:19:12.313:
L2TP: Parse
AVP 47, len
10, control
flag 0x0
*Jul 12 06:19:12.313: Tnl65533 L2TP: L2 Specific Sublayer 2
For a majority
of Service
a significant
*Jul 12 06:19:12.313:
Tnl65533
L2TP:Providers,
No missing
AVPs inportion
ICRP of their revenues
are still derived
from data and voice
based on Required
legacy transport
*Jul 12 06:19:12.313:
Tnl/Sn65533/38123
L2TP:services
OAM Emulation
AVP in ICRP
technologies.
Although
Layer down
3 MPLS
VPNs
contradicts with
local config.
Tearing
the
session.
FromExample 13-36,
you over
can see
that
the ICRP
as 3received
from
NewYork
contains
a pseudowire
Type
services
their
existing
Layer
cores. The
solution
in these
cases
is a
2 for AAL5 and the
Layer 2-Specific
Sublayer
value
of 2 for
ATM.
In addition,
the ICRP contains
technology
that would
allow with
Layera 2
transport
over
a Layer
3
the OAM Emulation
Required AVP because it has been configured in the SanFran PE. The OAM
infrastructure.
Emulation Required AVP uses Cisco AVP 108 waiting for IANA assignment.
Example 13-36 shows
the (VPN)
mismatch
of OAM
emulation
configuration
in the
Network
concepts,
and
describes
Layer 2 VPNdetected
techniques
via NewYork PE. The
NetYork PE tears introductory
down the session
by sending
CDN message design
(see Example
13-37).
case studies
and acomprehensive
scenarios.
This book
the Cisco
Unified VPN
suite: Any
Transport over
MPLS (ATOM) for MPLSExample 13-37.
Mismatch
OAM-AC
Emulation
ConfigurationCDN
SanFran#
*Jul 6 18:27:26.812:
Tnl56204
L2TP:ofParse
CDN
comparing
them to those
Layer 3
*Jul 6 18:27:26.812:
Tnl56204
L2TP:
AVPavailable
1, len solution
10, flag
0x8000 detail.
(M)
progressively
covering
eachParse
currently
in greater
*Jul 6 18:27:26.816: L2X: Result code(4): 4: Call failed, not enough resources
(temporary)
*Jul 6 18:27:26.816:
Error code(0): No error
*Jul 6 18:27:26.816: Tnl56204 L2TP: Local Session ID 38123
*Jul 6 18:27:26.816: Tnl56204 L2TP: Remote Session ID 12575
*Jul 6 18:27:26.816: Tnl56204 L2TP: No missing AVPs in CDN
*Jul 6 18:27:26.816: Tnl/Sn56204/12575 L2TP: I CDN from NewYork tnl 65533, cl 38123
*Jul 6 18:27:26.816: Tnl/Sn56204/12575 L2TP: Destroying session
*Jul 6 18:27:26.816: Tnl/Sn56204/12575 L2TP: Session state change from wait-connect

to idle
FromExample 13-37,
youAnthony
can see
that
theNo.
SanFran
No. 4460,
Chan,
- CCIE
10,266 PE receives the CDN that destroys the session.
The CDN message contains the Result Code AVP (IETF AVP 1) as defined in RFC 2661, "Layer Two
Tunneling Protocol 'L2TP.'" The result code of 4 indicates that the call failed because appropriate
facilities were not available (temporary condition). Error code 0 specifies no general error.
ISBN: 1-58705-168-0
Because
Tablethe
of L2TPv3 pseudowire is down, ATM OAM AIS cells are sent out of the attachment circuits
Pages:
648 reply with remote defect indication (RDI) OAM cells that the PE
toward
the
CEs.
The
CEs
in turn
Contents
receives
(see
Example
13-38).
Index
Example 13-38. OAM AIS and RDI Cells

productivity gains
SanFran#show atm pvc 0/100
ATM5/0: VCD: 3, VPI: 0, VCI: 100
AAL5 L2transport, etype:0xF, Flags: 0x30000C2E, VCmode: 0x0
costsF5and
extend AIS
the reach
your services
by unifying your
OAM Cell Emulation:Reduce
enabled,
End2end
Xmit of
frequency:
2 second(s)
network
architecture
Remote Circuit Status = Undefined, Alarm Type = Undefined
Gain from the
bookfrequency:
to address Layer
OAM frequency: 0 second(s),
OAMfirst
retry
1 second(s)
both
ATOM
and
L2TP
protocols
OAM up retry count: 3, OAM down retry count: 5
OAM Loopback status: OAM Disabled
OAM VC state: Not Managed - AIS Xmitted
InPkts: 21, OutPkts:
0, InBytes:
1680,
OutBytes:
0
For a majority
of Service
Providers,
a significant
InPRoc: 0, OutPRoc:
0
InFast: 0, OutFast:
0, InAS:
0, OutAS:
technologies.
Although
Layer 3
InPktDrops: 0, customers,
OutPktDrops:
0
0, OverSizedSDUs:
legacy Layer 2 and
Layer 3 networks 0would like to move toward a single
Out CLP=1 Pkts:backbone
0
OAM cells received:
73over their existing Layer 3 cores. The solution in these cases is a
services
F5 InEndloop: 21,
F5 InSegloop:
F5 InAIS:
0, F5 InRDI:
technology
that would0,allow
Layer 2 transport
over a52
Layer 3
OAM cells sent:infrastructure.
52
F5 OutEndloop: 0, F5 OutSegloop: 0, F5 OutAIS: 52, F5 OutRDI: 0
OAM cell drops:Layer
Status: UP
SanFran#
history
Oakland#show atm
pvc and
0/100
VPN
suite: Any Transport over MPLS (ATOM) for MPLSATM6/0.1: VCD: the
1, Cisco
VPI: Unified
0, VCI:
100
UBR, PeakRate: based
149760
of this book
is focused
AAL5-LLC/SNAP, IP
etype:0x0,
Flags: 0xC20,
VCmode:
0x0 on first introducing the
to Layer 2 OAM
VPN retry
benefitsfrequency:
and implementation
requirements and
OAM frequency: reader
10 second(s),
1 second(s)
comparing
them
to those
of Layer
3 based
OAM up retry count:
3, OAM
down
retry
count:
5
progressively
OAM Loopback status:
OAM Sent
OAM VC state: AIS/RDI
VC is managed by OAM.
Transmit priority 4

Out CLP=1 Pkts: 0
Layer
Architectures
F5 InEndloop: 0,
F52 VPN
InSegloop:
0, F5 InAIS: 52, F5 InRDI: 0
OAM cells sent:ByWei
73 Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
4460,
Chan, - CCIE0,
No.F5
10,266
F5 OutEndloop: No.
21,
F5Anthony
OutSegloop:
OutAIS: 0, F5 OutRDI: 52
OAM cell drops: 0
Status: DOWN, State:
NOT_VERIFIED
Publisher:
Cisco Press
Oakland#
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
Example
13-38
shows
that
OAM
emulation is enabled for the AAL5 Layer 2 transport pseudowire in
Index
SanFran. The SanFran attachment circuit has sent 52 AIS cells (F5 OutAIS) toward the Oakland CE
because the L2TPv3 session is down, and it has received 52 RDI cells (F5 InRDI) from the Oakland CE.
OAM AIS cells are equivalent to a blue alarm, and OAM RDI cells are equivalent to a yellow alarm.
the
world
Layerthe
2 VPNs
to provide
enhanced
services
and enjoy
Consistently, the Master
Oakland
CE's
PVCofshows
receipt
of 52 OAM
AIS cells
(F5 InAIS)
from the SanFran
productivity
gains(F5 OutRDI) generated toward the SanFran PE. The Oakland OAM
PE, which resulted
in 52 RDI cells
PVC status is now DOWN because of AIS/RDI.
Learn about
Layer 2 Virtual
Private
(VPNs)
To conclude the OAM emulation
configuration,
enable
OAMNetworks
emulation
in the NewYork PE and verify that
the L2TPv3 session comes up. The Oakland PVC receives end-to-end loopback cells and comes up (see
Example 13-39).
Example 13-39. Oakland

both ATOM CE
and PVC
L2TP UP
protocols

Oakland#show atm pvc interface ATM 6/0.1
VCD /
Peak Avg/Min Burst
Interface
Name
VPI
VCI
Type
Encaps
Sts
For a majority of Service Providers, a significantKbps
portion ofKbps
theirCells
revenues
6/0.1
1
0
100
PVC
SNAP
149760
N/A
UP
Oakland#
Oakland#show atm
pvc 0/100
customers,
ATM6/0.1: VCD: legacy
1, VPI:
0, 2VCI:
100 3 networks would like to move toward a single
Layer
and Layer
UBR, PeakRate: backbone
149760 while new carriers would like to sell the lucrative Layer 2
AAL5-LLC/SNAP, services
etype:0x0,
Flags:
0xC20,
VCmode:
0x0
over their
existing
Layer
3 cores.
OAM frequency: technology
10 second(s),
OAM
retry
frequency:
1 second(s)
that would allow Layer 2 transport
over a Layer 3
OAM up retry count:
3,
OAM
down
retry
count:
5
infrastructure.
OAM Loopback status: OAM Received
OAM VC state: Verified
ILMI VC state: Network
Not Managed
VC is managed by
OAM.
introductory
InARP frequency:
15 minutes(s)
assists
Transmit priority
history
InPkts: 0, OutPkts:
0, Unified
InBytes:
OutBytes:
0
the Cisco
VPN0,
suite:
Any Transport
over MPLS (ATOM) for MPLSInPRoc: 0, OutPRoc:
0
InFast: 0, OutFast:
0, The
InAS:
0, OutAS:
IP cores.
structure
of this 0book is focused on first introducing the
InPktDrops: 0, reader
OutPktDrops:
0,toOverSizedSDUs:
0
comparing them
those of Layer 3 based
Out CLP=1 Pkts:progressively
0
F5 InEndloop: 9, F5 InSegloop: 0, F5 InAIS: 153, F5 InRDI: 0
OAM cells sent: 183
OAM cell drops: 0
Status: UP
Oakland#
Case Study 13-3: ATM Cell Packing

The second ATM advanced
pertains to the cell transport over L2TPv3 (CRoL2TPv3). The cell
Layer 2 VPNtopic
Architectures
packing feature, also
called
ATM
cell13,291,
concatenation,
consists
orBokotey,
concatenating
multiple ATM
Carlos Pignataro,
- CCIE of
No.packing
4619,Dmitry
- CCIE
cells into a single No.
L2TPv3
packet
from
a
minimum
of
one
cell
(that
is,
no
cell
packing
performed)
to the
maximum allowed by the MTU. Refer to Chapter 12 if you need a refresher about cell relay over
L2TPv3.
Pub Date: March

2005
In contrast to OAM emulation,
you10,can
configure the cell packing feature independently in each
ISBN:
1-58705-168-0
endpoint
using
different
values.
You
will
learn to configure and verify cell packing using the topology
Table of
Pages:
648
shown
in
Figure
13-7.
Contents
Index
Figure 13-7. L2TPv3 ATM Cell Packing Topology

productivity gains

their
service
maintaining
control
To configure cell packing,
you
must offerings
configurewhile
the maximum
cellrouting
packing
timeout (MCPT) timers in the
main ATM interface. You have three different timers to pick from when configuring cell packing in the
For or
a majority
of Service
Providers,
a significant
portion
of their
revenues
ATM port or all PVCs
PVPs within
the physical
interface.
To configure
these
three
timers, shut down
are
stillExample
derived 13-40).
the main interface
(see
legacy
Layer 2 and Layer
3 networks
Example 13-40.
Configuring
MCPT
Timerswould like to move toward a single
SanFran#conf t technology that would allow Layer 2 transport over a Layer 3
infrastructure.
Enter configuration
commands, one per line. End with CNTL/Z.
SanFran(config)#interface ATM 5/0
SanFran(config-if)#shutdown
Network (VPN)
concepts,100
and 1000
describes
SanFran(config-if)#atm
mcpt-timers
4095Layer 2 VPN techniques via
introductory
case
studies
and
comprehensive
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbasedpreconfigured
cores and Layer
2 Tunneling
Protocol
version
3 (L2TPv3)
forin
native
With the MCPT timers
in Example
13-40,
you can
enable
cell packing
both the SanFran
cores.
structure
of this book
is focused
on number
first introducing
the can be packed
and NewYork PEs.IPThe
oneThe
mandatory
argument
is the
maximum
of cells that
(seeExample 13-41).
Example 13-41. Configuring Cell Packing

!
hostname SanFran
!
interface ATM5/0
atm mcpt-timers 100 1000 4095
encapsulation aal0
cell-packing 14 mcpt-timer 3
!
InExample 13-41, you have enabled cell packing for the pseudowire with attachment circuit, with
VPI/VCI 0/200 in the SanFran PE specifying a maximum number of cells to be packed equal to 14 cells,
and using the third preconfigured timer. Although you can configure a different value in the remote PE,
ISBN: 1-58705-168-0
you can
Tablealso
of configure a maximum number of cells packed (MNCP) of 14 cells in the NewYork PE.
Contents
Pages: 648
The value
Index of MNCP is signaled in the ATM Maximum Concatenated Cells AVP. MNCP indicates how many
concatenated cells (maximum value) the LCCE node can process as a disposition capability. The values
that are advertised in both directions do not need to match. Furthermore, the absence of this AVP
indicates no cell packing. This AVP and cell packing in general apply only to ATM Cell Relay pseudowire
types (see Example
13-42).
Master
productivity gains
Example 13-42. ATM Maximum Concatenated Cells AVP
SanFran#
network
architecture
*Jul 1 10:45:09.119:
Tnl22650
L2TP: Parse AVP 0, len 8, flag 0x8000 (M)
*Jul 1 10:45:09.119: Tnl22650 L2TP: Parse ICRQ
!Output omitted forGain
brevity
both
ATOM
andL2TP:
L2TP protocols
*Jul 1 10:45:09.123: Tnl22650
Parse Cisco AVP 7, len 8, flag 0x8000 (M)
*Jul 1 10:45:09.123: Tnl22650 L2TP: Pseudo Wire Type 9
*Jul 1 10:45:09.123:
Tnl22650
L2TP:Providers,
ATM Maximum
Numberportion
of cells
that
can be packed 14
For a majority
of Service
a significant
of their
revenues
*Jul 1 10:45:09.123:
Tnl22650
L2TP:
No
missing
AVPs
in
ICRQ
legacy
Layer
and LayerConcatenated
3 networks would
move toward
a single
Example 13-42 shows
the
ATM2Maximum
Cells like
AVPto
included
in the ICRQ
and using Cisco
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
AVP 11. You can verify the configuration of ATM cell packing from the SanFran PE. 2
See Example 13-43,
services
their
existing
Layer
3 cores.
which shows the local
andover
remote
MNCP
values
of 14
cells. The solution in these cases is a
infrastructure.
Example 13-43.
Verification
LayerATM
2 VPNCell-Packing
Architectures introduces
average
average
circuit
local nbr of cells
peer nbr of cells
MCPT
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLStype
MNCP rcvd in one pkt MNCP sent in one pkt (us)
ATM5/0
vc 0/200
14
0
14
0
4095
SanFran#
As you know, each ATM cell carries 48 bytes of payload. When you concatenate 14 cells, you can carry
an SDU of 48 bytes/cell * 14 cells = 672 bytes. You configured the Oakland and Albany CE's PVCs with
AAL5-LLC/SNAP encapsulation, which means that an IP packet would have 16 bytes of encapsulation
overhead as follows: 8 bytes of CPCS-PDU trailer plus 8 bytes of LLC/SNAP header. Therefore, the
largest IP packet that you can fit into a single L2TPv3 Cell Relay packet that is concatenating 14 cells is
672 bytes 16 bytes = 656 bytes.
To verify these calculations, send 100 656-bytes packets from the Oakland CE to the Albany CE. Then
display the average number of cells sent and received per packet (see Example 13-44).
Example 13-44. Optimal Cell-Packing Utilization

Oakland#ping ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
Protocol [ip]: No. 4460,Anthony Chan, - CCIE No. 10,266
Repeat count [5]:Publisher:
100
Cisco Press
656March 10, 2005
Pub Date:
Timeout in seconds [2]:
ISBN: 1-58705-168-0
Table of commands [n]:
Extended
Pages:
648
SweepContents
range of sizes [n]:
Index
Type
escape sequence to abort.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
productivity gains
Oakland#
average
average
Reduce costs
and
extend
the reach ofpeer
your services
by unifyingMCPT
your
circuit
local
nbr
of cells
nbr of cells
type
MNCP rcvd in one pkt
MNCP sent in one pkt (us)
ATM5/0
vc 0/200 14
14
14
14
4095
SanFran#

their13-44
service
offerings
while maintaining
routing
that
the average
number of cells
sentcontrol
and received in one packet
equals 14 cells, which is the optimal usage for the pseudowire overhead.
are still
derived
from
data
and voice
services
basedSee
on Example
legacy transport
Consider what would
happen
if you
used
a slightly
larger
IP packet.
13-45, which uses
657-byte packets.technologies. Although Layer 3 MPLS VPNs fulfill the market need for some
backbone
while new carriers
would like
Example 13-45.
Suboptimal
Cell-Packing
Utilization
Oakland#ping infrastructure.
Protocol [ip]:
Layer 192.168.104.2
Target IP address:
Network
Repeat count [5]: 100 (VPN) concepts, and describes Layer 2 VPN techniques via
introductory
657 case studies and comprehensive design scenarios. This book
assists
Timeout in seconds
[2]:
history
Extended commands
[n]:
Cisco
Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSSweep range of the
sizes
[n]:
based cores
to abort.
IP cores. ICMP
The structure
of this
book is focused
on first is
introducing
the
Echos to
192.168.104.2,
timeout
2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
covering
each currently
available
solution in=greater
detail. ms
Success rate isprogressively
100 percent
(100/100),
round-trip
min/avg/max
108/108/112
Oakland#
circuit
type
ATM5/0
SanFran#
local
MNCP
vc 0/200 14
average
nbr of cells
rcvd in one pkt
7
average
peer nbr of cells
MCPT
MNCP sent in one pkt (us)
14
7
4095
You can see in Example 13-45 that the average number of cells sent and received per L2TPv3 packet
drastically dropped
to 7 bytes. Each IP packet now needs 15 ATM cells; thus, it uses a first L2TPv3
ByWei
Luo,
CCIE No.L2TPv3
13,291,Carlos
Pignataro,
- CCIE
No. 4619,
Dmitry
Bokotey,
- CCIE to 7 cells per
packet with 14 cells
and
a -second
packet
with just
1 cell.
The
average
equates
l2TPv3 packet. No. 4460,Anthony Chan, - CCIE No. 10,266
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.

Quality of By
Service
In this section, you learn

concepts
and configuration of QoS in L2TPv3 networks. Although there
Publisher:
Cisco Press
are some L2TPv3 specific
edge
QoS
L2TPv3 runs over an IP PSN; therefore, all IP QoS
Pub Date:
March
10, services,
2005
models apply. Specifically, you explore the IP differentiated services (DiffServ) model, whose
ISBN: 1-58705-168-0
Table of is defined in RFC 2475, "An Architecture for Differentiated Services."
architecture
Pages: 648
Contents
Indexseparates edge behaviorssuch as classification, marking, policing, metering, and complex
DiffServ
per-user and per-application tasksfrom core functions or per-hop behaviors (PHB)including

queuing, shaping, dropping, and simple tasks. DiffServ partitions IP traffic into a small number of
classes (eight classes per RFC are recommended) and allocates resources on a per-class basis. At
Master theinformation
world of Layer
2 VPNs to provide
enhanced
services
and enjoy
the edge, the classification
is summarized
in the DiffServ
code
point (DSCP),
which
productivity
gains
gives a new interpretation
to the
type of service (ToS) IPv4 header octet and IPv6 traffic class
octet as defined in RFC 2474, "Definition of the Differentiated Services Field (DS Field) in the IPv4
and IPv6 Headers."
The configuration of IP QoS in Cisco IOS follows the Modular QoS CLI (MQC) model. You can break
down the MQC configuration into three distinctive steps:
Step
1.
Step
2.
ClassificationTraffic
is classified
with to
a class-map.
Gain from
the first book
Policy creationPolicies are applied to the traffic classes that were defined previously in
a policy-map. Review strategies that allow large enterprise customers to enhance
Step
3.
Policy applicationThe policies that were defined previously are applied in a direction to
a majority
of Service or
Providers,
significant
of their
revenues
a specificFor
interface,
subinterface,
ATM andaFrame
Relayportion
VCs using
a service
policy.
The following case studies explain examples of different QoS modules, including traffic marking,
traffic policing, queuing and shaping, and Layer 2-specific matching and setting.
Case Study 13-4:
Traffic Marking
infrastructure.
Layer 2pieces
VPN Architectures
readers
to Layer
2 Virtual
Privatespecific
One of the constitutive
of the DiffServintroduces
model is traffic
marking.
Before
exploring
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
traffic marking methods, this section presents a historical perspective on the IPv4via
header TOS
introductory
case
and
comprehensive
design
scenarios.
ThisIPv4
book
octet that was defined
originally
in studies
RFC 791.
The
ToS byte is the
second
byte in the
header
assists
readers
looking
to
meet
those
requirements
by
explaining
the
and can be interpreted in multiple ways. Figure 13-8 shows the evolution of the ToS octet in
history
andthat
implementation
details
of the two
frombits, and
different RFCs. You
can see
the three most
significant
bits technologies
are called theavailable
precedence
the
Cisco
Unified
VPN
suite:
Any
Transport
over
MPLS
(ATOM)
for
MPLSthey correspond to the class selector in the DSCP.
comparing
them to
of Layer
3 based
VPNs,Octet
such asEvolution
MPLS, then
Figure
13-8. Type
ofthose
Service
IPv4
Header

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
Note
Traffic marking alone

does
nothing for
QoS.
PHBs
need
to existcustomers
in the coretonetwork
Review
strategies
that
allow
large
enterprise
enhanceto
apply different policies
to the traffic
thatwhile
is marked
in different
classes.
their service
offerings
maintaining
routing
control

technologies.
Layerto
3 perform
MPLS VPNs
fulfill
the market
for methods
some
In the next sections,
you learn Although
different ways
traffic
marking.
The need
first two
customers,
haveone
some
drawbacks.
are L2TPv3 specific,
whereasthey
the third
is a
generic marking.
ToS Setting services over their existing Layer 3 cores. The solution in these cases is a
infrastructure.
The first method for marking traffic consists of setting the ToS value under a pseudowire class for
all L2TPv3 IP packets.
carry
out this configuration
the to
command
ip tos value
Layer You
2 VPN
Architectures
introduces with
readers
Layer 2 Virtual
Private{value } as
shown in ExampleNetwork
13-46. (VPN) concepts, and describes Layer 2 VPN techniques via
Example 13-46.
ToS
Configuration
history
andSetting
implementation
!
hostname SanFran
!
pseudowire-class wan-l2tpv3-pw-pmtu-df
sequencing both
ip pmtu
ip dfbit set
ip tos value 96
!
Example 13-46 shows the ToS set to a value of 96 (0x60 in hexadecimal). This is the value for the
complete ToS byte. The number 96 that is represented in binary equals 01100000, from which
you can infer thatLayer
the 2IPVPN
precedence
is 011b or 3 (flash). To verify this configuration, configure
Architectures
inbound (that is, packets received) IP accounting by IP precedence in the NewYork PE in the
interface that connects to the Denver P (see Example 13-47).

Example 13-47.
IP Accounting Configuration in the NewYork PE
Table of
ISBN: 1-58705-168-0
!
Pages: 648
Contents
hostname NewYork
Index
!
interface Serial10/0
ip accounting Master
precedence
input
the world
!
productivity gains

Now send 1000 ping packets from the Oakland to the Albany CEs, which use the default
precedence of 0. CheckReduce
the IP accounting
information
thatof
has
been
collected
(see Example
costs and extend
the reach
your
services
by unifying
your 1348).
Example 13-48.
both ATOM
and Verification
L2TP protocols in the NewYork PE
ToS
Setting

their service
precedence
Serial10/0
Input
derived
from 140000
data andbytes
Precedence are
3: still
1000
packets,
Although
Precedence technologies.
6: 2 packets,
88 bytes
NewYork#
You can see that,technology
as expected,
1000
packets
withover
an IP
of 3. You also
that
would
allow were
Layerreceived
2 transport
a precedence
Layer 3
see a couple of IPinfrastructure.
precedence 6 packets that correspond to routing updates.
Note
Although IP the
accounting
can beVPN
useful
andAny
is aTransport
quick wayover
to gather
Cisco Unified
suite:
MPLS per-precedence
(ATOM) for MPLSaccounting information,
it
suffers
from
performance
limitations.
example,
based cores and Layer 2 Tunneling Protocol version For
3 (L2TPv3)
forIPnative
accounting isIPnot
supported
in
distributed
CEF
(dCEF).
It
forces
packets
to
be
cores. The structure of this book is focused on first introducing process
the
switched in distributed
platforms,
as the
Cisco
7500 and 12000
series routers.
reader to Layer
2 VPNsuch
benefits
and
implementation
requirements
and
Whenever possible,
usethem
NetFlow
to collect
statistics
in aVPNs,
more such
scalable
way. IP
comparing
to those
of Layer
3 based
as MPLS,
then
accounting isprogressively
a great proofcovering
of concept
tool,
but youavailable
should not
use itin
ingreater
distributed
each
currently
solution
detail.
platforms.
ToS Reflection
Another traffic-marking feature that is specific to L2TPv3 is called ToS reflection . In ToS reflection
marking, the ToS octet is copied over or reflected from the inner CE IP packet header into the
outer IP tunnel packet header. This behavior cannot be mimicked with MQC.
To configure TOS reflection, you can use the pseudowire-class command ip tos reflect. The
commandip tos {reflect | value} appears only in pseudowire-class configuration when the
encapsulation is set
to2L2TPv3
(see Example 13-49).
Layer
VPN Architectures
Example 13-49. ToS Reflection Configuration


!
hostname SanFran
ISBN: 1-58705-168-0
Table of
!
Pages:
648
Contents
pseudowire-class wan-l2tpv3-pw-pmtu-df
Index
sequencing both
ip local interface
Master Loopback0
ip pmtu
productivity gains
ip dfbit set
ip tos reflect
!
To verify the ToS reflection functioning, generate 1000 packets with IP precedence 5 (critical)
from the Oakland CE toGain
the from
Albany
Use
an extended
command,
in which utilizing
you must
theCE.
first
book
to addressping
Layer
2 VPN application
specify the ToS octet value.
You can
express
an IP precedence of 5 in binary as 101. Therefore,
both ATOM
and
L2TP protocols
the binary representation of the ToS is 10100000, which is 0xA0 or 160 (see Example 13-50).
Example 13-50. Generating Precedence 5 Traffic Between CEs

Oakland#ping iptechnologies. Although Layer 3 MPLS VPNs fulfill the market need for some
customers,
Target IP address:
192.168.105.2
legacy
Repeat count [5]:
1000
services
Timeout in seconds
[2]:
technology
Extended commands
[n]: ythat would allow Layer 2 transport over a Layer 3
Source address infrastructure.
or interface:
Type of service [0]: 0xa0
Layer
2 VPN Architectures
Set DF bit in IP
header?
[no]:
Network
(VPN)
concepts,
and
introductory
case
studies
and
comprehensive
assists
readers
looking
to
meet
those
requirements
by explaining the
Loose, Strict, Record, Timestamp, Verbose[none]:
history
and
implementation
details
of
the
two
technologies
available from
Sweep range of sizes [n]:
the
Cisco
Unified
VPN
suite:
Any
Transport
over
MPLS
(ATOM)
for MPLSType escape sequence to abort.
based cores
and Echos
Layer 2to
Tunneling
Protocol version
3 (L2TPv3)
for native
ICMP
192.168.105.2,
timeout
is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!Output omittedreader
for brevity
comparing
!!!!!!!!!!!!!!!!!!!!
progressively
covering
each currently
available
solution in greater
detail. ms
Success rate is 100 percent
(1000/1000),
round-trip
min/avg/max
= 16/21/52
Oakland#
Using the same IP accounting method, verify the precedence in the packets sent over the IP PSN
and received by the NewYork PE (see Example 13-51).
Example 13-51. ToS Reflection Verification in the NewYork PE
NewYork#show interfaces precedence

Serial10/0
Input
Wei Luo,
- CCIE
No. 13,291,
Carlos Pignataro,
Precedence By
3:
1000
packets,
140000
bytes - CCIE No. 4619,Dmitry Bokotey, - CCIE
Anthony
Chan, - CCIE
No. 10,266
Precedence No.
5:4460,
1000
packets,
140000
bytes
Precedence 6: 40 packets, 2352 bytes
NewYork#
ISBN: 1-58705-168-0
Table of
Pages:
648received with precedence 5. The precedence 5 was copied over
You can
see 1000 new packets
Contents
from
the TS byte in the CE IP packet.
Index
You can also configure both ip tos actions of value and reflect into a single pseudowire class. In
that case, the ToS value in the outer IP header defaults to the fixed set value but is overwritten
the world
of Layer
2 VPNs to
provide
enhanced
with the reflectedMaster
value when
the Layer
2 tunneled
frame
contains
an IPservices
packet. and enjoy
productivity gains
MQC IP PrecedenceLearn
or DSCP
Setting
The third traffic-marking
mechanism
uses
MQC. the
Thereach
MQC set
ip precedence
and setyour
ip dscp
Reduce
costs and
extend
of your
policy commands havenetwork
been extended
to include the tunnel keyword to indicate that the policy
architecture
applies to the outer L2TPv3 tunnel IPv4 delivery header.
When you are using MQC
toATOM
perform
with L2TPv3, only the inbound direction (that is,
both
andmarking
L2TP protocols
coming from the CE device) is meaningful for classification; therefore, the classification criterion
Review
strategies
thatcircuit.
allow large
customers
to classified
enhance traffic
needs to be Layer 2 fields
at the
attachment
A PE enterprise
device normally
marks
their
service
offerings
while
maintaining
control
with a tunnel as IP DSCP.
The
primary
goal for
tunnel
marking routing
is to control
QoS for a particular
tunneled customer within the provider core network. Customer-specific PHB should be pushed out
majority ofExample
Service 13-52
Providers,
a significant
portion required
of their revenues
to the CE devices.For
Fora simplicity,
shows
the configuration
to perform
are astill
derived from
and voice
services
on legacy
transport
tunnel marking with
precedence
of 2 data
(immediate)
using
MQCbased
to classify
all traffic
incoming into
technologies.
Although
VPNs
fulfill the market
need for some
the attachment circuit.
Apply the
service Layer
policy3inMPLS
a Layer
2 transport
ATM PVC.
backbone
whileMarking
new carriers
would
like Configuration
Example 13-52.
Tunnel
with
MQC
infrastructure.
!
hostname SanFran
!
Network
class-map match-all
all_traffic
introductory
match any
assists
readers
!
policy-map prec-2
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSclass all_traffic
based cores
and 2Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
set ip precedence
tunnel
!
interface ATM5/0
oam-ac emulation-enable
2
encapsulation aal5
service-policy in prec-2
!
!
Now generate 500 packets by using an extended ping command from the Oakland CE to the
Albany CE, and check the MQC policy-map counters (see Example 13-53).
Example 13-53.
Tunnel Marking with MQC Verification in the SanFran
PE
SanFran#show policy-map interface

ATM5/0: VC 0/100Publisher:
Cisco Press
Service-policy input: prec-2 (1330)

ISBN: 1-58705-168-0
Table of
Class-map: all_traffic
Pages:
648 (match-all) (1331/3)
Contents
Index
5 minute offered rate 4000 bps, drop rate 0 bps

Match: any (1332)
QoS Set
ip precedence
tunnel
2 Layer 2 VPNs to provide enhanced services and enjoy
Master the
world of
Packets
marked
500
productivity gains
Class-map: class-default (match-any) (1334/0)

0 packets, 0 bytes
Match: any (1335)
0 packets, 0network
bytes architecture
5 minute rate 0 bps
SanFran#

You can see that 500 packets
were offerings
classified while
and marked
with tunnel
2. You can also
their service
maintaining
routingprecedence
control
check the PE-P interface in the NewYork PE for IP accounting statistics after you clear the counters
(seeExample 13-54).
customers,
they
have some
drawbacks.
Ideally, carriersin
with
existing
Example 13-54.
Tunnel
Marking
with
MQC Verification
the
NewYork
PE
precedence
technology that
Serial4/0
infrastructure.
Input
2 VPN
Architectures
Precedence Layer
2: 500
packets,
70000 introduces
bytes
NewYork#
You can configurethe
theCisco
threeUnified
marking
methods
simultaneously.
In that
the for
relative
priority
VPN
suite: Any
Transport over
MPLScase,
(ATOM)
MPLSfrom highest to lowest
is
as
follows:
comparing them
to those
1. MQCset ip {precedence
| dscp}
tunnel
2. ToS reflection
3. ToS setting
For this reason, it is recommended that you use the MQC configuration in favor of the legacy ToS
setting or marking. The policy for setting the IP precedence or DSCP in an L2TPv3 tunnel can be
selected as a policing action by using the keywords set-prec-tunnel-transmit or setd-scptunnel-transmit.
Case Study 13-5: Traffic Policing

Layer 2you
VPN can
Architectures
Using the MQC model,
configure traffic policing using single- or dual-rate policers that
have multiple conform,
exceed,
violate
actions.
Example
13-55
the possible
ByWei Luo, - CCIE and
No. 13,291,
Carlos
Pignataro,
- CCIE No.
4619,shows
Dmitry Bokotey,
- CCIE actions for
conforming traffic,
including
the
highlighted
tunnel
marking.
The
same
actions
are
available for
exceeding and violating traffic.
Example 13-55. Traffic-Policing

Actions
ISBN: 1-58705-168-0
Table of
Pages: 648
Contents
SanFran(config-pmap-c-police)#conform-action
?
Index
drop
drop packet
set-clp-transmit
set atm clp and send it
set-cos-transmit
set cos and send it
Master the world of Layer 2
VPNs
to provide enhanced
services
set-discard-class-transmit
set
discard-class
and send
it and enjoy
productivity gains
set-dscp-transmit
set dscp and send it
set-dscp-tunnel-transmit
rewrite tunnel packet dscp and send it
set-frde-transmit
set FR DE and send it
Learn about Layer 2 set
Virtual
Private
Networks
(VPNs)and send it
set-mpls-exp-imposition-transmit
exp
at tag
imposition
set-prec-transmit
rewrite packet precedence and send it
set-prec-tunnel-transmit
rewrite tunnel packet precedence and send it
set-qos-transmit
set qos-group and send it
transmit
transmit packet
SanFran(config-pmap-c-police)#conform-action

Example 13-56 shows the configuration of a policer with marking actions.
technologies.
Although Layer
Example 13-56.
Traffic-Policing
Configuration
!
hostname SanFran
!
infrastructure.
class-map match-all
all_traffic
match any
!
policy-mapmy_policer
class all_traffic
assists pir
readers
police cir 64000
128000
history
and
implementation
details of5the two technologies available from
conform-action set-prec-tunnel-transmit
the
Cisco
Unified
VPN
suite:
Any Transport
over MPLS (ATOM) for MPLSexceed-action set-prec-tunnel-transmit
1
based cores
violate-action
drop and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
interface ATM5/0
comparing them
2 to those of Layer 3 based VPNs, such as MPLS, then
progressively
covering
encapsulation aal5
service-policy in my_policer
!
!
MQC is versatile enough through the use of nested or hierarchical policies to allow the
configuration of ATM Forum Traffic Management 4.0 (TM 4.0) policers using the policy police rate.
With this capability, a PE device can behave like a traditional ATM switch. In particular, you can
configure the following policing policies:
CBR Policing
Using
single
and
police
statement.
ByWei
Luo, a
- CCIE
No.class
13,291,
Carlos
Pignataro,
VBR.1 Policing Using hierarchical policies:

A parent policy
includes a police statement to policy at peak cell rate (PCR) for all
cells.
ISBN: 1-58705-168-0
Table of
A child policy
includes
Pages:
648 a police statement to policy at sustained cell rate (SCR) for all
Contents
cells.
Index

A parent policy includes a police statement to policy at PCR for all cells.
gains
A childproductivity
policy includes
a police statement to policy at SCR for all cell loss priority of
zero (CLP0) cells classified under a new class-map.

A parent policy includes a police statement to policy at PCR for all cells.
A child policy includes a police statement to policy at SCR for all CLP0 cells that are
classified under a new class-map, and mark as exceeded any cells with CLP1.
UBR.1 Policing Using a single class and police statement.
theirATMF
service
while
maintainingincluding
routing control
Example 13-57 shows the
TM offerings
4.0 policer
configuration,
tunnel IP precedence
marking using the policy set ip precedence tunnel. The highlighted policy-maps are to be
applied as input service policies under the ATM PVC.
Example 13-57.
ATM
4.0Layer
Policers
legacy
LayerTM
2 and
!
class-map match-all CLP0
infrastructure.
match not atm clp
!
!
policy-map CBR.1
class class-default
police rate 10000 cps delay-tolerance 500
conform-action transmit
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSexceed-action drop
set ip precedence tunnel 5
policy-map VBR.1_child
class class-default
police rate 5000 cps atm-mbs 1000
exceed-action drop
policy-map VBR.1
class class-default
exceed-action drop
service-policy VBR.1_child
policy-map VBR.2_child
class CLP0
Layer 2 VPN
Architectures
exceed-action
drop
policy-map VBR.2
class class-default
conform-action
transmit
Publisher:
Cisco Press
exceed-action
Pubdrop
ISBN: 1-58705-168-0
Table of
service-policy
VBR.2_child
Pages:
Contents VBR.3_child 648
policy-map
Index CLP0
class
exceed-action set-clp-transmit
policy-map VBR.3
productivity gains
class class-default
exceed-action drop
set ip precedence
tunnel
2 and extend the reach of your services by unifying your
Reduce
costs
service-policy VBR.3_child
policy-map UBR.plus
class class-default
police rate 10000
cps
delay-tolerance
2000
both
ATOM
and L2TP protocols
exceed-action Review
drop strategies that allow large enterprise customers to enhance
set ip precedence
tunnel
1 offerings while maintaining routing control
their
service
!
The ATMF TM4.0 customers,
specificationthey
useshave
the PCR
the rate in Ideally,
the firstcarriers
bucket and
delay variation
someasdrawbacks.
withcell
existing
tolerance (CDVT)legacy
as the Layer
height2of
theLayer
first bucket.
It also
defines
themove
use of
the SCR
as the rate in
and
3 networks
would
like to
toward
a single
the second bucket
and a function
of maximum
burst like
size to
(MBS)
as the
heightLayer
of the
backbone
while new
carriers would
sell the
lucrative
2 second
bucket.
You can see that,infrastructure.
as specified in ATMF TM4.0, Example 13-57 uses the PCR and CDVT combination
in the first bucket specified by the parent policy and uses the SCR and MBS combination in the
second bucket specified
the
child policy for
VBR service
types.
Layer 2by
VPN
Architectures
introduces
readers
Note
Some platforms do not support the atm-mbs keyword. In those cases, you should
define the SCR only in the child policies.
On some platforms, Layer 2 marking is supported only in the outbound direction. In these
platforms, you cannot implement VBR.3 because it cannot use set atm-clp in an input policy.
However, you can usually configure around this by marking with a new tunnel IP precedence
instead of ATM CLP at ingress. You can map the tunnel IP precedence back to ATM CLP at egress
with an intermediate qos-group:
Ingress PE In the ingress PE, perform VBR.2 policing as an inbound policy but set a
different tunnel IP precedence or DSCP for the exceed-action in the VBR.3_child policymap
instead of performing a drop action. This effectively performs an IP marking. You can refer to
this IP precedence as CLP precedence .
Layer
Architectures
Egress PE In
the2 VPN
egress
PE, at ingress from the P router, match the CLP precedence tunnel
IP precedence
with
an
inbound
policy
andPignataro,
set the -qos-group.
traffic that will
ByWei
Luo,
- CCIE
No. 13,291,
Carlos
CCIE No. 4619,This
Dmitryclassifies
Bokotey, - CCIE
later be marked
with
CLP.Chan,
At egress
attachment circuit that is outbound toward the
No. 4460,
Anthony
- CCIE in
No.the
10,266
CE, match the qos-group and set atm-clp.
Two local markings exist: qos-group and discard-class. They preserve the marking tunnel IP
precedence or DSCP information (or MPLS Experimental bits in AToM) before tunnel or label
ISBN: 1-58705-168-0
disposition.
Table of Used as an input feature, the qos-group ID identifies or selects a class, and the
Pages:
648 precedence. These two local markings are important when input
discard-class
identifies a drop
Contents
Layer
2 marking is not supported. They allow you to match on PSN information, such as IP DSCP
Index
or MPLS EXP, while acting on them at egress on an attachment circuit when that PSN class
information is lost because of disposition.
of Layer
VPNs conveys
to provide
enhanced
enjoy
The intermediate Master
step is the world
qos-group
ID,2which
the
receivedservices
class to and
the output
productivity
gains
interface. A qos-group
and discard-class
are required when you use the input PHB marking to
classify packets on the output interface. Example 13-58 shows a sample configuration setting the
ATM CLP at attachment circuit egress based on the tunnel IP precedence at ingress from the P
router.
Example 13-58. Conveying Class Classification from Egress to Egress

!
hostname NewYork
!
class-map match-all pre1
match ip precedence
1
For a majority
class-map match-all
qosg
match qos-group
1
technologies.
!
!
policy-map clp backbone while new carriers would like to sell the lucrative Layer 2
class qosg services over their existing Layer 3 cores. The solution in these cases is a
set atm-clp technology that would allow Layer 2 transport over a Layer 3
policy-map qosginfrastructure.
class pre1
set qos-group
Layer
!
interface Serial4/0
ip unnumbered assists
Loopback0
service-policyhistory
inputand
qosg
!
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSinterface ATM5/0
no ip address IP cores. The structure of this book is focused on first introducing the
2 to those of Layer 3 based VPNs, such as MPLS, then
comparing them
encapsulationprogressively
aal5
service-policy out clp
!
!
You can see that the Serial4/0 interface coming into the NewYork PE from the Denver P has the
inbound service policy qosg. The qosg policy-map classifies traffic with IP precedence of 1 in the
class-map pre1 and sets the qos-group to 1 for the classified packets.
At egress and toward the attachment circuit, the PVC 0/101 in interface ATM5/0 has the outbound
service policy clp. The policy-map clp sets the ATM CLP bit for traffic that is classified with the qosg
class-map that matches
qos-group
1. In effect, you are applying an outbound policy in the
Layer 2 VPN
Architectures
outgoing interface from an inbound classification in the incoming interface. The qos-group
marking and matching acts like the middle man. Example 13-59 shows the verification for this pair
of service policies.
Example 13-59.
Verifying the QoS Group Configuration
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
NewYork#show
policy-map
interface
Index
Serial4/0
Service-policy input: qosg (1581)
the world of Layer

Class-map: Master
pre1 (match-all)
(1582/9)
productivity
gains
5 packets,
700 bytes
Match: ip precedence 1 (1583)
QoS Set
qos-group 1
Packets marked 5
0 packets, 0 Gain
bytes
both
ATOM
L2TP
protocols
5 minute offered rate 0and
bps,
drop
rate 0 bps
Match: any (1586)
0 packets, Review
0 bytes
their0 service
5 minute rate
bps offerings while maintaining routing control
ATM5/0: VC 0/101 For a majority of Service Providers, a significant portion of their revenues
still derived
Service-policy are
output:
clp (1561)
Class-map: qosg
(match-all)
(1562/8)
customers,
they have
5 packets, legacy
560 bytes
5 minute offered
rate
0 new
bps,carriers
drop rate
bpsto sell the lucrative Layer 2
backbone
while
would0like
Match: qos-group
1
(1570)
QoS Set
atm-clp infrastructure.
Packets marked 5
0 packets, 0 bytes
Match: any (1566)
0 packets, 0 bytes
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS5 minute rate 0 bps
NewYork#
currently
available
greater detail.
The input service progressively
policy qosg incovering
Serial4/0each
matches
5 packets
andsolution
sets theinqos-group
to 1. In
turn, the output service policy clp in ATM5/0 VC 0/101 matches these 5 packets by qos-group
and sets the atm-clp.
Case Study 13-6: Queuing and Shaping

MQC supports multiple queuing and shaping of outbound features in L2TPv3 environments. Some
of these features are as follows:
Low-latency queuing (LLQ) The LLQ is a strict priority first-in, first out (FIFO) queue.
Strict priority queuing allows delay-sensitive data to receive a preferential queuing treatment
Layer 2 VPN
Architectures
by being dequeued
and
serviced before other queues.
Class-based
weighted fair queuing (CBWFQ) CBWFQ provides a fair queuing based on
defined classes with no strict priority. The weight for a packet that belongs to a specific class
is given from the bandwidth that you assigned to the class when you configured it.
Pub Date:
MarchDetection
10, 2005
Weighted Random
Early
(WRED) WRED drops packets selectively based on IP
ISBN: 1-58705-168-0
precedence.
The
higher
the
IP
precedence,
the less likely the packets are to be dropped.
Table of
Pages: 648
Contents
Example 13-60 shows an example of egress queuing policies to provide committed information
Index
rate (CIR) guarantees.
Example 13-60.
Queuing
Frame
Relay
Pseudowires
Master
the world Configuration
of Layer 2 VPNs tofor
provide
enhanced
services
and enjoy
productivity gains
!
hostname SanFran
!
class-map match-allReduce
cust1 costs and extend the reach of your services by unifying your
match fr-dlci 100network architecture
class-map match-all cust2
match fr-dlci 101Gain from the first book to address Layer 2 VPN application utilizing
!
policy-map cir_guarantee
class cust1
bandwidth 128 their service offerings while maintaining routing control
class cust2
bandwidth 256
!
interface Serial3/1
no ip address customers, they have some drawbacks. Ideally, carriers with existing
Layer
service-policylegacy
output
cir_guarantee
backbone
while
encapsulation frame-relay new carriers would like to sell the lucrative Layer 2
services over
dcetheir existing Layer 3 cores. The solution in these cases is a
technology
!
infrastructure.

NetworkFrame
(VPN)Relay
concepts,
describes
Layer
2 VPN techniques
viathe bandwidth
Example 13-60 matches
DLCIsand
in two
different
class-maps
and applies
introductory
case
studies
and
comprehensive
design
scenarios.
This
book
policy to each class. Example 13-60 does not show the two pseudowires in Serial 3/1 configured
assists
readers
looking
to
meet
those
requirements
by
explaining
the
with the global connect command with attachment circuits of DLCI 100 and 101, respectively.
theper-class
Cisco Unified
VPN
suite:for
Any
Transport
over
MPLS (ATOM)
MPLSYou can accomplish
traffic
shaping
ATM
PVC and
permanent
virtualfor
path
(PVP)
based
andand
Layer
2 Tunneling
version
3 configuration
(L2TPv3) for native
attachment circuits
withcores
the pvc
atm
pvp modeProtocol
ATM service
type
using the
following commands:
CBR {PCR}progressively covering each currently available solution in greater detail.
UBR {PCR}
VBR-RT {PCR} {SCR} [MBS]
VBR-NRT {PCR} {SCR} [MBS]
Case Study 13-7: Layer 2-Specific Matching and Setting
L2TPv3 transports and tunnels multiple and diverse Layer 2 technologies. It is reasonable that
MQC supports different matching and setting criteria for different Layer 2 protocols. Table 13-1
summarizes some of these Layer 2 technology-specific criteria.
Publisher:
Cisco Press Matching and Marking Criteria
Table 13-1. Layer
2-Specific
Layer
2 of
Table
Contents
Ethernet
Index
Frame Relay
ATM
ISBN: 1-58705-168-0
Matching
Setting
Pages: 648
match cos
match vlan (including VLAN ranges)
set cos
match fr-de
set fr-de
match fr-dlci
set fr-fecn-becn
productivity
match atmgains
clp
set atm-clp

With these combinations, you can configure the following:
Input service policies Matching on the Frame Relay DE bit, the ATM CLP bit, or Ethernet
802.1P CoS bits coming
from
the
attachment
circuit, Layer
and setting
IP tunnelutilizing
precedence or
Gain from
the
first
book to address
2 VPN the
application
DSCP into the L2TPv3
tunnel
accordingly.
Output service policies
Matching that
on aallow
qos-group
or discard-class
conveying
the input
Review strategies
large enterprise
customers
to enhance
IP tunnel precedence
DSCP offerings
that is incoming
from the IProuting
PSN, and
setting the Frame Relay
theiror
service
while maintaining
control
DE or forward explicit congestion notification/backward explicit congestion notification
(FECN/BECN)
ATM CLP
or 802.1P
CoS bits
as desired
toward
attachment
Forbits,
a majority
ofbit,
Service
Providers,
a significant
portion
ofthe
their
revenues circuit.
For FECN/BECN marking,
both FECN
andLayer
BECN3bits
areVPNs
set when
are above
the
technologies.
Although
MPLS
fulfill they
the market
need
formarking
some
threshold.
Example 13-61 shows an inbound service policy applied to an ATM PVC attachment circuit that
sets the tunnel IP precedence to 2 (immediate) for ATM packets that do not have the CLP bit set.
infrastructure.
Example 13-61. Matching on ATM CLP

!
hostname SanFran
!
class-map match-all
not-clp
the Cisco
Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSmatch not atmbased
clp cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
policy-map prec-2
class not-clpreader to Layer 2 VPN benefits and implementation requirements and
set ip precedence
tunnel
comparing
them2to those of Layer 3 based VPNs, such as MPLS, then
!
interface ATM5/0
oam-ac emulation-enable 2
encapsulation aal5
service-policy in prec-2
!
!
Example 13-62 shows how to set the ATM CLP bit for all traffic.
Example 13-62.
on13,291,
ATMCarlos
CLP-Configuration
ByWei Setting
Luo, - CCIE No.
Pignataro, - CCIE No. 4619,Dmitry Bokotey, -
CCIE
!
hostname NewYork Publisher: Cisco Press
!
1-58705-168-0
class-map match-all ISBN:
everything
Table of
match
any
Pages:
648
Contents
policy-map atm-clp
Index
class everything
set atm-clp
interface ATM5/0
2
productivity gains
encapsulation aal5
Learn
service-policy out
atm-clp
!
!
ATOM and results
L2TP protocols
Example 13-63 Shows both
the verification
in the NewYork PE when sending 200 pings from the
Oakland CE to the Albany CE.
Example 13-63. Setting on ATM CLPVerification

technologies.
NewYork#show policy-map
interface
customers,
ATM5/0: VC 0/101
Service-policy
output:
atm-clp
(1132)would like to sell the lucrative Layer 2
backbone
while
new carriers
Class-map: everything (match-all) (1133/1)
infrastructure.
Match: any (1134)
QoS Set
atm-clp
Packets marked 200
and implementation
details
Class-map: history
class-default
(match-any)
(1136/0)
the0Cisco
Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS0 packets,
bytes
cores
and 0Layer
Tunneling
5 minute based
offered
rate
bps,2 drop
rateProtocol
0 bps version 3 (L2TPv3) for native
IP cores.
Match: any
(1137)
reader0 to
0 packets,
bytes
comparing
5 minute rate 0 them
bps to those of Layer 3 based VPNs, such as MPLS, then
progressively
NewYork#
NewYork#show atm pvc 0/101
ATM5/0: VCD: 3, VPI: 0, VCI: 101
AAL5 L2transport, etype:0xF, Flags: 0x32000C2E, VCmode: 0x0
OAM Cell Emulation: enabled, F5 End2end AIS Xmit frequency: 2 second(s)
OAM frequency: 0 second(s), OAM retry frequency: 1 second(s)
OAM up retry count: 3, OAM down retry count: 5
OAM Loopback status: OAM Disabled

OAM VC state: Not Managed
Layer 2 VPN200,
Architectures
InPkts: 200, OutPkts:
ByWei Luo,
InPRoc: 0, OutPRoc:
0 - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
No. 4460,Anthony
- CCIE
10,266 0
InFast: 200, OutFast:
200,Chan,
InAS:
0,No.
OutAS:
OverSizedSDUs: 0
Publisher: Cisco0,
Press
Out CLP=1 Pkts: 200
ISBN: 1-58705-168-0
Table of
F5 InEndloop:
0, F5 InSegloop: 0, F5 InAIS: 0, F5 InRDI: 0
Pages:
648
Contents sent: 0
OAM cells
Index
F5 OutEndloop:
0, F5 OutSegloop: 0, F5 OutAIS: 0, F5 OutRDI: 0
OAM cell drops: 0
Status: UP
NewYork#
productivity gains
You can see from both the policy-map and ATM PVC counters that 200 packets were marked with
CLP1.
infrastructure.

Summary By
This chapter explored

variousCisco
L2TPv3
Publisher:
Press advanced concepts and topics through the use of case
studies. It covered the
theoretical
and practical operation of PMTUD in L2TPv3. It also
Pubdetailed
Date: March
10, 2005
highlighted the more theoretical aspects of MTU handling and PMTUD with "the life of a packet"
ISBN: 1-58705-168-0
Table of
scenarios
and figures both with and without PMTUD. When you are adding encapsulation
Pages:
648
Contents
headers
to an SDU, MTU and fragmentations issues arise in the IP PSN. PMTUD combined with
DF bitIndex
setting provides a practical approach to solving the core MTU and IP reassembly
processing problems.
You learned the control plane and data plane considerations of ATM OAM cell emulation and
the world
ofwere
Layerpresented
2 VPNs todetailing
provide their
enhanced
services and enjoy
ATM cell packing.Master
New L2TPv3
AVPs
use, functionality,
and
productivity gains
interaction.
In the final few pages of this chapter, you learned QoS essentials, configuration, and QoS
Learn about
Layer
2 Virtual
Private
Networks
(VPNs)
particulars regarding L2TPv3.
You saw
how
to configure
and
apply traffic
marking, policing,
queuing, shaping, and advanced QoS matching and setting criteria for each Layer 2 technology
that is tunneled and transported using L2TPv3.
infrastructure.

Part V: Additional Layer 2 VPN

Architectures
Table of
Contents
Chapter 14
Index
Chapter 15
ISBN: 1-58705-168-0
Pages: 648
Layer 2 Interworking and Local Switching

Virtual Private LAN Service
productivity gains
infrastructure.

Chapter 14. Layer 2 Interworking and

Local Switching

ISBN: 1-58705-168-0

This chapter
Contents
Index
Pages: 648
Layer 2 Interworking technology overview

Layer 2 Interworking case studies
Layer 2 localproductivity
switching gains
Layer 2 local switching with interworking

Understanding advanced interworking and local switching
This chapter comprisesnetwork
important
topics that are part of the Cisco Unified VPN Suite. The first
architecture
part covers Layer 2 any-to-any pseudowires (also known as interworking [IW]), by which a
pseudowire links two attachment
circuits
data-link
can
Gain from the
first with
bookdifferent
to address
Layer 2layer
VPNprotocols.
applicationYou
utilizing
provision Layer 2 any-to-any
IW circuits
using
either Any Transport over MPLS (AToM) in
both ATOM
and L2TP
protocols
Multiprotocol Label Switching (MPLS) packet-switched networks (PSNs) or Layer 2 Tunnel
Protocol Version 3 (L2TPv3)
instrategies
IP cores. This
covers
both scenarios.
Review
that chapter
allow large
enterprise
The second part of this chapter details Layer 2 local switching, which allows you to switch Layer
2 packets between
two
interfaces
the
same router.
Layer 2 portion
local switching
is not a
For
a majority
of within
Service
Providers,
a significant
of their revenues
pseudowire technology
pseudowire
plane
signaling
is not
involved.
are stillper-say
derivedbecause
from data
and voicecontrol
services
based
on legacy
transport
However, local switching
is considered
part
of the
LayerVPNs
2 virtual
network
technologies.
Although
Layer
3 MPLS
fulfillprivate
the market
need(VPN)
for some
solution because customers,
operators who
implement
Layer
2 VPNs come
across
situations
in which local
they
have some
drawbacks.
Ideally,
carriers
with existing
switching is required.
The final part of this
chapter
consists
of a section
Layer
local switching
IWisand
services
over
their existing
Layerabout
3 cores.
The2 solution
in thesewith
cases
a a
section on advanced
topics that
related
toLayer
Layer22 transport
IW and local
technology
thatare
would
allow
overswitching.
a Layer 3
infrastructure.
The case studies in this chapter explain how to configure and manage Layer 2 IW, Layer 2 local
switching, and mixed
IW plus local switching
scenarios.
They
provide
extensive
LayerLayer
2 VPN2 Architectures
introduces
readers to
Layer
2 Virtual
Private
examples using multiple
circuit and
technology
combinations.
Networkattachment
(VPN) concepts,
describes

Layer 2 Interworking
Technology Overview
Previous chapters dealt

with Cisco
a diverse
Publisher:
Press variety of AToM and L2TPv3 examples on what is
sometimes referred to
like-to-like
attachment circuits . As the name implies, like-to-like
Pubas
Date:
March 10, 2005
means that the two attachment circuits use the same Layer 2 technology (that is, either two
ISBN: 1-58705-168-0
TableVLAN
of
Ethernet
attachment circuits or two Frame Relay attachment circuits). This section offers
Pages:
648
you aContents
mechanism and the underlying theory to configure any-to-any IW pseudowires. IW
Index perform the translation and adaptation necessary to interconnect disparate
functions
attachment circuits by means of a native service processor (NSP) function. The NSP requires
knowledge of the semantics of the payload to be adapted. It resides between the pseudowire
termination and the attachment circuit.
Following are theproductivity
two types ofgains
Layer 2 VPN IW:
LearnInternetworking
Private
Networks
(VPNs)
Bridged (Ethernet)
Ethernet
frames
that are
extracted from the
attachment circuit are sent over the pseudowire. In the case of 802.1q, the VLAN tag is
Reduce costs
and extend
the reach
of your
services
by unifying
yourand
removed. The pseudowire
functions
in Ethernet
(VC type
0x0005)
like-to-like
mode,
network
architecture
the IW function at the NSP performs the required adaptation based on the attachment
circuit technology. Non-Ethernet frames are dropped.
both ATOM and L2TP
protocols
Routed (IP) Internetworking
IP packets
that are extracted from the attachment
circuit are sent over the pseudowire. The pseudowire functions in IP Layer 2 Transport
(VC type 0x000B) like-to-like mode, and the IW function (NSP) performs the required
adaptation based on the attachment circuit technology. Non-IPv4 packets are dropped.

In general, you use Layer 2 IW to connect different Layer 2 technologies at both attachment
circuits by means of a pseudowire. The actual type of IW typically depends on the end-to-end
application type, such as bridged or routed. If you want to interconnect different attachment
circuit technologies and carry protocols other than IP, the only current option is bridged IW.
infrastructure.
Note
2 VPN
introduces
readers toattachment
Layer 2 Virtual
Private
Although theLayer
real use
of Architectures
any-to-any is to
connect dissimilar
circuit
types,
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
no rule states that the circuit types need to be different. You can configure a via
bridge
introductory
caseATM
studies
andcircuit
comprehensive
design circuits.
scenarios.
This book
IW pseudowire
between two
virtual
(VC) attachment
However,
assists
readers
looking
to
meet
those
requirements
by
explaining
the
just because you can do it does not mean you should, because not using the native
history
and
implementation
details
of
the
two
technologies
available
VC type has disadvantages, as you learn in the next sections. Specifically, only a from
Cisco Unified
suite:inAny
over
MPLS
(ATOM)
for MPLSsubset of thethe
possible
packetsVPN
received
theTransport
attachment
circuit
can
be transported.
comparing
them
to those
Layer
3 based
VPNs,
such as
In the IW case, the
pseudowire
consists
of of
two
endpoints
with
the same
VCMPLS,
type. then
With Ethernet
progressively
covering
each
currently
available
solution
in
greater
detail.
IW, the two pseudowire endpoints advertise a VC type of 5 for Ethernet. In contrast,
with IP
IW, the two pseudowire endpoints advertise a VC type of 11 for IP Layer 2 Transport. The
attachment circuits can be different, however, so an IW function deals with processing the
native service. The consequence is of paramount importance: Unlike the like-to-like case in
which the attachment circuit is transported transparently and unmodified, in the IW case, the
attachment circuits are terminated locally. The behavior of locally terminating attachment
circuits imposes some limitations, as you learn in the next two sections.
Another consequence is that the maximum transmission unit (MTU) considerations for IW
scenarios differ from the like-to-like ones, not only because the PDU that is transported is
different, but also because various interface types might have diverse default MTU values.
Bridged Interworking
ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, -
In the Ethernet IW case, Ethernet frames are bridged across the pseudowire. The customer
edge (CE) devices can either be running native Ethernet bridging or using Integrated Routing
and Bridging (IRB) or Routed Bridge Encapsulation (RBE), for example, on ATM subinterfaces.
This scenario shows you one of the usages for bridged IW: when a customer wants to bridge
ISBN: 1-58705-168-0
between
Tabletwo
of sites with LAN segments but the service provider access technology in one of the
Pages:
sites Contents
is either ATM or Frame 648
Relay.
Index
Bridged IW has some Layer 2-specific encapsulation behaviors, specifically when carrying
bridged protocols over ATM or Frame Relay. With Ethernet over ATM, two translations by the
NSP are supported when using Logical Link Control (LLC) of 0xAA-AA-03, indicating a
Subnetwork Access
Protocol
(SNAP)
an to
Organizationally
Unique
Identifier
(OUI) of
Master
the world
ofheader
Layer 2and
VPNs
provide enhanced
services
and enjoy
0x00-80-C2, which
means bridged
productivity
gains protocols. The same two translations by the NSP are
supported for Ethernet over Frame Relay using Control of 0x03; Pad of 0x00; Network Layer
Protocol Identifier (NLPID) of 0x80, indicating a SNAP header; and an OUI of 0x00-80-C2,
indicating bridged protocols:
PID 0x0007 802.3/Ethernet
without preserved frame check sequence (FCS)
Gainprotocol
from the
firstunit
book
to address
Layer 2
application
utilizing
PID 0x000E Bridge
data
(BPDU),
as defined
byVPN
802.1
or 802.1(g).
Figure 14-1 shows the bridged Ethernet/802.3 frame encapsulation over Frame Relay and ATM.
For aBridged
majority of
Service Providers, aFrame
significant
Figure 14-1.
Ethernet/802.3
Encapsulation
over
are still derived Frame
from data
and
voice
services
based
on legacy transport
Relay and ATM
3 full
networks
[View
size image]
infrastructure.
Figure 14-2 shows the BPDU encapsulation over Frame Relay and ATM.
Figure 14-2. BPDU Encapsulation over Frame Relay and ATM

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
The encapsulation of bridged Ethernet over Frame Relay and ATM is defined in RFC 2427
(which obsoletes RFC 1490 and RFC 1294), "Multiprotocol Interconnect over Frame Relay," and
RFC 2684 (which obsoletes
RFCcosts
1483),
Encapsulation
over ATM
Adaptation
Layer
Reduce
and"Multiprotocol
extend the reach
of your services
by unifying
your
5," respectively.
Routed
Interworking

In the routed IW case, their
only service
IPv4 packets
are while
sent over
the pseudowire.
Any non-IPv4 packets
offerings
maintaining
routing control
are dropped. Depending on the Layer 2 technology being used, IPv4 packets are identified by a
specific upper layer
identification
eitheraEthertype
dynamic
link
Forprotocol
a majority
of Service field:
Providers,
significant(0x0800),
portion ofPPP
their
revenues
library (DLL) (0x0021),
or
NLPID
(0xCC)
for
Ethernet,
PPP,
and
Frame
Relay,
respectively.
Because Layer 2 technologies
IP datagrams
differently,
NSP IW
function
is
technologies.encapsulate
Although Layer
3 MPLS VPNs
fulfill thethe
market
need
for some
required to perform
translation.
Only IP packets are
transported;
therefore,
address
are dropped.
backbone
while new
carriers
would resolution
like to sell packets
the lucrative
Layer 2 Address
resolution is handled
differently
in
diverse
Layer
2
technologies:
infrastructure.
Ethernet Using
Address Resolution protocol (ARP)
Layer
2 ATM
VPN Architectures
Frame Relay
and
Using Inverseintroduces
ARP
introductory
caseControl
studiesProtocol
and comprehensive
PPP Using Internet
Protocol
(IPCP)
history and
implementation
details
of the
two
technologies
available
from
These address resolution
packets
are dropped,
because
they
are
not IPv4 packets.
The
protocol
Unified VPN suite: Any Transport over MPLS (ATOM) for MPLStype in all cases isthe
asCisco
follows:
ARP Ethertype
0x0806
defined
in RFC
reader
to Layer
2 VPN
benefits
Inverse ARP
Ethertype 0x0806
defined
in RFC 2390
progressively
covering
each currently
IPCP PPP DLL Protocol number 0x8021 defined in RFC 1332
In consequence, you need to give specific considerations to address resolution. Following are
some tips for routed IW:
General consideration Because the address resolution mechanisms and packets are
different, no direct translation is possible other than an NSP function involving address
resolution termination and signaling.
Ethernet With native Ethernet, the provider edge (PE) device acts as a proxy-ARP to all
ARP requests received from the CE.
Point-to-point
ATM and Frame Relay Inverse ARP does not run by default in point-toWei Luo,
CCIEsubinterfaces,
No. 13,291,Carlos Pignataro,
CCIE
4619,Dmitry
- CCIE
point FrameBy
Relay
or -ATM
because- the
IPNo.
address
andBokotey,
subnet
mask define
No. prefix.
4460,Anthony
Chan, - CCIE
No. 10,266
the connected
Therefore,
no configuration
is required in the CE devices.
Multipoint ATM
and Frame
Relay Inverse ARP is enabled and runs by default in
Publisher:
Cisco Press
multipoint ATMPub
andDate:
Frame
Relay
subinterfaces. Because routed IW simply drops inverse
March
10, 2005
ARP packets and does not support inverse ARP, the IPv4 address at the remote end of an
ISBN: 1-58705-168-0
Table
ATM ofor Frame Relay permanent virtual circuit (PVC) cannot be discovered dynamically.
Pages:
648
Contents
Therefore, in this case, manual configuration of static IPv4 to PVC mapping is needed in
Index
the CE devices.
PPP For PPP attachment circuits, manual configuration of the remote CE's IPv4 address
for IPCP negotiation is needed in the PE device configuration.
productivity gains
Note
Reduce
costs and extend
the reach to
of routed
your services
by unifying
your
The address resolution
considerations
are applicable
IW because
address
network
architecture
resolution packets are not transported end-to-end over the pseudowire.
Review
Interworking MTU
Considerations
As you learned in Chapter 6, "Understanding Any Transport over MPLS," in all Layer 2 VPN IW
using AToM cases except the transport of ATM cells, MTUs need to match in both attachment
circuits for the pseudowire to come up. The MTU value is advertised in the MTU interface
parameter.
This prerequisite takes a new meaning with IW because different interface types have different
default MTU values. The default MTU values in Cisco IOS are shown in Table 14-1.
infrastructure.
Table 14-1.
Default MTU Values for Different Medias

meet those
Interface Typeassists readers looking to
Default
MTU requirements by explaining the
Serial
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS1500 bytes
Ethernet
HSSI
ATM
4470 bytes
POS
When you are configuring pseudowires between interfaces that have default MTU values (such
as Packet over SONET [POS] to Ethernet), the MTU values need to match. Frame Relay has a
special circumstance that is covered in the case studies.

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.

Layer 2 Interworking
Case Studies
This section covers case

studies
Layer 2 VPN IW. Multiple variations of Ethernet and IP IW using
Publisher:
Ciscoof
Press
both AToM and L2TPv3
Pub are
Date:covered
March 10,using
2005 the network shown in Figure 14-3.
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Figure 14-3. L2VPN IW Case Study Topology

productivity gains
Note

The LDP and targeted LDP configuration and sessions apply only to the AToM cases.
All case studies use a common initial configuration, which includes the following:
infrastructure.
Create a loopback
interface and assign a /32 IP address to it.
Layer
2 VPN Architectures
introduces
Enable IP Cisco
Express
Forwarding (CEF)
globally.
introductory
case studies
design scenarios.
book
For AToM cases,
enable MPLS
globallyand
andcomprehensive
select Label Distribution
ProtocolThis
(LDP)
as the label
readers
looking
to meetinterface's
those requirements
the ID.
distribution assists
protocol.
Specify
the loopback
IP addressby
asexplaining
the LDP router
By using point-to-point
serial VPN
interfaces
are running
Cisco
High-Level
Link Control
the Cisco Unified
suite: that
Any Transport
over
MPLS
(ATOM) Data
for MPLS(HDLC) between
and and
P routers,
unnumber
interfaces'
to native
the previously
basedPE
cores
Layer 2
Tunnelingthose
Protocol
versionIP
3 addresses
(L2TPv3) for
defined loopback.
This
effectively
the number
of IP
to one for
IP cores.
The
structurereduces
of this book
is focused
onaddresses
first introducing
theall core routers.
For AToM cases,
enablethem
LDP in
PE-to-P
interfaces.
comparing
to all
those
of Layer
Enable an Interior Gateway Protocol (IGP) among the core routers. These case studies use Open
Shortest Path First (OSPF) with a single area 0.
The initial configuration including MPLS is shown for the SanFran PE router. The Denver and New York
configurations are analogous to this one (see Example 14-1).
!
hostname SanFran
!
ip cef
mpls ip
No. 4460,ldp
mpls label protocol
mpls ldp router-id Loopback0 force
!
interface Loopback0
ip address 10.0.0.201 255.255.255.255
ISBN: 1-58705-168-0
! Table of
Pages:
648
Contents Serial10/0
interface
Index
ip unnumbered
Loopback0
mpls ip
!
router ospf 1
productivity
gains
network 10.0.0.201
0.0.0.0
area 0

The configuration for Layer 2 IW transport requires the use of a pseudowire class and involves the use
of the command interworking {ip | ethernet}. In the upcoming sections, you will learn the
configuration and verification for the following IW case studies:
both
Ethernet (Bridged)
IW:ATOM and L2TP protocols
large
Case Study Review
14-1: Ethernet-to-VLAN
Using
AToM
Case Study 14-2: Ethernet-to-VLAN Using L2TPv3
are still
derived
data and voice
Case Study
14-3:
ATMfrom
AAL5-to-VLAN
Usingservices
AToM based on legacy transport
IP (Routed) customers,
IW:
Case Study
14-4:while
Frame
Relay-to-VLAN
AToM
backbone
new
carriers wouldUsing
like to
Case Study
14-5: that
Frame
Relay-to-PPP
Using
L2TPv3 over a Layer 3
technology
would
allow Layer
2 transport
infrastructure.
Case Study 14-6: IP L2-Transport MTU Considerations
Case Study
14-7:
Frame
Relay-to-ATM
Interworking
Best
Network
(VPN)
concepts,
and describes
Layer 2
VPNPractices
techniques via
history and
implementation Case
details of
Ethernet (Bridged)
Interworking
Studies
cores
and Layer
2 Tunneling
Protocol
version
3 (L2TPv3)
In this section, you
learn
to configure
bridged
IW using
both AToM
and
L2TPv3. for native
Case Study 14-1:
Ethernet-to-VLAN
Using
AToMavailable solution in greater detail.
progressively
covering each
currently
The first case study covers Ethernet-to-VLAN bridged IW using AToM. The topology used is shown in
Figure 14-4.
Figure 14-4. Ethernet-to-VLAN Bridged IW Using AToM


ISBN: 1-58705-168-0
Table of
Pages:
648
In theContents
case of IW, the attachment circuit configuration required in a PE device does not mirror the
Index
remote
PE device configuration.
Example 14-2 shows the configuration for the Ethernet side in the SanFran PE.
productivity gains
Example 14-2. Ethernet Side Configuration for Ethernet IW Using AToM

!
hostname SanFran
!
pseudowire-class atom-iw-eth-vlan
encapsulation mplsGain from the first book to address Layer 2 VPN application utilizing
interworking ethernet
!
no ip address
no cdp enable
For a majority
of Service
xconnect 10.0.0.203
1 pw-class
atom-iw-eth-vlan
!
FromExample 14-2,
you canwhile
see that
specific
configuration
the interworking
ethernet
backbone
new the
carriers
would
like to sell requires
the lucrative
Layer 2
command in the pseudowire-class
configuration
submode.
is applied
services over their
existing Layer
3 cores.The
Thexconnect
solution indirective
these cases
is a to the
Ethernet interface.
Also note that
that would
the noallow
cdp Layer
enable
commandover
was aentered
technology
2 transport
Layer 3to prevent the PE from
sending CDP packets
to the CE. The PE device does not discover the CE device as a Cisco Discovery
infrastructure.
Protocol (CDP) neighbor, because the PE device does not inspect CDP packets coming from the CE;
instead, these packets
transported
over introduces
the pseudowire.
However,
did not
disable CDP in the
Layer are
2 VPN
Architectures
readers
to Layerif2you
Virtual
Private
attachment circuit,
the PE (VPN)
sends concepts,
CDP packets
the attachment
circuit,
and the via
local CE discovers the
Network
andout
describes
Layer 2 VPN
techniques
PE in addition to the
remote CE.
You
disable
CDP
to prevent thedesign
CE from
"seeing"This
the book
PE device.
introductory
case
studies
and
comprehensive
scenarios.
Example 14-3 shows
the and
configuration
for thedetails
802.1qofVLAN
sidetechnologies
in the NewYork
PE. from
history
implementation
the two
available
IP cores.
The
structure
of this book isfor
focused
on firstInterworking
introducing the Using
Example 14-3.
VLAN
Side
Configuration
Ethernet
AToM
!
hostname NewYork
!
pseudowire-class atom-iw-eth-vlan
encapsulation mpls
!
no ip address
no cdp enable
!
no cdp enable Layer 2 VPN Architectures
ByWei Luo,1- pw-class
CCIE No. 13,291,
xconnect 10.0.0.201
atom-iw-eth-vlan
!
The VLAN PE side is similar to the Ethernet side, except that the xconnect command is applied to the
ISBN:
1-58705-168-0
dot1Q
subinterface.
Also,
remember
to disable CDP in the Ethernet main interface and subinterface so
Table
of
Pages:
648
that you
do not send CDP packets
to the CE device.
Contents
Index
The CE configuration is included in Example 14-4 for both Oakland and Albany CEs for comparison.
Master
the world of Layer 2 CE
VPNs
Example 14-4.
Ethernet-to-VLAN
Configuration
productivity gains
! Oakland CE Ethernet attachment circuit configuration
!
hostname Oakland
!
ip address 192.168.27.1 255.255.255.0
!
! Albany CE VLAN attachment
circuit
configuration
Review strategies
that
!
hostname Albany
!
no ip address technologies. Although Layer 3 MPLS VPNs fulfill the market need for some
!
dot1Q 1 while new carriers would like to sell the lucrative Layer 2
ip address 192.168.27.2
services over255.255.255.0
!
infrastructure.

Example 14-5 shows
that the
AToM
L2transport
circuit is UP.
It 2
also
shows
other detailed
information
Network
(VPN)
concepts,
and describes
Layer
VPN
techniques
via
captured from theintroductory
NewYork side.
Example 14-5.
Bridged
Interworking
Verification
the AToM
Cisco Unified
VPN suite:
Any Transport
over MPLS (ATOM) for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
NewYork#show mpls
l2transport
vc benefits and implementation requirements and
reader
to Layer 2 VPN
comparing
them
to
those of Layer
based VPNs,VC
such
then
Local intf
Local circuit
Dest 3address
IDas MPLS,
Status
progressively
covering
each
currently
available
solution
in
greater
detail.
---------------------------------------------------- ---------Et0/0.1
Eth VLAN 1
10.0.0.201
1
NewYork#show mpls l2transport vc detail
MPLS VC type is Ethernet, interworking type is Ethernet
UP

Layer 2 VPN
Group ID: local
0, Architectures
remote 0
Wei Luo,remote
- CCIE No.
MTU: local By
1500,
1500
No. 4460,Anthony
Remote interface
description:
Sequence number:
receive
send 0
Publisher:
Cisco0,
Press
VC statistics: Pub Date: March 10, 2005
ISBN: 1-58705-168-0
Table oftotals:
byte
Pages:
648
Contents drops: receive
packet
0, seq error 0, send 0
Index
NewYork#
The first verification
is performed
using the command show mpls l2transport vc to check that the
productivity
gains
L2transport VC is UP. You can note some important points using the detail keyword of that command
in the NewYork side (VLAN side). The following list explains the first three lines of the output:
Local interface and
state
Et0/0.1
up, line
protocol
up.
Note
that line
Reduce
costs
and extend
the
reach of
your
services
byprotocol
unifyingcannot
your be
detected in the PEnetwork
Ethernet
interfaces
because
that
would
imply
generating
loop
packets
out of
architecture
the attachment circuit toward the CE device and intercepting them. Instead, all Ethernet packets
received are transported
without
inspection.
Gain from
the first
Attachment circuit type and state Eth VLAN 1 up. Note that this refers only to the local
attachment circuitReview
type. strategies that allow large enterprise customers to enhance
VC type Ethernet (VC type 0x0005). Although the attachment circuit (AC) is Ethernet VLAN, the
VC type is always
Ethernetof
forService
bridged
IW. Bridged
IW uses this
VC type
for revenues
all AC technologies.
For a majority
Providers,
a significant
portion
of their
Interworking
type Ethernet
(bridged)
the market
pseudowire-class
atomiwtechnologies.
Although
Layeras
3 configured
MPLS VPNsunder
fulfill the
need for some
eth-vlan template.
This
triggers
the
use
of
the
Ethernet
VC
Type.
10.0.0.201backbone
This is thewhile
remote
router
ID configured
thelucrative
xconnect
command.
newPE's
carriers
would
like to sellinthe
Layer
2
VC ID 1 as configured in the xconnect command. The VC ID needs to match in both PEs.
infrastructure.
VC status: UP The VC status UP means that the VC can carry data between the two endpoints.
(Imposition and disposition are programmed.) Two conditions need to hold true:
Disposition interfaces programmed The VC has been configured and the CE interface is
up.
historyinterfaces
and implementation
details
of disposition
from and there
Imposition
programmed
The
interface isavailable
programmed,
the
Cisco
Unified
VPN
suite:
Any
Transport
over
MPLS
(ATOM)
for
MPLSis a remote VC label and an IGP label (label-switched path to the peer). Note that for the
based
cores and
Layer
2 Tunnelingthe
Protocol
version
3 (L2TPv3)
native
imposition
interface
to be
programmed,
disposition
interface
must for
have
been
IP
cores.
The
structure
of
this
book
is
focused
on
first
introducing
the
programmed previously.
comparing
to those
of Layer
3 based
VPNs, such
asisMPLS,
then
Even though the first
line of them
the output
shows
that the
attachment
circuit
the Ethernet
VLAN with a
progressively
covering
each
currently
available
solution
in
greater
detail.
VLAN ID of 1, the VC type that is signaled is Ethernet because of the IW type Ethernet.
You can also
see this in Example 14-6.
Example 14-6. Checking the AToM Bindings

NewYork#show mpls l2transport binding
Local Label: 18
Cbit: 1,
VC Type: Ethernet,
GroupID: 0
MTU: 1500,
Interface Desc: n/a
Layer 18
2 VPN Architectures
Remote Label:
ByWei Luo,
CCIE No.Ethernet,
- CCIE0No. 4619,Dmitry Bokotey, - CCIE
Cbit: 1,
VC- Type:
GroupID:
No. 4460,Anthony
Chan, - Desc:
CCIE No.n/a
10,266
MTU: 1500,
Interface
NewYork#

ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
In all the pseudowire endpoints that use Ethernet IW, the VC type is 0x0005 for Ethernet regardless of
Index
whether the attachment circuits are 802.1q VLAN, ATM AAL5, or Frame Relay.
Each endpoint does behave differently, however, because the attachment circuits differ:
productivity
gains
Ethernet The
Ethernet attachment
circuit behaves exactly as described in Chapter 7, "LAN
Protocols over MPLS Case Studies." There is no difference in imposition or disposition of Ethernet
frames or in CLI command output. In fact, the Ethernet side is completely unaware that a remote
IW function exists, so its state is no different.
802.1q VLAN The VLAN attachment circuit performs the IW function by the NSP both at
imposition and disposition. For example, at disposition, Ethernet frames that are received from
the pseudowire are
inserted
with
thebook
4-byte
802.1q header
source MAC
address. These
Gain
from the
first
to address
Layer 2after
VPN the
application
utilizing
extra 4 bytes include
the
2-byte
Ethertype
value
of
0x8100,
indicating
802.1q/802.1p
VLAN,
followed by the 2 bytes of tag control information (3 bits of class of service [CoS], 1 bit of
Canonical FormatReview
Identifier
[CFI], and
bits large
of VLAN
ID equalcustomers
to 1 in this
strategies
that12
allow
enterprise
toexample).
enhance Following
these 4 bytes, thetheir
nextservice
2 bytes
are the while
ones that
originally
came control
after the source MAC
offerings
maintaining
routing
addressthat is, Ethertype for Ethernet II and length in the case of 802.3. This new packet is sent
over the attachment
circuitoftoService
the CEProviders,
device. a significant portion of their revenues
For a majority
It is also worth noting
that ARPAlthough
is end-to-end,
in Ethernet
IW,market
ARP packets
aresome
just Ethernet
technologies.
Layer because
3 MPLS VPNs
fulfill the
need for
frames with Ethertype
0x0806.
You can see in Figure
14-5 the
way
the
encapsulation
changes
packet Layer
traverses
from the
backbone
while
new
carriers
would like
to sell as
thethe
lucrative
2
Oakland CE through
the
AToM
network
to
the
Albany
CE
and
vice
versa.
infrastructure.
Figure 14-5.Layer
Ethernet-to-VLAN
Bridged
Interworking
2 VPN Architectures AToM
introduces
readers
to Layer 2 VirtualEncapsulation
Private
Network (VPN) concepts, and Details
full size
history and implementation[View
details
of image]

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
You can see that the NewYork PE inserts the 802.1q header at imposition and removes it at disposition.
The 802.1q header is not
carried
over
the
pseudowire.
Youofcan
also
see that
LAN FCS
Reduce
costs
and
extend
the reach
your
services
bythe
unifying
youris not
transported over the pseudowire.
The
PE
routers
need
to
regenerate
it
at
disposition
and
remove it at
imposition.
Case Study 14-2: Ethernet-to-VLAN Using L2TPv3

This case study presents a similar example to Case Study 14-1 but uses L2TPv3 as the pseudowire
technology. The topology
is included
in Figure
14-6. Note
that MPLS
is notofconfigured.
For a majority
of Service
Providers,
a significant
portion
their revenues
Figure
14-6.
IW
Using
L2TPv3
legacy
Layer Ethernet-to-VLAN
2 and Layer 3 networks Bridged
would like to
move
toward
a single
infrastructure.
You can view the IP
configuration
required for
this book
case is
study
as a on
like-to-like
L2TPv3 the
configuration with
of this
focused
first introducing
the additional pseudowire
interworking
ethernet. You
can also view
reader toclass
Layercommand
2 VPN benefits
and implementation
requirements
andit as the same
configuration as Case
Study them
14-1, to
using
theofpseudowire
classVPNs,
encapsulation
l2tpv3
comparing
those
Layer 3 based
such as MPLS,
thencommand plus
any additional L2TPv3
settings.covering each currently available solution in greater detail.
progressively
Example 14-7 shows the configuration required for the SanFran PE. To highlight the specific IW
commands, this example uses default L2TPv3 dynamic configuration under the l2tpv3-iweth-vlan
pseudowire-class. Therefore, it employs the L2TP class l2tp_default_class.
Example 14-7. Ethernet Side Configuration for Ethernet IW Using L2TPv3

!
hostname SanFran
!
pseudowire-class l2tpv3-iw-eth-vlan
2 VPN Architectures
encapsulation Layer
l2tpv3
No. 4460,Loopback0
ip local interface
!
no ip address
no cdp enable
ISBN: 1-58705-168-0
Table of 10.0.0.203 2 pw-class
xconnect
l2tpv3-iw-eth-vlan
Pages:
648
Contents
!
Index
Example 14-8 shows the configuration required for the NewYork PE, where the attachment circuit is
Master subinterface.
configured in an 802.1q
productivity gains
Example 14-8. VLAN

Side Configuration for Ethernet IW Using L2TPv3
!
hostname NewYork
!
pseudowire-class l2tpv3-iw-eth-vlan
ip local interfacetheir
Loopback0
!
no cdp enable technologies. Although Layer 3 MPLS VPNs fulfill the market need for some
!
dot1Q 2 while new carriers would like to sell the lucrative Layer 2
no cdp enable services over their existing Layer 3 cores. The solution in these cases is a
xconnect 10.0.0.201
2 pw-class
technology
that would l2tpv3-iw-eth-vlan
!
infrastructure.
The CE configuration
is analogous
the previous
case study. You
can scenarios.
perform verifications
introductory
caseto
studies
and comprehensive
design
This book using
different permutations
of
the
command
show
l2tun
session
(see
Example
14-9).
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSExample 14-9.
L2TPv3
Bridged
Verification
based
cores and
Layer 2 IW
Tunneling
NewYork#show l2tun session
LocID
RemID
TunID
Username, Intf/
Vcid, Circuit
2, Et1/0.1:2
39772
21748
12926
NewYork#
NewYork#show l2tun session all
State
est

Remote tunnel name is SanFran
ByWeisignalled
Session is L2TP
4460,
Anthony Chan, - CCIE
No.since
10,266 change 08:33:51
Session stateNo.is
established,
time
Cisco Press
200195 Bytes Publisher:
sent, 13658
received
Receive packets
dropped:
Pub Date:
March 10, 2005
out-of-order: ISBN: 1-58705-168-0
0
Table
of
total:
0
Pages: 648
Contents
Send
packets dropped:
Index
0
total:
0
Session vcid Master
is 2 the world of Layer 2 VPNs to provide enhanced services and enjoy
Session Layerproductivity
2 circuit,
type is Ethernet Vlan, name is Ethernet1/0.1:2
gains
Circuit state is UP
L2TP VC type is Ethernet, interworking type is Ethernet
Layer
2 Virtual
Private
(VPNs)
Remote session Learn
id isabout
21748,
remote
tunnel
id Networks
48316
costs and
No session cookieReduce
information
available
architecture
FS cached header network
information:
Gain00000000
from the first
00000000 00000000
00000000
both
ATOM
and
L2TP
protocols
00000000 00000000
Sequencing is off
NewYork#

are show
still derived
datawithout
and voice
servicesorbased
on legacy
transport
Using the command
l2tun from
session
keywords
arguments
displays
summary
AlthoughYou
Layer
3 see
MPLS
VPNs
for some
information abouttechnologies.
the L2TPv3 sessions.
can
that
thefulfill
statethe
for market
the onlyneed
session
is established.
customers,
havedetailed
some drawbacks.
Ideally,
carriers withtells
existing
You can use the keyword
all they
to obtain
information.
This information
you that the session
legacy Layerusing
2 and
Layer
3 networks
like 2
tocircuit
move type
toward
a single VLAN, and
was established successfully
L2TP
signaling,
thatwould
the Layer
is Ethernet
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
that the VC type is Ethernet. Like Ethernet IW using AToM, the VC type is always 0x0005
for Ethernet
services
over
their
existing
Layer
3
cores.
The
solution
in
these
cases
is a
despite the attachment circuit technology, which is Ethernet VLAN in this case. This command
clearly
technology
shows that the IW
type is Ethernet.
infrastructure.
Another command that uses the interworking keyword presents IW-specific information. Refer to
Layer
2 VPN Architectures
introduces
Layer
2 Virtual Private
Example 14-10, and
compare
the differences
in output readers
from thetotwo
PE routers.
Example 14-10.
Displaying IW Details in L2TPv3
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbasedsession
cores andinterworking
SanFran#show l2tun
IP cores.Total
The structure
book is focused
Session Information
tunnelsof1this
sessions
1
to Layer
2 VPNdue
benefits
and implementation
requirements and
Tunnel controlreader
packets
dropped
to failed
digest 0
LocID
TunID
Peer-address
Type IWrk Username, Intf/
Vcid, Circuit
21750
48316
10.0.0.203
ETH 2, Et1/0
SanFran#
NewYork#show l2tun session interworking
LocID
TunID
Peer-address
Type IWrk Username, Intf/
39772
NewYork#
12926
10.0.0.201
VLAN ETH
Vcid, Circuit
2, Et1/0.1:2

FromExample 14-10, you can see that in the SanFran end, the type is represented as ETH for
Ethernet, because that is the attachment circuit type. The IW type (Iwrk) is dashed out, meaning that
an NSP IW function is nonexistent, or to be more precise, a NULL IW function exists between Ethernet
and Ethernet.
Table of
ISBN: 1-58705-168-0
Pages:
648 is oblivious about the remote NSP IW function. For all the SanFran side
As you
know, the Ethernet
side
Contents
knows,
the
remote
end
might
also be Ethernet.
Index
In contrast, the NewYork side shows the type as VLAN because that is the attachment circuit type. The
NSP IW type is shown as ETH for Ethernet, making explicit the fact that there is an NSP function.
ARP packets are also
handled gains
end-to-end just the same way as in the AToM bridged IW Case Study 14productivity
1. As a final note that is applicable to both AToM and L2TPv3 Ethernet VLAN attachment circuits, you
can use the command show interface to display xconnect statistics (see Example 14-11).
Reduce costs and

extend the
reach of your
by unifying
your
Example 14-11. Displaying
Xconnect
Statistics
in services
the Ethernet
VLAN
Gain from
the first
ethernet
1/0.1
both
ATOM
and
L2TP
Ethernet1/0.1 is up, line protocol isprotocols
up
Hardware is Lance, address is 0000.0c00.cb01 (bia 0000.0c00.cb01)
Review
that1000
allowusec,
large enterprise
customers
enhance
MTU 1500 bytes, BW
10000strategies
Kbit, DLY
rely 255/255,
loadto1/255
their Virtual
service offerings
whileID
maintaining
routing control
Encapsulation 802.1Q
LAN, Vlan
2.
ARP type: ARPA, ARP Timeout 04:00:00
Xconnect switched:
areChars
still derived
from data
voice
services
on legacy transport
Pkts In 556,
In 75990,
Pktsand
Out
795,
Chars based
Out 91196
technologies.
Although
Layer
3
MPLS
VPNs
fulfill
the
NewYork#
Case Study 14-3:
ATM AAL5-to-VLAN
Using
technology
that would allow
LayerAToM
infrastructure.
This bridged IW case study shows Ethernet IW between ATM AAL5 and Ethernet VLAN attachment
Layer
2 VPN
Architectures
introduces
to Layer
Virtual Private
circuits using AToM.
The
objective
is to present
a minorreaders
difference
and to2 emphasize
concepts. See
Network
(VPN)ATM
concepts,
and describes
Example 14-12 for
the SanFran
AAL5-specific
configuration.
history
and Side
implementation
details offor
the Ethernet
two technologies
available
from
Example 14-12.
ATM
Configuration
IW Using
AToM
!
hostname SanFran
!
pseudowire-class
atom-iw-atm-vlan
progressively
encapsulation mpls
!
mtu 1500
xconnect 10.0.0.203 500 pw-class atom-iw-atm-vlan
!
The highlighted lines

outline
the No.
configuration
is specific
to the
ByWei
Luo, - CCIE
13,291,Carlos that
Pignataro,
- CCIE No.
4619,AAL5
Dmitry attachment
Bokotey, - CCIEcircuit with
bridged IW. ATM No.
IW 4460,
endpoints
are
sensible
only
using
ATM
AAL5
attachment
circuits, not cell relay.
Note the MTU setting in the ATM4/0.500 subinterface to match the FastEthernet subinterface MTU and
enable the Layer 2 circuit to come up. Some output refers to the Layer 2 circuit as L2Ckt . The other PE
Pub Date:
March 10, 14-13.
2005
configuration is included
in Example
Table of
Contents
Example
Index
ISBN: 1-58705-168-0
Pages: 648
14-13. VLAN Side Configuration for Ethernet IW Using AToM
!
hostname NewYork
!
productivity gains
pseudowire-class atom-iw-atm-vlan
encapsulation mpls
!
interface FastEthernet0/0.500
network
encapsulation dot1Q
500 architecture
xconnect 10.0.0.201 500 pw-class atom-iw-atm-vlan
!

their servicecommands
offerings while
maintaining
routing control
You can use the usual verification
of show
mpls l2transport
vc and show mpls
l2transport binding to confirm control plane status (see Example 14-14).
Example 14-14.
Bridged IW Verification
backbone
while new
SanFran#show mpls
l2transport
vccarriers
500 would like to sell the lucrative Layer 2
Local intf
Local circuit
Dest 2address
VC aID
technology
transport over
Layer 3 Status
------------- infrastructure.
----------------------- --------------- ---------- ---------AT4/0.500
ATM AAL5 0/500
10.0.0.203
500
UP
Layerl2transport
2 VPN Architectures
SanFran#show mpls
vc 500 introduces
detail
Network
(VPN) up,
concepts,
describes
VPN 0/500
techniques
Local interface:
AT4/0.500
line and
protocol
up,Layer
ATM 2AAL5
up via
caseinterworking
MPLS VC type introductory
is Ethernet,
type is Ethernet
assists readers
looking toVC
meet
10.0.0.203,
ID:those
500,requirements
VC status: by
upexplaining the
history not
and configured
Preferred path:
the Cisco
Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSDefault path:
active
based
cores and next
Layer hop
2 Tunneling
Tunnel label:
imp-null,
10.0.1.203
IP cores. Fa0/0,
The structure
of this
bookstack
is focused
Output interface:
imposed
label
{16 on
25}first introducing the
to Layer
2 VPN
benefits
and implementation
Create time: reader
00:14:22,
last
status
change
time: 00:14:22requirements and
comparing
them
to those
of Layer 3 based
Signaling protocol:
LDP,
peer
10.0.0.203:0
up
progressively
each25
MPLS VC labels:
local covering
17, remote
VC statistics:
byte totals:
receive 0, send 0

Local Label: 17
ByWei Luo,
CCIE No.Ethernet,
- CCIE No.5 4619,Dmitry Bokotey, - CCIE
Cbit: 1,
VC- Type:
GroupID:
No.
4460,
Anthony
Chan,
CCIE
No.
10,266
MTU: 1500,
Interface Desc: n/a
Cisco Press
Remote Label:Publisher:
25
Cbit: 1, Pub Date:
VC Type:
Ethernet,
GroupID: 0
March 10,
2005
MTU: 1500, ISBN:
Interface
Desc:
n/a
1-58705-168-0
Table of
VCCV Capabilities:
Pages:
648 Type 1, Type 2
Contents
SanFran#
Index
From the output of the command show mpls l2transport vc 500, you can see that the local circuit is
world
of Layer
VPNs to provide
enhanced
services
enjoysee that
an ATM AAL5 VC Master
and thethe
status
is UP.
When2 appending
the detail
keyword,
you and
can also
productivity
gains
although the attachment circuit is ATM AAL5 0/500, the MPLS VC type (PW Type) is 0x0005 for
Ethernet. The IW type is also Ethernet. Finally, using the command show mpls l2transport binding
500, you can further prove that for both the ATM AAL5 VC and Ethernet VLAN attachment circuits, the
VC type is Ethernet and the MTU that is advertised is 1500 bytes.
InFigure 14-7, the encapsulation changes as the packet traverses from the Oakland CE as bridged
Ethernet/802.3 PDUs over AAL5, through the AToM network as Ethernet over MPLS, to the Albany CE
as a tagged Ethernet frame
and vice
versa.
Gain from
the first
Figure 14-7. ATM

AAL5
toofferings
VLAN while
AToM
Bridgedrouting
IW Encapsulation
Details
their
service
maintaining
control
[Viewvoice
full sizeservices
image]
are still derived from data and
infrastructure.
You can see that the NewYork PE inserts the 802.1q header at imposition and removes it at disposition.
The LAN FCS is not transported over the pseudowire. The NewYork PE needs to regenerate the LAN
FCS at disposition and remove it at imposition. For a bridged frame over AAL5, the organization code is
0x0080C2 for 802.1. Only the PID of 0x0007 indicating 802.3/Ethernet without preserved FCS is
supported. Therefore, no LAN FCS exists in the AAL5 attachment circuit.
Ethernet-VLAN IW Switch Environment Considerations

You need to take Layer
specific
considerations
2 VPN
Architectures into account in a switched environment, as shown in Figure
14-8, that are not present in a router environment.
Figure 14-8. Switch Environment Topology

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
You can see from Figure 14-8 that you have an IW scenario between Ethernet and VLAN in a LAN
Learn
about14-8,
Layer
Virtual
Private
Networks
(VPNs)
switch environment. From
Figure
SP2 SW
1 and
SP SW
2 are service
provider switches, and CE
SW 1 and CE SW 2 are customer switches. The PSN can be either MPLS with AToM pseudowire or IP
with L2TPv3 pseudowire.
In this case, you are using bridged IW between Ethernet and VLAN attachment circuits and allowing
Gain
the first
book toofaddress
2 VPN application
utilizing
per-VLAN spanning tree
plusfrom
(PVST+).
Because
the NSPLayer
IW function,
the VLAN tag
is modified,
both
ATOM
and
L2TP
protocols
removed, or added. Spanning Tree Protocol (STP) BPDUs sent from the switch contain the source VLAN
that the BPDU is sent on in the 802.1q header, but PVST+ also contains the Port VLAN ID (PVID) TLV
Review
strategies
that
allow
large enterprise
customers
to enhance
(type, length, value) field
inside
the BPDU
that
identifies
the VLAN number
of the
source port. The
their
offerings awhile
maintaining
routing
control
result is that the remote
CE service
switch received
BPDU
with an outer
802.1q
VLAN tag that is different
from the VLAN number in the PVID TLV field in the PVST+ BPDU, or even missing. Because of this
a majority
ofport
Service
a significant
portion
of their
inconsistency, theFor
BPDU
puts the
into Providers,
a PVID-inconsistent
state,
blocking
therevenues
traffic in that VLAN
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
to prevent forwarding loops. This error condition is a result of violating one of the
PVST+ rules,
technologies.
Although
3 MPLS
fulfill the market
need forasome
ensuring a consistent
native VLAN
on all Layer
bridges.
WhenVPNs
the inconsistency
is detected,
switch logs
customers,
they
have
some
drawbacks.
Ideally,
carriers
with
existing
error messages such as %SPANTREE-2-RX_1QPVIDERR, % SPANTREE-2-RX_BLKPORTPVID,
or others
Layer
2 and Layer
networks
wouldThese
like toerrors
moveindicate
toward ainconsistency
single
depending on thelegacy
specific
configuration
and3traffic
direction.
while tag.
newThis
carriers
would likealso
to sell
the lucrative
Layer Ethernet
2
between the PVIDbackbone
and the VLAN
consideration
applies
to like-to-like
VLAN mode
services
over
their
existing
Layer
3
cores.
The
solution
in
these
cases
is a tag needs
pseudowires with VLAN rewrite and Frame Relay or ATM to VLAN bridged IW, where a VLAN
to be inserted or removed.
infrastructure.
Routed Interworking

assists
readers looking
by explaining
theuses a new VC
This section explores
configuring
routed to
IWmeet
usingthose
both requirements
AToM and L2TPv3.
Routed IW
history
andwas
implementation
details
the two
technologies
available
from
type of 11 (0x000B),
which
not used before.
TheofAToM
imposition
function
directly
encapsulates a
the AToM.
Cisco Unified
Any of
Transport
(ATOM)
for MPLSraw IP packet inside
That is VPN
why suite:
the name
VC typeover
11 isMPLS
IP Layer2
Transport.
Case Study 14-4:
Frame Relay-to-VLAN Using AToM
This case study involves configuring and verifying IP IW between Frame Relay and VLAN attachment
circuit endpoints. This topology is included in Figure 14-9.
Figure 14-9. Frame Relay-to-VLAN Routed IW Using AToM


Table of
ISBN: 1-58705-168-0
SanFran
and Oakland use
Frame
Pages:
648 Relay Internet Engineering Task Force (IETF) encapsulation. SanFran
Contents
is the LMI data communication equipment (DCE) (Frame Relay switch behavior), and Oakland is the
Index
Local Management Interface (LMI) data terminal equipment (DTE). In the case of IP IW, the
configuration command that directs the use of IP VC type and consequent transport of IP only is
interworking ip.Example 14-15 shows the configuration for the SanFran PE.
productivity gains
Example 14-15. Frame Relay Side Configuration for IP IW Using AToM

!
hostname SanFran
!
!
pseudowire-class atom-iw-fr-vlan
encapsulation mpls
interworking ip
!
interface Serial5/0
no ip address For a majority of Service Providers, a significant portion of their revenues
still derivedIETF
encapsulation are
frame-relay
technologies.
Although
frame-relay intf-type dce
customers,
they
have
some
!
legacy
Layer
2
and
Layer
3
networks
connect fr-vlan Serial5/0 100 l2transport
backbone
while
new
carriers
would
like
xconnect 10.0.0.203 100 pw-class atom-iw-fr-vlan
services
over
their
existing
Layer
3
cores.
!
technology
that
would
allow
Layer
2
transport
over a Layer 3
!
infrastructure.

Network
(VPN)
concepts,
and
describes
Layer so
2 VPN
via
Example 14-15 shows
Frame
Relay
switching
globally
enabled,
thattechniques
you can configure
the Serial5/0
introductory
case
studies
and
comprehensive
design
scenarios.
This
book
in the SanFran PE as LMI DCI. In general terms, the configuration is similar to the like-to-like
assists
readers
looking
to meet those
requirements by
explaining the
examples, with the
addition
of the
interworking
ip pseudowire-class
configuration
mode command.
Note
progressively
eachcircuits,
currently
available
in greater
detail.
On IP IW with
Frame Relaycovering
attachment
both
NLPID solution
(0xCC) and
SNAP with
Ethertype
(0x0800) encapsulations identifying IP as upper layer are recognized.
Because it is necessary to specify the encapsulation (either MPLS or L2TPv3) and the IW type (either
Ethernet or IP) in all Ethernet and IP IW cases, the use of a pseudowire-class is mandatory.
The rest of the configuration uses the global connect command with the l2transport keyword to enter
the fr-pw-switching configuration mode and then the actual xconnect. See Example 14-16 for the
NewYork side of the configuration.
Example 14-16. VLAN Side Configuration for IP IW Using AToM

!
hostname NewYork
!
pseudowire-class atom-iw-fr-vlan
encapsulation mpls
ISBN: 1-58705-168-0
Table of
interworking
ip
Pages:
648
Contents
!
Index
interface
Ethernet2/0
no ip address
no cdp enable
!
gains
encapsulation productivity
dot1Q 2
no cdp enable
xconnect 10.0.0.201 100 pw-class atom-iw-fr-vlan
!
The configuration is similar to the Ethernet VLAN like-to-like case, with the addition of the
interworking ip directive. The CE configuration uses a point-to-point Frame Relay subinterface in the
Oakland router and does not need inverse ARP or static mapping (see Example 14-17).

Example 14-17. CE Configuration for IP IW Using AToM

Oakland#
! Oakland CE configuration
Oakland#show running-config
interface
serial 5/0.100
legacy Layer 2 and
Layer 3 networks
services over
their
: 153
bytes
infrastructure.
!
Layer 2 VPNpoint-to-point
ip address 192.168.29.1
255.255.255.252
Network (VPN)
IETFand comprehensive design scenarios. This book
introductory case100
studies
end
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSAlbany#
! Albany CE configuration
Albany#show running-config
ethernet
2/0.2
reader to Layerinterface
2 VPN benefits
and implementation
requirements and
!
ip address 192.168.29.2 255.255.255.252
end
Oakland#
Albany#
You can issue the usual verification shown in Example 14-18 from the SanFran side. You can use the
commanddebug frame-relay pseudowire to display events and errors that occur, binding a Frame
Relay data-link connection identifier (DLCI) to a pseudowire.
Example
No. 4460,
AnthonyRouted
Chan, - CCIE
No. 10,266
14-18.
AToM
IW
Verification
SanFran#show mplsPub
l2transport
Date: March 10, vc
2005100
1-58705-168-0
LocalTable
intf
LocalISBN:
circuit
Dest address
VC ID
Status
of
Pages:
648
------------------------------------------------------------------Contents
Se5/0
FR
DLCI
100
10.0.0.203
100
UP
Index
Local interface: Se5/0 up, line protocol up, FR DLCI 100 up
MPLS VC type is IP, interworking type is IP
ID: 100,
VC status:
upservices and enjoy
Master the10.0.0.203,
world of LayerVC
2 VPNs
to provide
enhanced
Preferred path:
not configured
productivity
gains
Learn
about Layer
2 Virtual
Private
Output interface:
Se10/0,
imposed
label
stackNetworks
{16 19}(VPNs)
Reduce
extend the reach
Signaling protocol:
LDP,costs
peerand
10.0.0.203:0
up of your services by unifying your
network
architecture
VC statistics:
packet totals:
receive of
14,
send Providers,
19
For a majority
Service
byte totals:
receiveAlthough
1512, send
technologies.
Layer2052
packet drops:
receive
0,
seq
error
0, send Ideally,
0
customers, they have some
drawbacks.
Local Label: 20
Cbit: 1,
VC Type: IP,
GroupID: 0
infrastructure.
MTU: 1500,
Interface Desc: n/a
VCCV Capabilities:
Type 1, Type
2
introduces
Remote Label:
19 (VPN) concepts, and describes Layer 2 VPN techniques via
Network
Cbit: 1,
VC Type:
GroupID:
0
introductory
case IP,
studies and
comprehensive
MTU: 1500,
Interface
Desc:
n/a
VCCV Capabilities:
Type 1, Type
2
details
SanFran#
In the SanFran PE, the command show mpls l2transport vc shows that the VC is UP and the
attachment circuit is FR DLCI 100. When you use the detail keyword, the VC type of IP (using
0x000B) and the IW type of IP become explicit. The command show mpls l2transport binding
displays the VC type as IP for both the local and remote endpoints.
Note
In routed IW, no attachment circuit natively uses the VC type of IP, unlike bridged IW, where
Ethernet interfaces use the VC type of Ethernet. As a consequence, the l2transport VCs in
both PEs always perform the IP IW function. This is to say that for routed IW, two NSPs are
needed. You can see this with the output of the command show mpls l2transport vc
detail, by verifying that the attachment circuit type does not match the VC type in either PE.
To see the VC type being advertised, you can use the debug command debug mpls l2transport
signaling message,
as shown
Example 14-19.
Publisher:
CiscoinPress
ISBN: 1-58705-168-0
Table of 14-19. Displaying the IP Layer 2 Transport VC Type

Example
Pages: 648
Contents
Index
SanFran#debug mpls l2transport signaling message

AToM LDP message debugging is on
SanFran#
the world of Layer
2 VPNs label
to provide
enhanced
22:44:46: AToM Master
LDP [10.0.0.203]:
Sending
mapping
msg services and enjoy
productivity
gains
vc type 11, cbit
1, vc id
100, group id 0, vc label 20, status 0, mtu 1500
22:45:19: AToM LDP [10.0.0.203]: Received label mapping msg, id 3141, graceful restart
instance 0
The highlighted sections of Example 14-19 show the use of the IP Layer 2 transport VC type with a
value of 11, both for the LDP label mapping received and sent.
Because you are using a switched Frame Relay DLCI attachment circuit created by means of the
connect command, you can utilize the show connection command to view connection status and
information. The show connection command is also a troubleshooting tool (see Example 14-20).

Example 14-20.
Using the
connection
Command
technologies.
Although
Layer 3 MPLS
servicesSegment
over their1 existing Layer 3 cores.
The2 solution in these State
cases is a
ID
Name
Segment
technology
that
would
allow
Layer
2
transport
over
a
Layer
3
===========================================================================
1
fr-vlan infrastructure.
Se5/0 100
10.0.0.203 100
UP
fr-vlan introduces readers to Layer 2 Virtual Private
Layer 2 VPN name
Architectures
FR/Pseudo-Wire Connection: 1 - fr-vlan
Status
- UP
Segment status: UP
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSLine status: UP
PVC status: ACTIVE
Segment 2 - 10.0.0.203 100
Segment status: UP
Requested AC state: UP
PVC status: ACTIVE
Interworking - ip
SanFran#
Without keywords, you can see that show connection command displays a summary of connections
with their respective state. You can also see that a connection has two segments: segment 1 and
segment 2. Identifying a specific connection by connection name or ID gives the connection details. In
particular, it lists the status of each segment, including the segment status, line or attachment circuit
status, PVC status, and NNI status. The PVC status refers to the local DLCI status, and the NNI status
Layer
VPNDLCI
Architectures
refers to the status
of 2the
as learned through NNI from the CE device.
The detailed version

of the
show
connection
command also shows that the IW type is IP between
No. 4460,
Anthony
Chan,
- CCIE No. 10,266
segment 1, which is the local Frame Relay DLCI, and segment 2, which is the pseudowire plus the
remote endpoint attachment
circuit
of the pseudowire connection identified by the remote peer IP
Publisher: Cisco
Press
address and VC ID. Pub Date: March 10, 2005
ISBN: 1-58705-168-0
In theTable
earlier
of section titled "Interworking MTU Considerations," you learned that because IW
Pages:
648
pseudowires
they are more prone toward MTU mismatches between attachment
Contents use diverse interfaces,
circuits.
IndexIn a FR-VLAN IW case, the Frame Relay attachment circuit might be located in a POS interface
with a default MTU of 4470, and the VLAN might reside in an Ethernet subinterface with a default MTU
of 1500. To solve this problem, you might be tempted to consider changing the MTU in the POS
interface to match the 1500 bytes. However, that would affect every DLCI on that interface, including
worldattachment
of Layer 2 VPNs
and enjoy
the IW DLCIs thatMaster
have athe
remote
circuittoinprovide
an ATMenhanced
interface services
with a default
MTU of 4470.
productivity
gains solution for this problem, achieved by modifying the MTU per DLCI
Example 14-21 presents
the optimal
under connect mode.
Example 14-21. Changing

FR DLCI
Reduce coststhe
and MTU
extendper
the reach
SanFran(config)#connect POS_to_Ethernet POS 8/0 200 l2transport
SanFran(config-fr-pw-switching)#mtu 1500
SanFran(config-fr-pw-switching)#xconnect 10.0.0.203 200 encapsulation mpls
SanFran(config-fr-pw-switching)#end
SanFran#

Note
Specifying the MTU under the connect configuration mode is Frame Relay specific, because
thexconnect command is not applied to a subinterface for Frame Relay DLCI attachment
circuits. In other attachment circuit types such as Ethernet or ATM, the MTU can be changed
infrastructure.
under the subinterface where the xconnect command is applied and affect a single
pseudowire. Layer 2 VPN Architectures introduces readers to Layer 2 Virtual Private
To finalize this case
study,
capture
an IP IW AToM
packet
thetechnologies
C-HDLC linkavailable
between from
the SanFran PE
history
and
implementation
details
of theintwo
router and the Denver
P
router
using
the
debug
command
debug
mpls
l2transport
packet
data.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSSeeExample 14-22,
including
an
inline
decode.
Example 14-22.
Capturing
an IP
IW such
Packet
comparing
them toand
thoseDecoding
of Layer 3 based
VPNs,
as MPLS, then
22:43:38: ATOM imposition: out Se10/0, size 116, EXP 0x0, seq 0, control word 0x0
22:43:38: 0F 00 88 47 00 01 00 FF 00 01 31 02 00 00 00 00
^^ ^^ ^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^
| | |
top_shim
VC_Label
Ctrl-word
| | |
Label=16
Label=19
| | |
S=0
S=1
| | |
TTL=255
TTL=2
| | +-etype = IPv4
| +-Control
+-Address = Unicast Frame

22:43:38: 45 00 00 64 00 13 00 00 FF 01 00 32 C0 A8 1D 01
^^^ ...
Begins
IP Packet
4460,
Chan,
CCIE00
No.03
10,266
22:43:38: C0 A8No.1D
02Anthony
08 00
0B- B7
00 04 00
22:43:38: 04 E0 6D AC AB CD AB CD AB CD AB CD AB
Publisher:
22:43:38: AB CD AB
CD ABCisco
CD Press
AB CD AB CD AB CD AB
22:43:38: AB CD AB
ABMarch
CD 10,
AB 2005
CD AB CD AB CD AB
PubCD
Date:
22:43:38: AB CD AB CD
AB
CD
AB
CD AB CD AB CD AB
ISBN: 1-58705-168-0
Table of
22:43:38:
AB CD AB Pages:
CD
648
Contents
22:43:38:
ATOM disposition: in Se10/0, size 100,
Index
22:43:38:
45 00 00 64 00 13 00 00 FF 01 00 32 C0
^^^ ...
Begins IP Packet
22:43:38:
22:43:38:
22:43:38:
22:43:38:
22:43:38:
22:43:38:
C0
04
AB
AB
AB
AB
00
CD
CD
CD
CD
00
AB
AB
AB
AB
00
CD
CD
CD
CD
seq 0, control word 0x0

A8 1D 02
A8productivity
1D 01 00 gains
00 13 B7 00 03 00 04 00 00 00 00
E0 6D AC AB CD AB CD AB CD AB CD AB CD AB CD
CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
2 Virtual
CD AB Learn
CD ABabout
CD ABLayer
CD AB
CD ABPrivate
CD AB Networks
CD AB CD(VPNs)
CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
CD AB Reduce
CD

Note that in Example 14-22, the offline hand decoding of the packets is shown in bold font.
customers,
have
some
Ideally,
carriers
with
existing
FromExample 14-22,
you canthey
clearly
see
thatdrawbacks.
after the control
word,
raw IP
is transported.
Remember
legacy that
Layer
and Layer 3
networks
would like
to move
toward a whereas
single at
from previous chapters
at2disposition,
only
AToM Payload
or SDU
is displayed,
backbone
while
new carriers
imposition, the complete
AToM
packet
is dumped.
technology
that the
would
allow Layer changes
2 transport
overpacket
a Layer
3
You can see in Figure
14-10 how
encapsulation
as the
traverses
from the Oakland
infrastructure.
CE as a Frame Relay
encapsulated IP datagram (RFC 2427), through the AToM network to the Albany
CE as a tagged-Ethernet encapsulated IP datagram and vice versa.
assists
readers
looking
to meet
those requirements
by explaining
the
Figure 14-10.
Frame
Relay
DLCI
to VLAN
AToM Routed
IW Encapsulation
Details
IP cores. The structure of this
Note

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
You can see that only the raw IP datagram is transported over the AToM pseudowire. The PE routers
remove the complete Layer
2 encapsulation
at imposition
re-create
it at
Reduce
costs and extend
the reach and
of your
services
bydisposition.
unifying your
Gain from
the first book
to address
Case Study 14-5: Frame
Relay-to-PPP
Using
L2TPv3
In this case study, you learn the configuration and verification of IP IW between Frame Relay and PPP
endpoints using L2TPv3 on the topology included in Figure 14-11.

Figure
14-11. Frame
Relay-to-PPP
Routed
IW
Using
L2TPv3
technologies.
Although
Layer 3 MPLS VPNs
fulfill the
market
need
for some
infrastructure.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSThis case study includes specific details on address resolution in IP IW both in Frame Relay DLCI and
PPP port attachment circuits. These details apply to both AToM and L2TPv3 pseudowires. Example 14IP cores. The structure of this book is focused on first introducing the
23 shows the configuration for the SanFran PE side.
Example 14-23. Frame Relay Side Configuration for IP IW Using L2TPv3

!
hostname SanFran
!
!
pseudowire-class fr-ppp-l2tpv3
interworking ip
!
interface Serial6/0
no ip address ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
encapsulation No.
frame-relay
frame-relay intf-type dce
!
connect fr-ppp Serial6/0
60 l2transport
Pub Date: March
10, 2005
xconnect 10.0.0.203 60 pw-class fr-ppp-l2tpv3
ISBN: 1-58705-168-0
! Table of
Pages:
648
Contents
!
Index
The routed IW behavior is configured explicitly with the interworking ip command. As usual with
the world
of Layer
VPNs to provide
services
and enjoy
Frame Relay DLCIMaster
attachment
circuits,
this 2
configuration
uses enhanced
the connect
command
and the crossgainsconfiguration mode.
connect inside theproductivity
fr-pw-switching
Example 14-24 shows the configuration in the NewYork side.
Example 14-24. PPP

Side Configuration for IP IW Using L2TPv3
!
hostname NewYork
!
pseudowire-class fr-ppp-l2tpv3
interworking ip
ip local interface
are stillLoopback0
!
interface Serial6/0
no ip address legacy Layer 2 and Layer 3 networks would like to move toward a single
ppp
ppp ipcp address
proxy
192.168.30.1
services
over
xconnect 10.0.0.201
60
pw-class
technology that
would fr-ppp-l2tpv3
!
infrastructure.
The configuration in Example 14-24 is similar to a normal L2TPv3 session configuration, with the
addition of the interworking ip directive. However, an additional command exists under the PPP
interface. The command ppp ipcp address proxy specifies the remote CE's IP address, which is the
IP address of the Oakland CE. This is necessary because ARP mediation does not take place.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLScores
and
Layer
2 Tunneling
version
3 (L2TPv3)
In the like-to-likebased
scenario
with
PPP
pseudowires,
PPPProtocol
negotiations
including
IPCPfor
arenative
between the two
IP
cores.
The
structure
of
this
book
is
focused
on
first
introducing
CE devices. In IP IW, Layer 2 from the CE is terminated in the PE. Therefore, in thethe
case of a PPP
reader
2 VPN
benefits
implementation
requirements
andPE and CE
attachment circuit,
IPCP to
asLayer
specified
in RFC
1332and
needs
to be negotiated
between the
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as
MPLS,
then
because PPP is terminated at the PE. IPCP negotiation includes the exchange of IP addresses, but the
progressively
eachIPcurrently
solution
inthe
greater
detail.
NewYork PE has no
knowledge covering
of Oakland's
address.available
The Oakland
CE is
IP peer
to the Albany
CE. You need to manually assign Oakland's IP address in the NewYork PE so that it can be included in
IPCP packets in the IPCP IP-Address Configuration option (type number 3). In this case, the PE device
acts as an IPCP address proxy for the remote CE.
IPCP has a PPP DLL protocol number of 0x8021 and terminates on the PE. Only IP packets that have a
PPP DLL protocol number of 0x0021 are transported over the pseudowire.
When the PE performs address resolution with the local CE, you can achieve the same result without
configuring the PE device by using the command peer default ip address in the local CE, indicating
the remote CE's IP address.

The next two examples show the CE router configuration. Example 14-25 starts with the Oakland
configuration.
Example 14-25. Frame Relay CE Configuration

!
ISBN: 1-58705-168-0
Table ofOakland
hostname
Pages:
648
Contents
!
Index
interface
Serial6/0
no ip address
!
Master themultipoint
productivity gains
ip address 192.168.30.1
255.255.255.252
frame-relay map ip 192.168.30.2 60 broadcast
!
You can see from Example 14-25 that you are now using a multipoint subinterface. This is to show the
difference in configuration between using point-to-point versus multipoint subinterfaces. You do not
need the frame-relay map configuration in a point-to-point subinterface, because the IP address and
mask already define the connected prefix. The main interface has multipoint behavior, and you need to
configure a frame-relay map (or inverse ARP when possible) for DLCIs in the main interface.
Example 14-25 shows the usage of the command frame-relay map instead of frame-relay
interface-dlci. The frame-relay map command creates a DLCI but also maps it to a next-hop
network protocol address. The example shows DLCI 60 mapped to the IP address 192.168.30.2 (the
remote CE's IP on the PPP side) and specifies that broadcast packets such as routing protocol updates
are to be sent over the DLCI.
Example 14-26 shows the configuration at the PPP-speaking Albany CE.
infrastructure.
Example 14-26. PPP CE Configuration

!
hostname Albany
!
interface Serial6/0
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSip address 192.168.30.2 255.255.255.252
encapsulation ppp
!
This configuration is the same as previous PPP-CE configurations.
Next, verify functionality and connectivity. Start the checks in the SanFran PE, as shown in Example
14-27.
Example 14-27. L2TPv3 IP IW Pseudowire Verification
SanFran#show l2tun session interworking vcid 60

LocID
11756
ByWei Luo, -Peer-address

CCIE No. 13,291,CarlosType
Pignataro,
- CCIE
No. 4619,Dmitry
Bokotey, - CCIE
TunID
IWrk
Username,
Intf/
Vcid, Circuit
51283
10.0.0.203
FR IP
60, Se6/0:60

SanFran#
ISBN: 1-58705-168-0
SanFran#show
l2tun session
all ip-addr 10.0.0.203 vcid 60
Table of
L2TP Contents
Session
Pages: 648
Index

Master
Internet address
isthe
10.0.0.203
productivity
gains
Session is L2TP
signalled
500 Bytes sent,Learn
500 about
received
out-of-order:
0
total:
0
0
total:
0
Session vcid is 60
type
is Frame
name routing
is Serial6/0:60
their service
offerings
whileRelay,
maintaining
control
Circuit state is UP
L2TP VC type For
is aIP,
interworking
is IPa significant portion of their revenues
majority
of Service type
Providers,
Remote session
id
is
9875,
remote
tunnel
id 15753
are still derived from data and voice services
DF bit off, ToS
reflect
disabled,
ToS
value
0, TTL
value
255
technologies. Although Layer 3 MPLS VPNs
fulfill
the market
need for some
No session cookie
information
available
FS cached header
legacyinformation:
encap size backbone
= 24 bytes
00000000 00000000
00000000
00000000
services over
their existing
00000000 00000000
Sequencing isinfrastructure.
off
SanFran#
The command show
l2tun
session
withtothe
interworking
keywordby
displays
the fact
assists
readers
looking
meet
those requirements
explaining
the that although
the attachment circuit
type
is
Frame
Relay
(and
PPP
on
the
NewYork
end),
the
IW
type
is IP. The same
command with the
all
keyword
displays
the
details
of
the
dynamic
L2TPv3
pseudowire,
including
the
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSfollowing:
The dynamic session is L2TP signaled.
The session progressively
state is established.
The circuit state is UP.
The VC type is IP (0x000B), as is the IW type.
You can use the show connection command in the Frame Relay end (see Example 14-28).
Example 14-28. Using the show connectionCommand
SanFran#show connection name fr-ppp

FR/Pseudo-Wire Layer
Connection:
4 - fr-ppp
2 VPN Architectures
Status
- UP
Segment 1 - Serial6/0
DLCI 60
Segment status: UP
Line status: UP
PVC status: ACTIVE
Pub Date:
March 10, 2005
NNI PVC status:
ACTIVE
ISBN: 1-58705-168-0
Segment
Table of 2 - 10.0.0.203 60
Segment status:Pages:
UP 648
Contents
Requested
AC
state:
UP
Index
PVC status: ACTIVE
Interworking - ip
SanFran#
productivity gains
After you check the PELearn
devices,
do not
forget
that the
goalNetworks
is to provide
CE-CE IP connectivity using
about
Layer
2 Virtual
Private
(VPNs)
disparate Layer 2 access technologies; therefore, check the CE devices. Example 14-29 shows some
Reduce
captures from the Oakland
CE.costs and extend the reach of your services by unifying your
Gain from
the first
book
Example 14-29. Frame
Relay
CE
Verification

For a majority
of Service
Providers, a significant
of their revenues
Sending 5, 100-byte
ICMP Echos
to 192.168.30.2,
timeoutportion
is 2 seconds:
!!!!!
Although
3 MPLS VPNs
fulfill the =
market
need ms
for some
Success rate istechnologies.
100 percent
(5/5),Layer
round-trip
min/avg/max
20/28/36
customers, they
Oakland#show frame-relay
map have some drawbacks. Ideally, carriers with existing
legacy point-to-point
Layer 2 and Layerdlci,
3 networks
like to move toward
a single IETF
Serial5/0.100 (up):
dlci would
100(0x64,0x1840),
broadcast,
backbone
while
status
defined,
active
services
their existing
Layer
in these cases is a
Serial6/0.60 (up):
ip over
192.168.30.2
dlci
60(0x3C,0xCC0),
static,
technology
broadcast,
infrastructure.
CISCO, status defined, active
Oakland#

Example 14-29 shows that IP connectivity exists between CE devices using ping. It also shows the
output of the show frame-relay map command. You can see that DLCI 60 in interface Serial 6/0.60,
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSwhich uses Frame Relay Cisco encapsulation, has a static map to 192.168.30.2 as configured, is active,
and allows broadcasts. You can compare it to the map created in Case Study 14-4 using Frame Relay.
In that case, a map is defined automatically for point-to-point subinterfaces, because the router can
infer the mapping given the IP address and the subnet mask.
Note
The command show frame-relay map includes two hexadecimal numbers between
parentheses beside the DLCI. The first number is the DLCI in hexadecimal representation.
The second number is the 2-byte Q.922 header with the BECN, FECN, and DE bits zeroed
out.
Next, analyze the PPP interface at the Oakland CE (see Example 14-30).
Example
No. 4460,
Anthony Chan,
- CCIE No. 10,266
14-30.
PPP-CE
Verification
Albany#show interfaces
Pub Date:s6/0
March 10, 2005
Serial6/0 is up, line
protocol
is up
ISBN: 1-58705-168-0
Table of is M4T
Hardware
648
Contents address Pages:
Internet
is 192.168.30.2/30
Index
MTU
1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
LCP Open
Open: IPCP Master the world of Layer 2 VPNs to provide enhanced services and enjoy
productivity
gains 00:00:02, output hang never
Last input 00:00:02,
output
Last clearing of "show interface" counters never
Input queue: 0/75/0/0
(size/max/drops/flushes);
Total output
Learn about
Layer 2 Virtual Private Networks
(VPNs) drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0
(size/max
total/threshold/drops)
Reduce costs
and extend
!Output omitted fornetwork
brevity
architecture
Albany#
Albany#show ip route
connected
| include
Gain
from the first
book to Serial6/0
C
192.168.30.0/24
is directly
Serial6/0
both ATOM
and L2TPconnected,
protocols
C
Albany#

You can use the command
show from
interfaces
to voice
see that
Link Control
Protocol
and IPCP are in an
are still derived
data and
services
based on
legacy(LCP)
transport
open state, whichtechnologies.
means they have
been
negotiated
successfully,
and
that
the
/32
connected
Although Layer 3 MPLS VPNs fulfill the market need for some route to
Oakland's IP address
was
installed
through
IPCP.
customers, they have
some
In the routed IW backbone
case, onlywhile
IPv4 is
transported,
and like
Layer
terminates
in the
PE device.
From
new
carriers would
to 2sell
the lucrative
Layer
2
Chapters 8, "WANservices
Protocols
over
MPLS
Case Layer
Studies,"
and 12,
Protocols
over
L2TPv3
over
their
existing
3 cores.
The"WAN
solution
in these
cases
is a Case
Studies," you learned
that in that
the like-to-like
does notover
run a
inLayer
the PE3 device. It goes into a
technology
would allowcases,
Layer PPP
2 transport
closed state wheninfrastructure.
the xconnect command is entered. That is to say, in the like-to-like case, PE
devices do not participate in PPP negotiation.
You can verify whether
PPP
runs concepts,
in the PE by
enabling
debug
negotiation
the NewYork PE
Network
(VPN)
and
describes
Layerppp
2 VPN
techniquesinvia
(seeExample 14-31).
Example 14-31.
PPPUnified
Running
at the
PPP-PE
Verification
the Cisco
VPN suite:
Any
Transport
NewYork#
*Jun 10 01:42:41.394:
%LINK-3-UPDOWN:
Interface
Serial6/0,
comparing
them to those of Layer
3 based
VPNs, suchchanged
as MPLS,state
then to up
*Jun 10 01:42:41.394:
Se6/0
PPP:
Treating
connection
as
a
dedicated
line
progressively covering each currently available solution in greater
detail.
*Jun 10 01:42:41.394: Se6/0 PPP: Phase is ESTABLISHING, Active Open
*Jun 10 01:42:41.394: Se6/0 LCP: O CONFREQ [Closed] id 226 len 10
*Jun 10 01:42:41.394: Se6/0 LCP:
MagicNumber 0xC0A64078 (0x0506C0A
*Jun 10 01:42:41.418: Se6/0 LCP: I CONFREQ [REQsent] id 6 len 10
*Jun 10 01:42:41.418: Se6/0 LCP:
MagicNumber 0xC0A60E24 (0x0506C0A60E24)
*Jun 10 01:42:41.418: Se6/0 LCP: O CONFACK [REQsent] id 6 len 10
*Jun 10 01:42:41.418: Se6/0 LCP:
MagicNumber 0xC0A60E24 (0x0506C0A60E24)
*Jun 10 01:42:41.418: Se6/0 LCP: I CONFACK [ACKsent] id 226 len 10
*Jun 10 01:42:41.418: Se6/0 LCP:
MagicNumber 0xC0A64078 (0x0506C0A64078)
*Jun 10 01:42:41.418: Se6/0 LCP: State is Open
*Jun 10 01:42:41.418: Se6/0 PPP: XCONNECT has gated NCP starts

*Jun 10 01:42:41.418: Se6/0 PPP: Phase is UP
*Jun 10 01:42:41.418: Se6/0 PPP: XCONNECT is preventing NCP starts
Layer 2 VPNSe6/0
Architectures
*Jun 10 01:42:41.438:
PPP XCONNECT request to START IPCP using 0.0.0.0
ByWei Luo, -Se6/0
CCIE No.
13,291,O
Carlos
Pignataro,
- CCIE No. id
4619,8Dmitry
- CCIE
*Jun 10 01:42:41.438:
IPCP:
CONFREQ
[Closed]
lenBokotey,
10
No. 4460,Anthony
Chan,
- CCIE No.Address
10,266
*Jun 10 01:42:41.438:
Se6/0
IPCP:
192.168.30.1 (0x0306C0A81E01)
*Jun 10 01:42:41.470: Se6/0 IPCP: I CONFACK [REQsent] id 8 len 10
*Jun 10 01:42:41.470:
Se6/0
IPCP:
Address 192.168.30.1 (0x0306C0A81E01)
Publisher:
Cisco Press
*Jun 10 01:42:42.454:
%LINEPROTO-5-UPDOWN:
Line protocol on Interface Serial6/0,
Pub Date:
March 10, 2005
changed state to up
ISBN: 1-58705-168-0
Table
of
*Jun
10 01:42:43.454:
Se6/0 IPCP: TIMEout: State ACKrcvd
Pages:
648
*Jun Contents
10 01:42:43.454: Se6/0 IPCP: O CONFREQ [ACKrcvd] id 9 len 10
Index
*Jun
10 01:42:43.454: Se6/0 IPCP:
Address 192.168.30.1 (0x0306C0A81E01)
*Jun 10 01:42:43.454: Se6/0 IPCP: I CONFREQ [REQsent] id 7 len 10
*Jun 10 01:42:43.454: Se6/0 IPCP:
Address 192.168.30.2 (0x0306C0A81E02)
*Jun 10 01:42:43.454: Se6/0 IPCP: O CONFACK [REQsent] id 7 len 10
Master the
worldIPCP:
of Layer 2Address
VPNs to provide
enhanced
services and enjoy
*Jun 10 01:42:43.454:
Se6/0
192.168.30.2
(0x0306C0A81E02)
productivity
gains
*Jun 10 01:42:43.470: Se6/0 IPCP: I CONFACK [ACKsent] id 9 len 10
*Jun 10 01:42:43.470: Se6/0 IPCP:
Address 192.168.30.1 (0x0306C0A81E01)
*Jun 10 01:42:43.470: Se6/0 IPCP: State is Open
NewYork#
6/0extend the reach of your services by unifying your
Reduceserial
costs and
Serial6/0 is up, line
protocol
is
up
Hardware is M4T
MTU 1500 bytes, BW
1544
Kbit,
DLYbook
20000
usec, rely
load 1/255
Gain
from
the first
to address
Layer 255/255,
2 VPN application
utilizing
Encapsulation PPP,
loopback
not
setprotocols
both
ATOM and
L2TP
LCP Open
Open: IPCP
Last input 00:00:00, output 00:00:00, output hang never
a majority
!Output omittedFor
for
brevityof Service Providers, a significant portion of their revenues
NewYork#
You can see that backbone
LCP and IPCP
are
terminated
at thelike
PE router,
IPv4
is transported,
while
new
carriers would
to sell the
lucrative
Layer 2 and everything
else is dropped. Example
shows
that all
the debug
information
before
and including
services 14-31
over their
existing
Layer
3 cores.
The solution
in these
cases is athe
timestamp of Juntechnology
10 01:42:41.418
is LCP
negotiation
that succeeds
the 3LCP state being open. The
that would
allow
Layer 2 transport
over with
a Layer
debug information
after and including the timestamp of Jun 10 01:42:41.438 pertains to the only NCP
infrastructure.
that is IPCP negotiation and concludes with the open state for IPCP. You can also use the command
show interface Layer
in the 2PE
device
and see that
in contrast
to thetolike-to-like
case,Private
LCP and IPCP are
VPN
Architectures
introduces
readers
Layer 2 Virtual
now open at the PE
attachment
Network
(VPN)circuit.
Regarding the data
planereaders
encapsulation
canrequirements
see in Figureby
14-12
how the
encapsulation
assists
looking details,
to meetyou
those
explaining
the
changes as the packet
traverses
from the Oakland
Frame
Relayencapsulated
datagram (RFC
history
and implementation
detailsCE
of as
thea two
technologies
available IP
from
2427), through the
IP
service
provider
network
over
L2TPv3,
to
the
Albany
CE
as
a
PPP-encapsulated
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSIP datagram (RFCbased
1661)cores
and vice
versa.2 Tunneling Protocol version 3 (L2TPv3) for native
and Layer
Figure 14-12.
Frame Relay
DLCI-to-PPP
Routed
Encapsulation
progressively
covering
each currently L2TPv3
available solution
in IW
greater
detail.
Details

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
You can see that only the raw IP datagram is transported over the L2TPv3 pseudowire, and the PE
routers remove the complete Layer 2 encapsulation at imposition and re-create it at disposition. Non-IP
datagrams coming from
the CE
device
are2 dropped
at the Networks
PE.
Learn
about
Layer
Virtual Private
(VPNs)
architecture
Case Study 14-6: IPnetwork
L2-Transport
MTU Considerations
This section presents the important and recurring topic of MTU as it pertains to IP IW, both in the AToM
and L2TPv3 cases. IP IW is the most efficient from an overhead perspective. It holds the best-case
scenario in regards to MTU
adjustments
only
rawenterprise
IP is transported,
and
2 overhead
Review
strategies because
that allow
large
customers
to Layer
enhance
does not exist. For IP IW,
Layerofferings
2 from the
CE maintaining
is terminated
at the control
PE and not transported;
theirthe
service
while
routing
therefore, no additional overhead is present.
Table 14-2 summarizes
different
addedservices
in the PE
router
an IP transport
packet received from
are stillthe
derived
fromoverheads
data and voice
based
ontolegacy
the CE device. Table
14-2
lists
the
overheads
for
both
AToM
and
L2TPv3,
including
overhead
technologies. Although Layer 3 MPLS VPNs fulfill the market need the
for some
definition and thecustomers,
actual overhead
value
from
Case
Studies
14-4
and
14-5,
respectively.
Table 14-2.
MTU Considerations for IP Layer 2 Transport
infrastructure.
LayerPSN
2 VPN
Architectures
introduces readers
Tunnel
Demultiplexer
Layer 2to Layer 2 Virtual Private
Network
(VPN)
concepts,
and
describes
Layer 2 VPN techniques
via
PSN
Overhead
Overhead
Specific
Total
AToM
MPLS
Tunnel
MPLS
VC those requirements
Control word by explaining the
assists
readers
looking
to meet
(Case Study 14header
headerdetails of the two technologies
history
and implementation
from
12 available
bytes
4)
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS4 bytes
4 bytes
4 bytes
IP cores.
The structure
of thisID
book
IP header
Session
+ is focused
L2-Specific
L2TPv3
reader
to Layer
2 VPNcookie
requirements and
without
options
Sublayer
(Case Study 1424MPLS,
bytesthen
comparing them to those of Layer 3 based VPNs, such as
20 bytes covering
4 each
bytescurrently
+0
0 bytes solution in greater detail.
5)
progressively
available
bytes
FromTable 14-2, you can see that the IP IW AToM Case Study 14-4 has 12 bytes of overhead,
whereas the IP IW L2TPv3 Case Study 14-5 has 24 bytes of overhead (because of the cookie absence
and because sequencing is disabled).
Knowing these overheads, you can calculate the largest IP packet that can be sent from the CE and
make it unfragmented, where all interfaces have a default MTU of 1500 bytes:
AToM 1500 bytes 12 bytes = 1488 bytes

Layer
2 VPN
Architectures
L2TPv3 1500
bytes
24
bytes = 1476 bytes
To prove the preceding

the following experiment:
No. 4460,calculations,
Anthony Chan, - perform
CCIE No. 10,266
Cisco
Press
For AToM, sendPublisher:
extended
ping
from the Oakland CE while setting the don't fragment (DF) bit in
Pub
Date:
March
10, 2005
the IP header and using "Sweep
range of sizes" and verbose output.
ISBN: 1-58705-168-0
Table of
the
For L2TPv3, configure
Pages:
648 L2TPv3 session to set the DF bit in the IP header, adding ip dfbit set
Contents
in the fr-ppp-l2tpv3 pseudowire class, as explained in Chapter 13, "Advanced L2TPv3 Case
Index
Studies." In this case, the extended ping from the Oakland CE does not need to set the DF bit,
because the DF bit that will be used in the cloud is the one in the L2TPv3 IPv4 delivery header.
SeeExample 14-32 for the results of these tests.

productivity gains
Example 14-32. MTU Considerations with IP IW

Oakland#
! Now test the AToMnetwork
IP interworking
architecturecase study 14-4
Oakland#ping
Protocol [ip]:
Target IP address: both
192.168.29.2
Repeat count [5]: 1
Timeout in seconds their
[2]: service
1
majority of Service Providers, a significant portion of their revenues
Source address For
or ainterface:
Type of serviceare
[0]:
technologies.
Although
Set DF bit in IP
header? [no]:
y Layer 3 MPLS VPNs fulfill the market need for some
Validate reply customers,
data? [no]:
new carriers
would like to vsell the lucrative Layer 2
Loose, Strict, backbone
Record, while
Timestamp,
Verbose[none]:
services
over
their
existing
Layer
technology
that
would
allow
Layer
infrastructure.
Sweep interval Layer
[1]: 2 VPN Architectures introduces readers to Layer 2 Virtual Private
Network
(VPN)
Type escape sequence to
abort.
introductory
case
and comprehensive
design timeout
scenarios.is
This
book
Sending 11, [1480..1490]-byte studies
ICMP Echos
to 192.168.29.2,
1 seconds:
assists
readers
looking
to
meet
those
requirements
by
explaining
the
history
andms)
implementation
Reply to request
1 (24
(size 1481)details of the two technologies available from
the
Cisco
Unified
VPN suite:
Reply to request 2 (32 ms) (size
1482)Any Transport over MPLS (ATOM) for MPLSbased
cores
and
Layer
IP
cores.
The
structure
reader
to Layer
2 VPN 1485)
Reply to request
5 (36
ms) (size
comparing
them
to those
Reply to request
6 (28 ms)
(size
1486)
progressively
covering
each
Reply to request 7 (48 ms) (size 1487)currently available solution in greater detail.
Oakland#
Oakland#
Oakland#
Oakland#
! Now test the L2TPv3 IP interworking case study 14-5
Oakland#ping
Protocol [ip]:
Layer12 VPN Architectures
Repeat count [5]:
No. 4460,
Timeout in seconds
[2]:
Source address orPublisher:
interface:
Cisco Press
Set DF bit in IP header? [no]:
ISBN: 1-58705-168-0
Table ofreply data? [no]:
Validate
Pages:
648
Data Contents
pattern [0xABCD]:
IndexStrict, Record, Timestamp, Verbose[none]: v
Loose,
the world
Sweep max size Master
[18024]:
1480 of Layer 2 VPNs to provide enhanced services and enjoy
productivity
gains
Sweep interval [1]:
Sending 11, [1470..1480]-byte ICMP Echos to 192.168.30.2, timeout is 2 seconds:
Reply to request 1 Reduce
(20 ms)costs
(size
and1471)
Reply to request 2 network
(32 ms)architecture
(size 1472)
Reply to request 4 Gain
(24 ms)
1474)
from (size
the first
Reply to request 5 both
(28 ATOM
ms) (size
1475)
and L2TP
protocols
Request 7 timed outReview
(size strategies
1477)
Request 8 timed outtheir
(size
1478)
service
For out
a majority
Request 10 timed
(size of
1480)
derived(7/11),
from dataround-trip
and voice services
based on
legacy transport
Success rate isare
63still
percent
min/avg/max
= 20/25/36
ms
Oakland#
You can concludeservices
that theover
calculation
is correct.
From
Example
you
learn that
inisthe
their existing
Layer
3 cores.
The 14-32,
solution
in these
cases
a AToM case,
the largest IP packet
that makes
through
is Layer
1488 bytes
because
of athe
12-byte
overhead. In
technology
that it
would
allow
2 transport
over
Layer
3
contrast, in the L2TPv3
case, the largest IP packet that makes it through is 1476 bytes because of the
infrastructure.
24-byte overhead.
By knowing the IPNetwork
MTU limitation
and calculation
with IP IW,
you
can tune
the core
(VPN) concepts,
and describes
Layer
2 VPN
techniques
viaMTU based on the
largest expected introductory
IP datagram case
from studies
the CE device.
theFrame
Cisco Unified
VPN suite:Interworking
Any Transport over
(ATOM) for MPLSCase Study 14-7:
Relay-to-ATM
BestMPLS
Practices
IP study,
cores. The
thisbest
bookpractices
is focused
on first
introducing
the Frame Relay
In this last IW case
you structure
will learn of
some
about
routed
IW between
reader to Layer
2 VPN
benefits and
implementation
requirements
andis not FRF.8,
and ATM. First, understand
that IP
IW pseudowire
between
Frame Relay
and ATM VCs
comparing
them
to those of Implementation
Layer 3 based VPNs,
such as MPLS,
"Frame Relay/ATM
PVC Service
Interworking
Agreement,"
(SIW) then
in which an IW
progressively
covering
each
currently
available
solution
in
detail.
function (IWF) translates between RFC 2427 encapsulated Frame Relay andgreater
RFC 2684
encapsulated
AAL5 with a null SSCP. Only IP packets are transported over the IP IW pseudowire.
In contrast to FRF.8 SIW, which supports address resolution translation, inverse ARP is not supported
in IP IW pseudowires; therefore, the ATM and Frame Relay CEs need to be configured on point-to-point
subinterfaces or use static maps if they are on multipoint subinterfaces.
In the ATM attachment circuit, only AAL5 SDU VC mode is supported, and the ATM PVC encapsulation
can either be AAL5SNAP or AAL5MUX (in which no translation is required because LLC/SNAP is
nonexistent, and only one protocol is carried). Either AAL5SNAP or AAL5MUX needs to be configured in
both the CE and PE devices under the PVC configuration mode. The encapsulations of AAL0 or AAL5 are
not valid for IP IW, because AAL5 terminates at the PE device, and the PE device needs to know the
AAL5 encapsulation type. However, in contrast to the CE configuration, when using AAL5MUX
Layer
2 VPN
Architectures
encapsulation in the
PE
Layer
2 PVC, you do not need to specify ip as the protocol carried.
A typical configuration
for
a CE Chan,
that -has
multipoint
No. 4460,
Anthony
CCIE
No. 10,266 subinterfaces is included in Example 14-33.
Example 14-33.
CE
Configuration
with Multipoint ATM Subinterfaces
Pub
Date:
March 10, 2005
Table of
Contents
!
Index Oakland
hostname
ISBN: 1-58705-168-0
Pages: 648
!
interface ATM3/0.27 multipoint
ip address 192.168.31.1 255.255.255.0
pvc 0/270
productivity gains
protocol ip 192.168.31.2
broadcast
!
!
interface ATM3/0.28 multipoint
ip address 192.168.32.1 255.255.255.0
pvc 0/271
protocol ip 192.168.32.2
Gain from broadcast
encapsulation aal5mux
ip
both ATOM
and L2TP protocols
!
!

Note that both AAL5SNAP
and AAL5MUX
IP PVC
encapsulations
are supported.
protocol to VC
are still derived
from data
and voice
services based
on legacy The
transport
mapping is achieved
with
the
PVC
mode
command
protocol.
Example
14-34
shows
how
to verify ATM
technologies. Although Layer 3 MPLS VPNs fulfill the market need for
some
protocol to VC mappings.
Example 14-34.
Verifying
Maps
services
over theirATM
existing
infrastructure.
Oakland#show atm map
Map list ATM3/0.27pvc10E
: PERMANENT introduces readers to Layer 2 Virtual Private
ip 192.168.31.2Network
maps to
VC 4,
VPI 0,and
VCIdescribes
270, ATM3/0.27
(VPN)
concepts,
, broadcast
assists readers
Map list ATM3/0.28pvc10F
: PERMANENT
history
and
implementation
details
of the
ip 192.168.32.2 maps to VC 9, VPI 0, VCI
271,
ATM3/0.28
the
Cisco
Unified
VPN
suite:
Any
Transport
over MPLS (ATOM) for MPLS, broadcast, aal5mux
Oakland #
You can see that IP addresses map to ATM VCs in a permanent way, meaning manually or statically
configured. The broadcast keyword indicates pseudobroadcasting.

Layer 2 Local
Switching
The local switching feature

another
Publisher:isCisco
Press building block of the Cisco Unified VPN suite. Layer 2 local
switching allows youPub
to switch
Layer
2 frames between two different attachment circuits on the same
Date: March
10, 2005
PE. The following permutations are supported, some of which do not require IW because the
ISBN: 1-58705-168-0
Table of circuit technologies are the same, whereas others do because they use different
attachment
Pages:
648
Contents circuit technologies:
attachment
Index
Interfaces of the same type:

ATM-to-ATM
productivity gains
Frame Relay-to-Frame Relay
Ethernet-to-Ethernet/VLAN-to-VLAN
Interfaces of different
types:
Reduce
ATM-to-Ethernet/VLAN
ATM-to-Frame
Relay
both
Frame Relay-to-Ethernet/VLAN
Local switching is not a pseudowire technology by the rigorous definition because a signaling protocol
(such as LDP or L2TPv3)
is not involved.
local
switching portion
is a useful
tool revenues
in the Layer 2 VPN
For a majority
of ServiceHowever,
Providers,
a significant
of their
solutions.
The main buildingcustomers,
block of the
local
switching
configuration
is the connect
command,
they
have
some drawbacks.
Ideally,
carriers with
existingwhich allows
you to create locally
switched
legacy
Layer cross
2 andconnections.
This section covers local switching between interfaces of the same type, and a later section details
local switching between interfaces of different types. (See the section titled "Layer 2 local switching
with interworking.") In this section, you learn the configuration and verification for the following local
infrastructure.
switching case studies:

Case Study 14-8: Frame Relay-to-Frame Relay Local Switching
readers looking
toSwitching
Case Study assists
14-9: ATM-to-ATM
Local
Cisco
Unified VPN suite: Any
Transport
over MPLS (ATOM) for MPLSCase Study the
14-10:
Ethernet-to-Ethernet
Local
Switching
Case Study 14-8:
Frame
Relay
Local
Switching
comparing
them Relay-to-Frame
to those of Layer 3 based
VPNs,
such as
MPLS, then
Frame Relay-to-Frame Relay local switching is a feature that was introduced before the development
of the complete Layer 2 VPN local switching suite and was welcomed as part of that. This Frame
Relay-to-Frame Relay local switching case study uses the topology shown in Figure 14-13, introducing
the SanJose node.
Figure 14-13. Frame Relay-to-Frame Relay Local Switching Topology

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Master
the
world of Layer
VPNs
to provide
Example 14-35 shows
the
configuration
for 2
the
SanFran
PE. enhanced services and enjoy
productivity gains
Example 14-35. Frame

Relay-to-Frame
Relay
Local (VPNs)
Switching
Learn about
Networks
!
hostname SanFran
!
!
interface Serial7/0Review strategies that allow large enterprise customers to enhance
no ip address
switched
For a majority of70
Service
dce from data and voice services based on legacy transport
are still derived
!
interface Serial8/0
no ip address legacy Layer 2 and Layer 3 networks would like to move toward a single
frame-relay
dcetheir existing Layer 3 cores. The solution in these cases is a
services over
!
connect fr_local_sw
Serial7/0 70 Serial8/0 80
infrastructure.
!
!
FromExample 14-35,
youand
canimplementation
see that the global
configuration
for frame-relay
switching
history
details
available
from is a
requirement. Youthe
canCisco
also see
a
switched
Frame
Relay
interface
DLCI
configured
in
interface
Serial
Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS7/0 but not for interface
Serial
8/0.
Configuring
the
switched
DLCI
is
an
optional
step.
If
the
switched
DLCI is not created
the interface,
it is created
with is
the
connect
command.
IP in
cores.
The structure
of this book
focused
on first
introducing the
The heart of the configuration
is into
the
connect
command,
which
youascreate
connection
comparing them
those
of Layer
3 based by
VPNs,
such
MPLS,the
then
namedfr_local_sw,
which
ties
up
DLCI
70
in
Serial
7/0
to
DLCI
80
in
Serial
8/0.
All
the commands
and tools that were covered in this and previous chapters regarding Frame Relay LMI, DLCI, maps,
and connections are applicable to this case. For completeness, Example 14-36 includes the output of
the command show connection.
Example 14-36. show connection Command in Local Switching

SanFran#show connection name fr_local_sw
3
fr_local_sw
Se7/0 70
Se8/0 80
UP
SanFran#
With Frame RelayByattachment

circuits,
you
canPignataro,
use thedebug
command
Wei Luo, - CCIE
No. 13,291,
Carlos
CCIE No.
4619,Dmitrydebug
Bokotey, -frame-relay
CCIE
pseudowire to troubleshoot
problems.
Case Study 14-9:

ATM-to-ATM
Pub Date:
March 10, 2005 Local Switching
Table of
ISBN: 1-58705-168-0
The case of ATM-to-ATM

local648
switching is quite similar to Frame Relay-to-Frame Relay local
Pages:
Contents
switching. However, specific considerations are necessary, the most important ones related to the
Index
PVC encapsulation. Only two types of PVC encapsulation are supported in ATM-to-ATM local switching:
AAL5 Using encapsulation aal5
SCR Single productivity
Cell Relay VCgains
mode using encapsulation aal0
When you are using Single Cell Relay in some platforms, the virtual path identifier and virtual channel
identifier (VPI/VCI) pair must match in both endpoints of the local switched connection.
When you are using AAL5, VPI/VCI values do not need to match in both endpoints. However, if you
are transporting OAM cells over the local switched connection, the VPI/VCI must match because OAM
cells are transported asGain
cells,
andthe
youfirst
have
theto
same
limitation
single cell
relay (SCR).
from
book
address
Layer stated
2 VPN for
application
utilizing
Besides the local switching of ATM PVCs, some platforms support the local switching of ATM
permanent virtual paths
(PVP)strategies
and packed
cellallow
relaylarge
(PCR)
for local customers
switching of
PVCs and ATM
Review
that
enterprise
toATM
enhance
PVPs. In addition, localtheir
switching
ofofferings
ATM PVCs
and maintaining
ATM PVPs inrouting
the same
port is supported. The
service
while
control
configuration is analogous to this case study, using the same ATM interface for both connection
endpoints.
Example 14-37 shows
a sampleAlthough
configuration
PVC ATM-to-ATM
local
switching.
technologies.
Layerfor
3 MPLS
VPNs fulfill the
market
need for some
Example 14-37.
ATM-to-ATM
Localwould
Switching
Configuration
backbone
while new carriers
like to sell
!
infrastructure.
hostname SanFran
!
interface ATM1/0
encapsulationassists
aal5 readers looking to meet those requirements by explaining the
!
interface ATM2/0
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSpvc 0/200 l2transport
encapsulationIPaal5
!
connect aal5_local_sw
atm
1/0to0/100
atm
2/030/200
comparing
them
those of
Layer
Notice that Example 14-37 shows cross-connecting PVCs with different VPI/VCI values, and the
configuration uses encapsulation AAL5. Observe that the ATM PVCs are created using the
l2transport keyword to identify the PVC as switched and not as terminated. The connection
configuration is analogous to the Frame Relay-to-Frame Relay example, using VPI/VCI instead of
DLCI.
Another similarity with Frame Relay-to-Frame Relay local switching is that you can enter the connect
command without previously configuring the ATM PVCs, in which case the PVCs are created
automatically in the respective interfaces that are specified (see Example 14-38).
Example 14-38. ATM-to-ATM Local Switching with Automatic PVCs

SanFran(config)#connect atm_local ATM 4/0 0/40 ATM 3/0 0/40

SanFran(config-connection)#
ISBN: 1-58705-168-0
of
ID Table
Name
Segment
1
Segment 2
State
Pages:
648
Contents
===========================================================================
1 Index
atm_local
AT4/0 CELL 0/40
AT3/0 CELL 0/40
UP
SanFran#
SanFran#show connection id 1
Connection: 1 -Master
atm_local
gains
Current State:productivity
UP
Segment 1: ATM4/0 CELL 0/40 u
Segment 2: ATM3/0 CELL 0/40 up
SanFran#
Gain14-38
from the
book
addresscommand
Layer 2 VPN
application
thatfirst
only
the to
connect
is entered,
and utilizing
it automatically
bothconnection.
ATOM and L2TP
protocols
creates the local switched
Note from
the show connection output that the default
encapsulation for automatically created l2transport PVCs is AAL0that is, VC Cell Relay mode. Example
Review
thatcreated
allow large
enterprise
customers
enhance
14-39 shows how to check
for strategies
automatically
l2transport
PVCs
and theirtodefault
encapsulation.
Example 14-39.
Displaying Automatic PVCs
customers,
they have
SanFran#show atm
vc | include
40|some
VC drawbacks. Ideally, carriers with existing
legacy
a single
VCD / Layer 2 and Layer 3 networks would like to move
Peaktoward
Avg/Min
Burst
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2 Cells Sts
Interface
Name
VPI
VCI Type
Encaps
Kbps
Kbps
services
over their 0
existing40
Layer
3 cores.
The solution
in these N/A
cases is a UP
3/0
11
PVC-A
AAL0
155000
technology
that
would
allow
Layer
2
transport
over
a
Layer
3
4/0
19
0
40 PVC-A
AAL0
149760
N/A
UP
infrastructure.
SanFran#
SanFram#show atm pvc 0/40 | begin ATM4/0
Layer
2 VPN
ATM4/0: VCD: 19,
VPI:
0, Architectures
VCI: 40
Network
(VPN)
concepts,
and
introductory
case
studies
and
comprehensive
design
AAL0-Cell Relay, etype:0x10, Flags: 0x10000C2D, VCmode:
0x0
assists
readers
looking
to
meet
those
requirements
by
explaining the
history
and
implementation
details
of
the
two
technologies
available from
the
Cisco
Unified
VPN
suite:
Any
Transport
over
MPLS
(ATOM)
for MPLSRemote Circuit Status = No Alarm, Alarm Type = None
based
cores
and
Layer
2
Tunneling
Protocol
version
3
(L2TPv3)
for native
IP
cores.
The
structure
of
this
book
is
focused
on
first
introducing
the
Cell-packing Disabled
reader
to
Layer
2
VPN
benefits
and
implementation
requirements
and
comparing
them to those
Layer 31,
based
VPNs, such
F5 InEndloop: 0,
F5 InSegloop:
0, F5ofInAIS:
F5 InRDI:
0 as MPLS, then
progressively
covering
each
currently
available
solution
in greater detail.
OAM cells sent: 1
OAM cell drops: 0
Auto-created by Connection Manager
Status: UP
W2N-7.11-c7206VXR-A#m
Displaying the ATM PVC summary, you can see that the PVC type is PVC-A, which stands for PVC
automatically created. You can also see that the encapsulation is AAL0 single-cell relay by default,
which works fine for like-to-like ATM-to-ATM connections but does not work for IW ones. A detailed
list of valid and default encapsulations for IW and local switching ATM VC attachment circuits is
2 VPN
Architectures
included in "Case Layer
Study
14-12:
ATM Attachment Circuits and Local Switching."
With ATM PVC attachment

circuits,
can
the debug command debug atm l2transport as a
No. 4460,Anthony
Chan,you
- CCIE
No.use
10,266
troubleshooting tool.
Case
Study 14-10:
Local Switching
ISBN:
1-58705-168-0
Table of
Contents
Pages: 648
This case
Index study shows Ethernet-to-Ethernet port mode local switching. The same configuration and
verification presented here is analogous to Ethernet dot1Q VLAN-to-VLAN local switching using
subinterfaces instead of the main interface. This topology is included in Figure 14-14.
productivity gains
Figure 14-14. Ethernet-to-Ethernet Local Switching

technology
that would
allow Layer
transportones
overusing
a Layer
The actual configuration
required
is equivalent
to the2 previous
the3connect command (see
infrastructure.
Example 14-40).
Example 14-40.
Local Switching
introductory
!
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLShostname SanFran
!
connect eth-ethIP Ethernet3/0
Ethernet4/0
reader
to
Layer
2
VPN
benefits
!
comparing
them
to
those
of
Layer
!
The configuration that is required at the PE is to activate the Ethernet interfaces with a no shutdown
and issue the connect command. You can verify that the local switched connection is working (see
Example 14-41).
Example 14-41. Ethernet-to-Ethernet Local Switching Verification
SanFran#show connection name eth-eth

Connection: 4 - eth-eth
Current State: UP
Segment 1: Ethernet3/0 up
ByWei Luo, - CCIE
Segment 2: Ethernet4/0
up No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
SanFran#
SanJose#ping 192.168.51.1
Type escape sequenceISBN:

to 1-58705-168-0
abort.
Table 5,
of 100-byte ICMP Echos to 192.168.51.1, timeout is 2 seconds:
Sending
Pages: 648
!!!!!Contents
Index rate is 100 percent (5/5), round-trip min/avg/max = 24/28/36 ms
Success
SanJose#
productivity
For the sake of argument,
yougains
can use the local switching feature without configuring IP addresses in
the PE device, because no signaling is involved. An interface or a router that does not have an IP
address does not process IP packets; therefore, it cannot process signaling messages carried over IP,
about Layer
2 Virtual
Private Networks
(VPNs)
as is the case with LDPLearn
and L2TPv3.
This idea
emphasizes
the point that
no signaling protocol is
implicated in local switching.
network
architecture
You can witness this fact
when enabling
the debug command debug acircuit event to debug events
that occur on the attachment circuits (see Example 14-42).
Example 14-42. Debugging

Attachment
Circuit
for a
Local Switched
Review strategies
that allow large
enterprise
customers
to enhance
Connection
SanFran(config)#do
debug
acircuit
event
are still
derived
from data
Attachment Circuit
events
debugging
is 3
onMPLS VPNs fulfill the market need for some
SanFran(config)#interface
Ethernet
3/0
SanFran(config-if)#no
shutdown
legacy Layer
SanFran(config-if)#
00:28:44: ACLIBservices
[0.0.0.0,
0]: SW
AC interface
UP for
over their
existing
Layer 3 cores.
The Ethernet
solution in interface
these cases Et3/0
is a
00:28:44: ACLIB:
Added circuit
to allow
retry
queue,
type 6,
id a5,
idb3 Et3/0
technology
that would
Layer
2 transport
over
Layer
00:28:44: ACLIBinfrastructure.
[0.0.0.0, 0]: pthru_intf_handle_circuit_up() calling acmgr_circuit_up
00:28:44: ACLIB [0.0.0.0, 0]: Setting new AC state to Ac-Connecting
00:28:44: ACLIB:
Update
plane
with circuit
UPLayer
status
Layer
2 VPN switching
Architectures
introduces
readers to
2 Virtual Private
00:28:44: ACLIBNetwork
[0.0.0.0,
SW AC and
interface
UPLayer
for 2
Ethernet
interface
(VPN)0]:
concepts,
describes
VPN techniques
via Et3/0
00:28:44: ACLIBintroductory
[0.0.0.0, case
0]: studies
pthru_intf_handle_circuit_up()
ignoring
event.
and comprehensive design scenarios.
Thisup
book
Already connected
connecting.
assists or
readers
00:28:44: ACLIBhistory
[0.0.0.0,
0]: pthru_intf_handle_circuit_up()
ignoring
event.
and implementation
details of the two technologies
availableupfrom
Already connected
or Unified
connecting.
the Cisco
VPN suite: Any Transport over MPLS (ATOM) for MPLS00:28:44: Et3/0based
ACMGR:
Receive
<Circuit
Up> Protocol
msg
cores
and Layer
2 Tunneling
00:28:44: Et3/0IPACMGR:
circuit
up of
event,
SIPisstate
chg
to connected,
action
cores. The
structure
this book
focused
on fsp
first up
introducing
the
is p2p up forwarded
00:28:44: ACLIB:
pthru_intf_response
is 37F000012,
response
is 2 then
comparing
them to those ofhdl
Layer
based VPNs,
such as MPLS,
00:28:44: ACLIBprogressively
[0.0.0.0, covering
0]: Setting
new AC state
to solution
Ac-Connected
each currently
available
in greater detail.
00:28:44: Et4/0 ACMGR: Receive <Remote Up Notification> msg
00:28:44: Et4/0 ACMGR: remote up event, FSP state chg fsp up to connected, action
is respond forwarded
00:28:44: ACLIB: pthru_intf_response hdl is 41000016, response is 2
00:28:44: ACLIB [0.0.0.0, 0]: Setting new AC state to Ac-Connected
00:28:46: %LINK-3-UPDOWN: Interface Ethernet3/0, changed state to up
state to up
SanFran(config-if)#
You can see by inspecting [0.0.0.0, 0] that the IP address of the remote peer is displayed as 0.0.0.0,
and the VC ID is shown
as 0. This is because it is a local switching connection.
Note

ISBN: 1-58705-168-0
Table
of
A
consequence
of no pseudowire signaling protocol being involved in local switching cases is
Pages:
648
Contents
that
MTU mismatches
between
the attachment circuits do not prevent the circuit from
coming
Index
up. The downside is that a circuit not coming up might trigger you to revisit the MTU
settings.
productivity gains
infrastructure.

Layer 2 Local
Switching with Interworking
This section brings together

previous sections of IW and local switching to provide
Publisher: the
Ciscotwo
Press
another building block
theMarch
Cisco10,
Unified
PubofDate:
2005 VPN suite: any-to-any local switching. The
configuration aspect also uses the two core commands of each of the previous sections: the
ISBN: 1-58705-168-0
Table command
of
connect
and the interworking keyword.
Pages: 648
Contents
Index
In this
section, you learn the configuration and verification of the following case studies:
Case Study 14-11: Ethernet-to-VLAN Local Switching

Case Study productivity
14-12: ATM gains
Attachment Circuits and Local Switching

Case Study 14-11:
Ethernet-to-VLAN Local Switching
This section discusses the
mechanisms
to implement local switching between Ethernet and
network
architecture
Ethernet VLAN attachment circuits, using the topology shown in Figure 14-15.
strategies
that allow large enterprise
FigureReview
14-15.
Ethernet-to-VLAN
Local Switching

infrastructure.
Cisco
Unified in
VPN
AnyPE
Transport
MPLS (ATOM)
The configurationthe
that
is required
thesuite:
SanFran
is shownover
in Example
14-43.for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
reader
to Layer 2 VPNEthernet-to-VLAN
Example 14-43.
Configuring
Localrequirements
Switchingand
!
hostname SanFran
!
no ip address
!
no ip address
!
!
Layer
2 VPN Architectures
connect eth-vlan
Ethernet2/0
Ethernet3/0.1 interworking ethernet
!
!
You can see that this example uses the global command connect with diverse interfaces, and
ISBN: 1-58705-168-0
it prompts
Table ofyou for the IW type. The IW types are also IP or Ethernet.
Contents
Pages: 648
You can
Indexperform connection verification from the SanFran PE and connectivity checking from
the SanJose CE (see Example 14-44).
Master
the world of
Layer 2 VPNs to provide
enhanced
services and enjoy
Example 14-44.
Verifying
Ethernet-to-VLAN
Local
Switching
productivity gains
SanFran#show connection name eth-vlan
Connection: 4 - eth-vlan
Current State: UP
Reduce
Segment 1: Ethernet2/0
upcosts and extend the reach of your services by unifying your
network
architecture
Segment 2: Ethernet3/0.1 up
Interworking Type: ethernet
SanFran#
SanJose#ping 192.168.52.1
to service
abort.offerings while maintaining routing control
their
!!!!!
Success rate isare
100
(5/5),
min/avg/max
= 24/29/36
ms
stillpercent
derived from
dataround-trip
and voice services
based on
legacy transport
SanJose#
Theshow connection
command
shows
the IW
type
as Ethernet.
services
over their
existing
Layer
3 cores.
infrastructure.
Case Study 14-12: ATM Attachment Circuits and Local Switching

This section deals with Layer 2 VPN local switching with IW and goes over some details and
ideas that are helpful when using ATM PVC attachment circuits.
history and
implementation
details
of the two
technologies
available
from
When you are configuring
ATM-to-Ethernet
Local
Switching
Interworking
(LSIW)
or ATM-tothe
Cisco
Unified
VPN
suite:
Any
Transport
over
MPLS
(ATOM)
for
MPLSEthernet-VLAN LSIW, both IP and Ethernet types of IW are supported. With IP IW, you can
cores
andAAL5SNAP
Layer 2 Tunneling
version
3 (L2TPv3)
native
configure the ATMbased
PVC for
either
(in whichProtocol
translation
takes
place) or for
AAL5MUX
IP
cores.
The
structure
of
this
book
is
focused
on
first
introducing
the
(without translation because the AAL5 packet begins with raw IP). On the other hand, when
readerIW,
to Layer
2 VPN benefits
and implementation
requirements and
you are using Ethernet
only AAL5SNAP
PVC encapsulation
is supported.
covering
eachyou
currently
available
solution
in greater
detail.
Creating the ATMprogressively
PVC is not required.
When
enter the
connect
command
without
the
existing PVC, the PVC-A is created automatically and assigned AAL5SNAP encapsulation. If,
however, you create the ATM PVC, you need to specify the l2transport keyword to indicate
that it is a switched PVC and not a terminating PVC.
When you are configuring ATM-to-Frame Relay IW, only IP IW is supported. The ATM PVC
encapsulation can either be AAL5SNAP or AAL5NLPID.
Table 14-3 summarizes the PVC encapsulation options while using ATM local switching with and
without IW.
Layer 2 PVC
VPN Architectures
Table 14-3. ATM
Encapsulation Usage for IW and Local
ByWei Luo, - CCIE No.Switching
13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, -
CCIE
Segment 1
(Attachment
Circuit)
Table of
Contents
Index
ATM
PVC
ATM PVC
Segment 2
(Attachment
Circuit)
Interworking
(IW) Type
ATM PVC
Encapsulations
N/A
aal0 (default)
ISBN: 1-58705-168-0
ATM Pages:
PVC 648
aal5
Ethernet/VLAN
Ethernet
aal5snap
IP
aal5snap (default)
productivity gains
aal5mux
ATM PVC
Frame Relay DLCI

IP
aal5snap(default)
aal5nlpid
infrastructure.

Understanding
Advanced Interworking and Local
Switching Publisher: Cisco Press
This final section covers two topics:
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
connect
command
You
learn about the different behaviors of this command.
Index
Encapsulation You learn detailed information about the encapsulations of IW and local
switching.
productivity gains
connect Command
At this point, you know how to use the connect command in multiple contexts. You used it to
create AToM and L2TPv3
pseudowire
endpoints
Frame
DLCI
attachment
circuits
to
Reduce
costs and
extend in
the
reachRelay
of your
services
by unifying
your
perform local switchingnetwork
and Frame
Relay local switching. This section compares the different
architecture
modes of this command using examples.
You have used the connect
command
in three
different contexts and created different
both ATOM
and L2TP
protocols
configuration modes. Example 14-45 shows the connect command that performs Frame Relay
pseudowire switching. Review strategies that allow large enterprise customers to enhance
For a connect
majority of Command
Service Providers,
significant
portion
of their revenues
Example 14-45.
and aFrame
Relay
Pseudowire
Switching
legacy Layerfr-vlan
2 and Layer
3 networks
SanFran(config)#connect
Serial5/0
100 would
l2transport
backbone
while
new
carriers
would
like
to
sell
SanFran(config-fr-pw-switching)#
infrastructure.
When you use the connect command with the l2transport keyword, you are taken into
Layer configuration
2 VPN Architectures
introduces
readers
to Layer
2 Virtual
Private that
config-fr-pw-switching
mode. Example
14-46
shows
the connect
command
Network
(VPN)
performs local Frame
Relay
switching.
history
and implementation
details
the two Relay
technologies
available from
Example 14-46.
connect
Command
andofFrame
Switching
IP cores. The
structure of this
book7/0
is focused
on first
the
fr_local_sw
serial
70 serial
8/0introducing
80
SanFran(config-fr-switching)#
When you use the connect command to cross connect two local Frame Relay DLCIs, you are
taken into config-fr-switching configuration mode. Example 14-47 shows the connect
command that performs local cross connection between two attachment circuits.
Example 14-47. connect Command for Local Switching Connections

SanFran(config)#connect eth-eth ethernet 3/0 ethernet 4/0
SanFran(config)#connect eth-fr ethernet 3/0 serial 7/0 100 interworking ip
ByWei Luo, - CCIE
No. 13,291,
Carlos Pignataro,
No. 4619,4/0.1
eth-eth
ethernet
3/0.1- CCIE
ethernet
No.
4460,
Anthony
Chan,
CCIE
No.
10,266
SanFran(config-connection)#exit
atm_local
ATM 4/0 0/40 ATM 3/0 0/40
Publisher: Cisco
Press
ISBN: 1-58705-168-0
Table of
Pages:
648
Contents
Example
14-47
shows
various
cases used throughout this chapter. In the case of any-to-any
Index
(not like-to-like) attachment circuits, the IW option is presented. These different configuration
submodes also present different commands that are applicable to the specific function that is
being performed. (For example, the local switching submodes have no xconnect command.)
productivity gains
Encapsulation
This section introduces you to encapsulation details for some of the case studies presented in
Reduce
costs anddetails,
extend use
the Subscriber
reach of your
services
by unifying
your
this chapter. To view the
encapsulation
Service
Switch
(SSS) exec
network
commands. The connections
arearchitecture
represented as attachment circuit session types to SSS. All
the examples use the command show sss circuits, which provides the status, encapsulation
Gainhexadecimal
from the first
bookfor
to the
address
Layer
2 encapsulation
VPN application
utilizing
length, and encapsulation
dump
circuits.
The
that
is
both
ATOM
and
L2TP
protocols
presented as output of this command, also called rewrite, indicates data that is added to the
packet.
their
service
maintaining
control processes and
This section's goal is that
you
obtainofferings
a betterwhile
understanding
of routing
the underlying
protocols in the case studies. The following examples are presented:
technologies.
Although Layer
3 MPLS VPNs
fulfill the
Encapsulation
1: Ethernet-to-VLAN
Local Switching
Ethernet
IW market need for some
Encapsulation
2: Frame
IP IW Using
AToM
legacy
LayerRelay-to-VLAN
would
Encapsulation
3: VLAN-to-Ethernet
Bridged
services
over their existing
LayerIW
3 Using
cores. L2TPv3
Encapsulation
4: Frame Relay-to-PPP IP-IW Using L2TPv3
infrastructure.
(VPN) concepts,Local
and describes
Layer
2 VPN techniques
via
Encapsulation Network
1: Ethernet-to-VLAN
Switching
Ethernet
IW
assists
readers
looking toCase
meetStudy
those14-10in
requirements
by explaining
thebetween
This scenario presents
the
local switching
the SanFran
PE router
history
and
implementation
details
of
the
two
technologies
available
from
Ethernet 2/0 and VLAN 27 in Ethernet 3/0.1 (see Example 14-48).
Example 14-48.
SSS Circuit Encapsulation for Ethernet-to-VLAN
Local Switching
Ethernet-IW
Common Circuit ID 0
Serial Num 5
Switch ID 18796512
UP flg len dump
Y AES 0
Y AES
SanFran#
8100001B

Focusing on the encapsulation,

you know
in Ethernet IW, Ethernet frames are sent over
- CCIE that
No. 10,266
the Layer 2 circuit. Therefore, the Ethernet endpoint has no specific encapsulation, as denoted
in the encapsulation length of 0.
Pub Date: March

10, 2005
For the VLAN side, however,
the encapsulation
includes the 4-byte VLAN tag. In this example,
ISBN: 1-58705-168-0
the encapsulation
is
represented
as
0x8100001B,
from which you see the following:
Table of
Contents
Index
Pages: 648
The 802.1q VLAN Ethertype of 0x8100

The 802.1p CoS bits of 0 and CFI of 0
The VLAN ID of 0x1B or 27 as configured
productivity gains
Encapsulation 2: Frame
IP IW
Using
AToM (VPNs)
Learn Relay-to-VLAN
Private
Networks
costs
andCase
extend
the14-4
reach
of your
by unifying
your
This scenario presents Reduce
the AToM
IP IW
Study
from
bothservices
the SanFran
and New
York
network
architecture
PE routers. The scenario starts from the SanFran PE router, in which the local cross-connection
is Frame Relay-to-AToM (see Example 14-49).
Example 14-49. SSS

Circuit
Encapsulation
Frame
Relay IP-IW
Review
strategies
that allow large for
enterprise
customers
to enhance
Using AToM
SanFran#show sss
are circuits
technologies.
AlthoughTotal
Layer 3
MPLS VPNs
fulfill the 5
Current SSS Circuit Information:
number
of circuits
!Output omittedlegacy
for brevity
while new carriers
lucrative
2
Common Circuit backbone
ID 0
Serial would
Num 3like to sell the
Switch
ID Layer
18796912
--------------------------------------------------------------------------technology that would allow Layer 2 transport over a Layer 3
UP flg len infrastructure.
dump
Y AES 4
184103CC
Y AES 0 Layer 2 VPN Architectures introduces readers to Layer 2 Virtual Private
SanFran#
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSTheshow sss circuits command in the SanFran PE shows the encapsulations that are local to
this PE router; it does not show the remote VLAN encapsulation. In IP IW, only raw IP packets
are sent over the pseudowire; therefore, the rewrite includes the complete Layer 2
encapsulation.
covering
each
currently
in greater
detail.
You can see that progressively
the encapsulation
for the
Frame
Relayavailable
endpointsolution
is 4 bytes
in length,
is equal
to 0x184103CC, and is made out of the following:
The first 2 octets represent the Q.922 header:
The leftmost 6 bits of the first octet are equal to 000110 and form the high-order
DLCI; the leftmost 4 bits of the second octet are equal to 0100 and make up the
low-order DLCI. Therefore, the 10-bit DLCI is expressed in binary 0001100100 or
100 in decimal, which is the DLCI that is configured in Case Study 14-4.
The least significant bit of the second byte is set to 1, to indicate the lack of an
extended address (EA).
Layer
VPNencapsulation
Architectures
The third octet
in2the
is the control of 0x03.
The last octet

theAnthony
NLPIDChan,
value
of the
IP Protocol that is equal to 0xCC.
No.is
4460,
- CCIE
No. 10,266
Because IP is received over the pseudowire, after you append this 4-byte encapsulation and set
the values of FECN, BECN, and DE, you send the packet over the Frame Relay attachment
circuit. Toward the AToM
side, the encapsulation is always shown as NULL.
Table of
ISBN: 1-58705-168-0
648 presents the VLAN side of the AToM routed IW pseudowire

The second
example
Contents part of thisPages:
from
the
New
York
PE,
in
which
the local cross connection is VLAN to AToM (see Example 14 Index
50).
Master
the Circuit
world of Layer
2 VPNs to provide
enhanced
services
and enjoy
Example 14-50.
SSS
Encapsulation
for VLAN
IP-IW
Using
productivity gains
AToM
New York#show sss circuits
Current SSS CircuitReduce
Information:
of of
circuits
4
costs andTotal
extendnumber
the reach
your services
by unifying your
[snip]
Common Circuit ID 0Gain from the first
Serial
3
ID 18796912
book Num
to address
Layer 2Switch
VPN application
utilizing
--------------------------------------------------------------------------both ATOM and L2TP protocols
UP flg len dumpReview strategies that allow large enterprise customers to enhance
Y AES 18 FFFFFFFF
FFFF000C
CF552408
their service
offerings
while 81000002
maintaining0800
routing control
Y AES 0
!Output omittedFor
for
brevityof Service Providers, a significant portion of their revenues
a majority
New York#
backbone
newcommand
carriers would
toYork
sell the
lucrative Layer
To reiterate, the show
sss while
circuits
in thelike
New
PE illustrates
the 2
services
over
their
existing
Layer
3
cores.
The
solution
in
these
cases
is a
encapsulations that are local to this PE router and does not show the remote Frame
Relay
technology
that
would
allow
Layer
2
transport
over
a
Layer
3
encapsulation. In IP IW, only raw IP packets are transmitted over the pseudowire; therefore,
infrastructure.
the VLAN side should
show a complete 18-byte VLAN rewrite.
Layer
VPN Architectures
readers
to routed
Layer 2IW,
Virtual
Private
When you compare
the2VLAN
encapsulation introduces
for both bridged
and
you see
the
Network
(VPN)
concepts,
and
describes
Layer
2
VPN
techniques
via
following:
history
and implementation
details
the twothe
technologies
available
Bridged The
encapsulation
is only 4 bytes
and of
includes
802.1q header
only. from
This is
Cisco frame
UnifiedisVPN
suite:over
Anythe
Transport
over MPLS
(ATOM)
for802.1q
MPLSbecause an the
Ethernet
received
pseudowire,
and adding
the
based
cores andVLAN
Layer
header creates
a complete
frame.
Routed Thereader
encapsulation
bytes
and and
includes
the complete
Layer 2 encapsulation,
to Layer is
2 18
VPN
benefits
implementation
requirements
and
including Ethernet
II and
802.1q
headers.
This3isbased
because
an such
IP datagram
is then
received over
comparing
them
to those
of Layer
VPNs,
as MPLS,
the pseudowire,
so appending
the 18-byte
encapsulation
creates
a complete
frame.
progressively
covering
each currently
available
solution
in greaterVLAN
detail.
You can see that the encapsulation length is 18 bytes and is composed of the following:
The first 6 bytes are the destination MAC address where 0xFFFFFFFFFFFF is a broadcast
Ethernet address, meaning that the PE has not yet learned the CE's MAC address. This
MAC address is changed to the actual value after it is learned.
The next 6 bytes are the source MAC address.
The next 4 bytes are the VLAN tag, including the following:
VLAN etype of 0x8100
CoS and
CFILuo,
of -0 CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
ByWei
VLAN ID of 2 as configured

The final two bytes
are the IP Ethertype of 0x0800.
ISBN: 1-58705-168-0
Prepending this encapsulation
to an IP packet that is received over the pseudowire and setting
Table of
CoS bits appropriately Pages:
makes648
a valid frame to be sent out of the Ethernet 2/0.1 interface in the
Contents
New York PE.
Index
Figure 14-16 shows the encapsulation added in both SanFran and New York PEs for this
scenario. The fields in gray represent the rewrite that has been described verbally.
productivity gains
Figure 14-16. Frame Relay DLCI-to-VLAN AToM Routed IW

Learn about
Networks (VPNs)
Encapsulation
Details
infrastructure.
readers looking toBridged
meet those
by explaining the
Encapsulation assists
3: VLAN-to-Ethernet
IW requirements
Using L2TPv3
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSThis scenario presents the L2TPv3 Ethernet IW Case Study 14-2 from the VLAN attachment
circuit in the New York PE router. The local cross-connection in the New York router is VLAN-toIP cores. The structure of this book is focused on first introducing the
L2TPv3 (see Example 14-51).
Example 14-51. SSS Circuit Encapsulation for VLAN Ethernet-IW

Using L2TPv3
Common Circuit ID 0
Serial Num 2
Switch ID 18797112
UP flg
Y AES
Y AES
New York#
len dump
4
81000002
28 45000000 00000000 FF73A5F7 0A0000CB 0A0000C9
Layer 2000058FB
VPN Architectures
00000000
Pub Date:
March
10, 2005
The local encapsulations
to the
New
York PE router are VLAN toward the attachment circuit and
L2TPv3 toward the PSN.ISBN:
The 1-58705-168-0
attachment circuit side is equivalent to previous encapsulation
Table of
scenario
1. Because this
is bridged
IW and Ethernet frames are received over the pseudowire,
Pages:
648
Contents
no other encapsulation is needed.
Index
However, the PSN side that uses L2TPv3 is new and shows an encapsulation length of 28 bytes,
consisting of the following:
productivity
20 bytes of IPv4
header,gains
including the following:
Version 4 Header length 5 32-bit words
Protocol 115 (0x73) for L2TPv3
network
architecture
Source address
10.0.0.203
from
Destination Gain
address
10.0.0.201
4 bytes of L2TPv3 Session Header (0x000058FB): 32-bit Session ID of 22779
their Sublayer
service offerings
whilewas
maintaining
routing control
4 bytes of L2-Specific
(sequencing
configured):
For a
Sequence
bitmajority
clear of Service Providers, a significant portion of their revenues
technologies.
Sequence
number cleared
Note
infrastructure.
You can also display the L2TPv3 encapsulation by using the show adjacency detail
command inLayer
the pseudowire
IP adjacency.
2 VPN Architectures
An Ethernet frame
is encapsulated.
After you details
complete
the two
empty
fields, such
as DSCPfrom
in the IP
history
and implementation
of the
technologies
available
Header and sequencing
information
in the
L2-Specific
Sublayer,
can(ATOM)
send the
the Cisco
Unified VPN
suite:
Any Transport
overyou
MPLS
forL2TPv3
MPLSpacket toward thebased
PSN. cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
to those ofIP-IW
Layer Using
3 basedL2TPv3
Encapsulation comparing
4: Frame them
Relay-to-PPP
This scenario presents the L2TPv3 Ethernet IW Case Study 14-5 from the SanFran and New
York PE routers. The discussion starts from the SanFran PE router, in which the local cross
connection is Frame Relay to L2TPv3 (see Example 14-52).
Example 14-52. SSS Circuit Encapsulation for Frame Relay IP-IW

Using L2TPv3


Wei0Luo, - CCIE No. 13,291,
Carlos Pignataro,
Dmitry Bokotey,
- CCIE
Common Circuit By
ID
Serial
Num 4 - CCIE No. 4619,
Switch
ID 18796712
No.
4460,
Anthony
Chan,
CCIE
No.
10,266
UP flg len dump
Y AES 4
0CC103CC
Y AES 24 45000000
00000000 FF73A5F7 0A0000C9 0A0000CB
ISBN: 1-58705-168-0
Table of
0000269D
Pages: 648
Contents
Index
SanFran#
The Frame Relay Master

attachment
circuit
L2TPv3
encapsulation
in SanFran
PE are and
similar
to the
the world
ofand
Layer
2 VPNs
to provide enhanced
services
enjoy
previous examples,
where yougains
can see the following for the Frame Relay attachment circuit:
productivity
The first 2 octets Learn
represent
the
Q.922
header:
DLCI =
111100b(VPNs)
= 60.
about
Layer
2 Virtual
Private
Networks
The third octet inReduce
the encapsulation
is the control
of 0x03.
costs and extend
the reach
The last octet is the NLPID value of IP Protocol, equal to 0xCC.
The Frame Relay encapsulation
is a
fullL2TP
Frame
Relay header that, when appended to the
both ATOM
and
protocols
received raw IP datagram, creates a complete Frame Relay frame carrying IP.
The L2TPv3 side showstheir
an encapsulation
length
of maintaining
24 bytes, because
is not enabled
service offerings
while
routingsequencing
control
and no L2-Specific Sublayer exists:
20 bytes of IPv4
header, including
following:
technologies.
Althoughthe
Layer
Version 4 Header Length 5 32-bit words
Sourcetechnology
address 10.0.0.201
infrastructure.
Destination address 10.0.0.203
Network
(VPN)Header
concepts,
4 bytes of L2TPv3
Session
(0x0000269D):
32-bit assists
Sessionreaders
ID of 9885
The second part of
this
scenario
presents
the Any
PPP side
of theover
L2TPv3
routed
IW pseudowire
the
Cisco
Unified
VPN suite:
Transport
MPLS
(ATOM)
for MPLSfrom the New York
PE, in
which
the
local2cross-connection
is PPP-to-L2TPv3
(see for
Example
based
cores
and
Layer
Tunneling Protocol
version 3 (L2TPv3)
native1453).
progressively
covering
each currently available
solution
in greater
Example 14-53.
SSS Circuit
Encapsulation
for PPP
IP-IW
Usingdetail.
L2TPv3
Common Circuit ID 0
Serial Num 4
Switch ID 18796712
---------------------------------------------------------------------------
Status
UP flg
Y AES
Y AES
Encapsulation
len dump
4
FF030021
2 VPN Architectures
24 Layer
45000000
00000000 FF73A5F7 0A0000CB 0A0000C9
ByWei Luo,
000058FA
4460,brevity
!Output omittedNo.for
New York#

ISBN: 1-58705-168-0
Table of
You can see in the NewPages:

York 648
PE that the encapsulation length for the PPP side is 4 bytes,
Contents
comprising a full PPP header, and contains the following:
Index
Address of 0xFF
Control of 0x03
productivity gains
PPP DLL protocol number of 0x0021 for IPv4
Learn about
2 Virtual
Networks
(VPNs)
Prepending this encapsulation
to anLayer
IP packet
that Private
is received
over the
pseudowire creates a
PPP frame to be sent out of the Serial 6/0 interface in the New York PE. The L2TPv3 side is
equivalent to the analysis in the SanFran PE with mirror source and destination IP addresses
and a different Session ID. The L2TPv3 encapsulation includes the following:
both ATOM
and L2TP
protocols
20 bytes of IPv4 header,
including
the following:
Review
strategies
that words
Version 4 Header
Length
5, 32-bit
still derived
from data
and voice
services
Sourceare
address
10.0.0.203,
destination
address
10.0.0.201
customers,
they
have some
drawbacks.
Ideally,
carriers
with
existing
4 bytes of L2TPv3
Session
Header
(0x000058FA):
32-bit
Session
ID of
22778
Figure 14-17 shows
the encapsulations
added would
in bothlike
thetoSanFran
New York
backbone
while new carriers
sell the and
lucrative
LayerPEs
2 for this
scenario in addition
to theover
L2TPv3
encapsulation
added
to the
PDU.
The fields
services
their
existing Layer
3 cores.
Thecarried
solution
in these
casesinisgray
a
represent the rewrite
that has
been
described
verbally.
technology
that
would
allow Layer
infrastructure.
Figure

Network (VPN)
concepts,
describes Layer
2 VPN techniques
14-17.
Frame
Relayand
DLCI-to-PPP
L2TPv3
Routed via
IW
introductory case
studies
and
comprehensive
design
scenarios.
This book
Encapsulation Details
Any
over MPLS (ATOM) for MPLS[View full
sizeTransport
image]

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.

Summary By

learned the
Ciscotheory,
Press operation, and configuration of Layer 2 bridged and
routed IW pseudowires
the
Pub through
Date: March
10, use
2005 of a technology overview and case studies. You then
learned about like-to-like and any-to-any (IW) local switching. This chapter concluded with
ISBN: 1-58705-168-0
Table of
advanced
topics in Layer 2 IW and local switching, including encapsulation details related to
Pages:
648
someContents
of the chapter's case studies.
Index
productivity gains
infrastructure.

Chapter 15. Virtual Private LAN Service

Cisco Press
the following
topics:
ISBN: 1-58705-168-0
Table of
fundamentals
Understanding VPLS
Pages:
648
Contents
Index
VPLS deployment models
VPLS configuration case studies
Master the world

Layer
2 VPNs
to provide
enhanced
services
The Layer 2 VPN architectures
thatofhave
been
discussed
in this
book so far
shareand
oneenjoy
common
productivity
gains
characteristic: They
provide only
point-to-point connectivity.
Virtual Private LAN Service (VPLS), on the other hand, is a Layer 2 VPN architecture that was
Learn about
2 Virtual Private
Networks (VPNs)
built for multipoint connectivity
andLayer
has broadcast
capability.
costs and
extend edge
the reach
your services
by unifying
your
Like other Layer 2 VPNReduce
architectures,
customer
(CE) of
routers
are connected
through
network
architecture
provider edge (PE) routers and pseudowires, but they no longer have the point-to-point
peering relationship. Instead, VPLS enables CE routers to communicate with one another as if
they were attached to a common LAN.
Interestingly, pseudowires that are used in VPLS are the same type of pseudowire as that used
in the point-to-point Layer 2 VPN architectures. The point-to-point versus multipoint behavior is
determined by the data packet forwarding behaviors of a given Layer 2 VPN architecture. This
also implies that the pseudowire encapsulation is orthogonal to the functionality that VPLS
provides. In theory, both Multiprotocol Label Switching (MPLS) and L2TP pseudowires satisfy
the forwarding requirements of VPLS. In reality, the rapid growth of MPLS network deployment
drives the momentum behind the MPLS-based VPLS in terms of standardization activities and
product implementations. Therefore, this chapter focuses on VPLS concepts and examples that
involve MPLS pseudowires.
This chapter begins with an overview of VPLS that describes the service definitions, signaling
protocols, and more importantly the concept of virtual switch and its data forwarding
infrastructure.
characteristics. Then it describes VPLS deployment issues of network topology, complexity, and
scalability. VPLS configuration case studies conclude the chapter.

Understanding
VPLS Fundamentals
VPLS is generating considerable

with enterprises and service providers because it
Publisher: Ciscointerest
Press
offers the Transparent
PubLAN
Date:Service
March 10,(TLS).
2005 Previously, TLS was available only in Ethernetswitched networks and had limited geographic reach. VPLS not only overcomes the distance
ISBN: 1-58705-168-0
Table of
limitation
of Ethernet-switched networks, but it also enables new value-added features and
Pages:
648
Contents
services
by leveraging advanced MPLS features, such as traffic engineering.
Index
The inherent broadcast nature of Ethernet makes it easy for networked devices to discover one
another. VPLS extends that broadcast capability to the reach that is possible only with a WAN
infrastructure. In VPLS, end users perceive that the network devices are connected directly to a
Masterwhich
the world
Layer
2 VPNs toLAN
provide
enhanced
services
and enjoy
common LAN segment,
is in of
fact
an emulated
created
by VPLS,
also known
as a
productivity gains
VPLS domain .
Figure 15-1 shows the VPLS network reference model, where PE devices act as virtual switches
about Layer
Virtualappear
PrivatetoNetworks
(VPNs)bridged Ethernet
such that CE routers ofLearn
a particular
VPLS 2
domain
be on a single
network. CE routers can connect to PE routers either through direct links or through an access
network.
Figure 15-1. VPLS Network Reference Model


infrastructure.
As a multipoint architecture,
VPLS
allowseach
a single
physical
or logical
CE-PE
to bedetail.
used for
progressively
covering
currently
available
solution
inlink
greater
transmitting Ethernet packets to multiple remote CE routers. Therefore, fewer connections are
required to get full connectivity among customer sites. To provide the same level of
connectivity with a point-to-point architecture, more connections are required. The "VPLS
Configuration Case Studies" section later in this chapter examines the magnitude of such
savings.
What makes VPLS particularly attractive to service providers is its plug-and-play nature. After
you provision PE routers with multipoint connectivity for VPLS customers, you need to
reconfigure only the directly attached PE router when adding, removing, or relocating a CE
router within a Layer 2 VPN. In contrast, you must reconfigure every peering PE router if the
Layer 2 VPN is based on a point-to-point architecture. With VPLS, packets are no longer
forwarded based on the one-to-one mapping between an attachment circuit and a pseudowire
on a PE router. Rather, a PE router uses a Layer 2 forwarding table to determine the outgoing
Layer
2 VPN Architectures
paths based on the
destination
MAC addresses. A Layer 2 forwarding table is populated
ByWeiaddresses
Luo, - CCIE No.
Carlos interfaces
Pignataro, - CCIE
No. 4619,
Bokotey,
- CCIE The
dynamicallywith MAC
and13,291,
next-hop
through
theDmitry
learning
process.
4460,Anthony
Chan, of
- CCIE
No. 10,266
next few sectionsNo.
explain
the types
service
that VPLS provides, protocol signaling, and
packet forwarding behaviors.
ISBN: 1-58705-168-0
Service
Definitions
Table of
Contents
Pages: 648
VPLS
offers two types of service:
Index
TLS
Ethernet Virtual
Connection
Service (EVCS)
productivity
gains
The services are differentiated by the way that MAC addresses are learned and the way that
bridging protocol data Learn
units (BPDU)
are processed.
TLS performs
unqualified
about Layer
2 Virtual Private
Networks
(VPNs) learning, in which
all customer VLANs of a Layer 2 VPN are treated as if they were in the same broadcast domain.
Source MAC addressesnetwork
are learned
and forwarding entries are populated in the same Layer 2
architecture
forwarding table regardless of whether they are tagged or untagged. This means that MAC
addresses have to be unique
among
customer
VLANs. Overlapping
addresses
can
Gain from
the all
first
book to address
Layer 2 VPNMAC
application
utilizing
cause confusion in the both
LayerATOM
2 forwarding
and result in loss of customer packets.
and L2TPtable
protocols
Besides tagged and untagged
a PE
router
that provides
TLS also
forwards
Review Ethernet
strategiespackets,
that allow
large
enterprise
customers
to enhance
BPDUs that it receives their
from service
the CE-facing
interface
to other interfaces
pseudowires without
offerings
while maintaining
routing or
control
processing. Such transparency in BPDU forwarding makes the CE routers perceive that they
For a through
majorityan
of Ethernet
Service Providers,
a significant
ofof
their
revenues
are connected directly
hub instead
of throughportion
a series
virtual
switches,
are still
derived
and voice
based
transport
which you learn more
about
in thefrom
nextdata
section.
Virtualservices
switches,
like on
reallegacy
physical
switches,
technologies.
Although
terminate and process
BPDUs by
default.Layer 3 MPLS VPNs fulfill the market need for some
anLayer
example
ofLayer
TLS. 3 networks would like to move toward a single
legacy
2 and
infrastructure.
Figure 15-2. TLS Example

and
describes
[View
full size
image] Layer 2 VPN techniques via
For customers who want to keep a separate broadcast domain for each VLAN, EVCS is a more
appropriate choice. In EVCS, the outer VLAN tag on the Ethernet packet differentiates one
customer VLAN instance from another. Each VLAN has its own MAC address space, which
allows qualified learning. In qualified learning, MAC addresses of different VLANs might overlap
with one another, and each VLAN has a separate Layer 2 forwarding table.
EVCS keeps the broadcast domain on a per-VLAN basis and does not extend the spanning tree
across the MPLS network. BPDU packets from CE routers are dropped or processed at PE
routers. In such cases, CE routers do not see each other directly in the spanning tree. Figure
15-3 shows an example of EVCS. Suppose that a VPLS customer has four sites that form two
ByWei
Luo, - CCIE
No.and
13,291,
Carlos
Pignataro,
- CCIE
No. 4619,
Dmitry Bokotey,
- CCIEto
separate broadcast
domains.
CE1
CE2
connect
to the
same
PE router
but belong
No.domains.
4460,Anthony
Chan,
- CCIE No.
10,266
different broadcast
IEEE
802.1q
VLAN
encapsulation is used between the CE routers
and PE router to separate the traffic of different broadcast domains.
ISBN: 1-58705-168-0
Table of
Contents
Index
Figure
Pages: 648
15-3. EVCS Example

productivity gains
Note

If it is necessary to exchange Layer 3 traffic among different broadcast domains, PE
routers can provide Layer 3 connectivity using the Integrated Routing and Bridging
(IRB) capability. Layer 2 traffic cannot be forwarded from one broadcast domain to
another.
infrastructure.
Virtual Switch

Each service that is defined in the previous section is offered by a virtual switch inside a PE
router. When provisioned to support multiple VPLS customers, the PE router effectively is
partitioned into multiple virtual switches. A given PE router has at most one virtual switch for
every VPLS domain.
and Layer
2 Tunneling
Protocol
3 (L2TPv3)
for native
A virtual switch consists
of a bridge
module,
an emulated
LANversion
interface,
and a virtual
IP
cores.
The
structure
of
this
book
is
focused
on
first
introducing
the
forwarding instance (VFI), as shown in Figure 15-4. CE routers are connected to the
bridge
reader
to
Layer
2
VPN
benefits
and
implementation
requirements
and
module through attachment circuits. Each bridge also has one emulated LAN interface that
connects to the VFI.
Figure 15-4. Virtual Switch


Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
The bridge module in a virtual switch has the equivalent role of that in a physical Ethernet
switch. It makes no distinction between the emulated LAN interface and any physical LAN
interface in terms of bridging functions, such as MAC address learning and aging, and packet
flooding. Besides For
the abridge
module
maintaining
a forwarding
table
that maps
MAC
addresses
majority
of Service
Providers,
a significant
portion
of their
revenues
to attachment circuits,
it
can
run
spanning-tree
protocols
on
them.
A VFI has similar functionality to a bridge but performs bridging operations on pseudowires
instead of attachment circuits. It maintains a forwarding table that maps MAC addresses to
pseudowires. The forwarding table is populated through the MAC address learning process
based on packets it receives on pseudowires. It never learns the MAC addresses of the packets
it receives on attachment circuits.
infrastructure.
Note
assists virtual
readersswitching
looking to
meet those
by explaining
the
In some literature,
instance
(VSI)requirements
is used in place
of VFI. They
are
history
and
implementation
details
of
the
two
technologies
available
from
inter-changeable terms.
to Layer
2 of
VPN
benefits
and implementation
requirements
and
Conceptually, thereader
forwarding
table
a bridge
module
and that of a VFI
are different
entities.
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as
MPLS,
then
In practice, VPLS implementations can choose either to create separate tables for each or
progressively
covering
each
available
in greater
detail.
combine them into
a single table.
Because
thecurrently
actual form
of thesolution
data structures
does
not
affect VPLS operations, this chapter assumes a single Layer 2 forwarding table for every VPLS
domain for the sake of simplicity.
VPLS Forwarding and Flooding

In a point-to-point Layer 2 VPN architecture, an attachment circuit and a pseudowire have a
one-to-one mapping. Packets that are received from a CE router are forwarded to only one
pseudowire based on the attachment circuit that packets arrive on.

In VPLS, attachment circuits and pseudowires are connected through a virtual switch. Because
Layer 2 VPN circuit
Architectures
more than one attachment
and pseudowire can attach to the same virtual switch, the
correlation between
attachment
circuits
and
pseudowires
becomes
many-to-many.
ByWei
Luo, - CCIE No.
13,291,
Carlos
Pignataro, - CCIE
No. 4619,
The forwarding decision is made in two stages in VPLS, as follows:

ISBN:
1. A packet is mapped
to a1-58705-168-0
virtual switch and its corresponding Layer 2 forwarding table
Table of
based on the attachment
Pages: 648circuit or pseudowire that the packet arrives on.
Contents
Index
2. The virtual switch looks up the forwarding table using the destination MAC address and
determines the proper forwarding action. Unless a policy is in place to block this particular
packet, the forwarding action can be either broadcast or unicast.
Initially, the Layer 2 forwarding table does not include dynamically learned entries.
productivity gains
When packets arrive on attachment circuits or pseudowires, MAC address learning takes place
as part of the forwarding
process.
the source
MAC
address
is not present
Learn
aboutIfLayer
2 Virtual
Private
Networks
(VPNs) in the forwarding
table, it is added to the table with the arriving attachment circuit or pseudowire as the outgoing
interface. Also, an aging
timer costs
is started
for the the
newreach
forwarding
If the
MAC
Reduce
and extend
of yourentry.
services
bysource
unifying
your
address is already in the
forwarding
table,
no
new
entry
is
created,
and
the
aging
timer
is
refreshed so that an active MAC address is not flushed out prematurely.
Unlike Layer 3 forwarding,
which
packets
are dropped if no forwarding entry matches the
bothin
ATOM
and
L2TP protocols
Layer 3 destination address, VPLS employs a flooding process when the virtual switch receives
a packet that has an unknown
destinationthat
MAC
address.
flooding
process also
applies to
Review strategies
allow
large The
enterprise
customers
to enhance
multicast and broadcast
packets.
Resembling
that of
a real bridge,
VPLS
flooding also has its
their
service
offerings while
maintaining
routing
control
distinct nuances that pertain to pseudowires. Depending on whether the packet receives on an
of Service
Providers,
portion
of their flooding
revenues
attachment circuitFor
or aa majority
pseudowire
and whether
Layera 2significant
split horizon
is enabled,
can
are still
take different courses
of action.
When a packet with
an unknown
addressIdeally,
arrives carriers
on an attachment
circuit, it is
customers,
theydestination
have some MAC
drawbacks.
with existing
flooded to all other
attachment
and3all
pseudowires
boundtoward
to the virtual
legacy
Layer 2circuits
and Layer
networks
wouldthat
likeare
to move
a singleswitch.
When Layer 2 split
horizon is
enabled
on a pseudowire,
thatlucrative
arrive on
this pseudowire
backbone
while
new carriers
would likepackets
to sell the
Layer
2
are flooded to all services
attachment
but notLayer
a pseudowire.
When
Layerin
2 these
split horizon
overcircuits,
their existing
3 cores. The
solution
cases isisa
disabled, packetstechnology
are floodedthat
to all
otherallow
pseudowires
and all attachment
circuits
that are
would
Layer 2 transport
over a Layer
3
bound to the virtual
switch.
infrastructure.
Layer 2 split horizon
is a
prevention mechanism
specifically
forwarding
Layer
2 loop
VPN Architectures
introduces
readers todevised
Layer 2for
Virtual
PrivateVPLS
traffic over pseudowires.
switches
of a VPLSLayer
domain
are interconnected
NetworkWhen
(VPN)virtual
concepts,
and describes
2 VPN
techniques via by a fully
meshed network introductory
of pseudowires,
mustand
enable
Layer 2 splitdesign
horizon
on all pseudowires
caseyou
studies
comprehensive
scenarios.
This book to
prevent forwarding
loops.
Servicelooking
providers
typically
dorequirements
not run spanning-tree
protocols
assists
readers
to meet
those
by explaining
the over
pseudowires. Thehistory
"VPLS Deployment
Models" details
sectionoflater
this
chapter examines
the
and implementation
the in
two
technologies
available
from
correlations between
split horizon
deployment
the Cisco
Unified and
VPNdifferent
suite: Any
Transport models.
VPLS Signaling
Chapter 2, "Pseudowire Emulation Framework and Standards," explained two MPLS pseudowire
emulation frameworks, known as draft-martini and draft-kompella, in the context of point-topoint Layer 2 VPN architectures. Each architecture defines a signaling protocol to establish and
manage pseudowires. Just as the networking community debates which signal protocol is
superior in the point-to-point Layer 2 VPN architectures, a similar debate arose when VPLS
debuted as a multipoint Layer 2 VPN architecture. The two competing proposals that were
made to the networking community are based on the same ideas as in draft-martini and draftkompella, where one is based on Label Distribution Protocol (LDP) and the other is based on
Border Gateway Protocol (BGP). Despite being applied to a new architecture like VPLS, the
fundamental property of each protocol still remains.
The LDP-based VPLS solution, like its point-to-point counterpart, receives much wider
acceptance in terms of vendor implementation and network deployment. The VPLS solution
that Cisco IOS offered
an Architectures
LDP-based solution.
Layer 2isVPN
To comprehend the details of the BGP-based VPLS solution, refer to the relevant documents of
the Layer 2 VPN working group at the IETF web site (http://www.ietf.org). This chapter focuses
on the LDP-based VPLS solution and its deployment scenarios. Note that both solutions have
Publisher:
Cisco Press
the same data forwarding
specifications
despite the difference in signaling.
The procedure of settingISBN:

up pseudowires
1-58705-168-0 for VPLS is quite similar to that for point-to-point
Table of
Ethernet
over MPLS (EoMPLS).
Pages: 648 First, a targeted LDP session is created between each pair of PE
Contents
routers that participate in a given VPLS domain. In a full-mesh deployment model, N * (N 1) /
Index
2 LDP sessions need to be established, where N is the number of PE routers participating in
VPLS. These LDP sessions can be shared among different VPLS domains. In other words, you
can use a single LDP session between a pair of PE routers to establish pseudowires for all VPLS
domains that are Master
provisioned
on the
routers.
the world
of PE
Layer
productivity gains
After LDP sessions are established among participating PE routers, the next step is to create
pseudowires to interconnect the virtual switches. Again, in a full-mesh deployment model, each
VPLS domain requires N
* (Nabout
1) / 2Layer
pseudowires
the network,
Learn
2 Virtualthroughout
Private Networks
(VPNs)where N is the
number of virtual switches.
Note
As part of the deployment

planning,that
you allow
should
calculate
the number
of signaling
Review strategies
large
enterprise
customers
to enhance
sessions and pseudowires
to beofferings
established
the
network
to measure the
their service
whilethroughout
maintaining
routing
control
scale of VPLS deployment. One benefit of VPLS architecture is that the numbers stay
For a customer
majority of
Service
a significant
portion
of their
revenues
the same if more
sites
needProviders,
to be attached
to existing
virtual
switches.
The protocol messages
encodings
that 3are
used forwould
VPLS like
signaling
aretoward
identical
to those
legacyand
Layer
2 and Layer
networks
to move
a single
that are describedbackbone
in Chapter
6, "Understanding
Any like
Transport
overlucrative
MPLS." The
Pseudowire
while
new carriers would
to sell the
Layer
2
Type field in the Pseudowire
IDtheir
FEC element
is Ethernet
for The
VPLS,
which in
is these
the same
asisfor
services over
existing Layer
3 cores.
solution
cases
a the
point-to-point EoMPLS.
infrastructure.
The Pseudowire ID field in the Pseudowire ID FEC element serves the binding of two remotely
located entities, such
circuitsintroduces
or VFIs. For
point-to-point
2 VPNs,
the
Layeras2 attachment
VPN Architectures
readers
to LayerLayer
2 Virtual
Private
Pseudowire ID only
needs (VPN)
to be unique
between
a pair of Layer
PE routers.
VPLS Layer
Network
concepts,
and describes
2 VPNFor
techniques
via 2 VPNs,
each VPLS domain
is identifiedcase
by astudies
globally
unique
VPN ID, which
means
that you
have
to
introductory
and
comprehensive
design
scenarios.
This
book
provision VFIs of assists
the same
VPLS looking
domain to
with
thethose
samerequirements
VPN ID on allby
participating
readers
meet
explaining PE
therouters.
When you are setting
up and
pseudowires
for a VPLS
domain,
of VC IDs or
Pseudowire
history
implementation
details
of theinstead
two technologies
available
from IDs
of individual point-to-point
pseudowires,
you have
the VPN ID
in the
Pseudowire
ID MPLSfield.
the Cisco Unified
VPN suite:
Any Transport
over
MPLS
(ATOM) for
Because point-to-point
VPLS
shareProtocol
the same
Pseudowire
ID space,
you need
based and
cores
and Layer
Layer 22 VPNs
Tunneling
version
3 (L2TPv3)
for native
to ensure that VPN
that
arestructure
used in VPLS
dobook
not overlap
with
IDs that
IP IDs
cores.
The
of this
is focused
onPseudowire
first introducing
the are used
in point-to-point Layer
VPNs.
reader2to

VPLS Deployment
Models
Compared to point-to-point
2 VPNs, deploying multipoint Layer 2 VPNs that are built on
Publisher:Layer
Cisco Press
the VPLS architecture
is Date:
far more
complicated.
One of the reasons is that a point-to-point Layer
Pub
March 10,
2005
2 VPN resembles a traditional Frame Relay-or ATM-based network in areas such as topologies
ISBN: 1-58705-168-0
Table of
and forwarding
characteristics. For this reason, it is natural to overlap a point-to-point Layer 2
Pages:
648
Contents
VPN on
top of the WAN-based core network.
Index
LAN services, as the name suggests, are designed for networks that are confined to a local or
metropolitan area. One fundamental assumption that many LAN services make is that plenty of
cheap bandwidth is available in the local or metro-area network (MAN). Many LAN services also
Master
worldto
offunction
Layer 2 properly.
VPNs to provide
servicesgrowth
and enjoy
rely on broadcasting
andthe
flooding
Despiteenhanced
the phenomenal
in
productivity
gains
building high-speed
network infrastructures,
WAN bandwidth has always been one of the most
expensive pieces in the overall network cost. Without carefully engineered VPLS deployment,
new VPLS services will not be the only ones to suffer. Broadcast storms seen in a LAN
environment can propagate to the multiservice backbone and affect other non-VPLS services.
This section examines a few deployment issues, with considerations to loop-free forwarding,
broadcast traffic, and scalability.
Basic
Topologicboth
Models

In a given VPLS domain, virtual switches are interconnected by pseudowires. The topology
formed by these pseudowires plays a critical role in loop-free forwarding and contributes to the
overall scalabilityFor
andaperformance.
A VPLSProviders,
domain can
have the following
majority of Service
a significant
portion offorms:
their revenues
Full mesh technologies. Although Layer 3 MPLS VPNs fulfill the market need for some
Hub and spoke
Partial meshservices over their existing Layer 3 cores. The solution in these cases is a
infrastructure.
Full Mesh

The "Understanding
VPLS Fundamentals"
briefly addressed
thescenarios.
forwardingThis
andbook
signaling
introductory
case studiessection
and comprehensive
design
characteristics of assists
a full-mesh
VPLS
topology,
which
is
the
most
common
deployment
model
today. In a full-mesh
model,
every virtual switch
hasofexactly
one
pseudowireavailable
to everyfrom
other
history
and implementation
details
the two
technologies
virtual switch in the
same
VPLS
domain.
The
loop-free
forwarding
is
guaranteed
by
enabling
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSLayer 2 split horizon
on cores
every and
pseudowire
in this topology.
Split
horizon
preventsfor
packets
based
Layer 2 Tunneling
Protocol
version
3 (L2TPv3)
nativethat
are received on one
pseudowire
from
being
sent
to
any
other
pseudowire.
It
applies
to normal
forwarding if the destination
MAC2address
matches
entry in the forwarding
table,and
and it also
reader to Layer
VPN benefits
andan
implementation
requirements
applies to flooding
if the packet
has
unknown
unicast,
multicast,
or broadcast
comparing
them
toan
those
of Layer
3 based
VPNs, such
as MPLS,destination
then
MAC address.
A full-mesh model provides loop-free full connectivity among all virtual switches. It also
eliminates the need to run spanning-tree protocols over the backbone, which saves valuable
WAN bandwidth. However, such benefits come at the cost of other network resources.
Remember from the previous section that the number of signaling sessions and pseudowires
grows exponentially when the number of PE routers and virtual switches increases. Supporting
numerous signaling sessions and pseudowires requires more bandwidth for exchanging protocol
messages and more processing power on PE routers for signaling and packet forwarding. The
forwarding performance also degrades when flooding has been performed on a large number
pseudowires.
Hub and Spoke

ByWei
Luo, - CCIE
No. 13,291,
Carlos
Pignataro,
- CCIE
No. as
4619,
Bokotey, - CCIE
In a hub-and-spoke
model,
exactly
one PE
router
that is
acting
a Dmitry
hub connects
all other PE
No.
4460,
Anthony
Chan,
CCIE
No.
10,266
routers that act as spokes in a given VPLS domain. The virtual switch on a spoke PE router has
exactly one pseudowire connecting to the virtual switch on the hub PE router. No pseudowire
Publisher:
Cisco Press
interconnects the virtual
switches
on spoke PE routers. A hub-and-spoke topology by definition
is loop-free, so it does
need
to10,
enable
Pubnot
Date:
March
2005 spanning-tree protocols or split horizon on
pseudowires. To provideISBN:
Layer
2
connectivity
among the virtual switches on spoke PE routers,
1-58705-168-0
Table of
the hub
PE router mustPages:
turn 648
off split horizon on the pseudowires. When split horizon is
Contents
disabled,
you can forward or flood packets among different pseudowires at the hub PE router.
Index
The simplicity of a hub-and-spoke model makes it an attractive choice for small VPLS
deployment. Realize, though, that the hub PE router is a single point of failure. Because all
traffic has to go through the hub PE router, the router requires ample processing power to
relay and flood packets across pseudowires.
productivity gains
Partial Mesh
Reduce
costs
extend
the
of your
servicesforwarding
by unifyinginyour
The most flexible topologic
model
is and
partial
mesh.
Toreach
guarantee
loop-free
an
network
architecture
arbitrary partial-mesh model, you need to run spanning-tree protocols on pseudowires
throughout the backbone. Spanning-tree protocols are typically chatty and take a considerable
amount of expensive WAN bandwidth. In addition, deploying spanning-tree protocols in a largeboth ATOM and L2TP protocols
scale network is always a great challenge. Network design considerations such as root bridge
selection, redundancy, and load balancing are highly complex, which means they are more
vulnerable to configuration and operation mistakes. Service providers typically do not deploy a
partial-mesh model because they want to avoid running spanning-tree protocols in the core
network.
Hierarchical customers,
VPLS they have some drawbacks. Ideally, carriers with existing
while
new basic
carriers
would like
to sell
themitigating
lucrative Layer
2
Aiming at having backbone
the benefits
of both
topologic
models
while
their problems,
a
services
over
their
existing
Layer
3
cores.
The
solution
in
these
cases
hybrid between the full-mesh and hub-and-spoke models is now available, known as is a
thatVPLS
wouldconsists
allow Layer
2 transport
over
a Layer
hierarchical VPLS .technology
A hierarchical
of a top
tier and a
bottom
tier.3Depending on
infrastructure.
the type of network that is deployed at the bottom tier, hierarchical VPLS comes in two forms:
(VPN)
HierarchicalNetwork
VPLS with
MPLSconcepts,
access network
readers
Hierarchicalassists
VPLS with
QinQlooking
access to
network
cores
and Layer
2 Tunneling
Hierarchical VPLS
with
MPLS
Access
Network
As shown in Figure
15-5, for them
a given
switches
in the
tier then
are fully
comparing
to VPLS
those domain,
of Layer virtual
3 based
VPNs, such
astop
MPLS,
meshed through pseudowires.
Each
virtual
switch
in
the
bottom
tier
has
exactly
one
pseudowire that connects to a top-tier virtual switch, which is effectively a hub-and-spoke
model. This form of hierarchical VPLS is known as hierarchical VPLS with MPLS access . PE
routers in the top tier and bottom tier are also known as network-facing PE (N-PE) routers and
user-facing PE (U-PE) routers, respectively. To ensure loop-free forwarding, an N-PE router
must enable Layer 2 split horizon on all pseudowires that connect to other N-PE routers and
disable split horizon on all pseudowires that connect to U-PE routers. On an N-PE router,
packets are forwarded to other pseudowires only if they arrive on a pseudowire that connects a
U-PE router. Packets that arrive on a pseudowire that connects an N-PE router can be
forwarded to pseudowires that connect to U-PE routers only.
Figure 15-5. Hierarchical VPLS with MPLS Access

[View
size image]
No.full
10,266
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
Hierarchical VPLS with QinQ Access Network
Hierarchical VPLS has an alternate form that uses Ethernet QinQ tunnels between U-PE and NPE routers, as depicted in Figure 15-6. It is also known as hierarchical VPLS with QinQ access .
Instead of a pseudowire, you can use an Ethernet QinQ tunnel between a U-PE router and an
N-PE router. Despite the absence of pseudowires in the bottom tier, the overall bridging
architecture is still
based
on twooflogically
where portion
an N-PEofrouter
forwards
For
a majority
Serviceseparated
Providers,layers,
a significant
their revenues
packets to pseudowires
that
connect
to
other
N-PE
routers
only
if
they
arrive
on
QinQ
tunnels
that connect to U-PE
routers.
The
hierarchical
VPLS
models
significantly
reduce
the
total
number of signaling
sessions they
and pseudowires;
therefore,Ideally,
they improve
network
scalability and
customers,
carriers
with existing
performance. Thelegacy
scalability
surfaces
whenwould
you add
a PE router.
Layerbenefit
2 and also
Layer
3 networks
like or
to relocate
move toward
a singleIf the
object is an N-PE backbone
router, you
need
to reconfigure
only
other
N-PE
If Layer
the object
is a Uwhile
new
carriers would
like
to sell
therouters.
lucrative
2
PE router, you need
to
reconfigure
only
the
attached
N-PE
router.
infrastructure.
Figure
Hierarchical
VPLSreaders
with QinQ
Access
Layer 215-6.
VPN Architectures
introduces
to Layer
2 Virtual Private
full size
image]requirements by explaining the
assists readers looking[View
to meet
those
Like point-to-point Layer 2 VPN architectures, you can deploy VPLS in an inter-autonomous
system (AS) or multidomain environment using a hierarchical model. In their simplest form,
the peering VPLS PE routers of different administrative domains operate in such a fashion that
each PE router treats itself as an N-PE router, and treats the peering PE as a U-PE router in the
hierarchical model.
VPLS Redundancy

ISBN: 1-58705-168-0
of
In theTable
hierarchical
VPLS model, an N-PE router can still be a single point of failure for attached
648
U-PE Contents
routers. To solve Pages:
this problem,
each U-PE can connect to multiple N-PE routers through
Index pseudowires or QinQ tunnels. This method for providing redundancy is also known
redundant
asmultihoming . In this case, Layer 2 split horizon alone is no longer sufficient for providing
loop-free forwarding. You need to enable spanning-tree protocols between U-PE and N-PE
routers.
gains
In Metro Ethernetproductivity
deployment,
you can view each metro area as an island of which U-PE and
N-PE routers are closely located and are connected through a LAN. You can view VPLS as a
collection of islands interconnected by pseudowires. When you confine spanning-tree protocols
Learn
Layer
2 Virtual
Privatespanning-tree
Networks (VPNs)
within individual islands,
eachabout
island
becomes
a separate
domain of which the
boundary stays within the LAN, and the core network does not suffer bridging protocolrelated
problems such as bandwidth inefficiency, operation complexity, and other drawbacks.
When a U-PE router multihomes with N-PE routers, you must enable spanning-tree protocols
on the U-PE router for all the pseudowires or QinQ tunnels that exist between the U-PE and Nboth ATOM and L2TP protocols
PE routers. However, an N-PE router can choose whether to participate in spanning-tree
protocols. If it does, it Review
behavesstrategies
like an Ethernet
bridge
that
exchanges
and processes
BPDUs
that allow
large
enterprise
customers
to enhance
with U-PE and other N-PE
the same
island.
If it does routing
not, it acts
as an Ethernet hub
theirrouters
serviceofofferings
while
maintaining
control
that simply relays BPDUs without processing. In the next section, a case study shows how to
achieve VPLS redundancy
using of
multihoming.
For a majority
infrastructure.

VPLS Configuration
Case Studies
The feature requirements

forCisco
VPLS
originated from service providers that were deploying Metro
Publisher:
Press
Ethernet services and
wanted
to extend
Pub
Date: March
10, 2005 the coverage beyond the boundary of a metro using
their WAN infrastructure. As part of the Cisco Metro Ethernet service portfolio, the integrated
ISBN: 1-58705-168-0
Table
of
VPLS
solution
in Cisco IOS fulfills such requirements.
Pages: 648
Contents
Index
This section
describes how to configure VPLS on a Cisco router. The case studies that are
commonly seen in Metro Ethernet deployment, which are by no means exhaustive, can help
you further understand the Cisco VPLS solution. Configuration examples in this section are
based on the Cisco 7600 series router. Refer to Cisco.com to obtain the information on the
Master
the world
latest platform and
hardware
support.
productivity gains
Case Study 15-1:Learn

Basic
Configuration
about
Reduce
extend that
the reach
of your
by unifyingare
your
Before you configure VPLS,
youcosts
needand
to ensure
IP routing
andservices
MPLS forwarding
network
architecture
configured properly and that the minimal Layer 2 VPN connectivity requirements are met:
both
ATOM andinterface
L2TP protocols
Every PE router has
a loopback
that is configured with an IP address and a /32
network mask. This address is used as the Router ID in LDP signaling for the PE router.
their
service offerings
routing tables
controlcontain those host
PE routers have IP
connectivity
to each while
other,maintaining
and the IP routing
routes that were previously configured on the loopback interfaces. This ensures that you
For
a LDP
majority
of Service
Providers,signaling.
a significant
of their
revenues for
can establish
the
sessions
for pseudowire
You portion
can verify
the reachability
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
the host routes by using the show ip route command.
customers,
theyswitched
have some
drawbacks.
Ideally,
carriers
with This
existing
PE routers have
MPLS label
paths
(LSPs) for
those host
routes.
ensures that
legacy Layer
2 and Layer
3 networks
would
like
to move
toward by
a single
MPLS encapsulated
pseudowire
packets
are not sent
to a
black
hole caused
a broken
backbone
while
new carriers
would
like
Layer 2
LSP. You can
verify this
by using
the show
mpls
forwarding-table
command.
technology
allow Layer
transport
over
a Layer 3
The next few sections
discussthat
the would
tasks involved
for 2baseline
VPLS
configuration,
demonstrate
infrastructure.
with a complete example,
and verify the configuration results.
Network (VPN)
Configuring Attachment
Circuit
Attachment circuits
that and
are used
in VPLS candetails
be Layer
2 switch-port
interfaces,
Gigabit
history
implementation
of the
two technologies
available
from
Ethernet interfaces
on
intelligent
line
cards,
or
other
interfaces
with
bridged
encapsulation.
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSBecause of the low
cost cores
and high
density,
Layer Protocol
2 switchport
interfaces
are the
based
andport
Layer
2 Tunneling
version
3 (L2TPv3)
for most
native
commonly deployed
attachment
circuits.
Before going into the configuration steps for Layer 2 switchport interface, it is necessary to
explain the difference and the correlation between a service-delimiting VLAN tag and an
internal VLAN tag. Chapter 6 introduced the concept of a service-delimiting VLAN tag. To recap,
service providers use service-delimiting VLAN tags to identify different types of customer
traffic. Because a service-delimiting VLAN tag usually has only local significance, it is removed
at the ingress PE router. The egress PE router might have a different service-delimiting VLAN
tag, which is added to the packets that are sending to a CE router.
An internal VLAN tag identifies a bridge domain on a PE router. In the context of VPLS, it is the
virtual switch. Conceptually, service-delimiting VLAN tags and internal VLAN tags are two
independent entities. A bridge domain, represented by an internal VLAN tag, might have
multiple attachment circuits, where each is provisioned with a different service-delimiting VLAN
tag. Such independence allows service providers to offer multiple value-added services to a
single VPLS customer using the same physical connection. Currently, this provisioning model is
available only on interfaces of high-end intelligent access line cards.
Traffic from VPLSBy

customers
does
always
service-delimiting
VLAN
tags,- such
Wei Luo, - CCIE
No.not
13,291,
Carloshave
Pignataro,
- CCIE No. 4619,Dmitry
Bokotey,
CCIE as
untagged customer
In addition,
having
an 802.1q VLAN tag in the packet does not
No. traffic.
4460,Anthony
Chan, - CCIE
No. 10,266
automatically make it a service-delimiting VLAN tag. Later in this section, you will study the
characteristics of a service-delimiting
Publisher: Cisco Press VLAN tag and an internal VLAN tag when used in different
switchport modes of Pub
theDate:
Layer
2 switchport interface.
March 10, 2005
ISBN: 1-58705-168-0
A Layer
2 of
switchport interface
can operate in one of three mutually exclusive switchport
Table
Pages:
648 how each mode is used in normal bridging applications:
modes.
The following list recaps
Contents
Index
access The interface sends and accepts untagged Ethernet packets only. Tagged
Ethernet VLAN packets are dropped.
trunk The interface
sends
and receives tagged Ethernet VLAN packets and native VLAN
productivity
gains
packets.
dot1q-tunnel Any
packet,
tagged
untagged,
is forwarded
Learn
about
Layeror
2 Virtual
Private
Networksthrough
(VPNs) a QinQ tunnel. A
QinQ tunnel is identified by the access VLAN tag that is configured on the Layer 2
Reduce
and
extend
the
reachtoofthe
your
services
by ingress
unifyingtunnel
your
switchport interface.
The costs
access
VLAN
tag is
added
packet
at the
network
architecture
interface and removed
at the
egress tunnel interface, which means that the VLAN tags
must be identical at both interfaces for a given QinQ tunnel.
ATOM
andinL2TP
protocols
In VPLS, the switchportboth
modes
work
a similar
fashion from an end user's perspective, but
some of the internal operations vary slightly.
their steps
service
offerings
while
maintaining routing
The following configuration
highlight
how
service-delimiting
VLANcontrol
tags and internal VLAN
tags are used in each switchport mode.
Configuring thetechnologies.
Access Mode
The access mode backbone
in VPLS iswhile
identical
that inwould
normal
bridging.
Only
untagged
Ethernet
newto
carriers
like
to sell the
lucrative
Layer
2
packets are sent and
received
on
the
Layer
2
switchport
interface,
and
the
Ethernet
header
services over their existing Layer 3 cores. The solution in these cases
is a is
sent over the pseudowire
unmodified
because
no
service-delimiting
VLAN
tag
exists.
You
can
configure the access
mode
as
follows:
infrastructure.
Step 1. Configure
the2interface
as a switchport:
Layer
VPN Architectures
introductory case studies and
comprehensive
VPLS-PE1(config)#interface
FastEthernet
4/3design scenarios. This book
assists
readers
looking
to
meet
those
requirements
by explaining the
VPLS-PE1(config-if)#switchport
history
and
implementation
details
of
the
two
technologies
available from
VPLS-PE1(config-if)#
IP the
cores.
The structure
this book
Step 2. Configure
switchport
as an of
access
mode:
mode access
progressively covering each currently
Step 3. Assign the Layer 2 switchport interface to a bridge domain, which is represented by
an internal VLAN tag:
access
vlan
ByWei Luo, - CCIE No. 13,291,Carlos Pignataro,
- CCIE
No. 2
Pub Date:after
Marchthese
10, 2005
The interface configuration
steps is shown in Example 15-1.
Table of
Contents
Example
Index
ISBN: 1-58705-168-0
Pages: 648
15-1. Access Mode Interface Configuration
no ip address Master the world of Layer 2 VPNs to provide enhanced services and enjoy
switchport
productivity gains
switchport mode access
Configuring the
network
architecture
Trunk
Mode
When you configure a Layer
2 switchport
interface
as trunk mode in VPLS, the VLAN tag maps
both ATOM
and L2TP
protocols
packets received from a CE router to a bridge domain. In other words, the VLAN tag in the
customer traffic is considered
service-delimiting
VLANenterprise
tag. A Layer
2 switchport
interface
Review the
strategies
that allow large
customers
to enhance
does not support a configurable
service-delimiting
tag; therefore,
the service-delimiting
their service
offerings while VLAN
maintaining
routing control
VLAN tag has to match the internal VLAN tag of the bridge domain for a given VPLS customer.
a majority
of multiple
Service Providers,
significant
portionVPLS
of their
revenues
Because the trunkFor
mode
supports
VLAN tags,a traffic
of different
customers
can
are still
data andinterface.
be sent and received
overderived
a Layerfrom
2 switchport
In trunk mode, a customers,
PE router removes
thesome
service-delimiting
VLAN tag
on the
Ethernet
header
they have
drawbacks. Ideally,
carriers
with
existing
before applying the
pseudowire
For the would
opposite
PE applies
the
legacy
Layer 2 encapsulation.
and Layer 3 networks
likedirection,
to move atoward
a single
internal VLAN tagbackbone
to the Ethernet
header
afterwould
the pseudowire
is removed
from
while new
carriers
like to sellencapsulation
the lucrative Layer
2
the pseudowire packet.
Use
thetheir
following
steps
to configure
the solution
trunk mode
on a cases
Layer is
2a
services
over
existing
Layer
3 cores. The
in these
switchport interface:
infrastructure.
Step 1.
Configure the interface as a switchport:
introductory case studies and FastEthernet
comprehensive 4/3
Step 2.
Configure the interface to use 802.1q VLAN encapsulation:
comparing them to those of Layer trunk
3 basedencapsulation
VPNs, such as MPLS,
dot1q then
progressively
covering
each
currently
available
solution
in
greater
detail.
Step 3.
(Optional) Assign a list of VLANs allowed on this trunk, such as VLAN 2 to VLAN 10:
VPLS-PE1(config-if)#switchport trunk allowed vlan 2-10
Step 4.
Configure the switchport as trunk mode:

mode trunk
Cisco Press
Example 15-2 showsPublisher:
the interface
configuration after you complete the steps for the trunk
Pub
Date:
March
10, 2005
mode.
Table of
Contents
Example
Index
ISBN: 1-58705-168-0
Pages: 648
15-2. Trunk Mode Interface Configuration
no ip address Master the world of Layer 2 VPNs to provide enhanced services and enjoy
switchport
productivity gains
switchport trunk allowed vlan 2-10
Configuring dot1q-tunnel
Mode
QinQ tunneling is an Ethernet native tunneling mechanism that stacks VLAN tags together in a
similar fashion to the MPLS
labels.
The outer
that
is addedcustomers
at the tunnel
ingress
Review
strategies
that VLAN
allow tag
large
enterprise
to enhance
interface is the access their
VLANservice
tag that
is configured
on the Layerrouting
2 switchport
offerings
while maintaining
controlinterface. The
purpose of the outer VLAN tag is similar to that of the tunnel label in an MPLS-encapsulated
ForThe
a majority
of Service
Providers,
significant
portion
their revenues
pseudowire packet.
outer VLAN
tag is to
forward athe
packet from
the of
ingress
tunnel
are still
derived
from data
services
based
on legacy
transport
endpoint to the egress
tunnel
endpoint
and and
hidevoice
the inner
VLAN
tag from
the transit
network.
In VPLS, the transit
network they
is an have
MPLSsome
network,
and a tunnel
label
is used
to existing
move packets
customers,
drawbacks.
Ideally,
carriers
with
from the LSP ingress
endpoint
the Layer
egress3 endpoint.
the
of an a
outer
VLAN
legacy
Layer 2toand
networks Because
would like
to function
move toward
single
tag is effectively replaced
an MPLS
tunnel label,
VLAN
is no longer
backboneby
while
new carriers
wouldthe
likeouter
to sell
the tag
lucrative
Layer 2added to
the Ethernet header
whenover
the Layer
2 switchport
configured
as these
dot1q-tunnel
services
their existing
Layerinterface
3 cores. is
The
solution in
cases is mode.
a
That is the main difference
the would
way dot1q-tunnel
mode
operates
normal
technologyinthat
allow Layer 2
transport
overinaVPLS
Layerversus
3
bridging.
infrastructure.
The following is an
example
configuring a introduces
Layer 2 switchport
interface
dot1q-tunnel
Layer
2 VPNofArchitectures
readers to
Layer 2as
Virtual
Private
mode:
Step 1. Configure the interface as a switchport:

FastEthernet 4/3
Step 2. Configure the switchport as dot1q-tunnel mode:

ISBN: 1-58705-168-0
Table of
mode dot1q-tunnel
Pages:
648
Contents
Index
Step 3. Assign the Layer 2 switchport interface to a bridge domain, which is represented by
an internal VLAN tag:
productivity gains
VPLS-PE1(config-if)#switchport access vlan 2
network
architecture mode is shown in Example 15-3.
for dot1q-tunnel
Example 15-3. dot1q-tunnel Mode Interface Configuration

no ip address
switchport
services
overare
their
Layer interface
3 cores. The
these cases and
is a new
Layer 2 switchport
interfaces
theexisting
predominant
typesolution
in VPLSindeployment,
technology
that
would
allow
Layer
2
transport
over
a
Layer
3
attachment circuit types are being added as the VPLS solution is being enhanced. Refer to
infrastructure.
Cisco.com to obtain
the latest attachment circuit support.
Configuring VFI
When you configure
AToM
or implementation
L2TPv3 pseudowire
emulation,
thetechnologies
pseudowire available
portion offrom
the
history
and
details
of the two
configuration is done
from the
attachment
circuit
mode.
example,
interface
the Cisco
Unified
VPN suite:
Anyconfiguration
Transport over
MPLSFor
(ATOM)
for MPLSmode is used for based
PPP and
HDLC
pseudowires,
PVC mode
for ATM
AAL5,
and connect
mode for
cores
and
Layer 2 Tunneling
Protocol
version
3 (L2TPv3)
for native
Frame Relay data-link
connection
identifier
(DLCI).
implicitly
the one-to-one
IP cores.
The structure
of this
bookThis
is focused
onbuilds
first introducing
the
mapping betweenreader
an attachment
and a pseudowire.
to Layer 2circuit
VPN benefits
VPLS needs to build
a many-to-many
mapping
for eachavailable
VPLS domain.
Forinthe
pseudowire
progressively
covering
each currently
solution
greater
detail.
portion of the configuration, VPLS uses the VFI configuration mode to specify a set of
pseudowires and associated properties for a given VPLS domain. Before enabling any other
command, configure the VFI needs with a VPN ID. As explained earlier in the "VPLS Signaling"
section, a VPN ID identifies a VPLS domain throughout the network. It is encoded in the
Pseudowire ID field of the protocol messages. The VFI configuration mode also specifies the
addresses of the peering PE routers, the type of pseudowire signaling, and the encapsulation
method for each peer.
The following steps show an example of configuring a VFI:
Step
1.
Create a multipoint VFI by enabling the VFI configuration mode:

VPLS-PE1(config)#l2
vfi blue manual
VPLS-PE1(config-vfi)#
The keyword manual indicates that you will enter the peering relationship with remote
PE routers manually.
1-58705-168-0
StepTable
Configure
a VPNISBN:
ID for
the VFI:
of
Pages:
648
2. Contents
Index
VPLS-PE1(config-vfi)#vpn id 100
Master
the worldinofthe
Layer
VPNs
to provideinteger.
enhanced
enjoy
The VPN ID
is configured
form2 of
an unsigned
Theservices
range ofand
values
is
productivity
gains
from 1 to 4294967295, or 0xFFFFFFFF in hex.
Step
3.
Specify the peering

router
ID and
pseudowire
LearnPE
about
Layer
2 Virtual
Privateencapsulation:
Networks (VPNs)
VPLS-PE1(config-vfi)#neighbor 10.0.0.2 encapsulation mpls
Step
4.
Repeat Step 3 for every peering PE router.

Currently, the
manual mode
the some
only provisioning
customers,
they is
have
drawbacks. option
Ideally,available
carriers for
withmultipoint
existing
VFI. When an
autodiscovery
mechanism
is introduced
forlike
VPLS
in thetoward
future, aa single
VFI
legacy
Layer 2 and
Layer 3 networks
would
to move
can be provisioned
automatically.
backbone
infrastructure.
Example 15-4 shows an example of a VFI configuration.
introductory
Example 15-4.
VFI Configuration
l2 vfi blue manual
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSvpn id 100
neighbor 10.0.0.2
encapsulation
IP cores.
The structurempls
neighbor 10.0.0.3
readerencapsulation
to Layer 2 VPN mpls
neighbor 10.0.0.4
encapsulation
mpls
comparing
them to those
Note
Associating Attachment Circuits to the VFI

The final step in building the many-to-many mapping involves how to associate attachment
circuits to a VFI in configuration.
In the switchport mode configuration steps, a bridge domain or an internal VLAN is assigned to
attachment circuits for a given VPLS domain. For example, Layer 2 switchport interfaces in
access and dot1q-tunnel mode use the command switchport access vlan to specify the
bridge domain explicitly. Those in trunk mode use the service-delimiting VLAN tags instead.
Layerinterface
2 VPN Architectures
You can view a VLAN
as a virtual interface representation of a bridge domain. By
associating the VFI
under
VLAN
interface
mode,
the
many-to-many
ByWei
Luo, the
- CCIE
No. 13,291,
Carlosconfiguration
Pignataro, - CCIE
No. 4619,
Dmitry
Bokotey, - CCIE
association is finally
accomplished.
configure
the VFI under a VLAN interface, use the
No. 4460,
Anthony Chan,To
- CCIE
No. 10,266
following steps:
Step
1.
Create or access
a VLAN
also known as a switched virtual interface:
Pub Date:
Marchinterface,
10, 2005
ISBN: 1-58705-168-0
Table of
Pages:
648
vlan 2
Contents
Index
Note that the VLAN ID needs to be identical to the service-delimiting VLAN tag when
using Layer 2 switchport trunk mode. Otherwise, it can be the tag value of an unused
VLAN.
productivity gains
Step
2.
Attach the VFI to the VLAN interface:

VPLS-PE1(config-if)#xconnect
vfithe
blue
reach of your services by unifying your
You must have a valid VFI configured before this command can be accepted.
The next section showstheir
the complete
configuration
example and
ways to
verify whether it is
service offerings
while maintaining
routing
control
working.
Configuration Example
legacy
Layer 2 and
Layer blocks,
3 networks
would
like to move
toward a fairly
single
With the basic VPLS
configuration
building
network
operators
can construct
backbone
while
new
carriers
would
like
to
sell
the
lucrative
Layer
2
sophisticated multipoint Layer 2 VPNs. Figure 15-7 shows an example of a full-mesh VPLS
over their
existing
Layer 2 VPN with services
four CE routers
of the
sameLayer
VPLS3customer.
infrastructure.
Figure 15-7. VPLS Configuration Example
To illustrate the flexibility of how you can connect CE devices, the configuration example uses
different switchport modes and service-delimiting VLAN tags on each PE router as follows:
CE1 sends and

receives
untagged
Ethernet
packetsthat
is, 4619,
null Dmitry
service-delimiting
ByWei
Luo, - CCIE
No. 13,291,
Carlos Pignataro,
- CCIE No.
Bokotey, - CCIE VLAN
tags. PE1 configures
the
switchport
mode
as
dot1q-tunnel
to
forward
packets that have
an unmodified Ethernet header. The internal VLAN that is associated with the switchport is
2.
CE2 sends and Pub
receives
tagged Ethernet VLAN packets of which the service-delimiting
1-58705-168-0
VLANof tag is 4. PE2ISBN:
configures
the switchport mode as a trunk to remove or add the
Table
service-delimitingPages:
648
VLAN
tag
accordingly.
The internal VLAN that is associated with the
Contents
switchport
is
4.
Index
CE3 sends and receives untagged Ethernet packetsthat is, null service-delimiting VLAN
tags. PE2 configures the switchport mode as access to forward all untagged packets. The
internal VLAN
that is
associated
with the
switchport
is 8. enhanced services and enjoy
Master
the
world of Layer
2 VPNs
to provide
productivity gains
CE4 sends and receives tagged Ethernet VLAN packets of which the service-delimiting
VLAN tag is 10. PE4 configures the switchport mode as a trunk to remove or add the
Layer 2 Virtual
service-delimitingLearn
VLANabout
tag accordingly.
The Private
internalNetworks
VLAN that(VPNs)
is associated with the
switchport is 10.
network
architecture
Example 15-5 shows the
configuration
on PE1.
Example 15-5.
bothConfiguration
PE1

hostname PE1
!
For a majority
mpls label protocol
ldp
are
still
derived
mpls ldp logging neighbor-changes
technologies.
Although
!
l2 vfi l2vpn manual
vpn id 1
services
over their existing
neighbor 10.0.0.2
encapsulation
mpls Layer 3 cores. The solution in these cases is a
technology
that
would
neighbor 10.0.0.3 encapsulation mpls
infrastructure.
!
interface Loopback0
ip address 10.0.0.1 255.255.255.255
!
interface POS3/1
ip address 10.0.1.1 255.255.255.252
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSmpls ip
!
no ip address
switchport
!
interface Vlan2
no ip address
xconnect vfi l2vpn
Example 15-6 shows the configuration on PE2.
Example 15-6. PE2 Configuration

hostname PE2 ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
!
Cisco Press
mpls ldp logging Publisher:
neighbor-changes
mpls ldp router-id
PubLoopback0
!
ISBN: 1-58705-168-0
Table of
l2 vfi
l2vpn manualPages: 648
vpn Contents
id 1
Index
neighbor
10.0.0.1 encapsulation mpls
!
interface Loopback0
productivity gains
ip address 10.0.0.2 255.255.255.255
!
interface POS3/1
ip address 10.0.2.1 255.255.255.252
mpls ip
!
no ip address
switchport
Review strategies
switchport trunk allowed
vlan 4 that allow large enterprise customers to enhance
!
interface Vlan4For a majority of Service Providers, a significant portion of their revenues
xconnect vfi l2vpn
services
over their existing
Example 15-7 shows
the configuration
on PE3.
infrastructure.
Example 15-7. PE3 Configuration

hostname PE3 introductory case studies and comprehensive design scenarios. This book
!
historyldp
mpls label protocol
the neighbor-changes
Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSmpls ldp logging
basedLoopback0
mpls ldp router-id
!
l2 vfi l2vpn manual
vpn id 1
progressively
covering mpls
neighbor 10.0.0.1
encapsulation
!
interface Loopback0
ip address 10.0.0.3 255.255.255.255
!
interface POS3/1
ip address 10.0.3.1 255.255.255.252
mpls ip
!
no ip address
switchport
ByWei Luo,
- CCIE
switchport access
vlan
8 No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
No. 4460,
switchport mode
access
!
interface Vlan8 Publisher: Cisco Press
no ip address
xconnect vfi l2vpn
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Example 15-8 shows the configuration on PE4.
Master
Example 15-8.
PE4the
Configuration
productivity gains
hostname PE4
!
mpls ldp logging neighbor-changes
architecture
mpls ldp router-id network
Loopback0
!
l2 vfi l2vpn manual
vpn id 1
neighbor 10.0.0.1 Review
encapsulation
strategiesmpls
neighbor 10.0.0.2 their
encapsulation
mpls while maintaining routing control
service offerings
!
interface Loopback0
ip address 10.0.0.4
255.255.255.255
technologies.
!
interface POS3/1
ip address 10.0.4.1
255.255.255.252
backbone
mpls ip
!
infrastructure.
no ip address
switchport
switchport trunk
encapsulation
dot1q
Network
(VPN) concepts,
switchport trunk
allowedcase
vlan
10
introductory
studies
switchport mode
trunk
assists
!
interface Vlan10
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSno ip address based cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
xconnect vfi l2vpn
You can examine the VFI using the command show vfi (see Example 15-9).
Example 15-9. Verifying the VFI Status

PE1#show vfi l2vpn
VFI name: l2vpn, state: up
Local attachment circuits:
Vlan2
Neighbors connected via pseudowires:

10.0.0.2 10.0.0.3 10.0.0.4
Table 15-1 lists the

addresses
are
with each CE router. When a CE router
No. MAC
4460,Anthony
Chan, that
- CCIE
No.associated
10,266
also functions as an Ethernet switch, it bridges customer Ethernet traffic toward the attached
PE router. In that scenario, the PE router learns multiple source MAC addresses from the CE
router.
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Table 15-1. MAC Addresses from CE Routers
Router
CE1
CE2
CE3
CE4
MAC Address
productivity
gains
000b.5fb5.0080
000b.5fad.e580
000b.5fb1.5780
000b.5fb1.5480
ATOM and
L2TP all
protocols
After full connectivity isboth
established
among
CE routers, every PE router should learn all MAC
addresses from the CE routers. To verify the learning process on each PE router, use the
Review strategies
thatasallow
large
enterprise
commandshow mac-address-table
vlan,
shown
in Example
15-10.
Example 15-10.
Verifying the Learning Process on Each PE Router
customers, theyvlan
have2some drawbacks. Ideally, carriers with existing
PE1#show mac-address-table
legacy entry
Legend: * - primary
vlan
mac address
learn Layer 3 cores.ports
services overtype
their existing
------+---------------+-------+-----+----------------------technology that would allow Layer 2 transport over a Layer 3
*
2 000b.5fb5.0080
dynamic Yes
Fa4/2
infrastructure.
*
2 000b.5fad.e580 dynamic Yes
*
2 000b.5fb1.5780
dynamic
Yes introduces readers to Layer 2 Virtual Private
Layer 2 VPN
Architectures
*
2 000b.5fb1.5480
dynamic
Yes and describes Layer 2 VPN techniques via
Network (VPN)
concepts,
assists readers vlan
looking
PE2#show mac-address-table
4 to meet those requirements by explaining the
historyentry
Legend: * - primary
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSvlan
mac address
typeLayer
learn
ports
based cores and
------+----------------+-------+-----+----------------------IP cores. The structure of this book is focused on first introducing the
*
4 000b.5fb5.0080
dynamic
reader to Layer
2 VPN Yes
*
4 000b.5fad.e580
dynamic
Yesof Layer
Fa4/2
comparing them
to those
*
4 000b.5fb1.5780
dynamic
progressively
coveringYes
*
4 000b.5fb1.5480 dynamic Yes
PE3#show mac-address-table vlan 8
Legend: * - primary entry
vlan
mac address
type
learn
ports
------+----------------+-------+-----+----------------------*
*
8 000b.5fad.e580 dynamic Yes
*
Fa4/2
000b.5fb1.5480
dynamic
Yes
PE4#show mac-address-table vlan 10

Legend: * - primary entry
ByWei Luo, - CCIE
No. 13,291,
vlan
mac address
type
learn
ports
No.
4460,
Anthony
Chan,
CCIE
No.
10,266
------+----------------+-------+-----+-----------------------*
Publisher: Cisco
Press Yes
*
10 000b.5fad.e580
dynamic
*
10 000b.5fb1.5780
dynamic
Pub Date: March
10, 2005Yes
*
10 000b.5fb1.5480
dynamic
Fa4/2
ISBN: 1-58705-168-0 Yes
Table of
Contents
Index
Pages: 648
To display the status of the pseudowires that interconnect the virtual switches, use the
commandshow mpls l2transport vc on PE routers, as shown in Example 15-11.
productivity gains
Example 15-11. Displaying the Status of the Pseudowires

PE1#show mpls l2transport vc
Local intf
------------VFI l2vpn
VFI l2vpn
VFI l2vpn
costs and extend

the reach of your
services Status
by unifying your
LocalReduce
circuit
Dest address
VC ID
network
architecture
-------------------- --------------- ---------- ---------VFI
10.0.0.2
1
UP
to address Layer
utilizing
VFI Gain from the first book
10.0.0.3
1 2 VPN application
UP
both
ATOM
and
L2TP
protocols
VFI
10.0.0.4
1
UP
For a majority
of Service
Providers,
a significant
Case Study 15-2:
Per-VLAN
MAC
Address
Limiting
Although
LayerVPLS
3 MPLS
VPNs fulfill
the market
need
for some
Service providerstechnologies.
are concerned
that a rogue
customer
will take
too much
system
and
customers,
have
some drawbacks.
Ideally, carriers
existingsystem
network resources
and affectthey
normal
services
for other customers.
One ofwith
the limited
legacy
LayerVPLS
2 and
Layer 3 networks
like to
move toward
resources on which
different
customers
compete would
is the MAC
address
table. a single
services
over
existing
Layer
3 cores.
The solution
is a
Generally speaking,
the size
of their
the MAC
address
table
on a given
systeministhese
finite,cases
and the
technology
that
would
allow
Layer
2
transport
over
a
Layer
3
portion allocated for each bridge domain directly impacts the forwarding performance. The
larger the portioninfrastructure.
allocated is, the less likely a packet is subject to flooding. Flooding is always
an expensive operation in terms of processing power and the network bandwidth it takes; it
Layer 2 forwarding
VPN Architectures
penalizes overall packet
performance.
introductory
studies
and comprehensive
design basis,
scenarios.
Thismacbook
To limit the maximum
numbercase
of MAC
address
entries on a per-VLAN
use the
assists
readers
looking
to
meet
those
requirements
by
explaining
the
address-table limit command, as shown in Example 15-12. Cisco VPLS allows setting a limit
history which
and implementation
of the two
for each bridge domain,
is represented details
by an internal
VLAN.
IP cores.
The structure of this book
is focused
Example 15-12.
mac-address-table
limit
Command
each
currently
available
PE1(config)#mac-address-table
limit
vlan
2 maximum
1000
PE1(config)#
To display the MAC address limiting status for a VLAN, use the show mac-address-table
limit vlan command, as shown in Example 15-13.
Example 15-13. show mac-address-table limit vlan Command
PE1#show mac-address-table limit vlan 2

vlan
module
action
maximum Total entries
flooding
-------+--------+-----------+-------+--------------+-----------2
2 ByWei Luo,
warning
1000Carlos Pignataro,
0 - CCIE No. 4619,
enabled
- CCIE No. 13,291,
2
4 No. 4460,
warning
enabled
Anthony Chan, - 1000
CCIE No. 10,266 0
Case
Study 15-3: ISBN:
Quality
of Service
1-58705-168-0
Table of
Contents
Pages: 648
On Cisco
Index 7600 series routers, Layer 2 switchport interfaces use Policy Feature Card (PFC)based
QoS configuration, and the core-facing interfaces use Modular QoS CLI (MQC). The general
topics on PFC-based and MQC-based configuration alone warrant a book. This book does not
cover the details on these topics. Refer to Cisco.com for the PFC-based and MQC-based QoS
commands and examples.
This
QoS
study
shows
an example
that isservices
related and
to VPLS.
Master the
world
ofcase
Layer
2 VPNs
to provide
enhanced
enjoy
productivity gains
Per-VLAN traffic shaping in VPLS specifies the shaping rate of individual MPLS uplinks for a
given bridge domain, not the aggregated rate of all MPLS uplinks. For example, if a VLAN is
Learn
about
2 Virtual
Private
Networks
(VPNs) toward the MPLS
configured with a shaping
rate
of 10Layer
Mbps,
and there
are two
MPLS uplinks
core network, the shaper allows up to 20 Mbps of VPLS traffic forwarded into the core network.
InExample 15-14, PE1 network
matchesarchitecture
all traffic coming from CE1 and shapes the VPLS traffic on
each core-facing interface to 10 Mbps.
Example 15-14. VPLS

Per-VLAN Traffic Shaping
hostname PE1
!
are stillall-traffic
class-map match-all
technologies.
match any
customers,
they
!
legacy
Layer
2
and
policy-map vpls-policy
backbone
while
new
class all-traffic
services
over
their
existing
shape average 1000000 4000 4000 Layer 3 cores. The solution in these cases is a
!
interface Vlan2infrastructure.
no ip address
xconnect vfi l2vpn
service-policy output vpls-policy
the Cisco Unified
Any policy-map
Transport over
MPLS (ATOM)
for MPLSTo verify QoS configuration
status,VPN
use suite:
the show
interface
command,
as shown
inExample 15-15.based cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
Example 15-15.
Verifying QoS Status
PE1#show policy-map interface
Vlan2
Service-policy output: vpls-policy
Class-map: all-traffic (match-all)
Match: any
queue size 0, queue limit 0

packets output 6, packet drops 0
tail/random drops 0, no buffer drops 0, other drops 0
Layer 2 VPNcir
Architectures
shape (average)
1000000 bc 4000 be 4000
ByWei Luo,
- CCIE
target shape
rate
1000000
4460,Anthony Chan,(match-any)
- CCIE No. 10,266
Class-map: No.
class-default
0 packets, 0 bytes
5 minute offered
0 bps, drop rate 0 bps
Publisher:rate
Cisco Press
Match: any Pub Date: March 10, 2005
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Case Study 15-4: Layer 2 Protocol Tunneling

Layer 2 protocol tunneling allows Layer 2 PDUs, such as Cisco Discovery Protocol (CDP),
Master (STP),
the world
Layer
2 VPNs Protocol
to provide
enhanced
enjoyan
Spanning-Tree Protocol
andof
VLAN
Trunking
(VTP),
to be services
tunneledand
through
productivity
gains Layer 2 protocol tunneling, Layer 2 switchport interfaces
Ethernet-switched
network. Without
drop STP and VTP packets and process CDP packets.
Learn
about
Layer
2 Virtual
Private
(VPNs) the interfaces on
To allow CE1 and CE3 in
Figure
15-7
to view
each other
asNetworks
CDP neighbors,
PE1 and PE3 that connect to CE1 and CE3 respectively need to enable Layer 2 protocol
tunneling (see ExampleReduce
15-16).
Example 15-16. Enabling

Layer 2 Protocol Tunneling

PE1(config)#interface FastEthernet 4/2
PE1(config-if)#l2protocol-tunnel cdp
For a majority
of Service 4/2
FastEthernet
PE3(config-if)#l2protocol-tunnel
cdp and voice services based on legacy transport
To verify the effectiveness,
use the
command
show like
cdpto
neighbors
on the CE
devices,
as
backbone while
new
carriers would
sell the lucrative
Layer
2
demonstrated in Example
15-17.
services over
infrastructure.
Example 15-17. Verifying CDP Neighbors with the show cdp

neighborsCommand

CE1#show cdp neighbors
history
implementation
details
of theBtwo
technologies
Capability Codes:
R -and
Router,
T - Trans
Bridge,
- Source
Routeavailable
Bridge from
the Cisco
Unified VPN
Any
MPLS (ATOM)
MPLSS - Switch,
H -suite:
Host,
I Transport
- IGMP, rover
- Repeater,
P -forPhone
Device ID
Local The
Intrfce
Capability
IP cores.
structure ofHoldtme
this book is focused
on firstPlatform
introducingPort
the ID
CE3
Fas to
0/1
157 and implementation
R S I
WS-C3550-2Fas
reader
requirements
and0/1
CE3#show cdp neighbors
progressively
covering
currently
available
solution
in greater
detail.
Capability Codes:
R - Router,
T - each
Trans
Bridge,
B - Source
Route
Bridge
S - Switch, H - Host, I - IGMP, r - Repeater
Device ID
CE1
Local Intrfce
Fas 0/1
Holdtme
170
Capability
R S I
Platform Port ID
WS-C3550-2Fas 0/1
For STPs, a separate spanning tree is created at each customer site if Layer 2 protocol
tunneling is not enabled on PE routers. Using the network shown in Figure 15-7 as an example,
bridging devices at Site 1including CE1build a spanning tree solely for Site 1 without
considering convergence parameters of other customer sites. In this particular example, the
disjointed spanning tree domains do not lead to potential forwarding loops because of the use
of Layer 2 split horizon in the service provider network. However, if the customer sites have
2 VPN Architectures
backdoor links, it Layer
is imperative
that you have a single spanning-tree domain for the VPLS
Wei Luo, - CCIE
No. 13,291,
Pignataro,
customer to avoidByforwarding
loops
in theCarlos
customer
network.
Figure 15-8 shows a backdoor link that connects CE1 and CE2. A possible forwarding loop
exists between CE1 Publisher:
and CE2 Cisco
when
packets can be sent over the links that are connected to the
Press
service provider andPub
theDate:
backdoor
link. To identify the possible forwarding loop, examine the
March 10, 2005
spanning-tree status on both CE routers.
ISBN: 1-58705-168-0
Table of
Contents
Index
Pages: 648
Figure 15-8. VPLS with Backdoor Link

Master the world of Layer
VPNs
[View2full
size image]
productivity gains
On CE1, the interface FastEthernet0/1 connected to PE1 acts as a designated port for VLAN 2
For a majority
of Service
Providers,
a significant
portiontoofSite
their
revenues
and is in the forwarding
state. The
interface
FastEthernet0/3
connected
1 is
a root port
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
for VLAN 2 and is also in the forwarding state (see Example 15-18).
Example 15-18.
VLAN 2 Spanning-Tree Status on CE1 Before the
Forwarding Loop
Is over
Fixed
services
infrastructure.
CE1#show spanning-tree vlan 2

VLAN0002
(VPN)
concepts,
Spanning treeNetwork
enabled
protocol
ieee
introductory
case
studies
and
Root ID
Priority
32770
assists
readers
looking
to
meet
Address
000b.5fadfie580 those requirements by explaining the
Cost
19
the Cisco Unified
VPN suite: Any Transport over MPLS (ATOM) for MPLSPort
3 (FastEthernet0/3)
basedTime
cores and
Layer
2 Tunneling
Protocol
version
3 (L2TPv3)
Hello
2 sec
Max
Age 20 sec
Forward
Delay
15 sec for native
Bridge ID Priority
32770
(priority
32768
sys-id-ext requirements
2)
reader to Layer
2 VPN
benefits and
implementation
and
Address
000b.5fb5.0080
comparing them
Hello
Time
2 sec Max
Age
20 secavailable
Forwardsolution
Delay in
15greater
sec detail.
progressively
covering
each
currently
Aging Time 300
Interface
---------------Fa0/1
Fa0/3
Role
---Desg
Root
Sts
--FWD
FWD
Cost
--------19
19
Prio.Nbr
-------128.1
128.3
Type
-------------------------------P2p
P2p
CE2 is the root bridge for VLAN 2 because it has a lower bridge address than CE1 when both
have the same bridge priority. Both the interface FastEthernet0/1 that connects to PE2 and the
interface FastEthernet0/3 that connects to Site 2 have a role of designated port for VLAN 2,
and they are both in the forwarding state (see Example 15-19).
No. 4460,
Anthony2
Chan,
- CCIE No. 10,266
15-19.
VLAN
Spanning-Tree
Status on CE2 Before the
Example
Forwarding Loop Is Fixed

CE2#show spanning-tree
2
ISBN:vlan
1-58705-168-0
Table of
Pages: 648
VLAN0002
Contents
Spanning
tree
enabled
protocol ieee
Index
Root ID
Priority
32770
Address
000b.5fadfie580
This bridge is the root
Master
the world
of Layer
VPNs
provide
enhanced
Hello
Time
2 sec
Max 2
Age
20 to
sec
Forward
Delayservices
15 sec and enjoy
productivity gains
Bridge ID Priority
32770 (priority 32768 sys-id-ext 2)
Address
000b.5fadfie580
Hello Time
2 secLayer
Max 2Age
20 Private
sec Forward
Delay
15 sec
Learn about
Virtual
Networks
(VPNs)
Aging Time 300
Interface
Role
Sts Cost
network
architecturePrio.Nbr Type
---------------- ---- --- --------- -------- -------------------------------Fa0/1
Desg
19the first book
128.1
P2p Layer 2 VPN application utilizing
GainFWD
from
to address
Fa0/3
Desg
19 and L2TP128.3
bothFWD
ATOM
protocols P2p

Because the spanning-tree status on all four ports is in the forwarding state for VLAN 2, the
forwarding loop isFor
inevitable.
The
apparentlyaissignificant
caused byportion
the twoofports
a majority
ofproblem
Service Providers,
theirconnected
revenues
through the pseudowire
that
cannot
exchange
BPDUs.
To fix this problem,
PE routers
need
to configure
Layer 2 protocol
tunneling
forexisting
STP traffic (see
customers,
they
have
some drawbacks.
Ideally, carriers
with
Example 15-20). legacy Layer 2 and Layer 3 networks would like to move toward a single
Example 15-20.
Configuring
2 Protocol
Tunneling
for
technology
that wouldLayer
allow Layer
2 transport
over a Layer
3 STP
infrastructure.
Traffic
PE1(config)#intNetwork
FastEthernet4/2
PE1(config-if)#l2protocol-tunnel
stpand comprehensive design scenarios. This book
introductory case studies
PE2(config)#int FastEthernet4/2
PE2(config-if)#l2protocol-tunnel stp
reader to Layer
2 and
VPN PE2
benefits
and implementation
requirements
on PE1
is shown
in Example 15-21.
Notice that and
the VLAN
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as be
MPLS,
then from the
that is configured on the dot1q-tunnel interface is an internal VLAN. It can
different
VLAN that is usedprogressively
in customer traffic.
Example 15-21. PE1 and PE2 Interface Configuration

no ip address
no keepalive
switchport

l2protocol-tunnel stp
To display Layer 2 protocol tunneling status on PE routers, use the show l2protocol-tunnel
command, as in Example 15-22.

ISBN: 1-58705-168-0
Table of 15-22. Displaying the Layer 2 Protocol Tunneling Status

Example
Contents
Index
Pages: 648
PE1#show l2protocol-tunnel summary

COS for Encapsulated Packets: 5
Drop Threshold for Encapsulated Packets: 0
Port
Protocol
Shutdown
Drop
Status
productivity
gains
Threshold
Threshold
(cdp/stp/vtp)
(cdp/stp/vtp)
------- -----------Learn
---------------------------------------about Layer 2 Virtual
Private Networks
(VPNs)
Fa4/2
--- stp --- ----/----/-------/----/---up
After you enable LayerGain
2 protocol
tunneling
on to
PE1
and PE2,
the 2forwarding
loop no
longer
from the
first book
address
Layer
VPN application
utilizing
exists. On CE1, the interface
FastEthernet0/3
is now in the blocking state for VLAN 2, and
both ATOM
and L2TP protocols
packets in VLAN 2 are forwarded through the interface FastEthernet0/1 only (see Example 15Review strategies that allow large enterprise customers to enhance
23).
For a VLAN
majority
Service Providers, Status
a significant
of their
revenues
Example 15-23.
2ofSpanning-Tree
on portion
CE1 After
the
Forwarding Loop Is Fixed
legacy Layer
2 and
CE1#show spanning-tree
vlan
2 Layer 3 networks would like to move toward a single
VLAN0002
Spanning treetechnology
enabled that
protocol
would ieee
Root ID
Priority
32770
infrastructure.
Address
000b.5fad580
Cost
19
Port
1 (FastEthernet0/1)
Network (VPN)
Hello
Time case
2 sec
Max and
Age comprehensive
20 sec Forward
Delay
15 sec This book
introductory
studies
design
scenarios.
Bridge ID Priority
32770 (priority 32768 sys-id-ext 2)
Address
000b.5fb5.0080
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSHello Time
2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
reader
Layer
2 VPN benefits
and implementation
requirements and
Interface
Roleto Sts
Cost
Prio.Nbr
Type
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as MPLS, then
---------------- ---- --- --------- -------- -------------------------------progressively
covering
each
currently
available
solution
in greater detail.
Fa0/1
Root FWD 19
128.1
P2p
Fa0/3
Altn BLK 19
128.3
P2p
Case Study 15-5: Multihoming

With the basic VPLS deployment models, each CE router has a single connection with a PE
router. If the PE router fails or is taken out of service for maintenance, the CE router loses
connectivity to the rest of the VPLS service. Likewise, in a hierarchical model, a U-PE router has
only a single connection with an N-PE router, which makes the N-PE router a single point of
failure.
Layermore
2 VPN than
Architectures
By multihoming with
one PE or N-PE router, a CE or U-PE router can achieve fault
tolerance throughBythe
connections.
redundant
Ethernet
connections
exist,
Wei redundant
Luo, - CCIE No.
13,291,Carlos Whenever
Pignataro, - CCIE
No. 4619,Dmitry
Bokotey,
- CCIE
bridging loops form
a Anthony
result.Chan,
Layer
2 split
No. as
4460,
- CCIE
No. horizon
10,266 is not designed to deal with redundant
connections; therefore, STPs need to be enabled to create loop-free forwarding paths.
As described in the "VPLS Redundancy" section, each metro area or island consists of a group
of U-PE and N-PE routers that are connected through a LAN. Figure 15-9 shows a network with
ISBN: 1-58705-168-0
threeTable
separate
islands. The
goal is to run STPs within each island for redundancy while
of
Pages:
648from spreading across the WAN. In a Metro Ethernet
preventing
Contentsthe spanning trees
environment,
devices from different network vendors are often deployed and required to work
Index
together, which means the network needs to run standard network protocols. For STPs, IEEE
802.1S Multiple Spanning Tree Protocol (MSTP) fits the purpose.
productivity gains
Figure 15-9. VPLS Redundancy Using Multihoming

Both U-PE1 and U-PE2
peered
with
N-PE1
and N-PE2.
To like
reduce
the amount
legacyare
Layer
2 and
Layer
3 networks
would
to move
towardof
a complexity
single
and processing power
required,
and N-PE2
do like
not to
runsell
STPs
but simply
relay
backbone
whileN-PE1
new carriers
would
thethemselves
lucrative Layer
2
BPDUs from one link
to another.
To prevent
leaking
to the WAN,
youcases
need is
toa
services
over their
existing BPDUs
Layer 3from
cores.
The solution
in these
separate customer
traffic from
thewould
BPDUs
thatLayer
originated
in each
island.
In this
technology
that
allow
2 transport
over
a Layer
3 case study, you
accomplish this by
marking these two types of traffic with different service provider VLAN tags.
infrastructure.
After the two types of traffic are separated into different VLANs, you can configure N-PE
routers in such a Layer
way that
only
VLAN traffic introduces
that is marked
as customer
traffic
can
be
2 VPN
Architectures
readers
to Layer 2
Virtual
Private
forwarded to other
islands.(VPN)
VLANconcepts,
traffic that
is marked
asLayer
BPDU2isVPN
onlytechniques
forwardedvia
to other NNetwork
and
describes
PE routers of the introductory
same island. case studies and comprehensive design scenarios. This book
In Island A, two separate
forwarding
loops exist:
history and
implementation
From U-PE1 to N-PE1, N-PE2, and back to U-PE1
From U-PE2 to N-PE1, N-PE2, and back to U-PE2.
progressively
covering
each connections,
currently available
solution
in greater
detail.
Because U-PE1 and
U-PE2 do not
have direct
they can
construct
separate
spanning trees.
On U-PE1, MST traffic is carried in the native VLAN for which the tag value is 200. VLAN 2
carries customer traffic for a particular VPLS customer. The configuration on U-PE1 is shown in
Example 15-24.
Example 15-24. U-PE1 Configuration
hostname U-PE1
spanning-tree mode mst
!
spanning-tree mst configuration
name MST-1
revision 1
instance 1 vlan 2
!
vlan dot1q tag native
!
ISBN: 1-58705-168-0
Table of
interface
FastEthernet0/1
Pages:
648
Contents
switchport
trunk encapsulation dot1q
Index
switchport
trunk native vlan 200
switchport trunk allowed vlan 2,200
no ip address
!
productivity gains
switchport trunk native
vlan Layer
200 2 Virtual Private Networks (VPNs)
Learn about
no ip address
On U-PE2, MST traffic is carried in the native VLAN for which the tag value is 400. VLAN 2
carries the customer traffic.
The
configuration
on U-PE2
shown in customers
Example 15-25.
Review
strategies
that allow
large is
enterprise
to enhance
For a U-PE2
majorityConfiguration
Example 15-25.
hostname U-PE2 customers, they have some drawbacks. Ideally, carriers with existing
legacymst
spanning-tree mode
!
services
spanning-tree mst
configuration
name MST-2
infrastructure.
revision 1
instance 1 vlan 2
!
vlan dot1q tag Network
native (VPN) concepts, and describes Layer 2 VPN techniques via
introductory
!
history
and implementation
switchport trunk
encapsulation
dot1q details of the two technologies available from
the Cisco
Unified
switchport trunk
native
vlanVPN
400suite: Any Transport over MPLS (ATOM) for MPLSbased
cores and
Layer
switchport trunk
allowed
vlan
2,400
IP cores.
switchport mode
trunk The structure of this book is focused on first introducing the
no ip address reader to Layer 2 VPN benefits and implementation requirements and
!
switchport trunk native vlan 400
no ip address
STPs are disabled on N-PE1 and N-PE2. To relay BPDUs for each MST instance transparently, in
addition to configuring Layer 2 protocol tunneling N-PE1 and N-PE2, you must configure a
dedicated VFI for each MST instance, where the neighbors are N-PE routers in the same island.
The configuration on N-PE1 is shown in Example 15-26.
ByWei N-PE1
Luo, - CCIEConfiguration
No. 13,291,Carlos Pignataro, Example 15-26.
hostname N-PE1
!
ISBN: 1-58705-168-0
Table
mpls
Pages:
648
Contents
!
Indexl2vpn manual
l2 vfi
vpn id 1
Master
the world of Layer
neighbor 10.0.0.4
encapsulation
mpls
productivity
gains
!
l2 vfi mst-1 manual
vpn id 1001
!
l2 vfi mst-2 manualnetwork architecture
vpn id 2001
neighbor 10.0.0.2 Gain
encapsulation
mpls
from the first
!
no spanning-tree vlan 2,200,400
!
vlan dot1q tag native
!
interface Loopback0
are still derived
ip address 10.0.0.1
255.255.255.255
!
interface POS3/1
legacy Layer
ip address 10.0.1.1
255.255.255.252
backbone
while
mpls ip
!
no ip address infrastructure.
no keepalive
switchport
Network
(VPN) concepts,
switchport trunk
encapsulation
dot1q
introductory
case
studies
and
assists
readers
looking
to
meet
history
switchport mode
trunk
the Cisco
l2protocol-tunnel
stp Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
!
switchport
progressively
covering
switchport trunk
encapsulation
dot1q
no cdp enable
!
interface Vlan2
no ip address
xconnect vfi l2vpn
!
interface Vlan200
no ip address
xconnect vfi mst-1
!
interface Vlan400
no ip address
xconnect vfi mst-2
ISBN: 1-58705-168-0
Table of
Pages:
648
The configuration
on N-PE2 is
Contents
Index
Example 15-27. N-PE2 Configuration

hostname N-PE2 productivity gains
!
mpls ldp router-id Learn
Loopback0
!
l2 vfi l2vpn manualReduce costs and extend the reach of your services by unifying your
vpn id 1
!
l2 vfi mst-1 manualtheir service offerings while maintaining routing control
vpn id 1001
neighbor 10.0.0.1
mpls
For a encapsulation
majority of Service
!
l2 vfi mst-2 manual
vpn id 2001 customers, they have some drawbacks. Ideally, carriers with existing
neighbor 10.0.0.1
mpls
legacyencapsulation
Layer 2 and Layer
!
no spanning-tree
vlan over
2,200,400
services
!
vlan dot1q tag infrastructure.
native
!
interface Loopback0
ip address 10.0.0.2
Network255.255.255.255
!
interface POS3/1
ip address 10.0.2.1
255.255.255.252
history and
mpls ip
switchport
switchport trunk
encapsulation
dot1q
progressively
covering
!
no ip address
switchport

!
interface Vlan2ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
xconnect vfi l2vpn
!
interface Vlan200Pub Date: March 10, 2005
no ip address
ISBN: 1-58705-168-0
Table of vfi mst-1
xconnect
Pages:
648
Contents
!
Index
interface
Vlan400
no ip address
xconnect vfi mst-2
productivity gains
To verify that MSTP removes the forwarding loops, use the show spanning-tree mst
command on U-PE1 and U-PE2 (see Example 15-28). Notice that each router is the root bridge
Learn
Layer
2 Virtual Private
Networks
(VPNs) port and is in a
for its own MST instance,
theabout
interface
FastEthernet0/1
acts
as a designated
forwarding state, and the interface FastEthernet0/2 acts as a backup port and is in a blocking
state.
Example 15-28. MST

Instance
Status
on U-PE Routers
both ATOM
and L2TP
protocols

U-PE1#show spanning-tree
mst 1offerings while maintaining routing control
their service
###### MST01
vlans mapped: 2
For a majority
of Service priority
Providers, 32769
a significant
portion
of 1)
their revenues
Bridge
address
000b.5fb5.0080
(32768
sysid
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
Root
this switch for MST01
customers,
they
have some
drawbacks.
Interface
Role Sts
Cost
Prio.Nbr
Type
legacy
Layer
and Layer 3-------networks -------------------------------would like to move toward a single
--------------------- 2--------backbone
while
new carriers
would like
Fa0/1
Desg FWD
200000
128.1
P2pto sell the lucrative Layer 2
services
existing128.2
Layer 3 cores.
Fa0/2
Back over
BLK their
200000
P2p The solution in these cases is a
infrastructure.
U-PE2#show spanning-tree
mst 1
VPN Architectures
###### MST01 Layer 2vlans
mapped:
2introduces readers to Layer 2 Virtual Private
Network
(VPN) concepts,
and describes
2 VPN
techniques
via
Bridge
address
000b.5fad580
priority
32769 Layer
(32768
sysid
1)
introductory
caseMST01
Root
this
switch for
Interface
Roleand
Sts
Cost
Prio.Nbr
history
implementation
details ofType
------------------------------------------------------------------the Cisco Unified VPN suite: Any Transport
over MPLS (ATOM) for MPLSFa0/1
Desg
FWDand
200000
128.1
P2p
based
cores
Layer 2 Tunneling
Protocol
Fa0/2
Back BLK
200000 of this
128.2
IP cores.
The structure
book isP2p

Summary By
Extending LAN services

across
multiple
Publisher:
Cisco
Press metropolitan areas is one of the critical requirements
for large Metro Ethernet
deployment.
Service providers want to leverage their existing Layer 3
Pub Date:
March 10, 2005
WAN infrastructure to bridge the distance gap of LAN services.
ISBN: 1-58705-168-0
Table of
Pages:
648 architecture designed to fulfill such a requirement with
VPLSContents
is a multipoint Layer 2 VPN
Index
considerations
to scalability and performance. Comparing point-to-point Layer 2 VPN
architectures, VPLS is relatively more complex in both implementation and deployment.

This chapter started with an overview of VPLS architecture that defined the service
Master the
of and
Layer
2 VPNs to provide
enhanced
and enjoy
requirements, explained
the world
concept
components
of a virtual
switch,services
and identified
the
gainsplane and data plane.
characteristics of productivity
the VPLS control
When it comes to topologic models, VPLS is quite flexible depending on the size and complexity
Learn
Virtualinclude
Privatefull-mesh
Networksand
(VPNs)
of individual deployment.
Theabout
basicLayer
VPLS 2
models
hub-and-spoke, and the
more advanced hierarchical VPLS is a hybrid of both basic models. Hierarchical VPLS can have
Reduceorcosts
extend the
reach of your
services
bypriority
unifying
either MPLS access networks
QinQand
networks.
Redundancy
is always
a top
foryour
service
network
architecture
providers. You can accomplish VPLS redundancy by using multihoming and STPs. In a Metro
Ethernet deployment, you should limit the scope of spanning trees within individual islands for
bandwidth efficiency and network stability in the backbone.
This chapter showed basic VPLS configuration step-by-step and gave a VPLS example that used
different switchport modes on the interfaces connecting to customer networks. The case
studies highlighted the scenarios commonly seen in VPLS deployment, such as per-VLAN MAC
address limiting, QoS, Layer 2 protocol tunnel, backdoor links, and multihoming.
infrastructure.


Appendix 1. L2TPv3 AVP Attribute Types

Publisher:
Cisco Press between the Attribute-Value Pair (AVP) attribute types
This appendix presents
a comparison
Pub
Date:
March
2005
that Cisco routers use prior to the10,
Internet
Assigned Numbers Authority (IANA) assignment of
ISBN:
1-58705-168-0
the values
and
the
IANA
assigned
values.
The
message types in which those AVPs are present
Table of
arealso
included
(see
Table
A-1).
Pages:
648
Contents
Index
Table A-1.
L2TPv3
AVP
Attribute
Types
MasterComparing
the world of Layer
2 VPNs
to provide
enhanced
services and enjoy
productivity gains
Cisco
IETF[1]
AVP
AVP
Messages
Extended Vendor ID AVP
N/A
58
All messages
Message Digest
12
59
All messages
AVP Name
Router ID
N/A first book

60 to address
SCCRQ
[2], SCCRP
Gain from the
Layer
2 VPN[3]
both
ATOM
and
L2TP
protocols
Assigned Control Connection
1
61
SCCRQ, SCCRP, StopCCN[4]
ID

their
routing control
Pseudowire Capabilities
Listservice
2 offerings
62while maintaining
SCCRQ, SCCRP
Local Session IDFor a majority of3 Service 63
[5], ICRPportion
[6], ICCN
, revenues
Providers,ICRQ
a significant
of[7]
their
CDN
[8]
,
WEN
[9]
,
SLI
[10]
Remote Session ID
4
64
ICRQ, ICRP, ICCN, CDN, WEN,
SLI
new carriers
like toICRP
Assigned Cookie backbone while 5
65 wouldICRQ,
Remote End ID technology that 6would allow
66 Layer 2
ICRQ
infrastructure.
Application Code [Unused]
N/A
67
Not defined

Pseudowire TypeLayer 2 VPN Architectures
7
68introduces
ICRQ
Layer 2-Specific introductory
Sublayer
Uses
ICRQ, ICRP,
ICCNscenarios. This book
case
studies 69
and comprehensive
design
IETF
of the ICRP,
two technologies
available from
Data Sequencinghistory and implementation
N/A
70 details ICRQ,
ICCN
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSCircuit Status based cores and8Layer 2 Tunneling
71
ICRQ,
ICRP,
ICCN,
SLI
Protocol
version
3 (L2TPv3)
for native
Preferred Language
N/A
72
SCCRQ, SCCRP
to those73
of Layer 3
based VPNs,
Control Messagecomparing them13
SCCRQ,
SCCRPsuch as MPLS, then
progressively
covering
each
currently
available
Authentication Nonce
Tx Connect Speed
N/A
74
ICRQ, ICRP, ICCN
Rx Connect Speed
N/A
75
ICRQ, ICRP, ICCN
Session Tie Breaker
N/A
ICRQ
ATM Maximum Concatenated

Cells
11
N/A
ICRQ, ICRP, SLI
OAM Emulation Required
108
N/A
ICRQ, ICRP, SLI
ATM Alarm Status
109
N/A
SLI

IETF = Internet
Task No.
Force
ByEngineering
Wei Luo, - CCIE
[2] SCCRQ = Start-Control-Connection-Request
[1]

SCCRP = Start-Control-Connection-Reply
[4] StopCCN = Stop-Control-Connection-Notification
ISBN: 1-58705-168-0
Table of
Pages:
648
[5] ICRQ = Incoming-Call-Request
Contents
[3]
Index
[6] ICRP = Incoming-Call-Reply
[7]
ICCN = Incoming-Call Connected
[8]
CDN = Circuit-Disconnect-Notify
[9]
WEN = WAN-Error-Notify
productivity gains
[10]
SLI = Set-Link-Info Learn about Layer 2 Virtual Private Networks (VPNs)
Reduce
and extend
thenumbers
reach ofmanaged
your services
byIANA
unifying
You can find a complete
list of costs
L2TP registries
and
by the
at your
http://www.iana.org/assignments/l2tp-parameters.
infrastructure.
Index
[SYMBOL] [A] [B] [C] [D] [E]Pub

[F] [G]
[H] March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.
Index

[F] [G]
[H]March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
Table of
802.1p
tagging 2nd
Contents
802.1q tagging 2nd
Index
802.1q tunneling
asymmetrical links
restrictions
tagging process
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.
Index

[F] [G]
[H]March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
ISBN: 1-58705-168-0
Table of
AAL(ATM Adaptation Layer) Pages: 648
Contents
AAL5
Index
CPCS-SDU mode
packet cell relay mode
single cell relay mode
AAL5_SDUoL2TPv3
configuring 2nd
productivity gains
control plane
data plane
verifying configuration 2nd Learn about Layer 2 Virtual Private Networks (VPNs)
AAL5oMPLS, case study configuration
ABM (Asynchronous BalancedReduce
Mode) costs and extend the reach of your services by unifying your
ABR (available bit rate)
access mode, VPLS configuration
Gain
ACFC (Address and Control Field
Compression)
Address field
Frame Relay frames
HDLC frames
PPP frames
adjusted MTU
For
a majority
advertisement messages
(LDP)
2nd
are
still
derived
advertising VCCV
technologies.
Although
any-to-any local switching
ATM attachment circuits
Ethernet-to-VLAN legacy Layer 2 and Layer 3 networks would like to move toward a single
backbone
ARM (Asynchronous Response
Mode)
services
over
associating VPLS attachment circuits to VFI
technology
that
asymmetrical links
infrastructure.
ATM (Asynchronous Transfer Mode)
AAL5 CPCS-SDU mode
AAL5oMPLS, case study configuration
ATMoMPLS
AAL5 transport
cell transport
cell format
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLScell packing
Cell Relay operational modes, configuring
CRoMPLS, case study configuration
encapsulation
ILMI
interaction with pseudowire protocols
legacy Layer 2 VPNs
OAM
OAM emulation
packet cell relay mode
traffic management
traffic policing
traffic shaping
ATM Forum Traffic Management 4.0 standard
ATM layer (ATM)

ATM transport over L2TPv3
ATM-to-ATM local switching
ATMoMPLS, cell packing
configuring
verifying configuration
AToM (Any Transport over Publisher:
MPLS) 2ndCisco Press
control word negotiation Pub Date: March 10, 2005
encapsulation
ISBN: 1-58705-168-0
Table of
ATM
Pages:
648
Contents
Ethernet
Frame
Index Relay
HDLC
PPP
hardware support, verifying
label stacking
productivity gains
LDP
LDP peers
packets
pseudowire label binding
pseudowires
establishing
QoS
intermediate markings Gain from the first book to address Layer 2 VPN application utilizing
queuing
traffic marking
traffic policing
selection criteria
advanced network services
For a majority
existing network installation
base
interoperability are still derived from data and voice services based on legacy transport
network operationtechnologies.
complexity
sequence numbers customers, they have some drawbacks. Ideally, carriers with existing
supported Layer 2 protocols
attachment circuits
associating to VFI services over their existing Layer 3 cores. The solution in these cases is a
ATM and local switching
infrastructure.
Layer 2 local switching
ATM-to-ATM
Network
Frame Relay-to-Frame
Relay (VPN) concepts, and describes Layer 2 VPN techniques via
introductory
like-to-like
assists
readers
VPLS configuration
auto-discovery mechanism
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSAVPs (Attribute-Value Pairs)
Index

[F] [G]
[H]March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
ISBN: 1-58705-168-0
Table of
basic LDP discovery
Pages:
648
Contents
BGP IPv4 label distribution with IGP redistribution
Index
BGP-based VPLS
BPDU Guard
BPDUs
bridged IW
ATM AAL5-to-VLAN using AToM, case study
productivity gains
case study
environment considerations
MTU
using AToM, case study
using L2TPv3, case study Reduce costs and extend the reach of your services by unifying your
byte stuffing
infrastructure.
Index

[F] [G]
[H] March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
ISBN: 1-58705-168-0
Table of
calculating
Pages:
648
Contents
EoMPLS MTU size requirements
Index
required LDP sessions for VPLS deployment
case studies
AAL5_SDUoL2TPv3
configuring
control plane
productivity gains
data plane
ATM_CoL2TPv3
configuring
verifying configuration Reduce costs and extend the reach of your services by unifying your
EoMPLS transport
port-based 2nd
Gain from
port-based, switch configuration
2nd the first book to address Layer 2 VPN application utilizing
both
pseudowire class template
configuration
VLAN rewrite 2nd
VLAN-based
VLAN-based, switch configuration
Equal-Cost Multipath
configuring
data plane
HDLC over L2TPv3 legacy Layer 2 and Layer 3 networks would like to move toward a single
configuring 2nd backbone while new carriers would like to sell the lucrative Layer 2
data plane detailsservices over their existing Layer 3 cores. The solution in these cases is a
infrastructure.
IW
bridged
bridged using AToM 2nd
bridged using L2TPv3
routed
point-to-point L2TPv3 transport
Ethernet port-to-port dynamic session
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSEthernet port-to-port manual session
Ethernet port-to-port manual session with keepalive
Ethernet VLAN-to-VLAN dynamic session
IP topology
PPP over L2TPv3
configuring
control plane negotiation
data plane
Unequal-Cost Multipath
WANs over L2TPv3
ATM transport
configuring
control plane
data plane
Frame Relay transport

HDLC pseudowire transport
L2-Specific Sublayer
MTU considerations
PPP transport ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
WANs over MPLS, configuring
AAL5oMPLS
CRoMPLS
FRoMPLS
HDLCoMPLS
ISBN: 1-58705-168-0
Table of
PPPoMPLS
Pages:
648
Contentsbit rate)
CBR (constant
Index
CBR.1
traffic policing
CE routers
vlan-based EoMPLS transport, configuring
cell format (ATM)
cell packing
productivity gains
configuring
Cell Relay modes (ATM), configuring
character stuffing
Cisco 12000 series routers, VLAN
rewrite,costs
configuring
Reduce
port VLAN ID inconsistencynetwork
issue
architecture
Cisco HDLC versus standard HDLC
Cisco LMI
Cisco Unified VPN suite
local switching
ATM attachment circuits Review strategies that allow large enterprise customers to enhance
ATM-to-ATM
Ethernet-to-VLANFor a majority of Service Providers, a significant portion of their revenues
are still
Relayderived from data and voice services based on legacy transport
CLP field (ATM cells) technologies. Although Layer 3 MPLS VPNs fulfill the market need for some
combining PMTUD andcustomers,
DF bit
commands
connect
debug acircuit eventservices over their existing Layer 3 cores. The solution in these cases is a
technology
debug mpls 12transport
signaling message
infrastructure.
debug mpls l2transport
packet data
debug mpls l2transport signaling message
interworking
l2tp-class
pseudowire-class introductory case studies and comprehensive design scenarios. This book
remote circuit id
show arp
show connection the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
show ip traffic
IP vc
cores.
show mpls 12transport
2nd 3rd
reader2nd
show mpls forwarding-table
show mpls ldp discovery
show mpls ldp neighbor
show processes cpu
show sss circuits
xconnect
comparing EoMPLS modes
configuring
AAL5_SDUoL2TPv3
control plane
data plane
ATM, Cell Relay modes

ATM_CoL2TPv3
ATMoMPLS, cell packing
ByWei
Luo,
AToM pseudowire over
GRE
tunnel
cell packing
EoMPLS transport, case studies 2nd
Ethernet port-to-port dynamic
session
Publisher:
Cisco Press
data plane details
ISBN: 1-58705-168-0
Tableport-to-port
of
Ethernet
manual session
Pages:
648
Contents
data
plane details
verifying
Index configuration
data plane details
Master
thesession
dynamic
productivity
gains
control plane details
frame encapsulation
data plane
verifying configuration network architecture
HDLCoL2TPv3
data plane details
verifying configuration both ATOM and L2TP protocols
L2TPv3
l2tp-class command
pseudowire-class command
xconnect command
For
a majority
LDP authentication for
pseudowire
signaling
OAM emulation
PPPoL2TPv3
data plane 2nd legacy Layer 2 and Layer 3 networks would like to move toward a single
preferred path
with IP routing technology that would allow Layer 2 transport over a Layer 3
with MPLS Trafficinfrastructure.
Engineering tunnels
pseudowires
QoS
input service policies
queuing
traffic marking assists readers looking to meet those requirements by explaining the
traffic policing
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSVPLS
access mode
attachment circuits
dot1Q-tunnel mode
example configuration
Layer 2 protocol tunneling
multihoming
per-VLAN MAC address limiting
QoS
trunk mode
VFI
WAN protocols MPLS
AAL5oMPLS
CRoMPLS
FRoMPLS
HDLCoMPLS
PPPoMPLS
WAN protocols over L2TPv3
WANs over MPLS pseudowires
control plane
control word negotiation
data plane encapsulation
MTU requirements Publisher: Cisco Press
pseudowire types
connect command
ISBN: 1-58705-168-0
Table of
conservative
label retention mode
Pages:
648
controlContents
connection mechanism (L2TPV3)
Index
control
channel signaling
Control Message Authentication
control message to encapsulation
Control field (Frame Relay frames)
Control field (HDLC frames)
productivity gains
Control field (PPP frames)
Control Message Authentication (L2TPv3)
control messages, L2TPv3
control packets, L2TPv3
control plane
configuring WAN protocols network
over MPLS architecture
pseudowires
L2TPv3
PE device system architecture
AToM
configuring WAN protocols Review
over MPLS
pseudowiresthat allow large enterprise customers to enhance
strategies
criteria
for AToM selection
advanced networkFor
services
are still base
interoperability technologies. Although Layer 3 MPLS VPNs fulfill the market need for some
network operationcustomers,
complexity
for L2TPv3 selectionlegacy Layer 2 and Layer 3 networks would like to move toward a single
advanced networkbackbone
services
servicesbase
interoperability technology that would allow Layer 2 transport over a Layer 3
network operationinfrastructure.
complexity
CRoL2TPv3
Layer 2
VPN
CRoMPLS (cell relay transport
over
MPLS)
Network
(VPN)
case study configuration
introductory
case
CS (convergence sublayer) PDUs
assists
readers
looking
CS-PDU
CSMA-CD
Index

[F] [G]
[H] March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
ISBN: 1-58705-168-0
Table of
dataencapsulation, L2TPv3 Pages: 648
Contents
Demultiplexing Sublayer field
Index
Encapsulation Sublayer field
packet-switched network layer
data plane
connectivity, verifying
encapsulation, configuring WAN protocols over MPLS pseudowires
productivity gains
debug acircuit event command
debug mpls l2transport packetLearn
data command
debug mpls l2transport signaling message command 2nd
debugging EoMPLS on PE routers
2nd costs and extend the reach of your services by unifying your
Reduce
decoding LDP label mapping messages
network2nd
architecture
Demultiplexing Sublayer field (L2TPv3)
DF bit, combining with PMTUDGain from the first book to address Layer 2 VPN application utilizing
DiffServ
discovery mechanisms (LDP)
discovery messages (LDP) Review strategies that allow large enterprise customers to enhance
displaying VPLS pseudowire status
DLCIs
DLSw, legacy Layer 2 VPNs
areconfiguration
dot1Q-tunnel mode, VPLS
technologies.
Although
downstream on demand label advertisement
mode
draft-kompella
draft-martini
DTE (data terminal equipment)
DTP (Dynamic Trunkingservices
Protocol) over their existing Layer 3 cores. The solution in these cases is a
technology
dual leaky bucket model
infrastructure.
dynamic protocol signaling

Index

[F] [G]
[H] March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
ISBN: 1-58705-168-0
Table of
ECMP
(Equal-Cost Multipath) Pages: 648
Contents
encapsulation
Index
ATM
AAL
cell format
AToM
for ATM transport
productivity gains
for Ethernet transport
for Frame Relay transport
for HDLC transport
for PPP transport
for Ethernet-to-VLAN local switching
IW extend the reach of your services by unifying your
ReduceEthernet
costs and
for Frame Relay-to VLAN IPnetwork
IW using AToM
architecture
for Frame Relay-to-PPP-IW using L2TPv3
Gain
for VLAN-to-bridged IW using
L2TPv3
IW
UTI, fields
Review
encapsulation layer (pseudowire
emulation)
Encapsulation Sublayer field (L2TPv3)
enhanced Layer 2 VPNs
AToM
EoMPLS (Ethernet overare
MPLS)
technologies.
debugging on PE routers
label disposition
label imposition
label stack
MTU size requirements
calculating
infrastructure.
packets
fields
format
supported VC types
transport, case studies
port-based
port-based, switch configuration
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSpreconfiguration requirements
pseudowire class template configuration
VLAN rewrite 2nd
VLAN-based
VLAN-based, switch configuration
troubleshooting
on routers
on switches
Equal-Cost Cost Multipath 2nd
establishing AToM pseudowires
Ethernet
CSMA-CD
frames
Metro Ethernet
port-to-port dynamic session
configuring
data plane details
port-to-port manual session
configuring 2nd ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
data plane detailsNo.
2nd4460,Anthony Chan, - CCIE No. 10,266
verifying configuration 2nd
VLAN-to-VLAN dynamicPublisher:
session Cisco Press
configuring
control plane details
ISBN: 1-58705-168-0
Tableencapsulation
of
frame
Pages:
648
Contents
verifying
configuration
Index
Ethernet
II frames
Ethernet IW
ATM AAL5-to-VLAN using AToM, case study
case study
environment considerations
productivity gains
MTU
using AToM, case study
using L2TPv3, case study
Ethernet-to-Ethernet local switching 2nd
Ethernet-to-VLAN local switching
EVCS (Ethernet Virtual Connection
Service)
network
architecture
evolution of L2TPv3
example VPLS configuration Gain from the first book to address Layer 2 VPN application utilizing
extended LDP discovery

infrastructure.
Index

[F] [G]
[H] March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
ISBN: 1-58705-168-0
Table of
F-bit(forward unknown TLV bit)
Pages:
648
Contents
Fast Reroute
Index
FCS field
Frame Relay frames
HDLC frames
PPP frames
FEC (Forwarding Equivalence Class)
productivity gains
fields
of LDP messages
of UTI encapsulation
Flag field
Frame Relay frames
HDLC frames
PPP frames
flooding, VPLS
forwarding, VPLS
fragmentation
adjusted MTU
avoiding in L2TPv3 networks
PMTUD
post-fragmentation For a majority of Service Providers, a significant portion of their revenues
prefragmentation are still derived from data and voice services based on legacy transport
frame format
HDLC
PPP
Frame Relay
encapsulation
frame format
infrastructure.
FRoMPLS
legacy Layer 2 VPNs
LMI
message format
status enquiry messages
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSstatus messages
update status messages
over L2TPv3
configuring
data plane
traffic management
traffic policing
traffic shaping
Frame Relay-to-Frame Relay local switching
frames, Ethernet
FRoMPLS, case study configuration
full-mesh VPLS topological model

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.
Index

[F] [G]
[H] March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
ISBN: 1-58705-168-0
Table of
Gang
of Four
Pages:
648
Contents
LMI implementation versus Annex A/D
Index
Generic Label TLV encoding
GFC (Generic Flow Control) field (ATM cells)
goals of RFC 1547
productivity gains
infrastructure.
Index

[F] [G]
[H] March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
ISBN: 1-58705-168-0
Table of
hardware
support for AToM, verifying
Pages:
648
Contents
HDLC
Index
Cisco implementation
frame format
modes of operation
over L2TPv3
configuring
productivity gains
data plane details
pseudowire transport
HDLCoMPLS
case study configuration Reduce costs and extend the reach of your services by unifying your
HDLCPW configuration
HEC field (ATM cells)
hidden VLANs
hierarchical VPLS
with MPLS access network
with QnQ access network Review strategies that allow large enterprise customers to enhance
hop popping
hub-and-spoke VPLS topological model

infrastructure.
Index

[F] [G]
[H] March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
ISBN: 1-58705-168-0
Table of
IEEE 802.3 SNAP frame format
Pages:
648
Contents
IETF working groups, IETF standardization
Index
draft-kompella
draft-martini
"Illegal C-bit" status code
ILMI (Interim Local Management Interface)
implementing PMTUD
productivity gains
Information field
Frame Relay frames
HDLC frames
PPP frames
input service policies, configuring
inter-AS pseudowire emulationnetwork
with IGP redistribution
architecture
intermediate markings, AToM
internal VLAN tags
interworking command
IP accounting
Review
strategies
IP topology for point-to-point L2TPv3
transport
case studies
IPLS (IP-only LAN Service) their service offerings while maintaining routing control
ISO 3309 standard, HDLC frame format
IW (interworking)
bridged
case study
case studies
connect command legacy Layer 2 and Layer 3 networks would like to move toward a single
encapsulation
services
over their
existing
for Ethernet-to-VLAN
local switching
Ethernet
IW
technology
that
would
allow
for Frame Relay-to VLAN IP IW using AToM
infrastructure.
for Frame Relay-to-PPP-IW using L2TPv3
for VLAN-to-bridged IW using L2TPv3
MTU
routed
case study
Frame Relay-to-ATM, case study
Frame Relay-to-PPP using L2TPv3, case study
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSFrame Relay-to-VLAN using AToM, case study
MTU considerations

Index

[F] [G]
[H] March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
Table of
jumbo
frames
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.
Index

[F] [G]
[H] March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
ISBN: 1-58705-168-0
Table of
L2-Specific
Sublayer
Pages:
648
Contents
l2tp-class command, syntax
Index
L2TPv3 2nd
AAL5_SDUoL2TPv3
configuring
control plane
data plane
productivity gains
ATM transport
CRoL2TPv3
OAM emulation
ATM_CoL2TPv3
configuring
AVPs
configuring
l2tp-class command
pseudowire-class command
xconnect command
connectivity model
control connection For a majority of Service Providers, a significant portion of their revenues
control channel signaling
Control Message technologies.
Authentication
customers,
control message to
encapsulationthey have some drawbacks. Ideally, carriers with existing
control messages legacy Layer 2 and Layer 3 networks would like to move toward a single
control packets
control plane
data encapsulation technology that would allow Layer 2 transport over a Layer 3
infrastructure.
field
Encapsulation Sublayer field
packet-switched network layer
evolution of
fragmentation, avoiding
configuring
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSdata plane 2nd
HDLC transport
configuring
data plane details
LCCEs
MTU considerations
operation
over WAN protocols, configuring
PMTUD
avoiding fragmentation
combining with DF bit
implementing
switching statistics, displaying

triggering
point-to-point LAN transport 2nd
Layer
2 VPNsession
Architectures
dynamic
ByWei
Luo,session
manual
No.manual
4460,Anthony
- CCIE No.
sessionChan,
with keepalive
2nd10,266
Ethernet VLAN-to-VLAN dynamic session 2nd
verifying configurationPublisher: Cisco Press
PPP transport
configuring
ISBN: 1-58705-168-0
Table plane
of
control
negotiation
Pages:
648
Contents
data
plane
verifying
Index configuration
QoS
queuing
traffic marking Master the world of Layer 2 VPNs to provide enhanced services and enjoy
productivity gains
traffic policing
selection criteria
existing network installation base
interoperability
network operation complexity
session negotiation
supported Layer 2 protocolsGain from the first book to address Layer 2 VPN application utilizing
label advertisement mode (MPLS)
label bindings
label disposition
label distribution control mode their
(MPLS)service offerings while maintaining routing control
label distribution protocol
label imposition
Label Mapping messages
decoding
label retention mode (MPLS)
label spaces
label stacking
AToM
Label TLV encodings technology that would allow Layer 2 transport over a Layer 3
infrastructure.
Label Withdraw messages
Layer 2 local switching
ATM-to-ATM
Ethernet-to-EthernetNetwork (VPN) concepts, and describes Layer 2 VPN techniques via
introductory
Relay
assists
readers
Layer 2 protocol tunneling, configuring for VPLS
history
Layer 2 protocols supported
by L2TPv3
Layer 2 VPN forwarderthe Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbased
Layer 2-specific matching
and setting
ATM over MPLS QoS
Ethernet over MPLSreader
QoS
comparing
Frame Relay over MPLS QoS
progressively
Layer 3 VPNs
limitations of
LCCEs (L2TP Control Connection Endpoints) 2nd
LDP (Label Distribution Protocol)
authentication for pseudowire signaling, configuring
discovery
label advertisement mode
label bindings
label distribution control mode
label mapping messages, decoding 2nd

LSRs
discovery mechanisms
messages
fields
packets
peers
security
ISBN: 1-58705-168-0
Table offield (LDP packets)
LDP Identifier
Pages:
648
Contents
LDP-based
VPLS
Index model
leaky bucket
ATM
legacy Layer 2 VPNs
ATM
DLSw
productivity gains
Frame Relay
VPDNs
liberal label retention mode
like-to-like attachment circuits
limitations
of Layer 3 VPNs
of STP
LMI (Local Management Interface)
message format
status enquiry messages
status messages
update status messages their service offerings while maintaining routing control
load sharing
Equal-Cost Cost Multipath
preferred path, configuring
Unequal Cost Multipath
local emulation mode (OAM)
local switching
ATM attachment circuits
ATM-to-ATM
Ethernet-to-Ethernettechnology that would allow Layer 2 transport over a Layer 3
Ethernet-to-VLAN infrastructure.
Frame Relay-to-Frame Relay
loopback cells (OAM) Layer 2 VPN Architectures introduces readers to Layer 2 Virtual Private
LSPs, FEC
LSRs
LDP discovery mechanisms
Index

[F] [G]
[H] March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
ISBN: 1-58705-168-0
Table of
manual
pseudowire configuration
Pages:
648
Contents
messages
Index
LDP
advertisement
fields
LMI
status
productivity gains
status enquiry
update status
Metro Ethernet
MPLS
AToM
ATM encapsulation
Ethernet encapsulation Gain from the first book to address Layer 2 VPN application utilizing
Frame Relay encapsulation
HDLC encapsulation
label stacking
PPP encapsulation
pseudowires
pseudowires, establishing
selection criteria technologies. Although Layer 3 MPLS VPNs fulfill the market need for some
sequence numbers
supported Layer 2legacy
protocolsLayer 2 and Layer 3 networks would like to move toward a single
backbone
HDLCoMPLS
services
over
LDP
technology
that
infrastructure.
discovery mechanisms
label advertisement mode
label bindings
label distribution and management
label distribution control mode
label space
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSmessages
packets
security
traffic engineering
Fast Reroute 2nd
tunnels, preferred path configuration
WAN protocol over pseudowire configuration control plane
data plane encapsulation
MTU requirements
pseudowire types
MQC (Modular QoS CLI) configuration
traffic marking
MSTP (Multiple Spanning Tree Protocol)
MTU
adjusted MTU
IP IW considerations 2nd
L2TPv3 transport overhead
requirements
4460,Anthony
Chan,
- CCIE No. 10,266
configuring WAN No.
protocols
over MPLS
pseudowires
for EoMPLS
multi-AS networks, pseudowire
emulation
Publisher:
Cisco Press
interconnecting psuedowires
with dedicated
Pub Date:
March 10,circuits
2005 2nd
multihoming VPLS 2nd
ISBN: 1-58705-168-0
Table
of
multipoint
connectivity,
VPLS
Pages:
648
Contents
configuring
Index
EVCS
flooding
forwarding
full-mesh topologicalMaster
model the world of Layer 2 VPNs to provide enhanced services and enjoy
productivity
gains
hierarchical VPLS
hub-and-spoke topological model
multihoming 2nd
network reference model Reduce costs and extend the reach of your services by unifying your
partial-mesh topological model
per-VLAN MAC address limiting
QoS
redundancy
signaling
TLS
topological models
virtual switches

infrastructure.
Index

[F] [G]
[H] March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
ISBN: 1-58705-168-0
Table of
native
emulation)
service processing (pseudowire
Pages:
648
Contents
NLPID field (Frame Relay frames)
Index
notification messages (LDP)
NRM (Normal Response Mode)
productivity gains
infrastructure.
Index

[F] [G]
[H] March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
ISBN: 1-58705-168-0
Table of
OAM 2nd
Pages:
648
Contents
loopback cells
Index
operational modes
OAM emulation
OUI field (Frame Relay frames)
out-of-order packets, sequencing
productivity gains
infrastructure.
Index

[F] [G]
[H] March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
ISBN: 1-58705-168-0
Table of
packet
cell relay mode (ATM) Pages: 648
Contents
packet-switched network layer (L2TPv3)
Index
packets
EoMPLS
fields
label disposition
label imposition
productivity gains
LDP
out-of-order, sequencing
Padding field (Frame Relay frames)
PARC (Palo Alto Research Center)
partial-mesh VPLS topologicalReduce
model
payload layer (pseudowire emulation)
PDU Length field (LDP packets)
PE device system architectureGain from the first book to address Layer 2 VPN application utilizing
control plane
data plane
PE routers
their
debugging EoMPLS operation
2ndservice offerings while maintaining routing control
VLAN rewrite configuration
Fortransport
a majority
VLAN-based EoMPLS
configuration
are
still
derived
PE switches, VLAN-based EoMPLS configuration
technologies.
Although
PEP (pseudowire encapsulation processor)
per-interface label space
per-platform label space
PHP (Penultimate Hop backbone
Popping)
services
over
physical layer (ATM)
technology
that
PID field (Frame Relay frames)
infrastructure.
PMTUD (path maximum transmission unit discovery)
combining with DF bit
fragmentation, avoiding
implementing
switching statistics, displaying
triggering
point-to-point LAN transport 2nd
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSEthernet port-to-port dynamic session
configuring
data plane details
Ethernet port-to-port manual session
data plane details
verifying 2nd
data plane details
Ethernet VLAN-to-VLAN dynamic session, configuring
policing
ATM traffic
CBR.1
UBR.1
UBR.2
VBR.1
VBR.2
VBR.3
Frame Relay
No. 4460,
- CCIEtransport
No. 10,266
port transparency, configuring
forAnthony
EoMPLSChan,
port-based
port-based EoMPLS transport, port-based EoMPLS transport configuration
case study
switch configuration case
study
Pub
port-tunneling mode (EoMPLS)
ISBN: 1-58705-168-0
Table of
post-fragmentation
Pages:
648
Contents
PPP (Point-to-Point
Protocol)
Index
encapsulation
frame format
PPPoMPLS
PPP over L2TPv3
productivity gains
configuring
data plane
pre-fragmentation
preferred path
configuring
with IP routing, configuring Gain
2nd from the first book to address Layer 2 VPN application utilizing
with MPLS Traffic Engineering
tunnels,
configuring
both
ATOM
and L2TP protocols
Protocol field (HDLC frames)
Protocol field (PPP frames) Review strategies that allow large enterprise customers to enhance
protocol layers of pseudowire emulation
2nd
their service
pseudowire class template configuration, case study
For also
a majority
pseudowire emulation [See
pseudowires]
auto-discovery mechanism
configuring
in multi-AS networkscustomers, they have some drawbacks. Ideally, carriers with existing
legacy Layer
2 and Layer
interconnecting psuedowires
with dedicated
circuits 3 networks would like to move toward a single
backbone
while
new
native service processing
network reference model
infrastructure.
control plane
data plane
PEP
protocol layers
standardization
draft-kompella assists readers looking to meet those requirements by explaining the
draft-martini
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSIETF working groups
transporting over PSN
IP cores.
Pseudowire ID FEC element
encoding
comparing
pseudowire-class command,
syntax them to those of Layer 3 based VPNs, such as MPLS, then
progressively
pseudowires
and VCs
AToM 2nd
connectivity verification model
data plane connectivity, verifying
VCCV
IW
bridged
case studies
MTU
routed
routed, case study
label mapping messages, decoding
PSN layer
VPLS, configuring ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
4460,
Anthony Chan,
- CCIE No. 10,266
WAN protocols overNo.
MPLS
pseudowires,
configuring
PSN layer (packet-switched network)
PTI field (ATM cells)
pure Layer 2 model
PVCs
ISBN: 1-58705-168-0
of
PWE3 Table
(Pseudowire
Emulation Edge to Edge) group
Pages:
648
Contents
Index
productivity gains
infrastructure.
Index

[F] [G]
[H] March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
ISBN: 1-58705-168-0
Table of
QinQ
Pages:
648
Contents
asymmetrical links
Index
restrictions
tagging process
QoS
ATM traffic management
configuring for VPLS
productivity gains
in AToM
intermediate markings
queuing
traffic marking
traffic policing
queuing
traffic marking, configuring Gain from the first book to address Layer 2 VPN application utilizing
traffic policing
configuring
traffic shaping
queuing
configuring
in AToM
infrastructure.
Index

[F] [G]
[H] March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
ISBN: 1-58705-168-0
Table of
Rapid
Spanning Tree Protocol Pages: 648
Contents
redundancy, VPLS multihoming
Index
remote circuit id command
required EoMPLS transport preconfiguration
restrictions of 802.1Q
RFC 1547
goals of
productivity gains
RFC 1661, PPP encapsulation
routed IW
Frame Relay-to-ATM, caseLearn
study about Layer 2 Virtual Private Networks (VPNs)
Frame Relay-to-PPP using L2TPv3, case study
Frame Relay-to-VLAN usingReduce
AToM, case
study
costs
MTU considerations 2nd network architecture
routers, EoMPLS
configuration case studies Gain from the first book to address Layer 2 VPN application utilizing
port-based transport
VLAN-based transport
debugging on PE routers Review strategies that allow large enterprise customers to enhance
troubleshooting

infrastructure.
Index

[F] [G]
[H] March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
ISBN: 1-58705-168-0
Table of
security,
LDP
Pages:
648
Contents
selection criteria for L2TPv3
Index
existing network installation base
interoperability
network operation complexity
sequence numbers
productivity gains
service providers
service-delimiting VLAN tags
session establishment (LDP) Learn about Layer 2 Virtual Private Networks (VPNs)
session messages (LDP)
session negotiation, L2TPv3 Reduce costs and extend the reach of your services by unifying your
shaping ATM traffic
show arp command
show connection command Gain from the first book to address Layer 2 VPN application utilizing
show ip traffic command
show mpls forwarding-table command 2nd
Review
show mpls l2transport vc command
2nd strategies that allow large enterprise customers to enhance
show mpls l2transport vc commands
show mpls ldp discovery command
show mpls ldp neighborFor
command
are
show processes cpu command
technologies.
show sss circuits command
signaling, VPLS
single cell relay mode (ATM)
backbone
SNAP (Subnetwork Access
Protocol)while new carriers would like to sell the lucrative Layer 2
services
over
existing
standardizing pseudowire emulation,
IETFtheir
working
groups Layer 3 cores. The solution in these cases is a
technology
that
would
draft-kompella
infrastructure.
draft-martini
status enquiry messages (LMI)
status messages (LMI)
StopCCN (Stop-Control-Connection-Notification)
STP (Spanning Tree Protocol)
limitations of
operation overview
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSRapid Spanning Tree Protocol
STP Root Guard
SUP7203BXL-based systems, configuring VLAN-based EoMPLS
switches
EoMPLS configuration case studies
port-based transport
VLAN-based transport
troubleshooting EoMPLS
Index

[F] [G]
[H] March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
ISBN: 1-58705-168-0
Table of
tagging
process, 802.1Q
Pages:
648
Contents
targeted LDP sessions
Index
TCP MD5
TLS (Transparent LAN Service) 2nd
topological models (VPLS)
full mesh
hierarchical VPLS
productivity gains
with MPLS access network
with QinQ access network
hub and spoke
partial mesh
ToS reflection
traffic management
ATM
traffic policing
traffic shaping
Frame Relay
traffic policing
traffic shaping
traffic marking
in AToM
intermediate markings
MQC
setting ToS value customers, they have some drawbacks. Ideally, carriers with existing
ToS reflection
traffic policing
configuring
in AToM
infrastructure.
traffic shaping
transparent mode (OAM)
transporting pseudowire traffic over PSN
triggering PMTUD
troubleshooting
EoMPLS
on routers
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSon switches
HDLCoMPLS configuration
port transparency for EoMPLS port-based transport
PPPoMPLS configuration
VLAN rewrite on Cisco 12000 series routers
VLAN-based EoMPLS on switches
VLAN-based EoMPLS transport
trunk mode, VPLS configuration
tunnel labels
tunnel ports
tunneling
802.1q
asymmetrical links
restrictions
tagging process
L2TPv3 mechanisms

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.
Index

[F] [G]
[H] March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
ISBN: 1-58705-168-0
Table of
U-bit (unknown message bit) Pages: 648
Contents
UBR (unspecified Bit Rate)
Index
UBR.1 traffic policing
UBR.2 traffic policing
Unequal Cost Multipath
UPC (usage parameter control)
update status messages (LMI)
productivity gains
UTI (Universal Transport Interface)

infrastructure.
Index

[F] [G]
[H] March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
ISBN: 1-58705-168-0
Table of
VBR (variable bit rate)
Pages:
648
Contents
VBR.1 traffic policing
Index
VCCV (virtual circuit connectivity verification)
advertising
data plane connectivity, verifying
productivity gains
VCs (virtual circuits)
and pseudowires
label mapping messages, decoding
PVCs
verifying
AAL5_SDUoL2TPv3 configuration
AAL5oMPLS case study configuration
ATM_CRoL2TPv3 configuration
AToM hardware support both ATOM and L2TP protocols
cell packing configuration
CRoMPLS configuration Review strategies that allow large enterprise customers to enhance
Ethernet port-to-port configuration
Ethernet port-to-port dynamic session configuration
For dynamic
a majority
session
are
still
derived
FRoL2TPv3 configuration
technologies.
Although
FRoMPLS configuration
HDLCoL2TPv3 configuration
HDLCoMPLS configuration
PPPoL2TPv3 configuration
PPPoMPLS configuration
Version field (LDP packets)
VFI, VPLS configurationinfrastructure.
viewing encapsulation details
virtual switches
VLAN rewrite, configuring on Cisco 12000 series routers, case study 2nd
VLAN-based EoMPLS transport
configuring, case study
switch configuration, case study 2nd
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLStroubleshooting
VLAN-tunneling mode (EoMPLS)
VLANs, STP
limitations of
operation overview
VPDNs, legacy Layer 2 VPNs
VPI/VCI field (ATM cells)
VPLS (Virtual Private LAN Service) 2nd [See also hierarchical VPLS]
access mode, configuring
attachment circuits
associating to VFI
configuring
configuring
domains
dot1Q-tunnel mode, configuring
EVCS
flooding
forwarding
multihoming
network reference model
per-VLAN MAC addressPublisher:
limiting Cisco Press
pseudowires, displaying Pub
status
QoS
ISBN: 1-58705-168-0
Table of multihoming
redundancy,
Pages:
648
Contents
signaling
Index
TLS
topological models
full mesh
hierarchical VPLS
hub and spoke Master the world of Layer 2 VPNs to provide enhanced services and enjoy
productivity gains
partial mesh
trunk mode, configuring
VFI, configuring
virtual switches
VPWS
VTP
infrastructure.
Index

[F] [G]
[H] March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
ISBN: 1-58705-168-0
Table of
WANs
Pages:
648
Contents
AAL5_SDUoL2TPv3
Index
configuring
control plan
control plane
data plan 2nd
productivity gains
ATM
AAL
AAL5 CPCS-SDU mode Learn about Layer 2 Virtual Private Networks (VPNs)
cell format
encapsulation
ILMI 2nd
OAM
packet cell relay mode both ATOM and L2TP protocols
traffic management
traffic policing
traffic shaping
ATM_CoL2TPv3
configuring
ATMoMPLS
AAL5 transport legacy Layer 2 and Layer 3 networks would like to move toward a single
cell transport
Frame Relay
encapsulation
infrastructure.
frame format
LMI
over L2TPv3, configuring
traffic management
traffic policing
traffic shaping
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSFRoMPLS
HDLCoMPLS
over L2TPv3
ATM transport
configuring
control plane
data plane
L2-Specific Sublayer
MTU considerations
PPP transport
over MPLS case studies
AAL5oMPLS
CRoMPLS
FRoMPLS
HDLCoMPLS
PPPoMPLS
PPP encapsulation Layer 2 VPN Architectures
frame format
PPPoMPLS

Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.
Index

[F] [G]
[H] March
[I] [J] [L]
[N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X]
Date:
10,[M]
2005
Table of
xconnect
command, syntax
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
productivity gains
infrastructure.

Cisco Press Layer 2 VPN Architectures Mar 2005 eBook-LiB CHM PDF

Caricato da

Informazioni sul documento

Descrizione originale:

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Cisco Press Layer 2 VPN Architectures Mar 2005 eBook-LiB CHM PDF

Caricato da

Copyright:

Formati disponibili

Layer 2 VPN Architectures

Layer 2 VPN Architectures

Layer 2 VPN Architectures

Publisher: Cisco Press

Cisco Press offers excellent

Master the world of LayerJohn

Executive Editor Learn about Layer 2Brett

Review strategies that

Layer 2 VPN Architectures introduces readers to Layer 2 Virtual Private

Asia Pacific Headquarters

Layer 2 VPN Architectures

About the Authors

Layer 2 VPN Architectures introduces readers to Layer 2 Virtual Private

Layer 2 VPN Architectures

About the Technical Reviewers

Aamer Akhter, CCIE

Layer 2 VPN Architectures

Layer 2 VPN Architectures

This Book Is Safari Enabled

Learn about Layer 2 Virtual Private Networks (VPNs)

For a majority of Service Providers, a significant portion of their revenues

Layer 2 VPN Architectures

Cisco Systems uses Publisher:

Layer 2 VPN Architectures

The conventions used

Review strategies that allow large enterprise customers to enhance

Layer 2 VPN Architectures

Layer 2 VPN Architectures introduces readers to Layer 2 Virtual Private

Layer 2 VPN Architectures

The goal of this bookPublisher:

Compares Layer 3 versus Layer 2 provider provisioned VPNs.

assists readers looking to meet those requirements by explaining the

Layer 2 VPN Architectures

Although this book could

Layer 2 VPN Architectures

Pub Date: March 10, 2005

Understanding Layer 2 VPNs

Layer 2 VPN Architectures

Layer 2 VPN Architectures

Chapter 1. Understanding Layer 2 VPNs

Layer 2 VPN Architectures

This section offers examples

Legacy Layer 2 VPNs

Layer 3 VPNsLayer 2 VPN Architectures

introduces readers to Layer 2 Virtual Private

Figure 1-1. Private BGP Network with Private IP Addresses

Layer 2 VPN Architectures

Review strategies that allow large enterprise customers to enhance

Challenges of Traditional VPNs

Layer 2 VPN Architectures

A solution has been Publisher:

For a majority of Service Providers, a significant portion of their revenues

Learn about Layer 2 Virtual Private Networks (VPNs)

On the customer side,

Provide connectivity of non-IP protocols, both routable and bridged

Figure 1-4. Enhanced Layer 2 VPN Example

For a majority of Service Providers, a significant portion of their revenues

Layer 2 VPN Architectures introduces readers to Layer 2 Virtual Private

Layer 2 VPN Architectures

The enhanced LayerPublisher:

Learn about Layer 2 Virtual Private Networks (VPNs)

Layer 2 VPN Architectures