
L2 VPNs.

Pseudowires, AToM.
Virtual Private LAN Services (VPLS).

Petr Grygárek

© 2009 Petr Grygarek, Advanced Computer Networks Technologies 1


Layer 2 VPNs



Uses of L2 VPNs
•Server farms/clusters and other L2-dependent
applications
•redundancy and load-balancing implementations
dependent on L2 connectivity (single broadcast
domain)
•multisite datacenter L2 extension
•Virtual leased lines / Virtual Private LANs (multipoint)
•Links of overlay networks with customer routing
separated from the SP routing
•If SP reaches L3 VPN scalability limits
L2VPN Services (1)
•Pseudowires
•P2P, Muxed or unmuxed UNI
•A muxed UNI allows multiple (separate) VCs to be
terminated on the same physical interface
•A muxed UNI is possible only if the L2 framing
distinguishes the traffic flows
•802.1q VLAN IDs, FR DLCIs, ATM VPI/VCIs
•Various framing options
•Ethernet (including 802.1q) – most cases
•Frame Relay
•HDLC, PPP
•ATM (AAL5 and Cell Relay)
•+ interworking
L2VPN Services (2)
•Virtual Private LAN Service (VPLS)
•Ethernet Relay
•Muxed or unmuxed UNI
•With a muxed UNI, a user can connect to
multiple VPLS instances (MPLS-cloud-wide virtual switch
instances) using a single physical attachment
•The formal L2VPN service classification does not
dictate how the service is implemented in the
SP core network (EoMPLS, AToM, QinQ, ...)
Any Transport over MPLS
(AToM)
•AToM Technical Overview
•http://www.informit.com/library/content.aspx?
b=Troubleshooting_VPNs&seqNum=61



Specifications
•“The AToM framework and transport options for the various Layer 2 protocols are
defined in RFC 4447, RFC 4385, RFC 4448, RFC 4717, RFC 4618, and RFC 4619. In
addition to these methods to transport Layer 2 protocols, RFC 4553 and RFC 4842 define
methods to transport TDM-based services, such as T1/E1, T3/E3, and SONET/SDH,
over a core MPLS network.” - Tiso, John (2011-10-31). Designing Cisco Network Service
Architectures (ARCH) Foundation Learning Guide: (CCDP ARCH 642-874) (3rd Edition)
•Original Internet-Drafts (Martini):
•draft-martini-l2circuit-trans-mpls-07.txt: Transport of Layer 2 Frames over
MPLS
•draft-martini-l2circuit-encap-mpls-03.txt: Encapsulation Methods for
Transport of Layer 2 Frames over MPLS



AToM Uses and Advantages
•Provides traditional L2 P2P connectivity using MPLS
core
•Ethernet/FR/ATM/HDLC/PPP circuits
•Transparent to users
•All MPLS TE and MPLS QoS techniques may be applied
to give pseudowires the desired characteristics
•allows provisioning of QoS-aware virtual leased lines
•May utilize traffic-engineering tunnels
•802.1p, FR DE and ATM CLP bits may also be
carried across the core
L2 Protocols Supported by AToM
•Ethernet (including 802.1q)
•ATM AAL5 PDUs + OAM cells
•Frame Relay + LMI
•ATM Cell Relay
•PPP
•HDLC
•Protocol Interworking
•e.g. FR PVCs<->Ethernet VLANs
•See example at
http://www.debugall.co.uk/2009/08/03/frame-relay-to-
vlan-interworking-atom/
AToM (Pseudowire) Operation
•Frames are encapsulated with a 2-level label stack
•Transport label identifies the egress PE
•VC label identifies the virtual switch instance (VSI) / outgoing interface on the egress PE
•Multiple VCs may exist between a pair of PEs
•A directed (targeted) LDP session between the PEs is used to
distribute the VC (inner) labels (Martini specification)
•New LDP TLVs were defined to signal the label-to-VCID mapping and the VC type
•Alternatively, BGP may be used to distribute the label-to-
VC mapping (Kompella specification)
•In addition, PE autodiscovery is possible using BGP RRs (special AF)
•Data plane: 2 unidirectional LSPs
•Encapsulation type on both sides must match
•Even the access-circuit type (802.1q tagged vs. port mode) is signalled as the VC type and must match on both sides
AToM Control Word
•Carried after the label stack; for FR and ATM AAL5 it takes the place of the
original L2 header
•Preserves special bits of the original L2 header
•FECN, BECN and DE for Frame Relay
•CLP for ATM
•The L2 header is reconstructed on the egress PE
•May carry a sequence number to detect out-of-order frame delivery
•Out-of-order frames are discarded
•Mandatory for FR and ATM AAL5, optional for other
protocols
•PEs signal in LDP (the C bit of the PW FEC element) whether control words will be
present in data frames
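The encapsulation described on the two AToM slides above, as an added example that is not part of the original slides: the ingress PE pushes the transport and VC labels plus a generic control word (RFC 4385) carrying a sequence number and, for Frame Relay, the B/F/D/C flag bits in the RFC 4619 bit order; the egress PE maps the VC label to an attachment circuit, rejects a packet whose VC label is not bottom-of-stack or whose control word nibble is not zero, and discards anything that is not the next expected sequence number, a replayed packet included. Label values, interface names and the sample frames are constructed for the example, and the strict in-order check is a simplification of the RFC 4385 receive procedure.

```python
"""Pseudowire (AToM) encapsulation: two-label MPLS stack + control word.
Added illustration, not code from the slides; labels, interface names
and sample frames are constructed for the example."""
import struct

# Frame Relay flag bits inside the 4-bit control-word flags field (RFC 4619: B F D C)
FR_BECN, FR_FECN, FR_DE, FR_CR = 0x8, 0x4, 0x2, 0x1


def pack_label(label, exp=0, bos=0, ttl=255):
    """One 32-bit MPLS label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


def unpack_label(entry):
    v, = struct.unpack("!I", entry)
    return v >> 12, (v >> 9) & 0x7, (v >> 8) & 0x1, v & 0xFF


def pack_control_word(seq, flags=0, frg=0, length=0):
    """Generic PW control word: 0000 | flags(4) | FRG(2) | Length(6) | Sequence(16).
    The leading zero nibble keeps a P router's ECMP hash from mistaking the
    payload for an IPv4/IPv6 packet."""
    return struct.pack("!I", ((flags & 0xF) << 24) | ((frg & 0x3) << 22)
                       | ((length & 0x3F) << 16) | (seq & 0xFFFF))


def unpack_control_word(cw):
    v, = struct.unpack("!I", cw)
    if v >> 28:
        raise ValueError("first nibble of control word must be 0")
    return {"flags": (v >> 24) & 0xF, "frg": (v >> 22) & 0x3,
            "length": (v >> 16) & 0x3F, "seq": v & 0xFFFF}


def next_seq(seq):
    """Sequence numbers run 1..65535 and wrap back to 1; 0 means 'not sequenced'."""
    return seq + 1 if seq < 0xFFFF else 1


class IngressPE:
    """Ingress side of one PW: pushes VC (inner) and transport (outer) label."""
    def __init__(self, transport_label, vc_label):
        self.transport_label, self.vc_label = transport_label, vc_label
        self.seq = 1

    def send(self, payload, flags=0):
        # Length is only needed when the packet may get padded on the core link (< 64 bytes)
        length = len(payload) if len(payload) < 64 else 0
        pkt = (pack_label(self.transport_label) + pack_label(self.vc_label, bos=1)
               + pack_control_word(self.seq, flags=flags, length=length) + payload)
        self.seq = next_seq(self.seq)
        return pkt


class EgressPE:
    """Egress side: inner label -> attachment circuit, plus the in-order check."""
    def __init__(self, vc_table):
        self.vc_table = vc_table      # inner label -> attachment circuit name
        self.expected = {}            # inner label -> next expected sequence number

    def receive(self, pkt):
        _, _, bos, _ = unpack_label(pkt[0:4])          # transport label (outer)
        if bos:
            return ("drop", "single-label packet: no VC label")
        vc_label, _, bos, _ = unpack_label(pkt[4:8])   # VC label (inner)
        if not bos:
            return ("drop", "VC label must be bottom of stack")
        ac = self.vc_table.get(vc_label)
        if ac is None:
            return ("drop", f"unknown VC label {vc_label}")
        try:
            cw = unpack_control_word(pkt[8:12])
        except ValueError as e:                        # peer did not send a control word
            return ("drop", str(e))
        payload = pkt[12:]
        if cw["length"]:
            payload = payload[:cw["length"]]           # strip core-link padding
        if cw["seq"]:
            exp = self.expected.get(vc_label, cw["seq"])  # first packet sets the baseline
            if cw["seq"] != exp:
                return ("drop", f"out of order on {ac}: got {cw['seq']}, expected {exp}")
            self.expected[vc_label] = next_seq(cw["seq"])
        return ("deliver", ac, payload, cw["flags"])


def eth_frame(dst, src, ethertype, payload):
    """Ethernet frame without preamble and FCS, which is how EoMPLS carries it."""
    return (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + struct.pack("!H", ethertype) + payload)


if __name__ == "__main__":
    pe1 = IngressPE(transport_label=16, vc_label=1001)      # constructed labels
    pe2 = EgressPE({1001: "Gi0/1 (VCID 100)"})
    frame = eth_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 0x0800, b"\x45" * 20)
    pkts = [pe1.send(frame) for _ in range(3)]
    print(pe2.receive(pkts[0])[0])   # deliver
    print(pe2.receive(pkts[2])[1])   # drop: seq 3 arrived before seq 2
    print(pe2.receive(pkts[1])[0])   # deliver
    print(pe2.receive(pkts[0])[1])   # drop: replay of seq 1
```

Without a control word none of these checks exist, which is why the slides list it as mandatory for FR and AAL5: the flag bits have nowhere else to live, and the sequence number is the only thing that lets the egress PE notice reordering or a replayed packet.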



EoMPLS
•May be considered subset of AToM
•Ethernet frames over MPLS LSP
•virtual circuit service
–No L2 destination MAC address lookup
–No L2 address learning
–Port-based or VLAN-based (like Muxed E-LINE)



Virtual Private LAN Service (VPLS)
See also
http://www.h3c.com/portal/Products___Solutions/Technology/MPLS/
VPLS/200701/195598_57_0.htm



Virtual Private LAN
•Ethernet-based any-to-any communication over IP/MPLS
core
•Simulates single Ethernet broadcast domain
•virtual distributed switch which connects together customer's geographically
dispersed LANs
•Simulates a “real” Ethernet bridge over the WAN
•self-learning of MAC addresses, flooding (headend replication) of BUM
frames, MAC address withdrawal after a topology change (new LDP TLV)
•Multiple VPLS instances can coexist on the same MPLS core
•Even reachable from a single muxed UNI
•Sites are connected by pseudowires (PW)
•EoMPLS (alternatively L2TPv3, rarely used)
•Much faster convergence after a failure in the SP network (LSP
rerouting) compared with STP
VPLS Advantages
•For service providers:
•May provide a new (potentially QoS-aware) L2 service on the
existing MPLS core
•Flexible bandwidth allocation
•Compare with a core built from 100 Mb/s, 1 Gb/s or 10 Gb/s
Ethernet switches
•No STP issues in the core
•For customers:
•Simple and well-known Ethernet technology
•The same technology in the carrier network and in customer's
LAN



Implementation of Virtual Distributed
Ethernet Switch (1)
•VFIs (Virtual Forwarding Instances) of the same L2 VPN
(VPLS instance) on the PE switches constitute one broadcast domain
•A VFI is also called a VSI (Virtual Switching Instance)
•Similar concept to a VRF (routing instance), but at L2
•VFI may also handle multiple separate broadcast domains if
VLAN tagging is used (like VLAN-aware switch)
•Full mesh of pseudowires between PE routers
•PWs signalled using BGP (Kompella specification) or
directed LDP (Martini specification)
•Not very scalable
Implementation of Virtual Distributed
Ethernet Switch (2)
•Control plane
•Autodiscovery – finding the other PE LSRs
participating in the same VPN
•BGP or other autodiscovery protocols (DNS, ...)
•Signalling
•process of establishing pseudowires – BGP or
LDP
•BGP (RFC 4761)
•LDP (RFC 4762)
VPLS MAC Address Learning
•Learning from the source MACs of data frames
•Unqualified mode (default): all VLANs share one MAC address space
•problem with L3 devices that use the same MAC address on several
VLANs (the entry flaps between attachment circuits)
•Qualified mode (optional): per-VLAN MAC address learning
•Standard aging timers
•Optional MAC Address Withdrawal LDP message
•e.g. when access circuit fails



Pseudowire Implementation
•Stack of two MPLS headers
•Outer (transport) label identifies the target PE
•Inner label identifies the pseudowire terminated on
that PE
•PEs associate the inner label with a particular VPLS
instance (Virtual Switching Instance)
•Multiple VSIs may exist on the same PE device
•The inner label is allocated by the egress PE for the
configured VCID during PW setup
(control plane)
VPLS Forwarding Loop Avoidance
•A frame received over a PW from PEx is never forwarded by PEy to
another PE (PEz)
•but only to PEy's own attachment circuits (to CEs)
•analogous to the split-horizon rule
•this is why a full mesh of PWs is required
•Solutions for loops across sites with multiple
attachment circuits exist (ICCP) but were not
standardized when these slides were written
•Spanning Tree may still be applied as an
alternative, but it is not recommended
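A toy VPLS PE, as an added example not taken from the slides, tying together the MAC learning, pseudowire implementation and loop-avoidance slides: unqualified versus qualified MAC learning, BUM flooding with head-end replication, the split-horizon rule that keeps the PW full mesh loop-free, per-peer inner-label allocation during PW setup with an unknown label dropped rather than guessed, and the MAC-withdrawal message sent to peers when an attachment circuit fails. PE names, port names, labels and MAC addresses are constructed for the example; the withdrawal is recorded as a Python dict rather than an LDP message.

```python
"""Toy VPLS PE: VSIs with MAC learning, BUM flooding, split horizon over
pseudowires, inner-label allocation and MAC withdrawal.
Added illustration, not code from the slides; all names, labels and
MAC addresses are constructed for the example."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_bum(mac):
    """Broadcast/multicast (I/G bit set) is flooded like unknown unicast."""
    return int(mac.split(":")[0], 16) & 1 == 1


class VSI:
    """One Virtual Switching Instance (VFI): local attachment circuits (ACs)
    towards CEs plus one pseudowire port per remote PE (full mesh)."""
    def __init__(self, name, qualified=False):
        self.name = name
        self.qualified = qualified     # True: separate MAC space per VLAN
        self.acs = []                  # AC port names
        self.pws = []                  # "pw:<peer PE>" ports
        self.fdb = {}                  # learned key -> port
        self.withdrawals = []          # simulated LDP MAC-withdraw messages sent

    def key(self, vlan, mac):
        return (vlan, mac) if self.qualified else mac

    def forward(self, in_port, src, dst, vlan=None):
        """Return the list of ports the frame is sent out of."""
        self.fdb[self.key(vlan, src)] = in_port      # source learning (moves a stale entry)
        from_pw = in_port.startswith("pw:")
        out = None if is_bum(dst) else self.fdb.get(self.key(vlan, dst))
        if out is None:
            # BUM: flood to all other ACs; replicate onto PWs only if it came from an AC
            targets = [p for p in self.acs if p != in_port]
            return targets if from_pw else targets + list(self.pws)
        if out == in_port:
            return []                                 # destination is on the ingress segment
        if from_pw and out.startswith("pw:"):
            return []                                 # split horizon: never PW -> PW
        return [out]

    def ac_down(self, port):
        """AC failure: flush what was learned on it and tell every peer (MAC withdraw)."""
        gone = [k for k, p in self.fdb.items() if p == port]
        for k in gone:
            del self.fdb[k]
        self.acs.remove(port)
        self.withdrawals.append({"to": list(self.pws), "macs": gone})
        return gone


class PE:
    def __init__(self, name):
        self.name = name
        self.vsis = {}
        self.label_to_vsi = {}        # local inner label -> (VSI, peer PE)
        self._next_label = 1000       # constructed label range

    def add_vsi(self, vsi):
        self.vsis[vsi.name] = vsi

    def setup_pw(self, vsi_name, peer):
        """Control plane: allocate the inner label the peer must use for this VCID/VSI."""
        label, self._next_label = self._next_label, self._next_label + 1
        vsi = self.vsis[vsi_name]
        vsi.pws.append(f"pw:{peer}")
        self.label_to_vsi[label] = (vsi, peer)
        return label

    def receive_from_core(self, inner_label, src, dst, vlan=None):
        """Data plane: the inner label selects the VSI; the PW it arrived on is the in-port."""
        entry = self.label_to_vsi.get(inner_label)
        if entry is None:
            return []                 # unknown label: drop, never guess a VSI
        vsi, peer = entry
        return vsi.forward(f"pw:{peer}", src, dst, vlan)


if __name__ == "__main__":
    pe1 = PE("PE1")
    vsi = VSI("CUST-A")
    vsi.acs += ["Gi0/1", "Gi0/2"]
    pe1.add_vsi(vsi)
    label_for_pe2 = pe1.setup_pw("CUST-A", "PE2")
    print(vsi.forward("Gi0/1", "aa:aa:aa:00:00:01", BROADCAST))         # ACs + PWs
    print(pe1.receive_from_core(label_for_pe2, "aa:aa:aa:00:00:03", BROADCAST))  # ACs only
```

The qualified/unqualified difference shows up when a router reuses one MAC on two VLANs behind two ACs: in unqualified mode the last frame seen wins and VLAN 10 traffic is delivered to the wrong AC, in qualified mode each (VLAN, MAC) pair keeps its own entry.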
Problems of VPLS Scaling
•A full mesh of PWs between PEs is needed
•Both for data and control traffic
•a route reflector may help for signalling via IBGP
•static configuration of directed LDP sessions is inherently
unscalable
•Signalling and packet replication overhead (in the PE)
•especially broadcasts and unknown unicast flooding
•One solution is to establish a hierarchy, i.e. divide a
VPLS VPN into 2 tiers
•Multiple customer sites are aggregated in the second (access) tier and
connected to the same core PE router => hierarchical VPLS (H-
VPLS)
Hierarchical VPLS



H-VPLS (1)
•2-tier architecture
•analogous to a star topology of spoke switches connected to a
core switch (without local switching in the spokes)
•High-performance core tier
•Limited number of PEs
•Stable full mesh of virtual circuits between PEs
•Packet replication and switching occur only in the core
•MPLS or (cheaper) QinQ Ethernet-based access tier in
POPs
•U-PE faces the customer
•N-PE faces the core
H-VPLS (2)
•The access tier of the H-VPLS hierarchy can also be
implemented over an MPLS cloud
•spoke pseudowires over the MPLS cloud
•switching function only in the N-PE router



H-VPLS Advantages
•Limited size of the PW full-mesh in the core
•Cheaper QinQ-based (possibly Metro Ethernet)
technology in POPs' access networks
•Expanding a POP's access network does not require
configuration changes on the core PEs (N-PEs)



802.1q and MPLS Tags (Labels)
in H-VPLS
•Customer tag (802.1q)
•Optional, for customers that need to transport 802.1q-
tagged traffic
•Service-provider tag (802.1q / QinQ)
•Pushed by the ingress QinQ access-layer Ethernet switch (U-PE)
•Converted to the (inner) MPLS label on the ingress core PE router (N-PE)
•Identifies the VFI on the target PE router(s)
•Transport tag (MPLS label)
•Identifies the egress core PE router
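The tag stack on this slide, as an added example not from the original slides: the U-PE pushes an 802.1ad S-tag in front of whatever the customer sent (untagged or already 802.1q-tagged), and the N-PE pops it, maps the S-VLAN to a VFI and pushes the MPLS stack with the inner label the remote PE allocated, dropping frames that carry no S-tag or an unprovisioned S-VLAN. S-VLAN numbers, labels, the peer name and the customer frames are constructed; the S-tag TPID 0x88a8 is the 802.1ad value, and deployments that use 0x8100 for the outer tag would change that one constant.

```python
"""H-VPLS access tier: QinQ S-tag at the U-PE, S-VLAN -> VFI -> MPLS labels at the N-PE.
Added illustration, not code from the slides; S-VLANs, labels, peer names
and customer frames are constructed for the example."""
import struct

ETH_QINQ, ETH_8021Q = 0x88A8, 0x8100     # S-tag TPID (802.1ad) and customer C-tag TPID


def push_tag(frame, tpid, vid, pcp=0):
    """Insert a 4-byte VLAN tag right after the destination and source MACs."""
    tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tag(frame, tpid):
    """Remove the outermost tag if its TPID matches: (vid, frame) or None."""
    if struct.unpack("!H", frame[12:14])[0] != tpid:
        return None
    vid = struct.unpack("!H", frame[14:16])[0] & 0xFFF
    return vid, frame[:12] + frame[16:]


def pack_label(label, exp=0, bos=0, ttl=255):
    """One 32-bit MPLS label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


class UPE:
    """QinQ access switch: every customer-facing port belongs to one S-VLAN."""
    def __init__(self, port_to_svlan):
        self.port_to_svlan = port_to_svlan

    def ingress(self, port, frame):
        svlan = self.port_to_svlan[port]
        return push_tag(frame, ETH_QINQ, svlan)   # a customer C-tag, if present, stays inside


class NPE:
    """Core-facing PE: the S-VLAN selects the VFI; per VFI and peer it knows the
    transport label towards the peer and the inner label the peer allocated."""
    def __init__(self, svlan_to_vfi, vfi_labels):
        self.svlan_to_vfi = svlan_to_vfi         # S-VLAN -> VFI name
        self.vfi_labels = vfi_labels             # VFI -> {peer: (transport, inner)}

    def to_core(self, frame, peer):
        popped = pop_tag(frame, ETH_QINQ)
        if popped is None:
            return None                          # no S-tag: not from a provisioned U-PE port
        svlan, inner_frame = popped
        vfi = self.svlan_to_vfi.get(svlan)
        if vfi is None:
            return None                          # unprovisioned S-VLAN: drop
        transport, inner = self.vfi_labels[vfi][peer]
        return pack_label(transport) + pack_label(inner, bos=1) + inner_frame


def eth_frame(dst, src, ethertype, payload):
    return (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + struct.pack("!H", ethertype) + payload)


if __name__ == "__main__":
    upe = UPE({"Gi1/1": 200})                                  # constructed S-VLAN
    npe = NPE({200: "CUST-A"}, {"CUST-A": {"PE2": (17, 1000)}})  # constructed labels
    cust = eth_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 0x0800, b"\x45" * 20)
    double = upe.ingress("Gi1/1", push_tag(cust, ETH_8021Q, 100))   # C-tag 100 inside S-tag 200
    print(npe.to_core(double, "PE2").hex())
```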

