Virtual Private LAN Services (VPLS) enables enterprises to link together their Ethernet-based LANs from multiple sites via the infrastructure provided by their service provider. This module explains VPLS and how to configure it.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information,
see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module,
and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature
Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Virtual Private LAN Services
Before you configure Virtual Private LAN Services (VPLS), ensure that the network is configured as follows:
Configure IP routing in the core so that provider edge (PE) devices can reach each other via IP.
Configure Multiprotocol Label Switching (MPLS) in the core so that a label switched path (LSP) exists between PE devices.
Configure a loopback interface for originating and terminating Layer 2 traffic. Ensure that PE devices can access the loopback interface of the other device. Note that the loopback interface is not required in all cases. For example, tunnel selection does not need a loopback interface when VPLS is directly mapped to a traffic engineering (TE) tunnel.
Identify peer PE devices and attach Layer 2 circuits to VPLS at each PE device.
Restrictions for Virtual Private LAN Services
The following general restrictions apply to all transport types under Virtual Private LAN Services (VPLS):
If the EFP feature template is not enabled, no traffic flows between an EFP and a VFI (when the EFP is in a split-horizon group and the VFI is default). When the EFP feature template is enabled, traffic does flow between the EFP and the VFI because of design limitations.
Supported maximum values:
Total number of virtual forwarding instances (VFIs): 4096 (4 K)
Software-based data plane is not supported.
The Border Gateway Protocol (BGP) autodiscovery process does not support dynamic, hierarchical VPLS.
Load sharing and failover on redundant customer-edge-provider-edge (CE-PE) links are not supported.
Point to Multipoint (P2MP) Resource Reservation Protocol (RSVP) for MPLS Traffic Engineering (MPLS-TE) is not supported over VPLS on the Cisco RSP2 and RSP3 routers.
Traffic drops are observed for smaller-sized MPLS pseudowire packets.
Information About Virtual Private LAN Services
VPLS Overview
Virtual Private LAN Services (VPLS) enables enterprises to link together their Ethernet-based LANs from multiple sites via
the infrastructure provided by their service provider. From the enterprise perspective, the service provider’s public network
looks like one giant Ethernet LAN. For the service provider, VPLS provides an opportunity to deploy another revenue-generating
service on top of the existing network without major capital expenditures. Operators can extend the operational life of equipment
in their network.
VPLS uses the provider core to join multiple attachment circuits together to simulate a virtual bridge that connects the multiple
attachment circuits together. From a customer point of view, there is no topology for VPLS. All customer edge (CE) devices
appear to connect to a logical bridge emulated by the provider core (see the figure below).
Full-Mesh Configuration
A full-mesh configuration requires a full mesh of tunnel label switched paths (LSPs) between all provider edge (PE) devices
that participate in Virtual Private LAN Services (VPLS). With a full mesh, signaling overhead and packet replication requirements
for each provisioned virtual circuit (VC) on a PE can be high.
You set up a VPLS by first creating a virtual forwarding instance (VFI) on each participating PE device. The VFI specifies
the VPN ID of a VPLS domain, the addresses of other PE devices in the domain, and the type of tunnel signaling and encapsulation
mechanism for each peer PE device.
The set of VFIs formed by the interconnection of the emulated VCs is called a VPLS instance; it is the VPLS instance that
forms the logical bridge over a packet switched network. After the VFI has been defined, it needs to be bound to an attachment
circuit to the CE device.
The VPLS instance is assigned a unique VPN ID.
PE devices use the VFI to establish a full-mesh LSP of emulated VCs to all other PE devices in the VPLS instance. PE devices
obtain the membership of a VPLS instance through static configuration using the Cisco IOS CLI.
A full-mesh configuration allows the PE device to maintain a single broadcast domain. When the PE device receives a broadcast,
multicast, or unknown unicast packet on an attachment circuit (AC), it sends the packet out on all other ACs and emulated
circuits to all other CE devices participating in that VPLS instance. The CE devices see the VPLS instance as an emulated
LAN.
To avoid the problem of a packet looping in the provider core, PE devices enforce a “split-horizon” principle for emulated
VCs. In a split horizon, if a packet is received on an emulated VC, it is not forwarded on any other emulated VC.
The packet forwarding decision is made by looking up the Layer 2 VFI of a particular VPLS domain.
A VPLS instance on a particular PE device receives Ethernet frames that enter on specific physical or logical ports and populates
a MAC table similarly to how an Ethernet switch works. The PE device can use the MAC address to switch these frames into the
appropriate LSP for delivery to another PE device at a remote site.
If the MAC address is not available in the MAC address table, the PE device replicates the Ethernet frame and floods it to
all logical ports associated with that VPLS instance, except the ingress port from which it just entered. The PE device updates
the MAC table as it receives packets on specific ports and removes addresses not used for specific periods.
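The forwarding rules described above (MAC learning, flooding of unknown, broadcast and multicast destinations, split horizon between emulated VCs, and aging) determine which ports ever see a given customer frame. The following Python model is an added example, not Cisco code; the port names, the documentation-range MAC addresses and the 300-second aging value are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """True for broadcast and multicast MACs (group bit of the first octet set)."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass(frozen=True)
class Port:
    name: str
    kind: str  # "ac" = attachment circuit, "pw" = emulated VC to a peer PE


@dataclass
class Vfi:
    vpn_id: int
    ports: list
    aging_seconds: int = 300  # assumed for the model, not a platform default
    mac_table: dict = field(default_factory=dict)  # mac -> (Port, last_seen)

    def age_out(self, now: float) -> None:
        """Remove entries whose timer has expired."""
        expired = [mac for mac, (_, seen) in self.mac_table.items()
                   if now - seen >= self.aging_seconds]
        for mac in expired:
            del self.mac_table[mac]

    def _allowed(self, ingress: Port, egress: Port) -> bool:
        if egress == ingress:
            return False  # never send a frame back out of its ingress port
        # Split horizon: a frame received on an emulated VC is not
        # forwarded on any other emulated VC.
        return not (ingress.kind == "pw" and egress.kind == "pw")

    def receive(self, ingress: Port, src: str, dst: str, now: float) -> list:
        """Learn the source MAC, then return the names of the egress ports."""
        self.age_out(now)
        if not is_group_address(src):
            self.mac_table[src] = (ingress, now)
        entry = None if is_group_address(dst) else self.mac_table.get(dst)
        if entry is not None:  # known unicast: one port, if permitted
            egress = entry[0]
            return [egress.name] if self._allowed(ingress, egress) else []
        # Broadcast, multicast or unknown unicast: flood within the instance.
        return [p.name for p in self.ports if self._allowed(ingress, p)]


# Constructed topology: one PE with two attachment circuits and two peers.
AC1, AC2 = Port("ac1", "ac"), Port("ac2", "ac")
PW2, PW3 = Port("pw-pe2", "pw"), Port("pw-pe3", "pw")
HOST_A, HOST_B, HOST_C = ("00:00:5e:00:53:0a", "00:00:5e:00:53:0b",
                          "00:00:5e:00:53:0c")


def build_demo_vfi() -> Vfi:
    return Vfi(vpn_id=110, ports=[AC1, AC2, PW2, PW3])


def demo() -> list:
    vfi = build_demo_vfi()
    return [
        vfi.receive(AC1, HOST_A, HOST_B, now=0),     # unknown unicast: flooded
        vfi.receive(PW2, HOST_B, HOST_A, now=1),     # A was learned on ac1
        vfi.receive(PW2, HOST_B, HOST_C, now=2),     # unknown, arrived on a PW
        vfi.receive(PW3, HOST_C, BROADCAST, now=3),  # broadcast from a PW
        vfi.receive(AC2, HOST_C, HOST_A, now=400),   # A has aged out by now
    ]


if __name__ == "__main__":
    for egress in demo():
        print(egress)
```

The third and fourth results contain only attachment circuits: frames that arrive from a peer PE are never relayed to another peer, which is what keeps a full mesh loop-free without spanning tree in the core.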
Static VPLS Configuration
Virtual Private LAN Services (VPLS) over Multiprotocol Label Switching-Transport Profile (MPLS-TP) tunnels allows you to deploy a multipoint-to-multipoint Layer 2 operating environment over an MPLS-TP network for services such as Ethernet connectivity and multicast video. To configure static VPLS, you must specify a static range of MPLS labels using the mpls label range command with the static keyword.
H-VPLS
Hierarchical VPLS (H-VPLS) reduces signaling and replication overhead by using full-mesh and hub-and-spoke configurations. Hub-and-spoke configurations operate with split horizon to allow packets to be switched between pseudowires (PWs), effectively reducing the number of PWs between provider edge (PE) devices.
Note
Split horizon is the default configuration to avoid broadcast packet looping.
Supported Features
Multipoint-to-Multipoint Support
In a multipoint-to-multipoint network, two or more devices are associated over the core network. No single device is designated as the Root node; all devices are considered as Root nodes. All frames can be exchanged directly between the nodes.
Non-Transparent Operation
A virtual Ethernet connection (VEC) can be transparent or non-transparent with respect to Ethernet protocol data units (PDUs).
The VEC non-transparency allows users to have a Frame Relay-type service between Layer 3 devices.
Circuit Multiplexing
Circuit multiplexing allows a node to participate in multiple services over a single Ethernet connection. By participating
in multiple services, the Ethernet connection is attached to multiple logical networks. Some examples of possible service
offerings are VPN services between sites, Internet services, and third-party connectivity for intercompany communications.
MAC-Address Learning, Forwarding, and Aging
Provider edge (PE) devices must learn remote MAC addresses and directly attached MAC addresses on ports that face the external network. MAC address learning accomplishes this by deriving the topology and forwarding information from packets originating at customer sites. A timer is associated with stored MAC addresses. After the timer expires, the entry is removed from the table.
Jumbo Frame Support
Jumbo frame support provides support for frame sizes between 1548 and 9216 bytes. You use the CLI to establish the jumbo frame
size for any value specified in the above range. The default value is 1500 bytes in any Layer 2/VLAN interface. You can configure
jumbo frame support on a per-interface basis.
Q-in-Q Support and Q-in-Q to EoMPLS VPLS Support
With 802.1Q tunneling (Q-in-Q), the customer edge (CE) device issues VLAN-tagged packets and VPLS forwards these packets to
a far-end CE device. Q-in-Q refers to the fact that one or more 802.1Q tags may be located in a packet within the interior
of the network. As packets are received from a CE device, an additional VLAN tag is added to incoming Ethernet packets to
segregate traffic from different CE devices. Untagged packets originating from a CE device use a single tag within the interior
of the VLAN switched network, whereas previously tagged packets originating from the CE device use two or more tags.
VPLS Services
Transparent LAN Service
Transparent LAN Service (TLS) is an extension to the point-to-point port-based Ethernet over Multiprotocol Label Switching
(EoMPLS), which provides bridging protocol transparency (for example, bridge protocol data units [BPDUs]) and VLAN values.
Bridges see this service as an Ethernet segment. With TLS, the PE device forwards all Ethernet packets received from the customer-facing
interface (including tagged and untagged packets, and BPDUs) as follows:
To a local Ethernet interface or an emulated virtual circuit (VC) if the destination MAC address is found in the Layer 2 forwarding
table.
To all other local Ethernet interfaces and emulated VCs belonging to the same VPLS domain if the destination MAC address is
a multicast or broadcast address or if the destination MAC address is not found in the Layer 2 forwarding table.
Note
You must enable Layer 2 protocol tunneling to run the Cisco Discovery Protocol (CDP), the VLAN Trunking Protocol (VTP), and
the Spanning-Tree Protocol (STP).
Ethernet Virtual Connection Service
Ethernet Virtual Connection Service (EVCS) is an extension to the point-to-point VLAN-based Ethernet over MPLS (EoMPLS) that
allows devices to reach multiple intranet and extranet locations from a single physical port. With EVCS, the provider edge
(PE) device forwards all Ethernet packets with a particular VLAN tag received from the customer-facing interface (excluding
bridge protocol data units [BPDUs]) as follows:
To a local Ethernet interface or to an emulated virtual circuit (VC) if the destination MAC address is found in the Layer
2 forwarding table.
To all other local Ethernet interfaces and emulated VCs belonging to the same Virtual Private LAN Services (VPLS) domain if
the destination MAC address is a multicast or a broadcast address or if the destination MAC address is not found in the Layer
2 forwarding table.
Note
Because it has only local significance, the demultiplexing VLAN tag that identifies a VPLS domain is removed before the packet
is forwarded to the outgoing Ethernet interfaces or emulated VCs.
How to Configure Virtual Private LAN Services
Provisioning a Virtual Private LAN Services (VPLS) link involves provisioning the associated attachment circuit and a virtual
forwarding instance (VFI) on a provider edge (PE) device.
In Cisco IOS XE Release 3.7S, the L2VPN Protocol-Based CLIs feature was introduced. This feature provides a set of processes
and an improved infrastructure for developing and delivering Cisco IOS software on various Cisco platforms. This feature introduces
new commands and modifies or replaces existing commands to achieve a consistent functionality across Cisco platforms and provide
cross-Operating System (OS) support.
This section consists of tasks that use the commands existing prior to Cisco IOS XE Release 3.7S and a corresponding task
that uses the commands introduced or modified by the L2VPN Protocol-Based CLIs feature.
Configuring PE Layer 2 Interfaces on CE Devices
You can configure the Ethernet flow point (EFP) as a Layer 2 virtual interface. You can also select tagged or untagged traffic
from a customer edge (CE) device.
Configuring 802.1Q Access Ports for Tagged Traffic from a CE Device
Note
When Ethernet Virtual Connection Service (EVCS) is configured, a provider edge (PE) device forwards all Ethernet packets with a particular VLAN tag to a local Ethernet interface or emulated virtual circuit (VC) if the destination MAC address is found in the Layer 2 forwarding table.
SUMMARY STEPS
enable
configure terminal
interface type number
no ip address [ip-address mask] [secondary]
negotiation auto
service instance si-id ethernet
encapsulation dot1q vlan-id
bridge-domain bd-id
end
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Device> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.
Step 3
interface type number
Example:
Device(config)# interface gigabitethernet 0/0/1
Specifies an interface and enters interface configuration mode.
Step 4
no ip address [ip-address mask] [secondary]
Example:
Device(config-if)# no ip address
Disables IP processing.
Step 5
negotiation auto
Example:
Device(config-if)# negotiation auto
Enables the autonegotiation protocol to configure the speed, duplex, and automatic flow control of the Gigabit Ethernet interface.
Step 6
service instance si-id ethernet
Example:
Device(config-if)# service instance 10 ethernet
Specifies the service instance ID and enters service instance configuration mode.
Step 7
encapsulation dot1q vlan-id
Example:
Device(config-if-srv)# encapsulation dot1q 200
Defines the matching criteria to map 802.1Q frames ingress on an interface to the appropriate service instance.
Ensure that the interface on the adjoining customer edge (CE) device is on the same VLAN as this PE device.
Step 8
bridge-domain bd-id
Example:
Device(config-if-srv)# bridge-domain 100
Binds a service instance to a bridge domain instance.
Step 9
end
Example:
Device(config-if-srv)# end
Exits service instance configuration mode and returns to privileged EXEC mode.
Configuring 802.1Q Access Ports for Tagged Traffic from a CE Device: Alternate Configuration
Note
When Ethernet Virtual Connection Service (EVCS) is configured, the PE device forwards all Ethernet packets with a particular VLAN tag to a local Ethernet interface or an emulated virtual circuit (VC) if the destination MAC address is found in the Layer 2 forwarding table.
Device(config-bdomain)# member gigabitethernet0/4/4 service-instance 1000
Binds a service instance to a bridge domain instance.
Step 12
end
Example:
Device(config-bdomain)# end
Exits bridge-domain configuration mode and returns to privileged EXEC mode.
Configuring Q-in-Q EFP
Note
When Transparent LAN Service (TLS) is configured, the provider edge (PE) device forwards all Ethernet packets received from the customer edge (CE) device to all local Ethernet interfaces and emulated virtual circuits (VCs) that belong to the same Virtual Private LAN Services (VPLS) domain if the MAC address is not found in the Layer 2 forwarding table.
SUMMARY STEPS
enable
configure terminal
interface type number
no ip address [ip-address mask] [secondary]
negotiation auto
service instance si-id ethernet
encapsulation dot1q vlan-id second-dot1q vlan-id
bridge-domain bd-id
end
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Device> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.
Step 3
interface type number
Example:
Device(config)# interface gigabitethernet 0/0/2
Specifies an interface and enters interface configuration mode.
Step 4
no ip address [ip-address mask] [secondary]
Example:
Device(config-if)# no ip address
Disables IP processing.
Step 5
negotiation auto
Example:
Device(config-if)# negotiation auto
Enables the autonegotiation protocol to configure the speed, duplex, and automatic flow control of the Gigabit Ethernet interface.
Step 6
service instance si-id ethernet
Example:
Device(config-if)# service instance 10 ethernet
Specifies a service instance ID and enters service instance configuration mode.
Step 7
encapsulation dot1q vlan-id second-dot1q vlan-id
Defines the matching criteria to map Q-in-Q ingress frames on an interface to the appropriate service instance.
Ensure that the interface on the adjoining CE device is on the same VLAN as this PE device.
Step 8
bridge-domain bd-id
Example:
Device(config-if-srv)# bridge-domain 100
Binds a service instance or a MAC tunnel to a bridge domain instance.
Step 9
end
Example:
Device(config-if-srv)# end
Exits service instance configuration mode and returns to privileged EXEC mode.
Configuring Q-in-Q EFP: Alternate Configuration
Note
When Transparent LAN Service (TLS) is configured, the provider edge (PE) device forwards all Ethernet packets received from the customer edge (CE) device to all local Ethernet interfaces and emulated virtual circuits (VCs) belonging to the same Virtual Private LAN Services (VPLS) domain if the MAC address is not found in the Layer 2 forwarding table.
Device(config-bdomain)# member gigabitethernet0/0/2 service-instance 1000
Binds a service instance to a bridge domain instance.
Step 12
end
Example:
Device(config-bdomain)# end
Exits bridge-domain configuration mode and returns to privileged EXEC mode.
Configuring MPLS on a PE Device
To configure Multiprotocol Label Switching (MPLS) on a provider edge (PE) device, configure the required MPLS parameters.
Note
Before configuring MPLS, ensure that IP connectivity exists between all PE devices by configuring Interior Gateway Protocol
(IGP), Open Shortest Path First (OSPF), or Intermediate System to Intermediate System (IS-IS) between PE devices.
SUMMARY STEPS
enable
configure terminal
mpls label protocol {ldp | tdp}
mpls ldp logging neighbor-changes
mpls ldp discovery hello holdtime seconds
mpls ldp router-id interface-type-number [force]
end
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Device> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.
Step 3
mpls label protocol {ldp | tdp}
Example:
Device(config)# mpls label protocol ldp
Specifies the label distribution protocol for the platform.
Step 4
mpls ldp logging neighbor-changes
Example:
Device(config)# mpls ldp logging neighbor-changes
(Optional) Generates system error logging (syslog) messages when LDP sessions go down.
Step 5
mpls ldp discovery hello holdtime seconds
Configures the interval between the transmission of consecutive LDP discovery hello messages or the hold time for an LDP transport connection.
Step 6
mpls ldp router-id interface-type-number [force]
Example:
Device(config)# mpls ldp router-id loopback0 force
Specifies a preferred interface for the LDP router ID.
Step 7
end
Example:
Device(config)# end
Exits global configuration mode and returns to privileged EXEC mode.
Configuring a VFI on a PE Device
The virtual forwarding interface (VFI) specifies the VPN ID of a Virtual Private LAN Services (VPLS) domain, the addresses of other provider edge (PE) devices in the domain, and the type of tunnel signaling and encapsulation mechanism for each peer.
Note
Only Multiprotocol Label Switching (MPLS) encapsulation is supported.
Note
You must configure BDI on the bridge domain that has the association with the VFI.
Specifies the type of tunnel signaling and encapsulation mechanism for each VPLS peer.
Note
Split horizon is the default configuration to avoid broadcast packet looping and to isolate Layer 2 traffic. Use the no-split-horizon keyword to disable split horizon and to configure multiple VCs per spoke into the same VFI.
Step 6
bridge-domain bd-id
Example:
Device(config-vfi)# bridge-domain 100
Specifies a bridge domain.
Step 7
end
Example:
Device(config-vfi)# end
Exits VFI configuration mode and returns to privileged EXEC mode.
Configuring a VFI on a PE Device: Alternate Configuration
SUMMARY STEPS
enable
configure terminal
l2vpn vfi context name
vpn id id
member ip-address [vc-id] encapsulation mpls
exit
bridge-domain bd-id
member vfi vfi-name
end
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Device> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.
Step 3
l2vpn vfi context name
Example:
Device(config)# l2vpn vfi context vfi110
Establishes an L2VPN VFI between two or more separate networks, and enters VFI configuration mode.
Step 4
vpn id id
Example:
Device(config-vfi)# vpn id 110
Configures a VPN ID for a Virtual Private LAN Services (VPLS) domain. The emulated virtual circuits (VCs) bound to this Layer 2 virtual routing and forwarding (VRF) instance use this VPN ID for signaling.
Step 5
member ip-address [vc-id] encapsulation mpls
Example:
Device(config-vfi)# member 172.16.10.2 4 encapsulation mpls
Specifies the devices that form a point-to-point Layer 2 VPN (L2VPN) virtual forwarding interface (VFI) connection and Multiprotocol Label Switching (MPLS) as the encapsulation type.
Step 6
exit
Example:
Device(config-vfi)# exit
Exits VFI configuration mode and returns to global configuration mode.
Step 7
bridge-domain bd-id
Example:
Device(config)# bridge-domain 100
Specifies a bridge domain and enters bridge-domain configuration mode.
Step 8
member vfi vfi-name
Example:
Device(config-bdomain)# member vfi vfi110
Binds a VFI instance to a bridge domain instance.
Step 9
end
Example:
Device(config-bdomain)# end
Exits bridge-domain configuration mode and returns to privileged EXEC mode.
Configuring Static Virtual Private LAN Services
To configure static Virtual Private LAN Services (VPLS), perform the following tasks:
Configuring a Pseudowire for Static VPLS
Configuring VFI for Static VPLS
Configuring a VFI for Static VPLS: Alternate Configuration
Configuring an Attachment Circuit for Static VPLS
Configuring an Attachment Circuit for Static VPLS: Alternate Configuration
Configuring an MPLS-TP Tunnel for Static VPLS with TP
Configuring a Pseudowire for Static VPLS
The configuration of pseudowires between provider edge (PE) devices helps in the successful transmission of the Layer 2 frames between PE devices.
Use the pseudowire template to configure the virtual circuit (VC) type for the virtual path identifier (VPI) pseudowire. In the following task, the pseudowire will go through a Multiprotocol Label Switching-Transport Profile (MPLS-TP) tunnel.
The pseudowire template configuration specifies the characteristics of the tunneling mechanism that is used by the pseudowires, which are:
Encapsulation type
Control protocol
Payload-specific options
Preferred path
Perform this task to configure a pseudowire template for static Virtual Private LAN Services (VPLS).
Note
Ensure that you perform this task before configuring the virtual forwarding instance (VFI) peer. If the VFI peer is configured before the pseudowire class, the configuration is incomplete until the pseudowire class is configured. The show running-config command displays an error stating that configuration is incomplete.
Device# show running-config | sec vfi
l2 vfi config manual
vpn id 1000
! Incomplete point-to-multipoint vfi config
Configures an Any Transport over MPLS (AToM) static pseudowire connection by defining local and remote circuit labels.
Step 12
end
Example:
Device(config-if)# end
Exits interface configuration mode and returns to privileged EXEC mode.
Configuring VFI for Static VPLS
Note
Ensure that you perform this task after configuring the pseudowire. If the VFI peer is configured before the pseudowire, the configuration is incomplete until the pseudowire is configured. The output of the show running-config command displays an error stating that configuration is incomplete.
Device# show running-config | sec vfi
l2 vfi config manual
vpn id 1000
! Incomplete point-to-multipoint vfi config
Specifies that no signaling protocol will be used in Layer 2 Tunneling Protocol Version 3 (L2TPv3) sessions.
Step 7
exit
Example:
Device(config-pw-class)# exit
Exits pseudowire class configuration mode and returns to global configuration mode.
Step 8
l2 vfi vfi-name manual
Example:
Device(config)# l2 vfi static-vfi manual
Establishes a Layer 2 VPN (L2VPN) virtual forwarding interface (VFI) between two or more separate networks, and enters Layer 2 VFI manual configuration mode.
Configures an AToM static pseudowire connection by defining local and remote circuit labels.
Step 15
mpls control-word
Example:
Device(config-vfi)# mpls control-word
(Optional) Enables the MPLS control word in an AToM static pseudowire connection.
Step 16
end
Example:
Device(config-vfi)# end
Exits Layer 2 VFI manual configuration mode and returns to privileged EXEC mode.
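The incomplete-VFI marker shown in the notes above and the no-split-horizon keyword are both easy to miss in a long running configuration. This added Python example (not Cisco code) scans configuration text for them and for VFIs with no bridge-domain binding. The two sample configurations are constructed; the neighbor lines and the one-space indentation of sub-commands are assumed to follow the usual running-config layout, and 172.16.10.3 is a made-up peer.

```python
import re

VFI_START = re.compile(r"^(?:l2 vfi (\S+) manual|l2vpn vfi context (\S+))$")
BD_START = re.compile(r"^bridge-domain \d+$")
INCOMPLETE = "! Incomplete point-to-multipoint vfi config"
UNBOUND = "no bridge-domain binding found"


def split_blocks(config: str) -> list:
    """Group config text into (header, [sub-command lines]) blocks.

    Assumption: sub-commands are indented and a bare "!" ends a block.
    """
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line[0].isspace() or line.startswith(INCOMPLETE):
            if current is not None:
                current[1].append(line.strip())
        elif line == "!":
            current = None
        else:
            current = (line, [])
            blocks.append(current)
    return blocks


def audit_vfis(config: str) -> list:
    """Return (vfi_name, issue, detail) tuples for VFIs that need review."""
    blocks = split_blocks(config)
    # VFIs bound through "member vfi <name>" inside a bridge-domain block.
    bound = set()
    for header, body in blocks:
        if BD_START.match(header):
            for line in body:
                m = re.match(r"^member vfi (\S+)$", line)
                if m:
                    bound.add(m.group(1))
    findings = []
    for header, body in blocks:
        m = VFI_START.match(header)
        if not m:
            continue
        name = m.group(1) or m.group(2)
        if INCOMPLETE in body:
            findings.append((name, "incomplete", INCOMPLETE))
        for line in body:
            words = line.split()
            if words[0] in ("neighbor", "member") and "no-split-horizon" in words:
                findings.append((name, "no-split-horizon", words[1]))
        bound_inline = any(BD_START.match(line) for line in body)
        if not bound_inline and name not in bound:
            findings.append((name, "unbound", UNBOUND))
    return findings


# Constructed sample in the older CLI style (l2 vfi ... manual).
LEGACY_SAMPLE = """\
l2 vfi config manual
 vpn id 1000
 ! Incomplete point-to-multipoint vfi config
!
l2 vfi hub manual
 vpn id 200
 bridge-domain 100
 neighbor 172.16.10.2 encapsulation mpls
 neighbor 172.16.10.3 encapsulation mpls no-split-horizon
"""

# Constructed sample in the protocol-based CLI style (l2vpn vfi context).
NEW_CLI_SAMPLE = """\
l2vpn vfi context vfi110
 vpn id 110
 member 172.16.10.2 4 encapsulation mpls
!
l2vpn vfi context vfi120
 vpn id 120
 member 172.16.10.2 5 encapsulation mpls
!
bridge-domain 100
 member vfi vfi110
"""

if __name__ == "__main__":
    for sample in (LEGACY_SAMPLE, NEW_CLI_SAMPLE):
        for finding in audit_vfis(sample):
            print(finding)
```

A no-split-horizon finding is not an error in a hub-and-spoke design, but each one marks a peer whose traffic can be relayed to other pseudowires and is worth confirming against the intended topology.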
Configuring a VFI for Static VPLS: Alternate Configuration
Note
Ensure that you perform this task after configuring the pseudowire. If the VFI peer is configured before the pseudowire, the configuration is incomplete until the pseudowire is configured. The output of the show running-config command displays an error stating that configuration is incomplete.
Device# show running-config | sec vfi
l2 vfi config manual
vpn id 1000
! Incomplete point-to-multipoint vfi config
Configures an Any Transport over MPLS (AToM) static pseudowire connection by defining local and remote circuit labels.
Step 10
control-word {include | exclude}
Example:
Device(config-if)# control-word include
(Optional) Enables the Multiprotocol Label Switching (MPLS) control word in an AToM dynamic pseudowire connection.
Step 11
exit
Example:
Device(config-if)# exit
Exits interface configuration mode and returns to global configuration mode.
Step 12
bridge-domain bd-id
Example:
Device(config)# bridge-domain 24
Specifies the bridge domain ID and enters bridge-domain configuration mode.
Step 13
member vfi vfi-name
Example:
Device(config-bdomain)# member vfi vpls1
Binds a service instance to a bridge domain instance.
Step 14
end
Example:
Device(config-bdomain)# end
Exits bridge-domain configuration mode and returns to privileged EXEC mode.
Configuring an Attachment Circuit for Static VPLS
SUMMARY STEPS
enable
configure terminal
interface gigabitethernet slot/interface
service instance si-id ethernet
encapsulation dot1q vlan-id
rewrite ingress tag pop number [symmetric]
bridge-domain bd-id
end
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Device> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.
Step 3
interface gigabitethernet slot/interface
Example:
Device(config)# interface gigabitethernet 0/0/1
Specifies an interface and enters interface configuration mode.
Ensure that the interfaces between the customer edge (CE) and provider edge (PE) devices that run Ethernet over MPLS (EoMPLS) are in the same subnet. All other interfaces and backbone devices do not need to be in the same subnet.
Step 4
service instance si-id ethernet
Example:
Device(config-if)# service instance 100 ethernet
Configures an Ethernet service instance on an interface and enters service instance configuration mode.
Step 5
encapsulation dot1q vlan-id
Example:
Device(config-if-srv)# encapsulation dot1q 200
Defines the matching criteria to map 802.1Q frames ingress on an interface to the appropriate service instance.
Ensure that the interface on the adjoining CE device is on the same VLAN as this PE device.
Step 6
rewrite ingress tag pop number [symmetric]
Example:
Device(config-if-srv)# rewrite ingress tag pop 1 symmetric
(Optional) Specifies the encapsulation adjustment to be performed on a frame ingressing a service instance and the tag to be removed from a packet.
Step 7
bridge-domain bd-id
Example:
Device(config-if-srv)# bridge-domain 24
(Optional) Binds a service instance or a MAC tunnel to a bridge domain instance.
Step 8
end
Example:
Device(config-if-srv)# end
Exits service instance configuration mode and returns to privileged EXEC mode.
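The tag matching and rewrite configured in Steps 5 and 6, and the Q-in-Q tag stacking described earlier, can be checked offline against raw frames. This Python example is added here and is not Cisco code; the sample frames are constructed, and it assumes that encapsulation dot1q vlan-id matches on the outermost tag whatever inner tags follow and that the symmetric keyword restores the popped tag on egress.

```python
import struct

TPIDS = {0x8100, 0x88A8}  # 802.1Q tag and 802.1ad service tag


def parse_frame(frame: bytes):
    """Split a frame into (dst, src, tags, ethertype, payload).

    tags is a list of (tpid, tci) pairs, outermost first.
    """
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst, src, offset, tags = frame[:6], frame[6:12], 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TPIDS:
            break
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((ethertype, tci))
        offset += 4
    return dst, src, tags, ethertype, frame[offset + 2:]


def build_frame(dst, src, tags, ethertype, payload) -> bytes:
    out = dst + src
    for tpid, tci in tags:
        out += struct.pack("!HH", tpid, tci)
    return out + struct.pack("!H", ethertype) + payload


def vlan_ids(tags) -> list:
    """VLAN IDs are the low 12 bits of each TCI; the rest is priority/DEI."""
    return [tci & 0x0FFF for _, tci in tags]


def efp_matches(tags, outer: int, second=None) -> bool:
    """Model of 'encapsulation dot1q <outer> [second-dot1q <second>]'."""
    ids = vlan_ids(tags)
    if not ids or ids[0] != outer:
        return False  # untagged, or a different outer VLAN
    if second is None:
        return True   # assumption: inner tags are not inspected
    return len(ids) >= 2 and ids[1] == second


def ingress_pop(frame: bytes, outer: int, second=None, pop: int = 1):
    """Model of 'rewrite ingress tag pop <n>' on a matching service instance.

    Returns (rewritten_frame, popped_tags), or None when the frame does not
    match the service instance and so never enters the bridge domain.
    """
    dst, src, tags, ethertype, payload = parse_frame(frame)
    if not efp_matches(tags, outer, second) or pop > len(tags):
        return None
    return build_frame(dst, src, tags[pop:], ethertype, payload), tags[:pop]


def egress_push(frame: bytes, popped) -> bytes:
    """The 'symmetric' half: put the popped tags back on the way out."""
    dst, src, tags, ethertype, payload = parse_frame(frame)
    return build_frame(dst, src, list(popped) + tags, ethertype, payload)


# Constructed sample frames (documentation-range MAC addresses).
DST = bytes.fromhex("00005e005301")
SRC = bytes.fromhex("00005e005302")
PAYLOAD = b"constructed payload"
SINGLE = build_frame(DST, SRC, [(0x8100, (5 << 13) | 200)], 0x0800, PAYLOAD)
DOUBLE = build_frame(DST, SRC, [(0x8100, 200), (0x8100, 30)], 0x0800, PAYLOAD)
UNTAGGED = build_frame(DST, SRC, [], 0x0800, PAYLOAD)
OTHER_VLAN = build_frame(DST, SRC, [(0x8100, 300)], 0x0800, PAYLOAD)

if __name__ == "__main__":
    for label, frame in [("single", SINGLE), ("double", DOUBLE),
                         ("untagged", UNTAGGED), ("vlan 300", OTHER_VLAN)]:
        result = ingress_pop(frame, outer=200)
        remaining = None if result is None else vlan_ids(parse_frame(result[0])[2])
        print(label, "->", "no match" if result is None else remaining)
```

Frames that return None here are the ones the service instance ignores, which is the isolation property to confirm when several customers share one physical port.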
Configuring an Attachment Circuit for Static VPLS: Alternate Configuration
Specifies an interface and enters interface configuration mode.
Ensure that the interfaces between the customer edge (CE) and provider edge (PE) devices that are running Ethernet over MPLS (EoMPLS) are in the same subnet. All other interfaces and backbone devices do not need to be in the same subnet.
Step 4
service instance si-id ethernet
Example:
Device(config-if)# service instance 10 ethernet
Specifies a service instance ID and enters service instance configuration mode.
Step 5
encapsulation dot1q vlan-id
Example:
Device(config-if-srv)# encapsulation dot1q 200
Defines the matching criteria to map 802.1Q frames ingress on an interface to the appropriate service instance.
Ensure that the interface on the adjoining CE device is on the same VLAN as this PE device.
Step 6
rewrite ingress tag pop number [symmetric]
Example:
Device(config-if-srv)# rewrite ingress tag pop 1 symmetric
(Optional) Specifies the encapsulation adjustment to be performed on a frame ingressing a service instance and the tag to be removed from a packet.
Step 7
exit
Example:
Device(config-if-srv)# exit
Exits service instance configuration mode and returns to interface configuration mode.
Step 8
exit
Example:
Device(config-if)# exit
Exits interface configuration mode and returns to global configuration mode.
Step 9
bridge-domain bd-id
Example:
Device(config)# bridge-domain 100
Specifies the bridge domain ID and enters bridge-domain configuration mode.
Device(config-if)# mpls tp link 10 tx-mac 0100.0c99.8877
Configures Multiprotocol Label Switching (MPLS) transport profile (TP) link parameters.
Step 21
end
Example:
Device(config-if)# end
Exits interface configuration mode and returns to privileged EXEC mode.
Configuration Examples for Virtual Private LAN Services
Example: Configuring 802.1Q
Access Ports for Tagged Traffic from a CE Device
This example shows
how to configure the tagged traffic:
Device(config)# interface GigabitEthernet 0/0/1
Device(config-if)# no ip address
Device(config-if)# negotiation auto
Device(config-if)# service instance 10 ethernet
Device(config-if-srv)# encapsulation dot1q 200
Device(config-if-srv)# bridge-domain 100
Device(config-if-srv)# end
Example: Configuring 802.1Q
Access Ports for Tagged Traffic from a CE Device: Alternate Configuration
The following example
shows how to configure the tagged traffic:
Device(config)# interface GigabitEthernet 0/0/1
Device(config-if)# no ip address
Device(config-if)# negotiation auto
Device(config-if)# service instance 10 ethernet
Device(config-if-srv)# encapsulation dot1q 200
Device(config-if-srv)# exit
Device(config-if)# exit
Device(config)# bridge-domain 100
Device(config-bdomain)# member gigabitethernet0/0/1 service-instance 10
Device(config-bdomain)# end
Example: Configuring Access
Ports for Untagged Traffic from a CE Device
The following example
shows how to configure access ports for untagged traffic:
Device(config)# interface gigabitethernet 0/0/0
Device(config-if)# no ip address
Device(config-if)# negotiation auto
Device(config-if)# service instance 10 ethernet
Device(config-if-srv)# encapsulation untagged
Device(config-if-srv)# bridge-domain 100
Device(config-if-srv)# end
The following example
shows a virtual forwarding interface (VFI) configuration:
The output of the
show mpls l2transport vc
command displays various information related to a provider edge
(PE) device. The VC ID in the output represents the VPN ID; the VC is
identified by the combination of the destination address and the VC ID as shown
in the command output. The output of the
show mpls l2transport vc
detail command displays detailed information about virtual
circuits (VCs) on a PE device.
Device# show mpls l2transport vc 201
Local intf Local circuit Dest address VC ID Status
------------- -------------------- --------------- ---------- ----------
VFI VPLSA VFI 10.11.11.11 110 UP
VFI VPLSA VFI 10.33.33.33 110 UP
VFI VPLSA VFI 10.44.44.44 110 UP
The following sample
output from the
show vfi
command displays the VFI status:
Device# show vfi VPLSA
VFI name: VPLSA, state: up
Local attachment circuits:
Vlan2
Neighbors connected via pseudowires:
Peer Address VC ID Split-horizon
10.11.11.11 110 Y
10.33.33.33 110 Y
10.44.44.44 110 Y
Device# show vfi VPLSB
VFI name: VPLSB, state: up
Local attachment circuits:
Vlan2
Neighbors connected via pseudowires:
Peer Address VC ID Split-horizon
10.99.99.99 111 Y
10.12.12.12 111 Y
10.13.13.13 111 N
Example: Configuring Access
Ports for Untagged Traffic from a CE Device: Alternate Configuration
The following example
shows how to configure the untagged traffic.
Device(config)# interface GigabitEthernet 0/4/4
Device(config-if)# no ip address
Device(config-if)# negotiation auto
Device(config-if)# service instance 10 ethernet
Device(config-if-srv)# encapsulation untagged
Device(config-if-srv)# exit
Device(config-if)# exit
Device(config)# bridge-domain 100
Device(config-bdomain)# member GigabitEthernet0/4/4 service-instance 10
Device(config-bdomain)# end
Example: Configuring Q-in-Q
EFP
The following example
shows how to configure the tagged traffic.
Device(config)# interface GigabitEthernet 0/0/2
Device(config-if)# no ip address
Device(config-if)# negotiation auto
Device(config-if)# service instance 10 ethernet
Device(config-if-srv)# encapsulation dot1q 200 second-dot1q 400
Device(config-if-srv)# bridge-domain 100
Device(config-if-srv)# end
Use the
show spanning-tree
vlan command to verify that the ports are not in a blocked state.
Use the
show vlan id
command to verify that a specific port is configured to send and receive
specific VLAN traffic.
Example: Configuring
Q-in-Q in EFP: Alternate Configuration
The following example
shows how to configure the tagged traffic:
Device(config)# interface GigabitEthernet 0/4/4
Device(config-if)# no ip address
Device(config-if)# nonegotiate auto
Device(config-if)# service instance 10 ethernet
Device(config-if-srv)# encapsulation dot1q 200 second-dot1q 400
Device(config-if-srv)# exit
Device(config-if)# exit
Device(config)# bridge-domain 100
Device(config-bdomain)# member GigabitEthernet0/4/4 service-instance 10
Device(config-bdomain)# end
Use the
show spanning-tree
vlan command to verify that the port is not in a blocked state.
Use the
show vlan id
command to verify that a specific port is configured to send and receive
specific VLAN traffic.
Example: Configuring MPLS on a PE Device
The following example shows a global Multiprotocol Label Switching (MPLS) configuration:
The following sample output from the show ip cef command displays the Label Distribution Protocol (LDP) label assigned:
Device# show ip cef 192.168.17.7
192.168.17.7/32, version 272, epoch 0, cached adjacency to POS4/1
0 packets, 0 bytes
tag information set
local tag: 8149
fast tag rewrite with PO4/1, point2point, tags imposed: {4017}
via 10.3.1.4, POS4/1, 283 dependencies
next hop 10.3.1.4, POS4/1
valid cached adjacency
tag rewrite with PO4/1, point2point, tags imposed: {4017}
Example: VFI on a PE
Device
The following example
shows a virtual forwarding instance (VFI) configuration:
The
show mpls l2transport vc
command displays information about the provider edge (PE)
device. The
show mpls l2transport vc
detail command displays detailed information about the virtual
circuits (VCs) on a PE device.
Device# show mpls l2transport vc 201
Local intf Local circuit Dest address VC ID Status
------------- -------------------- --------------- ---------- ----------
VFI test1 VFI 209.165.201.1 201 UP
VFI test1 VFI 209.165.201.2 201 UP
VFI test1 VFI 209.165.201.3 201 UP
The show vfi
vfi-name command displays VFI status. The VC ID in
the output represents the VPN ID; the VC is identified by the combination of
the destination address and the VC ID as in the example below.
Device# show vfi VPLS-2
VFI name: VPLS-2, state: up
Local attachment circuits:
Vlan2
Neighbors connected via pseudowires:
Peer Address VC ID Split-horizon
10.1.1.1 2 Y
10.1.1.2 2 Y
10.2.2.3 2 N
Example: VFI on a PE Device:
Alternate Configuration
The following example
shows how to configure a virtual forwarding interface (VFI) on a provider edge
(PE) device:
Device(config)# l2vpn vfi context vfi110
Device(config-vfi)# vpn id 110
Device(config-vfi)# member 172.16.10.2 4 encapsulation mpls
Device(config-vfi)# member 10.33.33.33 encapsulation mpls
Device(config-vfi)# member 10.44.44.44 encapsulation mpls
Device(config-vfi)# exit
Device(config)# bridge-domain 100
Device(config-bdomain)# member vfi vfi110
Device(config-bdomain)# end
The following example
shows a hub-and-spoke VFI configuration:
Device(config)# l2vpn vfi context VPLSA
Device(config-vfi)# vpn id 110
Device(config-vfi)# member 10.9.9.9 encapsulation mpls
Device(config-vfi)# member 172.16.10.2 4 encapsulation mpls
Device(config-vfi)# exit
Device(config)# bridge-domain 100
Device(config-bdomain)# member vfi VPLSA
Device(config-bdomain)# member GigabitEthernet0/0/0 service-instance 100
Device(config-bdomain)# member 10.33.33.33 10 encapsulation mpls
Device(config-bdomain)# end
The
show l2vpn atom
vc command displays information about the PE device. The command
also displays information about Any Transport over MPLS (AToM) virtual circuits
(VCs) and static pseudowires that are enabled to route Layer 2 packets on a
device.
Device# show l2vpn atom vc
Local intf Local circuit Dest address VC ID Status
------------- ----------------------- --------------- ---------- ----------
Et0/0.1 Eth VLAN 101 10.0.0.2 101 UP
Et0/0.1 Eth VLAN 101 10.0.0.3 201 DOWN
The
show l2vpn vfi
command displays the VFI status. The VC ID in the output represents the VPN ID;
the VC is identified by the combination of the destination address and the VC
ID as in the example below.
In a full-mesh
configuration, each provider edge (PE) device creates a
multipoint-to-multipoint forwarding relationship with all other PE devices in
the Virtual Private LAN Services (VPLS) domain using a virtual forwarding
interface (VFI). An Ethernet or a VLAN packet received from the customer
network can be forwarded to one or more local interfaces and/or emulated
virtual circuits (VCs) in the VPLS domain. To avoid a broadcast packet loop in
the network, packets received from an emulated VC cannot be forwarded to any
emulated VC in the VPLS domain on a PE device. Ensure that Layer 2 split
horizon is enabled to avoid a broadcast packet loop in a full-mesh network.
PE 1 Configuration
The following
example shows how to create virtual switch instances (VSIs) and associated
VCs:
The following
example shows how to configure the CE device interface (there can be multiple
Layer 2 interfaces in a VLAN).
interface GigabitEthernet 0/0/1
no ip address
negotiation auto
service instance 10 ethernet
encapsulation dot1q 200
bridge-domain 100
!
The following
sample output from the
show mpls l2 vc
command provides information about the status of the VC:
Device# show mpls l2 vc
Local intf Local circuit Dest address VC ID Status
------------- -------------------- --------------- ---------- ----------
VFI PE1-VPLS-A VFI 10.2.2.2 100 UP
VFI PE1-VPLS-A VFI 10.3.3.3 100 UP
The following
sample output from the
show vfi
command provides information about the VFI:
Device# show vfi PE1-VPLS-A
VFI name: VPLSA, state: up
Local attachment circuits:
Vlan200
Neighbors connected via pseudowires:
10.2.2.2 10.3.3.3
The following
sample output from the
show mpls l2transport vc
command provides information about virtual circuits:
Device# show mpls l2transport vc detail
Local interface: VFI PE1-VPLS-A up
Destination address: 10.2.2.2, VC ID: 100, VC status: up
Tunnel label: imp-null, next hop point2point
Output interface: Se2/0, imposed label stack {18}
Create time: 3d15h, last status change time: 1d03h
Signaling protocol: LDP, peer 10.2.2.2:0 up
MPLS VC labels: local 18, remote 18
Group ID: local 0, remote 0
MTU: local 1500, remote 1500
Remote interface description:
Sequencing: receive disabled, send disabled
VC statistics:
packet totals: receive 0, send 0
byte totals: receive 0, send 0
packet drops: receive 0, send 0
In a full-mesh
configuration, each provider edge (PE) router creates a
multipoint-to-multipoint forwarding relationship with all other PE routers in
the Virtual Private LAN Services (VPLS) domain using a virtual forwarding
interface (VFI). An Ethernet or virtual LAN (VLAN) packet received from the
customer network can be forwarded to one or more local interfaces and/or
emulated virtual circuits (VCs) in the VPLS domain. To avoid broadcasted
packets looping in the network, no packet received from an emulated VC can be
forwarded to any emulated VC of the VPLS domain on a PE router. That is, Layer
2 split horizon should always be enabled as the default in a full-mesh network.
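The split-horizon requirement stated in both full-mesh descriptions above can be checked from show vfi output. The following Python is an added example, not Cisco code; the sample text is constructed in the format of the show vfi output on this page, and the function names and the intended_spokes parameter are assumptions.

```python
import re

# Constructed sample in the format of the "show vfi" output shown on this page.
SAMPLE_SHOW_VFI = """\
VFI name: VPLSA, state: up
  Local attachment circuits:
    Vlan2
  Neighbors connected via pseudowires:
  Peer Address     VC ID     Split-horizon
  10.11.11.11      110       Y
  10.33.33.33      110       Y
VFI name: VPLSB, state: up
  Local attachment circuits:
    Vlan2
  Neighbors connected via pseudowires:
  Peer Address     VC ID     Split-horizon
  10.99.99.99      111       Y
  10.13.13.13      111       N
"""

VFI_RE = re.compile(r"^\s*VFI name:\s*(\S+?),\s*state:\s*(\S+)")
PEER_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+([YN])\s*$")


def parse_show_vfi(text):
    """Return {vfi_name: {"state": str, "peers": [(addr, vc_id, split_horizon)]}}."""
    vfis, current = {}, None
    for line in text.splitlines():
        m = VFI_RE.match(line)
        if m:
            current = vfis.setdefault(m.group(1), {"state": m.group(2), "peers": []})
            continue
        m = PEER_RE.match(line)
        if m and current is not None:
            current["peers"].append((m.group(1), int(m.group(2)), m.group(3) == "Y"))
    return vfis


def audit_full_mesh(text, intended_spokes=frozenset()):
    """List (vfi, peer, reason) findings for VFIs that are meant to be full mesh.

    intended_spokes holds (vfi_name, peer_address) pairs where split horizon is
    disabled on purpose, as in a hub-and-spoke design.
    """
    findings = []
    for name, vfi in parse_show_vfi(text).items():
        if vfi["state"] != "up":
            findings.append((name, None, "VFI state is " + vfi["state"]))
        # The VC ID represents the VPN ID, so one VFI should show a single value.
        vc_ids = {vc for _, vc, _ in vfi["peers"]}
        if len(vc_ids) > 1:
            findings.append((name, None, "mixed VC IDs " + str(sorted(vc_ids))))
        for addr, _, split in vfi["peers"]:
            if not split and (name, addr) not in intended_spokes:
                findings.append((name, addr, "split horizon disabled"))
    return findings
```

A peer listed with N is only acceptable when it is a deliberate spoke; passing it in intended_spokes records that decision explicitly.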
PE 1 Configuration
The following
example shows how to create virtual switch instances (VSIs) and associated VCs
and to configure the CE device interface (there can be multiple Layer 2
interfaces in a VLAN):
interface gigabitethernet 0/0/0
service instance 100 ethernet
encap dot1q 100
no shutdown
!
l2vpn vfi context PE1-VPLS-A
vpn id 100
neighbor 10.2.2.2 encapsulation mpls
neighbor 10.3.3.3 encapsulation mpls
!
bridge-domain 100
member gigabitethernet0/0/0 service-instance 100
member vfi PE1-VPLS-A
PE 2 Configuration
The following
example shows how to create VSIs and associated VCs and to configure the CE
device interface (there can be multiple Layer 2 interfaces in a VLAN):
interface gigabitethernet 0/0/0
service instance 100 ethernet
encap dot1q 100
no shutdown
!
l2vpn vfi context PE2-VPLS-A
vpn id 100
neighbor 10.1.1.1 encapsulation mpls
neighbor 10.3.3.3 encapsulation mpls
!
bridge-domain 100
member gigabitethernet0/0/0 service-instance 100
member vfi PE2-VPLS-A
PE 3 Configuration
The following
example shows how to create the VSIs and associated VCs and to configure the
CE device interface (there can be multiple Layer 2 interfaces in a VLAN):
interface gigabitethernet 0/0/0
service instance 100 ethernet
encap dot1q 100
no shutdown
!
l2vpn vfi context PE3-VPLS-A
vpn id 100
neighbor 10.1.1.1 encapsulation mpls
neighbor 10.2.2.2 encapsulation mpls
!
bridge-domain 100
member gigabitethernet0/0/0 service-instance 100
member vfi PE3-VPLS-A
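Because split horizon stops a PE from relaying traffic between pseudowires, a full mesh only works when every PE lists every other PE under the same VPN ID. The following Python is an added example, not Cisco code, that checks this across the three PE stanzas; the router-ID keys are assumptions inferred from the neighbor statements, the function names are hypothetical, and the PE 3 stanza is deliberately constructed with one neighbor missing.

```python
import re

# Constructed inventory: assumed router ID -> VFI stanza in the style of the
# PE 1 / PE 2 / PE 3 examples above. PE 3 is missing its neighbor 10.2.2.2.
PE_CONFIGS = {
    "10.1.1.1": """l2vpn vfi context PE1-VPLS-A
 vpn id 100
 neighbor 10.2.2.2 encapsulation mpls
 neighbor 10.3.3.3 encapsulation mpls
""",
    "10.2.2.2": """l2vpn vfi context PE2-VPLS-A
 vpn id 100
 neighbor 10.1.1.1 encapsulation mpls
 neighbor 10.3.3.3 encapsulation mpls
""",
    "10.3.3.3": """l2vpn vfi context PE3-VPLS-A
 vpn id 100
 neighbor 10.1.1.1 encapsulation mpls
""",
}

VPN_RE = re.compile(r"^\s*vpn id\s+(\d+)\s*$", re.M)
# Accepts both the "neighbor" and "member" forms used on this page.
PEER_RE = re.compile(
    r"^\s*(?:neighbor|member)\s+(\d+(?:\.\d+){3})\b.*\bencapsulation mpls\s*$", re.M
)


def parse_vfi(config):
    """Return (vpn_id, set_of_peer_addresses) for one VFI stanza."""
    vpn = VPN_RE.search(config)
    return (int(vpn.group(1)) if vpn else None, set(PEER_RE.findall(config)))


def check_full_mesh(pe_configs):
    """Return sorted findings: VPN ID mismatches and missing or one-sided pseudowires."""
    parsed = {rid: parse_vfi(cfg) for rid, cfg in pe_configs.items()}
    findings = []
    vpn_ids = {vpn for vpn, _ in parsed.values()}
    if len(vpn_ids) > 1:
        findings.append(("vpn-id-mismatch", sorted(str(v) for v in vpn_ids)))
    for local, (_, peers) in parsed.items():
        for remote in pe_configs:
            if remote == local or remote in peers:
                continue
            # "one-sided": the remote PE points at us but we do not point back.
            kind = "one-sided" if local in parsed[remote][1] else "missing"
            findings.append((kind, [local, remote]))
        for extra in sorted(peers - set(pe_configs)):
            findings.append(("unknown-peer", [local, extra]))
    return sorted(findings)
```

On the constructed inventory the check reports a one-sided pseudowire from 10.3.3.3 toward 10.2.2.2; with that neighbor added to PE 3 it reports nothing.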
The following
sample output from the
show mpls l2 vc command provides information on the status of
the VC:
Device# show mpls l2 vc
Local intf Local circuit Dest address VC ID Status
------------- -------------- --------------- ---------- ----------
VFI PE3-VPLS-A VFI 10.2.2.2 100 UP
VFI PE3-VPLS-A VFI 10.3.3.3 100 UP
The following
sample output from the
show l2vpn vfi command provides information about the VFI:
The following
sample output from the
show l2vpn atom vc command provides information on the virtual
circuits:
Device# show l2vpn atom vc
Local intf Local circuit Dest address VC ID Status
------------- ----------------------- --------------- ---------- ----------
Et0/0.1 Eth VLAN 101 10.0.0.2 101 UP
Et0/0.1 Eth VLAN 101 10.0.0.3 201 DOWN
Feature Information for
Configuring Virtual Private LAN Services
The following table
provides release information about the feature or features described in this
module. This table lists only the software release that introduced support for
a given feature in a given software release train. Unless noted otherwise,
subsequent releases of that software release train also support that feature.
Use Cisco Feature
Navigator to find information about platform support and Cisco software image
support. To access Cisco Feature Navigator, go to
www.cisco.com/go/cfn.
An account on Cisco.com is not required.
Table 1. Feature Information for Configuring Virtual Private LAN Services
Feature Name | Releases | Feature Information
Configuring Virtual Private LAN Services | Cisco IOS XE Release 3.13.0S | This feature was introduced on the Cisco ASR 920 Routers (ASR-920-12CZ-A, ASR-920-12CZ-D, ASR-920-4SZ-A, ASR-920-4SZ-D).
Layer 2 Protocol
Tunneling
Customers at different sites connected across a service-provider network need to use various Layer 2 protocols to scale their
topologies to include all remote sites, as well as the local sites. STP must run properly, and every VLAN should build a proper
spanning tree that includes the local site and all remote sites across the service-provider network. Cisco Discovery Protocol
(CDP) must discover neighboring Cisco devices from local and remote sites.
VLAN Trunking Protocol (VTP) must provide consistent VLAN configuration throughout all sites in the customer network that
are participating in VTP. Similarly, DTP, LACP, LLDP, PAgP, and UDLD can also run across the service-provider network.
When protocol tunneling is enabled, edge switches on the inbound side of the service-provider network encapsulate Layer 2
protocol packets with a special MAC address (0100.0CCD.CDD0) and send them across the service-provider network. Core switches
in the network do not process these packets but forward them as normal (unknown multicast data) packets. Layer 2 protocol
data units (PDUs) for the configured protocols cross the service-provider network and are delivered to customer switches on
the outbound side of the service-provider network. Identical packets are received by all customer ports on the same VLANs
with these results:
Users on each of a customer's sites can properly run STP, and every VLAN can build a correct spanning tree based on parameters
from all sites and not just from the local site.
CDP discovers and shows information about the other Cisco devices connected through the service-provider network.
VTP provides consistent VLAN configuration throughout the customer network, propagating to all switches through the service
provider that support VTP.
Customers use Layer 2 protocol tunneling to tunnel BPDUs through a service-provider network without interfering with internal
provider network BPDUs.
Note
Layer 2 protocol tunneling is supported on EFPs, but not on switchports.
Note
EFP with Xconnect is enhanced to transparently forward the Layer 2 Control Protocol (L2CP) frames at the hardware level. Use
the following command to forward the L2CP frames except the CFM frames:
mac-address-table evc-xconnect l2pt-forward-all
In addition to the listed L2CP frames, 802.1x (0x888E) frames and MACSec (0x88E5) frames can be forwarded over EoMPLS by
enabling this command globally.
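For monitoring, the frames described above can be recognized in a capture by the tunnel destination MAC and by the two EtherTypes named in the note. The following Python classifier is an added example, not Cisco code; the function names, port names and sample frames are constructed, and the placeholder source MAC and the length value 0x0026 are assumptions.

```python
import struct
from collections import Counter

L2PT_TUNNEL_MAC = bytes.fromhex("01000ccdcdd0")    # 0100.0CCD.CDD0, from the text above
VLAN_TPIDS = {0x8100, 0x88A8}                      # 802.1Q and 802.1ad tag protocol IDs
ETHERTYPES = {0x888E: "802.1X", 0x88E5: "MACsec"}  # values quoted in the note above


def classify_frame(frame):
    """Return (label, vlan_ids) for one raw Ethernet frame.

    A frame too short to parse yields ("truncated", vlan_ids_seen_so_far).
    """
    if len(frame) < 14:
        return ("truncated", [])
    dst = frame[:6]
    offset, vlans = 12, []
    (etype,) = struct.unpack_from("!H", frame, offset)
    # Walk past up to two VLAN tags (Q-in-Q) to reach the real EtherType.
    while etype in VLAN_TPIDS and len(vlans) < 2:
        if len(frame) < offset + 6:
            return ("truncated", vlans)
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append(tci & 0x0FFF)
        offset += 4
        (etype,) = struct.unpack_from("!H", frame, offset)
    if dst == L2PT_TUNNEL_MAC:
        return ("l2pt-tunneled", vlans)
    if etype in ETHERTYPES:
        return (ETHERTYPES[etype], vlans)
    return ("other", vlans)


def build_frame(dst, etype, vlans=(), payload=b"\x00" * 46):
    """Construct a sample frame (test data only); the source MAC is a placeholder."""
    tags = b"".join(struct.pack("!HH", 0x8100, v) for v in vlans)
    return dst + bytes.fromhex("020000000001") + tags + struct.pack("!H", etype) + payload


def summarize(capture):
    """Count labels per ingress port for an iterable of (port, frame) pairs."""
    return Counter((port, classify_frame(frame)[0]) for port, frame in capture)


# Constructed capture: one tunneled PDU, one 802.1X frame, one MACsec frame.
SAMPLE_CAPTURE = [
    ("Gi0/0/1", build_frame(L2PT_TUNNEL_MAC, 0x0026, vlans=(200,))),
    ("Gi0/0/1", build_frame(bytes.fromhex("0180c2000003"), 0x888E)),
    ("Gi0/0/2", build_frame(bytes.fromhex("ffffffffffff"), 0x88E5, vlans=(200, 400))),
]
```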
In the figure below, Customer X has four switches in the same VLAN, which are connected through the service-provider network.
If the network does not tunnel PDUs, switches on the far ends of the network cannot properly run STP, CDP, and other Layer
2 protocols. For example, STP for a VLAN on a switch in Customer X, Site 1, will build a spanning tree on the switches at
that site without considering convergence parameters based on Customer X's switch in Site 2. This could result in the topology
shown in the figure below.
In a service-provider network, you can use Layer 2 protocol tunneling to enhance the creation of EtherChannels by emulating
a point-to-point network topology. When you enable protocol tunneling (PAgP or LACP) on the service-provider switch, remote
customer switches receive the PDUs and can negotiate the automatic creation of EtherChannels.
For example, in the figure below, Customer A has two switches in the same VLAN that are connected through the SP network. When
the network tunnels PDUs, switches on the far ends of the network can negotiate the automatic creation of EtherChannels without
needing dedicated lines.
Use the
l2protocol tunnel protocol
service-instance configuration command to enable Layer 2 protocol tunneling on
a service instance.
Valid protocols
include CDP, LACP, LLDP, PAgP, STP, UDLD, and VTP. If a protocol is not
specified for a service instance, the protocol frame is dropped at the
interface.
This is an example of
Layer 2 protocol tunneling configuration: