Layer 2 VPN Architectures
By Wei Luo, CCIE No. 13,291; Carlos Pignataro, CCIE No. 4619; Dmitry Bokotey, CCIE No. 4460; Anthony Chan, CCIE No. 10,266
Publisher: Cisco Press
Pub Date: March 10, 2005
ISBN: 1-58705-168-0
Pages: 648
Master the world of Layer 2 VPNs to provide enhanced services and enjoy productivity gains

Learn about Layer 2 Virtual Private Networks (VPNs)
Reduce costs and extend the reach of your services by unifying your network architecture
Gain from the first book to address Layer 2 VPN application utilizing both ATOM and L2TP protocols
Review strategies that allow large enterprise customers to enhance their service offerings while maintaining routing control

For a majority of Service Providers, a significant portion of their revenues are still derived from data and voice services based on legacy transport technologies. Although Layer 3 MPLS VPNs fulfill the market need for some customers, they have some drawbacks. Ideally, carriers with existing legacy Layer 2 and Layer 3 networks would like to move toward a single backbone while new carriers would like to sell the lucrative Layer 2 services over their existing Layer 3 cores. The solution in these cases is a technology that would allow Layer 2 transport over a Layer 3 infrastructure.

Layer 2 VPN Architectures introduces readers to Layer 2 Virtual Private Network (VPN) concepts, and describes Layer 2 VPN techniques via introductory case studies and comprehensive design scenarios. This book assists readers looking to meet those requirements by explaining the history and implementation details of the two technologies available from the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLS-based cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native IP cores. The structure of this book is focused on first introducing the reader to Layer 2 VPN benefits and implementation requirements and comparing them to those of Layer 3 based VPNs, such as MPLS, then progressively covering each currently available solution in greater detail.
Copyright
Layer 2 VPN Architectures
Wei Luo
Carlos Pignataro
Dmitry Bokotey
Anthony Chan
Copyright 2005 Cisco Systems, Inc.
Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
First Printing February 2005
Library of Congress Cataloging-in-Publication Number: 2003109688
ISBN: 1-58705-168-0
Warning and Disclaimer
This book is designed to provide information about Layer 2 VPN architectures. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an "as is" basis. The author, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.
Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been
appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of
this information. Use of a term in this book should not be regarded as affecting the validity of
any trademark or service mark.
Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.
Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.
Corporate and Government Sales
For sales outside the U.S. please contact: International Sales international@pearsoned.com
www-europe.cisco.com
Tel: 31 0 20 357 1000
Fax: 31 0 20 357 1100
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883
Switzerland Taiwan Thailand Turkey Ukraine United Kingdom United States Venezuela Vietnam Zimbabwe
Copyright 2003 Cisco Systems, Inc. All rights reserved. CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R)
Printed in the USA
Dedications
Wei Luo: This book is dedicated to my mother, Ximen, in loving memory for her everlasting
selfless devotion and belief in me. This book is also dedicated to my father, Jiyang Luo, my
sister and brother-in-law, Michelle and Tong Ge, and my lovely nephew and niece, Jesse and
Lauren, for all their sacrifices and support over the years and their enduring love.
Carlos Pignataro: I dedicate this book to my son, Luca, and my wife, Veronica, for filling my life with joy. I also dedicate this book to my mother, Elena Renee Goenaga, in loving memory, and to my father, Juan Carlos, with heartfelt gratitude and deepest love.
Dmitry Bokotey: To dear friends Tom Kladek, Kevin Taylor, and Carlos Pignataro who opened all the doors.
Anthony Chan: Dedicated to my wonderful parents, Foon and Sin Ying Chan, my brother and sister-in-law, Johnny Chan and Diana Chu, and to the memory of my grandmother, Fung Yu Choy, for their guidance and wisdom. I also dedicate this book to my niece, Alicia. May your future be bright and filled with opportunities.
About the Authors
Wei Luo, CCIE No. 13,291, is a technical leader at Cisco Systems, Inc. Since joining Cisco in 1998, Wei has led many product design and development initiatives in remote-access networks, WANs, and MPLS technologies. He is the principal designer and developer for Cisco Pseudowire Emulation and Layer 2 VPN products, such as AToM and VPLS. He actively participates in IETF standardization processes, contributing to and authoring various RFCs and Internet drafts in the IETF working groups. Wei has B.S. and M.S. degrees in computer science.
Carlos Pignataro, CCIE No. 4619, is a senior engineer in the Escalation Team for Cisco Systems, Inc. In this role he is responsible for handling difficult and complex escalations, working on critical or stalled software defects, and participating in the new product development process. Carlos has a B.S. in electrical engineering and an M.S. in telecommunications and networking. Carlos has contributed to IETF Internet drafts, is an active speaker at Networkers conventions, and has authored Cisco Multiservice Switching Networks, also by Cisco Press.
Dmitry Bokotey, CCIE No. 4460, holds a quadruple CCIE title in the fields of Routing and Switching, ISP Dial, Security, and Service Provider. He is a network consulting engineer with the Central Engineering and Metro Ethernet team of Cisco Systems. For the past twelve years, he has designed and implemented diverse networking environments for various large enterprise and service provider customers. Over the course of his career, he has presented seminars on numerous advanced networking subjects. He is coauthor on two other books published by Cisco Press: CCIE Practical Studies: Security and CCNP Practical Studies: Remote Access.
Anthony Chan, CCIE No. 10,266, is a network consulting engineer for Cisco Systems' Advanced Services Central Engineering organization. Anthony participates in MPLS and routing technology teams, which provide focused design and proactive support to service provider and enterprise customers. He holds a bachelor's degree in electrical engineering from Northwestern University and has previously worked at Ford Motor Company and International Network Services.
About the Technical Reviewers
Archana Sharma, CCIE No. 3080, has over five years of troubleshooting experience with campus switched networks and has been working on the Catalyst switches since they were first released by Cisco. Archana has been troubleshooting and resolving customer issues since 1995, when she joined Cisco as a support engineer in the RTP TAC team supporting the Cisco campus switching product line. She has extensive troubleshooting experience with both Layer 2 switching and Layer 3 switching and provides escalation support for these in her role as team lead and as a Cisco diagnostic engineer.
John Chang, CCIE No. 2736, is a solution test lead engineer at Cisco Systems, Inc. In this role, John provides technical leadership to verify the function, scalability, and performance of remote access and IP VPN solutions. With over 20 years of network engineering experience, he has designed, developed, and supported a variety of LANs and WANs. John has B.S. and M.S. degrees in electrical engineering.
Wen Zhang, CCIE No. 4302, is a member of the TAC escalation team at Cisco Systems. He currently focuses on VPN and security technologies. With Cisco since 1997, Wen was a regular contributor to the Cisco Open Forum. He earned his B.S. and M.S. degrees in electrical engineering from Clemson University.
Acknowledgments
Wei Luo: I would like to thank all the people from Cisco Press who helped make this book possible, and special thanks go to our Executive Editor Brett Bartow for putting up with us.
I want to thank Greg Burns, Gary Green, and other colleagues at Cisco Systems for the unreserved support, wisdom, and insight. Without all of your talent and excellence in making the Layer 2 VPN technology a reality, this book would not have been possible.
This book is a true work of collaboration. I want to thank my coauthors for all their hard work and devotion. I cannot thank my coauthors without giving my special gratefulness to Dmitry Bokotey for opening the door for me and always being there.
Carlos Pignataro: I would like to thank my coauthors for their teamwork and talent that made this book possible. Thanks to our reviewers for all their helpful comments. I also want to thank all the people at the Cisco Systems family that in one way or another make these technologies a reality.
Special thanks to W. Mark Townsley for his most valued insight, openness, and for giving me a great opportunity to learn, and to my colleague Wen Zhang for always helping me find answers to my questions with his expertise and experience.
I would like to thank as well our Executive Editor Brett Bartow and our Development Editor Dayna Isley for their professionalism and patience, along with all the Cisco Press team.
Finally, I want to thank all the design engineers, network architects, and NOC engineers that keep Layer 2 VPN networks running smoothly.
Dmitry Bokotey: This book is a product of collective effort. I would like to thank my coauthors, Anthony Chan, Wei Luo, and Carlos Pignataro, for their enormous talent and expertise.
As always, I'm grateful to my wife, Alina, for her help with writing and editing my chapters.
I would also like to thank Brett Bartow and others at Cisco Press for another fruitful collaboration. Your patience is truly appreciated.
Big thanks to my Cisco Systems family for the opportunity to explore and implement the technology that became the basis for this book.
Finally, I want to thank my mom and dad for being there for me and my little Alyssa for letting me be there for her.
Anthony Chan: Thanks to my coauthors for their continued perseverance during this entire process.
Thanks to Brett Bartow and Dayna Isley and others from Cisco Press for their patience despite my numerous requests for extensions along the way.
I would also like to thank all Cisco engineering and architecture team who developed and supported L2TPv3 and UTI for creating an equivalent IP pseudowire solution.
The Safari Enabled icon on the cover of your favorite technology book means the book is available through Safari Bookshelf. When you buy this book, you get free access to the online edition for 45 days.
Safari Bookshelf is an electronic reference library that lets you easily search thousands of technical books, find code samples, download chapters, and access technical information whenever and wherever you need it.
To gain 45-day Safari Enabled access to this book:
Command Syntax Conventions
Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
Italics indicate arguments for which you supply values.
Vertical bars (|) separate alternative, mutually exclusive elements.
Square brackets [ ] indicate optional elements.
Braces { } indicate a required choice.
Braces within brackets [{ }] indicate a required choice within an optional element.
Introduction
Publisher:
Cisco Press
Until recently, the VPN
landscape
has been quite complex as service providers have struggled
Pub
Date:
March
10, 2005 access technologies (such as, dial, Frame Relay, and
with how best to accommodate traditional
ISBN:
1-58705-168-0
ATM)Table
along
with new ones
(like,
Ethernet and wireless) and Layer 3 VPNs over a common
of
network
infrastructure.
A
new
solution,
enabling service providers to converge Layer 2 and
Pages:
648
Contents
Layer
3
services
and
provide
legacy
data
services over an IP or MPLS backbone, promises to
Index
simplify matters, benefiting both service providers and enterprises.
The historical disconnect between legacy Layer 2 and Layer 3 VPN solutions has forced service
providers to build,
operate,
maintain
separate
to accommodate
various
Master
theand
world
of Layer
2 VPNs infrastructures
to provide enhanced
services and
enjoy VPN
access technologies.
However,
this
costly
proposition
is
no
longer
necessary.
As
part
of
its new
productivity gains
Unified VPN Suite, Cisco Systems now offers next-generation Layer 2 VPN services like Layer 2
Tunneling Protocol version 3 (L2TPv3) and Any Transport over MPLS (AToM) that enable
service providers to offer
Frame
Relay,
ATM,
Ethernet,
andNetworks
leased line
services over a common
Learn
about
Layer
2 Virtual
Private
(VPNs)
IP/MPLS core network. By unifying multiple network layers and providing an integrated set of
Reduce costs tools
and extend
theinfrastructure,
reach of your services
unifying
your
software services and management
over this
the Ciscoby
Layer
2 VPN
network
architecture
solution enables established
carriers,
IP-oriented ISP/CLECs, and large-enterprise customers
(LECs) to reach a broader set of potential VPN customers and offer truly global VPNs.
Although Layer 3 MPLS VPNs fulfill the market need for some customers, they have some drawbacks. Namely, Layer 3 MPLS VPNs only handle IP traffic, and they require the customer to change their usual CPE/subscriber model from a Layer 2 peering model to interfacing with the service provider at Layer 3. Ideally, carriers with existing legacy Layer 2 and Layer 3 networks would like to move towards a single backbone while new carriers would like to sell the lucrative Layer 2 services over their existing Layer 3 cores. The solution in these cases is a technology that allows Layer 2 transport over a Layer 3 infrastructure. This book assists readers looking to meet those requirements by explaining the history and implementation details of the two technologies available from the Cisco Unified VPN suite: AToM for MPLS-based cores and L2TPv3 for native IP cores.
Part I: Foundation The book begins by explaining the existing market drivers for Layer 2 VPNs and explores where each of the various types of VPNs exist. It introduces the architectural framework and choices for Layer 2 VPNs and delves into pseudowire emulation realizations and details. This part also describes the architectural reference model and standardization process of Layer 2 VPNs and pseudowire technologies, and introduces you to AToM and L2TPv3.
Chapter 1, "Understanding Layer 2 VPNs": This chapter introduces L2VPNs and their motivations. It also compares Layer 2 versus Layer 3 VPNs.
Chapter 2, "Pseudowire Emulation Framework and Standards" This chapter presents the pseudowire emulation reference model and architectural components, defines key terminology, and explains the history and standardization of pseudowire emulation in the IETF.
Chapter 3, "Layer 2 VPN Architectures" This chapter introduces AToM and L2TPv3 and presents business and technical factors to be considered when choosing a Layer 2 VPN technology.
Part II: Layer 2 Protocol Primer This part provides a complete overview of Layer 2 LAN and WAN technologies.
Chapter 4, "LAN Protocols" This chapter includes an overview of LAN protocols, such as Ethernet II and 802.3, Ethernet dot1Q, Ethernet QinQ, spanning tree, and related technologies.
Chapter 5, "WAN Data-Link Protocols" This chapter outlines different WAN protocols including HDLC, PPP, Frame Relay, and ATM.
Part III: Any Transport over MPLS The chapters in this part cover the theoretical and operational details of MPLS and LDP as they pertain to AToM, analyze the control plane (pseudowire signaling) and data plane (data encapsulation), describe the design and implementation of AToM technologies, and provide LAN and WAN protocols over MPLS and advanced AToM case studies.
Chapter 6, "Understanding Any Transport over MPLS" This chapter details the AToM and LDP operations for pseudowire signaling and describes AToM pseudowire encapsulation.
Chapter 7, "LAN Protocols over MPLS Case Studies" This chapter presents the underlying theory and case studies for LAN protocols over MPLS including port-to-port and dot1Q modes.
Chapter 8, "WAN Protocols over MPLS Case Studies" This chapter presents the underlying theory and case studies for all WAN protocols over MPLS and their various modes of operation.
Chapter 9, "Advanced AToM Case Studies" This chapter concludes the AToM section with advanced case studies such as load sharing, preferred path selection, AToM with traffic engineering (TE), AToM over GRE, inter-AS AToM, VCCV, and QoS.
Part IV: Layer 2 Tunneling Protocol Version 3 This part discusses the theory on Layer 2 protocols over Layer 2 Tunneling Protocol version 3 (L2TPv3) in IP networks, analyzes the L2TPv3 control plane protocol interactions and data plane encapsulation details, and provides LAN and WAN protocols and advanced case studies.
Chapter 10, "Understanding L2TPv3" This chapter starts with Universal Transport Interface (UTI) history and evolution into L2TPv3; it then details the L2TPv3 control plane including tunnels, sessions, cookies, AVPs, control plane messages and message formats, as well as the L2TPv3 data plane including the data packet formats.
Chapter 11, "LAN Protocols over L2TPv3 Case Studies" This chapter presents the underlying theory and case studies for LAN protocols over L2TPv3 including static sessions, static sessions with keepalives, and dynamic sessions for Ethernet port-to-port and VLAN modes with and without VLAN rewrite.
Chapter 12, "WAN Protocols over L2TPv3 Case Studies" This chapter presents the fundamental theory and case studies for all WAN protocols over L2TPv3 including HDLC, PPP, Frame Relay (DLCI and port modes), and ATM (AAL5 and the various Cell Relay modes).
Chapter 13, "Advanced L2TPv3 Case Studies" This chapter details advanced case studies for L2TPv3 networks including Path MTU Discovery, ATM OAM Emulation and cell packing, and QoS.
Part V: Additional Layer 2 VPN Architectures This part presents Any-to-Any Layer 2 VPN interworking, local switching, and Virtual Private LAN Service (VPLS). The part includes both architectural and theoretical frameworks, and configuration and design case studies.
Chapter 14, "Layer 2 Interworking and Local Switching" This chapter introduces the related Layer 2 VPN architectures of Layer 2 IP and Ethernet interworking (that is, routed and bridged interworking, respectively), Layer 2 local switching, and the combinations of interworking with local switching. This chapter includes details and case studies for both AToM and L2TPv3.
Chapter 15, "Virtual Private LAN Service" This chapter introduces the VPLS application with theory, configuration, and multiple case studies.
The book concludes with an appendix that summarizes the Cisco and IETF L2TPv3 AVP attribute types.
Part I: Foundation
Chapter 1 Understanding Layer 2 VPNs
Chapter 2 Pseudowire Emulation Framework and Standards
Chapter 3 Layer 2 VPN Architectures
A virtual private network (VPN) is a data network that utilizes a portion of a shared public network to extend a customer's private network. This provides private communications between end users, such as remote offices and telecommuters. VPNs can be broadly categorized as either Layer 2 VPNs or Layer 3 VPNs.
This chapter begins with an overview of traditional VPNs, both Layer 2 and Layer 3, followed by a more in-depth look at enhanced Layer 2 VPN solutions over IP/Multiprotocol Label Switching (MPLS) and the factors that motivated their evolution. This chapter also covers the different types of Layer 2 VPNs available today.
Since its introduction in the 1990s, Frame Relay has dominated the field of early VPN technologies. Frame Relay has enabled service providers to offer the same basic connectivity to their customers as with the leased lines, except instead of provisioning a dedicated line for each customer, they have been able to use a shared line and allocate a virtual circuit for each customer to keep each customer's traffic separate. The virtual circuits are referred to as permanent virtual circuits (PVC). By configuring PVCs, the data-link connection identifiers (DLCI) associated with various devices are established. This builds a tunnel for customer traffic to follow a dedicated path through the service provider's shared network.
A service provider merely supplies the Layer 2 connectivity and is not involved in the Layer 3 aspects of the customer's traffic (hence the name, Layer 2 VPNs). The advantage of Layer 2 VPNs is the independence that customers have in terms of controlling their Layer 3 network design for routing, addressing, and so on.
Frame Relay's independence from all Layer 3 protocols has made it a popular choice for LAN-to-LAN connections and intranet communications. Service providers also offer ATM-based Layer 2 VPNs as a higher-speed alternative to Frame Relay. Currently, most service providers offer Layer 2 VPNs using Frame Relay, ATM, or combinations of the two.
In an MPLS VPN, the customer edge (CE) router peers up with the PE router at Layer 3 instead of the other CE routers (as is the case with enhanced Layer 2 VPNs), providing the PE router with routing and forwarding information for the private network. The PE router then collects one private routing table for each customer and stores the tables along with the public Internet routing information. In Figure 1-2, not all of the customer's private networks are passed on to the global routing table.
Figure 1-2. PE/CE Relationship in an MPLS VPN
which private networks are built. To support a customer's Layer 3 traffic, a separate Layer 3
network has to be built. This results in service providers having to maintain separate networks
for Layer 2 and Layer 3 traffic, which is difficult and costly.
Another challenge that traditional Layer 2 service providers face is that if they have to expand their networks, the highest speed they can go to with ATM in the core is OC48. They cannot grow to higher speeds or make use of more cost-effective technologies, such as Ethernet.
Therefore, service providers have been searching for ways to maximize the efficiency and cost of their infrastructures and simplify management.
These goals can be achieved in an environment in which multiple Layer 2 services can be transported across a common IP/MPLS backbone. Newly developed IP-based services allow customers to minimize their network expenses while improving their productivity and competitiveness. For service providers, these new developments mean an opportunity to offer savings to their customers, which, in turn, can prompt an increase in customer base and service revenue.
The following types of service providers would benefit from such a solution:
Carriers that currently offer only circuit-based Layer 2 infrastructures and would like to expand Layer 3 infrastructure to sell more services
Service providers that currently offer only Layer 3 infrastructure and would like to cost effectively expand their offering of Layer 2 services
Service providers that currently offer both circuit-based Layer 2 and IP-based Layer 3 services throughout separate infrastructures and would like to join the two to increase profitability
Figure 1-3 illustrates a sample topology with Layer 2 VPN service. Instead of building a separate, private IP network and running traffic across it, enhanced Layer 2 VPNs take existing Layer 2 traffic and send it through point-to-point tunnels on the IP/MPLS network backbone.
Figure 1-3. Layer 2-Based VPN Services
efficiency and scalability are achieved because service decisions are made at the VPN and tunnel endpoints and switched without requiring additional provisioning.
With enhanced Layer 2 VPNs, service providers can offer such services as VPNs with managed Internet, intranet, and extranet without the complexity that they required in the past. The new Layer 2 VPN services do not require additional equipment spending because they are available by upgrading Cisco IOS Software. By reducing customer networking complexity and cost, the new Layer 2 VPNs allow service providers to expand their customer base to small and medium-sized businesses.
Layer 2 services have proven to be steady revenue-generating resources because the provider is not required to participate in customer Layer 3 services. Therefore, although service providers are branching into IP/MPLS-based core networks, they continue to maintain an extensive network of Layer 2-based equipment and services. By combining Layer 2 transport with Layer 3, enhanced Layer 2 VPNs offer an attractive alternative and convergence point for Layer 2 and Layer 3 infrastructures.
Some of the key advantages of enhanced Layer 2 VPNs over other VPN techniques include the following:
investments represent expenses not only in equipment, but also in configuration (such as creating circuits, security, and service levels). Although new Layer 2 VPNs offer high return on investment (ROI) when you are buying a routing platform because they integrate with the existing infrastructure, they also help maximize the ROI on the existing infrastructure by working with it, rather than replacing it. By aggregating traffic from ATM, Frame Relay, or Ethernet edge platforms, equipment and configuration investments continue to generate revenue, rather than create more cost or end their return.
With enhanced Layer 2 VPNs, customers can independently maintain their routing and security policies. Deployed edge platforms connecting to customer networks continue to create the circuits and interface with customer networks, whereas the Layer 2 VPN-enabled IP/MPLS routing platform essentially creates an intelligent "pipe" to move the traffic through the core, emulating the customer circuit. A VPN that is based on Layer 2 eliminates the need for end users to exchange routing information with the service providers, thus reducing the network management, complexity, and associated costs. Additional investment in equipment is unnecessary because the existing customer hardware is sufficient.
Some of the features of enhanced Layer 2 VPNs are as follows:
The configuration is simplified because only two endpoints must be configured and the rest is signaled across the core, unlike with traditional Layer 2 networks in which you must provision hop by hop.
The transition from a traditional Layer 2 VPN from the customer's point of view is uncomplicated.
The customer is responsible for its own routing. All the provider needs to show is that CE-to-CE connection is single hop.
Because the service provider does not take part in the routing process, the customer's routing privacy is preserved from the provider.
Layer 2 VPN does not require storing a routing table for each site on the service provider's end.
A misbehaving CE can, at worst, flap its interface, as opposed to an MPLS VPN, whereby an interface flapping can affect performance of the provider's edge router because of BGP peering.
Several enhanced Layer 2 VPN techniques have been developed. One such technique, defined in an IETF draft, is known as Any Transport over MPLS (AToM), which has been designed to allow an MPLS-enabled network to transport Layer 2 frames. Another emerging technology within the IETF is the Layer 2 Tunneling Protocol Version 3 (L2TPv3).
Both AToM and L2TPv3 have the common objective of transmitting packet-switched traffic (Frame Relay, ATM, and Ethernet) across a packet-switched network (PSN). What separates the two is the fact that AToM transports Layer 2 traffic over an MPLS-enabled network, whereas L2TPv3 transports it over a native IP network core. Both L2TPv3 and AToM are offered as part of the new Cisco Unified VPN Suite.
Figure 1-4 shows a sample enhanced Layer 2 VPN topology. The Layer 2 VPN tunnels provide the transport to make routers 3 and 4 appear to be directly connected to Packet over SONET (POS) interfaces (interfaces 1 and 4).
Supported Layer 2 encapsulations include 802.1Q VLAN, Cisco High-Level Data Link Control (HDLC), Ethernet, Frame Relay, POS, ATM, and PPP.
The first phase of Layer 2 VPN development in Cisco IOS Software supports like-to-like connectivity. This requires that the same transport type be at each end of the network. In the second phase, Layer 2 VPNs were enhanced to provide interworking functions that can connect disparate transport types at each end, such as Frame Relay at one end connecting to Ethernet VLAN at the other.
Note
investments and revenues. Development of the new Layer 2 VPN technologies such as AToM
and L2TPv3 enables the consolidation of Layer 2 and 3 networks while building the value-added
IP service portfolios.
Pseudowire emulation is essentially a mechanism that re-creates the characteristics of a Layer 1 or Layer 2 circuit service, such as time-division multiplexing (TDM) or Frame Relay, over a packet-switched network (PSN). Pseudowires are emulated circuits that carry service-specific protocol data units (PDU) from one customer device to another through the service provider network. To end customers and their devices, it is transparent that the circuit service is provided through pseudowire emulation. In other words, if the transit network is migrated from a circuit-based legacy network to a packet-based IP/MPLS network, end customers do not perceive any change in services offered by the service provider.
The motivation for pseudowire emulation comes from the desire to have a converged network that delivers multiple services that are currently provided by parallel or overlay networks. Each of these parallel networks offers a specific service. Parallel networks are not only expensive in terms of capital expense and operational costs, but they also make it difficult to expand and maintain network infrastructure and services.
Because IP traffic has increasingly become the majority of the overall network communication, many service providers realize the benefit of investing in packet-based core networks either by expanding the existing PSNs or migrating from their legacy circuit-based networks. Although aiming at providing new packet-based services such as voice over IP (VoIP) and video on demand with this new network infrastructure, service providers also look for ways to migrate the existing services to the new infrastructure to maximize the return on capital and operational investment without impact to the existing revenue streams. Pseudowire emulation makes it possible to achieve this objective.
The next sections describe the fundamental concepts of pseudowire emulation and the processes involved in its deployment, as follows:
Network reference model
Protocol layer and system architecture
Transporting over PSNs
Pseudowire setup
Network Reference Model

Despite different Layer 2 VPN solutions and deployment models, a common network reference model can be applied to illustrate the general properties of pseudowire and other network components in the pseudowire emulation architecture, as shown in Figure 2-1.
A provider edge (PE) device is in the service provider administrative domain. It provides pseudowire emulation service to a customer edge (CE) device that belongs to the administrative domain of the customer.
One or more attachment circuits are used to connect a CE to the PE. An attachment circuit can be an Ethernet port, an Ethernet VLAN, a PPP session, a High-Level Data Link Control (HDLC) link, a Frame Relay data-link connection identifier (DLCI), an ATM virtual path identifier (VPI)/virtual connection identifier (VCI), and so on.
A pseudowire is a virtual circuit between two PE devices that interconnects two attachment circuits. You can set it up through manual configuration or automatic signaling. After you establish a pseudowire between two PE devices, native frames received from an attachment circuit are encapsulated into pseudowire PDUs and sent over the pseudowire to the peering PE. When pseudowire PDUs arrive at the receiving PE device, they are changed back into the native form and forwarded to the corresponding attachment circuit.
Provider (P) devices form the packet-switched core network and are transparent to CE devices. They are unaware of pseudowires and pseudowire traffic, which PE devices manage. This kind of transparency alleviates the design complexity of the core network. Therefore, you can optimize the core network for core routing and packet forwarding performance without being constrained by the complexity of edge services. This transparency also helps to scale the number of emulated circuits. You need to provision only the edge devices for new circuits; you can leave the core devices alone.
Protocol Layer and System Architecture

Pseudowire emulation involves three protocol layers:

PSN layer
Pseudowire encapsulation layer
Payload layer
The PSN layer specifies the network addressing information of PE devices, which can be IPv4
addresses, IPv6 addresses, or MPLS labels. Network devices use the PSN layer to determine
the forwarding path of pseudowire packets. You can think of this path as a packet-switched
tunnel that carries pseudowire packets.
The pseudowire encapsulation layer consists of a pseudowire demultiplexing sublayer and an
encapsulation sublayer. The pseudowire demultiplexing sublayer provides a means to carry
multiple pseudowires over a single packet-switched tunnel. Each pseudowire has a
demultiplexing value that is unique within a tunnel. The encapsulation sublayer carries payload
encapsulation information that is removed at the ingress PE device so that the receiving PE
device can reconstruct the payload into its native form before sending it to the attached CE
device. For example, when the sublayer is transporting Frame Relay traffic over MPLS
networks, it removes the Frame Relay header. Payload encapsulation information, such as the
backward explicit congestion notification (BECN) bit and discard eligible (DE) bit, must be placed in the encapsulation sublayer. If necessary, this sublayer also carries sequence numbers that are used for in-order packet delivery.

The payload layer carries the pseudowire payload in various forms. For example, it can be Frame Relay packets in the native form or simplified form, ATM AAL5 packets, ATM cells, Ethernet packets, and so on.
Figure 2-2 illustrates the interaction of pseudowire protocol layers that reside on two peering PE devices. Each layer on one PE communicates with the same layer on the other PE through the lower layers, and the lower layers provide services to the upper layers.

Figure 2-2. Pseudowire Emulation Protocol Layers
PE devices play the key role in pseudowire emulation. In fact, the conversion between native circuits and emulated circuits is performed mostly inside PE devices. Therefore, you can benefit from having a high-level understanding of the system architecture of a PE device. Figure 2-3 shows an example of the general system architecture.

Figure 2-3. PE Device System Architecture
The PE device system architecture is divided into the control plane and the data plane. The data plane components include the following:

Physical interfaces Convert bits into electronic signals back and forth on the physical media.

Device drivers Serve as the intermediate layer that constructs media-specific framing for the physical interface and provides a media-independent interface to the upper layer.

Native service processor and pseudowire encapsulation System modules that deal with the data packet manipulation, which is discussed in detail in the following sections.
Network forwarding engine When a data packet is passed to the network forwarding engine from the pseudowire encapsulation module, a destination network address is also provided. Depending on the type of the PSN that carries the pseudowire traffic, the network forwarding engine looks up the address in the IPv4, IPv6, or MPLS forwarding tables. If it finds an outgoing interface, it encapsulates the packet with the appropriate link encapsulation and sends the packet out of the output interface. Otherwise, it discards the data packet.
The control plane components include the following:
Link layer protocol controller Performs line protocol signaling, such as Frame Relay
Local Management Interface (LMI) and ATM Integrated Local Management Interface
(ILMI), which is needed for setting up attachment circuits.
Pseudowire protocol processor and network protocol processor Perform
pseudowire and routing protocol signaling procedures respectively. PE devices use these
procedures to establish pseudowires and packet forwarding paths, as illustrated in Figure
2-2. The forwarding information that is obtained through the signaling procedures is
distributed to the data plane so that the forwarding table can be populated.
The native service processor (NSP) can manipulate packets in whichever way is necessary as
the packets pass through it. For example, when a PPP packet arrives from a PPP attachment
circuit that uses HDLC framing, the NSP removes the HDLC header so that the remaining PPP
payload can be in a media-independent format. When the pseudowire encapsulated PPP
payload arrives at the far-end PE device, the payload is passed to the NSP after the pseudowire encapsulation is removed. Then the NSP associated with the outgoing attachment circuit determines whether media-specific framing needs to be applied to the PPP payload.
When Ethernet VLAN tags are used as service delimiters, they usually have only local significance. The role of the NSP is to remove the service-delimiting VLAN tag when receiving a packet from the VLAN attachment circuit and to add a local service-delimiting VLAN tag when it receives a packet from the pseudowire.
The NSP also normalizes certain control information in different native packet encapsulations into a unified representation for pseudowire operation. For example, besides the Ethernet native frame format, Ethernet packets from CE devices can arrive in other native bridged encapsulations, such as Frame Relay or ATM bridged encapsulations. By normalizing the
different forms of native packets into a single Ethernet frame format, you reduce the
complexity of pseudowire processing.
Pseudowire Encapsulation Processing
After going through native service processing, the payload is ready for pseudowire encapsulation processing. The NSP might gather some payload-specific control information and pass it to the pseudowire encapsulation processor (PEP), typically through an out-of-band mechanism. The rationale behind the out-of-band mechanism is that in this way, the PEP can treat the payload as an opaque data object; therefore it is relieved from payload protocol-specific operation.
The payload control information is used for per-packet signaling that is necessary for certain services. Besides this information, the pseudowire encapsulation might include timing for real-time traffic or sequencing for out-of-order detection.
For point-to-point pseudowire emulation, a one-to-one relationship exists between attachment circuits and pseudowires. In other words, given an attachment circuit, the PEP has a corresponding pseudowire and vice versa. A pseudowire consists of a transmitting and a receiving demultiplexer. The transmitting demultiplexer is applied to the payload along with other control information and sent to the network forwarding engine for the remote PE device
to identify the pseudowire. When the network forwarding engine passes a pseudowire packet to
the PEP, the PEP uses the receiving demultiplexer in the packet header to determine to which
attachment circuit and NSP it needs to redirect after removing the pseudowire encapsulation.
pseudowire packets, but it also usually determines the format of the pseudowire demultiplexer. For instance, if you use IP as the underlying transport, the demultiplexer can be some kind of IP tunnel protocol field that provides demultiplexing capability. If you are using MPLS, you can employ an MPLS label in the label stack for such a purpose.

That is usually because of the existence of a hybrid IP and MPLS network infrastructure for administrative or migration purposes. In this case, pseudowires use MPLS labels as the demultiplexer but IP as the PSN. The protocol details of transporting pseudowire over IP and MPLS are discussed in Chapter 3, "Layer 2 VPN Architectures."
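The PE data plane described in the preceding sections (NSP stripping and re-adding the service-delimiting VLAN tag, the PEP applying the transmitting demultiplexer and a sequence number, the PSN layer adding the tunnel label) as an added, runnable model; this is illustration code, not code from the book. The demultiplexer is modelled as an MPLS label, the label values are constructed, and the 4-byte control-word layout (16-bit flags, 16-bit sequence) is an assumption of this model.

```python
import struct

MPLS_ENTRY = struct.Struct("!I")     # one 32-bit MPLS label stack entry
CONTROL_WORD = struct.Struct("!HH")  # assumed layout: flags(16) | sequence(16)


def mpls_entry(label, bottom_of_stack, ttl=255):
    """Encode a label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    return MPLS_ENTRY.pack((label << 12) | (int(bottom_of_stack) << 8) | ttl)


def parse_entry(data):
    """Return (label, bottom_of_stack) for the entry at the start of data."""
    (word,) = MPLS_ENTRY.unpack_from(data)
    return word >> 12, bool((word >> 8) & 1)


def strip_vlan_tag(frame):
    """NSP at the ingress PE: drop a locally significant 802.1Q tag."""
    if len(frame) >= 18 and frame[12:14] == b"\x81\x00":
        return frame[:12] + frame[16:]
    return frame


def add_vlan_tag(frame, vid):
    """NSP at the egress PE: insert the local service-delimiting tag."""
    return frame[:12] + b"\x81\x00" + struct.pack("!H", vid & 0x0FFF) + frame[12:]


class Pseudowire:
    """One point-to-point pseudowire bound to exactly one attachment circuit."""

    def __init__(self, ac_id, tx_label, rx_label, tunnel_label, local_vid):
        self.ac_id = ac_id
        self.tx_label = tx_label          # transmitting demultiplexer
        self.rx_label = rx_label          # receiving demultiplexer
        self.tunnel_label = tunnel_label  # PSN layer: MPLS tunnel to the peer PE
        self.local_vid = local_vid        # service-delimiting VLAN on this AC
        self.tx_seq = 0                   # last sequence number sent
        self.rx_seq = 0                   # last sequence number accepted


class PE:
    """Data plane of one PE: attachment circuit -> PSN and PSN -> attachment circuit."""

    def __init__(self):
        self.by_ac = {}
        self.by_rx_label = {}

    def add_pseudowire(self, pw):
        self.by_ac[pw.ac_id] = pw
        self.by_rx_label[pw.rx_label] = pw

    def encapsulate(self, ac_id, native_frame):
        """Native frame from an attachment circuit -> pseudowire packet for the PSN."""
        pw = self.by_ac[ac_id]
        payload = strip_vlan_tag(native_frame)          # NSP normalisation
        pw.tx_seq = (pw.tx_seq + 1) & 0xFFFF
        control_word = CONTROL_WORD.pack(0, pw.tx_seq)  # PEP control information
        return (mpls_entry(pw.tunnel_label, bottom_of_stack=False)
                + mpls_entry(pw.tx_label, bottom_of_stack=True)
                + control_word + payload)

    def decapsulate(self, packet):
        """Pseudowire packet from the PSN -> (ac_id, native frame), or None if dropped."""
        if len(packet) < 12:
            return None
        _tunnel, bos = parse_entry(packet)
        if bos:
            return None      # only a tunnel label: no pseudowire label follows
        pw_label, bos = parse_entry(packet[4:])
        pw = self.by_rx_label.get(pw_label)
        if pw is None or not bos:
            return None      # unknown receiving demultiplexer: drop
        _flags, seq = CONTROL_WORD.unpack(packet[8:12])
        if seq != (pw.rx_seq + 1) & 0xFFFF:
            return None      # out-of-order or duplicate packet: drop
        pw.rx_seq = seq
        return pw.ac_id, add_vlan_tag(packet[12:], pw.local_vid)


def build_peers():
    """Two PEs whose demultiplexers mirror each other (constructed label values)."""
    pe_a, pe_b = PE(), PE()
    pe_a.add_pseudowire(Pseudowire("ac1", tx_label=1001, rx_label=2001,
                                   tunnel_label=16, local_vid=100))
    pe_b.add_pseudowire(Pseudowire("ac7", tx_label=2001, rx_label=1001,
                                   tunnel_label=17, local_vid=300))
    return pe_a, pe_b


if __name__ == "__main__":
    pe_a, pe_b = build_peers()
    # Constructed Ethernet frame tagged with VLAN 100 (0x0064), EtherType IPv4.
    frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x81\x00\x00\x64" + b"\x08\x00" + b"data"
    pkt = pe_a.encapsulate("ac1", frame)
    print(pe_b.decapsulate(pkt))   # ('ac7', frame re-tagged with VLAN 300)
    print(pe_b.decapsulate(pkt))   # None: same sequence number seen again
```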
Setting Up a Pseudowire

Prior to establishing an emulated service, you need to set up a pseudowire between two PE devices. You can trigger this setup through one of the following methods:

Manual configuration
Dynamic protocol signaling
An autodiscovery mechanism
The manual setup process is much like provisioning ATM permanent virtual circuits (PVC) in traditional ATM-based Layer 2 VPNs. Essentially, network operators determine all parameters that are needed to set up pseudowires. Then they configure them on the PE devices manually or through network management tools. This can be a labor-intensive process.
Dynamic protocol signaling relieves network operators from many of the operations that are required in the manual setup by exchanging and negotiating pseudowire parameters automatically. Some initial provisioning has to be done manually even with dynamic protocol signaling, such as addresses of peering PE devices and identification of remote attachment circuits.
An auto-discovery mechanism utilizes an existing network distribution scheme that is designed for large-scale network operation and management, such as a distributed directory database or an interdomain routing protocol like BGP, to advertise the emulated services. When PE devices learn about the emulated services from each other, they automatically establish pseudowires among them accordingly. Ideally, an auto-discovery mechanism has the minimal amount of manual involvement for pseudowire setup. Although auto-discovery definitely helps in some situations, especially during migration, the nature of Layer 2 services always incurs a fair amount of manual provisioning compared to Layer 3 services.
Pseudowire setup often requires creating new protocols or extending existing protocols to signal pseudowire information. Creating and extending pseudowire emulation protocols is a hotly debated area in the networking industry and standardization bodies, as described in the next section.
Pseudowire emulation is no exception. Organizations such as the Internet Engineering Task Force (IETF), IEEE, International Telecommunication Union (ITU), ATM Forum, and MPLS Forum have produced many technical proposals and documents on pseudowire emulation. Because the majority of vendor and operator support and activity of pseudowire emulation happen in the IETF, this section focuses on the standard process of the IETF.
Both drafts addressed the question of how to achieve pseudowire emulation over packet-based networks, but the solutions that each proposed were vastly different. The two drafts were focused on achieving pseudowire emulation over MPLS-based packet networks, and each solution had its advantages and disadvantages. Members of the networking community quickly divided themselves into two camps based on the different design philosophies that were embedded in the two drafts.

Note
The terms draft-martini and draft-kompella have become synonyms for the two
different network architectures that they represent. The actual drafts do not exist in
IETF anymore, but the ideas behind them are making their ways toward becoming
standards. However, these informal names are still widely used in the networking community to identify the doctrine of each vendor implementation. This section lists the pros and cons of each architecture and does not intend to advertise one method over the other.

draft-martini
The most significant characteristic of draft-martini is its simplicity and straightforwardness. Using Figure 2-1 as reference, the draft describes how to establish a pseudowire between two attachment circuits that are located on two peering PE devices. It also specifies the encapsulation methods for each Layer 2 service. The Label Distribution Protocol (LDP) distributes MPLS labels for various MPLS applications, including pseudowire emulation. The architecture is concerned with creating and managing individual point-to-point pseudowires, which have no correlation to one another.
Before initiating a pseudowire to a remote PE, you need to provision the local PE with a virtual circuit (VC) ID or pseudowire ID shared by both the local and remote attachment circuit, and an IP address of the remote PE. Because the baseline LDP does not readily have the necessary protocol element for pseudowire signaling, the draft defines a pseudowire extension for LDP. A pseudowire is considered established when the peering PE devices exchange label information for the pseudowire. Using LDP terminology, this means that each PE device sends and receives a label mapping message for a given pseudowire.
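The draft-martini signaling flow just described (provision VC ID plus remote PE address on each side, then each PE both sends and receives a label mapping before the pseudowire counts as established) as an added, runnable model; this is illustration code, not code from the book. The message fields, PE addresses, attachment circuit names and the per-PE label allocator are constructed assumptions, and the messages are a simplified stand-in for LDP label mapping messages.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LabelMapping:
    """Simplified stand-in for an LDP label mapping message (assumed fields)."""
    sender: str   # IP address of the PE that sent the message
    vc_id: int    # VC ID shared by the two attachment circuits
    label: int    # label the sender wants this pseudowire's traffic to carry


@dataclass
class PseudowireState:
    remote_pe: str                        # provisioned address of the peering PE
    attachment_circuit: str               # local attachment circuit bound to the VC ID
    local_label: int                      # label advertised to the peer
    remote_label: Optional[int] = None    # label learned from the peer
    mapping_sent: bool = False


class MartiniPE:
    """Control plane of one PE for draft-martini style pseudowire signaling."""

    def __init__(self, address, first_label=16):
        self.address = address
        self.next_label = first_label
        self.pws = {}   # vc_id -> PseudowireState

    def provision(self, vc_id, remote_pe, attachment_circuit):
        """The manual part: VC ID, remote PE address and local attachment circuit."""
        label, self.next_label = self.next_label, self.next_label + 1
        self.pws[vc_id] = PseudowireState(remote_pe, attachment_circuit, label)

    def send_mappings(self):
        """Emit one label mapping for every provisioned pseudowire not yet signaled."""
        messages = []
        for vc_id, pw in self.pws.items():
            if not pw.mapping_sent:
                pw.mapping_sent = True
                messages.append(LabelMapping(self.address, vc_id, pw.local_label))
        return messages

    def receive_mapping(self, msg):
        """Accept a mapping only for a provisioned VC ID and only from the expected peer."""
        pw = self.pws.get(msg.vc_id)
        if pw is None or pw.remote_pe != msg.sender:
            return False
        pw.remote_label = msg.label
        return True

    def is_established(self, vc_id):
        """Established once this PE has both sent and received a mapping for vc_id."""
        pw = self.pws.get(vc_id)
        return pw is not None and pw.mapping_sent and pw.remote_label is not None


def deliver(messages, receiver):
    return [receiver.receive_mapping(m) for m in messages]


def run_signaling(pe_a, pe_b):
    """Exchange mappings in both directions; report establishment per VC ID."""
    deliver(pe_a.send_mappings(), pe_b)
    deliver(pe_b.send_mappings(), pe_a)
    vc_ids = sorted(set(pe_a.pws) | set(pe_b.pws))
    return {v: pe_a.is_established(v) and pe_b.is_established(v) for v in vc_ids}


def example_scenario():
    """Constructed scenario: VC 100 matches on both PEs; VC 200 vs 201 is a mismatch."""
    pe_a = MartiniPE("10.0.0.1")
    pe_b = MartiniPE("10.0.0.2")
    pe_a.provision(100, remote_pe="10.0.0.2", attachment_circuit="Gi0/1.100")
    pe_b.provision(100, remote_pe="10.0.0.1", attachment_circuit="Gi0/3.100")
    pe_a.provision(200, remote_pe="10.0.0.2", attachment_circuit="Gi0/1.200")
    pe_b.provision(201, remote_pe="10.0.0.1", attachment_circuit="Gi0/3.200")
    return run_signaling(pe_a, pe_b)


if __name__ == "__main__":
    print(example_scenario())   # {100: True, 200: False, 201: False}
```

A mapping that arrives for a VC ID this PE never provisioned, or from a PE other than the provisioned peer, is ignored, which is why the mismatched pair never comes up.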
Network operators can provision pseudowires using the architecture that is defined in draft-martini manually or through some sort of network management system. It is much like provisioning traditional Frame Relay or ATM PVC-based Layer 2 VPNs. However, someone could perceive this as either a good attribute or a bad one. Some like the architecture because this is a familiar business, and much of the experience and tools developed in the traditional Layer 2 VPNs can be leveraged. Others think the architecture suffers the same set of problems, such as scalability, as those of the traditional Layer 2 VPNs.

This Layer 2 VPN architecture supports point-to-point Layer 2 services, including Frame Relay, ATM AAL5, ATM Cell, Ethernet, Ethernet VLAN, PPP, and HDLC, in addition to Layer 1 service, such as TDM.
draft-kompella
The architecture that is proposed in draft-kompella does not resemble that of the draft-martini
or the traditional Layer 2 VPNs. To a certain degree, it shares some characteristics of Layer 3
dynamic routing. Unlike draft-martini, it involves complex signaling procedures and algorithms,
and the provisioning scheme, which is somewhat tricky, works better with some Layer 2
In addition, every time you add a new CE device or move an existing CE device to attach to a different PE device, you must reconfigure all the PE devices that are participating in this VPN to maintain the full-mesh connectivity. This can become a dauntingly labor-intensive task for network operators. The draft attempts to solve the scaling problem by over-provisioning the number of attachment circuits needed for current CE devices so that the existing CE and its PE devices do not need to be reconfigured when adding a new CE to a VPN. The basic premise for over-provisioning is that the attachment circuits between CE and PE devices are relatively cheap.
To provision a Layer 2 VPN using the architecture that is defined in draft-kompella, each CE that belongs to the VPN is given a CE ID, and each CE is configured with a maximum number of CE devices that it can connect to. This is also known as the CE range. Each attachment circuit between a CE and a PE is given an index value, which corresponds to a particular remote CE ID in this VPN. By such an arrangement, each CE can derive which attachment circuit connects to which remote CE. Each PE is then configured with the VPNs in which it participates. Each VPN is denoted by a VPN ID. The PE is provisioned with a list of CE devices that are members of a given VPN. The PE also knows the CE ID, CE range, and the index values for the attachment circuits of each CE.
When a PE is configured with all the necessary information for a CE, it allocates a contiguous range of MPLS labels that corresponds to the CE range. The smallest value in this label range is called the label base. For each CE, the PE then advertises its own router ID, VPN ID, CE range, and label base through BGP update messages, which are broadcast to all other PE devices. Even though some PE devices might not be part of the VPN, they can receive and keep this information just in case a CE that is connected to the PE joins the VPN in the future. Because the baseline BGP does not readily have the necessary protocol element for pseudowire signaling, the draft defines a pseudowire extension for BGP.
This architecture solves the scaling problem by making the provisioning task of adding a new CE device a local matter. That is, whenever a new CE device is added, only the CE and the PE to which it is attached need to be configured. Remote CE and PE devices do not need reconfiguration because they can calculate which spare attachment circuit should be used to communicate with the new CE. Remote PE devices can also learn about the new CE through BGP update messages. The broadcast nature of BGP makes it easy to automatically discover PE devices that are participating in Layer 2 VPNs, which further reduces the configuration on PE devices.
The weakness of this architecture comes from the validity of the assumptions it is based on. For example, the low cost of attachment circuits is valid when the CE and PE are directly connected through virtual circuits such as Frame Relay and ATM PVCs, but not when they are connected through a switched Frame Relay or ATM network, or the attachment circuits are individual physical links and ports, such as PPP and HDLC links. In the latter case in which the cost of individual attachment circuits is expensive, over-provisioning becomes impractical. Also, the typical Layer 2 VPNs deployed today are rarely fully meshed because having a fully meshed flat network creates scaling problems for Layer 3 routing, where hierarchy is desired. If a Layer 2 VPN consists only of sparse point-to-point connections, advertising the information of a CE to all other PE devices and keeping it on these PE devices wastes network resources because such information is only interesting to a single remote PE.
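The label-base scheme described above, as an added Python example that is not code from the book: a PE allocates a contiguous label block per CE, advertises router ID, VPN ID, CE ID, CE range and label base, keeps every advertisement it receives, and a remote PE computes the attachment circuit index and outgoing label for a new CE without reconfiguration. The index and label rule used here (attachment circuit j reaches remote CE j; the label is the remote label base plus the local CE ID, with a label offset of zero) is the draft-kompella convention as I understand it and is an assumption of this model; the class and method names, router IDs and label values are constructed. The idle_advertisements method makes the waste the weakness paragraph describes countable: advertisements held for VPNs the PE does not serve.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CeAdvertisement:
    """What one BGP update carries for one CE, per the text (constructed model)."""
    router_id: str    # router ID of the advertising PE
    vpn_id: int
    ce_id: int        # ID of the CE behind the advertising PE
    ce_range: int     # attachment circuits provisioned (over-provisioned) for that CE
    label_base: int   # smallest label of the contiguous block allocated for that CE


class ProviderEdge:
    """Minimal PE: allocates label blocks and keeps every advertisement it receives."""

    def __init__(self, router_id: str, first_free_label: int = 16):
        self.router_id = router_id
        self.next_label = first_free_label   # hypothetical bump allocator for the label space
        # (vpn_id, ce_id) -> the advertisement this PE originates for a locally attached CE
        self.local_ces: Dict[Tuple[int, int], CeAdvertisement] = {}
        # everything learned from BGP, kept even for VPNs this PE does not (yet) serve
        self.received: List[CeAdvertisement] = []

    def provision_ce(self, vpn_id: int, ce_id: int, ce_range: int) -> CeAdvertisement:
        """Allocate a contiguous label range of size ce_range; its first label is the label base."""
        if ce_range <= 0:
            raise ValueError("CE range must be positive")
        label_base = self.next_label
        self.next_label += ce_range          # blocks never overlap: each CE gets its own range
        adv = CeAdvertisement(self.router_id, vpn_id, ce_id, ce_range, label_base)
        self.local_ces[(vpn_id, ce_id)] = adv
        return adv

    def receive(self, adv: CeAdvertisement) -> None:
        """Store an advertisement from a BGP update; VPN membership is deliberately not checked."""
        self.received.append(adv)

    def pseudowire_to(self, vpn_id: int, local_ce_id: int,
                      adv: CeAdvertisement) -> Optional[Tuple[int, int]]:
        """(attachment circuit index on the local CE, outgoing label) to reach adv's CE.

        Assumed convention (draft-kompella style, label offset 0): the local CE uses its
        attachment circuit with index adv.ce_id, and the label it sends is
        adv.label_base + local_ce_id. Each side's range must cover the other's CE ID;
        if it does not, the spare circuit does not exist and reprovisioning is needed.
        """
        local = self.local_ces.get((vpn_id, local_ce_id))
        if local is None or adv.vpn_id != vpn_id:
            return None
        if local_ce_id >= adv.ce_range or adv.ce_id >= local.ce_range:
            return None
        return adv.ce_id, adv.label_base + local_ce_id

    def idle_advertisements(self) -> List[CeAdvertisement]:
        """Advertisements no local CE can use: the kept-just-in-case state the text calls waste."""
        served = {vpn for vpn, _ in self.local_ces}
        return [a for a in self.received if a.vpn_id not in served]
```

Adding a CE on one PE is a purely local call to provision_ce; every other PE derives its side of the pseudowire from the advertisement alone, which is the scaling property the text claims, and the cost of that property is visible in received growing on PEs that never serve the VPN.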
Not exhaustively, Table 2-1 compares the most noticeable characteristics of the two Layer 2
VPN architectures that are defined by draft-martini and draft-kompella.
Table 2-1. Comparison of draft-martini and draft-kompella (rows: Network topology, Complexity, Scalability, Applicability, Signaling protocol, Discovery protocol, Support base, Standardization; only fragments of the cells survive here: "Individual point-to-point pseudowires", "High", "Proceed to PWE3 working group", "Obsolete document status", "progress")
Even though draft-martini has made a lot of progress in standardization and deployment, its primitiveness, such as the lack of support in Layer 2 VPN autodiscovery, is recognized. New solutions have since been worked on to overcome the issues found throughout product development and network deployment. To find out more about the latest development in the standardization process, refer to the IETF web site at http://www.ietf.org.
Other Layer 2 VPN Architectures
The Layer 2 VPN architectures on pseudowire emulation generally define the procedures for setting up individual pseudowires and encapsulation methods for different Layer 2 services. They are the foundation and building blocks for other types of Layer 2 VPN architectures.

VPWS is directly derived from pseudowire emulation. A VPWS is essentially a network of point-to-point pseudowires that interconnect CE devices of a Layer 2 VPN. Besides the basic pseudowire emulation service, VPWS defines the specifications for point-to-point Layer 2 VPN service in broader terms, such as quality of service (QoS), security, redundancy, VPN membership discovery, and so on. VPWS in some way is designed as a replacement for the traditional Frame Relay or ATM-based Layer 2 VPN.
VPLS also uses the basic pseudowire emulation service, but it is a very different architecture from VPWS. The objective of VPLS is to emulate Transparent LAN Service (TLS) in a packet-based network, which is typically seen in Layer 2 switched Ethernet networks. Instead of acting as a point-to-point cross-connect between the attachment circuit and pseudowire, a VPLS PE functions as an Ethernet bridge. When receiving an Ethernet frame from a CE, the PE looks up the destination MAC address of the frame in its bridging table. If it finds a match, it forwards the frame to the output interface that is specified in the bridging table. Otherwise, it learns and stores the source MAC address in the bridging table, and it floods the Ethernet frame to all output interfaces in the same broadcast domain. Whereas VPWS requires one dedicated attachment circuit for each remote CE device, VPLS allows a single attachment circuit to transmit frames from one CE to multiple remote CE devices. In this respect, VPLS resembles
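The bridging behaviour of a VPLS PE, as an added Python example (not code from the book): a learning bridge whose ports are attachment circuits toward local CEs and pseudowires toward remote PEs. It learns the source MAC on every frame received, forwards known unicast to the learned port, floods unknown unicast, broadcast and multicast to the other ports of the broadcast domain, and bounds the table size so a flood of new source addresses evicts old entries instead of exhausting memory. It also applies the split-horizon rule of a full-mesh VPLS, which the passage does not mention: a frame that arrived over a pseudowire is never flooded back out over other pseudowires. Port names, MAC addresses and the table limit are constructed.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class EthernetFrame:
    src_mac: str
    dst_mac: str
    payload: bytes = b""


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast destinations have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class VplsBridge:
    """One VPLS instance on a PE (constructed model): a learning bridge whose ports are
    attachment circuits toward local CEs and pseudowires toward remote PEs."""

    def __init__(self, ac_ports: List[str], pw_ports: List[str],
                 max_entries: int = 1024, split_horizon: bool = True):
        self.ac_ports = list(ac_ports)
        self.pw_ports = list(pw_ports)
        self.ports = self.ac_ports + self.pw_ports
        self.max_entries = max_entries        # assumed bound; the table never grows past it
        self.split_horizon = split_horizon    # full-mesh VPLS rule: never pseudowire -> pseudowire
        self.table: "OrderedDict[str, str]" = OrderedDict()   # MAC -> port, oldest entry first

    def _learn(self, mac: str, port: str) -> None:
        if mac in self.table:
            self.table.move_to_end(mac)       # refresh; also covers a station that moved ports
        elif len(self.table) >= self.max_entries:
            self.table.popitem(last=False)    # evict the oldest entry instead of failing
        self.table[mac] = port

    def forward(self, in_port: str, frame: EthernetFrame) -> List[str]:
        """Return the ports the frame goes out of (empty if nothing needs to be sent)."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        self._learn(frame.src_mac, in_port)
        if not is_group_address(frame.dst_mac):
            out = self.table.get(frame.dst_mac)
            if out is not None:
                # known unicast: exactly one port, or nothing if the station is on the ingress port
                return [] if out == in_port else [out]
        # unknown unicast, broadcast or multicast: flood within the broadcast domain
        targets = [p for p in self.ports if p != in_port]
        if self.split_horizon and in_port in self.pw_ports:
            targets = [p for p in targets if p not in self.pw_ports]
        return targets
```

The first frame toward an unknown station is flooded to every pseudowire, which is the behaviour that lets one attachment circuit reach many remote CEs; once the reply has been seen, later frames take a single pseudowire.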
Pseudowire emulation is an emerging networking technology that aims at transitioning traditional Layer 2 services to much leveraged PSNs for operating cost reduction and new value-added services.

Within the network reference model, PE devices are the key components that provide pseudowire emulation services. A PE device consists of the control plane that establishes and maintains pseudowires among PE devices and the data plane that converts frames from their native encapsulation to pseudowire encapsulation back and forth.
This chapter outlined the pseudowire protocol and encapsulation layering. It further explained the various stages of processing in a pseudowire emulation system, such as signaling, native service, pseudowire encapsulation, and tunnel encapsulation.

Even with the fast-growing deployment of pseudowire emulation, the standardization process is an ongoing effort. The IETF and its working groups are the most active and widely respected standardization organizations that develop frameworks and solutions for pseudowire emulation and Layer 2 VPN technology in general. This chapter compared the most debated proposals on pseudowire emulation architectures and highlighted other Layer 2 VPN architectures that are built on top of pseudowire emulation.
The previous chapter highlighted different Layer 2 VPN architectures proposed by the network industry and Internet Engineering Task Force (IETF) working groups. In the past few years, significant progress has been made both in designing the Layer 2 VPN protocol specifications and realizing such innovations in a suite of new products. Pseudowire emulation serves as the fundamental building block for different Layer 2 VPN architectures.

A handful of network equipment vendors have developed products that support various levels of pseudowire emulation. The deployment of pseudowire emulation has started growing in the service provider space.

As part of the Unified VPN Suite Solution offering, Cisco IOS Software introduces two flavors of pseudowire emulation:

AToM

ATM
When building a Layer 2 VPN in a Frame Relay or ATM network, you need to provision edge switches that connect to customer devices with individual virtual circuit mappings, and provision core switches to provide edge-to-edge connectivity for the virtual circuits (VC). Figure 3-2 illustrates a Layer 2 VPN built using a Frame Relay or ATM network. The links that are depicted in the diagram represent logical connections.

Figure 3-2. Frame Relay or ATM-Based Layer 2 VPN

number of home gateways for all their remote users. Ultimately, VPDNs lower the overall operating cost for the enterprises.
For service providers, VPDNs are a new source of revenue serving multiple business and individual customers with the same remote access network infrastructure. When the total number of users increases, service providers can add or upgrade their remote access network capacity in a more economic fashion because all users benefit from it. Figure 3-3 depicts a VPDN network topology.
Figure 3-3. Virtual Private Dial-Up Network

The protocols that support VPDN include the following:

Point-to-Point Tunneling Protocol (PPTP)

Layer 2 Forwarding (L2F) Protocol

Layer 2 Tunnel Protocol Version 2 (L2TPv2)
These protocols tunnel PPP packets between network access servers and home gateways, and PPP is the only Layer 2 protocol they can transport. However, because PPP can encapsulate multiple network protocols, such as IP, Internetwork Packet Exchange (IPX), and AppleTalk, many applications find VPDN sufficiently useful.
Note
L2TPv2 is described in the IETF standard RFC 2661. It is a consensual product of the
L2TP Extension working group and is derived from the proprietary tunneling protocols
PPTP and L2F from Microsoft and Cisco, respectively.
1. A remote user or a remote end station initiates a PPP connection to the service provider using either an analog telephone line or an ISDN line.

2. The network access server receives the connection request from the remote user.

3. (Optional) The network access server authenticates the remote user using the specified authentication method, such as Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), or interactive terminal session.

4. After the remote user is authenticated, an authorization process determines whether the user should be locally terminated or tunneled to a home gateway.

5. If the remote user needs to be tunneled to a remote home gateway, one of the VPDN protocols establishes a tunnel between the network access server and the home gateway, and an optional authentication step can validate the identification of the tunnel endpoints.

6. The user PPP connection is encapsulated into a VPDN session from the network access server to the home gateway.

7. The home gateway authenticates the remote user carried in the VPDN session. Upon successful authentication, the home gateway terminates the PPP connection and grants predefined network access privileges to the remote user.

8. Now PPP frames can pass between the remote user and the home gateway.
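The eight steps above, walked through in added Python that is not the book's code, with CHAP as the authentication method at both the network access server (step 3) and the home gateway (step 7), and a mutual challenge on a shared tunnel secret for the optional endpoint check in step 5. CHAP is computed as RFC 1994 specifies (MD5 over identifier, secret and challenge) and compared in constant time. The domain-suffix authorization rule in step 4, the class and function names, and all user and tunnel secrets are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def chap_verify(ident: int, secret: Optional[bytes], challenge: bytes, response: bytes) -> bool:
    """Constant-time comparison; an unknown peer name (secret is None) always fails."""
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


@dataclass
class HomeGateway:
    name: str
    user_secrets: Dict[str, bytes]   # users this enterprise gateway will terminate (step 7)
    tunnel_secret: bytes             # shared with the NAS for tunnel endpoint authentication (step 5)


@dataclass
class NetworkAccessServer:
    name: str
    local_user_secrets: Dict[str, bytes]    # users terminated locally (step 4: "locally terminated")
    home_gateways: Dict[str, HomeGateway]   # assumed rule: domain suffix -> tunnel target (step 4)
    tunnel_secret: bytes


Responder = Callable[[int, bytes], bytes]   # the remote user's side: answers a CHAP challenge


def make_user(secret: bytes) -> Responder:
    """The remote user answers any CHAP challenge with its own secret (constructed client)."""
    return lambda ident, challenge: chap_response(ident, secret, challenge)


def tunnel_endpoints_authenticate(nas: NetworkAccessServer, hg: HomeGateway) -> bool:
    """Step 5's optional check: each endpoint challenges the other with the shared tunnel secret."""
    ident, c_from_nas, c_from_hg = 1, os.urandom(16), os.urandom(16)
    hg_answer = chap_response(ident, hg.tunnel_secret, c_from_nas)
    nas_answer = chap_response(ident, nas.tunnel_secret, c_from_hg)
    nas_accepts = chap_verify(ident, nas.tunnel_secret, c_from_nas, hg_answer)
    hg_accepts = chap_verify(ident, hg.tunnel_secret, c_from_hg, nas_answer)
    return nas_accepts and hg_accepts


def vpdn_connect(nas: NetworkAccessServer, username: str, respond: Responder) -> str:
    """Walk steps 1 to 8 for one dial-in; returns where the PPP session ended up."""
    # Steps 1 and 2: the PPP connection request arrives at the NAS (the call itself).
    # Step 3 (optional): the NAS authenticates the user if it holds a secret for that name.
    ident, challenge = 7, os.urandom(16)          # fresh challenge per attempt, never reused
    if username in nas.local_user_secrets:
        if not chap_verify(ident, nas.local_user_secrets[username], challenge,
                           respond(ident, challenge)):
            return "rejected:nas-authentication"
    # Step 4: authorization decides local termination versus tunneling (by domain suffix here).
    _, _, domain = username.partition("@")
    hg = nas.home_gateways.get(domain)
    if hg is None:
        return "local" if username in nas.local_user_secrets else "rejected:unknown-user"
    # Step 5: establish the tunnel and, optionally, authenticate its endpoints.
    if not tunnel_endpoints_authenticate(nas, hg):
        return "rejected:tunnel-authentication"
    # Step 6: PPP is carried inside a VPDN session; the NAS never needs the user's secret.
    session = {"tunnel": (nas.name, hg.name), "user": username}
    # Step 7: the home gateway runs its own CHAP exchange over the session.
    ident, challenge = 8, os.urandom(16)
    if not chap_verify(ident, hg.user_secrets.get(username), challenge, respond(ident, challenge)):
        return "rejected:home-gateway-authentication"
    # Step 8: PPP frames now flow between the remote user and the home gateway.
    return "tunneled:" + session["tunnel"][1]
```

Two points the walk-through makes concrete: the NAS can forward a user it cannot authenticate itself, because the home gateway owns the user's secret, and the tunnel-endpoint check in step 5 is what stops a tunnel from being set up toward a gateway that does not hold the shared tunnel secret.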
For detailed configuration tasks and examples of the legacy Layer 2 VPNs, refer to Cisco.com.

Table 3-1 lists some characteristics of the legacy Layer 2 VPNs.
Table 3-1. Legacy Layer 2 VPN Comparison

Legacy Layer 2 VPN    Payload Type                        Transport Type
Frame Relay           Bridged or routed encapsulation     Frame Relay, ATM
ATM                   Bridged or routed encapsulation     ATM
DLSw                  SNA, NetBIOS, NetBEUI               IP, Frame Relay, Direct
VPDN                  PPP                                 IP, Frame Relay, ATM*

* PPTP control packets use IP TCP and data packets use IP GRE. L2F packets use IP UDP. L2TPv2 packets use IP, IP UDP, Frame Relay, and ATM.
IP over ATM, packets are forwarded based on the predefined ATM VC mappings instead of routing algorithms, which results in suboptimal routing. MPLS resolves this problem by using routing protocols to dynamically create ATM VCs.

MPLS also makes it easy to consolidate the parallel networks into a single MPLS-enabled network. This converged MPLS infrastructure can provide both Layer 2 and Layer 3 services that previously had to rely on separate networks. This section examines how AToM replaces legacy Layer 2 VPNs and the new features it offers.
AToM is a pseudowire emulation application that is part of the Unified VPN Suite Solution that Cisco offers to transport Layer 2 traffic over an MPLS network. Besides providing the end-to-end connectivity of the same Layer 2 protocol, AToM is capable of interconnecting disparate Layer 2 protocols through Layer 2 interworking. AToM derives from a series of efforts by service providers and network equipment vendors in an attempt to minimize the impact to existing Layer 2 VPN services and create new service offerings with MPLS-enabled networks.
In the Layer 2 VPN network reference model depicted in Chapter 2, "Pseudowire Emulation Framework and Standards," AToM is enabled on the provider edge (PE) routers, which play a similar role as the edge switches in Frame Relay or ATM-based L2VPNs or the network access server in VPDN. In a Frame Relay or ATM-based Layer 2 VPN, the edge switch maps a Frame Relay or ATM VC connecting to the customer device to a PVC connecting to a core switch by the data-link connection identifier (DLCI) or virtual path identifier (VPI)/virtual connection identifier (VCI) values. In VPDN, the network access server binds a PPP connection from the remote user to a VPDN session.
With AToM, the PE router maps an attachment circuit of any supported Layer 2 encapsulation from the customer edge (CE) router to an AToM pseudowire.
An AToM pseudowire is made of a pair of MPLS label-switched paths (LSP). Because an MPLS LSP is inherently unidirectional, to have bidirectional connectivity, a pseudowire is formed by establishing two LSPs in the opposite directions. Different MPLS applications might use different ways to distribute labels. Some use the dedicated Label Distribution Protocol (LDP), whereas others use extensions of existing protocols, including routing protocols. AToM utilizes targeted LDP sessions between PE routers to exchange MPLS labels that are used for pseudowires. You establish a targeted LDP session by sending unicast hello packets rather than multicast hello packets during the LDP discovery phase. LDP also supports TCP message digest, also known as TCP MD5, as its authentication method. Figure 3-4 illustrates the network components of AToM.

Figure 3-4. AToM Network Components
Supported Layer 2 protocols

Decision factors whether to use AToM in your network, such as installation base, advanced features, interoperability, and complexity.
One common technique that many MPLS applications utilize is label stacking. MPLS label stacking is documented in IETF RFC 3032, "MPLS Label Stack Encoding." The basic idea is to create layers or hierarchies of MPLS labels; each label corresponds to a particular layer in the network architecture. Creating such hierarchies allows aggregation and multiplexing, which improve scalability. It also simplifies the operations on the transit routers, which make forwarding decisions based on the topmost label in the label stack.
The semantics of labels in a label stack might vary from one MPLS application to another. For example, in MPLS traffic engineering, the top label in the label stack represents the traffic-engineered path, and the bottom label represents the original Interior Gateway Protocol (IGP) path. In MPLS Layer 3 VPN, the top label in the label stack represents the IGP path to the next-hop Border Gateway Protocol (BGP) router, which is normally the PE router that originates the VPN routes. The bottom label represents a specific or aggregated VPN route. In Layer 2 VPN, the LDP top label usually represents the IGP path to the peering PE router, and the bottom label represents a Layer 2 VPN forwarder on the peering PE router. A Layer 2 VPN forwarder is an abstract entity that switches Layer 2 traffic back and forth between the pseudowire and itself. In the context of pseudowire emulation, the Layer 2 VPN forwarder is usually some sort of attachment circuit. Figure 3-5 shows the overview of an AToM packet.

Figure 3-5. AToM Packet
The top label is usually known as the tunnel label or the IGP label. The bottom label is usually known as the VC label or the pseudowire label. The optional control word is not part of the MPLS label stack, but pseudowire encapsulation.
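The label stack that Figure 3-5 describes, as an added Python example that is not the book's code: it encodes the 32-bit label stack entries of RFC 3032 (20-bit label, 3-bit EXP, S bit, 8-bit TTL), assembles an AToM packet with the tunnel label on top, the VC label at the bottom of the stack and an optional control word, shows a P router that swaps only the top entry and never reads below it, and shows the egress PE reading the VC label to select the attachment circuit. Label values, TTLs, the swap table and the payload bytes are constructed; the control-word check (first nibble zero) follows RFC 4385.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LabelEntry:
    """One label stack entry as RFC 3032 lays it out: Label(20) | EXP(3) | S(1) | TTL(8)."""
    label: int
    exp: int = 0
    ttl: int = 255

    def encode(self, bottom: bool) -> bytes:
        if not (0 <= self.label < 1 << 20 and 0 <= self.exp < 8 and 0 <= self.ttl < 256):
            raise ValueError("label stack field out of range")
        word = (self.label << 12) | (self.exp << 9) | (int(bottom) << 8) | self.ttl
        return struct.pack("!I", word)


def build_atom_packet(tunnel: LabelEntry, vc: LabelEntry, l2_frame: bytes,
                      control_word: bool = True) -> bytes:
    """Tunnel (IGP) label on top, VC (pseudowire) label at the bottom with S=1,
    then the optional 4-byte control word and the native Layer 2 frame."""
    cw = b"\x00\x00\x00\x00" if control_word else b""   # constructed: all-zero control word
    return tunnel.encode(bottom=False) + vc.encode(bottom=True) + cw + l2_frame


def parse_label_stack(packet: bytes) -> Tuple[List[Tuple[int, int, int]], bytes]:
    """Return [(label, exp, ttl), ...] from top to bottom, plus the bytes below the stack."""
    entries: List[Tuple[int, int, int]] = []
    offset = 0
    while True:
        if offset + 4 > len(packet):
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", packet, offset)
        entries.append((word >> 12, (word >> 9) & 0x7, word & 0xFF))
        offset += 4
        if (word >> 8) & 1:          # S bit set: this was the bottom entry
            break
    return entries, packet[offset:]


def p_router_forward(packet: bytes, swap_table: Dict[int, int]) -> bytes:
    """A transit (P) router: swap the top label and decrement its TTL; everything below
    the top entry, including the pseudowire label, is carried untouched."""
    (word,) = struct.unpack_from("!I", packet, 0)
    label, ttl = word >> 12, word & 0xFF
    if ttl <= 1:
        raise ValueError("TTL expired in the core")
    out_label = swap_table[label]                   # KeyError here means no LSP for this label
    new_word = (out_label << 12) | (word & 0xE00) | (word & 0x100) | (ttl - 1)
    return struct.pack("!I", new_word) + packet[4:]


def egress_pe_receive(packet: bytes, control_word: bool = True) -> Tuple[int, bytes]:
    """The egress PE: the bottom label is the VC label that selects the attachment circuit;
    strip the control word (first nibble must be 0, RFC 4385) and hand the frame to it."""
    entries, below = parse_label_stack(packet)
    vc_label = entries[-1][0]
    if control_word:
        if len(below) < 4 or below[0] >> 4 != 0:
            raise ValueError("missing or malformed control word")
        below = below[4:]
    return vc_label, below
```

Running the packet through p_router_forward and comparing the bytes after the first entry shows the property the text states: the P routers change only the tunnel label, and the VC label reaches the egress PE exactly as the ingress PE wrote it.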
Note

The semantics of labels in a label stack might be different from the previous description when multiple MPLS applications are deployed and integrated in the same MPLS network. For example, AToM can be used in conjunction with MPLS traffic engineering. You can find examples in Chapter 9, "Advanced AToM Case Studies."
Using label stacking in AToM improves scalability when compared to the scalability of legacy Layer 2 VPNs built on top of Frame Relay or ATM. As you learned in Chapter 2, every time you add a new end-to-end virtual connection or relocate an existing one to a different edge switch, you must ensure that a virtual path extends from one edge switch to the other. If none exists, you need to provision the edge and core switches along the path. With a large number of virtual connections in a typical Layer 2 VPN, this task amounts to a significant portion of the overall operation cost structure.

Instead of statically provisioning the virtual paths hop by hop, AToM takes advantage of routing protocols to dynamically set up virtual paths across the core network. Only PE routers need to maintain and manage the pseudowire labels for the virtual connections. The pseudowire labels are at the bottom of the label stack, so they are not visible to the transit routers, also known as the Provider (P) routers. The P routers forward packets using the top label and are unaware of the existence of pseudowires.
Many pseudowires can be multiplexed in a single MPLS tunnel LSP. In such a way, the core
network is spared from managing and maintaining forwarding information for each pseudowire.
PPP over MPLS operates in the transparent mode, in which case PPP sessions are between CE routers, and PE routers do not terminate PPP sessions. In other words, CE routers are the only PPP speakers that process PPP frames through the PPP protocol stack, and PE routers do not participate in PPP protocol exchange.
Untagged Ethernet frames

IEEE 802.1q tagged Ethernet VLAN frames
PE routers classify Ethernet frames that are received from CE routers into different pseudowires based on the receiving interface or the VLAN tag carried in the Ethernet VLAN frames. Bridging protocol support varies depending on the deployment model. Chapter 7, "LAN Protocols over MPLS Case Studies," has in-depth case studies on running bridging protocols over MPLS networks.
With Frame Relay over MPLS, PE routers forward Frame Relay frames to different pseudowires based on the receiving interface and the DLCI value, and they also provide Local Management Interface (LMI) signaling to CE routers. To Frame Relay customers, the migration in the service provider network is completely transparent. The Frame Relay header is removed at the ingress PE router and added back at the egress PE router. The flags in the Frame Relay headers, such as backward explicit congestion notification (BECN), forward explicit congestion notification (FECN), discard eligible (DE), and command/response (C/R), are carried in the pseudowire control word, which is mandatory for Frame Relay over MPLS. The operation details are described in Chapter 6, "Understanding Any Transport over MPLS."
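The two-label stack and the Frame Relay control word described above, as an added example that is not the book's own code: it encodes an AToM packet for Frame Relay over MPLS and contrasts what a P router sees (the top label only) with what the egress PE recovers (VC label, control word flags, payload). Label values, flags and payload are constructed sample data; the control word bit layout is taken from the PWE3 Frame Relay encapsulation (RFC 4619).

```python
"""Added example, not the book's own code: build and inspect an AToM packet for
Frame Relay over MPLS. Tunnel label on top, VC/pseudowire label at the bottom
of stack (S bit set), then the mandatory Frame Relay control word carrying the
BECN, FECN, DE and C/R flags. Control word layout per RFC 4619:
0000|B|F|D|C|FRG(2)|Length(6)|Sequence(16). All values below are constructed."""
import struct

MAX_STACK_DEPTH = 8  # guard for a malformed stack that never sets the S bit


def encode_label(label: int, exp: int = 0, bos: bool = False, ttl: int = 255) -> bytes:
    """One 32-bit label stack entry: Label(20) | EXP(3) | S(1) | TTL(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("MPLS label must fit in 20 bits")
    entry = (label << 12) | ((exp & 0x7) << 9) | (int(bos) << 8) | (ttl & 0xFF)
    return struct.pack("!I", entry)


def decode_label(entry: bytes) -> dict:
    if len(entry) < 4:
        raise ValueError("truncated label stack entry")
    value = struct.unpack("!I", entry[:4])[0]
    return {"label": value >> 12, "exp": (value >> 9) & 0x7,
            "bos": bool((value >> 8) & 1), "ttl": value & 0xFF}


def encode_fr_control_word(becn=False, fecn=False, de=False, cr=False,
                           length: int = 0, seq: int = 0) -> bytes:
    """Frame Relay control word; the FRG bits stay 00 (no fragmentation)."""
    flags = (int(becn) << 3) | (int(fecn) << 2) | (int(de) << 1) | int(cr)
    word = (flags << 24) | ((length & 0x3F) << 16) | (seq & 0xFFFF)
    return struct.pack("!I", word)


def decode_fr_control_word(cw: bytes) -> dict:
    if len(cw) < 4:
        raise ValueError("truncated control word")
    value = struct.unpack("!I", cw[:4])[0]
    flags = (value >> 24) & 0xF
    return {"becn": bool(flags & 0x8), "fecn": bool(flags & 0x4),
            "de": bool(flags & 0x2), "cr": bool(flags & 0x1),
            "length": (value >> 16) & 0x3F, "seq": value & 0xFFFF}


def build_atom_fr_packet(tunnel_label: int, vc_label: int,
                         fr_flags: dict, payload: bytes) -> bytes:
    """Ingress PE view: the Frame Relay header has already been stripped, so
    only its flags survive, carried in the control word behind the VC label."""
    return (encode_label(tunnel_label)
            + encode_label(vc_label, bos=True)
            + encode_fr_control_word(**fr_flags)
            + payload)


def p_router_view(packet: bytes) -> dict:
    """A P router forwards on the top label only; the VC label and the
    control word below it are opaque to it."""
    return decode_label(packet[:4])


def egress_pe_decapsulate(packet: bytes) -> dict:
    """Egress PE view: walk the stack down to the bottom-of-stack entry (the
    VC label), then read the control word and the Layer 2 payload behind it."""
    offset, labels = 0, []
    while True:
        entry = decode_label(packet[offset:offset + 4])
        labels.append(entry)
        offset += 4
        if entry["bos"]:
            break
        if len(labels) >= MAX_STACK_DEPTH:
            raise ValueError("no bottom-of-stack entry within the allowed depth")
    flags = decode_fr_control_word(packet[offset:offset + 4])
    return {"tunnel_label": labels[0]["label"], "vc_label": labels[-1]["label"],
            "depth": len(labels), "flags": flags, "payload": packet[offset + 4:]}


if __name__ == "__main__":
    # Constructed sample: tunnel label 16001, VC label 22, BECN and DE set.
    pkt = build_atom_fr_packet(16001, 22, {"becn": True, "de": True}, b"\x45\x00sample")
    print(p_router_view(pkt))          # only the tunnel label is visible here
    print(egress_pe_decapsulate(pkt))  # the PE recovers VC label, flags, payload
```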
ATM over MPLS includes two types of ATM services:

ATM AAL5
Interoperability
MPLS traffic engineering helps redirect traffic, including Layer 2 traffic, to less congested parts of the network. Layer 2 services typically come with service-level agreements (SLA). An SLA is a service guarantee that a service provider agrees to offer to its customer on availability, guaranteed bandwidth, burst bandwidth, and so on. The service provider can use an MPLS QoS guarantee to enforce SLAs. The level of service guarantee is usually associated with the premium that a customer subscribes to. For instance, an SLA with a higher premium might provide more guaranteed bandwidth than an SLA with a lower premium. MPLS constraint-based routing is again used to provide QoS guarantees. It allocates the necessary network resources, such as buffer space and link bandwidth, along the specific path that is established through traffic engineering. Although both MPLS traffic engineering and MPLS QoS guarantee use MPLS constraint-based routing, the difference is that traffic engineering does not require all the bandwidth allocation and queuing mechanisms that are required to provide QoS guarantees.
Another important advanced MPLS feature that AToM can rely on is the ability to reroute traffic to an alternate path in a short period when a failure occurs along the original path, typically within 50 ms. With hop-by-hop, destination-based plain IP routing, the network convergence time is usually seconds upon network failure, which results in packet loss before the network converges. To reduce packet loss during routing transitions, MPLS fast rerouting constructs a protection LSP in advance for a given link by explicitly establishing an alternate path that circumvents the possible failing link. Because the alternate path is set up prior to the link failure, rerouting can take place rather quickly.
Interoperability
packets that carry Layer 2 payload. Because these packets generally do not have an IP header, fragmentation is difficult. That is why packets exceeding the network MTU are dropped. MTU settings need to be carefully engineered throughout the network to avoid connectivity problems.
appropriate solution for your needs.
For example, if your goal is to move toward an MPLS-enabled network eventually but you need a time-to-market solution to provide Layer 2 VPN services on top of the existing IP infrastructure, you might choose AToM for Layer 2 VPN services, but you have to overlay AToM pseudowires over IP tunnels, such as generic routing encapsulation (GRE) tunnels. In this way, you can deploy MPLS-based Layer 2 VPN services in a relatively short period of time without being forced to migrate the entire core infrastructure to MPLS immediately. However, if the goal is to ultimately provide Layer 2 VPN services with a pure IP infrastructure, you have the option of choosing an IP-based Layer 2 VPN solution: L2TPv3.
L2TPv2 was originally designed for remote access solutions, and it only supports one type of Layer 2 frames: PPP. Retaining many protocol specifications of version 2, L2TPv3 enhances the control protocol and optimizes the header encapsulation for tunneling multiple types of Layer 2 frames over a packet-based network. L2TPv3 and its supplementary specifications, such as the Ethernet and Frame Relay extensions, describe the requirements and architectures that are applicable to pseudowire emulation using L2TPv3.
L2TPv3 consists of a control plane that uses an in-band and reliable signaling protocol to manage the control and data connections between L2TP endpoints, and a data plane that is responsible for pseudowire encapsulation and provides a best-effort data-forwarding service. In the L2TPv3 network reference models, L2TPv3 is implemented and deployed between a pair of L2TP Control Connection Endpoints (LCCEs). Figure 3-6 illustrates the network components of L2TPv3. The LCCEs are the equivalent of the PE routers in the generic Layer 2 VPN network reference model. For the sake of consistency, this book uses PE router in place of "LCCE" in the context of L2TPv3.
Figure 3-6. L2TPv3 Network Components
Fundamentally, L2TPv3 pseudowires and AToM pseudowires are set up in a similar fashion. The difference is that the baseline L2TPv3 protocol specification is responsible for constructing such a bidirectional pseudowire, whereas AToM relies on an application-level mechanism that is built on top of the LDP protocol specification for the same function. From the end user's point of view, this difference is insignificant.
Note

In certain deployment scenarios, such as interworking between different Layer 2 protocols, AToM and L2TPv3 might carry Layer 3 packets directly. However, because the forwarding decision is still based upon Layer 2 information, such cases belong to the general Layer 2 VPN framework.
Besides using the L2TPv3 control messages to set up pseudowires dynamically, you can use manual configuration to provision the necessary session parameters. When you use manual configuration, you do not need to establish a control connection between PE routers.

The next sections give an overview of L2TPv3 from the following aspects:

L2TPv3 operations

Supported Layer 2 protocols

Decision factors whether to use L2TPv3 in your network, such as installation base, advanced features, and complexity
L2TPv3 Operations
Even though L2TP is labeled as an IP-based technology, in fact it is a transport-independent protocol. L2TPv2, which is mostly deployed for remote access applications, specifies mechanisms to tunnel Layer 2 frames over UDP, ATM AAL5, and Frame Relay. L2TPv3 defines the specifications to tunnel Layer 2 frames over IP and UDP.
The tunneling mechanism is essentially accomplished by inserting an L2TP header between the IP or UDP header and the Layer 2 payload. A well-known IP protocol number or UDP port number differentiates L2TP packets from other types of IP traffic. The destination IP address of an L2TP packet is an address of the PE router on the other side of the tunnel. Sessions that are destined to the same PE router are multiplexed by session IDs into a common IP or UDP header.
L2TP control packets are transmitted in-band along with data packets. Therefore, the tunnel endpoints need to have a deterministic way to distinguish one type from the other. For L2TP over UDP, the first bit in the L2TP header indicates whether it is a control packet or a data packet. However, L2TP over IP has a different L2TP header that does not have a field for such indication. Instead, the L2TP header uses the reserved session ID value zero for control packets and nonzero session IDs for data packets.

The discrepancy of the two L2TP header formats is a result of optimization weighted toward different deployment models. The UDP transport mode is friendlier for the cases that require using IPsec to protect L2TP traffic, or traversing Network Address Translation (NAT) and firewalls. The IP transport mode is more tailored for implementing L2TP packet processing and forwarding in high-speed hardware architectures. Figure 3-7 shows an overview of the two formats of an L2TPv3 packet.
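The two ways of telling control packets from data packets described above, as an added example that is not the book's own code: a classifier for L2TPv3 over UDP (the T bit) and over IP (the reserved Session ID zero), which also shows why a receiver must know the transport mode up front. Header field positions follow RFC 3931; the sample packets are constructed, and the control connection ID and session ID values in them are arbitrary.

```python
"""Added example, not the book's own code: classify L2TPv3 packets as control
or data for both transport modes. Over UDP the T bit in the first header word
decides; over IP the leading 32-bit Session ID decides, zero meaning control.
Field positions follow RFC 3931; the packets at the bottom are constructed."""
import struct

L2TP_VERSION = 3
CONTROL_SESSION_ID = 0      # reserved Session ID for control packets over IP
T_BIT = 0x8000              # control (1) / data (0) flag in the flags-and-version word
S_BIT = 0x0800              # Ns/Nr sequence fields present (always set on control)


def _parse_control_header(buf: bytes) -> dict:
    """Control header: T|L|x|x|S|x|x|x|x|x|x|x|Ver | Length | CC ID | Ns | Nr."""
    if len(buf) < 12:
        raise ValueError("truncated L2TPv3 control header")
    flags_ver, length, ccid, ns, nr = struct.unpack("!HHIHH", buf[:12])
    if flags_ver & 0xF != L2TP_VERSION:
        raise ValueError("version field is not 3")
    if not flags_ver & T_BIT:
        raise ValueError("T bit clear on what should be a control message")
    return {"kind": "control", "length": length, "control_connection_id": ccid,
            "ns": ns, "nr": nr, "sequenced": bool(flags_ver & S_BIT)}


def classify_l2tpv3(payload: bytes, over_udp: bool) -> dict:
    """payload starts right after the UDP header (over_udp=True) or right after
    the IP header (over_udp=False). The receiver must already know which mode
    it is in: the two header formats carry no common discriminator."""
    if over_udp:
        if len(payload) < 4:
            raise ValueError("truncated L2TPv3/UDP header")
        flags_ver = struct.unpack("!H", payload[:2])[0]
        if flags_ver & 0xF != L2TP_VERSION:
            raise ValueError("version field is not 3")
        if flags_ver & T_BIT:                       # control message
            return _parse_control_header(payload)
        if len(payload) < 8:
            raise ValueError("truncated L2TPv3/UDP data header")
        session_id = struct.unpack("!I", payload[4:8])[0]
        if session_id == CONTROL_SESSION_ID:
            raise ValueError("Session ID 0 is reserved; invalid in a data message")
        return {"kind": "data", "session_id": session_id}
    # Over IP there is no flags word up front: the Session ID comes first.
    if len(payload) < 4:
        raise ValueError("truncated L2TPv3/IP header")
    session_id = struct.unpack("!I", payload[:4])[0]
    if session_id == CONTROL_SESSION_ID:
        return _parse_control_header(payload[4:])
    return {"kind": "data", "session_id": session_id}


# Constructed sample packets: control connection ID 0x1234, session ID 42,
# flags word 0xc803 = T, L and S bits set, version 3.
CTRL_OVER_IP = bytes.fromhex("00000000" "c803" "0014" "00001234" "0001" "0002")
DATA_OVER_IP = bytes.fromhex("0000002a") + b"\x11\x22\x33\x44" + b"frame"  # 4-byte cookie, not parsed
CTRL_OVER_UDP = bytes.fromhex("c803" "0010" "00001234" "0003" "0004")
DATA_OVER_UDP = bytes.fromhex("0003" "0000" "0000002a") + b"frame"

if __name__ == "__main__":
    for name, pkt, udp in (("control over IP", CTRL_OVER_IP, False),
                           ("data over IP", DATA_OVER_IP, False),
                           ("control over UDP", CTRL_OVER_UDP, True),
                           ("data over UDP", DATA_OVER_UDP, True)):
        print(name, classify_l2tpv3(pkt, over_udp=udp))
    # Reading a UDP-mode data packet as IP-mode yields a bogus nonzero session ID.
    print("mode mismatch:", classify_l2tpv3(DATA_OVER_UDP, over_udp=False))
```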
L2TP implements a low-overhead reliable delivery mechanism for control packets at the underlying transport layer, that is, IP or UDP. The upper-level functions of L2TP do not have to deal with retransmission or ordering of control packets. L2TP also uses a sliding window scheme for control packet transmission to avoid overwhelming the receiver. In addition, it provides an optional message digest-based authentication to guarantee control packet integrity, and an optional keepalive mechanism to ensure connectivity between tunnel endpoints.
Layer 2 Protocols Supported by L2TPv3

depending on the deployment model. Chapter 11, "LAN Protocols over L2TPv3 Case Studies," discusses the details of running bridging protocols over the IP network.
With Frame Relay over L2TPv3, PE routers forward Frame Relay frames to different pseudowires based on the receiving interface and the DLCI number. PE routers also provide LMI signaling to CE routers as if they are Frame Relay switches. Unlike Frame Relay over MPLS, the Frame Relay header is kept intact at the ingress PE router with Frame Relay over L2TPv3; therefore, the egress PE router does not need to reconstruct the Frame Relay header before forwarding the packets to the CE router.
ATM over L2TPv3 also supports ATM AAL5 and ATM Cell services. With ATM AAL5, PE routers receive ATM AAL5 packets or reassemble ATM cells into ATM AAL5 packets from CE routers and forward them to different pseudowires based on the receiving interface and the VPI or VCI numbers. The ATM flags, such as EFCI and CLP, are carried in the L2TPv3 ATM-specific sublayer, which serves a similar purpose to the AToM control word. ATM Cell over L2TPv3 can encapsulate a single ATM cell at a time or pack multiple ATM cells into one L2TPv3 packet. Both ATM services can be offered in VC mode, VP mode, or port mode. These modes determine the granularity of how ATM packets and cells should be classified and mapped to pseudowires.
For organizations and companies that decide to stay with their existing IP-based network infrastructures for the long term and do not intend to migrate to MPLS-enabled networks, choosing L2TPv3 to provide Layer 2 VPN services is obvious. For those who have not decided which technology to choose, consider the following factors to gauge the feasibility and applicability of using L2TPv3 for Layer 2 VPN services.
Existing Network Installation Base
For service providers that do not have parallel legacy networks and those that traditionally provide only Layer 3 services, the problem of maintaining separate networks does not apply to them directly because they do not have the problem to start with. They have little incentive to invest in a new technology unless it brings new revenue opportunities.
As telecommunication deregulation has taken place, these service providers have started eyeing lucrative Layer 2 VPN services. The fastest and least expensive way to provide Layer 2 VPN services in an IP-based infrastructure is to use L2TPv3. AToM relies on a ubiquitous MPLS presence throughout the network infrastructure. If the network is not already MPLS enabled, it has to be migrated to MPLS first. L2TPv3 imposes minimal impact, if any, on the core network infrastructure. It only requires the PE routers that provision Layer 2 VPN services to be aware of L2TPv3. In some cases, existing edge routers can readily provide Layer 2 VPN services with proper software upgrades. This is particularly attractive to service providers that are interested in creating new revenue streams with minimal initial investment.
Without L2TPv3, enterprises rely on service providers to provision and manage their Layer 2 network connections among geographically dispersed locations. Not only is the Layer 2 service expensive, but interprovider Layer 2 circuits must also be provisioned when these locations are not covered by a single service provider. The feasibility of provisioning an interprovider Layer 2 circuit is constrained by whether these providers have such an interprovider Layer 2 connectivity agreement.
L2TPv3 can be an attractive cost-cutting and easy-to-manage alternative. Instead of getting
expensive Layer 2 circuits from service providers, each site can purchase the best and least
expensive IP service from a local service provider without worrying about the interprovider
agreement issue because IP connectivity always exists among service providers. Each site then
enables L2TPv3 on a CPE router and provisions Layer 2 connections to other sites without
involving service providers.
Because L2TPv3 uses IP or UDP as its transport layer, integrating with advanced IP-based network services, such as IPSec, is easy. If service providers manage Layer 2 VPN services for their customers, the strong security guarantee that is provided within the service provider network can be sold as a value-added feature. If enterprises manage Layer 2 VPN services, this combination gives them not only site-to-site Layer 2 connectivity but data integrity and privacy when transporting sensitive information across public or shared network infrastructures. With AToM, Layer 2 frames are encapsulated with an MPLS label stack, and there is no IP header in the resulting packet. Therefore, it is quite difficult to apply IPSec features to AToM packets.
Whenever possible, you should set the MTU of both attachment circuits that are connected through a pseudowire to the same value, and set the network MTU to accommodate the resulting L2TP-encapsulated packets that carry the Layer 2 payload. If this is not possible, the Cisco IOS L2TPv3 implementation also supports Path MTU discovery and fragmentation options. These make use of the Don't Fragment (DF) bit in the IP header and ICMP messages to discover appropriate MTU settings for pseudowires. When the resulting L2TP packets exceed the pseudowire MTU, users can either choose to drop or fragment the packets.
Plain IP routing and forwarding do not provide advanced network features such as traffic engineering and fast reroute. By deploying IP differentiated services (diffserv), classifying different types of traffic diligently, overprovisioning network bandwidth strategically, and other fine-tunings on routing, you can achieve a fairly high level of service guarantees for Layer 2 VPN services.
Interoperability
L2TPv2 is a widely deployed and highly interoperable protocol, especially in remote access, wholesale dial, and broadband networks. It has a large vendor support base.
L2TPv3 evolved from L2TPv2 and has kept many of the major characteristics and specifications of L2TPv2. The control plane procedures are almost identical in both versions. One of the main differences lies in the L2TP header format, which has more impact on the data plane. Another significant change is that the baseline protocol no longer defines the actions for each Layer 2 protocol that is carried in L2TP. Furthermore, it is up to each Layer 2 application to specify the appropriate actions. Because of these differences, the two versions of L2TP implementation are not interoperable.

Network Operation Complexity
L2TPv3 is a relatively simple network protocol as compared to the more sophisticated routing protocols and MPLS protocols. It requires little change to an existing IP-based network and is relatively easy to manage and troubleshoot.
As described in the previous sections, AToM uses LDP as the out-of-band signaling protocol, which means the control packets might take a different path from the data packets. Thus, the control plane connectivity cannot provide a reliable indication for the data plane connectivity. L2TPv3 uses an in-band TCP-like reliable control connection to set up and tear down data connections. That is why its liveliness serves as a good indication for that of the data plane.
facilitate new requirements are built on top of some form of pseudowire emulation. Cisco offers AToM and L2TPv3 for pseudowire emulation. They are not designed as competing technologies; rather they are optimized for MPLS- and IP-based network infrastructures, respectively. Before determining which product to adopt, consider the technical and business factors and find the right balance between features and manageability. Each has its own merits and implications, some of which are outlined in Table 3-2.
Table 3-2 (AToM versus L2TPv3)

Network Infrastructure
  AToM: IP/MPLS
  L2TPv3: IP
Signaling Protocol
  AToM: Directed LDP
  L2TPv3: L2TPv3
Transport Layer
  AToM: MPLS label encoding
  L2TPv3: IPv4
Supported Layer 2 Encapsulation Protocols
  AToM: PPP, HDLC, Ethernet, Ethernet VLAN, Frame Relay, ATM AAL5, ATM Cell Relay
  L2TPv3: PPP, HDLC, Ethernet, Ethernet VLAN, Frame Relay, ATM AAL5, ATM Cell Relay
Authentication
  AToM: TCP MD5
  L2TPv3: Shared Secret with Message Digest
Keepalive Mechanism
  AToM: Unreliable out-of-band LDP keepalive; requires new protocol extensions for reliable connectivity report
  L2TPv3: Reliable and simple in-band keepalive
Advanced Services
  AToM: Traffic engineering, QoS guarantee, fast rerouting
  L2TPv3: IPSec, IP Diffserv, Path MTU discovery, IP fragmentation
Interoperability
  AToM: Wide vendor and carrier support, good and improving interoperability
  L2TPv3: Limited vendor and carrier support
Chapter 4 LAN Protocols
Chapter 5 WAN Data-Link Protocols
Understanding Spanning Tree Protocol
Pure Layer 2 Implementation
802.1q Tunneling

Now that you've learned the fundamental concepts behind Layer 2 VPNs and pseudowire emulation described in Part I, "Foundation," you need to familiarize yourself with Layer 2 network protocols. This chapter describes LAN protocols. Here, you get an overview of Ethernet technology as well as read about the technological and business requirements of both enterprise customers and service providers that are driving the implementation of Metro Ethernet. Finally, you discover the Layer 2 technologies that are available today for transporting traffic over higher-bandwidth circuits.
three. This was the first instance in which hundreds of computers in the same building required intercommunication.
Ethernet solved two of Xerox's challenges:

The network had to connect hundreds of computers within the same building.
It had to be fast enough to support the fast, new laser printer.

Later on, because of the combined efforts of Digital Equipment, Intel, and Xerox, Ethernet became a standard. Ethernet is now the world's most widely used LAN protocol.
Ethernet uses carrier sense multiple access collision detect (CSMA-CD). The different parts of this protocol are as follows:

Carrier sense: Before transmitting data, stations check whether other stations are already transmitting over the multiaccess wire. If other stations are not transmitting, the station can transmit data or wait.
Multiple access: All stations are connected to a single physical wire or a single data path.
Collision detect: If a collision is detected because two stations transmitted data into the wire simultaneously, both stations stop transmitting, back off, and try again later after a random delay.
The base of Ethernet technology is the Ethernet frame. An IP datagram, for instance, is encapsulated and transmitted in a standard Ethernet (Type II) frame. The frame header is 14 bytes long (6 bytes of destination address + 6 bytes of source address + 2 bytes of frame type), followed by the data portion and completed by 4 bytes of the frame check sequence (FCS). Figure 4-1 shows the fields of the original Ethernet Type II (Ethernet II) frame format.

Figure 4-1. Ethernet Type II Frame
address, or a multicast address. You can discover this MAC address from the source address field of a message during protocol synchronization.
Source Address: The source address is the sender's 48-bit MAC address.
Ethernet Type: The Ethernet Type field is used for higher protocol identification.
Data: The Data field contains encapsulated data (such as an IP packet). The valid length ranges for Ethernet II are between 46 and 1500 bytes.
FCS: The FCS field contains a 32-bit cyclic redundancy check (CRC) value, which checks for damaged frames.

Note

Originally, Ethernet II was also referred to as DIX after its corporate sponsors Digital, Intel, and Xerox.
The original Ethernet II frame format had some shortcomings. To allow collision detection, the 10-Mbps Ethernet required a minimum packet size of 64 bytes. That meant you needed to pad short frames with 0s. Thus, higher-layer protocols needed to include a Length field to discriminate the actual data from the padding. As a consequence, the original Ethernet frame was changed to include a Length field and to allow for Ethernet to interwork with other LAN media.
Fortunately, the values assigned to the Ethernet Type field (0x0600 XNS [Xerox], 0x0800 IP [Internet Protocol], and 0x6003 DECNET) were always higher than the maximum frame size with a decimal value of 1500. The 802 committee solution to the task of providing a standard that did not depend on the behavior or characteristics of higher layer protocols was 802.3.
802.3 replaced the Ethernet Type field with a 2-octet length field. The way to distinguish Ethernet II from an 802.3 frame is by inspecting the Type/Length field:

If the value of the field is higher than 1500 decimal, the field represents an Ethernet Type and is Type II.
If the value of the field is lower than or equal to 1500 decimal, the field represents a length and is 802.3.
In addition, a new form of packet type field was needed, so a Logical Link Control (LLC) header with destination and source service access point (DSAP and SSAP, respectively) and control fields follow the Length field for higher-protocol identification (see Figure 4-2).

Figure 4-2. 802.3 Frame Format
Length: This is the length of the frame excluding the preamble, FCS, addresses, and length field.
DSAP: A value of 0xAA indicates Subnetwork Access Protocol (SNAP).
SSAP: A value of 0xAA indicates SNAP.
Control: The Control field specifies the type of LLC frame.

Figure 4-2 also shows an IEEE 802.3 SNAP frame format that is indicated by the DSAP and SSAP values and includes the SNAP field. The SNAP header includes 3 bytes of vendor code and 2 bytes of local code. A vendor code of 0s (0x000000) indicates that the local code is an Ethernet Type II for backward compatibility. This new format moves the Ethernet Type field 8 bytes from its original location in Ethernet II.
Note

The Ethernet Type II frame format is often referred to as ARPA frame. The IEEE 802.3 frame format is also called 802.3 LLC to differentiate it from 802.3 SNAP.
Frame format   Minimum data (bytes)   Maximum data (bytes)
Ethernet II    46                     1500
802.3 LLC      43                     1497
802.3 SNAP     38                     1492

Note that you can send IP datagrams smaller than 46 bytes over Ethernet II because IP contains a Total Length field. When you are sending, for example, 36-byte IP datagrams using Ethernet II encapsulation, a 10-byte trailer with all zeroes is appended to the IP datagram. When you are sending the same IP datagram over 802.3 SNAP, the trailer is only 2 bytes, because 8 bytes are used for the LLC + SNAP headers (1 DSAP + 1 SSAP + 1 Control + 3 OUI + 2 Ethertype).
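The Type/Length rule, the LLC/SNAP layout and the trailer arithmetic above, as an added Python example that is not code from the book: it classifies a frame as Ethernet II, 802.3 LLC or 802.3 SNAP and computes the zero trailer, using the IPv4 Total Length for Ethernet II where no Length field exists. The MAC addresses, the 192.0.2.x IP addresses and the zeroed BPDU body are constructed sample values; the 802.3 LLC case uses the DSAP/SSAP value 0x42 that 802.1d BPDUs carry, which the book does not state here.

```python
"""Ethernet II vs. 802.3 LLC/SNAP classification and trailer computation.

Added example, not the book's code. Frames are constructed inline without
preamble or FCS (what a NIC hands to software). The MAC addresses, the
192.0.2.x IP addresses and the zeroed BPDU body are made-up sample values.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
MIN_CLIENT_DATA = 46     # smallest MAC client data field (64-byte frame with FCS)
MAX_TYPE_LENGTH = 1500   # a Type/Length value above this is an EtherType
SNAP_SAP = 0xAA          # DSAP and SSAP value announcing a SNAP header
STP_SAP = 0x42           # DSAP/SSAP carried by 802.1d BPDUs (802.3 LLC frames)


def classify_frame(frame):
    """Apply the chapter's rule: Type/Length > 1500 is Ethernet II, else 802.3.

    Within 802.3, DSAP == SSAP == 0xAA marks a SNAP frame, and an OUI of
    00:00:00 means the 2-byte local code is an EtherType.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":")}
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len > MAX_TYPE_LENGTH:
        info.update(format="Ethernet II", ethertype=type_or_len, payload=frame[14:])
        return info
    if len(frame) < 17:
        raise ValueError("802.3 frame truncated before the LLC header")
    info["length"] = type_or_len          # MAC client data; pad is not counted
    end = 14 + type_or_len
    dsap, ssap, control = frame[14], frame[15], frame[16]
    if dsap == SNAP_SAP and ssap == SNAP_SAP:
        if len(frame) < 22:
            raise ValueError("802.3 SNAP frame truncated before the SNAP header")
        oui, local_code = frame[17:20], struct.unpack("!H", frame[20:22])[0]
        info.update(format="802.3 SNAP", oui=oui.hex(":"), payload=frame[22:end],
                    ethertype=local_code if oui == b"\x00\x00\x00" else None)
    else:
        info.update(format="802.3 LLC", dsap=dsap, ssap=ssap, control=control,
                    payload=frame[17:end])
    return info


def trailer_bytes(frame):
    """Zero padding after the real data, or None when it cannot be derived.

    802.3 carries a Length field, so the trailer is whatever follows the
    counted bytes. Ethernet II has no length, so only a higher layer can
    tell: here the IPv4 Total Length, as in the chapter's 36-byte example.
    """
    info = classify_frame(frame)
    client = frame[14:]
    if info["format"] != "Ethernet II":
        return len(client) - info["length"]
    if info["ethertype"] != ETHERTYPE_IPV4:
        return None
    ip_total_length = struct.unpack("!H", client[2:4])[0]   # IPv4 header bytes 2-3
    return len(client) - ip_total_length


def build_ipv4_datagram(total_len, src="192.0.2.1", dst="192.0.2.2"):
    """Constructed minimal IPv4 datagram: 20-byte header, zero body, UDP proto."""
    def addr(a):
        return bytes(int(x) for x in a.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                         addr(src), addr(dst))
    return header + bytes(total_len - len(header))


def frame_ethernet_ii(dst, src, ethertype, data):
    pad = max(0, MIN_CLIENT_DATA - len(data))
    return dst + src + struct.pack("!H", ethertype) + data + bytes(pad)


def frame_802_3_llc(dst, src, dsap, ssap, control, data):
    client = bytes([dsap, ssap, control]) + data
    pad = max(0, MIN_CLIENT_DATA - len(client))
    return dst + src + struct.pack("!H", len(client)) + client + bytes(pad)


def frame_802_3_snap(dst, src, ethertype, data):
    # LLC + SNAP = 8 bytes: DSAP, SSAP, Control, 3-byte OUI, 2-byte EtherType
    snap = b"\x00\x00\x00" + struct.pack("!H", ethertype)
    return frame_802_3_llc(dst, src, SNAP_SAP, SNAP_SAP, 0x03, snap + data)


DST = bytes.fromhex("001122334455")        # constructed sample MACs
SRC = bytes.fromhex("66778899aabb")
STP_MCAST = bytes.fromhex("0180c2000000")  # 802.1d bridge group address
IP36 = build_ipv4_datagram(36)
FRAME_ETH2 = frame_ethernet_ii(DST, SRC, ETHERTYPE_IPV4, IP36)  # 10-byte trailer
FRAME_SNAP = frame_802_3_snap(DST, SRC, ETHERTYPE_IPV4, IP36)   # 2-byte trailer
FRAME_BPDU = frame_802_3_llc(STP_MCAST, SRC, STP_SAP, STP_SAP, 0x03,
                             bytes(35))  # zeroed 35-byte configuration BPDU body

if __name__ == "__main__":
    for frame in (FRAME_ETH2, FRAME_SNAP, FRAME_BPDU):
        info = classify_frame(frame)
        print(info["format"], "payload", len(info["payload"]),
              "trailer", trailer_bytes(frame))
```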
networks.
Because of the broad definition, it is critical to categorize these services. Several taxonomies
for Metro Ethernet produce an eclectic portfolio of services. You can categorize Metro Ethernet
services as follows:
Based on connectivity type:

Point-to-point: Similar to a permanent virtual circuit (PVC).
Multipoint: Similar to a cloud.

Based on service types:

Wire services: A port does not have service multiplexing. A customer port connects to a single remote customer port. This is similar to a leased line.
Relay services: Service multiplexing is available based on VLAN, such that different customer VLANs within a customer port can connect to different sites. This is similar to a Frame Relay port.

Combining these two categorizations, you have the first four sets of Metro Ethernet services:

Ethernet Wire Service (EWS): A nonmultiplexed point-to-point service.
Ethernet Relay Service (ERS): A VLAN-multiplexed point-to-point service.
Ethernet Multipoint Service (EMS): A nonmultiplexed point-to-cloud service. An example is Virtual Private LAN Service (VPLS), which is covered in Chapter 15, "Virtual Private LAN Service."
Ethernet Relay Multipoint Service (ERMS): A VLAN-multiplexed point-to-cloud service. The service provider cloud has VLAN mapping. An example is VPLS, which is covered in Chapter 15.

Other Metro Ethernet services are as follows:

Ethernet Private Line (EPL): Similar to EWS service, except it is provided at Layer 1 by OXCs.
Layer 2 VPN access: Layer 2 access to Multiprotocol Label Switching (MPLS) VPNs.
ATM to Ethernet over MPLS or Ethernet over L2TPv3 Interworking: This topic is covered in Chapter 14, "Layer 2 Interworking and Local Switching."
Frame Relay to Ethernet over MPLS or Ethernet over L2TPv3 Interworking: This topic is covered in Chapter 14.

Table 4-2 summarizes the characteristics of different Metro Ethernet services.
Metro Ethernet Service                  Architecture   Service Definition             Connectivity
EPL                                     Layer 1        Transparent (nonmultiplexed)   Point-to-point
EWS                                     VPWS[1]        Transparent (nonmultiplexed)   Point-to-point
ERS                                     VPWS           Multiplexed                    Point-to-point
EMS                                     VPLS           Transparent (nonmultiplexed)   Multipoint-to-multipoint
ERMS                                    VPLS           Multiplexed                    Multipoint-to-multipoint
ATM/Frame Relay Ethernet Interworking   VPWS           Multiplexed                    Point-to-multipoint

[1] VPWS = Virtual Private Wire Service
All these categories vary in implementation, but some generalities exist. Table 4-3 shows the interface type of the PE devices both toward the customer and toward the core. The PE devices can be logical devices that are distributed among different physical PEs. In such a case, the user-facing PE is called the U-PE, and the network-facing PE is called N-PE.
Table 4-3. Metro Ethernet Services

Metro Ethernet Service                  U-PE <-> Customer    N-PE <-> Service Provider
EPL                                     QinQ[1]              WDM[2] wavelength; SONET/SDH[3] circuits
EWS                                     QinQ                 EoMPLS[4]
ERS                                     802.1q Trunk         EoMPLS
EMS                                     QinQ                 Ethernet or EoMPLS
ERMS                                    802.1q Trunk         EoMPLS
ATM/Frame Relay Ethernet Interworking   Frame Relay or ATM   EoMPLS

[1] QinQ = Stands for 802.1q in 802.1q and is also referred to as 802.1q tunneling
[2]
[3]
[4]
Note that the transparent services use QinQ facing the customer to provide "VLAN bundling" in a port-based service and achieve transparency for customer bridge protocol data units (BPDUs). On the other hand, the relay services use 802.1q trunking facing the customer in a VLAN-based service to provide the VLAN-multiplexed UNI; thus, they are opaque to customer BPDUs.
instance, networks would have an engineering VLAN, a marketing VLAN, a production VLAN, and so on. Although clients in each VLAN could be located anywhere within the enterprise, these VLANs had to span and be trunked across the entire network. Trunking enables traffic from several VLANs to be carried over a point-to-point link between two devices. Today, the use of VLANs is more restricted, and the "VLANs everywhere" model is no longer preferred. Instead of campus-wide VLANs, Layer 3 switches are preferred.
To facilitate this early design model, the Spanning Tree Protocol (STP) that is specified in the IEEE 802.1d standard was used. STP and the spanning-tree algorithm protect Ethernet networks from broadcast storms by detecting loops. The forwarding nature of Ethernet for broadcasts, multicast, and unknown unicasts can create loops. Broadcast storms are caused by loops. The scenario can become complex when using VLANs, so the role of STP is more critical with VLANs. Loops occur when redundant paths are implemented on the network. Redundant paths serve as a backup in case of link failure, which means they are important for the overall health of the network. Unfortunately, redundant links cause packets to loop between the switches that these links interconnect. To solve the loop problem, while preserving redundancy, you can implement STP. The next sections examine spanning-tree operation and implementation drawbacks a bit more closely.
A BPDU is defined in the IEEE 802.1d MAC Bridge Management protocol, which is the standard implementation of STP. The IEEE 802.1d flag or bit field consists of 8 bits. It is illustrated in Figure 4-4, along with the complete BPDU.
Bit 0: Topology Change flag.
Root Path Cost: Multiple of the root cost.
Message Age, Max Age, Hello Time, Forward Delay: These four timer values have times ranging from 0 to 256 seconds.
The root switch dictates that the root bridge will have all its ports in the forwarding mode. On each LAN segment, the switches elect the designated switch that is used for transporting data from that segment to the root switch. On the designated switch, the port that connects to the LAN segment that the switch serves is put in a forwarding mode. You must block all other switch ports across the network. The blocking of ports concerns only a switch-to-switch connection. Ports that are connected to workstations are not involved in a spanning-tree process and are left in a forwarding mode.
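The election just described, as an added Python example (not the book's code): on a constructed three-switch triangle with 802.1d-style bridge IDs and a cost of 19 per port, it selects the root bridge, one designated bridge per segment and one root port per other bridge, blocks the remaining port, and checks that the forwarding ports form a loop-free tree. The bridge IDs, port numbers and costs are made-up values, and the cost, bridge ID, port ID tie-break order is the 802.1d one, which the text does not spell out.

```python
"""802.1d spanning-tree port roles on a constructed triangle topology.

Added example, not the book's code. Bridge IDs (priority << 48 | MAC),
port numbers and the cost of 19 per port (the 802.1d default for 100 Mbps)
are made-up values chosen so that exactly one port ends up blocked.
"""

INF = float("inf")

# Constructed topology: segment -> [(bridge_id, port_id, port_path_cost), ...]
BRIDGE_A = 0x8000_0000_0000_0001   # lowest ID, so it becomes the root
BRIDGE_B = 0x8000_0000_0000_0002
BRIDGE_C = 0x8000_0000_0000_0003
TOPOLOGY = {
    "seg1": [(BRIDGE_A, 1, 19), (BRIDGE_B, 1, 19)],
    "seg2": [(BRIDGE_B, 2, 19), (BRIDGE_C, 2, 19)],
    "seg3": [(BRIDGE_A, 2, 19), (BRIDGE_C, 1, 19)],
}


def compute_port_roles(topology):
    """Return (root_bridge_id, {(bridge_id, port_id): role}).

    Roles follow the chapter: every root-bridge port and every designated
    port forwards, each non-root bridge keeps one root port, and all other
    switch-to-switch ports are blocked.
    """
    bridges = {b for ports in topology.values() for b, _, _ in ports}
    root = min(bridges)                                # lowest bridge ID wins
    root_cost = {b: (0 if b == root else INF) for b in bridges}
    root_port, designated = {}, {}

    # Relax like Bellman-Ford; positive costs make this converge.
    for _ in range(len(bridges) + len(topology)):
        before = (dict(root_cost), dict(root_port), dict(designated))
        for seg, ports in topology.items():
            # Designated bridge: lowest root path cost, then lowest bridge ID,
            # then lowest port ID (the 802.1d tie-break order).
            designated[seg] = min(ports, key=lambda p: (root_cost[p[0]], p[0], p[1]))
        for b in bridges - {root}:
            candidates = []
            for seg, ports in topology.items():
                dbridge, dport, _ = designated[seg]
                for bid, pid, cost in ports:
                    if bid == b and dbridge != b:      # cannot reach the root via itself
                        candidates.append((root_cost[dbridge] + cost, dbridge, dport, pid))
            if candidates:
                best = min(candidates)                 # root port tie-break order
                root_cost[b], root_port[b] = best[0], best[3]
        if (root_cost, root_port, designated) == before:
            break

    roles = {}
    for seg, ports in topology.items():
        dbridge, dport, _ = designated[seg]
        for bid, pid, _ in ports:
            if bid == root or (bid, pid) == (dbridge, dport):
                roles[(bid, pid)] = "designated"
            elif root_port.get(bid) == pid:
                roles[(bid, pid)] = "root"
            else:
                roles[(bid, pid)] = "blocked"
    return root, roles


def forwarding_is_loop_free(topology, roles):
    """True when the forwarding ports connect every bridge without a cycle."""
    parent = {}

    def find(x):
        while parent.setdefault(x, x) != x:
            x = parent[x]
        return x

    bridges = {b for ports in topology.values() for b, _, _ in ports}
    for ports in topology.values():
        ends = [b for b, p, _ in ports if roles[(b, p)] != "blocked"]
        if len(ends) < 2:
            continue                   # a blocked end: this segment carries no transit
        for b in ends[1:]:
            ra, rb = find(ends[0]), find(b)
            if ra == rb:
                return False           # second forwarding path to a bridge: a loop
            parent[ra] = rb
    return len({find(b) for b in bridges}) == 1


if __name__ == "__main__":
    root, roles = compute_port_roles(TOPOLOGY)
    print("root bridge: %016x" % root)
    for (bid, pid), role in sorted(roles.items()):
        print("bridge %016x port %d: %s" % (bid, pid, role))
    print("loop-free:", forwarding_is_loop_free(TOPOLOGY, roles))
```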
It is important to understand the difference in challenges posed by Metro Ethernet versus
traditional Layer 2 network technologies from the service provider's standpoint. Ethernet has
little intelligence. If the source and destination are known, the packet is forwarded. If the
destination is unknown, the packet is flooded. If the source was previously unknown, the
address is learned and the packet is forwarded. The rules look simple, but looks are deceiving.
For instance, if a loop occurs, a packet can keep traversing the network forever, which can
ultimately bring down the network.
As mentioned in the previous section, STP (IEEE 802.1d) protects the network against loops.
Although STP is a CPU-intensive protocol that takes, on average, 30 to 50 seconds to
reconverge, many service providers accustomed to Frame Relay's convergence of up to 60
seconds will find it acceptable. Moreover, Cisco has developed several enhancements to STP,
and the new Rapid Spanning Tree Protocol that is specified in IEEE 802.1w can further
minimize the convergence period.
Metro-wide VLANs with STP require a careful implementation strategy. Ideally, this
implementation involves a deterministic topology with a small amount of redundant
connections and VLANs spanning as few switches as possible. Good planning, however, can
enable a Layer 2 Ethernet transport network for the MAN to offer reliable, high-bandwidth
services to the enterprise.
In the pure Layer 2 model, which is a switched (not routed) core, described in this section, the
enterprise network forwards untagged frames to the service provider.
Note
The term untagged means without an 802.1q header and refers to the Ethernet II
frame you saw in Figure 4-1 or the 802.3 frame you saw in Figure 4-2. 802.1q
encapsulation is discussed in the "802.1q Tunneling" section later in this chapter.
In this scenario, the enterprise is not using STP through the service provider's core. The service
provider maps the enterprise's subnet to a VLAN. This VLAN is trunked throughout the entire
service provider network and ends at the destination enterprise. As far as the enterprise is
concerned, the routers appear directly connected, and the data transport is completely
transparent. The upcoming "802.1q Tunneling" section of this chapter discusses this topic in
more detail.
Utilizing pure Layer 2 solutions for Metro Ethernet is relatively simple and inexpensive.
Complications arise, however, when you deal with the inherent Layer 2 scalability issues.
Service providers cannot afford to underestimate cautious planning and deployment when it
comes to spanning tree and VLAN distribution issues. Most likely, service providers will want to
implement redundancy. Because spanning tree is required to protect against loops in the
network, an increase in the number of customer VLANs and locations can spin out of control
and result in network failure. Furthermore, it can complicate troubleshooting of a problem.
Cisco has developed some tools to aid administrators with the Layer 2 management to resolve
some of the Layer 2 issues with VLANs, STP, and scalability. These tools include the following:
VLAN Trunking Protocol (VTP) VTP is a Layer 2 messaging protocol that manages the
addition, deletion, and renaming of VLANs on a networkwide basis. It avoids the necessity
of having to do these tasks manually.
Dynamic Trunking Protocol (DTP) DTP gives a switch port the ability to automatically
negotiate the trunking method with the other network device.
STP Root Guard STP root guard forces a Layer 2 LAN interface to become a designated
port. If any device that is accessible through the interface becomes the root bridge, STP
Root Guard puts the interface into the root-inconsistent (blocked) state.
BPDU Guard BPDU Guard is an enhancement to STP that capitalizes on the predictability
of STP in certain network environments and disables BPDU forwarding on designated
ports.
In addition, Cisco uses the highest performance processors available to handle the STP
processing. To avoid the "VLANs everywhere" model, the service provider might offer the
enterprise multiple VLANs, one to each site.
The next section covers another Layer 2 technology, QinQ, that can be used as a transport
mechanism in Metro Ethernet networks.
802.1q tunneling is a tunneling mechanism that service providers can use to provide secure
Ethernet VPN services to their customers. Ethernet VPNs using QinQ are possible because of
the two-level VLAN tag scheme that QinQ uses. The outer VLAN tag is referred to as the
service provider VLAN and uniquely identifies a given customer within the network of the
service provider. The inner VLAN tag is referred to as the customer VLAN tag because the
customer assigns it. QinQ's use of double VLAN tags is similar to the label stack used in MPLS
to enable Layer 3 VPNs and Layer 2 VPNs. It is also possible for multiple customer VLANs to be
tagged using the same outer or service provider VLAN tag, thereby trunking multiple VLANs
among customer sites. Note that by using two VLAN tags (outer and inner VLAN), you achieve a
demarcation point between the domain of the customer and the domain of the service provider.
The service provider can use any VLAN scheme it decides upon to identify a given customer
within his provider network. Similarly, the enterprise customer can independently decide on a
VLAN scheme for the VLANs that traverse the service provider network without consulting the
service provider.
Following are the new fields inserted by "tagging":
Ethertype 2 bytes that identify an 802.1q frame and equal 0x8100. Ethertype is also
called Tag Protocol Identifier (TPID).
TCI 2 bytes of Tag Control Information that in turn contain the following:
Priority 3 bits that define the 802.1p user priority. They are also referred to as the
class of service (CoS) bits.
CFI 1-bit Canonical Format Identifier (CFI) for compatibility issues between
Ethernet-type networks and Token Ring-type networks.
VLAN ID A 12-bit field that identifies the VLAN.
IEEE 802.1p is a supplement to the IEEE 802.1d specification. It is intended for QoS
implementation on LANs, analogous to the three precedence bits in IP. 802.1p describes
mechanisms in switches for handling the time-sensitive traffic and reducing the impact of
high-bandwidth traffic within a LAN.
The IEEE 802.1p is needed because Ethernet, unlike Token Ring, does not inherently provide
support for priority levels in frames. Based on the MAC frame information, 802.1p provides an
in-band QoS signaling method for traffic classification. 802.1p also provides an optional
mechanism in switches for supporting end-to-end time-critical frame delivery.
Under IEEE 802.1p, eight CoSs are supported. The higher the value is, the higher the priority of
the frame. Zero, the lowest, stands for routine service with no priority specified. You can
configure switches in a LAN and different ports of a switch for several different priority levels.
Sometimes high-speed LANs do not require QoS capabilities. However, when backbone
networks are involved, QoS methods become necessary on service provider and enterprise
networks. You will learn more about QoS in Layer 2 VPN implementations in Chapters 9,
"Advanced AToM Case Studies," and 13, "Advanced L2TPv3 Case Studies." Now it is time to
examine the inner workings of 802.1q tunneling.
802.1q tunneling refers to multiple tagging of dot1Q frames as they enter a service provider
switch from a client switch. QinQ can tag or untag any frames that it receives from the
customer. 802.1q also has native VLAN frames that are untagged. The service provider
switch adds the outer VLAN tag.
The link between the 802.1q trunk port on a customer device and the tunnel port is known as
an asymmetrical link. One end is designated as an 802.1q trunk port, whereas the other end is
configured as a tunnel port. The tunnel port is configured with an access VLAN ID that is unique
to a customer, as shown in Figure 4-6.
Figure 4-6. Port Designation in a Service Provider Network
When a tunnel port receives tagged customer traffic from an 802.1q trunk port, it does not
strip the existing VLAN tag (imposed by the customer switch) from the frame header. Instead,
it leaves the 802.1q tag intact and adds a 2-byte Ethertype field (0x8100) followed by a 2-byte
field containing the priority (CoS) and the VLAN ID. The tunnel port treats the new tagged
frame as a Layer 2 frame where the Ethertype is not known to the service provider because it
is the bottom of the tag stack. It uses the outer or top VLAN tag for subsequent switching
inside the service provider infrastructure. The tagging process is demonstrated in Figure 4-7.
First, you see an original untagged frame (described in Figures 4-1 and 4-2), followed by a
customer VLAN tagged frame. Finally, you see the addition of a provider's 802.1q tag.
Figure 4-7. 802.1q Tag Addition
The tunnel port then puts the received customer traffic into the service provider VLAN that is
assigned to the tunnel port. Subsequently, that VLAN transports the customer traffic to the
next tunnel device. The customer VLAN (customer 802.1q tagged frames) is tunneled traffic
that is carried in a service provider VLAN 802.1q tunnel. The ports in the tunnel are the ingress
or egress points of the tunnel. The tunnel ingress and egress ports are not necessarily located
on the same device. To reach a remote site in the customer network in the egress tunnel port,
the tunnel can traverse multiple network links and multiple network devices (as many as
required for a particular customer support). When the frame reaches the other end of the
provider network, an egress tunnel port at the edge switch strips the outermost tag before
sending it to the customer network. Then the switch transmits the traffic out of the egress
tunnel port with the original 802.1q tag of the enterprise to an 802.1q trunk port on a customer
device. The 802.1q trunk port on the customer device strips the 802.1q tag and removes the
traffic from the tunnel.
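The tag layout from the field list earlier (TPID 0x8100, then 3-bit priority, 1-bit CFI and 12-bit VLAN ID) and the tunnel-port push-and-pop just described, as an added Python example that is not from the book: it packs and parses the tag stack, pushes the service-provider tag on top of the customer tag at the ingress tunnel port, and strips only the outermost tag at egress. The MAC addresses, VLAN numbers, payload and the max_frame limit are constructed assumptions for the demonstration.

```python
"""Added example: building and parsing 802.1q / QinQ tag stacks.

MAC addresses, VLAN numbers and payload are constructed sample values;
max_frame is an assumed limit (1518 untagged + two 4-byte tags).
"""
import struct

TPID_8021Q = 0x8100        # Ethertype that identifies an 802.1q tag (TPID)
ETHERTYPE_IPV4 = 0x0800

# --- Tag Control Information: 3-bit priority (CoS), 1-bit CFI, 12-bit VLAN ID ---

def encode_tci(pcp, cfi, vid):
    if not (0 <= pcp <= 7 and cfi in (0, 1) and 0 <= vid <= 0xFFF):
        raise ValueError("PCP must be 0-7, CFI 0 or 1, VLAN ID 0-4095")
    return (pcp << 13) | (cfi << 12) | vid

def decode_tci(tci):
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0xFFF

# --- Tag push/pop: a tag sits between the 12-byte DA/SA and the next Ethertype ---

def push_tag(frame, pcp, vid, cfi=0):
    """Insert a new 802.1q tag on top of whatever tags the frame already has."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    tag = struct.pack("!HH", TPID_8021Q, encode_tci(pcp, cfi, vid))
    return frame[:12] + tag + frame[12:]

def pop_tag(frame):
    """Strip the outermost 802.1q tag; untagged frames are rejected."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        raise ValueError("frame carries no 802.1q tag")
    return frame[:12] + frame[16:]

def parse_tags(frame):
    """Walk the tag stack outer-first. Returns (tags, inner Ethertype, payload),
    each tag as (pcp, cfi, vid). The first non-0x8100 Ethertype ends the stack."""
    tags, off = [], 12
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack("!H", frame[off:off + 2])
        if etype != TPID_8021Q:
            return tags, etype, frame[off + 2:]
        if len(frame) < off + 4:
            raise ValueError("truncated 802.1q tag")
        (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
        tags.append(decode_tci(tci))
        off += 4

# --- The asymmetrical link: customer trunk port <-> provider tunnel port ---

def tunnel_ingress(frame, sp_vid, cos, max_frame=1526):
    """Provider tunnel port: keep the customer tag (if any) and push the outer
    service-provider tag. Rejects frames that would exceed the assumed limit."""
    tagged = push_tag(frame, cos, sp_vid)
    if len(tagged) > max_frame:
        raise ValueError("frame plus 802.1q tags exceeds the maximum frame size")
    return tagged

def provider_forwarding_vlan(frame):
    """Inside the provider core only the outer (top) tag is consulted."""
    tags, _, _ = parse_tags(frame)
    if not tags:
        raise ValueError("frame is not tunneled")
    return tags[0][2]

def tunnel_egress(frame):
    """Egress tunnel port: strip only the outermost tag; the customer tag stays."""
    return pop_tag(frame)

# --- Constructed sample frame (locally administered MACs, dummy IPv4 payload) ---

DST_MAC = bytes.fromhex("0200000000aa")
SRC_MAC = bytes.fromhex("0200000000bb")
PAYLOAD = b"\x45\x00" + b"\x00" * 44
UNTAGGED_FRAME = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + PAYLOAD

def demo():
    """Run the frame through the tunnel as Figure 4-7 describes and return the
    outer-first tag list seen inside the provider network."""
    customer = push_tag(UNTAGGED_FRAME, pcp=0, vid=100)      # customer 802.1q trunk
    provider = tunnel_ingress(customer, sp_vid=2000, cos=5)   # ingress tunnel port
    assert tunnel_egress(provider) == customer                # egress restores it
    return parse_tags(provider)[0]

if __name__ == "__main__":
    print(demo())   # [(5, 0, 2000), (0, 0, 100)]
```

Because the core switches on the outer tag alone, parse_tags run over a frame captured inside the provider network is the quick check that a tunnel port is pushing the service-provider VLAN assigned to that customer and not another one.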
Note
An 802.1q trunk has an untagged native VLAN. When the port is in 802.1q trunk
mode, the native VLAN is used for untagged traffic. Therefore, the native VLAN and
all VLANs need to stay the same on both sides of the trunk.
802.1q Tunneling Guidelines and Restrictions
When you are configuring 802.1q tunneling, keep the following in mind:
Because 802.1q tunneled packets are processed as non-IP packets, Layer 3 packet
classification does not apply. You can consider only Layer 2 match criteria (for instance,
VLANs, source and destination MAC addresses, and 802.1p CoS bits) when filtering tunnel
traffic. (Untagged packets that are sent to a tunnel do not have to adhere to this
restriction inside the provider network.) Therefore, QoS for tunnel traffic can be provided
only for Layer 2.
Dot1Q tunnel ports are essentially access ports that support double-tagging of incoming
packets. Therefore, as far as Dynamic Trunking Protocol (DTP) is concerned, the port
mode of an 802.1q tunnel port is not negotiable. Hence, DTP does not work with
asymmetrical links because only one port on the link is configured as a trunk.
VTP does not work on an asymmetrical link or through a tunnel. To enable VTP between
two customer ports across a tunnel, configure the protocol tunneling on the tunnel
ports.
An asymmetrical link supports the following Layer 2 protocols:
UniDirectional Link Detection (UDLD) Allows devices to detect when a
unidirectional link exists. Because unidirectional links can cause spanning-tree loops,
UDLD shuts down a link when it detects unidirectional traffic.
Port aggregation protocol (PAgP) Used in the automatic creation of Fast
EtherChannel links.
Cisco Discovery Protocol (CDP) Disabled by default on a QinQ tunnel port to
prevent the service provider switch and the enterprise switch from seeing each
other. To use CDP between customer edge devices across the provider tunnel,
configure protocol tunneling for CDP on the tunnel ports.
As mentioned, traffic in the native VLAN is untagged and cannot be tunneled correctly.
Therefore, make sure that the native VLAN of the 802.1q trunk port in an asymmetrical
link does not carry traffic. Tag egress traffic in the native VLAN with 802.1q tags.
You can tunnel jumbo frames (that is, Ethernet frames in excess of the Ethernet frame
MTU and up to 9216 bytes in length) in the core. However, you need to support them in a
tunneled network (both in 802.1q tunnel ports and trunk ports in the provider network)
for tunneling to work correctly with all packet sizes. Also, the total length of the frame
plus 802.1q tag cannot exceed the maximum frame size.
If the VLAN of the tunnel port does not match the native VLAN of the 802.1q trunk, CDP
reports a native VLAN mismatch. Because the 802.1q tunnel feature does not require that
the VLANs match, you can ignore these messages in this case.
Enterprise and service provider switches should not participate in each other's STPs. To
ensure this does not happen, STP BPDU filtering is enabled by default on 802.1q tunnel
ports and access ports on provider switches. This makes BPDUs from the enterprise
network invisible to the provider and vice versa. On the flip side, self-loops from back-to-back
connection of the tunnel ports go undetected. To resolve this, all those ports on
provider edge switches that interface with a customer should have the Root Guard feature
enabled. This way, a customer switch does not mistakenly become an STP root. When you
configure protocol tunneling on the customer edge ports, customer switches on either end
of the tunnel can see STP BPDUs from other switches of that customer.
The maximum number of VLANs that the 802.1q standard allows in a Layer 2 domain is
4096, because the VLAN ID field is 12 bits and therefore permits 4096 variations (2^12 =
4096). Thus, the entire pure Layer 2 solution is bound to that number. It might or might
not become a significant hindrance depending on the requirements placed on a particular
service provider.
enterprises have moved on from pure Layer 2 networks to those that are Layer 3 switched,
Layer 2 still holds a great value for an Ethernet solution for a service provider.
Many enterprises and service providers are considering whether QinQ or 802.1q tunneling is
right for them. This technique solves the transparency problems for enterprises and enables
service providers to offer the desired Layer 2 VPN services at the same time. However, because
of some of the issues described in this chapter, QinQ might not work for everyone.
Understanding ATM
Before proceeding with a detailed examination of Layer 2 Tunneling Protocol Version 3
(L2TPv3) and Any Transport over MPLS (AToM), it is critical to understand the protocols that
these tunneling mechanisms transport. The four WAN data link layer protocols covered include
High-Level Data Link Control (HDLC), PPP, Frame Relay, and ATM.
This chapter introduces specific components of these Layer 2 protocols that are relevant to the
L2TPv3 and AToM pseudowire protocols explored later in this book. For each of these protocols,
the chapter examines the encapsulation format, any relevant control/management protocols
that the pseudowire protocols might have to emulate, and any inherent traffic-management
characteristics where applicable.
Consultative Committee for Telegraph and Telephone (CCITT), now known as International
Telecommunication Union (ITU-T), adopted HDLC for the X.25 Link Access Procedure when
developing standards for X.25 Data Transmission.
The frame formats between the ISO and ITU-T versions of HDLC share many similarities and
have also served as the basis for future protocols such as Frame Relay and PPP.
HDLC was defined to operate in the following three modes:
Each field is described as follows:
Flag The beginning and end of every HDLC frame must contain a 1-byte Flag Sequence field to delimit the frame. The flag sequence used is 01111110 (0x7E). Because these flags must be unique, it is critical that a 0x7E does not show up in the Data field. To avoid this scenario on synchronous links, HDLC uses a method known as bit stuffing, as defined in American National Standards Institute (ANSI) T1.618, to differentiate this sequence from a flag delimiter. If five consecutive 1s are detected, the bit stuffing technique inserts a 0 bit to avoid six consecutive 1s. Upon inspection of the frame, the receiving end removes the 0 bit when it detects five consecutive 1s to restore the original sequence. Two alternate flag fields include 0xFF to indicate an IDLE flag and 0x7F for an Abort flag.
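The bit stuffing rule described above, as an added example that is not code from the book: bits are modelled as strings so each stuffed 0 is visible, octets are serialised least-significant bit first as HDLC transmits them, and the receiver discards anything between flags that is not valid stuffed data (idle fill or an abort).

```python
"""HDLC bit stuffing on a synchronous link (added illustration, not code from the book).

Bits are '0'/'1' characters so every stuffed bit can be seen. Octets go on the
wire least-significant bit first; the 0x7E flag is then the pattern 01111110.
"""

FLAG = "01111110"  # 0x7E, the Flag Sequence that opens and closes every frame


def bytes_to_bits(data: bytes) -> str:
    """Serialise octets LSB first, as an HDLC transmitter does."""
    return "".join(format(byte, "08b")[::-1] for byte in data)


def bits_to_bytes(bits: str) -> bytes:
    """Inverse of bytes_to_bits; the caller guarantees len(bits) % 8 == 0."""
    return bytes(int(bits[i:i + 8][::-1], 2) for i in range(0, len(bits), 8))


def bit_stuff(bits: str) -> str:
    """Insert a 0 after every run of five 1s so six 1s never occur in user data."""
    out, ones = [], 0
    for b in bits:
        out.append(b)
        ones = ones + 1 if b == "1" else 0
        if ones == 5:
            out.append("0")  # the stuffed bit, removed again by the receiver
            ones = 0
    return "".join(out)


def bit_unstuff(bits: str):
    """Drop the 0 that follows each run of five 1s.

    Returns None when the run is followed by a 1 (a flag or an abort, never
    data) or when the stream ends where a stuffed 0 was expected.
    """
    out, ones, expect_stuffed_zero = [], 0, False
    for b in bits:
        if expect_stuffed_zero:
            if b != "0":
                return None
            expect_stuffed_zero = False
            continue
        out.append(b)
        ones = ones + 1 if b == "1" else 0
        if ones == 5:
            expect_stuffed_zero, ones = True, 0
    return None if expect_stuffed_zero else "".join(out)


def frame(payload: bytes) -> str:
    """Delimit the stuffed payload with an opening and a closing flag."""
    return FLAG + bit_stuff(bytes_to_bits(payload)) + FLAG


def deframe(stream: str) -> list:
    """Recover every well-formed frame from a bit stream.

    Stuffing guarantees that data never contains six consecutive 1s, so the
    flag pattern can only occur at frame boundaries and the stream can be
    split on it. Chunks that are not valid stuffed data (the all-ones IDLE
    fill 0xFF, an Abort, or a non-octet-aligned chunk) are discarded.
    """
    frames = []
    for chunk in stream.split(FLAG):
        if not chunk:
            continue  # back-to-back flags carry no frame
        bits = bit_unstuff(chunk)
        if bits is None or len(bits) % 8:
            continue
        frames.append(bits_to_bytes(bits))
    return frames
```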
Note

On asynchronous links, HDLC uses byte stuffing (sometimes referred to as character stuffing or escaping) to transform illegal byte values into a set of legal characters. The receiving end reverses this mechanism to obtain the original values.
Address The Address field uniquely identifies each of the stations on the HDLC link.
Depending on the operational mode (NRM, ARM, or ABM), the Address field could contain
the primary or secondary station's address when sending command and response
messages. ISO standard 3309 can be referenced for more detail on the use of the
Address field.
In Cisco HDLC encapsulation, instead of uniquely identifying a station, the Address field
indicates the frame type.
Valid values include these:
0x20 for compressed frame
Information frame Figure 5-2 lays out the Control field octet for an information frame. The first bit of the control octet set to 0 indicates that the frame is an information frame. The N(S) and N(R) are 3-bit fields containing the transmitter's send and receive sequence numbers respectively. The P/F bit indicates whether this is a command request or response.

Figure 5-2. Information Frame Control Field Format
Supervisory frame Figure 5-3 lays out the Control field octet for a supervisory frame. The supervisory frame has a similar format to the information frame except that the first two bits are set to 0 and 1 to distinguish this frame as a supervisory frame, and bits 3 and 4 are supervisory function bits. The remaining fields have the same meaning as in the information frame.
Protocol The Protocol field identifies the upper-layer protocol stored in the succeeding Information field. Cisco adopted standard Ethertype values to identify most protocols (see Table 5-1), but it also developed additional protocol values for Layer 3 protocols that normally do not exist on Ethernet (see Table 5-2).
Table 5-1. Standard Ethertype values used in the Cisco HDLC Protocol field

  Protocol                                                            Value
  Xerox Network Systems (XNS)                                         0x0600
  IP                                                                  0x0800
  Chaos                                                               0x0804
  Address Resolution Protocol (ARP), RFC 826                          0x0806
  Virtual Integrated Network Service (VINES) IP                       0x0BAD
  VINES ECHO                                                          0x0BAF
  DECnet Phase IV                                                     0x6003
  Apollo Domain                                                       0x8019
  Cisco SLARP                                                         0x8035
  Digital Equipment Corporation (DEC) Bridge Spanning Tree Protocol   0x8038
  Apple Ethertalk                                                     0x809b
  AppleTalk ARP                                                       0x80f3
  Novell Internetwork Packet Exchange (IPX)                           0x8137
  Multiprotocol Label Switching (MPLS) Unicast                        0x8847

Table 5-2. Cisco-assigned Protocol field values for Layer 3 protocols that normally do not exist on Ethernet

  Protocol                                                            Value
                                                                      0x0808
  IEEE Bridge Spanning Protocol                                       0x4242
  Bridged Ethernet/802.3                                              0x6558
  ISO Connectionless Network Protocol (CLNP)/International
  Organization for Standardization (ISO) End System-to-Intermediate
  System (ES-IS) destination service access point (DSAP)/SSAP         0xFEFE
  Novell IPX, Standard Form                                           0x1A58
  ES-IS                                                               0xEFEF
  RSRB Raw                                                            0x1996
  STUN Serial Tunnel                                                  0x1997
  Compressed TCP                                                      0x1999
Note
in turn, required PPP to support a Protocol field to allow for multiplexing several network
layer protocols over the same point-to-point link.
Error detection PPP must be able to detect errors in the encapsulated frames.
Network layer address negotiation PPP must support dynamic learning and
negotiation of network layer addresses.
Transparency PPP cannot restrict the network layer protocols to avoid certain characters or bit patterns. Instead, PPP must be fully transparent to higher layer protocols. Furthermore, PPP must handle any character or bit pattern restrictions through means such as bit stuffing or escaping.
The finalized RFC also described features that PPP explicitly did not require, such as these:
PPP's capabilities. RFC 1570 defines additional extensions to the LCP mechanism, and RFC 1990
defines Multilink PPP (MLPPP), which provides a means for link aggregation.
Note

This discussion primarily examines the basic format of PPP data encapsulation as defined in RFCs 1661 and 1662. This discussion does not delve into the negotiation aspects of LCP and the various NCPs because the pseudowire emulation protocols do not interact with PPP at that level.
Note
Similar to HDLC, PPP utilizes byte stuffing on asynchronous links.
Note

When you perform Address and Control Field Compression (ACFC), the Address and Control fields are omitted. Furthermore, the Protocol field is reduced to a single octet when performing Protocol Field Compression (PFC). Both ACFC and PFC are negotiated in the Link Establishment phase. You can obtain additional details on this in RFC 1661.
Protocol The Protocol field is a 2-octet field which identifies the encapsulated protocol. The Internet Assigned Numbers Authority (IANA) administers the assigned PPP protocol numbers. You can find the numbers at http://www.iana.org/assignments/ppp-numbers. Note that the IANA-assigned PPP protocol values do not match the Cisco-assigned protocol values used in HDLC.
Information The Information field is a variable-length field that contains upper layer protocol data.
FCS The FCS is a 2-octet CRC calculated over the Address, Control, Protocol, Information, and Padding fields. If negotiated, PPP also supports a 4-octet FCS field.
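The PPP frame fields above on an asynchronous link, as an added example that is not code from the book: the 16-bit FCS of RFC 1662 computed over Address, Control, Protocol and Information, the byte stuffing (escaping) the earlier Note refers to, and a receiver that accepts frames with ACFC and PFC in effect. Assumptions of the example: protocol 0x0021 (IPv4) as the sample protocol number and the RFC 1662 default ACCM that escapes every control character below 0x20.

```python
"""PPP framing on an asynchronous link per RFC 1662 (added example, not code from the book)."""

FLAG, ESC, XOR = 0x7E, 0x7D, 0x20   # flag, escape octet, and the escape transform
ADDRESS, CONTROL = 0xFF, 0x03       # all-stations address, UI control
GOOD_FCS16 = 0xF0B8                 # CRC residue left by a frame whose FCS is correct
DEFAULT_ACCM = 0xFFFFFFFF           # escape all of 0x00..0x1F until LCP negotiates otherwise

# CRC-16 table for the reflected polynomial 0x8408 (the "pppfcs16" of RFC 1662)
_FCS_TABLE = []
for _i in range(256):
    _v = _i
    for _ in range(8):
        _v = (_v >> 1) ^ 0x8408 if _v & 1 else _v >> 1
    _FCS_TABLE.append(_v)


def ppp_fcs16(data: bytes, fcs: int = 0xFFFF) -> int:
    """Running FCS over data; the transmitted FCS is this value complemented."""
    for b in data:
        fcs = (fcs >> 8) ^ _FCS_TABLE[(fcs ^ b) & 0xFF]
    return fcs


def escape(raw: bytes, accm: int = DEFAULT_ACCM) -> bytes:
    """Byte stuffing: flag, escape and ACCM-selected control octets become ESC, octet ^ 0x20."""
    out = bytearray()
    for b in raw:
        if b in (FLAG, ESC) or (b < 0x20 and (accm >> b) & 1):
            out += bytes((ESC, b ^ XOR))
        else:
            out.append(b)
    return bytes(out)


def unescape(stuffed: bytes) -> bytes:
    """Reverse escape(); a dangling ESC at the end of the frame is an error."""
    out, i = bytearray(), 0
    while i < len(stuffed):
        if stuffed[i] == ESC:
            i += 1
            if i == len(stuffed):
                raise ValueError("escape octet at end of frame")
            out.append(stuffed[i] ^ XOR)
        else:
            out.append(stuffed[i])
        i += 1
    return bytes(out)


def build_frame(protocol: int, info: bytes, acfc: bool = False, pfc: bool = False) -> bytes:
    """Flag + escaped(Address Control Protocol Information FCS) + Flag."""
    body = bytearray()
    if not acfc:
        body += bytes((ADDRESS, CONTROL))
    if pfc and protocol < 0x100:
        body.append(protocol)              # PFC: the leading 0x00 octet is omitted
    else:
        body += protocol.to_bytes(2, "big")
    body += info
    fcs = ppp_fcs16(bytes(body)) ^ 0xFFFF  # complement, then send the low octet first
    body += bytes((fcs & 0xFF, fcs >> 8))
    return bytes((FLAG,)) + escape(bytes(body)) + bytes((FLAG,))


def parse_frame(wire: bytes):
    """Reverse build_frame; returns (protocol, information) or raises ValueError."""
    if len(wire) < 2 or wire[0] != FLAG or wire[-1] != FLAG:
        raise ValueError("frame not delimited by flags")
    body = unescape(wire[1:-1])
    if len(body) < 3 or ppp_fcs16(body) != GOOD_FCS16:
        raise ValueError("FCS check failed")
    body, pos = body[:-2], 0
    if body[:2] == bytes((ADDRESS, CONTROL)):
        pos = 2                            # fields present, ACFC not in effect
    if pos >= len(body):
        raise ValueError("missing protocol field")
    if body[pos] & 1:                      # odd first octet: PFC compressed the protocol
        protocol, pos = body[pos], pos + 1
    elif pos + 2 <= len(body):
        protocol, pos = int.from_bytes(body[pos:pos + 2], "big"), pos + 2
    else:
        raise ValueError("truncated protocol field")
    return protocol, body[pos:]
```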
The increased availability of error-free transmission lines reduces the need for protocols such as X.25 that perform hop-by-hop error correction. Instead, Frame Relay relies on higher level protocols to perform end-to-end error correction and flow control.
Whereas X.25 requires packet processing at Layer 3, Frame Relay strictly operates at Layer 2. This reduces the switching requirements drastically and reduces per-hop delay.
Unlike time-division multiplexing (TDM)-based circuits, which provide fixed point-to-point connectivity, Frame Relay provides network connectivity via packet switching over logical virtual circuits that are similar to X.25. Frame Relay accomplishes this by using a data-link connection identifier (DLCI) to uniquely distinguish virtual circuits on a physical link. This allows for more flexibility and more efficient data transmission through statistical multiplexing.
Frame Relay has subsequently been extended further in the Frame Relay Forum (FRF) standards body to support multiple features such as MultiLink Frame Relay (MLFR), defined in FRF.16, and Frame Relay Fragmentation, defined in FRF.11 and FRF.12.
As you will learn in subsequent chapters that explore L2TPv3 and AToM transport of Frame Relay, both pseudowire protocols interact with three aspects of Frame Relay:

Frame Relay encapsulation to transport the Frame Relay frame on the pseudowire
Control Management/Protocol such as Operation, Administration, and Maintenance (OAM) to properly reflect attachment circuit and pseudowire state
Traffic management to emulate Frame Relay's inherent traffic management capabilities

This section explores these aspects of Frame Relay as a reference for later chapters.

Encapsulation

To better understand how Frame Relay provides its functionality, this section examines the Frame Relay frame structure. The Frame Relay frame format is standardized in two separate standard bodies:
Internationally via the ITU-T (formerly known as the CCITT) Q.922 Annex A specification
Domestically in the United States via the ANSI T1.618 specification
Figure 5-6 illustrates the basic Frame Relay encapsulation per the Q.922 Annex A specification.
The Frame Relay fields are described as follows:
Flag Like HDLC and PPP, the beginning and end of every Frame Relay frame is delimited with a 01111110 (0x7E).
Address The Address field is a 2-byte header that contains several subfields:
DLCI The DLCI is a 10-bit field that uniquely represents a virtual connection on a physical channel. If extended addressing is used, a 17- and 23-bit DLCI address is supported.

CR The Command/Response bit is not defined and not used.

EA The Extended Address bit is the last bit in each header byte. A value of 0 indicates that another header byte follows, whereas a value of 1 indicates that this is the last header byte. This definition allows Frame Relay to support larger DLCI values.

FECN (FE) The forward explicit congestion notification bit is set to 1 to indicate to the receiver that the frame encountered network congestion. The FECN is set on traffic sent from the sender to the receiver.

BECN (BE) The backward explicit congestion notification bit is set to 1 to indicate to the sender that the frame encountered network congestion. Because the BECN bit is set on frames traveling in the opposite direction of the frames that experienced congestion, there must be return traffic from the receiver toward the sender to accomplish this feedback loop. Both FECN and BECN bits should signify to upper layer protocols to perform some action upon indication of congestion.

DE The discard eligible bit indicates whether this frame can be dropped in response to network congestion. A value of 0 indicates a higher priority frame versus a frame marked with a DE value of 1.
Information The Information field is a variable length field from 5 to 4096 octets that
contains upper layer protocol data.
FCS The FCS is a 16-bit CRC calculated against the Frame Header and Data fields to
detect errors.
One of the items lacking in the ITU-T Q.922 Annex A and ANSI T1.618 Frame Relay frame structure is a field indicating the type of Layer 3 data stored in the Information field. In RFC 1490 (made obsolete by RFC 2427), the IETF extended the Frame Relay structure that was defined in previous standards to support a method of multiprotocol transport on Frame Relay. The Frame Relay format was extended, as illustrated in Figure 5-7.

In addition to the Flag, Address, Information, and FCS fields, RFC 2427 defines the following fields:
Control The Control field contains a value of 0x03 to indicate that this is an Unnumbered Information (UI) frame unless it is negotiated otherwise.

Padding You can add an optional 1-byte pad to alter the frame size to an even value.

Network Layer Protocol Identifier (NLPID) The NLPID identifies the Layer 3 protocol that is stored in the Information field. ISO/IEC TR 9577 defines the NLPID values. The NLPID is only 1-byte long, so the number of protocols that this field can represent is limited.
In those cases in which the NLPID is not defined for a protocol, the NLPID is set to 0x80 and an
additional Subnetwork Access Protocol (SNAP) is added. Figure 5-8 illustrates the SNAP header
format.
The SNAP fields are described as follows:
OUI The Organizationally Unique Identifier is a 3-octet field identifying the organization that administers the succeeding 1-byte Protocol Identifier (PID). Routed PDUs use an OUI of 0x000000 whereas Bridged PDUs use an OUI of 0x0080C2.

Protocol Identifier (PID) PID is a 1-octet field managed by the organization identified in the preceding OUI. The OUI and PID values together represent a unique protocol.
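A decoder for the Q.922 Annex A address field and the RFC 2427 Control/Pad/NLPID/SNAP encapsulation described above, as an added example that is not code from the book. It assumes flags and the FCS have already been handled by the link layer, reads the SNAP header as a 3-octet OUI followed by the 2-octet PID that RFC 2427 specifies, and takes its sample NLPID values (0xCC for IP, 0x80 for SNAP) and the bridged Ethernet PID 0x0007 from RFC 2427 and ISO/IEC TR 9577; the two frames it decodes are constructed here.

```python
"""Q.922 Annex A header and RFC 2427 multiprotocol encapsulation (added example, not book code)."""

NLPID_SNAP, NLPID_IP = 0x80, 0xCC
NLPID_NAMES = {0x08: "Q.933", 0x80: "SNAP", 0x81: "ISO CLNP", 0x8E: "IPv6", 0xCC: "IP", 0xCF: "PPP"}
OUI_ROUTED, OUI_BRIDGED = 0x000000, 0x0080C2


def build_q922_address(dlci, cr=0, fecn=0, becn=0, de=0):
    """Two-octet address: DLCI(6) C/R EA=0 | DLCI(4) FECN BECN DE EA=1."""
    if not 0 <= dlci <= 1023:
        raise ValueError("a two-octet header carries a 10-bit DLCI")
    octet1 = ((dlci >> 4) << 2) | (cr << 1)          # EA = 0: another header octet follows
    octet2 = ((dlci & 0xF) << 4) | (fecn << 3) | (becn << 2) | (de << 1) | 1
    return bytes((octet1, octet2))


def parse_q922_address(buf):
    """Return ({dlci, cr, fecn, becn, de}, offset of the first octet after the address)."""
    if len(buf) < 2:
        raise ValueError("truncated address")
    o1, o2 = buf[0], buf[1]
    if o1 & 1:
        raise ValueError("EA=1 in the first octet: not a Q.922 address")
    if not o2 & 1:
        raise ValueError("extended (17-/23-bit DLCI) addressing is not handled here")
    fields = {
        "dlci": ((o1 >> 2) << 4) | (o2 >> 4),
        "cr": (o1 >> 1) & 1,
        "fecn": (o2 >> 3) & 1,
        "becn": (o2 >> 2) & 1,
        "de": (o2 >> 1) & 1,
    }
    return fields, 2


def build_rfc2427_frame(dlci, payload, nlpid=None, oui=None, pid=None, **addr_bits):
    """Address + Control 0x03 + NLPID, or + pad + NLPID 0x80 + SNAP when no NLPID exists."""
    frame = bytearray(build_q922_address(dlci, **addr_bits))
    frame.append(0x03)                                   # UI control field
    if nlpid is not None:
        frame.append(nlpid)
    else:
        frame += bytes((0x00, NLPID_SNAP))               # pad octet keeps the SNAP header aligned
        frame += oui.to_bytes(3, "big") + pid.to_bytes(2, "big")
    return bytes(frame) + payload


def parse_rfc2427_frame(frame):
    """Decode the header bits and the protocol identification in front of the payload."""
    addr, pos = parse_q922_address(frame)
    if pos >= len(frame) or frame[pos] != 0x03:
        raise ValueError("expected UI control field 0x03")
    pos += 1
    if pos < len(frame) and frame[pos] == 0x00:
        pos += 1                                         # optional pad octet
    if pos >= len(frame):
        raise ValueError("missing NLPID")
    nlpid = frame[pos]
    pos += 1
    proto = {"nlpid": nlpid, "name": NLPID_NAMES.get(nlpid, "unknown NLPID")}
    if nlpid == NLPID_SNAP:
        if pos + 5 > len(frame):
            raise ValueError("truncated SNAP header")
        oui = int.from_bytes(frame[pos:pos + 3], "big")
        pid = int.from_bytes(frame[pos + 3:pos + 5], "big")
        pos += 5
        kind = {OUI_ROUTED: "routed Ethertype", OUI_BRIDGED: "bridged PID"}.get(oui, "vendor OUI")
        proto.update(oui=oui, pid=pid, name="%s 0x%04X" % (kind, pid))
    return addr, proto, frame[pos:]
```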
Cisco has an alternative Frame Relay encapsulation method to identify the Layer 3 payload. Instead of using an NLPID, Cisco uses a Protocol field to perform a similar function. Figure 5-9 illustrates the Cisco format. The Protocol field is a 2-byte field that is equal to the IEEE Ethertype or Cisco-invented codes to represent the protocol that is stored in the Information field.

Figure 5-9. Cisco Frame Relay Frame Structure
Frame Relay Link Management Interface Protocol
The initial Frame Relay standards by ANSI and ITU-T failed to provide a means to allow the Frame Relay network and the Frame Relay device to communicate their status. In 1990, Cisco, Nortel, DEC, and StrataCom (known as the Gang of Four) developed an interim specification known as Local Management Interface (LMI) to meet this requirement. The goal of the LMI was to primarily allow for the exchange of information regarding the link/device status and the notification of logical circuit status. LMI accomplishes this goal by having the Frame Relay end device (data terminal equipment, or DTE) send polls while the Frame Relay network (data communication equipment, or DCE) responds to these polls over a predetermined DLCI. Although LMI refers to the Gang of Four specification, it is also the general term for this data link mechanism. The ITU-T (Annex A Q.933) and ANSI (Annex-D T1.617) developed and standardized subsequent variations of LMI.

This section explores the Gang of Four LMI implementation, sometimes referred to as Cisco LMI, and later addresses the differences when compared to the ANSI and ITU-T standards.

The LMI message contains a 5-byte header, a 1-byte message type, one or more information elements of variable length, and a 2-byte CRC as illustrated by Figure 5-10.

Figure 5-10. LMI Message Format
The first two bytes of the header are the same as the standard Frame Relay header shown in Figure 5-9. They contain the DLCI, CR, FECN, BECN, DE, and EA bits. However, the Gang of Four implementation uses a fixed DLCI value of 1023 to communicate.
The LMI Message Format fields are described as follows:
Control The Control field is fixed at 0x03 to indicate that this is an unnumbered frame.
Protocol The Protocol field is fixed at 0x09 to indicate that this is an LMI frame.
Call Reference The Call Reference field is unused and is fixed at 0x00.

Message Type The Message Type field is a 1-byte value corresponding to the category of message that is being sent.
The three common message types are as follows:
Status Enquiry 0x75
Status 0x7D
Update Status 0x7B
Information Element The Information Element is a variable length field that is
composed of three additional fields:
The type of Information Element passed depends on the preceding message type.
User-to-Network Interface (UNI) A UNI connects a Frame Relay end device (DTE) to the Frame Relay network device (DCE).
Regardless of whether the status enquiry message is a link integrity verification or a full status record, the message contains the following three components:
LayerThis
2 VPN
Architectures
introduces
readers
to Layer
2 sent.
Virtual
Message Type
byte
field indicates
the type of
message
that is
InPrivate
the case of a
Network
(VPN)isconcepts,
and describes Layer 2 VPN techniques via
status enquiry,
this value
0x75.
introductory case studies and comprehensive design scenarios. This book
Report Information
Element
Thetofirst
information
element identifies
the type
assists readers
looking
meet
those requirements
by explaining
theof
request: linkhistory
integrity
(0x01)details
or fullof
status
record
(0x00). available from
andverification
implementation
the two
technologies
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSKeepalive Information
Element
second Protocol
information
element
exchanges
the
based cores and
Layer 2The
Tunneling
version
3 (L2TPv3)
for native
sequence number
values.
The
Send
Sequence
octet
should
contain
the
sender's
IP cores. The structure of this book is focused on first introducing thecurrent
sequence number,
whereas
Receive
Sequence
octet contains
the last sequence
reader to
Layer 2the
VPN
benefits
and implementation
requirements
and
number thatcomparing
the senderthem
received.
Theof
Frame
endVPNs,
device
increments
sequence
to those
LayerRelay
3 based
such
as MPLS,itsthen
number withprogressively
every status covering
enquiry message
that isavailable
sent. Similarly,
Frame Relay
each currently
solutionthe
in greater
detail.
network device increments its sequence number with every status message that is sent.
Report information element The first information element identifies the type of
request: link integrity verification (0x01) or full status record (0x00).
PVC status information element  In a full status record, an additional PVC status information element is sent for each PVC on the port. In addition to the two octets after the length, which dictate the DLCI that this information element is reporting on, an additional octet indicates the PVC status. The first 4 bits indicating PVC state are as follows:

N  New bit. The New bit indicates whether the PVC was newly added since the last full status report (1) or was already provisioned before the last full status report (0).

D  Deleted bit. The Deleted bit is not used in a status message.

A  Active bit. The Active bit indicates whether the PVC is active (1) or failed (0).

R  Receiver bit. The Receiver bit is an optional implementation that provides a simple flow control mechanism to signal the end device to stop sending traffic to this particular PVC.

The latter three octets of the PVC status information element are optional. They indicate the bandwidth of the PVC and are specific to Gang of Four LMI.
Figure 5-12 shows the format of a status message containing a full status record.

Figure 5-12. Status Message Frame
Frame Relay network device to the Frame Relay end device to convey changes in the interface's PVC state.

The format of an update status message is similar to a status message with a few minor differences (see Figure 5-13). The update status message consists of a message type, a report type information element, and a PVC status information element for only those PVCs that have changed state. No keepalive information element exchanges sequence numbers. The Deleted bit in the PVC Status octet is set in this message to indicate PVC removal; however, the New bit cannot be set in the update status.
The Gang of Four LMI uses DLCI 1023, whereas both Annex D and Annex A use DLCI 0.

Reserved DLCI ranges differ among Annex A, Annex D, and the Gang of Four implementation. For a 10-bit DLCI address, Annex A and Annex D define a user DLCI range from 16 to 991, whereas the Gang of Four range is 16 to 1007. Annex A and Annex D are supported in an NNI environment, whereas the Gang of Four LMI is supported only on UNI.

Gang of Four LMI supports optionally carrying the PVC bandwidth in the PVC status information element.

The Gang of Four LMI uses a lower error threshold (N392) of 2 for failed status message replies, compared to the Annex D and Annex A value of 3. A full description of the different timers and their standard defined values for each LMI type is listed in Table 5-3.
Table 5-3. Frame Relay LMI Timers

Title | Description | Cisco LMI | Annex D | Annex A
N391 Full Status Polling Counter | Number of polling cycles after which a full status record request is made. | 6 | 6 | 6
N392 Error Threshold | Number of failed events out of the N393 monitored events before declaring the port in alarm. | 2 | 3 | 3
N393 Monitored Events Count | Number of events monitored by the port, used to determine the port alarm state. | 4 | 4 | 4
T391 Link Integrity Polling Verification Timer | Time (in seconds) between status enquiry messages. | 10 | 10 | 10
T392 Polling Verification Timer | Time interval (in seconds) within which a status message is expected in reply to a status enquiry message. If it is not received in time, an N392 error is logged. | 15 | 15 | 15
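The following Python is an added example, written for this page and not taken from the book or from Cisco, that encodes and decodes the LMI messages described above and applies the N392-of-N393 threshold from Table 5-3. It takes from the text the protocol field 0x09, call reference 0x00, message types 0x75/0x7D/0x7B, report types 0x00/0x01, DLCI 1023 and the N/D/A/R flags. Everything else is an assumption of the example: the Q.922 address octet layout and the UI control byte 0x03, the information element identifiers (0x01 report type, 0x03 keepalive, 0x07 PVC status), where the DLCI and the N/D/A/R bits sit inside the PVC status IE, and that sequence numbers cycle 1 to 255 without using 0.

```python
from collections import deque

# Values from the text: Gang of Four LMI on DLCI 1023, protocol 0x09, call reference 0x00.
LMI_DLCI = 1023
PROTOCOL, CALL_REF, UI_CONTROL = 0x09, 0x00, 0x03        # UI control byte 0x03 is an assumption
STATUS_ENQUIRY, STATUS, UPDATE_STATUS = 0x75, 0x7D, 0x7B
FULL_STATUS, LINK_INTEGRITY = 0x00, 0x01
# Information element identifiers: assumed Gang of Four values, not given on the page.
IE_REPORT_TYPE, IE_KEEPALIVE, IE_PVC_STATUS = 0x01, 0x03, 0x07


def address_field(dlci: int) -> bytes:
    """Q.922 two-octet address (assumed layout): DLCI high 6 bits, C/R, EA=0 | DLCI low 4 bits, FECN, BECN, DE, EA=1."""
    return bytes([((dlci >> 4) & 0x3F) << 2, ((dlci & 0xF) << 4) | 0x01])


def pvc_status_ie(dlci: int, new=False, deleted=False, active=True, receiver=False) -> bytes:
    """PVC status IE: id, length, two DLCI octets, status octet with N D A R in its low four bits (bit layout assumed)."""
    status = 0x80 | (int(new) << 3) | (int(deleted) << 2) | (int(active) << 1) | int(receiver)
    return bytes([IE_PVC_STATUS, 3, (dlci >> 4) & 0x3F, 0x80 | ((dlci & 0xF) << 3), status])


def build_message(msg_type, report_type, send_seq, recv_seq, pvcs=(), keepalive=True) -> bytes:
    """Status enquiry / status / update status frame. An update status carries no keepalive IE."""
    body = bytes([IE_REPORT_TYPE, 1, report_type])
    if keepalive:
        body += bytes([IE_KEEPALIVE, 2, send_seq, recv_seq])
    for dlci, flags in pvcs:
        body += pvc_status_ie(dlci, **flags)
    return address_field(LMI_DLCI) + bytes([UI_CONTROL, PROTOCOL, CALL_REF, msg_type]) + body


def parse_message(frame: bytes) -> dict:
    """Decode the fixed header, then walk the id/length/value information elements."""
    if len(frame) < 6 or frame[2] != UI_CONTROL or frame[3] != PROTOCOL or frame[4] != CALL_REF:
        raise ValueError("not an LMI frame")
    msg = {"dlci": ((frame[0] >> 2) << 4) | (frame[1] >> 4), "type": frame[5], "pvcs": []}
    i = 6
    while i < len(frame):
        ie_id, length = frame[i], frame[i + 1]
        data = frame[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated information element")
        if ie_id == IE_REPORT_TYPE:
            msg["report_type"] = data[0]
        elif ie_id == IE_KEEPALIVE:
            msg["send_seq"], msg["recv_seq"] = data[0], data[1]
        elif ie_id == IE_PVC_STATUS:
            s = data[2]
            msg["pvcs"].append({"dlci": ((data[0] & 0x3F) << 4) | ((data[1] >> 3) & 0xF),
                                "new": bool(s & 8), "deleted": bool(s & 4),
                                "active": bool(s & 2), "receiver": bool(s & 1)})
        i += 2 + length
    return msg


class DtePoller:
    """End-device (DTE) side: sends status enquiries, checks sequence numbers, tracks N392 of N393 errors."""

    def __init__(self, n391=6, n392=3, n393=4):          # Annex D / Annex A values from Table 5-3
        self.n391, self.n392 = n391, n392
        self.events = deque(maxlen=n393)                 # outcome of the last N393 polls, True = error
        self.send_seq = self.recv_seq = self.polls = 0

    def status_enquiry(self) -> bytes:
        self.polls += 1
        self.send_seq = 1 if self.send_seq == 255 else self.send_seq + 1   # 0 is never used (assumed)
        report = FULL_STATUS if self.polls % self.n391 == 0 else LINK_INTEGRITY
        return build_message(STATUS_ENQUIRY, report, self.send_seq, self.recv_seq)

    def handle_status(self, frame: bytes) -> bool:
        """A valid reply echoes our current send sequence in its receive sequence octet."""
        msg = parse_message(frame)
        ok = msg["type"] == STATUS and msg.get("recv_seq") == self.send_seq
        if ok:
            self.recv_seq = msg["send_seq"]
        self.events.append(not ok)
        return ok

    def no_reply(self) -> None:
        """T392 expired without a status message: counts as an N392 error."""
        self.events.append(True)

    @property
    def in_alarm(self) -> bool:
        return sum(self.events) >= self.n392


if __name__ == "__main__":
    dte, dce_seq = DtePoller(), 0
    for _ in range(6):                                   # the sixth poll is a full status request
        enq = parse_message(dte.status_enquiry())
        dce_seq += 1
        pvcs = [(16, {"active": True}), (17, {"new": True, "active": False})] if enq["report_type"] == FULL_STATUS else []
        reply = build_message(STATUS, enq["report_type"], dce_seq, enq["send_seq"], pvcs)
        print(dte.handle_status(reply), parse_message(reply)["pvcs"])
```

handle_status treats a reply whose Receive Sequence does not echo the last Send Sequence as an error, the same way a missing reply is counted; in_alarm becomes true once N392 of the last N393 polls have failed, which with the Cisco LMI values (2 of 4) trips one poll sooner than with the Annex A/D values (3 of 4).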
Managing Traffic

Frame Relay services typically provide traffic throughput guarantees per PVC. To meet those guarantees, it is critical that a mechanism be in place to provide traffic management capabilities. Frame Relay employs Frame Relay policing to determine the ingress traffic admission policy and Frame Relay shaping for egress traffic management.

Frame Relay Traffic Policing

Frame Relay traffic policing is a quality of service (QoS) mechanism that is applied on ingress into the network as a means of admission control to limit the amount of traffic that an end device can send into the network.

Frame Relay policing can be represented as a token-based abstraction known as a leaky bucket model. Essentially, the leaky bucket model determines whether a frame is compliant or noncompliant based on the fate of a frame's associated token. The leak rate of these buckets represents the admission rate of traffic.

Excess burst (Be)  The amount of excess traffic allowed during a Tc interval. This is represented in the dual leaky bucket model as part of the depth of the second leaky bucket. Be can be set to 0 to cause all noncompliant frames in the second bucket to be discarded. Be = Tc * EIR.
In the dual leaky bucket model, Bc and Be tokens are replenished at every Tc interval for the first and second bucket respectively. When receiving a frame without the DE bit set, Frame Relay policing checks the frame for compliance by determining whether the frame's associated token is admitted through the first bucket. If the DE bit is set to 1, Frame Relay policing checks the frame for compliance against the second bucket.

Frames that conform to the CIR of the first bucket are admitted into the network. Frames that are not CIR conformant (that is, the associated token exceeds the depth of the first bucket) are marked DE and are sent to the second bucket for EIR conformance.

Frames with the DE bit set are checked for EIR conformance in the second bucket. If the frame is EIR rate compliant, it is queued for transmission; otherwise, the frame is discarded.

Figure 5-14 shows the Frame Relay policing model and illustrates the different outcomes based on compliance and token availability at the time.
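As an added example (not the book's code), here is the dual leaky bucket policer described above in Python. Bc = CIR * Tc and Be = Tc * EIR, the DE marking of frames that overflow the first bucket, and the discard of frames that overflow the second follow the text. Using bytes as the token unit, refilling both buckets at every Tc boundary through new_interval(), and the ("ADMIT" or "DISCARD", de) result are this example's own conventions, and the frame sizes are constructed sample input.

```python
# Dual leaky bucket Frame Relay policer (added example). Token units are bytes; both buckets are
# refilled at the start of every Tc interval, so one Tc is simulated by one new_interval() call.


class FrameRelayPolicer:
    def __init__(self, cir: float, eir: float, tc: float):
        self.bc = int(cir * tc)      # committed burst: depth of the first bucket (Bc = CIR * Tc)
        self.be = int(eir * tc)      # excess burst: depth of the second bucket (Be = Tc * EIR)
        self.new_interval()

    def new_interval(self) -> None:
        """Replenish both buckets at the Tc boundary."""
        self.tokens_bc = self.bc
        self.tokens_be = self.be

    def police(self, size: int, de: bool = False):
        """Return ("ADMIT" | "DISCARD", de_bit_on_exit) for one frame of `size` bytes."""
        if not de:
            if size <= self.tokens_bc:            # CIR conformant: admitted unmarked
                self.tokens_bc -= size
                return ("ADMIT", False)
            de = True                             # exceeds Bc: mark DE and try the second bucket
        if size <= self.tokens_be:                # EIR conformant: admitted with DE set
            self.tokens_be -= size
            return ("ADMIT", True)
        return ("DISCARD", True)                  # exceeds Be as well: dropped


def police_interval(policer: FrameRelayPolicer, frames) -> dict:
    """Run one Tc worth of (size, de) frames and summarise the bytes in each outcome class."""
    policer.new_interval()
    summary = {"admitted": 0, "admitted_de": 0, "discarded": 0}
    for size, de in frames:
        verdict, marked = policer.police(size, de)
        if verdict == "DISCARD":
            summary["discarded"] += size
        elif marked:
            summary["admitted_de"] += size
        else:
            summary["admitted"] += size
    return summary


if __name__ == "__main__":
    # Constructed sample: CIR 8000 bytes/s, EIR 8000 bytes/s, Tc 1 s -> Bc = Be = 8000 bytes.
    p = FrameRelayPolicer(cir=8000, eir=8000, tc=1.0)
    burst = [(6000, False), (3000, False), (5000, True), (1000, True), (2000, False), (1, False)]
    print(police_interval(p, burst))              # {'admitted': 8000, 'admitted_de': 8000, 'discarded': 1001}
    # With Be = 0 every frame that overflows the first bucket is discarded instead of DE-marked.
    print(police_interval(FrameRelayPolicer(8000, 0, 1.0), [(9000, False)]))
```

The 3000-byte frame in the sample is the interesting case: it arrives unmarked, finds only 2000 bytes of Bc tokens left, is marked DE and then admitted from the second bucket, which is exactly the path the text describes for frames that are not CIR conformant.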
Frame Relay Traffic Shaping

In Frame Relay traffic policing, the incoming rate of traffic is never adjusted and the packets are never queued; instead, packets are admitted at their incoming rate based on token availability. In the case of noncompliance, Frame Relay traffic policing potentially drops the traffic. Frame Relay traffic shaping, on the other hand, buffers packets for later transmission in the case of noncompliance to enforce an average egress rate over time. Frame Relay traffic shaping can be modeled as a leaky bucket, as shown in Figure 5-15.

Figure 5-15.

Frames are sent through the shaper only if an associated token is available. If no tokens are available, the shaping function queues the frame for later transmission. Tokens are leaked out of the bucket at the CIR. At every Tc (Bc/CIR) interval, Bc worth of tokens is replenished. The maximum size of the bucket is Bc + Be. The Be component allows a burst capability above the CIR. The result of a potentially bursty ingress rate is a smoothed output stream of traffic.

Frame Relay traffic shaping can also adapt its traffic rate based on network conditions. For example, based on indicators of network congestion such as BECNs, adaptive Frame Relay traffic shaping can reduce the token replenish rate to similarly reduce its outgoing traffic rate.
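An added example (not from the book) of the shaper described above, in Python. The bucket depth of Bc + Be, the Bc refill per Tc, and queueing instead of dropping follow the text. The adaptive rule, which cuts the refill amount by 25% in an interval that saw a BECN, never goes below an assumed mincir, and recovers by Bc/16 per clean interval, is this example's assumption and not a rule the book states; the arriving traffic is constructed.

```python
from collections import deque


class FrameRelayShaper:
    """Leaky-bucket shaper for one PVC, stepped one Tc at a time (added example, byte-based tokens).

    Every Tc the bucket gains Bc tokens up to a depth of Bc + Be, so the first interval after an
    idle period may send a Bc + Be burst. Frames that find no token are queued, never dropped.
    The BECN adaptation (25% cut, floor at mincir, Bc/16 recovery) is an assumption of this example."""

    def __init__(self, cir: float, eir: float, tc: float, mincir: float):
        self.bc, self.be = int(cir * tc), int(eir * tc)
        self.floor = int(mincir * tc)
        self.replenish = self.bc                 # tokens added per Tc while uncongested
        self.tokens = self.bc + self.be          # bucket starts full
        self.queue = deque()

    def enqueue(self, size: int) -> None:
        self.queue.append(size)

    def tick(self, becn: bool = False) -> list:
        """Advance one Tc: adapt to BECN, replenish, then drain the queue in order. Returns sizes sent."""
        if becn:
            self.replenish = max(self.floor, int(self.replenish * 0.75))
        else:
            self.replenish = min(self.bc, self.replenish + self.bc // 16)
        self.tokens = min(self.tokens + self.replenish, self.bc + self.be)
        sent = []
        while self.queue and self.queue[0] <= self.tokens:   # head of line only: no reordering
            size = self.queue.popleft()
            self.tokens -= size
            sent.append(size)
        return sent

    @property
    def backlog(self) -> int:
        return sum(self.queue)


def run_shaper(shaper: FrameRelayShaper, arrivals: list, becn_intervals=()) -> list:
    """arrivals[i] lists the frame sizes ar

riving in interval i; returns the bytes sent per interval."""
    out = []
    for i, sizes in enumerate(arrivals):
        for s in sizes:
            shaper.enqueue(s)
        out.append(sum(shaper.tick(becn=i in becn_intervals)))
    return out


if __name__ == "__main__":
    # Constructed: CIR 8000 bytes/s, EIR 8000 bytes/s, Tc 1 s, mincir 4000 bytes/s.
    sh = FrameRelayShaper(cir=8000, eir=8000, tc=1.0, mincir=4000)
    # 40000 bytes arrive at once: a 16000-byte initial burst, CIR pacing, then a dip after a BECN.
    print(run_shaper(sh, [[8000] * 5, [], [], [], [], []], becn_intervals={2}))   # [16000, 8000, 0, 8000, 8000, 0]
```

Compare the two models: the policer in the previous example would have discarded the fifth 8000-byte frame of this burst outright, whereas the shaper holds it and delivers it three intervals later at the reduced rate.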
in the header of each cell.

ATM is probably most well known for its well-developed QoS support because of its strict traffic class definitions. By utilizing a layered protocol architecture, ATM can transport voice, video, and data on the network. Depending on their traffic characteristics, upper layer protocols are processed according to a set of adaptation rules prior to forming each cell.

As subsequent chapters identify, L2TPv3 and AToM interact with three aspects of ATM:

The next few sections examine the AAL and ATM layer with specific focus on AAL5 and ATM cell formats.
ATM Adaptation Layer

AAL defines multiple AAL formats depending on the traffic type from the upper layer protocols. They include the following:

AAL1  AAL1 is intended to carry connection-oriented, constant bit rate traffic with specific timing requirements. Typical AAL1 traffic is Circuit Emulation Services (ATM Forum standard af-vtoa-0078.0000), such as transparently carrying DS-1 and E-1 circuits across an ATM core.

AAL2  AAL2 supports payloads that have timing requirements similar to those of AAL1 traffic but that have bursty traffic patterns. Compressed voice and video are examples of AAL2 traffic.

AAL3/4  AAL3/4 supports connection-oriented and connectionless variable bit rate traffic. The primary function of AAL3/4 is to carry Switched MultiMegabit Data Service (SMDS) data.

AAL5  Because of AAL3/4's large overhead and complexity, AAL5 was developed as a simpler and more efficient adaptation layer to carry connection-oriented and connectionless traffic. AAL5 is the main format used today for carrying IP routed and bridged data.

Figure 5-17 shows the CS-PDU and SAR-PDU structure for AAL5 and the processing involved down to the ATM layer for cell header generation.
The CS-PDU is formed by appending a CS-PDU trailer to the CS-SDU. The CS-PDU is composed of the following fields:

Padding  The Padding field is added to ensure that the resulting CS-PDU size is a multiple of 48 bytes to present to the SAR function.

Common part convergence sublayer user-to-user (CPCS-UU)  The CPCS-UU field allows upper layer protocols to send information transparently through the AAL5 structure. An example application is FRF.8.1, which uses this octet to transport the Frame Relay C/R bit. In other cases, such as RFC 2684, "Multiprotocol Encapsulation over ATM Adaptation Layer 5," this field is unused.

Common part indicator (CPI)  CPI provides alignment of the CPCS-PDU to 64 bits. The value of this field is set to 0x00.

Length  This is a 2-byte field indicating the length of the Payload field.

CRC  A cyclic redundancy check calculated over the entire CS-PDU minus the 4-byte CRC field.

The resulting CS-PDU is presented to the SAR layer, which segments it into 48-byte SAR-PDUs. The ATM layer generates a 4-byte header for each SAR-PDU. To correctly identify the last cell forming the original AAL5 PDU, the third bit of the payload type identifier (PTI), a field in the ATM cell header, is set in the last cell's header. The TC sublayer then adds the fifth byte to complete the 5-byte header.
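The following Python is an added example, not code from the book, that builds the AAL5 CS-PDU described above (padding to a multiple of 48 bytes, then CPCS-UU, CPI, Length and CRC), segments it into SAR-PDUs, and shows the receiver-side checks that make a lost or corrupted cell detectable. The CRC-32 is implemented MSB-first with an all-ones initial value and a complemented result, which is how the AAL5 trailer CRC is defined (zlib.crc32 computes the bit-reflected variant and would not match). The sample payload is constructed; the cell header itself, including the PTI last-cell bit, is left to the ATM layer and only represented here by a flag.

```python
import struct

CRC32_POLY = 0x04C11DB7   # CRC-32 generator; AAL5 processes bits MSB first (not the reflected zlib form)


def crc32_aal5(data: bytes) -> int:
    """MSB-first CRC-32, initial value all ones, result complemented, as used in the AAL5 trailer."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            crc = ((crc << 1) ^ CRC32_POLY) & 0xFFFFFFFF if crc & 0x80000000 else (crc << 1) & 0xFFFFFFFF
    return crc ^ 0xFFFFFFFF


def build_cpcs_pdu(payload: bytes, cpcs_uu: int = 0, cpi: int = 0) -> bytes:
    """CS-SDU + padding + 8-byte trailer (CPCS-UU, CPI, Length, CRC); total is a multiple of 48 bytes."""
    if len(payload) > 0xFFFF:
        raise ValueError("Length field is 16 bits")
    pad = (-(len(payload) + 8)) % 48                   # 0..47 bytes so the PDU fills whole cells
    body = payload + bytes(pad) + struct.pack(">BBH", cpcs_uu, cpi, len(payload))
    return body + struct.pack(">I", crc32_aal5(body))  # CRC covers everything before it


def segment(cpcs_pdu: bytes) -> list:
    """SAR: cut into 48-byte SAR-PDUs; the flag marks the cell whose header gets the PTI last-cell bit."""
    chunks = [cpcs_pdu[i:i + 48] for i in range(0, len(cpcs_pdu), 48)]
    return [(chunk, i == len(chunks) - 1) for i, chunk in enumerate(chunks)]


def reassemble(sar_pdus) -> bytes:
    """Receiver: collect cells up to the last-cell flag, then validate CRC and Length before trusting the data."""
    buf = bytearray()
    for chunk, last in sar_pdus:
        if len(chunk) != 48:
            raise ValueError("SAR-PDU must be 48 bytes")
        buf += chunk
        if last:
            break
    else:
        raise ValueError("no last-cell indication seen")
    cpcs_uu, cpi, length = struct.unpack(">BBH", buf[-8:-4])
    (crc,) = struct.unpack(">I", buf[-4:])
    if crc32_aal5(buf[:-4]) != crc:
        raise ValueError("AAL5 CRC mismatch (corrupted or lost cell)")
    pad = len(buf) - 8 - length                        # padding must be 0..47 bytes
    if not 0 <= pad <= 47:
        raise ValueError("Length field inconsistent with PDU size")
    return bytes(buf[:length])


def accepts(sar_pdus) -> bool:
    """True if the receiver would deliver the PDU, False if it would discard it."""
    try:
        reassemble(sar_pdus)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pdu = build_cpcs_pdu(b"constructed IP packet payload " * 3)   # 90 bytes -> 144-byte PDU, 3 cells
    cells = segment(pdu)
    print(len(cells), [last for _, last in cells], reassemble(cells)[:24])
    print("middle cell lost, accepted:", accepts([cells[0], cells[2]]))
```

Dropping the middle cell leaves a buffer whose CRC no longer matches, and even if an attacker could forge a matching CRC the Length field still has to agree with the number of cells received, which is why both checks are made before any payload is handed up.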
The following are the fields in the ATM cell format:

Generic Flow Control (GFC)  The GFC field on the UNI header provides flow control on the particular logical PVC. This field is set to 0 and is not fully standardized.

Virtual path identifier/virtual channel identifier (VPI/VCI)  Together, the VPI and the VCI uniquely identify a virtual connection. You can use them together as a switching identifier. Alternately, you can use the VPI alone as a switching field and consider it a logical grouping of the VCIs in that scenario. Figure 5-19 illustrates the difference between VP and VC switching.

Figure 5-19. ATM VP and VC Switching
PTI  PTI is composed of 3 bits that characterize the type of cell and measure congestion. The first bit indicates whether the cell is a management cell (1) or contains user data (0). The remaining two bits are interpreted differently in each of those cases, as follows:

User data cell  The second bit, known as the explicit forward congestion indication (EFCI) field, indicates congestion. The third bit is set to indicate whether this is the last cell in an AAL5 frame.

Management cell  The second bit identifies the cell as an OAM cell (0) or a resource management (RM) cell (1). The third bit distinguishes the OAM cell as an F5 (OAM cell used to convey PVC status) segment (0) or F5 end-to-end flow (1).

Cell loss priority (CLP)  The CLP bit prioritizes the cell. In congestion scenarios in which it is necessary to drop traffic, some devices could implement a selective discard mechanism whereby cells with CLP set would be dropped before cells without CLP marking.

Header error control (HEC)  The TC sublayer adds the HEC field, which provides error detection and optionally single-bit error correction. It is calculated only for the ATM cell header.
Table of
Pages:
648 are encapsulated in AAL5 over VPI/VCI 0/16 to access ILMI
ILMI Contents
uses SNMP messages that
Index
MIB variables.
This mechanism allows for a variety of information to be conveyed, such as type
Note
Although the ILMI VPI/VCI default is 0/16, the ILMI specification allows use of an alternate VPI/VCI other than the default value. Also, in VP-tunnel applications, the VPI is set to the VPI of the VP-tunnel.
In addition to ILMI, you can use OAM to determine logical circuit status. Two forms of OAM cells, F5 and F4, are used depending on the type of logical circuit you are dealing with.
In the case of a PVC, you can use and send F5 OAM cells on the same VPI and VCI as the PVC.
The PTI field of an F5 cell not only differentiates the F5 OAM cell from a user data cell, but it also differentiates an end-to-end (ATM end-user device to end-user device) OAM from a segment (ATM end-user device to ATM network device) OAM.
F4 OAM cells, on the other hand, convey the status of a permanent virtual path (PVP), a connection switched upon the VPI field alone. F4 OAM cells use the same VPI as the PVP connection that they are representing, but they use VCI 3 for segment OAM and VCI 4 for end-to-end OAM.

Figure 5-20 shows the typical OAM cell format.
In addition to the typical ATM cell header and CRC field, the OAM fields include the following fields:
OAM Type The OAM Type field determines the management cell's general role:
Fault management
Performance management
Activation/deactivation

Function Type The Function Type field defines the specific function of the cell and is interpreted differently depending on the OAM type.
Function Specific The Function Specific field determines the payload of the OAM cell, which differs based on the OAM Type and Function Type fields. Figure 5-21 illustrates the Function Specific payloads for an alarm indication signal (AIS), far end receive failure (FERF)/remote defect indication (RDI), and those of the loopback function type.
Table 5-4 defines the OAM Function Type combinations.

OAM Type                        Function Type
Fault Management (0001)         AIS (0000)
                                RDI/FERF (0001)
                                OAM Cell Loopback (1000)
                                Continuity Check (0100)
Performance Management (0010)   Forward Monitor (0000)
                                Backward Reporting (0001)
                                Monitoring and Reporting (0010)
Activation/Deactivation (1000)  Performance Monitor (0000)
                                Continuity Check (0001)
From a fault management perspective, the AIS, RDI/FERF, and Loopback function types are of
particular importance in dealing with logical circuit status.
AIS and RDI/FERF indicate to the remote endpoints a failure within the ATM network and
function in a similar manner to SONET, DS3, and T1 alarms. An intermediate device that is
detecting a link failure to notify downstream nodes generates AIS. RDI/FERF is generated at
the intermediate node upon receiving AIS to alert upstream devices. To draw an analogy
between T1 alarming and ATM, AIS is similar to a blue alarm, whereas RDI is a yellow alarm.
If an individual VPC or VCC fails in the network, similar VP or VC AIS and FERF/RDI alarms are generated. Figure 5-22 illustrates the AIS and RDI/FERF behavior of ATM nodes and endpoints when dealing with logical circuit failure. The intermediate ATM node, upon detection of a logical circuit breakage, generates AIS in the direction of the failure. The ATM endpoint in turn generates RDI/FERF when receiving the AIS alarm.
OAM Loopback cells are also used as a fault management feature to confirm logical circuit status. When configured, OAM loopback cells are sent and a corresponding loopback cell is received in response. The payload of an OAM loopback cell is shown in Figure 5-18. The first bit of the Loopback Indicator field is set to 1 on the outgoing cell and set to 0 to indicate a looped received response. The Correlation Tag field matches the outgoing OAM loopback cell with the response cells. A successive number of loopback replies not being returned could indicate to the endpoint that the logical circuit should be declared unusable.

Managing Traffic
Like Frame Relay policing, ATM policing can be represented as a leaky bucket model, as shown in Figure 5-23.

Figure 5-23. ATM Policing Leaky Bucket Model
In a leaky bucket model, each ATM cell has an associated token whose fate determines whether the ATM cell is considered compliant or noncompliant. The bucket represents the number of tokens that can be stored. If the number of tokens exceeds the size of the bucket, the associated cell is considered noncompliant, and appropriate action, such as discarding or tagging the cell, is performed. The leak rate of the bucket represents the rate at which the tokens are drained from the bucket. If the incoming token rate is greater than the leak rate, the bucket will eventually overflow, and the incoming traffic will be considered noncompliant.
More complex traffic-policing contracts use a similar model but employ dual leaky buckets.
The ATM Forum Traffic Management 4.0 standard describes several conformance definitions
that determine the type of traffic that is regulated and the action that is performed for
compliancy/noncompliancy. Table 5-5 describes the traffic conformance definitions that will be
explored in more detail in the following sections: CBR.1, VBR.1, VBR.2, VBR.3, UBR.1, and
UBR.2. CBR.1, UBR.1, and UBR.2 can be represented as a single leaky bucket with a leak rate
that the peak cell rate (PCR) defines. The VBR.1, VBR.2, and VBR.3 definitions are modeled as
a dual leaky bucket, with the first and second bucket leak rate equal to the PCR and sustained
cell rate (SCR), respectively. The PCR flow and SCR flow columns define the traffic type that is
checked for conformance. For example, CLP (0+1) represents all cells, whereas CLP (0)
represents only cells with the CLP bit set to zero. The CLP tagging column defines whether the
nonconforming action for that bucket is tagged.
ATM Forum TM 4.0 Spec.   PCR Flow    CLP Tagging for PCR   SCR Flow    CLP Tagging for SCR
CBR.1                    CLP (0+1)   No                    NA          NA
VBR.1                    CLP (0+1)   No                    CLP (0+1)   No
VBR.2                    CLP (0+1)   No                    CLP (0)     No
VBR.3                    CLP (0+1)   No                    CLP (0)     Yes
UBR.1                    CLP (0+1)   No                    NA          NA
UBR.2                    CLP (0+1)   No                    NA          NA

CBR.1 Traffic Policing
noncompliant cells in the second bucket are tagged with CLP 1 and admitted into the network
instead of being discarded.
Figure 5-27. VBR.3 Traffic Policing
UBR.2 Traffic Policing
As illustrated in Figure 5-29, UBR.2 operates in the same fashion as UBR.1 except that compliant CLP 0 cells are tagged to CLP 1.

Figure 5-29. UBR.2 Traffic Policing
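The policing behaviour this section walks through, as an added example (not code from the book): a single or dual leaky bucket policer in Python that applies the CBR.1, VBR.1/2/3 and UBR.1/2 conformance definitions from Table 5-5, including VBR.3's tag-and-admit action in the second bucket and UBR.2's tagging of compliant CLP 0 cells. Bucket depths, the one-token-per-cell arithmetic and the time base are simplified assumptions, and the sample cell stream is constructed.

```python
"""ATM ingress policing as a single or dual leaky bucket, following the TM 4.0
conformance definitions the text walks through (CBR.1, VBR.1, VBR.2, VBR.3,
UBR.1, UBR.2).  Added illustration, not code from the book; bucket depths and
the time base are simplified assumptions (see comments)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Action(Enum):
    ADMIT = "admit"      # compliant: forwarded with its CLP bit unchanged
    TAG = "tag"          # forwarded, but CLP rewritten to 1 (lower priority)
    DISCARD = "discard"  # noncompliant: dropped at the ingress node

@dataclass
class LeakyBucket:
    """One bucket of the model: each cell adds one token, tokens drain at
    `leak_rate` per time unit, and `size` is the bucket depth.  A cell whose
    token would overflow the bucket is noncompliant and adds no token."""
    leak_rate: float   # PCR for the first bucket, SCR for the second
    size: float        # depth (assumed): from CDVT for PCR, from MBS for SCR
    level: float = 0.0
    last_t: float = 0.0

    def offer(self, t: float) -> bool:
        self.level = max(0.0, self.level - (t - self.last_t) * self.leak_rate)
        self.last_t = t
        if self.level + 1.0 > self.size:
            return False
        self.level += 1.0
        return True

class Policer:
    """Applies one conformance definition to a stream of (time, CLP) cells."""
    SINGLE = ("CBR.1", "UBR.1", "UBR.2")
    DUAL = ("VBR.1", "VBR.2", "VBR.3")

    def __init__(self, spec: str, pcr: float, pcr_depth: float = 1.0,
                 scr: Optional[float] = None, scr_depth: Optional[float] = None):
        if spec not in self.SINGLE + self.DUAL:
            raise ValueError(f"unknown conformance definition {spec!r}")
        if spec in self.DUAL and (scr is None or scr_depth is None):
            raise ValueError(f"{spec} needs an SCR and a second bucket depth")
        self.spec = spec
        self.pcr_bucket = LeakyBucket(pcr, pcr_depth)
        self.scr_bucket = LeakyBucket(scr, scr_depth) if spec in self.DUAL else None

    def police(self, t: float, clp: int) -> tuple:
        """Return (Action, CLP bit the cell leaves with) for one cell."""
        # Bucket 1 leaks at the PCR and polices CLP (0+1), i.e. every cell,
        # under all six definitions; its nonconforming action is discard.
        if not self.pcr_bucket.offer(t):
            return Action.DISCARD, clp
        if self.spec in ("CBR.1", "UBR.1"):
            return Action.ADMIT, clp
        if self.spec == "UBR.2":
            # Same as UBR.1 except compliant CLP 0 cells are tagged to CLP 1.
            return (Action.TAG, 1) if clp == 0 else (Action.ADMIT, clp)
        # VBR.x: bucket 2 leaks at the SCR.  VBR.1 polices CLP (0+1) against
        # it; VBR.2 and VBR.3 police only CLP (0), so CLP 1 cells pass it.
        if self.spec != "VBR.1" and clp == 1:
            return Action.ADMIT, clp
        if self.scr_bucket.offer(t):
            return Action.ADMIT, clp
        if self.spec == "VBR.3":
            # Noncompliant in the second bucket: tag with CLP 1 and admit
            # into the network instead of discarding.
            return Action.TAG, 1
        return Action.DISCARD, clp

def police_stream(spec: str, cells, **params) -> list:
    """Run one definition over [(arrival_time, clp), ...] -> [(action, clp)]."""
    policer = Policer(spec, **params)
    return [(a.value, c) for a, c in (policer.police(t, clp) for t, clp in cells)]

# Constructed sample: six CLP 0 cells arriving one time unit apart.  With a
# PCR of 1 cell per time unit they all clear bucket 1; with an SCR of 0.5 and
# a second-bucket depth of 2 cells, the fourth and sixth cells overflow it.
BURST = [(t, 0) for t in range(6)]
DUAL_PARAMS = dict(pcr=1.0, pcr_depth=1.0, scr=0.5, scr_depth=2.0)

if __name__ == "__main__":
    for spec in ("VBR.1", "VBR.2", "VBR.3"):
        print(spec, police_stream(spec, BURST, **DUAL_PARAMS))
    print("UBR.2", police_stream("UBR.2", BURST, pcr=1.0))
```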
ATM traffic shaping is a QoS mechanism that is typically deployed on egress out of an ATM node or end device and is used to enforce a long-term average rate for a logical circuit. Unlike traffic policing, in which noncompliant traffic is either dropped or marked to a lower priority, ATM traffic shaping queues nonconforming traffic to restrain data bursts and smooth data rates to comply within the defined traffic contract.
a PCR, SCR, and MBS and follows the general leaky bucket model. On the other hand, CBR's
long-term average rate is defined as its PCR and has some form of transmission priority to
meet a strict CDVT based on the nature of the traffic it has to support: real-time applications.
UBR PVCs typically are not shaped and burst up to the ATM port rate. However, you can optionally define a PCR to limit the maximum transmission rate. ABR is unique compared to the other traffic classes because of its ability to adapt its traffic rate based on indicators of network congestion states such as EFCI or via RM cells. ABR shaping defines a PCR, a minimum cell rate (MCR), the minimum rate that the PVC can send at, and some additional parameters that define its rate adaptation factors.
HDLC uses a simple framing mechanism to encapsulate its data. Cisco HDLC encapsulation is a modified form of HDLC and adds a Protocol Identifier field to determine the Layer 3 protocol that is stored in the HDLC payload.

PPP utilizes a framing mechanism that is similar to HDLC. Although PPP has a rich set of negotiation protocols such as LCP, different optional authentication methods, and various NCPs, these were not discussed because they are transparent to the pseudowire emulation protocols.

Frame Relay adopts an encapsulation format that is similar to HDLC and PPP. A DLCI identifier in the Frame Relay header distinguishes logically distinct Frame Relay circuits.

Frame Relay LMI conveys circuit status information between network devices through periodic status messages.

Frame Relay has the option of performing Frame Relay policing to enforce a traffic contract for traffic that is inbound to the network from the customer. You can either discard noncompliant traffic or mark it with a lower priority by setting the DE bit. Conversely, you can apply Frame Relay shaping on egress from the network toward the customer. Shaping queues traffic that is nonconforming to meet a long-term average rate.

ATM has a well-defined protocol stack that takes upper layer protocol data and processes it through the AAL, ATM, and Physical layers. ATM also uses VPI/VCI to uniquely represent a logical ATM circuit.

From a fault management perspective, ATM OAM indicates faults within the network and performs end-to-end connectivity checks.

ATM traffic policing offers a set of admission control options to enforce ingress traffic contracts from end customer devices. You can either discard out-of-contract traffic or mark it with a lower priority through the use of the CLP bit. Conversely, ATM traffic shaping enforces an average rate of traffic on egress toward customer devices and can employ queuing for nonconforming traffic.
Chapter 6
Chapter 7
Chapter 8
Chapter 9
LAN Protocols over MPLS Case Studies
AToM operations

To provide Layer 2 VPN services over an IP/Multiprotocol Label Switching (MPLS) network infrastructure, the Internet Engineering Task Force (IETF) developed a series of solution and protocol specifications for various Layer 2 VPN applications, including pseudowire emulation. Based on the pseudowire emulation specifications, Any Transport over MPLS (AToM) is implemented as part of the Cisco Unified VPN Suite Solution. The Cisco solution also includes alternative pseudowire emulation using Layer 2 Tunnel Protocol Version 3 (L2TPv3). Chapter 3, "Layer 2 VPN Architectures," outlines the benefits and implications of using each technology and highlights some important factors that help network planners and operators determine the appropriate technology.

This chapter starts with an overview of LDP used by pseudowire emulation over MPLS, followed by an explanation of the protocol specifications and operations of AToM. You learn the general properties of the pseudowire emulation over MPLS networks specified in IETF documents. Additional features that AToM supports are also highlighted in this chapter.

for this purpose. Although the MPLS architecture allows different label distribution protocols, only LDP is used as the signaling protocol for AToM.
Note
The next few sections review some fundamental LDP specifications and operations that are relevant to AToM:

LDP protocol components
Discovery mechanisms
Session establishment
Label distribution and management
LDP security
Per-platform label space Assigns labels from a platform-wide pool of labels and
typically uses resources that are shared across the platform. Hop-by-hop best-effort
IP/MPLS forwarding is an example of using the per-platform label space.
In Chapter 3, the AToM overview explains the use of label stacking. To recap, the label stack of AToM typically consists of two labels: tunnel label and pseudowire label. Tunnel labels can be from either per-interface label space or per-platform label space depending on whether the LSRs perform IP/MPLS forwarding in cell mode or frame mode. Pseudowire labels are always allocated from the general-purpose per-platform label space.
LDP uses User Datagram Protocol (UDP) and TCP to transport the protocol data unit (PDU) that carries LDP messages. Figure 6-1 illustrates the structure of an LDP packet. Each LDP PDU is an LDP header followed by one or more LDP messages. All LDP messages have a common LDP message header followed by one or more structured parameters that use a type, length, value (TLV) encoding scheme. The Value field of a TLV might consist of one or more sub-TLVs.
space. When an LSR uses LDP to advertise more than one label space to another LSR, it
creates a separate LDP session for each label space.
Version (2 Octets) [=1]
Four categories exist for LDP messages:

Discovery messages Provide a mechanism in which LSRs indicate their presence in a network by sending Hello messages periodically. Discovery messages include the LDP Link Hello message and the LDP Targeted Hello message. You learn more about the discovery messages in the next section, "Discovery Mechanisms."

Session messages Establish, maintain, and disconnect sessions between LDP peers. Session messages are LDP Initialization messages and Keepalive messages. You learn more about session messages in the section "Session Establishment" later in this chapter.

Advertisement messages Create, update, and delete label mappings. All LDP Address messages and LDP Label messages belong to advertisement messages.

Notification messages Provide advisory information and signal error information to LDP peers.

Except for discovery messages that use UDP as the underlying transport, LDP messages rely on TCP to ensure reliable and in-order delivery of messages. All LDP messages have the format that is depicted in Figure 6-3.
to take if he does not understand the message. If the U-bit is set to 0, the receiver needs
to respond to the originator of the message with a notification message. Otherwise, the
receiver should silently ignore this unknown message.
Message Type: The Message Type field identifies the type of message.

Message Length: The Message Length field specifies the total number of octets of the Message ID, Mandatory Parameters, and Optional Parameters.

Message ID: The Message ID field is a 4-octet value that identifies individual messages.

Mandatory Parameters: The Mandatory Parameters field is a set of required parameters with variable lengths that pertain to this message. Some messages do not have mandatory parameters.

Optional Parameters: The Optional Parameters field is a set of optional parameters that have variable lengths. Many messages do not have optional parameters.
Most information that is carried in an LDP message is encoded in TLVs. TLV provides a generic and extensible encoding scheme for existing and future applications that use LDP signaling. An LDP TLV consists of a 2-bit Flag field, a 14-bit Type field, and a 2-octet Length field, followed by a variable length Value field. Figure 6-4 shows the common TLV encoding scheme.

Figure 6-4. LDP TLV Encoding
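The message header and TLV layout described above, as an added Python example (this is not code from the book or from any LDP implementation). It encodes and parses the header (U-bit, Message Type, Message Length, Message ID) and the TLVs that follow, enforces the length fields before trusting them, and applies the U-bit rule for an unknown message type. The message and TLV type codes, the names of the two TLV flag bits (U and F), and the IPv4 prefix FEC element in the sample are taken from RFC 5036, not from the text above; `SAMPLE_FEC` is a constructed value.

```python
import struct
from dataclasses import dataclass, field
from typing import List

# Message and TLV type codes (RFC 5036); only a subset is listed.
MSG_NOTIFICATION, MSG_INITIALIZATION, MSG_KEEPALIVE = 0x0001, 0x0200, 0x0201
MSG_LABEL_MAPPING, MSG_LABEL_REQUEST = 0x0400, 0x0401
MSG_LABEL_WITHDRAW, MSG_LABEL_RELEASE = 0x0402, 0x0403
KNOWN_MESSAGE_TYPES = {MSG_NOTIFICATION, MSG_INITIALIZATION, MSG_KEEPALIVE,
                       MSG_LABEL_MAPPING, MSG_LABEL_REQUEST, MSG_LABEL_WITHDRAW, MSG_LABEL_RELEASE}
TLV_FEC, TLV_GENERIC_LABEL = 0x0100, 0x0200
KNOWN_TLV_TYPES = {TLV_FEC, TLV_GENERIC_LABEL}

# Constructed sample: an IPv4 prefix FEC element for 10.1.1.0/24
# (element type 2, address family 1, prefix length 24, three prefix octets).
SAMPLE_FEC = b"\x02\x00\x01\x18\x0a\x01\x01"

@dataclass
class Tlv:
    u_bit: int          # unknown-TLV behaviour flag
    f_bit: int          # forward-unknown-TLV flag
    tlv_type: int       # 14-bit type
    value: bytes

@dataclass
class LdpMessage:
    u_bit: int
    msg_type: int       # 15-bit type
    msg_id: int
    tlvs: List[Tlv] = field(default_factory=list)

def encode_tlv(tlv_type: int, value: bytes, u_bit: int = 0, f_bit: int = 0) -> bytes:
    if not 0 <= tlv_type < (1 << 14):
        raise ValueError("TLV type is a 14-bit field")
    return struct.pack("!HH", (u_bit << 15) | (f_bit << 14) | tlv_type, len(value)) + value

def encode_message(msg_type: int, msg_id: int, tlvs: bytes, u_bit: int = 0) -> bytes:
    if not 0 <= msg_type < (1 << 15):
        raise ValueError("message type is a 15-bit field")
    body = struct.pack("!I", msg_id) + tlvs          # Message Length covers ID + parameters
    return struct.pack("!HH", (u_bit << 15) | msg_type, len(body)) + body

def build_label_mapping(msg_id: int, fec_value: bytes, label: int) -> bytes:
    """Label Mapping carrying one FEC TLV and one Generic Label TLV (20-bit label in 4 octets)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label is a 20-bit value")
    tlvs = encode_tlv(TLV_FEC, fec_value) + encode_tlv(TLV_GENERIC_LABEL, struct.pack("!I", label))
    return encode_message(MSG_LABEL_MAPPING, msg_id, tlvs)

def parse_tlvs(data: bytes) -> List[Tlv]:
    tlvs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated TLV header")
        type_flags, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):                 # never trust Length beyond the buffer
            raise ValueError("TLV length exceeds message")
        tlvs.append(Tlv(type_flags >> 15, (type_flags >> 14) & 1, type_flags & 0x3FFF,
                        data[off:off + length]))
        off += length
    return tlvs

def parse_message(data: bytes) -> LdpMessage:
    if len(data) < 8:
        raise ValueError("truncated message header")
    type_flags, length = struct.unpack_from("!HH", data, 0)
    if length < 4 or 4 + length > len(data):
        raise ValueError("bad message length")
    msg_id = struct.unpack_from("!I", data, 4)[0]
    return LdpMessage(type_flags >> 15, type_flags & 0x7FFF, msg_id, parse_tlvs(data[8:4 + length]))

def label_from_tlv(tlv: Tlv) -> int:
    if tlv.tlv_type != TLV_GENERIC_LABEL or len(tlv.value) != 4:
        raise ValueError("not a Generic Label TLV")
    return struct.unpack("!I", tlv.value)[0] & 0xFFFFF

def unknown_message_action(msg: LdpMessage) -> str:
    """U-bit rule: U=0 means answer an unknown message with a Notification, U=1 means ignore it."""
    if msg.msg_type in KNOWN_MESSAGE_TYPES:
        return "process"
    return "ignore" if msg.u_bit else "notify"

def unknown_tlv_action(tlv: Tlv) -> str:
    """Same idea at TLV level (RFC 5036): U=0 rejects the whole message, U=1 drops only the TLV."""
    if tlv.tlv_type in KNOWN_TLV_TYPES:
        return "process"
    return "ignore TLV" if tlv.u_bit else "notify and discard message"
```

The decoder raises on any header whose Message Length or TLV Length points past the received buffer, which is the check a receiver needs before it indexes into the message.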
Session Establishment

After two LSRs exchange LDP discovery Hello messages, they start the process of session establishment, which proceeds in two sequential phases:

1. Transport connection establishment

2. Session initialization

The objective of the transport connection establishment phase is to establish a reliable TCP connection between two LDP peers. If both LDP peers initiate an LDP TCP connection, it might result in two concurrent TCP connections. To avoid this situation, an LSR first determines whether it should play the active or passive role in session establishment by comparing its own transport address with the transport address it obtains through the exchange of LDP Hellos. If its address has a higher value, it assumes the active role. Otherwise, it is passive. When an LSR plays the active role, it initiates a TCP connection to the LDP peer on the well-known LDP TCP port 646.

After the LSR establishes the TCP connection, session establishment proceeds to the session initialization phase. In this phase, LDP peers exchange and negotiate session parameters such as the protocol version, label distribution methods, timer values, label ranges, and so on.

If an LSR plays the active role, it starts the negotiation of session parameters by sending an Initialization message to its LDP peer. The Initialization message carries both the LDP Identifier for the label space of the active LSR and the LDP Identifier of the passive LSR. The receiver compares the LDP Identifier with the Hello adjacencies created during LDP discovery. If the receiver finds a match and the session parameters are acceptable, it replies with an Initialization message with its own session parameters and a Keepalive message to acknowledge the sender's parameters. When the sender receives an Initialization message with acceptable session parameters, it responds with a Keepalive message.

When both LDP peers exchange Initialization and Keepalive messages with each other, the session initialization phase is completed successfully and the LDP session is considered operational.
Label Binding
The main focus of an MPLS application is the distribution and management of label bindings.
Label bindings are always the centerpiece of information in LDP signaling.
LDP associates a Forwarding Equivalence Class (FEC) with each LSP that it creates. An FEC
specifies which packets should be forwarded through the associated LSP. Each FEC is defined
as a collection of one or more FEC elements. Each FEC element identifies a set of packets that
are mapped to the corresponding LSP. For those who are familiar with IP routing, you can
consider an FEC as a set of IP routes following a common forwarding path, and an FEC element
as a specific IP route prefix.
A label binding is the association between an FEC and a label that represents a specific LSP. The association is created by placing an FEC TLV and a Label TLV in a label advertisement message. Figure 6-6 depicts the FEC TLV encoding.

Figure 6-6. FEC TLV Encoding

The Generic Label TLV has a type of 0x0200. A label is a 20-bit label value in a 4-octet Label field.

Label Mapping
Label Request
Label Withdraw
Label Release
When an LSR needs a label binding for a specific FEC but does not already have it, it can explicitly request this label binding from its LDP peer by sending a Label Request message. A Label Request message contains the FEC for which a label is being requested. The receiving LSR then responds to a Label Request message with a Label Mapping message for the requested FEC if it has such a binding. Otherwise, it responds with a Notification message indicating why it cannot satisfy the request.
Whereas Label Mapping messages create the bindings between FECs and labels, Label Withdraw messages break them. An LSR sends a Label Withdraw message to an LDP peer to signal that the peer should not continue to use specified label bindings that the LSR previously advertised. A Label Withdraw message contains the FEC for which the label binding is being withdrawn and optionally the originally advertised label. If no Label TLV is included in a Label Withdraw message, all labels that are associated with the FEC are to be withdrawn. Otherwise, only the label that is specified in the Label TLV is to be withdrawn.
An LSR that receives a Label Withdraw message must acknowledge it with a Label Release message. The LSR also uses Label Release messages to indicate that it no longer needs specific label bindings previously requested of or advertised by its LDP peer. A Label Release message contains the FEC for which the label binding is being released and optionally the originally advertised label. If no Label TLV is included in a Label Release message, all labels that are associated with the FEC are to be released. Otherwise, only the label that is specified in the Label TLV is to be released.
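The Label Request, Label Mapping, Label Withdraw and Label Release semantics of the preceding paragraphs, as an added Python example that is not code from the book or from any LDP implementation. Each `Lsr` keeps the labels it advertised and the labels it learned from its peer; a Withdraw or Release that carries no label (no Label TLV) applies to every label of the FEC, one that carries a label applies to that label only, and every Withdraw is acknowledged with a Release. Messages are plain dictionaries rather than wire encodings, and the FEC strings, label values and the Notification status text are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set

class Lsr:
    """Label bindings for one LDP peering (assumption: a single peer and a single label space)."""
    def __init__(self, name: str):
        self.name = name
        self.local: Dict[str, int] = {}                       # FEC -> label this LSR advertised
        self.remote: Dict[str, Set[int]] = defaultdict(set)   # FEC -> labels learned from the peer
        self.sent: List[dict] = []                             # every message emitted, for inspection

    def emit(self, msg: dict) -> dict:
        self.sent.append(msg)
        return msg

    # ---- downstream (advertising) side ----
    def on_label_request(self, fec: str) -> dict:
        """Answer a Label Request with a Mapping if a binding exists, otherwise a Notification."""
        if fec in self.local:
            return self.emit({"type": "Label Mapping", "fec": fec, "label": self.local[fec]})
        return self.emit({"type": "Notification", "fec": fec, "status": "no binding for FEC"})

    def withdraw(self, fec: str, label: Optional[int] = None) -> dict:
        """Label Withdraw; label=None means the message carries no Label TLV (all labels of the FEC)."""
        msg = {"type": "Label Withdraw", "fec": fec}
        if label is not None:
            msg["label"] = label
        return self.emit(msg)

    def on_label_release(self, fec: str, label: Optional[int]) -> None:
        """The peer no longer uses the binding, so the originator may free its local label."""
        if label is None or self.local.get(fec) == label:
            self.local.pop(fec, None)

    # ---- upstream (receiving) side ----
    def on_label_mapping(self, fec: str, label: int) -> None:
        self.remote[fec].add(label)

    def on_label_withdraw(self, msg: dict) -> dict:
        fec, label = msg["fec"], msg.get("label")
        if label is None:
            self.remote.pop(fec, None)              # no Label TLV: drop every label for the FEC
        else:
            self.remote[fec].discard(label)         # only the specified label
            if not self.remote[fec]:
                del self.remote[fec]
        # A Withdraw must be acknowledged with a Release naming the same FEC and label.
        return self.emit({"type": "Label Release", "fec": fec, "label": label})

def request_label(upstream: Lsr, downstream: Lsr, fec: str) -> Optional[int]:
    """Downstream on-demand exchange: upstream asks, downstream answers."""
    upstream.emit({"type": "Label Request", "fec": fec})
    reply = downstream.on_label_request(fec)
    if reply["type"] == "Label Mapping":
        upstream.on_label_mapping(fec, reply["label"])
        return reply["label"]
    return None                                     # Notification: no binding available

def withdraw_and_release(downstream: Lsr, upstream: Lsr, fec: str,
                         label: Optional[int] = None) -> dict:
    """Downstream withdraws; upstream acknowledges; downstream frees the released label."""
    release = upstream.on_label_withdraw(downstream.withdraw(fec, label))
    downstream.on_label_release(fec, release["label"])
    return release
```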
Label Advertisement Mode

The MPLS architecture specifies two label advertisement modes. If an LSR explicitly requests a label binding for a particular FEC from the next-hop LSR of this FEC, it uses downstream on-demand label advertisement mode. If an LSR advertises label bindings to its LDP peers that have not explicitly requested them, it uses downstream unsolicited advertisement mode.

Choosing which label advertisement mode to use depends on the characteristics of a particular MPLS implementation and application. Between each pair of LDP peers, they must have the same label advertisement mode.
Label Distribution Control Mode

Label distribution control determines how LSPs are established initially, and it has two modes: independent and ordered label distribution control.
With independent label distribution control, each LSR advertises label bindings to its peers at
any time. It does not wait for the downstream or next-hop LSR to advertise the label binding
for the FEC that is being distributed in the upstream direction. A consequence of using
independent mode is that an upstream label can be advertised before a downstream label is
received.
When an LSR is using ordered label distribution control, it cannot advertise a label binding for
an FEC unless it has a label binding for the FEC from the downstream or next-hop LSR. It has
to wait for the downstream LSR to advertise the label binding for the FEC that is being
distributed in the upstream direction. As a result, ordered control makes the label distribution
of a given LSP occur sequentially from the last hop of the LSP toward the first hop of the LSP.
Conservative label retention keeps only the label bindings that will be used to forward packets. The main advantage is that only the labels that are required for data forwarding are allocated and maintained. Because downstream on-demand advertisement mode is mainly employed when the label space is limited, it is normally used with the conservative label retention mode.
With liberal label retention, an LSR keeps every label binding it receives from its LDP peers regardless of whether the peers are the next-hop LSRs for the advertised label binding. The main advantage is that an LSP can be updated quickly when the label forwarding information is changed. Liberal label retention is mainly used where the label space is considered an inexpensive resource. When it is used with downstream unsolicited advertisement mode, liberal label retention reduces the total number of label advertisement messages required to set up LSPs. If an LSR is using conservative retention mode in this scenario, it has to send Label Request messages to the peer for the label bindings that it has discarded during the initial label advertisement if that peer becomes the next-hop LSR for the FECs that are being requested.
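The difference between independent and ordered label distribution control, shown in an added Python simulation (not code from the book or from a router). A three-hop LSP uses downstream unsolicited advertisement; under independent control every LSR advertises a binding as soon as it learns the FEC, so the ingress and transit LSRs advertise before they hold a downstream label, while under ordered control only the egress advertises first and each upstream LSR waits for its next hop's binding. The router names and the label allocator are assumptions.

```python
import itertools
from typing import Callable, List

class ChainLsr:
    """One hop of a linear LSP. Bindings for the FEC flow from the egress (last hop) upstream."""
    def __init__(self, name: str, is_egress: bool = False):
        self.name = name
        self.is_egress = is_egress
        self.downstream_label = None           # binding received from the next-hop LSR
        self.upstream_label = None             # binding this LSR advertised toward the previous hop
        self.advertised_before_downstream = False

def make_allocator(start: int = 16) -> Callable[[], int]:
    counter = itertools.count(start)           # 0-15 are reserved label values, so start at 16
    return lambda: next(counter)

def build_chain(names: List[str]) -> List[ChainLsr]:
    return [ChainLsr(n, is_egress=(i == len(names) - 1)) for i, n in enumerate(names)]

def distribute(chain: List[ChainLsr], control: str, alloc: Callable[[], int]) -> List[str]:
    """Downstream unsolicited advertisement under 'independent' or 'ordered' control.
    chain[0] is the ingress, chain[-1] the egress. Returns the LSR names in the order in
    which they advertised a binding upstream."""
    if control not in ("independent", "ordered"):
        raise ValueError(f"unknown control mode {control!r}")
    order: List[str] = []

    def advertise(lsr: ChainLsr) -> None:
        lsr.upstream_label = alloc()
        lsr.advertised_before_downstream = lsr.downstream_label is None and not lsr.is_egress
        order.append(lsr.name)

    # Event 1: all LSRs learn the FEC (for example from the IGP) at the same time.
    for lsr in chain:
        if lsr.is_egress or control == "independent":
            advertise(lsr)
    # Following events: each binding travels one hop upstream per round until the LSP is complete.
    progressed = True
    while progressed:
        progressed = False
        for upstream, downstream in zip(chain, chain[1:]):
            if downstream.upstream_label is not None and upstream.downstream_label is None:
                upstream.downstream_label = downstream.upstream_label
                progressed = True
                if control == "ordered" and upstream.upstream_label is None:
                    advertise(upstream)        # ordered: advertise only once the next hop has
    return order

def lsp_complete(chain: List[ChainLsr]) -> bool:
    """Every non-egress hop holds a downstream label and every hop has advertised upstream."""
    return all(l.downstream_label is not None for l in chain[:-1]) and \
        all(l.upstream_label is not None for l in chain)
```

Both modes end with the same complete LSP; what differs is the advertisement order (R3, R2, R1 under ordered control) and whether a transit LSR ever advertises a label it cannot yet forward on.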
LDP Security

The primary tasks of AToM include establishing pseudowires between provider edge (PE) routers and carrying Layer 2 packets over these pseudowires. The next sections cover the operations of AToM from the perspectives of both the control plane and the data plane as follows:

Pseudowire label binding
Pseudowire ID FEC: The first octet has a value of 128 that identifies it as a Pseudowire ID FEC element.

Control Word Bit (C-Bit): The C-bit indicates whether the advertising PE expects the control word to be present for pseudowire packets. A control word is an optional 4-byte field located between the MPLS label stack and the Layer 2 payload in the pseudowire packet. The control word carries generic and Layer 2 payload-specific information. If the C-bit is set to 1, the advertising PE expects the control word to be present in every pseudowire packet on the pseudowire that is being signaled. If the C-bit is set to 0, no control word is expected to be present.

Pseudowire Type: PW Type is a 15-bit field that represents the type of pseudowire.

Pseudowire ID: The Pseudowire ID, also known as VC ID, is a non-zero, 32-bit identifier that distinguishes one pseudowire from another. To connect two attachment circuits through a pseudowire, you need to associate each one with the same Pseudowire ID.

Interface Parameters: The variable-length Interface Parameters field provides attachment circuit-specific information, such as interface MTU, maximum number of concatenated ATM cells, interface description, and so on. Each interface parameter uses a generic TLV encoding, as shown in Figure 6-9.
Table 6-1. Pseudowire Types

Pseudowire Type   Description
0x0001            Frame Relay data-link connection identifier (DLCI)
0x0002            ATM AAL5 service data unit (SDU) virtual channel connection (VCC)
0x0003            ATM Transparent Cell
0x0004            Ethernet VLAN
0x0005            Ethernet
0x0006            High-Level Data Link Control (HDLC)
0x0007            PPP

Figure 6-9 (field layout): Parameter ID (1 Octet) | Length (1 Octet) | Parameter Value (Variable Length)
Even though LDP allows multiple FEC elements encoded into an FEC TLV, only one FEC element, the Pseudowire ID FEC element, exists in each FEC TLV for the pseudowire emulation over MPLS application.
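An encoder and decoder for the Pseudowire ID FEC element and its interface parameter sub-TLVs, added here as a Python example (not code from the book or from Cisco IOS). It uses the fields named above (type octet 128, C-bit, 15-bit PW type, 32-bit non-zero Pseudowire ID, interface parameters with a 1-octet ID and 1-octet Length) and the pseudowire type values of Table 6-1. Two fields of the wire format come from RFC 4447 rather than from the text here: the 1-octet PW Info Length (covering the Pseudowire ID and the interface parameters) and the 4-octet Group ID; the MTU sub-TLV ID 0x01 is from RFC 4446, and the sub-TLV Length is assumed to include its own two header octets, as in that RFC. The sample pseudowire values are constructed.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PWID_FEC_TYPE = 0x80       # 128: Pseudowire ID FEC element
PARAM_MTU = 0x01           # Interface MTU sub-TLV (RFC 4446)
PW_TYPES = {               # from Table 6-1
    0x0001: "Frame Relay DLCI", 0x0002: "ATM AAL5 SDU VCC", 0x0003: "ATM Transparent Cell",
    0x0004: "Ethernet VLAN", 0x0005: "Ethernet", 0x0006: "HDLC", 0x0007: "PPP",
}

@dataclass
class PwidFec:
    c_bit: int
    pw_type: int                          # 15-bit pseudowire type
    group_id: int                         # RFC 4447 field, not covered in the text above
    pw_id: int                            # VC ID, must be non-zero
    params: List[Tuple[int, bytes]]       # (Parameter ID, Parameter Value) sub-TLVs

def mtu_param(mtu: int) -> Tuple[int, bytes]:
    return PARAM_MTU, struct.pack("!H", mtu)

def pw_type_name(pw_type: int) -> str:
    return PW_TYPES.get(pw_type, f"unknown (0x{pw_type:04x})")

def encode_pwid_fec(fec: PwidFec) -> bytes:
    if fec.pw_id == 0:
        raise ValueError("Pseudowire ID must be non-zero")
    if not 0 <= fec.pw_type < (1 << 15):
        raise ValueError("PW type is a 15-bit field")
    # Sub-TLV Length counts the ID and Length octets plus the value (RFC 4446 convention).
    sub = b"".join(struct.pack("!BB", pid, 2 + len(value)) + value for pid, value in fec.params)
    info_len = 4 + len(sub)                                   # Pseudowire ID + sub-TLVs
    if info_len > 255:
        raise ValueError("interface parameters too long for PW Info Length")
    return struct.pack("!BHBII", PWID_FEC_TYPE, (fec.c_bit << 15) | fec.pw_type,
                       info_len, fec.group_id, fec.pw_id) + sub

def decode_pwid_fec(data: bytes) -> PwidFec:
    if len(data) < 12:
        raise ValueError("truncated Pseudowire ID FEC element")
    fec_type, c_and_type, info_len, group_id, pw_id = struct.unpack_from("!BHBII", data, 0)
    if fec_type != PWID_FEC_TYPE:
        raise ValueError("not a Pseudowire ID FEC element")
    if info_len < 4 or 8 + info_len != len(data):
        raise ValueError("PW Info Length does not match element size")
    if pw_id == 0:
        raise ValueError("Pseudowire ID must be non-zero")
    params, off = [], 12
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated interface parameter")
        pid, plen = data[off], data[off + 1]
        if plen < 2 or off + plen > len(data):                 # bound every sub-TLV by the buffer
            raise ValueError("bad interface parameter length")
        params.append((pid, data[off + 2:off + plen]))
        off += plen
    return PwidFec(c_and_type >> 15, c_and_type & 0x7FFF, group_id, pw_id, params)

def mtu_of(fec: PwidFec) -> Optional[int]:
    for pid, value in fec.params:
        if pid == PARAM_MTU and len(value) == 2:
            return struct.unpack("!H", value)[0]
    return None

def interface_params_match(local: PwidFec, remote: PwidFec) -> bool:
    """Validation before a PE declares the pseudowire established: same ID, same type, same MTU."""
    return (local.pw_id == remote.pw_id and local.pw_type == remote.pw_type
            and mtu_of(local) == mtu_of(remote))
```

The MTU comparison mirrors the later remark that a pseudowire is not established when the peering PE routers carry different interface MTUs; the C-bit is deliberately not part of that check, because it is negotiated rather than required to match.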
Establishing AToM Pseudowires
Typically, two types of LDP sessions are involved in establishing AToM pseudowires. They are
the nontargeted LDP session and the targeted LDP session.
The nontargeted LDP session that is established through LDP basic discovery between a PE router and its directly connected P routers is used to distribute tunnel labels. The label distribution and management of tunnel labels pertains to the deployment model of the underlying MPLS network. It can be some combination of downstream on-demand or unsolicited label advertisement, independent or ordered control, and conservative or liberal label retention. Neither pseudowire emulation nor AToM dictates any particular label distribution and management mode for tunnel labels.
Note

In some MPLS deployment scenarios, tunnel LSPs are set up through Resource Reservation Protocol Traffic Engineering (RSVP-TE) instead of nontargeted LDP sessions.
The other type of LDP sessions are established through LDP extended discovery between PE routers. These sessions are known as targeted LDP sessions because they send periodic Targeted Hello messages to each other. Targeted LDP sessions in the context of pseudowire emulation distribute pseudowire labels. IETF documents on pseudowire emulation over MPLS specify the use of downstream unsolicited label advertisement. In Cisco IOS Software, AToM uses independent label control and liberal label retention to improve performance and convergence time on pseudowire signaling.

Figure 6-10 illustrates an example of AToM deployment.
1. A pseudowire is provisioned with an attachment circuit on PE1.

2. PE1 initiates a targeted LDP session to PE2 if none already exists. Both PE routers receive LDP Keepalive messages from each other and complete the session establishment. They are ready to exchange pseudowire label bindings.

3. When the attachment circuit state on PE1 transitions to up, PE1 allocates a local pseudowire label corresponding to the pseudowire ID that is provisioned for the pseudowire.

4. PE1 encodes the local pseudowire label into the Label TLV and the pseudowire ID into the FEC TLV. Then it sends this label binding to PE2 in a Label Mapping message.

5. PE1 receives a Label Mapping message from PE2 and decodes the pseudowire label and pseudowire ID from the Label TLV and FEC TLV.

6. PE2 performs Steps 1 through 5 independently.

7. After PE1 and PE2 exchange the pseudowire labels and validate interface parameters for a particular pseudowire ID, the pseudowire with that pseudowire ID is considered established.

If one attachment circuit on one PE router goes down, a Label Withdraw message is sent to the peering PE router to withdraw the pseudowire label that it previously advertised.
Control Word Negotiation
During pseudowire establishment, Label Mapping messages are sent in both directions. To enable the pseudowire, you need to set some interface parameters to certain values that the peering PE router expects. When a mismatch occurs, fixing the problem requires manual intervention or configuration changes. The protocol cannot correct the mismatch automatically. For example, when the interface MTUs of the peering PE routers are different, the pseudowire is not established.
You can negotiate the presence of the control word through protocol signaling. The control
word has 32 bits, as shown in Figure 6-11. If it is present, the control word is encapsulated in
every pseudowire packet and carries per-packet information, such as sequence number,
padding length, and control flags.
For other Layer 2 payload types, the control word is optional. If a PE router cannot send and receive the optional control word, or if it is capable of doing that but prefers not to do so, the C-bit in the Label Mapping message that the PE router sends is set to 0. If a PE router is capable of and prefers sending and receiving the optional control word, the C-bit in the Label Mapping message it sends is set to 1. When two PE routers exchange Label Mapping messages, one of the following scenarios could happen when the control word is optional:
Both C-bits are set to the same value, that is, either 0 or 1. In this case, the pseudowire establishment is complete. The control word is used if the common C-bit value is 1. Otherwise, the control word is not used.

A PE router receives a Label Mapping message but has not sent a Label Mapping message for the pseudowire, and the local C-bit setting is different from the remote C-bit setting. If the received Label Mapping message has the C-bit set to 1, in this case, the PE router ignores the received Label Mapping message and continues to wait for the next Label Mapping message for the pseudowire. If the received Label Mapping message has the C-bit set to 0, the PE router changes the local C-bit setting to 0 for the Label Mapping message to be sent. If the attachment circuit comes up, the PE router sends a Label Mapping message with the latest local C-bit setting.

A PE router has already sent a Label Mapping message, and it receives a Label Mapping message from a remote PE router. However, the local C-bit setting is different from the remote C-bit setting. If the received Label Mapping message has the C-bit set to 1, in this case, the PE router ignores the received Label Mapping message and continues to wait for the next label message for the pseudowire. If the received Label Mapping message has the C-bit set to 0, the PE router sends a Label Withdraw message with a Wrong C-bit status code, followed by a Label Mapping message with the C-bit set to 0. The pseudowire establishment is now complete, and the control word is not used.

To summarize the previous two scenarios, when the C-bit settings in the two Label Mapping messages do not match, the PE router that prefers the use of the optional control word surrenders to the PE router that does not prefer it, and the control word is not used.
Configuring whether the control word is to be used in an environment with many different
platforms is sometimes a tedious process. AToM automates this task by detecting the hardware
capability of the PE router. AToM always prefers the presence of the control word and utilizes
the control word negotiation procedures to reach a common C-bit value between PE routers.
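The three C-bit scenarios above, driven through a small simulation in Python as an added example (not code from the book or from AToM). Each `PwEndpoint` starts with the C-bit it prefers; `receive_mapping` implements the rules for a matching C-bit, for a received C=1 that is ignored, for a received C=0 before the local Label Mapping was sent (change the local C-bit, then advertise) and for a received C=0 after it was sent (Label Withdraw with a Wrong C-bit status, then re-advertise with C=0). Which scenario a pair of routers ends up in depends only on the order in which their Label Mappings arrive, which `negotiate` lets you choose. The message strings and router names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class PwEndpoint:
    name: str
    prefers_cw: bool                        # capable of, and prefers, the optional control word
    ac_up: bool = True                      # attachment circuit state
    local_c_bit: int = field(init=False)
    mapping_sent: bool = False
    remote_c_bit: Optional[int] = None      # C-bit of the last Label Mapping this side accepted
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.local_c_bit = 1 if self.prefers_cw else 0

    @property
    def established(self) -> bool:
        return self.mapping_sent and self.remote_c_bit is not None \
            and self.remote_c_bit == self.local_c_bit

    @property
    def control_word_in_use(self) -> Optional[bool]:
        return bool(self.local_c_bit) if self.established else None

def send_mapping(ep: PwEndpoint) -> str:
    ep.mapping_sent = True
    ep.log.append(f"sent Label Mapping C={ep.local_c_bit}")
    return f"Label Mapping C={ep.local_c_bit}"

def receive_mapping(ep: PwEndpoint, remote_c_bit: int) -> List[str]:
    """Apply the C-bit scenarios to one received Label Mapping; return what ep sends back."""
    if remote_c_bit == ep.local_c_bit:                  # scenario 1: both sides agree
        ep.remote_c_bit = remote_c_bit
        ep.log.append(f"accepted Label Mapping C={remote_c_bit}")
        return []
    if remote_c_bit == 1:                               # remote prefers the control word, we do not
        ep.log.append("ignored Label Mapping C=1, waiting for the next one")
        return []
    ep.local_c_bit = 0                                  # remote sent C=0 while we prefer 1: surrender
    ep.remote_c_bit = 0
    if not ep.mapping_sent:                             # scenario 2: nothing advertised yet
        ep.log.append("changed local C-bit to 0")
        return [send_mapping(ep)] if ep.ac_up else []
    ep.log.append("withdrawing own label with Wrong C-bit status, re-advertising with C=0")
    return ["Label Withdraw status=Wrong C-bit", send_mapping(ep)]   # scenario 3

def deliver(receiver: PwEndpoint, msg: str) -> List[str]:
    if msg.startswith("Label Mapping"):
        return receive_mapping(receiver, int(msg.rsplit("=", 1)[1]))
    if msg.startswith("Label Withdraw"):
        receiver.remote_c_bit = None                    # remote binding gone until re-advertised
        receiver.log.append("remote label withdrawn, acknowledging with Label Release")
        return ["Label Release"]
    receiver.log.append(f"received {msg}")
    return []

def negotiate(first: PwEndpoint, second: PwEndpoint,
              simultaneous: bool) -> Tuple[Optional[bool], Optional[bool]]:
    """`first` advertises first; with simultaneous=True both Label Mappings cross in flight.
    Returns each side's control-word decision (None if the pseudowire is not established)."""
    queue = [(first, second, send_mapping(first))]
    if simultaneous:
        queue.append((second, first, send_mapping(second)))
    while queue:
        sender, receiver, msg = queue.pop(0)
        queue.extend((receiver, sender, reply) for reply in deliver(receiver, msg))
        if not simultaneous and not second.mapping_sent and second.ac_up:
            queue.append((second, first, send_mapping(second)))
    return first.control_word_in_use, second.control_word_in_use
```

With PE1 preferring the control word and PE2 not, PE2 advertising first puts PE1 in scenario 2 (it quietly changes its C-bit to 0), while crossing Label Mappings put PE1 in scenario 3 (Wrong C-bit withdraw, then C=0); either way the outcome is the one the summary states, the control word is not used.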
Layer 2 protocols assume that the underlying transport ensures in-order packet delivery. These
protocols might not function correctly if out-of-order delivery occurs. For instance, if PPP LCP
packets are reordered, the end-to-end PPP connection is unable to establish.
To avoid out-of-order packets, the best solution is to engineer a reordering-free packet network. Even though this goal is not always easy to achieve, you should make it a priority because no matter what kind of remedy you might use, network performance suffers significantly from out-of-order delivery.
Sequencing that is defined in pseudowire emulation mainly serves as a detection mechanism for network operators to troubleshoot occasional out-of-order delivery problems. Implementations might choose to either discard or reorder out-of-order packets when they are detected. Because the latter requires huge packet buffer space for high-speed links and has significant performance overhead, AToM simply discards out-of-order packets and relies on the upper layer to retransmit these packets.
The first step in using sequencing is to signal the presence of the control word, as described in the previous section. The control word contains a 16-bit Sequence Number field. However, the presence of the control word does not mandate sequencing. When sequencing is not used, the Sequence Number value is set to 0.
After negotiating the control word, the sequence number is set to 1 and increments by 1 for each subsequent packet that is being transmitted. If the transmitting sequence number reaches the maximum value 65535, it wraps around to 1 again.
To detect an out-of-order packet, the receiving PE router calculates the expected sequence number for the next packet by using the last receiving sequence number (which has an initial value of 0) plus 1, and then mod (modulus) by 2^16 (2^16 = 65536). If the result is 0, the expected sequence number is set to 1. A packet that is received over a pseudowire is considered in-order if one of the following conditions is met:
The receiving sequence number is 0.

The receiving sequence number is no less than the expected sequence number, and the result of the receiving sequence number minus the expected sequence number is less than 32768.

The receiving sequence number is less than the expected sequence number, and the result of the expected sequence number minus the receiving sequence number is no less than 32768.
If none of these conditions is satisfied, the packet is considered out-of-order and is discarded.
Sometimes the sending or the receiving PE router might lose the last transmitting or receiving sequence number because of transient system problems. This router might want to restart the sequence number from the initial value. AToM implements a set of signaling procedures to reliably resynchronize the sequence number. Although the IETF documents do not specify these procedures, the procedures are interoperable with any standard-compliant implementation. The resynchronization procedures in AToM are as follows:
If the transmitting PE router needs to reset the transmitting sequence number, it must
inform the receiving PE router to reset the receiving sequence number. AToM
accomplishes this by letting the transmitting PE router send a Label Release message to
the receiving PE router, followed by a Label Request message. Because the receiving PE
router interprets this as a pseudowire flapping, it resets the receiving sequence number.
If the receiving PE router needs to reset the receiving sequence number, it must inform the transmitting PE router to reset the transmitting sequence number. AToM does so by letting the receiving PE router send a Label Withdraw message to the transmitting PE router, followed by a Label Mapping message. Because the transmitting PE router
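The sequencing rules and the resynchronization procedures above, as one added example that is not code from the book: a Python model of one pseudowire endpoint that generates sequence numbers (starting at 1, wrapping from 65535 back to 1), applies the three in-order conditions on receipt, discards anything else, and resets its counters when it sees the LDP message pairs used for resynchronization. Two simplifications are this example's own assumptions: the LDP messages are represented as plain strings, and the receiver's reference point is simply the last delivered sequence number.

```python
"""AToM pseudowire sequence numbers: generation, in-order check, and resync.

Added example, not code from the book. Models the rules in the text:
sender starts at 1 and wraps 65535 -> 1; receiver derives the expected
number from the last received one (initially 0), applies the three
in-order conditions, discards everything else, and resets on the LDP
message pairs used for resynchronization (message names are plain
strings here, an assumption of this example).
"""

SEQ_MOD = 1 << 16        # 2^16 = 65536
HALF_WINDOW = 1 << 15    # 32768, the window used by the comparison rules


def next_sequence(last_sent):
    """Sequence number for the next packet; 0 is never produced once sequencing runs."""
    nxt = (last_sent + 1) % SEQ_MOD
    return 1 if nxt == 0 else nxt


def expected_sequence(last_received):
    """Expected number for the next packet: (last + 1) mod 2^16, with 0 mapped to 1."""
    exp = (last_received + 1) % SEQ_MOD
    return 1 if exp == 0 else exp


def is_in_order(seq, last_received):
    """The three in-order conditions from the text; anything else is out-of-order."""
    if seq == 0:                                   # condition 1: sequencing not in use
        return True
    exp = expected_sequence(last_received)
    if seq >= exp and seq - exp < HALF_WINDOW:     # condition 2: at/after expected, within half the space
        return True
    if seq < exp and exp - seq >= HALF_WINDOW:     # condition 3: ahead of expected across the wrap
        return True
    return False                                   # late or duplicate packet


class PwEndpoint:
    """One PE end of a pseudowire: transmit counter, receive reference,
    and the LDP-driven resynchronization described in the text."""

    def __init__(self, sequencing=True):
        self.sequencing = sequencing
        self.last_sent = 0          # initial value before the first packet
        self.last_received = 0      # initial value, so the first expected number is 1
        self.discarded = 0
        self._prev_ldp = None

    def send(self):
        """Return the sequence number to place in the control word."""
        if not self.sequencing:
            return 0
        self.last_sent = next_sequence(self.last_sent)
        return self.last_sent

    def receive(self, seq):
        """True if the packet is delivered to the attachment circuit, False if discarded."""
        if not is_in_order(seq, self.last_received):
            self.discarded += 1
            return False
        if seq != 0:                # an unsequenced packet does not move the reference
            self.last_received = seq
        return True

    def on_ldp_message(self, msg):
        """Label Release then Label Request from the peer: the peer restarted its
        transmit counter, so reset our receive reference. Label Withdraw then
        Label Mapping: the peer restarted its receive reference, so restart our
        transmit counter."""
        pair = (self._prev_ldp, msg)
        if pair == ("LabelRelease", "LabelRequest"):
            self.last_received = 0
        elif pair == ("LabelWithdraw", "LabelMapping"):
            self.last_sent = 0
        self._prev_ldp = msg


def deliver(endpoint, seqs):
    """Feed received sequence numbers to an endpoint; return those delivered, in order."""
    return [s for s in seqs if endpoint.receive(s)]
```

Feeding 1, 2, 2, 4, 3, 5 to a fresh receiver delivers 1, 2, 4 and 5: the duplicate 2 and the late 3 fail all three conditions and are dropped, while the gap left by the missing 3 does not hold back 4. Note also that a number 32768 or more behind the expected value is judged in-order by condition 3, so the comparison window is deliberately half the sequence space.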
Pseudowire Encapsulation

To properly emulate Layer 2 protocols over pseudowires, you need to encapsulate each Layer 2 payload in such a way that Layer 2 characteristics are preserved as close to what they are in the native form as possible.

Aside from the MPLS label stack, pseudowire encapsulation also contains payload-specific information that varies on a per-transport and per-packet basis. This section discusses the payload-specific part of the encapsulation, which includes the control word and the Layer 2 payload.
The next few sections explain how the following Layer 2 protocols are encapsulated and
processed on PE routers:
Master the world of Layer 2 VPNs to provide enhanced services and enjoy
productivity gains
ATM
Frame Relay
HDLC
PPP
Ethernet
ATM
AToM supports two types of encapsulation for ATM transport: ATM AAL5 common part convergence sublayer service data unit (CPCS-SDU) and ATM Cell.
The ATM AAL5 CPCS-SDU encapsulation includes a mandatory control word. The ATM AAL5 CPCS-SDU encapsulation requires segmentation and reassembly (SAR) on the CE-PE interface. When an ingress PE router receives ATM cells from a CE router, it reassembles them into an AAL5 CPCS-SDU and copies ATM control flags from the cell header into the control word before sending it over a pseudowire. The AAL5 CPCS-SDU is segmented into ATM cells with proper cell headers on the egress PE router. Figure 6-12 illustrates the AAL5 CPCS-SDU pseudowire encapsulation.
Figure 6-12. AAL5 CPCS-SDU Pseudowire Encapsulation

Reserved (4 Bits) | T | E | C | U | Rsv | Length (6 Bits)
Sequence Number (16 Bits)
ATM AAL5 CPCS-SDU (Variable Length)
EFCI (E-Bit) The E-bit stores the value of the EFCI bit of the last cell to be reassembled when the payload contains an AAL5 CPCS-SDU, or that of the ATM OAM cell when the payload is an ATM OAM cell, on the ingress PE router. The egress PE router then sets the EFCI bit of all cells to the value of the E-bit.

CLP (C-Bit) This is set to 1 if the CLP bit of any cell is set to 1, regardless of whether the cell is part of an AAL5 CPCS-SDU or is an ATM OAM cell, on the ingress PE router. The egress PE router sets the CLP bit of all cells to the value of the C-bit.
Frame Relay

Frame Relay Pseudowire Encapsulation

Reserved (4 Bits) | B | F | D | C | Rsv | Length (6 Bits)
Sequence Number (16 Bits)
Frame Relay PDU (Variable Length)
The Frame Relay control flags in the control word are described as follows:
Backward Explicit Congestion Notification (B-Bit) The ingress PE router copies the BECN field of an incoming Frame Relay packet into the B-bit. The B-bit value is copied to the BECN field of the outgoing Frame Relay packet on the egress PE router.

Forward Explicit Congestion Notification (F-Bit) The ingress PE router copies the FECN field of an incoming Frame Relay packet into the F-bit. The F-bit value is copied to the FECN field of the outgoing Frame Relay packet on the egress PE router.

Discard Eligibility (D-Bit) The ingress PE router copies the DE field of an incoming Frame Relay packet into the D-bit. The D-bit value is copied to the DE field of the outgoing Frame Relay packet on the egress PE router.

Command/Response (C-Bit) The ingress PE router copies the C/R field of an incoming Frame Relay packet into the C-bit. The C-bit value is copied to the C/R field of the outgoing Frame Relay packet on the egress PE router.
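The ATM AAL5 E/C-bit rules and the Frame Relay B/F/D/C-bit rules above, as one added example that is not code from the book: packing and checking the control word, deriving the flags from ATM cell headers or from a Q.922 address on the ingress PE, and writing them back on the egress PE. The control-word layout used (4 reserved bits, 4 flag bits, 2 reserved bits, 6-bit Length, 16-bit Sequence Number) follows the figures above and draft-martini; the names of the T and U bits are taken from draft-martini because this page describes only E and C; the cell headers and address bytes in the usage are constructed samples.

```python
"""Control-word flag handling for ATM AAL5 CPCS-SDU and Frame Relay pseudowires.

Added example, not code from the book. Control word layout assumed (matches
the figures in the text and draft-martini): bits 0-3 reserved, bits 4-7
transport flags (T E C U for AAL5, B F D C for Frame Relay), bits 8-9
reserved, bits 10-15 Length, bits 16-31 Sequence Number.
"""
import struct

# Flag bits inside the 4-bit flags nibble, left to right as drawn in the figures.
# T (transport type) and U (command/response) follow draft-martini; the page
# itself describes only E and C.
ATM_T, ATM_E, ATM_C, ATM_U = 0x8, 0x4, 0x2, 0x1
FR_B, FR_F, FR_D, FR_C = 0x8, 0x4, 0x2, 0x1       # BECN, FECN, DE, C/R


def pack_control_word(flags, length=0, seq=0):
    """Build the 32-bit control word; reserved bits are always zero."""
    if not (0 <= flags <= 0xF and 0 <= length <= 0x3F and 0 <= seq <= 0xFFFF):
        raise ValueError("control word field out of range")
    return struct.pack("!I", (flags << 24) | (length << 16) | seq)


def unpack_control_word(cw):
    """Parse a control word and reject one with reserved bits set."""
    (word,) = struct.unpack("!I", cw)
    if (word >> 28) or ((word >> 22) & 0x3):
        raise ValueError("reserved bits set in control word")
    return {"flags": (word >> 24) & 0xF, "length": (word >> 16) & 0x3F, "seq": word & 0xFFFF}


# --- ATM AAL5 CPCS-SDU: E and C bits ---------------------------------------

def atm_cell_bits(header):
    """EFCI, CLP and the AAL5 end-of-SDU bit from a 5-byte cell header
    (byte 3 carries VCI low nibble | PTI(3) | CLP(1); EFCI is PTI bit 1)."""
    pti = (header[3] >> 1) & 0x7
    return {"efci": (pti >> 1) & 1, "clp": header[3] & 1, "last": pti & 1}


def aal5_flags_on_ingress(cell_headers):
    """C = 1 if any cell had CLP set; E = EFCI of the last cell reassembled."""
    flags = 0
    for h in cell_headers:
        if atm_cell_bits(h)["clp"]:
            flags |= ATM_C
    if atm_cell_bits(cell_headers[-1])["efci"]:
        flags |= ATM_E
    return flags


def aal5_headers_on_egress(flags, cell_headers):
    """Set EFCI and CLP of every re-segmented cell to the E and C bits."""
    out = []
    for h in cell_headers:
        b3 = h[3] & 0xFA                           # clear EFCI (0x04) and CLP (0x01)
        b3 |= (0x04 if flags & ATM_E else 0) | (0x01 if flags & ATM_C else 0)
        out.append(h[:3] + bytes([b3]) + h[4:])
    return out


# --- Frame Relay: B, F, D and C bits ---------------------------------------

def fr_address_fields(addr):
    """Decode a 2-byte Q.922 address: DLCI(10), C/R, FECN, BECN, DE."""
    return {"dlci": ((addr[0] & 0xFC) << 2) | (addr[1] >> 4),
            "cr": (addr[0] >> 1) & 1, "fecn": (addr[1] >> 3) & 1,
            "becn": (addr[1] >> 2) & 1, "de": (addr[1] >> 1) & 1}


def fr_flags_on_ingress(addr):
    """Copy BECN, FECN, DE and C/R of the incoming frame into the flag bits."""
    f = fr_address_fields(addr)
    return ((FR_B if f["becn"] else 0) | (FR_F if f["fecn"] else 0)
            | (FR_D if f["de"] else 0) | (FR_C if f["cr"] else 0))


def fr_address_on_egress(flags, dlci):
    """Rebuild the Q.922 address from the control-word flags and the egress DLCI."""
    if not 0 <= dlci <= 0x3FF:
        raise ValueError("DLCI out of range")
    b0 = ((dlci >> 4) << 2) | ((1 if flags & FR_C else 0) << 1)          # EA0 = 0
    b1 = (((dlci & 0xF) << 4) | ((1 if flags & FR_F else 0) << 3)
          | ((1 if flags & FR_B else 0) << 2) | ((1 if flags & FR_D else 0) << 1) | 1)  # EA1 = 1
    return bytes([b0, b1])
```

Because the egress PE sets EFCI and CLP on every cell of the re-segmented SDU, one marked cell on the ingress side marks the whole frame on the egress side; that loss of per-cell granularity is inherent to the AAL5 mode and is why the C bit is an OR over all cells while the E bit is taken from the last one.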
HDLC
HDLC mode provides port-to-port transport of HDLC encapsulated frames. The pseudowire HDLC encapsulation consists of the optional control word and the HDLC address, control, and protocol fields, without the HDLC flags and the FCS.

You can also use the HDLC mode to transport Frame Relay User-to-Network Interface (UNI) or Network-to-Network Interface (NNI) traffic port-to-port transparently because they use HDLC framing.
PPP
PPP mode provides port-to-port transport of PPP encapsulated frames. The PPP pseudowire encapsulation consists of the optional control word and the protocol field, without media-specific framing information such as HDLC address and control fields or FCS.
When you enable the Protocol Field Compression (PFC) option in PPP, the Protocol field is compressed from two octets into a single octet. PFC occurs between CE routers and is transparent to PE routers. PE routers transmit the protocol field in its entirety as it is received from CE routers.
If the CE-PE interface uses HDLC-like framing, the ingress PE router always strips off HDLC
address and control fields from the PPP frames before transporting them over pseudowires.
Perhaps two CE routers negotiate Address and Control Field Compression (ACFC). The egress
PE router has no way of knowing that unless it snoops into the PPP LCP negotiation between
the CE routers, and that is normally undesirable because of system complexities and
performance overhead. Therefore, the egress PE router cannot determine whether it should
add HDLC address and control fields for PPP frames that are being sent to the CE router.
In Cisco IOS, AToM uses a simple solution to solve this problem without snooping. Basically, the PPP specification says that a PPP implementation that supports HDLC-like framing must be prepared to receive frames with uncompressed address and control fields at all times, regardless of ACFC. So with AToM, the egress PE router always adds the HDLC address and control fields back to the PPP packet if the egress CE-PE interface uses HDLC-like framing. For interfaces that do not use HDLC-like framing, such as PPP over Ethernet, PPP over Frame Relay, and PPP over ATM AAL5, the egress PE router does not add HDLC address and control fields to the PPP packet.
Ethernet
With the Ethernet pseudowire encapsulation, the preamble and FCS are removed from the Ethernet frames on the ingress PE router before sending them over pseudowires, and they are regenerated on the egress PE router. The control word is optional.
Ethernet pseudowires have two modes of operations:
Raw mode In raw mode, an Ethernet frame might or might not have an IEEE 802.1q VLAN tag. If the frame does have this tag, the tag is not meaningful to either the ingress or the egress PE router.

Tagged mode In tagged mode, each frame must contain an IEEE 802.1q VLAN tag. The tag value is meaningful to both the ingress and egress PE routers.
To explain how ingress and egress PE routers process a VLAN tag, it is necessary to define the semantics for the VLAN tag first. For example, when the ingress PE receives an Ethernet frame from a CE router and the frame contains a VLAN tag, there are two possible scenarios:
The VLAN tag is a service delimiter. The provider uses a service delimiter to distinguish one type of customer traffic from another. For example, each service-delimiting VLAN tag can represent a different customer that the provider is serving or a particular network service that the provider wants to offer. Some equipment that the provider operates usually places this VLAN tag onto the Ethernet frame.

The VLAN tag is not a service delimiter. A CE router or some equipment that the customer operates usually places this VLAN tag. The VLAN tag is not meaningful to the ingress PE router.
802.1q VLAN tags. This type of packet is commonly known as a QinQ packet. When the outer VLAN tag is the service-delimiting VLAN tag, QinQ packets are processed exactly like the ones with a single VLAN tag in both raw mode and tagged mode. When the combination of the outer and inner VLAN tags is used for service delimiting, it is processed as if it were a single VLAN tag but with an extended range of values.

If you need to take QoS into consideration, the ingress PE router can map the user priority bits in the VLAN header to the MPLS EXP bits in the MPLS label stack. In this way, transit LSRs in the MPLS network can apply QoS policies to the Ethernet frames that are carried over pseudowires.
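The raw/tagged mode, service-delimiter, QinQ and priority-to-EXP discussion above, as an added example that is not code from the book: an ingress classifier for CE frames and the matching egress step. The following are this example's own assumptions rather than statements from the text: a service-delimiting outer tag (or outer+inner pair) is removed before the frame enters the pseudowire and re-added on the egress PE, the 0x88A8 Ethertype is treated like 0x8100, the priority-to-EXP map is the identity, and frames arrive without preamble and FCS. The sample frames in the usage are constructed.

```python
"""Ethernet pseudowire ingress: raw vs. tagged mode, service-delimiting tags,
QinQ, and 802.1p user priority to MPLS EXP mapping.

Added example, not code from the book. Assumptions: frames arrive without
preamble and FCS; a service-delimiting tag is stripped on ingress and
re-added on egress; 0x88A8 is handled like 0x8100; EXP = user priority.
"""
import struct

TAG_ETHERTYPES = (0x8100, 0x88A8)   # 802.1q; 802.1ad outer tag treated the same (assumption)


def parse_tags(frame):
    """Return (tags, offset of the inner Ethertype); each tag is (pcp, dei, vid)."""
    off, tags = 12, []                             # skip DA and SA
    while off + 2 <= len(frame):
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TAG_ETHERTYPES:
            return tags, off
        if off + 4 > len(frame):
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((tci >> 13, (tci >> 12) & 1, tci & 0xFFF))
        off += 4
    raise ValueError("truncated Ethernet header")


def exp_from_priority(pcp):
    """802.1p user priority (0-7) -> MPLS EXP (0-7); identity map (assumption)."""
    return pcp & 0x7


def strip_outer_tags(frame, count):
    """Remove the outermost `count` VLAN tags (4 bytes each) after DA/SA."""
    return frame[:12] + frame[12 + 4 * count:]


def add_tag(frame, vid, pcp=0, dei=0):
    """Insert an 802.1q tag (0x8100 + TCI) after DA/SA."""
    tci = (pcp << 13) | (dei << 12) | (vid & 0xFFF)
    return frame[:12] + struct.pack("!HH", 0x8100, tci) + frame[12:]


def ingress(frame, mode, qinq_delimited=False):
    """Ingress PE handling of one CE frame.
    raw mode: any tag is customer data; the frame passes through, no service key.
    tagged mode: the outer tag (or the outer+inner pair when qinq_delimited) is
    the service delimiter; its VID is the key that selects the pseudowire and,
    as assumed here, it is removed before the frame enters the pseudowire."""
    tags, _ = parse_tags(frame)
    exp = exp_from_priority(tags[0][0]) if tags else 0
    if mode == "raw":
        return {"key": None, "exp": exp, "pw_frame": frame}
    if mode != "tagged":
        raise ValueError("mode must be 'raw' or 'tagged'")
    if not tags:
        raise ValueError("tagged mode: frame without an 802.1q tag")
    if qinq_delimited:
        if len(tags) < 2:
            raise ValueError("QinQ service delimiting needs two tags")
        return {"key": (tags[0][2], tags[1][2]), "exp": exp,
                "pw_frame": strip_outer_tags(frame, 2)}
    return {"key": tags[0][2], "exp": exp, "pw_frame": strip_outer_tags(frame, 1)}


def egress(pw_frame, service_vid=None, pcp=0):
    """Egress PE: re-add a service-delimiting tag when the egress attachment circuit uses one."""
    return pw_frame if service_vid is None else add_tag(pw_frame, service_vid, pcp)
```

The check that matters operationally is the one in tagged mode: an untagged frame is rejected rather than silently forwarded, because without a tag there is no service key to pick a pseudowire with. The EXP value is computed from the outer tag in every mode, which is where the text places the priority-to-EXP mapping.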
Despite multiple possible combinations of label distribution and management modes for pseudowire signaling, AToM implements the combination that uses LDP downstream unsolicited

Pseudowire emulation over MPLS also specifies new encapsulation methods and data switching procedures, such as the control word that is customized for carrying transport-specific information, Layer 2 payload encapsulations, ingress/egress processing optimized for transporting over pseudowires, and the sequence number for detecting out-of-order packets.
Chapter 6, "Understanding Any Transport over MPLS," introduced you to the general concepts of Any Transport over MPLS (AToM). In this chapter, you learn the operation and configuration of Ethernet over MPLS (EoMPLS), one of the draft-martini-based AToM technologies. EoMPLS offers a way to connect geographically dispersed Ethernet networks. By deploying EoMPLS in their core, service providers can implement Ethernet VPN services.
This chapter outlines important aspects of the EoMPLS technology and provides step-by-step configuration procedures for enabling EoMPLS, primarily on the service provider's side. As you already know from previous chapters, the Layer 2 VPN is transparent to the end customer, so the configuration required for the enterprise's devices is minimal.
The case studies included in this chapter do not concentrate on configuration specifics that are native to different platforms. Instead, they provide generic configuration for routers and switches.
Note

This chapter relies heavily on knowledge and comprehension of concepts learned from previous chapters, especially Chapter 6. In some cases, simple references to these chapters are provided. In other cases (when necessary), certain concepts are reiterated.
EoMPLS, as specified in the draft-martini discussed in Chapter 6, allows Layer 2 Ethernet frames to be transported across a Multiprotocol Label Switching (MPLS) core network. For the label switch router (LSR) to switch Layer 2 virtual circuits (VC), it must have IP connectivity to transport any Layer 2 attachment services. Thus, the edge LSRs must have the capability to switch Layer 2 VCs. EoMPLS has several mechanisms in place to support such transport. These mechanisms are further explained in the following sections:

EoMPLS Label Stack
Supported VC Types
Label Imposition
tunnel label switches packets from the ingress PE to the egress PE. The ingress LSR sets the VC label's Time to Live (TTL) field to a value of 2 (in this case), and it sets the TTL of the tunnel label to 255. To indicate that the VC label is at the bottom of the stack, the ingress PE marks the VC label's end-of-stack bit with the value of 1.
Note

The preceding fields describe the Layer 2 header in an Ethernet PSN. Do not confuse them with the Ethernet header fields in the transported Layer 2 frame from the

20-bit label
3-bit Experimental Field (Exp)
1-bit Bottom of Stack Indicator (S)
1-byte TTL
Finally, Figure 7-2 shows an optional 4-byte control word and the original Ethernet frame. The original Ethernet frame's header from the CE device that is transported in EoMPLS is at least 14 bytes and contains the following:

DA/SA 12 bytes (6-byte destination MAC address and 6-byte source MAC address)
Protocol Ethertype Indicates the upper-layer protocol

In the case of 802.1q Ethernet VLAN transport, the Ethernet overhead is 18 bytes, with the addition of the 4-byte VLAN Tag header, also referred to as the 802.1q header. An Ethertype with a value of 0x8100 indicates that there is a VLAN Tag header between the Ethernet and upper-layer headers. The 802.1q header is as follows:
Ethertype: Next 2 bytes. Value 0x8847 (MPLS Unicast is indicated by 0x8847).

Tunnel label, Label: 20 bits (bits 0-19 after the MAC header). Derived from the PSN label for the remote PE's FEC[3]; the information can be obtained through a FIB lookup.

Tunnel label, EXP bits: 3 bits (bits 20-22). Experimental bits in the tunnel PSN. Intermediate LSRs can modify this field when switching the packet through the PSN.

Tunnel label, S bit: 1 bit (bit 23). Value 0. The S bit in the tunnel label field is always set to 0 for the tunnel label, to indicate that another LSE[5] follows.

VC label, EXP bits: 3 bits (bits 20-22 of the VC label). Same as the tunnel EXP bits. You can configure this field.

VC label, S bit: 1 bit (bit 23 of the VC label). Value 1. Because the VC label is the last label in the MPLS label stack, the S bit is always set to 1.

VC label, TTL field: 8 bits (bits 24-31 of the VC label). Value 2. This field is always set to 2.
The overhead incurred when Ethernet frames were transported over MPLS and rules and restrictions were imposed on the MPLS network. For instance, the MTU configuration of the MPLS network should accommodate the largest expected frame size in the label-switched paths (LSPs) plus the header (Ethernet frame header, in this case), the control word, and 8 additional label stack bytes. This includes configuration of the CE and PE links.
Publisher: Cisco Press
Figure 7-3 illustrates a sample network over which you can see the MTU calculation for VLANPub Date: March 10, 2005
tunneled modes. (Both modes are discussed in the "Supported VC Types" section of this
ISBN: 1-58705-168-0
chapter.)
To verify these
calculations, you perform pings with different packet sizes from the
Table of
Pages:
648
CE R200
to the CE R204.
Contents
Index
Master the world of Layer 2 VPNs to provide enhanced services and enjoy
productivity gains
[View full size image]
You can use the following formula to calculate MTU requirements for the core:
Core MTU >= Edge MTU + Transport Header + AToM Header + (MPLS Label Stack *
MPLS Header Size)
The Edge MTU is the MTU that is configured in the CE-facing PE's interface.
This formula uses the following values for VLAN transport and a two-label stack and provides the core MTU needed to transport 1470-byte packets from the CE:

You input the value of 1470 bytes in the preceding formula as the Edge MTU because that is the largest unfragmented packet that was successfully transported. The result of the formula is a core MTU that is greater than or equal to 1500 bytes, which is the actual MTU that is configured in the core.
On the other hand, if you want to transport 1500-byte packets from the CE device, you can substitute that value for the Edge MTU in the general formula to calculate the corresponding Core MTU needed:

Core MTU >= Edge MTU + 18 + 4 + (2 * 4)
Core MTU >= 1500 + 18 + 4 + (2 * 4)
Core MTU >= 1530

In this case, you need to configure the MTU links to allow for 1530-byte packets.
Table 7-2 outlines the MTU calculation to show that the overhead is 30 bytes. That is why only packets that are up to 1470 bytes with the DF bit set are successfully transported in Example 7-2.
Table 7-2. Calculating MTU Requirements for Ethernet VLAN Transport

Layer         Description                              Core Overhead
Transported   Ethernet VLAN header                     18 bytes
AToM          Control word                             4 bytes
MPLS          MPLS stack entries * MPLS header size    2 headers * 4 bytes/header = 8 bytes
Total                                                  30 bytes
Keeping in mind that
theto
transport
overhead
for and
VLAN-tunneled
is 18 requirements
bytes, the transport
comparing
them
to
those
of
Layer
3
based
VPNs,
such
as
MPLS,
then
overhead for port-tunneled is 14 bytes, and that MPLS traffic engineering (TE) fast reroute
progressively
covering
each
currently
solution in greater
detail.
(FRR) uses an additional
label stack
entry,
you
can see available
the MTU calculations
for various
cases
inTable 7-3. (All values are in bytes.) Note that the sizes in square brackets indicate the
values when the optional control word is not used.
Table 7-3. MTU Calculations for Various EoMPLS Cases

Field                EoMPLS Port Mode          EoMPLS VLAN Mode          EoMPLS Port + TE FRR       EoMPLS VLAN + TE FRR
Edge MTU             1500                      1500                      1500                       1500
Transport overhead   14                        18                        14                         18
Control word         4 [0]                     4 [0]                     4 [0]                      4 [0]
Label stack          2 LSEs * 4 bytes/LSE = 8  2 LSEs * 4 bytes/LSE = 8  3 LSEs * 4 bytes/LSE = 12  3 LSEs * 4 bytes/LSE = 12
Core MTU needed      1526 [1522]               1530 [1526]               1530 [1526]                1534 [1530]
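The arithmetic behind Tables 7-2 and 7-3, written out as a small script so the figures can be recomputed for other edge MTUs or for a core whose links cannot be raised above 1500 bytes. This is an added example, not code from the book; the overhead constants are the ones the tables above use (14 bytes untagged Ethernet header, 18 bytes with an 802.1Q tag, 4 bytes control word, 4 bytes per label stack entry), and `max_df_packet` reproduces the 1470-byte limit quoted for Example 7-2.

```python
"""EoMPLS core MTU arithmetic (added example; constants from Tables 7-2 and 7-3)."""

ETH_PORT_OVERHEAD = 14   # dst MAC (6) + src MAC (6) + EtherType (2); preamble and FCS are not carried
ETH_VLAN_OVERHEAD = 18   # as above plus the 4-byte 802.1Q tag
CONTROL_WORD = 4         # optional AToM control word
LSE_SIZE = 4             # one MPLS label stack entry


def eompls_overhead(vlan_mode: bool, control_word: bool = True,
                    te_frr: bool = False) -> int:
    """Bytes added to a customer IP packet before it enters the MPLS core."""
    transport = ETH_VLAN_OVERHEAD if vlan_mode else ETH_PORT_OVERHEAD
    # Tunnel label + VC label; TE FRR pushes one more LSE for the backup tunnel.
    lses = 3 if te_frr else 2
    return transport + (CONTROL_WORD if control_word else 0) + lses * LSE_SIZE


def core_mtu(edge_mtu: int, vlan_mode: bool, control_word: bool = True,
             te_frr: bool = False) -> int:
    """Smallest core link MTU that carries a full-size edge packet unfragmented."""
    return edge_mtu + eompls_overhead(vlan_mode, control_word, te_frr)


def max_df_packet(core_link_mtu: int, vlan_mode: bool, control_word: bool = True,
                  te_frr: bool = False) -> int:
    """Largest customer IP packet with DF set that a core of this MTU can carry.

    Labeled packets are not fragmented inside the core, so anything larger
    is dropped; with a 1500-byte core and VLAN mode this is the 1470 bytes
    observed in Example 7-2.
    """
    return core_link_mtu - eompls_overhead(vlan_mode, control_word, te_frr)


def table_7_3(edge_mtu: int = 1500) -> dict:
    """Core MTU for each column of Table 7-3 as (with control word, without)."""
    columns = [
        ("EoMPLS Port Mode", False, False),
        ("EoMPLS VLAN Mode", True, False),
        ("EoMPLS Port + TE FRR", False, True),
        ("EoMPLS VLAN + TE FRR", True, True),
    ]
    return {name: (core_mtu(edge_mtu, vlan, True, frr),
                   core_mtu(edge_mtu, vlan, False, frr))
            for name, vlan, frr in columns}


if __name__ == "__main__":
    for name, (with_cw, without_cw) in table_7_3().items():
        print(f"{name:22s} {with_cw} [{without_cw}]")
    print("max DF packet, 1500-byte core, VLAN mode:", max_df_packet(1500, True))
```

The useful direction in practice is usually `max_df_packet`: given the MTU the core actually has, it tells you the largest customer packet that will survive, which is what a customer with DF-set traffic (TCP with path MTU discovery) will see.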
Supported VC Types
In VLAN-tunneling mode, the ingress information for the VLAN is contained within the dot1Q header of the packet. (Refer to Chapter 4, "LAN Protocols," for more information on dot1Q.) By looking at the VLAN ID in the dot1Q header, the network processor (NP) can determine the next step in processing, described in the "Label Imposition" section of this chapter.

In port-tunneling mode, the packet does not carry ingress port information. To include the ingress information, the port-tunneled interface is put into QinQ mode. A hidden VLAN is then created and added onto the packet. A hidden VLAN is a VLAN that is numbered outside the allowed range for VLAN IDs. This is how the NP learns the ingress information. The hidden VLAN concept applies to the switch platforms (that is, the 6500 and 7600 platforms). In contrast, VLAN-tunneled mode does not require a hidden VLAN; the NP can discern the ingress information from the packet's dot1Q header.

Another difference between port-tunneling mode and VLAN-tunneling mode is in the handling of VLAN IDs. In port-tunneling mode, the VLAN ID is transparently passed from the ingress PE to the egress PE over MPLS in a single VLAN. In VLAN-tunneling mode, however, the VLAN ID at each end of the EoMPLS tunnel can be different. To overcome this, the egress side of the tunnel that is mapped to a VLAN rewrites the VLAN ID in outgoing dot1Q packets to the ID of the local VLAN.
label to its directly connected neighbor via LDP, which causes the neighbor to pop the tunnel label when switching the packets to the egress PE.

When the egress PE receives the packet with the VC label, it needs to select an appropriate form of disposition. For this, the egress PE checks the label forwarding information base (LFIB). The LFIB contains information about the binding between the outgoing interface and a given VC ID, which was initially inserted into the LFIB with the VC label. The LFIB lookup informs the PE that EoMPLS disposition will be performed and finds the corresponding egress interface for the VC. The VC label is then popped, the VLAN ID is rewritten (if needed), and the frame is transmitted to the proper outgoing interface.
Note

The ingress and egress PEs are the only two routers in the MPLS backbone with knowledge of the Layer 2 transport VCs. No other intermediate hops have table entries for the Layer 2 transport VCs. Therefore, only PEs require EoMPLS functionality.

Figure 7-4 illustrates the process of imposition and disposition, where traffic flow is bound first from Site 1 to Site 2 and then in the opposite direction.

Figure 7-4. Label Imposition and Disposition

Note

For an LSP to be present from PE to PE, routes from a PE that its neighbors discover cannot be summarized. They must have a mask of /32.
topologies and configurations that involve routers and move on to case studies that involve switches.
Figure 7-5 shows the general topology used throughout the case studies. Some variations from one case study to the next require configuration or topology modifications. The goal that is common to all case studies is to establish Layer 2 and higher connectivity between the two customer sites (Oakland and Albany) by extending Layer 2 across an MPLS-enabled and routed core network. Routed means that IP traffic is switched at Layer 3 and not bridged across the core.

Figure 7-5. EoMPLS Case Study Topology
hostname SanFran
!
ip cef
mpls ip
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
ip address 192.168.1.102 255.255.255.255
!
interface Serial6/0
ip address 10.1.1.102 255.255.255.0
no ip directed-broadcast
mpls label protocol ldp
mpls ip
!
router ospf 100
log-adjacency-changes detail
network 0.0.0.0 255.255.255.255 area 0
_______________________________________________________________________
hostname Denver
!
ip subnet-zero
ip cef
mpls ip
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
ip address 192.168.1.101 255.255.255.255
no ip directed-broadcast
!
interface Serial5/0
ip address 10.1.2.101 255.255.255.0
no ip directed-broadcast
mpls label protocol ldp
mpls ip
!
interface Serial6/0
ip address 10.1.1.101 255.255.255.0
no ip directed-broadcast
mpls label protocol ldp
! tag-switching ip is the older IOS spelling of mpls ip
tag-switching ip
!
router ospf 100
log-adjacency-changes detail
network 0.0.0.0 255.255.255.255 area 0
_______________________________________________________________________
hostname NewYork
!
ip subnet-zero
ip cef
mpls ip
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
ip address 192.168.1.103 255.255.255.255
!
interface Serial5/0
ip address 10.1.2.103 255.255.255.0
mpls label protocol ldp
mpls ip
!
router ospf 100
log-adjacency-changes detail
network 0.0.0.0 255.255.255.255 area 0
Note

Normally, you would not use network 0.0.0.0 when configuring your OSPF statements. Here, it is used strictly in a practice lab environment.
At this point, you should verify that basic connectivity between the core devices works before moving on to specific EoMPLS configuration. Apply the following verification and troubleshooting principles to each router. For brevity, output for only one router is shown for each step.

Check that the routes are being received via an IGP, as shown in Example 7-4.

Example 7-4. show ip route ospf Command

SanFran#show ip route ospf
     10.0.0.0/24 is subnetted, 2 subnets
O       10.1.2.0 [110/128] via 10.1.1.101, 00:11:11, Serial6/0
     192.168.1.0/32 is subnetted, 3 subnets
O       192.168.1.101 [110/65] via 10.1.1.101, 00:11:11, Serial6/0
O       192.168.1.103 [110/129] via 10.1.1.101, 00:11:11, Serial6/0

Verify that the MPLS-enabled interfaces are operational; in other words, that MPLS is enabled on an interface, as in Example 7-5.

Example 7-5. show mpls interfaces Command

Denver#show mpls interfaces
Interface              IP            Tunnel   Operational
Serial5/0              Yes (ldp)     No       Yes
Serial6/0              Yes (ldp)     No       Yes

Ensure that the PE routers have discovered the P router via the show mpls ldp discovery command, as shown in Example 7-6.
NewYork#show mpls ldp neighbor
    Peer LDP Ident: 192.168.1.101:0; Local LDP Ident 192.168.1.103:0
        TCP connection: 192.168.1.101.646 - 192.168.1.103.11004
        State: Oper; Msgs sent/rcvd: 10/10; Downstream
        Up time: 00:02:00
        LDP discovery sources:
          Serial5/0, Src IP addr: 10.1.2.101
        Addresses bound to peer LDP Ident:
          10.1.2.101      192.168.1.101   10.1.1.101
Another way of verifying whether the label forwarding table is built correctly is to issue the show mpls forwarding-table and show mpls forwarding-table detail commands, as in Example 7-8.

Example 7-8. show mpls forwarding-table and show mpls forwarding-table detail Commands

SanFran#show mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     10.1.2.0/24       0          Se6/0      point2point
17     Pop tag     192.168.1.101/32  0          Se6/0      point2point
18     17          192.168.1.103/32  0          Se6/0      point2point
-----------------------------------------------------------
SanFran#show mpls forwarding-table detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     10.1.2.0/24       0          Se6/0      point2point
        MAC/Encaps=4/4, MRU=1504, Tag Stack{}
        0F008847
        No output feature configured
17     Pop tag     192.168.1.101/32  0          Se6/0      point2point
        MAC/Encaps=4/4, MRU=1504, Tag Stack{}
        0F008847
        No output feature configured
18     17          192.168.1.103/32  0          Se6/0      point2point
        MAC/Encaps=4/8, MRU=1500, Tag Stack{17}
        0F008847 00011000
        No output feature configured
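The checks in Examples 7-4 through 7-8 are the ones you repeat on every PE, and the failure that bites most often is the one the note above warns about: a PE loopback that is summarized or arrives Untagged, so no PE-to-PE LSP exists even though IP connectivity is fine. The following added example (not code from the book) parses the show mpls forwarding-table column layout of Example 7-8 and applies that rule. The sample table is constructed: it is SanFran's table from Example 7-8 with one extra Untagged /24 row added to stand in for a summarized route.

```python
"""Confirm a labeled path to a remote PE loopback from show mpls forwarding-table
(added example; parses the layout shown in Example 7-8)."""
import ipaddress
import re

# Columns: Local tag, Outgoing tag or VC, Prefix or Tunnel Id, Bytes switched,
# Outgoing interface, Next Hop.  Header lines do not start with a digit and are skipped.
ROW = re.compile(
    r"^(?P<local>\d+)\s+(?P<outgoing>Pop tag|Untagged|Aggregate|\d+)\s+"
    r"(?P<prefix>\S+)\s+(?P<bytes>\d+)\s+(?P<iface>\S+)\s+(?P<nexthop>\S+)\s*$"
)

# Constructed sample: Example 7-8 plus a 192.168.1.0/24 Untagged row that a
# summarized loopback range would produce.
SAMPLE = """\
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     10.1.2.0/24       0          Se6/0      point2point
17     Pop tag     192.168.1.101/32  0          Se6/0      point2point
18     17          192.168.1.103/32  0          Se6/0      point2point
19     Untagged    192.168.1.0/24    0          Se6/0      point2point
"""


def parse_forwarding_table(text: str) -> list:
    """Return one dict per forwarding entry; tunnel-ID rows are kept as-is."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def lsp_to_pe(text: str, pe_loopback: str) -> tuple:
    """(ok, reason): is there a labeled /32 path to the given PE loopback?"""
    target = ipaddress.ip_address(pe_loopback)
    exact = None
    covering = []
    for row in parse_forwarding_table(text):
        try:
            net = ipaddress.ip_network(row["prefix"], strict=False)
        except ValueError:
            continue  # not a prefix (for example a TE tunnel ID)
        if target not in net:
            continue
        if net.prefixlen == 32:
            exact = row
        else:
            covering.append(row)
    if exact is None:
        if covering:
            return False, (f"{pe_loopback} is only covered by {covering[0]['prefix']}: "
                           "PE loopback is summarized, no PE-to-PE LSP")
        return False, f"{pe_loopback} is not in the forwarding table"
    if exact["outgoing"] == "Untagged":
        return False, f"{pe_loopback}/32 is present but Untagged (no label from next hop)"
    # "Pop tag" is fine: it means the next hop is the PE itself (implicit null).
    return True, (f"{pe_loopback}/32 via {exact['iface']}, "
                  f"outgoing label {exact['outgoing']}")


if __name__ == "__main__":
    for pe in ("192.168.1.103", "192.168.1.101", "192.168.1.105"):
        print(lsp_to_pe(SAMPLE, pe))
```

Run it against the output of each PE with the other PE's loopback as the target; a False result before you configure xconnect saves a round of debugging AToM signaling for a problem that sits in the IGP.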
You are now ready to begin the specialized EoMPLS case studies. They are as follows:

Case Study 7-3: VLAN Rewrite
Case Study 7-4: Switch to Switch VLAN Based
Case Study 7-7: Map to Pseudowire

Case Study 7-1: Router to Router Port Based
In this case study, you build on the preconfigured portion of the service provider core routers by using the topology presented in Figure 7-5. Your objective is to transport all customer traffic without utilizing 802.1q. In this case, the CE devices are routers. You explore the CE switches scenario in Case Study 7-5, later in this chapter.

The port transparency feature is designed for Ethernet port-to-port transport, where the entire Ethernet frame without the preamble or FCS is transported as a single packet based on VC type 5.
interface Ethernet0/0
description to Albany
xconnect 192.168.1.102 100 encapsulation mpls
!
Verifying and Troubleshooting Port Transparency Operation

You can take several steps to ensure that your configuration is complete. First, you might want to check the status of the VCs by issuing the show mpls l2transport vc command. Example 7-10 shows that VC 100 is up on both SanFran and NewYork.

To check the VC type, you can turn on debugging with the debug mpls l2transport signaling message command. Try using it immediately followed by the interface xconnect command. Your output should match that in Example 7-12.
Example 7-12. debug mpls l2transport signaling message Command

SanFran#debug mpls l2transport signaling message
AToM LDP message debugging is on
SanFran(config)#int e 0/0
SanFran(config-if)#xconnect 192.168.1.103 100 encapsulation mpls
00:29:01: %LDP-5-NBRCHG: LDP Neighbor 192.168.1.103:0 is UP
00:29:01: AToM LDP [192.168.1.103]: Sending label mapping msg
  vc type 5, cbit 1, vc id 100, group id 0, vc label 19, status 0, mtu 1500
00:29:01: AToM LDP [192.168.1.103]: Received label mapping msg, id 100
  vc type 5, cbit 1, vc id 100, group id 0, vc label 19, status 0, mtu 1500
00:29:02: %SYS-5-CONFIG_I: Configured from console by console
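The two "vc type ..., mtu ..." lines in Example 7-12 are the whole pseudowire negotiation, and they are where a VC that stays down is usually explained. This added example (not code from the book) parses those debug lines and compares the sent and received mapping against the setup rules of the AToM signaling the chapter uses (RFC 4447): both ends must advertise the same VC type, VC ID and MTU, and a control word disagreement forces renegotiation, so it is reported as a problem here. The capture strings are constructed from Example 7-12; the second one changes only the remote MTU to 1504 to show the mismatch case.

```python
"""Evaluate AToM label mapping messages from debug mpls l2transport signaling message
(added example; the debug line format is the one shown in Example 7-12)."""
import re

MAPPING = re.compile(
    r"vc type (?P<vc_type>\d+), cbit (?P<cbit>[01]), vc id (?P<vc_id>\d+), "
    r"group id (?P<group_id>\d+), vc label (?P<vc_label>\d+), "
    r"status (?P<status>\d+), mtu (?P<mtu>\d+)"
)

# VC types used in this chapter (PW type values from the AToM/RFC 4447 registry).
VC_TYPES = {4: "Ethernet VLAN", 5: "Ethernet port"}


def parse_mapping(line: str) -> dict:
    """Turn one 'vc type ..., mtu ...' debug line into integer fields."""
    m = MAPPING.search(line)
    if not m:
        raise ValueError(f"not a label mapping line: {line!r}")
    return {k: int(v) for k, v in m.groupdict().items()}


def vc_will_come_up(sent: dict, received: dict) -> tuple:
    """(ok, problems): apply the setup rules to a sent/received mapping pair."""
    problems = []
    for field in ("vc_type", "vc_id", "mtu"):
        if sent[field] != received[field]:
            problems.append(f"{field} mismatch: local {sent[field]}, remote {received[field]}")
    if sent["cbit"] != received["cbit"]:
        problems.append("control word disagreement: local cbit "
                        f"{sent['cbit']}, remote cbit {received['cbit']}")
    return not problems, problems


def check_debug(debug_text: str) -> tuple:
    """Find the Sending and Received mapping lines in a capture and evaluate them."""
    sent = received = None
    lines = debug_text.splitlines()
    for i, line in enumerate(lines):
        if "Sending label mapping msg" in line:
            sent = parse_mapping(lines[i + 1])      # fields follow on the next line
        elif "Received label mapping msg" in line:
            received = parse_mapping(lines[i + 1])
    if sent is None or received is None:
        raise ValueError("need both a Sending and a Received label mapping message")
    return vc_will_come_up(sent, received)


# Constructed capture: the two messages from Example 7-12.
DEBUG_OK = """\
00:29:01: AToM LDP [192.168.1.103]: Sending label mapping msg
  vc type 5, cbit 1, vc id 100, group id 0, vc label 19, status 0, mtu 1500
00:29:01: AToM LDP [192.168.1.103]: Received label mapping msg, id 100
  vc type 5, cbit 1, vc id 100, group id 0, vc label 19, status 0, mtu 1500
"""

# Constructed: same exchange, but the remote attachment circuit has MTU 1504.
DEBUG_MTU_MISMATCH = """\
00:29:01: AToM LDP [192.168.1.103]: Sending label mapping msg
  vc type 5, cbit 1, vc id 100, group id 0, vc label 19, status 0, mtu 1500
00:29:01: AToM LDP [192.168.1.103]: Received label mapping msg, id 100
  vc type 5, cbit 1, vc id 100, group id 0, vc label 19, status 0, mtu 1504
"""

if __name__ == "__main__":
    print(check_debug(DEBUG_OK))
    print(check_debug(DEBUG_MTU_MISMATCH))
```

The MTU field is the attachment circuit MTU, not the core MTU from Table 7-3; the two PEs must agree on it even when the core links are already sized correctly.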
Example 7-13 (show arp output; only the trailing columns survived extraction)

Age (min): 0
Hardware Addr: 00D0.0c00.6c00, 00D0.0c00.6f00
Type: ARPA, ARPA
Interface: Ethernet0/0, Ethernet0/0

Note

In Example 7-13, notice the difference between the first and the second time that the show arp command is used.
This case study explains how to enable MPLS to transport Layer 2 VLAN packets between the two customer sites. The configuration is based on the topology from Figure 7-6.

interface FastEthernet0/0.100
encapsulation dot1Q 100
xconnect 192.168.1.103 100 encapsulation mpls
!
-----------------------------------------------------------------------
hostname NewYork
!
interface FastEthernet0/0
!
interface FastEthernet0/0.100
encapsulation dot1Q 100
no ip directed-broadcast
no cdp enable
xconnect 192.168.1.102 100 encapsulation mpls
!
-----------------------------------------------------------------------
interface Ethernet0/0.100
encapsulation dot1Q 100
ip address 192.168.100.2 255.255.255.0
no ip directed-broadcast
Verifying and Troubleshooting the Configuration

To ensure the validity of your configuration, you can use the same techniques as in Case Study 7-1. For instance, issue show mpls l2transport vc on one of the PE routers to check the status of the VC, as shown in Example 7-16. Note the subinterface in the Local intf column.

The show mpls l2transport vc 100 detail command output from Example 7-17 presents the .100 numbered subinterface, in addition to the Eth VLAN 100 up, indicating the use of VLAN-based EoMPLS. Compare it to Ethernet up from the same command's output for the port-based EoMPLS used in Case Study 7-1.

Example 7-17. show mpls l2transport vc 100 detail Command
SanFran#show mpls l2transport vc 100 detail
Local interface: Et0/0.100 up, line protocol up, Eth VLAN 100 up
  Destination address: 192.168.1.103, VC ID: 100, VC status: up
    Preferred path: not configured
    Default path: active
    Tunnel label: 17, next hop point2point
    Output interface: Se6/0, imposed label stack {17 16}
  Create time: 00:00:57, last status change time: 00:00:20
  Signaling protocol: LDP, peer 192.168.1.103:0 up
    MPLS VC labels: local 16, remote 16
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description:
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 3, send 3
    byte totals:   receive 1627, send 1628
    packet drops:  receive 0, send 0

The show mpls forwarding-table command in Example 7-18 shows label 16 advertised to the remote PE and used in disposition.

Example 7-19. Configuring CE Routers
hostname Albany
!
interface Ethernet0/0
!
interface Ethernet0/0.100
encapsulation dot1Q 100
ip address 192.168.100.2 255.255.255.0
no ip directed-broadcast
_______________________________________________________________________
hostname Oakland
!
interface Ethernet0/0
!
interface Ethernet0/0.200
encapsulation dot1Q 200
ip address 192.168.100.1 255.255.255.0
On the PE side, reconfigure the VLAN ID for the subinterface to match that of its neighboring CE. According to the topology used in this case study, you do not need to change the VLAN ID on NewYork from your previous configuration because the VLAN ID for Albany remains 100. However, you need to reset the ID for SanFran to 200 to equal Oakland's new ID. As previously mentioned, the vcid values of both PEs need to be the same. Therefore, they remain 100 in the xconnect command, which rewrites VLAN 200 to VLAN 100 at the far end to meet the requirement. The PE configuration is illustrated in Example 7-20.

Example 7-20. PE Configuration
hostname SanFran
!
! Output omitted for brevity
!
interface Ethernet0/0
!
interface Ethernet0/0.200
encapsulation dot1Q 200
xconnect 192.168.1.103 100 encapsulation mpls
-----------------------------------------------------------------------
hostname NewYork
!
! Output omitted for brevity
!
interface Ethernet0/0
!
interface Ethernet0/0.100
encapsulation dot1Q 100
xconnect 192.168.1.102 100 encapsulation mpls
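The VLAN rewrite in this case study is the "VLAN ID is rewritten (if needed)" step of the disposition process described earlier in the chapter (LFIB lookup on the VC label, pop, rewrite, transmit). The following added example, which is not code from the book, walks one tagged frame from Albany through NewYork (imposition), Denver (penultimate hop pop) and SanFran (disposition with rewrite to VLAN 200). It builds the packet layout the chapter describes (tunnel label, VC label at bottom of stack, 4-byte control word, Ethernet frame without preamble or FCS) and models SanFran's LFIB as a dict from VC label to (outgoing interface, local VLAN ID). The VC label 16 and interface Et0/0.200 come from Examples 7-17 and 7-20; the tunnel label value, MAC addresses and payload are made up for the walkthrough.

```python
"""EoMPLS imposition, penultimate hop pop, and disposition with VLAN rewrite
(added example, constructed packet; labels and interfaces follow Case Study 7-3)."""
import struct
from typing import Optional

ETHERTYPE_8021Q = b"\x81\x00"


def encode_lse(label: int, exp: int = 0, bos: bool = False, ttl: int = 255) -> bytes:
    """One 32-bit MPLS label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    if not 0 <= label < 1 << 20:
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)


def decode_lse(data: bytes) -> tuple:
    v, = struct.unpack("!I", data[:4])
    return v >> 12, (v >> 9) & 0x7, bool((v >> 8) & 1), v & 0xFF


def dot1q_frame(dst: bytes, src: bytes, vlan_id: int, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame with an 802.1Q tag; no preamble and no FCS, as carried by EoMPLS."""
    tci = vlan_id & 0x0FFF  # PCP and DEI left at zero
    return dst + src + ETHERTYPE_8021Q + struct.pack("!HH", tci, ethertype) + payload


def vlan_id_of(frame: bytes) -> Optional[int]:
    if frame[12:14] != ETHERTYPE_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def impose(frame: bytes, tunnel_label: int, vc_label: int, control_word: bool = True) -> bytes:
    """Ingress PE: VC label goes on first (bottom of stack), tunnel label on top."""
    cw = b"\x00\x00\x00\x00" if control_word else b""  # control word, flags and sequence zero
    return encode_lse(tunnel_label) + encode_lse(vc_label, bos=True) + cw + frame


def penultimate_hop_pop(packet: bytes) -> bytes:
    """P router: the egress PE advertised implicit null for its /32, so pop the tunnel label."""
    _, _, bos, _ = decode_lse(packet)
    if bos:
        raise ValueError("only one label present; nothing to pop before the egress PE")
    return packet[4:]


def dispose(packet: bytes, lfib: dict, control_word: bool = True) -> tuple:
    """Egress PE: LFIB lookup on the VC label, pop it, rewrite the VLAN ID, forward."""
    label, _, bos, _ = decode_lse(packet)
    if not bos:
        raise ValueError(f"label {label} is not bottom of stack; tunnel label was not popped")
    if label not in lfib:
        raise KeyError(f"no LFIB entry for VC label {label}; drop")
    out_if, local_vlan = lfib[label]
    frame = packet[4 + (4 if control_word else 0):]
    if local_vlan is not None and vlan_id_of(frame) is not None:
        tci, = struct.unpack("!H", frame[14:16])
        # keep PCP/DEI, replace the 12-bit VLAN ID with the local one
        frame = frame[:14] + struct.pack("!H", (tci & 0xF000) | (local_vlan & 0x0FFF)) + frame[16:]
    return out_if, frame


def albany_to_oakland() -> tuple:
    """Walk one frame through NewYork (impose), Denver (PHP) and SanFran (dispose)."""
    frame = dot1q_frame(b"\x00\xd0\x0c\x00\x6c\x00", b"\x00\xd0\x0c\x00\x6f\x00",
                        vlan_id=100, ethertype=0x0800, payload=b"constructed IP payload")
    packet = impose(frame, tunnel_label=17, vc_label=16)
    packet = penultimate_hop_pop(packet)
    # SanFran's LFIB: VC label 16 is bound to Et0/0.200, whose local VLAN is 200
    return dispose(packet, {16: ("Et0/0.200", 200)})


if __name__ == "__main__":
    out_if, frame = albany_to_oakland()
    print(out_if, "VLAN", vlan_id_of(frame), frame.hex())
```

Two properties of the real behavior are enforced rather than assumed: the VC label must be bottom of stack when it reaches the egress PE (if the P router did not pop the tunnel label, disposition fails rather than silently misreading the frame), and an unknown VC label is dropped because no intermediate hop, and no PE without a binding, has an entry for it.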
The issue of VLAN mismatch is not as simple when switches are concerned. This is discussed further in Case Study 7-6.

Case Study 7-4: Switch to Switch VLAN Based

In this case study, the topology differs from the rest in that both PE and CE devices are switches instead of routers. The PEs are 7600 routers with gigabit WAN interfaces facing the MPLS core. Both CE switches connect to the PEs via 802.1q trunks.

The new topology is presented in Figure 7-8.
Now you can configure specific tasks for this case study.

Assume that SanFran is a SUP2-based system. Follow these steps to configure SanFran for EoMPLS:

Step 1. Configure a VLAN ID or VLAN range with the vlan {vlan-id | vlan-range} global command. Activate the VLAN with the state active command.

Step 2. Configure the physical port facing the CE for switching by issuing the switchport interface command.

Step 3. Set the trunk encapsulation to dot1Q when the interface is in trunking mode with the switchport trunk encapsulation dot1q command.

Step 4. Change the allowed list for the specified VLANs via the switchport trunk allowed vlan list command.

Step 5. Specify a trunking VLAN Layer 2 interface with the switchport mode trunk interface command.

Step 6. Create a VLAN interface with the interface vlan vlan-id command.

Step 7. Specify the VC for transporting the Layer 2 VLAN packets via the mpls l2transport route destination vc-id command.

Example 7-22 demonstrates the configuration added by following the preceding steps.

Example 7-22. SanFran Additional Configuration for SUP-2
hostname SanFran
!
vlan 100
state active
!
interface GigabitEthernet1/4
no ip address
switchport
The following set of steps applies EoMPLS on the SUP720-3BXL-based system for the NewYork PE:
Step 1. Specify the Gigabit Ethernet subinterface with the interface gigabitethernet slot/interface.subinterface command. Make sure the subinterface on the adjoining CE switch is on the same VLAN as this PE switch.
Step 2. Enable the subinterface to accept 802.1q VLAN packets via the encapsulation dot1q vlan-id command. The subinterfaces between the CE switches that are running EoMPLS should be in the same subnet.
Step 3. Bind the attachment circuit to a pseudowire VC with the xconnect command.

Example 7-23 demonstrates the SUP720 configuration, as discussed in the preceding steps.

Example 7-23. NewYork's Additional Configuration for SUP-720
!
hostname NewYork
!
vtp mode transparent
!
interface GigabitEthernet2/4
 no ip address
 no shut
!
interface GigabitEthernet2/4.1
 encapsulation dot1Q 100
 xconnect 192.168.1.102 100 encapsulation mpls
 no shut
!
hostname Oakland
!
interface GigabitEthernet1/0
 negotiation auto
 no cdp enable
 no shut
!
interface GigabitEthernet1/0.100
 encapsulation dot1Q 100
 ip address 192.168.100.1 255.255.255.0
 no cdp enable
 no shut
!
_____________________________________________________________________
hostname Albany
!
interface GigabitEthernet4/0
 negotiation auto
 no cdp enable
 no shut
!
interface GigabitEthernet4/0.100
 encapsulation dot1Q 100
 ip address 192.168.100.2 255.255.255.0
 no ip directed-broadcast
 no cdp enable
 no shut
!
The show mpls ldp discovery and show mpls ldp neighbor commands (as described earlier in the opening paragraphs of the "Case Studies" section of this chapter), in addition to the show mpls forwarding-table command, are useful. Although the show mpls forwarding-table command was already displayed in Examples 7-6 and 7-16 of this chapter, what makes it different now is the line highlighted in Example 7-26 showing the Layer 2 circuit (VLAN) configured in this case study.

SanFran#show mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
! Output omitted for brevity
       Untagged    l2ckt(100)        133093     Vl100      point2point
You can check the status of your VCs by issuing the show mpls l2transport vc command. Note the difference in the output of the show mpls l2transport vc command between Example 7-16 (earlier in this chapter) and Example 7-27. The local intf portion that showed Et0/0.100 before now shows VLAN 100.

Example 7-27. show mpls l2transport vc Command
SanFran#show mpls l2transport vc
Local intf     Local circuit     Dest address     VC ID     Status
-------------  ----------------  ---------------  --------  ------
Vl100          Eth VLAN 100      192.168.1.103    100       UP
In this case study, you learn how to configure port-based EoMPLS in the switch-based environment. As in the preceding case study, SanFran is a supervisor engine 2-based system and NewYork is a SUP720-3BXL-based system. The configuration presented in this case study supports both QinQ and native Ethernet traffic. Figure 7-9 shows the topology for this case study.

Figure 7-9. Switch to Switch Port-Based Topology

Note
You could allow for port-based EoMPLS without 802.1q support. This would include all basic configuration and exclude all the dot1Q-related tasks. Because this is a simpler approach with the same basic configuration, it does not warrant its own case study in this book.
Configuring Port-Based EoMPLS on the SanFran Switch

To set up the SanFran SUP2-based system for port-based EoMPLS with QinQ support, follow these steps:
Step 1. Enter the VLAN ID with the vlan {vlan_id | vlan_range} command.
Step 2. Enable dot1Q tagging for all VLANs in a trunk via the vlan dot1q tag native command.
Step 3. Configure the physical port facing the CE for switching by using the switchport interface command.
Step 4. Set the trunking mode to tunneling with the switchport mode dot1q-tunnel interface command.
Step 5. Specify a VLAN whose traffic will be accepted by the port through the switchport access vlan vlan_id command.
Step 6. Configure bridge protocol data unit (BPDU) filtering on an interface with the spanning-tree bpdufilter enable command to prevent a port from sending and receiving BPDUs to protect the provider's side from potential spanning-tree attacks.
Step 7. Specify the VC to transport the VLAN traffic with the mpls l2transport route destination vc_id command.
Example 7-29 demonstrates the SanFran EoMPLS port-based configuration for transporting QinQ traffic.

hostname SanFran
!
vlan 100
!
vlan dot1q tag native
!
interface GigabitEthernet1/4
 no ip address
 switchport
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport mode dot1q-tunnel
 no cdp enable
 spanning-tree bpdufilter enable
 no shut
!
interface Vlan100
 no ip address
 no ip mroute-cache
 mpls l2transport route 192.168.1.103 100
 no shut
!

interface GigabitEthernet2/4
 no ip address
 xconnect 192.168.1.102 100 encapsulation mpls
 no shut
!
CE switches do not require special configuration. You have the choice of enabling or forgoing dot1Q on the CEs. You can review Example 7-24 from the preceding case study for Oakland and Albany's settings.

To verify your configuration, use the techniques described in Case Study 7-4. In the outputs of these commands, you will not find specifics that indicate the difference between VLAN and port modes. However, you will see whether your configuration is working.
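Because the verification commands do not distinguish VLAN mode from port mode, a configuration-side check is the place to catch the two mistakes this case study guards against: a customer-facing dot1q-tunnel port left without BPDU filtering (Step 6) or with CDP still on, and a VC ID that differs between the two PEs. The following is an added example, not tooling from the book or from Cisco; it parses the Example 7-29 SanFran configuration and the NewYork fragment printed after it, plus a constructed WEAK_CONFIG variant (invented here) that omits the protections and mistypes the VC ID.

```python
import re

# Constructed from the Example 7-29 SanFran configuration (added example).
SANFRAN_CONFIG = """\
hostname SanFran
!
vlan 100
!
vlan dot1q tag native
!
interface GigabitEthernet1/4
 no ip address
 switchport
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport mode dot1q-tunnel
 no cdp enable
 spanning-tree bpdufilter enable
 no shut
!
interface Vlan100
 no ip address
 no ip mroute-cache
 mpls l2transport route 192.168.1.103 100
 no shut
!
"""

# Constructed from the NewYork fragment that follows Example 7-29.
NEWYORK_CONFIG = """\
hostname NewYork
!
interface GigabitEthernet2/4
 no ip address
 xconnect 192.168.1.102 100 encapsulation mpls
 no shut
!
"""

# Invented variant: BPDU filter and CDP steps skipped, VC ID mistyped as 101.
WEAK_CONFIG = """\
hostname SanFran
!
interface GigabitEthernet1/4
 switchport
 switchport access vlan 100
 switchport mode dot1q-tunnel
 no shut
!
interface Vlan100
 mpls l2transport route 192.168.1.103 101
!
"""

_ROUTE = re.compile(r"mpls l2transport route (\S+) (\d+)")
_XCONNECT = re.compile(r"xconnect (\S+) (\d+) encapsulation mpls")


def parse_interfaces(config):
    """Return {interface name: [its indented lines]} from an IOS-style config."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None  # a bare '!' ends the interface stanza
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces


def lint_tunnel_ports(config):
    """Flag dot1q-tunnel (QinQ) ports missing the protections from Steps 4 to 6.

    Returns a list of (interface, finding); an empty list means every tunnel
    port filters BPDUs and has CDP turned off toward the customer.
    """
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode dot1q-tunnel" not in lines:
            continue
        if "spanning-tree bpdufilter enable" not in lines:
            findings.append((name, "missing spanning-tree bpdufilter enable"))
        if "no cdp enable" not in lines:
            findings.append((name, "cdp still enabled on customer-facing port"))
    return findings


def pseudowires(config):
    """Return the set of (peer, vc_id) declared by mpls l2transport route or xconnect."""
    found = set()
    for lines in parse_interfaces(config).values():
        for line in lines:
            m = _ROUTE.match(line) or _XCONNECT.match(line)
            if m:
                found.add((m.group(1), int(m.group(2))))
    return found


def unmatched_vc_ids(cfg_a, cfg_b):
    """VC IDs present on only one PE; both ends of a pseudowire must agree."""
    ids_a = {vc for _, vc in pseudowires(cfg_a)}
    ids_b = {vc for _, vc in pseudowires(cfg_b)}
    return ids_a ^ ids_b
```

Running lint_tunnel_ports over the book's SanFran configuration returns no findings, while the weak variant reports both the missing BPDU filter and the live CDP on GigabitEthernet1/4, and unmatched_vc_ids against the NewYork fragment exposes the 100/101 disagreement that would otherwise show up only as a VC that never comes up.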
Case Study 7-6: VLAN Rewrite in Cisco 12000 Series Routers

Figure 7-10. VLAN ID Rewrite Topology
When you are configuring the VLAN rewrite on the Cisco 12000 series platforms, keep in mind that because of the difference in functionality, additional configuration might be required if the ends of the EoMPLS connections are not provisioned with the same line cards. Some examples of the difference in system flow between different line cards with VLAN rewrite are outlined next:
For example, when a 4-port Gigabit Ethernet line card is used, traffic flows from VLAN 100 on Oakland to VLAN 200 on Albany. As the frame reaches the edge-facing line card of NewYork, the VLAN ID in the dot1Q header changes to the VLAN ID that is assigned to VLAN 200. This is because the 4-port Gigabit Ethernet line card performs a VLAN ID rewrite on the disposition side.

When a 3-port Gigabit Ethernet line card is used, traffic flows from VLAN 100 on Oakland to VLAN 200 on Albany. But, unlike the preceding example, as the frame reaches the edge-facing line card of SanFran, the VLAN ID in the dot1Q header changes to the VLAN ID that is assigned to VLAN 200. This is because the 3-port Gigabit Ethernet line card performs VLAN ID rewrite on the imposition side.
To configure VLAN rewrite on the PEs with the 3-port Gigabit Ethernet line card scenario, follow these steps:
Step 1. Specify the Gigabit Ethernet subinterface. Ensure that the subinterface on the adjoining CE router is on the same VLAN.
Step 2. Enable the subinterface to accept 802.1q VLAN packets with the encapsulation dot1q vlan_id command.
Step 3. Bind the attachment circuit to a pseudowire VC with the xconnect command.
Step 4. Enable the use of VLAN interfaces with different VLAN IDs at both ends of the tunnel via the

Example 7-31 shows the VLAN rewrite configuration on SanFran and NewYork.

to the line card. Example 7-32 shows the output of the command on SanFran and NewYork.
SanFran
tag_rew_ptr        = D001BB58
Leaf entry?        = 1
FCR index          = 20
**tagrew_psa_addr  = 0006ED60
**tagrew_vir_addr  = 7006ED60
**tagrew_phy_addr  = F006ED60
[0-7] loq 8800 mtu 4458 oq 4000 ai 3 oi 04019110 (encaps size 4)
cw-size 4 vlanid-rew 200
gather A30 (bufhdr size 32 EoMPLS (Control Word) Imposition profile 81)
2 tag: 18 18
counters 1182, 10 reported 1182, 10.
Local OutputQ (Unicast): Slot:2 Port:0 RED queue:0 COS queue:0
Output Q (Unicast): Port:0 RED queue:0 COS queue:0
_______________________________________________________________________________
NewYork
LC-CON0#show controllers eompls forwarding-table 0 200
Port # 0, VLAN-ID # 200, Table-index 200
EoMPLS configured: 1
tag_rew_ptr        = D0027B90
Leaf entry?        = 1
FCR index          = 20
**tagrew_psa_addr  = 0009EE40
**tagrew_vir_addr  = 7009EE40
**tagrew_phy_addr  = F009EE40
[0-7] loq 9400 mtu 4458 oq 4000 ai 28 oi 84000002 (encaps size 4)
cw-size 4 vlanid-rew 100
gather A30 (bufhdr size 32 EoMPLS (Control Word) Imposition profile 81)
2 tag: 17 18
counters 1182, 10 reported 1182, 10.
Local OutputQ (Unicast): Slot:5 Port:0 RED queue:0 COS queue:0
Output Q (Unicast): Port:0 RED queue:0 COS queue:0
Note
Other platforms that do not require manual configuration do not provide VLAN ID rewrite information in their output.

scenario, Port VLAN ID (PVID) inconsistency stems from the Per VLAN Spanning Tree + (PVST+) BPDU being received on a different VLAN than it was originated. Therefore, when the trunk port on Oakland receives a PVST+ BPDU from Albany's STP of VLAN 200 with a tag of VLAN 200, you get an error message as soon as the circuit comes up:

To unblock the interface, change the VLAN IDs on the CEs so that they match. When this is not possible and VLAN ID rewrite is required, you must turn off the STP. This alternative opens a door to bridging loops; therefore, you should use it with extreme caution.
For EoMPLS configuration, you might choose to configure a pseudowire class template that consists of configuration settings used by all attachment circuits that are bound to the class. Pseudowire was introduced in Chapters 2, "Pseudowire Emulation Framework and Standards," and 6 and is discussed in further detail in the advanced configuration case studies of Chapter 9, "Advanced AToM Case Studies."

Example 7-33 shows configuration of the VC 100 in Ethernet port mode.
VC statistics:
  packet totals: receive 0, send 0
  byte totals:   receive 0, send 0
  packet drops:  receive 0, send 78

Table 7-4 describes some of the significant fields of the show mpls l2transport vc detail command output.

Field                Description
Destination address
VC ID
MTU
Sequencing
Verify to make sure that the MTU on each side is the same. If an EoMPLS tunnel is still down after this and you cannot pass traffic, perform another check by issuing the show mpls forwarding-table command, as demonstrated in Example 7-36.

Example 7-36. show mpls forwarding-table Command
NewYork#show mpls forwarding-table
Local  Outgoing    Prefix              Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id        switched   interface
17     Untagged    10.1.1.0/24         0          Se5/0      point2point
18     Untagged    192.168.1.101/32    0          Se5/0      point2point
19     Untagged    192.168.1.102/32    0          Se5/0      point2point
20     Untagged    l2ckt(100)          4592       Et0/0.100  point2point
Examples 7-38 and 7-39 display the output of the show mpls l2transport vc vcid detail command with the two conditions, respectively.

Example 7-38. Remote Port Down or Not Configured
NewYork#show mpls l2transport vc 10 detail
Local interface: FastEternet0/0.10 up, line protocol up, Eth VLAN 10 up
  Destination address: 192.168.1.102, VC ID: 10, VC status: down
    Tunnel label: not ready
    Output interface: unknown, imposed label stack {}
  Create time: 22:31:53, last status change time: 04:02:56
  Signaling protocol: LDP, peer 192.168.1.102:0 up
    MPLS VC labels: local 19, remote unassigned
    Group ID: local 0, remote unknown
    MTU: local 1500, remote unknown
    Remote interface description:
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 1650, send 1743
    byte totals:   receive 552557, send 550044
    packet drops:  receive 0, send 7
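The two checks the text asks for on a down VC, a remote label that is still unassigned (Example 7-38) and an MTU that differs between the two ends, can be pulled out of the show mpls l2transport vc detail text mechanically. The following is an added example, not from the book: it parses the Example 7-38 output verbatim and two constructed counterparts (a healthy VC and an MTU mismatch, with values invented here) and reports why a VC is not up.

```python
import re

# Constructed from the Example 7-38 output (remote port down or not configured).
VC_DETAIL_DOWN = """\
Local interface: FastEternet0/0.10 up, line protocol up, Eth VLAN 10 up
  Destination address: 192.168.1.102, VC ID: 10, VC status: down
    Tunnel label: not ready
    Output interface: unknown, imposed label stack {}
  Signaling protocol: LDP, peer 192.168.1.102:0 up
    MPLS VC labels: local 19, remote unassigned
    Group ID: local 0, remote unknown
    MTU: local 1500, remote unknown
  Sequencing: receive disabled, send disabled
"""

# Invented healthy counterpart; labels and MTU values are assumptions.
VC_DETAIL_UP = """\
Local interface: Et0/0 up, line protocol up, Ethernet up
  Destination address: 192.168.1.102, VC ID: 100, VC status: up
  Signaling protocol: LDP, peer 192.168.1.102:0 up
    MPLS VC labels: local 16, remote 16
    MTU: local 1500, remote 1500
"""

# Invented MTU mismatch: both ends signal a label but the VC stays down.
VC_DETAIL_MTU = """\
  Destination address: 192.168.1.102, VC ID: 100, VC status: down
  Signaling protocol: LDP, peer 192.168.1.102:0 up
    MPLS VC labels: local 16, remote 17
    MTU: local 1500, remote 9000
"""


def parse_vc_detail(text):
    """Extract the fields that decide VC health from one VC's detail block."""
    fields = {}
    m = re.search(r"Destination address: (\S+), VC ID: (\d+), VC status: (\w+)", text)
    if m:
        fields.update(peer=m.group(1), vc_id=int(m.group(2)), status=m.group(3))
    m = re.search(r"Signaling protocol: (\w+), peer (\S+) (\w+)", text)
    if m:
        fields.update(protocol=m.group(1), peer_session=m.group(3))
    m = re.search(r"MPLS VC labels: local (\S+), remote (\S+)", text)
    if m:
        fields.update(local_label=m.group(1), remote_label=m.group(2))
    m = re.search(r"MTU: local (\S+), remote (\S+)", text)
    if m:
        fields.update(local_mtu=m.group(1), remote_mtu=m.group(2))
    return fields


def diagnose(text):
    """Return a list of reasons a VC is down; empty when the VC is up."""
    f = parse_vc_detail(text)
    if f.get("status") == "up":
        return []
    problems = []
    if f.get("peer_session") != "up":
        problems.append("LDP session to peer not up")
    if f.get("remote_label") == "unassigned":
        # The peer never advertised a VC label: its attachment circuit is
        # down or the VC is not configured on that end (Example 7-38 case).
        problems.append("remote VC label unassigned: far end AC down or VC not configured")
    local_mtu, remote_mtu = f.get("local_mtu"), f.get("remote_mtu")
    if local_mtu and remote_mtu and remote_mtu != "unknown" and local_mtu != remote_mtu:
        # AToM refuses to bring a VC up when the signaled MTUs disagree.
        problems.append(f"MTU mismatch: local {local_mtu}, remote {remote_mtu}")
    return problems
```

The MTU comparison deliberately skips a remote value of unknown: until the peer has signaled anything there is no mismatch to report, only the missing label, which is what the Example 7-38 output comes back with.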
    packet drops:  receive 0, send 7

Example 7-41 presents the verification and configuration sequence of enabling MPLS on the Serial 5/0 interface.

    192.168.1.103:0
    Discovery Sources:
    Interfaces:
        Serial5/0 (ldp): xmit/recv
            LDP Id: 192.168.1.101:0
    Targeted Hellos:
        192.168.1.103 -> 192.168.1.102 (ldp): active/passive, xmit/recv
            LDP Id: 192.168.1.102:0

Example 7-44 shows that the VC is now ready and operational and should be able to send traffic from CE to CE.
NewYork#show mpls l2transport vc
Local intf     Local circuit           Dest address     VC ID      Status
-------------  ----------------------  ---------------  ---------  ---------
Et0/0          Ethernet                192.168.1.102    100        UP

Verify with the show mpls l2transport vc detail command output (shown in Example 7-45) that the packets are being sent and received.
NewYork#debug mpls l2transport signaling message
NewYork(config)#interface ethernet 0/1.100
NewYork(config-subif)#shutdown
00:19:51: AToM LDP [192.168.1.102]: Sending label withdraw msg
          vc type 4, cbit 1, vc id 100, group id 0, vc label 20, status 0, mtu 1500
00:19:51: AToM LDP [192.168.1.102]: Received label release msg, id 78
          vc type 4, cbit 1, vc id 100, group id 0, vc label 20, status 0, mtu 0
NewYork(config-subif)#no shutdown
00:21:56: AToM LDP [192.168.1.102]: Sending label mapping msg
          vc type 4, cbit 1, vc id 100, group id 0, vc label 20, status 0, mtu 1500

In troubleshooting the port-based EoMPLS operation, look for VC type 5 in the debug mpls l2transport signaling message command output, as shown in Example 7-47.
NewYork#debug mpls l2transport signaling message
AToM LDP message debugging is on
!
NewYork(config)#interface ethernet 0/0
NewYork(config-if)#shutdown
00:08:39: AToM LDP [192.168.1.102]: Sending label withdraw msg
          vc type 5, cbit 1, vc id 100, group id 0, vc label 16, status 0, mtu 1500
00:08:39: AToM LDP [192.168.1.102]: Received label release msg, id 34
          vc type 5, cbit 1, vc id 100, group id 0, vc label 16, status 0, mtu 0
00:08:41: %LINK-5-CHANGED: Interface Ethernet0/0, changed state to administratively down
NewYork(config-if)#no shutdown
00:08:42: AToM LDP [192.168.1.102]: Sending label mapping msg
          vc type 5, cbit 1, vc id 100, group id 0, vc label 20, status 0, mtu 1500
00:08:44: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
00:08:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up

Another helpful command is debug acircuit event for information on all attachment circuits, as illustrated in Example 7-48.
acmgr_circuit_up
00:12:59: ACLIB [192.168.1.102, 100]: Setting new AC state to Ac-Connecting
00:12:59: ACLIB: Update switching plane with circuit UP status
00:12:59: ACLIB [192.168.1.102, 100]: SW AC interface UP for Ethernet interface Et0/0
00:12:59: ACLIB [192.168.1.102, 100]: pthru_intf_handle_circuit_up() ignoring up event. Already connected or connecting.
00:12:59: Et0/0 ACMGR: Receive <Circuit Up> msg
00:12:59: Et0/0 ACMGR: circuit up event, SIP state chg fsp up to connected, action is p2p up forwarded
00:12:59: ACLIB: pthru_intf_response hdl is 8C000002, response is 2
00:12:59: ACLIB [192.168.1.102, 100]: Setting new AC state to Ac-Connected
00:12:59: AToM LDP [192.168.1.102]: Sending label mapping msg
          vc type 5, cbit 1, vc id 100, group id 0, vc label 16, status 0, mtu 1500
00:12:59: Et0/0 ACMGR: Rcv SIP msg: resp peer-to-peer msg, hdl 8C000002, sss_hdl B4000003
00:12:59: Et0/0 ACMGR: remote up event, SIP state connected no chg, action is ignore
00:13:01: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
00:13:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up

Use the debug mpls l2transport vc event command to see the AToM event messages about the VCs, as shown in Example 7-49. Watch how the messages reflect the shutdown of the interface and the healthy recovery.
Pages:
648
Contents AToM SMGR [192.168.1.102,
00:15:16:
100]: sucessfully processed ssm provision
Index
request
pwid 5A000000
00:15:16: AToM SMGR [192.168.1.102, 100]: Send COMPLETE signal to SSM
00:15:16: AToM SMGR [192.168.1.102, 100]: sucessfully setup sss switch for pwid
5A000000
worldSSM
of Layer
2 VPNs to provide enhanced services and enjoy
00:15:16: AToM Master
SMGR: the
Submit
event
productivity
gains
00:15:16: AToM SMGR: Event SSM event
00:15:16: AToM SMGR [192.168.1.102, 100]: sucessfully processed ssm bind for pw
id 5A000000
Learn about Layer 2 Virtual Private Networks (VPNs)
00:15:16: AToM MGR [192.168.1.102, 100]: Receive SSM dataplane up notification
00:15:16: AToM MGR Reduce
[192.168.1.102,
100]:the
Dataplane
activated
costs and extend
reach of your
services by unifying your
00:15:18: %LINK-3-UPDOWN:
Interface
Ethernet0/0,
changed
state to up
network architecture
00:15:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed
state to up
Gain from the first book to address Layer 2 VPN application utilizing
both ATOM and L2TP protocols
00:17:44: 00 64 00 0A 00 00 FF 01 72 3A C0 A8 64 01 C0 A8
00:17:44: 64 02 08 00 28 0D 0E D9 13 FC 00 00 00 00 00 10
00:17:44: 33 58 AB CD AB CD AB CD AB CD AB CD AB CD AB CD
00:17:44: AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
00:17:44: AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
00:17:44: AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
00:17:44: AB CD
00:17:44: ATOM imposition: out Se5/0, size 130, EXP 0x0, seq 0, control word 0x0
00:17:44: 0F 00 88 47 00 01 00 FF 00 01 01 02 00 00 00 00
          ^^^^^ ^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^
          HDLC  etype Tunn. Label VC Label    Ctrl-word
                |     Label=16    Label=16
                |     S=0         S=1
                |     TTL=255     TTL=2
                etype = MPLS Unicast
00:17:44: 00 00 0C 00 6C 00 00 00 0C 00 6F 00 08 00 45 00
          ^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^ ^^^^^ ^^^^^...
          Dest. Address     Source Address    Etype Begins IP packet
                                              = 0x0800 = IP
00:17:44: 00 64 00 0A 00 00 FF 01 72 3A C0 A8 64 02 C0 A8
00:17:44: 64 01 00 00 30 0D 0E D9 13 FC 00 00 00 00 00 10
00:17:44: 33 58 AB CD AB CD AB CD AB CD AB CD AB CD AB CD
00:17:44: AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
00:17:44: AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
00:17:44: AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
00:17:44: AB CD
Note
In the first packet, the Ethertype of 0x9000 indicates a loopback packet. For this reason, the source and destination MAC addresses are the same. The second packet shows an IP packet transported in EoMPLS. Finally, in the third packet with the imposition operation, you can also see the Tunnel, MPLS, and AToM headers. Specifically, the Layer 2 is Cisco HDLC with an HDLC type of 0x8847, indicating that MPLS follows. A two-level MPLS stack includes the Tunnel label of 16 and a VC label of 16. Note that these two values do not need to be the same. The label stack is followed by a 4-byte control word and finally an Ethernet frame with an Ethertype of 0x0800 transporting an IP datagram with an ICMP packet.
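An added example, not the book's code, that decodes the third (imposition) packet from the dump above the way the note reads it: Cisco HDLC header, label stack walked to the S=1 VC label, the 4-byte control word, then the transported Ethernet header. The packet bytes are the page's own; the function names are mine, and the PHP case (no tunnel label) is handled as well.

```python
"""Decode an AToM imposition packet as seen in Example 7-50: Cisco HDLC header,
MPLS label stack (tunnel label(s) then the VC label), control word, and the
transported Ethernet frame. Added example, not the book's code."""

ETYPE_MPLS_UNICAST = 0x8847
ETYPE_IPV4 = 0x0800

# First 32 bytes of the third packet in the dump above (the page's own bytes).
IMPOSITION_HEX = (
    "0F 00 88 47 00 01 00 FF 00 01 01 02 00 00 00 00 "
    "00 00 0C 00 6C 00 00 00 0C 00 6F 00 08 00 45 00"
)
PACKET = bytes.fromhex(IMPOSITION_HEX)


def decode_label(entry: bytes) -> dict:
    """One 4-byte MPLS shim: 20-bit label, 3-bit EXP, bottom-of-stack S bit, 8-bit TTL."""
    value = int.from_bytes(entry, "big")
    return {
        "label": value >> 12,
        "exp": (value >> 9) & 0x7,
        "s": (value >> 8) & 0x1,
        "ttl": value & 0xFF,
    }


def parse_atom_imposition(frame: bytes, control_word: bool = True) -> dict:
    """Walk HDLC -> label stack -> control word -> Ethernet; raise on malformed input."""
    if len(frame) < 4 or frame[0] != 0x0F or frame[1] != 0x00:
        raise ValueError("not a Cisco HDLC unicast frame (expected address 0x0F, control 0x00)")
    if int.from_bytes(frame[2:4], "big") != ETYPE_MPLS_UNICAST:
        raise ValueError("HDLC type is not 0x8847, so no MPLS label stack follows")
    labels = []
    offset = 4
    while True:
        if offset + 4 > len(frame):
            raise ValueError("label stack runs past the end of the frame (no S=1 entry)")
        entry = decode_label(frame[offset:offset + 4])
        labels.append(entry)
        offset += 4
        if entry["s"]:        # bottom of stack: this is the VC label
            break
    cw = None
    if control_word:          # negotiated with the C bit; 4 bytes when present
        if offset + 4 > len(frame):
            raise ValueError("frame ends before the control word")
        cw = int.from_bytes(frame[offset:offset + 4], "big")
        if cw >> 28 != 0:
            raise ValueError("control word first nibble is not 0; payload may be IP, not AToM")
        offset += 4
    l2 = frame[offset:]
    if len(l2) < 14:
        raise ValueError("transported Ethernet frame is shorter than its header")
    eth = {
        "dst": l2[0:6].hex(":"),
        "src": l2[6:12].hex(":"),
        "etype": int.from_bytes(l2[12:14], "big"),
    }
    result = {
        "tunnel_labels": labels[:-1],   # empty when PHP removed the tunnel label
        "vc_label": labels[-1],
        "control_word": cw,
        "ethernet": eth,
    }
    if eth["etype"] == ETYPE_IPV4 and len(l2) > 14:
        result["ip_version"] = l2[14] >> 4   # 0x45 -> IPv4, header length 5 words
    return result


if __name__ == "__main__":
    from pprint import pprint
    pprint(parse_atom_imposition(PACKET))
```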
Troubleshooting EoMPLS on Switches
Troubleshooting commands on switches are, for the most part, the same as those on routers. However, the output might be different, as you learn in this section. For instance, use the output of the command show mpls l2transport vc from Example 7-51 to get information about the VCs just as you would use this command on routers.
Remote      Tunnel
VC Label    Label
215         implc-null

Field            Description
VC ID
Client Intf      Indicates which Layer 2 interface is being used.
VC State         The UP state shows whether the VC ever saw traffic.
Trans Type       The available results include vlan for VLAN based and Ether for port based.
Local VC label
Table 7-6. Fields of the show mpls l2transport vc detail Command
Field                 Description
groupid               AToM group ID advertised in the VC
FEC                   Destination, outgoing interface, next hop
packet or bytes in    Per VC counters for disposition
packet or bytes out   Per VC counters for imposition
*7600 supports per-destination load sharing. If multiple connections to the MPLS cloud exist, the imposition traffic can be transmitted on one interface, and the disposition traffic for the same VLAN can be received in another interface.
Layer 2-specific customizations from the architectural model allow the transport of specific Layer 2 WAN protocols. This section covers some of these similarities and differences.
Control Plane
The setup and maintenance of AToM pseudowires is based on the targeted (also referred to as directed) Label Distribution Protocol (LDP) session between a pair of provider edge (PE) routers. You can bind the Layer 2 attachment circuit (AC) to the label by using the LDP Label Mapping message. Several pseudowires that are signaled by the targeted LDP session between PEs use one packet-switched network (PSN) tunnel label-switched path (LSP) signaled by Link LDP (IGP) or another label distribution protocol, such as Resource Reservation Protocol Traffic Engineering (RSVP-TE).
The fact that multiple pseudowires use the same PSN tunnel and that only PE devices participate in pseudowire signaling adds to the scalability of the AToM solution, given that only PEs know about pseudowire to attachment circuit mappings (PW<->AC), whereas the core P routers remain uninformed of them. The core only knows about Interior Gateway Protocol (IGP) layer LSPs.
Note
The terms virtual circuit (VC) and pseudowire are used interchangeably as the mechanism that transports the elements of an emulated service between PE routers over the MPLS PSN.
One of the special cases of setting up WAN over MPLS pseudowires is the use of specific interface parameters in the Pseudowire ID FEC element, which you learned about in Chapter 6. For example, whereas some interface parameters are applicable to multiple VC types or emulated services (such as maximum transmission unit [MTU] and Interface Description), others are valid only for specific VC types.

The maximum number of concatenated ATM cells interface parameter is applicable only to the different ATM cell transport modes. The Frame Relay DLCI length interface parameter indicates the length of the DLCI field in the Frame Relay header and pertains only to Frame Relay over MPLS.
The following subsections explain more about the transport of WAN protocols over MPLS PSNs:
Pseudowire types used
Data plane encapsulation
Usage of the control word
The 15-bit pseudowire type (or VC type) field identifies the type of pseudowire. The different VC types used in the transport of WAN protocols over MPLS are shown in Table 8-1.
Pseudowire Type   Description                 Usage
0x0001            Frame Relay DLCI            Frame Relay over MPLS DLCI Mode
0x0002            ATM AAL5 SDU VCC            ATM over MPLS AAL5 SDU Mode
0x0003
0x0006
0x0007            PPP                         PPP over MPLS
0x0009            ATM n-to-one VCC[1] cell    ATM over MPLS Cell Relay VC Mode
0x000A            ATM n-to-one VPC[2] cell    ATM over MPLS Cell Relay VP Mode
The encapsulation of Layer 2 WAN protocol data units (PDU) is specified in the encapsulation martini draft and subsequent Pseudowire Emulation Edge-to-Edge (PWE3) working group derivative drafts spawned from it (see Figure 8-1). Essentially, the Layer 2 PDU is encapsulated in an MPLS stack where the inner or bottom label (the VC label contained in the VC MPLS shim header) identifies the Layer 2 attachment circuit and is advertised in the LDP targeted session. The tunnel header in turn consists of 0 or more MPLS headers from the PSN tunnel control plane.
Figure 8-1. Encapsulation of WAN Protocols over MPLS
vary along the LSP. The tunnel header has 0 labels in the case of Penultimate Hop Popping (PHP), whereby the egress PE advertises an implicit null label in the link LDP session. In the most common case, the tunnel header is made of one label distributed by the core LDP session. However, the tunnel header can contain more than one label in cases such as traffic engineering (TE) with Fast Reroute (FRR), MPLS-VPN Carrier Supporting Carrier (CSC), or inter-AS (IAS) environments or when using the reserved Router Alert label of 1.
A 32-bit control word might reside between the VC label and the WAN Layer 2 PDU. The control word negotiation and usage are covered in Chapter 6. The upcoming section discusses the control word usage in the context of WAN protocols over MPLS.
During pseudowire setup, the usage of a control word is negotiated by setting the C bit in the pseudowire ID FEC element. Figure 8-2 compares the control word format for different WAN protocols over MPLS.
Figure 8-2. Control Word Format for Different WAN Protocols
All encapsulations
First Nibble: The first four bits are set to 0x0 to prevent aliasing with IP packets over MPLS. For IP over MPLS (IPoMPLS), the first nibble coincides with the IP Header's version field: 0x4 for IPv4 and 0x6 for IPv6.
B- and E-Bits: These two bits are fragmentation indicators that are used in PWE3 fragmentation and reassembly.
Length: The 6-bit Length field permits values from 0 to 64 only. You use this field when the link layer protocol in the PSN requires a minimum frame length. If the total length of an AToM packet's payload including the control word is less than 64 bytes, you set the Length field to the length of the AToM packet's payload, including the 4-byte control word. Otherwise, you set it to 0.
Frame Relay over MPLS (FRoMPLS, also referred to as FRoPW in Internet Engineering Task Force [IETF] documents)
F-bit: FR forward explicit congestion notification (FECN) bit.
B-bit: FR backward explicit congestion notification (BECN) bit.
D-bit: FR DE bit, which indicates the discard eligibility.
C-bit: FR frame command/response (C/R) bit.
AAL5 CPCS-SDU (often referred to as AAL5 SDU over MPLS)
T-bit: Transport type. Indicates ATM admin cell or AAL5 payload.
E-bit: Explicit Forward Congestion Indication (EFCI) bit.
C-bit: Cell loss priority (CLP) bit.
U-bit: Command/Response field.
Although the control word is optional for some encapsulations such as PPP, HDLC, and cell relay (ATM cell mode transport), it is required for Frame Relay and ATM AAL5 over MPLS. This requirement for the Frame Relay and ATM AAL5 transport modes exists because the control word carries control information that is specific to the Layer 2 being emulated and that is not carried in the AToM payload. For example, you will see in the upcoming section "Frame Relay over MPLS" that the Frame Relay Q.922 header is stripped at the ingress PE at MPLS imposition, so the control word carries the FECN, BECN, and DE bits that were present in the now-stripped header.
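An added example, not the book's code, covering the control word fields listed above and the Frame Relay case this paragraph describes: the ingress PE parses the 2-byte Q.922 header it is about to strip, builds the control word (first nibble 0, F/B/D/C bits, Length only for short packets), and the egress PE decodes it and rebuilds the header from its own DLCI mapping. The bit positions are the RFC 4385/4619 layout, which Figure 8-2 is not on the page to confirm, and the DLCI 100 sample is constructed.

```python
"""Frame Relay over MPLS control word: build it at the ingress PE from the Q.922
header that gets stripped, decode it at the egress PE, and rebuild the header.
Added example, not the book's code. Bit positions follow the RFC 4385/4619
layout: 0000 | F B D C | B E (fragmentation) | 6-bit Length | 16-bit Sequence."""
import struct


def parse_q922(header: bytes) -> dict:
    """2-byte Q.922 address (DLCI length interface parameter value 2)."""
    if len(header) != 2:
        raise ValueError("only the 2-byte Q.922 header is handled here")
    b0, b1 = header
    return {
        "dlci": ((b0 >> 2) << 4) | (b1 >> 4),   # 6 high bits + 4 low bits
        "cr": (b0 >> 1) & 1,
        "ea0": b0 & 1,
        "fecn": (b1 >> 3) & 1,
        "becn": (b1 >> 2) & 1,
        "de": (b1 >> 1) & 1,
        "ea1": b1 & 1,
    }


def build_fr_control_word(q922: dict, payload_len: int, seq: int = 0) -> bytes:
    """FECN/BECN/DE/C-R ride in bits 4-7; Length is set only for payloads under 64 bytes."""
    total = payload_len + 4                # AToM payload including the control word
    length = total if total < 64 else 0
    flags = (q922["fecn"] << 3) | (q922["becn"] << 2) | (q922["de"] << 1) | q922["cr"]
    word = (flags << 24) | (length << 16) | (seq & 0xFFFF)   # first nibble stays 0
    return struct.pack("!I", word)


def classify_first_nibble(word: bytes) -> str:
    """The aliasing check: 0 means control word, 4/6 means an IP packet over MPLS."""
    nibble = word[0] >> 4
    return {0: "control-word", 4: "ipv4", 6: "ipv6"}.get(nibble, "unknown")


def decode_control_word(cw: bytes) -> dict:
    """Egress PE view of the 32-bit control word."""
    if classify_first_nibble(cw) != "control-word":
        raise ValueError("first nibble is not 0: not an AToM control word")
    (word,) = struct.unpack("!I", cw)
    return {
        "fecn": (word >> 27) & 1,
        "becn": (word >> 26) & 1,
        "de": (word >> 25) & 1,
        "cr": (word >> 24) & 1,
        "frag_b": (word >> 23) & 1,
        "frag_e": (word >> 22) & 1,
        "length": (word >> 16) & 0x3F,
        "seq": word & 0xFFFF,
    }


def rebuild_q922(dlci: int, cw: dict) -> bytes:
    """Egress PE: the DLCI comes from the local AC mapping, the four bits from the control word."""
    if not 0 <= dlci < 1024:
        raise ValueError("a 2-byte Q.922 header carries a 10-bit DLCI")
    b0 = ((dlci >> 4) << 2) | (cw["cr"] << 1)                                   # EA0 = 0
    b1 = ((dlci & 0xF) << 4) | (cw["fecn"] << 3) | (cw["becn"] << 2) | (cw["de"] << 1) | 1  # EA1 = 1
    return bytes([b0, b1])


if __name__ == "__main__":
    # Constructed sample: DLCI 100 with BECN and DE set, 40-byte payload.
    q = parse_q922(b"\x18\x47")
    cw = build_fr_control_word(q, payload_len=40)
    print(cw.hex(), decode_control_word(cw), rebuild_q922(100, decode_control_word(cw)).hex())
```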
MTU Requirements
Every time you encapsulate a PDU with a new protocol header, you need to take into account
maximum transmission unit (MTU) considerations. In a Layer 2 VPN, PEs during imposition are
encapsulating a customer edge's (CE) Layer 2 PDU to be switched across an MPLS network.
You need to calculate a series of associated overheads to properly set up the core MTU. You
can subdivide these overheads into three categories:
Transport overhead: This is the overhead that is associated with the specific Layer 2 that is being transported. Table 8-2 lists transport overheads for different WAN protocols.
Table 8-2. Transport Overhead for Different WAN Protocols over MPLS
Transport Type                           Transport Header    Size
Frame Relay DLCI, Cisco encapsulation    Ethertype [2]       2 bytes
PPP                                      DLL Protocol [2]    2 bytes
AAL5                                     Header              0-32 bytes
MPLS overhead: This is the overhead that MPLS headers add (including the VC label). It is equal to 4 bytes times the number of MPLS headers included.
AToM overhead: This is the overhead incurred because of the control word. It is equal to 4 bytes.
ATM Cell transport is deliberately left out of Table 8-2. In ATM cell relay over MPLS (CRoMPLS), the packets that are transported are a fixed length of 52 bytes. They can be concatenated up to a maximum number of cells, making MTU calculation different than for all other Layer 2 transports. The upcoming section "Encapsulations and Packet Format for Cell Transport" covers this topic.
Frame Relay with IETF encapsulation refers to RFC 2427, "Multiprotocol Interconnect over Frame Relay," which makes RFC 1490 obsolete. For Frame Relay with IETF encapsulation DLCI transport, the overhead is considered variable; many packets have a transport overhead of 2 bytes: the control byte of 0x03 and the Network Layer Protocol Identifier (NLPID). This is the minimum overhead in Frame Relay IETF. However, in some other cases (such as when a protocol does not have an NLPID assigned), the NLPID value of 0x80 indicates that a Subnetwork Attachment Point (SNAP) header follows. The Organizationally Unique Identifier (OUI) of 0x000000 indicates that a 2-byte Ethertype follows. In this case, in which the upper layer protocol has no NLPID, the transport overhead is 8 bytes, and you need to use the worst case when setting the core MTU.

On the other hand, for Frame Relay Cisco encapsulation, a 2-byte Ethertype is always used instead of control and NLPID, making the transport overhead permanently 2 bytes.
Tip
When you are studying the packet formats for the different WAN protocols in the
upcoming sections, a good exercise is to come back to Table 8-2 and identify the
different fields that make up the transport overhead.
You can use the following generic formula to calculate the core MTU from the edge MTU. The
edge MTU is the MTU configured in the interface of the CE-facing PE:
Core MTU = Edge MTU + Transport Header + AToM Header + (MPLS Label Stack * MPLS Header Size)
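An added example, not the book's code, that applies the formula with Table 8-2's header sizes and the 8-byte Frame Relay IETF worst case from the text, enforces the control word requirement for Frame Relay and AAL5, and answers the inverse question of the largest edge MTU a given core link can carry. The transport names and function names are mine.

```python
"""Core MTU sizing for AToM, using the chapter's formula:
  Core MTU = Edge MTU + Transport Header + AToM Header + (MPLS Label Stack * MPLS Header Size)
Added example, not the book's code. Transport header sizes are Table 8-2's values plus
the 8-byte Frame Relay IETF worst case from the text; the transport names are mine."""

MPLS_HEADER_SIZE = 4   # one label stack entry
ATOM_HEADER_SIZE = 4   # the control word

# Worst-case transport header, in bytes, for the Layer 2 being carried.
TRANSPORT_HEADER = {
    "fr-dlci-cisco": 2,   # 2-byte Ethertype always replaces control + NLPID
    "fr-dlci-ietf": 8,    # control 0x03 + NLPID 0x80 + SNAP (OUI + Ethertype) when no NLPID is assigned
    "ppp": 2,             # PPP DLL Protocol field; Address/Control are stripped at imposition
    "aal5": 32,           # upper end of the 0-32 byte range
}

# Optional for PPP, HDLC and cell relay; required for Frame Relay and AAL5.
CONTROL_WORD_REQUIRED = {"fr-dlci-cisco", "fr-dlci-ietf", "aal5"}


def core_mtu(edge_mtu: int, transport: str, label_stack_depth: int = 2,
             control_word: bool = True) -> int:
    """Smallest core MTU that carries an edge-MTU-sized PDU without fragmentation.

    label_stack_depth counts every label including the VC label: 1 with PHP,
    2 in the common single-tunnel-label case, more with TE/FRR, CSC or inter-AS.
    """
    if transport not in TRANSPORT_HEADER:
        raise ValueError(f"unknown transport {transport!r}; ATM cell relay is sized per cell, not here")
    if label_stack_depth < 1:
        raise ValueError("the VC label is always present, so the stack depth is at least 1")
    if transport in CONTROL_WORD_REQUIRED and not control_word:
        raise ValueError(f"the control word is mandatory for {transport}")
    atom_header = ATOM_HEADER_SIZE if control_word else 0
    return (edge_mtu + TRANSPORT_HEADER[transport] + atom_header
            + label_stack_depth * MPLS_HEADER_SIZE)


def max_edge_mtu(core_link_mtu: int, transport: str, label_stack_depth: int = 2,
                 control_word: bool = True) -> int:
    """The inverse question: the largest edge MTU a given core link MTU can carry."""
    return core_link_mtu - core_mtu(0, transport, label_stack_depth, control_word)


def fits(edge_mtu: int, core_link_mtu: int, transport: str, label_stack_depth: int = 2,
         control_word: bool = True) -> bool:
    """True when the core link can carry the edge MTU with the given encapsulation."""
    return core_mtu(edge_mtu, transport, label_stack_depth, control_word) <= core_link_mtu


if __name__ == "__main__":
    for name in TRANSPORT_HEADER:
        # Every listed transport accepts the control word, so the default call is valid.
        print(f"{name:14s} edge MTU 1500 -> core MTU {core_mtu(1500, name)}")
```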
Figure 8-3. Cisco HDLCoMPLS Packet Format
In contrast to HDLCoMPLS, however, PPPoMPLS requires some interpretation of the PPP header. Specifically, in addition to the 0x7E flag and FCS fields being removed at imposition, the Address (0xFF) and Control (0x03) fields are stripped at the imposition router. These fields are not transported in PPPoMPLS packets (that information can be implicitly gleaned because the VC type is PPP) and are re-created at the disposition PE before transmitting to the remote CE. Figure 8-4 shows the PPPoMPLS packet format.
Note
Using either ACFC or PFC (both defined in RFC 1661, "The Point-to-Point Protocol
[PPP]") changes the alignment of the network data inside the frame, which in turn
decreases switching efficiency in both the ingress and egress CE.
Because the Protocol field is transported unmodified, you can negotiate PFC between PEs. That is not recommended though, because of the same word alignment reasons explained for ACFC.
One important aspect of the transport of PPPoMPLS is the PPP Finite State Machine (FSM) negotiation, specifically between which peers PPP negotiation (that is, Link Control Protocol [LCP], authentication, and Network Control Protocols [NCP]) occurs. In PPPoMPLS, the PPP negotiation takes place directly between CE devices. In other words, PPP does not actually run or terminate on the PE devices. After you configure an interface for PPP encapsulation in a PE router, PPP leaves the closed state and tries to negotiate LCP and NCP. Then, when a pseudowire is configured for PPPoMPLS, PPP enters a closed state, and LCP and NCP negotiation is nonexistent with the CE.
From Figure 8-5, you can see that for both encapsulation methods, and similarly to HDLCoMPLS and PPPoMPLS, the Flag of 0x7E and the FCS are stripped at imposition and are not transmitted over AToM. The 2-byte Q.922 header is also stripped at imposition and is not transported in AToM. In consequence, a mechanism should be in place to inform the remote PE of the value of all the fields in the Q.922 header so that the remote PE can re-create it and send a Frame Relay packet to the remote CE without losing information. The following list details the different methods for conveying the Q.922 FR header information to the remote PE:
DLCI: PEs do not exchange the DLCI at any moment. It is a local PE responsibility to map the local VC that is exchanged by LDP in the pseudowire forward error correction (FEC) ID to the attachment circuit (that is, the Frame Relay DLCI). Remember that DLCIs are locally significant, and the PSN is acting as a Frame Relay cloud.
C/R The Command/Response
bit isLayer
sent in
the C-bit
in fulfill
the Frame
Relay need
over Pseudowire
technologies. Although
3 MPLS
VPNs
the market
for some
(FRoPW) Header
(that
is,
control
word).
Refer
to
Figure
8-2.
customers, they have some drawbacks. Ideally, carriers with existing
legacy Layer 2 and Layer 3 networks would like to move toward a single
FECN: The FECN bit is sent in the F-bit in the FRoPW Header (that is, control word).
BECN: The BECN bit is sent in the B-bit in the FRoPW Header (that is, control word).

DE: The discard eligible bit is sent in the D-bit in the FRoPW Header (that is, control word).
EA: During pseudowire establishment, PEs negotiate the characteristic of a Frame Relay PVC with respect to extended addressing. They do this by including the optional Frame Relay DLCI length interface parameter in the VC FEC element in the FEC TLV inside the LDP Label Mapping message. The optional Frame Relay DLCI length interface parameter (interface parameter type 0x08) indicates the length of the FR Header and can have the value of 2 or 4.
In summary, the C/R, FECN, BECN, and DE are sent on the control word flags on a per-packet basis. In contrast, LDP sends the extended addressing characteristics of the FR PVC on pseudowire establishment. This implies that on a given Frame Relay PVC, all packets need to use normal addressing (Q.922 header of 2 bytes) or extended addressing (that is, Q.922 header of 4 bytes), but not mixed.
Note
FRoMPLS requires the control word.
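As an added example (not code from the book or from Cisco), the following Python shows the per-packet part of this mechanism: the imposition PE strips the 2-byte Q.922 header and carries C/R, FECN, BECN and DE in the control-word flag bits, and the disposition PE re-creates the header around its own locally significant DLCI, taken from pseudowire state rather than from the packet. The B/F/D/C bit positions inside the control word are assumed from RFC 4619 (Figure 8-2 is not reproduced on this page), and the frame bytes and DLCI values are constructed.

```python
"""Added example (not from the book): how a Frame Relay DLCI pseudowire
conveys the Q.922 header.  The imposition PE strips the 2-byte header and
copies C/R, FECN, BECN and DE into the control-word flag bits; the DLCI is
never sent, so the disposition PE re-creates it from its own pseudowire
state (the locally significant DLCI it mapped to the VC ID at setup)."""
from dataclasses import dataclass
from typing import Tuple

# Control-word flag bits (bits 4..7 of the first byte).  ASSUMPTION: the
# B, F, D, C order is taken from RFC 4619; the book's Figure 8-2 is not
# reproduced on this page.
CW_B = 0x08  # BECN
CW_F = 0x04  # FECN
CW_D = 0x02  # DE
CW_C = 0x01  # C/R


@dataclass
class Q922Header:
    dlci: int          # 10-bit DLCI (normal, 2-byte addressing)
    cr: bool = False   # Command/Response
    fecn: bool = False
    becn: bool = False
    de: bool = False   # Discard Eligible


def parse_q922(hdr: bytes) -> Q922Header:
    """Parse a 2-byte Q.922 header.  EA=0 in the first octet and EA=1 in the
    second mark normal addressing; anything else is not the 2-byte form that
    a DLCI length interface parameter of 2 committed this PVC to."""
    if len(hdr) != 2 or hdr[0] & 0x01 or not hdr[1] & 0x01:
        raise ValueError("not a 2-byte Q.922 header: addressing mode mismatch")
    dlci = ((hdr[0] >> 2) << 4) | (hdr[1] >> 4)
    return Q922Header(dlci, cr=bool(hdr[0] & 0x02), fecn=bool(hdr[1] & 0x08),
                      becn=bool(hdr[1] & 0x04), de=bool(hdr[1] & 0x02))


def build_q922(h: Q922Header) -> bytes:
    """Inverse of parse_q922: DLCI high 6 bits, C/R, EA=0 / DLCI low 4 bits,
    FECN, BECN, DE, EA=1."""
    if not 0 <= h.dlci < 1024:
        raise ValueError("DLCI does not fit in 10 bits")
    b0 = ((h.dlci >> 4) << 2) | (int(h.cr) << 1)
    b1 = (((h.dlci & 0xF) << 4) | (int(h.fecn) << 3) | (int(h.becn) << 2)
          | (int(h.de) << 1) | 0x01)
    return bytes([b0, b1])


def impose(frame: bytes, seq: int = 0) -> Tuple[bytes, bytes]:
    """Imposition PE: frame is the Frame Relay frame with flags and FCS
    already removed.  Returns (control word, pseudowire payload)."""
    h = parse_q922(frame[:2])
    flags = ((CW_B if h.becn else 0) | (CW_F if h.fecn else 0)
             | (CW_D if h.de else 0) | (CW_C if h.cr else 0))
    # Byte 0: 0000 + flags.  Byte 1: FRG=00 and Length=0 (Length is only
    # non-zero for frames short enough to need PSN padding; not handled here).
    # Bytes 2-3: sequence number, 0 when sequencing is disabled.
    cw = bytes([flags, 0x00, (seq >> 8) & 0xFF, seq & 0xFF])
    return cw, frame[2:]


def dispose(cw: bytes, payload: bytes, local_dlci: int) -> bytes:
    """Disposition PE: rebuild the Q.922 header for the attachment circuit's
    own DLCI, taking the congestion and C/R bits from the control word."""
    if len(cw) != 4 or cw[0] & 0xF0:
        raise ValueError("malformed control word (first nibble must be 0)")
    h = Q922Header(local_dlci, cr=bool(cw[0] & CW_C), fecn=bool(cw[0] & CW_F),
                   becn=bool(cw[0] & CW_B), de=bool(cw[0] & CW_D))
    return build_q922(h) + payload
```

Note that the DLCI in the re-created header (200 in the test data) differs from the one that entered the ingress PE (100): the PSN is acting as a Frame Relay cloud, and only the local VC-to-DLCI mapping decides which value the far CE sees.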
As shown in Figure 8-5, the difference between IETF and Cisco encapsulation for Frame Relay is the upper layer protocol identification. You can configure a Cisco router to run either of the two encapsulations.
For IETF encapsulation, the format for routed frames allows an NLPID value of 0x80, indicating that a SNAP header follows (see Figure 8-6). Because not all protocols have an NLPID value assigned (NLPID space is limited), you have to use the SNAP form in such cases. Using the SNAP form increases the transport overhead for Frame Relay IETF to a total of 8 bytes.
ATMoMPLS presents three different degrees of transport granularity: granularity at the VC, VP, or Port level. If a user wants to transport an ATM VC over MPLS, he has the option of doing AAL5 over MPLS (AAL5oMPLS) or CRoMPLS VC mode. A user has to use CRoMPLS if the ATM frames transported over the VC are not AAL5 but a different adaptation layer, such as AAL2. In the next section, you learn some of the differences between the two. If a user wants to transport an ATM VP (for example, for virtual trunking applications) or an ATM port (for trunking or cell transport applications), the only mode available is CRoMPLS.
The first AToM mode for transporting ATM is the AAL5 mode, in which the pseudowire transports AAL5 common part convergence sublayer (CPCS) service data units (SDU).
Figure 8-7 shows that the AAL5 CPCS protocol data unit (PDU) is composed of the CPCS-PDU payload or CPCS-SDU, padding to ensure that the CPCS-PDU is an integer multiple of 48 bytes for the SAR layer, and a CPCS-PDU trailer. The CPCS-PDU trailer in turn contains a 1-byte User-to-User indication (CPCS-UU) field, a 1-byte common part indicator (CPI), a 2-byte Length indicator that specifies the length of the payload in octets, and a 4-byte cyclic redundancy check (CRC). Only the CPCS-SDU payload or the CPCS-PDU without its padding and trailer is transported in AAL5oMPLS SDU mode.

Figure 8-7. AAL5oMPLS Packet Format
Figure 8-7 shows the format of the AAL5 CPCS-SDU for routed ISO (such as Connectionless Network Service [CLNS]) and non-ISO (such as IP) protocols. These formats are useful in understanding the different overheads that come into play for the different protocols that are transported in AAL5oMPLS.
The only supported AAL5 transport mode over MPLS is AAL5 SDU mode. In protocol layering or protocol encapsulation, a service access point (SAP) exists between two layers (see Figure 8-8). Each protocol sends (down direction) and receives (up direction) data via the SAP. The PDU at a higher layer N+1 becomes the layer N SDU when traversing the SAP. At layer N, protocol control information (PCI) is added to the SDU to form the PDU at that layer N, which in turn becomes the SDU at layer N-1. In summary, at a given layer, PDU = PCI + SDU. PDU includes the protocol control data (PCI) plus the carried data (SDU). The PDU at layer N is the SDU at layer N-1. Any data that enters the AAL5 layer becomes an SDU for AAL5 CS.
In AAL5 SDU mode, the AToM payload's (AAL5 CPCS-SDU) length need not be an integer multiple of 48 bytes, because the padding and trailer were stripped before AToM encapsulation. In AAL5oMPLS, the ingress PE receives ATM cells from the customer premises equipment (CPE), and it needs to reassemble them to send an AAL5 SDU over MPLS in a single packet. The cell headers are not transported, so it is critical to understand how the different ATM cell header fields are conveyed to the other end. In AAL5oMPLS, the presence of a control word is required, although its use is optional (refer to Figure 8-2). The following list enumerates the different ATM cell header fields and how they are transported in AAL5 SDU mode:

Virtual path identifier (VPI) and virtual circuit identifier (VCI): PE routers do not carry or exchange the VPI and VCI. The PEs keep the VPI and VCI values in the state of the pseudowire, and the disposition PE router rewrites the VPI and VCI value.
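The following Python is an added example, not the book's or Cisco's code, that builds a CPCS-PDU as Figure 8-7 describes it (SDU, padding to a 48-byte multiple, then the UU, CPI, Length and CRC-32 trailer) and then performs the imposition-side stripping of AAL5 SDU mode, so that what goes into the AToM payload is the bare SDU of any length. The CRC is the MSB-first CRC-32 of ITU-T I.363.5 as the author understands it (an assumption; the book does not spell the algorithm out), and the SDU contents are constructed.

```python
"""Added example (not from the book): building an AAL5 CPCS-PDU from a
CPCS-SDU and stripping it back to the SDU the way an AAL5 SDU mode
pseudowire does at imposition."""
import struct

AAL5_CRC_POLY = 0x04C11DB7  # same generator as Ethernet, but fed MSB-first


def aal5_crc32(data: bytes) -> int:
    """CRC-32 over the CPCS-PDU less its own CRC field, computed MSB-first,
    preset to all ones and inverted at the end.  ASSUMPTION: this is the
    ITU-T I.363.5 procedure as the author understands it."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            if crc & 0x80000000:
                crc = ((crc << 1) ^ AAL5_CRC_POLY) & 0xFFFFFFFF
            else:
                crc = (crc << 1) & 0xFFFFFFFF
    return crc ^ 0xFFFFFFFF


def aal5_build_pdu(sdu: bytes, uu: int = 0, cpi: int = 0) -> bytes:
    """CPCS-PDU = SDU + padding to a 48-byte multiple + 8-byte trailer
    (CPCS-UU, CPI, Length, CRC-32), as in Figure 8-7."""
    if not 0 < len(sdu) <= 0xFFFF:
        raise ValueError("CPCS-SDU length must fit the 16-bit Length field")
    pad = (-(len(sdu) + 8)) % 48          # pad so SDU + pad + trailer is n*48
    body = sdu + bytes(pad) + struct.pack("!BBH", uu, cpi, len(sdu))
    return body + struct.pack("!I", aal5_crc32(body))


def aal5_strip_pdu(pdu: bytes) -> bytes:
    """Imposition side of AAL5 SDU mode: check the trailer, then drop padding
    and trailer so only the CPCS-SDU goes into the AToM payload."""
    if len(pdu) < 48 or len(pdu) % 48:
        raise ValueError("CPCS-PDU must be a non-empty multiple of 48 bytes")
    body, crc = pdu[:-4], struct.unpack("!I", pdu[-4:])[0]
    if aal5_crc32(body) != crc:
        raise ValueError("AAL5 CRC-32 mismatch: discard, do not forward")
    uu, cpi, length = struct.unpack("!BBH", body[-4:])
    if length == 0 or length > len(body) - 4:
        raise ValueError("Length field inconsistent with PDU size")
    return body[:length]


def aal5_valid(pdu: bytes) -> bool:
    """True if aal5_strip_pdu would accept the PDU."""
    try:
        aal5_strip_pdu(pdu)
        return True
    except ValueError:
        return False
```

A 100-byte SDU becomes a 144-byte CPCS-PDU (36 bytes of padding plus the 8-byte trailer) on the ATM side, but only the 100 SDU bytes cross the pseudowire; the trailer is checked before stripping, so a PDU with a bad CRC is dropped at the ingress PE instead of being re-created at the far end.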
From Figure 8-9, you can see that for cell relay, the control word is optional. However, the Cisco implementation of CRoMPLS advertises the disposition cap
ability for the control word (C-bit in pseudowire ID FEC) and uses the control word whenever possible (that is, when the remote side supports the control word as a disposition capability).
In n-to-one ATM cell transport, a complete ATM layer cell header is appended after the control word, followed by 48 bytes of ATM cell payload.
Note
The VPI field in ATM cell encapsulation is 12 bits long to accommodate the NNI ATM header
format's VPI range. The field is interpreted as VPI; therefore, if the cell is actually using UNI
ATM header format, the Generic Flow Control field (first nibble) is always 0.
In n-to-1 ATM CRoMPLS, an imposition PE can concatenate multiple ATM cells into a single AToM PDU. Concatenation of cells (also called cell packing) is optional in transmission at the ingress PE and is supported in ATM cell port, VP, and VC modes. You can view the cell concatenation as a disposition property, in which an egress PE can support disposition for concatenated cells up to a certain number of cells. The imposition PE knows the maximum number of cells that can be linked because it is indicated during pseudowire establishment with a new interface parameter. The Maximum Number of concatenated ATM cells interface parameter (interface parameter type 0x02) specifies the maximum number of cells in a single AToM PDU that you can process at disposition.
Note

Because the interface parameter is included in the Label Mapping LDP message at VC setup, changing its value would tear down and resignal the pseudowire.
The Maximum Number of concatenated ATM cells interface parameter is required for all the different ATM cell transport modes (port, VP, and VC modes). If the egress PE supports only a given number of concatenated cells, the ingress PE should link cells up to the Maximum Number of concatenated ATM cells interface parameter received from the remote PE in the pseudowire ID FEC element.
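The following Python is an added example (not the book's or Cisco's code) covering the two n-to-one cell relay points above: each cell travels as the 4-byte cell header described earlier (the ATM header without its HEC, with the first nibble read as the top of a 12-bit VPI, so a UNI cell's GFC reads as 0) followed by its 48 bytes of payload, and the imposition PE packs at most the peer's Maximum Number of concatenated ATM cells into one AToM PDU while the disposition PE rejects PDUs above its own advertised limit. The cell bytes and VPI/VCI values are constructed.

```python
"""Added example (not from the book): N-to-one ATM cell relay framing for
CRoMPLS.  Each cell becomes a 4-byte header (the ATM cell header without
its HEC, the first nibble read as the top of a 12-bit VPI) plus its 48-byte
payload.  The imposition PE packs at most max_cells cells (the value
received in the peer's Maximum Number of concatenated ATM cells interface
parameter) into one AToM PDU; the disposition PE refuses PDUs above it."""
import struct
from typing import List, NamedTuple

CELL_LEN, PW_CELL_LEN = 53, 52   # 5 + 48 on the wire, 4 + 48 in the pseudowire


class Cell(NamedTuple):
    vpi: int        # 12 bits; for a UNI cell the top nibble is the GFC and reads as 0
    vci: int        # 16 bits
    pti: int        # 3-bit payload type
    clp: int        # 1-bit cell loss priority
    payload: bytes  # 48 bytes


def _cell_from_header(hdr: int, payload: bytes) -> Cell:
    return Cell(hdr >> 20, (hdr >> 4) & 0xFFFF, (hdr >> 1) & 0x7, hdr & 0x1, payload)


def parse_atm_cell(cell: bytes) -> Cell:
    """Split a 53-byte cell.  The HEC (byte 4) is dropped: the PSN does not
    carry it, and the disposition PE regenerates it."""
    if len(cell) != CELL_LEN:
        raise ValueError("ATM cell must be 53 bytes")
    return _cell_from_header(struct.unpack("!I", cell[:4])[0], cell[5:])


def pw_cell(c: Cell) -> bytes:
    """4-byte pseudowire cell header (VPI 12, VCI 16, PTI 3, CLP 1) + payload."""
    if (len(c.payload) != 48 or c.vpi > 0xFFF or c.vci > 0xFFFF
            or c.pti > 7 or c.clp > 1):
        raise ValueError("cell fields out of range")
    hdr = (c.vpi << 20) | (c.vci << 4) | (c.pti << 1) | c.clp
    return struct.pack("!I", hdr) + c.payload


def pack_cells(cells: List[Cell], max_cells: int, control_word: bool = True) -> List[bytes]:
    """Imposition: concatenate up to max_cells cells per AToM PDU.  The
    control word (all zeros here, sequencing disabled) is prepended when the
    peer advertised it as a disposition capability."""
    if max_cells < 1:
        raise ValueError("peer must accept at least one cell per PDU")
    cw = bytes(4) if control_word else b""
    return [cw + b"".join(pw_cell(c) for c in cells[i:i + max_cells])
            for i in range(0, len(cells), max_cells)]


def unpack_pdu(pdu: bytes, max_cells: int, control_word: bool = True) -> List[Cell]:
    """Disposition: recover the cells; reject PDUs that are not a whole
    number of 52-byte cells or that carry more cells than this PE advertised."""
    body = pdu[4:] if control_word else pdu
    if not body or len(body) % PW_CELL_LEN:
        raise ValueError("PDU is not a whole number of pseudowire cells")
    if len(body) // PW_CELL_LEN > max_cells:
        raise ValueError("more concatenated cells than advertised; drop PDU")
    return [_cell_from_header(struct.unpack("!I", body[off:off + 4])[0],
                              body[off + 4:off + PW_CELL_LEN])
            for off in range(0, len(body), PW_CELL_LEN)]


def pdu_accepted(pdu: bytes, max_cells: int, control_word: bool = True) -> bool:
    """True if unpack_pdu would accept the PDU at this disposition limit."""
    try:
        unpack_pdu(pdu, max_cells, control_word)
        return True
    except ValueError:
        return False
```

Five cells with a peer limit of three produce two PDUs of 160 and 108 bytes (4-byte control word plus 52 bytes per cell); the same 160-byte PDU is refused by a disposition PE that only advertised two cells, which is why the ingress side must honour the value it received rather than its own.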
Note

After the configuration, each case study also covers verification and some troubleshooting for
Figure 8-10. WAN Protocols over MPLS Case Study Topology
All case studies require common configuration and verification of the MPLS core. The following list details the required pre-AToM configuration steps on all P and PE routers:

1. Create a loopback interface and assign a /32 IP address to it.

2. Enable IP Cisco Express Forwarding (CEF) globally.

3. Enable MPLS globally and select LDP as the label distribution protocol. Specify the loopback interface's IP address as the LDP Router ID.

4. Assign IP addresses to all physical links connecting the core routers, and enable Link LDP on them.

5. Enable an Interior Gateway Protocol (IGP) among the core routers and include the loopback and the interfaces connecting P and PE routers. These case studies use Open Shortest Path First (OSPF) with a single area 0.
The configuration for the SanFran router is shown in Example 8-1. The configuration for the other two core routers is analogous to this one.

!
interface Loopback0
 ip address 10.0.0.201 255.255.255.255
!
interface Ethernet1/0
 ip address 10.1.1.201 255.255.255.0
 no ip directed-broadcast
 mpls ip
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.255.255.255 area 0
In Example 8-1, you can see service timestamps configured for logging and debug with the msec option. This is done so that you have more time granularity in the debug and error message output to better understand the protocols and ease troubleshooting.

Example 8-1 also shows mpls ldp explicit-null configured to advertise an IPv4 explicit null label (a label with a value of 0) instead of the default implicit null (Pop label operation).
Now you can verify that the core configuration is working as expected. Use the command show mpls ldp neighbors in the Denver P router to confirm that the two link LDP sessions are UP. Implicitly, you are validating two other things:

First, that the LDP neighbors have discovered themselves. LDP discovery is performed by sending LDP Hellos over UDP to the all-routers multicast address (224.0.0.2). It is a prerequisite to LDP session establishment. You can check the LDP discovery status using the command show mpls ldp discovery.

Second, that IP routes for the loopback addresses are being propagated. After LDP discovery, you establish the LDP session by setting up a TCP session between the addresses that are advertised in the IPv4 Transport address TLV in the Hello message (in this case, the loopback IP addresses). The higher LDP session ID (active) sets up a TCP connection to the lower LDP session ID (passive) at the well-known LDP port of 646. You can also check the IP routing information using the command show ip route, and verify the LDP transport address using the command show mpls ldp discovery detail.

Example 8-2 shows the Link LDP sessions, highlighting that the state is "operational."
    Up time: 00:34:06
    LDP discovery sources:
      Ethernet2/0, Src IP addr: 10.1.2.203
    Addresses bound to peer LDP Ident:
      10.1.2.203      10.0.0.203
Peer LDP Ident: 10.0.0.201:0; Local LDP Ident 10.0.0.202:0
!This is SanFran PE
    TCP connection: 10.0.0.201.646 - 10.0.0.202.11006
    State: Oper; Msgs sent/rcvd: 46/46; Downstream
    Up time: 00:33:57
    LDP discovery sources:
      Ethernet1/0, Src IP addr: 10.1.1.201
    Addresses bound to peer LDP Ident:
      10.0.0.201      10.1.1.201
Denver#
You can also verify the MPLS forwarding state in a PE and a P router (see Example 8-3).

Denver#show mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     0           10.0.0.203/32     1580313    Et2/0      10.1.2.203
17     0           10.0.0.201/32     1614352    Et1/0      10.1.1.201
Denver#
At this point, you are ready for the specific Layer 2 WAN protocols transport configuration. The upcoming sections detail the configuration and verification in the following case studies:

Case Study 8-1: HDLC over MPLS
Case Study 8-2: PPP over MPLS
Case Study 8-3: Frame Relay DLCI over MPLS
Case Study 8-4: ATM AAL5 SDU over MPLS
Case Study 8-5: ATM Cell over MPLS
In Figure 8-11, you can see that building from the generic topology in Figure 8-10, you will be using interfaces Serial 5/0 in both PE routers (SanFran and NewYork) and in both CE routers (Oakland and Albany).
Configuring HDLCoMPLS
You know from previous chapters that the AToM states and all Layer 2 transport-specific configuration exist only in the edge routers. This adds to the scalability of the whole AToM solution. Start by configuring HDLCoMPLS on the Serial interfaces in the PE routers SanFran and NewYork, as shown in Example 8-4.
In Example 8-4, the configurations that are applied to both PE routers are slightly different,
although both achieve the same result. NewYork uses the pseudowire-class configuration, which
is more versatile than the one liner xconnect configuration and allows for different characteristics
to be applied to a pseudowire in a class fashion. This way, you can reuse the pseudowire class
across multiple pseudowires.
Also note that the encapsulation for the Serial interfaces is not configured. This is because the
default of Cisco HDLC is used.
You will analyze the sequencing transmit configuration under the pseudowire class in the subsequent "Troubleshooting HDLCoMPLS" subsection.
The CE configuration for the Oakland side is included in Example 8-5 for completeness. The far CE is a mirror of this configuration except for the IP address.
At this point, all specific configuration and states that pertain to the transport of Layer 2 frames over MPLS reside in the PE devices. You have not configured the P router Denver.
Verifying HDLCoMPLS
When you configure AToM, the targeted LDP session between PE routers is established, as shown in Example 8-6. Example 8-6 highlights the local and peer LDP identifiers and the targeted discovery source.
Local labels are assigned and distributed using the targeted LDP session. See Example 8-7, which
highlights the Layer 2 circuit (l2ckt) local and remote labels.
      Cbit: 1,    VC Type: HDLC,    GroupID: 0
      MTU: 1500,  Interface Desc: n/a
      VCCV Capabilities: Type 1, Type 2
    Remote Label: 19
      Cbit: 1,    VC Type: HDLC,    GroupID: 0
      MTU: 1500,  Interface Desc: n/a                !-+ Signaled as
      VCCV Capabilities: Type 1, Type 2              !-+ Interface Parameter
SanFran#
Note
Another useful command is show mpls l2transport vc 50 detail, displayed in Example 8-8. The
highlighted parts show the VC status and the label stack used in forwarding at imposition.
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description:
  Sequencing: receive disabled, send disabled
  Sequence number: receive 0, send 0
  VC statistics:
    packet totals: receive 1363, send 1402
    byte totals:   receive 237913, send 246646
    packet drops:  receive 0, seq error 0, send 231
SanFran#
Among other things, the VC status is displayed in the command output along with the imposed label stack. In this case, 16 is the IGP label and 19 is the VC label. The VC can be in one of three different statuses:
UP: VC can carry data between the two endpoints. (Imposition and disposition are programmed.) Two conditions need to hold true:

  Disposition interfaces are programmed: The VC is configured, and the CE interface is up.

  Imposition interfaces are programmed: The disposition interface is programmed, and you received a remote VC label and an IGP label (LSP to the peer).

DOWN: VC is not ready to carry traffic between the two VC endpoints.

ADMINDOWN: A user has disabled the VC.
A RAW adjacency, in which the protocol is shown as "raw" because no upper-layer adjacencies exist between the PE and CE, is created out of the attachment circuit (see Example 8-9).
Example 8-9. AToM HDLC RAW Adjacency

SanFran#show adjacency serial 5/0 detail
Protocol Interface                 Address
RAW      Serial5/0                 point2point(4)
                                   0 packets, 0 bytes
                                   Raw
                                   Epoch: 0
                                   never
SanFran#
Note that in the case of HDLCoMPLS, the adjacency contains a null encapsulation prepended to
the packet that is switched through this adjacency, because the complete HDLC header is
transported unmodified. Keep this in mind on the PPPoMPLS case study for comparison.
Finally, you can verify that connectivity between CE routers indeed exists (see Example 8-10).
Oakland#ping 192.168.5.2
Troubleshooting HDLCoMPLS
So far, you have not configured an MTU in the network. All the PE and CE router's interfaces are using the following default MTU settings:

MTU == 1500 by default for Serial and Ethernet
MTU == 4470 by default for High-Speed Serial Interface (HSSI), ATM, and Packet over SONET (POS)
Try to calculate the maximum packet size that you can send between CEs with the default settings. You have the following overheads in place:
Request 6 timed out (size 1486)
Request 7 timed out (size 1487)
Request 8 timed out (size 1488)
Request 9 timed out (size 1489)
Request 10 timed out (size 1490)
Success rate is 45 percent (5/11), round-trip min/avg/max = 28/41/64 ms
Oakland#
Finally, capture HDLCoMPLS AToM packets in the SanFran router, from an ICMP Echo (PING) from the Oakland CE. The imposition refers to AToM packets that are sent toward the NewYork PE out of the Ethernet interface, and disposition means AToM packets that are received from Denver and sent to the Oakland CE. Use the command debug mpls l2transport packet data, as shown in Example 8-12.
Example 8-12.
Capturing
and Decoding
HDLCoMPLS
technologies.
Although
Layer 3 MPLS
VPNs fulfill the Packets
market need for some
customers, they have some drawbacks. Ideally, carriers with existing
legacy Layer 2 and Layer 3 networks would like to move toward a single
SanFran#debug mpls l2transport packet data
AToM packet data debugging is on
SanFran#
*May 19 02:51:21.095: ATOM imposition: out Et1/0, size 130, EXP 0x0, seq 0, control word 0x0
*May 19 02:51:21.095: XX XX XX XX XX XX YY YY YY YY YY YY 88 47 00 01
                      ^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^ ^^^^^ ^^^^^
                      SA MAC            DA MAC            |     top_shim-->
                                                          etype = MPLS Unicast
*May 19 02:51:21.095: 00 FF 00 01 31 02 00 00 00 00 0F 00 08 00 45 00
                      ^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^ ^^ ^^ ^^^^^ ^^^^^...
                      <--top_shim VC_Label Ctrl-word |  |  |     Begins IP Packet
                      Label=16 Label=19              |  |  etype = IPv4
                      S=0      S=1                   |  Control
                      TTL=255  TTL=2                 Address = Unicast Frame
*May 19 02:51:21.095: 00 64 00 32 00 00 FF 01 30 13 C0 A8 05 01 C0 A8
*May 19 02:51:21.095: 05 02 08 00 03 A7 00 06 00 04 00 00 00 00 07 C1
*May 19 02:51:21.095: 72 D8 AB CD AB CD AB CD AB CD AB CD AB CD AB CD
*May 19 02:51:21.095: AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
*May 19 02:51:21.095: AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
*May 19 02:51:21.095: AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
*May 19 02:51:21.095: AB CD
*May 19 02:51:21.143: ATOM disposition: ... control word 0xB59
*May 19 02:51:21.143: 0F 00 08 00 45 00 00 64 00 32 00 00 FF 01 30 13
                      ^^ ^^ ^^^^^ ^^^^^...
                      |  |  |     Begins IP Packet
                      |  |  etype = IPv4
                      |  Control
                      Address = Unicast Frame
*May 19 02:51:21.143: C0 A8 05 02 C0 A8 05 01 00 00 0B A7 00 06 00 04
*May 19 02:51:21.143: 00 00 00 00 07 C1 72 D8 AB CD AB CD AB CD AB CD
*May 19 02:51:21.143: AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
*May 19 02:51:21.143: AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
*May 19 02:51:21.143: AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
*May 19 02:51:21.143: AB CD AB CD AB CD AB CD
Note

Note in Example 8-12 and in the following examples dealing with packet decoding that the offline hand decoding of the packets is shown in bold.

Analyzing the disposition as dumped in the SanFran PE, you can see that the control word has a non-null value, whereas the control word in imposition is null. This is because you have configured the NewYork endpoint to perform sequencing, and you can see the sequence number increasing in the control word. The sequence number in the control word is included in the rightmost 2 bytes. From Example 8-12, the control word is 0x00000B59, so the sequence number is 0x0B59. That number is 2905 in decimal.
Configuring PPPoMPLS
The configuration for PPPoMPLS is analogous to HDLCoMPLS, except that the PPP encapsulation
needs to be specified in the Serial interface. Example 8-13 shows the configuration for the two PE
devices.
Example 8-13. Configuring PPPoMPLS

SanFran#show running-config interface serial 6/0
Building configuration...

Current configuration : 188 bytes
!
interface Serial6/0
 description *** To Oakland Serial 6/0 ***
 no ip address
 encapsulation ppp
 no cdp enable
 xconnect 10.0.0.203 60 encapsulation mpls
end
SanFran#
The PPP negotiation happens between CE devices, and the core network acts as a transport.
  VC statistics:
    packet totals: receive 18291, send 18289
    byte totals: receive 3577950, send 3403595
    packet drops: receive 0, seq error 0, send 0
SanFran#
From Example 8-16, you can see that the VC is up and the interface parameters of MTU and interface description have been advertised. The VC type is PPP, which has a value of 0x0007. You might wonder, however, how you can see the value of the VC type in real time when it is advertised. The answer is by using the debug command debug mpls l2transport signaling message. After you enable the debug in NewYork, you must bounce the remote interface to force withdrawing and remapping of the label (see Example 8-17).
Example 8-17. Debugging AToM Signaling Messages

*May 19 16:19:44.995: AToM LDP [10.0.0.201]: Received label withdraw msg, id 1822, graceful restart instance 2
 vc type 7, cbit 1, vc id 60, group id 0, vc label 20, status 0, mtu 0
*May 19 16:19:45.203: AToM LDP [10.0.0.201]: Sending label release msg
 vc type 7, cbit 1, vc id 60, group id 0, vc label 20, status 0, mtu 0
SanFran(config-if)#no shutdown
NewYork#
*May 19 16:20:40.071: AToM LDP [10.0.0.201]: Received label mapping msg, id 1825, graceful restart instance 2
 vc type 7, cbit 1, vc id 60, group id 0, vc label 20, status 0, mtu 1500
From Example 8-17, you can see that when you shut down the interface in SanFran, an LDP label withdraw message is sent, which is acknowledged with an LDP label release message. When you enable the interface, an LDP label mapping message is sent, including the VC type of 7. More details on this procedure are covered in "Case Study 8-6: Decoding LDP Label Mapping and Pseudowire ID FEC Elements."
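The withdraw, release and mapping cycle above can be checked from the debug text itself rather than read by eye. The following Python script is an added example; it is not code from the book or from Cisco IOS. It parses the AToM LDP debug lines into records and verifies that the re-advertised mapping for a VC ID carries a usable MTU, a zero status and the control-word bit. Assumptions: the sample text is assembled from Example 8-17 plus the AAL5 withdraw line shown later in the chapter (noise such as the NewYork# prompt is left in on purpose); the line format is exactly what the page prints; the VC type names are taken from RFC 4446 (the page itself states only that PPP is 7 and shows type 2 for AAL5 SDU).

```python
import re

# Pseudowire (VC) type codes from RFC 4446. The page states PPP = 7 and shows
# vc type 2 for AAL5 SDU; FR DLCI (1) and HDLC (6) are taken from the RFC.
VC_TYPE_NAMES = {1: "Frame Relay DLCI", 2: "ATM AAL5 SDU", 6: "HDLC", 7: "PPP"}

# Header line of a debug mpls l2transport signaling message record, as printed on the page.
HEADER = re.compile(
    r"^\*(?P<ts>\w{3} +\d+ [\d:.]+): AToM LDP \[(?P<peer>[\d.]+)\]: "
    r"(?P<action>Received|Sending) label (?P<msg>withdraw|release|mapping) msg"
    r"(?:, id (?P<id>\d+))?")
# Continuation line carrying the Pseudowire ID FEC fields.
FIELDS = re.compile(
    r"vc type (?P<vc_type>\d+), cbit (?P<cbit>\d), vc id (?P<vc_id>\d+), "
    r"group id (?P<group>\d+), vc label (?P<label>\d+), status (?P<status>\d+), "
    r"mtu (?P<mtu>\d+)")


def parse_signaling(text):
    """Pair each header line with its 'vc type ...' continuation line."""
    msgs, pending = [], None
    for line in text.splitlines():
        h = HEADER.search(line)
        if h:
            pending = dict(h.groupdict())
            pending["id"] = int(pending["id"]) if pending["id"] else None
            continue
        f = FIELDS.search(line)
        if f and pending:
            pending.update({k: int(v) for k, v in f.groupdict().items()})
            pending["vc_type_name"] = VC_TYPE_NAMES.get(pending["vc_type"], "unknown")
            msgs.append(pending)
            pending = None
    return msgs


def bounce_sequence(msgs, vc_id):
    """Message types seen for one VC ID, in order of appearance."""
    return [m["msg"] for m in msgs if m["vc_id"] == vc_id]


def check_bounce(msgs, vc_id):
    """Verify the withdraw -> release -> mapping cycle the text describes and that
    the new mapping advertises a usable pseudowire (MTU present, status 0, cbit set)."""
    seq = bounce_sequence(msgs, vc_id)
    if seq != ["withdraw", "release", "mapping"]:
        return {"ok": False, "reason": "unexpected sequence %r" % seq}
    final = [m for m in msgs if m["vc_id"] == vc_id and m["msg"] == "mapping"][-1]
    problems = []
    if final["mtu"] == 0:
        problems.append("mapping carries no MTU")
    if final["status"] != 0:
        problems.append("status %d" % final["status"])
    if not final["cbit"]:
        problems.append("control word not requested")
    return {"ok": not problems, "reason": "; ".join(problems),
            "vc_type": final["vc_type_name"], "mtu": final["mtu"], "label": final["label"]}


# Constructed sample: Example 8-17 (PPP, VC 60) plus the AAL5 withdraw (vc type 2, VC 100)
# shown later in the chapter; the NewYork# prompt is deliberately kept as noise.
SAMPLE = """\
*May 19 16:19:44.995: AToM LDP [10.0.0.201]: Received label withdraw msg, id 1822, graceful restart instance 2
 vc type 7, cbit 1, vc id 60, group id 0, vc label 20, status 0, mtu 0
*May 19 16:19:45.203: AToM LDP [10.0.0.201]: Sending label release msg
 vc type 7, cbit 1, vc id 60, group id 0, vc label 20, status 0, mtu 0
NewYork#
*May 19 16:20:40.071: AToM LDP [10.0.0.201]: Received label mapping msg, id 1825, graceful restart instance 2
 vc type 7, cbit 1, vc id 60, group id 0, vc label 20, status 0, mtu 1500
*May 19 16:51:40.207: AToM LDP [10.0.0.203]: Received label withdraw msg, id 3340
 vc type 2, cbit 1, vc id 100, group id 3, vc label 21, status 0, mtu 0
"""

if __name__ == "__main__":
    records = parse_signaling(SAMPLE)
    for r in records:
        print(r["ts"], r["action"], r["msg"], "vc", r["vc_id"], r["vc_type_name"], "mtu", r["mtu"])
    print(check_bounce(records, 60))   # complete cycle, PPP, MTU 1500
    print(check_bounce(records, 100))  # only a withdraw seen so far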
PPPoMPLS

It is also useful to capture AToM packets to fully understand the encapsulation. You can do this with the command debug mpls l2transport packet data, as shown in Example 8-18.

Example 8-18. Capturing and Decoding PPPoMPLS Packets
SanFran#debug mpls l2transport packet data
*May 19 17:33:26.916: ATOM imposition: out Et1/0, size 128, EXP 0x0, seq 0, control word 0x0
*May 19 17:33:26.916: XX XX XX XX XX XX YY YY YY YY YY YY 88 47 00 01
                      ^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^ ^^^^^ ^^^^^
                      SA MAC            DA MAC            |     top_shim-->
                                                          etype = MPLS Unicast
*May 19 17:33:26.916: 00 FF 00 01 41 02 00 00 00 00 00 21 45 00 00 64
*May 19 17:33:26.932: ATOM disposition: in Et1/0, size 102, seq 0, control word 0x0
*May 19 17:33:26.932: 00 21 45 00 00 64 00 FA 00 00 FF 01 2D 4B C0 A8
                      ^^^^^ ^^^^^...
                      |     Begins IP Packet
                      PPP DLL Protocol # = IPv4
*May 19 17:33:26.932: 06 02 C0 A8 06 01 00 00 73 C8 00 0F 00 02 00 00
*May 19 17:33:26.932: 00 00 0A E9 07 88 AB CD AB CD AB CD AB CD AB CD
*May 19 17:33:26.932: AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
*May 19 17:33:26.932: AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
*May 19 17:33:26.932: AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
*May 19 17:33:26.932: AB CD AB CD AB CD
As noted before, the output of the debug command displays the complete packet for imposition operations. It displays only the AToM payload for disposition actions.

Example 8-19 shows the new RAW adjacency that is created for PPPoMPLS.

Example 8-19. PPPoMPLS RAW Adjacency
SanFran#show adjacency serial 6/0 detail
Protocol Interface                 Address
RAW      Serial6/0                 point2point(4)
                                   0 packets, 0 bytes
                                   FF03
                                   Raw
                                   never
                                   Epoch: 0
SanFran#
From Example 8-19, you can see that the rewrite that was null for HDLCoMPLS has become 0xFF03. These two bytes are no more than the two bytes (Address and Control) from each PPP packet that are stripped in imposition and regenerated at disposition. They make the encapsulation that is prepended to the packet switched through this adjacency.
Figure 8-13. Frame Relay DLCI over MPLS Case Study Topology
In Frame Relay DLCI mode, PE and CE routers run Frame Relay LMI between them. If you instead tunnel and transport Frame Relay in port mode using HDLCoMPLS, the LMI session runs between CE devices. If those CE devices are Frame Relay switches, configure them to run LMI NNI. If the CEs are routers, configure one end as LMI DCE and leave the other as the default LMI DTE. Alternatively, configure both routers as LMI NNI so that the CE can provide status information about its DLCIs to the PE.
The general PE configuration for a PE that is running Frame Relay DLCI over MPLS (also known as Frame Relay DLCI-Mode AToM) is shown in Example 8-20. The configuration in the NewYork PE is parallel to this one.

Example 8-20. FRoMPLS PE Configuration
SanFran#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SanFran(config)#frame-relay switching
SanFran(config)#interface serial7/0
SanFran(config-if)#encapsulation frame-relay ietf
SanFran(config-if)#frame-relay intf-type dce
SanFran(config-if)#no shutdown
SanFran(config-if)#exit
SanFran(config)#
SanFran(config)#connect frompls serial7/0 100 l2transport
SanFran(config-fr-pw-switching)#xconnect 10.0.0.203 70 encapsulation mpls
SanFran(config-fr-pw-switching)#end
SanFran#
In Example 8-20, the global command frame-relay switching is enabled. This is required so that Frame Relay LMI types DCE or NNI can be enabled later.

Next, create a "switched" Frame Relay PVC by using the global command connect extended with the l2transport keyword. You apply the xconnect command under the connect configuration mode (fr-pw-switching).
Note
You can configure the MTU on a switched Frame Relay PVC (pseudowire endpoint) basis
A Frame Relay map-class is defined, including all the desired Frame Relay parameter values. Then this map-class is applied to the Frame Relay PVC using the class command.
SanFran#show connection
ID    Name              Segment 1                  Segment 2                  State
===========================================================================
4     frompls           Se7/0 100                  10.0.0.203 70              UP
SanFran#show connection id 4
FR/Pseudo-Wire Connection: 4 - frompls
  Status    - UP
  Segment 1 - Serial7/0 DLCI 100
    Segment status: UP
    Line status: UP
    PVC status: ACTIVE
    NNI PVC status: ACTIVE
  Segment 2 - 10.0.0.203 70
    Segment status: UP
    Requested AC state: UP
    PVC status: ACTIVE
    NNI PVC status: ACTIVE
SanFran#
Example 8-24. Verifying the Status of the FRoMPLS VC
SanFran#show mpls l2transport vc 70
Local intf     Local circuit      Dest address    VC ID      Status
-------------  ------------------ --------------- ---------- ----------
Se7/0          FR DLCI 100        10.0.0.203      70         UP
SanFran#show mpls l2transport vc 70 detail
Local interface: Se7/0 up, line protocol up, FR DLCI 100 up
  Destination address: 10.0.0.203, VC ID: 70, VC status: up
    Preferred path: not configured
    Default path: active
    Tunnel label: 16, next hop 10.1.1.202
    Output interface: Et1/0, imposed label stack {16 21}
  Create time: 00:47:09, last status change time: 00:47:08
  Signaling protocol: LDP, peer 10.0.0.203:0 up
    MPLS VC labels: local 22, remote 21
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description:
  Sequencing: receive disabled, send disabled
  Sequence number: receive 0, send 0
  VC statistics:
    packet totals: receive 317, send 346
    byte totals: receive 110374, send 119708
    packet drops: receive 0, seq error 0, send 0
SanFran#
This output is similar to other Layer 2 protocols that are transported over MPLS, but the VC Type is displayed as FR DLCI followed by the DLCI number.
Example 8-25 shows the command show frame-relay pvc in PE and CE routers for comparison. See the difference highlighted in the DLCI Usage field (Local for the CE and Switched for the PE) and the additional counters on the PE side. This command also shows the PVC status.

Example 8-25. Verifying the Status of the FRoMPLS Frame Relay PVC

SanFran#show frame-relay pvc interface serial 7/0 100
Value       Definition

DLCI USAGE
LOCAL
SWITCHED    If DLCI is configured and the router is acting as a switch.
UNUSED

STATUS
STATIC      If keepalives (Frame Relay LMI) are disabled.
DELETED     If DLCI is defined on the router (Frame Relay DTE) but not the switch (Frame Relay DCE).
INACTIVE    If DLCI is defined on the switch (Frame Relay DCE) but the PVC is not up (that is, network, AToM, VC failure).
ACTIVE      If DLCI is defined on the switch (Frame Relay DCE) and is enabled.
The highlighted lines show the different state transition changes starting from the attachment circuit being set to up, the connect segment being set to up, the Frame Relay NNI PVC being set to active, and the circuit state being set to up. Example 8-27 shows a capture and decode of an FRoMPLS packet. The packet dump was generated in the same way as the other case studies by using the command debug mpls l2transport packet data. Refer to Figure 8-5 for comparison of the Frame Relay packets.
... control word 0x0
*May 19 19:14:41.080: XX XX XX XX XX XX YY YY YY YY YY YY 88 47 00 01
                      ^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^ ^^^^^ ^^^^^
                      SA MAC            DA MAC            |     top_shim-->
                                                          etype = MPLS Unicast
*May 19 19:14:41.080: 00 FF 00 01 51 02 00 00 00 00 03 CC 45 00 00 64
                      ^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^ ^^ ^^ ^^^^^...
                      <--top_shim VC_Label Ctrl-word |  |  Begins IP Packet
                      Label=16 Label=21              |  NLPID = IP (0xCC)
                      S=0      S=1                   Control = 0x03
                      TTL=255  TTL=2
*May 19 19:14:41.080: 01 11 00 00 FF 01 2B 34 C0 A8 07 01 C0 A8 07 02
*May 19 19:14:41.080: 08 00 BC 31 00 14 00 03 00 00 00 00 0B 45 B6 BC
*May 19 19:14:41.080: AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
*May 19 19:14:41.080: AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
*May 19 19:14:41.080: AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
*May 19 19:14:41.080: AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
*May 19 19:14:41.104: ATOM disposition: in Et1/0, size 102, seq 0, control word 0x0
*May 19 19:14:41.104: 03 CC 45 00 00 64 01 11 00 00 FF 01 2B 34 C0 A8
                      ^^ ^^ ^^^^^...
                      |  |  Begins IP Packet
                      |  NLPID = IP (0xCC)
                      Control = 0x03
*May 19 19:14:41.104: 07 02 C0 A8 07 01 00 00 C4 31 00 14 00 03 00 00
*May 19 19:14:41.104: 00 00 0B 45 B6 BC AB CD AB CD AB CD AB CD AB CD
*May 19 19:14:41.104: AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
*May 19 19:14:41.104: AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
*May 19 19:14:41.104: AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
*May 19 19:14:41.104: AB CD AB CD AB CD
You can see that the IP NLPID of 0xCC is used. For Frame Relay IETF encapsulation, Cisco IOS uses the NLPID value when one is available; otherwise, it uses a SNAP header with NLPID 0x80.
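The offline hand decoding performed in Examples 8-12, 8-18 and 8-27 (Ethernet header, MPLS label stack, control word with the sequence number in its rightmost 2 bytes, then the HDLC, PPP or Frame Relay header that the PE keeps in front of the IP packet) can be done by a small decoder. The following Python script is an added example; it is not code from the book or from Cisco IOS. Its assumptions: the XX/YY MACs of the dumps are replaced with two made-up addresses; pseudowire type codes follow RFC 4446 (the page shows only 0x0007 for PPP and 2 for AAL5 SDU, the HDLC and FR DLCI codes are from the RFC); the PPP and Frame Relay sample frames are constructed hybrids that put the Example 8-12 IP packet behind the L2 headers and VC labels of Examples 8-18 and 8-27; and the 0xB59 control word of Example 8-12 is written into a constructed frame, because the disposition dump shows only the payload.

```python
import struct

# Pseudowire (VC) type codes from RFC 4446. The page shows 0x0007 (PPP) and 2 (AAL5 SDU);
# the HDLC and FR DLCI codes are from the RFC.
PW_TYPES = {0x0001: "Frame Relay DLCI", 0x0002: "ATM AAL5 SDU", 0x0006: "HDLC", 0x0007: "PPP"}
ETYPE_MPLS_UNICAST = 0x8847


def hexbytes(text):
    """Turn debug-style hex ('45 00 00 64 ...') into bytes."""
    return bytes.fromhex(text)


def parse_label_stack(data, off):
    """Walk 4-byte shim entries (label 20 | EXP 3 | S 1 | TTL 8) until the S bit is set."""
    labels = []
    while True:
        entry, = struct.unpack_from("!I", data, off)
        off += 4
        labels.append({"label": entry >> 12, "exp": (entry >> 9) & 0x7,
                       "s": (entry >> 8) & 0x1, "ttl": entry & 0xFF})
        if labels[-1]["s"]:
            return labels, off


def parse_control_word(data, off):
    """RFC 4385 control word: 0000 | flags(4) | FRG(2) | length(6) | sequence(16).
    The sequence number is the rightmost 2 bytes, as the text states."""
    cw, = struct.unpack_from("!I", data, off)
    return {"raw": cw, "flags": (cw >> 24) & 0xF, "length": (cw >> 16) & 0x3F,
            "seq": cw & 0xFFFF}, off + 4


def parse_l2_header(pw_type, data, off):
    """Decode what the PE left in front of the IP packet for each pseudowire type."""
    if pw_type == 0x0006:  # HDLC: address (0x0F unicast), control and protocol are carried
        addr, ctrl, proto = struct.unpack_from("!BBH", data, off)
        return {"address": addr, "control": ctrl, "protocol": proto,
                "unicast": addr == 0x0F}, off + 4
    if pw_type == 0x0007:  # PPP: FF 03 stripped, only the protocol field (0x0021 = IPv4) stays
        proto, = struct.unpack_from("!H", data, off)
        return {"protocol": proto}, off + 2
    if pw_type == 0x0001:  # FR DLCI: Q.922 header stripped, control (0x03) + NLPID (0xCC) stay
        ctrl, nlpid = struct.unpack_from("!BB", data, off)
        return {"control": ctrl, "nlpid": nlpid, "snap": nlpid == 0x80}, off + 2
    raise ValueError("no L2 decoder for pseudowire type 0x%04x" % pw_type)


def decode_imposition(frame, pw_type):
    """Decode a complete imposition frame: Ethernet, label stack, control word, L2, IP."""
    etype, = struct.unpack_from("!H", frame, 12)
    if etype != ETYPE_MPLS_UNICAST:
        raise ValueError("etype 0x%04x is not MPLS unicast" % etype)
    labels, off = parse_label_stack(frame, 14)
    cw, off = parse_control_word(frame, off)
    l2, off = parse_l2_header(pw_type, frame, off)
    ver_ihl, _tos, total_len = struct.unpack_from("!BBH", frame, off)
    return {
        "pw_type": PW_TYPES[pw_type],
        "tunnel_label": labels[0]["label"], "vc_label": labels[-1]["label"],
        "labels": labels, "control_word": cw, "l2": l2,
        "ip": {"version": ver_ihl >> 4, "total_length": total_len,
               "protocol": frame[off + 9],
               "src": ".".join(str(b) for b in frame[off + 12:off + 16]),
               "dst": ".".join(str(b) for b in frame[off + 16:off + 20])},
        "size": len(frame),
    }


# --- constructed samples ---------------------------------------------------
# The XX/YY MACs of the dumps are placeholders; these two addresses are made up.
MACS = hexbytes("00 00 00 00 00 01 00 00 00 00 00 02")
# The 100-byte ICMP echo request from the Example 8-12 imposition dump (192.168.5.1 -> .5.2).
IP_ECHO = hexbytes(
    "45 00 00 64 00 32 00 00 FF 01 30 13 C0 A8 05 01 C0 A8 05 02 "
    "08 00 03 A7 00 06 00 04 00 00 00 00 07 C1 72 D8" + " AB CD" * 32)


def build_frame(label_bytes, control_word, l2_header, ip_packet):
    """Assemble an imposition frame in the layout the dumps show."""
    return (MACS + b"\x88\x47" + hexbytes(label_bytes) + struct.pack("!I", control_word)
            + hexbytes(l2_header) + ip_packet)


# Example 8-12 as dumped: tunnel label 16 (S=0, TTL 255), VC label 19 (S=1, TTL 2), HDLC 0F 00 08 00.
HDLC_FRAME = build_frame("00 01 00 FF 00 01 31 02", 0x0, "0F 00 08 00", IP_ECHO)
# Constructed hybrids: same IP packet behind the PPP (00 21) and FR (03 CC) headers and the
# VC labels 20 and 21 of Examples 8-18 and 8-27.
PPP_FRAME = build_frame("00 01 00 FF 00 01 41 02", 0x0, "00 21", IP_ECHO)
FR_FRAME = build_frame("00 01 00 FF 00 01 51 02", 0x0, "03 CC", IP_ECHO)
# Constructed: HDLC frame carrying the control word the Example 8-12 disposition reports (0xB59).
SEQ_FRAME = build_frame("00 01 00 FF 00 01 31 02", 0x00000B59, "0F 00 08 00", IP_ECHO)

if __name__ == "__main__":
    for name, frame, pw in (("HDLC", HDLC_FRAME, 0x0006), ("PPP", PPP_FRAME, 0x0007),
                            ("FR", FR_FRAME, 0x0001), ("HDLC seq", SEQ_FRAME, 0x0006)):
        d = decode_imposition(frame, pw)
        print(name, "size", d["size"], "labels", [x["label"] for x in d["labels"]],
              "seq", d["control_word"]["seq"], d["l2"], d["ip"])
```

Running it reproduces the fields the hand decoding arrived at: labels 16/19 with S=0/S=1 and TTL 255/2, a 130-byte HDLC frame and 128-byte PPP and FR frames (the sizes the debug summary lines report), and sequence number 2905 for the 0xB59 control word.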
Case Study 8-4: ATM AAL5 SDU over MPLS

The final two case studies explore the transport of ATMoMPLS. In particular, Case Study 8-4 analyzes AAL5 SDU over MPLS. The topology used is shown in Figure 8-14.
The configuration of AAL5oMPLS SDU mode only applies to an ATM VC. AAL5 VP or port modes are nonexistent. To configure AAL5oMPLS, you create an ATM PVC with the l2transport keyword and then apply the following two configuration steps under an ATM PVC configuration mode:

Step 1. Configure the encapsulation as encapsulation aal5.

Step 2.

Example 8-28 shows a sample configuration for the SanFran and NewYork PE nodes.

Example 8-28. Configuring AAL5oMPLS PEs
SanFran#show running-config interface ATM 4/0.1
Building configuration...

Current configuration : 230 bytes
!
interface ATM4/0.1 point-to-point
 description *** AAL5 SDU AToM to Oakland ***
 pvc 0/100 l2transport
  encapsulation aal5
  xconnect 10.0.0.203 100 encapsulation mpls
 !
end
SanFran#
The CE configuration is no different than if the CE routers were connected to a traditional ATM
switch (see Example 8-29).
  oam-pvc manage
 !
end
Oakland#

Albany#show running-config interface ATM 3/0.1
Building configuration...

Current configuration : 147 bytes
!
interface ATM3/0.1 point-to-point
 ip address 192.168.1.2 255.255.255.252
 pvc 0/100
  oam-pvc manage
 !
end
Albany#
One of the first things you can verify is the pseudowire status and details. You can use the command show mpls l2transport vc (see Example 8-31).
  Giants: 0
  OAM cells received: 340
  OAM cells sent: 340
  Status: UP
Oakland#
SanFran#show atm vc interface ATM 4/0.1 detail
ATM4/0.1: VCD: 1, VPI: 0, VCI: 100
UBR, PeakRate: 149760
AAL5 L2transport, etype:0xF, Flags: 0x10000C2E, VCmode: 0x0
OAM Cell Emulation: not configured
Interworking Method: like to like
Remote Circuit Status = No Alarm, Alarm Type = None
InPkts: 496, OutPkts: 216, InBytes: 34359772357, OutBytes: 12677
InPRoc: 0, OutPRoc: 0
InFast: 156, OutFast: 216, InAS: 0, OutAS: 0
InPktDrops: 0, OutPktDrops: 0
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0
Out CLP=1 Pkts: 0
OAM cells received: 340
OAM cells sent: 29
Status: UP
SanFran#
By contrasting the output of the display of the ATM PVC in the PE and CE routers, you can see the following:

The encapsulation type that is displayed for the CE is AAL5-LLC/SNAP (although it could have been AAL5-MUX or something else), whereas for the PE PVC it is always AAL5 l2transport.

The CE PVC shows OAM configuration (OAM frequency), whereas the PE PVC displays OAM Cell Emulation configuration. You can enable cell emulation by using the commands oam-ac emulation-enable and oam-pvc manage so that the PE locally terminates OAM cells (as opposed to transporting them).

The PE PVC shows AToM-specific information such as the remote pseudowire status and the interworking type.
The OAM cells received and sent counters have a slightly different interpretation. On the Oakland CE router, the OAM cells received and sent counters display the total number of OAM cells that are received from and sent to the Albany CE. On the SanFran PE router, the OAM counter for received cells displays the total number of OAM cells from the Oakland CE. These cells are encapsulated in an AToM packet as cells (setting the T-bit in the required AAL5oMPLS SDU mode control word) and sent to the remote PE router NewYork. However, the OAM cells sent counter in the PE router does not count the OAM cells received in AToM packets from the remote NewYork PE and sent to the Oakland CE router. It counts the OAM cells that are generated from the SanFran PE, which explains the number discrepancy (see Example 8-34).
SanFran#
*May 19 16:51:40.207: AToM LDP [10.0.0.203]: Received label withdraw msg, id 3340
vc type 2, cbit 1, vc id 100, group id 3, vc label 21, status 0, mtu 0
*May 19 16:51:40.207: ATM VC alarm condition: remote acircuit DOWN for ATM4/0.1:VC#1 0/100
*May 19 16:51:40.207: atm_oam_setstate - VCD#1, VC 0/100: newstate = AIS Xmitted
*May 19 16:51:40.207: F5 OAM alarm: AIS sent, VC#1 0/100 ATM4/0.1
*May 19 16:51:40.207: atm_oam_start_timer VC = 1, curr_q_index = 19016 q_index = 19047, freq = 1000, cnt = 0 div = 31
*May 19 16:51:40.207: atm_oam_start_timer VC = 1, q_index = 19047, freq = 1000 cnt = 0
*May 19 16:51:40.207: ATM VC alarm condition: remote acircuit DOWN for ATM4/0.1:VC#1 0/100
Configuring CRoMPLS
The configuration steps to set up the cell relay transport of an ATM VC are similar to those
required to configure AAL5 transport. The difference is that under the l2transport PVC
configuration, the encapsulation is specified as aal0, implying no adaptation layer (raw cells).
interface ATM4/0.2 point-to-point
 description *** Cell VC AToM to Oakland ***
 pvc 0/200 l2transport
  encapsulation aal0
  xconnect 10.0.0.203 200 encapsulation mpls
!
end
SanFran#
! Configuring Cell Relay over MPLS Port Mode
interface ATM 6/0
 xconnect 10.0.0.200 500 encapsulation mpls
You can see from Example 8-36 that you only need the encapsulation aal0 command in VC
mode, where it is necessary to distinguish between AAL5 and cell transport.
In Example 8-37, the MTU that is advertised appears as null. The method and reason for this will
become clear in this section.
Given that the transport of cells is inherently different from the transport of packets, some
differences exist in the AToM pseudowire setup. See the output of the command show mpls
l2transport vc in Example 8-38.
Example 8-38. Verifying the ATM Cell over MPLS VC
SanFran#show mpls l2transport vc 200
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------  --------------- ---------- ----------
AT4/0.2        ATM VCC CELL 0/200         10.0.0.203      200        UP
SanFran#show mpls l2transport vc 200 detail
Local interface: AT4/0.2 up, line protocol up, ATM VCC CELL 0/200 up
  Destination address: 10.0.0.203, VC ID: 200, VC status: up
    Preferred path: not configured
    Default path: active
    Tunnel label: 16, next hop 10.0.1.203
    Output interface: Fa0/0, imposed label stack {16 20}
  Create time: 1d23h, last status change time: 00:08:05
  Signaling protocol: LDP, peer 10.0.0.203:0 up
    MPLS VC labels: local 21, remote 20
    Group ID: local 0, remote 3
    MTU: local n/a, remote n/a
    Remote interface description: *** Cell VC AToM to Albany ***
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 0, send 1
    byte totals:   receive 0, send 60
    packet drops:  receive 0, send 0
From Example 8-39, you can see again that the MTU value does not apply to the transport of ATM
cells over MPLS. The pseudowire comes up even if the MTUs in the two attachment circuits differ.
However, a new interface parameter is advertised and displayed in the bindings. This new
interface parameter is the maximum number of concatenated ATM cells, also known as the
maximum number of cells packed (MNCP). This advertised parameter specifies the maximum
number of packed cells that the egress PE can process in a single AToM packet disposition. The
MNCP value defaults to 1, meaning that by default only one ATM cell is included in an AToM
packet. This subject is covered in more detail in the upcoming section "Case Study 8-8: Packed
Cell Relay over MPLS."
From a fault management perspective, the pseudowire status is conveyed to the CE device's ATM
endpoints by using AIS of the appropriate hierarchy. The following alarm indications are sent out
of the AC for each of the ATM transport modes if the VC label is withdrawn because of an MPLS
core network or remote AC failure:
VC Mode F5 (VC-level) AIS OAM cells are sent. Note that this applies to both AAL5oMPLS and
CRoMPLS VC Mode.
VP Mode F4 (VP-level) AIS OAM cells are sent.
Port Mode Line (for example Layer 1 SONET-level) AIS is sent.
This section analyzes four additional case studies. The first two case studies present additional details
about LDP signaling of pseudowires and specifics about Cisco implementation, including techniques so
that you can understand hardware specifics and documentation matrices. Although these two case
studies use WAN transport over MPLS examples, they are applicable to all other Layer 2 transports.
Finally, this section includes two advanced cases of ATMoMPLS, namely ATM cell packing and a
detailed comparison of different AToM transports for ATM VCs.
Case Study 8-6: Decoding LDP Label Mapping and Pseudowire ID FEC Elements
            .... ...1 = PWE3 Control Word: True
            .... ..1. = MPLS Router Alert: True
        CV Type
            .... ...0 = ICMP Ping: False
            .... ..1. = LSP Ping: True
            .... .0.. = BFD: False
    Generic Label TLV
        00.. .... = TLV Unknown bits: Known TLV, do not Forward (0x00)
        TLV Type: Generic Label TLV (0x200)
        TLV Length: 4
        Generic Label: 19
From Example 8-40, you can see that the LDP label mapping message is sent from SanFran (LDP ID
10.0.0.201) and contains two type, length, value (TLV) triplets to provide the FEC-to-label mapping
(FEC <-> label):
FEC TLV The FEC TLV includes one FEC element of Type 128 (Virtual Circuit FEC), as discussed
in Chapter 6. This FEC element includes the following information:
    Control word present
    VC Type 0x0006 for HDLC
    Group ID 5
    VC ID 50
    A set of interface parameters:
        MTU interface parameter
        Interface description
        VCCV capabilities of control channel (CC) and connectivity verification (CV)
Generic Label TLV This TLV advertises label 19 for the previously referenced FEC.
Note
It is interesting to note the value for the Group ID of 5. The Group ID is an arbitrary 32-bit
number that represents a group of pseudowires (a second degree of freedom by creating
groups in the VC ID space). These groups are per LDP peer, meaning that VC IDs with the
same Group ID belong to the same group if they belong to the same peer. The Group ID
provides a superficial incremental benefit when sending one LDP label withdrawal message
to a given peer for the group of VCs instead of multiple individual withdrawals for each VC.
Earlier releases of Cisco IOS Software used the Interface Index of the main hardware
interface descriptor block (IDB) as the Group ID. For example, for a VLAN attachment
circuit in interface Gigabit-Ethernet 1/0.100, the Group ID used to be the IfIndex for
GigabitEthernet 1/0. This way, wildcard label withdrawals or notifications could be sent on
physical port failure. However, because of the limited benefit of the wildcard withdrawal,
current releases of Cisco IOS software set the Group ID to 0 for all pseudowires, and
wildcard withdraw messages are not sent. For ATM ACs, a non-zero value is still used, but
wildcard withdrawals are not sent.
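The PWid (Type 128) FEC element decoded in Example 8-40, as an added encoder/parser in Python that is not code from the book or from Cisco IOS. The sub-TLV IDs (MTU 0x01, max concatenated ATM cells 0x02, description 0x03, VCCV 0x0C) and the VC type 0x0009 for ATM VCC cell transport are taken from draft-martini/RFC 4446, and the MTU value and description used for the HDLC case are constructed because the page does not show them.

```python
import struct

# PWid FEC element type and the interface-parameter sub-TLV IDs it carries
# (draft-martini / RFC 4446 values; the Ethereal decode on the page names them but not their numbers).
PWID_FEC_TYPE = 0x80
IFP_MTU = 0x01            # Interface MTU, 2-byte value
IFP_MAX_ATM_CELLS = 0x02  # Maximum number of concatenated ATM cells (MNCP), 2-byte value
IFP_DESCRIPTION = 0x03    # Optional interface description string
IFP_VCCV = 0x0C           # VCCV capability: CC-types byte, CV-types byte

# VCCV bits exactly as shown in the decode of Example 8-40
CC_CONTROL_WORD, CC_ROUTER_ALERT = 0x01, 0x02
CV_ICMP_PING, CV_LSP_PING, CV_BFD = 0x01, 0x02, 0x04


def encode_pwid_fec(pw_type, group_id, pw_id, control_word,
                    mtu=None, max_cells=None, description=None, vccv=None):
    """Build one PWid FEC element (Type 128) with optional interface parameters."""
    params = b""
    if mtu is not None:                       # absent for ATM cell transport ("MTU: n/a")
        params += struct.pack("!BBH", IFP_MTU, 4, mtu)
    if max_cells is not None:                 # advertised for cell relay, see Example 8-44
        params += struct.pack("!BBH", IFP_MAX_ATM_CELLS, 4, max_cells)
    if description is not None:
        text = description.encode("ascii")[:80]
        params += struct.pack("!BB", IFP_DESCRIPTION, 2 + len(text)) + text
    if vccv is not None:
        cc, cv = vccv
        params += struct.pack("!BBBB", IFP_VCCV, 4, cc, cv)
    c_and_type = (0x8000 if control_word else 0) | (pw_type & 0x7FFF)   # C bit + 15-bit type
    info_len = 4 + len(params)               # PW ID field plus interface parameters
    header = struct.pack("!BHB", PWID_FEC_TYPE, c_and_type, info_len)
    return header + struct.pack("!II", group_id, pw_id) + params


def decode_pwid_fec(data):
    """Parse a PWid FEC element back into its fields, rejecting truncated or malformed input."""
    if len(data) < 12:
        raise ValueError("PWid FEC element shorter than its fixed header")
    fec_type, c_and_type, info_len = struct.unpack_from("!BHB", data, 0)
    if fec_type != PWID_FEC_TYPE:
        raise ValueError("not a PWid FEC element: type 0x%02x" % fec_type)
    end = 8 + info_len                        # header (4) + Group ID (4) + PW ID (4) + params
    if info_len < 4 or end > len(data):
        raise ValueError("PW info length does not fit the element")
    group_id, pw_id = struct.unpack_from("!II", data, 4)
    params, off = {}, 12
    while off < end:
        if off + 2 > end:
            raise ValueError("truncated interface parameter sub-TLV")
        pid, plen = data[off], data[off + 1]
        if plen < 2 or off + plen > end:      # length counts the ID and length bytes themselves
            raise ValueError("interface parameter length %d overruns the element" % plen)
        value = data[off + 2:off + plen]
        if pid in (IFP_MTU, IFP_MAX_ATM_CELLS) and len(value) == 2:
            params["mtu" if pid == IFP_MTU else "max_cells"] = struct.unpack("!H", value)[0]
        elif pid == IFP_DESCRIPTION:
            params["description"] = value.decode("ascii", errors="replace")
        elif pid == IFP_VCCV and len(value) == 2:
            cc, cv = value[0], value[1]
            params["vccv"] = {"control_word": bool(cc & CC_CONTROL_WORD),
                              "router_alert": bool(cc & CC_ROUTER_ALERT),
                              "icmp_ping": bool(cv & CV_ICMP_PING),
                              "lsp_ping": bool(cv & CV_LSP_PING),
                              "bfd": bool(cv & CV_BFD)}
        else:                                 # unknown or oddly sized parameter: keep raw bytes
            params.setdefault("unknown", []).append((pid, value))
        off += plen
    return {"control_word": bool(c_and_type & 0x8000), "pw_type": c_and_type & 0x7FFF,
            "group_id": group_id, "pw_id": pw_id, "params": params}


# The HDLC pseudowire of Example 8-40: VC type 0x0006, Group ID 5, VC ID 50, control word,
# CC = control word + router alert, CV = LSP ping. MTU and description are constructed.
HDLC_FEC = encode_pwid_fec(0x0006, 5, 50, True, mtu=1500,
                           description="hypothetical HDLC AC", vccv=(0x03, 0x02))
# The packed-cell pseudowire of Example 8-44: no MTU, MNCP of 10 cells, Group ID 5, VC ID 300.
# VC type 0x0009 (ATM VCC cell transport) is assumed for the "ATM VCC CELL" display.
CELL_FEC = encode_pwid_fec(0x0009, 5, 300, True, max_cells=10,
                           description="*** Packed Cell VC AToM to Oakland ***", vccv=(0x03, 0x02))

if __name__ == "__main__":
    for name, fec in (("HDLC", HDLC_FEC), ("ATM cell", CELL_FEC)):
        print(name, fec.hex(), decode_pwid_fec(fec))
```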
PA-A1 in slot 3 that does not support AToM
PA-A3 version 2.0 in slot 4 that does support AToM
First issue the command specifying the ATM PA that does not support ATM transport. See Example 8-41
for abbreviated output. Core functionality refers to a core-facing PE interface, and Edge
functionality refers to an edge-facing PE interface.
Example 8-41. Unsupported AToM Layer 2 Transport Hardware Capability
C7206VXR#show mpls l2transport hw-capability interface ATM 3/0
Interface ATM3/0
!Output omitted for brevity
  Transport type ATM AAL5
    Core functionality:
      MPLS label disposition supported
      Control word processing supported
      Sequence number processing not supported
      VCCV Type 1 processing supported
    Edge functionality:
      Not supported
  Transport type ATM CELL
    Core functionality:
      MPLS label disposition supported
      Control word processing not supported
      Sequence number processing not supported
      VCCV Type 1 processing not supported
    Edge functionality:
      Not supported
!Output omitted for brevity
  Transport type ATM VCC CELL
    Core functionality:
      MPLS label disposition supported
      Control word processing supported
      Sequence number processing not supported
  Transport type ATM VPC CELL
    Core functionality:
      MPLS label disposition supported
      Control word processing supported
      Sequence number processing not supported
      VCCV Type 1 processing supported
    Edge functionality:
      Not supported
C7206VXR#
Example 8-42. Supported AToM Layer 2 Transport Hardware Capability
In Example 8-42, you can see that imposition functions are supported for all AToM ATM transport.
Specific information about ATM transport features is also included in the command output.
This procedure enables you to check the hardware dependencies without having to check support
matrices.
Specifying the maximum number of cells to be concatenated in an MPLS packet and the
timer that is available for use. You perform this step at the l2transport PVC configuration.
The configuration for the SanFran side is shown in Example 8-43. It highlights the specific cell packing
commands.
SanFran#show running-config interface ATM 4/0.3
Building configuration...

Current configuration : 296 bytes
!
interface ATM4/0.3 point-to-point
 description *** Packed Cell VC AToM to Oakland ***
 pvc 0/300 l2transport
  encapsulation aal0
  cell-packing 10 mcpt-timer 2
  xconnect 10.0.0.203 300 encapsulation mpls
 !
end

SanFran#
Three interface level timers are configured with the atm mcpt-timers command. They are shared by
all Layer 2 transport VCs and VPs under that interface and its subinterfaces.
Verifying Cell Packing Configuration and Operation
You advertise the max cells to be packed by adding a new interface parameter to the LDP label
mapping message (see Example 8-44). As mentioned earlier in the "Encapsulations and Packet
Format for Cell Transport" section, the MTU interface parameter does not apply to ATM Cell transport
and is not advertised.
Example 8-44. Packed Cell Relay Verification
SanFran#show mpls l2transport binding 300
  Destination Address: 10.0.0.203, VC ID: 300
    Local Label: 18
        Cbit: 1,    VC Type: ATM VCC CELL,    GroupID: 5
        MTU: n/a,   Interface Desc: *** Packed Cell VC AToM to Oakland ***
        Max Concatenated ATM Cells: 10
        VCCV Capabilities: Type 1, Type 2
    Remote Label: 18
        Cbit: 1,    VC Type: ATM VCC CELL,    GroupID: 2
        MTU: n/a,   Interface Desc: *** Packed Cell VC AToM to Albany ***
        Max Concatenated ATM Cells: 10
        VCCV Capabilities: Type 1, Type 2
SanFran#
To fully understand how cell relay packing works, you can perform a simple experiment. First
calculate the size of a ping that would fully occupy ten cells without padding. You can use the
following formula and refer to the packets shown in Figure 8-7:
Number of cells * 48 Bytes/cell - AAL5 PDU Trailer - SNAP Header for IP =
Number of cells * 48 Bytes/cell - (UU + CPI + Length + CRC) - (LLC + OUI + etype) =
10 * 48 - (1 + 1 + 2 + 4) - (3 + 3 + 2) = 464 Bytes
SanFran#ping
Protocol [ip]:
Target IP address: 192.168.3.2
Repeat count [5]: 10000
Datagram size [100]: 464
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10000, 464-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!Output omitted for brevity
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (10000/10000), round-trip min/avg/max = 1/2/16 ms
SanFran#show atm cell-packing
                                   average                   average
                circuit   local    nbr of cells    peer      nbr of cells    MCPT
                type      MNCP     rcvd in one pkt MNCP      sent in one pkt (us)
ATM4/0.3        vc 0/300  10       9               10        9               800
SanFran#
The counter from Example 8-45 shows nine cells instead of ten because of OAM cells bringing down
the average slightly. The second part of the exercise is to clear the counters and send another 10,000
PING packets but now 1 byte longer than before, which is 465 bytes (see Example 8-46).
Example 8-46. Packed Cell Relay Exercise Part 2
SanFran#clear counters
Clear "show interface" counters on all interfaces [confirm]
SanFran#
*May 27 01:22:25.858: %CLEAR-5-COUNTERS: Clear counter on all interfaces by console
SanFran#ping
Protocol [ip]:
Target IP address: 192.168.3.2
Repeat count [5]: 10000
Datagram size [100]: 465
Timeout in seconds [2]:
Extended commands [n]:
ATM4/0.3        vc 0/300  10       5               10        5               800
SanFran#
Example 8-46 shows that the average number of cells packed in both receive and transmit directions
dropped drastically to 5. This is because each ICMP echo request and echo reply packet now requires 11
cells instead of 10. Therefore, each PING packet is sent using two MPLS AToM packets, one with 10
cells and the other with just 1 cell, averaging a bit over 5 cells per MPLS packet. Note that the timers
are short enough that the second MPLS packet does not have 10 cells. In addition, the second packet
is sent with only one cell because the timer expires before the second echo request is received.
Case Study 8-9: Understanding Different ATM Transfer Modes
You have learned about the different AToM encapsulations, in particular the different modes of
transporting an ATM PVC (AAL5 CPCS-SDU, single cell relay, and packed cell relay). This section
illustrates their similarities and differences with examples to solidify the concepts.
You can highlight some of the differences among ATM transfer modes by sending a 36-byte ping from
the Oakland CE router in the three transport modes and comparing the capture of those AToM packets
in the link between the Denver P and NewYork P routers. You can obtain the capture as output for the
command debug mpls l2transport packet data. All packets you capture share the same Layer 2
encapsulation (source and destination MAC address and MPLS unicast Ethertype). They also share the
absence of a PSN label because of Penultimate Hop Popping (PHP) and a VC MPLS header with a
different label. Finally, all the packets share the presence of a control word that has different
characteristics.
AAL5 CPCS-SDU Mode
01:45:40: ATOM imposition: out Fa4/0, size 74, EXP 0x0, seq 0, control word 0x8380000
0x380000
02:27:46: 00 0C CF 55 24 08 00 04 4E 26 18 70 88 47 00 01
          ^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^ ^^^^^ ^^^^^
          SA MAC            DA MAC            |     VC Label-->
                                              etype = MPLS Unicast
02:27:46: 21 02 00 38 00 00 00 00 0C 82 00 00 00 00 00 00
          ^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^ ^^...
          <--VC_Label Ctrl-word ATM Cell    CPCS-PDU Padding
          Label=18             Header
          S=1                  VPI=0; VCI = 200
          TTL=2                EoAAL5 = 1
02:27:46: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
02:27:46: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
02:27:46: 00 00 00 00 00 2C 2B F1 73 FD
                      ...^^ ^^^^^^^^^^^^^^^^^^^^^^^
                      CPCS-PDU Pad CPCS-PDU Trailer
                                   UU = 0; CPI = 0;
                                   Length = 0x2C = 44 Bytes
                                   CRC = 0x2BF173FD
02:30:27: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
02:30:27: 00 00 00 00 00 00 00 00 00 2C A6 9C AA FC
                      ...^^ ^^^^^^^^^^^^^^^^^^^^^^^
                      CPCS-PDU Pad CPCS-PDU Trailer
                                   UU = 0; CPI = 0;
                                   Length = 0x2C = 44 Bytes
                                   CRC = 0xA69CAAFC
The format of the contents of this single AToM packet is similar to merging the contents of two AToM
packets in the previous case. That is, the two cells share the Layer 2, MPLS, and pseudowire (control
word) overheads. The control word presents a value of 0x00000000. The length is not included
because it is 108 bytes (52 * 2 + 4), which is greater than 63 bytes, which is the maximum value the
length field can take with 6 bits (2^6 - 1 = 63).
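A decoder for the cell relay AToM packets captured above (Ethernet, VC label, control word, ATM cell headers and the AAL5 trailer of the last cell), added here as Python that is not code from the book or from Cisco IOS. The sample frame is constructed from the values annotated in the capture (MAC addresses, label 18 with S=1 and TTL 2, control word length 56, VPI 0/VCI 200 with PTI 1, trailer length 44 and CRC 0x2BF173FD); the 40 zero bytes of padding fill the cell to 48 bytes of payload.

```python
import struct

ETHERTYPE_MPLS_UNICAST = 0x8847
ATM_CELL = 52            # 4-byte header + 48-byte payload, as carried in cell relay modes


def parse_atom_cell_relay(frame):
    """Decode an Ethernet frame carrying an AToM ATM cell relay packet (single or packed cells)."""
    if len(frame) < 14 + 4 + 4:
        raise ValueError("frame too short for Ethernet + VC label + control word")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype != ETHERTYPE_MPLS_UNICAST:
        raise ValueError("Ethertype 0x%04x is not MPLS unicast" % etype)
    # Walk the label stack: after PHP only the VC label remains, but a PSN label may precede it.
    labels, off = [], 14
    while True:
        if off + 4 > len(frame):
            raise ValueError("label stack runs past end of frame")
        (entry,) = struct.unpack_from("!I", frame, off)
        labels.append({"label": entry >> 12, "exp": (entry >> 9) & 0x7,
                       "s": (entry >> 8) & 0x1, "ttl": entry & 0xFF})
        off += 4
        if entry & 0x100:                   # bottom-of-stack bit
            break
    if off + 4 > len(frame):
        raise ValueError("control word missing")
    (cw,) = struct.unpack_from("!I", frame, off)
    off += 4
    control = {"flags": (cw >> 24) & 0x0F,        # T/E/C/U bits
               "length": (cw >> 16) & 0x3F,       # 6-bit length; 0 when the packet exceeds 63 bytes
               "sequence": cw & 0xFFFF}
    body = frame[off:]
    if not body or len(body) % ATM_CELL:
        raise ValueError("payload of %d bytes is not a whole number of 52-byte cells" % len(body))
    cells = []
    for i in range(0, len(body), ATM_CELL):
        (hdr,) = struct.unpack_from("!I", body, i)   # GFC(4) VPI(8) VCI(16) PTI(3) CLP(1)
        cell = {"vpi": (hdr >> 20) & 0xFF, "vci": (hdr >> 4) & 0xFFFF,
                "pti": (hdr >> 1) & 0x7, "clp": hdr & 0x1,
                "payload": body[i + 4:i + ATM_CELL]}
        if cell["pti"] & 0x1:               # last cell of an AAL5 PDU: trailer in its final 8 bytes
            uu, cpi, length, crc = struct.unpack("!BBHI", cell["payload"][-8:])
            cell["aal5_trailer"] = {"uu": uu, "cpi": cpi, "length": length, "crc": crc}
        cells.append(cell)
    return {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"), "labels": labels,
            "control_word": control, "cells": cells, "size": len(frame)}


def build_cell_relay_frame(label, ttl, cw, cells):
    """Construct a frame shaped like the capture: Ethernet + one VC label + control word + cells."""
    entry = (label << 12) | (1 << 8) | ttl     # EXP 0, S=1 (no PSN label after PHP)
    frame = bytes.fromhex("000ccf552408") + bytes.fromhex("00044e261870")   # MACs from the capture
    frame += struct.pack("!HII", ETHERTYPE_MPLS_UNICAST, entry, cw)
    for hdr, payload in cells:
        frame += struct.pack("!I", hdr) + payload
    return frame


# Constructed sample: VC label 18, TTL 2, control word 0x00380000 (length 56 = 4 + 52), and the
# last cell of the AAL5 PDU on VPI 0 / VCI 200 carrying 40 bytes of pad plus the CPCS trailer.
LAST_CELL_HDR = 0x00000C82                  # VPI 0, VCI 200, PTI 001 (end of AAL5 PDU), CLP 0
LAST_CELL_PAYLOAD = bytes(40) + bytes.fromhex("0000002C2BF173FD")
SINGLE_CELL_FRAME = build_cell_relay_frame(18, 2, 0x00380000,
                                           [(LAST_CELL_HDR, LAST_CELL_PAYLOAD)])

if __name__ == "__main__":
    print(parse_atom_cell_relay(SINGLE_CELL_FRAME))
```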
Table 8-4. Comparing ATM Transport Overheads
ATM Transport Type   Control Word   Cell Header   LLC/SNAP   IP/ICMP    CPCS-Pad   CPCS-Trailer   Total
AAL5 CPCS-SDU        4 bytes        0             8 bytes    36 bytes   0          0              48 bytes
Single Cell Relay    2 * 4 bytes    2 * 4 bytes   8 bytes    36 bytes   44 bytes   8 bytes        112 bytes
Packed Cell Relay    4 bytes        2 * 4 bytes   8 bytes    36 bytes   44 bytes   8 bytes        108 bytes
From this table, you can see that when you are transporting AAL5 packets, AAL5 CPCS-SDU mode is
more efficient, especially when the ATM AAL5 packets are small. When you are transporting other
AALs, such as AAL1 for Circuit Emulation Services (CES) or AAL2 for Voice over ATM (VoATM), cell
relay is the only option. Similarly, CRoMPLS is the only option when you are trunking using VP or port
mode, because AAL5 mode does not exist for VP and port mode ATM transport.
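The cell-count arithmetic behind the 464-byte ping formula, the packed cell relay exercise of Examples 8-45 and 8-46, and the overhead comparison of Table 8-4, as an added Python example that is not code from the book. It generalizes the formula to any IP/ICMP length and MNCP, and assumes (as the text does for Example 8-46) that the MCPT timer expires between consecutive PDUs, so cells from two PDUs are never packed into one AToM packet.

```python
import math

# Constants behind the ping-size formula and Table 8-4 (all taken from the chapter).
CELL_PAYLOAD = 48     # payload bytes per ATM cell
CELL_HEADER = 4       # ATM cell header, carried only in the cell relay modes
AAL5_TRAILER = 8      # UU + CPI + Length + CRC = 1 + 1 + 2 + 4
LLC_SNAP = 8          # LLC + OUI + etype = 3 + 3 + 2
CONTROL_WORD = 4


def max_ip_len_for_cells(n_cells):
    """Largest IP datagram that fills exactly n_cells with no CPCS padding (the book's formula)."""
    return n_cells * CELL_PAYLOAD - AAL5_TRAILER - LLC_SNAP


def cells_needed(ip_len):
    """Cells an LLC/SNAP-encapsulated AAL5 PDU occupies; the trailer must fit in the last cell."""
    return math.ceil((ip_len + LLC_SNAP + AAL5_TRAILER) / CELL_PAYLOAD)


def cpcs_pad(ip_len):
    """CPCS padding inserted so the PDU ends on a cell boundary."""
    return cells_needed(ip_len) * CELL_PAYLOAD - (ip_len + LLC_SNAP + AAL5_TRAILER)


def aal5_sdu_bytes(ip_len):
    """AToM payload in AAL5 CPCS-SDU mode: control word + LLC/SNAP + IP; no pad, trailer or headers."""
    return CONTROL_WORD + LLC_SNAP + ip_len


def single_cell_relay_bytes(ip_len):
    """One AToM packet per cell, so the control word is repeated for every cell."""
    return cells_needed(ip_len) * (CONTROL_WORD + CELL_HEADER + CELL_PAYLOAD)


def packed_cells_per_packet(ip_len, mncp):
    """Cells in each AToM packet when one PDU is packed up to mncp cells per packet and the
    MCPT timer expires before the next PDU arrives (the situation of Examples 8-45 and 8-46)."""
    if mncp < 1:
        raise ValueError("MNCP must be at least 1")
    full, rest = divmod(cells_needed(ip_len), mncp)
    return [mncp] * full + ([rest] if rest else [])


def packed_cell_relay_bytes(ip_len, mncp):
    """Total AToM payload bytes for one PDU in packed cell relay mode."""
    pkts = packed_cells_per_packet(ip_len, mncp)
    return len(pkts) * CONTROL_WORD + sum(pkts) * (CELL_HEADER + CELL_PAYLOAD)


def average_cells_per_packet(ip_len, mncp):
    """The figure that show atm cell-packing reports as average cells per packet."""
    pkts = packed_cells_per_packet(ip_len, mncp)
    return sum(pkts) / len(pkts)


def overhead_table(ip_len, mncp):
    """Rebuild the Table 8-4 comparison for a given IP/ICMP length and MNCP."""
    return {"AAL5 CPCS-SDU": aal5_sdu_bytes(ip_len),
            "Single Cell Relay": single_cell_relay_bytes(ip_len),
            "Packed Cell Relay": packed_cell_relay_bytes(ip_len, mncp)}


if __name__ == "__main__":
    print("ping size that fills 10 cells:", max_ip_len_for_cells(10))
    for size in (464, 465):
        print(size, "bytes ->", cells_needed(size), "cells, packets",
              packed_cells_per_packet(size, 10), "avg", average_cells_per_packet(size, 10))
    print("36-byte ping:", overhead_table(36, 10))
```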
on the martini drafts when adapting AToM to the transport of HDLC, PPP, Frame Relay DLCIs,
ATM AAL5 SDUs, and ATM cells.
This chapter discussed the importance of the MTU setting both in the edge devices and the core. For all WAN protocol transport over MPLS except the transport of ATM cells, a pseudowire requires matching MTUs on both ends for it to come up. Even when matching MTUs in the attachment circuits enable control plane success, a conscientious MTU setting in the core is required to avoid data plane problems.

This chapter concluded with four additional case studies. In these case studies, you learned what the exact format of LDP label mapping messages is, how to check for hardware capabilities on a router, and how to decouple the platform specifics. You also learned about packed cell relay over MPLS and the ins and outs of ATMoMPLS VC mode, including a detailed comparison of three different ways of transporting an ATM VC using AToM.
Load sharing
Preferred path
AToM pseudowires with MPLS traffic engineering fast reroute
AToM pseudowire over GRE tunnel
Pseudowire emulation in multi-AS networks
LDP authentication for pseudowire signaling
Verifying pseudowire data connectivity
Quality of service in AToM
Note
interface Loopback0
 ip address 10.1.1.2 255.255.255.255
!
interface Ethernet0/0
 no ip address
!
interface Ethernet0/0.1
 encapsulation dot1Q 100
 xconnect 10.1.1.1 100 encapsulation mpls
!
interface Ethernet0/0.2
 encapsulation dot1Q 200
 xconnect 10.1.1.1 200 encapsulation mpls
!
interface Ethernet0/0.3
 encapsulation dot1Q 300
 xconnect 10.1.1.1 300 encapsulation mpls
!
interface Ethernet1/0
 ip address 10.23.23.1 255.255.255.0
 mpls ip
!
interface Serial3/0
 ip address 10.23.21.2 255.255.255.0
 mpls ip
!
router ospf 1
 network 10.1.1.2 0.0.0.0 area 0
 network 10.23.21.0 0.0.0.255 area 0
 network 10.23.23.0 0.0.0.255 area 0
The following case studies and sections discuss how PE routers make path selection decisions for pseudowire traffic when these types of forwarding paths are present:

Case Study 9-1: Unequal-Cost Multipath
Case Study 9-2: Equal-Cost Multipath
Ethernet links.
To reach the loopback interface on PE1 and PE2, you must take the cost of the loopback interface into account, as shown in Example 9-4.
Example 9-4. SPF Cost on PE1 Loopback Interface

PE1#show ip ospf interface loopback0
Loopback0 is up, line protocol is up
  Internet Address 10.1.1.1/32, Area 0
  Process ID 1, Router ID 10.1.1.1, Network Type LOOPBACK, Cost: 1
The cost for PE1 to go through P1 to reach PE2 is 64 + 64 + 1 = 129, whereas the cost to go through P2 and P3 is 10 + 10 + 10 + 1 = 31. The least-cost path to destination 10.1.1.2 is through P2 and P3, and the routing protocol therefore chooses it to forward data packets. You can observe this through the show command in Example 9-5.
Example 9-5. SPF Cost to PE2 Loopback Interface

PE1#show ip route 10.1.1.2
Routing entry for 10.1.1.2/32
  Known via "ospf 1", distance 110, metric 31, type intra area
  Last update from 10.23.12.2 on Ethernet1/0, 00:52:57 ago
  Routing Descriptor Blocks:
  * 10.23.12.2, from 10.1.1.2, 00:52:57 ago, via Ethernet1/0
      Route metric is 31, traffic share count is 1
Because Ethernet1/0 is the only outgoing interface that the routing protocol chooses to reach the destination, all AToM pseudowires on PE1 take that interface (see Example 9-6).

PE2 has a similar result to PE1, as shown in Example 9-7.
Case Study 9-2: Equal-Cost Multipath

In the previous case study, all AToM pseudowires took a single outgoing path when all feasible outgoing paths had different costs. Example 9-8 uses the same topology and configuration, but the cost of the link between P2 and P3 is increased so that the overall cost for the path going through P2 and P3 becomes equal to the one through P1. As a result, the routing table on PE1 now shows it has two equal-cost paths to the destination.
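The SPF arithmetic of Case Studies 9-1 and 9-2, as an added example that is not part of the book: a small Dijkstra over the case-study core that also enumerates equal-cost paths, which is the set a PE may load-share pseudowires across. Link costs follow the chapter (PE1-P1 and P1-PE2 cost 64; PE1-P2, P2-P3 and P3-PE2 cost 10; the PE2 loopback adds 1). The node names and the raised P2-P3 cost of 108 used to reproduce the equal-cost case are assumptions, since the book does not state the new link cost.

```python
"""Added example, not from the book: SPF cost and equal-cost path
enumeration for the Case Study 9-1/9-2 topology.  Node names and the
raised P2-P3 cost (108) are assumptions."""
import heapq
from typing import Dict, List, Tuple

Graph = Dict[str, Dict[str, int]]


def build_topology(p2_p3_cost: int = 10) -> Graph:
    """Bidirectional links of the case-study core; p2_p3_cost is the knob
    Case Study 9-2 turns to make both paths equal (assumed value 108)."""
    links = [("PE1", "P1", 64), ("P1", "PE2", 64),
             ("PE1", "P2", 10), ("P2", "P3", p2_p3_cost), ("P3", "PE2", 10)]
    g: Graph = {}
    for a, b, cost in links:
        g.setdefault(a, {})[b] = cost
        g.setdefault(b, {})[a] = cost
    return g


def path_cost(g: Graph, path: List[str], loopback_cost: int = 1) -> int:
    """Sum of link costs along an explicit path plus the destination
    loopback cost, which OSPF adds when the /32 sits on a loopback."""
    return sum(g[a][b] for a, b in zip(path, path[1:])) + loopback_cost


def spf(g: Graph, src: str, dst: str,
        loopback_cost: int = 1) -> Tuple[int, List[List[str]]]:
    """Dijkstra from src.  Returns the OSPF metric to dst's loopback and
    every equal-cost path to it, in sorted order."""
    dist: Dict[str, int] = {src: 0}
    preds: Dict[str, List[str]] = {src: []}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                      # stale queue entry
        for v, cost in g[u].items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v], preds[v] = nd, [u]
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                preds[v].append(u)        # another equal-cost predecessor

    def expand(node: str) -> List[List[str]]:
        if node == src:
            return [[src]]
        return [p + [node] for pr in preds[node] for p in expand(pr)]

    return dist[dst] + loopback_cost, sorted(expand(dst))


if __name__ == "__main__":
    g = build_topology()
    print(spf(g, "PE1", "PE2"))                    # (31, [['PE1', 'P2', 'P3', 'PE2']])
    print(path_cost(g, ["PE1", "P1", "PE2"]))      # 129
    print(spf(build_topology(108), "PE1", "PE2"))  # (129, both paths)
```

With the default costs the P2-P3 path wins at metric 31 and the P1 path costs 129, matching Examples 9-4 and 9-5; raising P2-P3 to 108 yields two paths at 129, the situation of Example 9-8.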
Example 9-8. Two Equal-Cost Paths to PE2 Loopback Interface
When equal-cost paths are available, AToM attempts to distribute pseudowires among them.
On PE1 and PE2, the show mpls l2transport summary command demonstrates that AToM
pseudowires are assigned to different output interfaces, as shown in Example 9-10.
Example 9-10. Pseudowires Load Share Across Equal-Cost Paths

PE1#show mpls l2transport summary
Destination address: 10.1.1.2, total number of vc: 3
  0 unknown, 3 up, 0 down, 0 admin down
  2 active vc on MPLS interface Se3/0
  1 active vc on MPLS interface Et1/0

PE2#show mpls l2transport summary
Destination address: 10.1.1.1, total number of vc: 3
  0 unknown, 3 up, 0 down, 0 admin down
  2 active vc on MPLS interface Et1/0
  1 active vc on MPLS interface Se3/0
Notice that PE1 and PE2 come up with different ideas for how to load share the pseudowires. Of the three provisioned pseudowires, PE1 distributes two of them to the serial interface, which takes P1 as the next-hop router toward PE2; PE2 distributes two of the pseudowires to the Ethernet interface, which takes P3 as the next-hop router toward PE1. This means that one of the pseudowires selects the path through P1 in the direction from PE1 to PE2, but it takes the path through P3 and P2 in the return direction from PE2 to PE1. For this particular pseudowire, PE1 transmits its packets to PE2 through P1, and PE2 transmits its packets to PE1 through P3 and P2.

This is not really a problem or mistake. All packets of this pseudowire transmitted in a given direction still follow the same path; only the two directions differ. IP/MPLS traffic is generally considered unidirectional, and the routing protocol is free to choose different equal-cost paths for packets sent in different directions. It is normal for the core network to route packets under the default hop-by-hop best-effort forwarding scheme. Keep this asymmetry in mind when you capture or filter pseudowire traffic in the core: a tap on the P1 link sees only one direction of this pseudowire. On the other hand, if the core network engages in traffic engineering techniques and prefers explicit paths for pseudowire traffic, you need to associate AToM pseudowires with these explicit paths. The next section discusses preferred paths in more detail.
Under the default forwarding scheme, the show mpls l2transport vc detail command reveals how the underlying load-sharing algorithm works when equal-cost paths are present (see Example 9-11).

Example 9-11. Load Sharing Selects Different Output Interfaces for Pseudowires
PE1#show mpls l2transport vc detail
Local interface: Et0/0.1 up, line protocol up, Eth VLAN 100 up
  Destination address: 10.1.1.2, VC ID: 100, VC status: up
    Preferred path: not configured
    Default path: active
    Tunnel label: 17, next hop point2point
    Output interface: Se3/0, imposed label stack {17 22}
  Create time: 2d10h, last status change time: 2d10h
  Signaling protocol: LDP, peer 10.1.1.2:0 up
    MPLS VC labels: local 21, remote 22
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description:
!Output omitted for brevity
Local interface: Et0/0.2 up, line protocol up, Eth VLAN 200 up
  Destination address: 10.1.1.2, VC ID: 200, VC status: up
    Preferred path: not configured
    Default path: active
    Tunnel label: 17, next hop 10.23.12.2
    Output interface: Et1/0, imposed label stack {17 25}
  Create time: 2d10h, last status change time: 2d10h
  Signaling protocol: LDP, peer 10.1.1.2:0 up
    MPLS VC labels: local 22, remote 25
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description:
!Output omitted for brevity
Local interface: Et0/0.3 up, line protocol up, Eth VLAN 300 up
  Destination address: 10.1.1.2, VC ID: 300, VC status: up
    Preferred path: not configured
    Default path: active
    Tunnel label: 17, next hop point2point
    Output interface: Se3/0, imposed label stack {17 26}
  Create time: 2d10h, last status change time: 2d10h
  Signaling protocol: LDP, peer 10.1.1.2:0 up
    MPLS VC labels: local 23, remote 26
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description:
!Output omitted for brevity
configure preferred paths for pseudowires: IP routing and MPLS traffic engineering.
Before starting the discussion on preferred path options, it is worthwhile to reiterate that the IP address configured in the xconnect ip_address vc_id command must always be the router ID that the remote PE router uses for Label Distribution Protocol (LDP) signaling. The router ID is the first four bytes of the LDP ID. The show mpls ldp neighbor and show mpls ldp discovery commands display the LDP IDs of the local PE router and its neighbors (see Example 9-12).
PE1#show mpls ldp neighbor
    Peer LDP Ident: 10.33.23.1:0; Local LDP Ident 10.1.1.1:0
        TCP connection: 10.33.23.1.11000 - 10.1.1.1.646
        State: Oper; Msgs sent/rcvd: 5548/5548; Downstream
        Up time: 3d08h
        LDP discovery sources:
          Ethernet1/0, Src IP addr: 10.23.12.2
        Addresses bound to peer LDP Ident:
          10.33.23.1      10.23.12.2
    Peer LDP Ident: 10.23.11.2:0; Local LDP Ident 10.1.1.1:0
        TCP connection: 10.23.11.2.11142 - 10.1.1.1.646
        State: Oper; Msgs sent/rcvd: 125/126; Downstream
        Up time: 01:30:57
        LDP discovery sources:
          Serial3/0, Src IP addr: 10.23.11.2
        Addresses bound to peer LDP Ident:
          10.23.11.2      10.43.11.2      10.23.21.1
    Peer LDP Ident: 10.1.1.2:0; Local LDP Ident 10.1.1.1:0
        TCP connection: 10.1.1.2.11003 - 10.1.1.1.646
        State: Oper; Msgs sent/rcvd: 136/137; Downstream
        Up time: 01:30:53
        LDP discovery sources:
          Targeted Hello 10.1.1.1 -> 10.1.1.2, active, passive
        Addresses bound to peer LDP Ident:
          10.1.1.2        10.23.21.2      10.23.23.1      10.1.1.200
          10.1.1.201

PE1#show mpls ldp discovery
 Local LDP Identifier:
    10.1.1.1:0
    Discovery Sources:
    Interfaces:
        Ethernet1/0 (ldp): xmit/recv
            LDP Id: 10.33.23.1:0
        Serial3/0 (ldp): xmit/recv
            LDP Id: 10.23.11.2:0
    Targeted Hellos:
        10.1.1.1 -> 10.1.1.2 (ldp): active/passive, xmit/recv
            LDP Id: 10.1.1.2:0
Three LDP signaling sessions are available, as shown in the show mpls ldp neighbor command output. PE1 establishes two nontargeted LDP sessions with P1 and P2 to exchange IGP labels, which serve as tunnel labels for pseudowire packets. The targeted LDP session between PE1 and PE2 is for pseudowire signaling. The first four bytes of the LDP ID for PE2 are 10.1.1.2, its router ID. The targeted LDP session for pseudowire signaling uses the local and remote router IDs as the source and destination addresses. When no preferred path is configured for a pseudowire, an output path is selected based on the remote router ID in the forwarding table for pseudowire packets.
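The router-ID rule above is easy to violate once a PE carries several loopbacks, so here is an added check that is not part of the book: it reads the text of show mpls ldp neighbor, keeps only the peers learned through targeted hellos, takes the first four bytes of each peer's LDP ID as its router ID, and then compares every xconnect peer address in the running configuration against that set. The show output is abridged from Example 9-12; the configuration lines are constructed, and the VC 400 xconnect that points at PE2's secondary loopback 10.1.1.200 rather than its router ID is a deliberate mistake for the check to catch.

```python
"""Added example, not from the book: verify that each xconnect peer address
is the LDP router ID of a targeted-LDP neighbor.  Sample texts below are
constructed (abridged Example 9-12 output plus an invented config)."""
import re
from typing import Dict, List, Set

LDP_NEIGHBOR_OUTPUT = """\
    Peer LDP Ident: 10.33.23.1:0; Local LDP Ident 10.1.1.1:0
        TCP connection: 10.33.23.1.11000 - 10.1.1.1.646
        State: Oper; Msgs sent/rcvd: 5548/5548; Downstream
        LDP discovery sources:
          Ethernet1/0, Src IP addr: 10.23.12.2
        Addresses bound to peer LDP Ident:
          10.33.23.1      10.23.12.2
    Peer LDP Ident: 10.1.1.2:0; Local LDP Ident 10.1.1.1:0
        TCP connection: 10.1.1.2.11003 - 10.1.1.1.646
        State: Oper; Msgs sent/rcvd: 136/137; Downstream
        LDP discovery sources:
          Targeted Hello 10.1.1.1 -> 10.1.1.2, active, passive
        Addresses bound to peer LDP Ident:
          10.1.1.2        10.23.21.2      10.23.23.1      10.1.1.200
          10.1.1.201
"""

# Constructed configuration; VC 400 is the deliberate mistake.
RUNNING_CONFIG = """\
interface Ethernet0/0.1
 encapsulation dot1Q 100
 xconnect 10.1.1.2 100 encapsulation mpls
interface Ethernet0/0.2
 encapsulation dot1Q 200
 xconnect 10.1.1.2 200 pw-class PE1-P1-PE2
interface Ethernet0/0.4
 encapsulation dot1Q 400
 xconnect 10.1.1.200 400 encapsulation mpls
"""

PEER_RE = re.compile(r"^\s*Peer LDP Ident: (\d+\.\d+\.\d+\.\d+):\d+;")
ADDR_LINE_RE = re.compile(r"\s+(\d+\.\d+\.\d+\.\d+\s*)+")
XCONNECT_RE = re.compile(r"^\s*xconnect (\d+\.\d+\.\d+\.\d+) (\d+)")


def targeted_peers(show_output: str) -> Dict[str, Set[str]]:
    """Router ID -> addresses bound to that peer, for targeted sessions only.
    The router ID is the dotted quad in front of the ':' of the LDP ID."""
    peers: Dict[str, Set[str]] = {}
    current = None
    targeted = False
    for line in show_output.splitlines():
        m = PEER_RE.match(line)
        if m:
            current, targeted = m.group(1), False
            continue
        if current is None:
            continue
        if "Targeted Hello" in line:
            targeted = True
            peers.setdefault(current, set())
        elif targeted and ADDR_LINE_RE.fullmatch(line):
            peers[current].update(line.split())
    return peers


def check_xconnect_peers(config: str, peers: Dict[str, Set[str]]) -> List[str]:
    """One finding per xconnect whose peer address is not a targeted-LDP
    router ID.  An address that is merely bound to a peer (a secondary
    loopback) is called out with the router ID that should be used instead."""
    findings = []
    for line in config.splitlines():
        m = XCONNECT_RE.match(line)
        if not m:
            continue
        addr, vcid = m.groups()
        if addr in peers:
            continue
        owner = next((rid for rid, bound in peers.items() if addr in bound), None)
        if owner:
            findings.append(f"VC {vcid}: peer {addr} is a loopback of router ID {owner}; use {owner}")
        else:
            findings.append(f"VC {vcid}: no targeted LDP session with {addr}")
    return findings


if __name__ == "__main__":
    for finding in check_xconnect_peers(RUNNING_CONFIG, targeted_peers(LDP_NEIGHBOR_OUTPUT)):
        print(finding)
```

Run against the sample, the check passes VC 100 and 200 and reports VC 400, whose peer 10.1.1.200 is bound to router ID 10.1.1.2 but is not an LDP ID itself.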
The preferred path option not only allows pseudowire data packets to flow through a different path from pseudowire control packets, but it also makes it possible to provide differentiated services to pseudowires with different forwarding requirements. For example, you can place pseudowires that carry voice traffic on a special traffic-engineered path with low latency and jitter; you can place pseudowires that remotely back up a large amount of data for file servers on a best-effort path that allows high bursts.
To configure a preferred path, you first need to configure a pseudowire class and associate it with the pseudowire. A pseudowire class configures common attributes for a group of pseudowires. For AToM pseudowires, the encapsulation for the pseudowire class is MPLS, as shown in Example 9-13.
Example 9-14. Configuring an xconnect Command with a Pseudowire Class

PE1(config)#interface Ethernet0/0.2
PE1(config-subif)#xconnect 10.1.1.2 200 pw-class PE1-P1-PE2
The following case studies discuss how to use IP routing and MPLS traffic engineering to select preferred paths for pseudowires.
Note
Host routes such as router IDs are typically configured on loopback interfaces. A relatively simple way to specify a preferred path for AToM pseudowires is to configure multiple loopback interfaces with different host addresses.

The preferred-path peer host_address command configures a preferred path using a host address. For example, 10.1.1.200 is a host route configured on a loopback interface on PE2, and PE1 configures a pseudowire class that takes the preferred path to reach 10.1.1.200. When forwarding pseudowire packets to PE2, PE1 uses 10.1.1.200 instead of PE2's router ID 10.1.1.2 to look up the output interface in the forwarding tables (see Example 9-15).
Assume that the initial configuration is identical to that in the "Load Sharing" section. In the following configuration steps, the pseudowire with VC ID 100 still takes the default path assigned by the load-sharing algorithm, but pseudowire 200 takes the preferred path through P1, and pseudowire 300 takes the path through P2 and P3, as shown in Figure 9-2.
Step 1. Configure two additional loopback interfaces and host addresses on PE2:

PE2(config)#interface Loopback1
PE2(config-if)#ip address 10.1.1.200 255.255.255.255
PE2(config-if)#exit
PE2(config)#interface Loopback2
PE2(config-if)#ip address 10.1.1.201 255.255.255.255
Step 2. Add the host routes into the routing process on PE2:

PE2(config)#router ospf 1
PE2(config-router)#network 10.1.1.200 0.0.0.0 area 0
PE2(config-router)#network 10.1.1.201 0.0.0.0 area 0
Step 3. Verify that the host routes are present in the routing table on PE1:

PE1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
O       10.23.21.0/24 [110/128] via 10.23.11.2, 1d01h, Serial3/0
O       10.1.1.2/32 [110/129] via 10.23.11.2, 1d01h, Serial3/0
                    [110/129] via 10.23.12.2, 1d01h, Ethernet1/0
O       10.23.23.0/24 [110/128] via 10.23.12.2, 1d01h, Ethernet1/0
C       10.1.1.1/32 is directly connected, Loopback0
C       10.23.12.0/24 is directly connected, Ethernet1/0
C       10.23.11.0/24 is directly connected, Serial3/0
O       10.43.11.0/24 [110/74] via 10.23.11.2, 1d01h, Serial3/0
O       10.33.23.0/24 [110/118] via 10.23.12.2, 1d01h, Ethernet1/0
O       10.1.1.200/32 [110/129] via 10.23.11.2, 00:00:16, Serial3/0
Caution

When you are using a static route to associate a host route with an outgoing path, configure the next-hop IP address (the IP address of the P router) instead of the output interface. Using output interfaces causes MPLS forwarding to be unable to resolve the outgoing tunnel label, which results in a broken LSP.
Step 5. Verify that each host route is associated with the desired output interface in the routing table, and that each has a corresponding label in the MPLS forwarding table:
PE1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
O       10.23.21.0/24 [110/128] via 10.23.11.2, 1d01h, Serial3/0
O       10.1.1.2/32 [110/129] via 10.23.11.2, 1d01h, Serial3/0
                    [110/129] via 10.23.12.2, 1d01h, Ethernet1/0
O       10.23.23.0/24 [110/128] via 10.23.12.2, 1d01h, Ethernet1/0
C       10.1.1.1/32 is directly connected, Loopback0
C       10.23.12.0/24 is directly connected, Ethernet1/0
C       10.23.11.0/24 is directly connected, Serial3/0
O       10.43.11.0/24 [110/74] via 10.23.11.2, 1d01h, Serial3/0
O       10.33.23.0/24 [110/118] via 10.23.12.2, 1d01h, Ethernet1/0
S       10.1.1.200/32 [1/0] via 10.23.11.2
S       10.1.1.201/32 [1/0] via 10.23.12.2
PE1#show mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     10.23.21.0/24     0          Se3/0      point2point
17     20          10.1.1.2/32       0          Se3/0      point2point
       17          10.1.1.2/32       0          Et1/0      10.23.12.2
18     Pop tag     10.33.23.0/24     0          Et1/0      10.23.12.2
19     18          10.23.23.0/24     0          Et1/0      10.23.12.2
20     Pop tag     10.43.11.0/24     0          Se3/0      point2point
21     Untagged    l2ckt(200)        557264     Et0/0.2    point2point
22     23          10.1.1.201/32     0          Et1/0      10.23.12.2
24     21          10.1.1.200/32     0          Se3/0      point2point
25     Untagged    l2ckt(300)        557264     Et0/0.3    point2point
26     Untagged    l2ckt(100)        557631     Et0/0.1    point2point
Step 8. Verify that pseudowires 200 and 300 are taking the preferred paths:
PE1#show mpls l2transport vc detail
Local interface: Et0/0.1 up, line protocol up, Eth VLAN 100 up
  Destination address: 10.1.1.2, VC ID: 100, VC status: up
    Preferred path: not configured
    Default path: active
    Tunnel label: 20, next hop point2point
    Output interface: Se3/0, imposed label stack {20 22}
  Create time: 1d01h, last status change time: 1d01h
  Signaling protocol: LDP, peer 10.1.1.2:0 up
    MPLS VC labels: local 26, remote 22
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description:
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 1536, send 1538
    byte totals:   receive 572855, send 573600
    packet drops:  receive 0, send 0
Local interface: Et0/0.2 up, line protocol up, Eth VLAN 200 up
  Destination address: 10.1.1.2, VC ID: 200, VC status: up
    Preferred path: 10.1.1.200, active
    Default path: ready
    Tunnel label: 21, next hop point2point
    Output interface: Se3/0, imposed label stack {21 25}
  Create time: 1d01h, last status change time: 1d01h
Signaling protocol: LDP, peer 10.1.1.2:0 up
MPLS VC labels: local 21, remote 25
Group ID: local 0, remote 0
MTU: local 1500, remote 1500
Remote interface description:
Sequencing: receive disabled, send disabled
VC statistics:
Local interface:
Et0/0.3 up, line protocol up, Eth VLAN 300 up
ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
Destination
address:
10.1.1.2, VC ID: 300, VC status: up
No. 4460,Anthony Chan, - CCIE No. 10,266
Preferred path: 10.1.1.201, active
Default path: ready
Publisher: Cisco Press
Tunnel label: 23, next hop 10.23.12.2
Pub Date: MarchEt1/0,
10, 2005 imposed label stack {23 26}
Output interface:
1-58705-168-0
time: ISBN:
1d01h,
last status change time: 1d01h
TableCreate
of
Pages:
648
Signaling
protocol:
LDP,
peer 10.1.1.2:0 up
Contents
MPLS
VC
labels:
local
25,
remote 26
Index
Group ID: local 0, remote 0
MTU: local 1500, remote 1500
Remote interface description:
Sequencing:
disabled,
Masterreceive
the world
of Layer 2send
VPNs disabled
to provide enhanced services and enjoy
VC statistics:
productivity gains
packet totals: receive 1536, send 1538
byte totals:
receive 572855, send 573605
Learn about
Layer
Virtual
packet drops:
receive
0, 2send
0 Private Networks (VPNs)
Reduce costs and extend the reach of your services by unifying your
network architecture
At the end of Step 8, the pseudowire with VC ID 100 is going through the default path, and pseudowire 200 is going through the preferred path toward 10.1.1.200, with the output interface Serial3/0 connected to P1. Pseudowire 300 is going through the preferred path toward 10.1.1.201, with the output interface Ethernet1/0 connected to P2.
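To make the Step 8 check repeatable rather than a visual one, here is an added Python example (not from the book) that parses show mpls l2transport vc detail output and compares each pseudowire's preferred path, its state and its egress interface against the intended design. The sample output and the EXPECTED_PATHS table are constructed from the Step 8 output above; a pseudowire whose preferred path is configured but not active has fallen back to the default path and is reported.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the Step 8 output, abridged to the fields the
# checker reads; not captured from a real router.
SAMPLE_VC_DETAIL = """\
Local interface: Et0/0.1 up, line protocol up, Eth VLAN 100 up
  Destination address: 10.1.1.2, VC ID: 100, VC status: up
    Preferred path: not configured
    Default path: active
    Output interface: Se3/0, imposed label stack {20 22}
Local interface: Et0/0.2 up, line protocol up, Eth VLAN 200 up
  Destination address: 10.1.1.2, VC ID: 200, VC status: up
    Preferred path: 10.1.1.200, active
    Default path: ready
    Output interface: Se3/0, imposed label stack {21 25}
Local interface: Et0/0.3 up, line protocol up, Eth VLAN 300 up
  Destination address: 10.1.1.2, VC ID: 300, VC status: up
    Preferred path: 10.1.1.201, active
    Default path: ready
    Output interface: Et1/0, imposed label stack {23 26}
"""

# Intended design from the case study: (preferred-path target or None, egress interface).
EXPECTED_PATHS: Dict[int, Tuple[Optional[str], str]] = {
    100: (None, "Se3/0"),          # default path
    200: ("10.1.1.200", "Se3/0"),  # pseudowire-class PE1-P1-PE2
    300: ("10.1.1.201", "Et1/0"),  # pseudowire-class PE1-P2-P3-PE2
}


@dataclass
class VcPath:
    vc_id: int
    peer: str
    status: str
    preferred: Optional[str]        # preferred-path target, None if not configured
    preferred_state: Optional[str]  # "active" only when traffic really uses it
    default_state: str
    out_interface: str
    label_stack: List[int] = field(default_factory=list)  # imposed {tunnel VC}


def parse_vc_detail(text: str) -> Dict[int, VcPath]:
    """Split the output at each 'Local interface:' line and pull out the path fields."""
    blocks: List[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Local interface:"):
            blocks.append({})
            continue
        if not blocks:
            continue
        cur = blocks[-1]
        m = re.match(r"Destination address: (\S+), VC ID: (\d+), VC status: (\w+)", line)
        if m:
            cur["peer"], cur["vc_id"], cur["status"] = m.group(1), int(m.group(2)), m.group(3)
        elif line.startswith("Preferred path: "):
            value = line[len("Preferred path: "):]
            if value == "not configured":
                cur["preferred"], cur["preferred_state"] = None, None
            else:  # e.g. "10.1.1.200, active"
                parts = [p.strip() for p in value.split(",", 1)]
                cur["preferred"] = parts[0]
                cur["preferred_state"] = parts[1] if len(parts) > 1 else ""
        elif line.startswith("Default path: "):
            cur["default_state"] = line[len("Default path: "):]
        else:
            m = re.match(r"Output interface: ([^,]+), imposed label stack \{([\d ]*)\}", line)
            if m:
                cur["out_interface"] = m.group(1)
                cur["label_stack"] = [int(x) for x in m.group(2).split()]
    return {b["vc_id"]: VcPath(**b) for b in blocks}


def audit_preferred_paths(vcs: Dict[int, VcPath],
                          expected: Dict[int, Tuple[Optional[str], str]]) -> List[str]:
    """Compare live state with the intended design; an empty list means every VC matches."""
    findings = []
    for vc_id, (want_pref, want_if) in sorted(expected.items()):
        vc = vcs.get(vc_id)
        if vc is None:
            findings.append(f"VC {vc_id}: not present on this PE")
            continue
        if vc.status != "up":
            findings.append(f"VC {vc_id}: status is {vc.status}")
        if vc.preferred != want_pref:
            findings.append(f"VC {vc_id}: preferred path is {vc.preferred}, expected {want_pref}")
        elif want_pref is not None and vc.preferred_state != "active":
            # Configured but not carrying traffic: the VC has fallen back to the
            # default path (or is down when disable-fallback is set).
            findings.append(f"VC {vc_id}: preferred path {want_pref} is {vc.preferred_state}")
        if vc.out_interface != want_if:
            findings.append(f"VC {vc_id}: egress is {vc.out_interface}, expected {want_if}")
    return findings
```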
Example 9-16 is the complete configuration on PE1 for sending pseudowire traffic toward PE2 over preferred paths:

Example 9-16. Configuration for Preferred Path Using IP Routing

hostname PE1
!
ip cef
mpls label protocol ldp
mpls ldp router-id Loopback0
pseudowire-class PE1-P1-PE2
 encapsulation mpls
 preferred-path peer 10.1.1.200
!
pseudowire-class PE1-P2-P3-PE2
 encapsulation mpls
 preferred-path peer 10.1.1.201
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
interface Ethernet0/0
 no ip address
!
interface Ethernet0/0.1
 encapsulation dot1Q 100
 xconnect 10.1.1.2 100 encapsulation mpls
!
interface Ethernet0/0.2
 encapsulation dot1Q 200

 ip address 10.23.11.1 255.255.255.0
 mpls ip
!
router ospf 1
 network 10.1.1.1 0.0.0.0 area 0
 network 10.23.11.0 0.0.0.255 area 0
 network 10.23.12.0 0.0.0.255 area 0
!
ip route 10.1.1.200 255.255.255.255 10.23.11.2
ip route 10.1.1.201 255.255.255.255 10.23.12.2
If PE2 needs to send pseudowire traffic to PE1 over the same preferred path, repeat Steps 1 through 8 with appropriate parameters on PE2.
The dynamic nature of IGP routing protocols makes it difficult to engineer explicit paths in a meshed network, and it is not always feasible to configure static routes on all the routers along the path. Explicit paths are useful when network operators know the traffic pattern of their networks and want to direct certain traffic through predetermined paths. It takes the guesswork out of predicting how the traffic traverses across the network. An MPLS traffic engineering tunnel with an explicit path option fulfills this objective precisely.

When real-time traffic is encapsulated inside pseudowires, pseudowire traffic must be able to reserve and maintain the bandwidth needed to guarantee the service quality at a reasonable level. When network operators care more about reducing jitter and congestion for real-time traffic than directing traffic through a predetermined path, an MPLS traffic engineering tunnel with dynamic path option is more appropriate; this means that as long as a path satisfies the specified bandwidth requirement, it is considered a feasible path.
Example 9-17. Configuring Preferred Path Using Traffic Engineering Tunnel

PE1(config)#pseudowire-class PE1-P1-PE2
PE1(config-pw-class)#encapsulation mpls
PE1(config-pw-class)#preferred-path interface Tunnel1 ?
  disable-fallback  disable fall back to alternative route

Note

Step 2. Configure MPLS-enabled interfaces to support RSVP traffic engineering signaling. For interface Ethernet1/0, reserve 8000-Kbps bandwidth. For interface Serial3/0, reserve 1200-Kbps bandwidth.

PE1(config)#interface Ethernet1/0
PE1(config-if)#mpls traffic-eng tunnels
PE1(config-if)#ip rsvp bandwidth 8000
PE1(config-if)#exit
PE1(config)#interface Serial3/0
PE1(config-if)#mpls traffic-eng tunnels
PE1(config-if)#ip rsvp bandwidth 1200
PE2, of which the addresses are 10.23.11.2 and 10.23.21.2, respectively. The bandwidth requirement for this traffic engineering tunnel is 1000 Kbps.

PE1(config)#ip explicit-path name P1-PE2 enable
PE1(cfg-ip-expl-path)#next-address 10.23.11.2
Explicit Path name P1-PE2:
    1: next-address 10.23.11.2
PE1(cfg-ip-expl-path)#next-address 10.23.21.2
Explicit Path name P1-PE2:
    1: next-address 10.23.11.2
    2: next-address 10.23.21.2
PE1(cfg-ip-expl-path)#exit
PE1(config)#interface Tunnel1
PE1(config-if)#ip unnumbered Loopback0
PE1(config-if)#tunnel destination 10.1.1.2
PE1(config-if)#tunnel mode mpls traffic-eng
PE1(config-if)#tunnel mpls traffic-eng priority 7 7
PE1(config-if)#tunnel mpls traffic-eng bandwidth 1000
PE1(config-if)#tunnel mpls traffic-eng path-option 1 explicit name P1-PE2
Step 6. Verify the status of the MPLS traffic engineering tunnel with the explicit path using the show mpls traffic-eng tunnels command.

PE1#show mpls traffic-eng tunnels Tunnel1

Name: PE1_t1                              (Tunnel1) Destination: 10.1.1.2
  Status:
    Admin: up         Oper: up     Path: valid       Signalling: connected
    path option 1, type explicit P1-PE2 (Basis for Setup, path weight 128)

  Config Parameters:
    Bandwidth: 1000     kbps (Global)  Priority: 7  7   Affinity: 0x0/0xFFFF
    Metric Type: TE (default)
    AutoRoute:  disabled  LockDown: disabled  Loadshare: 1000      bw-based
    auto-bw: disabled

  Active Path Option Parameters:
    State: explicit path option 1 is active
    BandwidthOverride: disabled  LockDown: disabled  Verbatim: disabled
Step 7. Verify that the intermediate router P1 sets up the traffic engineering tunnel properly.

P1#show mpls traffic-eng tunnels

LSP Tunnel PE1_t1 is signalled, connection is up
  InLabel  : Serial2/0, 16
  OutLabel : Serial3/0, implicit-null
  RSVP Signalling Info:
       Src 10.1.1.1, Dst 10.1.1.2, Tun_Id 1, Tun_Instance 8
    RSVP Path Info:
      My Address: 10.23.11.2
      Explicit Route: 10.23.21.2 10.1.1.2
      Record   Route:  NONE
      Tspec: ave rate=1000 kbits, burst=1000 bytes, peak rate=1000 kbits
    RSVP Resv Info:
      Record   Route:  NONE
      Fspec: ave rate=1000 kbits, burst=1000 bytes, peak rate=1000 kbits
Step 8. On PE1, configure an MPLS traffic engineering tunnel with 5-Mbps guaranteed bandwidth.

PE1(config)#interface Tunnel2
PE1(config-if)#ip unnumbered Loopback0
PE1(config-if)#tunnel destination 10.1.1.2
PE1(config-if)#tunnel mode mpls traffic-eng
PE1(config-if)#tunnel mpls traffic-eng priority 7 7
PE1(config-if)#tunnel mpls traffic-eng bandwidth 5000
PE1(config-if)#tunnel mpls traffic-eng path-option 1 dynamic
Step 9. Verify the status of the MPLS traffic engineering tunnel by using the show mpls traffic-eng tunnels command.

PE1#show mpls traffic-eng tunnels Tunnel2

Name: PE1_t2                              (Tunnel2) Destination: 10.1.1.2
  Status:
    Admin: up         Oper: up     Path: valid       Signalling: connected
    path option 1, type dynamic (Basis for Setup, path weight 30)

  Config Parameters:
    Bandwidth: 5000     kbps (Global)  Priority: 7  7   Affinity: 0x0/0xFFFF
    Metric Type: TE (default)
    AutoRoute:  disabled  LockDown: disabled  Loadshare: 5000      bw-based
    auto-bw: disabled

  Active Path Option Parameters:
    State: dynamic path option 1 is active
    BandwidthOverride: disabled  LockDown: disabled  Verbatim: disabled

  InLabel  :
  OutLabel : Ethernet1/0, 22
  RSVP Signalling Info:
       Src 10.1.1.1, Dst 10.1.1.2, Tun_Id 2, Tun_Instance 16
    RSVP Path Info:
      My Address: 10.23.12.1
      Explicit Route: 10.23.12.2 10.33.23.2 10.33.23.3 10.23.23.2
                      10.23.23.1 10.1.1.2
      Record   Route:  NONE
      Tspec: ave rate=5000 kbits, burst=1000 bytes, peak rate=5000 kbits
    RSVP Resv Info:
      Record   Route:  NONE
      Fspec: ave rate=5000 kbits, burst=1000 bytes, peak rate=5000 kbits
  Shortest Unconstrained Path Info:
    Path Weight: 30 (TE)
    Explicit Route: 10.23.12.1 10.23.12.2 10.33.23.2 10.33.23.3
                    10.23.23.2 10.23.23.1 10.1.1.2
  History:
    Tunnel:
      Time since created: 9 minutes, 50 seconds
      Time since path change: 6 minutes, 27 seconds
    Current LSP:
      Uptime: 6 minutes, 27 seconds
Step 11. Verify that the PE2 sets up both traffic engineering tunnels correctly as the tailend.

PE2#show mpls traffic-eng tunnels

LSP Tunnel PE1_t1 is signalled, connection is up
  InLabel  : Serial3/0, implicit-null
  OutLabel :
  RSVP Signalling Info:
       Src 10.1.1.1, Dst 10.1.1.2, Tun_Id 1, Tun_Instance 8
    RSVP Path Info:
      My Address: 10.1.1.2
      Explicit Route: NONE
      Record   Route:  NONE
      Tspec: ave rate=1000 kbits, burst=1000 bytes, peak rate=1000 kbits
    RSVP Resv Info:
      Record   Route:  NONE
      Fspec: ave rate=1000 kbits, burst=1000 bytes, peak rate=1000 kbits

Notice that the disable-fallback option is enabled to prevent the traffic from taking the default route when the traffic engineering tunnel becomes unavailable.
Step 13. Configure a pseudowire class that prefers a high-bandwidth path.

PE1(config)#pseudowire-class High_Bandwidth
PE1(config-pw-class)#encapsulation mpls
PE1(config-pw-class)#preferred-path interface Tunnel2
Because the disable-fallback option is not present, the traffic takes the default route when
the high-bandwidth traffic engineering tunnel becomes unavailable.
Step 14. Provision the pseudowire of VC ID 200 with the explicit path and pseudowire 300 with the high-bandwidth path.

PE1(config)#interface Ethernet0/0.2
PE1(config-subif)#xconnect 10.1.1.2 200 pw-class PE1-P1-PE2
PE1(config-subif)#exit
PE1(config)#interface Ethernet0/0.3
PE1(config-subif)#xconnect 10.1.1.2 300 pw-class High_Bandwidth
The traffic engineering tunnel labels for pseudowires 200 and 300 are 16 and 22, respectively, which match the traffic engineering labels that P1 and P2 assign. Because the traffic engineering tunnels are from PE1 to PE2, the forwarding process on PE1 perceives PE2 as if it were directly connected through the tunnel interfaces. Therefore, the tunnel label fields have a label value of 3, which is the implicit-null label.
Upon completion of these steps, the network has two MPLS traffic engineering tunnels established from PE1 to PE2. Traffic engineering tunnels are always unidirectional. If you want the same forwarding properties for pseudowire traffic from PE2 to PE1, PE2 needs to configure its own traffic engineering tunnels toward PE1 by repeating Steps 5 through 15 with appropriate parameters.
Caution
Example 9-18. Configuration for Preferred Path Using MPLS Traffic Engineering Tunnel

hostname PE1
!
ip cef
mpls label protocol ldp
mpls ldp router-id Loopback0
mpls traffic-eng tunnels
pseudowire-class PE1-P1-PE2
 encapsulation mpls
 preferred-path interface Tunnel1 disable-fallback
!
pseudowire-class High_Bandwidth
 encapsulation mpls
 preferred-path interface Tunnel2
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
interface Tunnel1
 ip unnumbered Loopback0
 tunnel destination 10.1.1.2
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng priority 7 7
 tunnel mpls traffic-eng bandwidth 1000
 tunnel mpls traffic-eng path-option 1 explicit name P1-PE2
!
interface Tunnel2
 ip unnumbered Loopback0
 tunnel destination 10.1.1.2
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng priority 7 7
 tunnel mpls traffic-eng bandwidth 5000
 tunnel mpls traffic-eng path-option 1 dynamic
!
interface Ethernet0/0
 no ip address
!
interface Ethernet0/0.1
 encapsulation dot1Q 100
 xconnect 10.1.1.2 100 encapsulation mpls
!
interface Ethernet0/0.2
 encapsulation dot1Q 200
 xconnect 10.1.1.2 200 pw-class PE1-P1-PE2
!
interface Ethernet0/0.3
 encapsulation dot1Q 300
 xconnect 10.1.1.2 300 pw-class High_Bandwidth
!
interface Ethernet1/0
 ip address 10.23.12.1 255.255.255.0
 mpls ip
 mpls traffic-eng tunnels
 ip rsvp bandwidth 8000
!
interface Serial3/0
 ip address 10.23.11.1 255.255.255.0
 mpls ip
 mpls traffic-eng tunnels
 ip rsvp bandwidth 1200
!
router ospf 1
 mpls traffic-eng router-id Loopback0
 mpls traffic-eng area 0
 network 10.1.1.1 0.0.0.0 area 0
 network 10.23.11.0 0.0.0.255 area 0
 network 10.23.12.0 0.0.0.255 area 0
!
ip explicit-path name P1-PE2 enable
 next-address 10.23.11.2
 next-address 10.23.21.2
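As an added example that is not from the book, the following Python checks the headend show mpls traffic-eng tunnels output from Steps 6 and 9 the way the verification steps do by eye: tunnel state, the active path option type, the configured versus RSVP-signalled bandwidth, and whether the signalled Explicit Route visits the next-addresses of the explicit path in order. The sample is constructed from the case study output; Tunnel1's RSVP Path Info, which the book shows only from P1's side in Step 7, is assumed.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample modelled on the PE1 output in Steps 6 and 9, abridged to the
# fields the checker reads; Tunnel1's RSVP Path Info is assumed, not captured.
SAMPLE_TE_TUNNELS = """\
Name: PE1_t1                              (Tunnel1) Destination: 10.1.1.2
  Status:
    Admin: up         Oper: up     Path: valid       Signalling: connected
    path option 1, type explicit P1-PE2 (Basis for Setup, path weight 128)
  Config Parameters:
    Bandwidth: 1000     kbps (Global)  Priority: 7  7   Affinity: 0x0/0xFFFF
    RSVP Path Info:
      My Address: 10.23.11.1
      Explicit Route: 10.23.11.2 10.23.21.2 10.1.1.2
      Tspec: ave rate=1000 kbits, burst=1000 bytes, peak rate=1000 kbits
Name: PE1_t2                              (Tunnel2) Destination: 10.1.1.2
  Status:
    Admin: up         Oper: up     Path: valid       Signalling: connected
    path option 1, type dynamic (Basis for Setup, path weight 30)
  Config Parameters:
    Bandwidth: 5000     kbps (Global)  Priority: 7  7   Affinity: 0x0/0xFFFF
    RSVP Path Info:
      My Address: 10.23.12.1
      Explicit Route: 10.23.12.2 10.33.23.2 10.33.23.3 10.23.23.2
                      10.23.23.1 10.1.1.2
      Tspec: ave rate=5000 kbits, burst=1000 bytes, peak rate=5000 kbits
"""

IP_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def parse_te_tunnels(text: str) -> Dict[str, dict]:
    """Return {tunnel interface: fields} for every headend tunnel in the output."""
    tunnels: Dict[str, dict] = {}
    cur = None
    in_ero = False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Name: (\S+)\s+\((\S+)\) Destination: (\S+)", line)
        if m:
            cur = tunnels.setdefault(m.group(2), {"name": m.group(1), "dst": m.group(3), "ero": []})
            in_ero = False
            continue
        if cur is None:
            continue
        # A wrapped Explicit Route continues on lines that hold only addresses.
        if in_ero and line and all(IP_RE.match(h) for h in line.split()):
            cur["ero"].extend(line.split())
            continue
        in_ero = False
        m = re.match(r"Admin: (\w+)\s+Oper: (\w+)\s+Path: (\w+)\s+Signalling: (\w+)", line)
        if m:
            cur["admin"], cur["oper"], cur["path"], cur["signalling"] = m.groups()
            continue
        m = re.match(r"path option (\d+), type (explicit|dynamic)(?: (\S+))? "
                     r"\(Basis for Setup, path weight (\d+)\)", line)
        if m:
            cur["path_type"], cur["path_name"], cur["weight"] = m.group(2), m.group(3), int(m.group(4))
            continue
        m = re.match(r"Bandwidth: (\d+)\s+kbps", line)
        if m:
            cur["bandwidth"] = int(m.group(1))
            continue
        m = re.match(r"Explicit Route: (.*)", line)
        if m and not cur["ero"]:  # the first one is the RSVP-signalled ERO
            cur["ero"] = [h for h in m.group(1).split() if IP_RE.match(h)]
            in_ero = True
            continue
        m = re.match(r"Tspec: ave rate=(\d+) kbits", line)
        if m:
            cur["tspec_rate"] = int(m.group(1))
    return tunnels


def hops_in_order(ero: List[str], required: Iterable[str]) -> bool:
    """True when every required hop appears in the ERO, in the given order."""
    it = iter(ero)
    return all(any(h == want for h in it) for want in required)


def check_tunnel(t: dict, want_bw_kbps: int, want_type: str,
                 required_hops: Iterable[str] = ()) -> List[str]:
    """Findings for one tunnel; an empty list means it is up and built as intended."""
    required = tuple(required_hops)
    findings = []
    state = (t.get("admin"), t.get("oper"), t.get("path"), t.get("signalling"))
    if state != ("up", "up", "valid", "connected"):
        findings.append(f"state admin/oper/path/signalling is {state}")
    if t.get("path_type") != want_type:
        findings.append(f"active path option is {t.get('path_type')}, expected {want_type}")
    if t.get("bandwidth") != want_bw_kbps:
        findings.append(f"configured bandwidth {t.get('bandwidth')} kbps, expected {want_bw_kbps}")
    if t.get("tspec_rate") != want_bw_kbps:
        findings.append(f"RSVP Tspec reserves {t.get('tspec_rate')} kbps, expected {want_bw_kbps}")
    if not hops_in_order(t["ero"], required):
        findings.append(f"ERO {t['ero']} does not visit {list(required)} in order")
    return findings
```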
Besides using the preferred-path interface command, you can also direct pseudowire traffic to
an MPLS traffic engineering tunnel by using the preferred-path peer command. The net effect is
similar to using IP routing for the preferred path. The only difference is that the specified /32 host
route has a traffic engineering tunnel interface as the output interface instead of a physical
interface in the forwarding table.
When the traffic engineering tunnel is configured with the autoroute option, IGP can learn the host route through the traffic engineering tunnel interface. As a result, IGP forwards both IP and pseudowire packets through the traffic engineering tunnel for the routing prefixes it learns through the tunnel. To enable the option, configure the tunnel mpls traffic-eng autoroute announce command under the tunnel interface configuration mode.
MPLS traffic engineering automatically establishes and maintains LSPs across the MPLS core network using RSVP. Such LSPs are created based on the resource constraints that are configured and available network resources, such as bandwidth. IGP routing protocols such as IS-IS or OSPF announce available network resources using traffic engineering protocol extensions along with link state advertisements throughout the network.
In any network, links, routers, or both can fail because of unexpected events. Network operators include this factor in their network planning by having redundant links and routers at the physical or logical locations where the failures are most likely to happen. When such failure conditions occur, routers within the network might temporarily have inconsistent routing information. They might need to exchange routing updates and come up with a new, consistent view of the network. This process is known as network convergence. During network convergence, routing loops and black holes can cause packet loss. The longer the convergence takes, the larger the amount of packet loss.
The convergence time includes the amount of time for an adjacent router to detect the link (or router) failure. It also includes the amount of time for this router to distribute the information to all other routers and for all other routers to recalculate routes in the forwarding tables. Detecting a link failure requires physical and link layer-specific mechanisms. MPLS traffic engineering does not have a way to reduce the amount of time to detect failures. However, it can reduce the time required to distribute the failure information and update the forwarding tables by using the MPLS traffic engineering fast rerouting capability.
Prior to a failure, fast reroute calculates and establishes a protection traffic engineering tunnel around the link or node that is deemed vulnerable. Upon detecting such a failure, the backup tunnel takes over packet forwarding immediately. Rerouting typically takes less than 50 ms upon failure detection, and packet loss is kept minimal.
Before you enable fast reroute for an AToM pseudowire, you need to configure an MPLS traffic engineering tunnel as the preferred path, as shown in the previous case study. Then at the ingress PE where the traffic engineering tunnel headend is, you can use fast reroute options to configure a backup traffic engineering tunnel to protect the primary traffic engineering tunnel.
InFigure 9-4, a pseudowire takes the explicit path from PE1 to PE2 through P1. Suppose that
introductory case studies and comprehensive design scenarios. This book
the link between PE1 and P1 is considered vulnerable. PE1 provisions a fast reroute traffic
assists readers looking to meet those requirements by explaining the
engineering tunnel through P2 and P1 to circumvent the possible failing link. To configure the
history and implementation details of the two technologies available from
primary traffic engineering tunnel with the explicit path, refer to "Case Study 9-4: Configuring
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSa Preferred Path Using MPLS Traffic Engineering Tunnels."
based cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
IP cores. The structure of this book is focused on first introducing the
reader to Layer 2 VPN benefits and implementation requirements and
comparing them to those of Layer 3 based VPNs, such as MPLS, then
Figureprogressively
9-4. Protect
AToM Pseudowire with Fast Reroute
covering each currently available solution in greater detail.
[View full size image]
ISBN: 1-58705-168-0
Pages: 648
Assume that the pseudowire has been provisioned with a preferred path that uses MPLS traffic
Master
theas
world
of Layer
2 VPNs
provide
enhanced
services
and enjoy
engineering's explicit
path,
shown
in Case
Studyto
9-4.
The following
steps
describe
how to
productivity
gains traffic engineering tunnel.
enable fast reroute
on the primary
Step 1. Add an explicit path on PE1 that originates from the PE, traverses through P2, and ends at P1.

PE1(config)#ip explicit-path name P2-P1 enable
PE1(cfg-ip-expl-path)#next-address 10.23.12.2
Explicit Path name P2-P1:
    1: next-address 10.23.12.2
PE1(cfg-ip-expl-path)#next-address 10.33.23.1
Explicit Path name P2-P1:
    1: next-address 10.23.12.2
    2: next-address 10.33.23.1
Step 2. Provision a backup traffic engineering tunnel with the explicit path configured in Step 1. Note that the tailend of this backup tunnel is P1, and its IP address is 10.1.2.1.

PE1(config)#interface Tunnel100
PE1(config-if)#ip unnumbered Loopback0
PE1(config-if)#tunnel destination 10.1.2.1
PE1(config-if)#tunnel mode mpls traffic-eng
PE1(config-if)#tunnel mpls traffic-eng priority 7 7
PE1(config-if)#tunnel mpls traffic-eng bandwidth 1000
PE1(config-if)#tunnel mpls traffic-eng path-option 1 explicit name P2-P1
Step 3. Configure the primary traffic engineering tunnel with fast reroute protection. The initial tunnel interface configuration is as follows:

PE1#show running-config interface Tunnel1
Building configuration...

interface Tunnel1
 no ip directed-broadcast
 tunnel destination 10.1.1.2
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng priority 7 7
 tunnel mpls traffic-eng bandwidth 1000
 tunnel mpls traffic-eng path-option 1 explicit name P1-PE2
end

PE1#config t
Enter configuration commands, one per line. End with CNTL/Z.
PE1(config)#interface Tunnel1
PE1(config-if)#tunnel mpls traffic-eng fast-reroute
Step 4. Configure the protected link to use the backup tunnel. The interface that connects to the protected link on PE1 is Serial3/0.

    Fast Reroute Protection via {Tu100, outgoing label 16}

Notice that the fast reroute status for the primary tunnel is ready. This means that the backup tunnel is operational and ready to protect the primary tunnel.
Step 6. Verify the status of the AToM pseudowire with VC ID 200, which traverses the primary tunnel under normal conditions. Label 16 is the traffic engineering tunnel label.

    Tunnel label: 16, next hop point2point
    Output interface: Tu100, imposed label stack {16 16 24}
  Create time: 01:17:49, last status change time: 01:14:07
  Signaling protocol: LDP, peer 10.1.1.2:0 up
    MPLS VC labels: local 17, remote 24
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description:
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 111, send 114
    byte totals:   receive 33316, send 32384
    packet drops:  receive 0, send 5

Notice that the fast reroute status has changed from ready to active. The output interface for the pseudowire has switched from Tunnel1 to Tunnel100, and the label stack has become {16 16 24}. The top label 16 is the backup tunnel label, so that pseudowire packets can be forwarded to the tailend router P1 through the backup traffic engineering tunnel. The second label 16 is the primary tunnel label that P1 assigns. The last label 24 is the VC label for the pseudowire.
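To make the label operations just described concrete, the following Python, added here and not part of the book, walks a pseudowire packet through the primary path and through the fast reroute path using the labels from this case study; the assumption that both tunnel tail ends use penultimate hop popping is mine, not the book's.

```python
"""Added example, not code from the book: a small LFIB walk that follows the
pseudowire label stacks of this case study, {16 24} on Tunnel1 under normal
conditions and {16 16 24} on Tunnel100 once fast reroute is active.

Taken from the case study: VC label 24 (assigned by PE2), primary tunnel
label 16 (assigned by P1 for Tunnel1) and backup tunnel label 16 (assigned
by P2 for Tunnel100).  Assumed for the illustration: both tunnel tail ends
request penultimate hop popping, so P2 pops the backup label before handing
the packet to P1, and P1 pops the primary label before handing it to PE2."""
from dataclasses import dataclass

VC_LABEL = 24               # VC label PE2 assigned for VC ID 200
PRIMARY_TUNNEL_LABEL = 16   # label P1 assigned for the Tunnel1 LSP
BACKUP_TUNNEL_LABEL = 16    # label P2 assigned for the Tunnel100 LSP

# Per-node LFIB: incoming top label -> (operation, outgoing label, next hop).
# Only the entries the two tunnels need are modelled (constructed table).
LFIB = {
    "P1": {PRIMARY_TUNNEL_LABEL: ("pop", None, "PE2")},  # Tunnel1, tail end PE2
    "P2": {BACKUP_TUNNEL_LABEL: ("pop", None, "P1")},    # Tunnel100, tail end P1
}


@dataclass
class Packet:
    labels: list                 # label stack, top of stack first
    payload: str = "VLAN 200 frame"


def impose_at_pe1(frr_active):
    """Label stack PE1 imposes: {16 24} normally, {16 16 24} with FRR active.

    Fast reroute does not touch the stack the pseudowire already carries; it
    pushes the backup tunnel label on top, which is why the protected packet
    shows three labels in 'show mpls l2transport vc detail'."""
    stack = [PRIMARY_TUNNEL_LABEL, VC_LABEL]
    if frr_active:
        stack = [BACKUP_TUNNEL_LABEL] + stack
    return stack


def forward(node, pkt):
    """Apply one LFIB lookup at node to pkt and return the next hop."""
    top = pkt.labels[0]
    try:
        op, out_label, next_hop = LFIB[node][top]
    except KeyError:
        raise ValueError(f"{node}: no LFIB entry for label {top}") from None
    if op == "pop":
        pkt.labels.pop(0)
    elif op == "swap":
        pkt.labels[0] = out_label
    return next_hop


def trace(frr_active):
    """Walk a packet from PE1 to PE2.

    Returns (hops, stack seen on arrival at each P router, stack at PE2).
    Whichever tunnel PE1 uses, P1 receives {16 24}: the backup label has
    already been popped, and the primary label is the one P1 itself assigned."""
    pkt = Packet(labels=impose_at_pe1(frr_active))
    node = "P2" if frr_active else "P1"   # Tunnel100 exits towards P2, Tunnel1 towards P1
    hops = ["PE1", node]
    seen_on_arrival = {}
    while node != "PE2":
        seen_on_arrival[node] = list(pkt.labels)
        node = forward(node, pkt)
        hops.append(node)
    return hops, seen_on_arrival, pkt.labels


if __name__ == "__main__":
    for frr in (False, True):
        hops, seen, final = trace(frr)
        print("FRR active" if frr else "normal", "->", " > ".join(hops), seen, final)
```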
The configuration on PE1 after finishing these steps is shown in Example 9-19.

Example 9-19. Configuration for MPLS Fast Reroute Protected Pseudowire
hostname PE1
!
ip cef
mpls label protocol ldp
mpls ldp router-id Loopback0
mpls traffic-eng tunnels
!
pseudowire-class PE1-P1-PE2
 encapsulation mpls
 preferred-path interface Tunnel1 disable-fallback
!
pseudowire-class High_Bandwidth
 encapsulation mpls
 preferred-path interface Tunnel2
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
interface Tunnel1
 ip unnumbered Loopback0
 tunnel destination 10.1.1.2
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng priority 7 7
 tunnel mpls traffic-eng bandwidth 1000
 tunnel mpls traffic-eng path-option 1 explicit name P1-PE2
 tunnel mpls traffic-eng fast-reroute
!
interface Tunnel2
 tunnel mpls traffic-eng bandwidth 5000
 tunnel mpls traffic-eng path-option 1 dynamic
!
interface Tunnel100
 ip unnumbered Loopback0
 no ip directed-broadcast
 tunnel destination 10.1.2.1
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng priority 7 7
 tunnel mpls traffic-eng bandwidth 1000
 tunnel mpls traffic-eng path-option 1 explicit name P2-P1
!
interface Ethernet0/0
 no ip address
!
interface Ethernet0/0.1
 encapsulation dot1Q 100
 xconnect 10.1.1.2 100 encapsulation mpls
!
interface Ethernet0/0.2
 encapsulation dot1Q 200
 xconnect 10.1.1.2 200 pw-class PE1-P1-PE2
!
interface Ethernet0/0.3
 encapsulation dot1Q 300
 xconnect 10.1.1.2 300 pw-class High_Bandwidth
!
interface Ethernet1/0
 ip address 10.23.12.1 255.255.255.0
 mpls ip
 mpls traffic-eng tunnels
 ip rsvp bandwidth 8000
!
interface Serial3/0
 ip address 10.23.11.1 255.255.255.0
 mpls ip
 mpls traffic-eng tunnels
 mpls traffic-eng backup-path Tunnel100
 ip rsvp bandwidth 1200
!
router ospf 1
 mpls traffic-eng router-id Loopback0
 mpls traffic-eng area 0
 network 10.1.1.1 0.0.0.0 area 0
 network 10.23.11.0 0.0.0.255 area 0
 network 10.23.12.0 0.0.0.255 area 0
!
ip explicit-path name P1-PE2 enable
 next-address 10.23.11.2
 next-address 10.23.21.2
!
ip explicit-path name P2-P1 enable
 next-address 10.23.12.2
 next-address 10.33.23.1
Typically, when AToM pseudowire packets traverse an MPLS network, they carry label stacks that have more than one label. As described in Chapter 3, "Layer 2 VPN Architectures," each label represents an LSP. The top label is responsible for delivering pseudowire packets from one PE router to another through a tunnel LSP; therefore, it is known as the tunnel label. The tunnel label serves as an encapsulation header for the rest of the packet, which has little dependency on the tunnel label. Analogically, the relationship is somewhat like that of the IP header of an IP packet to the payload it carries. When an IP header or GRE/IP header replaces the tunnel label, this has little impact on the pseudowire emulation functionality.

This case study explores the deployment model of transporting AToM pseudowire packets over GRE tunnels. Although this model enables you to deploy AToM pseudowires in any IP or MPLS network, they are most efficient and advantageous in networks that do not have MPLS forwarding; for example, where the pseudowire endpoints are located in MPLS edge routers with a plain IP core network, or in two separate MPLS networks connected by a transit network with plain IP forwarding. With pseudowire emulation in MPLS networks, you should choose the native MPLS tunnel label to reduce encapsulation overhead and leverage advanced features, such as MPLS traffic engineering and fast reroute.

Forwarding pseudowire traffic over a GRE tunnel is quite similar to that over an MPLS traffic engineering tunnel with the autoroute option, where both IP and pseudowire packets can go through the same tunnel. You cannot use the preferred-path interface command with a GRE tunnel interface.

As illustrated in Figure 9-5, the PE routers are enabled with MPLS services, but the core network runs plain IP forwarding only.

Figure 9-5. AToM Pseudowire over GRE Tunnel

The following steps configure an AToM pseudowire to traverse the IP network through a GRE tunnel:
Step 1. Enable MPLS forwarding and set the MPLS label protocol to LDP in the global configuration mode on PE3.

PE3(config)#ip cef
PE3(config)#mpls ip
PE3(config)#mpls label protocol ldp

Step 3. Configure a GRE tunnel interface on PE3, and set the tunnel source and destination addresses to be a routable address on PE3 and PE4, respectively.

PE3(config-if)#interface Tunnel1
PE3(config-if)#ip unnumbered Loopback0

Step 4. To avoid recursive routing loops, make sure the tunnel destination address does not use the tunnel interface as the outgoing interface. You can accomplish this by using static routes or dynamic routing protocols. Here, OSPF runs on the core-facing network interface.

PE3(config)#router ospf 1
PE3(config-router)#network 172.16.34.0 0.0.0.255 area 0
Step 5. Enable MPLS forwarding on the GRE tunnel interface. This step is necessary so that MPLS applications see the tunnel interface as a feasible outgoing interface for MPLS traffic.

PE3(config-if)#interface Tunnel1
PE3(config-if)#mpls ip

Step 6. Add a static route to redirect pseudowire traffic into the tunnel interface.

PE3(config)#ip route 172.16.1.2 255.255.255.255 Tunnel1

Step 7. Provision an AToM pseudowire on the CE-facing interface.

PE3(config)#interface Ethernet0/0.1
PE3(config-subif)#encapsulation dot1Q 100
PE3(config-subif)#xconnect 172.16.1.2 100 encapsulation mpls

Step 8. Repeat Steps 1 through 7 on PE4 with appropriate parameters.
Step 9. Verify the tunnel interface status and encapsulation using the show interface and show adjacency commands.

PE3#show interface Tunnel1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Interface is unnumbered. Using address of Loopback0 (172.16.1.1)
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, rely 255/255, load 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 172.16.34.1 (Serial2/0), destination 172.16.44.1
  Tunnel protocol/transport GRE/IP, sequencing disabled
  Tunnel TTL 255
  Key disabled
  Checksumming of packets disabled, fast tunneling enabled
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     25314 packets input, 2578630 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     26389 packets output, 2905870 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

PE3#show adjacency Tunnel1 detail
Protocol Interface                 Address
TAG      Tunnel1                   point2point(5)
                                   2148 packets, 856752 bytes
                                   4500000000000000FF2F15ACAC102201
                                   AC102C0100008847
                                   TFIB never
                                   Epoch: 0
IP       Tunnel1                   point2point(7)
                                   0 packets, 0 bytes
                                   4500000000000000FF2F15ACAC102201
                                   AC102C0100000800
                                   CEF expires: 00:02:16
                                   refresh: 00:00:16
                                   Epoch: 0

The output of the show adjacency command contains two adjacency entries. The tag adjacency is for MPLS traffic, such as the AToM pseudowire traffic, and the IP adjacency is for IP traffic. Notice that the GRE tunnel encapsulation for switching MPLS traffic consists of an IP header and a GRE header. The IP header contains an IP protocol type 47 (0x2F) indicating a GRE payload packet, and the tunnel source and destination addresses are in hex format (0xAC102201, 0xAC102C01). The GRE header has a protocol type 0x8847 for MPLS unicast traffic.
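As an added example that is not part of the book, the following Python decodes the two adjacency encapsulation strings above into their IPv4 and GRE fields, verifies the IPv4 header checksum, and computes the overhead this GRE model adds compared with a native MPLS tunnel label; its only inputs are the two hex strings copied from the output.

```python
"""Added example, not code from the book: decode the two adjacency
encapsulation strings that 'show adjacency Tunnel1 detail' printed for the
GRE tunnel, and measure the encapsulation overhead this model adds.

The two hex strings are copied from the case study output; every field
below is parsed from them.  Nothing else about the routers is assumed."""
import struct

TAG_ADJ_ENCAP = "4500000000000000FF2F15ACAC102201AC102C0100008847"  # tag adjacency
IP_ADJ_ENCAP = "4500000000000000FF2F15ACAC102201AC102C0100000800"   # IP adjacency

IP_PROTO_GRE = 47
GRE_PROTOCOL_NAMES = {0x8847: "MPLS unicast", 0x8848: "MPLS multicast", 0x0800: "IPv4"}


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum; returns 0 when a stored checksum verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_gre_encap(hexstr):
    """Parse a 20-byte IPv4 header followed by a 4-byte GRE header."""
    data = bytes.fromhex(hexstr)
    if len(data) < 24:
        raise ValueError("need 20 bytes of IPv4 header plus 4 bytes of GRE header")
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto,
     _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) != 5:
        raise ValueError("not an IPv4 header without options")
    gre_flags, gre_proto = struct.unpack("!HH", data[20:24])
    return {
        "ip_ttl": ttl,                      # 0xFF: matches 'Tunnel TTL 255'
        "ip_protocol": proto,               # 0x2F = 47, GRE
        "is_gre": proto == IP_PROTO_GRE,
        "ip_src": ".".join(map(str, src)),  # 0xAC102201 -> tunnel source
        "ip_dst": ".".join(map(str, dst)),  # 0xAC102C01 -> tunnel destination
        # Total length and identification are zero in the cached template
        # and are only filled in when a packet is actually forwarded.
        "ip_total_length": total_len,
        "ip_identification": ident,
        "ip_checksum_ok": ipv4_checksum(data[:20]) == 0,
        "gre_flags": gre_flags,             # 0x0000: no key, sequencing or checksum
        "gre_protocol": gre_proto,
        "gre_protocol_name": GRE_PROTOCOL_NAMES.get(gre_proto, "unknown"),
    }


def mpls_shim(label, bottom_of_stack, ttl=255, exp=0):
    """One RFC 3032 label stack entry: 20-bit label, 3-bit EXP, S bit, TTL."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom_of_stack) << 8) | ttl)


def build_pseudowire_packet(hexstr, labels, frame):
    """GRE/IP header from the adjacency, then the imposed label stack, then the frame."""
    stack = b"".join(mpls_shim(lbl, i == len(labels) - 1) for i, lbl in enumerate(labels))
    return bytes.fromhex(hexstr) + stack + frame


def encapsulation_overhead(over_gre, stack_depth):
    """Bytes added in front of the customer frame: 24 for GRE/IP, 4 per label."""
    return (24 if over_gre else 0) + 4 * stack_depth


if __name__ == "__main__":
    for name, encap in (("TAG", TAG_ADJ_ENCAP), ("IP", IP_ADJ_ENCAP)):
        print(name, decode_gre_encap(encap))
    # Pseudowire over GRE with stack {16} versus native MPLS with stack {16 24}
    print("GRE overhead:", encapsulation_overhead(True, 1),
          "native MPLS overhead:", encapsulation_overhead(False, 2))
```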
Step 10. Verify the pseudowire status by using the show mpls l2transport vc detail command.

PE3#show mpls l2transport vc detail
Local interface: Et0/0.1 up, line protocol up, Eth VLAN 100 up
  Destination address: 172.16.1.2, VC ID: 100, VC status: up
    Preferred path: not configured
    Default path: active
    Tunnel label: imp-null, next hop point2point
    Output interface: Tu1, imposed label stack {16}
  Create time: 17:47:08, last status change time: 17:46:36
  Signaling protocol: LDP, peer 172.16.1.2:0 up
    MPLS VC labels: local 16, remote 16
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description:
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 1070, send 1070
    byte totals:   receive 398956, send 398956
    packet drops:  receive 0, send 0

Notice that the output interface of the pseudowire is the GRE tunnel interface. The tunnel label is the implicit null label, as if the two PE routers were connected directly.
Example 9-20. Configuration for AToM Pseudowire over GRE Tunnel

PE3

hostname PE3
!
ip cef
mpls label protocol ldp
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface Tunnel1
 ip unnumbered Loopback0
 mpls ip
 tunnel source Serial2/0
 tunnel destination 172.16.44.1
!
interface Ethernet0/0
 no ip address
!
interface Ethernet0/0.1
 encapsulation dot1Q 100
 xconnect 172.16.1.2 100 encapsulation mpls
!
interface Serial2/0
 ip address 172.16.34.1 255.255.255.0
!
router ospf 1
 network 172.16.34.0 0.0.0.255 area 0
!
ip route 172.16.1.2 255.255.255.255 Tunnel1

PE4

!
ip cef
mpls label protocol ldp
!
interface Loopback0
 ip address 172.16.1.2 255.255.255.255
!
interface Tunnel1
 ip unnumbered Loopback0
 mpls ip
 tunnel source Serial2/0
 tunnel destination 172.16.34.1
!
interface Ethernet0/0
 no ip address
!
interface Ethernet0/0.1
 encapsulation dot1Q 100
 xconnect 172.16.1.1 100 encapsulation mpls
!
interface Serial2/0
 ip address 172.16.44.1 255.255.255.0
!
router ospf 1
 network 172.16.44.0 0.0.0.255 area 0
!
ip route 172.16.1.1 255.255.255.255 Tunnel1
different autonomous systems.
Figure 9-6 illustrates an example of connecting ACs across the autonomous system boundary. Suppose that the AC of Ethernet VLAN 100 on CE1 in AS100 needs to be connected to the one on CE4 in AS200, and the AC of Ethernet VLAN 200 on CE2 in AS100 needs to be connected to the one on CE3 in AS200. The following case studies present three different solutions to accomplish the goal. Each solution has its own merits and applicable deployment scenarios.

Figure 9-6. Pseudowire Emulation in Multi-AS Networks
Instead of building end-to-end pseudowires across the autonomous system boundary, each ASBR acts as a PE router and provides pseudowire emulation services. Essentially, each ASBR treats the peering ASBR in a different domain as a CE router and the links between the ASBRs as ACs. In the pseudowire emulation architecture, the connectivity between CE and PE devices is at Layer 2. In theory, Layer 3 connectivity is not required between ASBRs if only pseudowire emulation services are required. However, ASBRs typically provide interdomain routing services, too, so Layer 3 connectivity is configured in the example. MPLS forwarding is not required between ASBRs in this deployment model.
As shown in Figure 9-7, a pseudowire with VC ID 100 is provisioned between PE1 and ASBR1 in AS100. A pseudowire with VC ID 100 is also provisioned between PE4 and ASBR2 in AS200. To have end-to-end connectivity between CE1 and CE4, ASBR1 and ASBR2 allocate a dedicated Ethernet VLAN 100 and use it as the common AC for both pseudowires. It is not mandatory for both pseudowires to have the same VC ID, but it is a good self-documenting practice. Similarly, CE2 and CE3 are connected by concatenating a pseudowire to a dedicated Ethernet VLAN 200 and then to another pseudowire. BGP is configured between ASBRs to exchange interdomain routing information, but it is not essential for inter-AS pseudowire emulation in this particular case.
!
interface Ethernet0/0
 no ip address
!
interface Ethernet0/0.1
 encapsulation dot1Q 100
 xconnect 10.1.1.3 100 encapsulation mpls
!
interface Ethernet1/0
 ip address 10.23.12.1 255.255.255.0
 mpls ip
!
interface Serial3/0
 ip address 10.23.11.1 255.255.255.0
 mpls ip
!
router ospf 1
 network 10.1.1.1 0.0.0.0 area 0
 network 10.23.11.0 0.0.0.255 area 0
 network 10.23.12.0 0.0.0.255 area 0
On PE2, configure the pseudowire with VC ID 200 on the AC that connects to CE2, as shown in Example 9-23.

Example 9-23. PE2 Pseudowire Configuration
interface Serial3/0
 ip address 10.23.21.2 255.255.255.0
 mpls ip
!
router ospf 1
 network 10.1.1.2 0.0.0.0 area 0
 network 10.23.21.0 0.0.0.255 area 0
 network 10.23.23.0 0.0.0.255 area 0
On PE3, configure the pseudowire with VC ID 200 on the AC that connects to CE3, as shown in Example 9-24.
hostname PE3
!
ip cef
mpls label protocol ldp
mpls ldp router-id Loopback0
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface Ethernet0/0
 no ip address
!
interface Ethernet0/0.2
 encapsulation dot1Q 200
 xconnect 172.16.1.3 200 encapsulation mpls
!
interface Serial2/0
 ip address 172.16.34.1 255.255.255.0
 mpls ip
!
router ospf 1
 network 172.16.1.1 0.0.0.0 area 0
 network 172.16.34.0 0.0.0.255 area 0
On PE4, configure the pseudowire with VC ID 100 on the AC that connects to CE4, as shown in Example 9-25.

Example 9-25. PE4 Pseudowire Configuration
hostname PE4
!
ip cef
mpls label protocol ldp
mpls ldp router-id Loopback0
!
interface Loopback0
 ip address 172.16.1.2 255.255.255.255
!
interface Ethernet0/0
 no ip address
!
interface Ethernet0/0.1
 encapsulation dot1Q 100
 xconnect 172.16.1.3 100 encapsulation mpls
!
interface Serial2/0
 ip address 172.16.44.1 255.255.255.0
 mpls ip
!
router ospf 1
 network 172.16.1.2 0.0.0.0 area 0
 network 172.16.44.0 0.0.0.255 area 0
When you are using dedicated circuits between ASBRs, ensure that the encapsulation of these circuits matches that of the ACs between CE and PE routers, because the ASBRs effectively act as PE routers. In this example, the connection between ASBR1 and ASBR2 is Ethernet.

On ASBR1, configure the pseudowire with VC ID 100 and the pseudowire with VC ID 200 on the corresponding dedicated circuits, as shown in Example 9-26.

On ASBR2, configure the pseudowire with VC ID 100 and the pseudowire with VC ID 200 on the corresponding dedicated circuits, as shown in Example 9-27.
hostname ASBR2
!
ip cef
mpls label protocol ldp
mpls ldp router-id Loopback0
!
interface Loopback0
 ip address 172.16.1.3 255.255.255.255
!
interface Ethernet0/0
 description Connect to ASBR1 in AS100
 ip address 172.16.100.2 255.255.255.0
!
interface Ethernet0/0.1
 encapsulation dot1Q 100
 xconnect 172.16.1.2 100 encapsulation mpls
!
interface Ethernet0/0.2
 encapsulation dot1Q 200
 xconnect 172.16.1.1 200 encapsulation mpls
!
interface Ethernet1/0
 ip address 172.16.24.2 255.255.255.0
 mpls ip
!
router ospf 1
 network 172.16.1.3 0.0.0.0 area 0
 network 172.16.24.0 0.0.0.255 area 0
!
router bgp 200
 no synchronization
 neighbor 172.16.100.1 remote-as 100
 no auto-summary
When considering this deployment model for inter-AS pseudowire emulation services, you need to evaluate the following restrictions that are associated with it:

To be interconnected, the Layer 2 encapsulation of the links between ASBRs must be identical to that of the ACs.

The number of dedicated circuits or virtual circuits between ASBRs can be limited. For example, ASBR1 and ASBR2 are connected through an Ethernet connection that can support up to 4096 802.1q VLANs, which is 4096 dedicated circuits at most.

In the future, when you can replace dedicated circuits with pseudowires for inter-AS pseudowire emulation services, these restrictions should be eliminated.
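Both restrictions can be verified mechanically before a stitched pseudowire is brought up. The following Python script is an added example, not code from the book: it parses the xconnect and dot1Q lines of two ASBR configurations, using the ASBR2 listing from Example 9-27 and a constructed ASBR1 counterpart (Example 9-26 is not on this page), and reports any dedicated VLAN missing on one side, any xconnect aimed at the wrong PE, and a VLAN count beyond what one 802.1q link carries.

```python
"""Stitching check for inter-AS pseudowires over dedicated VLANs.

Added example, not code from the book. It parses the xconnect and dot1Q lines
of two ASBR configurations and checks the restrictions the text names: the
dot1Q tag used as the common AC must exist on both ASBRs, each ASBR must
xconnect that VLAN to the PE owning the matching AC, and the number of
dedicated VLANs must fit one 802.1q link.
"""
import re
from dataclasses import dataclass
from typing import Optional

MAX_DOT1Q_VLANS = 4096  # ceiling the text quotes for one Ethernet link


@dataclass(frozen=True)
class Xconnect:
    interface: str
    vlan: Optional[int]  # None when the AC is not a dot1Q subinterface
    peer: str            # pseudowire endpoint (remote PE loopback)
    vc_id: int
    encap: str


def parse_xconnects(config: str) -> list[Xconnect]:
    """One Xconnect per 'xconnect' line, tagged with its interface and VLAN."""
    found: list[Xconnect] = []
    iface: Optional[str] = None
    vlan: Optional[int] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface, vlan = line.split(None, 1)[1], None
        elif m := re.fullmatch(r"encapsulation dot1[qQ] (\d+)", line):
            vlan = int(m.group(1))
        elif m := re.fullmatch(r"xconnect (\S+) (\d+) encapsulation (\S+)", line):
            found.append(Xconnect(iface or "?", vlan, m.group(1), int(m.group(2)), m.group(3)))
    return found


def check_stitching(cfg_a: str, cfg_b: str,
                    ac_owner: dict[int, tuple[str, str]]) -> list[str]:
    """Compare the dedicated circuits of ASBR-A and ASBR-B.

    ac_owner maps each dedicated VLAN to (PE that ASBR-A must xconnect to,
    PE that ASBR-B must xconnect to). An empty result means a clean stitch.
    """
    findings: list[str] = []
    a = {x.vlan: x for x in parse_xconnects(cfg_a) if x.vlan is not None}
    b = {x.vlan: x for x in parse_xconnects(cfg_b) if x.vlan is not None}

    # Restriction 1: the Layer 2 encapsulation (the dot1Q tag) must be the
    # same on both ends of the ASBR link, or the two pseudowires never meet.
    for vlan in sorted(set(a) ^ set(b)):
        side = "B" if vlan in a else "A"
        findings.append(f"VLAN {vlan} has no matching dot1Q subinterface on ASBR-{side}")

    # Each ASBR must terminate the VLAN toward the PE on its own side.
    for vlan, (want_a, want_b) in ac_owner.items():
        for side, table, want in (("A", a, want_a), ("B", b, want_b)):
            x = table.get(vlan)
            if x is None:
                findings.append(f"VLAN {vlan} is not configured on ASBR-{side}")
            elif x.peer != want:
                findings.append(f"VLAN {vlan} on ASBR-{side} points at {x.peer}, expected {want}")
            elif x.encap != "mpls":
                findings.append(f"VLAN {vlan} on ASBR-{side} uses {x.encap}, expected mpls")

    # Restriction 2: one 802.1q link yields at most MAX_DOT1Q_VLANS circuits.
    if len(set(a) | set(b)) > MAX_DOT1Q_VLANS:
        findings.append("more dedicated VLANs than one 802.1q link can carry")
    return findings


# ASBR2 as listed in Example 9-27 (only the lines the checker reads).
ASBR2_CFG = """
interface Ethernet0/0.1
 encapsulation dot1Q 100
 xconnect 172.16.1.2 100 encapsulation mpls
!
interface Ethernet0/0.2
 encapsulation dot1Q 200
 xconnect 172.16.1.1 200 encapsulation mpls
"""

# Constructed ASBR1 counterpart (Example 9-26 is not on this page): VLAN 100
# stitches to PE1 (10.1.1.1) and VLAN 200 to PE2 (10.1.1.2).
ASBR1_CFG = """
interface Ethernet0/0.1
 encapsulation dot1Q 100
 xconnect 10.1.1.1 100 encapsulation mpls
!
interface Ethernet0/0.2
 encapsulation dot1Q 200
 xconnect 10.1.1.2 200 encapsulation mpls
"""

# VLAN -> (PE reached from ASBR1, PE reached from ASBR2), per Figure 9-7.
AC_OWNERS = {100: ("10.1.1.1", "172.16.1.2"), 200: ("10.1.1.2", "172.16.1.1")}

if __name__ == "__main__":
    for line in check_stitching(ASBR1_CFG, ASBR2_CFG, AC_OWNERS) or ["stitching is consistent"]:
        print(line)
```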
Note

A new pseudowire emulation solution is being developed at press time to replace the dedicated circuits between ASBRs with pseudowires. In other words, disjointed pseudowires of different autonomous systems can be interconnected through another set of pseudowires that is established between ASBRs. You can imagine that the end-to-end connectivity is provided by "stitching" several pseudowires together. By replacing dedicated circuits with pseudowires, pseudowire emulation in multi-AS networks achieves better flexibility and scalability.
Case Study 9-8: BGP IPv4 Label Distribution with IGP Redistribution
To provide edge-to-edge network connectivity for pseudowires within a single autonomous system, you need to have the /32 host routes of PE routers and the corresponding labels, which you learn through IGP and LDP (or RSVP if you are using MPLS traffic engineering). One solution for obtaining the same level of connectivity in a multi-AS environment is by using external BGP (eBGP) to exchange the /32 host routes of PE devices and the corresponding labels across the autonomous system boundaries and then redistributing the /32 host routes learned through EBGP into IGP. From the point of view of the PE routers, this is similar to the single autonomous system scenario except that the /32 host routes appear to be of IGP external types in the routing tables. Instead of using LDP, ASBRs piggyback IPv4 label information along with the host route advertisements in BGP update messages so that ASBRs can set up LSPs between one another for these host routes. Figure 9-8 illustrates such an example.

Figure 9-8. Inter-AS Pseudowire Emulation with IGP Redistribution
To provide the same end-to-end inter-AS pseudowire emulation services, you configure PE1,
PE2, PE3, and PE4 identically to "Case Study 9-7: Interconnecting Pseudowires with Dedicated
Circuits," except the pseudowire endpoint addresses. On ASBR1 and ASBR2, BGP is configured
to announce /32 host routes of PE1, PE2, PE3, and PE4 to the remote autonomous system. To
distribute IPv4 labels for these routes, ASBR1 and ASBR2 specify the send-label keyword in the BGP neighbor command.

The following configuration gives you some examples of how to configure the PE and ASBR routers to use BGP IPv4 label distribution with IGP redistribution to provide inter-AS pseudowire connectivity.

On PE1, configure the router ID and the pseudowire with VC ID 100 on the AC that connects to CE1, as shown in Example 9-28.

On PE2, configure the router ID and the pseudowire with VC ID 200 on the AC that connects to CE2, as shown in Example 9-29.

On PE4, configure the router ID and the pseudowire with VC ID 100 on the AC that connects to CE4, as shown in Example 9-31.
interface Loopback0
 ip address 172.16.1.2 255.255.255.255
interface Ethernet0/0.1
 encapsulation dot1Q 100
 xconnect 10.1.1.1 100 encapsulation mpls
On ASBR1, configure BGP IPv4 label distribution and redistribute BGP routes into OSPF, as shown in Example 9-32.
hostname ASBR1
!
ip cef
mpls label protocol ldp
!
interface Loopback0
 ip address 10.1.1.3 255.255.255.255
!
interface Ethernet0/0
 description Connect to ASBR2 in AS200
 ip address 172.16.100.1 255.255.255.0
!
interface Ethernet1/0
 ip address 10.43.11.2 255.255.255.0
 mpls ip
!
router ospf 1
 redistribute bgp 100 subnets
 network 10.1.1.3 0.0.0.0 area 0
 network 10.43.11.0 0.0.0.255 area 0
 default-metric 20
!
router bgp 100
 neighbor 172.16.100.2 remote-as 200
 !
 address-family ipv4
  neighbor 172.16.100.2 activate
  neighbor 172.16.100.2 send-label
  no auto-summary
  no synchronization
  network 10.1.1.1 mask 255.255.255.255
  network 10.1.1.2 mask 255.255.255.255
 exit-address-family
On ASBR2, configure BGP IPv4 label distribution and redistribute BGP routes into OSPF, as shown in Example 9-33.

 ip address 172.16.24.2 255.255.255.0
 mpls ip
!
router ospf 1
 redistribute bgp 200 subnets
 network 172.16.1.3 0.0.0.0 area 0
 network 172.16.24.0 0.0.0.255 area 0
 default-metric 20
!
router bgp 200
 neighbor 172.16.100.1 remote-as 100
 !
 address-family ipv4
  neighbor 172.16.100.1 activate
  neighbor 172.16.100.1 send-label
  no auto-summary
  no synchronization
  network 172.16.1.1 mask 255.255.255.255
  network 172.16.1.2 mask 255.255.255.255
 exit-address-family
On ASBR1 and ASBR2, the /32 addresses of the PE routers appear as BGP routes, as shown in Example 9-34.

Example 9-34. Host Routes of PE Routers on ASBR1 and ASBR2
One caveat for this deployment model is that /32 host routes are injected into the IGP routing domain through redistributions; therefore, every transit router in the same IGP routing domain installs these host routes. As shown in Example 9-36, transit routers P1, P2, and P3 all see the host routes for PE3 and PE4 in their routing tables, and P4 has host routes for PE1 and PE2.

Example 9-36. Transit Routers Learn Host Routes for PE1 and PE2
P1#show ip route ospf
     172.16.0.0/32 is subnetted, 2 subnets
O E2    172.16.1.1 [110/20] via 10.43.11.2, 00:01:31, Ethernet1/0
O E2    172.16.1.2 [110/20] via 10.43.11.2, 00:01:31, Ethernet1/0
Case Study 9-9: BGP IPv4 Label Distribution with IBGP Peering
Using IGP redistribution of BGP routes, all transit routers in the IGP routing domain install the
routes to their routing tables. If the BGP routing database also contains Internet routes, the
number of entries that is redistributed into IGP is enormous. Applying route maps that only
allow PE host routes to be redistributed at ASBRs can mitigate the IGP routing table explosion.
However, when the number of host routes to be filtered increases, the configuration task
becomes quite tedious and the routing table size of the transit routers still grows. To solve this
problem, PE routers can establish internal BGP (IBGP) sessions with ASBRs within the same
autonomous system so that external routes are distributed via IBGP sessions. This confines the
external routes within the BGP routing domain, and the transit routers that do not participate
in BGP routing never see these external routes.
After the IBGP sessions are established, these host routes are still missing in the routing tables on PE devices. For example, the routing table on PE1 does not have the entry for PE4 (see Example 9-37).

Example 9-37. Host Route for PE4 Not in IP Routing Table on PE1
PE1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR
Gateway of last resort is not set
C       10.23.11.0/24 is directly connected, Serial3/0
O       10.43.11.0/24 [110/30] via 10.23.12.2, 02:59:03, Ethernet1/0
O       10.33.23.0/24 [110/20] via 10.23.12.2, 02:59:03, Ethernet1/0
Master the world of Layer 2 VPNs to provide enhanced services and enjoy
A closer examination
of the BGP
routing table on PE1 reveals the problem. The host route entry
productivity
gains
172.16.1.2 for PE4 exists in the BGP routing table, but its next-hop address, 172.16.100.2, is
inaccessible from PE1 (see Example 9-38).
Learn about Layer 2 Virtual Private Networks (VPNs)
Reduce
costs for
and PE4
extend
reach
of your services
Example 9-38. Host
Route
inthe
BGP
Routing
Table by
onunifying
PE1 your
network architecture
Gain from the first book to address Layer 2 VPN application utilizing
PE1#show ip bgp 172.16.1.2
BGP routing table entry for 172.16.1.2/32, version 68
Paths: (1 available, no best path)
  Not advertised to any peer
  200
    172.16.100.2 (inaccessible) from 10.1.1.3 (10.1.1.3)
      Origin IGP, metric 75, localpref 100, valid, internal
The address 172.16.100.2 is of the interface Ethernet0/0 on ASBR2, which announces the host route 172.16.1.2 with the next-hop address set to 172.16.100.2. When ASBR1 relays this host route to PE1 through IBGP, the next-hop address is kept intact by default. The interface Ethernet0/0 on ASBR1 is directly connected to the interface Ethernet0/0 on ASBR2. Typically, IGP routing is not enabled on these interfaces, which means the interfaces are not reachable from the PE routers through IGP routing. You can fix this problem in several ways. For example, you can enable IGP routing on these interfaces and set them as passive interfaces, or you can configure the ASBRs as the next hop in the IBGP peering. For the sake of simplicity, the ASBRs are configured with the next-hop-self keyword in the BGP neighbor command for the IBGP peers in this case study.
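The next-hop resolution that PE1 performs can be reproduced offline from the show output. The following Python script is an added example, not code from the book: it parses the show ip bgp entry from Example 9-38 and a constructed show ip route table for PE1 (addresses taken from the configurations above), resolves each BGP next hop with a longest-prefix lookup, and shows that 172.16.100.2 fails to resolve while 10.1.1.3, the next hop once ASBR1 applies next-hop-self, resolves through OSPF.

```python
"""Detect IBGP paths whose next hop the IGP cannot resolve.

Added example, not code from the book. A PE uses a BGP path only if its
next hop resolves in the routing table; when ASBR1 relays the route with
the next hop left at the ASBR-ASBR link address, the lookup fails on PE1
(Example 9-38) and succeeds once ASBR1 applies next-hop-self.
"""
import ipaddress
import re
from typing import Optional

# "     172.16.0.0/32 is subnetted, 2 subnets": the routes that follow omit /len.
SUBNET_HDR_RE = re.compile(r"^\s+\S+/(?P<len>\d+) is subnetted")
# "O E2    172.16.1.1 [110/20] ..." or "C       10.23.12.0/24 is directly ..."
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\S*(?: [A-Z]\d)?)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)(?:/(?P<len>\d+))?")
# Next-hop line of "show ip bgp <prefix>", with or without "(inaccessible)".
NEXT_HOP_RE = re.compile(r"^\s+(?P<nh>\d+\.\d+\.\d+\.\d+)(?: \(inaccessible\))? from ")

Route = tuple[str, ipaddress.IPv4Network]


def parse_ip_route(output: str) -> list[Route]:
    """Collect (code, prefix) from 'show ip route' output, skipping the legend."""
    routes: list[Route] = []
    hdr_len: Optional[int] = None
    for line in output.splitlines():
        if line.startswith(("Codes:", "Gateway")) or not line.strip():
            continue
        if h := SUBNET_HDR_RE.match(line):
            hdr_len = int(h.group("len"))
            continue
        m = ROUTE_RE.match(line)
        if m is None:
            continue  # legend continuation, prompt, or a second ECMP next-hop line
        plen = m.group("len") or hdr_len
        if plen is None:
            continue
        net = ipaddress.ip_network(f"{m.group('addr')}/{plen}", strict=False)
        routes.append((m.group("code"), net))
    return routes


def parse_bgp_next_hops(output: str) -> list[str]:
    """Return the next-hop address of every path in a 'show ip bgp <prefix>' entry."""
    return [m.group("nh") for line in output.splitlines() if (m := NEXT_HOP_RE.match(line))]


def resolve(next_hop: str, routes: list[Route]) -> Optional[Route]:
    """Longest-prefix match of next_hop; None means the BGP path stays unusable."""
    addr = ipaddress.ip_address(next_hop)
    best: Optional[Route] = None
    for route in routes:
        if addr in route[1] and (best is None or route[1].prefixlen > best[1].prefixlen):
            best = route
    return best


def unresolved_next_hops(bgp_output: str, route_output: str) -> list[str]:
    """Next hops in the BGP entry that the routing table cannot resolve."""
    routes = parse_ip_route(route_output)
    return [nh for nh in parse_bgp_next_hops(bgp_output) if resolve(nh, routes) is None]


# Example 9-38 as printed on the page (ASBR1 relays ASBR2's next hop unchanged).
BGP_ENTRY_BEFORE = """\
BGP routing table entry for 172.16.1.2/32, version 68
Paths: (1 available, no best path)
  Not advertised to any peer
  200
    172.16.100.2 (inaccessible) from 10.1.1.3 (10.1.1.3)
      Origin IGP, metric 75, localpref 100, valid, internal
"""

# Constructed: the same entry after next-hop-self on ASBR1 (loopback 10.1.1.3).
BGP_ENTRY_AFTER = """\
BGP routing table entry for 172.16.1.2/32, version 70
Paths: (1 available, best #1)
  200
    10.1.1.3 from 10.1.1.3 (10.1.1.3)
      Origin IGP, metric 75, localpref 100, valid, internal, best
"""

# Constructed PE1 routing table using the addresses from the configurations above;
# it carries ASBR1's loopback but not the 172.16.100.0/24 ASBR-ASBR link.
PE1_ROUTES = """\
Codes: C - connected, S - static, O - OSPF, B - BGP
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C       10.1.1.1/32 is directly connected, Loopback0
O       10.1.1.3/32 [110/21] via 10.23.12.2, 02:59:03, Ethernet1/0
C       10.23.11.0/24 is directly connected, Serial3/0
C       10.23.12.0/24 is directly connected, Ethernet1/0
O       10.43.11.0/24 [110/30] via 10.23.12.2, 02:59:03, Ethernet1/0
"""

if __name__ == "__main__":
    print("before next-hop-self:", unresolved_next_hops(BGP_ENTRY_BEFORE, PE1_ROUTES))
    print("after next-hop-self: ", unresolved_next_hops(BGP_ENTRY_AFTER, PE1_ROUTES))
```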
PE1 sees that the host route of PE4 is reachable through ASBR1 in its routing table, and transit routers such as P2 do not have these host routes in their routing table (see Example 9-39).

Example 9-39. Host Route for PE4 in IP Routing Table on PE1, But Not on P2
PE1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
O       10.23.21.0/24 [110/74] via 10.33.23.1, 12:06:10, Ethernet0/0
O       10.1.2.1/32 [110/11] via 10.33.23.1, 12:06:10, Ethernet0/0
O       10.1.1.2/32 [110/21] via 10.33.23.3, 12:06:10, Ethernet0/0
O       10.1.1.3/32 [110/21] via 10.33.23.1, 12:06:10, Ethernet0/0
O       10.23.23.0/24 [110/20] via 10.33.23.3, 12:06:10, Ethernet0/0
O       10.1.2.3/32 [110/11] via 10.33.23.3, 12:06:10, Ethernet0/0
C       10.1.2.2/32 is directly connected, Loopback0
O       10.1.1.1/32 [110/11] via 10.23.12.1, 12:06:10, Ethernet1/0
C       10.23.12.0/24 is directly connected, Ethernet1/0
O       10.23.11.0/24 [110/74] via 10.33.23.1, 12:06:10, Ethernet0/0
                      [110/74] via 10.23.12.1, 12:06:10, Ethernet1/0
O       10.43.11.0/24 [110/20] via 10.33.23.1, 12:06:10, Ethernet0/0
C       10.33.23.0/24 is directly connected, Ethernet0/0
In previous case studies, in which host routes of PE routers are exchanged through the IGP, having /32 host routes and the corresponding labels is sufficient for establishing pseudowires. In this example, PE1 has a /32 route and the corresponding label to PE4. If the AToM pseudowire is configured and its status is up, it gives the impression that the pseudowire functions fully.
Based on the output of the show ip cef and show mpls l2transport vc commands in
Example 9-40, the pseudowire with VC ID 100 has a label stack of {27 16}. Label 27 is the
tunnel label, and label 16 is the VC label.
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
24     Pop tag     10.43.11.0/24     0          Et0/0      10.33.23.1
When labeled pseudowire packets arrive at ASBR1, the last label 16 in the label stack is
removed according to the MPLS forwarding table, which leaves the pseudowire packets
unlabeled (see Example 9-43).
   Network          Next Hop      In label/Out label
   172.16.1.1/32    10.1.1.3      nolabel/31
   172.16.1.2/32    10.1.1.3      nolabel/32
From the show ip cef and show mpls l2transport vc commands, the pseudowire with VC ID 100 now has a label stack of {27 32 16}. Label 16 is still the VC label, but to reach PE4, it requires two labels: Label 27 is the IGP label to reach ASBR1 that has the address 10.1.1.3, and label 32 is the BGP IPv4 label assigned by ASBR1 to reach PE4 that has the address 172.16.1.2 (see Example 9-46).
When sending packets from CE1 to CE4 again, they arrive at ASBR1 with a label stack {32 16}
this time. The show mpls forwarding-table command on ASBR1 further confirms that
pseudowire packets are properly forwarded to ASBR2 through an LSP, as shown in Example 9-47.
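How PE1 arrives at the two label stacks above ({27 16} when ASBR1 distributes no labels, {27 32 16} once BGP IPv4 label distribution is in place), as an added example in Python that is not code from the book; the tables are a constructed model of PE1's state using the chapter's label values.

```python
"""Label stack imposition on PE1 for the inter-AS pseudowire to PE4.

Added example, not the book's code. The table entries reuse the values the
chapter reports on PE1 (LDP label 27 towards ASBR1 10.1.1.3, BGP IPv4 labels
31 and 32 from ASBR1, VC label 16); the resolver itself is a constructed model.
"""
import ipaddress

# Constructed view of PE1's tables. LDP: {IGP next hop: outgoing label}.
LDP_LABELS = {"10.1.1.3": 27}
# BGP IPv4 routes: {prefix: (next hop, label or None)}. With send-label the ASBR
# advertises a label with each loopback; without it the same routes arrive unlabeled.
BGP_WITH_LABELS = {"172.16.1.1/32": ("10.1.1.3", 31),
                   "172.16.1.2/32": ("10.1.1.3", 32)}
BGP_WITHOUT_LABELS = {"172.16.1.1/32": ("10.1.1.3", None),
                      "172.16.1.2/32": ("10.1.1.3", None)}


def impose(remote_pe, vc_label, ldp_labels, bgp_routes, max_depth=8):
    """Recursive next-hop resolution; returns the stack outermost label first.

    A hop known to LDP contributes the IGP (tunnel) label and ends the search.
    A hop known only through BGP contributes its BGP label, if one was received,
    and is replaced by its BGP next hop, which is then resolved the same way."""
    stack = [vc_label]
    hop = ipaddress.IPv4Address(remote_pe)
    for _ in range(max_depth):                     # bounds next-hop chains
        if str(hop) in ldp_labels:
            return [ldp_labels[str(hop)]] + stack
        matches = [(nh, lbl) for pfx, (nh, lbl) in bgp_routes.items()
                   if hop in ipaddress.IPv4Network(pfx)]
        if not matches:
            raise LookupError(f"no route to {hop}: the pseudowire cannot come up")
        next_hop, label = matches[0]
        if label is not None:
            stack = [label] + stack
        hop = ipaddress.IPv4Address(next_hop)
    raise LookupError("next-hop resolution did not converge")
```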
inter-AS pseudowire connectivity by using BGP IPv4 label distribution with IBGP peering.
The following configuration gives you some examples of how to configure the PE and ASBR
routers to use BGP IPv4 label distribution with IBGP peering to provide inter-AS pseudowire
connectivity.
On PE1, configure BGP IPv4 label distribution with IBGP peering and the pseudowire with VC ID 100, as shown in Example 9-48.
hostname PE1
!
ip cef
mpls label protocol ldp
mpls ldp router-id Loopback0
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
interface Ethernet0/0
 no ip address
!
interface Ethernet0/0.1
 encapsulation dot1Q 100
 xconnect 172.16.1.2 100 encapsulation mpls
!
interface Ethernet1/0
 ip address 10.23.12.1 255.255.255.0
 mpls ip
!
interface Serial3/0
 ip address 10.23.11.1 255.255.255.0
 mpls ip
!
router ospf 1
 network 10.1.1.1 0.0.0.0 area 0
 network 10.23.11.0 0.0.0.255 area 0
 network 10.23.12.0 0.0.0.255 area 0
!
router bgp 100
 neighbor 10.1.1.3 remote-as 100
 neighbor 10.1.1.3 update-source Loopback0
 !
 address-family ipv4
  neighbor 10.1.1.3 activate
  neighbor 10.1.1.3 send-label
  no auto-summary
  no synchronization
 exit-address-family
On PE2, configure BGP IPv4 label distribution with IBGP peering and the pseudowire with VC ID 200, as shown in Example 9-49.
!
ip cef
mpls label protocol ldp
mpls ldp router-id Loopback0
!
interface Loopback0
 ip address 10.1.1.2 255.255.255.255
!
interface Ethernet0/0
 no ip address
!
interface Ethernet0/0.2
 encapsulation dot1Q 200
 xconnect 172.16.1.1 200 encapsulation mpls
!
interface Ethernet1/0
 ip address 10.23.23.1 255.255.255.0
 mpls ip
!
interface Serial3/0
 ip address 10.23.21.2 255.255.255.0
 mpls ip
!
router ospf 1
 network 10.1.1.2 0.0.0.0 area 0
 network 10.23.21.0 0.0.0.255 area 0
 network 10.23.23.0 0.0.0.255 area 0
!
router bgp 100
 neighbor 10.1.1.3 remote-as 100
 neighbor 10.1.1.3 update-source Loopback0
 !
 address-family ipv4
  neighbor 10.1.1.3 activate
  neighbor 10.1.1.3 send-label
  no auto-summary
  no synchronization
 exit-address-family
On PE3, configure BGP IPv4 label distribution with IBGP peering and the pseudowire with VC ID
200, as shown in Example 9-50.
hostname PE3
!
ip cef
mpls label protocol ldp
mpls ldp router-id Loopback0
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface Ethernet0/0
 no ip address
!
interface Ethernet0/0.2
 encapsulation dot1Q 200
 xconnect 10.1.1.2 200 encapsulation mpls
!
interface Serial2/0
 ip address 172.16.34.1 255.255.255.0
 mpls ip
!
router ospf 1
 network 172.16.1.1 0.0.0.0 area 0
 network 172.16.34.0 0.0.0.255 area 0
!
router bgp 200
 neighbor 172.16.1.3 remote-as 200
 neighbor 172.16.1.3 update-source Loopback0
 !
 address-family ipv4
  neighbor 172.16.1.3 activate
  neighbor 172.16.1.3 send-label
  no auto-summary
  no synchronization
 exit-address-family
On PE4, configure BGP IPv4 label distribution with IBGP peering and the pseudowire with VC ID 100, as shown in Example 9-51.
interface Serial2/0
 ip address 172.16.44.1 255.255.255.0
 mpls ip
!
router ospf 1
 network 172.16.1.2 0.0.0.0 area 0
 network 172.16.44.0 0.0.0.255 area 0
!
router bgp 200
 neighbor 172.16.1.3 remote-as 200
 neighbor 172.16.1.3 update-source Loopback0
 !
 address-family ipv4
  neighbor 172.16.1.3 activate
  neighbor 172.16.1.3 send-label
  no auto-summary
  no synchronization
 exit-address-family
Example 9-53. ASBR2 BGP Configuration
hostname ASBR2
!
ip cef
mpls label protocol ldp
mpls ldp router-id Loopback0
!
interface Loopback0
 ip address 172.16.1.3 255.255.255.255
!
interface Ethernet0/0
 description Connect to ASBR1 in AS100
 ip address 172.16.100.2 255.255.255.0
!
interface Ethernet1/0
 ip address 172.16.24.2 255.255.255.0
 mpls ip
!
router ospf 1
 network 172.16.1.3 0.0.0.0 area 0
 network 172.16.24.0 0.0.0.255 area 0
!
router bgp 200
 neighbor 172.16.1.1 remote-as 200
 neighbor 172.16.1.1 update-source Loopback0
 neighbor 172.16.1.2 remote-as 200
 neighbor 172.16.1.2 update-source Loopback0
 neighbor 172.16.100.1 remote-as 100
 !
 address-family ipv4
  neighbor 172.16.1.1 activate
  neighbor 172.16.1.1 next-hop-self
  neighbor 172.16.1.1 send-label
  neighbor 172.16.1.2 activate
  neighbor 172.16.1.2 next-hop-self
  neighbor 172.16.1.2 send-label
  neighbor 172.16.100.1 activate
  neighbor 172.16.100.1 send-label
  no auto-summary
  no synchronization
  network 172.16.1.1 mask 255.255.255.255
  network 172.16.1.2 mask 255.255.255.255
 exit-address-family
In an MPLS network, where the trust relationship is assumed within the network boundary, authentication for pseudowire signaling is usually absent. However, Cisco IOS still provides LDP authentication when network operators consider it necessary. Like other MPLS applications that use LDP, AToM can also enable LDP authentication for pseudowire signaling.
LDP performs authentication through the TCP MD5 Signature Option, which is essentially a message digest checksum to validate the integrity of the message. The checksum is calculated based on the content being transmitted and a shared password.
To configure LDP authentication for pseudowire signaling, use the mpls ldp neighbor password command under the global configuration mode. For example, PE1 and PE2 need to configure LDP authentication and have a shared password l2vpn, as shown in Example 9-54.
PE1(config)#mpls ldp neighbor 10.1.1.2 password ?
  LINE   The password
  <0-7>  Encryption type (0 to disable encryption, 7 for proprietary)

PE1(config)#mpls ldp neighbor 10.1.1.2 password l2vpn

PE2#config t
Enter configuration commands, one per line.  End with CNTL/Z.
PE2(config)#mpls ldp neighbor 10.1.1.1 password l2vpn
To verify that the LDP session is enabled with MD5 authentication, use the show mpls ldp neighbor detail command, as shown in Example 9-55.
Example 9-55. Verify That LDP Authentication Is Enabled
PE1#show mpls ldp neighbor 10.1.1.2 detail
    Peer LDP Ident: 10.1.1.2:0; Local LDP Ident 10.1.1.1:0
        TCP connection: 10.1.1.2.11035 - 10.1.1.1.646; MD5 on
        State: Oper; Msgs sent/rcvd: 26/26; Downstream; Last TIB rev sent 22
        Up time: 00:08:10; UID: 5; Peer Id 2;
        LDP discovery sources:
          Targeted Hello 10.1.1.1 -> 10.1.1.2, active, passive;
            holdtime: infinite, hello interval: 10000 ms
        Addresses bound to peer LDP Ident:
          10.23.23.1      10.1.1.2        10.23.21.2
        Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab
        Clients: Dir Adj Client
If a PE router has a password configured for a peer PE router, but the peer PE router does not
have the password configured, a message such as the following appears on the console of the PE
router:
00:53:41: %TCP-6-BADAUTH: No MD5 digest from 10.1.1.2(11037) to 10.1.1.1(646)
If two PE routers have different passwords configured, a message such as the following appears on the console:

00:55:57: %TCP-6-BADAUTH: Invalid MD5 digest from 10.1.1.2(11041) to 10.1.1.1(646)
When the password is missing from one PE router or the passwords that are configured on two PE
routers do not match, the LDP session is not established.
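The RFC 2385 digest that the LDP session's TCP MD5 Signature Option carries, and the two %TCP-6-BADAUTH conditions described above, as an added example that is not code from the book; the PE addresses, LDP port 646 and the password l2vpn are taken from the text, and the segment contents and sequence numbers are constructed.

```python
"""RFC 2385 TCP MD5 Signature Option, as used for LDP session authentication.

Added example, not code from the book. The addresses, ports and the shared
password "l2vpn" mirror the PE1/PE2 session in the text; the segment contents
and sequence numbers are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
TCPOPT_MD5SIG = 19       # option kind; length is always 18 (2 + 16-byte digest)


def tcp_md5_digest(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, window,
                   urg, data_offset_words, payload, password):
    """Digest over pseudo-header, fixed TCP header (checksum zeroed, options
    excluded), segment data and finally the shared password, in that order."""
    segment_len = data_offset_words * 4 + len(payload)
    pseudo = struct.pack("!4s4sBBH", ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed, 0, TCP_PROTO, segment_len)
    # data offset (in 32-bit words) occupies the high nibble of its byte
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         data_offset_words << 4, flags, window, 0, urg)
    return hashlib.md5(pseudo + header + payload + password).digest()


def md5sig_option(digest):
    """Wire form of the option: kind 19, length 18, 16-byte digest."""
    return struct.pack("!BB", TCPOPT_MD5SIG, 18) + digest


def find_md5sig(options):
    """Walk the TCP option list and return the carried digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                          # End of Option List
            return None
        if kind == 1:                          # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return None                        # malformed option
        if kind == TCPOPT_MD5SIG and options[i + 1] == 18:
            return options[i + 2:i + 18]
        i += options[i + 1]
    return None


def check_peer_segment(seg, options, password):
    """Return "ok" or the reason an IOS router logs as %TCP-6-BADAUTH."""
    peer = f"{seg['src_ip']}({seg['src_port']}) to {seg['dst_ip']}({seg['dst_port']})"
    received = find_md5sig(options)
    if received is None:
        return f"No MD5 digest from {peer}"
    expected = tcp_md5_digest(password=password, **seg)
    if not hmac.compare_digest(received, expected):  # constant-time comparison
        return f"Invalid MD5 digest from {peer}"
    return "ok"


# Constructed segment from PE2's LDP transport address to PE1's LDP port 646.
# 20-byte header + 20 bytes of options (2 NOPs + MD5 option) = 10 words.
SEGMENT = dict(src_ip="10.1.1.2", dst_ip="10.1.1.1", src_port=11035, dst_port=646,
               seq=0x1A2B3C4D, ack=0x0F0E0D0C, flags=0x18, window=4128, urg=0,
               data_offset_words=10, payload=b"\x00\x01\x00\x14" + b"\x00" * 16)


def demo(shared=b"l2vpn"):
    """Signed by PE2 with the shared password, then checked on PE1 three ways."""
    signed = b"\x01\x01" + md5sig_option(tcp_md5_digest(password=shared, **SEGMENT))
    return (check_peer_segment(SEGMENT, signed, shared),        # matching passwords
            check_peer_segment(SEGMENT, b"\x01\x01", shared),   # PE2 has no password
            check_peer_segment(SEGMENT, signed, b"other"))      # passwords differ
```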
answer to pseudowire fault detection.
The connectivity verification model for pseudowires consists mainly of two distinctive building blocks
that are specified in two different Internet drafts:
Advertising the VCCV capability

Verifying data plane connectivity
Case Studies 9-11 and 9-12 describe both building blocks in detail.
You can verify the pseudowire data plane connectivity by creating a control channel within the pseudowire. This control channel is associated with the pseudowire, and data connectivity packets flow in this control channel. The control channel has two requirements:

To follow the pseudowire data path as closely as possible

To divert data connectivity verification packets so that they are processed by the receiving PE device as opposed to being forwarded out to the CE devices
As you will see in "Case Study 9-11: Advertising the VCCV Capability," three control channel types (CC types) provide the preceding two requirements.

After you define the control channel, you need to specify the connectivity verification packets and protocols that will use the control channel. You can use multiple protocols over the control channel, which have different data connectivity verification types (CV types). The three currently defined CV types are IP-based protocols.
VCCV PWE3 Control Word (type 1) The control channel traffic is carried inband with data traffic on the pseudowire being monitored using the same label stack. When you use this control channel, a special format of the AToM control word instructs the PE router to inspect the control channel traffic.
MPLS Router Alert Label (type 2) The control channel is created out-of-band from the pseudowire, and it utilizes the reserved Router Alert (RA) label. The notion of "out-of-band" comes from the fact that the connectivity verification packet has a slightly different MPLS label stack than the actual pseudowire data packet.
MPLS Inner Label TTL = 1 (type 3) It is also known as TTL Expiry that sets the TTL of the VC label to 1, which forces the control packet to be processed by the receiving PE router.
Connectivity Verification (CV) type Defines a bitmask that indicates the types of CV packets and protocols that can be sent on the specified control channel:
Internet Control Message Protocol (ICMP) Ping ICMP-based Echo Request and Reply.
LSP Ping MPLS-based Echo Request and Reply.
BFD Bidirectional Forwarding Detection provides a continuous monitoring and forward and backward defect indication and propagation.
Table 9-1 compares the three control channel types.
Table 9-1. Comparing VCCV Control Channel Types
When you create an inband control channel of a pseudowire, the data flow and the control flow are effectively multiplexed over the same forwarding path, which is the most accurate picture of the data connectivity. This is why inband methods are preferred.
In contrast, the out-of-band control flow might follow a different forwarding path from the actual data flow because of the ECMP load sharing forwarding behavior described earlier in this chapter. There is no impact, however, if the pseudowire path is free of ECMPs, although that is not a realistic assumption. The out-of-band channel is created by using the reserved RA label. The RA label means that every router must examine the packet. With an RA label, all packets are punted to the route processor (RP) for processing; therefore, you can use this method to detect inconsistencies between the linecard and the RP. In an intermediate router, after the packet that contains the RA label is processed, if the packet needs to be forwarded further, the RA label is pushed back onto the label stack before forwarding.
Currently, Cisco routers advertise CC types 1 and 2, but the Cisco router prefers to use the control word CC type because of its inband capabilities to traverse the same path as the pseudowire data plane. The only CV type that is currently supported is LSP Ping.
You can display the VCCV capability advertisement by using the show mpls l2transport binding command. Example 9-57 provides output of this command.
and set to 0. For VCCV traffic with control channel type 1, the control word is required. Its first nibble
is set to 1 to avoid aliasing the payload with an IPv4 or IPv6 packet. However, for VCCV label;
therefore, VCCV traffic can take a different path than pseudowire data traffic.
After the VCCV capability has been exchanged, each control channel distinguishes data and VCCV packets as follows:
For CC type 1, a special control word is used. The first nibble is set to 1 to indicate VCCV packets. The first nibble of the control word is set to 0 for all data packets.

For CC type 2, the RA label is placed immediately above the pseudowire label for VCCV packets, and data packets do not have the RA label in the MPLS label stack.
The special control word in CC type 1 also includes a protocol type field to indicate the protocol that is being carried. The protocol type field that is used is the Internet Assigned Numbers Authority (IANA) PPP Data Link Layer (DLL) Protocol Number.
LSP Ping is currently the only supported CV type, where the MPLS Echo packets are IPv4 or IPv6 User Datagram Protocol (UDP) packets using the IANA assigned well-known UDP port of 3503. These UDP packets are possibly MPLS labeled. In an MPLS Echo Request, the source IP address is the originating router's outgoing interface address as expected, but the destination IP address is within the reserved range of internal host loopback addresses 127.0.0.0/8. The IP TTL of the MPLS Echo Request packet is set to 1 so that when all of the MPLS labels are popped, the underlying LSP Ping IP packet is not forwarded, and the RA option is set in the IP header. The format of an LSP Echo packet is shown in Figure 9-10.
The message type is either 1 for MPLS Echo Request or 2 for MPLS Echo Reply. The reply mode can specify no reply, reply via IPv4/IPv6 with or without RA option, or reply via application-level control channel. The ability to specify the reply mode gives great flexibility to LSP Ping. You can use the option with no reply to verify one-way connectivity by checking the Sequence Number field, or you can gather SLA statistics by checking the TimeStamp Sent field. The mode of reply via the application level control channel is currently not further defined. You can choose between the remaining two reply modes of IP with and without RA option when issuing LSP Ping packets from the Cisco IOS command line. The difference and applicability between these two reply modes are covered at the end of this case study.
Currently, the five Type Length Values (TLV) defined are as follows:

Target FEC Stack
Downstream Mapping
Pad
Error Code
Vendor Enterprise Code
In a pseudowire ping, you will use the Target FEC Stack TLV with a pseudowire sub-TLV to identify the pseudowire. Optionally, you will use the Pad TLV and the Vendor Enterprise Code TLV with a Cisco SMI enterprise number of 9.

Note
Version: 4
Header length: 24 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 100
Identification: 0x0000 (0)
Flags: 0x04 (Don't Fragment)
Fragment offset: 0
Time to live: 1
Protocol: UDP (0x11)
Header checksum: 0x5cba (correct)
Source: 10.0.0.201 (10.0.0.201)
Destination: localhost (127.0.0.1)
Options: (4 bytes)
  Router Alert: Every router examines packet
User Datagram Protocol, Src Port: 3503 (3503), Dst Port: 3503 (3503)
  Source port: 3503 (3503)
  Destination port: 3503 (3503)
  Length: 76
  Checksum: 0x4f8f (correct)
Multiprotocol Label Switching Echo
  Version: 1
  MBZ: 0
  Message Type: MPLS Echo Request (1)
  Reply Mode: Reply via an IPv4/IPv6 UDP packet with Router Alert (3)
  Return Code: No return code (0)
  Return Subcode: 0
  Sender's Handle: 0xc8000033
  Sequence Number: 1
  Timestamp Sent: 2004-05-03 15:32:22.5040 UTC
  Timestamp Received: NULL
  Target FEC Stack
    Type: Target FEC Stack (1)
    Length: 20
    FEC Element 1: L2 circuit ID
      Type: L2 cirtuit ID (9)
      Length: 16
      Sender's PE Address: 10.0.0.203 (10.0.0.203)
      Remote PE Address: 10.0.0.201 (10.0.0.201)
      VC ID: 50
      Encapsulation: HDLC (6)
      MBZ: 0x0000
  Pad
    Type: Pad (3)
    Length: 8
    Pad Action: Drop Pad TLV from reply (1)
    Padding: ABCDABCDABCDAB
The highlighted lines in Example 9-58 show how an MPLS Echo packet is encapsulated in IP/UDP with the RA option in the IP header, and in turn MPLS-labeled. You can also see that a Pseudowire Control Channel Header is included when using CC type 1.
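An added example (not from the book) that decodes an LSP Ping packet of the kind shown in Example 9-58: it checks the envelope properties described above (TTL 1, destination in 127.0.0.0/8, Router Alert option, UDP 3503) and then parses the MPLS echo header, the Target FEC Stack TLV with its L2 circuit ID sub-TLV, and the Pad TLV. The 32-byte echo header layout follows RFC 4379; the sub-TLV layout follows the decode above; the sample packet is constructed from the values in Example 9-58 with its checksums left at zero.

```python
"""Decode an LSP Ping (MPLS Echo Request) sent to verify a pseudowire.

Added example, not from the book.  Echo header: version(2) flags(2) type(1)
reply mode(1) return code(1) return subcode(1) handle(4) sequence(4)
timestamp sent(4+4) timestamp received(4+4), then TLVs.  The L2 circuit ID
sub-TLV (type 9) is sender PE, remote PE, VC ID, encapsulation, MBZ.
"""
import struct
from datetime import datetime, timedelta
from ipaddress import IPv4Address

LSP_PING_PORT = 3503
NTP_EPOCH = datetime(1900, 1, 1)
ROUTER_ALERT_OPTION = bytes.fromhex("94040000")   # option 148, length 4, value 0
MSG_TYPES = {1: "MPLS Echo Request", 2: "MPLS Echo Reply"}
REPLY_MODES = {1: "Do not reply", 2: "Reply via an IPv4/IPv6 UDP packet",
               3: "Reply via an IPv4/IPv6 UDP packet with Router Alert",
               4: "Reply via application level control channel"}
PW_TYPES = {6: "HDLC"}                            # only the value the example uses


def ntp_to_str(sec, frac):
    """NTP timestamp (seconds since 1900 plus 32-bit fraction) as a UTC string."""
    t = NTP_EPOCH + timedelta(seconds=sec)
    return "%s.%04d UTC" % (t.strftime("%Y-%m-%d %H:%M:%S"), round(frac * 10000 / 2**32))


def check_lsp_ping_ip(packet):
    """Verify the IP/UDP envelope of an LSP Ping; return (ok, problems)."""
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    dst = IPv4Address(packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    problems = []
    if ttl != 1:
        problems.append("IP TTL is %d, expected 1" % ttl)
    if not dst.is_loopback:
        problems.append("destination %s is not in 127.0.0.0/8" % dst)
    if ROUTER_ALERT_OPTION not in packet[20:ihl]:
        problems.append("Router Alert option missing")
    if proto != 17 or (sport, dport) != (LSP_PING_PORT, LSP_PING_PORT):
        problems.append("not UDP %d -> %d" % (LSP_PING_PORT, LSP_PING_PORT))
    return not problems, problems


def parse_fec_stack(value):
    """Decode the sub-TLVs carried in a Target FEC Stack TLV."""
    elems, off = [], 0
    while off + 4 <= len(value):
        st, sl = struct.unpack("!HH", value[off:off + 4])
        body = value[off + 4:off + 4 + sl]
        if st == 9 and sl == 16:                  # L2 circuit ID sub-TLV
            spe, rpe, vcid, encap, mbz = struct.unpack("!4s4sIHH", body)
            elems.append({"type": "L2 circuit ID", "sender_pe": str(IPv4Address(spe)),
                          "remote_pe": str(IPv4Address(rpe)), "vc_id": vcid,
                          "encapsulation": PW_TYPES.get(encap, encap), "mbz": mbz})
        else:
            elems.append({"type": st, "raw": body.hex()})
        off += 4 + sl
    return elems


def parse_echo(payload):
    """Decode the MPLS echo header and its TLVs from the UDP payload."""
    if len(payload) < 32:
        raise ValueError("MPLS echo header truncated")
    (ver, _flags, mtype, rmode, rcode, rsub, handle, seq,
     ts_sec, ts_frac, rx_sec, rx_frac) = struct.unpack("!HHBBBBIIIIII", payload[:32])
    echo = {"version": ver, "message_type": MSG_TYPES.get(mtype, mtype),
            "reply_mode": REPLY_MODES.get(rmode, rmode), "return_code": rcode,
            "return_subcode": rsub, "sender_handle": handle, "sequence": seq,
            "timestamp_sent": ntp_to_str(ts_sec, ts_frac),
            "timestamp_received": None if (rx_sec, rx_frac) == (0, 0)
            else ntp_to_str(rx_sec, rx_frac), "tlvs": {}}
    off = 32
    while off + 4 <= len(payload):
        t, l = struct.unpack("!HH", payload[off:off + 4])
        value = payload[off + 4:off + 4 + l]
        if len(value) != l:
            raise ValueError("TLV type %d truncated" % t)
        if t == 1:
            echo["tlvs"]["Target FEC Stack"] = parse_fec_stack(value)
        elif t == 3:
            echo["tlvs"]["Pad"] = {"action": value[0], "padding": value[1:].hex()}
        else:
            echo["tlvs"][t] = value.hex()
        off += 4 + l
    return echo


def sample_example_9_58():
    """Constructed bytes reproducing the fields shown in Example 9-58."""
    sent = int((datetime(2004, 5, 3, 15, 32, 22) - NTP_EPOCH).total_seconds())
    echo = struct.pack("!HHBBBBIIIIII", 1, 0, 1, 3, 0, 0, 0xC8000033, 1,
                       sent, int(0.504 * 2**32), 0, 0)
    fec = struct.pack("!HH4s4sIHH", 9, 16, IPv4Address("10.0.0.203").packed,
                      IPv4Address("10.0.0.201").packed, 50, 6, 0)
    echo += struct.pack("!HH", 1, len(fec)) + fec             # Target FEC Stack, length 20
    pad = bytes([1]) + bytes.fromhex("ABCDABCDABCDAB")        # action 1: drop Pad TLV from reply
    echo += struct.pack("!HH", 3, len(pad)) + pad             # Pad TLV, length 8
    udp = struct.pack("!HHHH", LSP_PING_PORT, LSP_PING_PORT, 8 + len(echo), 0) + echo
    ip = struct.pack("!BBHHHBBH4s4s", 0x46, 0, 24 + len(udp), 0, 0x4000, 1, 17, 0,
                     IPv4Address("10.0.0.201").packed, IPv4Address("127.0.0.1").packed)
    return ip + ROUTER_ALERT_OPTION + udp                     # 24-byte IP header with RA option
```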
To verify data connectivity using LSP Ping on Cisco routers, you can execute the ping mpls command
with the pseudowire keyword in the EXEC mode. Other available keywords are ipv4 for an LDP IPv4
FEC and traffic-eng for an RSVP-TE Tunnel FEC (see Example 9-59).
PE1#ping mpls pseudowire 10.0.0.201 200
Sending 5, 100-byte MPLS Echos to 10.0.0.201/0,
     timeout is 2 seconds, send interval is 0 msec:

some QoS features.
The QoS model for AToM follows the Differentiated Services (DiffServ) QoS architecture in Cisco IOS that uses the Modular QoS CLI (MQC). DiffServ defines a scalable QoS architecture that relies on the separation of complex edge versus simple core behaviors. The edge behaviors are summarized in a small number of classes defined in the DiffServ code point (DSCP). MPLS support for DiffServ is defined in RFC 3270. It uses the Experimental bits in the MPLS header, also referred to as class of service (CoS) bits, for the few classes that DiffServ uses to which LSPs are mapped.
The MQC model can be summarized as follows:

1. Interesting traffic is defined and classified as one or more classes using the class-map command.

2. Policies pertaining to these classes are defined using the policy-map command.

3. The policies are applied to either the input or output direction of the traffic flow using the service-policy command.

Case Study 9-13: Traffic Marking
The first of the QoS building blocks is the marking of traffic by setting the MPLS Experimental (Exp) bits. You apply the Exp bit setting to both the pseudowire and tunnel labels because of the possibility of PHP, which removes the tunnel label at the penultimate hop. This traffic marking based on the Exp bits is meaningful if the core network performs differentiated treatment of different classes, such as by queuing highest class traffic in a strict priority queue.

Example 9-60 shows how to set the Exp bits for an ATM AAL5 SDU and Cell Relay VC Mode pseudowires on PE1 shown in Figure 9-1.
Example 9-60. Setting Exp Bits

hostname PE1
!
class-map match-any all_traffic
 match any
!
policy-map exp3
 class all_traffic
  set mpls experimental 3
!
policy-map exp5
 class all_traffic
  set mpls experimental 5
!
interface ATM4/0.1 point-to-point
 description *** AAL5 SDU AToM to CE1 ***
 pvc 0/100 l2transport
  encapsulation aal5
  xconnect 10.1.1.2 100 encapsulation mpls
  service-policy input exp3
!
interface ATM4/0.2 point-to-point
 description *** Cell VC AToM to CE1 ***
 pvc 0/200 l2transport
  encapsulation aal0
  xconnect 10.1.1.2 200 encapsulation mpls
  service-policy input exp5
The class-map all_traffic matches all traffic in which the corresponding service-policy is applied. Instead of a defined class, you could have used the built-in class-default to obtain the same results. The policy-map exp3 sets the Exp bits to 3 for all the classified traffic (that is, all traffic). This policy is applied as an input service-policy to the ATM AAL5-SDU mode AC. Similarly, the policy-map exp5 sets the Exp bits to 5 and is applied to the ATM Cell Relay VC AC. Therefore, all traffic that is incoming into ATM PVC 0/100 and 0/200 is encapsulated with the MPLS Exp bits set to 3 or 5, respectively. You can also perform traffic marking using policing.
You can see this service policy working in Example 9-61 by enabling the debug mpls packets command in PE2 and sending 5 default size (100 Bytes) PING packets from CE1 to CE2 in each PVC. Do not enable the debug mpls packets command in production networks.
Example 9-61. Traffic Marking QoS Verification

PE2#
*Jun  2 11:26:17.733: MPLS: Fa0/0: recvd: CoS=3, TTL=2, Label(s)=19
*Jun  2 11:26:17.737: MPLS: Fa0/0: recvd: CoS=3, TTL=2, Label(s)=19
*Jun  2 11:26:17.737: MPLS: Fa0/0: recvd: CoS=3, TTL=2, Label(s)=19
*Jun  2 11:26:17.737: MPLS: Fa0/0: recvd: CoS=3, TTL=2, Label(s)=19
*Jun  2 11:26:17.741: MPLS: Fa0/0: recvd: CoS=3, TTL=2, Label(s)=19
PE2#
[15 further *Jun 2 debug lines for the CoS=5 packets are not legible in this copy]
You can see from Example 9-61 that all the MPLS packets are arriving with the VC label only because of PHP, and the TTL of the VC label is 2. The first five MPLS packets have the Exp bits set to 3. These are the five 100-byte PING packets encapsulated in ATM AAL5-SDU mode, and the Exp bits are set by the policy-map exp3 on PE1. The output of the debug command shows the Exp value as CoS. After these five packets, you see 15 packets with the Exp set to 5. These are the five 100-byte PING packets that are encapsulated in ATM Cell Relay VC mode without cell packing. Each packet is broken into three ATM cells, and therefore three corresponding AToM packets. The Exp bits are set to 5 as defined in the policy-map exp5 on PE1.

Note
For ATM Cell Relay VP mode with QoS configuration, configure each ATM permanent virtual path (PVP) into its own multipoint ATM subinterface, and apply the service policy to the subinterface. This allows you to apply various service policies with unique policy actions such as marking or policing to the different ATM PVPs. In contrast to ATM PVC configuration, the atm pvp command-line interface (CLI) command does not enable a configuration submode.

Policing CE traffic is similar to marking. The difference is the policy action taken with the classified traffic. The following two modes support policing actions for Frame Relay, ATM, and Ethernet:
Single-rate policer: Policed traffic is checked against a single committed information rate (CIR).

Dual-rate policer: Policed traffic is checked against two rates: CIR and peak information rate (PIR). This policer for IP networks is modeled after the Frame Relay policer.

The two policing modes can have color-awareness enabled or disabled:

Color-blind: All the policed traffic is treated equally and policed against the same rate or rates.

Color-aware: A user-defined criterion preclassifies policed traffic and checks it against different rates depending on the preclassification result. To this extent, you can use the conform-action and exceed-action commands under the police configuration mode to color traffic to be policed. Packets that are not classified under either the conform-action or exceed-action class belong to the violate-action class.
hostname PE1
!
class-map match-any all_traffic
 match any
!
policy-map policing
 class all_traffic
  police cir 128000
   conform-action set-mpls-exp-transmit 5
   exceed-action drop
!
interface ATM4/0.2 point-to-point
 description *** Cell VC AToM to CE1 ***
 pvc 0/200 l2transport
  encapsulation aal0
  xconnect 10.0.0.203 200 encapsulation mpls
  service-policy in policing
A dual rate color-aware policer configuration is included in Example 9-66 in Case Study 9-17.

Cisco IOS implements the single rate three-color policer based on RFC 2697 and the dual rate three-color policer based on RFC 2698.
network architecture
Gain from the first book to address Layer 2 VPN application utilizing
ATOM andand
L2TPShaping
protocols
Case Study 9-15:both
Queuing
Review
strategies
that allow
enterprise
customers
to enhance
In general, the following
features
are supported
forlarge
queuing
and shaping
actions:
their service offerings while maintaining routing control
Low-latency queuing (LLQ), also called priority queuing (PQ): The LLQ is a strict priority first-in, first-out (FIFO) queue. Strict priority queuing allows delay-sensitive data to receive a preferential queuing treatment by being dequeued and serviced before any other queues.

Class-based weighted fair queuing (CBWFQ): CBWFQ provides fair queuing based on defined classes with no strict priority. The weight for a packet that belongs to a specific class is given from the bandwidth that you assigned to the class.

Byte-based weighted random early detection (WRED): WRED drops packets selectively based on IP precedence. The higher the IP precedence, the less likely packets are to be dropped.

You can see egress queuing policies to provide CIR guarantees in Example 9-63.
Example 9-63. Queuing Configuration for CIR Guarantees in Frame Relay Pseudowires
!
hostname PE1
!
class-map match-all CustomerA
 match fr-dlci 100
class-map match-all CustomerB
 match fr-dlci 200
!
policy-map CIR_guarantee
 class CustomerA
  bandwidth 128
 class CustomerB
  bandwidth 256
!
interface Serial3/1
 no ip address
 service-policy output CIR_guarantee
 encapsulation frame-relay
 frame-relay intf-type dce
!
In this example, customers use two separate DLCIs in the same Frame Relay interface. Using a different class-map for each DLCI allows you to apply CBWFQ with the bandwidth command to each class for each DLCI. In addition, FRoMPLS supports traffic shaping and ATMoMPLS supports class-based shaping on ATM VCs.

You can accomplish per-class traffic shaping for ATM PVC and PVP ACs with the ATM PVC and PVP service type configuration using the following commands:

cbr {PCR}
ubr {PCR}
vbr-rt {PCR} {SCR} [MBS]
vbr-nrt {PCR} {SCR} [MBS]
policy-map clp1
 class qosg_class
  set atm-clp
policy-map qosg
 class exp3
  set qos-group 1
!
interface Serial4/0
 ip unnumbered Loopback0
 mpls ip
 service-policy input qosg
!
interface ATM5/0
 no ip address
 pvc 0/100 l2transport
  encapsulation aal5
  xconnect 10.1.1.2 100 encapsulation mpls
  service-policy out clp1
!
!
You can see from Example 9-64 that the service-policy qosg is applied to traffic coming into the PE device from the P router on interface Serial4/0. With this service-policy, MPLS packets with Exp = 3 (from the class exp3) are marked with the qos-group of 1. On AC PVC 0/100 in ATM5/0, the outbound service-policy clp1 is applied. This service policy sets the ATM CLP bit for cells that were previously marked with a qos-group of 1. With this internal qos-group ID marking, a classification is conveyed from one interface to another.

Case Study 9-17: Layer 2 Specific Matching and Setting
Different Layer 2 protocols comprise different characteristics and sometimes have an impact on the QoS configuration. This case study discusses the protocol-specific QoS characteristics and configuration. Table 9-2 outlines the different matching and setting criteria based on Layer 2 protocol.
Layer 2 Protocol   Matching                Setting
Ethernet           match cos, match vlan   set cos
Frame Relay        match fr-dlci           set fr-de, set fr-fecn-becn
ATM                                        set atm-clp
However, no platforms support a set vlan policy or include a set vlan command. The VLAN
rewrite configuration was covered in detail in Chapter 7, "LAN Protocols over MPLS Case
Studies."
With FRoMPLS, you can match traffic using Frame Relay specific fields. The following QoS directives are specific to Frame Relay:

Matching:
match fr-de
match fr-dlci
match fr-dlci range

Setting:
set fr-de
set fr-fecn-becn
Example 9-66 shows a dual-rate color-aware policer using Frame Relay-specific fields.

Example 9-66. Dual-Rate Color-Aware Policer

hostname PE1
!
class-map match-any FR_DLCI_100
 match fr-dlci 100
class-map match-any FR_DE0
 match not fr-de
!
policy-map FR_Policing
 class FR_DLCI_100
  police cir 64000 pir 128000
   conform-color FR_DE0
   conform-action set-mpls-exp-transmit 5
   exceed-action set-mpls-exp-transmit 2
   violate-action drop
 class class-default
  set mpls experimental 0
In the FR_DE0 class, the not qualifier matches traffic that does not have the DE bit set. The FR_DE0 class is used for the color.

This policer allows policing traffic according to the color classification of whether the discard eligible (DE) bit is set in incoming Frame Relay frames. With this policy, only packets that do not have DE set are policed against the CIR and PIR. Packets that do have the DE bit set are not treated as conforming. They are policed against PIR to determine whether they are exceeding or violating.
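An added example (not from the book) that models the behaviour of the FR_Policing policy in Example 9-66 as a color-aware two-rate three-color marker (RFC 2698, the basis of the Cisco IOS dual-rate policer): frames with DE clear enter as green and may conform, frames with DE set enter as yellow and are checked against PIR only, and the conform/exceed/violate actions map to Exp 5, Exp 2 and drop. The token bucket sizes (bc, be) and the sample frames are assumptions constructed here.

```python
"""Color-aware dual-rate policer, modelled on policy-map FR_Policing (Example 9-66).

Added example, not from the book.  Implements the RFC 2698 two-rate
three-color marker in color-aware mode: 'cir 64000 pir 128000' with
'conform-color FR_DE0' (frames with the DE bit clear).  Bucket sizes and
the sample frames are constructed assumptions.
"""


class DualRatePolicer:
    """Two-rate three-color marker (RFC 2698), color-aware."""

    def __init__(self, cir_bps, pir_bps, bc_bytes, be_bytes):
        self.cir, self.pir = cir_bps / 8.0, pir_bps / 8.0   # bytes per second
        self.bc, self.be = bc_bytes, be_bytes                # bucket sizes (assumed)
        self.tc, self.tp = bc_bytes, be_bytes                # buckets start full
        self.last = 0.0

    def _refill(self, now):
        """Credit both buckets for the time elapsed since the previous frame."""
        dt = max(0.0, now - self.last)
        self.tc = min(self.bc, self.tc + self.cir * dt)
        self.tp = min(self.be, self.tp + self.pir * dt)
        self.last = now

    def police(self, now, size, conform_color):
        """Return 'conform', 'exceed' or 'violate' for one frame of size bytes.

        conform_color=False means the frame is pre-colored yellow (DE set):
        it is policed against PIR only and can never conform."""
        self._refill(now)
        if self.tp < size:                 # over PIR: violate (red), no tokens taken
            return "violate"
        if not conform_color or self.tc < size:
            self.tp -= size                # yellow: only the PIR bucket is charged
            return "exceed"
        self.tc -= size                    # green: both buckets are charged
        self.tp -= size
        return "conform"


# Actions from policy-map FR_Policing: (decision, MPLS Exp value to transmit with)
ACTIONS = {"conform": ("transmit", 5), "exceed": ("transmit", 2), "violate": ("drop", None)}


def apply_fr_policing(frames, policer, policed_dlci=100):
    """Apply FR_Policing to frames given as (time_s, dlci, size_bytes, de_bit).

    Frames on the policed DLCI take the policer's action; every other frame
    falls into class-default and is sent with Exp 0."""
    results = []
    for when, dlci, size, de in frames:
        if dlci != policed_dlci:
            results.append(("transmit", 0))
            continue
        results.append(ACTIONS[policer.police(when, size, conform_color=not de)])
    return results


# Constructed sample input; bc = be = 2000 bytes assumed, CIR 64 kbps, PIR 128 kbps.
SAMPLE_FRAMES = [
    (0.00, 100, 1000, False),   # DE clear, tokens available: conform -> Exp 5
    (0.00, 100, 1000, True),    # DE set: yellow at best -> exceed -> Exp 2
    (0.00, 100,  500, True),    # DE set, PIR bucket now empty: violate -> drop
    (0.00, 200,  800, False),   # other DLCI: class-default -> Exp 0
    (0.50, 100, 1000, False),   # half a second later the buckets refilled: conform
]


def run_sample():
    """Police SAMPLE_FRAMES with a fresh policer and return the decisions."""
    return apply_fr_policing(SAMPLE_FRAMES, DualRatePolicer(64000, 128000, 2000, 2000))


if __name__ == "__main__":
    for frame, result in zip(SAMPLE_FRAMES, run_sample()):
        print(frame, "->", result)
```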
To apply this policy, you need to create a subinterface effectively to map to the Frame Relay
PVC. This is accomplished with the command switched-dlci in Cisco 12000 series router
platforms (see Example 9-67).
interface POS4/0
 encapsulation frame-relay cisco
!
interface POS4/0.1 point-to-point
 switched-dlci 100
 service-policy input FR_Policing
!
connect frompls101 POS4/0 100 l2transport
 xconnect 10.0.0.203 70 encapsulation mpls
Applying the FR_Policing policy to the point-to-point subinterface POS4/0.1 effectively applies the policy to the local AC that is defined with the connect command.

ATM over MPLS QoS
Currently, the only ATM-specific field for matching or setting is the cell loss priority (CLP) bit in the ATM Cell header. For ATM over MPLS, you can apply a service policy under an interface, a subinterface, or a PVC.

You can use the commands match atm clp and set atm-clp to match and set the ATM CLP bit, respectively.

Example 9-68 demonstrates how to use these two commands.
You can see in Example 9-68 that because of the qualifier not, the class-map not-clp matches
on all incoming ATM cells in PVC 0/100 that have the CLP bit clear. All AToM packets that
encapsulate these matched cells have the MPLS Exp bits set to a value of 4. In addition, the
service policy atm-clp that is applied in the same PVC in the outbound direction is setting the
ATM CLP bit for all cells out of the PVC, because the set atm-clp directive is applied to the
class-default for all outbound ATM cells.
Deploying pseudowire emulation in MPLS networks can be a rather sophisticated task when you take factors such as routing, network resource utilization, and path protection into account. This chapter discussed some of the most common but complex deployment scenarios you might encounter when offering pseudowire emulation services, as follows:
Chapter 10 Understanding L2TPv3
Chapter 11
Chapter 12
Chapter 13 Advanced L2TPv3 Case Studies
This chapter examines the base L2TPv3 protocol by first reviewing the history of its development from its prestandard beginnings. This exploration into the protocol's evolution is then followed by an examination of L2TPv3's data encapsulation and control channel signaling.
Figure 10-1. UTI Connectivity Model
R1 and R2 are provider edge (PE) routers with connectivity to each other through an IP core. These PE routers provide pseudowire connectivity via two separate UTI tunnels: Tunnel 1 for the serial line connectivity between the customer edge (CE) routers, R3 and R4, and Tunnel 2 for Ethernet connectivity between LAN 1 and LAN 2. Assuming the serial lines are using Frame Relay encapsulation, a Frame Relay frame from R3 is encapsulated with a UTI header for UTI Tunnel 1 and an IP header with the destination address of R2. After R2 verifies the UTI header contents, it de-encapsulates the original Layer 2 payload and sends it to R4. Likewise, LAN 1 and LAN 2 are essentially bridged across UTI Tunnel 2 in a similar fashion.
UTI also attempts to optimize performance by avoiding suboptimal tunnel identification and parsing schemes that are present in other tunneling protocols. For example, generic routing encapsulation (GRE) tunnel identification requires a lookup on a combination of the source and destination address pair or tunnel key depending on RFC implementation: RFC 2784, RFC 1701, or RFC 2890. UTI's encapsulation shown in Figure 10-2 is designed to avoid some of the overhead that is required in tunnel identification and parsing by means of a tunnel ID that identifies the tunnel context on the de-encapsulating system.
The UTI encapsulation consists of the following fields:
Delivery Header: The Delivery Header is the header that carries the UTI packet across the packet core. Although this header can be an IPv4 or IPv6 header, the initial Cisco implementation supports only an IPv4 header without IPv4 options and an IP protocol number of 120. Fragmentation is not supported, so the IPv4 Don't Fragment (DF) bit is set. Therefore, the IP MTU of any intermediate links along the tunnel path should be sufficiently large to carry the largest Layer 2 packet.
UTI Payload Independent Header: The Payload Independent Header is composed of the following two subcomponents:
Tunnel Identifier: The Tunnel Identifier, sometimes referred to as a Session Identifier, is a 4-octet value that distinguishes the tunnel at the de-encapsulating endpoint. The Tunnel Identifier represents a unidirectional session. A bidirectional tunnel has two identifiers: a local and remote value. If the tunnel identifier does not match the tunnel value on the de-encapsulating endpoint, the packet is discarded. The UTI specification reserves value 0x00000000 and limits the user-defined tunnel identifier to the first 10 bits, leaving 1023 available values.
Tunnel Key: The Tunnel Key is an 8-octet field used to avoid misconfiguration or malicious attempts that lead to inserting unwanted traffic into the Layer 2 stream. The tunnel key value must match on both ends of the de-encapsulating endpoint; otherwise, the packet is discarded. The tunnel key is configured using a high key (the most significant 4 bytes) and low key value (the least significant 4 bytes).
UTI Payload-Dependent Header: The Payload-Dependent Header contains payload information that is essential for the egress PE to properly forward the original Layer 2 frame toward the CE. The Cisco implementation does not define this header value, and it is not used.
UTI Alignment Padding: Alignment Padding ensures that the payload is aligned to a byte boundary that might assist implementations to more efficiently parse the payload. Although this field is defined in the UTI specification, Alignment Padding was never used in the initial Cisco implementation.
Payload: Payload is the original data link layer frame transported by UTI. This can be a Frame Relay, Ethernet, HDLC, or PPP frame.
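As an added illustration of the field layout just listed (this is example code, not code from the book or from Cisco), the following Python builds a UTI packet the way the text describes it, with an IPv4 delivery header carrying protocol 120 and the DF bit, a 10-bit-limited Tunnel Identifier and a high/low Tunnel Key, and then checks the result against a path MTU. The function names, addresses, and sample frame are assumptions constructed for the example.

```python
import struct

# Added example, not the book's or Cisco's code. The constants follow the UTI
# field description in the text; everything else is an assumption.
UTI_IP_PROTOCOL = 120          # IP protocol number of the UTI delivery header
IPV4_DF_FLAG = 0x4000          # Don't Fragment bit in the IPv4 flags/fragment word
IPV4_HEADER_LEN = 20           # no IPv4 options in the initial implementation
TUNNEL_ID_MAX = (1 << 10) - 1  # only the first 10 bits are user-definable
PIH_LEN = 4 + 8                # 4-octet Tunnel Identifier + 8-octet Tunnel Key


def valid_tunnel_id(tunnel_id: int) -> bool:
    """0x00000000 is reserved, so 1..1023 are the usable values."""
    return 1 <= tunnel_id <= TUNNEL_ID_MAX


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; 0 when verifying a good one."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def uti_encapsulate(src_ip: bytes, dst_ip: bytes, tunnel_id: int,
                    key_high: int, key_low: int, l2_frame: bytes) -> bytes:
    """Delivery Header + Payload Independent Header + Layer 2 payload."""
    if not valid_tunnel_id(tunnel_id):
        raise ValueError("tunnel id must be 1..%d" % TUNNEL_ID_MAX)
    # Tunnel Key is carried as the high (most significant) then the low 32-bit word
    pih = struct.pack("!III", tunnel_id, key_high & 0xFFFFFFFF, key_low & 0xFFFFFFFF)
    total_len = IPV4_HEADER_LEN + len(pih) + len(l2_frame)
    if total_len > 0xFFFF:
        raise ValueError("frame too large for a single IPv4 packet")
    # version 4 / IHL 5, TOS 0, total length, ID 0, flags = DF (fragmentation
    # is not supported), TTL 64, protocol 120, checksum placeholder, addresses
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, IPV4_DF_FLAG,
                      64, UTI_IP_PROTOCOL, 0, src_ip, dst_ip)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + pih + l2_frame


def required_link_mtu(largest_l2_frame: int) -> int:
    """Smallest IP MTU every link on the tunnel path must offer."""
    return IPV4_HEADER_LEN + PIH_LEN + largest_l2_frame


def fits_path_mtu(packet: bytes, path_mtu: int) -> bool:
    """With DF set, an oversize packet is dropped on the path, not fragmented."""
    return len(packet) <= path_mtu


if __name__ == "__main__":
    # constructed sample: a 1500-byte Frame Relay frame from R3 over Tunnel 1 to R2
    frame = bytes([0x18, 0x41, 0x03, 0xCC]) + b"\x00" * 1496
    pkt = uti_encapsulate(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
                          1, 0x12345678, 0x9ABCDEF0, frame)
    print(len(pkt), required_link_mtu(len(frame)), fits_path_mtu(pkt, 1500))
```

The MTU helper makes the deployment consequence concrete: a 1500-byte Layer 2 frame needs every core link to carry at least 1532 bytes, because the delivery header cannot be fragmented.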
Although UTI fulfilled its original goal of providing pseudowire connectivity, it had some limitations. As mentioned earlier in this section, one of UTI's restrictions is that it does not
Another UTI limitation was the lack of a signaling protocol, which required that Tunnel Identifiers and Tunnel Keys be manually configured and preprovisioned on each PE router for each pseudowire. Although some providers might prefer the simplicity of manual provisioning, this can be operationally infeasible for large deployments.
Finally, UTI was a Cisco proprietary protocol. As such, it prohibited multivendor interoperable implementations. An open standards-based IP pseudowire solution that overcame these limitations was required.
Protocol 'L2TP'").
Figure 10-3 shows the L2TPv3 connectivity model. L2TPv3's control messages are sent inband using the same packet core path as the data traffic. Each pseudowire is maintained through separate L2TPv3 data sessions similar to UTI tunnels: one for the Frame Relay PVC between R3 and R4, and a separate session for connectivity between LAN 1 and LAN 2.
L2TPv3's signaling protocol is optional. Therefore, it can operate in the same way as UTI: manually defined static sessions with or without a keepalive mechanism for dead peer detection. However, with its signaling protocol enabled, L2TPv3 can signal individual attachment circuit states per pseudowire and dynamically negotiate values for Session Identifiers and Key values without having predefined values on each PE router. The base L2TPv3 protocol essentially accomplishes this by extending L2TPv2's control channel signaling by supporting additional attributes that are passed in message formats referred to as Attribute Value Pairs (AVPs). The next two sections examine L2TPv3's data encapsulation and control plane in more detail.
L2TPv3 Data Encapsulation
As mentioned in Chapter 2, "Pseudowire Emulation Framework and Standards," the IETF
Pseudowire Emulation Edge to Edge (PWE3) group laid some of the framework and specified
requirements for a pseudowire emulation protocol. One of the architecture aspects explored in
the PWE3 architecture draft was the Pseudowire Protocol Layering Model. To understand
L2TPv3's frame encapsulation, this section describes each of the encapsulation components of
L2TPv3 and, where applicable, relates it to the Pseudowire Emulation Protocol Layer subset
shown in Figure 10-4.
Figure 10-4 (protocol layers shown): Demultiplexing Sublayer; Encapsulation Sublayer (Optional); Payload
Unlike Any Transport over MPLS (AToM), which uses an outer MPLS label to label-switch traffic to the far-end PE, L2TPv3 expects an IP-based packet core (IPv4 or IPv6). The L2TPv3 draft specifies two alternative delivery header encapsulations, illustrated in Figure 10-5:
Plain IP
IP/UDP
Figure 10-5. L2TPv3 Packet-Switched Network Layer
confirming the reliability of L2TPv3 control messages, which are covered in the section "L2TPv3 Control Connection," later in this chapter.
Note
The Cisco implementation of L2TPv3 only supports IPv4 header encapsulation for the L2TPv3 Delivery Header. As such, the remainder of this chapter focuses on the IPv4 L2TPv3 implementation.
Demultiplexing Sublayer
The L2TPv3 Demultiplexing Sublayer field allows the IPv4 tunnel (an IPv4 source and destination pair) to carry and demultiplex multiple pseudowires. This field is the equivalent of the Demultiplexing Sublayer described in Chapter 2. L2TPv3 supports demultiplexing through a combination of a Session Identifier and Cookie values shown in Figure 10-6.
The Session Identifier is a 4-byte field with a nonzero value that identifies a specific L2TPv3
session between two tunnel endpoints. A Session ID value of 0 is reserved for control channel
communication. Like the Tunnel Identifier in UTI, the Session Identifier is locally significant;
therefore, it utilizes a local and remote value to represent a bidirectional session.
The Cookie field fulfills the same role as the UTI Tunnel Key. It is an optional layer containing a
variable length field (maximum of 64 bits) that protects against inadvertent insertion of Layer 2
frames into the tunnel through either misconfiguration or malicious blind attacks. When the
Cookie field is negotiated through the control channel, it is consistent throughout the duration
of the session.
infeasible from a resource perspective to perform a brute force attack. For example, a brute force attack to insert a 40-byte spoofed packet into a tunnel, assuming the attacker can inject data at an OC-192 rate, would require approximately 18,000 years.
The Cisco implementation allows for the Session Identifier and Cookie to be either manually predefined on each tunnel endpoint or negotiated over the L2TPv3 control channel. The Cookie field can be negotiated to a 0-, 4-, or 8-byte field size, depending on the platform restrictions.
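The receive-side demultiplexing described in this section, as an added Python example that is not the book's or Cisco's code: it classifies the bytes that follow the IPv4 delivery header by Session ID (0 is the control channel), compares the session's Cookie in constant time and discards on mismatch, and reproduces the brute-force estimate above from a 64-bit cookie, 40-byte packets, and the OC-192 line rate. The 9.953280 Gbps line rate, the session table, and the packet bytes are assumptions constructed for the example.

```python
import hmac
import struct

# Added example, not the book's or Cisco's code. Layout assumed from the text:
# 4-byte Session ID, then a Cookie of 0, 4 or 8 bytes, then the Layer 2 payload.
CONTROL_SESSION_ID = 0


class Session:
    """Local view of one unidirectional L2TPv3 data session (constructed)."""

    def __init__(self, local_id: int, cookie: bytes):
        if local_id == CONTROL_SESSION_ID:
            raise ValueError("Session ID 0 is reserved for the control channel")
        if len(cookie) not in (0, 4, 8):
            raise ValueError("cookie must be 0, 4 or 8 bytes")
        self.local_id = local_id
        self.cookie = cookie       # fixed for the session once negotiated


def demux(l2tp_bytes: bytes, sessions: dict) -> tuple:
    """Classify the L2TPv3 portion of a received packet.

    Returns (kind, session_id, payload) where kind is 'control', 'data' or
    'discard'. An unknown Session ID and a Cookie mismatch are treated the
    same way: the packet is silently dropped.
    """
    if len(l2tp_bytes) < 4:
        return ("discard", None, b"")
    session_id = struct.unpack("!I", l2tp_bytes[:4])[0]
    if session_id == CONTROL_SESSION_ID:
        return ("control", 0, l2tp_bytes[4:])
    session = sessions.get(session_id)
    if session is None:
        return ("discard", session_id, b"")
    n = len(session.cookie)
    received = l2tp_bytes[4:4 + n]
    # compare_digest keeps the comparison time independent of where a
    # guessed cookie first differs from the real one
    if len(received) != n or not hmac.compare_digest(received, session.cookie):
        return ("discard", session_id, b"")
    return ("data", session_id, l2tp_bytes[4 + n:])


def blind_insertion_years(cookie_bits: int = 64, packet_bytes: int = 40,
                          line_rate_bps: float = 9.953280e9) -> float:
    """Years to try every cookie value by sending minimum-size packets at the
    given line rate (assumed OC-192 payload rate), one guess per packet."""
    packets_per_second = line_rate_bps / (packet_bytes * 8)
    seconds = (2 ** cookie_bits) / packets_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # constructed session table: one session with an 8-byte cookie, one with none
    table = {0x1001: Session(0x1001, bytes.fromhex("0102030405060708")),
             0x1002: Session(0x1002, b"")}
    good = bytes.fromhex("00001001" "0102030405060708") + b"\xaa" * 4
    bad = bytes.fromhex("00001001" "0102030405060700") + b"\xaa" * 4
    ctrl = bytes.fromhex("00000000") + b"\xc8\x02"
    for pkt in (good, bad, ctrl):
        print(demux(pkt, table)[:2])
    print(round(blind_insertion_years()))
```

With the constructed table, a packet that carries the right Session ID but a cookie differing in its last byte is discarded exactly like one with an unknown Session ID, and the exhaustive-search estimate lands in the same range as the 18,000 years quoted above.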
Encapsulation Sublayer
L2TPv3 uses an optional field, referred to as a Layer 2-Specific Sublayer, to convey information that is not carried in the Layer 2 Payload but that is required for the tunnel de-encapsulating endpoint to properly reconstruct the Layer 2 Payload and send the frame to the CE device. This field is the equivalent of the optional Encapsulation Sublayer that is defined in the Pseudowire Emulation Protocol Layers.
The L2TPv3 base draft specifies a default Layer 2-Specific Sublayer illustrated in Figure 10-7 that you use if it meets the Layer 2 Payload requirements. Otherwise, you can define alternate Layer 2-Specific Sublayers and use them as negotiated through a Layer 2-Specific Sublayer Type AVP control message. A Data Sequencing AVP is signaled during session negotiation to determine whether sequencing is required or what type of traffic needs to be sequenced.
Figure 10-7. L2TPv3 Default Layer 2-Specific Sublayer
A Sequence bit (S-bit) set to 1 indicates that the 24-bit Sequence Number field contains a valid
value. When the S-bit is not set, the de-encapsulating endpoint must ignore the Sequence
Number field. The Sequence Number in the remainder of the default Layer 2-Specific Sublayer
is a 24-bit field containing a free-running counter that starts at 0.
If sequencing is enabled, the current expected sequence number on the receiving device is equal to the sequence number of the last in-order packet plus 1. Sequenced L2TPv3 data is accepted if the stored sequence number is equal to or greater than the current expected sequence number. Any other packets that do not fit this description are either out-of-order or duplicate packets and are discarded. Because of the finite range of sequence numbers, you must take the wrapping of the field into account by tracking a window of sequence numbers greater than the current expected value. The recommended default range is equal to half of the available sequence number space (2^24/2 = 8,388,608). For example, assuming a sequence number field of 24 bits, the window range of "new" sequence numbers for the current sequence number of 10,040,243 is 10,040,244 through 1,677,216 and 0 through 3,303,269.
The Sequence Field allows you to detect lost, duplicate, or out-of-order packets for an individual session. However, the criticality of preserving the correct ordering depends on the sensitivity of the encapsulated Layer 2 traffic. If the Layer 3 traffic in the Layer 2 tunneled frame is IP, the upper layer protocol might handle out-of-sequence packets. Therefore, the aforementioned Data Sequencing AVP supports the following three options:
Non-IP data requires sequencing.
All data packets require sequencing.
The Cisco sequencing implementation only drops out-of-order frames and does not attempt to reorder out-of-sequence packets. You should understand the implications of this behavior prior to enabling sequencing relative to the Layer 2 protocol.
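A receiver-side sequence check for the default Layer 2-Specific Sublayer, as an added Python example (not the book's or Cisco's code). It assumes the 24-bit free-running Sequence Number and S-bit described above, with the S-bit placed in bit 30 of the 4-byte sublayer word (an assumption of the example), a window of half the sequence space beyond the expected value as the text recommends, and the drop-only behavior just described: out-of-order and duplicate frames are discarded, never reordered. The sublayer words are constructed for the example.

```python
import struct

# Added example, not the book's or Cisco's code.
SEQ_BITS = 24
SEQ_MOD = 1 << SEQ_BITS
WINDOW = SEQ_MOD // 2          # 8,388,608: half of the available sequence space
S_BIT = 0x40000000             # assumed S-bit position in the 32-bit sublayer word


def parse_default_sublayer(word: bytes) -> tuple:
    """Return (s_bit_set, sequence_number) from the 4-byte sublayer.
    When the S-bit is clear, the Sequence Number field must be ignored."""
    value = struct.unpack("!I", word)[0]
    s_set = bool(value & S_BIT)
    seq = value & (SEQ_MOD - 1) if s_set else None
    return s_set, seq


def in_window(seq: int, expected: int) -> bool:
    """True if seq lies in [expected, expected + WINDOW) modulo 2**24,
    which handles the counter wrapping through 0."""
    return (seq - expected) % SEQ_MOD < WINDOW


class SequenceReceiver:
    """Tracks the next expected sequence number for one L2TPv3 session."""

    def __init__(self):
        self.expected = 0          # the free-running counter starts at 0
        self.dropped = 0

    def accept(self, sublayer: bytes) -> bool:
        """Apply the drop-only policy; return True if the frame is delivered."""
        s_set, seq = parse_default_sublayer(sublayer)
        if not s_set:
            return True            # unsequenced frame: no ordering check
        if not in_window(seq, self.expected):
            self.dropped += 1      # duplicate or out-of-order: discard
            return False
        # a gap (lost packets) is tolerated; expect the number after this one
        self.expected = (seq + 1) % SEQ_MOD
        return True


def make_sublayer(seq: int, s_bit: bool = True) -> bytes:
    """Build a 4-byte default sublayer word (constructed helper)."""
    return struct.pack("!I", (S_BIT if s_bit else 0) | (seq & (SEQ_MOD - 1)))


if __name__ == "__main__":
    rx = SequenceReceiver()
    # constructed arrival order: 0, 1, 1 (duplicate), 3 (2 lost), 2 (late)
    for n in (0, 1, 1, 3, 2):
        print(n, rx.accept(make_sublayer(n)), "expected next", rx.expected)
    print("dropped", rx.dropped)
```

The window check is the part that matters operationally: a late frame arriving after a gap has been accepted is simply dropped, so a Layer 2 protocol that cannot tolerate loss needs to be evaluated before sequencing is enabled.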
L2TPv3 Control Connection
L2TPv3 supports an optional control connection mechanism, which handles peer capability negotiation and detection in addition to pseudowire creation, maintenance, and teardown. This section explores L2TPv3's control connection by examining how control messages are encapsulated and what the different negotiation phases are for control channel initialization and session negotiation.
Unlike AToM, which uses Label Distribution Protocol (LDP) for LSP tunneling (PSN tunnel signaling) and directed LDP for virtual circuit (VC) label distribution (pseudowire/PE maintenance), L2TPv3 utilizes a single reliable, inband control plane for both purposes. This control plane setup phase begins with an L2TP Control Connection (sometimes referred to in L2TP terminology as the L2TP tunnel) establishment phase for advertising and negotiating capabilities between the peers. After the L2TP Control Connection is established, individual pseudowire sessions (referred to in L2TP terminology as L2TP sessions) are set up in the Session Negotiation phase as needed based on the attachment circuit state.
Note
There are three variations on the control plane implementation of L2TPv3. L2TPv3 in its simplest mode of operation, known as Manual Mode, obviates the need for a control plane protocol and simply requires predefined session IDs and cookies. The second variation, called Manual Mode with Keepalive, negotiates the Control Connection phase but not the Session Negotiation phase. This offers a simple dead-peer detection mechanism that is similar to what is available in UTI with keepalives. Dynamic Mode negotiates both the Control Connection phase as well as the Session
Figure 10-8. L2TPv3 Control Channel Encapsulation over IP
Figure 10-8 illustrates the encapsulation for L2TPv3 Control Messages, assuming that an IPv4 header is used. As described in the earlier "Demultiplexing Sublayer" section, L2TPv3 data packets utilize a nonzero Session Identifier. The Session Identifier value of 0 is reserved for control channel messages and distinguishes data packets from control messages. The remaining fields are unique to the control message encapsulation and are examined individually:
T, L, S You must set the Type bit (T-bit) to 1 to indicate that this is a control message. You must also set the Length bit (L-bit) and Sequence bit (S-bit) to 1 to indicate that length and sequence numbers are present in the L2TPv3 control message header. Do not confuse the sequence numbers with the Sequence Number field in the Layer 2-Specific Sublayer. The former are sequence numbers that are used in the control message header for reliable delivery.
Version The Version field indicates which version of L2TP is in use. Set this value to 3 to indicate L2TPv3.
Length The Length field indicates the total size of the control message calculated from the beginning of the message starting with the T-bit.
Control Connection ID The Control Connection Identifier contains a locally significant field to represent the control channel (L2TPv3 tunnel). The nonzero Control Connection IDs are exchanged during the L2TP Control Channel phase by using the Assigned Control Connection ID AVP.
Ns Ns, or the sequence number sent, indicates the sequence number for this control message. This field begins at 0 and increments by 1 for each control message that is sent to the peer.
Nr Nr is the sequence number expected to be received in the next control message. Ns and Nr provide a simple sliding window mechanism to handle control message transmission, retransmission, and detection of lost or duplicate control message packets.
Following the control message header are one or more AVPs. Each AVP follows a consistent format that contains the following fields:
M When the Mandatory bit (M-bit) is set, it indicates that the associated Control Connection or PW Session must be shut down if the recipient does not recognize this AVP. If this occurs on a Control Connection, a Stop Control Connection (STOPCCN) message is sent. If it occurs on a PW Session, a Call Disconnect Notification (CDN) message is sent.
H The Hidden bit (H-bit) indicates to the recipient whether the AVP content is passed in clear text or obfuscated in some manner to hide sensitive information. For this AVP encryption to occur, a shared secret must be defined on both endpoints, Control Message Authentication must be enabled, and a Random Vector AVP must be sent.
AVP Length The AVP Length field indicates the length of the entire AVP, as highlighted in Figure 10-8.
Vendor ID The Vendor ID is a 2-byte field that follows Internet Assigned Numbers Authority (IANA) assigned values that are defined in RFC 1700 in the "SMI Network Management Private Enterprise Codes" section. This allows vendors to define private Attribute Types. A Vendor ID field of 0 represents that this Attribute Type is an Internet Engineering Task Force (IETF) adopted attribute value that is defined in the L2TPv3 base draft.
Attribute Type The Attribute Type contains a 2-byte field representing the Attribute
Message. You must interpret this field's value relative to the Vendor ID field.
Attribute Value The Attribute Value contains the actual content of the defined Vendor ID
Attribute Type. The length of this field is the Attribute Length minus 6 bytes for Attribute
Header fields.
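As an added example (not code from the book or from Cisco), the following Python parses the control message encapsulation just described: it enforces the Session ID of 0, the T/L/S bits, the version and the Length field, walks the AVP list, and applies the M-bit rule to AVPs the receiver does not recognize. The sample message is constructed; the Message Type values are the standard L2TP ones, the Assigned Control Connection ID attribute number is taken from RFC 3931 rather than from this page, and Vendor ID 9 with attribute 1234 is a sample unrecognized private AVP.

```python
import struct
from dataclasses import dataclass

L2TPV3_VERSION = 3
CTRL_HDR_LEN = 12   # T/L/S bits + Ver + Length, Control Connection ID, Ns + Nr
AVP_HDR_LEN = 6     # M/H bits + Length, Vendor ID, Attribute Type
T_BIT, L_BIT, S_BIT = 0x8000, 0x4000, 0x0800
# IETF (Vendor ID 0) attribute types this receiver understands. Message Type is the
# well-known AVP 0; the Assigned Control Connection ID number (61) is taken from
# RFC 3931 and is an assumption of this example, not a value stated on the page.
KNOWN_IETF_AVPS = {0: "Message Type", 61: "Assigned Control Connection ID"}
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN", 16: "SLI"}

@dataclass
class Avp:
    mandatory: bool   # M-bit
    hidden: bool      # H-bit: value obfuscated; needs the shared secret + Random Vector AVP
    vendor_id: int
    attr_type: int
    value: bytes

@dataclass
class ControlMessage:
    ccid: int         # Control Connection ID (0 until the peer has assigned one)
    ns: int
    nr: int
    avps: list

def parse_avps(buf: bytes) -> list:
    """Walk the AVP list that follows the 12-octet control header."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < AVP_HDR_LEN:
            raise ValueError("truncated AVP header")
        mh_len, vendor_id, attr_type = struct.unpack("!HHH", buf[off:off + AVP_HDR_LEN])
        avp_len = mh_len & 0x03FF   # 10-bit length; it covers the 6-byte AVP header too
        if avp_len < AVP_HDR_LEN or off + avp_len > len(buf):
            raise ValueError("AVP length %d overruns the message" % avp_len)
        avps.append(Avp(bool(mh_len & 0x8000), bool(mh_len & 0x4000),
                        vendor_id, attr_type, buf[off + AVP_HDR_LEN:off + avp_len]))
        off += avp_len
    return avps

def parse_control_message(ip_payload: bytes) -> ControlMessage:
    """Parse an L2TPv3 control message carried directly over IP (protocol 115).

    ip_payload starts with the 4-byte Session ID, which must be 0 for control
    traffic; the control header and the AVPs follow.
    """
    if len(ip_payload) < 4 + CTRL_HDR_LEN:
        raise ValueError("truncated control message")
    session_id = struct.unpack("!I", ip_payload[:4])[0]
    if session_id != 0:
        raise ValueError("Session ID %d is nonzero: data packet, not a control message" % session_id)
    body = ip_payload[4:]
    flags_ver, length, ccid, ns, nr = struct.unpack("!HHIHH", body[:CTRL_HDR_LEN])
    if (flags_ver & (T_BIT | L_BIT | S_BIT)) != (T_BIT | L_BIT | S_BIT):
        raise ValueError("T, L and S bits must all be set in a control message")
    if (flags_ver & 0x000F) != L2TPV3_VERSION:
        raise ValueError("unexpected L2TP version %d" % (flags_ver & 0x000F))
    # Length counts from the T-bit, so it excludes the Session ID word. Bytes beyond
    # Length are ignored; fewer bytes than Length is an error.
    if length < CTRL_HDR_LEN or length > len(body):
        raise ValueError("Length %d inconsistent with %d bytes received" % (length, len(body)))
    return ControlMessage(ccid, ns, nr, parse_avps(body[CTRL_HDR_LEN:length]))

def message_type(msg: ControlMessage) -> str:
    """Name of the message from its Message Type AVP, or 'unknown'."""
    for avp in msg.avps:
        if avp.vendor_id == 0 and avp.attr_type == 0 and len(avp.value) == 2:
            return MESSAGE_TYPES.get(struct.unpack("!H", avp.value)[0], "unknown")
    return "unknown"

def unknown_mandatory_avps(msg: ControlMessage) -> list:
    """AVPs that trigger the M-bit rule: unrecognised and M set. The receiver must
    answer with StopCCN (control connection) or CDN (session); unrecognised AVPs
    with M clear are simply skipped."""
    return [a for a in msg.avps
            if a.mandatory and not (a.vendor_id == 0 and a.attr_type in KNOWN_IETF_AVPS)]

def build_avp(attr_type, value, mandatory=True, hidden=False, vendor_id=0) -> bytes:
    flags = (0x8000 if mandatory else 0) | (0x4000 if hidden else 0)
    return struct.pack("!HHH", flags | (AVP_HDR_LEN + len(value)), vendor_id, attr_type) + value

def build_control_message(ccid, ns, nr, avps) -> bytes:
    body = b"".join(avps)
    header = struct.pack("!HHIHH", T_BIT | L_BIT | S_BIT | L2TPV3_VERSION,
                         CTRL_HDR_LEN + len(body), ccid, ns, nr)
    return struct.pack("!I", 0) + header + body   # Session ID 0 marks control traffic

# Constructed sample: an SCCRQ (Ns=0, Nr=0, CCID not yet assigned) with the Message
# Type AVP, an Assigned Control Connection ID AVP, and a vendor-private AVP (Vendor
# ID 9 and attribute 1234 are sample values) that this receiver does not recognise.
SAMPLE_SCCRQ = build_control_message(0, 0, 0, [
    build_avp(0, struct.pack("!H", 1)),                     # Message Type = SCCRQ
    build_avp(61, struct.pack("!I", 0xA5A5)),               # our Control Connection ID
    build_avp(1234, b"\x01", mandatory=True, vendor_id=9),  # unknown, marked mandatory
])
```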
L2TPv3 Control Channel Signaling
Control channel signaling operates in two phases: control connection establishment followed by session establishment (optional).
Figure 10-9 builds upon the network layout in Figure 10-3 and shows the control connection establishment that is required to build the control channel between the two L2TPv3 endpoints, R1 and R2, and subsequent control channel messages.
Figure 10-9. L2TPv3 Control Connection Phase
After the Control Connection is established, both peers send hello messages as keepalive mechanisms during regular intervals to detect dead peers. If these maintenance messages are not received within a hold time period, the PE router can consider the peer unreachable and send a teardown message for the Control Channel. Because the hello message is representative of the Control Channel, the Session Identifier value in the encapsulation of the Control Message is set to 0.
Whether because of hello timer expiration or some other critical error (such as an unrecognized Mandatory AVP), you use a Stop-Control-Connection-Notification (StopCCN) to tear down the Control Channel. The StopCCN message must contain the Assigned Control Connection ID if you send the teardown message after an SCCRQ or SCCRP message. Including the Control Channel ID explicitly defines the Control Channel that you need to disable. If you send a StopCCN message, not only must you tear down the Control Channel, but you also must implicitly clear all the associated active sessions that you might have subsequently negotiated.
One of the optional features negotiated during Control Channel establishment is a lightweight security option known as Control Message Authentication. This authentication provides peer authentication and integrity checking against all control messages. Control Message Authentication performs a one-way hash against the header and body of the control message (with L2TPv3 over IP, this begins after the Session Identifier of 0), a shared secret preconfigured on both PE routers, and a local and remote nonce value that is passed via the Control Message Authentication Nonce AVP during Control Connection establishment.

To perform peer authentication, you must configure the shared secret between the PE routers. However, if a shared secret is undefined, you can still perform control message integrity checking by using the hash against an empty shared secret.
which dynamically establishes pseudowire sessions. The Session establishment phase can involve incoming call requests (that is, receiving a call) and outgoing call requests (that is, asking to place an outbound call). The Cisco implementation supports only incoming call messages for pseudowire session establishment. Figure 10-10 illustrates the various messages that are used in session negotiation, maintenance, and teardown. Similar to the Control Connection establishment phase, the Session establishment negotiation uses a three-way handshake mechanism.
Figure 10-10. L2TPv3 Session Negotiation
to indicate that the ICRQ was accepted. Similar AVPs are sent in the ICRP reply to pass
relevant properties with regard to the L2TPv3 session.
3. An Incoming-Call-Connected (ICCN) message is sent in reply to the received ICRQ to indicate that the pseudowire session is fully established.
This three-way session negotiation mechanism occurs for each pseudowire that needs to be dynamically built. To signal an individual session state, any PE can send Set-Link-Info (SLI) messages to indicate attachment circuit status changes. For example, if a Frame Relay PVC changes to down, a PE can send an SLI message to the remote PE to indicate this change in state. The remote PE can use this information to inform the end devices via Frame Relay LMI that the PVC is no longer usable.
A peer can also tear down individual pseudowire sessions by using Circuit-Disconnect-Notify
(CDN) messages. When the peer receives this message, it must silently tear down this session
and its associated resources.
L2TPv3 borrowed heavily from UTI's encapsulation format and L2TPv2's control plane to
provide pseudowire emulation.
L2TPv3 supports IP encapsulation using an IP protocol value of 115, whereas UTI uses an IP protocol value of 120.
Although the base L2TPv3 draft supports both IP and IP/UDP encapsulation, the Cisco initial implementation supports only IP encapsulation.
The Cisco L2TPv3 data packet encapsulation essentially is composed of an IP header, Session ID, cookie, an optional Layer 2-Specific Sublayer, and the Layer 2 payload.
The Cisco L2TPv3 control packet encapsulation is composed of an IP header, Session ID, Control Message Header, and AVPs if necessary. The Control Message header includes a 12-octet field containing T-, L-, and S-bits; Version field; Length field; Control Connection ID; and Sequence Number sent and received fields.
L2TPv3's control channel is inband along the data path, as opposed to AToM.
Control Connection IDs are locally significant values to identify a specific Control Channel. One Control Channel usually exists between a pair of PE routers.
Session IDs are locally significant values that identify a specific pseudowire session.
AVPs are an extensible method of defining individual parameters in each of the control messages.
When you have Control Plane signaling enabled, you must first build the Control Channel between the PE devices using SCCRQ/SCCRP/SCCCN messages. You negotiate any subsequent pseudowire sessions that you need to build through a similar three-way handshake using ICRQ/ICRP/ICCN messages.
1, which shows the L2TPv3 connectivity model that was introduced in Chapter 10, "Understanding L2TPv3." The original model has been modified slightly to illustrate two specific L2TPv3 Ethernet pseudowire types: port tunneling and VLAN tunneling.
Figure 11-1. L2TPv3 Connectivity Model
In Figure 11-1, the two provider edge (PE) routers, R1 and R2, are L2TPv3 endpoints providing Layer 2 connectivity between each pair of like-to-like attachment circuits via separate L2TPv3 pseudowire sessions. Ethernet 802.1q trunks exist between R3 and R1 and between R2 and R4. Although each 802.1q trunk is capable of transporting multiple VLANs, VLAN 100 is used in Figure 11-1 to demonstrate a VLAN tunneling pseudowire. The VLAN 100 attachment circuit on R3's E1/0.100 subinterface is attached to R4's E1/0.100 subinterface via L2TPv3 pseudowire session 1. When you are performing VLAN tunneling, only 802.1q Ethernet frames with VLAN IDs that match the VLAN ID value defined by the local attachment circuit are transported onto the pseudowire. When the VLAN IDs for the local and remote attachment circuits differ, the far end PE device is responsible for rewriting the VLAN tag on the outgoing Ethernet frame.
In contrast, L2TPv3 pseudowire session 2 is an example of a port tunneling pseudowire that stitches together R3's E0/0 Ethernet interface on LAN1 to R4's E0/0 Ethernet interface on LAN2. Unlike VLAN tunneling, any Ethernet frame that is received on Ethernet interface E0/0 is transported on the pseudowire and replicated on the far-end attachment circuit. Therefore, regardless of whether the frame is untagged, has an 802.1q tag, or has a QinQ tag, the frame is replicated transparently on the outgoing attachment circuit.
All LAN and WAN (covered in Chapter 12, "WAN Protocols over L2TPv3 Case Studies") L2TPv3
pseudowire sessions can be defined statically or have an optional control channel exist between
the L2TPv3 endpoints to negotiate session details (such as session IDs and sequencing) and
endpoint information (that is, control channel authentication and hidden Attribute-Value Pairs
[AVP]).
From a configuration perspective, you need a method to tie the attachment circuit to the
pseudowire session. For scalability purposes, the CLI should also allow multiple sessions to
share the same session characteristic's template (that is, sequencing and source IP address)
and multiple dynamic sessions to share the same control channel parameters. Essentially, the
L2TPv3 configuration syntax fulfills these requirements through the use of the xconnect,
pseudowire-class, and l2tp-class command syntax and configuration modes.
xconnect Command Syntax
In the case of Ethernet transport, L2TPv3 supports two types of attachment circuits, as described in the previous section:

Port tunneling on Ethernet interface
The xconnect command that is configured under these interface types locally binds the attachment circuit to the pseudowire session and employs the following syntax:

xconnect peer-ip-address vcid pseudowire-parameters [sequencing {transmit | receive | both}]
The following list explains the arguments in the syntax:

peer-ip-address The peer-ip-address argument identifies the remote PE router where the AC resides. This IP address should reference a virtual interface such as a loopback interface, whose reachability depends solely on its administrative state.

vcid The 32-bit virtual circuit identifier, vcid, acts as a unique per-peer-address identifier of the pseudowire. You should configure the matching VC ID on the remote L2TPv3 endpoint's attachment circuit to associate the pseudowire session to the attachment circuit.
pseudowire-parameters This placeholder syntax represents the encapsulation and pseudowire session parameters when defining the xconnect command. As briefly described in Chapter 10, you can configure L2TPv3 in three modes:
Manual mode Manual mode requires all session characteristics to be configured on each end of the L2TPv3 endpoint. In this setting, the attachment circuit state cannot be signaled to the remote end, and reachability to the remote L2TPv3 endpoint is not monitored.
Manual mode with keepalive Manual mode with keepalive operates in the same manner as manual mode but enables a simple peer keepalive mechanism for dead peer detection.
Dynamic mode Dynamic mode utilizes the control channel capability for peer and pseudowire session negotiation so that manual preconfiguration is unnecessary.
Because of these variations, the xconnect syntax must handle both manually defined and dynamically negotiated sessions. As described earlier, the pseudowire-parameters field is merely a placeholder for an expanded set of command options. pseudowire-parameters takes the following form:

mpls} pw-class

session characteristics, which are explored later in this section. The pw-class command is a mandatory argument when L2TPv3 manual mode is selected as the encapsulation method.
sequencing {transmit | receive | both} The sequencing syntax is an optional argument that is used primarily when configuring L2TPv3 in manual mode. The transmit and receive options configure sequencing of L2TPv3 data packets sent and received over the pseudowire, respectively. Selecting both enables transmit and receive sequencing. Packets received from the pseudowire session that are considered out of order are dropped.
The pseudowire-class command defines a named template containing a series of session characteristics. The pseudowire adopts these session characteristics when the xconnect pw-class pseudowire-class-name argument refers to the respective template. The syntax has the following format:

pseudowire-class [pseudowire-class-name]
pseudowire-class-name is a locally significant, unique identifier of the template. When you enter this argument, the CLI enters into config-pw-class configuration submode, and the following options are available:
encapsulation {l2tpv3 | mpls} The encapsulation option defines the tunneling method that is used. After you define the pseudowire-class template and enter the config-pw-class submode, this is the only command that is initially available to the user because the remaining options depend on the encapsulation that you choose.
ip local interface interface-name The ip local interface command defines the source address of the L2TPv3 control and data packets. The encapsulation and ip local interface definitions are minimum arguments for a complete L2TPv3 pseudowire-class.
protocol {l2tpv3 | none} [l2tp-class-name] The protocol syntax defines whether the L2TPv3 signaling protocol is used for session negotiation. If you prefer dynamic session negotiation, configure protocol l2tpv3 and optionally reference an l2tp-class template so that multiple sessions can share the same control channel characteristics. If no session negotiation is required, select protocol none. If no definition is made, the default assumes that protocol l2tpv3 is configured and that dynamic session negotiation will occur.
sequencing {transmit | receive | both} The sequencing configuration follows the same format as previously defined in the xconnect syntax.

ip dfbit set By enabling this option, the don't fragment (DF) bit is set on the IP packet header of the L2TPv3 packets.

ip pmtu L2TPv3 supports the discovery of path maximum transmission unit (MTU) to reach the remote L2TPv3 endpoint. This topic is explored in more detail in Chapter 13, "Advanced L2TPv3 Case Studies."
ip tos {value value | reflect} When enabled, the ip tos option uses the configured type of service (ToS) value in the IP header of the L2TPv3 packet. If the payload of the Layer 2 frame is IP, the reflect option reflects the ToS value that is stored in the inner IP header to the outer IP header. If ip tos value and ip tos reflect are configured simultaneously, the configured ToS value is used on the outer IP header when the Layer 2 frame payload is not IP, while reflection would occur when the payload is IP.
ip ttl value The IP Time to Live (TTL) of the outer IP packet is set to the TTL value configured in this command.
ip protocol {l2tp | uti} To allow for interoperability with Universal Transport Interface (UTI), you can adjust the IP protocol field to identify the IP packet as either L2TPv3 using IP protocol 115 or UTI using IP protocol 120.
Note

It is highly recommended as a best practice that every xconnect command reference a pseudowire-class template so that the source address of the L2TPv3 packets is defined to a virtual interface, such as a loopback interface. If you do not define a source address using the ip local interface command, the source address is not deterministic; it uses the PE's egress interface address that is closest to the destination, which might change depending on the network topology.
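As an added example (not the book's or Cisco's code), this Python audit checks an IOS-style configuration for the practice in the Note above and for the Control Message Authentication shared secret described under control channel signaling: every xconnect must reference a pseudowire-class whose ip local interface is a loopback, and any dynamically negotiated session must reference an l2tp-class that carries a digest secret. The configuration it parses is constructed for the example; the 10.0.0.2 peer, the class names and the placeholder secret are sample values.

```python
import re

# Constructed sample configuration (not from the book): PW_GOOD follows the Note,
# PW_NOSRC leaves the source address to the egress interface and negotiates
# sessions without a shared secret, and the last xconnect has no pw-class at all.
# 10.0.0.2, the class names and the secret are placeholder values.
SAMPLE_CONFIG = """\
l2tp-class L2TP_AUTH
 digest secret 0 placeholder-shared-secret hash sha
!
pseudowire-class PW_GOOD
 encapsulation l2tpv3
 protocol l2tpv3 L2TP_AUTH
 ip local interface Loopback0
 sequencing both
!
pseudowire-class PW_NOSRC
 encapsulation l2tpv3
 protocol l2tpv3
!
interface Ethernet0/0
 no ip address
 xconnect 10.0.0.2 100 encapsulation l2tpv3 pw-class PW_GOOD
!
interface Ethernet1/0.100
 encapsulation dot1Q 100
 xconnect 10.0.0.2 200 encapsulation l2tpv3 pw-class PW_NOSRC
!
interface Ethernet2/0
 no ip address
 xconnect 10.0.0.2 300 encapsulation l2tpv3
!
"""


def parse_ios_blocks(config):
    """Split IOS-style text into (header, [sub-commands]) blocks: indented lines
    belong to the preceding unindented command, '!' separators are ignored."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw.startswith(" "):
            blocks.append((raw.strip(), []))
    return blocks


def audit_pw_class(body, l2tp_classes):
    """Findings for one pseudowire-class body (its list of sub-commands)."""
    findings = []
    if "encapsulation l2tpv3" not in body:
        return findings                       # MPLS pseudowire-class: out of scope here
    src = next((ln for ln in body if ln.startswith("ip local interface ")), None)
    if src is None:
        findings.append("no 'ip local interface': source address is not deterministic")
    elif not src.split()[3].lower().startswith("loopback"):
        findings.append("source interface %s is not a loopback" % src.split()[3])
    # protocol l2tpv3 is the default, so a missing 'protocol' line still means
    # dynamic negotiation over the control channel.
    proto = next((ln.split() for ln in body if ln.startswith("protocol ")), ["protocol", "l2tpv3"])
    if proto[1] == "l2tpv3":
        cls = l2tp_classes.get(proto[2]) if len(proto) > 2 else None
        if cls is None or not any(ln.startswith("digest secret") for ln in cls):
            findings.append("dynamic sessions without a digest secret: no peer authentication "
                            "on control messages, integrity check uses the empty secret")
    return findings


def audit_l2tpv3(config):
    """Return {'<interface>: <xconnect line>': [findings]} for every xconnect."""
    l2tp_classes, pw_classes, xconnects = {}, {}, []
    for header, body in parse_ios_blocks(config):
        words = header.split()
        if words[0] == "l2tp-class":
            l2tp_classes[words[1]] = body
        elif words[0] == "pseudowire-class":
            pw_classes[words[1]] = body
        elif words[0] == "interface":
            xconnects += [(words[1], ln) for ln in body if ln.startswith("xconnect ")]
    report = {}
    for ifname, line in xconnects:
        m = re.search(r"\bpw-class\s+(\S+)", line)
        if not m:
            findings = ["no pw-class: source address is not deterministic"]
        elif m.group(1) not in pw_classes:
            findings = ["pw-class %s is not defined" % m.group(1)]
        else:
            findings = audit_pw_class(pw_classes[m.group(1)], l2tp_classes)
        report["%s: %s" % (ifname, line)] = findings
    return report
```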
l2tp-class Command Syntax
Similar to the pseudowire-class command, which acts as a template of pseudowire session characteristics, the l2tp-class command defines a named template containing a series of control channel characteristics, such as control channel authentication and hidden AVPs. You can reference the l2tp-class command in the pseudowire-class definition via the protocol l2tpv3 syntax for dynamic session negotiation or via the config-if-xconn configuration submode when defining a manual L2TPv3 session with keepalive support. This chapter examines the latter case in more detail in "Case Study 11-2: Ethernet Port-to-Port Manual Session with Keepalive" and "Case Study 11-3: Ethernet Port-to-Port Dynamic Session." The following syntax is used when defining the l2tp-class:

l2tp-class [l2tp-class-name]
l2tp-class-name is the locally unique name for this template. Configuring this places the user in a config-l2tp-class configuration submode. When the user is in this mode, several control channel parameters are available, falling into four categories, as follows:
Local cookie size
Control channel timing
Control channel authentication and integrity checking
Control channel maintenance
The optional L2TPv3 local cookie size contains a single command and has the following form:
cookie size [4 | 8] [size] The cookie size defines the size of the locally unique cookie for each dynamically negotiated pseudowire session that shares this l2tp-class template. Only two options are offered: a 4- or 8-byte cookie value. The default assumes a 0-byte cookie (that is, no local cookie is defined). As such, the local peer does not pass a Cookie AVP to the remote peer.
receive-window [size] The L2TPv3 control channel utilizes a sliding window implementation using Ns, the sequence number found in the L2TPv3 control message that was sent, and Nr, the sequence number expected in the next L2TPv3 control message to be received. The receive window value determines the number of outstanding messages that the remote device can send before receiving an acknowledgement from the local device.

retransmit {initial retries initial-retries | retries retries | timeout {max | min} timeout} The retransmit retries interval defines the number of retransmission attempts before declaring the remote end as unresponsive. More specifically, initial retries initial-retries defines the number of Start-Control-Connection Request (SCCRQ) attempts made when trying to initialize the control channel. The first retransmission is sent at the timeout min timeout value after the first unacknowledged request. The time between each subsequent retransmission increases exponentially until it reaches the value specified in the timeout max timeout configuration.
digest [secret [0 | 7] password] [hash {md5 | sha}] The digest secret defines the shared secret and hashing mechanism used in the new control message hashing authentication mechanism. The [0 | 7] input type option defines the format of the password that is defined. A 0 indicates that the subsequent password is entered in plaintext, whereas a 7 indicates that the password is encrypted. The hash {md5 | sha} option defines the hashing mechanism that calculates the message digest. The default assumes a 0 input type option and hash md5. Both peers should use the same shared digest secret and hashing mechanism for the control message.

digest check The digest check enables validation of the contained message digest. By default, this option is enabled. You can disable it only when digest secret is not

hidden When you define the hidden keyword in a l2tp-class, AVPs are encoded to hide sensitive information. If the hidden keyword is not configured, AVPs are sent in the clear. The Cookie AVP that protects against blind insertion attacks is an example of an AVP that would be hidden when the hidden keyword is configured along with a digest secret command. The length of the hidden AVP is different from the original AVP because of potential padding and additional overhead in the process of hiding the AVP.
Note

When you use a digest secret option, you perform control connection authentication of the remote peer. In this case, the message digest is calculated against the L2TPv3 control message content along with the configured digest secret password and the local and remote Control Message Authentication Nonce. However, you can configure the digest keyword itself to simply perform a control connection integrity check. In this scenario, the message digest is calculated against the L2TPv3 control message content and provides a unidirectional integrity check.
L2TPv3 control channel maintenance parameters involve the following option:

hello [interval] The hello interval defines the interval in seconds between Hello messages after the control channel is initialized. The hello mechanism provides a simple dead peer detection mechanism and defaults to 60 seconds if it is not configured explicitly.
Figure 11-2. L2TPv3 Ethernet Port-to-Port Emulation Case Study

[Figure: PE routers SanFran and NewYork with P router Denver, Loopback 0 addresses 10.1.1.102/32, 10.1.1.101/32, and 10.1.1.103/32; PE-P core links addressed from /30s out of the 10.1.2.0/24 block; CE routers Oakland, Albany, and Hudson at the site subnets, Loopback 0 addresses 192.168.1.108/32, 192.168.1.111/32, and 192.168.1.113/32.]
The following list describes the required steps in establishing the IP PSN core:

Step 1. Create a loopback interface and assign a /32 IP address to it.

Step 2. Enable IP CEF globally. Depending on the platform type, configure distributed CEF (dCEF) to further improve switching performance.

Step 3. Assign IP addresses to all physical links that connect the core routers. In this chapter, /30 subnets are allocated for each core serial link.

Step 4. Enable an Interior Gateway Protocol (IGP) among the core devices. In this chapter, OSPF is configured as a single area 0.

Example 11-1 includes the base configuration of the SanFran PE router. Denver and NewYork are configured equivalently to the SanFran router, with adjustments to the interface IP addressing.
Example 11-1. SanFran Required Preconfiguration

hostname SanFran
!
ip cef
!
interface Loopback0
 ip address 10.1.1.102 255.255.255.255
!
interface Serial6/0
 ip address 10.1.2.1 255.255.255.252
!
router ospf 1
 log-adjacency-changes
 network 10.1.1.0 0.0.0.255 area 0
 network 10.1.2.0 0.0.0.255 area 0
!
The highlighted lines indicate the relevant IP addressing specific to the SanFran router that would change in the respective configuration in the Denver and NewYork devices.

To confirm that the proper routes are being distributed, Example 11-2 captures the IP routing table of the IP PSN network.

The goal in this case study is to provide Layer 2 Ethernet port-to-port connectivity over an IP-based PSN between Oakland's CE router E0/0 interface and Albany's CE router E0/0 interface. The subsequent sections examine the necessary configuration, verification, and data plane details of this environment.
Ethernet Port-to-Port Manual Configuration

To provision an Ethernet port-to-port manual pseudowire, the SanFran and NewYork PE devices will configure the following to act as L2TPv3 endpoints for the customer:

1. Define a pseudowire-class template.

2. Define an xconnect on the appropriate interface with the necessary preconfigured manual attributes.

Example 11-3 shows the relevant configuration for the SanFran PE device.
hostname NewYork
ip cef
!
pseudowire-class pw-manual
 encapsulation l2tpv3
 protocol none
 ip local interface Loopback0
!
interface Loopback0
 ip address 10.1.1.103 255.255.255.255
!
interface Ethernet0/0
 no ip address
 no cdp enable
 xconnect 10.1.1.102 33 encapsulation l2tpv3 manual pw-class pw-manual
  l2tp id 329 245
  l2tp cookie local 8 76429 945
  l2tp cookie remote 8 957344 9379092
As mentioned earlier in the section, both PE routers should configure a pseudowire-class template first. San Francisco's and New York's pseudowire-class template is called pw-manual, as highlighted in the example. Although defining a pseudowire-class is an optional step, it is a highly recommended best practice at least to define the L2TPv3 local interface to a loopback interface. This forces the source address for the L2TPv3 session to use a virtual interface that otherwise would never go down unless it was shut administratively.
Parameter             SanFran                 NewYork
Session ID            245 (0x000000F5)        329 (0x00000149)
Cookie Size           8                       8
Cookie Value (Low)    957344 (0x000E9BA0)     76429 (0x00012A8D)
Cookie Value (High)   9379092 (0x008F1D14)    945 (0x000003B1)
Several show commands are useful for determining the state of the manual Ethernet port-to-port L2TPv3 session. This section describes the following:

show l2tun
show l2tun session all
The show l2tun command shows summarized information regarding all defined tunnels and sessions on the local device, as demonstrated in Example 11-5. As mentioned in Chapter 10, the term L2TP tunnel refers to the L2TPv3 control connection. As highlighted in Example 11-5, you can see the term tunnel in this context. Because this case study configures a manual session, no L2TPv3 control connection is established, and the total tunnels is 0. However, one session does exist, which happens to be the Ethernet port-to-port manual session defined between Oakland and Albany.
SanFran#show l2tun
Tunnel and Session Information Total tunnels 0 sessions 1
Tunnel control packets dropped due to failed digest 0

LocID      RemID      TunID      Username, Intf/      State
                                 Vcid, Circuit
245        329        0          33, Et0/0            est
The final line of the Example 11-5 output provides summarized information regarding each of the sessions. The output includes the local and remote session IDs, which in SanFran's case are 245 and 329, respectively. The defined VC ID is 33, and the attachment circuit is Ethernet 0/0. Also notice that the tunnel ID in this case is 0. The tunnel ID is essentially the control connection ID defined in Chapter 10. Normally, this would be a negotiated value; however, because the pseudowire session is in manual mode, no control channel is used and no control connection ID is necessary. Finally, the state of the session shows established (est), indicating that this pseudowire session is active.

You can glean additional session attributes from the show l2tun session all output shown in Example 11-6.
Example 11-6. SanFran show l2tun session all Output

SanFran#show l2tun session all
Session Information Total tunnels 0 sessions 1
Tunnel control packets dropped due to failed digest 0

Session id 245 is up, tunnel id 0
Call serial number is 0
Remote tunnel name is
  Internet address is 10.1.1.103
  Session is manually signalled
  Session state is established, time since change 00:53:09
    692 Packets sent, 693 received
    66992 Bytes sent, 66981 received
  Receive packets dropped:
    out-of-order:             0
    total:                    0
  Send packets dropped:
    exceeded session MTU:     0
    total:                    0
  Session vcid is 33
  Session Layer 2 circuit, type is Ethernet, name is Ethernet0/0
  Circuit state is UP
    Remote session id is 329, remote tunnel id 0
  DF bit off, ToS reflect disabled, ToS value 0, TTL value 255
  Sequencing is off
the PE device. Like the show l2tun session command, the capture from Example 11-6 shows the local and remote session ID as 245 and 329 respectively, the VCID of 33, a local TunID of 0, the attachment circuit interface of E0/0, and the session state of established.

The show l2tun session all command also displays the peering address as New York's loopback address of 10.1.1.103, the session type of manually signaled, and timers since the previous session state change. The session state timer is followed by counters for packets and bytes sent and received. The sent packets/bytes are from the perspective of attachment circuit frames that are encapsulated with an L2TPv3 header and sent onto the pseudowire session. Conversely, the received packets/bytes are from the perspective of received L2TPv3 packets from the session that are to be sent toward the attachment circuit. The size and hexadecimal value of local and remote cookies is also displayed for the session.
Common Circuit ID 0  Serial Num 5  Switch ID 2  22074136
---------------------------------------------------------------------------
Status    Encapsulation
UP        flg  len  dump
          Y    AES  0
          Y    AES  32   45000000 00000000 FF73A4BC 0A010166 0A010167 00000149
                         000003B1 00012A8D
The first 20 bytes are the IP packet header with a source address of SanFran's loopback of 10.1.1.102 (0x0A010166) and a destination address of 10.1.1.103 (0x0A010167). The IP header is then followed by the remote session ID of 329 (0x00000149) and the 8-byte remote cookie (cookie value high = 0x000003B1, cookie value low = 0x00012A8D).

You can perform a final verification by passing traffic between the CE routers to the next-hop interface address. As shown in Example 11-8, a ping is executed from the Oakland CE router to the E0/0 IP address on the Albany CE router of 192.168.2.2, indicating successful connectivity.
Plane Details
Chapter 10 discussed at length the L2TPv3 encapsulation format for encapsulating data. In this case study, correlating the encapsulated packet with the preconfigured details for the pseudowire session should be fairly simple. An L2TPv3 frame that is captured in the IP PSN core is shown in Example 11-9.
                                  ^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^
                                  IPv4 Delivery Header  L2TPv3 Header
0020  00 01 2a 8d 00 00 0c 00 6f 00 00 00 0c 00 6c 00
      ^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      L2TPv3 Hdr  L2TPv3 Payload (Ethernet II - Frame)
0030  08 00 45 00 00 64 04 6e 00 00 ff 01 31 d7 c0 a8
      ^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      Ethertype IPv4 Hdr (ICMP packet)
0040  02 01 c0 a8 02 02 08 00 9d 07 00 09 00 00 00 00
      ^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      IPv4 Hdr (ICMP packet) ICMP packet
!remainder omitted for brevity
Note

Example 11-9 includes the full Ethereal decode of the packet followed by the hexadecimal capture of the frame. Each highlighted section of the Ethereal decode corresponds to a highlighted hexadecimal field.

The decode captures a Cisco-HDLC frame between the SanFran PE router and the Denver P router that contains an L2TPv3 packet. This L2TPv3 packet payload contains an Ethernet frame from the previous CE verification ICMP ping executed from Oakland's E0/0 interface to Albany's E0/0 interface.
Notice that the capture has two Layer 2 frame headers. The first Layer 2 frame is the Cisco-HDLC frame between the SanFran and Denver routers. This is followed by the IP delivery header that is part of the L2TPv3 packet. Because the L2TPv3 endpoints are the PE routers, the source and destination IP addresses in the outer IP delivery header are SanFran and NewYork's Loopback 0 addresses, respectively. An IP protocol type of 0x73, 115, indicates that the IP payload is an L2TPv3 packet. The session ID is 0x00000149, which in decimal is 329 and is equal to the remote session ID configured on SanFran that uniquely identifies the session on NewYork. Following the session ID is the 8-byte remote cookie value, 0x000003B100012A8D, which was configured on SanFran as the remote cookie value.
The L2TPv3 payload follows the L2TPv3 header and is the second Layer 2 frame header. In this case, the L2TPv3 payload is a standard Ethernet Version II untagged frame minus the frame check sequence (FCS) sent to Albany's Ethernet port, MAC address 0000.0c00.6f00, from Oakland's Ethernet port, MAC address 0000.0c00.6c00. Further inspection shows that this Ethernet frame is carrying an IP payload that is sourced from Oakland's E0/0 interface, whose IP address is 192.168.2.1 (0xc0a80201), to Albany's E0/0 interface, whose IP address is 192.168.2.2 (0xc0a80202).

When the NewYork router receives this L2TPv3 frame, the outer IP header and L2TPv3 header are stripped off. The session ID and cookie value in the L2TPv3 header provide the NewYork router with enough information to properly demultiplex the frame and associate it with the appropriate egress attachment circuit. In this case, the Ethernet frame is forwarded out of NewYork's Ethernet 0/0 interface and destined to Albany's Ethernet port.
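The demultiplexing and cookie check just described, as an added Python example (not code from the book or from IOS): it parses the 32 bytes of Example 11-7 followed by the Ethernet payload of Example 11-9, looks the session ID up in a table built from NewYork's configuration, verifies the 8-byte cookie, and drops a packet whose cookie does not match. The cookie encoding follows the page's own values, where the second configured value (945) is the high word and travels first; the session table and the truncated sample packet are constructed here.

```python
import hmac
import struct
from dataclasses import dataclass

L2TPV3_IP_PROTO = 115  # 0x73: L2TPv3 carried directly over IP, as in the captures


def cookie_wire_bytes(size: int, low: int, high: int = 0) -> bytes:
    """Wire encoding of an IOS 'l2tp cookie {local|remote} size low [high]' value.
    NewYork's 'l2tp cookie local 8 76429 945' arrives as 000003B1 00012A8D, so the
    second value (945) is the high word and is sent first."""
    if size == 4:
        return struct.pack("!I", low)
    if size == 8:
        return struct.pack("!II", high, low)
    raise ValueError("cookie size must be 4 or 8")


@dataclass(frozen=True)
class ManualSession:
    local_id: int   # session ID the peer must place in the L2TPv3 header
    cookie: bytes   # expected local cookie, in wire order
    peer: str       # remote PE loopback
    circuit: str    # egress attachment circuit


# Session table constructed from NewYork's manual xconnect on the page
# ('l2tp id 329 245', 'l2tp cookie local 8 76429 945' under Ethernet0/0).
NEWYORK_SESSIONS = {
    329: ManualSession(329, cookie_wire_bytes(8, 76429, 945), "10.1.1.102", "Ethernet0/0"),
}

# Constructed sample: the 32 bytes of Example 11-7, then the Ethernet II header,
# inner IPv4 header and ICMP header of Example 11-9 (inner datagram truncated).
SAMPLE_PACKET = bytes.fromhex(
    "45000000 00000000 FF73A4BC 0A010166 0A010167"    # outer IPv4 delivery header
    "00000149"                                         # session ID 329
    "000003B1 00012A8D"                                # 8-byte cookie, high word first
    "00000c006f00 00000c006c00 0800"                   # dst MAC, src MAC, Ethertype
    "4500 0064 046e 0000 ff01 31d7 c0a80201 c0a80202"  # inner IPv4 header (ICMP)
    "0800 9d07 0009 0000"                              # ICMP echo request header
)


def ipv4_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def cisco_mac(b: bytes) -> str:
    h = b.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def demultiplex(packet: bytes, sessions: dict) -> dict:
    """Handle an L2TPv3-over-IP data packet as the receiving PE does: strip the
    delivery header, find the session by ID, verify the cookie, and return the
    egress circuit with the decapsulated frame. Raises ValueError on anything
    the PE would drop."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != L2TPV3_IP_PROTO:
        raise ValueError(f"IP protocol {packet[9]} is not L2TPv3")
    body = packet[ihl:]
    if len(body) < 4:
        raise ValueError("truncated L2TPv3 header")
    session_id = struct.unpack("!I", body[:4])[0]
    session = sessions.get(session_id)
    if session is None:
        raise ValueError(f"no session with local ID {session_id}")
    n = len(session.cookie)
    cookie = body[4:4 + n]
    # The cookie is what defeats blind insertion: right session ID, wrong cookie -> drop.
    if len(cookie) != n or not hmac.compare_digest(cookie, session.cookie):
        raise ValueError(f"cookie mismatch on session {session_id}")
    frame = body[4 + n:]
    if len(frame) < 14:
        raise ValueError("payload shorter than an Ethernet header")
    info = {
        "outer_src": ipv4_str(packet[12:16]),
        "outer_dst": ipv4_str(packet[16:20]),
        "session_id": session_id,
        "circuit": session.circuit,
        "dst_mac": cisco_mac(frame[0:6]),
        "src_mac": cisco_mac(frame[6:12]),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
        "payload": frame[14:],
    }
    if info["ethertype"] == 0x0800 and len(frame) >= 34:  # inner IPv4 addresses
        info["inner_src"] = ipv4_str(frame[26:30])
        info["inner_dst"] = ipv4_str(frame[30:34])
    return info


def would_forward(packet: bytes, sessions: dict) -> bool:
    try:
        demultiplex(packet, sessions)
        return True
    except ValueError:
        return False


def with_cookie(packet: bytes, cookie: bytes) -> bytes:
    """Copy of an 8-byte-cookie packet with the cookie replaced, to show that
    a wrong or guessed cookie is rejected before forwarding."""
    return packet[:24] + cookie + packet[32:]
```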
The nature of the Ethernet port-to-port session is that any valid Ethernet frame minus the FCS is
transported across the pseudowire to be replayed on the far-end attachment circuit. Because of this, the
Ethernet port-to-port session is oblivious to the fact that tagged or untagged frames might be received on
Oakland's E0/0 interface. In an alternate scenario in which the Oakland and Albany routers are sending
802.1q tagged frames, the Ethernet port-to-port emulation would be oblivious to the 802.1q tag. It would
transport the tagged Ethernet II frame across the pseudowire transparently, leaving the 802.1q tag
untouched.
Although a manually defined Ethernet port-to-port session fulfills the original goal for Layer 2 connectivity, one of the disadvantages is that the PE devices cannot detect whether the remote peer is responding. If connectivity is lost to the NewYork PE, the SanFran router would not tear down the pseudowire; it would continue sending data packets on the session. In fact, the pseudowire session state for a manual session always shows established, as shown in the show l2tun session output, regardless of the state of the peer PE router.
This case study explores the configuration, verification, and control plane details for an Ethernet port-to-port manual session with keepalives. Because the addition of the keepalives affects only the control plane, the data plane details are the same as in Case Study 11-1 and are not reexamined.
Recognizing the drawback of no peer detection, the service provider has decided to adjust the original configuration to support a simple keepalive mechanism. This keepalive mechanism is essentially an L2TPv3 control channel maintained between the PE devices. This case study adjusts the control connection and management timers so that you can understand how they function. To provision this service, Example 11-10 contains the new configuration applied to the SanFran PE router.
Example 11-10. Ethernet Port-to-Port Manual Session with Keepalive Configuration on SanFran

hostname SanFran
!
l2tp-class l2-keepalive
 hello 30
 retransmit retries 5
 retransmit timeout max 4
 retransmit timeout min 2
 retransmit initial retries 3
 retransmit initial timeout max 7
 retransmit initial timeout min 2
!
pseudowire-class pw-manual
 encapsulation l2tpv3
 protocol none
 ip local interface Loopback0
!
interface Ethernet0/0
 no ip address
 no cdp enable
 xconnect 10.1.1.103 33 encapsulation l2tpv3 manual pw-class pw-manual
  l2tp id 245 329
  l2tp cookie local 8 957344 9379092
  l2tp cookie remote 8 76429 945
  l2tp hello l2-keepalive
Example 11-11 contains the new configuration applied to the SanFran PE router.
hostname NewYork
!
l2tp-class l2-keepalive
 hello 30
 retransmit retries 5
 retransmit timeout max 4
 retransmit timeout min 2
 retransmit initial retries 3
 retransmit initial timeout max 7
 retransmit initial timeout min 2
!
pseudowire-class pw-manual
 encapsulation l2tpv3
 protocol none
 ip local interface Loopback0
!
interface Ethernet0/0
 no ip address
 no cdp enable
 xconnect 10.1.1.102 33 encapsulation l2tpv3 manual pw-class pw-manual
  l2tp id 329 245
  l2tp cookie local 8 76429 945
  l2tp cookie remote 8 957344 9379092
  l2tp hello l2-keepalive
Note

An l2tp-class was defined named l2-keepalive that consists of a series of timer modifications. The Hello message keepalive timer was modified from the default 60 seconds to 30 seconds via the hello 30 syntax. If a Hello message is not acknowledged, the control channel attempts five retries per the retransmit retries configuration. The retransmit retries min configuration defines the first retry interval at 2 seconds and doubles per interval up to the retransmit retries max value. After the pseudowire session fails, the L2TPv3 endpoints try to restore the control channel by sending the initial SCCRQ message. In the same manner, the number of SCCRQ retries and time between retry attempts are dictated by the retransmit initial retries, retransmit initial min, and retransmit initial max configured values.

The pseudowire-class pw-manual definition is reused from the previous "Ethernet Port-to-Port Manual Session" section of Case Study 11-1. As mentioned in that case study, defining a pseudowire-class template is a highly recommended best practice to make the source address of L2TPv3 packets deterministic.
ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
Thexconnect configuration
then
references
l2tp-class by name in the config-if-xconn submode as a
No. 4460,Anthony
Chan,
- CCIE No.this
10,266
template to use for its keepalive mechanism via the l2tp hello l2-keepalive command. The control
channel negotiation Publisher:
and keepalive
are examined in more detail in the subsequent "Ethernet Port-to-Port
Cisco Press
Manual Session withPub
Keepalive
Control Plane Details" section.
Ethernet Port-to-Port Manual Session
Because of the use of the control channel in this case study, additional output is available from several
show commands used to monitor the health of the L2TPv3 control channel and sessions. They include the
following commands:
show l2tun
In the second portion of the show l2tun output, described as the tunnel summary section, the L2TP class
field refers to the l2-keepalive template for this L2TPv3 tunnel. Also note that the tunnel ID, also referred
to as the control connection ID, in the session summary section is now a nonzero value of 37528 that was
negotiated as part of the control channel establishment. The method by which the control channel is
established and the way the tunnel ID is negotiated are explored in more detail in the "Ethernet Port-to-
Port Manual Session with Keepalive Control Plane Details" section of this case study.
Note
The total sessions count consists of both manually and dynamically negotiated sessions. The Sessions field counts only dynamic sessions negotiated against that specific L2TPv3 tunnel. Because this case study examines a manually defined session, the Sessions field does not register it against the tunnel.
The show l2tun tunnel all output shown in Example 11-13 captures additional details for the L2TPv3 control channel.
SanFran#show l2tun tunnel all
Tunnel Information Total tunnels 1 sessions 1
Tunnel control packets dropped due to failed digest 0

Tunnel id 37528 is up, remote id is 27854, 0 active sessions
  Tunnel state is established, time since change 00:52:10
  Tunnel transport is IP (115)
  Remote tunnel name is NewYork
    Internet Address 10.1.1.103, port 0
  Local tunnel name is SanFran
    Internet Address 10.1.1.102, port 0
  Tunnel domain is
  VPDN group for tunnel is
  L2TP class for tunnel is l2-keepalive
  0 packets sent, 0 received
  0 bytes sent, 0 received
  Control Ns 105, Nr 106
  Local RWS 1024 (default), Remote RWS 1024 (max)
  Tunnel PMTU checking disabled
  Retransmission time 1, max 2 seconds
  Unsent queuesize 0, max 0
  Resend queuesize 0, max 1
  Total resends 0, ZLB ACKs sent 105
  Current nosession queue check 0 of 5
  Retransmit time distribution: 0 0 0 0 0 0 0 0 0
  Sessions disconnected due to lack of resources 0
  Control message authentication is disabled
Example 11-13 displays both the local and remote tunnel IDs that were negotiated during control channel
establishment and the current tunnel state and tunnel timer since the last state change. Because L2TPv3 is
used instead of UTI, the IP protocol tunnel transport type is set to 115. Also, as a part of the control
channel establishment, the remote and local tunnel names and negotiated receive window sizes (RWS) are
displayed. The RWS is the maximum number of control messages that can be sent before the L2TPv3
control connection must wait for an acknowledgement. The negotiated window size allows for a sliding
Note
The show l2tun session all command output is essentially the same as in "Case Study 11-1: Ethernet Port-to-Port Manual Session." Therefore, it is not reviewed in this case study.
seconds
*Nov 17 11:27:42.460: Tnl37528 L2TP: Tunnel state change from idle to wait-ctl-reply
*Nov 17 11:27:42.536: Tnl37528 L2TP: Parse AVP 0, len 8, flag 0x8000 (M)
*Nov 17 11:27:42.536: Tnl37528 L2TP: Parse SCCCN
*Nov 17 11:27:42.536: Tnl37528 L2TP: No missing AVPs in SCCCN
*Nov 17 11:27:42.536: Tnl37528 L2TP: I SCCCN, flg TLS, ver 3, len 20, tnl 37528, ns 1, nr 1 contiguous pak, size 20
*Nov 17 11:27:42.536: Tnl37528 L2TP: I SCCCN from NewYork tnl 27854
*Nov 17 11:27:42.536: Tnl37528 L2TP: Control connection authentication skipped/passed.
*Nov 17 11:27:42.536: Tnl37528 L2TP: Tunnel state change from wait-ctl-reply to established
*Nov 17 11:27:42.536: Tnl37528 L2TP: O ZLB ctrl ack, flg TLS, ver 3, len 12, tnl 27854, ns 1, nr 2
*Nov 17 11:27:42.536: Tnl37528 L2TP: SM State established
! Debug output omitted for brevity
*Nov 17 11:28:12.552: Tnl37528 L2TP: O Hello to NewYork tnlid 27854
*Nov 17 11:28:12.552: Tnl37528 L2TP: O Hello, flg TLS, ver 3, len 20, tnl 27854, ns 1, nr 3
! Debug output omitted for brevity
*Nov 17 11:28:12.600: Tnl37528 L2TP: I ZLB ctrl ack, flg TLS, ver 3, len 12, tnl 37528, ns 3, nr 2
! Debug output omitted for brevity
*Nov 17 11:28:42.568: Tnl37528 L2TP: O Hello to NewYork tnlid 27854
*Nov 17 11:28:42.568: Tnl37528 L2TP: O Hello, flg TLS, ver 3, len 20, tnl 27854, ns 2, nr 3
The purpose of configuring keepalives in this case study is to provide a means of detecting L2TPv3 peer
loss. Whereas Example 11-14 illustrates control connection initialization, the next example demonstrates a
control connection teardown for a different L2TPv3 tunnel with a local tunnel ID of 40786 and remote
tunnel ID of 22379. More specifically, Example 11-15 shows the debug vpdn l2x-events output from the
SanFran router during a core link failure, where it loses connectivity to its L2TPv3 peer, NewYork.
Example 11-15. SanFran debug vpdn l2x-events Output for Control Connection Teardown

SanFran#
*Nov 20 15:11:55.979: Tnl40786 L2TP: O Hello to NewYork tnlid 22379
*Nov 20 15:11:55.979: Tnl40786 L2TP: Control channel retransmit delay set to 2 seconds
*Nov 20 15:11:57.999: Tnl40786 L2TP: O Resend Hello, flg TLS, ver 3, len 20, tnl 22379, ns 97, nr 98
*Nov 20 15:11:57.999: Tnl40786 L2TP: Control channel retransmit delay set to 4 seconds
*Nov 20 15:12:01.999: Tnl40786 L2TP: O Resend Hello, flg TLS, ver 3, len 20, tnl 22379, ns 97, nr 98
*Nov 20 15:12:05.999: Tnl40786 L2TP: O Resend Hello, flg TLS, ver 3, len 20, tnl 22379, ns 97, nr 98
*Nov 20 15:12:10.019: Tnl40786 L2TP: O Resend Hello, flg TLS, ver 3, len 20, tnl 22379, ns 97, nr 98
*Nov 20 15:12:13.999: Tnl40786 L2TP: O Resend Hello, flg TLS, ver 3, len 20, tnl 22379, ns 97, nr 98
*Nov 20 15:12:17.999: Tnl40786 L2TP: O StopCCN to NewYork tnlid 22379
*Nov 20 15:12:17.999: Tnl40786 L2TP: Tunnel state change from established to shutting-down
*Nov 20 15:12:23.019: Tnl40786 L2TP: Shutdown tunnel
*Nov 20 15:12:23.019: Tnl/Sn0/245 L2TP: Destroying session
! Debug output omitted for brevity
Note
In Example 11-15, SanFran's Hello messages are unacknowledged via ZLB messages because of the loss of connectivity to NewYork. To display ZLB acknowledgements or the lack thereof, enable debug vpdn l2x-packets in Example 11-15.
Initially, SanFran sends a Hello at 15:11:55.979. Unfortunately, because of the link failure, the Hello message is not acknowledged via a ZLB message. As configured in retransmit retries 5, five retransmissions are sent at 15:11:57.999, 15:12:01.999, 15:12:05.999, 15:12:10.019, and 15:12:13.999. In SanFran's l2-keepalive template configuration, the retransmission intervals are bounded by the retransmit retries min 2 and retransmit retries max 4 values. Any subsequent retries use the max value when it is reached. After the final retransmission, the control channel is torn down and a Stop-Control-Connection-Notification (STOPCCN) message is sent at 15:12:17.999. Because the loss of connectivity to NewYork is detected, not only is the tunnel shut down, but its associated sessions are, too.
Example 11-16 captures the debug vpdn l2x-events output for SanFran's attempt to reinitialize the
L2TPv3 control connection after it detects peer loss.
tnl 0, ns 0, nr 0
*Nov 20 15:12:35.119: Tnl52029 L2TP: Control channel retransmit delay set to 4 seconds
*Nov 20 15:12:39.119: Tnl52029 L2TP: O Resend SCCRQ, flg TLS, ver 3, len 122, tnl 0, ns 0, nr 0
*Nov 20 15:12:39.119: Tnl52029 L2TP: Control channel retransmit delay set to 7 seconds
*Nov 20 15:12:46.119: Tnl52029 L2TP: O Resend SCCRQ, flg TLS, ver 3, len 122, tnl 0, ns 0, nr 0
*Nov 20 15:12:53.119: Tnl52029 L2TP: O StopCCN
*Nov 20 15:12:53.119: Tnl52029 L2TP: Tunnel state change from wait-ctl-reply to shutting-down
*Nov 20 15:12:58.139: Tnl52029 L2TP: Shutdown tunnel
*Nov 20 15:12:58.139: Tnl/Sn0/245 L2TP: Destroying session
In Example 11-16, SanFran attempts to reinitialize the control channel by sending an SCCRQ request at 15:12:33.099. Although this is the continuation of the debug output from Example 11-15 where SanFran's local tunnel ID is 40786, the SanFran PE router is attempting to initialize a new control connection and has allocated a new local tunnel ID of 52029. Unfortunately, because connectivity to NewYork has not been restored yet, the SCCRQ is not acknowledged, and three SCCRQ attempts are sent at 15:12:35.119, 15:12:39.119, and 15:12:46.119 based on the retransmit retries initial 3 configuration. These retransmissions begin with the retransmit retries initial min 2 and double per retransmission up to the retransmit retries initial max 7. Because all three attempts fail, a STOPCCN is sent to tear down the control channel at 15:12:53.119.
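The timer behaviour described for the l2-keepalive template and confirmed by the timestamps in Examples 11-15 and 11-16 can be modelled and checked mechanically. The following Python is an added example, not code from the book or from Cisco IOS. It assumes exactly the backoff the text describes (first retry after the minimum timeout, doubling per retry up to the maximum, StopCCN one further capped wait after the last retry), and it reads the retransmission gaps back out of debug vpdn l2x-events lines. The Hello sample is copied from Example 11-15; the SCCRQ sample is Example 11-16 with its first two SCCRQ lines reconstructed from the 15:12:33.099 send time the text gives.

```python
"""L2TPv3 control channel retransmission timers, modelled from the l2-keepalive
l2tp-class in this case study, with a checker that pulls the real gaps out of
'debug vpdn l2x-events' lines so the two can be compared.

Added example, not code from the book or from Cisco IOS. It assumes exactly the
backoff the text describes: the first retry waits the minimum timeout, each
later retry doubles that wait up to the maximum, and the StopCCN follows the
last retry after one further (capped) wait. SAMPLE_HELLO_LOSS is copied from
Example 11-15; SAMPLE_SCCRQ_LOSS is Example 11-16 with the initial SCCRQ lines
reconstructed from the 15:12:33.099 time the text gives.
"""
import re
from datetime import datetime


def retransmit_schedule(retries, timeout_min, timeout_max):
    """Seconds to wait before each of the `retries` retransmissions."""
    waits, delay = [], timeout_min
    for _ in range(retries):
        waits.append(delay)
        delay = min(delay * 2, timeout_max)
    return waits


def expected_waits(retries, timeout_min, timeout_max):
    """The retransmit waits plus the final wait before StopCCN is sent."""
    waits = retransmit_schedule(retries, timeout_min, timeout_max)
    final = min(waits[-1] * 2, timeout_max) if waits else timeout_min
    return waits + [final]


def peer_loss_detection_time(retries, timeout_min, timeout_max):
    """Seconds from the first unanswered message to the StopCCN that tears the tunnel down."""
    return sum(expected_waits(retries, timeout_min, timeout_max))


def worst_case_dead_peer_detection(hello, retries, timeout_min, timeout_max):
    """Longest a silent peer can stay 'established': it may die right after an
    acknowledged Hello, so a full hello interval passes before the first miss."""
    return hello + peer_loss_detection_time(retries, timeout_min, timeout_max)


# Lines copied from Example 11-15 (tunnel 40786, Hello retransmits).
SAMPLE_HELLO_LOSS = """\
*Nov 20 15:11:55.979: Tnl40786 L2TP: O Hello to NewYork tnlid 22379
*Nov 20 15:11:55.979: Tnl40786 L2TP: Control channel retransmit delay set to 2 seconds
*Nov 20 15:11:57.999: Tnl40786 L2TP: O Resend Hello, flg TLS, ver 3, len 20, tnl 22379, ns 97, nr 98
*Nov 20 15:11:57.999: Tnl40786 L2TP: Control channel retransmit delay set to 4 seconds
*Nov 20 15:12:01.999: Tnl40786 L2TP: O Resend Hello, flg TLS, ver 3, len 20, tnl 22379, ns 97, nr 98
*Nov 20 15:12:05.999: Tnl40786 L2TP: O Resend Hello, flg TLS, ver 3, len 20, tnl 22379, ns 97, nr 98
*Nov 20 15:12:10.019: Tnl40786 L2TP: O Resend Hello, flg TLS, ver 3, len 20, tnl 22379, ns 97, nr 98
*Nov 20 15:12:13.999: Tnl40786 L2TP: O Resend Hello, flg TLS, ver 3, len 20, tnl 22379, ns 97, nr 98
*Nov 20 15:12:17.999: Tnl40786 L2TP: O StopCCN to NewYork tnlid 22379
*Nov 20 15:12:17.999: Tnl40786 L2TP: Tunnel state change from established to shutting-down
""".splitlines()

# Example 11-16 (tunnel 52029); the first two lines are reconstructed, the rest copied.
SAMPLE_SCCRQ_LOSS = """\
*Nov 20 15:12:33.099: Tnl52029 L2TP: O SCCRQ
*Nov 20 15:12:33.099: Tnl52029 L2TP: O SCCRQ, flg TLS, ver 3, len 122, tnl 0, ns 0, nr 0
*Nov 20 15:12:35.119: Tnl52029 L2TP: O Resend SCCRQ, flg TLS, ver 3, len 122, tnl 0, ns 0, nr 0
*Nov 20 15:12:35.119: Tnl52029 L2TP: Control channel retransmit delay set to 4 seconds
*Nov 20 15:12:39.119: Tnl52029 L2TP: O Resend SCCRQ, flg TLS, ver 3, len 122, tnl 0, ns 0, nr 0
*Nov 20 15:12:39.119: Tnl52029 L2TP: Control channel retransmit delay set to 7 seconds
*Nov 20 15:12:46.119: Tnl52029 L2TP: O Resend SCCRQ, flg TLS, ver 3, len 122, tnl 0, ns 0, nr 0
*Nov 20 15:12:53.119: Tnl52029 L2TP: O StopCCN
""".splitlines()

EVENT_RE = re.compile(r"^\*(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): Tnl(\d+) L2TP: (.*)$")
# Outbound messages whose spacing reveals the retransmit timer. "O Hello" also
# covers the "O Hello to <peer>" line; duplicates at one timestamp are merged.
SEND_PREFIXES = ("O Hello", "O Resend Hello", "O SCCRQ", "O Resend SCCRQ", "O StopCCN")


def parse_events(lines):
    """Yield (timestamp, tunnel id, message) for each well-formed debug line."""
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f"), int(m.group(2)), m.group(3)


def observed_waits(lines, tunnel_id):
    """Seconds between successive outbound sends on one tunnel, rounded to 0.1 s."""
    sends = sorted({ts for ts, tnl, msg in parse_events(lines)
                    if tnl == tunnel_id and msg.startswith(SEND_PREFIXES)})
    return [round((b - a).total_seconds(), 1) for a, b in zip(sends, sends[1:])]


def schedule_matches(lines, tunnel_id, retries, timeout_min, timeout_max, slack=0.1):
    """True when the logged gaps agree with the configured timers within `slack` seconds."""
    got = observed_waits(lines, tunnel_id)
    want = expected_waits(retries, timeout_min, timeout_max)
    return len(got) == len(want) and all(abs(g - w) <= slack for g, w in zip(got, want))


if __name__ == "__main__":
    print("l2-keepalive Hello loss:", expected_waits(5, 2, 4),
          "->", peer_loss_detection_time(5, 2, 4), "s to StopCCN")
    print("worst case with hello 30:", worst_case_dead_peer_detection(30, 5, 2, 4), "s")
    print("Example 11-15 gaps:", observed_waits(SAMPLE_HELLO_LOSS, 40786),
          "match:", schedule_matches(SAMPLE_HELLO_LOSS, 40786, 5, 2, 4))
    print("Example 11-16 gaps:", observed_waits(SAMPLE_SCCRQ_LOSS, 52029),
          "match:", schedule_matches(SAMPLE_SCCRQ_LOSS, 52029, 3, 2, 7))
```

With hello 30, retransmit retries 5, timeout min 2 and timeout max 4, a dead peer is declared 22 seconds after the first unanswered Hello (the 15:11:55.979 to 15:12:17.999 span in Example 11-15) and at most 52 seconds after it stopped responding; the SCCRQ retry sequence of Example 11-16 (2, 4, 7, 7 seconds) is the same model with the retransmit initial values. Running the checker over production debug output is a quick way to confirm that both peers really carry the timers the l2tp-class says they do.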
Case Study 11-3: Ethernet Port-to-Port Dynamic Session
Although a manually defined session with keepalive provides some added benefit, this method still has some drawbacks. From a management perspective, manual sessions require the administrator to predefine the session IDs and cookies on each peer, whereas dynamic sessions automatically negotiate them. Furthermore, dynamic sessions can signal individual pseudowire session states.
Note
Although L2TPv3 dynamic sessions could signal the session state, the attachment circuit must
have some management mechanism to indicate the health of its circuit to the CE device.
Unfortunately, Ethernet presently does not have a management mechanism to signal individual
Ethernet VLAN failures or Ethernet port failures outside of disabling the port, unlike Frame Relay
or ATM. Therefore, although a pseudowire might have failed with dynamically negotiated
sessions, the attachment circuits would not fail because Ethernet inherently does not support this
capability.
Ethernet Port-to-Port Dynamic Configuration

This case study modifies the L2TPv3 configurations to dynamically negotiate the pseudowire sessions. The SanFran router configuration is shown in Example 11-17. A similar configuration exists on NewYork.
!
l2tp-class l2-dyn
 authentication
 password i8spr42
 cookie size 8
!
pseudowire-class pw-dynamic
 encapsulation l2tpv3
 protocol l2tpv3 l2-dyn
 ip local interface Loopback0
!
interface Ethernet0/0
 no ip address
 no ip directed-broadcast
 no cdp enable
 xconnect 10.1.1.103 33 pw-class pw-dynamic
SanFran#show l2tun
Tunnel and Session Information Total tunnels 1 sessions 1
Tunnel control packets dropped due to failed digest 0

LocID      RemID      Remote Name   State  Remote Address  Port  Sessions L2TPclass
33819      41993      NewYork       est    10.1.1.103      0     1        l2-dyn

LocID      RemID      TunID      Username, Intf/      State
                                 Vcid, Circuit
23878      36820      33819      33, Et0/0            est
One of the differences with the previous case study is the session count. As in Example 11-12, both the total tunnels and sessions values are equal to 1 in the first line of output. However, in the tunnel summary information, the Sessions field is also 1. That is because this pseudowire session is negotiated dynamically against the L2TPv3 tunnel. Also notice that in the session summary information, the local LocID and RemID fields represent the local and remote session IDs. Unlike the manual session case studies, in which session IDs were configured explicitly under the xconnect command in the config-if-xconn submode, these values were negotiated dynamically via the control channel. The dynamic creation of the session and the negotiation of the session ID are examined in detail in the control plane negotiation.

Example 11-19 captures the output from the show l2tun tunnel all command.
As highlighted in Example 11-19, because the pseudowire session is negotiated dynamically in the tunnel, one session is listed as active. The last line indicates that control message authentication is disabled. As described in the section "l2tp-class Command Syntax," the two methods of control channel authentication are an old style using a CHAP-like mechanism and a new style using message digests. The last line of highlighted output refers to the new style. Because the case study implements the old style of control channel authentication, the message shows authentication as disabled.
Example 11-21. SanFran debug vpdn l2x-events and debug vpdn l2x-packet Output for Control Connection Establishment Phase
SanFran#
*Nov 22 07:34:46.445: Tnl33819 L2TP: O SCCRQ
*Nov 22 07:34:46.445: Tnl33819 L2TP: O SCCRQ, flg TLS, ver 3, len 144, tnl 0, ns 0, nr 0
*Nov 22 07:34:46.445: Tnl33819 L2TP: Control channel retransmit delay set to 1 seconds
*Nov 22 07:34:46.445: Tnl33819 L2TP: Tunnel state change from idle to wait-ctl-reply
*Nov 22 07:34:46.445: Tnl33819 L2TP: SM State wait-ctl-reply
*Nov 22 07:34:46.525: Tnl33819 L2TP: Parse AVP 0, len 28, flag 0x8000 (M)
*Nov 22 07:34:46.525: Tnl33819 L2TP: Parse SCCRP
! AVP 2 Protocol Version, AVP 6 Firmware Version, AVP 10 Rx Window Size, Cisco AVP 8 Vendor Name, and Cisco AVP 10 Vendor AVP version omitted for brevity
*Nov 22 07:34:46.525: Tnl33819 L2TP: Parse AVP 7, len 13, flag 0x8000 (M)
*Nov 22 07:34:46.525: Tnl33819 L2TP: Hostname NewYork
*Nov 22 07:34:46.525: Tnl33819 L2TP: Parse AVP 11, len 22, flag 0x8000 (M)
*Nov 22 07:34:46.525: Tnl33819 L2TP: Chlng
*Nov 22 07:34:46.525: Tnl33819 L2TP: Parse AVP 13, len 22, flag 0x8000 (M)
*Nov 22 07:34:46.525: Tnl33819 L2TP: Chlng Resp
*Nov 22 07:34:46.525: Tnl33819 L2TP: Parse Cisco AVP 1, len 10, flag 0x8000 (M)
*Nov 22 07:34:46.525: Tnl33819 L2TP: Assigned Control Connection ID 41993
*Nov 22 07:34:46.525: Tnl33819 L2TP: Parse Cisco AVP 2, len 22, flag 0x8000 (M)
*Nov 22 07:34:46.525: Tnl33819 L2TP: Pseudo Wire Capabilities List:
! Pseudo Wire Capabilities List omitted for brevity
*Nov 22 07:34:46.525: Tnl33819 L2TP: No missing AVPs in SCCRP
*Nov 22 07:34:46.525: Tnl33819 L2TP: I SCCRP, flg TLS, ver 3, len 166, tnl 33819, ns 0, nr 1 contiguous pak, size 166
*Nov 22 07:34:46.525: Tnl33819 L2TP: I SCCRP from NewYork
*Nov 22 07:34:46.525: Tnl33819 L2TP: Got a challenge in SCCRP, NewYork
*Nov 22 07:34:46.525: Tnl33819 L2TP: Got a response in SCCRP, from remote peer NewYork
*Nov 22 07:34:46.525: Tnl33819 L2TP: Tunnel Authentication success
*Nov 22 07:34:46.525: Tnl33819 L2TP: Control connection authentication skipped/passed.
*Nov 22 07:34:46.525: Tnl33819 L2TP: Tunnel state change from wait-ctl-reply to established
*Nov 22 07:34:46.525: Tnl33819 L2TP: O SCCCN to NewYork tnlid 41993
*Nov 22 07:34:46.525: Tnl33819 L2TP: O SCCCN, flg TLS, ver 3, len 42, tnl 41993, ns 1, nr 1
*Nov 22 07:34:46.525: Tnl33819 L2TP: Control channel retransmit delay set to 1 seconds
*Nov 22 07:34:46.525: Tnl33819 L2TP: SM State established
In this case, SanFran initiates the control channel request by sending out an SCCRQ. SanFran's debug output shows the outbound SCCRQ request in addition to the dynamically chosen tunnel ID of 33819. Although it is not shown in this outbound message, the SCCRQ contains SanFran's Challenge AVP sent to NewYork. The Challenge AVP contains a random value used in the CHAP-like control channel authentication mechanism. In response to the SCCRQ, NewYork sends an SCCRP message. SanFran receives this message, and the debug output lists the various AVPs contained in the message. Two notable AVPs include NewYork's Challenge AVP and NewYork's Challenge Response AVP. In this case, NewYork's Challenge Response AVP contains the output of the hashing function performed against SanFran's Challenge AVP value and the shared secret. For the control channel message to be validated properly, the SanFran router performs the same hashing mechanism and compares the output to the received Challenge Response AVP value. If the shared secret from both peers is equal, the two values are equivalent. Another AVP that is sent in the SCCRP is NewYork's Control Connection ID value of 41993, which matches the output from the show l2tun tunnel command. To complete the three-way handshake, SanFran responds with an SCCCN. The SCCCN contains a Challenge Response AVP that is not shown in outbound debugs. The SCCCN Challenge Response AVP is sent in reply to NewYork's Challenge AVP sent in the SCCRP.
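The three-way exchange just described, with both peers' challenge and response handling, as an added example (not code from the book or from Cisco IOS). The response value is the legacy CHAP-style computation from RFC 2661, MD5 over the message type, the shared secret and the challenge, which is the "hashing function performed against the Challenge AVP value and the shared secret" the text refers to; the messages are plain Python dicts rather than AVP encodings, and the peer names, secrets and challenges are constructed.

```python
"""Model of the CHAP-like L2TPv3 control connection authentication: the SCCRQ
carries SanFran's Challenge AVP, the SCCRP carries NewYork's Challenge Response
plus NewYork's own Challenge, and the SCCCN carries SanFran's Challenge Response.

Added example, not code from the book or from Cisco IOS. The response is the
legacy CHAP-style value of RFC 2661 (MD5 over the message type used as the CHAP
ID, the shared secret and the challenge). Messages are plain dicts, not AVPs,
and the secrets and challenges are constructed.
"""
import hashlib
import hmac
import os

SCCRQ, SCCRP, SCCCN = 1, 2, 3  # L2TP control message type values, used as the CHAP ID


def challenge_response(msg_type, secret, challenge):
    """CHAP response: MD5(ID || secret || challenge) with the message type as ID."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


class Peer:
    def __init__(self, name, secret, challenge=None):
        self.name = name
        self.secret = secret
        # The Challenge AVP value must be fresh and unpredictable per handshake.
        self.my_challenge = challenge if challenge is not None else os.urandom(16)
        self.peer_challenge = None
        self.peer_verified = False
        self.state = "idle"

    def send_sccrq(self):
        """Initiator: open the control connection and issue our challenge."""
        self.state = "wait-ctl-reply"
        return {"type": SCCRQ, "hostname": self.name, "challenge": self.my_challenge}

    def recv_sccrq(self, sccrq):
        """Responder: answer the initiator's challenge and issue our own."""
        self.peer_challenge = sccrq["challenge"]
        self.state = "wait-ctl-conn"
        return {"type": SCCRP, "hostname": self.name, "challenge": self.my_challenge,
                "response": challenge_response(SCCRP, self.secret, self.peer_challenge)}

    def recv_sccrp(self, sccrp):
        """Initiator: verify the responder's answer; only then answer its challenge."""
        expected = challenge_response(SCCRP, self.secret, self.my_challenge)
        if not hmac.compare_digest(expected, sccrp["response"]):
            self.state = "idle"  # tunnel authentication failed: no SCCCN is sent
            return None
        self.peer_verified = True
        self.peer_challenge = sccrp["challenge"]
        self.state = "established"
        return {"type": SCCCN,
                "response": challenge_response(SCCCN, self.secret, self.peer_challenge)}

    def recv_scccn(self, scccn):
        """Responder: verify the initiator's answer to our challenge."""
        expected = challenge_response(SCCCN, self.secret, self.my_challenge)
        self.peer_verified = hmac.compare_digest(expected, scccn["response"])
        self.state = "established" if self.peer_verified else "idle"
        return self.peer_verified


def run_handshake(initiator_secret, responder_secret):
    """SCCRQ -> SCCRP -> SCCCN between SanFran and NewYork; returns both end states."""
    sanfran = Peer("SanFran", initiator_secret)
    newyork = Peer("NewYork", responder_secret)
    sccrp = newyork.recv_sccrq(sanfran.send_sccrq())
    scccn = sanfran.recv_sccrp(sccrp)
    if scccn is not None:
        newyork.recv_scccn(scccn)
    return sanfran.state, newyork.state


if __name__ == "__main__":
    print("matching secrets:", run_handshake(b"i8spr42", b"i8spr42"))
    print("mismatched secrets:", run_handshake(b"i8spr42", b"not-the-secret"))
```

Two points worth keeping in mind when reading the debug output against this model. First, each side proves knowledge of the secret only against a challenge the other side chose, so a replayed SCCRP or SCCCN does not verify (the challenge is different next time). Second, this old-style mechanism authenticates the handshake only; the page's "Control message authentication is disabled" line and the "Tunnel control packets dropped due to failed digest" counter belong to the new-style message digest method, which is what protects the Hello, StopCCN and session messages that follow.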
Example 11-22 contains the debug output from the second part of the negotiation: the session establishment phase.
After successfully initiating a control channel, the session negotiation begins. SanFran sends an Incoming-Call Request (ICRQ), which contains several AVPs, including a dynamically assigned Session ID of 23878, Cookie, End Identifier, and Serial Number AVP that is not shown in the outbound debug output. The End Identifier AVP equals the VC ID that is configured on the xconnect command, 33. This AVP allows the pseudowire to associate itself to the necessary attachment circuit. The Serial Number is equivalent to the Call Serial Number field identified in the show l2tun sess all output. It serves as an identifier for the session that is consistent on both peers.

In response to the ICRQ, NewYork sends an Incoming-Call Reply (ICRP) message with several AVPs. The ICRP contains a Local Session ID AVP of 36820, a Remote Session ID AVP of 23878, an Assigned Cookie AVP of 0xF56A1F7F1A7B12BF, and a Pseudowire Type AVP. A Pseudowire Type AVP is included to identify the type of pseudowire that is being negotiated, which in this case is 0x0005 for type Ethernet. Keep in mind that the Local and Remote Session ID values and the Assigned Cookies in the ICRP message are from NewYork's perspective. When you compare them to SanFran's show l2tun sess all output in Example 11-20, the values correspond to appropriate SanFran fields (that is, SanFran's Local Session ID equals NewYork's Remote Session ID). Finally, SanFran completes this three-way handshake with the Incoming-Call Connected (ICCN) message. After the ICCN message is sent, the pseudowire session is fully established.
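The session negotiation just walked through, as an added example (not code from the book or from Cisco IOS): it models ICRQ, ICRP and ICCN over an already established control channel, the End Identifier AVP selecting the xconnect by VC ID, each side choosing its own session ID and cookie, and the Local/Remote Session ID swap that makes the two peers' show l2tun session output mirror each other. Messages are plain dicts, the ID and cookie generators are simplified, and the attachment circuits are constructed (the VC IDs follow the case study's xconnect statements; 0x0005 is the Ethernet pseudowire type the text gives).

```python
"""Model of the L2TPv3 session negotiation: ICRQ, ICRP and ICCN over an
established control channel. It shows the End Identifier AVP (the xconnect
VC ID) binding the pseudowire to an attachment circuit, each side choosing its
own session ID and cookie, and Local/Remote Session ID values always being
read from the sender's perspective.

Added example, not code from the book or from Cisco IOS. Messages are plain
dicts rather than AVP encodings, the session ID and cookie generators are
simplified, and the attachment circuits are constructed.
"""
import secrets

PW_TYPE_ETHERNET = 0x0005      # Pseudowire Type AVP value for Ethernet, as in the text
ICRQ, ICRP, ICCN = 10, 11, 12  # L2TP control message type values


class PE:
    def __init__(self, name, xconnects, cookie_size=8):
        self.name = name
        self.xconnects = xconnects      # vcid -> (attachment circuit, pseudowire type)
        self.cookie_size = cookie_size  # 'cookie size 8' under the l2tp-class
        self.sessions = {}              # local session id -> session record

    def _new_session_id(self):
        while True:
            sid = secrets.randbelow(0xFFFF) + 1   # nonzero id not already in use
            if sid not in self.sessions:
                return sid

    def send_icrq(self, vcid, serial):
        """Start a session for a local xconnect; our ID and cookie travel in the ICRQ."""
        circuit, pw_type = self.xconnects[vcid]
        sid = self._new_session_id()
        self.sessions[sid] = {"circuit": circuit, "vcid": vcid, "state": "wait-reply",
                              "local_cookie": secrets.token_bytes(self.cookie_size)}
        return {"type": ICRQ, "local_session_id": sid, "remote_session_id": 0,
                "cookie": self.sessions[sid]["local_cookie"], "end_identifier": vcid,
                "serial_number": serial, "pw_type": pw_type}

    def recv_icrq(self, icrq):
        """Bind the call to the xconnect whose VC ID matches the End Identifier."""
        entry = self.xconnects.get(icrq["end_identifier"])
        if entry is None or entry[1] != icrq["pw_type"]:
            return None   # no matching VC ID or pseudowire type: no ICRP, nothing created
        circuit, pw_type = entry
        sid = self._new_session_id()
        self.sessions[sid] = {"circuit": circuit, "vcid": icrq["end_identifier"],
                              "state": "wait-connect", "serial": icrq["serial_number"],
                              "remote_id": icrq["local_session_id"],
                              "remote_cookie": icrq["cookie"],
                              "local_cookie": secrets.token_bytes(self.cookie_size)}
        return {"type": ICRP, "local_session_id": sid,
                "remote_session_id": icrq["local_session_id"],
                "cookie": self.sessions[sid]["local_cookie"], "pw_type": pw_type}

    def recv_icrp(self, icrp):
        """The ICRP's Remote Session ID is our Local Session ID; learn theirs and their cookie."""
        sess = self.sessions[icrp["remote_session_id"]]
        sess.update(remote_id=icrp["local_session_id"], remote_cookie=icrp["cookie"],
                    state="established")
        return {"type": ICCN, "local_session_id": icrp["remote_session_id"],
                "remote_session_id": icrp["local_session_id"]}

    def recv_iccn(self, iccn):
        """Three-way handshake complete: the session is fully established."""
        self.sessions[iccn["remote_session_id"]]["state"] = "established"
        return True


def negotiate(initiator, responder, vcid, serial):
    """Run ICRQ/ICRP/ICCN; return (initiator sid, responder sid), or None if refused."""
    icrq = initiator.send_icrq(vcid, serial)
    icrp = responder.recv_icrq(icrq)
    if icrp is None:
        del initiator.sessions[icrq["local_session_id"]]   # call refused; drop our half
        return None
    responder.recv_iccn(initiator.recv_icrp(icrp))
    return icrq["local_session_id"], icrp["local_session_id"]


if __name__ == "__main__":
    sanfran = PE("SanFran", {33: ("Ethernet0/0", PW_TYPE_ETHERNET)})
    newyork = PE("NewYork", {33: ("Ethernet1/0", PW_TYPE_ETHERNET)})
    local, remote = negotiate(sanfran, newyork, 33, serial=2931100013)
    print("SanFran LocID", local, "RemID", sanfran.sessions[local]["remote_id"])
    print("NewYork LocID", remote, "RemID", newyork.sessions[remote]["remote_id"])
```

The record each side keeps is what show l2tun session all reports: the local ID in LocID, the peer's ID in RemID, and the peer's cookie as the value that must appear in every data packet it sends. An ICRQ whose End Identifier matches no local xconnect, or whose pseudowire type differs, creates nothing on the responder and is released on the initiator, which is the dynamic equivalent of a manual session whose IDs or cookies were typed inconsistently on the two peers.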
Similar to "Case Study 11-3: Ethernet Port-to-Port Dynamic Session," the SanFran and NewYork PE
routers use dynamically negotiated VLAN L2TPv3 sessions with 8-byte cookies. To introduce a new concept
in this case study, the PE routers are configured to use the new control channel authentication by utilizing
message digests.
hostname SanFran
!
l2tp-class l2-dyn
 digest secret p7jd8ge
 cookie size 8
!
pseudowire-class pw-dynamic
 encapsulation l2tpv3
 protocol l2tpv3 l2-dyn
 ip local interface Loopback0
!
interface Ethernet0/0
 no ip address
 no ip directed-broadcast
 no cdp enable
!
interface Ethernet0/0.200
 encapsulation dot1Q 200
 no ip directed-broadcast
 no cdp enable
 xconnect 10.1.1.103 33 pw-class pw-dynamic
!
interface Ethernet0/0.201
 encapsulation dot1Q 201
 no ip directed-broadcast
 no cdp enable
 xconnect 10.1.1.103 34 pw-class pw-dynamic

Example 11-24 contains the configuration for the NewYork router.
Example 11-24. NewYork VLAN-to-VLAN Dynamic Configuration
 no cdp enable
 xconnect 10.1.1.102 34 pw-class pw-dynamic
!
interface Ethernet1/0
 no ip address
 no ip directed-broadcast
 no cdp enable
!
interface Ethernet1/0.140
 encapsulation dot1Q 140
 no ip directed-broadcast
 no cdp enable
 xconnect 10.1.1.102 33 pw-class pw-dynamic
!
The general stepsproductivity
to provisioning
a dynamic Ethernet VLAN-to-VLAN session are similar to those in the
Ethernet port-to-port dynamic session. The major difference is that the attachment circuit in this case
study is the Ethernet VLAN. Therefore, the xconnect statements are configured under the appropriately
Learn about
Layer 2 Virtual
Private 11-23
Networks
tagged Ethernet subinterfaces,
as highlighted
in Example
and (VPNs)
11-24.
Reduce
coststhe
andnew
extend
your services
by unifying
Because this case study
introduces
formthe
of reach
controlofchannel
authentication,
theyour
digest secret
network
architecture
password configuration is applied underneath the l2tp-class command.
Gain from the first book to address Layer 2 VPN application utilizing
both ATOM and L2TP protocols
LocID      RemID      TunID      Username, Intf/      State
                                 Vcid, Circuit
23944      36877      41796      34, Et0/0.201:201    est
23945      36878      41796      33, Et0/0.200:200    est

SanFran#show l2tun session all vcid 34

Session Information Total tunnels 1 sessions 2
Tunnel control packets dropped due to failed digest 5

Session id 23944 is up, tunnel id 41796
Call serial number 2931100013
Remote tunnel name is NewYork
  Internet address is 10.1.1.103
  Session is L2TP signalled
  Session state is established, time since change 00:13:11
    93 Packets sent, 91 received
    9306 Bytes sent, 8950 received
  Receive packets dropped:
    out-of-order:             0
    total:                    0
  Send packets dropped:
    exceeded session MTU:     0
    total:                    0
  Session vcid is 34
  Session Layer 2 circuit, type is Ethernet Vlan, name is Ethernet0/0.201:201
  Circuit state is UP
    Remote session id is 36877, remote tunnel id 8769
  DF bit off, ToS reflect disabled, ToS value 0, TTL value 255
  Session cookie information:
    local cookie, size 8 bytes, value E9 B8 78 B2 C2 6C 8E 16
    remote cookie, size 8 bytes, value 88 9E DD 75 03 A0 39 75
  FS cached header information:
    encap size = 32 bytes
    00000000 00000000 00000000 00000000
    00000000 00000000 00000000 00000000
  Sequencing is off
The primary differences in the output when compared to Case Study 11-3 are related to the attachment circuit type. In the show l2tun session output in Example 11-26, notice the two session lines for the two VCIDs 34 and 33 and their corresponding attachment circuits Et0/0.201 and Et0/0.200, respectively. The show l2tun session all vcid 34 output includes more specific details about that particular attachment circuit. Unlike the manual case studies, Example 11-26 shows the session as L2TP signaled, indicating that the pseudowire was negotiated dynamically. Also, as highlighted midway in the show l2tun session all vcid 34 output, the type of pseudowire session is Ethernet VLAN, whereas in previous Ethernet port-to-port case studies, the pseudowire type was just Ethernet.

Ethernet VLAN-to-VLAN Dynamic Session Control Plane Details

As with any dynamically negotiated L2TPv3 session, the control channel setup and session negotiation can be monitored via debug vpdn l2x-events and debug vpdn l2x-packets. Example 11-27 captures this debug output for SanFran's control channel establishment phase.
SanFran#
*Nov 22 13:19:04.312: Tnl/Sn41796/23944 L2TP: Create session
*Nov 22 13:19:04.312: Tnl41796 L2TP: SM State idle
*Nov 22 13:19:04.312: Tnl41796 L2TP: O SCCRQ
*Nov 22 13:19:04.312: Tnl41796 L2TP: O SCCRQ, flg TLS, ver 3, len 167, tnl 0, ns 0, nr 0
*Nov 22 13:19:04.312: Tnl41796 L2TP: Control channel retransmit delay set to 1 seconds
*Nov 22 13:19:04.312: Tnl41796 L2TP: Tunnel state change from idle to wait-ctl-reply
*Nov 22 13:19:04.312: Tnl41796 L2TP: SM State wait-ctl-reply
*Nov 22 13:19:04.312: L2X: L2TP: Received L2TUN message <Connect>
*Nov 22 13:19:04.312: Tnl/Sn41796/23945 L2TP: Session state change from idle to wait-for-tunnel
*Nov 22 13:19:04.312: Tnl/Sn41796/23945 L2TP: Create session
*Nov 22 13:19:04.312: Tnl41796 L2TP: SM State wait-ctl-reply
*Nov 22 13:19:04.372: Tnl41796 L2TP: Parse AVP 0, len 8, flag 0x8000 (M)
*Nov 22 13:19:04.372: Tnl41796 L2TP: Parse SCCRP
*Nov 22 13:19:04.372: Tnl41796 L2TP: Parse Cisco AVP 12, len 23, flag 0x8000 (M)
*Nov 22 13:19:04.372: Tnl41796 L2TP: Message Digest
! Message Digest hex output omitted for brevity
*Nov 22 13:19:04.372: Tnl41796 L2TP: Parse Cisco AVP 13, len 22, flag 0x8000 (M)
*Nov 22 13:19:04.372: Tnl41796 L2TP: CC Auth Nonce
D7 6E BB ED 3D 01 33 31 0E 45 1A E7 67 24 4E A1
! AVP 2 Protocol Version, AVP 6 Firmware Version, AVP 8 Vendor Name, AVP 10 Rx Window Size,
! Cisco AVP 210 Cisco application version, and Cisco Vendor AVP version omitted for brevity
*Nov 22 13:19:04.372: Tnl41796 L2TP: Parse AVP 7, len 13, flag 0x8000 (M)
*Nov 22 13:19:04.372: Tnl41796 L2TP: Hostname NewYork
*Nov 22 13:19:04.372: Tnl41796 L2TP: Parse Cisco AVP 1, len 10, flag 0x8000 (M)
*Nov 22 13:19:04.372: Tnl41796 L2TP: Assigned Control Connection ID 8769
*Nov 22 13:19:04.372: Tnl41796 L2TP: Parse Cisco AVP 2, len 22, flag 0x8000 (M)
*Nov 22 13:19:04.372: Tnl41796 L2TP: Pseudo Wire Capabilities List:
! Pseudo Wire Capabilities List omitted for brevity
*Nov 22 13:19:04.372: Tnl41796 L2TP: No missing AVPs in SCCRP
*Nov 22 13:19:04.372: Tnl41796 L2TP: I SCCRP, flg TLS, ver 3, len 167, tnl 41796, ns 0, nr 1 contiguous pak, size 167
*Nov 22 13:19:04.372: Tnl41796 L2TP: I SCCRP from NewYork
*Nov 22 13:19:04.372: Tnl41796 L2TP: Message digest match performed, passed.
*Nov 22 13:19:04.372: Tnl41796 L2TP: Control connection authentication skipped/passed.
*Nov 22 13:19:04.372: Tnl41796 L2TP: Tunnel state change from wait-ctl-reply to established
*Nov 22 13:19:04.372: Tnl41796 L2TP: O SCCCN to NewYork tnlid 8769
*Nov 22 13:19:04.372: Tnl41796 L2TP: O SCCCN, flg TLS, ver 3, len 43, tnl 8769, ns 1, nr 1
*Nov 22 13:19:04.372: Tnl41796 L2TP: Control channel retransmit delay set to 1 seconds
*Nov 22 13:19:04.372: Tnl41796 L2TP: SM State established
One notable difference in the control channel establishment is that a few additional AVPs are used during the SCCRQ/SCCRP/SCCCN three-way handshake. As is typical, the three-way handshake begins with SanFran sending an SCCRQ message. The SCCRQ contains a Message Digest and a Control Message Authentication Nonce AVP. As described in Chapter 10, these AVPs are used in control channel authentication. More specifically, they are used in the newer form of control channel authentication, unlike Case Study 11-3, which uses the CHAP-like mechanism.

The second step in the three-way handshake involves SanFran sending an SCCRP reply. This SCCRP message, like the SCCRQ message, contains a Message Digest and a Control Message Authentication Nonce AVP, as highlighted in Example 11-27. All subsequent control channel messages will contain the

Example 11-28. SanFran debug vpdn l2x-events and debug vpdn l2x-packets on Session Initialization
SanFran#
*Nov 22 13:19:04.372: Tnl/Sn41796/23944 L2TP: O ICRQ to NewYork 8769/0
*Nov 22 13:19:04.372: Tnl/Sn41796/23944 L2TP: O ICRQ, flg TLS, ver 3, len 117, tnl 8769, lsid 23944, rsid 0, ns 2, nr 1
*Nov 22 13:19:04.372: Tnl/Sn41796/23944 L2TP: Session state change from wait-for-tunnel to wait-reply
*Nov 22 13:19:04.420: Tnl41796 L2TP: Perform early message digest validation for ACK
*Nov 22 13:19:04.420: Tnl41796 L2TP: Parse Cisco AVP 12, len 23, flag 0x8000 (M)
*Nov 22 13:19:04.420: Tnl41796 L2TP: Message Digest
! Message Digest hex output omitted for brevity
*Nov 22 13:19:04.420: Tnl41796 L2TP: Message digest match performed, passed.
*Nov 22 13:19:04.420: Tnl41796 L2TP: Control connection authentication skipped/passed.
*Nov 22 13:19:04.420: Tnl41796 L2TP: Parse AVP 0, len 8, flag 0x8000 (M)
*Nov 22 13:19:04.420: Tnl41796 L2TP: Parse ICRP
*Nov 22 13:19:04.420: Tnl41796 L2TP: Parse Cisco AVP 12, len 23, flag 0x8000 (M)
*Nov 22 13:19:04.420: Tnl41796 L2TP: Parse Cisco AVP 3, len 10, flag 0x8000 (M)
*Nov 22 13:19:04.420: Tnl41796 L2TP: Local Session ID 36877
*Nov 22 13:19:04.420: Tnl41796 L2TP: Parse Cisco AVP 4, len 10, flag 0x8000 (M)
*Nov 22 13:19:04.420: Tnl41796 L2TP: Remote Session ID 23944
*Nov 22 13:19:04.420: Tnl41796 L2TP: Parse Cisco AVP 5, len 14, flag 0x8000 (M)
*Nov 22 13:19:04.420: Tnl41796 L2TP: Assigned Cookie 88 9E DD 75 03 A0 39 75
*Nov 22 13:19:04.420: Tnl41796 L2TP: Parse Cisco AVP 7, len 8, flag 0x8000 (M)
*Nov 22 13:19:04.420: Tnl41796 L2TP: Pseudo Wire Type 4
*Nov 22 13:19:04.420: Tnl41796 L2TP: No missing AVPs in ICRP
*Nov 22 13:19:04.420: Tnl/Sn41796/23944 L2TP: I ICRP, flg TLS, ver 3, len 85, tnl 41796, lsid 23944, rsid 0, ns 1, nr 3 contiguous pak, size 85
*Nov 22 13:19:04.420: Tnl/Sn41796/23944 L2TP: O ICCN to NewYork 8769/36877
*Nov 22 13:19:04.420: Tnl/Sn41796/23944 L2TP: O ICCN, flg TLS, ver 3, len 73, tnl 8769, lsid 23944, rsid 36877, ns 4, nr 2
*Nov 22 13:19:04.420: Tnl/Sn41796/23944 L2TP: Session state change from wait-reply to established
After the control channel is authenticated, the session negotiation occurs. Because this case study utilizes two pseudowires, two three-way ICRQ/ICRP/ICCN phases are initiated. For the sake of brevity, Example 11-28 only captures the three-way session negotiation for VCID 34. As highlighted in the output, SanFran sends an ICRQ message for local session ID 23944. In response, SanFran receives an ICRP message from NewYork. The ICRP message contains NewYork's local session ID of 36877. The pseudowire type is type 4 for Ethernet VLAN. Also notice that the Message Digest AVP is contained in the ICRP message. In fact, the Message Digest AVP is also contained in the ICRQ and ICCN messages, but the debug output does not show this level of detail for outbound messages. Finally, SanFran sends an ICCN to NewYork to fully establish the pseudowire session.

The L2TPv3 data frame encapsulation for a VLAN-emulated session is comparable to the port-emulated session except that the Ethernet frame carries the Ethernet frames that are specific to the attachment circuit VLAN ID. Example 11-29 captures an Ethereal decode and the hexadecimal capture of an L2TPv3 frame from the Oakland Ethernet subinterface E0/0.201 to Albany E0/0.201.
Example 11-29. Ethereal Decode and Capture of Oakland to Albany ICMP Ping

Cisco HDLC
    Address: Unicast (0x0f)
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 10.1.1.102 (10.1.1.102), Dst Addr: 10.1.1.103 (10.1.1.103)
    Version: 4
    Header length: 20 bytes
    ! IP header DSCP, Flags detail, Fragment offset and TTL omitted for brevity
    Protocol: Layer 2 Tunneling (0x73)
    Header checksum: 0x3a3e (correct)
    Source: 10.1.1.102 (10.1.1.102)
    Destination: 10.1.1.103 (10.1.1.103)
Layer 2 Tunneling Protocol version 3
    Session ID: 36877
    Cookie: 889EDD7503A03975
Ethernet II, Src: 00:00:0c:00:6c:00, Dst: 00:00:0c:00:6f:00
    Destination: 00:00:0c:00:6f:00 (00:00:0c:00:6f:00)
    Source: 00:00:0c:00:6c:00 (00:00:0c:00:6c:00)
    Type: 802.1Q Virtual LAN (0x8100)
802.1q Virtual LAN
    000. .... .... .... = Priority: 0
    ...0 .... .... .... = CFI: 0
    .... 0000 1100 1001 = ID: 201
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.2.1 (192.168.2.1), Dst Addr: 192.168.2.2 (192.168.2.2)
    Version: 4
    Header length: 20 bytes
    ! IP header DSCP, Flags detail, Fragment offset and TTL omitted for brevity
    Protocol: ICMP (0x01)
    Header checksum: 0x31be (correct)
    Source: 192.168.2.1 (192.168.2.1)
    Destination: 192.168.2.2 (192.168.2.2)
Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0
    Checksum: 0xb7fa (correct)
    Identifier: 0x000e
    Sequence number: 0x0000
    Data (72 bytes)

0000  0f 00 08 00 45 00 00 96 69 e8 00 00 ff 73 3a 3e
      ^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      Cisco HDLC  IPv4 Delivery Header (IP Protocol L2TPv3)
0010  0a 01 01 66 0a 01 01 67 00 00 90 0d 88 9e dd 75
      ^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^
      IPv4 Delivery Header    L2TPv3 Header
0020  03 a0 39 75 00 00 0c 00 6f 00 00 00 0c 00 6c 00
      ^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      L2TPv3 Hdr  L2TPv3 Payload (Ethernet II Frame)
0030  81 00 00 c9 08 00 45 00 00 64 04 87 00 00 ff 01
      ^^^^^ ^^^^^ ^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      |     |     |     IPv4 Hdr (ICMP packet)
      |     |     Type IP (0x0800)
      |     VLAN ID 201
      Ethertype .1q (0x8100)
0040  31 be c0 a8 02 01 c0 a8 02 02 08 00 b7 fa 00 0e
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^
      IPv4 Hdr (ICMP packet)        ICMP packet
! remainder omitted for brevity
Because the Ethereal capture was performed between the SanFran and Denver routers, the first Layer 2 header is the HDLC frame. The outer IP Delivery header is sourced from SanFran's loopback address of 10.1.1.102 (0x0a010166), destined to NewYork's address of 10.1.1.103 (0x0a010167). The L2TPv3 header consists of NewYork's local session ID of 36877 (0x0000900d) and a cookie value of 0x889edd7503a03975. Following the L2TPv3 header is the Ethernet II frame destined to Albany's MAC address of 0x00000c006c00 and sourced from Oakland's Ethernet port with MAC address 0x00000c006f00. In this particular case, the Ethernet frame is an 802.1q tagged frame that contains the VLAN tag protocol ID of 0x8100, a 3-bit VLAN CoS field of 0, a 1-bit VLAN canonical format indicator of 0, and the VLAN ID tag of 201. Because the far-end router's attachment circuit also uses a dot1Q tag of 201, NewYork does not change the original VLAN ID tag before sending it to the CE device. However, in the case of an Ethernet frame from Oakland to Hudson, the original VLAN ID tag of 200 would have to be rewritten to the far-end attachment circuit VLAN ID value of 140.
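The walk through the capture above can be automated. The decoder below is an added example written for this section; it is not code from the book or from Cisco. It takes the hex bytes printed in Example 11-29, peels Cisco HDLC, the IPv4 delivery header, the L2TPv3 session header (Session ID plus the 8-byte cookie that NewYork assigned in Example 11-28), the 802.1Q-tagged Ethernet II frame, and the inner IPv4 and ICMP headers, verifies both IPv4 header checksums, and compares the cookie with the value the receiver expects, which is the check an LCCE performs before it accepts a data packet for a session. It also shows the VLAN ID rewrite that NewYork would apply on the Oakland-to-Hudson path (200 to 140), applied here to the captured frame purely to illustrate the tag manipulation; the function and variable names are the example's own.

```python
"""Decode the L2TPv3-over-IP data packet printed in Example 11-29.

Added example, not from the book or any Cisco implementation. It walks
Cisco HDLC -> IPv4 delivery header -> L2TPv3 session header ->
802.1Q-tagged Ethernet II -> inner IPv4 -> ICMP, verifies the IPv4 header
checksums and the session cookie, and demonstrates a VLAN ID rewrite.
"""
from __future__ import annotations
import struct

# Hex dump copied from Example 11-29 (the book prints only the first 80
# bytes; the ICMP payload is truncated, so only headers are decoded).
CAPTURE_HEX = """
0f 00 08 00 45 00 00 96 69 e8 00 00 ff 73 3a 3e
0a 01 01 66 0a 01 01 67 00 00 90 0d 88 9e dd 75
03 a0 39 75 00 00 0c 00 6f 00 00 00 0c 00 6c 00
81 00 00 c9 08 00 45 00 00 64 04 87 00 00 ff 01
31 be c0 a8 02 01 c0 a8 02 02 08 00 b7 fa 00 0e
"""
# Remote cookie NewYork assigned in Example 11-28 (Cisco AVP 5, 8 bytes).
EXPECTED_COOKIE = bytes.fromhex("889EDD7503A03975")

IP_PROTO_L2TPV3 = 115      # 0x73, L2TPv3 directly over IP
IP_PROTO_ICMP = 1
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100
COOKIE_LEN = 8             # cookie size negotiated in this case study


def capture_bytes() -> bytes:
    return bytes.fromhex("".join(CAPTURE_HEX.split()))


def ipv4_checksum_ok(header: bytes) -> bool:
    """One's-complement sum over the header (checksum field included) is 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_ipv4(buf: bytes, off: int) -> tuple[dict, int]:
    ihl = (buf[off] & 0x0F) * 4
    hdr = buf[off:off + ihl]
    info = {
        "src": ".".join(str(b) for b in hdr[12:16]),
        "dst": ".".join(str(b) for b in hdr[16:20]),
        "proto": hdr[9],
        "ttl": hdr[8],
        "total_len": struct.unpack("!H", hdr[2:4])[0],
        "checksum_ok": ipv4_checksum_ok(hdr),
    }
    return info, off + ihl


def decode_l2tpv3_frame(raw: bytes, expected_cookie: bytes) -> dict:
    """Decode one captured packet; cookie_ok says whether an LCCE would accept it."""
    if struct.unpack("!H", raw[2:4])[0] != ETHERTYPE_IPV4:
        raise ValueError("HDLC protocol field is not IPv4")
    outer, off = parse_ipv4(raw, 4)             # skip HDLC address/control/protocol
    if outer["proto"] != IP_PROTO_L2TPV3:
        raise ValueError("delivery header does not carry L2TPv3 (IP protocol 115)")
    session_id = struct.unpack("!I", raw[off:off + 4])[0]
    cookie = raw[off + 4:off + 4 + COOKIE_LEN]
    off += 4 + COOKIE_LEN
    dst_mac = raw[off:off + 6].hex(":")
    src_mac = raw[off + 6:off + 12].hex(":")
    etype = struct.unpack("!H", raw[off + 12:off + 14])[0]
    off += 14
    vlan = None
    if etype == ETHERTYPE_8021Q:                 # tagged frame: TCI, then the real type
        tci = struct.unpack("!H", raw[off:off + 2])[0]
        vlan = {"pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        etype = struct.unpack("!H", raw[off + 2:off + 4])[0]
        off += 4
    inner = icmp = None
    if etype == ETHERTYPE_IPV4:
        inner, off = parse_ipv4(raw, off)
        if inner["proto"] == IP_PROTO_ICMP and len(raw) >= off + 6:
            icmp = {"type": raw[off], "code": raw[off + 1],
                    "id": struct.unpack("!H", raw[off + 4:off + 6])[0]}
    return {
        "outer": outer, "session_id": session_id, "cookie": cookie,
        "cookie_ok": cookie == expected_cookie,
        "dst_mac": dst_mac, "src_mac": src_mac, "vlan": vlan,
        "inner": inner, "icmp": icmp,
    }


def rewrite_vlan_id(raw: bytes, new_vid: int) -> bytes:
    """Return a copy with the 802.1Q VLAN ID replaced (PCP and CFI preserved),
    the operation an LCCE performs when local and remote VLAN IDs differ."""
    ihl = (raw[4] & 0x0F) * 4
    off = 4 + ihl + 4 + COOKIE_LEN + 12          # HDLC + IPv4 + L2TPv3 + two MACs
    if struct.unpack("!H", raw[off:off + 2])[0] != ETHERTYPE_8021Q:
        raise ValueError("frame is not 802.1Q tagged")
    tci = struct.unpack("!H", raw[off + 2:off + 4])[0]
    tci = (tci & 0xF000) | (new_vid & 0x0FFF)
    return raw[:off + 2] + struct.pack("!H", tci) + raw[off + 4:]


if __name__ == "__main__":
    pkt = decode_l2tpv3_frame(capture_bytes(), EXPECTED_COOKIE)
    print(pkt["outer"]["src"], "->", pkt["outer"]["dst"], "session", pkt["session_id"],
          "cookie ok:", pkt["cookie_ok"], "VLAN", pkt["vlan"]["vid"])
```

The outer total length of 150 bytes and the inner total length of 100 bytes in the capture reconcile with the decode: 12 bytes of L2TPv3 header, 18 bytes of tagged Ethernet header, 20 bytes of inner IPv4, 8 bytes of ICMP header and 72 bytes of ICMP data. A cookie mismatch makes cookie_ok false, which is the receiving LCCE's cue to drop the packet rather than hand it to the attachment circuit.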
Case Study 11-2 focused on providing VLAN-to-VLAN emulation. It examined scenarios in which the VLAN header was transported unmodified (that is, between Oakland and Albany) and in which the VLAN header was rewritten (that is, between Oakland and Hudson). You need to consider several design issues when deploying such a solution.

In this VLAN-to-VLAN case study, the service provider dictates the VLAN values. From a customer perspective, this might be a heavy restriction. In such a scenario, the customer can use QinQ to alleviate this requirement. In essence, the customer can use the inner 802.1q tag in QinQ to represent the customer VLANs and then set the outer 802.1q tag to equal the value that the service provider requires. This allows for flexibility on the customer's behalf to use any VLAN rewrite.

Another consideration when dealing with VLAN-to-VLAN transport revolves around spanning tree. In the Oakland-to-Hudson scenario, the respective L2TPv3 endpoints rewrite the VLAN header as needed. Although the VLAN header is rewritten, the BPDU payload also contains a field known as the Per VLAN ID (PVID), which is not rewritten. If spanning tree is enabled in such a VLAN rewrite scenario, the BPDUs show a mismatch and the ports are blocked. The only solution is to avoid this rewrite scenario so that the BPDU payload matches the expected VLAN ID value on either end.
Following are several key aspects to take away from this chapter:

In this chapter, you learn the functional aspects and configuration of the transport and tunneling of WAN protocols over Layer 2 Tunnel Protocol Version 3 (L2TPv3). Building on Chapter 5, "WAN Data-Link Protocols," and Chapter 10, "Understanding L2TPv3," this chapter presents the configuration, verification, and troubleshooting of High-Level Data Link Control (HDLC), PPP, Frame Relay, and ATM protocols over L2TPv3. This chapter also presents multiple case studies describing the different L2TPv3 configurations for the multiple WAN protocols that are transported.

fundamental control plane does not change. Different virtual circuit (VC) types indicate the specific attachment circuit technology. This section presents some opening ideas about the transport of WAN protocols using L2TPv3.
Control Plane

All the control plane concepts covered in Chapter 10 are applicable to the transport and tunneling of WAN protocols. On session negotiation, the type of attachment circuit is indicated in the Pseudowire Type AVP (currently Cisco AVP Type 7 using a Structure of Management Information [SMI] enterprise code of 9) part of the Session Management AVPs. The values that the Pseudowire Type AVP can take for WAN protocols are enumerated in Table 12-1.
Note

Although the values for the pseudowire type AVP from Table 12-1 are numerically the same as the ones used in Any Transport over MPLS (AToM) for the pseudowire type forward error correction (FEC) field, they belong to different registries. You can find the registry for "L2TPv3 Pseudowire Types" at the Internet Assigned Numbers Authority (IANA) at http://www.iana.org/assignments/l2tp-parameters.

These pseudowire types are also included in the Pseudowire Capabilities List AVP part of the Control Connection Management AVPs to indicate the Layer 2 payload types that a sender can support.
Data Plane

The transport of WAN protocols over L2TPv3 follows the base specification Internet document for L2TPv3, plus the additional companion documents for each WAN technology. Cisco implemented L2TPv3 directly over IP using IP protocol number 115. Figure 12-1 shows the data plane encapsulation for the transport of WAN protocols over L2TPv3.
Length: This is the total length of the message in octets.

Control Connection ID: This contains an identifier for the "tunnel" or control connection.

Ns: This contains the sequence number for this control message.
Note
The first two values are defined and assigned in the base "Layer Two Tunneling
Protocol (Version 3)" IETF document, whereas the third value is defined in the "ATM
Pseudo-Wire Extensions for L2TP" IETF document. ATM AAL5 transport needs an
ATM-Specific Sublayer to transport ATM cell header fields that would otherwise be
lost; other transported protocols, however, rely on the default Layer 2-Specific
Sublayer.
The fields shown in Figure 12-3 are defined as follows:

All Layer 2-Specific Sublayers:

S-Bit: The Sequence bit is set to indicate that the Sequence Number field contains a valid sequence number for this sequenced frame, and it is cleared otherwise. When the field is cleared, you must ignore the contents of the Sequence Number.

Sequence Number: The Sequence Number field contains a free-running counter of 2^24 sequence numbers. As opposed to AToM, the sequence number begins at 0, which is a valid sequence number.

X-Bits: Set the Reserved bits to 0 on transmission and ignore them on reception.

ATM-Specific Sublayer:

T-Bit: The Transport bit indicates whether the L2TPv3 packet contains an ATM admin cell (when T is set) or an AAL5 payload (when T is cleared). OAM cells are examples of admin cells.

G-Bit: The Explicit Forward Congestion Indication (EFCI) bit indicates congestion. The LCCE sets the G bit if the EFCI bit of the final cell of the incoming AAL5 payload or the (EFCI) in the single ATM cell is set to 1.

C-Bit: The cell loss priority (CLP) bit in the ATM cell header indicates cell loss priority. The LCCE sets the C bit if any of the CLP bits of any of the incoming ATM cells of the AAL5 payload or of the single ATM cell is set to 1.

U-Bit: The U-bit carries the Command/Response (C/R) bit, which is used with FRF.8.1 "Frame Relay/ATM PVC Service Interworking."
Note
Bits 2 and 3 in both Layer 2-Specific Sublayers indicate fragmentation as negated
AAL5  The transport and tunneling of ATM AAL5 CPCS-SDU require the usage of an ATM-Specific Sublayer that carries the EFCI, CLP, and C/R and identifies AAL5 CPCS-SDU versus ATM Cell. Otherwise, those fields would be lost because the cell header is not transported.
Sequencing  Sequencing for all Layer 2 protocols transported requires a Layer 2-Specific Sublayer. For all other cases, a Layer 2-Specific Sublayer is optional. In contrast to the transport of Frame Relay over MPLS, which requires the control word, FRoL2TPv3 does not require the Layer 2-Specific Sublayer, which is equivalent to the control word. The difference lies in the fact that Frame Relay over MPLS (FRoMPLS) does not transport the Q.922 header, and the only way to transport control bits is by piggybacking them in the control word. In FRoL2TPv3, the Q.922 header is transported; therefore, the Layer 2-Specific Sublayer header is not needed.
MTU Considerations
When you tunnel a Layer 2 protocol data unit (PDU) by means of encapsulation, you need to factor the additional overheads associated with this tunneling scheme into packet sizes and maximum transmission unit (MTU). When encapsulating the Layer 2 PDU to be transported using L2TPv3 across an IP packet-switched network (PSN), you need to take into account a series of overheads that are added. This section details all the associated overheads.
You can categorize these overheads as follows:
Transport Overhead  The overhead that is associated with the specific Layer 2 being transported. Table 12-2 lists this overhead for the transport and tunneling of different WAN protocols.
Table 12-2. Transport Overhead for Different WAN Protocols over L2TPv3

Transport Type                           Transport Header Size [Bytes]   Transport Header Reason
Frame Relay DLCI, Cisco encapsulation    4 bytes                         Q.922 Header [2] + Ethertype [2]
Frame Relay DLCI, IETF[1] encapsulation  10 bytes                        Q.922 Header [2] + SNAP[2] => Control [1] + Pad [1] + NLPID[3] [1] + OUI[4] [3] + Ethertype [2]
Cisco HDLC                               4 bytes
PPP                                      2 bytes
AAL5                                     0-32 bytes                      Header [1]

[5] DLL = Data Link Layer
L2TPv3 Overhead  The tunneling overhead that is associated with the L2TP data message headers. It can be further subdivided into the following:

    L2TP Session Overhead  The overhead that is associated with the L2TP Session Header:

        Session ID  The 4-byte overhead that is always present

        Cookie  Optional overhead that can be NULL, 4 bytes, or 8 bytes

    L2-Specific Overhead  An optional overhead that is associated with the Layer 2-Specific Sublayer. It can be either NULL or 4 bytes, depending on whether the field is present.

Delivery (IPv4) Overhead  The overhead that is associated with the outer IP header without options identifying protocol type 115 for L2TPv3. It is always 20 bytes.
You can see the transport overhead for all WAN protocols over L2TPv3 in Table 12-2. ATM Cell Relay over L2TPv3 (CRoL2TPv3) transport is deliberately left out of Table 12-2. In ATM cell relay over L2TPv3, packets transported are of a fixed length of 52 bytes. You can concatenate them up to a maximum number of packed cells, making the MTU calculation different from all other Layer 2 transports.
Note
You can compare transport overheads for L2TPv3 in Table 12-2 with the AToM transport overheads and draw the conclusion that the only different overhead is for transporting Frame Relay DLCI mode. In L2TPv3, the Q.922 header is transported but is not in AToM. A 2-byte Q.922 header without extended addressing is assumed.
From the different overheads presented, you can calculate the total overhead and infer the MTU in the provider edge (PE) and provider (P) routers toward the PSN (Core MTU) from the MTU in the PE attachment circuit interface (Edge MTU). The following equations calculate the core MTU for different WAN protocols:

    Core MTU = Edge MTU + Transport Header + L2TPv3 Header + IPv4 Header

Where

    L2TPv3 Header = L2TP Session Header + Layer 2-Specific Sublayer Header
    L2TP Session Header = Session ID (4 bytes) + Cookie (0, 4 or 8 bytes)
    Layer 2-Specific Sublayer Header = 0 or 4 bytes
In addition to the transport overhead, the maximum overhead that IP and L2TPv3oIP add is 36
bytes (20 bytes from the IP header, 4 bytes of the L2TPv3 Session ID, 8 bytes of Cookie, and 4
bytes of the Layer 2-Specific Sublayer Header). The minimum overhead is 24 bytes, skipping
the Cookie and Layer 2-Specific Sublayer fields. This minimum overhead is the default for the
transport of WAN protocols over L2TPv3. By default, cookies and sequencing are nonexistent,
except for AAL5 SDU transport, in which the ATM-Specific Sublayer is required.
You can transport an HDLC pseudowire, as defined in an L2TPv3 companion Internet document, using L2TPv3 by including all HDLC data and control fields (address, control, and protocol fields) and stripping the flag and frame check sequence (FCS) fields. From Chapter 5, you know that Cisco routers use a proprietary version of HDLC referred to as Cisco HDLC. It differs from standard HDLC in that the higher layer protocol identification is performed using the Ethernet type.

Because the behavior of an HDLC pseudowire is to function in a port-mode fashion, removing the flag and FCS during imposition and transporting the complete packet over the pseudowire without inspecting it, Cisco HDLC is also transported over an HDLC pseudowire. In fact, therein is one of the most important facets of the HDLC pseudowire: it can transport transparently in an interface-to-interface mode all protocols that contain HDLC-like framing (meaning 0x7E flag and FCS). This includes but is not limited to PPP, Frame Relay, X.25, Synchronous Data Link Control (SDLC), and so on.
The transport of PPP frames over L2TPv3 pseudowires is quite similar to the transport of HDLC frames. This coincides with the fact that PPP was modeled after HDLC with the addition of protocol fields to transport multiprotocol datagrams over point-to-point links. Differences and optimizations exist, however, traceable to the fact that PPPoL2TPv3 has some Layer 2 packet inspection. At imposition, the Address (0xFF) and Control (0x03) fields of the PPP frame are removed, leaving the first field transported as the PPP DLL Protocol Number. The IANA assigns these PPP DLL Protocol Numbers. You can check them at http://www.iana.org/assignments/ppp-numbers.

Figure 12-4 shows the encapsulation and packet formats for HDLCoL2TPv3 and PPPoL2TPv3.

Figure 12-4. HDLC Pseudowire and PPP Pseudowire over L2TPv3 Packet Formats
Because the Address and Control fields are stripped at imposition and not transported over L2TPv3, FCS Alternatives (specify different FCS formats or no FCS at all by means of the LCP configuration option) and Address and Control Field Compression (ACFC) do not work. In contrast, the protocol field is transported so that Protocol Field Compression (PFC) works.
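Imposition for the HDLC and PPP pseudowires described above, as an added example that is not the book's or Cisco's code. It assumes frames arrive already de-stuffed and carry the 16-bit FCS of RFC 1662; the Cisco HDLC address/control values (0x0F/0x00) used in the demo are an assumption, not from the page.

```python
"""HDLC and PPP pseudowire imposition over L2TPv3, following the text:
an HDLC pseudowire strips only the 0x7E flags and the FCS and forwards the
rest untouched (port mode); a PPP pseudowire additionally removes Address
(0xFF) and Control (0x03), so the first field transported is the PPP DLL
Protocol Number.  Added example, not code from the book.  Assumes frames
are already de-stuffed and use the RFC 1662 16-bit FCS.
"""

FLAG = 0x7E
PPP_ADDRESS_CONTROL = b"\xff\x03"
FCS16_GOOD = 0xF0B8   # residue left by a frame whose FCS checks out (RFC 1662)


def fcs16(data, fcs=0xFFFF):
    """RFC 1662 PPP FCS-16 (reflected CRC-16, polynomial 0x8408)."""
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def hdlc_frame(payload):
    """Build an HDLC-like frame: flag, payload, FCS (low byte first), flag.
    Used here only to construct test input."""
    fcs = fcs16(payload) ^ 0xFFFF
    return bytes([FLAG]) + payload + bytes([fcs & 0xFF, fcs >> 8]) + bytes([FLAG])


def hdlc_impose(frame):
    """HDLCoL2TPv3 imposition: verify framing and FCS, drop both, and return
    everything in between without looking at it (address, control and
    protocol/Ethertype fields included, whatever the upper protocol)."""
    if len(frame) < 4 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("frame is not delimited by 0x7E flags")
    body = frame[1:-1]                       # address .. FCS
    if fcs16(body) != FCS16_GOOD:
        raise ValueError("FCS check failed; frame discarded at the attachment circuit")
    return body[:-2]                         # drop the 2-byte FCS


def ppp_impose(frame):
    """PPPoL2TPv3 imposition: as HDLC, then remove Address/Control.  A frame
    sent with ACFC (no 0xFF 0x03) cannot be carried, which is why the text
    says ACFC does not work over this pseudowire."""
    body = hdlc_impose(frame)
    if body[:2] != PPP_ADDRESS_CONTROL:
        raise ValueError("Address/Control fields missing (ACFC): not supported over PPPoL2TPv3")
    return body[2:]


def ppp_protocol_number(transported):
    """The first transported field is the PPP DLL Protocol Number.  With PFC it
    may be a single odd byte; because the field itself is carried, PFC works."""
    if transported[0] & 1:
        return transported[0]                # PFC: one-byte protocol number
    return int.from_bytes(transported[:2], "big")


if __name__ == "__main__":
    # constructed sample: PPP-framed IPv4 (protocol 0x0021) with two payload bytes
    frame = hdlc_frame(b"\xff\x03\x00\x21\x45\x00")
    print("HDLC pseudowire carries:", hdlc_impose(frame).hex())
    print("PPP pseudowire carries: ", ppp_impose(frame).hex(),
          "protocol 0x%04x" % ppp_protocol_number(ppp_impose(frame)))
```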
From Figure 12-5, you can see both Frame Relay IETF encapsulation and Frame Relay Cisco encapsulation. They differ in the upper-layer protocol identification. You can configure Cisco routers for either type of encapsulation.

Because the complete Q.922 header is transported, you do not need to transport the Command/Response (C/R), forward explicit congestion notification (FECN), backward explicit congestion notification (BECN), and discard eligibility (DE) bits separately, as was the case with FRoMPLS. However, the DLCIs can be different at both ends of the Frame Relay pseudowire, so you must rewrite the Frame Relay DLCI at disposition.
ATM cell mode over L2TPv3 also allows multiple granularities with three different services:

    ATM VCC Cell-Relay Service

    ATM VPC Cell-Relay Service

    ATM Port Cell-Relay Service

These three modes exist for both single-cell relay mode and cell concatenation mode. Figure 12-7 shows the packet format for the transport of two packed ATM cells over L2TPv3.

Figure 12-7. Cell Relay over L2TPv3 Packet Formats
Note
In ATM cell mode, ATM layer cells are transported. This translates to a 4-byte ATM cell header plus a 48-byte cell payload. The fifth byte in the ATM cell header contains the header error control (HEC) and is appended by the Transmission Convergence (TC) sublayer in the ATM physical layer. The HEC byte is not transported over an L2TPv3 ATM pseudowire.
transport of ATM over L2TPv3 that are not present for other protocols:

    ATM Maximum Concatenated Cells AVP  This AVP only applies to ATM cell relay pseudowire types. It consists of a 16-bit value that indicates the maximum number of concatenated or packed ATM cells that the sending LCCE can process at disposition. Using cell concatenation increases the bandwidth efficiency given that multiple cells share the same L2TPv3 tunneling overhead; the expense is additional latency incurred while waiting for cells to be concatenated in a single L2TPv3 packet.

    OAM Emulation Required AVP  This AVP can be used in AAL5 CPCS-SDU mode to request OAM emulation. This is helpful when the ATM pseudowire does not support the transport of OAM cells (by setting the T-bit) in an AAL5 ATM pseudowire; therefore, you can terminate OAM cells in the LCCE. For it to work, you must use OAM emulation in both ends simultaneously. This AVP has a NULL value. The mere presence of this AVP indicates that OAM emulation is required.
Every one of the case studies uses the same IP PSN, shown in Figure 12-8. The goal is to demonstrate the configuration steps, verification, and troubleshooting stages required to set up Layer 2 connectivity between

Figure 12-8. WAN Protocols over IP Case Study Topology
    Create a loopback interface and assign a /32 IP address to it.

    Enable IP CEF globally.

    Assign IP addresses (unnumbered to the loopbacks) to all physical links that connect the core routers.

    Enable an IGP among the core routers. These case studies use OSPF with a single area 0.

Example 12-1 shows the required configuration for the SanFran PE router. The configuration for the other two core routers is equivalent to this one.
The highlighted lines show how you are using only one /32 IP address in the SanFran PE. You can now verify

The routes highlighted are learned through OSPF. You can see in Example 12-2 that the 10.0.0.202/32 prefix with cost 65 (64 of the 1544 kbps link + 1 of loopback) and the 10.0.0.203/32 prefix with cost 129 (2 * 64 of 2 1544 kbps links + 1 of loopback) are reachable from SanFran through Serial 10/0.
Figure 12-9. HDLCoL2TPv3 Static Session Case Study Topology
The IP PSN provides the transport of HDLC connecting Serial 5/0 interface in the Oakland and Albany CE routers.
Configuring HDLCoL2TPv3
In Chapter 11, you learned the required configuration for static L2TPv3 sessions for Ethernet pseudowires. To recap, the creation of a pseudowire class is required because it must include the protocol none statement for a static session. A static session has no signaling protocol.
The pillar of configuring pseudowires is the xconnect command, and this case is no exception. For HDLCoL2TPv3, the xconnect command is used under the attachment circuit, which is the Serial 5/0 interface on the PE routers. It specifies the IP address and pseudowire ID of the peer PE. This case study uses a pseudowire ID (also known as the VC ID or remote end ID) of 50. The VCID binds L2TP sessions to a given attachment circuit (virtual circuit, interface, or interface bundle). For a static L2TPv3 session, enter the manual keyword after the encapsulation l2tpv3 statement. You need to follow it with a previously defined pseudowire class.
These steps are shown for the SanFran endpoint in Example 12-3.
Example 12-3. HDLCoL2TPv3 Static Configuration in SanFran
!
hostname SanFran
!
pseudowire-class hdlc-v3-manual
 encapsulation l2tpv3
 protocol none
 ip local interface Loopback0
!
interface Serial5/0
 no ip address
 xconnect 10.0.0.203 50 encapsulation l2tpv3 manual pw-class hdlc-v3-manual
  l2tp id 221 238
  l2tp cookie local 4 286331153
  l2tp cookie remote 8 572662306 572662306
!
From Example 12-3, you can see the specification of protocol none for a static session under the hdlc-v3-manual pseudowire-class. You must set the ip local interface directive to a loopback interface. For dynamic sessions, the protocol is specified as l2tpv3 followed by an optional l2tp-class. The encapsulation l2tpv3 manual directive in the xconnect command instructs the LCCE that no signaling is to be used in the L2TP control channel (or to only use the control channel for keepalives) and enters the xconnect configuration submode to configure the L2TPv3 static session parameters.
By entering the xconnect command specifying the encapsulation as l2tpv3 with the manual keyword, you are taken into the config-if-xconn configuration mode. In this new lower-level configuration mode, you specify L2TP manual configuration commands using the l2tp keyword, such as local and remote session ID, local and remote cookie size and value, and hello control messages.
Table 12-3 summarizes the values chosen from the SanFran perspective and configured in Example 12-3. Note that the values are simple in hexadecimal to facilitate the decoding. Table 12-3 also shows the hexadecimal values.
                      Local                     Remote
Session ID            221 (0x000000DD)          238 (0x000000EE)
Cookie Size           4                         8
Cookie Value (Low)    286331153 (0x11111111)    572662306 (0x22222222)
Cookie Value (High)   N/A                       572662306 (0x22222222)
From Table 12-3, you can see that the local cookie value does not have a high-order part, because it is only 4 bytes. Example 12-4 shows the configuration in the NewYork PE router.

Example 12-4. HDLCoL2TPv3 Static Configuration in NewYork
!
hostname NewYork
!
pseudowire-class hdlc-v3-manual
 encapsulation l2tpv3
 protocol none
 ip local interface Loopback0
!
interface Serial5/0
 no ip address
 no ip directed-broadcast
 xconnect 10.0.0.201 50 encapsulation l2tpv3 manual pw-class hdlc-v3-manual
  l2tp id 238 221
  l2tp cookie local 8 572662306 572662306
  l2tp cookie remote 4 286331153
!
Because in a static session no protocol is involved to signal the L2TPv3 parameters such as session ID, cookie size, and cookie value, you must manually configure these values for the local and remote session endpoints. For dynamic sessions, only the local cookie size is configured. The session ID and cookie value are dynamically assigned at the local LCCE. For dynamic sessions, the remote values are signaled in L2TPv3 AVPs.
By comparing Examples 12-3 and 12-4, you can see that the manually configured local and remote session IDs, cookie sizes, and cookie values mirror each other. The local session ID, cookie size, and cookie value that are configured in SanFran are the remote ones in NewYork and vice versa. To emphasize, this case study also shows that although the local cookie size that is configured in an LCCE needs to match the remote cookie size that is configured in the peer LCCE, the cookie sizes do not need to match in both endpoints. This is because the local cookie size in SanFran is 32 bits, whereas the local cookie size in NewYork is 64 bits.
Verifying HDLCoL2TPv3
The first verification step is to issue the show l2tun command (see Example 12-5).

Note
Example 12-7. HDLCoL2TPv3 Encapsulation Details from SanFran
SanFran#show sss circuits
Current SSS Circuit Information: Total number of circuits 1
Common Circuit ID 0
Serial Num 2
Switch ID 18797112
---------------------------------------------------------------------------
Status Encapsulation
UP flg len dump
Y AES 0
Y AES 32 45000000 00000000 FF73A5F7 0A0000C9 0A0000CB
         000000EE 22222222 22222222
SanFran#
The SanFran 32-byte encapsulation consists of the following:

    Delivery (IPv4) Header  This is the 20-byte IP header indicating IP protocol 115 (0x73) for L2TPv3.

    L2TPv3 Session Header  This includes the remote session ID (4 bytes) and optional cookie (8 bytes

Similarly, the NewYork side shows a 28-byte encapsulation consisting of the following:

    Delivery (IPv4) Header  This is a 20-byte IP header indicating IP protocol 115 (0x73) for L2TPv3.

    L2TPv3 Session Header  This includes a 4-byte remote session ID of 221 (0x000000DD) and a 4-byte remote cookie of 0x11111111.
Example 12-8 shows the NewYork HDLCoL2TPv3 encapsulation details using the command show l2tun
session all.
Example 12-8. HDLCoL2TPv3 Encapsulation Details from NewYork

NewYork#show l2tun session all
Session Information Total tunnels 0 sessions 1
Tunnel control packets dropped due to failed digest 0

Session id 238 is up, tunnel id 0
Call serial number is 0
Remote tunnel name is
  Internet address is 10.0.0.201
Session is manually signalled
Session state is established, time since change 1w0d
  70767 Packets sent, 70757 received
  4940396 Bytes sent, 4949086 received
  Receive packets dropped:
    out-of-order: 0
    total: 0
  Send packets dropped:
    exceeded session MTU: 0
    total: 0
Session vcid is 50
Session Layer 2 circuit, type is HDLC, name is Serial5/0
Circuit state is UP
  Remote session id is 221, remote tunnel id 0
DF bit off, ToS reflect disabled, ToS value 0, TTL value 255
Session cookie information:
  local cookie, size 8 bytes, value 22 22 22 22 22 22 22 22
  remote cookie, size 4 bytes, value 11 11 11 11
FS cached header information:
  encap size = 28 bytes
  00000000 00000000 00000000 00000000
  00000000 00000000 00000000
Sequencing is off
NewYork#show sss circuits
Current SSS Circuit Information: Total number of circuits 1
Common Circuit ID 0
Serial Num 1
Switch ID 18785464
---------------------------------------------------------------------------
Status Encapsulation
UP flg len dump
Y AES 0
Y AES 28 45000000 00000000 FF73A5F7 0A0000CB 0A0000C9
         000000DD 11111111
NewYork#
Publisher: Cisco Press
Pub Date: March 10, 2005
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Note
As a reminder, the data message format consists of the following:
Delivery Header The IPv4 header that transports the L2TPv3 packets across the IP backbone network.
L2TPv3 Session Header The header that uniquely identifies tunneled traffic among multiple L2TP data sessions. It is further subdivided into the following:
Session ID 4 bytes.
Cookie 0, 4, or 8 bytes.
L2-Specific Sublayer The control fields that facilitate tunneling of each frame (that is, sequencing, flags).
L2 Payload The Data Link Layer payload to be transported over L2TPv3.
The ultimate verification involves checking connectivity between CE devices, as shown in Example 12-9. Successful pings are highlighted.
Example 12-9. Verifying the HDLCoL2TPv3 CE
Because this is a static session, it is not possible to show control plane information exchange. However, you can capture and decode the data plane packets of the ping in Example 12-9 from the SanFran PE using the commands debug vpdn packet and debug vpdn packet detail. See Example 12-10.
SanFran#
SanFran#debug vpdn packet
VPDN packet debugging is on
SanFran#debug vpdn packet detail
VPDN packet details debugging is on
SanFran#
02:01:13: L2TP:(Tnl0:Sn221):FS/CEF Into tunnel (SSS): Sending pak
02:01:13: L2TP:(Tnl0:Sn221):FS/CEF Into tunnel: Sending 136 byte pak
contiguous pak, size 136
45 00 00 88 06 4E 00 00 FF 73 9F 21 0A 00 00 C9
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^...
IPv4 Delivery Header (IP protocol L2TPv3)
0A 00 00 CB 00 00 00 EE 22 22 22 22 22 22 22 22
...^^^^^^^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^
IPv4 Delivery Header Session Id Cookie (Remote)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
               L2TP Session Header
0F 00 08 00 45 00 00 64 00 2D 00 00 FF 01 72 17
^^ ^^ ^^^^^ ^^^^^...
|  |  |     IP Packet Begins
|  |  etype = IPv4
|  Control
Address = Unicast Frame
C0 A8 64 01 C0 A8 64 02 08 00 FC 51 00 09 00 00
00 00 00 00 24 3F 5D B0 ...
02:01:13: L2TP:(Tnl0:Sn221):CEF Into tunnel (SSS): Pak send successful
02:01:13: L2X:CEF From tunnel: Received 136 byte pak
contiguous pak, size 136
0F 00 08 00 45 00 00 84 05 72 00 00 FD 73 A2 01
^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^...
HDLC L2     IPv4 Delivery Header (IP protocol L2TPv3)
0A 00 00 CB 0A 00 00 C9 00 00 00 DD 11 11 11 11
...^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^
IPv4 Delivery Header       Session Id  Cookie (Local)
                           ^^^^^^^^^^^^^^^^^^^^^^^
                           L2TP Session Header
0F 00 08 00 45 00 00 64 00 2D 00 00 FF 01 72 17
^^ ^^ ^^^^^ ^^^^^...
|  |  |     IP Packet Begins
|  |  etype = IPv4
|  Control
Address = Unicast Frame
C0 A8 64 02 C0 A8 64 01 00 00 04 52 00 09 00 00
00 00 00 00 24 3F 5D B0 ...
02:01:13: L2TP:(Tnl0:Sn221):CEF From tunnel: Pak send successful
SanFran#
Note
Note that in Example 12-10 and several of the following examples that deal with packet decoding,
the offline hand decoding of the packets is shown in bold.
Example 12-10 shows two packets captured in the SanFran PE. The highlighted portion indicates the overhead added to the HDLC frames that are transported. The first packet labeled "Into tunnel" is an ICMP Echo received from Oakland and forwarded to the L2TPv3 tunnel. The second one labeled "From tunnel" is the ICMP Echo Reply received from Denver P and forwarded to the Oakland CE. It is worth noting that the imposition packets (that is, the "Into tunnel" packets) display the IPv4 and L2TPv3 headers in addition to the HDLC payload, whereas the disposition packets (that is, the "From Tunnel" packets) also include the datalink layer header (C-HDLC) between the PE and P routers.
Cookie: 2222222222222222
Note
Similar to AToM, L2TPv3 is a stateful protocol in which the PE device stores the state of interaction after connection initialization. This implies that it is impossible to perform a nonheuristic decode by mere inspection of a single packet out of context and lacking the state information. Example 12-10 shows this behavior. Without the state information, you do not know the cookie size (0, 4, or 8), the presence of a Layer 2-Specific Sublayer, or the encapsulated Layer 2 protocol. For AToM, you do not know the presence of the control word or the Layer 2 protocol that is being tunneled.
You can see that the HDLC frames are transported in their entirety, including the following:
Address 0x0F for unicast frame
Control 0x00
Ethertype 0x0800 for IPv4
IPv4 packet The HDLC payload is the IPv4 packet of the CE. It contains the ICMP echo request, which is often referred to as IP-framed because it is IP transported over a Layer 2 frame over L2TPv3.
The 0x7E flags and FCS are stripped at imposition and regenerated at disposition.
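As an added example (not code from the book), a small Python decoder that parses the two packets of Example 12-10 the way the receiving PE does: because the cookie length is not carried on the wire, it first looks the session ID up in a session table, checks the cookie, and only then reads the HDLC header and the inner IPv4/ICMP packet, verifying both IPv4 header checksums. The session tables, the SessionState type and the ICMP payload filler are assumptions constructed from the values in Examples 12-8 and 12-10.

```python
import struct
from dataclasses import dataclass

L2TPV3_IP_PROTO = 115      # IP protocol 0x73: L2TPv3 carried directly over IPv4
HDLC_ADDR_UNICAST = 0x0F   # HDLC address byte of a unicast frame
ETYPE_IPV4 = 0x0800        # HDLC ethertype for an IPv4 payload


@dataclass
class SessionState:
    """What the receiving LCCE holds for one of its local sessions (constructed)."""
    cookie: bytes               # local cookie the peer must carry in every data packet
    l2_specific_sublayer: bool  # True if a 4-byte sublayer (sequencing) follows the cookie


def ipv4_checksum(header):
    """One's-complement sum over an IPv4 header whose checksum field is zeroed."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(buf):
    """Parse one IPv4 header, verify its checksum and return (fields, payload)."""
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    ttl, proto, chk = struct.unpack("!BBH", buf[8:12])
    zeroed = buf[:10] + b"\x00\x00" + buf[12:ihl]
    fields = {"src": ".".join(map(str, buf[12:16])),
              "dst": ".".join(map(str, buf[16:20])),
              "ttl": ttl, "proto": proto, "len": total_len,
              "checksum_ok": ipv4_checksum(zeroed) == chk}
    return fields, buf[ihl:total_len]


def decode_l2tpv3(packet, sessions):
    """Decode an L2TPv3 data packet the way the receiving PE does.

    `sessions` maps local session ID -> SessionState. The cookie length is not on
    the wire, so decoding stops at an unknown session; 'verdict' says why.
    """
    outer, payload = parse_ipv4(packet)
    result = {"delivery": outer}
    if outer["proto"] != L2TPV3_IP_PROTO:
        result["verdict"] = f"not L2TPv3 (IP protocol {outer['proto']})"
        return result
    session_id = struct.unpack("!I", payload[:4])[0]
    result["session_id"] = session_id
    state = sessions.get(session_id)
    if state is None:
        result["verdict"] = "unknown session: cookie size undetermined"
        return result
    if payload[4:4 + len(state.cookie)] != state.cookie:
        result["verdict"] = "cookie mismatch: drop"   # wrong or spoofed session binding
        return result
    offset = 4 + len(state.cookie) + (4 if state.l2_specific_sublayer else 0)
    frame = payload[offset:]                           # the HDLC frame, flags/FCS stripped
    addr, ctrl, etype = struct.unpack("!BBH", frame[:4])
    result["hdlc"] = {"address": addr, "control": ctrl, "ethertype": etype,
                      "unicast": addr == HDLC_ADDR_UNICAST}
    if etype == ETYPE_IPV4:
        inner, l4 = parse_ipv4(frame[4:])
        result["inner_ipv4"] = inner
        if inner["proto"] == 1:  # ICMP: type 8 = echo request, type 0 = echo reply
            result["icmp"] = {"type": l4[0], "code": l4[1]}
    result["verdict"] = "ok"
    return result


# Sample packets: the first 72 bytes of each are the bytes printed in Example 12-10;
# the remaining 64 bytes of ICMP payload are constructed zero filler.
INTO_TUNNEL = bytes.fromhex(
    "45000088064E0000FF739F210A0000C9"   # IPv4 delivery header 10.0.0.201 -> 10.0.0.203
    "0A0000CB000000EE2222222222222222"   # session 238, 8-byte cookie 22..22
    "0F00080045000064002D0000FF017217"   # HDLC 0F 00 0800, then the CE's IPv4 header
    "C0A86401C0A864020800FC5100090000"   # 192.168.100.1 -> .2, ICMP echo request
    "00000000243F5DB0") + b"\x00" * 64
FROM_TUNNEL = bytes.fromhex(
    "0F0008004500008405720000FD73A201"   # C-HDLC PE-P header, then delivery header
    "0A0000CB0A0000C9000000DD11111111"   # 10.0.0.203 -> 10.0.0.201, session 221, cookie
    "0F00080045000064002D0000FF017217"
    "C0A86402C0A864010000045200090000"   # 192.168.100.2 -> .1, ICMP echo reply
    "00000000243F5DB0") + b"\x00" * 64

# Session tables constructed from Example 12-8: each PE knows only its own sessions.
NEWYORK_SESSIONS = {238: SessionState(cookie=b"\x22" * 8, l2_specific_sublayer=False)}
SANFRAN_SESSIONS = {221: SessionState(cookie=b"\x11" * 4, l2_specific_sublayer=False)}

if __name__ == "__main__":
    print(decode_l2tpv3(INTO_TUNNEL, NEWYORK_SESSIONS))
    print(decode_l2tpv3(FROM_TUNNEL[4:], SANFRAN_SESSIONS))   # skip the 4-byte C-HDLC header
    print(decode_l2tpv3(INTO_TUNNEL, SANFRAN_SESSIONS)["verdict"])
```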
Case Study 12-2: PPP over L2TPv3 with Dynamic Session
Both static and manual L2TPv3 sessions are limited in that they are prone to configuration errors and do not allow for dynamic pseudowire status notifications. You can use them, however, in small deployments or when a peer does not support dynamic sessions. Static sessions with keepalives are an intermediate stage between static and dynamic sessions that was explored in Chapter 11. The real scalability and manageability advantages of L2TPv3 occur in dynamic sessions. This section presents a case study of PPPoL2TPv3 with dynamic sessions using the topology shown in Figure 12-10.
Configuring PPPoL2TPv3
You can divide the configuration for the PE routers of SanFran and NewYork into four separate yet related
steps:
Step 1. Using the l2tp-class command, create an L2TP class to serve as a template for L2TPv3 sessions, and configure the required parameters. This case study specifies authentication and a cookie size of 4 bytes. This step is optional.
Step 2.
Step 3.
Step 4. Apply an xconnect statement under the attachment circuit (serial interface) from the Step 3 interface. The statement should specify the remote peer, VC ID, and pseudowire class from Step 2.
It is interesting to observe in Example 12-11 under the l2tp-class l2tpv3-wan that the password controls not only Challenge Handshake Authentication Protocol (CHAP) authentication but also the AVP hiding. You can configure the hidden command under the l2tp-class to hide AVPs in control messages by encrypting AVP values with a shared secret between LCCEs that derive a unique shared key via an HMAC-MD5 keyed hash. You can also specify the host name used for authentication. The router host name is the default.
It is important to note that PPP runs transparently between CE devices, and the PEs do not participate in PPP negotiation. After you enter the xconnect command in the PE interface, the PPP state machine goes into a closed state. Example 12-12 was captured using the debug ppp negotiation command.
Example
Verifying PPPoL2TPv3
The L2TPv3 Layer 2 transport and tunneling feature includes multiple commands that present different information about L2TPv3 tunnels and sessions. The first command you can check is show l2tun. It displays tunnel and session summary information (see Example 12-13).
Example 12-13. Displaying the L2TPv3 Tunnel and Session Summary
SanFran#show l2tun
Tunnel and Session Information Total tunnels 1 sessions 2
Tunnel control packets dropped due to failed digest 0
LocID  RemID  Remote Name  State  Remote Address  Port  Sessions  L2TPclass
61936  64821  NewYork      est    10.0.0.203      0     1         l2tpv3-wan
LocID  RemID  TunID  Username, Intf/  State
                     Vcid, Circuit
54459  51837  61936  60, Se6/0        est
221    238    0      50, Se5/0        est
SanFran#
You can see that, as opposed to Case Study 12-1, a tunnel now exists (because you have a dynamic session), in addition to a new session.
You can divide the output of the show l2tun command into three areas:
Tunnel and session summary information
Tunnel (control connection) summary information
Session summary information
In the tunnel summary information in Example 12-13, you can see that the local tunnel ID is 61936. This
number will become significant in the next section, "Control Plane Negotiation," when you analyze debug
command output. The tunnel state is established, and it is using the l2tpv3-wan L2TP class as configured.
You can also see that one session is negotiated in this Control Connection because the first session is static. Finally, the remote port is 0 because the current implementation supports L2TPv3 directly over IP, which means there is no port.
You can see two sessions in the session summary information. The session that uses VC ID 50 indicates a Tunnel ID of 0 because it is static (HDLCoL2TPv3). The session with VC ID 60 uses tunnel ID 61936 (control connection) with local and remote session IDs of 54459 and 51837, respectively. The attachment circuits are serial interfaces, because in both sessions you configured a port-to-port type of tunneling service.
Note
Normally, a single L2TPv3 Control Connection (tunnel) exists between two peer LCCEs or PE routers. It advertises and negotiates capabilities and sessions.
To have multiple tunnels between PE routers, you can set up multiple loopback addresses. Multiple tunnels between different PE routers using multiple loopback interfaces (also referred to as multiple tunnel loopbacks in this context) provide multipath load sharing in the IP core network.
You can even configure two loopback addresses (loopback 1 and loopback 2) in a single router and create two L2TPv3 endpoints in two attachment circuits in the same router. To achieve this, you can build an xconnect toward loopback 2 and VCID 100 using loopback 1 as ip local interface in the pseudowire-class template 1, and the other endpoint xconnect toward loopback 1 using loopback 2 as ip local interface in the pseudowire-class template 2. By using two loopback IP addresses, you can have two local L2TPv3 tunnels (mirror to each other) with one hairpinning or local switching (linking two attachment circuits in the same router) connection. This hairpinning configuration is unique to L2TPv3. It is not allowed in AToM.
You can find the remaining commands that provide more detailed information or different group summaries hanging off the show l2tun exec parser tree by adding different keywords. In particular, you can choose between tunnel or session information. In either case, the all keyword displays all details. Example 12-14 shows detailed tunnel information.
Example 12-14. Displaying L2TPv3 Control Connection Information
SanFran#show l2tun tunnel all
Tunnel Information Total tunnels 1 sessions 2
Tunnel control packets dropped due to failed digest 0
Tunnel id 61936 is up, remote id is 64821, 1 active sessions
  Tunnel state is established, time since change 00:04:37
  Tunnel transport is IP (115)
  Remote tunnel name is NewYork
    Internet Address 10.0.0.203, port 0
  Local tunnel name is SanFran
    Internet Address 10.0.0.201, port 0
  Tunnel domain is
  VPDN group for tunnel is
  L2TP class for tunnel is l2tpv3-wan
  69 packets sent, 70 received
  3306 bytes sent, 3644 received
  Control Ns 6, Nr 8
Example 12-14 shows the local and remote tunnel IDs, the encapsulation of L2TPv3oIPv4 (with IPv4 protocol number 115) that the tunnel is using, the remote and local tunnel names (the name equals the router host name by default) and IP addresses, the L2TP class used, and the control sequence numbers.
Following are the control sequence numbers:
Ns Sequence number sent (my sequence number). This is the sequence number for the particular control message. It is incremented by 1 for each message sent.
Nr Sequence number received (your sequence number seen plus 1). This is the sequence number expected to be received in the next control message. It is set to the Ns of the last message received in order plus 1.
Note
    encap size = 32 bytes
    00000000 00000000 00000000 00000000
    00000000 00000000 00000000 00000000
  Sequencing is on
    Ns 83, Nr 84, 0 out of order packets received
SanFran#
Example 12-16.
Connectivity Verification from the CEs
Oakland#ping 192.168.101.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/32 ms
Oakland#
Control Plane Negotiation
This section demonstrates the following two L2TPv3 control plane negotiations from the SanFran PE router debug output:
Control connection (tunnel) establishment
Session (pseudowire) establishment
The debugs that are enabled are debug vpdn l2x-events and debug vpdn l2x-packets. They display
L2TP protocol events and packets, including AVP parsing.
Example 12-17 shows the debug output for the control connection establishment, highlighting the L2TPv3
messages and their respective state transitions. The output includes all the L2TP events, but only some of
the more interesting packet and AVP details. The AVPs that were removed for brevity are indicated.
00:05:58: L2X: Parse Cisco AVP 1, len 10, flag 0x8000 (M)
00:05:58: L2X: Assigned Control Connection ID 64821
00:05:58: L2X: Parse Cisco AVP 2, len 22, flag 0x8000 (M)
00:05:58: L2X: Pseudo Wire Capabilities List
00:05:58: L2X:   FR-DLCI [0001], ATM-AAL5 [0002], ATM-Cell [0003], Ether [0004], HDLC [0005],
00:05:58: L2X:   Ether-Vlan [0006],
00:05:58: L2X:   PPP [0007], ATM-VCC-Cell [0009],
00:05:58: L2X:   ATM-VPC-Cell [000A], IP [000B]
00:05:58: L2X: I SCCRQ, flg TLS, ver 3, len 144, tnl 0, ns 0, nr 0
00:05:58: L2TP: I SCCRQ from NewYork tnl 64821
00:05:58: Tnl61936 L2TP: Got a challenge in SCCRQ, SanFran
00:05:58: Tnl61936 L2TP: Control connection authentication skipped/passed.
00:05:58: Tnl61936 L2TP: New tunnel created for remote NewYork, address 10.0.0.203
00:05:58: Tnl61936 L2TP: O SCCRP to NewYork tnlid 64821
00:05:58: Tnl61936 L2TP: O SCCRP, flg TLS, ver 3, len 166, tnl 64821, ns 0, nr 1
00:05:58: Tnl61936 L2TP: Control channel retransmit delay set to 1 seconds
00:05:58: Tnl61936 L2TP: Tunnel state change from idle to wait-ctl-reply
00:05:58: Tnl61936 L2TP: Parse AVP 0, len 8, flag 0x8000 (M)
00:05:58: Tnl61936 L2TP: Parse SCCCN
00:05:58: Tnl61936 L2TP: No missing AVPs in SCCCN
00:05:58: Tnl61936 L2TP: I SCCCN, flg TLS, ver 3, len 42, tnl 61936, ns 1, nr 1
00:05:58: Tnl61936 L2TP: I SCCCN from NewYork tnl 64821
00:05:58: Tnl61936 L2TP: Got a response in SCCCN, from remote peer NewYork
00:05:58: Tnl61936 L2TP: Tunnel Authentication success
00:05:58: Tnl61936 L2TP: Control connection authentication skipped/passed.
00:05:58: Tnl61936 L2TP: Tunnel state change from wait-ctl-reply to established
00:05:58: Tnl61936 L2TP: O ZLB ctrl ack, flg TLS, ver 3, len 12, tnl 64821, ns 1, nr 2
00:05:58: Tnl61936 L2TP: SM State established
SanFran#
You can correlate the output from Example 12-17 to the corresponding steps in Figure 12-11:
Note
Both in the tunnel and session establishment, many of the new AVPs that are defined for L2TPv3 in the base IETF L2TPv3 specification are sent with the Cisco Systems vendor ID of 9 (SMI Network Management Private Enterprise Codes from http://www.iana.org/assignments/enterprise-numbers). This is because the AVP types are yet to be assigned. When IANA assigns them, Cisco routers send the AVPs with the IETF Vendor ID of 0 and accept both IETF and Cisco AVPs, giving priority to IETF AVPs.
Example
Local Session ID 51837 Example 12-18 shows this value in the received message from the NewYork PE. In Example 12-13, this same field is shown as the remote session ID from the SanFran perspective, because the AVP is with respect to the NewYork PE.
Remote Session ID 0 The remote session ID is unknown to NewYork at this point.
Assigned Cookie 9B 16 16 5E This is the cookie value that was assigned in the NewYork PE for this session. It is displayed in Example 12-18 as the parsed AVP value in the incoming message from NewYork.
Pseudo Wire Type 7 This indicates PPP (Pseudowire Type 0x0007 from Table 12-1).
End Identifier 60 This is the VC ID configured.
Sequencing Required This indicates that sequencing for the pseudowire is on.
2. ICRP In the second part of the three-way handshake, the SanFran PE sends an Incoming-Call-Reply (ICRP) message to the NewYork PE, and the session state machine advances to the wait-connect state. This message includes SanFran's local session ID of 54459.
3. ICCN In the third part of the three-way handshake, the SanFran PE receives an Incoming-Call-Connected (ICCN) message from the NewYork PE, and the session state moves to established.
From the debug output and Figure 12-12, you can track the Ns and Nr values. Ns is always set to the previous Ns sent plus 1. For example, an ICRQ sent from NewYork contains Ns 2, and an ICCN sent from NewYork contains Ns 3. Nr is always set to the previous Ns received plus 1. For example, an ICRQ received in SanFran contains Ns 2, and an ICRP sent from SanFran contains Nr 3.
Example 12-19. PPPoL2TPv3 Encapsulation Details from SanFran

SanFran#show sss circuits
Current SSS Circuit Information: Total number of circuits 2

Switch ID   Num  Common Circuit ID   Status  Encapsulation
--------------------------------------------------------------------------
18797112    2    Serial 0            UP      flg len dump
                                             Y   AES 2   FF03
                                             Y   AES 32  45000000 00000000 FF73A5F7 0A0000C9 0A0000CB
                                                         0000CA7D 9B16165E 00000000
SanFran#
Remote Session ID: 4 bytes equal to 0x0000CA7D or 51837. You can see this in Example 12-15 in the show l2tun command output as rsid 51837, in addition to the Example 12-18 debug output.

Remote Cookie: 4 bytes equal to 0x9B16165E. You can see this value in Example 12-15 in the output of the command show l2tun session all vcid 60 displaying session details, and in the Example 12-18 debug output as the Assigned Cookie value in the ICRQ AVP message that SanFran received.

L2-Specific Sublayer: The Default L2-Specific Sublayer is used because sequencing has been configured. The show sss circuit command displays the 4 bytes as NULL and fills in the bytes for each packet with the appropriate value.
In Example 12-19, the PPP header address (0xFF) and control (0x03) fields are removed at imposition. Toward the attachment circuit, the encapsulation is 2 bytes long. It includes the following two fields that were removed at imposition and need to be prepended at disposition:

PPP Address: 1 byte equal to 0xFF.

PPP Control: 1 byte equal to 0x03.

To see the encapsulation in action, Example 12-20 captures two packets from the ping messages in Example 12-16. Use the two debug commands: debug vpdn packet and debug vpdn packet detail. The former one provides packet summary information, whereas the latter one displays a hexadecimal dump of the first bytes of the packet (see Example 12-20).
SanFran#
00:17:15: L2TP:(Tnl0:Sn54459):FS/CEF Into tunnel (SSS): Sending pak
00:17:15: L2TP:(Tnl0:Sn54459):FS/CEF Into tunnel: Sending 134 byte pak
contiguous pak, size 134
45 00 00 86 01 D7 00 00 FF 73 A3 9A 0A 00 00 C9
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^...
IPv4 Delivery Header (IP protocol L2TPv3)
0A 00 00 CB 00 00 CA 7D 9B 16 16 5E 40 00 00 A0
...^^^^^^^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^
IPv4 Delivery Header Rem. Sess Id Rem. Cookie L2-Specific Sublayer
                                              S (Sequence flag) = 1
                                              Sequence Number = 160 (0xA0)
                     ^^^^^^^^^^^^^^^^^^^^^^^
                     L2TP Session Header
00 21 45 00 00 64 00 05 00 00 FF 01 70 3F C0 A8
^^^^^ ^^^^^...
|     Begins IP Packet
PPP DLL Protocol Number - 0x0021 (IPv4)
65 01 C0 A8 65 02 08 00 9B 51 00 01 00 00 00 00
00 00 00 0F E2 E8 AB CD ...
00:17:15: L2TP:(Tnl0:Sn54459):CEF Into tunnel (SSS): Pak send successful
00:17:15: L2X:CEF From tunnel: Received 138 byte pak
contiguous pak, size 138
0F 00 08 00 45 00 00 86 01 AC 00 00 FD 73 A5 C5
^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^...
HDLC L2     IPv4 Delivery Header (IP protocol L2TPv3)
0A 00 00 CB 0A 00 00 C9 00 00 D4 BB 5B AD 54 4D
...^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^
IPv4 Delivery Header      Loc.Sess Id Cookie (Local)
                          ^^^^^^^^^^^^^^^^^^^^^^^
                          L2TP Session Header
40 00 00 A1 00 21 45 00 00 64 00 05 00 00 FF 01
^^^^^^^^^^^ ^^^^^ ^^^^^...
|           |     Begins IP Packet
|           PPP DLL Protocol Number - 0x0021 (IPv4)
L2-Specific Sublayer: S = 1; Sequence Number = 161 (0xA1)
70 3F C0 A8 65 02 C0 A8 65 01 00 00 A3 51 00 01
00 00 00 00 00 00 00 0F ...
00:17:15: L2TP:(Tnl0:Sn54459):CEF From tunnel: Pak send successful
Example 12-20 shows two packets captured in the SanFran PE. The highlighted portion of the hexadecimal dump indicates the overhead added to the PPP frames that are transported. The first packet labeled "Into tunnel" is an ICMP Echo that SanFran receives from Oakland and forwards into the L2TPv3 tunnel toward New York. The second packet labeled "From tunnel" is the ICMP Echo Reply received from Denver P and forwarded to Oakland CE. As before, the imposition packets (that is, the "Into tunnel" packets) display the IPv4 and L2TPv3 headers plus the PPP payload, whereas the disposition packets (that is, the "From tunnel" packets) also include the data link layer header (HDLC in the case of the SanFran PE to the Denver P link).

The L2TPv3 portion of the first packet contains the following fields:

Layer 2 Tunneling Protocol version 3
    Default L2-Specific Sublayer
        .1.. .... = S-bit: True

IPv4 Packet: The PPP payload is the CE's IPv4 packet containing the ICMP Echo request. However, the payload excludes the following:

Address 0xFF

Control 0x03
You will be using different DLCIs at both ends to observe the DLCI rewrite.
Configuring FRoL2TPv3

The configuration for FRoL2TPv3 is slightly different from the other case studies. This is the first case in which the attachment circuit is a virtual circuit as opposed to an interface. The configuration of an attachment circuit in a PVC as opposed to an interface is accomplished by executing the xconnect command under a connect and not under the interface. In fact, after you set the encapsulation to frame-relay in a Serial or Packet over SONET (POS) interface, the interface no longer accepts the xconnect command. The attachment circuit is created by defining the l2transport endpoint with the connect configuration command. This effectively generates a switched DLCI under the main interface with the DLCI specified in the connect command. You can configure the switched DLCI by using the frame-relay interface-dlci command with the switched keyword.

This is also the first case study in which signaling messaging between PE and CE takes place. In particular, Frame Relay LMI runs on the links between PE and CE, providing a link keepalive mechanism and PVC status exchange. To achieve this, you configure the PE interfaces as Frame Relay LMI DCE after you enable the frame-relay switching command.

The configuration for the SanFran PE is included in Example 12-21.
Note
Configuring the xconnect statement under a connect as opposed to under a new subinterface
saves memory and enhances the scalability of DLCI-to-DLCI mode by not requiring a Cisco IOS
Software interface descriptor block (IDB) for each attachment circuit pseudowire in the PE device.
The same is true for ATM PVC and permanent virtual path (PVP) modes by configuring the
xconnect command under the PVC and PVP configuration mode, respectively. That assumes that
the PVC or PVP are on the main interface, but it is not true for VLAN transport, in which a new
subinterface is needed for each VLAN.
The CE configuration is included in Example 12-22. It does not differ if the Oakland CE is connected to a traditional Frame Relay switch.

Example 12-22. Configuring the Frame Relay DLCI over the L2TPv3 CE

!
hostname Oakland
!
interface Serial7/0
 no ip address
 encapsulation frame-relay
!
interface Serial7/0.1 point-to-point
 ip address 192.168.102.1 255.255.255.252
 frame-relay interface-dlci 100
!
Verifying FRoL2TPv3

For the Frame Relay DLCI over L2TPv3 (FR_DLCIoL2TPv3) verification, first check the connection in the SanFran PE (see Example 12-23).

Example 12-23. Verifying the FR_DLCIoL2TPv3 Connection

SanFran#show connection
ID    Name                Segment 1             Segment 2             State
===========================================================================
1     l2tpv3-fr-dlci      Se7/0 100             10.0.0.203 70         UP
SanFran#show connection name l2tpv3-fr-dlci
FR/Pseudo-Wire Connection: 1 - l2tpv3-fr-dlci
 Status - UP
 Segment 1 - Serial7/0 DLCI 100
  Segment status: UP
   Line status: UP
   PVC status: ACTIVE
   NNI PVC status: ACTIVE
 Segment 2 - 10.0.0.203 70
  Segment status: UP
   Requested AC state: UP
   PVC status: ACTIVE
   NNI PVC status: ACTIVE
SanFran#
You can display the two connection segments or endpoints by using the show connection command. The first segment is the attachment circuit, and the second segment is the pseudowire remote endpoint identified by peer IPv4 address and VC ID. You can see that all respective statuses and states are ACTIVE and UP. Next, you can verify the switched DLCI created in the PE devices by using the connect command (see Example 12-24).
Frame-Relay VC Summary
SanFran#
SanFran#show frame-relay pvc 100

PVC Statistics for interface Serial7/0 (Frame Relay DCE)

              Active     Inactive      Deleted       Static
  Local          0            0            0            0
  Switched       1            0            0            0
  Unused         0            0            0            0

DLCI = 100, DLCI USAGE = SWITCHED, PVC STATUS = ACTIVE, INTERFACE = Serial7/0
You can see that the session is established, the circuit is UP, and it is displayed as Se7/0:100 because the
attachment circuit is now the logical connection with DLCI 100 in interface Serial 7/0. The details of the
L2TPv3 session are shown in Example 12-26.
Remote tunnel name is New York
  Internet address is 10.0.0.203
Session is L2TP signalled
  Session state is established, time since change 22:37:10
    1365 Packets sent, 1365 received
    491480 Bytes sent, 490120 received
  Receive packets dropped:
    out-of-order:             0
    total:                    0
  Send packets dropped:
    exceeded session MTU:     0
    total:                    0
  Session vcid is 70
  Session Layer 2 circuit, type is Frame Relay, name is Serial7/0:100
  Circuit state is UP
    Remote session id is 51845, remote tunnel id 64821
  DF bit off, ToS reflect disabled, ToS value 0, TTL value 255
  Session cookie information:
    local cookie, size 4 bytes, value 58 47 4E 42
    remote cookie, size 4 bytes, value E6 FC CF 51
  FS cached header information:
    encap size = 28 bytes
    00000000 00000000 00000000 00000000
    00000000 00000000 00000000
  Sequencing is off
SanFran#
You can see all the details of the session in Example 12-26. It is important to note that the encapsulation size is 28 bytes: 24 bytes minimum from IPv4 encapsulation plus the session ID, plus 4 bytes of cookie that was specified in the l2tpv3-wan l2tp-class. The circuit type is Frame Relay DLCI, which corresponds to 0x0001 from Table 12-1.

Finally, you can test connectivity from the Oakland CE, highlighting successful pings (see Example 12-27).

Example 12-27. FR_DLCIoL2TPv3 Checking Connectivity from the CEs

Oakland#ping 192.168.102.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/25/36 ms
Oakland#
Figure 12-14 shows the 2-byte Q.922 header that was first introduced in Figure 12-5 in a reorganized format. It also calculates the Q.922 header value for the two DLCI values used in this case study, namely 100 and 101.
45 00 00 64 00 27 00 00 FF 01 6E 1D C0 A8 66 01
^^^^^...
Begins IP Packet
C0 A8 66 02 08 00 47 A0 00 07 00 04 00 00 00 00
09 07 2D 98 AB CD AB CD ...
*Jun 28 19:07:17.405: L2TP:(Tnl0:Sn54467):CEF Into tunnel (SSS): Pak send successful
*Jun 28 19:07:17.437: L2X:CEF From tunnel: Received 136 byte pak
contiguous pak, size 136
0F 00 08 00 45 00 00 84 19 ED 00 00 FD 73 8D 86
^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^...
HDLC L2     IPv4 Delivery Header (IP protocol L2TPv3)
0A 00 00 CB 0A 00 00 C9 00 00 D4 C3 58 47 4E 42
...^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^
IPv4 Delivery Header      Session Id  Cookie (Local)
                          ^^^^^^^^^^^^^^^^^^^^^^^
                          L2TP Session Header
18 51 08 00 45 00 00 64 00 27 00 00 FF 01 6E 1D
^^^^^ ^^^^^ ^^^^^...
|     |     Begins IP Packet
|     etype = IPv4
Q.922 Header: DLCI = 101
C0 A8 66 02 C0 A8 66 01 00 00 4F A0 00 07 00 04
00 00 00 00 09 07 2D 98 ...
*Jun 28 19:07:17.437: L2TP:(Tnl0:Sn54467):CEF From tunnel: Pak send successful
SanFran#
In Example 12-28, you can see two FRoL2TPv3 packets captured in the SanFran PE. The portion highlighted in the hexadecimal dump corresponds to the overhead added to the Frame Relay frames that are being transported.

Similarly to previous examples, the first packet labeled "Into tunnel" is an ICMP Echo that SanFran receives from Oakland and forwards to the L2TPv3 tunnel toward New York. The second packet labeled "From tunnel" is the ICMP Echo Reply received from the Denver P and forwarded to the Oakland CE. The imposition packet that is sent into the tunnel displays the IPv4 and L2TPv3 headers. In contrast, the disposition packet that is coming from the tunnel and is later sent out of the attachment circuit also includes the data link layer header, IPv4, and L2TPv3.

The L2TPv3 portion of the first packet contains the following fields:

Session ID: 51845

Cookie: E6FCCF51

You can see that the payload corresponds to the complete Frame Relay frames that in turn carry IPv4 traffic, containing the following:

Q.922 Header: 2 bytes, including the following:
  DLCI: 10 bits with a value of 100 (Higher DLCI: 0x06; Lower DLCI: 0x04)
  C/R: 1 bit with a value of 0
  BECN: 1 bit with a value of 0
  FECN: 1 bit with a value of 0

Ethertype: 0x0800, indicating IPv4

IPv4 Packet: The IP packet from the CE being transported inside the Frame Relay encapsulation

Because you did not specify IETF Frame Relay encapsulation in the CE devices Oakland and Albany, the default of Cisco Frame Relay encapsulation is used (refer to Figure 12-5). The Ethertype is used as the upper-layer protocol identifier.

In the first packet sent out of SanFran toward New York, the Q.922 header equals 0x1841, indicating DLCI 100. The DLCI field is rewritten to 101 before the Frame Relay frame is sent out of the New York PE toward the Albany CE. In contrast, in the second packet received in the SanFran PE from the Denver P, the Q.922 header is 0x1851, designating a DLCI of 101 that the New York PE received from the Albany CE. The SanFran PE rewrites this DLCI field to a value of 100 before sending the frame to the Oakland CE.
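The following decoder is an added example for this page, not code from the book: it walks the hex dumps printed in Examples 12-20 (PPPoL2TPv3, sequencing on) and 12-28 (FR_DLCIoL2TPv3, sequencing off), pulls out the IPv4 delivery header, session ID, cookie, Default L2-Specific Sublayer and the PPP or Q.922 pseudowire header, drops any packet whose cookie does not match the session's local cookie (the check a PE relies on to keep stray IP packets out of a pseudowire), and performs the DLCI rewrite on the Q.922 header described above. The dumps are copied from the two examples and truncated where the book truncates them; every function and constant name is this example's own.

```python
"""Decode the L2TPv3-over-IPv4 packets from Examples 12-20 and 12-28.
Added example for this page; not code from the book."""
import struct
from typing import Optional

L2TPV3_IP_PROTO = 115        # IANA protocol number for L2TPv3 over IP
PW_TYPE_FR_DLCI = 0x0001     # Pseudowire types from Table 12-1 used on this page
PW_TYPE_PPP = 0x0007


def q922_decode(hdr: bytes) -> dict:
    """Decode a 2-byte Q.922 header: 10-bit DLCI plus C/R, FECN, BECN, DE."""
    b0, b1 = hdr[0], hdr[1]
    return {
        "dlci": ((b0 >> 2) << 4) | (b1 >> 4),   # 6 high bits, then 4 low bits
        "cr": (b0 >> 1) & 1,
        "fecn": (b1 >> 3) & 1,
        "becn": (b1 >> 2) & 1,
        "de": (b1 >> 1) & 1,
    }


def q922_rewrite_dlci(hdr: bytes, new_dlci: int) -> bytes:
    """DLCI-to-DLCI rewrite at disposition: replace only the 10 DLCI bits,
    leaving C/R, FECN, BECN, DE and both EA bits untouched."""
    if not 0 <= new_dlci < 1024:
        raise ValueError("DLCI must fit in 10 bits")
    b0 = ((new_dlci >> 4) << 2) | (hdr[0] & 0x03)
    b1 = ((new_dlci & 0x0F) << 4) | (hdr[1] & 0x0F)
    return bytes([b0, b1])


def decode_l2tpv3(pkt: bytes, pw_type: int, cookie_len: int, sequencing: bool,
                  expected_cookie: Optional[bytes] = None) -> dict:
    """Parse delivery header, session ID, cookie, optional Default L2-Specific
    Sublayer and the pseudowire-specific header. Raises ValueError when the
    cookie does not match, which is how a PE keeps spoofed packets out."""
    # "From tunnel" captures on SanFran start with the 4-byte HDLC header of
    # the SanFran-Denver link: 0F 00 (address/control) 08 00 (IPv4).
    if pkt[:4] == b"\x0f\x00\x08\x00":
        pkt = pkt[4:]
    ver_ihl, proto = pkt[0], pkt[9]
    if ver_ihl >> 4 != 4 or proto != L2TPV3_IP_PROTO:
        raise ValueError("not an L2TPv3-over-IPv4 packet")
    off = (ver_ihl & 0x0F) * 4
    out = {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "session_id": struct.unpack_from("!I", pkt, off)[0],
    }
    off += 4
    cookie = pkt[off:off + cookie_len]
    off += cookie_len
    if expected_cookie is not None and cookie != expected_cookie:
        raise ValueError(f"cookie mismatch, dropping packet: {cookie.hex()}")
    out["cookie"] = cookie.hex()
    if sequencing:
        # Default L2-Specific Sublayer: S bit is bit 1 of the word, then a
        # 24-bit sequence number (0x400000A0 -> S=1, seq=160 in Example 12-20).
        sub = struct.unpack_from("!I", pkt, off)[0]
        off += 4
        out["s_bit"] = (sub >> 30) & 1
        out["seq"] = sub & 0x00FFFFFF
    if pw_type == PW_TYPE_PPP:
        # PPP address/control were stripped at imposition; only the 2-byte
        # PPP protocol number (0x0021 = IPv4) is carried.
        out["ppp_proto"] = struct.unpack_from("!H", pkt, off)[0]
        off += 2
    elif pw_type == PW_TYPE_FR_DLCI:
        # Cisco Frame Relay encapsulation: Q.922 header then an Ethertype.
        out["q922"] = q922_decode(pkt[off:off + 2])
        out["ethertype"] = struct.unpack_from("!H", pkt, off + 2)[0]
        off += 4
    else:
        raise ValueError(f"unsupported pseudowire type {pw_type:#06x}")
    inner = pkt[off:]
    out["inner_src"] = ".".join(map(str, inner[12:16]))
    out["inner_dst"] = ".".join(map(str, inner[16:20]))
    return out


# Dumps copied from the book's examples, truncated as printed there.
PPP_INTO_TUNNEL = bytes.fromhex(          # Example 12-20, first packet
    "45 00 00 86 01 D7 00 00 FF 73 A3 9A 0A 00 00 C9"
    "0A 00 00 CB 00 00 CA 7D 9B 16 16 5E 40 00 00 A0"
    "00 21 45 00 00 64 00 05 00 00 FF 01 70 3F C0 A8"
    "65 01 C0 A8 65 02 08 00 9B 51 00 01 00 00 00 00"
    "00 00 00 0F E2 E8 AB CD")
FR_FROM_TUNNEL = bytes.fromhex(           # Example 12-28, second packet
    "0F 00 08 00 45 00 00 84 19 ED 00 00 FD 73 8D 86"
    "0A 00 00 CB 0A 00 00 C9 00 00 D4 C3 58 47 4E 42"
    "18 51 08 00 45 00 00 64 00 27 00 00 FF 01 6E 1D"
    "C0 A8 66 02 C0 A8 66 01 00 00 4F A0 00 07 00 04"
    "00 00 00 00 09 07 2D 98")
SANFRAN_LOCAL_COOKIE_VCID70 = bytes.fromhex("58474E42")   # Example 12-26

if __name__ == "__main__":
    print(decode_l2tpv3(PPP_INTO_TUNNEL, PW_TYPE_PPP, 4, True))
    fr = decode_l2tpv3(FR_FROM_TUNNEL, PW_TYPE_FR_DLCI, 4, False,
                       SANFRAN_LOCAL_COOKIE_VCID70)
    print(fr, q922_rewrite_dlci(bytes.fromhex("1851"), 100).hex())
```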
pseudowire-class pw-l2tpv3-atm
 encapsulation l2tpv3
 ip local interface Loopback0
!
!
interface ATM5/0
 no ip address
 pvc 0/100 l2transport
  encapsulation aal5
  xconnect 10.0.0.203 27 pw-class pw-l2tpv3-atm
!
!
Example 12-29 uses the default l2tp-class (l2tp_default_class), which means no authentication and no cookie. However, because you are using AAL5 mode, the ATM-Specific Sublayer is mandatory.

Example 12-30 shows the normal configuration of the CE device from the Oakland CE. OAM management is disabled.
!
hostname Oakland
!
interface ATM6/0.1 point-to-point
 ip address 192.168.103.1 255.255.255.252
 pvc 0/100
  oam-pvc 0
  encapsulation aal5snap
!
!
The configuration in the New York PE and the Albany CE is analogous to Examples 12-29 and 12-30, respectively.
Verifying AAL5_SDUoL2TPv3

To verify the status of the tunneling and transport of AAL5 SDU frames over L2TPv3, confirm the l2tun session using the summary and detailed versions of the show command (see Example 12-31).

Example 12-31. Verifying AAL5_SDUoL2TPv3 Session
SanFran#show l2tun session
Tunnel and Session Information Total tunnels 1 sessions 1
Tunnel control packets dropped due to failed digest 0

LocID      RemID      TunID      Username, Intf/      State
                                 Vcid, Circuit
43729      28232      23520      27, AT5/0:0/100      est
SanFran#
SanFran#show l2tun session all
Session id 43729 is up, tunnel id 23520
Call serial number is 2763400000
Remote tunnel name is New York
  Internet address is 10.0.0.203
Session is L2TP signalled
  Session state is established, time since change 00:57:57
    0 Packets sent, 0 received
    0 Bytes sent, 0 received
  Receive packets dropped:
    out-of-order:             0
    total:                    0
  Send packets dropped:
    exceeded session MTU:     0
    total:                    0
  Session vcid is 27
  Session Layer 2 circuit, type is ATM AAL5, name is ATM5/0:0/100
  Circuit state is UP
    Remote session id is 28232, remote tunnel id 60864
  DF bit off, ToS reflect disabled, ToS value 0, TTL value 255
  No session cookie information available
  FS cached header information:
    encap size = 28 bytes
    00000000 00000000 00000000 00000000
    00000000 00000000 00000000
  Sequencing is off
SanFran#
You can see that the session is established; similar to Frame Relay DLCI mode, the attachment circuit is shown as interface:virtual_circuit (in this case AT5/0:0/100). The detailed information shows the tunnel signaled and established using VC ID 27. The type is ATM AAL5, using VC Type (PW Type) 0x0002 from Table 12-1 for ATM AAL5 SDU VCC. Finally, the encapsulation size is 28 bytes, which corresponds to the following:

Transport (IPv4) Header (20 bytes)

L2TPv3 Header including Session ID (4 bytes) and ATM-Specific Sublayer (mandatory 4 bytes)
As usual, the definitive test is CE-CE connectivity (see Example 12-32).

Example 12-32. Verifying CE-to-CE AAL5_SDUoL2TPv3 Connectivity

SanFran#ping 192.168.103.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.103.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/24 ms
SanFran#
You can also display ATM PVC information. It is interesting to see how the ATM PVC information differs
between the CE and PE routers (see Example 12-33).
Example 12-33. ATM PVC Summary in the Oakland CE and the SanFran PE
Oakland#show atm pvc interface ATM 6/0.1
           VCD /                                   Peak    Avg/Min  Burst
Interface  Name   VPI  VCI  Type  Encaps           Kbps    Kbps     Cells  Sts
6/0.1      1      0    100  PVC   SNAP             149760  N/A             UP
Oakland#
SanFran#show atm pvc interface ATM 5/0
           VCD /                                   Peak    Avg/Min  Burst
Interface  Name   VPI  VCI  Type  Encaps           Kbps    Kbps     Cells  Sts
5/0        1      0    100  PVC   AAL5             149760  N/A             UP
SanFran#
In the Oakland CE, the encapsulation is AAL5SNAP because that is what you normally configure on an ATM PVC. However, on the SanFran side, the encapsulation is just AAL5, meaning AAL5 SDU L2Transport and tunneling.
You can see the same distinction displaying PVC details in Example 12-34.
Example 12-34. ATM PVC Details in the Oakland CE and the SanFran PE

Oakland#show atm vc interface ATM 6/0.1 detail
ATM6/0.1: VCD: 1, VPI: 0, VCI: 100
UBR, PeakRate: 149760
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
OAM frequency: 0 second(s)
InARP frequency: 15 minutes(s)
Transmit priority 4
InPkts: 5, OutPkts: 5, InBytes: 540, OutBytes: 540
InPRoc: 5, OutPRoc: 5
InFast: 0, OutFast: 0, InAS: 0, OutAS: 0
InPktDrops: 0, OutPktDrops: 0
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0
Out CLP=1 Pkts: 0
OAM cells received: 125
OAM cells sent: 125
Status: UP
Oakland#

SanFran#show atm vc interface ATM 5/0 detail
ATM5/0: VCD: 1, VPI: 0, VCI: 100
UBR, PeakRate: 149760
AAL5 L2transport, etype:0xF, Flags: 0x10000C2E, VCmode: 0x0
OAM Cell Emulation: not configured
Interworking Method: like to like
Remote Circuit Status = No Alarm, Alarm Type = None
InPkts: 130, OutPkts: 5, InBytes: 17179869224, OutBytes: 540
InPRoc: 0, OutPRoc: 0
InFast: 5, OutFast: 5, InAS: 0, OutAS: 0
InPktDrops: 0, OutPktDrops: 0
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0
Out CLP=1 Pkts: 0
OAM cells received: 125
OAM cells sent: 125
Status: UP
SanFran#
Control Plane Details
This section presents a complete session establishment control plane negotiation for L2TPv3 AAL5 SDU transport. As before, the complete three-way handshake session establishment is shown, highlighting the L2TPv3 control messages and AVPs that are specific to the pseudowire type. In all cases, all AVPs in the messages are parsed, and then the control message is accepted (see Example 12-35).
Example 12-35. ATM AAL5 over L2TPv3 Session Establishment Control Plane Details

SanFran#
*Jun 29 08:18:21.587: Tnl23520 L2TP: Parse AVP 0, len 28, flag 0x8000 (M)
*Jun 29 08:18:21.587: Tnl23520 L2TP: Parse ICRQ
*Jun 29 08:18:21.587: Tnl23520 L2TP: Parse AVP 15, len 10, flag 0x8000 (M)
*Jun 29 08:18:21.587: Tnl23520 L2TP: Serial Number -1531567296
*Jun 29 08:18:21.587: Tnl23520 L2TP: Parse Cisco AVP 3, len 10, flag 0x8000 (M)
*Jun 29 [nine further debug lines of this exchange are not recoverable in this copy]
*Jun 29 08:18:21.607: Tnl/Sn23520/43729 L2TP: Session state change from wait-connect to established
SanFran#
You can note in Example 12-35 the following messages and AVPs:

1. ICRQ: The first way in the three-way handshake. The New York PE sends the SanFran PE an ICRQ message. The tunnel ID is 23520, as shown earlier in Example 12-31. At this point, the session state machine changes to wait-connect, and a new session with local session ID 43729 (also shown in Example 12-31) is created. Some of the most significant AVPs for AAL5 SDU shown in the debug output for the ICRQ message are as follows:

   Pseudowire Type 2 indicates ATM AAL5 SDU VCC (pseudowire type 0x0002 from Table 12-1).

   End Identifier 27 is the VC ID that is configured.

   Layer 2-Specific Sublayer 2 indicates the mandatory ATM-Specific Sublayer.

2. ICRP: The second way in the three-way handshake. The SanFran PE sends an ICRP message to the New York PE, and the session state machine advances to a wait-connect state.

3. ICCN: The third way in the three-way handshake. The New York PE sends the SanFran PE an ICCN message, and the session state moves to established. Again, the Layer 2-Specific Sublayer AVP contains a value of 2, indicating that the ATM Layer 2-Specific Sublayer is used.
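The three-way exchange just described, as an added example that is not the book's code: it frames the AVPs the way RFC 3931 does (M/H bits and a 10-bit length, Vendor ID, Attribute Type), builds the ICRQ, ICRP, and ICCN messages with the Pseudowire Type, Remote End ID, and L2-Specific Sublayer values from Example 12-35, and runs SanFran's side of the state machine from idle through wait-connect to established. Assumptions: the RFC 3931 attribute type numbers, New York's session ID 28232 (taken from the remote session ID seen in the Example 12-37 hex dump), and the call serial number written in unsigned form (2763400000 is the debug's -1531567296).

```python
import struct

ICRQ, ICRP, ICCN = 10, 11, 12                          # RFC 3931 message types
AVP_MESSAGE_TYPE, AVP_CALL_SERIAL = 0, 15              # RFC 3931 attribute types
AVP_LOCAL_SESSION_ID, AVP_REMOTE_SESSION_ID = 63, 64
AVP_REMOTE_END_ID, AVP_PW_TYPE, AVP_L2_SUBLAYER = 66, 68, 69
KNOWN_AVPS = {AVP_MESSAGE_TYPE, AVP_CALL_SERIAL, AVP_LOCAL_SESSION_ID,
              AVP_REMOTE_SESSION_ID, AVP_REMOTE_END_ID, AVP_PW_TYPE, AVP_L2_SUBLAYER}
PW_ATM_AAL5_SDU_VCC = 0x0002                           # Table 12-1
L2SS_ATM = 2                                           # ATM-Specific Sublayer
MANDATORY = 0x8000                                     # M bit in the AVP header


def encode_avp(attr_type, value, mandatory=True, vendor_id=0):
    """Pack one AVP: M/H bits + 10-bit length, Vendor ID, Attribute Type, value."""
    length = 6 + len(value)
    if length > 0x3FF:
        raise ValueError("AVP value too long for the 10-bit length field")
    return struct.pack("!HHH", (MANDATORY if mandatory else 0) | length,
                       vendor_id, attr_type) + value


def decode_avps(body):
    """Return [(mandatory, vendor_id, attr_type, value)] for a control message body."""
    avps, pos = [], 0
    while pos < len(body):
        flags, vendor_id, attr_type = struct.unpack_from("!HHH", body, pos)
        length = flags & 0x3FF
        if length < 6 or pos + length > len(body):
            raise ValueError("malformed AVP at offset %d" % pos)
        avps.append((bool(flags & MANDATORY), vendor_id, attr_type, body[pos + 6:pos + length]))
        pos += length
    return avps


def avp_map(avps):
    """Index the IETF AVPs we understand; an unknown AVP with the M bit set rejects the message."""
    out = {}
    for mandatory, vendor_id, attr_type, value in avps:
        if vendor_id == 0 and attr_type in KNOWN_AVPS:
            out[attr_type] = value
        elif mandatory:
            raise ValueError("unknown mandatory AVP %d (vendor %d)" % (attr_type, vendor_id))
    return out


def build_icrq(local_sid, vc_id, serial):
    """ICRQ from the initiator: its session ID, the VC ID, and the pseudowire parameters."""
    return b"".join([
        encode_avp(AVP_MESSAGE_TYPE, struct.pack("!H", ICRQ)),
        encode_avp(AVP_CALL_SERIAL, struct.pack("!I", serial)),
        encode_avp(AVP_LOCAL_SESSION_ID, struct.pack("!I", local_sid)),
        encode_avp(AVP_REMOTE_END_ID, struct.pack("!I", vc_id)),
        encode_avp(AVP_PW_TYPE, struct.pack("!H", PW_ATM_AAL5_SDU_VCC)),
        encode_avp(AVP_L2_SUBLAYER, struct.pack("!H", L2SS_ATM))])


def build_reply(mtype, local_sid, remote_sid):
    """ICRP or ICCN: both carry the session IDs and repeat the L2-Specific Sublayer."""
    return b"".join([
        encode_avp(AVP_MESSAGE_TYPE, struct.pack("!H", mtype)),
        encode_avp(AVP_LOCAL_SESSION_ID, struct.pack("!I", local_sid)),
        encode_avp(AVP_REMOTE_SESSION_ID, struct.pack("!I", remote_sid)),
        encode_avp(AVP_L2_SUBLAYER, struct.pack("!H", L2SS_ATM))])


class Responder:
    """The SanFran side: idle -> wait-connect (on ICRQ) -> established (on ICCN)."""

    def __init__(self, local_sid, configured_vc_id):
        self.local_sid, self.vc_id = local_sid, configured_vc_id
        self.state, self.remote_sid, self.pw_type, self.l2ss = "idle", None, None, None

    def receive(self, msg):
        avps = avp_map(decode_avps(msg))
        mtype = struct.unpack("!H", avps[AVP_MESSAGE_TYPE])[0]
        if mtype == ICRQ and self.state == "idle":
            if struct.unpack("!I", avps[AVP_REMOTE_END_ID])[0] != self.vc_id:
                raise ValueError("Remote End ID does not match the configured VC ID")
            self.remote_sid = struct.unpack("!I", avps[AVP_LOCAL_SESSION_ID])[0]
            self.pw_type = struct.unpack("!H", avps[AVP_PW_TYPE])[0]
            self.l2ss = struct.unpack("!H", avps[AVP_L2_SUBLAYER])[0]
            self.state = "wait-connect"
            return build_reply(ICRP, self.local_sid, self.remote_sid)
        if mtype == ICCN and self.state == "wait-connect":
            if struct.unpack("!I", avps[AVP_REMOTE_SESSION_ID])[0] != self.local_sid:
                raise ValueError("ICCN names a session ID that is not ours")
            self.state = "established"
            return None
        raise ValueError("message type %d unexpected in state %s" % (mtype, self.state))


def run_handshake(vc_id=27, ny_sid=28232, sf_sid=43729, serial=2763400000):
    """Drive the exchange of Example 12-35 and return SanFran's final view of the session."""
    sanfran = Responder(sf_sid, vc_id)
    icrp = sanfran.receive(build_icrq(ny_sid, vc_id, serial))          # 1: ICRQ from New York
    sf_sid_seen = struct.unpack("!I", avp_map(decode_avps(icrp))[AVP_LOCAL_SESSION_ID])[0]
    sanfran.receive(build_reply(ICCN, ny_sid, sf_sid_seen))             # 3: ICCN from New York
    return {"state": sanfran.state, "remote_sid": sanfran.remote_sid,
            "pw_type": sanfran.pw_type, "l2ss": sanfran.l2ss}
```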
                                                Sess Id     ATM-Specific Sublayer
00 00 08 00 45 00 00 24 00 19 00 00 FF 01 6C 6B
...^^^^^^^^^^^ ^^...
   |           Begins IP Packet
   SNAP: OUI: 000000; etype: 0x0800 (IPv4)
C0 A8 67 01 C0 A8 67 02 08 00 78 3F 00 05 00 00
00 00 00 00 00 00 67 7F 54
                  ^^^^^
                  Ends IP Packet
*Jun 29 09:23:44.271: L2TP:(Tnl0:Sn43729):CEF Into tunnel (SSS): Pak send successful
0A 00 00 CB 0A 00 00 C9 00 00 AA D1 00 00 00 00
...^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^ ^^^^^^^^^^^
   IPv4 Delivery Header  Sess Id     ATM-Specific Sublayer
AA AA 03 00 00 00 08 00 45 00 00 24 00 19 00 00
^^^^^^^^^^^^^^^^^^^^^^^ ^^...
|                       Begins IP Packet
SNAP: LLC: AAAA03; OUI: 000000; etype: 0x0800 (IPv4)
FF 01 6C 6B C0 A8 67 02 C0 A8 67 01 00 00 80 3F
00 05 00 00 00 00 00 00 00 ...
*Jun 29 09:23:44.283: L2TP:(Tnl0:Sn43729):CEF From tunnel: Pak send successful

Control Field: U, func=UI (0x03)
Organization Code: Encapsulated Ethernet (0x000000)
Type: IP (0x0800)
In contrast to transporting AAL5 frames over the AAL5PW, you enable OAM cell management in the Oakland CE by using the PVC configuration mode command oam-pvc manage and capture an OAM cell that is being transported (see Example 12-37).
SanFran#
*Jun 29 10:25:16.719: L2TP:(Tnl0:Sn43729):FS Into tunnel (SSS): Sending pak
*Jun 29 10:25:16.719: L2TP:(Tnl0:Sn43729):FS/CEF Into tunnel: Sending 80 byte pak
particle pak, size 80
45 00 00 50 04 D3 00 00 FF 73 A0 D4 0A 00 00 C9
0A 00 00 CB 00 00 6E 48 08 00 00 00 00 00 06 4A
                        ^^^^^^^^^^^ ^^^^^^^^^^^
                        |           ATM Cell Header: VPI/VCI = 0/100; PTI: 101b
                        ATM-Specific Sublayer: T-bit = 1
18 01 00 00 00 01 FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF 6A 6A
6A 6A 6A 6A 6A 6A 6A 6A 6A ...
*Jun 29 10:25:16.719: L2TP:(Tnl0:Sn43729):CEF Into tunnel (SSS): Pak send successful
From Example 12-37, you can see that the OAM cell is encapsulated using Cell Relay over L2TPv3. The ATM-Specific Sublayer has the Transport bit set, an indication that it is carrying an ATM cell. An ATM Cell Header is included in the payload. The payload type identifier (PTI) value of 101 binary indicates an end-to-end OAM F5 flow cell.

Note
In AAL5 SDU mode, OAM cells that are received over the attachment circuit are sent immediately
and might not maintain the relative cell order with respect to cells that comprise an AAL5 frame
that is being reassembled.
The complete L2TPv3 encapsulation that indicates an admin cell (including the T-bit in the ATM-Specific Sublayer) contains the following fields:

.0.. .... = S-bit: False
.... .0.. = G-bit: False
.... ..0. = C-bit: False
.... ...0 = U-bit: False
Sequence Number: 0
The first two nibbles in the OAM cell payload are 0x18. The OAM type 0x1 indicates Fault Management, and the OAM function type 0x8 specifies an OAM Cell Loopback. The next byte is the loopback indicator (LBI), and a value of 0x01 indicates that the cell must be looped back. It contains a 4-byte correlation tag (CTag) of 1 because you captured the first OAM cell after enabling OAM management. It follows with 16 bytes of binary ones for the location ID, which designates an end-to-end loopback. Unused bytes are filled with a 0x6A padding. Refer to the ITU-T Recommendation I.610, "B-ISDN Operation and Maintenance Principles and Functions," for ATM OAM details.
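The two data-plane encapsulations decoded above, the SNAP-framed AAL5 SDU of Example 12-36 and the OAM admin cell of Example 12-37, can be walked with a small parser. The following is an added example, not code from the book: it strips the IPv4 delivery header and Session ID, reads the ATM-Specific Sublayer flags (bit positions as in the Ethereal decode above), and then parses either the ATM cell header plus the OAM loopback fields the text describes, or the SNAP header and inner IP packet of an AAL5 SDU. The cell packet is built from the bytes printed in Example 12-37 with the truncated tail filled with 0x6A padding; the AAL5 SDU packet is constructed to match the Example 12-36 layout; the CRC-10 trailer is not verified.

```python
import struct
from ipaddress import IPv4Address

L2TP_PROTO = 115  # IP protocol number for L2TPv3 over IP


def ipv4_header(src, dst, payload_len, ident=0, proto=L2TP_PROTO, ttl=255):
    """Build a 20-byte IPv4 header (checksum left as zero; constructed for the sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def parse_atm_sublayer(word):
    """ATM-Specific Sublayer: |x|S|x|x|T|G|C|U| then a 24-bit sequence number
    (bit positions as in the chapter's decode: S=0x40, T=0x08, G=0x04, C=0x02, U=0x01)."""
    flags = word >> 24
    return {"S": bool(flags & 0x40), "T": bool(flags & 0x08), "G": bool(flags & 0x04),
            "C": bool(flags & 0x02), "U": bool(flags & 0x01), "seq": word & 0xFFFFFF}


def parse_cell_header(cell):
    """4-byte ATM cell header without HEC: GFC(4) VPI(8) VCI(16) PTI(3) CLP(1)."""
    h = struct.unpack("!I", cell[:4])[0]
    return {"vpi": (h >> 20) & 0xFF, "vci": (h >> 4) & 0xFFFF,
            "pti": (h >> 1) & 0x7, "clp": h & 0x1}


def parse_oam_loopback(payload):
    """OAM F5 loopback cell fields as the text walks them (type/function, LBI,
    correlation tag, 16-byte location ID). The CRC-10 trailer is not checked."""
    return {"oam_type": payload[0] >> 4,              # 0x1 = Fault Management
            "oam_function": payload[0] & 0xF,         # 0x8 = Loopback
            "lbi": payload[1],                        # 0x01 = must be looped back
            "ctag": struct.unpack("!I", payload[2:6])[0],
            "location_all_ones": payload[6:22] == b"\xff" * 16}  # end-to-end


def decode_l2tpv3_atm(pkt):
    """Decode one L2TPv3/IPv4 data packet carrying ATM; returns one dict per layer."""
    ihl = (pkt[0] & 0xF) * 4
    if pkt[9] != L2TP_PROTO:
        raise ValueError("not L2TPv3 over IP (protocol %d)" % pkt[9])
    body = pkt[ihl:]
    session_id, sublayer_word = struct.unpack("!II", body[:8])
    sub = parse_atm_sublayer(sublayer_word)
    out = {"delivery_src": str(IPv4Address(pkt[12:16])),
           "delivery_dst": str(IPv4Address(pkt[16:20])),
           "session_id": session_id, "sublayer": sub}
    payload = body[8:]
    if sub["T"]:
        # Transport bit set: the payload is an ATM cell (4-byte header + 48-byte payload).
        out["mode"] = "cell"
        out["cell"] = parse_cell_header(payload)
        if out["cell"]["pti"] == 0b101:           # end-to-end OAM F5 flow cell
            out["oam"] = parse_oam_loopback(payload[4:52])
    else:
        # AAL5 SDU: LLC/SNAP (AA AA 03 + OUI + EtherType) and then the IP packet.
        out["mode"] = "aal5_sdu"
        out["snap_etype"] = struct.unpack("!H", payload[6:8])[0]
        inner = payload[8:]
        out["inner_src"] = str(IPv4Address(inner[12:16]))
        out["inner_dst"] = str(IPv4Address(inner[16:20]))
        out["inner_proto"] = inner[9]
    return out


# Example 12-37 packet: bytes as printed in the book; the dump is truncated, so the
# remainder of the 80-byte packet is filled with the 0x6A padding the text describes.
OAM_CELL_PKT = bytes.fromhex(
    "45 00 00 50 04 D3 00 00 FF 73 A0 D4 0A 00 00 C9"
    "0A 00 00 CB 00 00 6E 48 08 00 00 00 00 00 06 4A"
    "18 01 00 00 00 01" + "FF" * 24 + "6A" * 18)

# Example 12-36 style AAL5 SDU packet (constructed): ICMP echo reply from
# 192.168.103.2 to 192.168.103.1 in SNAP, session 43729, T-bit clear.
_INNER = (ipv4_header("192.168.103.2", "192.168.103.1", 16, ident=0x19, proto=1)
          + bytes.fromhex("00 00 80 3F 00 05 00 00") + b"\x00" * 8)
_SDU = struct.pack("!II", 43729, 0) + bytes.fromhex("AA AA 03 00 00 00 08 00") + _INNER
AAL5_SDU_PKT = ipv4_header("10.0.0.203", "10.0.0.201", len(_SDU)) + _SDU

if __name__ == "__main__":
    for sample in (OAM_CELL_PKT, AAL5_SDU_PKT):
        print(decode_l2tpv3_atm(sample))
```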
Case Study 12-5: ATM Cell Relay over L2TPv3 with Dynamic Session
The configuration steps that are required to provision ATM_CRoL2TPv3 in VC mode are similar to the ones you just learned in Case Study 12-4. However, one difference is needed to specify ATM Cell Relay service as opposed to ATM AAL5 service. This difference involves specifying the encapsulation as aal0, meaning "no ATM Adaptation Layer," under the attachment circuit PVC (see Example 12-38).
!
hostname SanFran
!
interface ATM5/0
 no ip address
 pvc 0/200 l2transport
  encapsulation aal0
  xconnect 10.0.0.203 28 pw-class pw-l2tpv3-atm
!
You can see that Example 12-38 uses the same pseudowire class for comparison. The CE router's configuration is analogous to the previous case study and is the same as normal ATM PVC configuration using VPI/VCI 0/200.
Verifying ATM_CRoL2TPv3
To verify the correct functioning of the L2TPv3 pseudowire, use the show l2tun session command (see
Example 12-39).
Example 12-39. Verifying the ATM_CRoL2TPv3 Session

SanFran#show l2tun session all vcid 28

Session Information Total tunnels 1 sessions 2

Tunnel control packets dropped due to failed digest 0

Session id 43738 is up, tunnel id 23520
Call serial number is 2763400001
Remote tunnel name is New York
  Internet address is 10.0.0.203
  Session is L2TP signalled
  Session state is established, time since change 00:00:44
    0 Packets sent, 0 received
    0 Bytes sent, 0 received
    Receive packets dropped:
      out-of-order:             0
      total:                    0
    Send packets dropped:
      exceeded session MTU:     0
      total:                    0
  Session vcid is 28
  Session Layer 2 circuit, type is ATM VCC CELL, name is ATM5/0:0/200
  Circuit state is UP
    Remote session id is 28241, remote tunnel id 60864
  DF bit off, ToS reflect disabled, ToS value 0, TTL value 255
  No session cookie information available
  FS cached header information:
    encap size = 24 bytes
    00000000 00000000 00000000 00000000
    00000000 00000000
  Sequencing is off
SanFran#
The show l2tun session command for the session with the VC ID of 28 as configured in Example 12-38 shows that the session is signaled and established. The VC Type (pseudowire type) is ATM VCC Cell, using pseudowire type 0x0009 for ATM n-to-one VCC cell from Table 12-1. The encapsulation size is now 24 bytes, which is the minimum possible encapsulation size. In ATM_CRoL2TPv3, you do not use the ATM-Specific Sublayer because the ATM cell headers are actually carried. The ATM L2TPv3 companion document specifies that, if needed, either the Default or the ATM Layer 2-Specific Sublayer can be used. Cisco IOS routers signal a request for the Default Layer 2-Specific Sublayer if sequencing is required.

You can also compare the ATM L2transport PVCs in the SanFran PE (see Example 12-40).
Port mode

VP and Port mode do not support AAL5 transport because cells from different PVCs are interleaved and cannot be properly reassembled.

ATM CR Port Mode: Create the xconnect under ATM interface configuration mode.

Example 12-42 shows an example of each case.

! ATM Cell Relay Port Mode

*Jun 29 10:43:29.767: Tnl23520 L2TP: Parse Cisco AVP 7, len 8, flag 0x8000 (M)
*Jun 29 10:43:29.767: Tnl23520 L2TP: Pseudo Wire Type 3

PW Type
0x0009  ATM n-to-one VCC cell (ATMoL2TPv3 Cell VC mode)
0x000A  ATM n-to-one VPC cell (ATMoL2TPv3 Cell VP mode)

To conclude this section, Example 12-44 shows how these pseudowire types and attachment circuits for the different CRoL2TPv3 modes are displayed.

HDLC, PPP, Frame Relay, and different flavors of ATM.
This chapter compared and contrasted L2TPv3 to transport diverse WAN protocols, in addition to L2TPv3 and AToM as pseudowire technology for WAN protocol transport. You learned L2TPv3 control plane theory and practice through multiple messaging exchange examples, data plane characteristics including the use of a Layer 2-Specific Sublayer, packet decodes, and MTU considerations.
This chapter concentrates on advanced concepts and techniques in Layer 2 Tunnel Protocol Version 3 (L2TPv3) transport deployments. Building from the concepts and configurations covered in Chapters 10, "Understanding L2TPv3," through 12, "WAN Protocols over L2TPv3 Case Studies," this chapter covers diverse topics and case studies that involve a higher degree of complexity than previous chapters. Because the advanced deployment scenarios cover a wide range of concepts, the format of this chapter varies somewhat from other case study chapters.

This chapter starts by explaining path maximum transmission unit discovery (PMTUD), the problem it solves, the rationale behind its operation, and multiple examples. You learn details about combining PMTUD with setting the DF bit in the delivery header.

This chapter also covers two advanced cases of ATM over L2TPv3: ATM Operation, Administration, and Maintenance (OAM) emulation and ATM cell packing. This chapter concludes by describing quality of service (QoS) in L2TPv3 and explaining configuration examples.
Figure 13-1 to cover PMTUD. The maximum transmission unit (MTU) is left as 1500 bytes default for all serial links in the network.

Figure 13-1. L2TPv3 PMTUD Topology
You configure an L2TPv3 HDLC pseudowire with a remote and local cookie size of 4 bytes and with
sequencing enabled. The configuration for the SanFran end is shown in Example 13-1. The NewYork PE
configuration is analogous to this one.
Example 13-1. L2TPv3 HDLC Pseudowire (HDLCPW) Configuration

!
hostname SanFran
!
l2tp-class l2tpv3-wan
 cookie size 4
!
pseudowire-class wan-l2tpv3-pw
 encapsulation l2tpv3
 sequencing both
 protocol l2tpv3 l2tpv3-wan
 ip local interface Loopback0
!
interface Serial5/0
 no ip address
 no cdp enable
 xconnect 10.0.0.203 50 pw-class wan-l2tpv3-pw
!
You can see in Example 13-2 that the L2TPv3 session is UP, and the encapsulation size is 32 bytes. The command show sss circuit also displays the encapsulation size.
Start by sending 500 Internet Control Message Protocol (ICMP) ping packets that total 1464 bytes, which is exactly 1500 bytes (core MTU) - 36 bytes (total encapsulation overhead), from the Oakland CE to the Albany CE. While these packets are being sent, profile the IP Input IOS process by using the command show processes cpu, which displays detailed CPU utilization statistics on Cisco IOS processes. The IP Input process takes care of process switching received IP packets in Cisco IOS. Example 13-3 shows the CPU profile for the IP Input process when the packets are being transferred.
NewYork#show processes cpu | include util|PID|IP Input
CPU utilization for five seconds: 5%/0%; one minute: 5%; five minutes: 5%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  18        5368       648       8283  0.07%  0.08%  0.12%   0 IP Input
NewYork#
You can see from Example 13-3 that the IP Input process CPU utilization is low. That is consistent with the fact that those L2TPv3 packets from the HDLC-PW are being Cisco Express Forwarding (CEF) switched. They are switched in the fast path and not in the process path.
Perform a similar experiment with packets that are larger than the core MTU minus the encapsulation overhead. Disable HDLC keepalives and Cisco Discovery Protocol (CDP) on the CE devices so that you have an accurate count of packets existing in the core routers (see Example 13-4).
Note that even though the DF bit is set and the packets do not fit, the pings are successful. Although the DF bit is set in packets that are sent from the Oakland CE device, they are further encapsulated in L2TPv3 over IPv4. The DF bit in this outer IPv4 delivery header is not set. Therefore, these oversized packets that are carrying ICMP over IPv4 over HDLC over L2TPv3 over IPv4 are being fragmented after tunnel encapsulation.
Note
A Cisco IOS router does not attempt to reassemble all IP fragments; it reassembles only those fragments that are destined to the router itself and need to be reassembled before decapsulation. Several issues could make you want to avoid IP fragmentation and reassembly. In a router, reassembly is an expensive operation. A router architecture is designed to switch packets as quickly as possible. Holding a packet for a relatively long period of time is not what a router is intended for; it is more of a host operation. When fragmenting a packet, a router needs to make copies of the original IP packet. When fragments are received, a Cisco IOS device chooses the largest buffer of 18 KB because the length of the total packet is unknown when the first fragment is received and before coalescing the fragments. This is an inefficient use of the buffers, but even more important is the fact that IP packets are process switched (process level switching path or slow path) for reassembly. This can degrade throughput and performance and increase CPU utilization.
Note
In Cisco IOS, multiple fragments from an IP packet are counted as a single IP packet.
Therefore, the counters from Example 13-7 and Example 13-8 indicate 500 packets.
Example 13-8. IP Reassembly Is Process Switched

NewYork#show interfaces stats Serial5/0
Serial5/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor          0          0        500     734500
             Route cache        500     734500          0          0
                   Total        500     734500        500     734500

NewYork#show interfaces Serial 5/0 switching
Serial5/0
          Throttle count          0
                 Drops         RP          0         SP          0
           SPD Flushes       Fast          0        SSE          0
           SPD Aggress       Fast          0
          SPD Priority     Inputs          0      Drops          0

     Protocol       Path    Pkts In   Chars In   Pkts Out  Chars Out
        Other    Process          0          0        500     734500
            Cache misses          0
                    Fast        500     734500          0          0
               Auton/SSE          0          0          0          0
NewYork#
To verify that the reassembly process takes place in the process path, you can use these two show interface commands from the NewYork PE: show interfaces stats and show interfaces switching. These commands are hidden in some IOS releases (see Example 13-8).
Example 13-8 shows that packets coming into the Serial5/0 interface and sent into the tunnel are fast switched (CEF switched), but packets that are sent out of interface Serial5/0 coming from the L2TPv3 session and sent to the Albany CE are process switched (switched in the process level switching path by a software process level component). You can see that the 500 IP packets sent from the Oakland CE and fragmented by the SanFran PE are process switched at the NewYork PE because of reassembly and then sent to the Albany CE device.
In summary, stay away from reassembly by avoiding fragmentation by means of MTU tuning. As you will
learn in the upcoming examples, Sweep Ping is a useful tool to identify fragmentation issues and their
boundary conditions.
The ingress LCCE copies the DF bit from the IP header in the CE IPv4 packet into the IPv4 delivery
header. The DF bit is reflected from the inner IP header to the tunnel IP header.
Master the world of Layer 2 VPNs to provide enhanced services and enjoy
The ingress LCCE listens to ICMP Unreachable messages with code 4 to find out the path MTU and records the discovered path MTU for the session.
The ingress LCCE inspects the IPv4 packet inside the Layer 2 frame it receives from the CE. If the IPv4 packet has the DF bit cleared and the resulting L2TPv3 packet exceeds the discovered MTU, it determines the number of fragments so that each fragment plus the encapsulation overhead is smaller than the path MTU. It fragments the CE IPv4 packet, copies the original Layer 2 header and appends it into each of the generated fragments, and sends multiple L2TPv3 packets. This procedure effectively pushes the computationally expensive IPv4 reassembly into the receiving CE device and relieves the PE from being a centralized reassembly point. Note that this action occurs only after the path MTU is discovered.
The ingress LCCE generates ICMP unreachable messages to the CE device when the IPv4 CE packet contains the DF bit set and the resulting L2TPv3 packet exceeds the discovered MTU. The MTU value informed by the PE to the CE in this ICMP unreachable is called the adjusted MTU. The adjusted MTU is the discovered path MTU (PMTU) in the core minus the L2TPv3 overhead (IPv4 header, Session ID, cookie, and Layer 2-Specific Sublayer). Consequently, this adjusted MTU plus the L2TPv3 overhead adds up to the core discovered PMTU and enables PMTUD applications in the customer (C) network to work correctly. Note that this action occurs only after the path MTU is discovered.
If the path MTU has not been discovered, the ingress LCCE only performs the actions in the first two bulleted points.
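The four ingress LCCE actions just listed can be followed step by step in a small model. The following Python is an added example, not Cisco code and not code from the book: it builds a sample CE IPv4 packet, reflects its DF bit into the delivery header, learns the path MTU from an ICMP code 4 message, and then either prefragments the CE packet (DF clear) or answers with the adjusted MTU (DF set). A dfbit_set switch models the ip dfbit set command discussed later in this section. The overhead figures come from this page (32-byte encap size, 1500-byte path MTU, 1464-byte maximum MTU advertised to the CE); the assumption that the 4-byte HDLC header also counts toward the path MTU is mine, because it is what makes those three numbers agree. The addresses, session ID and cookie are sample values from the page's examples; the HDLC header bytes and the CE payload are constructed here.

```python
"""Model of the ingress LCCE PMTUD actions (added example, not Cisco code).

Overhead figures come from the page: 32 bytes of L2TPv3 encapsulation (IPv4 delivery
header 20, Session ID 4, cookie 4, Layer 2-Specific Sublayer 4) and a 1500-byte path
MTU that is advertised to the CE as a maximum MTU of 1464. The 4-byte HDLC header is
assumed (my assumption) to count toward the path MTU too, which makes those agree.
"""
import struct
from typing import List, Optional, Tuple

DELIVERY_HDR, SESSION_ID, COOKIE, L2SS = 20, 4, 4, 4
L2TPV3_OVERHEAD = DELIVERY_HDR + SESSION_ID + COOKIE + L2SS   # 32 bytes ("encap size")
HDLC_HEADER = b"\x0f\x00\x08\x00"   # constructed Cisco HDLC header: unicast, control, IPv4
DF, MF = 0x4000, 0x2000
PROTO_L2TPV3 = 115                  # IP protocol number of L2TPv3 over IP
OAKLAND, ALBANY = b"\xc0\xa8\x69\x01", b"\xc0\xa8\x69\x02"    # 192.168.105.1 / .2
SANFRAN, NEWYORK = b"\x0a\x00\x00\xc9", b"\x0a\x00\x00\xcb"   # 10.0.0.201 / 10.0.0.203


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a header whose checksum field is zero."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload: bytes, df: bool, src: bytes = OAKLAND, dst: bytes = ALBANY,
               proto: int = 1, ident: int = 0x1234) -> bytes:
    """Minimal IPv4 packet without options; the default is an ICMP packet between the CEs."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                                DF if df else 0, 255, proto, 0, src, dst))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def has_df(packet: bytes) -> bool:
    """True when the DF flag is set in the packet's own IPv4 header."""
    return bool(struct.unpack("!H", packet[6:8])[0] & DF)


def fragment_ipv4(packet: bytes, max_len: int) -> List[bytes]:
    """RFC 791 fragmentation: payload cut on 8-byte boundaries, MF set on all but the last."""
    ihl = (packet[0] & 0x0F) * 4
    header, payload = packet[:ihl], packet[ihl:]
    flags_off = struct.unpack("!H", header[6:8])[0]
    base_off, orig_mf = flags_off & 0x1FFF, flags_off & MF
    chunk = ((max_len - ihl) // 8) * 8
    if chunk <= 0:
        raise ValueError("max_len leaves no room for payload")
    frags, pos = [], 0
    while pos < len(payload):
        piece = payload[pos:pos + chunk]
        last = pos + len(piece) == len(payload)
        hdr = bytearray(header)
        struct.pack_into("!H", hdr, 2, ihl + len(piece))                       # total length
        struct.pack_into("!H", hdr, 6, (orig_mf if last else MF) | (base_off + pos // 8))
        struct.pack_into("!H", hdr, 10, 0)
        struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))             # fresh checksum
        frags.append(bytes(hdr) + piece)
        pos += len(piece)
    return frags


class IngressLcce:
    """One L2TPv3 session on the ingress PE; dfbit_set models the ip dfbit set command."""

    def __init__(self, session_id: int = 61603, cookie: bytes = bytes.fromhex("0BB4A290"),
                 dfbit_set: bool = False):
        self.session_id, self.cookie, self.dfbit_set = session_id, cookie, dfbit_set
        self.pmtu: Optional[int] = None   # "path MTU is not known" until ICMP code 4 arrives

    def on_icmp_frag_needed(self, next_hop_mtu: int) -> None:
        """Second action: record the path MTU reported in an ICMP type 3 code 4 message."""
        self.pmtu = next_hop_mtu

    def adjusted_mtu(self) -> int:
        """Fourth action: PMTU minus L2TPv3 overhead (and, by assumption, the HDLC header)."""
        return self.pmtu - L2TPV3_OVERHEAD - len(HDLC_HEADER)

    def encapsulate(self, l2_frame: bytes, df: bool) -> bytes:
        """Delivery IPv4 header (DF reflected, or forced by dfbit_set) + Session ID, cookie, L2SS."""
        body = struct.pack("!I", self.session_id) + self.cookie + bytes(L2SS) + l2_frame
        return build_ipv4(body, df=df or self.dfbit_set, src=SANFRAN, dst=NEWYORK,
                          proto=PROTO_L2TPV3)

    def handle_ce_packet(self, ce_packet: bytes) -> Tuple[str, object]:
        """Return ('tunnel', [L2TPv3 packets]) or ('icmp_unreachable', adjusted_mtu)."""
        df = has_df(ce_packet)
        tunnel_len = L2TPV3_OVERHEAD + len(HDLC_HEADER) + len(ce_packet)
        if self.pmtu is None or tunnel_len <= self.pmtu:
            # Path MTU unknown or packet fits: first action only, a single packet goes out
            return "tunnel", [self.encapsulate(HDLC_HEADER + ce_packet, df)]
        if df:
            # Too big and DF set: tell the CE the adjusted MTU instead of forwarding
            return "icmp_unreachable", self.adjusted_mtu()
        # Too big and DF clear: prefragment and prepend the Layer 2 header to every fragment
        frags = fragment_ipv4(ce_packet, self.adjusted_mtu())
        return "tunnel", [self.encapsulate(HDLC_HEADER + f, df=False) for f in frags]


if __name__ == "__main__":
    lcce = IngressLcce()
    echo = build_ipv4(b"\x08\x00" + b"A" * 1443, df=False)   # 1465-byte CE packet, DF clear
    print(lcce.handle_ce_packet(echo)[0], "before PMTU is known")
    lcce.on_icmp_frag_needed(1500)
    print("adjusted MTU", lcce.adjusted_mtu(), "fragments", len(lcce.handle_ce_packet(echo)[1]))
```

The split this code produces (1460-byte and 25-byte fragments) follows the 8-byte alignment rule of RFC 791; the fragment lengths of 1441 and 44 bytes shown later in Example 13-17 come from the IOS implementation, so the model reproduces the count of L2TPv3 packets and the advertised MTU, not the exact IOS fragment boundaries.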
1. CE1 sends an IP packet that is encapsulated in HDLC.
2. PE1 encapsulates the Layer 2 frame in L2TPv3 and sends the single L2TPv3 packet onto P1. The outer IPv4 header always has the DF bit cleared.
3. P1 determines that the MTU of the outgoing interface is smaller than the L2TPv3 over IPv4 packet size. Because the DF bit in the delivery header is cleared, P1 fragments the packet and sends two fragments of an IPv4 packet to P2.
4. P2 switches the two fragments that PE2 receives. PE2 reassembles the IPv4 packet that contains the L2TPv3 packet and decapsulates the reassembled L2TPv3 packet.
5. PE2 sends the Layer 2 PDU that contains the CE IPv4 packet toward CE2.
The following steps take place when PMTUD is enabled:
1. CE1 sends an IP packet that is encapsulated in HDLC.
2. PE1 determines that the resulting L2TPv3 over IPv4 packet is greater than the path MTU that was discovered. PE1 proceeds to fragment the IPv4 CE packet inside the HDLC frame and appends a copy of the HDLC header to the second fragment. The result is that two Layer 2 frames are passed onto L2TPv3 for encapsulation, and two L2TPv3 over IPv4 packets are sent onto P1.
3. The P1 router does not need to perform fragmentation.
4. PE2 receives the two L2TPv3 data packets, and as far as PE2 knows, they are from two different Layer 2 frames. PE2 then decapsulates the two L2TPv3 packets to end up with two Layer 2 frames containing two fragments of a single IPv4 packet from CE1.
Note
Another important aspect of MTU handling is that the Layer 2 frames being tunneled should fall within the MTU of the remote attachment circuit. In a bidirectional communication, this means that attachment circuit MTUs need to match. As opposed to Any Transport over MPLS (AToM), where pseudowires do not come up if an MTU mismatch occurs between the attachment circuits, the attachment circuit MTU is not advertised or enforced in L2TPv3.
Implementing PMTUD
Now that you have learned the operational procedures of PMTUD, it is time to see it in action. Example 13-9 shows the configuration changes that are required to enable PMTUD. This configuration is applied in the SanFran and NewYork PE devices.
!
hostname SanFran
!
pseudowire-class wan-l2tpv3-pw-pmtu
 encapsulation l2tpv3
 sequencing both
 protocol l2tpv3 l2tpv3-wan
 ip local interface Loopback0
 ip pmtu
!
interface Serial5/0
 no ip address
 no ip directed-broadcast
 no cdp enable
 no clns route-cache
 xconnect 10.0.0.203 50 pw-class wan-l2tpv3-pw-pmtu
!
Example 13-9 shows the ip pmtu command added into a new pseudowire class for the L2TPv3 pseudowire. The ip pmtu command can also hard-code the maximum path MTU for the session by adding the max keyword and the maximum path MTU value to the ip pmtu command. This is most useful to account for the extra overheads when the core network has further encapsulations. Example 13-10 highlights a new line of output that specifies that PMTUD is enabled for the session.
Example 13-10. Verifying PMTUD

SanFran#show l2tun session all vcid 50
Session Information Total tunnels 1 sessions 3
Tunnel control packets dropped due to failed digest 0
Session id 61603 is up, tunnel id 51402
  Call serial number is 2310500000
  Remote tunnel name is NewYork
    Internet address is 10.0.0.203
  Session is L2TP signalled
  Session state is established, time since change 00:00:23
    0 Packets sent, 0 received
    0 Bytes sent, 0 received
    Receive packets dropped:
      out-of-order:             0
      total:                    0
    Send packets dropped:
      exceeded session MTU:     0
      total:                    0
  Session vcid is 50
  Session Layer 2 circuit, type is HDLC, name is Serial5/0
  Circuit state is UP
    Remote session id is 5399, remote tunnel id 51995
  Session PMTU enabled, path MTU is not known
  DF bit off, ToS reflect disabled, ToS value 0, TTL value 255
  Session cookie information:
    local cookie, size 4 bytes, value 0B B4 A2 90
    remote cookie, size 4 bytes, value BA 12 10 7F
  FS cached header information:
    encap size = 32 bytes
    00000000 00000000 00000000 00000000
    00000000 00000000 00000000 00000000
  Sequencing is on
    Ns 0, Nr 0, 0 out of order packets received
SanFran#
Session PMTU is now enabled, but the path MTU is still unknown because the PE has not received an ICMP unreachable "packet too big" message yet. Nevertheless, until the path MTU is known, the default behavior is the same as before. Fragmentation is not possible until the MTU is known; therefore, if you were to perform the initial experiment with this current setup, the result would be analogous to before.
To trigger the path MTU to be discovered and the session PMTU to be updated, you need to send an IP packet from the Oakland CE that is at least 1465 bytes long and has the DF bit set, which will be copied over to the delivery header. Meanwhile, enable debug ip icmp. This example uses the same network from Figure 13-1 (see Example 13-11).
Example 13-11. Triggering PMTU Discovery

Oakland#debug ip icmp
ICMP packet debugging is on
Oakland#ping 192.168.105.2 size 1465 df-bit

Type escape sequence to abort.
Sending 5, 1465-byte ICMP Echos to 192.168.105.2, timeout is 2 seconds:
Packet sent with the DF bit set
.MMMM
Success rate is 0 percent (0/5)
Oakland#
02:13:02: ICMP: dst (192.168.105.1) frag. needed and DF set unreachable rcv from 192.168.105.2
02:13:02: ICMP: dst (192.168.105.1) frag. needed and DF set unreachable rcv from 192.168.105.2
02:13:02: ICMP: dst (192.168.105.1) frag. needed and DF set unreachable rcv from 192.168.105.2
02:13:02: ICMP: dst (192.168.105.1) frag. needed and DF set unreachable rcv from 192.168.105.2
Oakland#
You can see in the Oakland CE that the first ping times out ("."). This is because the SanFran PE drops the first ping packet in the P network, which triggers the ICMP unreachable message that the SanFran PE absorbs, inspects, and uses to discover the path MTU. For the remaining four ICMP echo packets, you see an M character standing for MTU, which means "Could not fragment." The four M characters correspond to the four ICMP frag. needed and DF set unreachable messages sent by the SanFran PE, received by the Oakland CE, and shown in the debug output. Although the source for these ICMP unreachables is 192.168.105.2, the SanFran PE generates these ICMP unreachable messages by using a source IP address that is equal to the destination IP address in the ICMP echo packets.
the same and equal to 1500 bytes. After the first ping is dropped, the PMTU is discovered. Example 13-12 shows the respective output in the SanFran PE with debug ip icmp and debug vpdn l2x-events enabled.
Example 13-12. Discovering PMTUD in the SanFran PE

SanFran#debug ip icmp
ICMP packet debugging is on
SanFran#debug vpdn l2x-events
L2X protocol events debugging is on
SanFran#
*Jul 6 03:09:47.799: ICMP: dst (10.0.0.203) frag. needed and DF set unreachable sent to 10.0.0.201
*Jul 6 03:09:47.835: ICMP: dst (10.0.0.201) frag. needed and DF set unreachable rcv from 10.0.0.201
*Jul 6 03:09:47.835: L2TP: Socket MTU changed to 1500 Tnl46820
SanFran#
SanFran#show l2tun session all vcid 50 | include PMTU
  Session PMTU enabled, path MTU is 1500 bytes
SanFran#
You can also see the ICMP unreachables that the SanFran PE generates with a sweep ping with verbose output. This is, in fact, how devices in the C network learn about the adjusted path MTU when they perform their own PMTUD by setting the DF bit (see Example 13-13).
Unreachable from 192.168.105.2, maximum MTU 1464 (size 1466)
Unreachable from 192.168.105.2, maximum MTU 1464 (size 1467)
Unreachable from 192.168.105.2, maximum MTU 1464 (size 1468)
Unreachable from 192.168.105.2, maximum MTU 1464 (size 1469)
Unreachable from 192.168.105.2, maximum MTU 1464 (size 1470)
Success rate is 45 percent (5/11), round-trip min/avg/max = 20/24/36 ms
Oakland#
Protocol  Path          Pkts In   Chars In   Pkts Out   Chars Out
Other     Process             0          0          0           0
          Cache misses        0
          Fast              500     734500       1000      746500
          Auton/SSE           0          0          0           0
NewYork#
Example 13-15 shows that from the 500 packets that the Oakland CE sent and the SanFran PE received, the NewYork PE received 1000 packets from the Denver PE and sent them to the Albany CE. This is twice as many. The CE IPv4 packet inside each frame that was received from SanFran was divided into two fragments and sent to two separate HDLC over L2TPv3 packets with their respective HDLC transport overhead. See Example 13-16 for the SanFran PE statistics.
Example 13-16. Fragmentation and CE IPv4 Packet Statistics in the SanFran PE
SanFran#show ip traffic | include IP stat|frag|reass
IP statistics:
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
         500 fragmented, 1 couldn't fragment
SanFran#
SanFran#show l2tun session packets vcid 50
Session Information Total tunnels 2 sessions 3
Tunnel control packets dropped due to failed digest 0
LocID      RemID      TunID      Pkts-In    Pkts-Out   Bytes-In   Bytes-Out
4437       64786      48966      1000       1001       746500     748001
SanFran#

Example 13-16 shows that 500 packets were fragmented. One packet could not be fragmented but triggered PMTUD. From the 500 fragmented IPv4 CE packets, 1000 L2TPv3 packets were sent into the tunnel. You can also validate the results using debug ip packet so that you can see the fragments in the CE device, as shown in Example 13-17.
Example 13-17. IP Fragments in the Oakland CE
Notice in Example 13-17 that although the Oakland and Albany CE devices send full unfragmented IP packets, they receive fragmented IP packets. You can see an IP packet composed of two fragments of lengths 44 bytes and 1441 bytes. Coalescing the two and removing the extra IP header make the 1465-byte packet (44 bytes + 1441 bytes - 20 bytes = 1465 bytes).
The most important thing, however, is that the NewYork PE device does not perform reassembly, and the 1000 packets are switched in the fast switching path, which is CEF-switched in this case. As far as the NewYork PE and the Albany CE can see, it is as if the Oakland CE fragmented the packets. The CPU-intensive reassembly is now pushed onto the Albany CE (see Example 13-18).
NewYork#show l2tun session all vcid 50 | include Packets
    500 Packets sent, 500 received
NewYork#show interface Serial5/0 stats
Serial5/0
          Switching path    Pkts In   Chars In   Pkts Out   Chars Out
               Processor          0          0        500      734500
             Route cache        500     734500          0           0
                   Total        500     734500        500      734500
NewYork#
Observe in Example 13-21 that the 1465-byte packet with the DF bit set triggers PMTUD, and the 500 packets that the Oakland CE sends to the Albany CE are received as 1000 packets in the NewYork PE and then switched in the fast path. The highlighted Route cache line in the show interface stats command shows that these packets are fast switched. On the other hand, PMTUD is not triggered in the other direction (return path from the Albany CE to the Oakland CE); therefore, only 500 packets are sent from the NewYork PE to the SanFran PE on the way back, and the SanFran PE does the reassembly.
Note
For this reason, and to add predictability to the PMTUD process and decouple the CE devices from driving the process, use PMTUD in conjunction with the DF bit set. Otherwise, packets are not prefragmented. They are post-fragmented unless the CE device sends a large packet with the DF bit set to trigger PMTUD as usual. Combining PMTUD with setting the DF bit allows the PE to obtain the PMTU more quickly and predictably.
The PE device can take a more active role in the PMTUD process and strengthen the whole concept. You can bring this about by setting the DF bit in all packets in the outer delivery IPv4 header. As a result, reassembly is prevented in the PE devices. The required configuration, shown in Example 13-22, is accomplished by using the ip dfbit set command in the pseudowire class. You create a new pseudowire class exactly like the previous one, with the addition of the ip dfbit set command, which you use in the Serial 5/0 xconnect.
!
hostname SanFran
!
pseudowire-class wan-l2tpv3-pw-pmtu-df
 encapsulation l2tpv3
 sequencing both
 protocol l2tpv3 l2tpv3-wan
 ip local interface Loopback0
 ip pmtu
 ip dfbit set
!
interface Serial5/0
 no ip address
 no cdp enable
 xconnect 10.0.0.203 50 pw-class wan-l2tpv3-pw-pmtu-df
!
Caution
Before you enable PMTUD, make sure that end-to-end PMTUD works. If it does not work, you could break applications just by setting the DF bit. PMTUD might not operate correctly if ICMP unreachables are blocked or end devices are noncompliant.
You can see the DF bit configuration in the show l2tun session command output, as shown in Example
13-23.
SanFran#show l2tun session all vcid 50
Session Information Total tunnels 1 sessions 3
Tunnel control packets dropped due to failed digest 0
    Internet address is 10.0.0.203
  Session is L2TP signalled
  Session state is established, time since change 00:09:13
    0 Packets sent, 0 received
    0 Bytes sent, 0 received
    Receive packets dropped:
      out-of-order:             0
      total:                    0
    Send packets dropped:
      exceeded session MTU:     0
      total:                    0
  Session vcid is 50
  Session Layer 2 circuit, type is HDLC, name is Serial5/0
  Circuit state is UP
    Remote session id is 38115, remote tunnel id 47670
  Session PMTU enabled, path MTU is not known
  DF bit on, ToS reflect disabled, ToS value 0, TTL value 255
  Session cookie information:
    local cookie, size 4 bytes, value 17 72 1D 8B
    remote cookie, size 4 bytes, value 3D 49 99 2F
  FS cached header information:
    encap size = 32 bytes
    00000000 00000000 00000000 00000000
    00000000 00000000 00000000 00000000
  Sequencing is on
    Ns 0, Nr 0, 0 out of order packets received
SanFran#
1. The Oakland CE sends the first IP/ICMP request packet over HDLC. The SanFran PE receives it, encapsulates it with the L2TPv3 and IPv4 delivery headers, and sends it to the IP layer. The SanFran PE sets the DF bit in the delivery header because of the ip dfbit set command.
2. The IP packet is dropped in the SanFran PE in the IP layer because it is too big and has the DF bit set. This triggers an ICMP type 3 code 4 message that is used to discover the path MTU. The ICMP type 3 code 4 packet is generated sourced from and destined to the SanFran PE; the source IP address is from the outgoing interface of the originating device, and the destination address comes from the source IP address of the dropped L2TPv3 packet. In the general case, the ICMP type 3 code 4 packet would be sourced from a router in the IP cloud and destined to the PE device. Note that as far as L2TPv3 is concerned, this packet was sent and will show up in L2TPv3 counters. This packet times out in the Oakland CE.
Figure 13-4. Processing with L2TPv3 PMTUD and DF Bit Setting Enabled
You can also track various packet counters along the way, starting from the SanFran PE (see Example 13-25).
Example 13-25. PMTUD and DF Bit Counters in the SanFran PE
SanFran#show ip traffic | include IP stat|frag|reass
IP statistics:
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
         499 fragmented, 1 couldn't fragment
SanFran#show l2tun session packet vcid 50
Session Information Total tunnels 1 sessions 3
Tunnel control packets dropped due to failed digest 0
LocID      RemID      TunID      Pkts-In    Pkts-Out   Bytes-In   Bytes-Out
12967      49396      62563      996        999        743514     746508
SanFran#
In the output of the show ip traffic command, you can see that the SanFran PE could not fragment one
packet: packet number 1.
This packet also shows up in the L2TPv3 session counters. The SanFran PE fragmented the remaining 499
packets, creating 2 * 499 = 998 L2TPv3 packets. These 999 (1 + 998) packets are shown as packets
sent out and into the tunnel in the L2TPv3 session packet counters. Example 13-26 shows the respective
counters in the NewYork PE, including the 998 L2TPv3 packets that are counted as packets from the
SanFran PE.
LocID      RemID      TunID      Pkts-In    Pkts-Out   Bytes-In   Bytes-Out
49396      12967      35876      998        997        745007     745015
NewYork#
Master the world of Layer 2 VPNs to provide enhanced services and enjoy
The output of theproductivity
command show
gains ip traffic from the NewYork PE shows that one packetthe reply to
packet number 2could not be fragmented. The remaining 498 packets (from packet 3 through packet
500) were prefragmented, creating 996 L2TPv3 packets that you can see in Example 13-25 in the
SanFran PE as packetsLearn
in from
the tunnel
thePrivate
NewYork
PE. These
997 (1 + 996) packets appear as
about
Layer 2from
Virtual
Networks
(VPNs)
packets out, meaning into the L2TPv3 tunnel in the output of the command show l2tun session packet
Reduce costs and extend the reach of your services by unifying your
in NewYork.
network architecture
Gain from and
the first
to address Layer
2 VPN
application
Example 13-27. PMTUD and DF Bit Counters in the Albany CE

Albany#show ip traffic | i IP stat|frag|reass|ICMP|echo
IP statistics:
  Frags: 499 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 couldn't fragment
ICMP statistics:
        499 echo, 0 echo reply, 0 mask requests, 0 mask replies, 0 quench
  Sent: 0 redirects, 0 unreachable, 0 echo, 499 echo reply
Albany#
The new configuration
effectively pushes the reassembly into the CE devices. Albany reassembled 499
packets (all except packet number 1) from ICMP Echo messages and replied to them.
Example 13-28 shows the IP traffic counters for the Oakland CE.

Example 13-28. PMTUD and DF Bit Counters in the Oakland CE

Oakland#show ip traffic | i IP stat|frag|reass|ICMP|echo
IP statistics:
  Frags: 498 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 couldn't fragment
ICMP statistics:
        0 echo, 498 echo reply, 0 mask requests, 0 mask replies, 0 quench
  Sent: 0 redirects, 0 unreachable, 500 echo, 0 echo reply
Oakland#
You can see that the Oakland CE reassembled 498 packets from the 498 respective Echo replies (all
except packets 1 and 2, which were dropped in the core to discover the PMTU).
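The following Python model, added here and not part of the book, reproduces the counter arithmetic of Examples 13-25 through 13-28 from the mechanics the case study describes: the first packet in each direction is sent into the core whole with the DF bit set, is dropped there while the PE learns the path MTU, and every later packet is prefragmented at the ingress PE so that the far-end CE, not the egress PE, reassembles. The packet size (1500-byte echoes), the core MTU (1500 bytes) and the 24 bytes of L2TPv3-over-IP overhead are assumptions chosen so that each packet splits in two, as it does in the chapter; the book does not state these values, and the class and function names (TunnelPE, run_case_study) are this example's own.

```python
"""Model of the PMTUD / DF-bit behaviour behind the counters in Examples 13-25
through 13-28.  Added example, not from the book.  Assumed values: 1500-byte
ICMP Echo packets, a 1500-byte core MTU and 24 bytes of L2TPv3-over-IP
encapsulation overhead (20-byte outer IP header plus 4-byte Session ID, no
cookie and no L2-specific sublayer)."""
import math

IP_HDR = 20             # inner IPv4 header length without options
L2TPV3_OVERHEAD = 24    # assumed: outer IPv4 (20) + L2TPv3 Session ID (4)


class TunnelPE:
    """An L2TPv3 PE that prefragments CE packets once it knows the core path MTU."""

    def __init__(self, core_mtu):
        self.core_mtu = core_mtu
        self.learned_pmtu = None        # unknown until the core reports it
        self.fragmented = 0             # "N fragmented" in show ip traffic
        self.couldnt_fragment = 0       # "N couldn't fragment" in show ip traffic
        self.pkts_out = 0               # Pkts-Out in show l2tun session packet
        self.pkts_in = 0                # Pkts-In in show l2tun session packet

    def inner_mtu(self):
        """Largest CE packet that fits in one core packet after encapsulation."""
        return self.learned_pmtu - L2TPV3_OVERHEAD

    def fragment_count(self, size):
        # IP fragment payloads (all but the last) must be multiples of 8 bytes.
        payload_per_frag = ((self.inner_mtu() - IP_HDR) // 8) * 8
        return math.ceil((size - IP_HDR) / payload_per_frag)

    def send(self, size):
        """Encapsulate one CE packet; returns how many packets reach the far PE."""
        if self.learned_pmtu is None:
            # Path MTU not yet known: the packet goes out whole with DF set on the
            # outer header.  If the core cannot carry it, the core drops it and
            # returns an ICMP fragmentation-needed message carrying the MTU.
            self.pkts_out += 1
            if size + L2TPV3_OVERHEAD > self.core_mtu:
                self.couldnt_fragment += 1
                self.learned_pmtu = self.core_mtu
                return 0
            return 1
        if size <= self.inner_mtu():
            self.pkts_out += 1
            return 1
        n = self.fragment_count(size)   # prefragment before encapsulation
        self.fragmented += 1
        self.pkts_out += n
        return n

    def counters(self):
        return (self.fragmented, self.couldnt_fragment, self.pkts_out, self.pkts_in)


def run_case_study(count=500, size=1500, core_mtu=1500):
    """Constructed scenario: `count` echoes of `size` bytes from Oakland (behind
    SanFran) to Albany (behind NewYork); the echo replies take the reverse path.
    Returns the PE counters and how many packets each CE had to reassemble."""
    sanfran, newyork = TunnelPE(core_mtu), TunnelPE(core_mtu)
    albany_reassembled = oakland_reassembled = 0
    for _ in range(count):
        delivered = sanfran.send(size)
        newyork.pkts_in += delivered
        if delivered == 0:
            continue                    # echo dropped in the core
        if delivered > 1:
            albany_reassembled += 1     # Albany reassembles the fragments, then replies
        delivered = newyork.send(size)
        sanfran.pkts_in += delivered
        if delivered == 0:
            continue                    # echo reply dropped in the core
        if delivered > 1:
            oakland_reassembled += 1
    return {
        "sanfran": sanfran.counters(),
        "newyork": newyork.counters(),
        "albany_reassembled": albany_reassembled,
        "oakland_reassembled": oakland_reassembled,
    }
```

Each PE tuple is (fragmented, couldn't fragment, Pkts-Out, Pkts-In). With the assumed sizes run_case_study() gives SanFran (499, 1, 999, 996) and NewYork (498, 1, 997, 998), with Albany reassembling 499 packets and Oakland 498, which are the values in Examples 13-25 through 13-28.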
You might wonder when you would use ATM OAM local emulation. You can use OAM emulation to
locally terminate or loop the OAM cells in two realistic scenarios:
When a PE device does not support the transport of OAM cells across the AAL5 L2TPv3 session.
When you are using different virtual path identifier (VPI) or virtual circuit identifier (VCI) values at
both ends of an AAL5 L2TPv3 pseudowire. Rewriting the VPI/VCI values for admin cells that are
transported over AAL5 SDU L2TPv3 sessions is not supported.
In this case study, you will learn OAM emulation in L2TPv3 using the topology shown in Figure 13-6.
Note that the VPI/VCI pair is different in both endpoints of the pseudowire.

Figure 13-6. L2TPv3 OAM Emulation Topology
In AAL5 SDU L2TPv3 sessions, the VPI/VCI pair that makes up the attachment circuits for the PVCs can
be different at both endpoints, as in Figure 13-6. However, such a scenario has a limitation: The
VPI/VCI cannot be rewritten for cells that are transported over the AAL5 pseudowire. This limitation
exists only for ATM cells that are transported over the AAL5 SDU pseudowire; it does not pose a
problem for AAL5 SDUs that are transported over it. For successful transport of raw ATM cells (such as
F5 OAM cells) over an AAL5 SDU pseudowire, the VPI/VCI pair needs to match at both ends. The only
way of supporting OAM management of CE PVCs with different VPI/VCIs is by enabling OAM local
emulation. With OAM local emulation, OAM cells are looped back or terminated and acted upon in the
PE's attachment circuit. They are not transported over the pseudowire.
Note

When an L2TPv3 PE that is configured for OAM emulation receives an OAM cell indicating an
alarm condition such as OAM AIS, a Set-Link-Info (SLI) message is triggered to notify the
remote PE of the defect instead of tearing down the L2TPv3 session. This in turn triggers the
generation of OAM alarm signals in the remote end of the L2TPv3 session and toward the
remote CE. This achieves end-to-end alarm indication, maintaining the session UP but
alarmed.

Example 13-29 shows the L2TPv3 sessions used in both the SanFran and NewYork PE devices.
LocID      TunID      Peer-address
38764      45445      10.0.0.201
NewYork#
Now enable OAM PVC management in the Oakland and Albany PVCs with the command oam-pvc
manage. Example 13-30 shows the configuration for the Oakland endpoint.

Example 13-30.

!
hostname Oakland
!
interface ATM6/0.1 point-to-point
 ip address 192.168.103.1 255.255.255.252
 pvc 0/100
  oam-pvc manage
  encapsulation aal5snap
 !
The CE PVCs go into a DOWN state when OAM cells that are looped back are not received (see Example
13-31).

Example 13-31. CE PVCs Go DOWN Without OAM-AC Emulation

Oakland#show atm pvc interface ATM 6/0.1
           VCD /                                    Peak   Avg/Min Burst
Interface  Name         VPI   VCI  Type   Encaps   Kbps   Kbps    Cells  Sts
6/0.1      1            0     100  PVC    SNAP     149760 N/A            DOWN
You can use the command show atm vc to display the OAM state and counters (see Example 13-32).

Example 13-32. CE PVCs DOWN and OAM Counters

Oakland#show atm vc interface ATM 6/0.1 detail
ATM6/0.1: VCD: 1, VPI: 0, VCI: 100
UBR, PeakRate: 149760
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
OAM frequency: 10 second(s)
InARP frequency: 15 minutes(s)
Transmit priority 4
InPkts: 0, OutPkts: 0, InBytes: 0, OutBytes: 0
InPRoc: 0, OutPRoc: 0
InFast: 0, OutFast: 0, InAS: 0, OutAS: 0
InPktDrops: 0, OutPktDrops: 0
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0
Out CLP=1 Pkts: 0
OAM cells received: 0
OAM cells sent: 16
Status: DOWN
Example 13-33. CE PVCs DOWN and Enhanced OAM Counters

Oakland#show atm pvc 0/100
ATM6/0.1: VCD: 1, VPI: 0, VCI: 100
UBR, PeakRate: 149760
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
OAM frequency: 10 second(s), OAM retry frequency: 1 second(s)
OAM up retry count: 3, OAM down retry count: 5
OAM Loopback status: OAM Sent
OAM VC state: Not Verified
ILMI VC state: Not Managed
VC is managed by OAM.
By comparing Example 13-32 and Example 13-33, you can see the difference in output between the
old show atm vc command and the new show atm pvc command. The latter contains much more
detailed information than the former.
For OAM emulation to work effectively, you must enable it in both ends simultaneously. The L2TPv3
extensions for ATM pseudowires define the new OAM Emulation Required Attribute-Value Pair (AVP) to
be used in AAL5 CPCS-SDU mode to signal OAM Emulation. The OAM Emulation Required AVP is a
boolean AVP that has no attribute value. Its mere presence or absence indicates a TRUE or FALSE
value, respectively.

If OAM cell emulation is configured or detected on one side, the other LCCE also must support it, which
is the purpose of the OAM Emulation Required AVP signaling method. If the other LCCE cannot support
the OAM cell emulation, you must tear down the associated L2TP session via a Call-Disconnect-Notify
(CDN) message.
Example 13-34 shows the command to enable OAM emulation in the SanFran PE.

  oam-ac emulation-enable 2
  encapsulation aal5
  xconnect 10.0.0.203 27 pw-class pw-l2tpv3-atm
 !

The rate in seconds at which OAM alarm indication signal (AIS) cells are sent follows the command
oam-ac emulation-enable.
Note

After you enable OAM emulation with the oam-ac emulation-enable command, you can
make the usual OAM Management commands such as oam-pvc manage available in the
Layer 2 transport PVC. A Layer 2 transport PVC (attachment circuit) that has been configured
for OAM emulation can periodically send OAM loopback cells toward the CE router and
manage the Layer 2 transport PVC status based on the reply to those OAM loopback cells.
At this point, you have enabled OAM emulation only at one end, in the SanFran PE. As you have learned
already in this section, this tears down the session with a CDN message because the OAM emulation
value does not match at both ends. Examples 13-35 through 13-37 show the L2X debugs in the
SanFran and NewYork PEs. The debugs that are enabled are debug vpdn l2x-errors, debug vpdn
l2x-events, and debug vpdn l2x-packets. L2X means that the command is applicable to both Layer
2 Forwarding (L2F) and Layer 2 Tunnel Protocol (L2TP) protocols.
Example 13-35 shows an Incoming-Call-Request (ICRQ) message that the SanFran PE receives. It has
a pseudowire Type 2 for AAL5 SDU and a VC ID (end identifier) of 27.
Example 13-35. Mismatch OAM-AC Emulation Configuration: ICRQ

SanFran#debug vpdn l2x-errors
L2X protocol errors debugging is on
SanFran#debug vpdn l2x-events
L2X protocol events debugging is on
SanFran#debug vpdn l2x-packets
L2X control packets debugging is on
SanFran#
SanFran#show debugging
VPN:
  L2X protocol events debugging is on
  L2X control packets debugging is on
  L2X protocol errors debugging is on
SanFran#
*Jul 6 18:27:26.792: Tnl56204 L2TP: Parse AVP 0, len 8, flag 0x8000 (M)
*Jul 6 18:27:26.792: Tnl56204 L2TP: Parse ICRQ
!Output omitted for brevity
*Jul 6 18:27:26.792: Tnl56204 L2TP: Parse Cisco AVP 7, len 8, flag 0x8000 (M)
*Jul 6 18:27:26.792: Tnl56204 L2TP: Pseudo Wire Type 2
*Jul 6 18:27:26.792: Tnl56204 L2TP: Parse Cisco AVP 6, len 8, flag 0x0
*Jul 6 18:27:26.792: Tnl56204 L2TP: End Identifier 27
!Output omitted for brevity
*Jul 6 18:27:26.792: Tnl56204 L2TP: Parse AVP 47, len 10, flag 0x0
*Jul 6 18:27:26.792: Tnl56204 L2TP: L2 Specific Sublayer 2
The ICRQ message also includes the Layer 2-Specific Sublayer AVP specifying the ATM-Specific Sublayer
with a value of 2. No OAM Emulation Required AVP is present because it has not been configured in
the NewYork PE. Example 13-36 shows the Incoming-Call-Reply (ICRP) message as received by the
NewYork PE.

Example 13-36. Mismatch OAM-AC Emulation Configuration: ICRP

NewYork#debug vpdn l2x-errors
L2X protocol errors debugging is on
From Example 13-37, you can see that the SanFran PE receives the CDN that destroys the session.
The CDN message contains the Result Code AVP (IETF AVP 1) as defined in RFC 2661, "Layer Two
Tunneling Protocol 'L2TP.'" The result code of 4 indicates that the call failed because appropriate
facilities were not available (temporary condition). Error code 0 specifies no general error.
Because the L2TPv3 pseudowire is down, ATM OAM AIS cells are sent out of the attachment circuits
toward the CEs. The CEs in turn reply with remote defect indication (RDI) OAM cells that the PE
receives (see Example 13-38).

SanFran. The SanFran attachment circuit has sent 52 AIS cells (F5 OutAIS) toward the Oakland CE
because the L2TPv3 session is down, and it has received 52 RDI cells (F5 InRDI) from the Oakland CE.
OAM AIS cells are equivalent to a blue alarm, and OAM RDI cells are equivalent to a yellow alarm.
Consistently, the Oakland CE's PVC shows the receipt of 52 OAM AIS cells (F5 InAIS) from the SanFran
PE, which resulted in 52 RDI cells (F5 OutRDI) generated toward the SanFran PE. The Oakland OAM
PVC status is now DOWN because of AIS/RDI.

To conclude the OAM emulation configuration, enable OAM emulation in the NewYork PE and verify that
the L2TPv3 session comes up. The Oakland PVC receives end-to-end loopback cells and comes up (see
Example 13-39).
shown in Figure 13-7.

  encapsulation aal0
  cell-packing 14 mcpt-timer 3
  xconnect 10.0.0.203 28 pw-class pw-l2tpv3-atm
 !
In Example 13-41, you have enabled cell packing for the pseudowire with the attachment circuit with
VPI/VCI 0/200 in the SanFran PE, specifying a maximum number of cells to be packed equal to 14 cells
and using the third preconfigured timer. Although you can configure a different value in the remote PE,
you can also configure a maximum number of cells packed (MNCP) of 14 cells in the NewYork PE.

The value of MNCP is signaled in the ATM Maximum Concatenated Cells AVP. MNCP indicates how many
concatenated cells (maximum value) the LCCE node can process as a disposition capability. The values
that are advertised in both directions do not need to match. Furthermore, the absence of this AVP
indicates no cell packing. This AVP and cell packing in general apply only to ATM Cell Relay pseudowire
types (see Example 13-42).
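The following Python example, added here rather than taken from the book or from IOS, shows how the two ATM-specific AVPs discussed in this case study and the previous one behave in an ICRQ/ICRP exchange: the OAM Emulation Required AVP is signaled by presence alone, and a mismatch makes the receiving LCCE answer with a CDN carrying Result Code 4 and Error Code 0 (the outcome debugged in Examples 13-35 through 13-37), while the ATM Maximum Concatenated Cells AVP is only read for cell-relay pseudowires, may differ in the two directions, and is absent when there is no cell packing. The AVP header layout and the RFC 2661 message-type and CDN result-code values are standard; the Cisco vendor AVP numbers 7, 6 and 11 are the ones printed in the chapter's debugs. The number used here for the OAM Emulation Required AVP (Cisco vendor AVP 99) is an assumption, because the chapter never prints it, and so are the 2-byte value sizes, chosen to match the "len 8" of the AVPs in those debugs. The function names (encode_avp, parse_avps, build_icrq, answer_icrq) are this example's own.

```python
"""L2TP control-message AVP handling for the two ATM-specific AVPs discussed in
this chapter.  Added example, not the book's or Cisco's code."""
import struct

IETF, CISCO = 0, 9                  # vendor IDs (9 is Cisco's IANA enterprise number)
AVP_MESSAGE_TYPE = (IETF, 0)
AVP_RESULT_CODE = (IETF, 1)
AVP_PW_TYPE = (CISCO, 7)            # Pseudowire Type, as in the chapter's debugs
AVP_END_ID = (CISCO, 6)             # End Identifier (VC ID), as in the debugs
AVP_ATM_MNCP = (CISCO, 11)          # ATM Maximum Concatenated Cells, as in the debugs
AVP_OAM_EMULATION_REQUIRED = (CISCO, 99)   # ASSUMED attribute number for this example

ICRQ, ICRP, CDN = 10, 11, 14        # RFC 2661 message type values
PW_AAL5_SDU, PW_ATM_CELL_RELAY = 2, 9      # pseudowire types seen in Examples 13-35 and 13-42
CDN_NO_FACILITIES = 4               # RFC 2661 CDN result: facilities unavailable (temporary)


def encode_avp(vendor, attr, value=b"", mandatory=False):
    """6-byte header (M bit, 10-bit length including the header, vendor, attribute) + value."""
    length = 6 + len(value)
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | length, vendor, attr) + value


def parse_avps(msg):
    """Returns {(vendor, attr): (mandatory, value)}; rejects truncated or malformed AVPs."""
    avps, off = {}, 0
    while off < len(msg):
        if off + 6 > len(msg):
            raise ValueError("truncated AVP header")
        flags, vendor, attr = struct.unpack_from("!HHH", msg, off)
        length = flags & 0x03FF
        if length < 6 or off + length > len(msg):
            raise ValueError("bad AVP length %d" % length)
        avps[(vendor, attr)] = (bool(flags & 0x8000), msg[off + 6:off + length])
        off += length
    return avps


def build_icrq(pw_type, vcid, oam_emulation=False, mncp=None):
    """ICRQ as the initiating LCCE would send it (2-byte values, see lead-in)."""
    msg = encode_avp(*AVP_MESSAGE_TYPE, struct.pack("!H", ICRQ), mandatory=True)
    msg += encode_avp(*AVP_PW_TYPE, struct.pack("!H", pw_type), mandatory=True)
    msg += encode_avp(*AVP_END_ID, struct.pack("!H", vcid))
    if oam_emulation:
        # Boolean AVP: presence means TRUE; there is no attribute value at all.
        msg += encode_avp(*AVP_OAM_EMULATION_REQUIRED)
    if mncp is not None:
        msg += encode_avp(*AVP_ATM_MNCP, struct.pack("!H", mncp))
    return msg


def answer_icrq(icrq, local_oam_emulation, local_mncp=None):
    """How the receiving LCCE replies: ICRP when the session can come up, CDN with
    result code 4 / error code 0 when OAM emulation does not match on both ends.
    Returns (message_type, reply_bytes, negotiated_info)."""
    avps = parse_avps(icrq)
    if avps[AVP_MESSAGE_TYPE][1] != struct.pack("!H", ICRQ):
        raise ValueError("not an ICRQ")
    pw_type = struct.unpack("!H", avps[AVP_PW_TYPE][1])[0]
    vcid = struct.unpack("!H", avps[AVP_END_ID][1])[0]
    peer_oam = AVP_OAM_EMULATION_REQUIRED in avps       # absence means FALSE

    if peer_oam != local_oam_emulation:
        cdn = encode_avp(*AVP_MESSAGE_TYPE, struct.pack("!H", CDN), mandatory=True)
        cdn += encode_avp(*AVP_RESULT_CODE, struct.pack("!HH", CDN_NO_FACILITIES, 0),
                          mandatory=True)
        return CDN, cdn, {"vcid": vcid, "reason": "OAM emulation mismatch"}

    # MNCP is meaningful only for cell-relay pseudowires, and the value each side
    # advertises is its own disposition capability: the directions need not agree.
    peer_mncp = None
    if pw_type == PW_ATM_CELL_RELAY and AVP_ATM_MNCP in avps:
        peer_mncp = struct.unpack("!H", avps[AVP_ATM_MNCP][1])[0]
    icrp = encode_avp(*AVP_MESSAGE_TYPE, struct.pack("!H", ICRP), mandatory=True)
    if local_oam_emulation:
        icrp += encode_avp(*AVP_OAM_EMULATION_REQUIRED)
    if pw_type == PW_ATM_CELL_RELAY and local_mncp is not None:
        icrp += encode_avp(*AVP_ATM_MNCP, struct.pack("!H", local_mncp))
    return ICRP, icrp, {"vcid": vcid, "pw_type": pw_type, "peer_mncp": peer_mncp,
                        "local_mncp": local_mncp, "cell_packing": peer_mncp is not None}
```

Feeding answer_icrq(build_icrq(PW_AAL5_SDU, 27), local_oam_emulation=True) reproduces the SanFran side of the mismatch: the NewYork ICRQ carries no OAM Emulation Required AVP, so the reply is a CDN whose Result Code AVP value is 0x0004 0x0000. With the AVP present on both sides the same call returns an ICRP, and for a cell-relay ICRQ carrying MNCP 14 the receiver records the peer's 14 while advertising its own, possibly different, value.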
SanFran#
*Jul 1 10:45:09.119: Tnl22650 L2TP: Parse AVP 0, len 8, flag 0x8000 (M)
*Jul 1 10:45:09.119: Tnl22650 L2TP: Parse ICRQ
!Output omitted for brevity
*Jul 1 10:45:09.123: Tnl22650 L2TP: Parse Cisco AVP 7, len 8, flag 0x8000 (M)
*Jul 1 10:45:09.123: Tnl22650 L2TP: Pseudo Wire Type 9
!Output omitted for brevity
*Jul 1 10:45:09.123: Tnl22650 L2TP: Parse Cisco AVP 11, len 8, flag 0x0
*Jul 1 10:45:09.123: Tnl22650 L2TP: ATM Maximum Number of cells that can be packed 14
*Jul 1 10:45:09.123: Tnl22650 L2TP: No missing AVPs in ICRQ
Example 13-42 shows the ATM Maximum Concatenated Cells AVP included in the ICRQ and using Cisco
AVP 11. You can verify the configuration of ATM cell packing from the SanFran PE. See Example 13-43,
which shows the local and remote MNCP values of 14 cells.
Example 13-43. ATM Cell-Packing Verification

SanFran#show atm cell-packing
                             average                       average
          circuit    local   nbr of cells     peer   nbr of cells     MCPT
          type       MNCP    rcvd in one pkt  MNCP   sent in one pkt  (us)
ATM5/0    vc 0/200   14      0                14     0                4095
SanFran#
As you know, each ATM cell carries 48 bytes of payload. When you concatenate 14 cells, you can carry
an SDU of 48 bytes/cell * 14 cells = 672 bytes. You configured the Oakland and Albany CEs' PVCs with
AAL5-LLC/SNAP encapsulation, which means that an IP packet has 16 bytes of encapsulation
overhead: 8 bytes of CPCS-PDU trailer plus 8 bytes of LLC/SNAP header. Therefore, the
largest IP packet that you can fit into a single L2TPv3 Cell Relay packet that is concatenating 14 cells is
672 bytes - 16 bytes = 656 bytes.

To verify these calculations, send 100 656-byte packets from the Oakland CE to the Albany CE. Then
display the average number of cells sent and received per packet (see Example 13-44).
Oakland#ping
Protocol [ip]:
Target IP address: 192.168.104.2
Repeat count [5]: 100
Datagram size [100]: 656
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100, 656-byte ICMP Echos to 192.168.104.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 96/98/108 ms
Oakland#
SanFran#show atm cell-packing
                             average                       average
          circuit    local   nbr of cells     peer   nbr of cells     MCPT
          type       MNCP    rcvd in one pkt  MNCP   sent in one pkt  (us)
ATM5/0    vc 0/200   14      14               14     14               4095
SanFran#

Example 13-45.

                     local   average nbr of cells   peer   average nbr of cells   MCPT
                     MNCP    rcvd in one pkt        MNCP   sent in one pkt        (us)
          vc 0/200   14      7                      14     7                      4095
You can see in Example 13-45 that the average number of cells sent and received per L2TPv3 packet
drastically dropped to 7 cells. Each IP packet now needs 15 ATM cells; thus, it uses a first L2TPv3
packet with 14 cells and a second L2TPv3 packet with just 1 cell. The average equates to 7 cells per
L2TPv3 packet.
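The arithmetic of this case study (the 672-byte budget of 14 cells, the 656-byte maximum IP packet, and the 14 + 1 split that drops the average to 7) generalised as a small Python module. It is an added example, not code from the book; it uses the standard 48-byte cell payload, 8-byte AAL5 CPCS-PDU trailer and 8-byte LLC/SNAP header the chapter reasons with, and it assumes, as the ping test does, that packets are far enough apart in time that cells of different AAL5 PDUs are never packed into the same L2TPv3 packet, so the MCPT timer never decides a boundary. The function names (aal5_cells, max_ip_len, pack, average_cells_per_packet) are this example's own.

```python
"""AAL5 cell count and L2TPv3 cell-packing arithmetic from the Oakland/Albany
cell-packing case study.  Added example, not from the book.  Timer expiry is
not modelled: a packed L2TPv3 packet is sent as soon as MNCP cells are
available or the current AAL5 PDU ends."""
import math

CELL_PAYLOAD = 48      # bytes of payload per ATM cell
AAL5_TRAILER = 8       # CPCS-PDU trailer (UU, CPI, length, CRC-32)
LLC_SNAP = 8           # LLC/SNAP header for aal5snap encapsulation


def aal5_cells(ip_len, llc_snap=True):
    """Number of ATM cells one IP packet occupies after AAL5 segmentation.
    The CPCS-PDU is padded so that SDU + trailer ends on a cell boundary."""
    sdu = ip_len + (LLC_SNAP if llc_snap else 0)
    return math.ceil((sdu + AAL5_TRAILER) / CELL_PAYLOAD)


def max_ip_len(mncp, llc_snap=True):
    """Largest IP packet that fits in one L2TPv3 packet carrying MNCP cells."""
    return mncp * CELL_PAYLOAD - AAL5_TRAILER - (LLC_SNAP if llc_snap else 0)


def pack(cells, mncp):
    """Split the cells of one AAL5 PDU into L2TPv3 packets of at most MNCP cells.
    Returns the cell count carried by each packet, e.g. 15 cells with MNCP 14
    give [14, 1], which is what the chapter observes in Example 13-45."""
    if mncp < 1:
        raise ValueError("MNCP must be at least 1")
    full, rest = divmod(cells, mncp)
    return [mncp] * full + ([rest] if rest else [])


def l2tpv3_packets_per_sdu(ip_len, mncp, llc_snap=True):
    """How many L2TPv3 cell-relay packets one IP packet turns into."""
    return len(pack(aal5_cells(ip_len, llc_snap), mncp))


def average_cells_per_packet(ip_len, mncp, count=100, llc_snap=True):
    """What show atm cell-packing would report after `count` packets of `ip_len`
    bytes: an integer average of cells per L2TPv3 packet, as the counters in
    Examples 13-44 and 13-45 display it (14 for 656-byte packets, 7 once a
    packet needs 15 cells)."""
    per_packet = pack(aal5_cells(ip_len, llc_snap), mncp) * count
    return sum(per_packet) // len(per_packet)
```

max_ip_len(14) returns 656, the value derived above; aal5_cells(656) is 14 and aal5_cells(657) is 15, and the latter splits into [14, 1], so average_cells_per_packet(657, 14) reports 7 where average_cells_per_packet(656, 14) reports 14.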
DiffServ separates edge behaviors, such as classification, marking, policing, metering, and complex

Step 1. Classification: Traffic is classified with a class-map.

Step 2. Policy creation: Policies are applied to the traffic classes that were defined previously in
a policy-map.

Step 3. Policy application: The policies that were defined previously are applied in a direction to
a specific interface, subinterface, or ATM and Frame Relay VCs using a service policy.

The following case studies explain examples of different QoS modules, including traffic marking,
traffic policing, queuing and shaping, and Layer 2-specific matching and setting.
Case Study 13-4:
Traffic Marking
infrastructure.
One of the constitutive pieces of the DiffServ model is traffic marking. Before exploring specific traffic marking methods, this section presents a historical perspective on the IPv4 header ToS octet that was defined originally in RFC 791. The ToS byte is the second byte in the IPv4 header and can be interpreted in multiple ways. Figure 13-8 shows the evolution of the ToS octet in different RFCs. You can see that the three most significant bits are called the precedence bits, and they correspond to the class selector in the DSCP.
Figure 13-8. IPv4 Header Type of Service Octet Evolution
Note
Example 13-46 shows the ToS set to a value of 96 (0x60 in hexadecimal). This is the value for the complete ToS byte. The number 96 that is represented in binary equals 01100000, from which you can infer that the IP precedence is 011b or 3 (flash). To verify this configuration, configure inbound (that is, packets received) IP accounting by IP precedence in the NewYork PE in the interface that connects to the Denver P (see Example 13-47).
!
hostname NewYork
!
interface Serial10/0
 ip unnumbered Loopback0
 ip accounting precedence input
!
Example 13-48. ToS Setting Verification in the NewYork PE
ToS Reflection
Another traffic-marking feature that is specific to L2TPv3 is called ToS reflection. In ToS reflection marking, the ToS octet is copied over or reflected from the inner CE IP packet header into the outer IP tunnel packet header. This behavior cannot be mimicked with MQC.
To configure ToS reflection, you can use the pseudowire-class command ip tos reflect. The command ip tos {reflect | value} appears only in pseudowire-class configuration when the encapsulation is set to L2TPv3 (see Example 13-49).
To verify the ToS reflection functioning, generate 1000 packets with IP precedence 5 (critical) from the Oakland CE to the Albany CE. Use an extended ping command, in which you must specify the ToS octet value. You can express an IP precedence of 5 in binary as 101. Therefore, the binary representation of the ToS is 10100000, which is 0xA0 or 160 (see Example 13-50).
Using the same IP accounting method, verify the precedence in the packets sent over the IP PSN and received by the NewYork PE (see Example 13-51).
You can also configure both ip tos actions of value and reflect into a single pseudowire class. In that case, the ToS value in the outer IP header defaults to the fixed set value but is overwritten with the reflected value when the Layer 2 tunneled frame contains an IP packet.
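The ToS arithmetic used in this case study (96 = 0x60 gives precedence 3, precedence 5 gives 0xA0 = 160) and the ip tos value / ip tos reflect behavior just described can be checked with a small model. The following Python is an added example, not code from the book or from Cisco IOS; the PseudowireClass structure, the function names, and the decision to treat an unconfigured ip tos as 0 are this example's own assumptions.

```python
# Added example: IPv4 ToS octet decoding and L2TPv3 ToS reflection. Not code
# from the book or from Cisco IOS; the PseudowireClass model is an assumption.
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 791 precedence names, as used in the text (3 = flash, 5 = critical)
PRECEDENCE_NAMES = {
    0: "routine", 1: "priority", 2: "immediate", 3: "flash",
    4: "flash-override", 5: "critical", 6: "internet", 7: "network",
}


def decode_tos(tos: int) -> Dict[str, object]:
    """Split the ToS octet into the fields shown in Figure 13-8.

    The three most significant bits are the RFC 791 precedence and also the
    DSCP class selector (RFC 2474); the six most significant bits are the
    DSCP; the two least significant bits are ECN (RFC 3168)."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS octet must fit in one byte")
    precedence = tos >> 5
    return {
        "precedence": precedence,
        "precedence_name": PRECEDENCE_NAMES[precedence],
        "dscp": tos >> 2,
        "class_selector": f"cs{precedence}",
        "ecn": tos & 0x03,
    }


def tos_for_precedence(precedence: int) -> int:
    """ToS octet to give an extended ping for a wanted IP precedence."""
    if not 0 <= precedence <= 7:
        raise ValueError("IP precedence is a 3-bit value")
    return precedence << 5


@dataclass
class PseudowireClass:
    """Subset of pseudowire-class configuration relevant to ip tos (assumed model)."""
    encapsulation: str
    tos_value: Optional[int] = None   # ip tos value <0-255>
    tos_reflect: bool = False         # ip tos reflect


def outer_tos(pw: PseudowireClass, inner_is_ip: bool, inner_tos: int = 0) -> int:
    """ToS written into the outer L2TPv3 delivery header for one tunneled frame.

    Follows the text: with both actions configured, the fixed value is the
    default and the reflected inner ToS overrides it only when the tunneled
    Layer 2 frame carries an IP packet. Treating an unconfigured ip tos as 0
    is this example's assumption."""
    if pw.encapsulation != "l2tpv3":
        raise ValueError("ip tos is available only with L2TPv3 encapsulation")
    tos = pw.tos_value if pw.tos_value is not None else 0
    if pw.tos_reflect and inner_is_ip:
        tos = inner_tos
    return tos


if __name__ == "__main__":
    print(decode_tos(96))                     # precedence 3 (flash), class selector cs3
    print(hex(tos_for_precedence(5)))         # 0xa0, the value used for Example 13-50
    pw = PseudowireClass("l2tpv3", tos_value=0x60, tos_reflect=True)
    print(outer_tos(pw, inner_is_ip=True, inner_tos=0xA0))   # reflected inner value wins
    print(outer_tos(pw, inner_is_ip=False))                  # non-IP payload: fixed value
```

The decode function is the same arithmetic the text performs by hand, generalized to any ToS value and to the DSCP and ECN fields of the later RFCs in Figure 13-8.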
MQC IP Precedence or DSCP Setting
The third traffic-marking mechanism uses MQC. The MQC set ip precedence and set ip dscp policy commands have been extended to include the tunnel keyword to indicate that the policy applies to the outer L2TPv3 tunnel IPv4 delivery header.
When you are using MQC to perform marking with L2TPv3, only the inbound direction (that is, coming from the CE device) is meaningful for classification; therefore, the classification criterion needs to be Layer 2 fields at the attachment circuit. A PE device normally marks classified traffic with a tunnel IP DSCP. The primary goal for tunnel marking is to control QoS for a particular tunneled customer within the provider core network. Customer-specific PHB should be pushed out to the CE devices.
For simplicity, Example 13-52 shows the configuration required to perform tunnel marking with a precedence of 2 (immediate) using MQC to classify all traffic incoming into the attachment circuit. Apply the service policy in a Layer 2 transport ATM PVC.
Example 13-52. Tunnel Marking with MQC Configuration
!
hostname SanFran
!
class-map match-all all_traffic
 match any
!
policy-map prec-2
 class all_traffic
  set ip precedence tunnel 2
!
interface ATM5/0
 pvc 0/100 l2transport
  oam-ac emulation-enable 2
  encapsulation aal5
  xconnect 10.0.0.203 27 pw-class pw-l2tpv3-atm
  service-policy in prec-2
!
!
Now generate 500 packets by using an extended ping command from the Oakland CE to the Albany CE, and check the MQC policy-map counters (see Example 13-53).
Example 13-53. Tunnel Marking with MQC Verification in the SanFran PE
SanFran(config-pmap-c-police)#conform-action ?
  drop                              drop packet
  set-clp-transmit                  set atm clp and send it
  set-cos-transmit                  set cos and send it
  set-discard-class-transmit        set discard-class and send it
  set-dscp-transmit                 set dscp and send it
  set-dscp-tunnel-transmit          rewrite tunnel packet dscp and send it
  set-frde-transmit                 set FR DE and send it
  set-mpls-exp-imposition-transmit  set exp at tag imposition and send it
  set-prec-transmit                 rewrite packet precedence and send it
  set-prec-tunnel-transmit          rewrite tunnel packet precedence and send it
  set-qos-transmit                  set qos-group and send it
  transmit                          transmit packet
SanFran(config-pmap-c-police)#conform-action
MQC is versatile enough through the use of nested or hierarchical policies to allow the
configuration of ATM Forum Traffic Management 4.0 (TM 4.0) policers using the policy police rate.
With this capability, a PE device can behave like a traditional ATM switch. In particular, you can
configure the following policing policies:
CBR Policing: Using a single class and police statement.
policy-map VBR.2_child
 class CLP0
  police rate 5000 cps atm-mbs 1000
   conform-action transmit
   exceed-action drop
policy-map VBR.2
 class class-default
  police rate 10000 cps delay-tolerance 200
   conform-action transmit
   exceed-action drop
  set ip precedence tunnel 3
  service-policy VBR.2_child
policy-map VBR.3_child
 class CLP0
  police rate 5000 cps atm-mbs 750
   conform-action transmit
   exceed-action set-clp-transmit
policy-map VBR.3
 class class-default
  police rate 10000 cps delay-tolerance 400
   conform-action transmit
   exceed-action drop
  set ip precedence tunnel 2
  service-policy VBR.3_child
policy-map UBR.plus
 class class-default
  police rate 10000 cps delay-tolerance 2000
   conform-action transmit
   exceed-action drop
  set ip precedence tunnel 1
!
The ATMF TM4.0 specification uses the PCR as the rate in the first bucket and cell delay variation tolerance (CDVT) as the height of the first bucket. It also defines the use of the SCR as the rate in the second bucket and a function of maximum burst size (MBS) as the height of the second bucket.
You can see that, as specified in ATMF TM4.0, Example 13-57 uses the PCR and CDVT combination in the first bucket specified by the parent policy and uses the SCR and MBS combination in the second bucket specified by the child policy for VBR service types.
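The dual-bucket behavior that Example 13-57 configures (PCR and CDVT in the parent policy, SCR and MBS in the child) is the Generic Cell Rate Algorithm of ATMF TM4.0 run twice. The following Python is an added example, not the book's or Cisco's code, that simulates CBR, VBR.2, and VBR.3 policing of a cell burst in the virtual-scheduling form of the GCRA. The integer microsecond time base, the burst tolerance formula (MBS - 1) * (1/SCR - 1/PCR), and the class and function names are this example's own assumptions; it does not model the units of the IOS delay-tolerance keyword.

```python
# Added example: ATMF TM4.0 dual-bucket policing as configured in Example 13-57,
# simulated with the Generic Cell Rate Algorithm (virtual-scheduling form).
# Not the book's or Cisco's code; time is modelled in integer microseconds.
from dataclasses import dataclass
from typing import List, Optional

US_PER_S = 1_000_000


@dataclass
class Gcra:
    """One bucket: increment I (cell spacing at the policed rate) and limit L (bucket height)."""
    increment_us: int
    limit_us: int
    tat_us: int = 0   # theoretical arrival time of the next conforming cell

    def conforms(self, t_us: int) -> bool:
        # A cell arriving earlier than TAT - L is non-conforming and leaves
        # the bucket state untouched; a conforming cell advances TAT by I.
        if t_us < self.tat_us - self.limit_us:
            return False
        self.tat_us = max(t_us, self.tat_us) + self.increment_us
        return True


def burst_tolerance_us(pcr_cps: int, scr_cps: int, mbs_cells: int) -> int:
    """Height of the second bucket as a function of MBS (assumed TM4.0 formula)."""
    return (mbs_cells - 1) * (US_PER_S // scr_cps - US_PER_S // pcr_cps)


class AtmPolicer:
    """CBR: one bucket (PCR, CDVT). VBR.2 / VBR.3: parent bucket (PCR, CDVT) on all cells
    plus a child bucket (SCR, MBS) on CLP0 cells only; VBR.2 drops on exceed, VBR.3 tags CLP."""

    def __init__(self, category: str, pcr_cps: int, cdvt_us: int,
                 scr_cps: Optional[int] = None, mbs_cells: Optional[int] = None):
        if category not in ("CBR", "VBR.2", "VBR.3"):
            raise ValueError(f"unsupported category {category}")
        self.category = category
        self.parent = Gcra(US_PER_S // pcr_cps, cdvt_us)
        self.child: Optional[Gcra] = None
        if category != "CBR":
            if scr_cps is None or mbs_cells is None:
                raise ValueError("VBR policing needs SCR and MBS")
            self.child = Gcra(US_PER_S // scr_cps,
                              burst_tolerance_us(pcr_cps, scr_cps, mbs_cells))

    def police(self, t_us: int, clp: int = 0) -> str:
        """Action for one cell arriving at t_us: transmit, drop, or set-clp-transmit."""
        if not self.parent.conforms(t_us):
            return "drop"                         # exceed-action of the parent policy
        if self.child is not None and clp == 0 and not self.child.conforms(t_us):
            return "drop" if self.category == "VBR.2" else "set-clp-transmit"
        return "transmit"


def police_burst(category: str, arrival_times_us: List[int], clp: int = 0, **params) -> List[str]:
    """Police a whole burst of cells and return the per-cell actions."""
    policer = AtmPolicer(category, **params)
    return [policer.police(t, clp) for t in arrival_times_us]


if __name__ == "__main__":
    # Constructed burst: ten back-to-back cells at PCR = 10000 cps (one every 100 us).
    burst = list(range(0, 1000, 100))
    print(police_burst("CBR", burst, pcr_cps=10000, cdvt_us=200))
    print(police_burst("VBR.2", burst, pcr_cps=10000, cdvt_us=200, scr_cps=5000, mbs_cells=4))
    print(police_burst("VBR.3", burst, pcr_cps=10000, cdvt_us=200, scr_cps=5000, mbs_cells=4))
```

With SCR at half the PCR and MBS of 4, the first four cells of a burst at PCR conform to both buckets and the child bucket then rejects every second cell; the only difference between VBR.2 and VBR.3 is whether that rejection drops the cell or sets its CLP bit, which is exactly the exceed-action difference between VBR.2_child and VBR.3_child in the configuration.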
Note
Some platforms do not support the atm-mbs keyword. In those cases, you should define the SCR only in the child policies.
On some platforms, Layer 2 marking is supported only in the outbound direction. In these
platforms, you cannot implement VBR.3 because it cannot use set atm-clp in an input policy.
However, you can usually configure around this by marking with a new tunnel IP precedence
instead of ATM CLP at ingress. You can map the tunnel IP precedence back to ATM CLP at egress
with an intermediate qos-group:
Ingress PE: In the ingress PE, perform VBR.2 policing as an inbound policy but set a different tunnel IP precedence or DSCP for the exceed-action in the VBR.3_child policy-map instead of performing a drop action. This effectively performs an IP marking. You can refer to this IP precedence as CLP precedence.
Egress PE: In the egress PE, at ingress from the P router, match the CLP precedence tunnel IP precedence with an inbound policy and set the qos-group. This classifies traffic that will later be marked with CLP. At egress in the attachment circuit that is outbound toward the CE, match the qos-group and set atm-clp.
Two local markings exist: qos-group and discard-class. They preserve the marking tunnel IP precedence or DSCP information (or MPLS Experimental bits in AToM) before tunnel or label disposition. Used as an input feature, the qos-group ID identifies or selects a class, and the discard-class identifies a drop precedence. These two local markings are important when input Layer 2 marking is not supported. They allow you to match on PSN information, such as IP DSCP or MPLS EXP, while acting on them at egress on an attachment circuit when that PSN class information is lost because of disposition.
The intermediate step is the qos-group ID, which conveys the received class to the output interface. A qos-group and discard-class are required when you use the input PHB marking to classify packets on the output interface. Example 13-58 shows a sample configuration setting the ATM CLP at attachment circuit egress based on the tunnel IP precedence at ingress from the P router.
!
hostname NewYork
!
class-map match-all pre1
 match ip precedence 1
class-map match-all qosg
 match qos-group 1
!
!
policy-map clp
 class qosg
  set atm-clp
policy-map qosg
 class pre1
  set qos-group 1
!
interface Serial4/0
 ip unnumbered Loopback0
 service-policy input qosg
!
interface ATM5/0
 no ip address
 pvc 0/101 l2transport
  oam-ac emulation-enable 2
  encapsulation aal5
  xconnect 10.0.0.201 27 pw-class pw-l2tpv3-atm
  service-policy out clp
!
!
You can see that the Serial4/0 interface coming into the NewYork PE from the Denver P has the inbound service policy qosg. The qosg policy-map classifies traffic with IP precedence of 1 in the class-map pre1 and sets the qos-group to 1 for the classified packets.
At egress and toward the attachment circuit, the PVC 0/101 in interface ATM5/0 has the outbound service policy clp. The policy-map clp sets the ATM CLP bit for traffic that is classified with the qosg class-map that matches qos-group 1. In effect, you are applying an outbound policy in the outgoing interface from an inbound classification in the incoming interface. The qos-group marking and matching acts like the middle man. Example 13-59 shows the verification for this pair of service policies.
Example 13-59. Verifying the QoS Group Configuration
NewYork#show policy-map interface Serial4/0
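To see why the qos-group is needed at all, it helps to model what the egress policy can and cannot see once the L2TPv3 delivery header has been stripped at disposition. The following Python is an added example, not the book's or Cisco's code; the Packet fields, the policy-map representation, and the forward_to_attachment_circuit path (ingress policy, disposition, egress policy) are this example's own simplifications of the NewYork PE in Example 13-58.

```python
# Added example: why the egress policy in Example 13-58 matches qos-group rather
# than the tunnel IP precedence. Not the book's or Cisco's code; the packet
# fields and the forwarding path are this example's simplifications.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    tunnel_precedence: Optional[int]   # precedence in the outer L2TPv3 IPv4 header; None once stripped
    qos_group: Optional[int] = None    # local marking, never transmitted
    atm_clp: int = 0                   # CLP bit set on the attachment-circuit cells


# class-map match-all: a predicate over the packet
ClassMap = Callable[[Packet], bool]
# policy-map: ordered (class-map, action) pairs; the first matching class wins
PolicyMap = List[Tuple[ClassMap, Callable[[Packet], None]]]


def apply_policy(policy: PolicyMap, pkt: Packet) -> None:
    for matches, action in policy:
        if matches(pkt):
            action(pkt)
            return


def match_ip_precedence(value: int) -> ClassMap:
    return lambda p: p.tunnel_precedence == value


def match_qos_group(value: int) -> ClassMap:
    return lambda p: p.qos_group == value


def set_qos_group(value: int) -> Callable[[Packet], None]:
    def action(p: Packet) -> None:
        p.qos_group = value
    return action


def set_atm_clp(p: Packet) -> None:
    p.atm_clp = 1


# The two policy-maps of Example 13-58
QOSG: PolicyMap = [(match_ip_precedence(1), set_qos_group(1))]   # policy-map qosg
CLP: PolicyMap = [(match_qos_group(1), set_atm_clp)]              # policy-map clp


def forward_to_attachment_circuit(pkt: Packet,
                                  input_policy: Optional[PolicyMap],
                                  output_policy: Optional[PolicyMap]) -> Packet:
    """NewYork PE path: Serial4/0 ingress -> L2TPv3 disposition -> ATM5/0 PVC egress."""
    if input_policy is not None:
        apply_policy(input_policy, pkt)          # service-policy input on Serial4/0
    pkt.tunnel_precedence = None                 # disposition strips the delivery header
    if output_policy is not None:
        apply_policy(output_policy, pkt)         # service-policy out on the PVC
    return pkt


if __name__ == "__main__":
    print(forward_to_attachment_circuit(Packet(tunnel_precedence=1), QOSG, CLP).atm_clp)
    print(forward_to_attachment_circuit(Packet(tunnel_precedence=0), QOSG, CLP).atm_clp)
    # Matching the tunnel precedence directly at egress cannot work: the header is gone.
    direct = [(match_ip_precedence(1), set_atm_clp)]
    print(forward_to_attachment_circuit(Packet(tunnel_precedence=1), None, direct).atm_clp)
```

The third case is the one the text warns about: an outbound policy that tries to classify on PSN information after disposition never matches, whereas the qos-group set on input survives to the output interface.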
Low-latency queuing (LLQ): The LLQ is a strict priority first-in, first-out (FIFO) queue. Strict priority queuing allows delay-sensitive data to receive a preferential queuing treatment by being dequeued and serviced before other queues.
Class-based weighted fair queuing (CBWFQ): CBWFQ provides a fair queuing based on defined classes with no strict priority. The weight for a packet that belongs to a specific class is given from the bandwidth that you assigned to the class when you configured it.
Weighted Random Early Detection (WRED): WRED drops packets selectively based on IP precedence. The higher the IP precedence, the less likely the packets are to be dropped.
Example 13-60 shows an example of egress queuing policies to provide committed information rate (CIR) guarantees.
Example 13-60. Queuing Configuration for Frame Relay Pseudowires
!
hostname SanFran
!
class-map match-all cust1
 match fr-dlci 100
class-map match-all cust2
 match fr-dlci 101
!
policy-map cir_guarantee
 class cust1
  bandwidth 128
 class cust2
  bandwidth 256
!
interface Serial3/1
 no ip address
 service-policy output cir_guarantee
 encapsulation frame-relay
 frame-relay intf-type dce
!
L2TPv3 transports and tunnels multiple and diverse Layer 2 technologies. It is reasonable that
MQC supports different matching and setting criteria for different Layer 2 protocols. Table 13-1
summarizes some of these Layer 2 technology-specific criteria.
Table 13-1. Layer 2-Specific Matching and Marking Criteria
Layer 2        Matching                                  Setting
Ethernet       match cos                                 set cos
               match vlan (including VLAN ranges)
Frame Relay    match fr-de                               set fr-de
               match fr-dlci                             set fr-fecn-becn
ATM            match atm clp                             set atm-clp
Example 13-62 shows how to set the ATM CLP bit for all traffic.
Example 13-62. ATM CLP-Setting Configuration
!
hostname NewYork
!
class-map match-all everything
 match any
policy-map atm-clp
 class everything
  set atm-clp
interface ATM5/0
 pvc 0/101 l2transport
  oam-ac emulation-enable 2
  encapsulation aal5
  xconnect 10.0.0.201 27 pw-class pw-l2tpv3-atm
  service-policy out atm-clp
!
!
Example 13-63 shows the verification results in the NewYork PE when sending 200 pings from the Oakland CE to the Albany CE.
headers to an SDU, MTU and fragmentation issues arise in the IP PSN. PMTUD combined with DF bit setting provides a practical approach to solving the core MTU and IP reassembly processing problems.
You learned the control plane and data plane considerations of ATM OAM cell emulation and ATM cell packing. New L2TPv3 AVPs were presented detailing their use, functionality, and interaction.
In the final few pages of this chapter, you learned QoS essentials, configuration, and QoS particulars regarding L2TPv3. You saw how to configure and apply traffic marking, policing, queuing, shaping, and advanced QoS matching and setting criteria for each Layer 2 technology that is tunneled and transported using L2TPv3.
Chapter 14
you a mechanism and the underlying theory to configure any-to-any IW pseudowires. IW functions perform the translation and adaptation necessary to interconnect disparate attachment circuits by means of a native service processor (NSP) function. The NSP requires knowledge of the semantics of the payload to be adapted. It resides between the pseudowire termination and the attachment circuit.
Following are the two types of Layer 2 VPN IW:
Bridged (Ethernet) Interworking: Ethernet frames that are extracted from the attachment circuit are sent over the pseudowire. In the case of 802.1q, the VLAN tag is removed. The pseudowire functions in Ethernet (VC type 0x0005) like-to-like mode, and the IW function at the NSP performs the required adaptation based on the attachment circuit technology. Non-Ethernet frames are dropped.
Routed (IP) Interworking: IP packets that are extracted from the attachment circuit are sent over the pseudowire. The pseudowire functions in IP Layer 2 Transport (VC type 0x000B) like-to-like mode, and the IW function (NSP) performs the required adaptation based on the attachment circuit technology. Non-IPv4 packets are dropped.
different, but also because various interface types might have diverse default MTU values.
Bridged Interworking
In the Ethernet IW case, Ethernet frames are bridged across the pseudowire. The customer edge (CE) devices can either be running native Ethernet bridging or using Integrated Routing and Bridging (IRB) or Routed Bridge Encapsulation (RBE), for example, on ATM subinterfaces. This scenario shows you one of the usages for bridged IW: when a customer wants to bridge between two sites with LAN segments but the service provider access technology in one of the sites is either ATM or Frame Relay.
Bridged IW has some Layer 2-specific encapsulation behaviors, specifically when carrying bridged protocols over ATM or Frame Relay. With Ethernet over ATM, two translations by the NSP are supported when using Logical Link Control (LLC) of 0xAA-AA-03, indicating a Subnetwork Access Protocol (SNAP) header, and an Organizationally Unique Identifier (OUI) of 0x00-80-C2, which means bridged protocols. The same two translations by the NSP are supported for Ethernet over Frame Relay using Control of 0x03; Pad of 0x00; Network Layer Protocol Identifier (NLPID) of 0x80, indicating a SNAP header; and an OUI of 0x00-80-C2, indicating bridged protocols:
PID 0x0007: 802.3/Ethernet without preserved frame check sequence (FCS)
PID 0x000E: Bridge protocol data unit (BPDU), as defined by 802.1 or 802.1(g).
Figure 14-1 shows the bridged Ethernet/802.3 frame encapsulation over Frame Relay and ATM.

Figure 14-1. Bridged Ethernet/802.3 Frame Encapsulation over Frame Relay and ATM
Figure 14-2 shows the BPDU encapsulation over Frame Relay and ATM.
The encapsulation of bridged Ethernet over Frame Relay and ATM is defined in RFC 2427 (which obsoletes RFC 1490 and RFC 1294), "Multiprotocol Interconnect over Frame Relay," and RFC 2684 (which obsoletes RFC 1483), "Multiprotocol Encapsulation over ATM Adaptation Layer 5," respectively.
Routed Interworking

Ethernet: With native Ethernet, the provider edge (PE) device acts as a proxy-ARP to all ARP requests received from the CE.

Point-to-point ATM and Frame Relay: Inverse ARP does not run by default in point-to-point Frame Relay or ATM subinterfaces, because the IP address and subnet mask define the connected prefix. Therefore, no configuration is required in the CE devices.

Multipoint ATM and Frame Relay: Inverse ARP is enabled and runs by default in multipoint ATM and Frame Relay subinterfaces. Because routed IW simply drops inverse ARP packets and does not support inverse ARP, the IPv4 address at the remote end of an ATM or Frame Relay permanent virtual circuit (PVC) cannot be discovered dynamically. Therefore, in this case, manual configuration of static IPv4 to PVC mapping is needed in the CE devices.

PPP: For PPP attachment circuits, manual configuration of the remote CE's IPv4 address for IPCP negotiation is needed in the PE device configuration.
Note

The address resolution considerations are applicable to routed IW because address resolution packets are not transported end-to-end over the pseudowire.
Interworking MTU Considerations

As you learned in Chapter 6, "Understanding Any Transport over MPLS," in all Layer 2 VPN IW using AToM cases except the transport of ATM cells, MTUs need to match in both attachment circuits for the pseudowire to come up. The MTU value is advertised in the MTU interface parameter.

This prerequisite takes a new meaning with IW because different interface types have different default MTU values. The default MTU values in Cisco IOS are shown in Table 14-1.

Table 14-1. Default MTU Values for Different Media

When you are configuring pseudowires between interfaces that have default MTU values (such as Packet over SONET [POS] to Ethernet), the MTU values need to match. Frame Relay has a special circumstance that is covered in the case studies.
Note

!
hostname SanFran
!
ip cef
mpls ip
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.0.0.201 255.255.255.255
!
interface Serial10/0
 ip unnumbered Loopback0
 mpls ip
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.201 0.0.0.0 area 0
Ethernet (Bridged) IW:
Case Study 14-1: Ethernet-to-VLAN Using AToM
Case Study 14-2: Ethernet-to-VLAN Using L2TPv3
Case Study 14-3: ATM AAL5-to-VLAN Using AToM

IP (Routed) IW:
Case Study 14-4: Frame Relay-to-VLAN Using AToM
Case Study 14-5: Frame Relay-to-PPP Using L2TPv3
Case Study 14-6: IP L2-Transport MTU Considerations
Case Study 14-7: Frame Relay-to-ATM Interworking Best Practices

Ethernet (Bridged) Interworking Case Studies

In this section, you learn to configure bridged IW using both AToM and L2TPv3.

Case Study 14-1: Ethernet-to-VLAN Using AToM
The first case study covers Ethernet-to-VLAN bridged IW using AToM. The topology used is shown in Figure 14-4. Example 14-2 shows the configuration for the Ethernet side in the SanFran PE.

!
interface Ethernet0/0.1
 encapsulation dot1Q 1
 no cdp enable
 xconnect 10.0.0.201 1 pw-class atom-iw-eth-vlan
!
The VLAN PE side is similar to the Ethernet side, except that the xconnect command is applied to the dot1Q subinterface. Also, remember to disable CDP in the Ethernet main interface and subinterface so that you do not send CDP packets to the CE device.
The CE configuration is included in Example 14-4 for both Oakland and Albany CEs for comparison.

Example 14-4. Ethernet-to-VLAN CE Configuration

! Oakland CE Ethernet attachment circuit configuration
!
hostname Oakland
!
interface Ethernet0/0
 ip address 192.168.27.1 255.255.255.0
!
! Albany CE VLAN attachment circuit configuration
!
hostname Albany
!
interface Ethernet0/0
 no ip address
!
interface Ethernet0/0.1
 encapsulation dot1Q 1
 ip address 192.168.27.2 255.255.255.0
!
UP
    packet drops: receive 0, seq error 0, send 0
NewYork#
The first verification is performed using the command show mpls l2transport vc to check that the L2transport VC is UP. You can note some important points using the detail keyword of that command in the NewYork side (VLAN side). The following list explains the first three lines of the output:
Local interface and state: Et0/0.1 up, line protocol up. Note that line protocol cannot be detected in the PE Ethernet interfaces because that would imply generating loop packets out of the attachment circuit toward the CE device and intercepting them. Instead, all Ethernet packets received are transported without inspection.
Attachment circuit type and state: Eth VLAN 1 up. Note that this refers only to the local attachment circuit type.
VC type: Ethernet (VC type 0x0005). Although the attachment circuit (AC) is Ethernet VLAN, the VC type is always Ethernet for bridged IW. Bridged IW uses this VC type for all AC technologies.
Interworking type: Ethernet (bridged), as configured under the pseudowire-class atom-iw-eth-vlan template. This triggers the use of the Ethernet VC Type.

10.0.0.201: This is the remote PE's router ID configured in the xconnect command.

VC ID 1: As configured in the xconnect command. The VC ID needs to match in both PEs.

VC status UP: The VC status UP means that the VC can carry data between the two endpoints. (Imposition and disposition are programmed.) Two conditions need to hold true:

Disposition interfaces programmed: The VC has been configured and the CE interface is up.

Imposition interfaces programmed: The disposition interface is programmed, and there is a remote VC label and an IGP label (label-switched path to the peer). Note that for the imposition interface to be programmed, the disposition interface must have been programmed previously.
Even though the first line of the output shows that the attachment circuit is the Ethernet VLAN with a VLAN ID of 1, the VC type that is signaled is Ethernet because of the IW type Ethernet. You can also see this in Example 14-6.
        Cbit: 1,    VC Type: Ethernet,    GroupID: 0
        MTU: 1500,  Interface Desc: n/a
        VCCV Capabilities: Type 1, Type 2
    Remote Label: 18
        Cbit: 1,    VC Type: Ethernet,    GroupID: 0
        MTU: 1500,  Interface Desc: n/a
        VCCV Capabilities: Type 1, Type 2
NewYork#
In all the pseudowire endpoints that use Ethernet IW, the VC type is 0x0005 for Ethernet regardless of whether the attachment circuits are 802.1q VLAN, ATM AAL5, or Frame Relay. Each endpoint does behave differently, however, because the attachment circuits differ:

Ethernet: The Ethernet attachment circuit behaves exactly as described in Chapter 7, "LAN Protocols over MPLS Case Studies." There is no difference in imposition or disposition of Ethernet frames or in CLI command output. In fact, the Ethernet side is completely unaware that a remote IW function exists, so its state is no different.
802.1q VLAN: The VLAN attachment circuit performs the IW function by the NSP both at imposition and disposition. For example, at disposition, Ethernet frames that are received from the pseudowire are inserted with the 4-byte 802.1q header after the source MAC address. These extra 4 bytes include the 2-byte Ethertype value of 0x8100, indicating 802.1q/802.1p VLAN, followed by the 2 bytes of tag control information (3 bits of class of service [CoS], 1 bit of Canonical Format Identifier [CFI], and 12 bits of VLAN ID equal to 1 in this example). Following these 4 bytes, the next 2 bytes are the ones that originally came after the source MAC address, that is, Ethertype for Ethernet II and length in the case of 802.3. This new packet is sent over the attachment circuit to the CE device.
It is also worth noting that ARP is end-to-end, because in Ethernet IW, ARP packets are just Ethernet frames with Ethertype 0x0806.
You can see in Figure 14-5 the way the encapsulation changes as the packet traverses from the Oakland CE through the AToM network to the Albany CE and vice versa.

Figure 14-5. Ethernet-to-VLAN Bridged Interworking AToM Encapsulation Details
You can see that the NewYork PE inserts the 802.1q header at imposition and removes it at disposition. The 802.1q header is not carried over the pseudowire. You can also see that the LAN FCS is not transported over the pseudowire. The PE routers need to regenerate it at disposition and remove it at imposition.
hostname SanFran
!
pseudowire-class l2tpv3-iw-eth-vlan
 encapsulation l2tpv3
 interworking ethernet
 ip local interface Loopback0
!
interface Ethernet1/0
 no ip address
 no cdp enable
 xconnect 10.0.0.203 2 pw-class l2tpv3-iw-eth-vlan
!
Example 14-8 shows the configuration required for the NewYork PE, where the attachment circuit is configured in an 802.1q subinterface.
LocID      RemID      TunID      Username, Intf/      State
                                 Vcid, Circuit
39772      21748      12926      2, Et1/0.1:2         est
NewYork#
NewYork#show l2tun session all
Session Information Total tunnels 1 sessions 1
Tunnel control packets dropped due to failed digest 0

    Send packets dropped:
      exceeded session MTU: 0
      total: 0
  Session vcid is 2
  Session Layer 2 circuit, type is Ethernet Vlan, name is Ethernet1/0.1:2
  Circuit state is UP
    L2TP VC type is Ethernet, interworking type is Ethernet
    Remote session id is 21748, remote tunnel id 48316
  DF bit off, ToS reflect disabled, ToS value 0, TTL value 255
  No session cookie information available
  FS cached header information:
    encap size = 24 bytes
    00000000 00000000 00000000 00000000
    00000000 00000000
  Sequencing is off
NewYork#

LocID      TunID      Peer-address    Type Iwrk Username, Intf/
                                                Vcid, Circuit
39772      12926      10.0.0.201      VLAN ETH  2, Et1/0.1:2
NewYork#
From Example 14-10, you can see that in the SanFran end, the type is represented as ETH for Ethernet, because that is the attachment circuit type. The IW type (Iwrk) is dashed out, meaning that an NSP IW function is nonexistent, or to be more precise, a NULL IW function exists between Ethernet and Ethernet. As you know, the Ethernet side is oblivious about the remote NSP IW function. For all the SanFran side knows, the remote end might also be Ethernet.

In contrast, the NewYork side shows the type as VLAN because that is the attachment circuit type. The NSP IW type is shown as ETH for Ethernet, making explicit the fact that there is an NSP function.

ARP packets are also handled end-to-end just the same way as in the AToM bridged IW Case Study 14-1. As a final note that is applicable to both AToM and L2TPv3 Ethernet VLAN attachment circuits, you can use the command show interface to display xconnect statistics (see Example 14-11).
NewYork#show interfaces ethernet 1/0.1
Ethernet1/0.1 is up, line protocol is up
  Hardware is Lance, address is 0000.0c00.cb01 (bia 0000.0c00.cb01)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     rely 255/255, load 1/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID  2.
  ARP type: ARPA, ARP Timeout 04:00:00
  Xconnect switched:
     Pkts In 556, Chars In 75990, Pkts Out 795, Chars Out 91196
NewYork#
Case Study 14-3: ATM AAL5-to-VLAN Using AToM

This bridged IW case study shows Ethernet IW between ATM AAL5 and Ethernet VLAN attachment circuits using AToM. The objective is to present a minor difference and to emphasize concepts. See Example 14-12 for the SanFran ATM AAL5-specific configuration.

Example 14-12. ATM Side Configuration for Ethernet IW Using AToM
!
hostname SanFran
!
pseudowire-class atom-iw-atm-vlan
 encapsulation mpls
 interworking ethernet
!
interface ATM4/0.500 point-to-point
 mtu 1500
 pvc 0/500 l2transport
  encapsulation aal5snap
  xconnect 10.0.0.203 500 pw-class atom-iw-atm-vlan
!

!
hostname NewYork
!
pseudowire-class atom-iw-atm-vlan
 encapsulation mpls
 interworking ethernet
!
interface FastEthernet0/0.500
 encapsulation dot1Q 500
 xconnect 10.0.0.201 500 pw-class atom-iw-atm-vlan
!
        VCCV Capabilities: Type 1, Type 2
SanFran#
From the output of the command show mpls l2transport vc 500, you can see that the local circuit is an ATM AAL5 VC and the status is UP. When appending the detail keyword, you can also see that although the attachment circuit is ATM AAL5 0/500, the MPLS VC type (PW Type) is 0x0005 for Ethernet. The IW type is also Ethernet. Finally, using the command show mpls l2transport binding 500, you can further prove that for both the ATM AAL5 VC and Ethernet VLAN attachment circuits, the VC type is Ethernet and the MTU that is advertised is 1500 bytes.
In Figure 14-7, the encapsulation changes as the packet traverses from the Oakland CE as bridged Ethernet/802.3 PDUs over AAL5, through the AToM network as Ethernet over MPLS, to the Albany CE as a tagged Ethernet frame and vice versa.
You can see that the NewYork PE inserts the 802.1q header at imposition and removes it at disposition.
The LAN FCS is not transported over the pseudowire. The NewYork PE needs to regenerate the LAN
FCS at disposition and remove it at imposition. For a bridged frame over AAL5, the organization code is
0x0080C2 for 802.1. Only the PID of 0x0007 indicating 802.3/Ethernet without preserved FCS is
supported. Therefore, no LAN FCS exists in the AAL5 attachment circuit.
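The NSP translations described for the 802.1q VLAN attachment circuit (tag inserted after the source MAC at disposition, removed at imposition, LAN FCS regenerated) and for the bridged AAL5 attachment circuit (RFC 2684 LLC/SNAP header with PID 0x0007, no FCS), modelled as an added Python example that is not from the book or from Cisco IOS. The function names, the sample ARP frame and the MAC addresses are constructed for this illustration.

```python
import struct
import zlib
from typing import Optional

# RFC 2684 bridged 802.3/Ethernet header on the AAL5 side:
# LLC 0xAA-AA-03, OUI 0x00-80-C2, PID (0x0007 = no preserved FCS), 2-byte pad.
LLC_SNAP = b"\xaa\xaa\x03"
OUI_8021 = b"\x00\x80\xc2"
PID_ETH_NO_FCS = 0x0007
PID_BPDU = 0x000E
TPID_8021Q = 0x8100


def ethernet_fcs(frame_no_fcs: bytes) -> bytes:
    """LAN FCS: CRC-32 over the frame, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_no_fcs) & 0xFFFFFFFF)


def ac_to_pw_ethernet(frame: bytes) -> Optional[bytes]:
    """Ethernet AC at imposition: check and strip the LAN FCS (the PW carries none).
    Returns None for frames that are too short or fail the FCS check (dropped)."""
    if len(frame) < 18:
        return None
    body, fcs = frame[:-4], frame[-4:]
    return body if ethernet_fcs(body) == fcs else None


def pw_to_ac_ethernet(pw_frame: bytes) -> bytes:
    """Ethernet AC at disposition: the PE regenerates the LAN FCS."""
    return pw_frame + ethernet_fcs(pw_frame)


def pw_to_ac_vlan(pw_frame: bytes, vid: int, cos: int = 0, cfi: int = 0) -> bytes:
    """802.1q AC at disposition: insert TPID 0x8100 plus TCI (3 bits CoS, 1 bit CFI,
    12 bits VLAN ID) after the 12 address bytes, then regenerate the FCS."""
    tci = (cos & 0x7) << 13 | (cfi & 0x1) << 12 | (vid & 0x0FFF)
    tagged = pw_frame[:12] + struct.pack(">HH", TPID_8021Q, tci) + pw_frame[12:]
    return tagged + ethernet_fcs(tagged)


def ac_to_pw_vlan(tagged: bytes) -> Optional[bytes]:
    """802.1q AC at imposition: check the FCS and remove the 4-byte tag.
    A frame without an 802.1q tag is not valid on this AC and is dropped."""
    body = ac_to_pw_ethernet(tagged)
    if body is None or len(body) < 18:
        return None
    if struct.unpack(">H", body[12:14])[0] != TPID_8021Q:
        return None
    return body[:12] + body[16:]


def ac_to_pw_aal5(aal5_pdu: bytes) -> Optional[bytes]:
    """AAL5 AC at imposition: accept only bridged 802.3 without FCS (PID 0x0007);
    other LLC/SNAP PDUs, including PID 0x000E BPDUs, are not forwarded here."""
    if len(aal5_pdu) < 10 or aal5_pdu[:3] != LLC_SNAP or aal5_pdu[3:6] != OUI_8021:
        return None
    if struct.unpack(">H", aal5_pdu[6:8])[0] != PID_ETH_NO_FCS:
        return None
    return aal5_pdu[10:]   # skip LLC(3) + OUI(3) + PID(2) + PAD(2)


def pw_to_ac_aal5(pw_frame: bytes) -> bytes:
    """AAL5 AC at disposition: prepend the bridged header; no LAN FCS exists on this AC."""
    return LLC_SNAP + OUI_8021 + struct.pack(">HH", PID_ETH_NO_FCS, 0) + pw_frame


def vlan_id(tagged: bytes) -> Optional[int]:
    """VLAN ID from the 802.1q tag, or None if the frame is untagged."""
    if len(tagged) < 16 or struct.unpack(">H", tagged[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack(">H", tagged[14:16])[0] & 0x0FFF


def oakland_to_albany(ce_frame: bytes, vid: int) -> Optional[bytes]:
    """Ethernet CE -> SanFran PE -> pseudowire -> NewYork PE -> VLAN CE."""
    pw = ac_to_pw_ethernet(ce_frame)
    return None if pw is None else pw_to_ac_vlan(pw, vid)


def albany_to_oakland(tagged: bytes) -> Optional[bytes]:
    """VLAN CE -> NewYork PE -> pseudowire -> SanFran PE -> Ethernet CE."""
    pw = ac_to_pw_vlan(tagged)
    return None if pw is None else pw_to_ac_ethernet(pw)


def aal5_to_albany(aal5_pdu: bytes, vid: int) -> Optional[bytes]:
    """Bridged AAL5 CE -> SanFran PE -> pseudowire -> NewYork PE -> VLAN CE."""
    pw = ac_to_pw_aal5(aal5_pdu)
    return None if pw is None else pw_to_ac_vlan(pw, vid)


# Constructed sample: a broadcast ARP request (Ethertype 0x0806) from a made-up MAC.
ARP_FRAME_NO_FCS = (bytes.fromhex("ffffffffffff") + bytes.fromhex("0000aaaa0001")
                    + b"\x08\x06" + bytes(28))
OAKLAND_FRAME = pw_to_ac_ethernet(ARP_FRAME_NO_FCS)   # as transmitted by the Oakland CE
```

The round trip shows why an FCS error on one attachment circuit is invisible on the other: the PE that strips the FCS is the one that verifies it, and the far PE computes a fresh one.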
You can see from Figure 14-8 that you have an IW scenario between Ethernet and VLAN in a LAN switch environment. From Figure 14-8, SP SW 1 and SP SW 2 are service provider switches, and CE SW 1 and CE SW 2 are customer switches. The PSN can be either MPLS with AToM pseudowire or IP with L2TPv3 pseudowire.
In this case, you are using bridged IW between Ethernet and VLAN attachment circuits and allowing
Gain
the first
book toofaddress
2 VPN application
utilizing
per-VLAN spanning tree
plusfrom
(PVST+).
Because
the NSPLayer
IW function,
the VLAN tag
is modified,
both
ATOM
and
L2TP
protocols
removed, or added. Spanning Tree Protocol (STP) BPDUs sent from the switch contain the source VLAN
that the BPDU is sent on in the 802.1q header, but PVST+ also contains the Port VLAN ID (PVID) TLV
Review
strategies
that
allow
large enterprise
customers
to enhance
(type, length, value) field
inside
the BPDU
that
identifies
the VLAN number
of the
source port. The
their
offerings awhile
maintaining
routing
control
result is that the remote
CE service
switch received
BPDU
with an outer
802.1q
VLAN tag that is different
from the VLAN number in the PVID TLV field in the PVST+ BPDU, or even missing. Because of this
a majority
ofport
Service
a significant
portion
of their
inconsistency, theFor
BPDU
puts the
into Providers,
a PVID-inconsistent
state,
blocking
therevenues
traffic in that VLAN
are
still
derived
from
data
and
voice
services
based
on
legacy
transport
to prevent forwarding loops. This error condition is a result of violating one of the
PVST+ rules,
technologies.
Although
3 MPLS
fulfill the market
need forasome
ensuring a consistent
native VLAN
on all Layer
bridges.
WhenVPNs
the inconsistency
is detected,
switch logs
customers,
they
have
some
drawbacks.
Ideally,
carriers
with
existing
error messages such as %SPANTREE-2-RX_1QPVIDERR, % SPANTREE-2-RX_BLKPORTPVID,
or others
Layer
2 and Layer
networks
wouldThese
like toerrors
moveindicate
toward ainconsistency
single
depending on thelegacy
specific
configuration
and3traffic
direction.
while tag.
newThis
carriers
would likealso
to sell
the lucrative
Layer Ethernet
2
between the PVIDbackbone
and the VLAN
consideration
applies
to like-to-like
VLAN mode
services
over
their
existing
Layer
3
cores.
The
solution
in
these
cases
is a tag needs
pseudowires with VLAN rewrite and Frame Relay or ATM to VLAN bridged IW, where a VLAN
technology that would allow Layer 2 transport over a Layer 3
to be inserted or removed.
infrastructure.
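The PVID check described above, as an added example that is not from the book or from Cisco: a Python model of a PVST+ BPDU that compares the outer 802.1Q tag with the PVID TLV the way a receiving switch does, flagging both a mismatched tag and a missing tag. The SNAP encapsulation, the 35-byte 802.1D configuration BPDU and the PVID TLV layout (type 0, length 2) are my assumptions about the frame format, which the text does not spell out; the sample frames are constructed.

```python
import struct

# Assumed PVST+ frame layout (not given on the page):
#   DA 01:00:0C:CC:CC:CD | SA | optional 802.1Q tag | 802.3 length |
#   LLC AA-AA-03 | OUI 00-00-0C | PID 01-0B | 35-byte config BPDU | TLVs
PVST_DA = bytes.fromhex("01000ccccccd")
SNAP_PVST = bytes.fromhex("aaaa03" "00000c" "010b")
CONFIG_BPDU_LEN = 35
PVID_TLV_TYPE = 0x0000          # TLV carrying the originating port's VLAN


def build_pvst_bpdu(pvid, outer_vlan=None, src=bytes.fromhex("000c00000001")):
    """Constructed sample: a config BPDU originated on VLAN `pvid`, carried with
    an 802.1Q tag `outer_vlan`, or untagged (None) as after a tag-removing NSP."""
    cfg = struct.pack("!HBBB8sI8sHHHHH",
                      0x0000, 0x00, 0x00, 0x00,        # protocol id, version, type, flags
                      bytes(8), 0, bytes(8),           # root id, root path cost, bridge id
                      0x8001, 0, 20 * 256, 2 * 256, 15 * 256)  # port id, age, max age, hello, fwd delay
    tlv = struct.pack("!HHH", PVID_TLV_TYPE, 2, pvid)
    body = SNAP_PVST + cfg + tlv
    tag = b"" if outer_vlan is None else struct.pack("!HH", 0x8100, outer_vlan & 0x0FFF)
    return PVST_DA + src + tag + struct.pack("!H", len(body)) + body


def check_pvid_consistency(frame):
    """Return (outer_vlan, pvid, consistent). A mismatch, or a missing tag, is
    the condition that puts the receiving port into PVID-inconsistent state."""
    if frame[:6] != PVST_DA:
        raise ValueError("not addressed to the PVST+ multicast MAC")
    off = 12
    outer_vlan = None
    if struct.unpack("!H", frame[off:off + 2])[0] == 0x8100:
        outer_vlan = struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF
        off += 4
    off += 2                                       # skip the 802.3 length field
    if frame[off:off + len(SNAP_PVST)] != SNAP_PVST:
        raise ValueError("not a Cisco PVST+ SNAP PID")
    off += len(SNAP_PVST) + CONFIG_BPDU_LEN        # skip to the TLV area
    pvid = None
    while off + 4 <= len(frame):
        tlv_type, tlv_len = struct.unpack("!HH", frame[off:off + 4])
        value = frame[off + 4:off + 4 + tlv_len]
        if tlv_type == PVID_TLV_TYPE and tlv_len == 2:
            pvid = struct.unpack("!H", value)[0]
        off += 4 + tlv_len
    if pvid is None:
        raise ValueError("PVID TLV missing")
    return outer_vlan, pvid, outer_vlan == pvid


if __name__ == "__main__":
    for label, frame in [("tag 2 / PVID 2", build_pvst_bpdu(2, outer_vlan=2)),
                         ("tag 3 / PVID 2", build_pvst_bpdu(2, outer_vlan=3)),
                         ("untagged / PVID 2", build_pvst_bpdu(2))]:
        print(label, "->", check_pvid_consistency(frame))
```

The third case is the "or even missing" situation from the text: the tag is absent, so the receiver has nothing to match the PVID against and treats the port the same way as a mismatch.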
Routed Interworking
SanFran and Oakland use Frame Relay Internet Engineering Task Force (IETF) encapsulation. SanFran is the LMI data communication equipment (DCE) (Frame Relay switch behavior), and Oakland is the Local Management Interface (LMI) data terminal equipment (DTE). In the case of IP IW, the configuration command that directs the use of IP VC type and consequent transport of IP only is interworking ip. Example 14-15 shows the configuration for the SanFran PE.
Because it is necessary to specify the encapsulation (either MPLS or L2TPv3) and the IW type (either
Ethernet or IP) in all Ethernet and IP IW cases, the use of a pseudowire-class is mandatory.
The rest of the configuration uses the global connect command with the l2transport keyword to enter
the fr-pw-switching configuration mode and then the actual xconnect. See Example 14-16 for the
NewYork side of the configuration.
!
hostname NewYork
!
pseudowire-class atom-iw-fr-vlan
 encapsulation mpls
 interworking ip
!
interface Ethernet2/0
 no ip address
 no cdp enable
!
interface Ethernet2/0.2
 encapsulation dot1Q 2
 no cdp enable
 xconnect 10.0.0.201 100 pw-class atom-iw-fr-vlan
!
The configuration is similar to the Ethernet VLAN like-to-like case, with the addition of the interworking ip directive. The CE configuration uses a point-to-point Frame Relay subinterface in the Oakland router and does not need inverse ARP or static mapping (see Example 14-17).
Albany#
You can issue the usual verification shown in Example 14-18 from the SanFran side. You can use the command debug frame-relay pseudowire to display events and errors that occur, binding a Frame Relay data-link connection identifier (DLCI) to a pseudowire.
Example 14-18. AToM Routed IW Verification

SanFran#show mpls l2transport vc 100
Local intf     Local circuit         Dest address    VC ID      Status
-------------  --------------------  --------------  ---------  ----------
Se5/0          FR DLCI 100           10.0.0.203      100        UP

SanFran#show mpls l2transport vc 100 detail
Local interface: Se5/0 up, line protocol up, FR DLCI 100 up
  MPLS VC type is IP, interworking type is IP
  Destination address: 10.0.0.203, VC ID: 100, VC status: up
    Preferred path: not configured
    Default path: active
    Tunnel label: 16, next hop point2point
    Output interface: Se10/0, imposed label stack {16 19}
  Create time: 22:26:36, last status change time: 22:24:17
  Signaling protocol: LDP, peer 10.0.0.203:0 up
    MPLS VC labels: local 20, remote 19
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description:
  Sequencing: receive disabled, send disabled
  Sequence number: receive 0, send 0
  VC statistics:
    packet totals: receive 14, send 19
    byte totals:   receive 1512, send 2052
    packet drops:  receive 0, seq error 0, send 0

SanFran#show mpls l2transport binding 100
  Destination Address: 10.0.0.203, VC ID: 100
    Local Label:  20
        Cbit: 1,    VC Type: IP,    GroupID: 0
        MTU: 1500,   Interface Desc: n/a
        VCCV Capabilities: Type 1, Type 2
    Remote Label: 19
        Cbit: 1,    VC Type: IP,    GroupID: 0
        MTU: 1500,   Interface Desc: n/a
        VCCV Capabilities: Type 1, Type 2
SanFran#
In the SanFran PE, the command show mpls l2transport vc shows that the VC is UP and the attachment circuit is FR DLCI 100. When you use the detail keyword, the VC type of IP (using 0x000B) and the IW type of IP become explicit. The command show mpls l2transport binding displays the VC type as IP for both the local and remote endpoints.
Note
In routed IW, no attachment circuit natively uses the VC type of IP, unlike bridged IW, where
Ethernet interfaces use the VC type of Ethernet. As a consequence, the l2transport VCs in
both PEs always perform the IP IW function. This is to say that for routed IW, two NSPs are
needed. You can see this with the output of the command show mpls l2transport vc
detail, by verifying that the attachment circuit type does not match the VC type in either PE.
To see the VC type being advertised, you can use the debug command debug mpls l2transport signaling message, as shown in Example 14-19.
The highlighted sections of Example 14-19 show the use of the IP Layer 2 transport VC type with a value of 11, both for the LDP label mapping received and sent.

Because you are using a switched Frame Relay DLCI attachment circuit created by means of the connect command, you can utilize the show connection command to view connection status and information. The show connection command is also a troubleshooting tool (see Example 14-20). Without keywords, you can see that the show connection command displays a summary of connections with their respective state. You can also see that a connection has two segments: segment 1 and segment 2. Identifying a specific connection by connection name or ID gives the connection details. In particular, it lists the status of each segment, including the segment status, line or attachment circuit status, PVC status, and NNI status. The PVC status refers to the local DLCI status, and the NNI status refers to the status of the DLCI as learned through NNI from the CE device.
pseudowires use diverse interfaces, they are more prone toward MTU mismatches between attachment circuits. In a FR-VLAN IW case, the Frame Relay attachment circuit might be located in a POS interface with a default MTU of 4470, and the VLAN might reside in an Ethernet subinterface with a default MTU of 1500. To solve this problem, you might be tempted to consider changing the MTU in the POS interface to match the 1500 bytes. However, that would affect every DLCI on that interface, including the IW DLCIs that have a remote attachment circuit in an ATM interface with a default MTU of 4470. Example 14-21 presents the optimal solution for this problem, achieved by modifying the MTU per DLCI under connect mode.
22:43:38: ATOM disposition: in Se10/0, size 100,
22:43:38: 45 00 00 64 00 13 00 00 FF 01 00 32 C0 A8 1D 01 00
          ^^^ ... Begins IP Packet
22:43:38: 00 13 B7 00 03 00 04 00 00 00 00
22:43:38: E0 6D AC AB CD AB CD AB CD AB CD AB CD AB CD
22:43:38: CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
22:43:38: CD AB CD AB CD AB CD AB CD AB CD AB CD
22:43:38: CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD
22:43:38: CD AB CD
(remaining bytes of the dump, column-scrambled in extraction: C0 04 AB AB AB AB / 00 CD CD CD CD / 00 AB AB AB AB / 00 CD CD CD CD)
Note
You can see that only the raw IP datagram is transported over the AToM pseudowire. The PE routers remove the complete Layer 2 encapsulation at imposition and re-create it at disposition.
Case Study 14-5: Frame Relay-to-PPP Using L2TPv3

In this case study, you learn the configuration and verification of IP IW between Frame Relay and PPP endpoints using L2TPv3 on the topology included in Figure 14-11.
 interworking ip
 ip local interface Loopback0
!
interface Serial6/0
 no ip address
 encapsulation frame-relay
 frame-relay intf-type dce
!
connect fr-ppp Serial6/0 60 l2transport
 xconnect 10.0.0.203 60 pw-class fr-ppp-l2tpv3
!
!
The routed IW behavior is configured explicitly with the interworking ip command. As usual with Frame Relay DLCI attachment circuits, this configuration uses the connect command and the cross-connect inside the fr-pw-switching configuration mode. Example 14-24 shows the configuration in the NewYork side.
!
hostname NewYork
!
pseudowire-class fr-ppp-l2tpv3
 encapsulation l2tpv3
 interworking ip
 ip local interface Loopback0
!
interface Serial6/0
 no ip address
 encapsulation ppp
 ppp ipcp address proxy 192.168.30.1
 xconnect 10.0.0.201 60 pw-class fr-ppp-l2tpv3
!
The configuration in Example 14-24 is similar to a normal L2TPv3 session configuration, with the addition of the interworking ip directive. However, an additional command exists under the PPP interface. The command ppp ipcp address proxy specifies the remote CE's IP address, which is the IP address of the Oakland CE. This is necessary because ARP mediation does not take place.
In the like-to-like scenario with PPP pseudowires, PPP negotiations including IPCP are between the two CE devices. In IP IW, Layer 2 from the CE is terminated in the PE. Therefore, in the case of a PPP attachment circuit, IPCP as specified in RFC 1332 needs to be negotiated between the PE and CE because PPP is terminated at the PE. IPCP negotiation includes the exchange of IP addresses, but the NewYork PE has no knowledge of Oakland's IP address. The Oakland CE is the IP peer to the Albany CE. You need to manually assign Oakland's IP address in the NewYork PE so that it can be included in IPCP packets in the IPCP IP-Address Configuration option (type number 3). In this case, the PE device acts as an IPCP address proxy for the remote CE.

IPCP has a PPP DLL protocol number of 0x8021 and terminates on the PE. Only IP packets that have a PPP DLL protocol number of 0x0021 are transported over the pseudowire.
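An added example, not the book's or Cisco's code, that shows in Python the two pieces of PE behaviour just described: the IPCP IP-Address option as it appears in this case study's debug output (type 3, length 6, address), and a per-frame disposition for a PPP attachment circuit on an IP IW pseudowire using the protocol numbers quoted above. The forward/terminate/drop policy, the LCP protocol number and the handling of an optional FF 03 address/control prefix are my reading of the text, not a documented IOS interface; the sample frames and debug line are constructed.

```python
import re
import struct
from ipaddress import IPv4Address

# PPP Data Link Layer protocol numbers (the first two are quoted on the page).
PPP_IP = 0x0021      # IPv4 datagram: the only thing carried over the pseudowire
PPP_IPCP = 0x8021    # IP Control Protocol (RFC 1332): terminated on the PE
PPP_LCP = 0xC021     # Link Control Protocol (RFC 1661): terminated on the PE (assumed)
IPCP_OPT_IP_ADDRESS = 3


def ipcp_address_option(addr):
    """IPCP IP-Address option: type 3, length 6, then the IPv4 address."""
    return struct.pack("!BB4s", IPCP_OPT_IP_ADDRESS, 6, IPv4Address(addr).packed)


def parse_ipcp_address_option(raw):
    opt_type, opt_len, packed = struct.unpack("!BB4s", raw[:6])
    if opt_type != IPCP_OPT_IP_ADDRESS or opt_len != 6:
        raise ValueError("not an IPCP IP-Address option")
    return str(IPv4Address(packed))


# Matches the 'Address 192.168.30.1 (0x0306C0A81E01)' lines of debug ppp negotiation.
DEBUG_ADDR_RE = re.compile(r"Address (\d+\.\d+\.\d+\.\d+) \(0x([0-9A-Fa-f]{12})\)")


def debug_line_consistent(line):
    """True when the hex dump in a debug line really is the encoded option for
    the printed address, None when the line carries no address option."""
    m = DEBUG_ADDR_RE.search(line)
    if not m:
        return None
    return bytes.fromhex(m.group(2)) == ipcp_address_option(m.group(1))


def pe_disposition(frame):
    """What the IP IW PE does with one PPP frame from the attachment circuit
    (assumed policy): 'forward' raw IP over the pseudowire, 'terminate'
    LCP/IPCP locally, 'drop' every other protocol. Accepts frames with or
    without the HDLC-like FF 03 address/control bytes."""
    if frame[:2] == b"\xff\x03":
        frame = frame[2:]
    proto = struct.unpack("!H", frame[:2])[0]
    payload = frame[2:]
    if proto == PPP_IP:
        return "forward", payload
    if proto in (PPP_LCP, PPP_IPCP):
        return "terminate", payload
    return "drop", payload


if __name__ == "__main__":
    print(ipcp_address_option("192.168.30.1").hex().upper())      # 0306C0A81E01
    sample = "*Jun 10 01:42:43.454: Se6/0 IPCP:    Address 192.168.30.1 (0x0306C0A81E01)"
    print(debug_line_consistent(sample))                            # True
    for f in (b"\xff\x03\x00\x21\x45\x00", b"\x80\x21\x01\x07", b"\x80\x57\x01\x01"):
        print(pe_disposition(f)[0])
```

The hex in the debug output therefore reads directly as the option wire format: 03 (type), 06 (length), C0 A8 1E 01 (192.168.30.1), which is why the proxy address configured on the PE shows up verbatim in its CONFREQ.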
When the PE performs address resolution with the local CE, you can achieve the same result without
configuring the PE device by using the command peer default ip address in the local CE, indicating
!
hostname Oakland
!
interface Serial6/0
 no ip address
 encapsulation frame-relay
!
interface Serial6/0.60 multipoint
 ip address 192.168.30.1 255.255.255.252
 no ip directed-broadcast
 frame-relay map ip 192.168.30.2 60 broadcast
!
You can see from Example 14-25 that you are now using a multipoint subinterface. This is to show the difference in configuration between using point-to-point versus multipoint subinterfaces. You do not need the frame-relay map configuration in a point-to-point subinterface, because the IP address and mask already define the connected prefix. The main interface has multipoint behavior, and you need to configure a frame-relay map (or inverse ARP when possible) for DLCIs in the main interface.

Example 14-25 shows the usage of the command frame-relay map instead of frame-relay interface-dlci. The frame-relay map command creates a DLCI but also maps it to a next-hop network protocol address. The example shows DLCI 60 mapped to the IP address 192.168.30.2 (the remote CE's IP on the PPP side) and specifies that broadcast packets such as routing protocol updates are to be sent over the DLCI.

Example 14-26 shows the configuration at the PPP-speaking Albany CE.
LocID 11756 L2TP Session

Example 14-29. Frame Relay CE Verification
Note
The command show frame-relay map includes two hexadecimal numbers between
parentheses beside the DLCI. The first number is the DLCI in hexadecimal representation.
The second number is the 2-byte Q.922 header with the BECN, FECN, and DE bits zeroed
out.
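To make the two hexadecimal numbers in the note concrete, here is an added Python example (not from the book or from IOS). It places a DLCI into the two-octet Q.922 address format, returns the same pair that show frame-relay map prints beside a DLCI, and encodes and decodes a full header with the congestion bits set. That the printed value leaves the C/R and EA bits at zero as well is my assumption; the note only says that FECN, BECN, and DE are zeroed.

```python
def dlci_to_address_bits(dlci):
    """Put a 10-bit DLCI into its positions in the two-octet Q.922 address,
    leaving C/R, EA, FECN, BECN and DE at zero. This is the second hex number
    show frame-relay map prints (assumption: C/R and EA are zero there too)."""
    if not 0 <= dlci <= 1023:
        raise ValueError("the two-octet Q.922 address carries a 10-bit DLCI")
    hi = ((dlci >> 4) & 0x3F) << 2      # octet 1: DLCI bits 9..4, C/R, EA
    lo = (dlci & 0x0F) << 4             # octet 2: DLCI bits 3..0, FECN, BECN, DE, EA
    return (hi << 8) | lo


def show_map_numbers(dlci):
    """The '(0x3C,0xCC0)'-style pair that follows 'dlci 60' in show frame-relay map."""
    return f"0x{dlci:X}", f"0x{dlci_to_address_bits(dlci):X}"


def q922_header(dlci, fecn=False, becn=False, de=False, cr=False):
    """On-the-wire two-octet address: EA=0 in octet 1, EA=1 in octet 2,
    plus the command/response and congestion indication bits."""
    word = dlci_to_address_bits(dlci) | 0x0001
    return word | (int(cr) << 9) | (int(fecn) << 3) | (int(becn) << 2) | (int(de) << 1)


def parse_q922_header(word):
    """Decode a two-octet address; rejects anything not in the two-octet EA format."""
    hi, lo = word >> 8, word & 0xFF
    if hi & 0x01 or not lo & 0x01:
        raise ValueError("EA bits do not describe a two-octet address")
    return {
        "dlci": ((hi >> 2) << 4) | (lo >> 4),
        "cr": bool(hi & 0x02),
        "fecn": bool(lo & 0x08),
        "becn": bool(lo & 0x04),
        "de": bool(lo & 0x02),
    }


if __name__ == "__main__":
    print(show_map_numbers(60))                       # ('0x3C', '0xCC0')
    print(hex(q922_header(60, fecn=True, de=True)))   # 0xccb
    print(parse_q922_header(q922_header(60, fecn=True, de=True)))
```

Reading the pair this way also explains why the second number grows in steps of 0x10 rather than 1: the low nibble of the DLCI sits above the FECN/BECN/DE/EA bits in the second octet.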
Next, analyze the PPP interface at the Oakland CE (see Example 14-30).
Example 14-30. PPP-CE Verification

Albany#show interfaces s6/0
Serial6/0 is up, line protocol is up
  Hardware is M4T
  Internet address is 192.168.30.2/30
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation PPP, loopback not set
  Keepalive set (10 sec)
  LCP Open
  Open: IPCP
  Last input 00:00:02, output 00:00:02, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
!Output omitted for brevity
Albany#
Albany#show ip route connected | include Serial6/0
C    192.168.30.0/24 is directly connected, Serial6/0
C    192.168.30.1/32 is directly connected, Serial6/0
Albany#
*Jun 10 01:42:43.454: Se6/0 IPCP: O CONFREQ [ACKrcvd] id 9 len 10
*Jun 10 01:42:43.454: Se6/0 IPCP:    Address 192.168.30.1 (0x0306C0A81E01)
*Jun 10 01:42:43.454: Se6/0 IPCP: I CONFREQ [REQsent] id 7 len 10
*Jun 10 01:42:43.454: Se6/0 IPCP:    Address 192.168.30.2 (0x0306C0A81E02)
*Jun 10 01:42:43.454: Se6/0 IPCP: O CONFACK [REQsent] id 7 len 10
*Jun 10 01:42:43.454: Se6/0 IPCP:    Address 192.168.30.2 (0x0306C0A81E02)
*Jun 10 01:42:43.470: Se6/0 IPCP: I CONFACK [ACKsent] id 9 len 10
*Jun 10 01:42:43.470: Se6/0 IPCP:    Address 192.168.30.1 (0x0306C0A81E01)
*Jun 10 01:42:43.470: Se6/0 IPCP: State is Open
NewYork#
NewYork#show interfaces serial 6/0
Serial6/0 is up, line protocol is up
  Hardware is M4T
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation PPP, loopback not set
  Keepalive set (10 sec)
  LCP Open
  Open: IPCP
  Last input 00:00:00, output 00:00:00, output hang never
!Output omitted for brevity
NewYork#
You can see that LCP and IPCP are terminated at the PE router, IPv4 is transported, and everything else is dropped. Example 14-31 shows that all the debug information before and including the timestamp of Jun 10 01:42:41.418 is LCP negotiation that succeeds with the LCP state being open. The debug information after and including the timestamp of Jun 10 01:42:41.438 pertains to the only NCP, that is, IPCP negotiation, and concludes with the open state for IPCP. You can also use the command show interface in the PE device and see that, in contrast to the like-to-like case, LCP and IPCP are now open at the PE attachment circuit.

Regarding the data plane encapsulation details, you can see in Figure 14-12 how the encapsulation changes as the packet traverses from the Oakland CE as a Frame Relay encapsulated IP datagram (RFC 2427), through the IP service provider network over L2TPv3, to the Albany CE as a PPP-encapsulated IP datagram (RFC 1661) and vice versa.

Figure 14-12. Frame Relay DLCI-to-PPP L2TPv3 Routed IW Encapsulation Details
You can see that only the raw IP datagram is transported over the L2TPv3 pseudowire, and the PE routers remove the complete Layer 2 encapsulation at imposition and re-create it at disposition. Non-IP datagrams coming from the CE device are dropped at the PE.
Case Study 14-6: IP L2-Transport MTU Considerations
This section presents the important and recurring topic of MTU as it pertains to IP IW, both in the AToM and L2TPv3 cases. IP IW is the most efficient from an overhead perspective. It holds the best-case scenario in regards to MTU adjustments because only raw IP is transported, and Layer 2 overhead does not exist. For IP IW, Layer 2 from the CE is terminated at the PE and not transported; therefore, no additional overhead is present.
Table 14-2 summarizes the different overheads added in the PE router to an IP transport packet received from the CE device. Table 14-2 lists the overheads for both AToM and L2TPv3, including the overhead definition and the actual overhead value from Case Studies 14-4 and 14-5, respectively.
Table 14-2. MTU Considerations for IP Layer 2 Transport

PSN                       Tunnel Overhead             Demultiplexer Overhead    Layer 2 Specific          Total
AToM (Case Study 14-4)    MPLS Tunnel header          MPLS VC header            Control word              12 bytes
                          4 bytes                     4 bytes                   4 bytes
L2TPv3 (Case Study 14-5)  IP header without options   Session ID + cookie       L2-Specific Sublayer      24 bytes
                          20 bytes                    4 bytes + 0 bytes         0 bytes
FromTable 14-2, you can see that the IP IW AToM Case Study 14-4 has 12 bytes of overhead,
whereas the IP IW L2TPv3 Case Study 14-5 has 24 bytes of overhead (because of the cookie absence
and because sequencing is disabled).
Knowing these overheads, you can calculate the largest IP packet that can be sent from the CE and
make it unfragmented, where all interfaces have a default MTU of 1500 bytes:
For AToM, send extended ping from the Oakland CE while setting the don't fragment (DF) bit in the IP header and using "Sweep range of sizes" and verbose output.

For L2TPv3, configure the L2TPv3 session to set the DF bit in the IP header, adding ip dfbit set in the fr-ppp-l2tpv3 pseudowire class, as explained in Chapter 13, "Advanced L2TPv3 Case Studies." In this case, the extended ping from the Oakland CE does not need to set the DF bit, because the DF bit that will be used in the cloud is the one in the L2TPv3 IPv4 delivery header.
Oakland#ping
Protocol [ip]:
Target IP address: 192.168.30.2
Repeat count [5]: 1
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: v
Loose, Strict, Record, Timestamp, Verbose[V]:
Sweep range of sizes [n]: y
Sweep min size [36]: 1470
Sweep max size [18024]: 1480
Sweep interval [1]:
Type escape sequence to abort.
Sending 11, [1470..1480]-byte ICMP Echos to 192.168.30.2, timeout is 2 seconds:
Reply to request 0 (20 ms) (size 1470)
Reply to request 1 (20 ms) (size 1471)
Reply to request 2 (32 ms) (size 1472)
Reply to request 3 (20 ms) (size 1473)
Reply to request 4 (24 ms) (size 1474)
Reply to request 5 (28 ms) (size 1475)
Reply to request 6 (36 ms) (size 1476)
Request 7 timed out (size 1477)
Request 8 timed out (size 1478)
Request 9 timed out (size 1479)
Request 10 timed out (size 1480)
Success rate is 63 percent (7/11), round-trip min/avg/max = 20/25/36 ms
Oakland#
You can conclude that the calculation is correct. From Example 14-32, you learn that in the AToM case, the largest IP packet that makes it through is 1488 bytes because of the 12-byte overhead. In contrast, in the L2TPv3 case, the largest IP packet that makes it through is 1476 bytes because of the 24-byte overhead.

By knowing the IP MTU limitation and calculation with IP IW, you can tune the core MTU based on the largest expected IP datagram from the CE device.
theFrame
Cisco Unified
VPN suite:Interworking
Any Transport over
(ATOM) for MPLSCase Study 14-7:
Relay-to-ATM
BestMPLS
Practices
based cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
IP study,
cores. The
thisbest
bookpractices
is focused
on first
introducing
the Frame Relay
In this last IW case
you structure
will learn of
some
about
routed
IW between
reader to Layer
2 VPN
benefits and
implementation
requirements
andis not FRF.8,
and ATM. First, understand
that IP
IW pseudowire
between
Frame Relay
and ATM VCs
comparing
them
to those of Implementation
Layer 3 based VPNs,
such as MPLS,
"Frame Relay/ATM
PVC Service
Interworking
Agreement,"
(SIW) then
in which an IW
progressively
covering
each
currently
available
solution
in
detail.
function (IWF) translates between RFC 2427 encapsulated Frame Relay andgreater
RFC 2684
encapsulated
AAL5 with a null SSCP. Only IP packets are transported over the IP IW pseudowire.
In contrast to FRF.8 SIW, which supports address resolution translation, inverse ARP is not supported
in IP IW pseudowires; therefore, the ATM and Frame Relay CEs need to be configured on point-to-point
subinterfaces or use static maps if they are on multipoint subinterfaces.
In the ATM attachment circuit, only AAL5 SDU VC mode is supported, and the ATM PVC encapsulation
can either be AAL5SNAP or AAL5MUX (in which no translation is required because LLC/SNAP is
nonexistent, and only one protocol is carried). Either AAL5SNAP or AAL5MUX needs to be configured in
both the CE and PE devices under the PVC configuration mode. The encapsulations of AAL0 or AAL5 are
not valid for IP IW, because AAL5 terminates at the PE device, and the PE device needs to know the
AAL5 encapsulation type. However, in contrast to the CE configuration, when using AAL5MUX encapsulation in the PE Layer 2 PVC, you do not need to specify ip as the protocol carried.
A typical configuration for a CE that has multipoint subinterfaces is included in Example 14-33.
Example 14-33. CE Configuration with Multipoint ATM Subinterfaces

!
hostname Oakland
!
interface ATM3/0.27 multipoint
 ip address 192.168.31.1 255.255.255.0
 pvc 0/270
  protocol ip 192.168.31.2 broadcast
  encapsulation aal5snap
 !
!
interface ATM3/0.28 multipoint
 ip address 192.168.32.1 255.255.255.0
 pvc 0/271
  protocol ip 192.168.32.2 broadcast
  encapsulation aal5mux ip
 !
!
attachment circuit technologies:

Example 14-35 shows the configuration for the SanFran PE.

Se8/0        80          UP
SanFran#
When you are using AAL5, VPI/VCI values do not need to match in both endpoints. However, if you are transporting OAM cells over the local switched connection, the VPI/VCI must match because OAM cells are transported as cells, and you have the same limitation stated for single cell relay (SCR).

Besides the local switching of ATM PVCs, some platforms support the local switching of ATM permanent virtual paths (PVP) and packed cell relay (PCR) for local switching of ATM PVCs and ATM PVPs. In addition, local switching of ATM PVCs and ATM PVPs in the same port is supported. The configuration is analogous to this case study, using the same ATM interface for both connection endpoints.
Example 14-37 shows a sample configuration for PVC ATM-to-ATM local switching.

Example 14-37. ATM-to-ATM Local Switching Configuration

!
hostname SanFran
!
interface ATM1/0
 pvc 0/100 l2transport
  encapsulation aal5
 !
!
interface ATM2/0
 pvc 0/200 l2transport
  encapsulation aal5
 !
!
connect aal5_local_sw atm 1/0 0/100 atm 2/0 0/200
Notice that Example 14-37 shows cross-connecting PVCs with different VPI/VCI values, and the
configuration uses encapsulation AAL5. Observe that the ATM PVCs are created using the
l2transport keyword to identify the PVC as switched and not as terminated. The connection
configuration is analogous to the Frame Relay-to-Frame Relay example, using VPI/VCI instead of
DLCI.
Another similarity with Frame Relay-to-Frame Relay local switching is that you can enter the connect
command without previously configuring the ATM PVCs, in which case the PVCs are created
automatically in the respective interfaces that are specified (see Example 14-38).
ID    Name            Segment 1                  Segment 2                  State
===========================================================================
1     atm_local       AT4/0 CELL 0/40            AT3/0 CELL 0/40            UP
SanFran#
SanFran#show connection id 1
Connection: 1 - atm_local
 Current State: UP
 Segment 1: ATM4/0 CELL 0/40 up
 Segment 2: ATM3/0 CELL 0/40 up
SanFran#
You can see from Example 14-38 that only the connect command is entered, and it automatically creates the local switched connection. Note from the show connection output that the default encapsulation for automatically created l2transport PVCs is AAL0, that is, VC Cell Relay mode. Example 14-39 shows how to check for automatically created l2transport PVCs and their default encapsulation.

Example 14-39. Displaying Automatic PVCs
SanFran#show atm vc | include 40|VC
           VCD /                                       Peak   Avg/Min  Burst
Interface  Name         VPI   VCI   Type    Encaps     Kbps   Kbps     Cells  Sts
3/0        11           0     40    PVC-A   AAL0       155000 N/A             UP
4/0        19           0     40    PVC-A   AAL0       149760 N/A             UP
SanFran#
SanFran#show atm pvc 0/40 | begin ATM4/0
ATM4/0: VCD: 19, VPI: 0, VCI: 40
UBR, PeakRate: 149760
AAL0-Cell Relay, etype:0x10, Flags: 0x10000C2D, VCmode: 0x0
OAM Cell Emulation: not configured
Interworking Method: like to like
Remote Circuit Status = No Alarm, Alarm Type = None
InBytes: 208963575912, OutBytes: 1088149400
Cell-packing Disabled
OAM cells received: 1
F5 InEndloop: 0, F5 InSegloop: 0, F5 InAIS: 1, F5 InRDI: 0
OAM cells sent: 1
F5 OutEndloop: 0, F5 OutSegloop: 0, F5 OutAIS: 1, F5 OutRDI: 0
OAM cell drops: 0
Auto-created by Connection Manager
Status: UP
SanFran#
Displaying the ATM PVC summary, you can see that the PVC type is PVC-A, which stands for PVC automatically created. You can also see that the encapsulation is AAL0 single-cell relay by default, which works fine for like-to-like ATM-to-ATM connections but does not work for IW ones. For an IW connection, therefore, create the l2transport PVC explicitly with the encapsulation that the IW type requires rather than relying on the automatically created PVC. A detailed list of valid and default encapsulations for IW and local switching ATM VC attachment circuits is included in "Case Study 14-12: ATM Attachment Circuits and Local Switching."
Case Study 14-10: Ethernet-to-Ethernet Local Switching

This case study shows Ethernet-to-Ethernet port mode local switching. The same configuration and verification presented here is analogous to Ethernet dot1Q VLAN-to-VLAN local switching using subinterfaces instead of the main interface. This topology is included in Figure 14-14.

The configuration that is required at the PE is to activate the Ethernet interfaces with a no shutdown and issue the connect command. You can verify that the local switched connection is working (see Example 14-41).
SanFran#
SanJose#ping 192.168.51.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/28/36 ms
SanJose#
For the sake of argument, you can use the local switching feature without configuring IP addresses in the PE device, because no signaling is involved. An interface or a router that does not have an IP address does not process IP packets; therefore, it cannot process signaling messages carried over IP, as is the case with LDP and L2TPv3. This idea emphasizes the point that no signaling protocol is implicated in local switching.

You can witness this fact when enabling the debug command debug acircuit event to debug events that occur on the attachment circuits (see Example 14-42).

You can see by inspecting [0.0.0.0, 0] that the IP address of the remote peer is displayed as 0.0.0.0, and the VC ID is shown as 0. This is because it is a local switching connection.
Note

A consequence of no pseudowire signaling protocol being involved in local switching cases is that MTU mismatches between the attachment circuits do not prevent the circuit from coming up. The downside is that you lose the early warning a signaled pseudowire gives you: there, a circuit that does not come up prompts you to revisit the MTU settings, whereas a locally switched connection with mismatched MTUs comes up and the mismatch surfaces only later, when frames larger than the smaller MTU fail to get through. Check the MTU of both attachment circuits explicitly when you use local switching.
In this section, you learn the configuration and verification of the following case studies:

interface Ethernet3/0.1
 encapsulation dot1Q 27
!
connect eth-vlan Ethernet2/0 Ethernet3/0.1 interworking ethernet
!
!
You can see that this example uses the global command connect with diverse interfaces, and it prompts you for the IW type. As with pseudowires, the IW types are IP or Ethernet.

You can perform connection verification from the SanFran PE and connectivity checking from the SanJose CE (see Example 14-44).
Example 14-44. Verifying Ethernet-to-VLAN Local Switching

SanFran#show connection name eth-vlan
Connection: 4 - eth-vlan
 Current State: UP
 Segment 1: Ethernet2/0 up
 Segment 2: Ethernet3/0.1 up
 Interworking Type: ethernet
SanFran#
SanJose#ping 192.168.52.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.52.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/29/36 ms
SanJose#

The show connection command shows the IW type as Ethernet.
Table 14-3. ATM PVC Encapsulation Usage for IW and Local Switching

Segment 1              Segment 2              Interworking   ATM PVC
(Attachment Circuit)   (Attachment Circuit)   (IW) Type      Encapsulations
---------------------------------------------------------------------------
ATM PVC                ATM PVC                N/A            aal0 (default)
                                                             aal5
ATM PVC                Ethernet/VLAN          Ethernet       aal5snap
ATM PVC                                       IP             aal5snap (default)
                                                             aal5mux
connect command: You learn about the different behaviors of this command.

Encapsulation: You learn detailed information about the encapsulations of IW and local switching.
connect Command

At this point, you know how to use the connect command in multiple contexts. You used it to create AToM and L2TPv3 pseudowire endpoints in Frame Relay DLCI attachment circuits, to perform local switching, and to perform Frame Relay local switching. This section compares the different modes of this command using examples.
You have used the connect command in three different contexts and created different configuration modes. Example 14-45 shows the connect command that performs Frame Relay pseudowire switching.

Example 14-45. connect Command and Frame Relay Pseudowire Switching

SanFran(config)#connect fr-vlan Serial5/0 100 l2transport
SanFran(config-fr-pw-switching)#
When you use the connect command with the l2transport keyword, you are taken into config-fr-pw-switching configuration mode. Example 14-46 shows the connect command that performs local Frame Relay switching.

Example 14-46. connect Command and Frame Relay Switching

SanFran(config)#connect fr_local_sw serial 7/0 70 serial 8/0 80
SanFran(config-fr-switching)#
When you use the connect command to cross connect two local Frame Relay DLCIs, you are
taken into config-fr-switching configuration mode. Example 14-47 shows the connect
command that performs local cross connection between two attachment circuits.
SanFran(config)#connect eth-fr ethernet 3/0 serial 7/0 100 interworking ip
SanFran(config-connection)#
SanFran(config)#connect eth-eth ethernet 3/0.1 ethernet 4/0.1
SanFran(config-connection)#exit
SanFran(config)#connect atm_local ATM 4/0 0/40 ATM 3/0 0/40
SanFran(config-connection)#

Example 14-47 shows various cases used throughout this chapter. In the case of any-to-any (not like-to-like) attachment circuits, the IW option is presented. These different configuration submodes also present different commands that are applicable to the specific function that is being performed. (For example, the local switching submodes have no xconnect command.)
Encapsulation

This section introduces you to encapsulation details for some of the case studies presented in this chapter. To view the encapsulation details, use the Subscriber Service Switch (SSS) exec commands. The connections are represented as attachment circuit session types to SSS. All the examples use the command show sss circuits, which provides the status, encapsulation length, and encapsulation hexadecimal dump for the circuits. The encapsulation that is presented as output of this command, also called rewrite, indicates data that is added to the packet.

This section's goal is that you obtain a better understanding of the underlying processes and protocols in the case studies. The following examples are presented:

Encapsulation 1: Ethernet-to-VLAN Local Switching Ethernet IW

Encapsulation 2: Frame Relay-to-VLAN IP IW Using AToM

Encapsulation 3: VLAN-to-Ethernet Bridged IW Using L2TPv3

Encapsulation 4: Frame Relay-to-PPP IP-IW Using L2TPv3
Encapsulation 1: Ethernet-to-VLAN Local Switching Ethernet IW

This scenario presents the local switching in Case Study 14-10 in the SanFran PE router between Ethernet 2/0 and VLAN 27 in Ethernet 3/0.1 (see Example 14-48).

Example 14-48. SSS Circuit Encapsulation for Ethernet-to-VLAN Local Switching Ethernet-IW

SanFran#show sss circuits
Current SSS Circuit Information: Total number of circuits 5
!Output omitted for brevity
Common Circuit ID 0     Serial Num 5     Switch ID 18796512
---------------------------------------------------------------------------
Status  Encapsulation
UP flg  len  dump
Y  AES  0
Y  AES  4    8100001B
SanFran#

The Ethernet 2/0 side needs no rewrite (length 0), because an untagged Ethernet frame is switched as is. The VLAN side shows the 4-byte 802.1q tag 0x8100001B: the VLAN etype of 0x8100, CoS and CFI of 0, and the VLAN ID of 0x1B or 27 as configured.
Encapsulation 2: Frame Relay-to-VLAN IP IW Using AToM

This scenario presents the AToM IP IW Case Study 14-4 from both the SanFran and New York PE routers. The scenario starts from the SanFran PE router, in which the local cross-connection is Frame Relay-to-AToM (see Example 14-49).
The least significant bit of the second byte, the extended address (EA) bit, is set to 1 to indicate that the address field does not extend beyond two bytes.

The third octet in the encapsulation is the control field of 0x03 (unnumbered information).
Example 14-50. SSS Circuit Encapsulation for VLAN IP-IW Using AToM

New York#show sss circuits
Current SSS Circuit Information: Total number of circuits 4
[snip]
Common Circuit ID 0     Serial Num 3     Switch ID 18796912
---------------------------------------------------------------------------
Status  Encapsulation
UP flg  len  dump
Y  AES  18   FFFFFFFF FFFF000C CF552408 81000002 0800
Y  AES  0
!Output omitted for brevity
New York#
To reiterate, the show sss circuits command in the New York PE illustrates the encapsulations that are local to this PE router and does not show the remote Frame Relay encapsulation. In IP IW, only raw IP packets are transmitted over the pseudowire; therefore, the VLAN side should show a complete 18-byte VLAN rewrite.
When you compare the VLAN encapsulation for both bridged and routed IW, you see the following:

Bridged: The encapsulation is only 4 bytes and includes the 802.1q header only. This is because an Ethernet frame is received over the pseudowire, and adding the 802.1q header creates a complete VLAN frame.

Routed: The encapsulation is 18 bytes and includes the complete Layer 2 encapsulation, including Ethernet II and 802.1q headers. This is because an IP datagram is received over the pseudowire, so appending the 18-byte encapsulation creates a complete VLAN frame.
You can see that the encapsulation length is 18 bytes and is composed of the following:

- The first 6 bytes are the destination MAC address, where 0xFFFFFFFFFFFF is a broadcast Ethernet address, meaning that the PE has not yet learned the CE's MAC address. This MAC address is changed to the actual value after it is learned.
- The next 6 bytes are the source MAC address.
- The next 4 bytes are the VLAN tag, including the following:
  - VLAN etype of 0x8100
  - CoS and CFI of 0
  - VLAN ID of 2 as configured

Figure 14-16 shows the encapsulation added in both SanFran and New York PEs for this scenario. The fields in gray represent the rewrite that has been described verbally.
New York#show sss circuits
Common Circuit ID 0 Serial Num 2 Switch ID 18797112
---------------------------------------------------------------------------
Status       Encapsulation
UP flg len dump
Y AES   4  81000002
Y AES  28  45000000 00000000 FF73A5F7 0A0000CB 0A0000C9 000058FB 00000000
New York#
The local encapsulations to the New York PE router are VLAN toward the attachment circuit and L2TPv3 toward the PSN. The attachment circuit side is equivalent to the previous encapsulation scenario 1. Because this is bridged IW and Ethernet frames are received over the pseudowire, no other encapsulation is needed.

However, the PSN side that uses L2TPv3 is new and shows an encapsulation length of 28 bytes, consisting of the following:
- 20 bytes of IPv4 header, including the following:
  - Version 4, Header length 5 32-bit words
  - Protocol 115 (0x73) for L2TPv3
  - Source address 10.0.0.203
  - Destination address 10.0.0.201
- 4 bytes of L2TPv3 Session Header (0x000058FB): 32-bit Session ID of 22779
- 4 bytes of L2-Specific Sublayer (sequencing was configured):
  - Sequence bit clear
  - Sequence number cleared
Note

You can also display the L2TPv3 encapsulation by using the show adjacency detail command in the pseudowire IP adjacency.
An Ethernet frame is encapsulated. After you complete the two empty fields, such as DSCP in the IP header and sequencing information in the L2-Specific Sublayer, you can send the L2TPv3 packet toward the PSN.
Encapsulation 4: Frame Relay-to-PPP IP-IW Using L2TPv3
This scenario presents the L2TPv3 Ethernet IW Case Study 14-5 from the SanFran and New
York PE routers. The discussion starts from the SanFran PE router, in which the local cross
connection is Frame Relay to L2TPv3 (see Example 14-52).
New York#show sss circuits
Current SSS Circuit Information: Total number of circuits 4
!Output omitted for brevity
Common Circuit ID 0 Serial Num 4 Switch ID 18796712
---------------------------------------------------------------------------
Status       Encapsulation
UP flg len dump
Y AES   4  FF030021
Y AES  24  45000000 00000000 FF73A5F7 0A0000CB 0A0000C9 000058FA
!Output omitted for brevity
New York#
- Address of 0xFF
- Control of 0x03
- PPP DLL protocol number of 0x0021 for IPv4
Prepending this encapsulation to an IP packet that is received over the pseudowire creates a PPP frame to be sent out of the Serial 6/0 interface in the New York PE. The L2TPv3 side is equivalent to the analysis in the SanFran PE with mirror source and destination IP addresses and a different Session ID. The L2TPv3 encapsulation includes the following:
- 20 bytes of IPv4 header, including the following:
  - Version 4, Header Length 5 32-bit words
  - Protocol 115 (0x73) for L2TPv3
  - Source address 10.0.0.203, destination address 10.0.0.201
- 4 bytes of L2TPv3 Session Header (0x000058FA): 32-bit Session ID of 22778
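To check the field values that the two L2TPv3 encapsulation scenarios above walk through, here is an added Python decoder (my own code, not the book's or Cisco's) for the hex strings in the "dump" column of show sss circuits: the 4-byte 802.1q tag, the 4-byte PPP header, the 18-byte Ethernet II + 802.1q rewrite of routed IW, and the 24- or 28-byte IPv4 + L2TPv3 header. The dumps are the ones printed on the page except the 18-byte routed-IW sample, whose source MAC and inner EtherType are constructed; it also verifies the IPv4 header checksum that the dump carries.

```python
"""Added example (not from the book): decode the encapsulation strings that
`show sss circuits` prints in its "dump" column for the scenarios above.
The 18-byte routed-IW sample uses a constructed source MAC and EtherType;
every other hex string is copied from the dumps shown in the text."""
import struct
from ipaddress import IPv4Address

L2TPV3_PROTOCOL = 115          # IP protocol 0x73
VLAN_TPID = 0x8100
PPP_ADDRESS, PPP_CONTROL = 0xFF, 0x03

# Dumps printed by the New York PE in the text (Encapsulation 3 and 4)
NEWYORK_VLAN_AC = "81000002"
NEWYORK_L2TPV3_SEQ = "45000000 00000000 FF73A5F7 0A0000CB 0A0000C9 000058FB 00000000"
NEWYORK_PPP_AC = "FF030021"
NEWYORK_L2TPV3 = "45000000 00000000 FF73A5F7 0A0000CB 0A0000C9 000058FA"
# Constructed 18-byte routed-IW rewrite: broadcast dst, made-up src MAC,
# VLAN 2 as configured, inner EtherType 0x0800 (IPv4) assumed
ROUTED_IW_SAMPLE = "FFFFFFFFFFFF 000000000001 81000002 0800"


def ipv4_header_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over a 20-byte IPv4 header
    (the checksum field itself must be zeroed by the caller)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_psn_encapsulation(dump: str) -> dict:
    """Decode the PSN rewrite: 20-byte IPv4 header, 4-byte L2TPv3 Session
    Header, and an optional 4-byte default L2-Specific Sublayer that is
    present only when sequencing was configured (28 bytes instead of 24)."""
    data = bytes.fromhex(dump.replace(" ", ""))
    if len(data) not in (24, 28):
        raise ValueError(f"expected 24 or 28 bytes, got {len(data)}")
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    if proto != L2TPV3_PROTOCOL:
        raise ValueError(f"IP protocol {proto} is not L2TPv3")
    zeroed = data[:10] + b"\x00\x00" + data[12:20]
    fields = {
        "version": ver_ihl >> 4,
        "ihl_words": ver_ihl & 0x0F,
        # total length and identification are 0 in the stored rewrite;
        # like the empty DSCP field they are completed per packet
        "total_length": total_len,
        "identification": ident,
        "ttl": ttl,
        "protocol": proto,
        "checksum_ok": ipv4_header_checksum(zeroed) == csum,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "session_id": struct.unpack("!I", data[20:24])[0],
        "l2_specific_sublayer": None,
    }
    if len(data) == 28:
        word = struct.unpack("!I", data[24:28])[0]
        # default L2-Specific Sublayer: x S x x x x x x + 24-bit sequence number
        fields["l2_specific_sublayer"] = {
            "sequence_bit": bool((word >> 30) & 1),
            "sequence_number": word & 0x00FFFFFF,
        }
    return fields


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _vlan_tag(raw: bytes) -> dict:
    tpid, tci = struct.unpack("!HH", raw)
    if tpid != VLAN_TPID:
        raise ValueError(f"TPID 0x{tpid:04x} is not 802.1q")
    return {"etype": tpid, "cos": tci >> 13, "cfi": (tci >> 12) & 1,
            "vlan_id": tci & 0x0FFF}


def decode_ac_encapsulation(dump: str) -> dict:
    """Decode the attachment-circuit rewrite: a bare 802.1q tag (bridged IW),
    Ethernet II + 802.1q (routed IW), or a PPP header (Frame Relay-to-PPP)."""
    data = bytes.fromhex(dump.replace(" ", ""))
    if len(data) == 4 and data[0] == PPP_ADDRESS and data[1] == PPP_CONTROL:
        return {"type": "ppp", "address": data[0], "control": data[1],
                "protocol": struct.unpack("!H", data[2:4])[0]}
    if len(data) == 4:
        return {"type": "vlan", **_vlan_tag(data)}
    if len(data) == 18:
        return {"type": "ethernet_vlan",
                "dst_mac": _mac(data[:6]), "src_mac": _mac(data[6:12]),
                "broadcast_dst": data[:6] == b"\xff" * 6,   # CE MAC not learned yet
                **_vlan_tag(data[12:16]),
                "ethertype": struct.unpack("!H", data[16:18])[0]}
    raise ValueError(f"unrecognised {len(data)}-byte rewrite")
```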
Figure 14-17 shows the encapsulations added in both the SanFran and New York PEs for this scenario in addition to the L2TPv3 encapsulation added to the carried PDU. The fields in gray represent the rewrite that has been described verbally.
some of the chapter's case studies.
Like other Layer 2 VPN architectures, customer edge (CE) routers are connected through provider edge (PE) routers and pseudowires, but they no longer have the point-to-point peering relationship. Instead, VPLS enables CE routers to communicate with one another as if they were attached to a common LAN.

Interestingly, pseudowires that are used in VPLS are the same type of pseudowire as that used in the point-to-point Layer 2 VPN architectures. The point-to-point versus multipoint behavior is determined by the data packet forwarding behaviors of a given Layer 2 VPN architecture. This also implies that the pseudowire encapsulation is orthogonal to the functionality that VPLS provides. In theory, both Multiprotocol Label Switching (MPLS) and L2TP pseudowires satisfy the forwarding requirements of VPLS. In reality, the rapid growth of MPLS network deployment drives the momentum behind the MPLS-based VPLS in terms of standardization activities and product implementations. Therefore, this chapter focuses on VPLS concepts and examples that involve MPLS pseudowires.

This chapter begins with an overview of VPLS that describes the service definitions, signaling protocols, and more importantly the concept of virtual switch and its data forwarding characteristics. Then it describes VPLS deployment issues of network topology, complexity, and scalability. VPLS configuration case studies conclude the chapter.
services by leveraging advanced MPLS features, such as traffic engineering.
The inherent broadcast nature of Ethernet makes it easy for networked devices to discover one another. VPLS extends that broadcast capability to the reach that is possible only with a WAN infrastructure. In VPLS, end users perceive that the network devices are connected directly to a common LAN segment, which is in fact an emulated LAN created by VPLS, also known as a VPLS domain.

Figure 15-1 shows the VPLS network reference model, where PE devices act as virtual switches such that CE routers of a particular VPLS domain appear to be on a single bridged Ethernet network. CE routers can connect to PE routers either through direct links or through an access network.
Layer 2 VPN is based on a point-to-point architecture. With VPLS, packets are no longer forwarded based on the one-to-one mapping between an attachment circuit and a pseudowire on a PE router. Rather, a PE router uses a Layer 2 forwarding table to determine the outgoing paths based on the destination MAC addresses. A Layer 2 forwarding table is populated dynamically with MAC addresses and next-hop interfaces through the learning process. The next few sections explain the types of service that VPLS provides, protocol signaling, and packet forwarding behaviors.
Service Definitions

VPLS offers two types of service:

- Transparent LAN Service (TLS)
- Ethernet Virtual Connection Service (EVCS)
The services are differentiated by the way that MAC addresses are learned and the way that bridging protocol data units (BPDU) are processed. TLS performs unqualified learning, in which all customer VLANs of a Layer 2 VPN are treated as if they were in the same broadcast domain. Source MAC addresses are learned and forwarding entries are populated in the same Layer 2 forwarding table regardless of whether they are tagged or untagged. This means that MAC addresses have to be unique among all customer VLANs. Overlapping MAC addresses can cause confusion in the Layer 2 forwarding table and result in loss of customer packets.
Besides tagged and untagged Ethernet packets, a PE router that provides TLS also forwards BPDUs that it receives from the CE-facing interface to other interfaces or pseudowires without processing. Such transparency in BPDU forwarding makes the CE routers perceive that they are connected directly through an Ethernet hub instead of through a series of virtual switches, which you learn more about in the next section. Virtual switches, like real physical switches, terminate and process BPDUs by default.

Figure 15-2 illustrates an example of TLS.

Figure 15-2. TLS Example
For customers who want to keep a separate broadcast domain for each VLAN, EVCS is a more
appropriate choice. In EVCS, the outer VLAN tag on the Ethernet packet differentiates one
customer VLAN instance from another. Each VLAN has its own MAC address space, which
allows qualified learning. In qualified learning, MAC addresses of different VLANs might overlap
with one another, and each VLAN has a separate Layer 2 forwarding table.
EVCS keeps the broadcast domain on a per-VLAN basis and does not extend the spanning tree
across the MPLS network. BPDU packets from CE routers are dropped or processed at PE
routers. In such cases, CE routers do not see each other directly in the spanning tree. Figure 15-3 shows an example of EVCS. Suppose that a VPLS customer has four sites that form two separate broadcast domains. CE1 and CE2 connect to the same PE router but belong to different broadcast domains. IEEE 802.1q VLAN encapsulation is used between the CE routers and PE router to separate the traffic of different broadcast domains.
Note

Virtual Switch
The bridge module in a virtual switch has the equivalent role of that in a physical Ethernet switch. It makes no distinction between the emulated LAN interface and any physical LAN interface in terms of bridging functions, such as MAC address learning and aging, and packet flooding. Besides the bridge module maintaining a forwarding table that maps MAC addresses to attachment circuits, it can run spanning-tree protocols on them.

A VFI has similar functionality to a bridge but performs bridging operations on pseudowires instead of attachment circuits. It maintains a forwarding table that maps MAC addresses to pseudowires. The forwarding table is populated through the MAC address learning process based on packets it receives on pseudowires. It never learns the MAC addresses of the packets it receives on attachment circuits.
Note

In some literature, virtual switching instance (VSI) is used in place of VFI. They are interchangeable terms.

Conceptually, the forwarding table of a bridge module and that of a VFI are different entities. In practice, VPLS implementations can choose either to create separate tables for each or combine them into a single table. Because the actual form of the data structures does not affect VPLS operations, this chapter assumes a single Layer 2 forwarding table for every VPLS domain for the sake of simplicity.
2. The virtual switch looks up the forwarding table using the destination MAC address and
determines the proper forwarding action. Unless a policy is in place to block this particular
packet, the forwarding action can be either broadcast or unicast.
Initially, the Layer 2 forwarding table does not include dynamically learned entries. When packets arrive on attachment circuits or pseudowires, MAC address learning takes place as part of the forwarding process. If the source MAC address is not present in the forwarding table, it is added to the table with the arriving attachment circuit or pseudowire as the outgoing interface. Also, an aging timer is started for the new forwarding entry. If the source MAC address is already in the forwarding table, no new entry is created, and the aging timer is refreshed so that an active MAC address is not flushed out prematurely.
Unlike Layer 3 forwarding, in which packets are dropped if no forwarding entry matches the Layer 3 destination address, VPLS employs a flooding process when the virtual switch receives a packet that has an unknown destination MAC address. The flooding process also applies to multicast and broadcast packets. Resembling that of a real bridge, VPLS flooding also has its distinct nuances that pertain to pseudowires. Depending on whether the packet is received on an attachment circuit or a pseudowire and whether Layer 2 split horizon is enabled, flooding can take different courses of action.
When a packet with an unknown destination MAC address arrives on an attachment circuit, it is flooded to all other attachment circuits and all pseudowires that are bound to the virtual switch. When Layer 2 split horizon is enabled on a pseudowire, packets that arrive on this pseudowire are flooded to all attachment circuits, but not to a pseudowire. When Layer 2 split horizon is disabled, packets are flooded to all other pseudowires and all attachment circuits that are bound to the virtual switch.
Layer 2 split horizon is a forwarding loop prevention mechanism specifically devised for VPLS traffic over pseudowires. When virtual switches of a VPLS domain are interconnected by a fully meshed network of pseudowires, you must enable Layer 2 split horizon on all pseudowires to prevent forwarding loops. Service providers typically do not run spanning-tree protocols over pseudowires. The "VPLS Deployment Models" section later in this chapter examines the correlations between split horizon and different deployment models.
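The learning and flooding rules described above, including what a full mesh without split horizon does to a single broadcast, as an added Python model (my own code, not the book's). The PE names, attachment circuit names and MAC addresses are made up; the hop limit in the simulation exists only to stop a loop that a real network would not stop.

```python
"""Added example (not from the book): a small model of the VPLS virtual
switch behaviour described above - MAC learning on attachment circuits
(ACs) and pseudowires (PWs), flooding of unknown unicast and broadcast,
Layer 2 split horizon on PWs, and qualified (EVCS) versus unqualified
(TLS) learning. Names such as PE1/ce1 and the MAC addresses are made up."""
from collections import deque
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vlan: Optional[int] = None   # outer 802.1q VLAN ID, None when untagged


class VirtualSwitch:
    def __init__(self, name, acs, split_horizon=True, qualified=False):
        self.name = name
        self.acs = list(acs)            # attachment circuit names
        self.pws = {}                   # pw name -> peer VirtualSwitch
        self.split_horizon = split_horizon
        self.qualified = qualified      # EVCS keeps a table per VLAN
        self.fdb = {}                   # key -> ("ac" | "pw", port name)

    def _key(self, frame, mac):
        # TLS (unqualified): one table for all VLANs, so MACs must be unique
        return (frame.vlan, mac) if self.qualified else mac

    def forward(self, frame, ingress):
        """Learn the source MAC, then return the egress ports for the frame."""
        self.fdb[self._key(frame, frame.src)] = ingress
        entry = self.fdb.get(self._key(frame, frame.dst))
        if frame.dst != BROADCAST and entry is not None:
            egress = [entry]                                   # known unicast
        else:                                                  # flood
            egress = [("ac", a) for a in self.acs] + [("pw", p) for p in self.pws]
        egress = [e for e in egress if e != ingress]           # never back out
        if ingress[0] == "pw" and self.split_horizon:
            # split horizon: traffic from a PW goes to ACs only, never to
            # another PW of the same virtual switch (assumed for all traffic)
            egress = [e for e in egress if e[0] == "ac"]
        return egress


def connect_full_mesh(switches):
    """One PW between every pair of virtual switches (N * (N - 1) / 2 PWs)."""
    for a in switches:
        for b in switches:
            if a is not b:
                a.pws[f"pw-{a.name}-{b.name}"] = b


def simulate(switch, ac, frame, max_hops=3):
    """Inject a frame on an AC and propagate it across the domain.
    Returns the list of (switch, AC) deliveries and how many copies were
    still circulating over PWs when the hop limit cut them off."""
    deliveries, cut_off = [], 0
    queue = deque([(switch, ("ac", ac), 0)])
    while queue:
        sw, ingress, hops = queue.popleft()
        for kind, port in sw.forward(frame, ingress):
            if kind == "ac":
                deliveries.append((sw.name, port))
            elif hops + 1 > max_hops:
                cut_off += 1             # a real network would loop forever
            else:
                peer = sw.pws[port]
                queue.append((peer, ("pw", f"pw-{peer.name}-{sw.name}"), hops + 1))
    return deliveries, cut_off


def broadcast_demo(split_horizon):
    """Three PEs in a full mesh; ce1 sends one broadcast, then ce2 replies."""
    pes = [VirtualSwitch(n, [ac], split_horizon)
           for n, ac in (("PE1", "ce1"), ("PE2", "ce2"), ("PE3", "ce3"))]
    connect_full_mesh(pes)
    pe1, pe2, _ = pes
    flood, cut_off = simulate(pe1, "ce1", Frame("00:00:00:00:00:01", BROADCAST))
    # PE2 has now learned ce1's MAC: the reply is a known unicast over one PW
    reply, _ = simulate(pe2, "ce2", Frame("00:00:00:00:00:02", "00:00:00:00:00:01"))
    return {"flood": flood, "cut_off": cut_off, "reply": reply,
            "pe2_learned": pe2.fdb["00:00:00:00:00:01"]}


def learning_demo(qualified):
    """Same MAC seen in two customer VLANs on one PE: TLS overwrites the
    entry (the confusion the text warns about), EVCS keeps both."""
    pe = VirtualSwitch("PE", ["ce-a", "ce-b"], qualified=qualified)
    pe.forward(Frame("00:00:00:00:00:aa", BROADCAST, vlan=10), ("ac", "ce-a"))
    pe.forward(Frame("00:00:00:00:00:aa", BROADCAST, vlan=20), ("ac", "ce-b"))
    return dict(pe.fdb)
```

With split_horizon=False the broadcast comes back to the originating ce1 and copies keep circulating between the PEs until the hop limit stops them; with it enabled every other CE receives exactly one copy.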
VPLS Signaling
Chapter 2, "Pseudowire Emulation Framework and Standards," explained two MPLS pseudowire emulation frameworks, known as draft-martini and draft-kompella, in the context of point-to-point Layer 2 VPN architectures. Each architecture defines a signaling protocol to establish and manage pseudowires. Just as the networking community debates which signaling protocol is superior in the point-to-point Layer 2 VPN architectures, a similar debate arose when VPLS debuted as a multipoint Layer 2 VPN architecture. The two competing proposals that were made to the networking community are based on the same ideas as in draft-martini and draft-kompella, where one is based on Label Distribution Protocol (LDP) and the other is based on Border Gateway Protocol (BGP). Despite being applied to a new architecture like VPLS, the fundamental property of each protocol still remains.
The LDP-based VPLS solution, like its point-to-point counterpart, receives much wider acceptance in terms of vendor implementation and network deployment. The VPLS solution that Cisco IOS offered is an LDP-based solution.

To comprehend the details of the BGP-based VPLS solution, refer to the relevant documents of the Layer 2 VPN working group at the IETF web site (http://www.ietf.org). This chapter focuses on the LDP-based VPLS solution and its deployment scenarios. Note that both solutions have the same data forwarding specifications despite the difference in signaling.

First, a targeted LDP session is created between each pair of PE routers that participate in a given VPLS domain. In a full-mesh deployment model, N * (N - 1) / 2 LDP sessions need to be established, where N is the number of PE routers participating in VPLS. These LDP sessions can be shared among different VPLS domains. In other words, you can use a single LDP session between a pair of PE routers to establish pseudowires for all VPLS domains that are provisioned on the PE routers.
After LDP sessions are established among participating PE routers, the next step is to create pseudowires to interconnect the virtual switches. Again, in a full-mesh deployment model, each VPLS domain requires N * (N - 1) / 2 pseudowires throughout the network, where N is the number of virtual switches.
Note

Compared to point-to-point Layer 2 VPNs, deploying multipoint Layer 2 VPNs that are built on the VPLS architecture is far more complicated. One of the reasons is that a point-to-point Layer 2 VPN resembles a traditional Frame Relay- or ATM-based network in areas such as topologies and forwarding characteristics. For this reason, it is natural to overlap a point-to-point Layer 2 VPN on top of the WAN-based core network.
LAN services, as the name suggests, are designed for networks that are confined to a local or metropolitan area. One fundamental assumption that many LAN services make is that plenty of cheap bandwidth is available in the local or metro-area network (MAN). Many LAN services also rely on broadcasting and flooding to function properly. Despite the phenomenal growth in building high-speed network infrastructures, WAN bandwidth has always been one of the most expensive pieces in the overall network cost. Without carefully engineered VPLS deployment, new VPLS services will not be the only ones to suffer. Broadcast storms seen in a LAN environment can propagate to the multiservice backbone and affect other non-VPLS services. This section examines a few deployment issues, with considerations to loop-free forwarding, broadcast traffic, and scalability.
Basic Topologic Models

Full Mesh

The simplicity of a hub-and-spoke model makes it an attractive choice for small VPLS deployment. Realize, though, that the hub PE router is a single point of failure. Because all traffic has to go through the hub PE router, the router requires ample processing power to relay and flood packets across pseudowires.
Partial Mesh
Reduce
costs
extend
the
of your
servicesforwarding
by unifyinginyour
The most flexible topologic
model
is and
partial
mesh.
Toreach
guarantee
loop-free
an
network
architecture
arbitrary partial-mesh model, you need to run spanning-tree protocols on pseudowires
throughout the backbone. Spanning-tree protocols are typically chatty and take a considerable
Gain from the first book to address Layer 2 VPN application utilizing
amount of expensive WAN bandwidth. In addition, deploying spanning-tree protocols in a largeboth ATOM and L2TP protocols
scale network is always a great challenge. Network design considerations such as root bridge
selection, redundancy, and load balancing are highly complex, which means they are more
Review strategies that allow large enterprise customers to enhance
vulnerable to configuration and operation mistakes. Service providers typically do not deploy a
their service offerings while maintaining routing control
partial-mesh model because they want to avoid running spanning-tree protocols in the core
network.
Hierarchical VPLS

Aiming at having the benefits of both basic topologic models while mitigating their problems, a hybrid between the full-mesh and hub-and-spoke models is now available, known as hierarchical VPLS. A hierarchical VPLS consists of a top tier and a bottom tier. Depending on the type of network that is deployed at the bottom tier, hierarchical VPLS comes in two forms:

- Hierarchical VPLS with MPLS access network
- Hierarchical VPLS with QinQ access network

Hierarchical VPLS with MPLS Access Network

As shown in Figure 15-5, for a given VPLS domain, virtual switches in the top tier are fully meshed through pseudowires. Each virtual switch in the bottom tier has exactly one pseudowire that connects to a top-tier virtual switch, which is effectively a hub-and-spoke model. This form of hierarchical VPLS is known as hierarchical VPLS with MPLS access. PE routers in the top tier and bottom tier are also known as network-facing PE (N-PE) routers and user-facing PE (U-PE) routers, respectively. To ensure loop-free forwarding, an N-PE router must enable Layer 2 split horizon on all pseudowires that connect to other N-PE routers and disable split horizon on all pseudowires that connect to U-PE routers. On an N-PE router, packets are forwarded to other pseudowires only if they arrive on a pseudowire that connects a U-PE router. Packets that arrive on a pseudowire that connects an N-PE router can be forwarded to pseudowires that connect to U-PE routers only.
Hierarchical VPLS with QinQ Access Network

Hierarchical VPLS has an alternate form that uses Ethernet QinQ tunnels between U-PE and N-PE routers, as depicted in Figure 15-6. It is also known as hierarchical VPLS with QinQ access. Instead of a pseudowire, you can use an Ethernet QinQ tunnel between a U-PE router and an N-PE router. Despite the absence of pseudowires in the bottom tier, the overall bridging architecture is still based on two logically separated layers, where an N-PE router forwards packets to pseudowires that connect to other N-PE routers only if they arrive on QinQ tunnels that connect to U-PE routers. The hierarchical VPLS models significantly reduce the total number of signaling sessions and pseudowires; therefore, they improve network scalability and performance. The scalability benefit also surfaces when you add or relocate a PE router. If the object is an N-PE router, you need to reconfigure only other N-PE routers. If the object is a U-PE router, you need to reconfigure only the attached N-PE router.

Figure 15-6. Hierarchical VPLS with QinQ Access
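The N-PE forwarding rule described in the last two sections (pseudowires from U-PE routers flood everywhere, pseudowires from other N-PE routers reach U-PE attachments only) can be exercised with a small model. This is an added example, not code from the book: the HVPLS and Link classes, flood() and the three-N-PE topology are constructed for illustration.

```python
"""Hierarchical VPLS forwarding model (added example; not from the book).

An N-PE floods a frame that arrives from a U-PE (pseudowire or QinQ tunnel)
to every other attachment, including the N-PE full mesh, but forwards a frame
that arrives from another N-PE to U-PE attachments only. Names such as HVPLS,
Link and flood are this example's own; the topology is constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    kind: str  # "mesh": N-PE to N-PE pseudowire (split horizon enabled)
               # "access": U-PE to N-PE pseudowire or QinQ tunnel (disabled)

    def other(self, node):
        return self.b if node == self.a else self.a


@dataclass
class HVPLS:
    npes: set
    upes: set
    links: list = field(default_factory=list)

    def connect(self, a, b, kind):
        self.links.append(Link(a, b, kind))

    def links_of(self, node):
        return [link for link in self.links if node in (link.a, link.b)]

    def egress_links(self, npe, ingress, split_horizon=True):
        """Links an N-PE forwards to for a frame that arrived on `ingress`."""
        out = []
        for link in self.links_of(npe):
            if link is ingress:
                continue
            if split_horizon and ingress.kind == "mesh" and link.kind == "mesh":
                continue  # split horizon: never back into the N-PE mesh
            out.append(link)
        return out

    def flood(self, src_upe, split_horizon=True):
        """Flood one unknown-destination frame from src_upe.

        Returns (copies, looped): copies counts deliveries per node; looped is
        True if a link carried the frame in the same direction twice, which is
        a bridging loop. U-PEs are leaves (one attachment) and do not forward.
        """
        copies, traversed, looped = {}, set(), False
        queue = [(link, src_upe) for link in self.links_of(src_upe)]
        while queue:
            link, sender = queue.pop(0)
            if (link, sender) in traversed:
                looped = True  # the frame came round again; stop this branch
                continue
            traversed.add((link, sender))
            node = link.other(sender)
            copies[node] = copies.get(node, 0) + 1
            if node in self.npes:
                for out in self.egress_links(node, link, split_horizon):
                    queue.append((out, node))
        return copies, looped


def build_example():
    """Constructed topology: three fully meshed N-PEs, four U-PEs."""
    net = HVPLS(npes={"N1", "N2", "N3"}, upes={"U1", "U2", "U3", "U4"})
    for a, b in (("N1", "N2"), ("N1", "N3"), ("N2", "N3")):
        net.connect(a, b, "mesh")
    net.connect("U1", "N1", "access")  # MPLS access: pseudowire to the N-PE
    net.connect("U4", "N1", "access")
    net.connect("U2", "N2", "access")  # QinQ access is treated the same way
    net.connect("U3", "N3", "access")
    return net


def compare():
    """Flood from U1 with split horizon enforced and with it disabled."""
    net = build_example()
    good, good_loop = net.flood("U1", split_horizon=True)
    bad, bad_loop = net.flood("U1", split_horizon=False)
    return {"good": good, "good_loop": good_loop, "bad": bad, "bad_loop": bad_loop}


if __name__ == "__main__":
    result = compare()
    print("split horizon on :", result["good"], "loop:", result["good_loop"])
    print("split horizon off:", result["bad"], "loop:", result["bad_loop"])
```

With split horizon enforced every other node receives exactly one copy; with it disabled the frame circulates through the mesh and even returns to the U-PE that sent it.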
Like point-to-point Layer 2 VPN architectures, you can deploy VPLS in an inter-autonomous system (AS) or multidomain environment using a hierarchical model. In their simplest form, the peering VPLS PE routers of different administrative domains operate in such a fashion that each PE router treats itself as an N-PE router, and treats the peering PE as a U-PE router in the hierarchical model.

VPLS Redundancy

In the hierarchical VPLS model, an N-PE router can still be a single point of failure for attached U-PE routers. To solve this problem, each U-PE can connect to multiple N-PE routers through redundant pseudowires or QinQ tunnels. This method for providing redundancy is also known as multihoming. In this case, Layer 2 split horizon alone is no longer sufficient for providing loop-free forwarding. You need to enable spanning-tree protocols between U-PE and N-PE routers.

In Metro Ethernet deployment, you can view each metro area as an island in which U-PE and N-PE routers are closely located and are connected through a LAN. You can view VPLS as a collection of islands interconnected by pseudowires. When you confine spanning-tree protocols within individual islands, each island becomes a separate spanning-tree domain whose boundary stays within the LAN, and the core network does not suffer bridging-protocol-related problems such as bandwidth inefficiency, operation complexity, and other drawbacks.

When a U-PE router multihomes with N-PE routers, you must enable spanning-tree protocols on the U-PE router for all the pseudowires or QinQ tunnels that exist between the U-PE and N-PE routers. However, an N-PE router can choose whether to participate in spanning-tree protocols. If it does, it behaves like an Ethernet bridge that exchanges and processes BPDUs with U-PE and other N-PE routers of the same island. If it does not, it acts as an Ethernet hub that simply relays BPDUs without processing. In the next section, a case study shows how to achieve VPLS redundancy using multihoming.
This section describes how to configure VPLS on a Cisco router. The case studies that are commonly seen in Metro Ethernet deployment, which are by no means exhaustive, can help you further understand the Cisco VPLS solution. Configuration examples in this section are based on the Cisco 7600 series router. Refer to Cisco.com to obtain the information on the latest platform and hardware support.
tag. Such independence allows service providers to offer multiple value-added services to a single VPLS customer using the same physical connection. Currently, this provisioning model is available only on interfaces of high-end intelligent access line cards.

modes. The following list recaps how each mode is used in normal bridging applications:

- access: The interface sends and accepts untagged Ethernet packets only. Tagged Ethernet VLAN packets are dropped.
- trunk: The interface sends and receives tagged Ethernet VLAN packets and native VLAN packets.
- dot1q-tunnel: Any packet, tagged or untagged, is forwarded through a QinQ tunnel. A QinQ tunnel is identified by the access VLAN tag that is configured on the Layer 2 switchport interface. The access VLAN tag is added to the packet at the ingress tunnel interface and removed at the egress tunnel interface, which means that the VLAN tags must be identical at both interfaces for a given QinQ tunnel.

In VPLS, the switchport modes work in a similar fashion from an end user's perspective, but some of the internal operations vary slightly.

The following configuration steps highlight how service-delimiting VLAN tags and internal VLAN tags are used in each switchport mode.

Configuring the Access Mode

The access mode in VPLS is identical to that in normal bridging. Only untagged Ethernet packets are sent and received on the Layer 2 switchport interface, and the Ethernet header is sent over the pseudowire unmodified because no service-delimiting VLAN tag exists. You can configure the access mode as follows:
Step 1. Configure the interface as a switchport:

VPLS-PE1(config)#interface FastEthernet 4/3
VPLS-PE1(config-if)#switchport
VPLS-PE1(config-if)#

Step 2. Configure the switchport for access mode:

VPLS-PE1(config-if)#switchport mode access
VPLS-PE1(config-if)#

Step 3. Assign the Layer 2 switchport interface to a bridge domain, which is represented by an internal VLAN tag:

VPLS-PE1(config-if)#switchport access vlan 2
VPLS-PE1(config-if)#

The interface configuration after these steps is shown in Example 15-1.

Example 15-1.

interface FastEthernet4/3
 no ip address
 switchport
 switchport access vlan 2
 switchport mode access
Configuring the Trunk Mode

When you configure a Layer 2 switchport interface as trunk mode in VPLS, the VLAN tag maps packets received from a CE router to a bridge domain. In other words, the VLAN tag in the customer traffic is considered the service-delimiting VLAN tag. A Layer 2 switchport interface does not support a configurable service-delimiting VLAN tag; therefore, the service-delimiting VLAN tag has to match the internal VLAN tag of the bridge domain for a given VPLS customer. Because the trunk mode supports multiple VLAN tags, traffic of different VPLS customers can be sent and received over a Layer 2 switchport interface.

In trunk mode, a PE router removes the service-delimiting VLAN tag on the Ethernet header before applying the pseudowire encapsulation. For the opposite direction, a PE applies the internal VLAN tag to the Ethernet header after the pseudowire encapsulation is removed from the pseudowire packet. Use the following steps to configure the trunk mode on a Layer 2 switchport interface:
Step 1. Configure the interface as a switchport:

VPLS-PE1(config)#interface FastEthernet 4/3
VPLS-PE1(config-if)#switchport
VPLS-PE1(config-if)#

Step 2. Configure the interface to use 802.1q VLAN encapsulation:

VPLS-PE1(config-if)#switchport trunk encapsulation dot1q
VPLS-PE1(config-if)#

Step 3. (Optional) Assign a list of VLANs allowed on this trunk, such as VLAN 2 to VLAN 10:

VPLS-PE1(config-if)#switchport trunk allowed vlan 2-10
VPLS-PE1(config-if)#

Step 4.

Example 15-2 shows the interface configuration after you complete the steps for the trunk mode.

Example 15-2.

interface FastEthernet4/3
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2-10
 switchport mode trunk
Configuring dot1q-tunnel Mode

QinQ tunneling is an Ethernet native tunneling mechanism that stacks VLAN tags together in a similar fashion to MPLS labels. The outer VLAN tag that is added at the tunnel ingress interface is the access VLAN tag that is configured on the Layer 2 switchport interface. The purpose of the outer VLAN tag is similar to that of the tunnel label in an MPLS-encapsulated pseudowire packet: the outer VLAN tag forwards the packet from the ingress tunnel endpoint to the egress tunnel endpoint and hides the inner VLAN tag from the transit network. In VPLS, the transit network is an MPLS network, and a tunnel label is used to move packets from the LSP ingress endpoint to the egress endpoint. Because the function of an outer VLAN tag is effectively replaced by an MPLS tunnel label, the outer VLAN tag is no longer added to the Ethernet header when the Layer 2 switchport interface is configured as dot1q-tunnel mode. That is the main difference in the way dot1q-tunnel mode operates in VPLS versus normal bridging.

The following is an example of configuring a Layer 2 switchport interface as dot1q-tunnel mode:

VPLS-PE1(config-if)#switchport mode dot1q-tunnel
VPLS-PE1(config-if)#

Step 3. Assign the Layer 2 switchport interface to a bridge domain, which is represented by an internal VLAN tag:

VPLS-PE1(config-if)#switchport access vlan 2
VPLS-PE1(config-if)#

The interface configuration for dot1q-tunnel mode is shown in Example 15-3.
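The three switchport modes differ only in what the PE does to the VLAN tags at the attachment circuit, so the behaviour described in these three sections can be written down as a small model. This is an added example, not code from the book: Frame, Switchport, ingress(), egress() and forward() are this example's own names, and the PE3_ACCESS and PE4_TRUNK ports mirror the access port in internal VLAN 8 and the trunk with service-delimiting VLAN 10 used in the configuration example later in this chapter.

```python
"""Switchport-mode tag handling on a VPLS attachment circuit (added example;
not code from the book). Models how service-delimiting and internal VLAN tags
are treated in access, trunk and dot1q-tunnel modes, with normal bridging for
contrast in dot1q-tunnel mode. Frame, Switchport, ingress() and egress() are
this example's own names, not IOS features; every frame here is constructed.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    tags: Tuple[int, ...] = ()  # VLAN tag stack, outermost first; () = untagged


@dataclass(frozen=True)
class Switchport:
    mode: str                            # "access" | "trunk" | "dot1q-tunnel"
    access_vlan: int = 1                 # switchport access vlan N
    allowed_vlans: Tuple[int, ...] = ()  # switchport trunk allowed vlan ...


def ingress(port: Switchport, frame: Frame, vpls: bool = True) -> Optional[Tuple[int, Frame]]:
    """CE-facing ingress: returns (bridge domain, frame as sent into the core)
    or None if the frame is dropped. The bridge domain is the internal VLAN."""
    if port.mode == "access":
        if frame.tags:
            return None                 # tagged frames are dropped
        return port.access_vlan, frame  # header goes over the pseudowire unmodified
    if port.mode == "trunk":
        if not frame.tags:
            return None  # native-VLAN handling is not covered above; dropped here
        svc_tag = frame.tags[0]         # the customer tag is the service-delimiting tag
        if port.allowed_vlans and svc_tag not in port.allowed_vlans:
            return None
        # The service-delimiting tag equals the internal VLAN of the bridge
        # domain and is removed before pseudowire encapsulation.
        return svc_tag, replace(frame, tags=frame.tags[1:])
    if port.mode == "dot1q-tunnel":
        if vpls:
            # VPLS: the MPLS tunnel label takes over the outer tag's job, so the
            # access VLAN only selects the bridge domain; the frame is unchanged.
            return port.access_vlan, frame
        # Normal bridging: push the access VLAN as the outer (QinQ) tag.
        return port.access_vlan, replace(frame, tags=(port.access_vlan,) + frame.tags)
    raise ValueError(f"unknown switchport mode {port.mode!r}")


def egress(port: Switchport, bridge_domain: int, frame: Frame, vpls: bool = True) -> Frame:
    """CE-facing egress after the pseudowire encapsulation has been removed."""
    if port.mode == "trunk":
        # Re-apply the internal VLAN tag of this PE's bridge domain.
        return replace(frame, tags=(bridge_domain,) + frame.tags)
    if port.mode == "dot1q-tunnel" and not vpls:
        # Normal bridging pops the outer (access VLAN) tag at the tunnel egress.
        if not frame.tags or frame.tags[0] != port.access_vlan:
            raise ValueError("outer tag does not match the tunnel's access VLAN")
        return replace(frame, tags=frame.tags[1:])
    return frame  # access, and dot1q-tunnel in VPLS: nothing to add or remove


def forward(in_port: Switchport, frame: Frame, out_port: Switchport,
            out_vlan: int, vpls: bool = True) -> Optional[Frame]:
    """One CE-to-CE pass through a VPLS: ingress PE, pseudowire, egress PE.
    out_vlan is the egress PE's internal VLAN for the same VFI (its Vlan
    interface with 'xconnect vfi'); internal VLANs are local to each PE."""
    hit = ingress(in_port, frame, vpls)
    if hit is None:
        return None
    _bridge_domain, core_frame = hit
    return egress(out_port, out_vlan, core_frame, vpls)


# Constructed ports modelled on the configuration example in this chapter:
# a trunk whose service-delimiting VLAN is 10 and an access port in VLAN 8.
PE4_TRUNK = Switchport("trunk", allowed_vlans=(10,))
PE3_ACCESS = Switchport("access", access_vlan=8)

if __name__ == "__main__":
    print(forward(PE4_TRUNK, Frame("CE4", "CE3", tags=(10,)), PE3_ACCESS, 8))
    print(forward(PE3_ACCESS, Frame("CE3", "CE4"), PE4_TRUNK, 10))
```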
Step 1.

The keyword manual indicates that you will enter the peering relationship with remote PE routers manually.

Step 2. Configure a VPN ID for the VFI:

VPLS-PE1(config-vfi)#vpn id 100
VPLS-PE1(config-vfi)#

The VPN ID is configured in the form of an unsigned integer. The range of values is from 1 to 4294967295, or 0xFFFFFFFF in hex.

Step 3.

VPLS-PE1(config-vfi)#neighbor 10.0.0.2 encapsulation mpls
VPLS-PE1(config-vfi)#

Step 4. Repeat Step 3 for every peering PE router.

Note
Interfaces in access and dot1q-tunnel mode use the command switchport access vlan to specify the bridge domain explicitly. Those in trunk mode use the service-delimiting VLAN tags instead.

You can view a VLAN interface as a virtual interface representation of a bridge domain. By associating the VFI under the VLAN interface configuration mode, the many-to-many association is finally accomplished. To configure the VFI under a VLAN interface, use the following steps:

Step 1. Create or access a VLAN interface, also known as a switched virtual interface:

VPLS-PE1(config)#interface vlan 2
VPLS-PE1(config-if)#

Note that the VLAN ID needs to be identical to the service-delimiting VLAN tag when using Layer 2 switchport trunk mode. Otherwise, it can be the tag value of an unused VLAN.

Step 2.

You must have a valid VFI configured before this command can be accepted.

The next section shows the complete configuration example and ways to verify whether it is working.
Configuration Example

With the basic VPLS configuration building blocks, network operators can construct fairly sophisticated multipoint Layer 2 VPNs. Figure 15-7 shows an example of a full-mesh VPLS Layer 2 VPN with four CE routers of the same VPLS customer.

Figure 15-7. VPLS Configuration Example

To illustrate the flexibility of how you can connect CE devices, the configuration example uses different switchport modes and service-delimiting VLAN tags on each PE router as follows:

- CE3 sends and receives untagged Ethernet packets, that is, null service-delimiting VLAN tags. PE2 configures the switchport mode as access to forward all untagged packets. The internal VLAN that is associated with the switchport is 8.
- CE4 sends and receives tagged Ethernet VLAN packets of which the service-delimiting VLAN tag is 10. PE4 configures the switchport mode as a trunk to remove or add the service-delimiting VLAN tag accordingly. The internal VLAN that is associated with the switchport is 10.

Example 15-5 shows the configuration on PE1.

Example 15-5. PE1 Configuration
hostname PE2
!
mpls label protocol ldp
mpls ldp logging neighbor-changes
mpls ldp router-id Loopback0
!
l2 vfi l2vpn manual
 vpn id 1
 neighbor 10.0.0.1 encapsulation mpls
 neighbor 10.0.0.3 encapsulation mpls
 neighbor 10.0.0.4 encapsulation mpls
!
interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
interface POS3/1
 ip address 10.0.2.1 255.255.255.252
 mpls ip
!
interface FastEthernet4/2
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 4
 switchport mode trunk
!
interface Vlan4
 no ip address
 xconnect vfi l2vpn
Example 15-7 shows the configuration on PE3.

!
interface FastEthernet4/2
 no ip address
 switchport
 switchport access vlan 8
 switchport mode access
!
interface Vlan8
 no ip address
 xconnect vfi l2vpn
Example 15-8. PE4 Configuration

hostname PE4
!
mpls label protocol ldp
mpls ldp logging neighbor-changes
mpls ldp router-id Loopback0
!
l2 vfi l2vpn manual
 vpn id 1
 neighbor 10.0.0.1 encapsulation mpls
 neighbor 10.0.0.2 encapsulation mpls
 neighbor 10.0.0.3 encapsulation mpls
!
interface Loopback0
 ip address 10.0.0.4 255.255.255.255
!
interface POS3/1
 ip address 10.0.4.1 255.255.255.252
 mpls ip
!
interface FastEthernet4/2
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10
 switchport mode trunk
!
interface Vlan10
 no ip address
 xconnect vfi l2vpn
You can examine the VFI using the command show vfi (see Example 15-9).
Router   MAC Address
CE1      000b.5fb5.0080
CE2      000b.5fad.e580
CE3      000b.5fb1.5780
CE4      000b.5fb1.5480
After full connectivity is established among all CE routers, every PE router should learn all MAC addresses from the CE routers. To verify the learning process on each PE router, use the command show mac-address-table vlan, as shown in Example 15-10.
Example 15-10. Verifying the Learning Process on Each PE Router

PE1#show mac-address-table vlan 2
Legend: * - primary entry
  vlan   mac address     type    learn     ports
------+----------------+-------+-----+----------------------
*    2  000b.5fb5.0080   dynamic  Yes   Fa4/2
*    2  000b.5fad.e580   dynamic  Yes
*    2  000b.5fb1.5780   dynamic  Yes
*    2  000b.5fb1.5480   dynamic  Yes

PE2#show mac-address-table vlan 4
Legend: * - primary entry
  vlan   mac address     type    learn     ports
------+----------------+-------+-----+----------------------
*    4  000b.5fb5.0080   dynamic  Yes
*    4  000b.5fad.e580   dynamic  Yes   Fa4/2
*    4  000b.5fb1.5780   dynamic  Yes
*    4  000b.5fb1.5480   dynamic  Yes

PE3#show mac-address-table vlan 8
Legend: * - primary entry
  vlan   mac address     type    learn     ports
------+----------------+-------+-----+----------------------
*    8  000b.5fb5.0080   dynamic  Yes
*    8  000b.5fad.e580   dynamic  Yes
*    8  000b.5fb1.5780   dynamic  Yes   Fa4/2
*    8  000b.5fb1.5480   dynamic  Yes
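The following check is an added example, not code from the book: it parses output in the format of Example 15-10 and reports which CE MAC addresses a PE has not learned in its bridge-domain VLAN. The two outputs are constructed samples (the second deliberately lacks CE4), the CE addresses are the ones from the table above, and treating a port name beginning with "Fa" or "Gi" as a local switchport is an assumption of the example.

```python
"""Per-PE MAC learning check for a VPLS bridge domain (added example, not
code from the book). Parses 'show mac-address-table vlan' output in the
format of Example 15-10 and reports CE MAC addresses a PE has not learned."""
import re

# CE router MAC addresses from the case study table.
CE_MACS = {
    "CE1": "000b.5fb5.0080",
    "CE2": "000b.5fad.e580",
    "CE3": "000b.5fb1.5780",
    "CE4": "000b.5fb1.5480",
}

# One table row, e.g. "*    2  000b.5fb5.0080   dynamic  Yes   Fa4/2".
_ROW = re.compile(
    r"^\*?\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\w+)\s+(?P<learn>Yes|No)(?:\s+(?P<port>\S+))?$",
    re.IGNORECASE,
)

def parse_mac_table(output):
    """Map each MAC in the output to (vlan, entry type, learn flag, port)."""
    entries = {}
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if m:
            entries[m["mac"].lower()] = (int(m["vlan"]), m["type"].lower(),
                                         m["learn"], m["port"])
    return entries

def check_learning(output, bridge_vlan, local_ce, expected=CE_MACS):
    """Return (missing, wrong_vlan, local_on_port) for one PE's output.

    missing       - CEs whose MAC is absent from the table
    wrong_vlan    - CEs learned in a VLAN other than the bridge domain's
    local_on_port - True when the locally attached CE was learned on a
                    switchport (assumed: port name starts with Fa or Gi)
    """
    table = parse_mac_table(output)
    missing = [ce for ce, mac in expected.items() if mac not in table]
    wrong_vlan = [ce for ce, mac in expected.items()
                  if mac in table and table[mac][0] != bridge_vlan]
    local = table.get(expected[local_ce])
    local_on_port = bool(local and local[3] and local[3].startswith(("Fa", "Gi")))
    return missing, wrong_vlan, local_on_port

# Constructed sample: PE1 has learned all four CEs in VLAN 2 (healthy).
PE1_OUTPUT = """\
PE1#show mac-address-table vlan 2
Legend: * - primary entry
  vlan   mac address     type    learn     ports
------+----------------+-------+-----+----------------------
*    2  000b.5fb5.0080   dynamic  Yes   Fa4/2
*    2  000b.5fad.e580   dynamic  Yes
*    2  000b.5fb1.5780   dynamic  Yes
*    2  000b.5fb1.5480   dynamic  Yes
"""

# Constructed sample: PE2 is missing CE4, as it would look if the
# pseudowire to PE4 were down or CE4 had not yet sent any traffic.
PE2_OUTPUT = """\
PE2#show mac-address-table vlan 4
Legend: * - primary entry
  vlan   mac address     type    learn     ports
------+----------------+-------+-----+----------------------
*    4  000b.5fb5.0080   dynamic  Yes
*    4  000b.5fad.e580   dynamic  Yes   Fa4/2
*    4  000b.5fb1.5780   dynamic  Yes
"""

if __name__ == "__main__":
    for name, out, vlan, ce in (("PE1", PE1_OUTPUT, 2, "CE1"),
                                ("PE2", PE2_OUTPUT, 4, "CE2")):
        print(name, check_learning(out, vlan, ce))
```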
To display the status of the pseudowires that interconnect the virtual switches, use the command show mpls l2transport vc on PE routers, as shown in Example 15-11.
Case Study 15-2: Per-VLAN MAC Address Limiting
Service providers are concerned that a rogue customer will take too much VPLS system and network resources and affect normal services for other customers. One of the limited VPLS system resources on which different customers compete is the MAC address table.

Generally speaking, the size of the MAC address table on a given system is finite, and the portion allocated for each bridge domain directly impacts the forwarding performance. The larger the portion allocated is, the less likely a packet is subject to flooding. Flooding is always an expensive operation in terms of processing power and the network bandwidth it takes; it penalizes overall packet forwarding performance.

To limit the maximum number of MAC address entries on a per-VLAN basis, use the mac-address-table limit command, as shown in Example 15-12. Cisco VPLS allows setting a limit for each bridge domain, which is represented by an internal VLAN.

Example 15-12. mac-address-table limit Command

PE1(config)#mac-address-table limit vlan 2 maximum 1000
PE1(config)#
To display the MAC address limiting status for a VLAN, use the show mac-address-table
limit vlan command, as shown in Example 15-13.
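The model below is an added example, not code from the book: it simulates one bridge domain per VLAN with the per-VLAN cap that mac-address-table limit sets, so that a rogue customer who presents more source addresses than the cap sees flooding in its own VLAN while a well-behaved customer's VLAN keeps learning normally. The switch model, the port names (Fa4/2 plus pseudowires to PE2 through PE4) and the frame samples are constructed for illustration.

```python
"""Model of the per-VLAN MAC address limit from Case Study 15-2 (added
example, not code from the book). A bridge domain that reaches the cap set
by 'mac-address-table limit vlan <n> maximum <m>' stops learning new source
addresses and floods frames to them, while other bridge domains keep their
own allocation. Switch model, port names and frames are constructed."""

class BridgeDomain:
    """MAC table of one VLAN, optionally capped at `maximum` entries."""

    def __init__(self, vlan, maximum=None):
        self.vlan = vlan
        self.maximum = maximum
        self.table = {}          # mac -> port
        self.limit_hits = 0      # source addresses refused because of the cap

    def learn(self, src_mac, port):
        """Learn or refresh src_mac; return False if the cap prevented it."""
        if src_mac in self.table:
            self.table[src_mac] = port
            return True
        if self.maximum is not None and len(self.table) >= self.maximum:
            self.limit_hits += 1
            return False
        self.table[src_mac] = port
        return True

    def forward(self, dst_mac, in_port, all_ports):
        """Egress ports: the one known port, or a flood to every other port."""
        if dst_mac in self.table:
            return [self.table[dst_mac]]
        return [p for p in all_ports if p != in_port]


class VplsPe:
    """One bridge domain per VLAN; the ports are the CE-facing switchport
    and the pseudowires to the other PEs."""

    def __init__(self, ports, limits):
        self.ports = ports
        self.domains = {vlan: BridgeDomain(vlan, cap) for vlan, cap in limits.items()}

    def receive(self, vlan, src_mac, dst_mac, in_port):
        """Learn the source, then return the egress ports for the frame."""
        bd = self.domains[vlan]
        bd.learn(src_mac, in_port)
        return bd.forward(dst_mac, in_port, self.ports)


def simulate(vlan2_limit=1000, rogue_hosts=1500):
    """A rogue customer on VLAN 2 sends from `rogue_hosts` distinct MACs;
    a well-behaved customer on VLAN 4 then exchanges two frames.

    Returns (VLAN 2 entries, VLAN 2 refusals, VLAN 4 reply flooded?,
             frame to an unlearned rogue MAC flooded?)."""
    pe = VplsPe(ports=["Fa4/2", "PW-to-PE2", "PW-to-PE3", "PW-to-PE4"],
                limits={2: vlan2_limit, 4: 1000})
    for i in range(rogue_hosts):
        # Constructed locally administered source addresses.
        pe.receive(2, "0200.0000.%04x" % i, "ffff.ffff.ffff", "Fa4/2")
    entries, refusals = len(pe.domains[2].table), pe.domains[2].limit_hits
    # Customer on VLAN 4: CE1's host reaches CE2's host, then CE2 replies.
    pe.receive(4, "000b.5fb5.0080", "000b.5fad.e580", "Fa4/2")
    reply = pe.receive(4, "000b.5fad.e580", "000b.5fb5.0080", "PW-to-PE2")
    # Traffic back toward the last rogue address, which the cap kept unlearned.
    last = "0200.0000.%04x" % (rogue_hosts - 1)
    to_rogue = pe.receive(2, "0200.0000.0000", last, "PW-to-PE3")
    return entries, refusals, len(reply) > 1, len(to_rogue) > 1


if __name__ == "__main__":
    print("with limit 1000:", simulate())
    print("without limit:  ", simulate(vlan2_limit=None))
```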
Case Study 15-3: Quality of Service

On Cisco 7600 series routers, Layer 2 switchport interfaces use Policy Feature Card (PFC)-based QoS configuration, and the core-facing interfaces use Modular QoS CLI (MQC). The general topics on PFC-based and MQC-based configuration alone warrant a book. This book does not cover the details on these topics. Refer to Cisco.com for the PFC-based and MQC-based QoS commands and examples.

This case study shows an example that is related to VPLS QoS.
Per-VLAN traffic shaping in VPLS specifies the shaping rate of individual MPLS uplinks for a given bridge domain, not the aggregated rate of all MPLS uplinks. For example, if a VLAN is configured with a shaping rate of 10 Mbps, and there are two MPLS uplinks toward the MPLS core network, the shaper allows up to 20 Mbps of VPLS traffic forwarded into the core network.

In Example 15-14, PE1 matches all traffic coming from CE1 and shapes the VPLS traffic on each core-facing interface to 10 Mbps.
To allow CE1 and CE3 in Figure 15-7 to view each other as CDP neighbors, the interfaces on PE1 and PE3 that connect to CE1 and CE3 respectively need to enable Layer 2 protocol tunneling (see Example 15-16).

Local Intrfce     Holdtme    Capability  Platform    Port ID
Fas 0/1            170         R S I      WS-C3550-2  Fas 0/1
For STPs, a separate spanning tree is created at each customer site if Layer 2 protocol tunneling is not enabled on PE routers. Using the network shown in Figure 15-7 as an example, bridging devices at Site 1, including CE1, build a spanning tree solely for Site 1 without considering convergence parameters of other customer sites. In this particular example, the disjointed spanning tree domains do not lead to potential forwarding loops because of the use of Layer 2 split horizon in the service provider network. However, if the customer sites have backdoor links, it is imperative that you have a single spanning-tree domain for the VPLS customer to avoid forwarding loops in the customer network.
Figure 15-8 shows a backdoor link that connects CE1 and CE2. A possible forwarding loop exists between CE1 and CE2 when packets can be sent over the links that are connected to the service provider and the backdoor link. To identify the possible forwarding loop, examine the spanning-tree status on both CE routers.

Role Sts Cost      Prio.Nbr Type
---- --- --------- -------- --------------------------------
Desg FWD 19        128.1    P2p
Root FWD 19        128.3    P2p
CE2 is the root bridge for VLAN 2 because it has a lower bridge address than CE1 when both
have the same bridge priority. Both the interface FastEthernet0/1 that connects to PE2 and the
interface FastEthernet0/3 that connects to Site 2 have a role of designated port for VLAN 2,
and they are both in the forwarding state (see Example 15-19).
Example 15-19. VLAN 2 Spanning-Tree Status on CE2 Before the Forwarding Loop Is Fixed

CE2#show spanning-tree vlan 2

VLAN0002
  Spanning tree enabled protocol ieee
  Root ID    Priority    32770
             Address     000b.5fad.e580
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
             Address     000b.5fad.e580
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/3            Desg FWD 19        128.3    P2p
To display Layer 2 protocol tunneling status on PE routers, use the show l2protocol-tunnel
command, as in Example 15-22.
Example 15-23. VLAN 2 Spanning-Tree Status on CE1 After the Forwarding Loop Is Fixed

CE1#show spanning-tree vlan 2

VLAN0002
  Spanning tree enabled protocol ieee
  Root ID    Priority    32770
             Address     000b.5fad.e580
             Cost        19
             Port        1 (FastEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
             Address     000b.5fb5.0080
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 19        128.1    P2p
Fa0/3            Altn BLK 19        128.3    P2p
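The following is an added example, not code from the book: it runs an 802.1D root election and port-role computation over the two CE routers of Figure 15-8, using the bridge priorities and MAC addresses from Examples 15-19 and 15-23, and then checks the forwarding graph for a loop. The two segment names ("vpls" for the path through the provider, "backdoor" for the direct link), the port cost of 19 and the pre-fix role table are assumptions of the model, the last one taken from the CE1 fragment shown before Example 15-19.

```python
"""Root election and port roles for the CE routers of Figure 15-8 (added
example, not code from the book). Bridge IDs come from Examples 15-19 and
15-23; segments and port costs are assumptions of this model."""
import heapq

# Bridge ID = (priority + sys-id-ext, MAC address); the lower value wins.
BRIDGES = {
    "CE1": (32768 + 2, "000b.5fb5.0080"),
    "CE2": (32768 + 2, "000b.5fad.e580"),
}
# bridge -> {port: (segment, port cost, (port priority, port number))}
PORTS = {
    "CE1": {"Fa0/1": ("vpls", 19, (128, 1)), "Fa0/3": ("backdoor", 19, (128, 3))},
    "CE2": {"Fa0/1": ("vpls", 19, (128, 1)), "Fa0/3": ("backdoor", 19, (128, 3))},
}
# Roles before the fix (assumed from the CE1 fragment and Example 15-19):
# each site runs its own tree, so every port forwards.
BEFORE_FIX = {
    "CE1": {"Fa0/1": ("Desg", "FWD"), "Fa0/3": ("Root", "FWD")},
    "CE2": {"Fa0/1": ("Desg", "FWD"), "Fa0/3": ("Desg", "FWD")},
}

def elect_root(bridges):
    """The bridge with the lowest (priority, MAC) pair becomes the root."""
    return min(bridges, key=bridges.get)

def segment_members(ports):
    """segment -> [(bridge, port)] attached to it."""
    attached = {}
    for bridge, plist in ports.items():
        for port, (seg, _, _) in plist.items():
            attached.setdefault(seg, []).append((bridge, port))
    return attached

def root_path_costs(root, ports, attached):
    """Dijkstra over bridges and segments; a hop costs the receiving port's cost."""
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, bridge = heapq.heappop(heap)
        if d > dist[bridge]:
            continue
        for seg, _, _ in ports[bridge].values():
            for nb, nport in attached[seg]:
                nd = d + ports[nb][nport][1]
                if nb != bridge and nd < dist.get(nb, float("inf")):
                    dist[nb] = nd
                    heapq.heappush(heap, (nd, nb))
    return dist

def port_roles(bridges, ports):
    """Return (root, {bridge: {port: (role, state)}}) with 802.1D tie-breaking."""
    root = elect_root(bridges)
    attached = segment_members(ports)
    dist = root_path_costs(root, ports, attached)
    # Designated (bridge, port) per segment: lowest root path cost, then
    # bridge ID, then port ID.
    designated = {seg: min(members, key=lambda bp: (dist[bp[0]], bridges[bp[0]],
                                                   ports[bp[0]][bp[1]][2]))
                  for seg, members in attached.items()}
    roles = {}
    for bridge, plist in ports.items():
        if bridge == root:
            roles[bridge] = {p: ("Desg", "FWD") for p in plist}
            continue
        def root_port_key(port):
            seg, cost, pid = plist[port]
            db, dp = designated[seg]
            return (dist[db] + cost, bridges[db], ports[db][dp][2], pid)
        root_port = min(plist, key=root_port_key)
        roles[bridge] = {}
        for port, (seg, _, _) in plist.items():
            if port == root_port:
                roles[bridge][port] = ("Root", "FWD")
            elif designated[seg] == (bridge, port):
                roles[bridge][port] = ("Desg", "FWD")
            else:
                roles[bridge][port] = ("Altn", "BLK")
    return root, roles

def has_forwarding_loop(roles, ports):
    """Union-find over bridges and segments joined by forwarding ports;
    joining two nodes already in one set means a cycle (a bridging loop)."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for bridge, plist in roles.items():
        for port, (_, state) in plist.items():
            if state != "FWD":
                continue
            a, b = find(("bridge", bridge)), find(("segment", ports[bridge][port][0]))
            if a == b:
                return True
            parent[a] = b
    return False
```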
only a single connection with an N-PE router, which makes the N-PE router a single point of failure.

By multihoming with more than one PE or N-PE router, a CE or U-PE router can achieve fault tolerance through the redundant connections. Whenever redundant Ethernet connections exist, bridging loops form as a result. Layer 2 split horizon is not designed to deal with redundant connections; therefore, STPs need to be enabled to create loop-free forwarding paths.

As described in the "VPLS Redundancy" section, each metro area or island consists of a group of U-PE and N-PE routers that are connected through a LAN. Figure 15-9 shows a network with three separate islands. The goal is to run STPs within each island for redundancy while preventing the spanning trees from spreading across the WAN. In a Metro Ethernet environment, devices from different network vendors are often deployed and required to work together, which means the network needs to run standard network protocols. For STPs, IEEE 802.1S Multiple Spanning Tree Protocol (MSTP) fits the purpose.
Both U-PE1 and U-PE2 are peered with N-PE1 and N-PE2. To reduce the amount of complexity and processing power required, N-PE1 and N-PE2 do not run STPs themselves but simply relay BPDUs from one link to another. To prevent BPDUs from leaking to the WAN, you need to separate customer traffic from the BPDUs that originated in each island. In this case study, you accomplish this by marking these two types of traffic with different service provider VLAN tags.

After the two types of traffic are separated into different VLANs, you can configure N-PE routers in such a way that only VLAN traffic that is marked as customer traffic can be forwarded to other islands. VLAN traffic that is marked as BPDU is only forwarded to other N-PE routers of the same island.

In Island A, two separate forwarding loops exist:

From U-PE1 to N-PE1, N-PE2, and back to U-PE1
From U-PE2 to N-PE1, N-PE2, and back to U-PE2.

Because U-PE1 and U-PE2 do not have direct connections, they can construct separate spanning trees.

On U-PE1, MST traffic is carried in the native VLAN for which the tag value is 200. VLAN 2 carries customer traffic for a particular VPLS customer. The configuration on U-PE1 is shown in Example 15-24.
hostname U-PE1
spanning-tree mode mst
!
spanning-tree mst configuration
 name MST-1
 revision 1
 instance 1 vlan 2
!
vlan dot1q tag native
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport trunk allowed vlan 2,200
 switchport mode trunk
 no ip address
!
interface FastEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport trunk allowed vlan 2,200
 switchport mode trunk
 no ip address
On U-PE2, MST traffic is carried in the native VLAN for which the tag value is 400. VLAN 2 carries the customer traffic. The configuration on U-PE2 is shown in Example 15-25.

Example 15-25. U-PE2 Configuration

hostname U-PE2
spanning-tree mode mst
!
spanning-tree mst configuration
 name MST-2
 revision 1
 instance 1 vlan 2
!
vlan dot1q tag native
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 400
 switchport trunk allowed vlan 2,400
 switchport mode trunk
 no ip address
!
interface FastEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 400
 switchport trunk allowed vlan 2,400
 switchport mode trunk
 no ip address
STPs are disabled on N-PE1 and N-PE2. To relay BPDUs for each MST instance transparently, in addition to configuring Layer 2 protocol tunneling on N-PE1 and N-PE2, you must configure a dedicated VFI for each MST instance, where the neighbors are N-PE routers in the same island. The configuration on N-PE1 is shown in Example 15-26.
Example 15-26. N-PE1 Configuration

hostname N-PE1
!
mpls label protocol ldp
mpls ldp router-id Loopback0
!
l2 vfi l2vpn manual
 vpn id 1
 neighbor 10.0.0.2 encapsulation mpls
 neighbor 10.0.0.3 encapsulation mpls
 neighbor 10.0.0.4 encapsulation mpls
!
l2 vfi mst-1 manual
 vpn id 1001
 neighbor 10.0.0.2 encapsulation mpls
!
l2 vfi mst-2 manual
 vpn id 2001
 neighbor 10.0.0.2 encapsulation mpls
!
no spanning-tree vlan 2,200,400
!
vlan dot1q tag native
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface POS3/1
 ip address 10.0.1.1 255.255.255.252
 mpls ip
!
interface FastEthernet4/2
 no ip address
 no keepalive
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport trunk allowed vlan 2,200
 switchport mode trunk
 l2protocol-tunnel stp
!
interface FastEthernet4/3
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 400
 switchport trunk allowed vlan 2,400
 switchport mode trunk
 l2protocol-tunnel stp
 no cdp enable
!
interface Vlan2
 no ip address
 xconnect vfi l2vpn
!
interface Vlan200
 no ip address
 xconnect vfi mst-1
!
interface Vlan400
 no ip address
 xconnect vfi mst-2
The configuration on N-PE2 is shown in Example 15-27.

!
interface Vlan400
 no ip address
 xconnect vfi mst-2
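The check below is an added example, not code from the book: it parses an IOS-style N-PE configuration (the sample is trimmed from Example 15-26) and verifies the containment rule of this design, namely that every VFI bound to a VLAN carrying tunneled STP BPDUs peers only with N-PE routers of the same island, while the customer VFI may reach all islands. The island membership set ISLAND_A_NPES and the misconfigured variant BAD_CONFIG are assumptions constructed for the example.

```python
"""BPDU containment check for N-PE VFI configuration (added example, not
code from the book). A VLAN is a BPDU VLAN when it is the native VLAN of a
trunk that has 'l2protocol-tunnel stp'; its VFI must only contain neighbors
inside the island. Island membership below is an assumption."""
import re

# Assumed loopbacks of the N-PE routers in Island A (N-PE1 is 10.0.0.1).
ISLAND_A_NPES = {"10.0.0.1", "10.0.0.2"}

# Trimmed from Example 15-26 (N-PE1).
NPE1_CONFIG = """\
l2 vfi l2vpn manual
 vpn id 1
 neighbor 10.0.0.2 encapsulation mpls
 neighbor 10.0.0.3 encapsulation mpls
 neighbor 10.0.0.4 encapsulation mpls
!
l2 vfi mst-1 manual
 vpn id 1001
 neighbor 10.0.0.2 encapsulation mpls
!
l2 vfi mst-2 manual
 vpn id 2001
 neighbor 10.0.0.2 encapsulation mpls
!
interface FastEthernet4/2
 switchport trunk native vlan 200
 switchport trunk allowed vlan 2,200
 l2protocol-tunnel stp
!
interface FastEthernet4/3
 switchport trunk native vlan 400
 switchport trunk allowed vlan 2,400
 l2protocol-tunnel stp
!
interface Vlan2
 xconnect vfi l2vpn
!
interface Vlan200
 xconnect vfi mst-1
!
interface Vlan400
 xconnect vfi mst-2
"""

# Constructed misconfiguration: the MST-1 VFI also peers with an N-PE of
# another island, so Island A's BPDUs would leak across the WAN.
BAD_CONFIG = NPE1_CONFIG.replace(
    "vpn id 1001\n neighbor 10.0.0.2 encapsulation mpls\n",
    "vpn id 1001\n neighbor 10.0.0.2 encapsulation mpls\n"
    " neighbor 10.0.0.3 encapsulation mpls\n")

def parse_config(text):
    """Return (vfi_neighbors, vlan_to_vfi, bpdu_vlans) from an IOS-style config."""
    vfi_neighbors, vlan_to_vfi, bpdu_vlans = {}, {}, set()
    block = None                      # ("vfi", name) or ("if", name)
    native, tunnels_stp = None, False
    for line in text.splitlines() + ["!"]:     # trailing "!" closes the last block
        if not line.startswith(" "):
            # Leaving a block: an STP-tunneling trunk makes its native VLAN a BPDU VLAN.
            if block and block[0] == "if" and tunnels_stp and native is not None:
                bpdu_vlans.add(native)
            native, tunnels_stp = None, False
            m_vfi = re.match(r"l2 vfi (\S+) manual", line)
            m_if = re.match(r"interface (\S+)", line)
            if m_vfi:
                block = ("vfi", m_vfi.group(1))
                vfi_neighbors[block[1]] = set()
            elif m_if:
                block = ("if", m_if.group(1))
            else:
                block = None
            continue
        line = line.strip()
        if block is None:
            continue
        if block[0] == "vfi":
            m = re.match(r"neighbor (\S+) encapsulation mpls", line)
            if m:
                vfi_neighbors[block[1]].add(m.group(1))
            continue
        m_native = re.match(r"switchport trunk native vlan (\d+)", line)
        m_xc = re.match(r"xconnect vfi (\S+)", line)
        if m_native:
            native = int(m_native.group(1))
        elif line == "l2protocol-tunnel stp":
            tunnels_stp = True
        elif m_xc and block[1].startswith("Vlan"):
            vlan_to_vfi[int(block[1][len("Vlan"):])] = m_xc.group(1)
    return vfi_neighbors, vlan_to_vfi, bpdu_vlans

def bpdu_leaks(text, island_npes):
    """List (vlan, vfi, offending neighbors) for every BPDU VLAN whose VFI
    peers with an N-PE outside the island."""
    vfis, vlan_to_vfi, bpdu_vlans = parse_config(text)
    leaks = []
    for vlan in sorted(bpdu_vlans):
        vfi = vlan_to_vfi.get(vlan)
        if vfi is None:
            continue          # no pseudowire bound to this VLAN: BPDUs stay local
        outside = sorted(vfis.get(vfi, set()) - island_npes)
        if outside:
            leaks.append((vlan, vfi, outside))
    return leaks

if __name__ == "__main__":
    print("N-PE1 as in Example 15-26:", bpdu_leaks(NPE1_CONFIG, ISLAND_A_NPES))
    print("misconfigured variant:    ", bpdu_leaks(BAD_CONFIG, ISLAND_A_NPES))
```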
To verify that MSTP removes the forwarding loops, use the show spanning-tree mst command on U-PE1 and U-PE2 (see Example 15-28). Notice that each router is the root bridge for its own MST instance, the interface FastEthernet0/1 acts as a designated port and is in a forwarding state, and the interface FastEthernet0/2 acts as a backup port and is in a blocking state.
###### MST01     vlans mapped:   2
Bridge        address 000b.5fad.e580  priority      32769 (32768 sysid 1)
Root          this switch for MST01

Interface        Role Sts Cost      Prio.Nbr Type
------------------------------------------------------------------
Fa0/1            Desg FWD 200000    128.1    P2p
Fa0/2            Back BLK 200000    128.2    P2p
Table A-1. Comparing L2TPv3 AVP Attribute Types

AVP Name                 Cisco AVP   IETF[1] AVP   Messages
Extended Vendor ID AVP   N/A         58            All messages
Message Digest           12          59            All messages
Router ID                N/A         74
Rx Connect Speed         N/A         75
(further rows of this table survive only in part: values 11, 108, 109 and N/A; messages ICRQ and SLI)

[3]
[5] ICRQ = Incoming-Call-Request
[6] ICRP = Incoming-Call-Reply
[7]
[8] CDN = Circuit-Disconnect-Notify
[9] WEN = WAN-Error-Notify
[10]

You can find a complete list of L2TP registries and numbers managed by the IANA at http://www.iana.org/assignments/l2tp-parameters.
Index
ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
No. 4460,Anthony Chan, - CCIE No. 10,266
Publisher: Cisco Press
Table of
Contents
Index
ISBN: 1-58705-168-0
Pages: 648
Master the world of Layer 2 VPNs to provide enhanced services and enjoy
productivity gains
Learn about Layer 2 Virtual Private Networks (VPNs)
Reduce costs and extend the reach of your services by unifying your
network architecture
Gain from the first book to address Layer 2 VPN application utilizing
both ATOM and L2TP protocols
Review strategies that allow large enterprise customers to enhance
their service offerings while maintaining routing control
For a majority of Service Providers, a significant portion of their revenues
are still derived from data and voice services based on legacy transport
technologies. Although Layer 3 MPLS VPNs fulfill the market need for some
customers, they have some drawbacks. Ideally, carriers with existing
legacy Layer 2 and Layer 3 networks would like to move toward a single
backbone while new carriers would like to sell the lucrative Layer 2
services over their existing Layer 3 cores. The solution in these cases is a
technology that would allow Layer 2 transport over a Layer 3
infrastructure.
Layer 2 VPN Architectures introduces readers to Layer 2 Virtual Private
Network (VPN) concepts, and describes Layer 2 VPN techniques via
introductory case studies and comprehensive design scenarios. This book
assists readers looking to meet those requirements by explaining the
history and implementation details of the two technologies available from
the Cisco Unified VPN suite: Any Transport over MPLS (ATOM) for MPLSbased cores and Layer 2 Tunneling Protocol version 3 (L2TPv3) for native
IP cores. The structure of this book is focused on first introducing the
reader to Layer 2 VPN benefits and implementation requirements and
comparing them to those of Layer 3 based VPNs, such as MPLS, then
progressively covering each currently available solution in greater detail.
Index
ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
No. 4460,Anthony Chan, - CCIE No. 10,266
Publisher: Cisco Press
Table of
802.1p
tagging 2nd
Contents
802.1q tagging 2nd
Index
802.1q tunneling
asymmetrical links
restrictions
tagging process

AAL (ATM Adaptation Layer)
AAL5
  CPCS-SDU mode
  packet cell relay mode
  single cell relay mode
AAL5_SDUoL2TPv3
  configuring 2nd
  control plane
  data plane
  verifying configuration 2nd
AAL5oMPLS, case study configuration
ABM (Asynchronous Balanced Mode)
ABR (available bit rate)
access mode, VPLS configuration
ACFC (Address and Control Field Compression)
Address field
  Frame Relay frames
  HDLC frames
  PPP frames
adjusted MTU
advertisement messages (LDP) 2nd
advertising VCCV
any-to-any local switching
  ATM attachment circuits
  Ethernet-to-VLAN
ARM (Asynchronous Response Mode)
associating VPLS attachment circuits to VFI
asymmetrical links
ATM (Asynchronous Transfer Mode)
  AAL5 CPCS-SDU mode
  AAL5oMPLS, case study configuration
  ATMoMPLS
    AAL5 transport
    cell transport
  cell format
  cell packing
  Cell Relay operational modes, configuring
  CRoMPLS, case study configuration
  encapsulation
  ILMI
  interaction with pseudowire protocols
  legacy Layer 2 VPNs
  OAM
  OAM emulation
  packet cell relay mode
  single cell relay mode
  traffic management
  traffic policing
  traffic shaping
ATM Forum Traffic Management 4.0 standard
Ethernet
Frame Relay
HDLC
PPP
hardware support, verifying
label stacking
LDP
LDP peers
packets
pseudowire label binding
pseudowires
  establishing
QoS
  intermediate markings
  queuing
  traffic marking
  traffic policing
selection criteria
  advanced network services
  existing network installation base
  interoperability
  network operation complexity
sequence numbers
supported Layer 2 protocols
attachment circuits
  associating to VFI
  ATM and local switching
  Layer 2 local switching
    ATM-to-ATM
    Ethernet-to-Ethernet
    Frame Relay-to-Frame Relay
    like-to-like
  VPLS configuration
auto-discovery mechanism
AVPs (Attribute-Value Pairs)

basic LDP discovery
BGP IPv4 label distribution with IGP redistribution
BGP-based VPLS
BPDU Guard
BPDUs
bridged IW
  ATM AAL5-to-VLAN using AToM, case study
  case study
  environment considerations
  MTU
  using AToM, case study
  using L2TPv3, case study
byte stuffing

calculating
  EoMPLS MTU size requirements
  required LDP sessions for VPLS deployment
case studies
  AAL5_SDUoL2TPv3
    configuring
    control plane
    data plane
    verifying configuration
  ATM_CoL2TPv3
    configuring
    verifying configuration
  EoMPLS transport
    port-based 2nd
    port-based, switch configuration 2nd
    pseudowire class template configuration
    VLAN rewrite 2nd
    VLAN-based
    VLAN-based, switch configuration
  Equal-Cost Multipath
  Frame Relay over L2TPv3
    configuring
    data plane
    verifying configuration
  HDLC over L2TPv3
    configuring 2nd
    data plane details
    verifying configuration
  IW
    bridged
    bridged using AToM 2nd
    bridged using L2TPv3
    routed
  point-to-point L2TPv3 transport
    Ethernet port-to-port dynamic session
    Ethernet port-to-port manual session
    Ethernet port-to-port manual session with keepalive
    Ethernet VLAN-to-VLAN dynamic session
    IP topology
  PPP over L2TPv3
    configuring
    control plane negotiation
    data plane
    verifying configuration
  Unequal-Cost Multipath
  WANs over L2TPv3
    ATM transport
      configuring
      control plane
      data plane
CBR (constant bit rate)
CBR.1
  traffic policing
CE routers
  vlan-based EoMPLS transport, configuring
cell format (ATM)
cell packing
  configuring
  verifying configuration
Cell Relay modes (ATM), configuring
character stuffing
Cisco 12000 series routers, VLAN rewrite, configuring
  port VLAN ID inconsistency issue
Cisco HDLC versus standard HDLC
Cisco LMI
Cisco Unified VPN suite
  local switching
    ATM attachment circuits
    ATM-to-ATM
    Ethernet-to-Ethernet
    Ethernet-to-VLAN
    Frame Relay-to-Frame Relay
CLP field (ATM cells)
combining PMTUD and DF bit
commands
  connect
  debug acircuit event
  debug mpls l2transport signaling message
  debug mpls l2transport packet data
  debug mpls l2transport signaling message
  interworking
  l2tp-class
  pseudowire-class
  remote circuit id
  show arp
  show connection
  show ip traffic
  show mpls l2transport vc 2nd 3rd
  show mpls forwarding-table
  show mpls ldp discovery
  show mpls ldp neighbor
  show processes cpu
  show sss circuits
  xconnect
comparing EoMPLS modes
configuring
  AAL5_SDUoL2TPv3
    control plane
    data plane
    verifying configuration
    data plane details
    verifying configuration
  Ethernet port-to-port manual session with keepalive
    data plane details
    verifying configuration
  Ethernet VLAN-to-VLAN dynamic session
    control plane details
    frame encapsulation
    verifying configuration
  Frame Relay over L2TPv3
    data plane
    verifying configuration
  HDLCoL2TPv3
    data plane details
    verifying configuration
  L2TPv3
    l2tp-class command
    pseudowire-class command
    xconnect command
  LDP authentication for pseudowire signaling
  OAM emulation
  PPPoL2TPv3
    control plane negotiation
    data plane 2nd
    verifying configuration
  preferred path
    with IP routing
    with MPLS Traffic Engineering tunnels
  pseudowires
  QoS
    input service policies
    queuing
    traffic marking
    traffic policing
  VPLS
    access mode
    attachment circuits
    dot1Q-tunnel mode
    example configuration
    Layer 2 protocol tunneling
    multihoming
    per-VLAN MAC address limiting
    QoS
    trunk mode
    VFI
  WAN protocols over MPLS
    AAL5oMPLS
    CRoMPLS
    FRoMPLS
    HDLCoMPLS
    PPPoMPLS
  WAN protocols over L2TPv3
  WANs over MPLS pseudowires
    control plane
    control word negotiation
    data plane encapsulation
    MTU requirements
    pseudowire types
connect command
conservative label retention mode
control connection mechanism (L2TPv3)
  control channel signaling
  Control Message Authentication
  control message encapsulation
Control field (Frame Relay frames)
Control field (HDLC frames)
Control field (PPP frames)
Control Message Authentication (L2TPv3)
control messages, L2TPv3
control packets, L2TPv3
control plane
  configuring WAN protocols over MPLS pseudowires
  L2TPv3
  PE device system architecture
control word negotiation
  AToM
  configuring WAN protocols over MPLS pseudowires
criteria
  for AToM selection
    advanced network services
    existing network installation base
    interoperability
    network operation complexity
  for L2TPv3 selection
    advanced network services
    existing network installation base
    interoperability
    network operation complexity
CRoL2TPv3
CRoMPLS (cell relay transport over MPLS)
  case study configuration
CS (convergence sublayer) PDUs
CS-PDU
CSMA-CD

data encapsulation, L2TPv3
  Demultiplexing Sublayer field
  Encapsulation Sublayer field
  packet-switched network layer
data plane
  connectivity, verifying
  encapsulation, configuring WAN protocols over MPLS pseudowires
  PE device system architecture
debug acircuit event command
debug mpls l2transport packet data command
debug mpls l2transport signaling message command 2nd
debugging EoMPLS on PE routers 2nd
decoding LDP label mapping messages 2nd
Demultiplexing Sublayer field (L2TPv3)
DF bit, combining with PMTUD
DiffServ
discovery mechanisms (LDP)
discovery messages (LDP)
displaying VPLS pseudowire status
DLCIs
DLSw, legacy Layer 2 VPNs
dot1Q-tunnel mode, VPLS configuration
downstream on demand label advertisement mode
draft-kompella
draft-martini
DTE (data terminal equipment)
DTP (Dynamic Trunking Protocol)
dual leaky bucket model
dynamic protocol signaling

ECMP (Equal-Cost Multipath)
encapsulation
  ATM
    AAL
    cell format
  AToM
    for ATM transport
    for Ethernet transport
    for Frame Relay transport
    for HDLC transport
    for PPP transport
  for Ethernet-to-VLAN local switching
  IW
    Ethernet
    for Frame Relay-to-VLAN IP IW using AToM
    for Frame Relay-to-PPP IW using L2TPv3
    for VLAN-to-bridged IW using L2TPv3
  IW
  UTI, fields
encapsulation layer (pseudowire emulation)
Encapsulation Sublayer field (L2TPv3)
enhanced Layer 2 VPNs
  AToM
EoMPLS (Ethernet over MPLS)
  debugging on PE routers
  label disposition
  label imposition
  label stack
  MTU size requirements
    calculating
  packets
    fields
    format
  supported VC types
  transport, case studies
    port-based
    port-based, switch configuration
    preconfiguration requirements
    pseudowire class template configuration
    VLAN rewrite 2nd
    VLAN-based
    VLAN-based, switch configuration
  troubleshooting
    on routers
    on switches
Equal-Cost Multipath 2nd
establishing AToM pseudowires
Ethernet
  CSMA-CD
  frames
  Metro Ethernet
  port-to-port dynamic session
    configuring
    data plane details
    verifying configuration
  port-to-port manual session
    configuring 2nd
    data plane details 2nd
    verifying configuration 2nd
  VLAN-to-VLAN dynamic session
    configuring
    control plane details
    frame encapsulation
    verifying configuration
Ethernet II frames
Ethernet IW
  ATM AAL5-to-VLAN using AToM, case study
  case study
  environment considerations
  MTU
  using AToM, case study
  using L2TPv3, case study
Ethernet-to-Ethernet local switching 2nd
Ethernet-to-VLAN local switching
EVCS (Ethernet Virtual Connection Service)
evolution of L2TPv3
example VPLS configuration
extended LDP discovery

F-bit (forward unknown TLV bit)
Fast Reroute
FCS field
  Frame Relay frames
  HDLC frames
  PPP frames
FEC (Forwarding Equivalence Class)
fields
  of LDP messages
  of UTI encapsulation
Flag field
  Frame Relay frames
  HDLC frames
  PPP frames
flooding, VPLS
forwarding, VPLS
fragmentation
  adjusted MTU
  avoiding in L2TPv3 networks
  PMTUD
  post-fragmentation
  prefragmentation
frame format
  HDLC
  PPP
Frame Relay
  encapsulation
  frame format
  FRoMPLS
    case study configuration
  interaction with pseudowire protocols
  legacy Layer 2 VPNs
  LMI
    message format
    status enquiry messages
    status messages
    update status messages
  over L2TPv3
    configuring
    data plane
    verifying configuration
  traffic management
  traffic policing
  traffic shaping
Frame Relay-to-Frame Relay local switching
frames, Ethernet
FRoMPLS, case study configuration
full-mesh VPLS topological model
Index
ByWei Luo, - CCIE No. 13,291,Carlos Pignataro, - CCIE No. 4619,Dmitry Bokotey, - CCIE
No. 4460,Anthony Chan, - CCIE No. 10,266
Publisher: Cisco Press
ISBN: 1-58705-168-0
Table of
Gang of Four
LMI implementation versus Annex A/D
Generic Label TLV encoding
GFC (Generic Flow Control) field (ATM cells)
goals of RFC 1547
hardware
support for AToM, verifying
HDLC
Cisco implementation
frame format
modes of operation
over L2TPv3
configuring
data plane details
verifying configuration
pseudowire transport
HDLCoMPLS
case study configuration
HDLCPW configuration
HEC field (ATM cells)
hidden VLANs
hierarchical VPLS
with MPLS access network
with QnQ access network
hop popping
hub-and-spoke VPLS topological model
IEEE 802.3 SNAP frame format
IETF working groups, IETF standardization
draft-kompella
draft-martini
"Illegal C-bit" status code
ILMI (Interim Local Management Interface)
implementing PMTUD
Information field
Frame Relay frames
HDLC frames
PPP frames
input service policies, configuring
inter-AS pseudowire emulation
with IGP redistribution
intermediate markings, AToM
internal VLAN tags
interworking command
IP accounting
IP topology for point-to-point L2TPv3 transport
case studies
IPLS (IP-only LAN Service)
ISO 3309 standard, HDLC frame format
IW (interworking)
bridged
case study
case studies
connect command
encapsulation
for Ethernet-to-VLAN Ethernet IW local switching
for Frame Relay-to-VLAN IP IW using AToM
for Frame Relay-to-PPP IW using L2TPv3
for VLAN-to-bridged IW using L2TPv3
MTU
routed
case study
Frame Relay-to-ATM, case study
Frame Relay-to-PPP using L2TPv3, case study
Frame Relay-to-VLAN using AToM, case study
MTU considerations
jumbo frames
L2-Specific Sublayer
l2tp-class command, syntax
L2TPv3 2nd
AAL5_SDUoL2TPv3
configuring
control plane
data plane
verifying configuration
ATM transport
CRoL2TPv3
OAM emulation
ATM_CoL2TPv3
configuring
verifying configuration
AVPs
configuring
l2tp-class command
pseudowire-class command
xconnect command
connectivity model
control connection
control channel signaling
Control Message Authentication
control message encapsulation
control messages
control packets
control plane
data encapsulation
Demultiplexing Sublayer field
Encapsulation Sublayer field
packet-switched network layer
evolution of
fragmentation, avoiding
Frame Relay transport
configuring
data plane 2nd
verifying configuration
HDLC pseudowire transport
HDLC transport
configuring
data plane details
verifying configuration
LCCEs
MTU considerations
operation
over WAN protocols, configuring
PMTUD
avoiding fragmentation
combining with DF bit
implementing
data plane
verifying configuration
QoS
input service policies
queuing
traffic marking
traffic policing
selection criteria
advanced network services
existing network installation base
interoperability
network operation complexity
session negotiation
supported Layer 2 protocols
label advertisement mode (MPLS)
label bindings
label disposition
label distribution control mode (MPLS)
label distribution protocol
label imposition
Label Mapping messages
decoding
label retention mode (MPLS)
label spaces
label stacking
AToM
Label TLV encodings
Label Withdraw messages
Layer 2 local switching
ATM-to-ATM
Ethernet-to-Ethernet
Frame Relay-to-Frame Relay
Layer 2 protocol tunneling, configuring for VPLS
Layer 2 protocols supported by L2TPv3
Layer 2 VPN forwarder
Layer 2-specific matching and setting
ATM over MPLS QoS
Ethernet over MPLS QoS
Frame Relay over MPLS QoS
Layer 3 VPNs
limitations of
LCCEs (L2TP Control Connection Endpoints) 2nd
LDP (Label Distribution Protocol)
advertisement messages
authentication for pseudowire signaling, configuring
discovery
label advertisement mode
label bindings
label distribution control mode
LDP-based VPLS model
leaky bucket
ATM
legacy Layer 2 VPNs
ATM
DLSw
Frame Relay
VPDNs
liberal label retention mode
like-to-like attachment circuits
limitations
of Layer 3 VPNs
of STP
LMI (Local Management Interface)
message format
status enquiry messages
status messages
update status messages
load sharing
Equal-Cost Multipath
preferred path, configuring
Unequal Cost Multipath
local emulation mode (OAM)
local switching
ATM attachment circuits
ATM-to-ATM
Ethernet-to-Ethernet
Ethernet-to-VLAN
Frame Relay-to-Frame Relay
loopback cells (OAM)
LSPs, FEC
LSRs
LDP discovery mechanisms
session establishment
manual pseudowire configuration
messages
LDP
advertisement
fields
LMI
status
status enquiry
update status
Metro Ethernet
MPLS
AToM
ATM encapsulation
control word negotiation
Ethernet encapsulation
Frame Relay encapsulation
HDLC encapsulation
label stacking
PPP encapsulation
pseudowire label binding
pseudowires
pseudowires, establishing
selection criteria
sequence numbers
supported Layer 2 protocols
HDLCoMPLS
LDP
advertisement messages
discovery mechanisms
label advertisement mode
label bindings
label distribution and management
label distribution control mode
label retention mode
label space
messages
packets
security
session establishment
traffic engineering
Fast Reroute 2nd
tunnels, preferred path configuration
WAN protocol over pseudowire configuration
control plane
control word negotiation
data plane encapsulation
MTU requirements
pseudowire types
MQC (Modular QoS CLI) configuration
traffic marking
MSTP (Multiple Spanning Tree Protocol)
MTU
adjusted MTU
IP IW considerations 2nd
L2TPv3 transport overhead
requirements
configuring WAN protocols over MPLS pseudowires
for EoMPLS
multi-AS networks, pseudowire emulation
interconnecting pseudowires with dedicated circuits 2nd
multihoming VPLS 2nd
multipoint connectivity, VPLS
configuring
EVCS
example configuration
flooding
forwarding
full-mesh topological model
hierarchical VPLS
hub-and-spoke topological model
Layer 2 protocol tunneling
multihoming 2nd
network reference model
partial-mesh topological model
per-VLAN MAC address limiting
QoS
redundancy
signaling
TLS
topological models
virtual switches
native service processing (pseudowire emulation)
NLPID field (Frame Relay frames)
notification messages (LDP)
NRM (Normal Response Mode)
OAM 2nd
loopback cells
operational modes
OAM emulation
OUI field (Frame Relay frames)
out-of-order packets, sequencing
packet cell relay mode (ATM)
packet-switched network layer (L2TPv3)
packets
EoMPLS
fields
label disposition
label imposition
LDP
out-of-order, sequencing
Padding field (Frame Relay frames)
PARC (Palo Alto Research Center)
partial-mesh VPLS topological model
payload layer (pseudowire emulation)
PDU Length field (LDP packets)
PE device system architecture
control plane
data plane
PE routers
debugging EoMPLS operation 2nd
VLAN rewrite configuration
VLAN-based EoMPLS transport configuration
PE switches, VLAN-based EoMPLS configuration
PEP (pseudowire encapsulation processor)
per-interface label space
per-platform label space
PHP (Penultimate Hop Popping)
physical layer (ATM)
PID field (Frame Relay frames)
PMTUD (path maximum transmission unit discovery)
combining with DF bit
fragmentation, avoiding
implementing
switching statistics, displaying
triggering
point-to-point LAN transport 2nd
Ethernet port-to-port dynamic session
configuring
data plane details
verifying configuration
Ethernet port-to-port manual session
data plane details
verifying 2nd
Ethernet port-to-port manual session with keepalive
data plane details
verifying configuration
Ethernet VLAN-to-VLAN dynamic session, configuring
policing
ATM traffic
CBR.1
UBR.1
UBR.2
VBR.1
VBR.2
VBR.3
Frame Relay transport
port transparency, configuring for EoMPLS
port-based EoMPLS transport, port-based EoMPLS transport configuration
case study
switch configuration case study
port-tunneling mode (EoMPLS)
post-fragmentation
PPP (Point-to-Point Protocol)
encapsulation
frame format
PPPoMPLS
case study configuration
PPP over L2TPv3
configuring
control plane negotiation
data plane
verifying configuration
pre-fragmentation
preferred path
configuring
with IP routing, configuring 2nd
with MPLS Traffic Engineering tunnels, configuring
Protocol field (HDLC frames)
Protocol field (PPP frames)
protocol layers of pseudowire emulation 2nd
pseudowire class template configuration, case study
pseudowire emulation [See also pseudowires]
auto-discovery mechanism
configuring
in multi-AS networks
interconnecting pseudowires with dedicated circuits
native service processing
network reference model
PE device system architecture
control plane
data plane
PEP
protocol layers
standardization
draft-kompella
draft-martini
IETF working groups
transporting over PSN
Pseudowire ID FEC element
encoding
pseudowire label binding
pseudowire-class command, syntax
pseudowires
and VCs
AToM 2nd
connectivity verification model
data plane connectivity, verifying
VCCV
IW
bridged
case studies
MTU
routed
routed, case study
label mapping messages, decoding
PSN layer
VPLS, configuring
WAN protocols over MPLS pseudowires, configuring
PSN layer (packet-switched network)
PTI field (ATM cells)
pure Layer 2 model
PVCs
PWE3 (Pseudowire Emulation Edge to Edge) group
Pages:
648
Contents
Index
Q

QinQ
    asymmetrical links
    restrictions
    tagging process
QoS
    ATM traffic management
    configuring for VPLS
    in AToM
        intermediate markings
        queuing
        traffic marking
        traffic policing
    input service policies
    queuing
    traffic marking, configuring
    traffic policing
        configuring
    traffic shaping
queuing
    configuring
    in AToM
R

Rapid Spanning Tree Protocol
redundancy, VPLS multihoming
remote circuit id command
required EoMPLS transport preconfiguration
restrictions of 802.1Q
RFC 1547
    goals of
RFC 1661, PPP encapsulation
routed IW
    Frame Relay-to-ATM, case study
    Frame Relay-to-PPP using L2TPv3, case study
    Frame Relay-to-VLAN using AToM, case study
    MTU considerations 2nd
routers, EoMPLS
    configuration case studies
        port-based transport
        VLAN-based transport
    debugging on PE routers
    troubleshooting
S

security, LDP
selection criteria for L2TPv3
    advanced network services
    existing network installation base
    interoperability
    network operation complexity
sequence numbers
service providers
service-delimiting VLAN tags
session establishment (LDP)
session messages (LDP)
session negotiation, L2TPv3
shaping ATM traffic
show arp command
show connection command
show ip traffic command
show mpls forwarding-table command 2nd
show mpls l2transport vc command 2nd
show mpls l2transport vc commands
show mpls ldp discovery command
show mpls ldp neighbor command
show processes cpu command
show sss circuits command
signaling, VPLS
single cell relay mode (ATM)
SNAP (Subnetwork Access Protocol)
standardizing pseudowire emulation, IETF working groups
    draft-kompella
    draft-martini
status enquiry messages (LMI)
status messages (LMI)
StopCCN (Stop-Control-Connection-Notification)
STP (Spanning Tree Protocol)
    limitations of
    operation overview
    Rapid Spanning Tree Protocol
STP Root Guard
SUP7203BXL-based systems, configuring VLAN-based EoMPLS
switches
    EoMPLS configuration case studies
        port-based transport
        VLAN-based transport
    troubleshooting EoMPLS
T

tagging process, 802.1Q
targeted LDP sessions
TCP MD5
TLS (Transparent LAN Service) 2nd
topological models (VPLS)
    full mesh
    hierarchical VPLS
        with MPLS access network
        with QinQ access network
    hub and spoke
    partial mesh
ToS reflection
traffic management
    ATM
        traffic policing
        traffic shaping
    Frame Relay
        traffic policing
        traffic shaping
traffic marking
    in AToM
        intermediate markings
    MQC
        setting ToS value
    ToS reflection
traffic policing
    configuring
    in AToM
traffic shaping
transparent mode (OAM)
transporting pseudowire traffic over PSN
triggering PMTUD
troubleshooting
    EoMPLS
        on routers
        on switches
    HDLCoMPLS configuration
    port transparency for EoMPLS port-based transport
    PPPoMPLS configuration
    VLAN rewrite on Cisco 12000 series routers
    VLAN-based EoMPLS on switches
    VLAN-based EoMPLS transport
trunk mode, VPLS configuration
tunnel labels
tunnel ports
tunneling
    802.1Q
        asymmetrical links
        restrictions
        tagging process
    L2TPv3 mechanisms
U

U-bit (unknown message bit)
UBR (unspecified bit rate)
UBR.1 traffic policing
UBR.2 traffic policing
Unequal Cost Multipath
UPC (usage parameter control)
update status messages (LMI)
UTI (Universal Transport Interface)
V

VBR (variable bit rate)
VBR.1 traffic policing
VBR.2 traffic policing
VBR.3 traffic policing
VCCV (virtual circuit connectivity verification)
    advertising
    data plane connectivity, verifying
VCs (virtual circuits)
    and pseudowires
    label mapping messages, decoding
    PVCs
verifying
    AAL5_SDUoL2TPv3 configuration
    AAL5oMPLS case study configuration
    ATM_CRoL2TPv3 configuration
    AToM hardware support
    cell packing configuration
    CRoMPLS configuration
    Ethernet port-to-port configuration
    Ethernet port-to-port dynamic session configuration
    Ethernet VLAN-to-VLAN dynamic session
    FRoL2TPv3 configuration
    FRoMPLS configuration
    HDLCoL2TPv3 configuration
    HDLCoMPLS configuration
    PPPoL2TPv3 configuration
    PPPoMPLS configuration
Version field (LDP packets)
VFI, VPLS configuration
viewing encapsulation details
virtual switches
VLAN rewrite, configuring on Cisco 12000 series routers, case study 2nd
VLAN-based EoMPLS transport
    configuring, case study
    switch configuration, case study 2nd
    troubleshooting
VLAN-tunneling mode (EoMPLS)
VLANs, STP
    limitations of
    operation overview
VPDNs, legacy Layer 2 VPNs
VPI/VCI field (ATM cells)
VPLS (Virtual Private LAN Service) 2nd [See also hierarchical VPLS]
    access mode, configuring
    attachment circuits
        associating to VFI
        configuring
    configuring
    domains
    dot1Q-tunnel mode, configuring
    EVCS
    example configuration
    flooding
    forwarding
    Layer 2 protocol tunneling
    multihoming
    network reference model
    per-VLAN MAC address limiting
    pseudowires, displaying status
    QoS
    redundancy, multihoming
    signaling
    TLS
    topological models
        full mesh
        hierarchical VPLS
        hub and spoke
        partial mesh
    trunk mode, configuring
    VFI, configuring
    virtual switches
VPWS
VTP
W

WANs
    AAL5_SDUoL2TPv3
        configuring
        control plane
        data plane 2nd
        verifying configuration
    ATM
        AAL
        AAL5 CPCS-SDU mode
        cell format
        encapsulation
        ILMI 2nd
        interaction with pseudowire protocols
        OAM
        packet cell relay mode
        single cell relay mode
        traffic management
            traffic policing
            traffic shaping
    ATM_CoL2TPv3
        configuring
        verifying configuration
    ATMoMPLS
        AAL5 transport
        cell transport
    Frame Relay
        encapsulation
        frame format
        interaction with pseudowire protocols
        LMI
        over L2TPv3, configuring
        traffic management
            traffic policing
            traffic shaping
    FRoMPLS
    HDLCoMPLS
    over L2TPv3
        ATM transport
        configuring
        control plane
        data plane
        Frame Relay transport
        HDLC pseudowire transport
        L2-Specific Sublayer
        MTU considerations
        PPP transport
    over MPLS case studies
        AAL5oMPLS
        CRoMPLS
        FRoMPLS
        HDLCoMPLS
        PPPoMPLS
    PPP encapsulation
        frame format
        PPPoMPLS
X

xconnect command, syntax