L2 VPN Configuration


E-Line

In L2VPNs, the provider act as a transparent L2 switch, providing ports to the customer.

E-Line is essentially a P2P circuit, where the customer does not engage in any routing with the provider.  in L3VPNs, customer and provider must agree on a routing protocol, link IP addresses and routing is configured between them.

L2VPN-E-Line

In this example, customer has CE1 and CE2 in 2 remote locations, and wishes to use a L2 circuit from the provider. CE1 and CE2 connect to the ISP Edge routers P1 and PE2, and the provider transports the traffic between the 2 CE nodes, as if the 2 routers were directly connected.

On PE and PE2, we enable:

  1. IGP, in this case it will be OSPF.
  2. MPLS LDP.

Let’s start with OSPF.

PE1(config)#int lo0 
PE1(config-if)#ip address 1.1.1.1 255.255.255.255 
PE1(config-if)#ip ospf 10 area 0 ! 
PE1(config-if)#int gi0/0 
PE1(config-if)#ip address 172.16.1.1 255.255.255.0 
PE1(config-if)#ip ospf 10 area 0 ! 
PE1(config-router)#router-id 1.1.1.1
PE2(config)#int lo0
PE2(config-if)#ip address 2.2.2.2 255.255.255.255
PE1(config-if)#ip ospf 10 area 0
!
PE2(config-if)#int gi0/0
PE2(config-if)#ip address 172.16.1.2 255.255.255.0
PE2(config-if)#ip ospf 10 area 0   
!
PE2(config-router)#router-id 2.2.2.2

At this point, we have OSPF adjacency enabled between PE1 and PE2 and Loopback addresses advertised.

Let’s enable MPLS LDP. We have 2 options, either we enable LDP per interface, or globally under OSPF process.

PE1(config)#router ospf 10
PE1(config-router)#mpls ldp autoconfig 

and on PE2

PE2(config)#router ospf 10
PE2(config-router)#mpls ldp autoconfig 

In this next section, we validate our configuration so far.

PE1#sh ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/BDR        00:00:30    172.16.1.2      GigabitEthernet0/0
PE1#sh ip route ospf | b Gateway
Gateway of last resort is not set

      2.0.0.0/32 is subnetted, 1 subnets
O        2.2.2.2 [110/2] via 172.16.1.2, 01:36:55, GigabitEthernet0/0
PE1#sh mpls ldp neighbor        
    Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 1.1.1.1:0
        TCP connection: 2.2.2.2.53184 - 1.1.1.1.646
        State: Oper; Msgs sent/rcvd: 114/115; Downstream
        Up time: 01:32:32
        LDP discovery sources:
          GigabitEthernet0/0, Src IP addr: 172.16.1.2
        Addresses bound to peer LDP Ident:
          172.16.1.2      2.2.2.2         

The next step is to configure the interfaces facing customer CE nodes for the P2P E-Line service. Customer will be totally oblivious to how the traffic is transported between CE and CE2, as it does not interact with the provider’s routing.

On both PE1 and PE2 we configure the following:


PE1(config)#pseudowire-class LAB1 
PE1(config-pw-class)#encapsulation mpls 
PE1(config-pw-class)#ex
!
PE1(config)#int gigabitEthernet 0/1
PE1(config-if)#xconnect 2.2.2.2 12 pw-class LAB1

PE2(config)#pseudowire-class LAB1 
PE2(config-pw-class)#encapsulation mpls 
PE2(config-pw-class)#ex
!
PE2(config)#int gigabitEthernet 0/1
PE2(config-if)#xconnect 1.1.1.1 12 pw-class LAB1

The xconnect configuration must reach to the remote PE loopback address and VC ID (12 in our case is a trivial number) must match for the xconnect.

Once the Xconnect is configured on both interfaces, you would notice a log message indicating an LDP session is up. This is a targeted LDP session between PE1 and PE2.

*Apr 27 21:36:34.896: %LDP-5-NBRCHG: LDP Neighbor 1.1.1.1:0 (1) is UP

Let’s validate the status of the xconnect:

PE1#sh xconnect all 
Legend:    XC ST=Xconnect State  S1=Segment1 State  S2=Segment2 State
  UP=Up       DN=Down            AD=Admin Down      IA=Inactive
  SB=Standby  HS=Hot Standby     RV=Recovering      NH=No Hardware

XC ST  Segment 1                         S1 Segment 2                         S2
------+---------------------------------+--+---------------------------------+--
UP pri   ac Gi0/1:3(Ethernet)            UP mpls 2.2.2.2:12                   UP
PE1#sh xconnect all detail 
Legend:    XC ST=Xconnect State  S1=Segment1 State  S2=Segment2 State
  UP=Up       DN=Down            AD=Admin Down      IA=Inactive
  SB=Standby  HS=Hot Standby     RV=Recovering      NH=No Hardware

XC ST  Segment 1                         S1 Segment 2                         S2
------+---------------------------------+--+---------------------------------+--
UP pri   ac Gi0/1:3(Ethernet)            UP mpls 2.2.2.2:12                   UP
            Interworking: none                   Local VC label 17              
                                                 Remote VC label 17             
                                                 pw-class: LAB1             

As a final validation, let’s test if we can ping CE2 from CE1.

CE1#ping 10.10.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/15/26 ms 

E-LAN

E-LAN is similar to E-Line in terms of concept and how the customer does not interact and route with the provider. However, E-LAN is not P2P, but more as a full mesh.

Here, the provider act as a switch, enabling the end CEs to learn each other MAC addresses and therefore communicate.
I expanded on the previous example by adding PE3 and CE3 to existing nodes. The goal is to have all 3 CEs communicating

As we have done previously for PE1 and PE2, I have also added OSPF to PE3, routing loopback0 (3.3.3.3) and enabled MPLS LDP.

L2VPN E-LAN

The steps to configure E-LAN or VPLS are as follows:

  1. Configure service instance ethernet under the interface facing CE.
  2. Configure a bridge domain, this will be the virtual switch where MAC addresses will be learnt.
  3. Configure the VFI (Virtual Forwarding Instance), where VPN ID must be unique across the domain.
On each PE Interface facing CE
PE2(config)#int gigabitEthernet 2 
PE2(config-if)#service instance 
PE2(config-if-srv)#encapsulation default 
PE2(config-if-srv)#bridge-domain 200
PE2(config-if-srv)#exit
!
PE2(config)#bridge-domain 200

Then we configure the VFI

PE2(config)#l2 vfi LAB2 manual 
PE2(config-vfi)#vpn id 1
PE2(config-vfi)#bridge-domain 200
PE2(config-vfi)#
PE2(config-vfi)#neighbor 1.1.1.1 encapsulation mpls 
PE2(config-vfi)#neighbor 3.3.3.3 encapsulation mpls  

For the validation process, we could run these 2 show commands then finish off with a ping from CE1 to CE2 & CE3.

PE2#sh bridge-domain       
Bridge-domain 200 (3 ports in all)
State: UP                    Mac learning: Enabled
Aging-Timer: 300 second(s)
Maximum address limit: 65536
    GigabitEthernet2 service instance 123
    vfi LAB2 neighbor 1.1.1.1 1
    vfi LAB2 neighbor 3.3.3.3 1
   AED MAC address    Policy  Tag       Age  Pseudoport
PE2#sh vfi 
Legend: RT=Route-target, S=Split-horizon, Y=Yes, N=No

VFI name: LAB2, state: up, type: multipoint, signaling: LDP
  VPN ID: 1
  Bridge-Domain 200 attachment circuits:
  Neighbors connected via pseudowires:
  Peer Address     VC ID        S
  3.3.3.3          1            Y
  1.1.1.1          1            Y
PING to CE2
CE1#ping 10.10.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/9/16 ms
CE1#
PING to CE3
CE1#ping 10.10.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/16/29 ms