
Advanced MPLS breakout
BRKIPM-3071
Patrice Bellagamba, Consulting Engineer, Cisco Europe
BRKIPM-3071 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public


Housekeeping
- We value your feedback: don't forget to complete your online session evaluations after each session and complete the Overall Conference Evaluation, which will be available online from Thursday.
- Visit the World of Solutions.
- Please remember this is a 'non-smoking' venue!
- Please switch off your mobile phones.
- Please make use of the recycling bins provided.
- Please remember to wear your badge at all times, including the Party.


Session objectives
This session will focus on key detailed design best practices to implement services like IP-VPN, EoMPLS and VPLS combined with Fast Convergence and Fast ReRoute. A special focus will be given to the usage of EoMPLS/VPLS to allow VLAN extension between Data Centers in a high-availability fashion, compatible with the strict SLA required for server clusters.


What are the MPLS hot topics nowadays
Layer 3 VPN
- Fast Convergence (FRR / Local protection / PIC)
- Label Switched Multicast (LSM)
Layer 2 VPN
- Redundancy (VPLS PE / PW)
- L2 Data Center Interconnection
- Scalability constraints
- L2VPN over IP Core optimization
- TE for Layer 2 VPN
Domain of application
- SP edge and core
- Enterprise virtualization
- Data-Center Interconnect


Agenda
- PE-CE link local protection
- VPLS PE redundancy
- L2VPN over IP core
- MPLS-TE for L2 VFI balancing


PE-CE Link Protection (Ph. 1) Recap
(Diagram: CE1 dual-homed to PE1 (the PLR) and PE2; P1 in the core; PE3 with CE2 on the remote side.)


PE-CE Link Protection (Ph. 1) Recap
(Diagram: PE1, CE1, PE2, PE3 and the route reflector RR.)
1. Link failure
2. Failure detection
3. Routes down, run BGP bestpath
4. Reprogram forwarding, maintain local label, redirect traffic (connectivity restored)
5. Send BGP withdrawal
6. Propagate update through RR
7. Receive update, run bestpath
8. Reprogram forwarding, redirect traffic (bypass local repair)


Policy Based Egress Scenario – i.e. BGP MED
The Ph1 solution is not effective when there is no alternative path at the PLR upon PE-CE link failure.
Prefix N1:
- MED value of 100 for the PE1-CE1 path
- MED value of 200 for the PE2-CE1 path
PE2 prefers the iBGP path via PE1 and does not advertise its external path via CE1. There is no secondary path at the PLR (PE1).


Policy Based Egress Scenario – i.e. BGP MED
(Diagram: CE1 dual-homed to PE1 (N1: MED=100) and PE2 (N1: MED=200); PE3 is the remote PE.)
1. PE1: send BGP Adv: N1, MED 100
2. PE1: send BGP Withdraw: N1, MED 100
3. PE3 and PE2: process BGP Withdraw: N1, MED 100
4. PE3: remove forwarding entry for N1
5. PE2: send BGP Adv: N1, MED 200
6. PE3: process BGP Adv: N1, MED 200
7. PE3: program forwarding entry for N1


MPLS VPN BGP Best External Solution
- A converged IOS and IOX solution developed by key IOS and IOX architects and engineers.
- BGP advertises its best-external route to its internal peers even if it prefers a path over its internal peer.
- A corresponding MPLS forwarding entry is preprogrammed; however, it is not used in steady state.
- Improves end-to-end convergence even without PE-CE link protection.
- Per VRF/AFI/SAFI control.


MPLS VPN BGP Best External Solution
(Diagram: CE1 dual-homed to PE1 (N1: MED=100) and PE2 (N1: MED=200); PE3 is the remote PE.)
PE1:
1. Local MPLS VPN forwarding entry is programmed
2. Send BGP Adv: N1, MED 100
3. Route down; BGP bestpath
4. Reprogram forwarding entry; maintain local label; traffic redirected
5. Send BGP Withdraw: N1, MED 100
PE2:
1. Local MPLS VPN forwarding entry is programmed; however, it is not used in steady state
2. Send BGP Adv: N1, MED 200
PE3:
6. Process BGP Withdraw: N1, MED 100
7. Reprogram forwarding entry for N1; bypass the PLR


Configuring PE-CE Local Link Protection
- Can be enabled/disabled on a per-VRF basis
- Cleanup timer of 5 minutes is not configurable

tuonno(config-vrf)#protection ?
  local-prefixes  Enable protection for local prefixes

tuonno#sh ip vrf detail vrf1
VRF vrf1 (VRF Id = 1); default RD 4711:1; default VPNID
  No interfaces
  VRF Table ID = 1
  Export VPN route-target communities
    RT:4711:1
  Import VPN route-target communities
    RT:4711:1
  No import route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix
  vrf-conn-aggr for connected and BGP aggregates (No Label)
  Local prefix protection enabled


Agenda
- PE-CE link local protection
- VPLS PE redundancy
- L2VPN over IP core
- MPLS-TE for L2 VFI balancing
Credit to Dennis Cai, Technical Marketing Engineer


End-to-End L2VPN Redundancy
(Diagram: Access U-PE1/U-PE2 with native VLANs into the Native Ethernet Aggregation L2 switch; MPLS aggregation n-PE1..n-PE4 connected by pseudowires across the MPLS P / MPLS core; failure points 1 to 4 marked on the topology.)
- Failure 1 – MPLS network link or P node failure: TE/FRR with fast LoS detection
- Failure 2 – L2 network link or node failure: Rapid STP, REP
- Failure 3 – MPLS aggregation n-PE node failure: PW redundancy with VPLS MAC withdrawal
- Failure 4 – Ethernet access/aggregation PE node failure: MST over special PW, REP, R-L2GP with VPLS MAC withdrawal


AToM/VPLS TE/FRR – MPLS link or P node failure
(Diagram: primary TE tunnel between PEs across P nodes; an LSP link or P node failure triggers MPLS TE/FRR.)
- FRR builds an alternate path to be used in case of a network failure (link or node); local repair negates convergence delays
- No special configuration for AToM/VPLS PWs
- The FRR-protected tunnel will support all the traffic traversing the link
- When tied to POS AIS or SIP-based GE/10GE, ~50 ms restore times are achievable
- AToM packets are forwarded to the TE tunnel by auto tunnel selection or IGP routing configuration
- Not solved by TE/FRR: tunnel end point (PE node) failure or AC failure


AToM VPWS PW Redundancy
(Diagram: primary TE tunnel; PE node or attachment circuit failure; backup PW to a different PE or a different attachment circuit.)
- TE/FRR only addresses LSP link or P node failure. It doesn't cover PE node or attachment circuit failure
- In case of PE node or attachment circuit failure, the PW goes down
- The solution is to build a backup PW to a different PE node or a different attachment circuit
- PW failover upon detecting the primary PW going down
- The issue: PE node redundancy is only for one side (called one-way PW redundancy). Need redundant PEs on both sides (so-called two-way PW redundancy)


PW redundancy – IOS Configuration Examples
Example 1 – The debounce timer is set to 3 seconds so that we don't allow a switchover until the connection has been deemed down for 3 seconds. 10 seconds after the original primary PW becomes available again, it will switch back. In this example, primary and backup PW terminate on two different PE boxes.

interface gig1/1
 xconnect 10.0.0.1 100 encapsulation mpls
  backup peer 10.0.0.2 200
  backup delay 3 10

Example 2 – In this example, when the primary PW is detected going down, it switches over to the backup PW immediately. Once a switchover occurs, we will not fall back to the primary until the secondary xconnect fails. In this example, both primary and backup PW terminate on the same PE box, with different attachment circuits.

interface gig1/1
 xconnect 20.0.0.1 50 encapsulation mpls
  backup peer 20.0.0.1 100
  backup delay 0 never
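The two timer semantics above (debounce before switchover, delayed or never fallback, immediate return when the backup itself fails) are easy to get wrong when reading a config, so here is a small model of them. This is an added example, not IOS code or anything from the deck: it reproduces only what the slide states, takes time as plain seconds supplied by the caller, and the `backup_up` input is an assumption used to show the "never" case ending when the secondary xconnect fails.

```python
"""Model of 'backup delay <enable> <disable|never>' for one xconnect.

Added example (not Cisco code).  Semantics implemented, as stated on the slide:
  - switch to the backup PW only once the primary has been down for <enable> s
  - switch back <disable> s after the primary is available again
  - with 'never', switch back only when the backup PW itself fails
"""
from typing import List, Optional, Tuple


class PwRedundancy:
    """Tracks which pseudowire (primary or backup) is active for one xconnect."""

    def __init__(self, enable_delay: float, disable_delay: Optional[float]):
        self.enable_delay = enable_delay      # seconds primary must be down before switchover
        self.disable_delay = disable_delay    # seconds primary must be up before fallback; None = never
        self.active = "primary"
        self.primary_up = True
        self.primary_down_since: Optional[float] = None
        self.primary_up_since: Optional[float] = None

    def observe(self, now: float, primary_up: bool, backup_up: bool = True) -> str:
        """Feed the PW states seen at time `now`; return the active PW afterwards."""
        if primary_up != self.primary_up:
            # state transition of the primary: restart the relevant timer
            self.primary_up = primary_up
            if primary_up:
                self.primary_up_since, self.primary_down_since = now, None
            else:
                self.primary_down_since, self.primary_up_since = now, None

        if self.active == "primary":
            if not primary_up and now - self.primary_down_since >= self.enable_delay:
                self.active = "backup"      # debounce expired: switch over
        else:
            if primary_up and not backup_up:
                self.active = "primary"     # secondary xconnect failed: go back at once
            elif (primary_up and self.disable_delay is not None
                  and now - self.primary_up_since >= self.disable_delay):
                self.active = "primary"     # primary stable long enough: fall back
        return self.active


def run(policy: PwRedundancy, timeline: List[Tuple[float, bool, bool]]) -> List[str]:
    """Replay (time, primary_up, backup_up) samples and collect the active PW after each."""
    return [policy.observe(t, p, b) for t, p, b in timeline]


# Constructed timelines for the two examples on the slide.
EXAMPLE1_TIMELINE = [(0, True, True), (1, False, True), (3.5, False, True), (4, False, True),
                     (5, True, True), (14, True, True), (15, True, True)]
EXAMPLE2_TIMELINE = [(0, True, True), (1, False, True), (2, True, True),
                     (500, True, True), (501, True, False)]


def example1() -> List[str]:
    """backup delay 3 10"""
    return run(PwRedundancy(3, 10), EXAMPLE1_TIMELINE)


def example2() -> List[str]:
    """backup delay 0 never"""
    return run(PwRedundancy(0, None), EXAMPLE2_TIMELINE)


if __name__ == "__main__":
    for name, result in (("backup delay 3 10", example1()), ("backup delay 0 never", example2())):
        print(f"{name}: {result}")
```

In the first timeline the 2.5 s outage at t=3.5 is absorbed by the debounce and the switch-back only happens at t=15, ten seconds after the primary returned; in the second the primary is never used again until the backup fails at t=501.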


Apply PW Redundancy (P2P) into H-VPLS (multipoint)
(Diagram: U-PE11 and U-PE12 with primary/backup PWs to N-PE11 and N-PE12; VFIs on N-PE21, N-PE22 and N-PE31 across P nodes; CE behind N-PE21.)
- The U-PE has a primary and a backup PW to two N-PEs. When the primary PW goes down, the U-PE switches over to the backup PW
- For bi-directional traffic, as soon as N-PE21 receives traffic from N-PE12 it updates its MAC table accordingly. Traffic continues
- For uni-directional traffic, N-PE21 will continue forwarding packets to the wrong place until the MAC entry ages out
- The issue: possible packet black hole during PW switchover. A mechanism is needed to flush the MAC address table, since VPLS is a multipoint bridging service


H-VPLS PW Redundancy – With VPLS MAC Withdrawal
(Diagram: U-PE with primary/backup PWs to N-PE11 and N-PE12; VFIs on N-PE21, N-PE22 and N-PE31 across P nodes; CE behind N-PE21.)
- The U-PE switches over to the backup PW if the primary PW goes down
- As soon as the backup PW comes active, the U-PE generates a MAC withdrawal message via D-LDP to N-PE12. N-PE12 flushes its MAC table and forwards this message to all its remote PEs
- After receiving the MAC withdrawal message, the remote PEs flush their MAC address tables
- Packets from N-PE21 are flooded to all N-PEs, including N-PE12, which forwards them to the U-PE. N-PE11 and N-PE31 drop the packets
- Flooding stops once a PE receives a packet from the reverse direction. No packet black hole


L2 Access/Aggregation Redundancy Scenarios
(Diagram: two access L2 rings attached to an aggregation network of VFIs/VPLS; variants shown are two-way PW redundancy, H-VPLS redundancy, one-way PW redundancy, Layer 3 termination and native L2 bridging like PBB.)


Access Redundancy – The Requirements
(Diagram: access network dual-homed to two VFIs; one of the links needs to be blocked.)
- Req#1 – Convergence time, 50 msec stretch goal, sub-second target,


MST over Special PW on PE (12.2(33)SRC)
(Diagram: MPLS link between the two PEs, each with a VFI; the special PW between them runs MST.)
PE configuration:

l2 vfi bpdu-pw manual
 vpn id 1
 forward permit l2protocol all
 neighbor 10.0.0.6 encapsulation mpls
!
interface Vlan1
 xconnect vfi bpdu-pw

- Special PW running MST
- All access networks with the same pair of PEs belong to the same MST domain. All CE networks with the same pair of PEs belong to the same MST domain
- The special PW between the two PEs runs MST. It does not forward any data packets, only BPDUs
- STP is configured in such a way as to make sure the special PW is never blocked, by assigning a very low STP port cost internally
- STP TCN can trigger VPLS MAC withdrawal in the PE network


MST on EVC – Configuration Model (12.2(33)SRD)
EVC port configuration:

interface gi1/1
 service instance 1 ethernet
  encapsulation dot1q 10 second-dot1q 200
  rewrite ingress tag pop 2 symmetric
  bridge-domain 100

Bridge-domain MST configuration:

spanning-tree mode mst
spanning-tree mst configuration
 name cisco
 instance 1 vlan 1-1000
 instance 2 vlan 1001-2000
 instance 3 vlan 2001-3000


MST over Special PW on PE
Convergence time: Rapid STP,


Reverse-L2GP (ASR9000 now – 7600 in Q3CY09)
(Diagram: N1 announces "I'm the root", N2 announces "I'm the second-best root"; access nodes U3, U4, U5 and U6 are "just in a normal STP ring".)
Applies to MST only


R-L2GP Failure Scenario Example
(Diagram: N1 and N2 with access ring U3–U6; after the failure, a TC propagates around the ring and an LDP MAC withdrawal is sent from the PE.)


R-L2GP – Why is the inter-PE PW needed? [to avoid a packet black hole for intra-access-ring traffic]
(Diagram: N1 and N2 joined by the inter-PE PW; TCs propagate to U3–U6 and an LDP MAC withdrawal is sent.)
Supports any topology


Reverse L2GP Solution Summary
- Req#1 – Convergence time: per Rapid STP
- Req#2 – MAC flushing mechanism (see previous slide)
- Req#3 – Access network isolation or separation: each access network is in its own STP domain
- Req#4 – Access network dependency: MST is widely supported
Potential issues
- The operational issue: manual MST configuration is needed for each access network on the aggregation PE
- Currently no mechanism to avoid misconfiguration. For example, a human mistake can lead to an L2 loop
- Enhancement: integrate this into the overall inter-chassis redundancy solution (see next section)


CE&PE Combined Solution (2) – REP
(Diagram: MPLS link between the two PEs; REP Segment 1 and REP Segment 2 each terminate on both PEs.)
- REP is per segment, excellent CE network isolation
- Sub-second convergence time (sub-200 msec on certain LCs on 7600, close to 50 msec on 3400)
- Typically one of the links between CE and PE is blocked by REP. Per-VLAN load balancing is done by REP configuration
- REP TCN can trigger VPLS MAC withdrawal in the PE VPLS cloud
- REP is not aware of MPLS uplink failure. Redundant uplinks are needed to avoid a single point of failure in the real design


REP Solution Summary
- Convergence time: sub-second (sub-200 msec for certain LCs on 7600, close to 50 msec on 3400)
- L2 domain isolation: REP is per segment, there is no interaction between access networks. Access networks are isolated from each other
- TCN propagation: REP TCN can trigger VPLS MAC withdrawal. No packet black hole in the PE VPLS cloud
Notes
- REP is not aware of PE MPLS uplink failure. For example, if all of a PE's MPLS uplinks fail, this won't cause a REP topology change. The CE still forwards packets to the original PE and causes a packet black hole. In the real design, we recommend redundant MPLS uplinks. The possibility of both MPLS uplinks failing while the PE node is still alive is very low ☺
- REP doesn't work on "EVC" ports. Plan to support this in the SRD or post-SRD release


N-PE Active/Standby concepts using Inter-Chassis Communication Protocol (ICCP)
ICCP target is 2HCY09
(Diagram: N-PE Primary and N-PE Back-up linked by ICCP, running local STP and mLACP toward the access side; PWs into the MPLS core; MAC withdraw on switchover.)
- Only one link active per MEC in the first phase
- draft-martini-pwe3-iccp in progress


Function Block Overview
- PE Role: Two PEs form one virtual redundancy group. Multiple application groups can be created within one virtual redundancy group (pair of PEs). One PE is primary, the other is backup. Primary/backup is decided at the application group level.
- Monitoring: Keepalive messages are exchanged between the two PEs over the L3 path to check box-level health. Typically it uses BFD or route watch. It can also monitor the access link and the core link.
- Failure reaction: Upon detecting peer PE failure or link failure, it can take certain actions, like primary PE role switchover, interacting with the access network, generating VPLS MAC withdrawal or MVRP/MIRP messages, etc.
- Application: The two PEs can exchange information for a specific application. For example, the inter-chassis port-channel system ID, syncing the DHCP snooping table, etc.


N-PE Active/Standby concepts using Inter-Chassis Communication Protocol (ICCP)
(Diagram: N-PE Primary (root) and N-PE Back-up linked by ICCP; edge ports toward the local STP; MiRP / MVRP trigger an edge STP MAC flush; PWs into the MPLS core; MAC withdraw.)
- draft-martini-pwe3-iccp in progress
- ICCP target is 2HCY09
- Time-to-market solution using EEM scripts to execute ICCP


Features to be Supported
Access side
- Single CE dual-homed – mLACP active-standby mode, active-active mode requiring per-VLAN load balancing for the port-channel
- L2 ring termination – integrate with MVRP, integrate with R-L2GP/MST, integrate with access-side REP
Service side
- L2VPN service, VPWS, VPLS, H-VPLS
- Basic L3 routing, including IP multicast
- IP session awareness – session information sync between the two chassis
Extend?
- Multi-chassis APS – apply to other access types


Data-Center Layer 2 Interconnect
- DC applications like clusters and VMware
- DC migration and DRP
- Requirement for VLAN extension
- Requirement for STP isolation
- Requirement for link protection
- Applicable to any DC spanning-tree
- Multi-site (3 or more)


L2 extension Loop Prevention
(Diagram: VPLS bridging domain between the N-PEs of each DC, with STP isolation per DC.)
- STP isolation
- Any DC STP
- Any number of sites
- Any number of VLANs (using QinQ today, +802.1ah later on)
- 7600 SRC or 6500 SXI
- Active/Backup scripts


L2 extension Loop Prevention
(Diagram: VPLS bridging domain between the N-PEs of each DC.)
- 7600 SRE: ICCP based
- 6500 VSS coming next
- Nexus OTV coming next


EEM in N-PE = 'VPLS node redundancy using EEM'
SRC & SXI implementation using scripting
(Diagram: N-PEs Primary (P) and Backup (B), each with its PW (primary PW, back-up PW) toward the remote site.)
- P signals "Primary is up": wait a start-up delay; the backup PW is forced down; B is set down
- B signals "Backup is down": the primary PW is set up
- P signals "Primary is down": the backup PW is set up; B is set up immediately
- B signals "Backup is active": the primary PW is forced down (MAC-flush trick)
The semaphores' role is to synchronize Primary and Backup:
- Ensure fast backup and return to function
- Dual handshake prohibits the Active/Active state (to prevent loops)


No loop even on unexpected Active/Active state
(Diagram: two sites, each with a Root, local STP and an N-PE pair P/B, interconnected across the MPLS core.)
- VPLS split-horizon is protecting against loops
- Unexpected split-brain!!! with local semaphores + tie-break failures
- The remote back-up node is inactive
- No loop can be created by a one-site split-brain
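The four semaphore reactions of the EEM scheme and the split-brain case from the two slides above can be checked as a small state machine. This is an added example, not the deck's EEM scripts: the four reactions are taken from the slide; the `sem_path_ok` flag (whether each N-PE can still see the other's semaphore route) and the boolean `startup_delay_elapsed` gate are simplifying assumptions used to reproduce the split-brain and the delayed return of the primary.

```python
"""Dual-semaphore handshake between Primary (P) and Backup (B) N-PE.

Added example (not Cisco code).  Rules implemented, from the slide:
  backup  sees P up   -> backup PW forced down, B semaphore down
  primary sees B down -> primary PW set up
  backup  sees P down -> backup PW up, B semaphore up immediately
  primary sees B up   -> primary PW forced down
Assumption: 'sem_path_ok' models whether the tracked semaphore routes are
reachable; when it is False each node sees the other's semaphore as down.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Site:
    p_sem: bool = False        # Primary semaphore (loopback P advertises when up)
    b_sem: bool = False        # Backup semaphore
    p_pw: bool = False         # Primary's PW toward the remote site
    b_pw: bool = False         # Backup's PW toward the remote site
    p_alive: bool = True       # the Primary chassis is running
    sem_path_ok: bool = True   # assumption: semaphore routes are reachable
    trace: List[str] = field(default_factory=list)

    def _b_sees_p_up(self) -> bool:
        return self.p_sem and self.sem_path_ok

    def _p_sees_b_up(self) -> bool:
        return self.b_sem and self.sem_path_ok

    def settle(self) -> "Site":
        """Apply the handshake rules until no node changes state."""
        for _ in range(10):                      # converges in one or two passes
            changed = False
            if self._b_sees_p_up() and (self.b_pw or self.b_sem):
                self.b_pw = self.b_sem = False
                self.trace.append("B: P is up -> backup PW forced down, B down")
                changed = True
            if not self._b_sees_p_up() and not (self.b_pw and self.b_sem):
                self.b_pw = self.b_sem = True
                self.trace.append("B: P is down -> backup PW up, B up")
                changed = True
            if self.p_alive:
                if self._p_sees_b_up() and self.p_pw:
                    self.p_pw = False
                    self.trace.append("P: B is active -> primary PW forced down")
                    changed = True
                if not self._p_sees_b_up() and self.p_sem and not self.p_pw:
                    self.p_pw = True
                    self.trace.append("P: B is down -> primary PW up")
                    changed = True
            if not changed:
                return self
        raise RuntimeError("handshake did not converge")

    def primary_boot(self, startup_delay_elapsed: bool) -> "Site":
        """Primary comes (back) up; it raises its semaphore only after the start-up delay."""
        self.p_alive = True
        if startup_delay_elapsed:
            self.p_sem = True
        return self.settle()

    def primary_fail(self) -> "Site":
        self.p_alive = False
        self.p_sem = self.p_pw = False
        return self.settle()

    def semaphore_path_fail(self) -> "Site":
        """Both chassis stay alive but lose sight of each other's semaphore."""
        self.sem_path_ok = False
        return self.settle()

    def active_pws(self) -> Tuple[str, ...]:
        return tuple(n for n, up in (("P", self.p_pw), ("B", self.b_pw)) if up)

    def active_active(self) -> bool:
        return self.p_pw and self.b_pw


def failover_and_return() -> List[Tuple[str, ...]]:
    """Normal life cycle: primary up, primary fails, primary reboots, delay expires."""
    s = Site()
    return [s.primary_boot(True).active_pws(), s.primary_fail().active_pws(),
            s.primary_boot(False).active_pws(), s.primary_boot(True).active_pws()]


def split_brain() -> bool:
    """Semaphore path lost while both are alive: the handshake cannot prevent active/active."""
    s = Site().primary_boot(True)
    return s.semaphore_path_fail().active_active()
```

`failover_and_return()` shows the dual handshake: the backup is taken down and only then does the primary PW come up, so no step yields both PWs active. `split_brain()` returns True, which is exactly the case the second slide covers: the handshake alone cannot resolve it, and VPLS split-horizon is what keeps a one-site split-brain from forming a loop.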


N-PE – Back-up node
Manage semaphores:

track 10 ip route 10.80.76.1 reachability
event manager applet VPLS_P_semaphore-is-down
 event track 10 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "conf t"
 ! Up B-semaphore
 action 3.0 cli command "int lo80"
 action 3.1 cli command "no shutdown"
 ! Start Xconnect
 action 4.0 cli command "int lo90"
 action 4.1 cli command "no shutdown"
 ! Force MAC flush through link flapping (only the link toward the Primary)
 action 5.0 cli command "int g1/3"
 action 5.1 cli command "shutdown"
 action 5.2 cli command "no shutdown"
 action 9.0 syslog msg "Backup PW is active"


Migration example – DC-Core is pure MPLS
- MPLS deployed on the Core
- L3 can now benefit from VRF / TE / FRR
(Diagram: L2 – L3 – L2 across the shared core.)
- Dedicated L2 edge box
- Sharing the core
- No impact on the DC


Migration example – DC-Core is pure IP
- No impact on the Core
- Pure IP routing
(Diagram: L2oIP – L3 – L2oIP.)
- Dedicated L2 edge box with L2VPNoGRE
- No impact on the DC
Remark: the performance of GRE encapsulation is below simple MPLS label imposition


Scalability concerns
- MAC address table?
- VLAN scale?
- Maximum point-to-point VPWS services?
- Maximum bridge-domains and VPLS instances?
- Maximum VPLS peers per VPLS instance?
- Maximum attachment circuits?
- Broadcast/multicast replication?
- ....


Point-to-Point vs. Multipoint
Point-to-Point (VPWS, E-LINE, EWS/ERS, and so on)
- One virtual circuit connects two UNIs
- The UNIs can be on the same box or on two boxes
- No MAC learning or MAC-based forwarding is involved
- The virtual circuit is tied to a port/VLAN; it doesn't need system-wide VLAN resources, so a potentially large number of circuits is supported
Multipoint (VPLS, L2 local bridging, EMS/EMRS, and so on)
- More than two UNIs, one or multiple virtual circuits
- MAC learning and MAC-based forwarding
- A bridge-domain is tied to system-wide resources like global VLANs, thus less scale
- Typically it has a maximum-peers-per-bridge-domain limit


VLAN Scale
Point-to-Point (VPWS, E-LINE, EWS/ERS, and so on)
- Doesn't require global VLAN resources. Can go much beyond the 4K limit
- Currently the 7600 supports 16K local VLANs per ES20, thus 16K EoMPLS PWs per ES20
Multipoint (VPLS, L2 local bridging, EMS/EMRS, and so on)
- Multipoint bridging creates an L2 broadcast domain. Packets are forwarded based on MAC address
- Needs global VLAN resources, maximum 4K currently


EVC Scalability
- 32K EVCs per box independent of service (local connect, xconnect, bridge-domain)
- 16K EVCs per line card (ES20, ES40, SIP-400)
- 8K EVCs per port without QoS, 4K EVCs per port with QoS
- Maximum EVCs (service instances) per bridge-domain. Note:
  - 120 EVCs per bridge-domain per SIP-400
  - 110 EVCs per bridge-domain per NP for ES20 and ES40, thus ES20 supports 220 EVCs per bridge-domain per linecard and ES40 supports 440 EVCs per bridge-domain per linecard
  - Both VPLS VCs and service instance VCs are presented as pseudo ports, which require LTL index resources. The LTL index is shared between VPLS VCs and service instance VCs


Hierarchical-VPLS with QinQ edge
(Diagram: VLAN – QinQ – VLAN bridging – QinQ – VLAN – VFI – VLAN – MPLS, with QinQ at the edge of each site.)
- Uses QinQ for scalability
- Beware of MAC address overlapping
- Requires SIP/ES20 facing the Core


Example of EVC with Selective QinQ (here with the Odd/Even VLAN concept)

interface Port-channel31
 description - QinQ ES20 card facing Aggregation (Multi-Etherchannel)
 no ip address
 spanning-tree portfast trunk
 service instance 3001 ethernet
  encapsulation dot1q 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,31,33,35,37,39,41,43,45,47,49,51,53,55,57,59,61,201,203,205,207,209,211,213,215,217,219,221,223,225,227,229,231,233,235,237,239,241,243,245,247,249,251,253,255,257
  bridge-domain 3001
 service instance 3004 ethernet
  encapsulation dot1q 2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,46,48,50,52,54,56,58,60,202,204,206,208,210,212,214,216,218,220,222,224,226,228,230,232,234,236,238,240,242,244,246,248,250,252,254,256,258
  bridge-domain 3004


QinQ caveat to be aware of
- QinQ is key to scalability until 802.1ah
- QinQ usage presents a caveat for virtual MAC addresses
(Diagram: the same virtual MAC address A seen repeatedly across the QinQ edge.)
- Avoid usage of the same MAC address for a Virtual-MAC: mainly HSRP / default MAC in SVI
- Avoid FW or ACE active/active state extension
- Control MAC address settings in virtual machines
- Configure 'no mac-learning' on PE edge ports


MAC Scale
MAC learning/limiting feature
- MAC learning can be disabled/enabled on a per-VLAN, per-module (DFC) basis. For example, if VLAN A only has physical ports on Module A, then the other DFC-based modules and the SUP don't need to learn MACs for VLAN A
- MAC limiting can be configured per VLAN or per interface to limit the number of MAC addresses learned

7604-npe1(config)#mac address-table ?
  aging-time    Set MAC address table entry maximum age
  learning      Enable a MAC table learning feature
  limit         Enter parameters for mac limit feature
  notification  Enable a Notification feature
  static        static keyword
  synchronize   Synchronize MAC address table entries in the system

802.1ah (MAC-in-MAC)
- Basically the customer MAC address will only reside on the local PE line card, not in the L2VPN backbone. Support in a future release


Native 802.1ah Aggregation over MPLS (CY09)
(Diagram: Access Network (802.1ad) – Aggregation Network (802.1ah) – Core Network (MPLS) – Aggregation Network (802.1ah) – Access Network (802.1ad); nodes CE, PEB, I-BEB, B-BEB, BCB, PE / B-BEB and P.)
Packet at each stage:
- Customer frame: C-DA | C-SA | C-Tag | C payload | FCS
- After 802.1ad/QinQ encapsulation: C-DA | C-SA | S-Tag | C-Tag | C payload | FCS
- After 802.1ah encapsulation: B-DA | B-SA | B-Tag | I-Tag | C-DA | C-SA | S-Tag (opt) | C-Tag | C payload | FCS
- After MPLS encapsulation: MPLS | B-DA | B-SA | B-Tag (opt) | I-Tag | C-DA | C-SA | S-Tag (opt) | C-Tag | C payload | FCS
- After MPLS decapsulation: B-DA | B-SA | B-Tag (opt) | I-Tag | C-DA | C-SA | S-Tag (opt) | C-Tag | C payload | FCS
- After 802.1ah decapsulation: C-DA | C-SA | S-Tag | C-Tag | C payload | FCS
- After 802.1ad/QinQ decapsulation: C-DA | C-SA | C-Tag | C payload | FCS


VPLS Scale
- VPLS Forwarding Instances (VFIs) per box: a VFI is 1:1 mapped to a system VLAN or bridge-domain. 4K VFIs is the limit set by the global VLAN resource. With 802.1ah, multiple I-SIDs can be mapped to the same B-VLAN (VPLS instance) to solve the VFI scalability issue
- Maximum peers per VFI: 60 up to SRC. SRD increases VFI peers to 110 with an uplink SIP-400, ES20 or ES40
- Maximum VPLS VCs: the code limit is 240K. Up to 30K has been officially tested
- Combination of the above limits: whichever limit comes first becomes the bottleneck. For example, we can support these combinations: (2K VFI, 15 peers per VFI, 30K VCs), (500 VFI, 60 peers per VFI, 30K VCs), (4K VFI, 1 peer per VFI, 4K VCs)


Flooding Packets in VPLS
- Broadcast and unknown unicast packets are flooded in the VPLS network. Multicast is flooded if IGMP snooping is disabled
- Flooded packets are replicated on the ingress PE (per-hop replication will be supported in a future release). With a large number of PEs in the VPLS network, flooded packets can easily exhaust the physical link bandwidth
- IGMP snooping and PIM snooping are supported over VPLS PWs to reduce unnecessary multicast flooding
- Flooded packets can be rate-limited by QoS policing and storm control


Agenda
- PE-CE link local protection
- VPLS PE redundancy
- L2VPN over IP core
- MPLS-TE for L2 VFI balancing


EoMPLS & VPLS o GRE
(Diagram: Xconnected LAN port → EoMPLS → SIP-400 GRE (6500 SXI, 7600 SRB1); Bridged LAN port (VLAN or QinQ) → VFI → SIP-400 GRE (6500 SXI only); one GRE tunnel per destination site.)
- One GRE per destination site
- SIP-400 does GRE encapsulation and de-encapsulation
- EARL7 does MPLS tag switching
- SIP-400 at 3 Gbps FDX with 128 B packets


Configuration: MPLSoGRE

interface Loopback90
 description : dedicated loopback (in global routing) per GRE
 ip address 10.90.1.1 255.255.255.255
interface Tunnel90
 description : GRE tunnel transport for EoMPLS
 ip address 192.168.90.1 255.255.255.0
 mpls ip
 tunnel source Loopback90
 tunnel destination 10.90.1.4
interface Loopback98
 description : LDP peering
 ip address 10.98.76.1 255.255.255.255
ip route 10.98.76.4 255.255.255.255 Tunnel90


VPLSoGRE (without encryption): Ethernet MTU = 1576 bytes max
Core link Ethernet encapsulation:
+ Core Ethernet header = 14
+ Optional core 802.1Q = 4 (could be null when there is no core VLAN)
+ Core trailer (FCS) = 4
GRE encapsulation:
+ IP header = 20
+ GRE encaps = 4
MPLS encapsulation:
+ Core LDP = 4 (could be null on a direct link)
+ Targeted-LDP (VPN-id) = 4
L2VPN:
+ AToM options = 4 (not optional in L2 mode)
+ Ethernet (DA/SA/Type) = 14
+ Optional edge 802.1Q header = 4 (when H-VPLS or EoMPLS type 4)
(rem: no edge FCS encapsulated)
IP-PDU = 1500


VPLS o GRE o VTI in one box with wrap-cable (6500 - SXI)
(Diagram: VRF core – SIP-400 H-QoS – Granikos VTI; Bridged LAN port (VLAN or QinQ) → VFI → SIP-400 GRE → VRF edge; SIP-400 VPLSoGRE H-QoS; one GRE per destination site.)
At 2 Gbps FDX (bi-directional):
- no drop occurs in the Real-Time queue at 192-byte MTU
- 6% drops in RT for 128 bytes
- 50% drops in RT for 64 bytes


VTI with AES encaps + crypto: Ethernet MTU = 1642 bytes max
(crypto expansion could depend in some cases on the frame content, but in most cases it is stable thanks to padding)
+ VTI IP header = 20
+ Crypto extension = 46
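The two MTU budgets above are just sums of the listed headers, but the optional items (core VLAN, core LDP label on a direct link, edge 802.1Q tag) change the result, and the question in practice is usually the reverse one: what is the largest customer IP PDU a given core MTU can carry. The following is an added example, not from the deck; it uses only the byte counts the two slides give, and the toggles for the optional components are the assumption it adds.

```python
"""MTU budget for VPLS over GRE, with and without the VTI/crypto wrap.

Added example (not Cisco code).  Byte counts are the ones listed on the
slides; the slide's "Ethernet MTU" counts the whole core frame including
the core Ethernet header and FCS, and that is what core_frame_size() returns.
"""
CORE_ETHERNET_HEADER = 14
CORE_DOT1Q_TAG = 4          # optional: absent when there is no core VLAN
CORE_FCS = 4
OUTER_IP_HEADER = 20        # GRE transport
GRE_HEADER = 4
CORE_LDP_LABEL = 4          # optional: absent on a direct link
TARGETED_LDP_VC_LABEL = 4   # VPN-id label
ATOM_OPTIONS = 4            # not optional in L2 mode
EDGE_ETHERNET_HEADER = 14   # customer DA/SA/Type (edge FCS is not carried)
EDGE_DOT1Q_TAG = 4          # optional: H-VPLS or EoMPLS type 4
VTI_IP_HEADER = 20          # only with the VTI/crypto wrap
CRYPTO_EXTENSION = 46       # AES; stable in most cases thanks to padding


def overhead(core_vlan=True, direct_link=False, edge_dot1q=True, vti_crypto=False) -> dict:
    """Per-component overhead in bytes, in encapsulation order."""
    parts = {
        "core Ethernet header": CORE_ETHERNET_HEADER,
        "core 802.1Q tag": CORE_DOT1Q_TAG if core_vlan else 0,
        "core FCS": CORE_FCS,
        "outer IP header": OUTER_IP_HEADER,
        "GRE header": GRE_HEADER,
        "core LDP label": 0 if direct_link else CORE_LDP_LABEL,
        "targeted-LDP VC label": TARGETED_LDP_VC_LABEL,
        "AToM options": ATOM_OPTIONS,
        "edge Ethernet header": EDGE_ETHERNET_HEADER,
        "edge 802.1Q tag": EDGE_DOT1Q_TAG if edge_dot1q else 0,
    }
    if vti_crypto:
        parts["VTI IP header"] = VTI_IP_HEADER
        parts["crypto extension"] = CRYPTO_EXTENSION
    return parts


def core_frame_size(ip_pdu: int = 1500, **options) -> int:
    """Size of the core-link frame carrying a customer IP PDU of ip_pdu bytes."""
    return ip_pdu + sum(overhead(**options).values())


def max_customer_pdu(core_mtu: int, **options) -> int:
    """Largest customer IP PDU that fits in a core frame of core_mtu bytes."""
    return core_mtu - sum(overhead(**options).values())


if __name__ == "__main__":
    for name, value in overhead().items():
        print(f"{name:>24}: {value:3d}")
    print("VPLSoGRE frame        :", core_frame_size())
    print("VPLSoGREoVTI frame    :", core_frame_size(vti_crypto=True))
    print("PDU on a 1500-byte core:", max_customer_pdu(1500))
```

With the defaults the function reproduces the slide's 1576 and 1642 figures; the last line shows the number a practitioner actually needs when the core is left at the default 1500: only a 1424-byte customer PDU gets through without fragmentation.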


Agenda
- PE-CE link local protection
- VPLS PE redundancy
- L2VPN over IP core
- MPLS-TE for L2 VFI balancing


MPLS backbone optimization
- Reduce the number of labels using an LDP ACL
- Use BFD to poll links
- Use IGP fast convergence with throttling
- Use LDP session protection (targeted LDP)
- Use Traffic Engineering for path diversity, if required
- Use Fast ReRoute for very fast convergence


MPLS TE benefits with L2VPN
- Fast ReRoute
- Load repartition over the core
- Load repartition over parallel link bundles
Etherchannel and ECMP hashing are executed blindly on the last two labels of the stack (= N-PE/VFI). When the number of VFIs is low, balancing is poor: one link may be overloaded while the other is empty. TE allows per-VFI controlled balancing.


Core load-balancing
Basic MPLS Load Balancing
The maximum number of load-balancing paths is 8. The PFC forwards MPLS labeled packets without explicit configuration. If the packet has three labels or fewer and the underlying packet is IPv4, then the PFC uses the source and destination IPv4 addresses. If the underlying packet is not IPv4 or more than three labels are present, the PFC parses down as deep as the fifth or lowest label and uses it for hashing.
MPLS Layer 2 VPN Load Balancing
Load balancing is based on the VC label in the MPLS core if the first nibble of the MAC address in the customer Ethernet frame is not 4.
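The hashing rules above decide which field of a labeled packet feeds the load-balancing hash, and the L2VPN exception has a corner case worth seeing on real bytes: a customer destination MAC whose first nibble is 4 makes the frame look like IPv4. The following is an added example, not Cisco code: it parses an MPLS label stack and applies the slide's rules; what the PFC does for an L2VPN frame whose first nibble is 4 is an assumption here (the frame is classified like IPv4, so the "address" bytes come out of the Ethernet header), and all packets are constructed test data.

```python
"""PFC load-balancing key selection, modelled from the slide.

Added example (not Cisco code).  Rules: at most 8 paths; three labels or fewer
over IPv4 -> IPv4 source/destination; otherwise the deepest label down to the
fifth; L2VPN -> the VC (bottom) label unless the first nibble after the stack
is 4.  Assumption: in that nibble-4 L2VPN case the generic rule is applied.
"""
import struct
import zlib

MAX_LOAD_BALANCING_PATHS = 8


def mpls_entry(label: int, bottom: bool, exp: int = 0, ttl: int = 64) -> bytes:
    """Encode one 32-bit MPLS label stack entry (label, EXP, S bit, TTL)."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def parse_label_stack(packet: bytes):
    """Return (labels, offset of the first byte after the stack)."""
    labels, off = [], 0
    while True:
        if off + 4 > len(packet):
            raise ValueError("truncated label stack")
        entry = struct.unpack("!I", packet[off:off + 4])[0]
        labels.append(entry >> 12)
        off += 4
        if (entry >> 8) & 1:             # S bit set: bottom of stack
            return labels, off


def select_hash_key(packet: bytes, l2vpn: bool = False) -> tuple:
    """Return ('ipv4', (src, dst)), ('vc-label', n) or ('label', n)."""
    labels, off = parse_label_stack(packet)
    payload = packet[off:]
    if len(payload) < 20:
        raise ValueError("payload too short to classify")
    first_nibble = payload[0] >> 4
    if l2vpn and first_nibble != 4:
        return ("vc-label", labels[-1])
    if len(labels) <= 3 and first_nibble == 4:
        # treated as IPv4: source/destination addresses sit at offsets 12 and 16
        return ("ipv4", (payload[12:16], payload[16:20]))
    depth = min(len(labels), 5)           # fifth label, or the bottom one if shallower
    return ("label", labels[depth - 1])


def choose_path(packet: bytes, path_count: int, l2vpn: bool = False) -> int:
    """Map the selected key onto one of at most 8 equal-cost paths (CRC32 stands in for the hardware hash)."""
    paths = min(path_count, MAX_LOAD_BALANCING_PATHS)
    return zlib.crc32(repr(select_hash_key(packet, l2vpn)).encode()) % paths


# ---- constructed sample packets -------------------------------------------
def ipv4_header(src: bytes, dst: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (version 4, IHL 5, protocol TCP)."""
    return (bytes([0x45, 0]) + struct.pack("!H", 20) + b"\x00" * 4
            + bytes([64, 6]) + b"\x00\x00" + src + dst)


def ethernet_frame(dst_mac: bytes, src_mac: bytes, payload: bytes = b"\x00" * 46) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + payload


SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
L3VPN_2_LABELS = mpls_entry(16, False) + mpls_entry(24, True) + ipv4_header(SRC, DST)
L3VPN_4_LABELS = (b"".join(mpls_entry(l, False) for l in (16, 17, 18))
                  + mpls_entry(24, True) + ipv4_header(SRC, DST))
DEEP_STACK = (b"".join(mpls_entry(l, False) for l in (16, 17, 18, 19, 20))
              + mpls_entry(24, True) + ipv4_header(SRC, DST))
# L2VPN frames: an ordinary destination MAC, and one whose first nibble is 4
L2VPN_PLAIN = (mpls_entry(16, False) + mpls_entry(100, True)
               + ethernet_frame(bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")))
L2VPN_NIBBLE4 = (mpls_entry(16, False) + mpls_entry(100, True)
                 + ethernet_frame(bytes.fromhex("401122334455"), bytes.fromhex("00aabbccddee")))

if __name__ == "__main__":
    for name in ("L3VPN_2_LABELS", "L3VPN_4_LABELS", "DEEP_STACK"):
        print(name, select_hash_key(globals()[name]))
    print("L2VPN_PLAIN  ", select_hash_key(L2VPN_PLAIN, l2vpn=True))
    print("L2VPN_NIBBLE4", select_hash_key(L2VPN_NIBBLE4, l2vpn=True))
```

The last sample shows the caveat behind the slide's wording: with a 4x:xx:xx:xx:xx:xx destination MAC the "addresses" hashed are the EtherType and the first payload bytes, so all such flows can land on the same link regardless of their VC label.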


MPLS TE for link bundle balancing
(Diagram: two sites, each with a Root and local STP; parallel TE tunnels across the core, parallel TE tunnels for the backup path; selective QinQ (or multiple Q-links) at the edge.)


Traffic-Engineering Configuration
Enable TE globally, and on every core link:

mpls traffic-eng tunnels
interface GigabitEthernet3/0/0
 mpls traffic-eng tunnels
. . .

Choose the IGP and enable TE:

router isis
 metric-style wide
 mpls traffic-eng router-id Loopback99
 mpls traffic-eng level-1

router ospf 7600
 router-id 10.99.76.1
 mpls traffic-eng router-id Loopback99
 mpls traffic-eng area 7600


Traffic-Engineering Configuration
Push the PW into TE tunnels:

interface Tunnel13
 ip unnumbered Loopback98
 mpls ip
 tunnel destination 10.98.76.3
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng path-option 1 explicit name RED-1to3
ip explicit-path name RED-2to5 enable
…
pseudowire-class VPLS-Tunnel-13
 encapsulation mpls
 preferred-path interface Tunnel13
!
l2 vfi VFI-99 manual
 vpn id 99
 neighbor 10.98.76.3 pw-class VPLS-Tunnel-13
 neighbor 10.98.76.5 pw-class VPLS-Tunnel-15

Have the VFI use the alternate TE tunnel.


Using the explicit-path option

  interface Tunnel13
   tunnel mpls traffic-eng path-option 1 explicit name RED-1to3
   tunnel mpls traffic-eng path-option 2 explicit name RED-1to3-bck
  ip explicit-path name RED-1to3 enable
   next-address 10.10.13.3
  ip explicit-path name RED-1to3-bck enable
   next-address 10.10.21.2
   next-address 10.10.25.5
   next-address 10.10.35.3

[Diagram: primary TE tunnel R1 to R3 in normal mode (direct link, next hop 10.10.13.3) and in backup mode (R1 to R2 to R5 to R3 via 10.10.21.2, 10.10.25.5, 10.10.35.3).]

Path-options are tried in numeric order: option 2 is signalled only when option 1 cannot be set up.


Using FRR with the explicit-path option

  interface Tunnel13
   tunnel mpls traffic-eng path-option 1 explicit name RED-1to3
   tunnel mpls traffic-eng fast-reroute
  ip explicit-path name RED-1to3 enable
   next-address 10.10.13.3

  interface Tunnel139
   tunnel mpls traffic-eng path-option 2 explicit name RED-1to3-bck
  ip explicit-path name RED-1to3-bck enable
   next-address 10.10.21.2
   next-address 10.10.25.5
   next-address 10.10.35.3

  interface te3/0/0
   mpls traffic-eng backup-path Tunnel139

[Diagram: R1 to R3 direct link (10.10.13.3) protected by the backup tunnel around the ring (10.10.21.2, 10.10.25.5, 10.10.35.3).]

Tunnel139 is the FRR backup tunnel for the te3/0/0 link; its explicit path must not traverse the link it protects, which is why it is pinned around the ring.


Using the colour affinity option

  interface te3/0/1
   mpls traffic-eng administrative-weight 2
   mpls traffic-eng attribute-flags 0x10
  …
  interface Tunnel13
   tunnel mpls traffic-eng affinity 0x10 mask 0x11
   tunnel mpls traffic-eng path-option 2 dynamic
   tunnel mpls traffic-eng path-selection metric te

[Diagram: links labelled "Affinity = 01 / Cost 1" and "Affinity = 01 / cost 2"; primary TE tunnel R1 to R3 in normal and backup mode.]

CSPF keeps a link only if its attribute-flags, ANDed with the tunnel mask, equal the tunnel affinity; with path-selection metric te the administrative-weight, not the IGP metric, decides between the remaining links.


Using FRR with the affinity option

  interface Tunnel13
   tunnel mpls traffic-eng affinity 0x10 mask 0x11
   tunnel mpls traffic-eng fast-reroute

  interface Tunnel139
   tunnel mpls traffic-eng affinity 0x10 mask 0x11
   tunnel mpls traffic-eng path-option 2 explicit name RED-1to3-bck
  ip explicit-path name RED-1to3-bck enable
   exclude-address 10.10.13.3

  interface te3/0/0
   mpls traffic-eng backup-path Tunnel139

[Diagram: R1 to R3 direct link (10.10.13.3), backup path around the ring via 10.10.25.5 and 10.10.35.3.]

With exclude-address the backup tunnel's path is still computed dynamically, but CSPF avoids 10.10.13.3, so Tunnel139 stays off the protected link without listing every hop.


Using multiple colour affinity options

  interface te3/0/1
   mpls traffic-eng administrative-weight 2
  …
  mpls traffic-eng lsp attributes T1
   affinity 0x01 mask 0xFF
  mpls traffic-eng lsp attributes T1-bck
   affinity 0x10 mask 0xFF
  !
  interface Tunnel13
   tunnel mpls traffic-eng path-option 2 explicit name P1 attributes T1
   tunnel mpls traffic-eng path-option 4 explicit name P2 attributes T1-bck
   tunnel mpls traffic-eng path-option 6 dynamic
   tunnel mpls traffic-eng path-selection metric te

[Diagram: links labelled "Affinity = 01 / Cost 1" and "Affinity = 01 / cost 2"; primary TE tunnel R1 to R3 in normal and backup mode.]

The path-options are tried in order: colour 0x01 links first (T1), colour 0x10 links as the backup (T1-bck), and an unconstrained dynamic path as the last resort. Numbering them 2, 4, 6 leaves room to insert options later without renumbering.
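The path-option mechanisms used on the last five slides (explicit next-address lists, exclude-address, affinity/mask against attribute-flags, FRR backup-path binding, and path-selection metric te versus the IGP metric), as an added example that is not part of the Cisco deck: a toy CSPF in Python. The topology, link addresses, colours and costs are constructed to match the slide diagrams and are assumptions; the Tunnel13/Tunnel139 definitions mirror the configurations shown above.

```python
"""
Added example (not from the BRKIPM-3071 deck): a toy CSPF that models how IOS
resolves the TE path-options on the slides. Topology, addresses, colours and
costs are constructed to match the slide diagrams (R1-R3 direct, R1-R2-R5-R3
around the ring); they are assumptions, not the deck's own values.
"""
import heapq
from typing import NamedTuple


class Link(NamedTuple):
    src: str    # router at the near end
    dst: str    # router at the far end
    addr: str   # far-end address, as used by next-address / exclude-address
    igp: int    # IGP metric
    te: int     # mpls traffic-eng administrative-weight
    flags: int  # mpls traffic-eng attribute-flags


# Constructed: the direct R1-R3 link is colour 0x01 with a low TE weight but a high
# IGP metric; the ring links are colour 0x10. Addresses follow the slide's 10.10.<xy>.<y> scheme.
LINKS = [
    Link("R1", "R3", "10.10.13.3", 5, 1, 0x01), Link("R3", "R1", "10.10.13.1", 5, 1, 0x01),
    Link("R1", "R2", "10.10.21.2", 1, 2, 0x10), Link("R2", "R1", "10.10.21.1", 1, 2, 0x10),
    Link("R2", "R5", "10.10.25.5", 1, 2, 0x10), Link("R5", "R2", "10.10.25.2", 1, 2, 0x10),
    Link("R5", "R3", "10.10.35.3", 1, 2, 0x10), Link("R3", "R5", "10.10.35.5", 1, 2, 0x10),
]

RING = ["10.10.21.2", "10.10.25.5", "10.10.35.3"]


def affinity_ok(link, affinity, mask):
    """IOS rule: the link's attribute bits selected by the mask must equal the tunnel's affinity bits."""
    return (link.flags & mask) == (affinity & mask)


def usable(link, affinity, mask, exclude, down):
    return link.addr not in exclude and link.addr not in down and affinity_ok(link, affinity, mask)


def cspf(src, dst, affinity=0, mask=0, metric="te", exclude=(), down=()):
    """Prune links that fail the constraints, then run Dijkstra on the chosen metric."""
    pq, seen = [(0, src, [])], set()
    while pq:
        cost, node, hops = heapq.heappop(pq)
        if node == dst:
            return hops
        if node in seen:
            continue
        seen.add(node)
        for l in LINKS:
            if l.src == node and usable(l, affinity, mask, exclude, down):
                heapq.heappush(pq, (cost + getattr(l, metric), l.dst, hops + [l.addr]))
    return None


def explicit(src, dst, hops, affinity=0, mask=0, down=()):
    """Strict next-address list: each hop must be the far end of a usable link from the current node."""
    node = src
    for hop in hops:
        link = next((l for l in LINKS if l.src == node and l.addr == hop), None)
        if link is None or not usable(link, affinity, mask, (), down):
            return None
        node = link.dst
    return list(hops) if node == dst else None


def tunnel_path(src, dst, path_options, down=()):
    """Walk path-options in numeric order; return (option, hops) for the first one that resolves."""
    for opt in sorted(path_options, key=lambda o: o["option"]):
        aff, mask = opt.get("affinity", 0), opt.get("mask", 0)
        if opt.get("next"):
            hops = explicit(src, dst, opt["next"], aff, mask, down)
        else:
            hops = cspf(src, dst, aff, mask, opt.get("metric", "te"), opt.get("exclude", ()), down)
        if hops:
            return opt["option"], hops
    return None


def frr_backup_protects(protected_addr, backup_hops):
    """A tunnel bound with 'mpls traffic-eng backup-path' must not cross the link it protects."""
    return protected_addr not in backup_hops


# Slide 67: two explicit path-options on Tunnel13
TUNNEL13 = [{"option": 1, "next": ["10.10.13.3"]}, {"option": 2, "next": RING}]
# Slide 70: Tunnel139 = affinity 0x10 mask 0x11 plus exclude-address 10.10.13.3
TUNNEL139 = [{"option": 2, "affinity": 0x10, "mask": 0x11, "exclude": ["10.10.13.3"]}]
# Slide 71: lsp attributes T1, then T1-bck, then a plain dynamic fallback
TUNNEL13_COLOURED = [{"option": 2, "affinity": 0x01, "mask": 0xFF},
                     {"option": 4, "affinity": 0x10, "mask": 0xFF},
                     {"option": 6}]

if __name__ == "__main__":
    print("normal      :", tunnel_path("R1", "R3", TUNNEL13))
    print("13.3 down   :", tunnel_path("R1", "R3", TUNNEL13, down={"10.10.13.3"}))
    print("Tunnel139   :", tunnel_path("R1", "R3", TUNNEL139))
    print("te vs igp   :", cspf("R1", "R3", metric="te"), cspf("R1", "R3", metric="igp"))
    print("FRR valid   :", frr_backup_protects("10.10.13.3", tunnel_path("R1", "R3", TUNNEL139)[1]))
```

The `frr_backup_protects` check is the one to run before binding a backup tunnel to an interface: IOS will happily accept `mpls traffic-eng backup-path` for a tunnel whose path crosses the protected link, and the failure only shows up when the link goes down. The te/igp comparison shows why `path-selection metric te` matters: with an administrative-weight that disagrees with the IGP metric, the two metrics pick different paths.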


Usage of auto-bandwidth for core usage optimization
- Create multiple VFIs per edge port
- Create one TE tunnel per VFI
- Let auto-bandwidth optimize the load repartition over parallel links and parallel paths


Meet The Expert
To make the most of your time at Cisco Networkers 2009, schedule a face-to-face meeting with a top Cisco expert. Designed to provide a "big picture" perspective as well as in-depth technology discussions, these face-to-face meetings will provide fascinating dialogue and a wealth of valuable insights and ideas. Visit the Meeting Centre reception desk, located in the Meeting Centre in World of Solutions.


Recommended Reading
Source: Cisco Press

