2 Dot1q Headers on an IOS-XE Box

Jerems · ‎09-25-2024

Hi dear community,

How can this happen ?

Two dot1q headers on a captured MPLS frame going out from a Cisco ISR 1111-8P acting as a PE.

Thanks in advance for your help !

Regards,

Jerems

Giuseppe Larosa · ‎09-25-2024

Hello @Jerems ,

can you post the packet capture file in wireshark format ?

can you expand the control word section what do you see ?

if you compare at binary level the control word with the external 802.1Q header with VLAN ID 0 what do you see ?

Edit:

at MPLS level we see two labels and this is correct because the remote PE node the SRX300 is not directly attached.

the most internal label should be the VC label as advertised by remote PE node SRX300. the one with S Bottom of Stack flag set to 1.

Hope to help

Giuseppe

Jerems · ‎09-25-2024

Hi @Giuseppe Larosa

Thank you so much for your appreciated involvement ;-).

Please find attached the pcap file.

Regards,

Jerems

Giuseppe Larosa · ‎09-27-2024

Hello @Jerems ,

thanks for the packet capture file. I have tried to open it in different wireshark versions with the same results you are showing.

Ref frame 9

There are two MPLS labels the packet comes from Cisco PE.

Actually the control word made of 00 00 then there are the destination MAC address, the source MAC address them there is the external 802.1Q with VLAN ID 0.

Then there is the internal 802.1Q header with VLAN ID 20.

if we look at a frame sourced by a Juniper source MAC address we see for frame n. 8 :

a single MPLS label for PHP occurring on the Juniper box in the path between the two PE nodes.

There is no control word !

After the single MPLS header there is the ethernet frame with single 802.1Q field with VLAN ID 20.

We can say the control plane is fine, but in the data plane the two PE ndoes are using different encapsulations as described above.

First of all there is the mismatch on the control word used by Cisco PE in sending its sourced frames not used by Juniper PE box.

In addition to this the Cisco PE is adding an 802.1Q tag with vlan id 0 before 802.1Q tag with vlan id 20.

Is this an inteoperability issue ? or one of the two devices is making something wrong ?

I have tried to search.

The reference RFC for EVPN based VPWS is RFC

https://datatracker.ietf.org/doc/rfc8214/

Now the RFC say that in the control plane in AF vpn vpws the field called Ethernet ID:

>>

For EVPN routes, the Ethernet Tag IDs are set to zero for port-based,
   VLAN-based, and VLAN bundle interface mode and set to non-zero
   Ethernet Tag IDs for VLAN-aware bundle mode.  Conversely, for
   EVPN-VPWS, the Ethernet Tag ID in the Ethernet A-D route MUST be set
   to a non-zero value for all four service interface types

this is in the control plane in MP BGP NLRI AD route type.

For the data plane it says:

>>

 For the EVPL
   service, the Ethernet frames transported over an MPLS/IP network
   SHOULD remain tagged with the originating VLAN ID (VID), and any VID
   translation MUST be performed at the disposition PE.  For the EPL
   service, the Ethernet frames are transported as is, and the tags
   are not altered

more in details in section 2.1 VLAN based service:

>>

n such scenarios, the Ethernet frames

Boutros, et al.              Standards Track                    [Page 6]
RFC 8214                  VPWS Support in EVPN               August 2017

   transported over an MPLS/IP network SHOULD remain tagged with the
   originating VID, and a VID translation MUST be supported in the data
   path and MUST be performed on the disposition PE

in section 2.2 for bundle vlan service type

>>

The transmitting PE can
   cross-connect traffic from a group of VLANs on a specific port to the
   MPLS label.  The MPLS-encapsulated frames MUST remain tagged with the
   originating VID.

For port level service section 2.2..1

>>

 This service interface is a special case of the VLAN bundle service
   interface, where all of the VLANs on the port are mapped to the same
   VPWS service instance identifier.  The procedures are identical to
   those described in Section 2.2.

for VLAN aware service type section 2.3

Contrary to EVPN, in EVPN-VPWS this service interface maps to a
   VLAN-based service interface (defined in Section 2.1); thus, this
   service interface is not used in EVPN-VPWS.  In other words, if one
   tries to define data-plane and control-plane behavior for this
   service interface, one would realize that it is the same as that of
   the VLAN-based service

To be noted there is a variant of EVPN VPWS called seamless that allows to have a mix of VCs with legacy L2VPN VPWS and new EVPN VPWS for the same AC access circuit.

it is described in the following draft

https://datatracker.ietf.org/doc/html/draft-ietf-bess-evpn-vpws-seamless-00#name-data-plane-operations

It is supported in IOS XR

https://www.cisco.com/c/en/us/td/docs/iosxr/cisco8000/l2vpn/711x/configuration/guide/b-l2vpn-cg-cisco8000-711x/evpn-virtual-private-wire-service.html

Hope to help

Giuseppe

Jerems · ‎09-25-2024

Here is one packet with detailed information displayed.

Thanks in advance for your kind help.

Regards,

Jerems

Jerems · ‎09-28-2024

Thank you for this great feedback & contribution @Giuseppe Larosa.

I will have a look at this probabaly this week.

Regards,

Jerems

Jerems · ‎09-28-2024

I could not keep my arms crossed with the time you spent in getting back to me.

By the way i can confirm that in the Juniper box the control word parameter can be changed

set routing-instances evpn-12120 protocols evpn no-control-word
set routing-instances evpn-12120 protocols evpn control-word

But also on per interface basis

set routing-instances evpn-12120 protocols evpn interface ge-0/0/5.20 control-word
set routing-instances evpn-12120 protocols evpn interface ge-0/0/5.20 no-control-word

But whatever option i use, it doesn't change the outcome :

Let me investigate deeper next week.

Regards,

Jerems

Jerems · ‎09-28-2024

Seems that Juniper is able to adapt its behaviour depending on the opposite PE.

Jerems · ‎09-30-2024

Hi,

Beside this topic, i gonna test what is happening between two cisco box separated by a juniper box.

I mean that i gonna setup a EVPN-VPWS between two ciscos with a srx300 in between and capture trafic as comparison to the mixed setup i have at the moment. I plan to test this on wednesday.

Regards,
Jerems

Jerems · ‎10-01-2024

Please find below a diagram where i have now an EVPN VPWS service between two Cisco.

On the Top Right corner the details of an outgoing packet from the last Juniper LSR in the mpls path towards the Cisco PE ISR 1111.

As expected, the ingress LER (PE Cisco ISR 4321 left top corner) also puts a double tagged frame in the pipe which is processed by all the Juniper LSR in the path towards the egress LER (PE Cisco ISR 1111).

I'll check tonight if the ping flows well in such topology.

Regards,

Jerems · ‎10-01-2024

Hi,

As you may guess the ping between the two hosts connected through Both Cisco IOS-XE PEs worked like a charm.

Both Headers have the same content which means that in terms of data plane it has to work as expected.

So it seems that we have an interop issue between Ios-xe and Junos.

Does it make a sense to have an additionnal Dot1Q header here ? The first one is useless.

Feel free to contribute.

Regards,

Jerems

Giuseppe Larosa · ‎10-03-2024

Hello @Jerems ,

my guess is the external 802.1Q header with VLAN Id = 0 can provide two functions:

a) to signal the service is port based

b) by helping in forwarding functions including internal VLAN ID rewrite at remote end.

like a stack of MPLS labels the external is consumed for some operations when the internal label emerges we are on in the ingress PE.

Edit :

to demux received frames over the port based Pseudowire by re-using code used to deploy Q in Q

this can be a possible explanation.

It is an implementation choice. However , a configuration option to enable/disable the double tag in VPWS EVPN in the data plane should be provided to avoid interoperability issues in multi vendor contexts.

Hope to help

Giuseppe