09-25-2024 11:13 AM
Hi dear community,
How can this happen ?
Two dot1q headers on a captured MPLS frame going out from a Cisco ISR 1111-8P acting as a PE.
Thanks in advance for your help !
Regards,
Jerems
09-25-2024 12:50 PM - edited 09-25-2024 12:54 PM
Hello @Jerems ,
can you post the packet capture file in wireshark format ?
can you expand the control word section what do you see ?
if you compare at binary level the control word with the external 802.1Q header with VLAN ID 0 what do you see ?
Edit:
at MPLS level we see two labels and this is correct because the remote PE node the SRX300 is not directly attached.
the most internal label should be the VC label as advertised by remote PE node SRX300. the one with S Bottom of Stack flag set to 1.
Hope to help
Giuseppe
09-25-2024 11:21 PM
Thank you so much for your appreciated involvement ;-).
Please find attached the pcap file.
Regards,
Jerems
09-27-2024 07:48 PM
Hello @Jerems ,
thanks for the packet capture file. I have tried to open it in different wireshark versions with the same results you are showing.
Ref frame 9
There are two MPLS labels the packet comes from Cisco PE.
Actually the control word made of 00 00 then there are the destination MAC address, the source MAC address them there is the external 802.1Q with VLAN ID 0.
Then there is the internal 802.1Q header with VLAN ID 20.
if we look at a frame sourced by a Juniper source MAC address we see for frame n. 8 :
a single MPLS label for PHP occurring on the Juniper box in the path between the two PE nodes.
There is no control word !
After the single MPLS header there is the ethernet frame with single 802.1Q field with VLAN ID 20.
We can say the control plane is fine, but in the data plane the two PE ndoes are using different encapsulations as described above.
First of all there is the mismatch on the control word used by Cisco PE in sending its sourced frames not used by Juniper PE box.
In addition to this the Cisco PE is adding an 802.1Q tag with vlan id 0 before 802.1Q tag with vlan id 20.
Is this an inteoperability issue ? or one of the two devices is making something wrong ?
I have tried to search.
The reference RFC for EVPN based VPWS is RFC
https://datatracker.ietf.org/doc/rfc8214/
Now the RFC say that in the control plane in AF vpn vpws the field called Ethernet ID:
>>
For EVPN routes, the Ethernet Tag IDs are set to zero for port-based, VLAN-based, and VLAN bundle interface mode and set to non-zero Ethernet Tag IDs for VLAN-aware bundle mode. Conversely, for EVPN-VPWS, the Ethernet Tag ID in the Ethernet A-D route MUST be set to a non-zero value for all four service interface types
this is in the control plane in MP BGP NLRI AD route type.
For the data plane it says:
>>
For the EVPL service, the Ethernet frames transported over an MPLS/IP network SHOULD remain tagged with the originating VLAN ID (VID), and any VID translation MUST be performed at the disposition PE. For the EPL service, the Ethernet frames are transported as is, and the tags are not altered
more in details in section 2.1 VLAN based service:
>>
n such scenarios, the Ethernet frames Boutros, et al. Standards Track [Page 6] RFC 8214 VPWS Support in EVPN August 2017 transported over an MPLS/IP network SHOULD remain tagged with the originating VID, and a VID translation MUST be supported in the data path and MUST be performed on the disposition PE
in section 2.2 for bundle vlan service type
>>
The transmitting PE can cross-connect traffic from a group of VLANs on a specific port to the MPLS label. The MPLS-encapsulated frames MUST remain tagged with the originating VID.
For port level service section 2.2..1
>>
This service interface is a special case of the VLAN bundle service interface, where all of the VLANs on the port are mapped to the same VPWS service instance identifier. The procedures are identical to those described in Section 2.2.
for VLAN aware service type section 2.3
Contrary to EVPN, in EVPN-VPWS this service interface maps to a VLAN-based service interface (defined in Section 2.1); thus, this service interface is not used in EVPN-VPWS. In other words, if one tries to define data-plane and control-plane behavior for this service interface, one would realize that it is the same as that of the VLAN-based service
To be noted there is a variant of EVPN VPWS called seamless that allows to have a mix of VCs with legacy L2VPN VPWS and new EVPN VPWS for the same AC access circuit.
it is described in the following draft
It is supported in IOS XR
Hope to help
Giuseppe
09-25-2024 11:24 PM
Here is one packet with detailed information displayed.
Thanks in advance for your kind help.
Regards,
Jerems
09-28-2024 07:37 AM
Thank you for this great feedback & contribution @Giuseppe Larosa.
I will have a look at this probabaly this week.
Regards,
Jerems
09-28-2024 07:51 AM
I could not keep my arms crossed with the time you spent in getting back to me.
By the way i can confirm that in the Juniper box the control word parameter can be changed
set routing-instances evpn-12120 protocols evpn no-control-word
set routing-instances evpn-12120 protocols evpn control-word
But also on per interface basis
set routing-instances evpn-12120 protocols evpn interface ge-0/0/5.20 control-word
set routing-instances evpn-12120 protocols evpn interface ge-0/0/5.20 no-control-word
But whatever option i use, it doesn't change the outcome :
Let me investigate deeper next week.
Regards,
Jerems
09-28-2024 07:53 AM
Seems that Juniper is able to adapt its behaviour depending on the opposite PE.
09-30-2024 11:05 AM - edited 09-30-2024 11:24 AM
Hi,
Beside this topic, i gonna test what is happening between two cisco box separated by a juniper box.
I mean that i gonna setup a EVPN-VPWS between two ciscos with a srx300 in between and capture trafic as comparison to the mixed setup i have at the moment. I plan to test this on wednesday.
Regards,
Jerems
10-01-2024 05:30 AM - edited 10-01-2024 05:36 AM
Please find below a diagram where i have now an EVPN VPWS service between two Cisco.
On the Top Right corner the details of an outgoing packet from the last Juniper LSR in the mpls path towards the Cisco PE ISR 1111.
As expected, the ingress LER (PE Cisco ISR 4321 left top corner) also puts a double tagged frame in the pipe which is processed by all the Juniper LSR in the path towards the egress LER (PE Cisco ISR 1111).
I'll check tonight if the ping flows well in such topology.
Regards,
10-01-2024 10:58 PM
Hi,
As you may guess the ping between the two hosts connected through Both Cisco IOS-XE PEs worked like a charm.
Both Headers have the same content which means that in terms of data plane it has to work as expected.
So it seems that we have an interop issue between Ios-xe and Junos.
Does it make a sense to have an additionnal Dot1Q header here ? The first one is useless.
Feel free to contribute.
Regards,
Jerems
10-03-2024 01:47 PM - edited 10-03-2024 06:55 PM
Hello @Jerems ,
my guess is the external 802.1Q header with VLAN Id = 0 can provide two functions:
a) to signal the service is port based
b) by helping in forwarding functions including internal VLAN ID rewrite at remote end.
like a stack of MPLS labels the external is consumed for some operations when the internal label emerges we are on in the ingress PE.
Edit :
to demux received frames over the port based Pseudowire by re-using code used to deploy Q in Q
this can be a possible explanation.
It is an implementation choice. However , a configuration option to enable/disable the double tag in VPWS EVPN in the data plane should be provided to avoid interoperability issues in multi vendor contexts.
Hope to help
Giuseppe
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide