on 03-07-2011 07:18 AM
In this article we'll be discussing the EVC (Ethernet Virtual Circuit) infrastructure that the ASR9000 and IOS-XR use to define L2 services.
You'll find in this article how packets coming in on an interface are being matched against an EFP (Ethernet Flow Point), how to manipulate the vlan tags and use them in XCONNECT (VPWS) or Bridging (eg VPLS) scenarios with the optional L3 endpoint to provide IRB (Integrated Route Bridging)
The way that IOS-XR handles EVC's is a bit different then the way that IOS handles it when for instance using the 7600.
When starting with IOS-XR and the ASR9000 there are a few things that you will want to be aware of when defining L2 services.
A couple of the key differences are:
- XR does have the concept of a trunk interface
- therefore XR cannot do vlan pruning
- XR does not strip vlan tags by default.
- XR does not have the concept of an "interface VLAN" a.k.a. SVI's (Switch Virtual Interface), instead it uses a BVI (Bridge Virtual Interface) that can be inserted into the bridge-domain.
How the ASR9000 matches traffic to an EFP
how to modify the vlan headers and how that works
and a comparison with IOS
using IRB/BVI interfaces
In order to define an L2 service, we need to match traffic to a particular interface. In IOS-XR and the ASR9000 we use the Ethernet Flow Point (EFP) to match this traffic. An EFP is effectively a subinterface of a physical interface with the keyword "l2transport" attached to it. This l2transport defines that we are going to use this (sub) interface for L2 Services. We can match L2 and L3 interfaces on a single physical port:
When traffic is coming in on a port, we use the TCAM to find out which particular subinterface this traffic matches on. With that in mind there are a couple of rules as to how traffic is matched.
An EFP is defined as follows:
RP/0/RSP0/CPU0:asr(config)#int gig 0/0/0/4.100 l2transport
RP/0/RSP0/CPU0:asr(config-subif)#encapsulation ?
default Packets unmatched by other service instances
If a particular packet is not matching any other specific EFP on this physical port, this "Default" will capture all unmatched traffic.
dot1ad IEEE 802.1ad VLAN-tagged packets
dot1q IEEE 802.1Q VLAN-tagged packets
untagged Packets with no explicit VLAN tag
If there is no vlan tag on the packet, the "untagged" EFP will capture this traffic, this is effectively plain ethernet and useful for instance to capture
BPDU's for instance.
When we are going to match on say dot1q encapsulated traffic we have a variaty of how we can match vlan tagged traffic (see also foot note below in the "Related Information" section on the ethertypes used).
RP/0/RSP1/CPU0:A9K-BOTTOM(config-subif)#encapsulation dot1q ?
<1-4094> Start of VLAN range
<1-4094> Single VLAN id
any Match any VLAN id
priority-tagged IEEE 802.1ad priority-tagged packets
At the first level of dot1q classification we can select a vlan, vlan-range or any. These are obvious. The option "Priority tagged" allows us to capture vlan encapped traffic that is with a vlan id of 0.
RP/0/RSP1/CPU0:A9K-BOTTOM(config-subif)#encapsulation dot1q 100 ?
comma comma
exact Do not allow further inner tags
ingress Perform MAC-based matching
second-dot1q IEEE 802.1Q VLAN-tagged packets
Here is an important concept that is to be highlighted. You see the "word" exact" here. What that means is, in the absence of the keyword exact, if the outter vlan header is "100" in this example, this EFP is matched. so that means that also qinq frames that are of the 100 outter and 200 inner kind (if there is no specific EFP for the qiq combo 100/200 available) will match this EFP.
Just a few examples:
encapsulation dot1q 100: will match any number of vlan headers as long as the outter vlan id is 100
encapsulation dot1q 100 second any: will match any qiq frame where the outter vlan is 100
encapsulation dot1q 100 second 200: will match vlan tagged packets whereby the outter is 100, the inner is 200 and also a potential vlan combo of 100/200/300
encapsulation dot1q 100 second 200 exact: will match vlan tagged packets whereby the outter is 100, the inner is 200 and no other vlan tags are on the packet then these 2 specified.
Normally "longest match" will win, or better put, the most specific match will win.
ASR9000 doesn't support best match for VLAN ranges, but we do support best match if the "any" keyword is used.
So the configuration :
EFP 1 VLAN: S-VLAN=1000, C-VLAN_range=1-4095
EFP 2 VLAN= S-VLAN=1000, C-VLAN=2000
isn't allowed because the more specific C-vlan is part of the range. The parser will reject this config upon commit.
The following options A and B, achieving the same, are allowed :
A)
EFP 1) VLAN: S-VLAN=1000, C-VLAN_range=1-1999,2001-4095
EFP 2) VLAN= S-VLAN=1000, C-VLAN=2000
B)
EFP 1) VLAN: S-VLAN=1000, C-VLAN=any
EFP 2) VLAN= S-VLAN=1000, C-VLAN=2000,
The ASR9000/XR is capable of doing many translations on vlan to a packet.
The behavior is always symmetric (though this keyword is to be provided as part of that config command). The symmetry means that if we pop a tag on ingress, we push it back on egress.
the following rewrites are possible:
RP/0/RSP0/CPU0:A9K(config)#int gig 0/0/0/4.100 l2transport
RP/0/RSP0/CPU0:A9K(config-subif)#rewrite ingress tag ?
pop Remove one or more tags
push Push one or more tags
translate Replace tags with other tags
RP/0/RSP0/CPU0:A9K(config-subif)#rewrite ingress tag pop ?
1 Remove outer tag only
2 Remove two outermost tags
RP/0/RSP0/CPU0:A9K(config-subif)#rewrite ingress tag push ?
dot1ad Push a Dot1ad tag (ethertype 88a8)
dot1q Push a Dot1Q tag (ethertype 8100 by default, or 9100/9200 is specied on the main interface for the outter most tag)
RP/0/RSP0/CPU0:A9K(config-subif)#rewrite ingress tag push dot1q 100 ?
second-dot1q Push another Dot1Q tag
symmetric All rewrites must be symmetric
RP/0/RSP0/CPU0:A9K(config-subif)#rewrite ingress tag translate ?
1-to-1 Replace the outermost tag with another tag
1-to-2 Replace the outermost tag with two tags
2-to-1 Replace the outermost two tags with one tag
2-to-2 Replace the outermost two tags with two other tags
If you want to make a cross connect or bridge between two EFP's where one EFP is vlan 100 and the other EFP is vlan 200,
you need to make sure you pop the tags so that the vlan 100 is removed from the packet so it, by means of symmetry, will get vlan 200 on the egress
of the other EFP.
The following picture highlights how to create L2 services on the ASR9000.
To provide L3 services in a bridge-domain, you can add a routed interface to the bridge domain.
What is important here is that the BVI is not vlan tagged. So in order for the EFP's to talk to the BVI, we need to pop ALL Tags on ingress!!
This means that frames with more then 2 tags cannot be natively using the BVI, unless we do some workarounds such as loopback cables to
pop more tags.
interface BVI5
ipv4 address 31.1.1.1 255.255.255.0
mac-address 0.4343.3434
! when creating the bvi verify the show int bvi to see if the mac address is correctly programmed, these macs are coming from the backplane mac table, ! if we ran out because of so many bundle interfaces etc, you may need to provide a mac manually.
interface TenGigE0/7/0/3.100 l2transport
encapsulation dot1q 100
rewrite ingress tag pop 1 symmetric
l2vpn
bridge group testing
bridge-domain testing
interface TenGigE0/7/0/3.100
!
interface GigabitEthernet0/1/0/14
!
routed interface BVI5
!
Dot1q, Dot1ad and configuring "dot1q tunneling ethertype on the physical interface:
Xander Thuijs, CCIE #6775
Sr. Tech Lead ASR9000
i understand your delemma, but it is the "natural" difference between the IEEE model (that the IOS/7600 implements) vs the EVC model (that XR uses).
a BD is the equivalent of a vlan hence for every vlan that you want to transport you need to create a bD, it bloats the config a bit, but it allows for full control of the subinterfaces and services more so then what IOS allowed...
As you work with it more, you'll find (hopefully:)) that the EVC model is more straight forward.
regards
xander
Ok, let's hope that sometime in the future there will be a way to configure it using variables:
foreach $ID=100 to 3000 step 100
{
interface TenGigE0/4/0/1.$ID l2transport
encapsulation dot1q $ID
rewrite ingress tag pop 1 symmetric
!
bridge group TEST-BG
bridge-domain $ID-BD
interface TenGigE0/4/0/1.$ID
!
neighbor 10.201.201.105 pw-id $ID
}
The above should be the actual config stored in the router, not the input of a script which would generate hundrends of config lines (something that is possible now).
Many thx for your time
Tassos
Hi Alex,
Is PWHE now available in ASR? or only in CRS ?
Hakan
Hakan, I am not a CRS expert, but I checked some internal design documents and case notes and found this:
In 4.1.0, PW-HE feature is only supported on metro LC (like: MSC-B), and deployment is
expected to be done on system with only metro LC.
xander
Hi Xander how are you?
I'm having a issue, I need the same vlan interconnection in 7600 and two ASR9000 Router (VLAN used as the 2nd)
In the ASR9000 is being used bridge-domine.
The ASRs are interconnected by MPLS.
The problem is that only reaches one of the ASR BVI and not both at the same time, placed in the ASR 7600 (192.168.1.3) came to 192168.1.2, but no maner to 192.168.1.1 solve this problem?.
----------------------
RT_7604
#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
RT_7604#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 40 percent (2/5), round-trip min/avg/max = 1/2/4 ms
RT_7604#
-----------------------------
Step a scheme with the conf. try to clarify.
Hi Sergio,
For this design you need STP obviously, are you running full MSTP or MSTAG?
If you have STP blocking the uplink to the 192.168.1.1 side, so in order to ping that address, we have to go via the 192.168.1.2 side over the PW. There are a couple of things to verify there:
Can you ping 192.168.1.1 from the 1.2 side?
Are you seeing arp requests on the 1.1 side coming from 1.3
Do we see the MAC being learned on in the bridge domain attached to the right circuit?
Considering you have an Access PW (SHG-0) and put the phy AC into SHG-2 there may be a communication problem in that regard, so if you're not learning the mac correctly or ARP is not making it through, it might be related to that.
Normally in designs like this you would connect the 2 9k's together via a PW with a VFI.
Also to check; is the PW up and forwarding properly?
One common mistake is that the mpls router ID is set to an interface instead o the address, could that be it?
regards
xander
Hello Xander, if I'm using MSTAG and sp this blocked where it says.
But I had bad diagnosis, I did not see, Is that this flapping OSPF, copy the log from ASR9, if I put the shutdown OSPF the ping is OK on the same LAN.
No logro encontrar el error
Log ASR:
ospf[1011]: %ROUTING-OSPF-5-ADJCHG : Process 11014, Nbr 190.104.193.1 on BVI2 in area 0 from LOADING to FULL, Loading Done,vrf default vrfid 0x60000000
RP/0/RSP0/CPU0:Sep 16 10:28:47.405 : ospf[1011]: %ROUTING-OSPF-5-ADJCHG : Process 11014, Nbr 190.104.193.3 on BVI2 in area 0 from LOADING to FULL, Loading Done,vrf default vrfid 0x60000000
thank you very much for your help
Ok perfect, thanks for letting me know Sergio.
Just so you know IOS-XR prefers an ARP adj over a routing ADJ, what that means is that if we have an arp adj for a particular route that is used for forwarding over the routing decission.
So if at some point we learn the route via a directly connected ADJ (eg when the link unblocks) and then when the link blocks and we learn the same path via IGP we probably retain the local ADJ and try to forward on that resulting in that ping loss.
The right appraoch for this design is probably using HSRP with a virtual address between the A9K's to provide a virtual mac and gateway addr to the 7600 CE side.
cheers
xander
Hi Alexander,
is there any example to configuring VLAN Xconnect on ASR9K ?
like :
int vlan 50
xconnect y.y.y.y 1050
!
int gi1/1.50
encapsulation dot1q 50
!
int gi2/1.50
encapsulation dot1q 50
!
Please help... Is it doable on ASR9K ?
Thanks,
Budi L
Hi Budi,
yes that is possible.
First define all the physical (sub)interfaces (aka EFP's) that you want to pull into that bridge domain, eg:
int g 0/0/0/0.50 l2trans
encap dot1q 50
rewrite ingress tag pop 1 symm
and do this for every phy interface that carries this vlan 50 that you want to pull in.
Next define a BVI (aka SVI for switch platforms) like this:
interface BVI50
ipv4 add 1.2.3.4 255.255.255.0
Finally, define the bridge domain that links all EFPs for that vlan together with the BVI for the L3 endpoint like this:
l2vpn
bridge-group VLAN50
bridge-domain VLAN50_BD
int g 0/0/0/0.50
routed interface BVI50
Note that I used 50 throughout for clarity, but the encap dot1q doesn't necessarily need to match the subinterface designator or the bvi number.
Also note that bridge group is merely a config hierarchy, it is the birdge-domain config that instantiates the mac learning for those interfaces connected together.
regards
xander
Hi Alexander,
I mean the xconnect on VLAN BVI. Because i can't found the configuration on BVI xconnect.
So we got several interface associated to BVI 50. And BVI 50 actually only layer2 xconnect service.
So how can i create vlan mode xconnect on the ASR ?
int gi0/1.50 l2 and gi0/2.50 l2 is member of vlan 50. But vlan 50 is only l2 xconnect service.
But i can't configure xconnect for bvi.
Thanks,
Budi L
Hi Budi,
if you have a single interface that requires an L3 endpoint, you might as well configure the L3 addr directly on the subinterface (and not making it L2transport).
You can't link an xcon to a bvi directly (the better way would be addr directly on the subif as mentioned).
If you have a PW coming in that you want to assign an L3 addr to, then either you can use a BD for that with a PW and a BVI, or use the funtionality known as Pseudowire Headend.
Using a BD, aka mac learning resources counts against some of the supported scale, of which on Typhoon cards you have 16k BD's and 2M macs, so got some ways to grow if needed.
hope that helps,
regards
xander
Hi Alexander
First I would like to thank you for the great documents you continously post on the support forum :]
I tried VPLS between ASR9K & ES+7600 .. VC is up but ping is unsuccessful
Is there something I should take care of ?
So as not to enlarge comments section, I pasted config/logs in below URL
https://supportforums.cisco.com/message/4070576#4070576
Many Thanks in advance
Regards
Sherif Ismail
Hi Sherif, thank you for the comment, appreciate it!
Let me have a look at that thread you opened, and we'll take it from there.
regards
xander
Xander, are there any plans to support pppoe/ip classification like in 7600/ES+T?
7600(config-if-srv)#encapsulation dot1q any etype ?
ipv4 IPv4
ipv6 IPv6
pppoe-all PPPoE ALL
--
Tassos
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: