1. L2VPN Overview

Layer 2 Virtual Private Network (L2VPN) emulates the behavior of a LAN across an L2 switched, IP or MPLS-enabled IP network, allowing Ethernet devices to communicate with each other as they would when connected to a common LAN segment. Point-to-point L2 connections are vital when creating L2VPNs.

As Internet service providers (ISPs) look to replace their Frame Relay or Asynchronous Transfer Mode (ATM) infrastructures with an IP infrastructure, there is a need to provide standard methods of using an L2 switched, IP or MPLS-enabled IP infrastructure. These methods provide a serviceable L2 interface to customers; specifically, to provide virtual circuits between pairs of customer sites.

Building a L2VPN system requires coordination between the ISP and the customer. The ISP provides L2 connectivity; the customer builds a network using data link resources obtained from the ISP. In an L2VPN service, the ISP does not require information about the customer's network topology, policies, routing information, point-to-point links, or network point-to-point links from other ISPs.

There are two fundamentally different kinds of Layer 2 VPN service that a service provider could offer to a customer: Virtual Private Wire Service (VPWS) and Virtual Private LAN Service (VPLS). There is also the possibility of an IP-only LAN-like Service (IPLS).

A VPWS is a VPN service that supplies an L2 point-to-point service. As this is a point-to-point service, there are very few scaling issues with the service as such. Scaling issues might arise from the number of end-points that can be supported on a particular PE.    

A VPLS is an L2 service that emulates LAN service across a Wide Area Network (WAN). With regard to the amount of state information that must be kept at the edges in order to support the forwarding function, it has the scaling characteristics of a LAN. Other scaling issues might arise from the number of end-points that can be   supported on a particular PE.

2. Why L2VPN Auto Discovery?

Discovery refers to the process of finding all the PEs that participates in a given VPLS/VPWS instance. A PE either can be configured with the identities of all the other PEs in a given L2VPN service or can use some protocol to discover the other PEs. The later is called auto-discovery.

The former approach is fairly configuration-intensive, especially since it is required that the PEs participating in a given VPLS is fully meshed (i.e., that every PE in a given VPLS establish pseudowires to every other PE in that VPLS). Furthermore, when the   topology of a VPLS changes (i.e., a PE is added to, or removed from, the VPLS), the VPLS configuration on all PEs in that VPLS must be changed.    

In the auto-discovery approach, each PE "discovers" which other PEs are part of a given VPLS/VPWS by means of some protocol, in this case BGP. This allows each PE's configuration to consist only of the identity of the VPLS/VPWS instance established on this PE, not the identity of every other PE in that VPLS/VPWS instance -- that is auto-discovered. Moreover, when the topology changes, only the affected PE's configuration changes; other PEs automatically find out about the change and adapt.

2.1 VPLS auto-discovery

Conventional VPLS implementation requires manual configuration of each neighbor (VPLS PE) in the VPLS domain. When a new PE is added or removed from the VPLS domain, manual configuration of each PE in the VPLS domain is required.

Manual configuration changes add operational costs and increase the chance of network mis-configuration.

VPLS Auto Discovery eliminates the need to manually provision a VPLS neighbor. VPLS auto discovery automatically detects when new PEs are added or removed from the VPLS domain.

Auto-discovery by nature requires the information to be distributed to all members of a VPN - multipoint mechanism - which BGP is well suited for.

BGP is also used for signaling to exchange label bindings and signal MTU and state changes. Although LDP is better suited for signaling between two endpoints, it is needed for interoperability with other vendors.

2.2 VPWS auto-discovery

There is no true auto-discovery in VPWS as it is in VPLS. In VPWS, to connect CEs, user has to explicitly configure at each PE. All what is discovered in VPWS is the existence of other PEs.

3. VPLS Operation with BGP Auto-Discovery and Signaling

There are two primary functions of the VPLS control plane: auto-discovery, and setup and teardown of the pseudowires that constitute the VPLS, often called signaling. Both of these functions are accomplished with a single BGP Update advertisement.

When the L2VPN address-family (AF) and VPLS/VPWS subsequent address-family (SAF) are configured, BGP will connect to L2VPN to receive configured VPLS bridge domains. In the case of distributed BGP and the presence of multiple BGP speakers, L2VPN still communicates with one active BGP instance only. Therefore, BGP distribution is completely hidden from L2VPN.

When a VPLS Bridge domain is configured with BGP auto-discovery and signaling enabled, BGP needs to distribute NLRI for the VPLS bridge domain with the PE as the BGP next-hop and appropriate VE-ID. Additionally, the VPLS is associated with one or more BGP export Route Targets (RTs) that are also distributed (along with NLRI). VPLS SAFI NLRI uses AFI = 25 and SAFI = 65. The keywords "l2vpn" and "vpls-vpws" will be introduced to represent AF and SAF respectively in the BGP configuration.

If a PE receiving VPLS NLRIs is configured with the VPLS associated with a particular import RT, it can then import all the NLRIs tagged with the same RT. Generic BGP RPL policies for RT filtering will be supported for the VPLS/VPWS SAFI. No specific NLRI policy will be added for VPLS/VPWS SAFIs.

The NLRI format for VPLS BGP-AD & BGP Signaling is shown in the diagram below:

                          Figure 1: NLRI format for VPLS with BGP Auto-discovery and Signaling

3.1 Responsibilities of BGP & L2VPN

3.1.1. BGP

• Advertise LRI, RTs, VE-IDs and label blocks using AFI = 25 SAFI = 65.
• Learn VE-ID, range, as well as the RD/RT configured under a VPLS bridge domain. <ve-id, range, rd> along with RT.
• Import NLRIs based on RT(s) and passes {VFI_ID, local label, remote-label and next-hop, layer2info} to L2VPN_MGR.
• Replay the necessary information for the imported VFIs on the request of L2VPN_MGR.
• Provide an API for L2VPN to retrieve AS number.

3.1.2. L2VPN

• Learns the configured VFIs from Sysdb.
• Obtains the configured data such as RT, VPLS-ID, VPN-ID, VE-ID, VE-ID range, CE-ID and CE-ID from Sysdb.
• Obtains label block from LSD and maps the local label range (block size, label base, offset) per VFI.
• Notifies BGP of the configured parameters such RT, etc. Also, L2VPN_MGR shall replay this information upon request from BGP.
• Receives information such as local label, remote label, etc., pertaining to the PWs from BGP, creates appropriate entries in the bridge database, and notifies L2FIB to setup forwarding plane.
• Display auto-discovered data via show output.

3.2 Configuring VPLS with BGP AD & Signaling

3.3 Example of NLRI for VPLS with BGP-AD & Signaling

3.4 Verification of VPLS with BGP-AD & Signaling

PE1:

PE2:

3.5 Adding a third PE (PE3)

A third PE (PE3) is added to the same VPLS domain with BGP AD & signaling.

3.5.1.  L2VPN config for PE3

Following is the L2VPN config for PE3:

3.5.2.  Verification of PE3

4. VPWS Operation with BGP Auto-Discovery and Signaling

Similar to VPLS, two primary functions of the VPWS control plane is: auto-discovery, and setup and teardown of the pseudowires that constitute the VPWS to build a full mesh of CEs, often called signaling. Both of these functions are accomplished with a single BGP Update advertisement.

When a VPWS cross-connect is configured with BGP auto-discovery and signaling enabled, BGP needs to distribute NLRI for the xconnect with the PE as the BGP next-hop and appropriate CE-ID. Additionally, the cross-connect is associated with one or more BGP export Route Targets (RTs) that are also distributed (along with NLRI). VPLS SAFI NLRI uses AFI = 25 and SAFI = 25 [5]. The keywords "l2vpn" and "vpls-vpws" will be introduced to represent AF and SAF respectively in the BGP configuration.

The configured attributes are similar to VPLS with the following differences:

• CE-IDs instead of VE-IDs

• ce-id-range instead of ve-id-range.

• ACs are configured with remote CE-IDs. This association is save in L2VPN database and used to establish P2P xconnects.

If a PE receiving VPWS NLRIs is configured with the cross-connect associated with a particular import RT, it can then import all the NLRIs tagged with the same RT.

The NLRI is in the format shown in diagram below:

                                      Figure 2: NLRI format for VPWS BGP Auto-discovery and Signaling

4.1 Responsibilities of BGP & L2VPN

4.1.1. BGP

• Advertising NLRI, RTs, CE-IDs and labelblocks using AFI = 25 SAFI = VPWS.
• Learns CE-IDs, range, as well as the RD/RT configured under a vpls domain. <MP2MP_ID, ce-id, range, rd> along with RT for ce-id locally configured (rd and RT remain the same for a VPLS)
• Obtains label block from LSD and maps the local label range (block size, label base, offset) per MP2MP_ID (xconnect group)
• Imports NLRIs based on RT(s) and passes {MP2MP_ID, local label, remote-label and nexthop, remote CE-ID, l2info} to L2VPN_MGR for each local CE_ID
• Replay the necessary information for the imported VFIs on the request of L2VPN_MGR.

4.1.2. L2VPN

• Learns the configured Xconnect from Sysdb.
• Obtains the configured data such as RT, VPLS-ID, VPN-ID, VE-ID, VE-ID range, CE-ID and CE-ID from Sysdb.
• Notifies BGP of the configured parameters such RT, etc. Also, L2VPN_MGR shall replay this information upon request from BGP.
• Receives information such as local label, remote label, etc., pertaining to the PWs from BGP, update xconnect database entry, and notifies L2FIB to setup forwarding plane.
• Display auto-discovered data via show output.

4.2 Configuring VPWS with BGP AD & Signaling

4.3 Example of NLRIs of VPWS with BGP AD & Signaling

4.4 Verification of VPWS with BGP-AD & Signaling

PE1:

PE2:

5. Troubleshooting

L2VPN discovery not working

Check the router bgp configs, as sample configs shown below:

RP/0/RSP1/CPU0:PE1#show run router bgp

router bgp 100

nsr

bgp router-id 2.2.2.2

bgp graceful-restart

address-family l2vpn vpls-vpws

!

neighbor 3.3.3.3

  remote-as 100

  update-source Loopback0

  address-family l2vpn vpls-vpws

  !

!

!

RP/0/RSP1/CPU0:PE1#

RP/0/RSP0/CPU0:PE2#show run router bgp

router bgp 100

nsr

bgp router-id 3.3.3.3

bgp graceful-restart

address-family l2vpn vpls-vpws

!

neighbor 2.2.2.2

  remote-as 100

  update-source Loopback0

  address-family l2vpn vpls-vpws

  !

!

!

RP/0/RSP0/CPU0:PE2#

Check the configs for BGP AD under l2vpn BD :

-> Check the VPN-ID matches with the other side PE

-> Check the ve-id is different from the other side PE

-> Check the rd, generally it will be auto

-> Check the signalling protocol configured the same correctly on both the ends

Sample Cfgs :

On PE1 :

l2vpn

bridge group bg1

  bridge-domain bg1_bd1

   interface PW-Ether2.1

   !

   interface GigabitEthernet0/1/1/10.1

   !

   vfi bgp_ad1

    vpn-id 1001

    autodiscovery bgp

     rd auto

     route-target 10.1.1.1:1

     signaling-protocol bgp

      ve-id 1001

     !

    !

On PE2 :

l2vpn

bridge group bg1

  bridge-domain bg1_bd1

   interface GigabitEthernet0/2/1/11.101

   !

   vfi bgp_ad1

    vpn-id 1001

    autodiscovery bgp

     rd auto

     route-target 10.1.1.1:1

     signaling-protocol bgp

      ve-id 2001

     !

    !

   !

If still the VFI is down

--> Start from IGP Neighborship

RP/0/RSP1/CPU0:PE1#show ospf neighbor

* Indicates MADJ interface

Neighbors for OSPF 100

Neighbor ID     Pri   State           Dead Time   Address         Interface

3.3.3.3         1     FULL/DR         00:00:35    30.2.1.2        Bundle-Ether3

   Neighbor is up for 23:38:15

3.3.3.3         1     FULL/DR         00:00:38    30.1.1.2        TenGigE0/1/0/1

    Neighbor is up for 1d22h

4.4.4.4         1     FULL/DR         00:00:35    60.1.1.2        GigabitEthernet0/1/1/9

    Neighbor is up for 1d22h

Total neighbor count: 3

RP/0/RSP1/CPU0:PE1#

--> Then check the BGP l2vpn Neighbors

RP/0/RSP1/CPU0:PE1#show bgp l2vpn vpls  summary

BGP router identifier 2.2.2.2, local AS number 100

BGP generic scan interval 60 secs

Non-stop routing is enabled

BGP table state: Active

Table ID: 0x0   RD version: 0

BGP main routing table version 1

BGP NSR Initial initsync version 1 (Reached)

BGP scan interval 60 secs

BGP is operating in STANDALONE mode.

Process       RcvTblVer   bRIB/RIB   LabelVer  ImportVer  SendTblVer  StandbyVer

Speaker               1          1          1          1           1           1

Neighbor        Spk    AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down  St/PfxRcd

3.3.3.3           0   100       4       4        1    0    0 00:01:21          0

RP/0/RSP1/CPU0:PE1#

--> Check the BD Detail for more details when the PW is down.

RP/0/RSP1/CPU0:PE1#show l2vpn bridge-domain bd-name bg1_bd1                                                

Legend: pp = Partially Programmed.

Bridge group: bg1, bridge-domain: bg1_bd1, id: 20, state: up, ShgId: 0, MSTi: 0

  Aging: 300 s, MAC limit: 4000, Action: none, Notification: syslog

  Filter MAC addresses: 0

  ACs: 2 (2 up), VFIs: 1, PWs: 1 (1 up), PBBs: 0 (0 up)

  List of ACs:

    Gi0/1/1/10.1, state: up, Static MAC addresses: 0

    PE2.1, state: up, Static MAC addresses: 0

  List of Access PWs:

  List of VFIs:

    VFI bgp_ad1 (up)

      Neighbor 3.3.3.3 pw-id 1001, state: up, Static MAC addresses: 0

RP/0/RSP1/CPU0:PE1#

RP/0/RSP1/CPU0:PE1#show l2vpn bridge-domain bd-name bg1_bd1

Legend: pp = Partially Programmed.

Bridge group: bg1, bridge-domain: bg1_bd1, id: 20, state: up, ShgId: 0, MSTi: 0

  Aging: 300 s, MAC limit: 4000, Action: none, Notification: syslog

  Filter MAC addresses: 0

  ACs: 2 (2 up), VFIs: 1, PWs: 1 (1 up), PBBs: 0 (0 up)

  List of ACs:

    Gi0/1/1/10.1, state: up, Static MAC addresses: 0

    PE2.1, state: up, Static MAC addresses: 0

  List of Access PWs:

  List of VFIs:

    VFI bgp_ad1 (up)

      Neighbor 3.3.3.3 pw-id 1001, state: up, Static MAC addresses: 0

RP/0/RSP1/CPU0:PE1#show l2vpn bridge-domain autodiscovery bgp detail

Legend: pp = Partially Programmed.

Bridge group: bg1, bridge-domain: bg1_bd1, id: 20, state: up, ShgId: 0, MSTi: 0

  Coupled state: disabled

  MAC learning: enabled

  MAC withdraw: enabled

    MAC withdraw for Access PW: enabled

    MAC withdraw sent on: bridge port up

    MAC withdraw relaying (access to access): disabled

  Flooding:

    Broadcast & Multicast: enabled

    Unknown unicast: enabled

  MAC aging time: 300 s, Type: inactivity

  MAC limit: 4000, Action: none, Notification: syslog

  MAC limit reached: no

  MAC port down flush: enabled

  MAC Secure: disabled, Logging: disabled

  Split Horizon Group: none

  Dynamic ARP Inspection: disabled, Logging: disabled

  IP Source Guard: disabled, Logging: disabled

  DHCPv4 snooping: disabled

  IGMP Snooping: enabled

  IGMP Snooping profile: none

  MLD Snooping profile: none

  Storm Control: disabled

  Bridge MTU: 1500

  MIB cvplsConfigIndex: 21

  Filter MAC addresses:

  Create time: 26/06/2013 12:36:30 (00:14:13 ago)

  No status change since creation

  ACs: 2 (2 up), VFIs: 1, PWs: 1 (1 up), PBBs: 0 (0 up)

  List of VFIs:

    VFI bgp_ad1 (up)

      VPN-ID: 1001, Auto Discovery: BGP, state is Provisioned (Service Connected)      Route Distinguisher:  (auto) 2.2.2.2:32768

      Import Route Targets:

        10.1.1.1:1

      Export Route Targets:

        10.1.1.1:1

      Signaling protocol: BGP

      Local VE-ID: 1001 ,  Advertised Local VE-ID : 1001

      VE-Range: 10

      PW: neighbor 3.3.3.3, PW ID 1001, state is up ( established )

        PW class not set, XC ID 0xc0000414

        Encapsulation MPLS, Auto-discovered (BGP), protocol BGP

        Source address 2.2.2.2

        PW type VPLS, control word disabled, interworking none

        Sequencing not set

          MPLS         Local                          Remote                      

          ------------ ------------------------------ -------------------------

          Label        289975                         16046                       

          MTU          1500                           1500                        

          Control word disabled                       disabled                    

          PW type      VPLS                           VPLS                        

          VE-ID        1001                           2001                        

          ------------ ------------------------------ -------------------------

        MIB cpwVcIndex: 3221226516

        Create time: 26/06/2013 12:37:26 (00:13:18 ago)

        Last time status changed: 26/06/2013 12:37:26 (00:13:18 ago)

        MAC withdraw messages: sent 0, received 0

        Static MAC addresses:

        Statistics:

          packets: received 0, sent 0

          bytes: received 0, sent 0

      DHCPv4 snooping: disabled

      IGMP Snooping profile: none

      MLD Snooping profile: none

      VFI Statistics:

        drops: illegal VLAN 0, illegal length 0

RP/0/RSP1/CPU0:PE1#

6. Glossary

• PSN (Packet Switched Network): a network using IP or MPLS as the mechanism for packet forwarding
• PE (Provider Edge): a device connected to customer devices through virtual circuits and providing L2VPN service
• VE (VPLS Edge): a PE participating in VPLS
• CE (Customer Edge): a customer device connected to the PE.
• AC (Attachment Circuit): the connection between the CE and the PE. It is either a port interface or a sub-interface (VLAN, ATM VPI/VCI, Frame Relay)
• PW (Pseudo Wire): an emulated circuit between two PE’s through a PSN.
• XC (Cross-Connect): a configured connection between two segments in a PE. A segment can be either an AC or a PW.
• VFI (Virtual Forwarding Instance): the set of Pseudowires facing the core network
• NLRI (Network Layer Reachability Information): VPN information exchanged between PEs for auto-discovery and signaling.
• RD (Route Distinguisher): is an address qualifier used only within a single VPN. It is used to distinguish the distinct VPN routes of separate customers who connect to the provider.
• BGP extended community: an 8 byte encoded value used to provide extra functionality and avoid routing loops.
• RT (Route Target): a BGP extended community to tag VPN routes with unique values in order to determine which routes belong to particular VPN.