- Preface
- Product Overview
- Virtual Switching Systems (VSS)
- IP Unicast Layer 3 Switching
-
- Cisco IOS ACL Support
- Cisco TrustSec (CTS)
- AutoSecure
- MAC Address-Based Traffic Blocking
- Port ACLs (PACLs)
- VLAN ACLs (VACLs)
- Policy-Based Forwarding (PBF)
- Denial of Service (DoS) Protection
- Control Plane Policing (CoPP)
- Dynamic Host Configuration Protocol (DHCP) Snooping
- IP Source Guard
- Dynamic ARP Inspection (DAI)
- Traffic Storm Control
- Unknown Unicast Flood Control
- IEEE 802.1X Port-Based Authentication
- Configuring Web-Based Authentication
- Port Security
- Lawful Intercept
- Online Diagnostic Tests
- Migrating From a 12.2SX QoS Configuration
- Index
- Prerequisites for EVCs
- Restrictions for EVCs
- Information About EVCs
- Default Settings for EVCs
- How to Configure EVCs
Ethernet Virtual Connections (EVCs)
- Prerequisites for EVCs
- Restrictions for EVCs
- Information About EVCs
- Default Settings for EVCs
- How to Configure EVCs
- Monitoring EVCs
Note ● For complete syntax and usage information for the commands used in this chapter, see these publications:
http://www.cisco.com/en/US/products/ps11846/prod_command_reference_list.html
- Cisco IOS Release 15.1SY supports only Ethernet interfaces. Cisco IOS Release 15.1SY does not support any WAN features or commands.
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
Participate in the Technical Documentation Ideas forum
Prerequisites for EVCs
Restrictions for EVCs
- LACP EtherChannels and the 802.1ad provider-bridge mode are mutually exclusive. LACP EtherChannels cannot transmit traffic when the 802.1ad provider-bridge mode is enabled.
- Maximum EFPs per switch: 10K.
- Maximum EFPs per bridge domain: 124.
- Maximum EFPs per interface: 4K.
- Maximum bridge domains per switch: 4K.
- Bridge domain configuration is supported only as part of the EVC service instance configuration.
- EVC support requires the following:
– The spanning tree mode must be MST.
– The dot1ad global configuration mode command must be configured.
- Service instances can be configured only on ports configured to trunk unconditionally with the switchport nonegotiate command.
- You can configure PFC QoS to support EVC ports.
- These are the supported EVC features:
– Service instances—You create, delete, and modify EFP service instances on Ethernet interfaces.
– Ethernet service protection on EVCs:
—Ethernet Operations, Administration, and Maintenance (EOAM)
—Connectivity fault management (CFM)
—Ethernet Local Management Interface (E-LMI)
– IPv6 access control lists (ACLs).
– Encapsulation—You can map traffic to EFPs based on 802.1Q VLANs (a single VLAN or a list or range of VLANs).
– You can configure EFPs as members of a bridge domain.
– Bridge domains support push symmetric only: the supported rewrite configuration implies egress pushing (adding a tag)
– Bridge domains support ingress rewrite
– MAC address learning and aging
– Bridging between switchports and EFPs
– MSTP (MST on EVC bridge domain)
– EFP statistics (packets and bytes)
– QoS aware EVC/EFP per service instance
– Layer 2 multicast frame flooding
– Service instance groups; also called Ethernet flow point (EFP) groups
Information About EVCs
- EVC Overview
- Ethernet Flow Points
- Service Instances and EFPs
- Encapsulation (Flexible Service Mapping)
- EFPs and MSTP
- Bridge Domains
- Rewrite Operations
- Layer 3 and Layer 4 ACL Support
- Advanced Frame Manipulation
- Egress Frame Filtering
EVC Overview
Ethernet virtual circuits (EVCs) define a Layer 2 bridging architecture that supports Ethernet services. An EVC is defined by the Metro-Ethernet Forum (MEF) as an association between two or more user network interfaces that identifies a point-to-point or multipoint-to-multipoint path within the service provider network. An EVC is a conceptual service pipe within the service provider network. A bridge domain is a local broadcast domain that exists separately from VLANs.
Ethernet Flow Points
An Ethernet flow point (EFP) service instance is a logical interface that connects a bridge domain to a physical port or to an EtherChannel. Configuring a service instance on a Layer 2 port creates a pseudoport or EFP on which you configure EVC features. Each service instance has a unique number per interface, but you can use the same number on different interfaces because service instances on different ports are not related.
An EFP classifies frames from the same physical port to one of the multiple service instances associated with that port, based on user-defined criteria. Each EFP can be associated with different forwarding actions and behavior.
The three major characteristics (or parameters) of an EFP are
An EVC broadcast domain is determined by a bridge domain and the EFPs that are attached to it. An incoming frame is matched against EFP matching criteria on the interface, learned on the matching EFP, and forwarded to one or more EFPs in the bridge domain. If there are no matching EFPs, the frame is dropped.
You can use EFPs to configure VLAN translation. For example, if there are two EFPs egressing the same interface, each EFP can have a different VLAN rewrite operation, which is more flexible than the traditional switch port VLAN translation model.
When an EFP is created, the initial state is UP. The state changes to DOWN under the following circumstances:
Service Instances and EFPs
Configuring a service instance on a Layer 2 port or EtherChannel creates a pseudoport or Ethernet flow point (EFP) on which you configure EVC features. Each service instance has a unique number per interface, but you can use the same number on different interfaces because service instances on different ports are not related.
If you have defined an EVC by entering the ethernet evc evc-id global configuration command, you can associate the EVC with the service instance (optional). There is no default behavior for a service instance. You can configure a service instance only on trunk ports with no allowed VLANs. Any other configuration is not allowed. After you have configured a service instance on an interface, switchport commands are not allowed on the interface. You can also configure a service instance on an EtherChannel group.
Use the service instance number ethernet [ name ] interface configuration command to create an EFP on a Layer 2 interface or EtherChannel and to enter service instance configuration mode. You use service instance configuration mode to configure all management and control date plane attributes and parameters that apply to the service instance on a per-interface basis.
- The service instance number is the EFP identifier, an integer from 1 to 4000.
- The optional ethernet name is the name of a previously configured EVC. You do not need to enter an EVC name, but you must enter ethernet. Different EFPs can share the same name when they correspond to the same EVC. EFPs are tied to a global EVC through the common name.
When you enter service instance configuration mode, you can configure these options:
- default —Sets a command to its defaults
- description —Adds a service instance specific description
- encapsulation —Configures Ethernet frame match criteria
- errdisable —Configures error disable
- ethernet —Configures Ethernet-lmi parameters
- exit —Exits from service instance configuration mode
- l2protocol —Configures Layer 2 control protocol processing
- mac —Commands for MAC address-based features
- no —Negates a command or sets its defaults
- service-policy —Attaches a policy-map to an EFP
- shutdown —Takes the service instance out of service
Enter the [ no ] shutdown service-instance configuration mode to shut down or bring up a service instance.
On a Layer 2 port with no service instance configured, multiple switchport commands are available ( access, backup, block, host, mode, and trunk). When one or more service instances are configured on a Layer 2 port, no switchport commands are accepted on that interface.
Encapsulation (Flexible Service Mapping)
Encapsulation defines the matching criteria that map any of these in any combination to a service instance:
VLAN tags and CoS can be a single value, a range, or a list. Ethertype can be a single type or a list of types. These are the encapsulation types:
Priority-tagged frames are always single-tagged. All Ethernet traffic is supported. The encapsulation classification options are:
When you configure an encapsulation method, you enable flexible service mapping, which allows you to map an incoming packet to an EFP based on the configured encapsulation.
The default behavior for flexible service mapping based on the outer 802.1q VLAN tag value is nonexact, meaning that when the EFP encapsulation configuration does not explicitly specify an inner (second) VLAN tag matching criterion, the software maps both single-tagged and double-tagged frames to the EFP as long as the frames fulfill the criteria of outer VLAN tag values. The command-line interface (CLI) does allow you to specify exact mapping with the exact keyword. If this keyword is specified, the EFP is designated as single-tagged-frame-only and double-tagged frames are not classified to that EFP.
Using the CLI encapsulation command in service-instance configuration mode, you can set encapsulation criteria. You must configure one encapsulation command per EFP (service instance). After you have configured an encapsulation method, these commands are available in service instance configuration mode:
If a packet entering a port does not match any of the encapsulations on that port, the packet is dropped, resulting in filtering of the packet. The encapsulation must match the packet on the wire to determine filtering criteria. On the wire refers to packets ingressing the switch before any rewrites and to packets egressing the switch after all rewrites.
EFPs and MSTP
EFP bridge domains are supported by the Multiple Spanning Tree Protocol (MSTP). These restrictions apply when running STP with bridge domains.
- All incoming VLANs (outer-most or single) mapped to a bridge domain must belong to the same MST instance or loops could occur.
- For all EFPs that are mapped to the same MST instance, you must configure backup EFPs on every redundant path to prevent loss of connectivity due to STP blocking a port.
- When STP mode is PVST+ or PVRST, EFP information is not passed to the protocol. EVC only supports only MSTP.
- Changing STP mode from MST to PVST+ or PVRST for a multicast port is not allowed.
Bridge Domains
Bridge Domain Overview
A bridge domain defines a broadcast domain internal to a platform and allows the decoupling of a broadcast domain from a VLAN. This decoupling enables per-port VLAN significance, thus removing the scalability limitations associated with a single per-device VLAN ID space. Frames received from one of the EFPs participating in a bridge domain matches are bridged.
A service instance must be attached to a bridge domain. Flooding and communication behavior of a bridge domain is similar to that of a VLAN domain. Bridge-domain membership is determined by which service instances have joined it (based on encapsulation criteria), while VLAN domain membership is determined by the VLAN tag in the packet.
Note You must configure encapsulation before you can configure the bridge domain.
IGMP snooping is enabled by default on the switch and on all VLANs but is automatically disabled on a VLAN when you configure a bridge domain under 4094. The switches support up to 124 bridge domains.
Ethernet MAC Address Learning
MAC address learning is always enabled and cannot be disabled.
Flooding of Layer 2 Frames for Unknown MAC and Broadcast Addresses
A Layer 2 frame with an unknown unicast or broadcast destination MAC address is flooded to all the EFPs in the bridge domain except to the originating EFP.
Replication of frames involves recirculating the frame several times. Recirculation negatively affect forwarding performance and reduce the packet forwarding rate for all features.
Layer 2 Destination MAC Address-Based Forwarding
When bridging is configured, a unicast frame received from an EFP is forwarded based on the destination Layer 2 MAC address. If the destination address is known, the frame is forwarded only to the EFP/NNI associated with the destination address.
Because the bridge and EFP configurations are interrelated, bridging is supported only on EFPs. To support multiple bridge domains, MAC address entries are associated with the bridge domain of the EFP. Only unicast MAC addresses need to be dynamically learned.
MAC Address Aging
The dynamically learned MAC address entries in the MAC table are periodically aged out and entries that are inactive for longer than the configured time period are removed from the table. The supported range of aging-time values, in seconds, is 5 through 1000000, with a granularity of 1. The default is 8 minutes. The aging-time parameter can be configured per bridge domain and is a relative value. The value is the aging time relative to the time a frame was received with that MAC address.
MAC Address Table
The MAC address table is used to forward frames based on Layer 2 destination MAC addresses. The table consists of static MAC addresses downloaded from the route processor (RP) and the MAC addresses dynamically learned by the data path.
While the MAC Learning feature is enabled, an entry is added to the MAC table when a new unique MAC address is learned on the data path and an entry is deleted from the table when it is aged out.
Rewrite Operations
The rewrite command pushes the 802.1ad tag onto ingress packets to forward the packet on the 802.1ad cloud.
Enter the rewrite ingress tag push dot1ad vlan-id symmetric service-instance configuration mode command to specify the encapsulation of additional dot1ad tag on the frame ingress to the EFP.
Note The symmetric keyword is required to complete rewrite to configuration.
When you enter the symmetric keyword, the egress counterpart performs the inverse action and pushes (adds) the encapsulation VLAN.
Layer 3 and Layer 4 ACL Support
Configuring an ACL on an EFP is the same as configuring an ACL on other types of interfaces.
Note ACLs are not supported for packets prefixed with a Multiprotocol Label Switching (MPLS) header, including when an MPLS packet contains either Layer 3 or Layer 4 headers of supported protocols.
Advanced Frame Manipulation
The Advanced Frame Manipulation feature supports a PUSH operation that adds one VLAN tag to both the incoming and outgoing frames of an EFP.
When a VLAN tag exists and a new one is added, the CoS field of the new tag is set to the same value as the CoS field of the existing VLAN tag; otherwise, the CoS field is set to a default of 0. Using QoS marking configuration commands, you can change the CoS marking.
Egress Frame Filtering
Egress frame filtering is performed to ensure that frames exiting an EFP contain a Layer 2 header that matches the encapsulation characteristics associated with the EFP. This filtering is done primarily to prevent unintended frame leaks and is always enabled on EFPs.
Default Settings for EVCs
How to Configure EVCs
Configuring a service instance on a Layer 2 port creates an EFP on which you can configure EVC features. Perform this task to configure an EFP.
|
|
|
---|---|---|
Enables privileged EXEC mode. Enter your password if prompted. |
||
Enables 802.1ad provider-bridge mode. Note LACP EtherChannels and the 802.1ad provider-bridge mode are mutually exclusive. LACP EtherChannels cannot transmit traffic when the 802.1ad provider-bridge mode is enabled. |
||
Configures the port for Layer 2 switching. Note You must enter the switchport command once without any keywords to configure the LAN port as a Layer 2 port before you can enter additional switchport commands with keywords. |
||
Router(config-if)# switchport trunk allowed vlan vlan [, vlan [, vlan [,...]] |
Configures the list of VLANs allowed on the trunk. Note If VLAN locking is enabled, enter VLAN names instead of VLAN numbers. For more information, see the “VLAN Locking” section. |
|
Configures the port as an 802.1ad provider-bridge user-to-network interface (UNI) port. Note The dot1ad uni interface mode command imposes some SPAN restrictions (see “Feature Incompatibilities” section). |
||
Router(config-if)# service instance number ethernet [ name ] |
Configures an Ethernet service instance (EFP) and enters service instance configuration mode. |
|
Router(config-if)# ip access-group access-list-number | access-list-name } { in | out } |
(Optional) Applies an IP access list or object group access control list (OGACL) to an interface. |
|
Router(config-if-srv)# encapsulation encapsulation-type vlan-id [ cos cos_value ] |
Configures the encapsulation type for the service instance.
|
|
Router(config-if-srv)# rewrite ingress tag push dot1ad vlan-id [ symmetric ] |
(Optional) Specifies the encapsulation adjustment to be performed on a frame ingressing a service instance. |
|
|
Configuring Multiple Service Instances
Router(config)#
interface gigabitethernet1/1
Router(config-if)#
switchport mode trunk
Router(config-if)#
switchport nonegotiate
Router(config-if)#
service instance 1 ethernet evc1
Router(config-if-srv)#
encapsulation dot1q 201 cos 1
Router(config-if-srv)#
rewrite ingress tag push dot1ad 300 symmetric
Router(config-if-srv)#
bridge-domain 300
Router(config-if-srv)#
end
Router(config-if)#
service instance 2 ethernet evc2
Router(config-if-srv)#
encapsulation default
Router(config-if-srv)#
rewrite ingress tag push dot1ad 301 symmetric
Router(config-if-srv)#
bridge-domain 301
Router(config-if-srv)#
end
Router(config-if)#
service instance 3 ethernet evc3
Router(config-if-srv)#
encapsulation priority-tagged cos 1
Router(config-if-srv)#
rewrite ingress tag push dot1ad 302 symmetric
Router(config-if-srv)#
bridge-domain 302
Configuring a Service Instance
Router(config)#
interface gigabitethernet1/1
Router(config-if)#
switchport mode trunk
Router(config-if)#
switchport nonegotiate
Router(config-if)#
switchport trunk allowed vlan none
Router(config-if)#
service instance
22
ethernet evc1
Router(config-if-srv)#
encapsulation dot1q 100
Router(config-if-srv)#
bridge-domain 10
Encapsulation Using a VLAN Range
Router(config)#
interface gigabitethernet1/1
Router(config-if)#
service instance
1
ethernet
Router(config-if-srv)#
encapsulation dot1q 22-44 cos 1
Router(config-if-srv)#
rewrite ingress tag push dot1ad 10 symmetric
Router(config-if-srv)#
bridge-domain 10
Two Service Instances Joining the Same Bridge Domain
In this example, service instance 1 on interfaces Gigabit Ethernet 1/1 and 1/2 can bridge between each other.
Router(config)#
interface gigabitethernet1/1
Router(config-if)#
service instance
1
Ethernet
Router(config-if-srv)#
encapsulation dot1q 10
Router(config-if-srv)#
rewrite ingress tag push dot1ad 10 symmetric
Router(config-if-srv)#
bridge-domain 10
Router(config)#
interface gigabitethernet1/2
Router(config-if)#
service instance
1
Ethernet
Router(config-if-srv)#
encapsulation dot1q 10
Router(config-if-srv)#
rewrite ingress tag push dot1ad 10 symmetric
Router(config-if-srv)#
bridge-domain 10
Bridge Domains and VLAN Encapsulation
Use the VLAN ID configured with the rewrite ingress tag push dot1ad command as the bridge-domain number, rather than the VLAN ID configured with the encapsulation dot1q command, which can be the same or a different value.
Router(config)#
interface gigabitethernet1/1
Router(config-if)#
service instance
1
ethernet evc1
Router(config-if-srv)#
encapsulation dot1q 10
Router(config-if-srv)#
rewrite ingress tag push dot1ad 4000 symmetric
Router(config-if-srv)#
bridge-domain 4000
Router(config)#
interface gigabitethernet1/2
Router(config-if)#
service instance
1
ethernet evc1
Router(config-if-srv)#
encapsulation dot1q 10
Router(config-if-srv)#
rewrite ingress tag push dot1ad 4000 symmetric
Router(config-if-srv)#
bridge-domain 4000
Traffic cannot be forwarded if the the VLAN ID configured with the encapsulation dot1q commands do not match in a bridge domain. In this example, the service instances on Gigabit Ethernet 1/1 and 1/2 cannot forward between each other, because the encapsulation VLAN IDs do not match (filtering criteria). You can use the rewrite command to allow communication between these two.
Router(config)#
interface gigabitethernet1/1
Router(config-if)#
service instance
1
ethernet evc1
Router(config-if-srv)#
encapsulation dot1q 10
Router(config-if-srv)#
rewrite ingress tag push dot1ad 4000 symmetric
Router(config-if-srv)#
bridge-domain 4000
Router(config)#
interface gigabitethernet1/2
Router(config-if)#
service instance
1
ethernet evc1
Router(config-if-srv)#
encapsulation dot1q 99
Router(config-if-srv)#
rewrite ingress tag push dot1ad 4000 symmetric
Router(config-if-srv)#
bridge-domain 4000
Rewrite
In this example, the VLAN ID configured in the rewrite ingress tag push dot1ad command (4000 in the example) is pushed onto packets that match the VLAN ID configured in the encapsulation dot1q command (10 in the example). The symmetric keyword enables the inverse action on packets in the reverse direction: packets that egress from this service instance with VLAN ID 4000 are deencapsulated, resulting in VLAN ID 10 with cos 1.
Router
(config)# interface gigabitethernet1/1
Router
(config-if)# service instance 1 ethernet
Router
(config-if-srv)# encapsulation dot1q 10 cos 1
Router
(config-if-srv)# rewrite ingress tag push dot1ad 4000 symmetric
Router
(config-if-srv)# bridge-domain 4000
Monitoring EVCs
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
Participate in the Technical Documentation Ideas forum