Configuring Virtual Private LAN Services

Virtual Private LAN Services (VPLS) enables enterprises to link together their Ethernet-based LANs from multiple sites via the infrastructure provided by their service provider.

This module explains VPLS and how to configure it.

Prerequisites for Virtual Private LAN Services

Before you configure Virtual Private LAN Services (VPLS), ensure that the network is configured as follows:

  • Configure IP routing in the core so that provider edge (PE) devices can reach each other via IP.

  • Configure Multiprotocol Label Switching (MPLS) in the core so that a label switched path (LSP) exists between PE devices.

  • Configure a loopback interface for originating and terminating Layer 2 traffic. Ensure that PE devices can access the loopback interface of the other device. Note that the loopback interface is not required in all cases. For example, tunnel selection does not need a loopback interface when VPLS is directly mapped to a traffic engineering (TE) tunnel.

  • Identify peer PE devices and attach Layer 2 circuits to VPLS at each PE device.

Restrictions for Virtual Private LAN Services

The following general restrictions apply to all transport types under Virtual Private LAN Services (VPLS):

  • If you do not enable the EFP feature template, then there is no traffic flow between EFP and VFI (when EFP is with Split Horizon group and VFI is default). But when you enable the EFP feature template, then there is traffic flow between EFP and VFI because of design limitations.

  • Supported maximum values:

    • Total number of virtual forwarding instances (VFIs): 4096 (4 K)

  • Software-based data plane is not supported.

  • Load sharing and failover on redundant customer-edge-provider-edge (CE-PE) links are not supported.

Information About Virtual Private LAN Services

VPLS Overview

Virtual Private LAN Services (VPLS) enables enterprises to link together their Ethernet-based LANs from multiple sites via the infrastructure provided by their service provider. From the enterprise perspective, the service provider’s public network looks like one giant Ethernet LAN. For the service provider, VPLS provides an opportunity to deploy another revenue-generating service on top of the existing network without major capital expenditures. Operators can extend the operational life of equipment in their network.

VPLS uses the provider core to join multiple attachment circuits together to simulate a virtual bridge that connects the multiple attachment circuits together. From a customer point of view, there is no topology for VPLS. All customer edge (CE) devices appear to connect to a logical bridge emulated by the provider core (see the figure below).

Figure 1. VPLS Topology


Full-Mesh Configuration

A full-mesh configuration requires a full mesh of tunnel label switched paths (LSPs) between all provider edge (PE) devices that participate in Virtual Private LAN Services (VPLS). With a full mesh, signaling overhead and packet replication requirements for each provisioned virtual circuit (VC) on a PE can be high.

You set up a VPLS by first creating a virtual forwarding instance (VFI) on each participating PE device. The VFI specifies the VPN ID of a VPLS domain, the addresses of other PE devices in the domain, and the type of tunnel signaling and encapsulation mechanism for each peer PE device.

The set of VFIs formed by the interconnection of the emulated VCs is called a VPLS instance; it is the VPLS instance that forms the logic bridge over a packet switched network. After the VFI has been defined, it needs to be bound to an attachment circuit to the CE device. The VPLS instance is assigned a unique VPN ID.

PE devices use the VFI to establish a full-mesh LSP of emulated VCs to all other PE devices in the VPLS instance. PE devices obtain the membership of a VPLS instance through static configuration using the Cisco IOS CLI.

A full-mesh configuration allows the PE device to maintain a single broadcast domain. When the PE device receives a broadcast, multicast, or unknown unicast packet on an attachment circuit (AC), it sends the packet out on all other ACs and emulated circuits to all other CE devices participating in that VPLS instance. The CE devices see the VPLS instance as an emulated LAN.

To avoid the problem of a packet looping in the provider core, PE devices enforce a “split-horizon” principle for emulated VCs. In a split horizon, if a packet is received on an emulated VC, it is not forwarded on any other emulated VC.

The packet forwarding decision is made by looking up the Layer 2 VFI of a particular VPLS domain.

A VPLS instance on a particular PE device receives Ethernet frames that enter on specific physical or logical ports and populates a MAC table similarly to how an Ethernet switch works. The PE device can use the MAC address to switch these frames into the appropriate LSP for delivery to the another PE device at a remote site.

If the MAC address is not available in the MAC address table, the PE device replicates the Ethernet frame and floods it to all logical ports associated with that VPLS instance, except the ingress port from which it just entered. The PE device updates the MAC table as it receives packets on specific ports and removes addresses not used for specific periods.

Static VPLS Configuration

Virtual Private LAN Services (VPLS) over Multiprotocol Label Switching-Transport Profile (MPLS-TP) tunnels allows you to deploy a multipoint-to-multipoint layer 2 operating environment over an MPLS-TP network for services such as Ethernet connectivity and multicast video. To configure static VPLS, you must specify a static range of MPLS labels using the mpls label range command with the static keyword.

H-VPLS

Hierarchical VPLS (H-VPLS) reduces signaling and replication overhead by using full-mesh and hub-and-spoke configurations. Hub-and-spoke configurations operate with split horizon to allow packets to be switched between pseudowires (PWs), effectively reducing the number of PWs between provider edge (PE) devices.


Note


Split horizon is the default configuration to avoid broadcast packet looping.


Supported Features

Multipoint-to-Multipoint Support

In a multipoint-to-multipoint network, two or more devices are associated over the core network. No single device is designated as the Root node; all devices are considered as Root nodes. All frames can be exchanged directly between the nodes.

Non-Transparent Operation

A virtual Ethernet connection (VEC) can be transparent or non-transparent with respect to Ethernet protocol data units (PDUs). The VEC non-transparency allows users to have a Frame Relay-type service between Layer 3 devices.

Circuit Multiplexing

Circuit multiplexing allows a node to participate in multiple services over a single Ethernet connection. By participating in multiple services, the Ethernet connection is attached to multiple logical networks. Some examples of possible service offerings are VPN services between sites, Internet services, and third-party connectivity for intercompany communications.

MAC-Address Learning, Forwarding, and Aging

Provider edge (PE) devices must learn remote MAC addresses and directly attached MAC addresses on ports that face the external network. MAC address learning accomplishes this by deriving the topology and forwarding information from packets originating at customer sites. A timer is associated with stored MAC addresses. After the timer expires, the entry is removed from the table.

Jumbo Frame Support

Jumbo frame support provides support for frame sizes between 1548 and 9216 bytes. You use the CLI to establish the jumbo frame size for any value specified in the above range. The default value is 1500 bytes in any Layer 2/VLAN interface. You can configure jumbo frame support on a per-interface basis.

Q-in-Q Support and Q-in-Q to EoMPLS Support

With 802.1Q tunneling (Q-in-Q), the customer edge (CE) device issues VLAN-tagged packets and VPLS forwards these packets to a far-end CE device. Q-in-Q refers to the fact that one or more 802.1Q tags may be located in a packet within the interior of the network. As packets are received from a CE device, an additional VLAN tag is added to incoming Ethernet packets to segregate traffic from different CE devices. Untagged packets originating from a CE device use a single tag within the interior of the VLAN switched network, whereas previously tagged packets originating from the CE device use two or more tags.

VPLS Services

Transparent LAN Service

Transparent LAN Service (TLS) is an extension to the point-to-point port-based Ethernet over Multiprotocol Label Switching (EoMPLS), which provides bridging protocol transparency (for example, bridge protocol data units [BPDUs]) and VLAN values. Bridges see this service as an Ethernet segment. With TLS, the PE device forwards all Ethernet packets received from the customer-facing interface (including tagged and untagged packets, and BPDUs) as follows:

  • To a local Ethernet interface or an emulated virtual circuit (VC) if the destination MAC address is found in the Layer 2 forwarding table.

  • To all other local Ethernet interfaces and emulated VCs belonging to the same VPLS domain if the destination MAC address is a multicast or broadcast address or if the destination MAC address is not found in the Layer 2 forwarding table.


Note


You must enable Layer 2 protocol tunneling to run the Cisco Discovery Protocol (CDP), the VLAN Trunking Protocol (VTP), and the Spanning-Tree Protocol (STP).


Ethernet Virtual Connection Service

Ethernet Virtual Connection Service (EVCS) is an extension to the point-to-point VLAN-based Ethernet over MPLS (EoMPLS) that allows devices to reach multiple intranet and extranet locations from a single physical port. With EVCS, the provider edge (PE) device forwards all Ethernet packets with a particular VLAN tag received from the customer-facing interface (excluding bridge protocol data units [BPDUs]) as follows:

  • To a local Ethernet interface or to an emulated virtual circuit (VC) if the destination MAC address is found in the Layer 2 forwarding table.

  • To all other local Ethernet interfaces and emulated VCs belonging to the same Virtual Private LAN Services (VPLS) domain if the destination MAC address is a multicast or a broadcast address or if the destination MAC address is not found in the Layer 2 forwarding table.


Note


Because it has only local significance, the demultiplexing VLAN tag that identifies a VPLS domain is removed before the packet is forwarded to the outgoing Ethernet interfaces or emulated VCs.


VPLS Integrated Routing and Bridging

Virtual Private LAN Services (VPLS) integrated routing and bridging routes Layer 3 traffic and switches Layer 2 frames for pseudowire connections between provider edge (PE) devices using a VPLS multipoint PE device. The ability to route frames to and from these interfaces supports the termination of a pseudowire into a Layer 3 network (VPN or global) on the same switch or to tunnel Layer 3 frames over a Layer 2 tunnel (VPLS).

To configure routing support for a pseudowire, configure an IP address and other Layer 3 features for the Layer 3 domain in interface configuration mode.


Note


VPLS integrated routing and bridging does not support multicast routing. VPLS integrated routing and bridging is also known as routed pseudowire and routed VPLS.


The following example shows how to assign IP address 10.10.10.1 to a bridge domain interface (BDI).


interface bdi 100
  ip address 10.10.10.1 255.255.255.0 

VPLS and Type 4 dummy VLAN Tag

From Cisco IOS XE Everest 16.4.1 release, VPLS VC type 4 mode (with autodiscovery) can be used to configure a dummy VLAN tag. This feature can be used to modify the VLAN ID to filter based on the VLAN ID. The dummy VLAN ID is 0 in default VPLS type 4 mode, and can be set to any value from 1 to 4094. Refer to the section titled "Example: MAC ACL with Dummy VLAN ID" in this chapter for the configuration example.

How to Configure Virtual Private LAN Services

Provisioning a Virtual Private LAN Services (VPLS) link involves provisioning the associated attachment circuit and a virtual forwarding instance (VFI) on a provider edge (PE) device.

In Cisco IOS XE Release 3.7S, the L2VPN Protocol-Based CLIs feature was introduced. This feature provides a set of processes and an improved infrastructure for developing and delivering Cisco IOS software on various Cisco platforms. This feature introduces new commands and modifies or replaces existing commands to achieve a consistent functionality across Cisco platforms and provide cross-Operating System (OS) support.

This section consists of tasks that use the commands existing prior to Cisco IOS XE Release 3.7S and a corresponding task that uses the commands introduced or modified by the L2VPN Protocol-Based CLIs feature.

Configuring PE Layer 2 Interfaces on CE Devices

You can configure the Ethernet flow point (EFP) as a Layer 2 virtual interface. You can also select tagged or untagged traffic from a customer edge (CE) device.

Configuring 802.1Q Access Ports for Tagged Traffic from a CE Device


Note


When Ethernet Virtual Connection Service (EVCS) is configured, a provider edge (PE) device forwards all Ethernet packets with a particular VLAN tag to a local Ethernet interface or emulated virtual circuit (VC) if the destination MAC address is found in the Layer 2 forwarding table.


SUMMARY STEPS

  1. enable
  2. configure terminal
  3. interface type number
  4. no ip address [ip-address mask ] [secondary ]
  5. negotiation auto
  6. service instance si-id ethernet
  7. encapsulation dot1q vlan-id
  8. bridge-domain bd-id
  9. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable
Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface type number

Example:

Device(config)# interface gigabitethernet 0/0/1

Specifies an interface and enters interface configuration mode.

Step 4

no ip address [ip-address mask ] [secondary ]

Example:

Device(config-if)# no ip address 

Disables IP processing.

Step 5

negotiation auto

Example:

Device(config-if)# negotiation auto

Enables the autonegotiation protocol to configure the speed, duplex, and automatic flow control of the Gigabit Ethernet interface.

Step 6

service instance si-id ethernet

Example:

Device(config-if)# service instance 10 ethernet

Specifies the service instance ID and enters service instance configuration mode.

Step 7

encapsulation dot1q vlan-id

Example:

Device(config-if-srv)# encapsulation dot1q 200

Defines the matching criteria to map 802.1Q frames ingress on an interface to the appropriate service instance.

Ensure that the interface on the adjoining customer edge (CE) device is on the same VLAN as this PE device.

Step 8

bridge-domain bd-id

Example:

Device(config-if-srv)# bridge-domain 100

Binds a service instance to a bridge domain instance.

Step 9

end

Example:

Device(config-if-srv)# end

Exits service instance configuration mode and returns to privileged EXEC mode.

Configuring 802.1Q Access Ports for Tagged Traffic from a CE Device: Alternate Configuration


Note


When Ethernet Virtual Connection Service (EVCS) is configured, the PE device forwards all Ethernet packets with a particular VLAN tag to a local Ethernet interface or an emulated virtual circuit (VC) if the destination MAC address is found in the Layer 2 forwarding table.


SUMMARY STEPS

  1. enable
  2. configure terminal
  3. interface type number
  4. no ip address [ip-address mask ] [secondary ]
  5. negotiation auto
  6. service instance si-id ethernet
  7. encapsulation dot1q vlan-id
  8. exit
  9. exit
  10. bridge-domain bd-id
  11. member interface-type-number service-instance service-id [split-horizon group group-id ]
  12. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable
Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface type number

Example:

Device(config)# interface gigabitethernet 0/0/1

Specifies an interface and enters interface configuration mode.

Step 4

no ip address [ip-address mask ] [secondary ]

Example:

Device(config-if)# no ip address 

Disables IP processing.

Step 5

negotiation auto

Example:

Device(config-if)# negotiation auto

Enables the autonegotiation protocol to configure the speed, duplex, and automatic flow control of the Gigabit Ethernet interface.

Step 6

service instance si-id ethernet

Example:

Device(config-if)# service instance 10 ethernet

Specifies a service instance ID and enters service instance configuration mode.

Step 7

encapsulation dot1q vlan-id

Example:

Device(config-if-srv)# encapsulation dot1q 200
Defines the matching criteria to map 802.1Q frames ingress on an interface to the appropriate service instance.
  • Ensure that the interface on the adjoining customer edge (CE) device is on the same VLAN as this provider edge (PE) device.

Step 8

exit

Example:

Device(config-if-srv)# exit

Exits service instance configuration mode and returns to interface configuration mode.

Step 9

exit

Example:

Device(config-if)# exit

Exits interface configuration mode and returns to global configuration mode.

Step 10

bridge-domain bd-id

Example:

Device(config)# bridge-domain 100

Specifies the bridge domain ID and enters bridge-domain configuration mode.

Step 11

member interface-type-number service-instance service-id [split-horizon group group-id ]

Example:

Device(config-bdomain)# member gigabitethernet0/0/1 service-instance 1000

Binds a service instance to a bridge domain instance.

Step 12

end

Example:

Device(config-bdomain)# end

Exits bridge-domain configuration mode and returns to privileged EXEC mode.

Configuring Access Ports for Untagged Traffic from a CE Device

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. interface type number
  4. no ip address [ip-address mask ] [secondary ]
  5. negotiation auto
  6. service instance si-id ethernet
  7. encapsulation untagged
  8. bridge-domain bd-id
  9. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable
Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface type number

Example:

Device(config)# interface gigabitethernet 0/0/0

Specifies an interface and enters interface configuration mode.

Step 4

no ip address [ip-address mask ] [secondary ]

Example:

Device(config-if)# no ip address 

Disables IP processing.

Step 5

negotiation auto

Example:

Device(config-if)# negotiation auto

Enables the autonegotiation protocol to configure the speed, duplex, and automatic flow control of the Gigabit Ethernet interface.

Step 6

service instance si-id ethernet

Example:

Device(config-if)# service instance 10 ethernet

Specifies a service instance ID and enters service instance configuration mode.

Step 7

encapsulation untagged

Example:

Device(config-if-srv)# encapsulation untagged
Defines the matching criteria to map untagged ingress Ethernet frames on an interface to the appropriate service instance.
  • Ensure that the interface on the adjoining customer edge (CE) device is on the same VLAN as this provider edge (PE) device.

Step 8

bridge-domain bd-id

Example:

Device(config-if-srv)# bridge-domain 100

Binds a service instance or MAC tunnel to a bridge domain instance.

Step 9

end

Example:

Device(config-if-srv)# end

Exits service instance configuration mode and returns to privileged EXEC mode.

Configuring 802.1Q Access Ports for Tagged Traffic from a CE Device: Alternate Configuration


Note


When Ethernet Virtual Connection Service (EVCS) is configured, the PE device forwards all Ethernet packets with a particular VLAN tag to a local Ethernet interface or an emulated virtual circuit (VC) if the destination MAC address is found in the Layer 2 forwarding table.


SUMMARY STEPS

  1. enable
  2. configure terminal
  3. interface type number
  4. no ip address [ip-address mask ] [secondary ]
  5. negotiation auto
  6. service instance si-id ethernet
  7. encapsulation dot1q vlan-id
  8. exit
  9. exit
  10. bridge-domain bd-id
  11. member interface-type-number service-instance service-id [split-horizon group group-id ]
  12. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable
Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface type number

Example:

Device(config)# interface gigabitethernet 0/0/1

Specifies an interface and enters interface configuration mode.

Step 4

no ip address [ip-address mask ] [secondary ]

Example:

Device(config-if)# no ip address 

Disables IP processing.

Step 5

negotiation auto

Example:

Device(config-if)# negotiation auto

Enables the autonegotiation protocol to configure the speed, duplex, and automatic flow control of the Gigabit Ethernet interface.

Step 6

service instance si-id ethernet

Example:

Device(config-if)# service instance 10 ethernet

Specifies a service instance ID and enters service instance configuration mode.

Step 7

encapsulation dot1q vlan-id

Example:

Device(config-if-srv)# encapsulation dot1q 200
Defines the matching criteria to map 802.1Q frames ingress on an interface to the appropriate service instance.
  • Ensure that the interface on the adjoining customer edge (CE) device is on the same VLAN as this provider edge (PE) device.

Step 8

exit

Example:

Device(config-if-srv)# exit

Exits service instance configuration mode and returns to interface configuration mode.

Step 9

exit

Example:

Device(config-if)# exit

Exits interface configuration mode and returns to global configuration mode.

Step 10

bridge-domain bd-id

Example:

Device(config)# bridge-domain 100

Specifies the bridge domain ID and enters bridge-domain configuration mode.

Step 11

member interface-type-number service-instance service-id [split-horizon group group-id ]

Example:

Device(config-bdomain)# member gigabitethernet0/0/1 service-instance 1000

Binds a service instance to a bridge domain instance.

Step 12

end

Example:

Device(config-bdomain)# end

Exits bridge-domain configuration mode and returns to privileged EXEC mode.

Configuring Q-in-Q EFP


Note


When a thread-local storage (TLS) is configured, the provider edge (PE) device forwards all Ethernet packets received from the customer edge (CE) device to all local Ethernet interfaces and emulated virtual circuits (VCs) that belong to the same Virtual Private LAN Services (VPLS) domain if the MAC address is not found in the Layer 2 forwarding table.


SUMMARY STEPS

  1. enable
  2. configure terminal
  3. interface type number
  4. no ip address [ip-address mask ] [secondary ]
  5. negotiation auto
  6. service instance si-id ethernet
  7. encapsulation dot1q vlan-id second-dot1q vlan-id
  8. bridge-domain bd-id
  9. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable
Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface type number

Example:

Device(config)# interface gigabitethernet 0/0/2

Specifies an interface and enters interface configuration mode.

Step 4

no ip address [ip-address mask ] [secondary ]

Example:

Device(config-if)# no ip address 

Disables IP processing.

Step 5

negotiation auto

Example:

Device(config-if)# negotiation auto

Enables the autonegotiation protocol to configure the speed, duplex, and automatic flow control of the Gigabit Ethernet interface.

Step 6

service instance si-id ethernet

Example:

Device(config-if)# service instance 10 ethernet

Specifies a service instance ID and enters service instance configuration mode.

Step 7

encapsulation dot1q vlan-id second-dot1q vlan-id

Example:

Device(config-if-srv)# encapsulation dot1q 200 second-dot1q 400
Defines the matching criteria to map Q-in-Q ingress frames on an interface to the appropriate service instance.
  • Ensure that the interface on the adjoining CE device is on the same VLAN as this PE device.

Step 8

bridge-domain bd-id

Example:

Device(config-if-srv)# bridge-domain 100

Binds a service instance or a MAC tunnel to a bridge domain instance.

Step 9

end

Example:

Device(config-if-srv)# end

Exits service instance configuration mode and returns to privileged EXEC mode.

Configuring Q-in-Q EFP: Alternate Configuration


Note


When a thread-local storage (TLS) is configured, the provider edge (PE) device forwards all Ethernet packets received from the customer edge (CE) device to all local Ethernet interfaces and emulated virtual circuits (VCs) belonging to the same Virtual Private LAN Services (VPLS) domain if the MAC address is not found in the Layer 2 forwarding table.


SUMMARY STEPS

  1. enable
  2. configure terminal
  3. interface type number
  4. no ip address [ip-address mask ] [secondary ]
  5. negotiation auto
  6. service instance si-id ethernet
  7. encapsulation dot1q vlan-id second-dot1q vlan-id
  8. exit
  9. exit
  10. bridge-domain bd-id
  11. member interface-type-number service-instance service-id [split-horizon group group-id ]
  12. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable
Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface type number

Example:

Device(config)# interface gigabitethernet 0/0/2

Specifies an interface and enters interface configuration mode.

Step 4

no ip address [ip-address mask ] [secondary ]

Example:

Device(config-if)# no ip address 

Disables IP processing.

Step 5

negotiation auto

Example:

Device(config-if)# negotiation auto

Enables the autonegotiation protocol to configure the speed, duplex, and automatic flow control of the Gigabit Ethernet interface.

Step 6

service instance si-id ethernet

Example:

Device(config-if)# service instance 10 ethernet

Specifies a service instance ID and enters service instance configuration mode.

Step 7

encapsulation dot1q vlan-id second-dot1q vlan-id

Example:

Device(config-if-srv)# encapsulation dot1q 200 second-dot1q 400
Defines the matching criteria to map Q-in-Q ingress frames on an interface to the appropriate service instance.
  • Ensure that the interface on the adjoining CE device is on the same VLAN as this PE device.

Step 8

exit

Example:

Device(config-if-srv)# exit

Exits service instance configuration mode and returns to interface configuration mode.

Step 9

exit

Example:

Device(config-if)# exit

Exits interface configuration mode and returns to global configuration mode.

Step 10

bridge-domain bd-id

Example:

Device(config)# bridge-domain 100

Specifies the bridge domain ID and enters bridge-domain configuration mode.

Step 11

member interface-type-number service-instance service-id [split-horizon group group-id ]

Example:

Device(config-bdomain)# member gigabitethernet0/0/2 service-instance 1000

Binds a service instance to a bridge domain instance.

Step 12

end

Example:

Device(config-bdomain)# end

Exits bridge-domain configuration mode and returns to privileged EXEC mode.

Configuring MPLS on a PE Device

To configure Multiprotocol Label Switching (MPLS) on a provider edge (PE) device, configure the required MPLS parameters.


Note


Before configuring MPLS, ensure that IP connectivity exists between all PE devices by configuring Interior Gateway Protocol (IGP), Open Shortest Path First (OSPF), or Intermediate System to Intermediate System (IS-IS) between PE devices.


SUMMARY STEPS

  1. enable
  2. configure terminal
  3. mpls label protocol {ldp | tdp}
  4. mpls ldp logging neighbor-changes
  5. mpls ldp discovery hello holdtime seconds
  6. mpls ldp router-id interface-type-number [force]
  7. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

mpls label protocol {ldp | tdp}

Example:


Device(config)# mpls label protocol ldp

Specifies the label distribution protocol for the platform.

Step 4

mpls ldp logging neighbor-changes

Example:


Device(config)# mpls ldp logging neighbor-changes

(Optional) Generates system error logging (syslog) messages when LDP sessions go down.

Step 5

mpls ldp discovery hello holdtime seconds

Example:


Device(config)# mpls ldp discovery hello holdtime 5

Configures the interval between the transmission of consecutive LDP discovery hello messages or the hold time for an LDP transport connection.

Step 6

mpls ldp router-id interface-type-number [force]

Example:


Device(config)# mpls ldp router-id loopback0 force

Specifies a preferred interface for the LDP router ID.

Step 7

end

Example:


Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Configuring a VFI on a PE Device

The virtual forwarding interface (VFI) specifies the VPN ID of a Virtual Private LAN Services (VPLS) domain, the addresses of other provider edge (PE) devices in the domain, and the type of tunnel signaling and encapsulation mechanism for each peer.


Note


Only Multiprotocol Label Switching (MPLS) encapsulation is supported.


SUMMARY STEPS

  1. enable
  2. configure terminal
  3. l2 vfi name manual
  4. vpn id vpn-id
  5. neighbor remote-router-id vc-id {encapsulation encapsulation-type | pw-class pw-name } [no-split-horizon ]
  6. bridge-domain bd-id
  7. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

l2 vfi name manual

Example:


Device(config)# l2 vfi vfi110 manual

Establishes a Layer 2 VPN (L2VPN) virtual forwarding interface (VFI) between two or more separate networks and enters VFI configuration mode.

Step 4

vpn id vpn-id

Example:


Device(config-vfi)# vpn id 110

Configures a VPN ID for a VPLS domain.

  • The emulated VCs bound to this Layer 2 virtual routing and forwarding (VRF) instance use this VPN ID for signaling.

Step 5

neighbor remote-router-id vc-id {encapsulation encapsulation-type | pw-class pw-name } [no-split-horizon ]

Example:


Device(config-vfi)# neighbor 172.16.10.2 4 encapsulation mpls

Specifies the type of tunnel signaling and encapsulation mechanism for each VPLS peer.

Note

 

Split horizon is the default configuration to avoid broadcast packet looping and to isolate Layer 2 traffic. Use the no-split-horizon keyword to disable split horizon and to configure multiple VCs per spoke into the same VFI.

Step 6

bridge-domain bd-id

Example:


Device(config-vfi)# bridge-domain 100

Specifies a bridge domain.

Step 7

end

Example:


Device(config-vfi)# end

Exits VFI configuration mode and returns to privileged EXEC mode.

Configuring a VFI on a PE Device: Alternate Configuration

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. l2vpn vfi context name
  4. vpn id id
  5. member ip-address [vc-id] encapsulation mpls
  6. exit
  7. bridge-domain bd-id
  8. member vfi vfi-name
  9. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:


Device> enable
Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

l2vpn vfi context name

Example:


Device(config)# l2vpn vfi context vfi110

Establishes a L2VPN VFI between two or more separate networks, and enters VFI configuration mode.

Step 4

vpn id id

Example:


Device(config-vfi)# vpn id 110

Configures a VPN ID for a Virtual Private LAN Services (VPLS) domain. The emulated virtual circuits (VCs) bound to this Layer 2 virtual routing and forwarding (VRF) instance use this VPN ID for signaling.

Step 5

member ip-address [vc-id] encapsulation mpls

Example:


Device(config-vfi)# member 172.16.10.2 4 encapsulation mpls

Specifies the devices that form a point-to-point Layer 2 VPN (L2VPN) virtual forwarding interface (VFI) connection and Multiprotocol Label Switching (MPLS) as the encapsulation type.

Step 6

exit

Example:


Device(config-vfi)# exit

Exits VFI configuration mode and returns to global configuration mode.

Step 7

bridge-domain bd-id

Example:


Device(config)# bridge-domain 100

Specifies a bridge domain and enters bridge-domain configuration mode.

Step 8

member vfi vfi-name

Example:


Device(config-bdomain)# member vfi vfi110

Binds a VFI instance to a bridge domain instance.

Step 9

end

Example:


Device(config-bdomain)# end

Exits bridge-domain configuration mode and returns to privileged EXEC mode.

Configuring Static Virtual Private LAN Services

To configure static Virtual Private LAN Services (VPLS), perform the following tasks:

  • Configuring a Pseudowire for Static VPLS

  • Configuring VFI for Static VPLS

  • Configuring a VFI for Static VPLS: Alternate Configuration

  • Configuring an Attachment Circuit for Static VPLS

  • Configuring an Attachment Circuit for Static VPLS: Alternate Configuration

  • Configuring an MPLS-TP Tunnel for Static VPLS with TP

  • Configuring a VFI for Static VPLS: Alternate Configuration

Configuring a Pseudowire for Static VPLS

The configuration of pseudowires between provider edge (PE) devices helps in the successful transmission of the Layer 2 frames between PE devices.

Use the pseudowire template to configure the virtual circuit (VC) type for the virtual path identifier (VPI) pseudowire. In the following task, the pseudowire will go through a Multiprotocol Label Switching (MPLS)-Tunneling Protocol (TP) tunnel.

The pseudowire template configuration specifies the characteristics of the tunneling mechanism that is used by the pseudowires, which are:

  • Encapsulation type

  • Control protocol

  • Payload-specific options

  • Preferred path

Perform this task to configure a pseudowire template for static Virtual Private LAN Services (VPLS).


Note


Ensure that you perform this task before configuring the virtual forwarding instance (VFI) peer. If the VFI peer is configured before the pseudowire class, the configuration is incomplete until the pseudowire class is configured. The show running-config command displays an error stating that configuration is incomplete.

Device# show running-config | sec vfi

l2 vfi config manual
 vpn id 1000
 ! Incomplete point-to-multipoint vfi config

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. template type pseudowire name
  4. encapsulation mpls
  5. signaling protocol none
  6. preferred-path interface Tunnel-tp interface-number
  7. exit
  8. interface pseudowire number
  9. source template type pseudowire name
  10. neighbor peer-address vcid-value
  11. label local-pseudowire-label remote-pseudowire-label
  12. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

template type pseudowire name

Example:

Device(config)# template type pseudowire static-vpls

Specifies the template type as pseudowire and enters template configuration mode.

Step 4

encapsulation mpls

Example:

Device(config-template)# encapsulation mpls 
Specifies the tunneling encapsulation.
  • For Any Transport over MPLS (AToM), the encapsulation type is MPLS.

Step 5

signaling protocol none

Example:

Device(config-template)# signaling protocol none 

Specifies that no signaling protocol is configured for the pseudowire class.

Step 6

preferred-path interface Tunnel-tp interface-number

Example:

Device(config-template)# preferred-path interface Tunnel-tp 1

(Optional) Specifies the path that traffic uses: an MPLS Traffic Engineering (TE) tunnel or destination IP address and Domain Name Server (DNS) name.

Step 7

exit

Example:

Device(config-template)# exit

Exits template configuration mode and returns to global configuration mode.

Step 8

interface pseudowire number

Example:

Device(config)# interface pseudowire 1

Establishes a pseudowire interface and enters interface configuration mode.

Step 9

source template type pseudowire name

Example:

Device(config-if)# source template type pseudowire static-vpls

Configures the source template type of the configured pseudowire.

Step 10

neighbor peer-address vcid-value

Example:

Device(config-if)# neighbor 10.0.0.1 123

Specifies the peer IP address and VC ID value of a Layer 2 VPN (L2VPN) pseudowire.

Step 11

label local-pseudowire-label remote-pseudowire-label

Example:

Device(config-if)# label 301 17

Configures an Any Transport over MPLS (AToM) static pseudowire connection by defining local and remote circuit labels.

Step 12

end

Example:

Device(config-if)# end

Exits interface configuration mode and returns to privileged EXEC mode.

Configuring VFI for Static VPLS


Note


Ensure that you perform this task after configuring the pseudowire. If the VFI peer is configured before the pseudowire, the configuration is incomplete until the pseudowire is configured. The output of the show running-config command displays an error stating that configuration is incomplete.

Device# show running-config | sec vfi

l2 vfi config manual
 vpn id 1000
 ! Incomplete point-to-multipoint vfi config

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. mpls label range minimum-value maximum-value [static minimum-static-value maximum-static-value ]
  4. pseudowire-class [pw-class-name]
  5. encapsulation mpls
  6. protocol {l2tpv2 | l2tpv3 | none } [l2tp-class-name]
  7. exit
  8. l2 vfi vfi-name manual
  9. vpn id vpn-id
  10. neighbor ip-address pw-class pw-name
  11. mpls label local-pseudowire-label remote-pseudowire-label
  12. mpls control-word
  13. neighbor ip-address pw-class pw-name
  14. mpls label local-pseudowire-label remote-pseudowire-label
  15. mpls control-word
  16. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

mpls label range minimum-value maximum-value [static minimum-static-value maximum-static-value ]

Example:

Device(config)# mpls label range 16 200 static 300 500

Configures the range of local labels available for use with Multiprotocol Label Switching (MPLS) applications on packet interfaces.

Step 4

pseudowire-class [pw-class-name]

Example:

Device(config)# pseudowire-class static_vpls

Specifies the name of a Layer 2 pseudowire class and enters pseudowire class configuration mode.

Step 5

encapsulation mpls

Example:

Device(config-pw-class)# encapsulation mpls

Specifies the tunneling encapsulation as MPLS.

Step 6

protocol {l2tpv2 | l2tpv3 | none } [l2tp-class-name]

Example:

Device(config-pw-class)# protocol none

Specifies that no signaling protocol will be used in Layer 2 Tunneling Protocol Version 3 (L2TPv3) sessions.

Step 7

exit

Example:

Device(config-pw-class)# exit

Exits pseudowire class configuration mode and returns to global configuration mode.

Step 8

l2 vfi vfi-name manual

Example:

Device(config)# l2 vfi static-vfi manual

Establishes a Layer 2 VPN (L2VPN) virtual forwarding interface (VFI) between two or more separate networks, and enters Layer 2 VFI manual configuration mode.

Step 9

vpn id vpn-id

Example:

Device(config-vfi)# vpn id 100

Specifies the VPN ID.

Step 10

neighbor ip-address pw-class pw-name

Example:

Device(config-vfi)# neighbor 10.3.4.4 pw-class static_vpls

Specifies the IP address of the peer and the pseudowire class.

Step 11

mpls label local-pseudowire-label remote-pseudowire-label

Example:

Device(config-vfi)# mpls label 301 17

Configures an Any Transport over MPLS (AToM) static pseudowire connection by defining local and remote circuit labels.

Step 12

mpls control-word

Example:

Device(config-vfi)# mpls control-word

(Optional) Enables the MPLS control word in an AToM static pseudowire connection.

Step 13

neighbor ip-address pw-class pw-name

Example:

Device(config-vfi)# neighbor 2.3.4.3 pw-class static_vpls

Specifies the IP address of the peer and the pseudowire class.

Step 14

mpls label local-pseudowire-label remote-pseudowire-label

Example:

Device(config-vfi)# mpls label 302 18

Configures an AToM static pseudowire connection by defining local and remote circuit labels.

Step 15

mpls control-word

Example:

Device(config-vfi)# mpls control-word

(Optional) Enables the MPLS control word in an AToM static pseudowire connection.

Step 16

end

Example:

Device(config-vfi)# end

Exits Layer 2 VFI manual configuration mode and returns to privileged EXEC mode.

Configuring a VFI for Static VPLS: Alternate Configuration


Note


Ensure that you perform this task after configuring the pseudowire. If the VFI peer is configured before the pseudowire, the configuration is incomplete until the pseudowire is configured. The output of the show running-config command displays an error stating that configuration is incomplete.

Device# show running-config | sec vfi

l2 vfi config manual
 vpn id 1000
 ! Incomplete point-to-multipoint vfi config

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. l2vpn vfi context vfi-name
  4. vpn id vpn-id
  5. exit
  6. interface type number
  7. encapsulation mpls
  8. neighbor ip-address vc-id
  9. label local-pseudowire-label remote-pseudowire-label
  10. control-word {include | exclude}
  11. exit
  12. bridge-domain bd-id
  13. member vfi vfi-name
  14. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

l2vpn vfi context vfi-name

Example:

Device(config)# l2vpn vfi context vpls1

Establishes a Layer 2 VPN (L2VPN) virtual forwarding interface (VFI) between two or more separate networks and enters VFI configuration mode.

Step 4

vpn id vpn-id

Example:

Device(config-vfi)# vpn id 100

Specifies the VPN ID.

Step 5

exit

Example:

Device(config-vfi)# exit

Exits VFI configuration mode and returns to global configuration mode.

Step 6

interface type number

Example:

Device(config)# interface pseudowire 100

Specifies an interface and enters interface configuration mode.

Step 7

encapsulation mpls

Example:

Device(config-if)# encapsulation mpls

Specifies an encapsulation type for tunneling Layer 2 traffic over a pseudowire.

Step 8

neighbor ip-address vc-id

Example:

Device(config-if)# neighbor 10.3.4.4 100

Specifies the peer IP address and virtual circuit (VC) ID value of a Layer 2 VPN (L2VPN) pseudowire.

Step 9

label local-pseudowire-label remote-pseudowire-label

Example:

Device(config-if)# label 301 17

Configures an Any Transport over MPLS (AToM) static pseudowire connection by defining local and remote circuit labels.

Step 10

control-word {include | exclude}

Example:

Device(config-if)# control-word include

(Optional) Enables the Multiprotocol Label Switching (MPLS) control word in an AToM dynamic pseudowire connection.

Step 11

exit

Example:

Device(config-if)# exit

Exits interface configuration mode and returns to global configuration mode.

Step 12

bridge-domain bd-id

Example:

Device(config)# bridge-domain 24

Specifies the bridge domain ID and enters bridge-domain configuration mode.

Step 13

member vfi vfi-name

Example:

Device(config-bdomain)# member vfi vpls1

Binds a service instance to a bridge domain instance.

Step 14

end

Example:

Device(config-bdomain)# end

Exits bridge-domain configuration mode and returns to privileged EXEC mode.

Configuring an Attachment Circuit for Static VPLS

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. interface gigabitethernet slot/interface
  4. service instance si-id ethernet
  5. encapsulation dot1q vlan-id
  6. rewrite ingress tag pop number [symmetric]
  7. bridge-domain bd-id
  8. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface gigabitethernet slot/interface

Example:

Device(config)# interface gigabitethernet 0/0/1
Specifies an interface and enters interface configuration mode.
  • Ensure that the interfaces between the customer edge (CE) and provider edge (PE) devices that run Ethernet over MPLS (EoMPLS) are in the same subnet. All other interfaces and backbone devices do not need to be in the same subnet.

Step 4

service instance si-id ethernet

Example:

Device(config-if)# service instance 100 ethernet

Configures an Ethernet service instance on an interface and enters service instance configuration mode.

Step 5

encapsulation dot1q vlan-id

Example:

Device(config-if-srv)# encapsulation dot1q 200
Defines the matching criteria to map 802.1Q frames ingress on an interface to the appropriate service instance.
  • Ensure that the interface on the adjoining CE device is on the same VLAN as this PE device.

Step 6

rewrite ingress tag pop number [symmetric]

Example:

Device(config-if-srv)# rewrite ingress tag pop 1 symmetric

(Optional) Specifies the encapsulation adjustment to be performed on a frame ingressing a service instance and the tag to be removed from a packet.

Step 7

bridge-domain bd-id

Example:

Device(config-if-srv)# bridge-domain 24

(Optional) Binds a service instance or a MAC tunnel to a bridge domain instance.

Step 8

end

Example:

Device(config-if-srv)# end

Exits service instance configuration mode and returns to privileged EXEC mode.

Configuring an Attachment Circuit for Static VPLS: Alternate Configuration

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. interface gigabitethernet slot/interface
  4. service instance si-id ethernet
  5. encapsulation dot1q vlan-id
  6. rewrite ingress tag pop number [symmetric]
  7. exit
  8. exit
  9. bridge-domain bd-id
  10. member interface-type-number service-instance service-id [split-horizon group group-id ]
  11. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface gigabitethernet slot/interface

Example:

Device(config)# interface gigabitethernet 0/0/1
Specifies an interface and enters interface configuration mode.
  • Ensure that the interfaces between the customer edge (CE) and provider edge (PE) devices that are running Ethernet over MPLS (EoMPLS) are in the same subnet. All other interfaces and backbone devices do not need to be in the same subnet.

Step 4

service instance si-id ethernet

Example:

Device(config-if)# service instance 10 ethernet

Specifies a service instance ID and enters service instance configuration mode.

Step 5

encapsulation dot1q vlan-id

Example:

Device(config-if-srv)# encapsulation dot1q 200
Defines the matching criteria to map 802.1Q frames ingress on an interface to the appropriate service instance.
  • Ensure that the interface on the adjoining CE device is on the same VLAN as this PE device.

Step 6

rewrite ingress tag pop number [symmetric]

Example:

Device(config-if-srv)# rewrite ingress tag pop 1 symmetric

(Optional) Specifies the encapsulation adjustment to be performed on a frame ingressing a service instance and the tag to be removed from a packet.

Step 7

exit

Example:

Device(config-if-srv)# exit

Exits service instance configuration mode and returns to interface configuration mode.

Step 8

exit

Example:

Device(config-if)# exit

Exits interface configuration mode and returns to global configuration mode.

Step 9

bridge-domain bd-id

Example:

Device(config)# bridge-domain 100

Specifies the bridge domain ID and enters bridge-domain configuration mode.

Step 10

member interface-type-number service-instance service-id [split-horizon group group-id ]

Example:

Device(config-bdomain)# member gigabitethernet0/0/1 service-instance 1000

(Optional) Binds a service instance to a bridge domain instance.

Step 11

end

Example:

Device(config-bdomain)# end

Exits bridge-domain configuration mode and returns to privileged EXEC mode.

Configuring an MPLS-TP Tunnel for Static VPLS with TP

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. interface Tunnel-tp number
  4. no ip address
  5. no keepalive
  6. tp destination ip-address
  7. bfd bfd-template
  8. working-lsp
  9. out-label number out-link number
  10. lsp-number number
  11. exit
  12. protect-lsp
  13. out-label number out-link number
  14. in-label number
  15. lsp-number number
  16. exit
  17. exit
  18. interface type number
  19. ip address ip-address ip-mask
  20. mpls tp link link-num {ipv4 ip-address | tx-mac mac-address }
  21. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface Tunnel-tp number

Example:

Device(config)# interface Tunnel-tp 4
Configures a Multiprotocol Label Switching (MPLS) transport profile tunnel and enters interface configuration mode.
  • Use the same interface as you configured for the pseudowire class.

Step 4

no ip address

Example:

Device(config-if)# no ip address

Disables the IP address configuration.

Step 5

no keepalive

Example:

Device(config-if)# no keepalive

Disables the keepalive configuration.

Step 6

tp destination ip-address

Example:

Device(config-if)# tp destination 10.22.22.22

Configures the tunnel destination.

Step 7

bfd bfd-template

Example:

Device(config-if)# bfd tp

Binds a single-hop Bidirectional Forwarding Detection (BFD) template to an interface.

Step 8

working-lsp

Example:

Device(config-if)# working-lsp

Configures the working label switched path (LSP) and enters working interface configuration mode.

Step 9

out-label number out-link number

Example:

Device(config-if-working)# out-label 16 out-link 100

Configures the out link and out label for the working LSP.

Step 10

lsp-number number

Example:

Device(config-if-working)# lsp-number 0

Configures the ID number for the working LSP.

Step 11

exit

Example:

Device(config-if-working)# exit

Exits working interface configuration mode and returns to interface configuration mode.

Step 12

protect-lsp

Example:

Device(config-if)# protect-lsp

Enters protection configuration mode for the label switched path (LSP) and enters protect interface configuration mode.

Step 13

out-label number out-link number

Example:

Device(config-if-protect)# out-label 11 out-link 500

Configures the out link and out label for the protect LSP.

Step 14

in-label number

Example:

Device(config-if-protect)# in-label 600

Configures the in label for the protect LSP.

Step 15

lsp-number number

Example:

Device(config-if-protect)# lsp-number 1

Configures the ID number for the working protect LSP.

Step 16

exit

Example:

Device(config-if-protect)# exit

Exits protect interface configuration mode and returns to interface configuration mode.

Step 17

exit

Example:

Device(config-if)# exit

Exits interface configuration mode and returns to global configuration mode.

Step 18

interface type number

Example:

Device(config-if)# interface GigabitEthernet 0/1/0

Configures a interface and enters interface configuration mode.

Step 19

ip address ip-address ip-mask

Example:

Device(config)# ip address 10.0.0.1 255.255.255.0

(Optional) Configures the IP address and mask if not using an IP-less core.

Step 20

mpls tp link link-num {ipv4 ip-address | tx-mac mac-address }

Example:

Device(config-if)# mpls tp link 10 tx-mac 0100.0c99.8877 

Configures Multiprotocol Label Switching (MPLS) transport profile (TP) link parameters.

Step 21

end

Example:

Device(config-if)# end

Exits interface configuration mode and returns to privileged EXEC mode.

Configuration Examples for Virtual Private LAN Services

Example: Configuring 802.1Q Access Ports for Tagged Traffic from a CE Device

This example shows how to configure the tagged traffic:


Device(config)# interface GigabitEthernet 0/0/1
Device(config-if)# no ip address
Device(config-if)# negotiation auto
Device(config-if)# service instance 10 ethernet
Device(config-if-srv)# encapsulation dot1q 200
Device(config-if-srv)# bridge-domain 100
Device(config-if-srv)# end

Example: Configuring 802.1Q Access Ports for Tagged Traffic from a CE Device: Alternate Configuration

The following example shows how to configure the tagged traffic:


Device(config)# interface GigabitEthernet 0/0/1
Device(config-if)# no ip address
Device(config-if)# negotiation auto
Device(config-if)# service instance 10 ethernet
Device(config-if-srv)# encapsulation dot1q 200
Device(config-if-srv)# exit
Device(config-if)# exit
Device(config)# bridge-domain 100
Device(config-bdomain)# member gigabitethernet0/0/1 service-instance 1000
Device(config-bdomain)# end

Example: Configuring Access Ports for Untagged Traffic from a CE Device

The following example shows how to configure access ports for untagged traffic:

Device(config)# interface gigabitethernet 0/0/0
Device(config-if)# no ip address
Device(config-if)# negotiation auto
Device(config-if)# service instance 10 ethernet
Device(config-if-srv)# encapsulation untagged
Device(config-if-srv)# bridge-domain 100
Device(config-if-srv)# end

The following example shows a virtual forwarding interface (VFI) configuration:


Device(config)# l2 vfi VPLSA manual
Device(config-vfi)# vpn id 110
Device(config-vfi)# neighbor 10.11.11.11 encapsulation mpls
Device(config-vfi)# neighbor 10.33.33.33 encapsulation mpls
Device(config-vfi)# neighbor 10.44.44.44 encapsulation mpls
Device(config-vfi)# bridge-domain 110
Device(config-vfi)# end

The following example shows a VFI configuration for hub and spoke.


Device(config)# l2 vfi VPLSB manual
Device(config-vfi)# vpn id 111
Device(config-vfi)# neighbor 10.99.99.99 encapsulation mpls
Device(config-vfi)# neighbor 10.12.12.12 encapsulation mpls
Device(config-vfi)# neighbor 10.13.13.13 encapsulation mpls no-split-horizon
Device(config-vfi)# bridge-domain 111
Device(config-vfi)# end

The output of the show mpls 12transport vc command displays various information related to a provide edge (PE) device. The VC ID in the output represents the VPN ID; the VC is identified by the combination of the destination address and the VC ID as shown in the command output. The output of the show mpls l2transport vc detail command displays detailed information about virtual circuits (VCs) on a PE device.


Device# show mpls l2transport vc 201

Local intf     Local circuit        Dest address    VC ID      Status
-------------  -------------------- --------------- ---------- ----------
VFI VPLSA      VFI                  10.11.11.11     110        UP
VFI VPLSA      VFI                  10.33.33.33     110        UP
VFI VPLSA      VFI                  10.44.44.44     110        UP

The following sample output from the show vfi command displays the VFI status:


Device# show vfi VPLSA

VFI name: VPLSA, state: up
  Local attachment circuits:
    Vlan2  
  Neighbors connected via pseudowires:
  Peer Address     VC ID     Split-horizon
  10.11.11.11          110             Y
  10.33.33.33          110             Y
  10.44.44.44          110             Y


Device# show vfi VPLSB

VFI name: VPLSB, state: up
  Local attachment circuits:
    Vlan2  
  Neighbors connected via pseudowires:
  Peer Address     VC ID     Split-horizon
  10.99.99.99       111             Y
  10.12.12.12       111             Y
  10.13.13.13       111             N

Example: Configuring Access Ports for Untagged Traffic from a CE Device: Alternate Configuration

The following example shows how to configure the untagged traffic.


Device(config)# interface GigabitEthernet 0/4/4
Device(config-if)# no ip address
Device(config-if)# negotiation auto
Device(config-if)# service instance 10 ethernet
Device(config-if-srv)# encapsulation untagged
Device(config-if-srv)# exit
Device(config-if)# exit
Device(config)# bridge-domain 100
Device(config-bdomain)# member GigabitEthernet0/4/4 service-instance 10
Device(config-if-srv)# end

Example: Configuring Q-in-Q EFP

The following example shows how to configure the tagged traffic.


Device(config)# interface GigabitEthernet 0/0/2
Device(config-if)# no ip address
Device(config-if)# negotiate auto
Device(config-if)# service instance 10 ethernet
Device(config-if-srv)# encapsulation dot1q 200 second-dot1q 400
Device(config-if-srv)# bridge-domain 100
Device(config-if-srv)# end

Use the show spanning-tree vlan command to verify that the ports are not in a blocked state. Use the show vlan id command to verify that a specific port is configured to send and receive specific VLAN traffic.

Example: Configuring Q-in-Q in EFP: Alternate Configuration

The following example shows how to configure the tagged traffic:


Device(config)# interface GigabitEthernet 0/4/4
Device(config-if)# no ip address
Device(config-if)# nonegotiate auto
Device(config-if)# service instance 10 ethernet
Device(config-if-srv)# encapsulation dot1q 200 second-dot1q 400
Device(config-if-srv)# exit
Device(config-if)# exit
Device(config)# bridge-domain 100
Device(config-bdomain)# member GigabitEthernet0/4/4 service-instance 1000
Device(config-bdomain)# end

Use the show spanning-tree vlan command to verify that the port is not in a blocked state. Use the show vlan id command to verify that a specific port is configured to send and receive a specific VLAN traffic.

Example: Configuring MPLS on a PE Device

The following example shows a global Multiprotocol Label Switching (MPLS) configuration:


Device(config)# mpls label protocol ldp
Device(config)# mpls ldp logging neighbor-changes
Device(config)# mpls ldp discovery hello holdtime 5 
Device(config)# mpls ldp router-id Loopback0 force

The following sample output from the show ip cef command displays the Label Distribution Protocol (LDP) label assigned:


Device# show ip cef 192.168.17.7

192.168.17.7/32, version 272, epoch 0, cached adjacency to POS4/1
0 packets, 0 bytes
  tag information set
    local tag: 8149
    fast tag rewrite with PO4/1, point2point, tags imposed: {4017}
  via 10.3.1.4, POS4/1, 283 dependencies
    next hop 10.3.1.4, POS4/1
    valid cached adjacency
    tag rewrite with PO4/1, point2point, tags imposed: {4017}

Example: VFI on a PE Device

The following example shows a virtual forwarding instance (VFI) configuration:


Device(config)# l2 vfi vfi110 manual
Device(config-vfi)# vpn id 110
Device(config-vfi)# neighbor 172.16.10.2 4 encapsulation mpls
Device(config-vfi)# neighbor 10.16.33.33 encapsulation mpls
Device(config-vfi)# neighbor 198.51.100.44 encapsulation mpls
Device(config-vfi)# bridge-domain 100
Device(config-vfi)# end

The following example shows a VFI configuration for a hub-and-spoke configuration:


Device(config)# l2 vfi VPLSA manual
Device(config-vfi)# vpn id 110
Device(config-vfi)# neighbor 10.9.9.9 encapsulation mpls
Device(config-vfi)# neighbor 192.0.2.12 encapsulation mpls
Device(config-vfi)# neighbor 203.0.113.4 encapsulation mpls no-split-horizon
Device(config-vfi)# bridge-domain 100
Device(config-vfi)# end

The show mpls 12transport vc command displays information about the provider edge (PE) device. The show mpls l2transport vc detail command displays detailed information about the virtual circuits (VCs) on a PE device.


Device# show mpls l2transport vc 201

Local intf     Local circuit        Dest address    VC ID      Status
-------------  -------------------- --------------- ---------- ----------
VFI test1      VFI                  209.165.201.1   201        UP
VFI test1      VFI                  209.165.201.2   201        UP
VFI test1      VFI                  209.165.201.3   201        UP


The show vfi vfi-name command displays VFI status. The VC ID in the output represents the VPN ID; the VC is identified by the combination of the destination address and the VC ID as in the example below.


Device# show vfi VPLS-2

VFI name: VPLS-2, state: up
  Local attachment circuits:
    Vlan2  
  Neighbors connected via pseudowires:
  Peer Address     VC ID     Split-horizon
  10.1.1.1          2             Y
  10.1.1.2          2             Y
  10.2.2.3          2             N

Example: VFI on a PE Device: Alternate Configuration

The following example shows how to configure a virtual forwarding interface (VFI) on a provider edge (PE) device:


Device(config)# l2vpn vfi context vfi110 
Device(config-vfi)#	vpn id 110
Device(config-vfi)#	member 172.16.10.2 4 encapsulation mpls
Device(config-vfi)#	member 10.33.33.33 encapsulation mpls
Device(config-vfi)#	member 10.44.44.44 encapsulation mpls
Device(config-vfi)# exit
Device(config)# bridge-domain 100
Device(config-bdomain)# member vfi vfi110
Device(config-bdomain)# end

The following example shows how to configure a hub-and-spoke VFI configuration:.


Device(config)# l2vpn vfi context VPLSA
Device(config-vfi)#	vpn id 110
Device(config-vfi)#		member 10.9.9.9 encapsulation mpls
Device(config-vfi)#		member 172.16.10.2 4 encapsulation mpls
Device(config-vfi)#		exit
Device(config)#	bridge-domain 100
Device(config-bdomain)#	member vfi VPLSA
Device(config-bdomain)#	member GigabitEthernet0/0/0 service-instance 100
Device(config-bdomain)#	member 10.33.33.33 10 encapsulation mpls
Device(config-bdomain)#	end

The show l2vpn atom vc command displays information about the PE device. The command also displays information about Any Transport over MPLS (AToM) virtual circuits (VCs) and static pseudowires that are enabled to route Layer 2 packets on a device.


Device# show l2vpn atom vc

Local intf    Local circuit           Dest address    VC ID      Status
------------- ----------------------- --------------- ---------- ----------
Et0/0.1       Eth VLAN 101            10.0.0.2        101        UP
Et0/0.1       Eth VLAN 101            10.0.0.3        201        DOWN

The show l2vpn vfi command displays the VFI status. The VC ID in the output represents the VPN ID; the VC is identified by the combination of the destination address and the VC ID as in the example below.


Device# show l2vpn vfi VPLS-2

Legend: RT= Route-target

VFI name: serviceCore1, State: UP, Signaling Protocol: LDP
  VPN ID: 100, VPLS-ID: 9:10, Bridge-domain vlan: 100
  RD: 9:10, RT: 10.10.10.10:150
  Pseudo-port Interface: Virtual-Ethernet1000
 
  Neighbors connected via pseudowires:
  Interface    Peer Address    VC ID      Discovered Router ID   Next Hop
  Pw2000       10.0.0.1        10         10.0.0.1               10.0.0.1   
  Pw2001       10.0.0.2        10         10.1.1.2               10.0.0.2   
  Pw2002       10.0.0.3        10         10.1.1.3               10.0.0.3   
  Pw5          10.0.0.4        10         -                      10.0.0.4

Example: Full-Mesh VPLS Configuration

In a full-mesh configuration, each provider edge (PE) device creates a multipoint-to-multipoint forwarding relationship with all other PE devices in the Virtual Private LAN Services (VPLS) domain using a virtual forwarding interface (VFI). An Ethernet or a VLAN packet received from the customer network can be forwarded to one or more local interfaces and/or emulated virtual circuits (VCs) in the VPLS domain. To avoid a broadcast packet loop in the network, packets received from an emulated VC cannot be forwarded to any emulated VC in the VPLS domain on a PE device. Ensure that Layer 2 split horizon is enabled to avoid a broadcast packet loop in a full-mesh network.

Figure 2. Full-Mesh VPLS Configuration

PE 1 Configuration

The following examples shows how to create virtual switch instances (VSIs) and associated VCs:


l2 vfi PE1-VPLS-A manual
 vpn id 100
 neighbor 10.2.2.2 encapsulation mpls
 neighbor 10.3.3.3 encapsulation mpls
 bridge domain 100
!
interface Loopback 0
 ip address 10.1.1.1 255.255.0.0

The following example shows how to configure the customer edge (CE) device interface (there can be multiple Layer 2 interfaces in a VLAN):


interface GigabitEthernet 0/0/0
 no ip address 
 negotiation auto 
 service instance 10 ethernet 
 encapsulation dot1q 200 
 bridge-domain 100

PE 2 Configuration

The following example shows how to create VSIs and associated VCs.


l2 vfi PE2-VPLS-A manual
 vpn id 100
 neighbor 10.1.1.1 encapsulation mpls
 neighbor 10.3.3.3 encapsulation mpls
 bridge domain 100
!
interface Loopback 0
 ip address 10.2.2.2 255.255.0.0

The following example shows how to configure the CE device interface (there can be multiple Layer 2 interfaces in a VLAN):


interface GigabitEthernet 0/0/0
 no ip address 
 negotiation auto 
 service instance 10 ethernet 
 encapsulation dot1q 200 
 bridge-domain 100

PE 3 Configuration

The following example shows how to create VSIs and associated VCs:


l2 vfi PE3-VPLS-A manual
 vpn id 112
 neighbor 10.1.1.1 encapsulation mpls
 neighbor 10.2.2.2 encapsulation mpls
 bridge domain 100
!
interface Loopback 0
 ip address 10.3.3.3 255.255.0.0

The following example shows how to configure the CE device interface (there can be multiple Layer 2 interfaces in a VLAN).


interface GigabitEthernet 0/0/1
 no ip address 
 negotiation auto 
 service instance 10 ethernet 
 encapsulation dot1q 200 
 bridge-domain 100
!

The following sample output from the show mpls l2 vc command provides information about the status of the VC:


Device# show mpls l2 vc

Local intf       Local circuit        Dest address    VC ID      Status
-------------    -------------------- --------------- ---------- ----------
VFI PE1-VPLS-A   VFI                  10.2.2.2     				100        UP
VFI PE1-VPLS-A   VFI                  10.3.3.3         100        UP

The following sample output from the show vfi command provides information about the VFI:


Device# show vfi PE1-VPLS-A

VFI name: VPLSA, state: up
  Local attachment circuits:
    Vlan200
  Neighbors connected via pseudowires:
    10.2.2.2  10.3.3.3

The following sample output from the show mpls 12transport vc command provides information about virtual circuits:


Device# show mpls l2transport vc detail

Local interface: VFI PE1-VPLS-A up
  Destination address: 10.2.2.2, VC ID: 100, VC status: up
    Tunnel label: imp-null, next hop point2point
    Output interface: Se2/0, imposed label stack {18}
  Create time: 3d15h, last status change time: 1d03h
  Signaling protocol: LDP, peer 10.2.2.2:0 up
    MPLS VC labels: local 18, remote 18
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description: 
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 0, send 0
    byte totals:   receive 0, send 0
    packet drops:  receive 0, send 0

Example: Full-Mesh Configuration : Alternate Configuration

In a full-mesh configuration, each provider edge (PE) router creates a multipoint-to-multipoint forwarding relationship with all other PE routers in the Virtual Private LAN Services (VPLS) domain using a virtual forwarding interface (VFI). An Ethernet or virtual LAN (VLAN) packet received from the customer network can be forwarded to one or more local interfaces and/or emulated virtual circuits (VCs) in the VPLS domain. To avoid broadcasted packets looping in the network, no packet received from an emulated VC can be forwarded to any emulated VC of the VPLS domain on a PE router. That is, Layer 2 split horizon should always be enabled as the default in a full-mesh network.

Figure 3. VPLS Configuration Example

PE 1 Configuration

The following example shows how to create virtual switch instances (VSIs) and associated VCs and to configure the CE device interface (there can be multiple Layer 2 interfaces in a VLAN):


interface gigabitethernet 0/0/0
 service instance 100 ethernet
 encap dot1q 100
 no shutdown
!
l2vpn vfi context PE1-VPLS-A
 vpn id 100
 neighbor 10.2.2.2 encapsulation mpls
 neighbor 10.3.3.3 encapsulation mpls
!
bridge-domain 100
 member gigabitethernet0/0/0 service-instance 100
 member vfi PE1-VPLS-A

PE 2 Configuration

The following example shows how to create VSIs and associated VCs and to configure the CE device interface (there can be multiple Layer 2 interfaces in a VLAN):


interface gigabitethernet 0/0/0
 service instance 100 ethernet
 encap dot1q 100
 no shutdown
!
l2vpn vfi context PE2-VPLS-A
 vpn id 100
 neighbor 10.1.1.1 encapsulation mpls
 neighbor 10.3.3.3 encapsulation mpls
!
bridge-domain 100
 member gigabitethernet0/0/0 service-instance 100
 member vfi PE2-VPLS-A

PE 3 Configuration

The following example shows how to create of the VSIs and associated VCs and to configure the CE device interface (there can be multiple Layer 2 interfaces in a VLAN):


interface gigabitethernet 0/0/0
 service instance 100 ethernet
 encap dot1q 100
 no shutdown
!
l2vpn vfi context PE3-VPLS-A
 vpn id 100
 neighbor 10.1.1.1 encapsulation mpls
 neighbor 10.2.2.2 encapsulation mpls
!
bridge-domain 100
 member gigabitethernet0/0/0 service-instance 100
 member vfi PE3-VPLS-A

The following sample output from the show mpls l2 vc command provides information on the status of the VC:


Device# show mpls l2 vc

Local intf       Local circuit  Dest address    VC ID      Status
-------------    -------------- --------------- ---------- ----------
VFI PE3-VPLS-A   VFI            10.2.2.2     			100        UP
VFI PE3-VPLS-A   VFI            10.3.3.3        100        UP

The following sample output from the show l2vpn vfi command provides information about the VFI:


Device# show l2vpn vfi VPLS-2

Legend: RT= Route-target

VFI name: serviceCore1, State: UP, Signaling Protocol: LDP
  VPN ID: 100, VPLS-ID: 9:10, Bridge-domain vlan: 100
  RD: 9:10, RT: 10.10.10.10:150
  Pseudo-port Interface: Virtual-Ethernet1000
 
  Neighbors connected via pseudowires:
  Interface    Peer Address    VC ID      Discovered Router ID   Next Hop
  Pw2000       10.0.0.1        10         10.0.0.1               10.0.0.1   
  Pw2001       10.0.0.2        10         10.1.1.2               10.0.0.2   
  Pw2002       10.0.0.3        10         10.1.1.3               10.0.0.3   
  Pw5          10.0.0.4        10         -                      10.0.0.4

The following sample output from the show l2vpn atom vc command provides information on the virtual circuits:


Device# show l2vpn atom vc

Local intf    Local circuit           Dest address    VC ID      Status
------------- ----------------------- --------------- ---------- ----------
Et0/0.1       Eth VLAN 101            10.0.0.2        101        UP
Et0/0.1       Eth VLAN 101            10.0.0.3        201        DOWN

Example: MAC ACL with Dummy VLAN ID

PE basic configuration for VPLS type 4


 router bgp 100
 bgp log-neighbor-changes
 neighbor 19.0.0.1 remote-as 100
 neighbor 19.0.0.1 update-source Loopback0
 !
 address-family ipv4
  neighbor 19.0.0.1 activate
  neighbor 19.0.0.1 send-community extended
 exit-address-family
 !
 address-family l2vpn vpls
  neighbor 19.0.0.1 activate
 exit-address-family
l2vpn vfi context vlan_tag
 vpn id 10
 autodiscovery bgp signaling ldp template vlan_tag
!
mpls label protocol ldp
bridge-domain 10
 member GigabitEthernet2/1/0 service-instance 10
  remote circuit id 191
 member vfi vlan_tag
template type pseudowire vlan_tag
 encapsulation mpls
 vc type vlan
 control-word include
interface GigabitEthernet2/1/0
 no ip address
 negotiation auto
 service instance 10 ethernet
  encapsulation dot1q 10
 !
interface GigabitEthernet2/1/4
 ip address 108.0.0.2 255.255.255.0
 negotiation auto
 mpls ip
!

//Change the circuit ID and check if the download ID is correct//
bridge-domain 10
 member gigabitEthernet 2/1/0 service-instance 10
  remote circuit id 1982 <<< Set the dummy VLAN

Verifying the Configuration

Here's a sample output for the show command to verify the configured VLAN ID.


Device# show platform hardware qfp active feature bridge-domain client 10 interface

QFP L2BD datapath interface information
Name: GigabitEthernet2/1/0.EFP10
IF handle: 26, Input uidb: 245752
Flags: 0X000038
Split-horizon cfged: No, shg id: 0
STP state: Unknown/Bad
Mac security enabled:
MAC limit: 65536, MAC learned: 0
BD PPE addr: 0X8CBF3C00
efp circuit id: 1982 <<< The configured VLAN ID

Feature Information for Configuring Virtual Private LAN Services

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature Information for Configuring Virtual Private LAN Services

Feature Name

Releases

Feature Information

Virtual Private LAN Services (VPLS)

Cisco IOS XE Release 3.5S

This feature enables you to configure dynamic Virtual Private LAN Services (VPLS). VPLS is a class of VPN that supports the connection of multiple sites in a single bridged domain over a managed IP/MPLS network.

In Cisco IOS XE Release 3.5S, this feature was introduced on the Cisco ASR 903 Series Aggregation Services Routers.

L2VPN Protocol-Based CLIs

Cisco IOS XE Release 3.7S

In Cisco IOS XE Release 3.7S, the L2VPN Protocol-Based CLIs feature was introduced. This feature provides a set of processes and an improved infrastructure for developing and delivering Cisco IOS software on various Cisco platforms. This feature introduces new commands and modifies or replaces existing commands to achieve a consistent functionality across Cisco platforms and provide cross-Operating System support.

Static VPLS over MPLS-TP

Cisco IOS XE Release 3.6S

This features enables static VPLS to use MPLS Transport Profile.

In Cisco IOS XE Release 3.6S, this feature was introduced on the Cisco ASR 903 Series Aggregation Services Routers.

Type 4 PWE VLAN Rewrite

Cisco IOS XE Everest Release 16.4.1

From Cisco IOS XE Everest 16.4.1 release, VPLS VC type 4 mode (with autodiscovery) can be used to configure a dummy VLAN tag. This feature can be used to modify the VLAN ID to filter based on the VLAN ID.