ASR9000/XR Flexible VLAN matching, EVC, VLAN-Tag rewriting, IRB/BVI and defining L2 services


Mar 7, 2011 7:18 AM

Introduction

In this article we'll be discussing the EVC (Ethernet Virtual Circuit) infrastructure that the ASR9000 and IOS-XR use to define L2 services.

This article shows how packets arriving on an interface are matched against an EFP (Ethernet Flow Point), how to manipulate the VLAN tags, and how to use them in XCONNECT (VPWS) or bridging (e.g. VPLS) scenarios, with an optional L3 endpoint to provide IRB (Integrated Routing and Bridging).

Core Issue

The way IOS-XR handles EVCs is a bit different from the way IOS handles them, for instance on the 7600.

When starting with IOS-XR and the ASR9000 there are a few things that you will want to be aware of when defining L2 services.

A couple of the key differences are:

- XR does not have the concept of a trunk interface

- therefore XR cannot do vlan pruning

- XR does not strip vlan tags by default.

- XR does not have the concept of an "interface VLAN" a.k.a. SVI's (Switch Virtual Interface), instead it uses a BVI (Bridge Virtual Interface) that can be inserted into the bridge-domain.

Flexible VLAN matching

     How the ASR9000 matches traffic to an EFP

TAG rewriting

     how to modify the vlan headers and how that works

Defining L2 services

     and a comparison with IOS

Providing L3 services in L2VPN

     using IRB/BVI interfaces

Resolution

In order to define an L2 service, we need to match traffic to a particular interface. In IOS-XR and the ASR9000 we use the Ethernet Flow Point (EFP) to match this traffic. An EFP is effectively a subinterface of a physical interface with the keyword "l2transport" attached to it. This l2transport defines that we are going to use this (sub) interface for L2 Services. We can match L2 and L3 interfaces on a single physical port:

evc-overview.jpg

Flexible VLAN matching

When traffic is coming in on a port, we use the TCAM to find out which particular subinterface this traffic matches on. With that in mind there are a couple of rules as to how traffic is matched.

An EFP is defined as follows:

RP/0/RSP0/CPU0:asr(config)#int gig 0/0/0/4.100 l2transport

RP/0/RSP0/CPU0:asr(config-subif)#encapsulation ?

  default  Packets unmatched by other service instances

If a particular packet is not matching any other specific EFP on this physical port, this "Default" will capture all unmatched traffic.

  dot1ad    IEEE 802.1ad VLAN-tagged packets

  dot1q     IEEE 802.1Q VLAN-tagged packets

  untagged Packets with no explicit VLAN tag

If there is no VLAN tag on the packet, the "untagged" EFP will capture this traffic. This is effectively plain Ethernet and is useful, for instance, to capture BPDUs.

When we match on, say, dot1q encapsulated traffic, we have a variety of ways to match VLAN-tagged traffic (see also the footnote in the "Related Information" section on the ethertypes used).

RP/0/RSP1/CPU0:A9K-BOTTOM(config-subif)#encapsulation dot1q ?
  <1-4094>         Start of VLAN range
  <1-4094>         Single VLAN id
  any              Match any VLAN id
  priority-tagged  IEEE 802.1ad priority-tagged packets

At the first level of dot1q classification we can select a VLAN, a VLAN range, or any. These are obvious. The option "priority-tagged" allows us to capture VLAN-encapsulated traffic that carries a VLAN ID of 0.

RP/0/RSP1/CPU0:A9K-BOTTOM(config-subif)#encapsulation dot1q 100 ?
  comma         comma
  exact         Do not allow further inner tags
  ingress       Perform MAC-based matching
  second-dot1q IEEE 802.1Q VLAN-tagged packets

Here is an important concept to highlight: the keyword "exact". In the absence of the keyword exact, this EFP is matched whenever the outer VLAN header is "100" in this example. That means QinQ frames with outer tag 100 and inner tag 200 will also match this EFP (if no specific EFP for the QinQ combination 100/200 is available).

Just a few examples:

encapsulation dot1q 100: will match any number of VLAN headers as long as the outer VLAN ID is 100

encapsulation dot1q 100 second any: will match any QinQ frame where the outer VLAN is 100

encapsulation dot1q 100 second 200: will match VLAN-tagged packets where the outer is 100 and the inner is 200, and also a potential VLAN combination of 100/200/300

encapsulation dot1q 100 second 200 exact: will match VLAN-tagged packets where the outer is 100, the inner is 200, and no VLAN tags other than these two are on the packet.

Normally "longest match" will win, or better put, the most specific match will win.


ASR9000 doesn't support best match for VLAN ranges, but we do support best match if the "any" keyword is used. 

So the configuration :


EFP 1) VLAN: S-VLAN=1000, C-VLAN_range=1-4095

EFP 2) VLAN: S-VLAN=1000, C-VLAN=2000

isn't allowed because the more specific C-vlan is part of the range. The parser will reject this config upon commit.

The following options A and B, achieving the same, are allowed :


A)

EFP 1) VLAN: S-VLAN=1000, C-VLAN_range=1-1999,2001-4095

EFP 2) VLAN: S-VLAN=1000, C-VLAN=2000

B)

EFP 1) VLAN: S-VLAN=1000, C-VLAN=any

EFP 2) VLAN: S-VLAN=1000, C-VLAN=2000
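The matching rules of this section, as a small Python model added here for illustration (it is not Cisco code and not how the TCAM is programmed). The `EFP` class, the function names and the specificity ranking are assumptions of this example; the ranking is chosen only so that it reproduces the ordering of the four examples above.

```python
# Added illustration: a simplified model of EFP classification on one port.
# It encodes only the rules stated in the article; the specificity ranking is
# an assumption chosen to reproduce the article's ordering, not the TCAM logic.
ANY = "any"

class EFP:
    def __init__(self, name, tags=(), exact=False, kind="dot1q"):
        # kind: "dot1q", "untagged" or "default".
        # tags: one matcher per VLAN header, outermost first. A matcher is an
        # int (single id), ANY, or a tuple of (lo, hi) pairs (a VLAN range list).
        self.name, self.tags, self.exact, self.kind = name, tuple(tags), exact, kind

def tag_matches(matcher, vlan_id):
    if isinstance(matcher, tuple):
        return any(lo <= vlan_id <= hi for lo, hi in matcher)
    return matcher == ANY or matcher == vlan_id

def matches(efp, frame):
    """frame: VLAN ids carried by the packet, outermost first; () is untagged."""
    if efp.kind == "default":
        return True                       # catches whatever nothing else matches
    if efp.kind == "untagged":
        return len(frame) == 0
    if len(frame) < len(efp.tags):
        return False
    if efp.exact and len(frame) > len(efp.tags):
        return False                      # "exact": no further inner tags allowed
    return all(tag_matches(m, v) for m, v in zip(efp.tags, frame))

def specificity(efp):
    """Assumed ranking: a concrete id or range outranks 'any', 'exact' breaks ties."""
    if efp.kind == "default":
        return (0, 0, 0)
    if efp.kind == "untagged":
        return (1, 0, 0)
    weight = sum(1 if m == ANY else 2 for m in efp.tags)
    return (1, weight, int(efp.exact))

def classify(frame, efps):
    """Name of the most specific matching EFP, or None if nothing matches."""
    hits = [e for e in efps if matches(e, frame)]
    return max(hits, key=specificity).name if hits else None

def range_conflicts(efps):
    """(range EFP, specific EFP) pairs of the kind the article says are rejected."""
    bad = []
    for a in efps:
        for b in efps:
            if a is b or len(a.tags) != len(b.tags):
                continue
            for i, (ma, mb) in enumerate(zip(a.tags, b.tags)):
                same_outer = a.tags[:i] == b.tags[:i]
                if same_outer and isinstance(ma, tuple) and isinstance(mb, int) \
                        and tag_matches(ma, mb):
                    bad.append((a.name, b.name))
    return bad

# Constructed port: the article's four examples plus default and untagged.
PORT = [
    EFP("default", kind="default"),
    EFP("untagged", kind="untagged"),
    EFP("dot1q 100", [100]),
    EFP("dot1q 100 second any", [100, ANY]),
    EFP("dot1q 100 second 200", [100, 200]),
    EFP("dot1q 100 second 200 exact", [100, 200], exact=True),
]
# The range configurations from the article (S-VLAN 1000).
REJECTED = [EFP("EFP 1", [1000, ((1, 4095),)]), EFP("EFP 2", [1000, 2000])]
OPTION_A = [EFP("EFP 1", [1000, ((1, 1999), (2001, 4095))]), EFP("EFP 2", [1000, 2000])]
OPTION_B = [EFP("EFP 1", [1000, ANY]), EFP("EFP 2", [1000, 2000])]

if __name__ == "__main__":
    for frame in [(), (100,), (100, 300), (100, 200), (100, 200, 300), (300,)]:
        print(frame, "->", classify(frame, PORT))
    print("rejected pairs:", range_conflicts(REJECTED))
```

Running it shows that a 100/200/300 frame falls through the "exact" EFP to the non-exact 100/200 one, which is the case to check when auditing which service a triple-tagged frame ends up in.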

VLAN TAG rewriting

The ASR9000/XR can perform many VLAN tag translations on a packet.

The behavior is always symmetric (though the keyword "symmetric" must still be supplied as part of the configuration command). Symmetry means that if we pop a tag on ingress, we push it back on egress.

The following rewrites are possible:

RP/0/RSP0/CPU0:A9K(config)#int gig 0/0/0/4.100 l2transport

RP/0/RSP0/CPU0:A9K(config-subif)#rewrite ingress tag ?
  pop        Remove one or more tags
  push       Push one or more tags
  translate  Replace tags with other tags

RP/0/RSP0/CPU0:A9K(config-subif)#rewrite ingress tag pop ?
  1  Remove outer tag only
  2  Remove two outermost tags

RP/0/RSP0/CPU0:A9K(config-subif)#rewrite ingress tag push ?
  dot1ad  Push a Dot1ad tag (ethertype 88a8)
  dot1q   Push a Dot1Q tag (ethertype 8100 by default, or 9100/9200 if specified on the main interface for the outermost tag)

RP/0/RSP0/CPU0:A9K(config-subif)#rewrite ingress tag push dot1q 100 ?
  second-dot1q  Push another Dot1Q tag
  symmetric     All rewrites must be symmetric

RP/0/RSP0/CPU0:A9K(config-subif)#rewrite ingress tag translate ?
  1-to-1  Replace the outermost tag with another tag
  1-to-2  Replace the outermost tag with two tags
  2-to-1  Replace the outermost two tags with one tag
  2-to-2  Replace the outermost two tags with two other tags

If you want to make a cross connect or bridge between two EFPs where one EFP is VLAN 100 and the other EFP is VLAN 200, you need to pop the tags so that VLAN 100 is removed from the packet on ingress; by means of symmetry, the packet then gets VLAN 200 on egress of the other EFP.

L2VPN configuration examples and comparison to 7600

The following picture highlights how to create L2 services on the ASR9000.

l2vpn.jpg

l2vpn-7600-9k.jpg

Using IRB/BVI

To provide L3 services in a bridge-domain, you can add a routed interface to the bridge domain.

What is important here is that the BVI is not VLAN tagged. So in order for the EFPs to talk to the BVI, we need to pop ALL tags on ingress!

This means that frames with more than 2 tags cannot natively use the BVI, unless we apply workarounds such as loopback cables to pop more tags.

interface BVI5
ipv4 address 31.1.1.1 255.255.255.0
mac-address 0.4343.3434

! When creating the BVI, verify with show int bvi that the MAC address is correctly programmed. These MACs come from the backplane MAC table;
! if we ran out because of many bundle interfaces etc., you may need to provide a MAC manually.

interface TenGigE0/7/0/3.100 l2transport

encapsulation dot1q 100

rewrite ingress tag pop 1 symmetric

l2vpn

bridge group testing
  bridge-domain testing
   interface TenGigE0/7/0/3.100
   !
   interface GigabitEthernet0/1/0/14
   !
   routed interface BVI5
  !
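The symmetric rewrite from the "VLAN TAG rewriting" section and the "pop ALL tags" requirement for the BVI, as a Python model added here for illustration (not Cisco code). It goes beyond the pop case the article spells out by also modelling push and translate as their symmetric inverses; the class, function and interface names are assumptions of this example.

```python
# Added illustration: symmetric ingress tag rewrites on an EFP, modelled on
# tuples of VLAN ids (outermost first). Interface names are constructed.
class EFP:
    def __init__(self, name, encap, rewrite=None):
        # encap:   fixed VLAN ids the EFP matches, e.g. (100,) or (100, 200)
        # rewrite: None, ("pop", n), ("push", ids) or ("translate", n, ids)
        if rewrite and rewrite[0] == "pop" and rewrite[1] not in (1, 2):
            raise ValueError("the CLI offers pop 1 or pop 2 only")
        self.name, self.encap, self.rewrite = name, tuple(encap), rewrite

def ingress(efp, frame):
    """Apply the configured rewrite to a frame entering through efp."""
    frame = tuple(frame)
    if efp.rewrite is None:
        return frame
    op = efp.rewrite[0]
    if op == "pop":                       # remove the n outermost tags
        return frame[efp.rewrite[1]:]
    if op == "push":                      # add tags in front of the stack
        return tuple(efp.rewrite[1]) + frame
    if op == "translate":                 # replace n outermost tags by new ones
        n, new = efp.rewrite[1], efp.rewrite[2]
        return tuple(new) + frame[n:]
    raise ValueError(op)

def egress(efp, frame):
    """Symmetric inverse: undo on egress what the rewrite does on ingress."""
    frame = tuple(frame)
    if efp.rewrite is None:
        return frame
    op = efp.rewrite[0]
    if op == "pop":                       # popped on ingress -> push EFP's own tags
        return efp.encap[:efp.rewrite[1]] + frame
    if op == "push":                      # pushed on ingress -> remove on egress
        return frame[len(efp.rewrite[1]):]
    if op == "translate":                 # put the EFP's own tags back
        n, new = efp.rewrite[1], efp.rewrite[2]
        return efp.encap[:n] + frame[len(new):]
    raise ValueError(op)

def forward(src, dst, frame):
    """Tag stack of a frame that enters at src and leaves at dst."""
    return egress(dst, ingress(src, frame))

def reaches_bvi(efp, frame):
    """The BVI is untagged, so the frame is usable only if no tag is left."""
    return ingress(efp, frame) == ()

# Constructed EFPs for the VLAN 100 <-> VLAN 200 case described in the article.
POP100 = EFP("Gi0/0/0/4.100", (100,), ("pop", 1))
POP200 = EFP("Gi0/0/0/5.200", (200,), ("pop", 1))
RAW100 = EFP("Gi0/0/0/4.100", (100,))     # same encapsulation, no rewrite
RAW200 = EFP("Gi0/0/0/5.200", (200,))
XLATE100 = EFP("Gi0/0/0/6.100", (100,), ("translate", 1, (200,)))
QINQ = EFP("Gi0/0/0/7.100", (100, 200), ("pop", 2))

if __name__ == "__main__":
    print("with pop:   ", forward(POP100, POP200, (100,)))
    print("without pop:", forward(RAW100, RAW200, (100,)))
    print("3 tags reach BVI:", reaches_bvi(QINQ, (100, 200, 300)))
```

Without the pop, the frame leaves the VLAN 200 EFP still carrying tag 100, and a triple-tagged frame keeps its third tag after `pop 2`, which is why it cannot be handed to the BVI.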

Related Information

XR MTU calculations

Dot1q, Dot1ad and configuring "dot1q tunneling ethertype" on the physical interface:

As per IEEE documentation, Ethertype 8100 is for 802.1q and Ethertype 88A8 is for 802.1ad.
IEEE also calls any kind of double tagging QinQ, including dot1ad. That means that from IEEE's point of view, dot1ad = qinq.
Cisco, on the other hand, calls qinq a double dot1q, where both Ethertypes (inner and outer) are 8100.
Ethertype 9100 and 9200 were used as an option to differentiate the inner Ethertype from the outer Ethertype,
but they are obsolete now and the standard became dot1ad (with Ethertype 88A8).
In order to configure ethertype 9100 and 9200 you have to explicitly issue the command dot1q tunneling ethertype 0x9100 or
dot1q tunneling ethertype 0x9200 under the physical interface you are configuring.
Summarizing:
encapsulation dot1q second dot1q                        -> inner and outer ethertype are 8100
encapsulation dot1ad second dot1q                       -> inner 8100, outer 88A8
encapsulation dot1q second dot1q (with ethertype 9100)  -> inner 8100, outer 9100
encapsulation dot1q second dot1q (with ethertype 9200)  -> inner 8100, outer 9200




Xander Thuijs, CCIE #6775

Sr. Tech Lead ASR9000


Comments

atif_hafeez Wed, 02/22/2012 - 02:59

Dear Xander Thuijs,

Thank you for this article!

Can you please explain if EFPs (with options mentioned in the article above) can be made over a bundle interface instead of a physical interface?

Best regards!

xthuijs Wed, 02/22/2012 - 04:40 (reply to atif_hafeez)

Hi Atif, appreciate your comment! Yes you can use bundle interfaces as an EFP also.

The configuration for that would be:

int g0/0/0/0

bundle id 100 mode act

int bundle-e100

int bundle-e100.123 l2trans

encap dot1q 123

etc. the bundle-id number references the bundle interface number, they must match.

the subinterface in my example 123 does not need to be linked to vlan 123, but is nice for consistency.

The bundle EFP's can now be used as an AC in an l2vpn xconnect/vpls etc.

xander

atif_hafeez Wed, 02/22/2012 - 05:28

Dear Alexander,

Thanks!

Is it possible to have an alternative of open trunk as we used to have it in switches (switch mode trunk)?

In my scenario, I have a pair of PEs where each PE is configured with X number of BVI interfaces with HSRP on them. To have redundant L2 connectivity between the two PEs, I want to have a direct L2 link b/w PEs. One way of doing it is to have an EFP configuration per BVI on this direct link b/w PEs exactly the same way as it is done on the access ports (connected to access switches). Can we have just one EFP (similar to open trunk in 7600) which will provide L2 connectivity for all BVIs configured in both PEs?

So far, I didn't find any such option. I believe it is the hard way we have to go with.

Regards!

xthuijs Wed, 02/22/2012 - 06:48 (reply to atif_hafeez)

Hi Atif,

great question! I like your analogy of open vs closed. IOS-XR with the EVC model follows the normally closed model, so you have to define your EFP's which you want to trunk the vlans for.

I have a document here on how to "convert" an IOS trunk to an XR like model.

You can define an EFP with a vlan range (aka ambiguous), but you can't pop the tags from it. Popping the tag is required when using BVI. Popping a tag on an ambiguous range would not allow you to slap the tag back on in the egress direction as we have no clue what the tag would be in that direction.

As powerful as the XR implementation is, the "open trunk" situation is unfortunately one drawback that bloats the configuration a bit as opposed to the IOS model...

xander

humphreys Wed, 03/14/2012 - 09:29

Hi dear Xander how are you..., I would like to know if it's possible in the MSE ASR9000 to configure a port to support, at the same time, a level two interface, for instance

S-VLAN 100 C-VLAN 30-3016, and a level 3 interface  EFP S-VLAN 100 C-VLAN 3017-3999. You see, both interfaces with the same S-VLAN. If this is possible, the idea is to associate each kind of traffic to a different VPLS.

I know you will be wondering why I want to do this. Believe me we have a PTN equipment (my working area has inherited) that for a matter of performance we can only configure a unique pwe towards another one which is the border connected to our NPE. And of course we need to transport on it three services, which would detect them because of the C-VLAN as I have described in the previous paragraph.

xthuijs Wed, 03/14/2012 - 10:17 (reply to humphreys)

Hi Humphry

yes you can!

Note however that for an l3 interface the encap cannot be ambiguous, but you can do something like this:

interface GigabitEthernet0/1/0/10.1003017

encapsulation dot1q 100 second 3017

ipv4 address 1.1.1.1 255.255.255.0

!

interface GigabitEthernet0/1/0/10.10030316 l2transport

encapsulation dot1q 100 second-dot1q 30-3016 <<< ambiguous range

The L2 transport interface can then be pulled into an xcon or BD no problem, while the L3 subif does routing.

xander

humphreys Thu, 03/15/2012 - 09:06

Hi Xander, may you let me some more questions,... currently we don't see the inner tag to filter. We only check the SVLAN to map the services to different vpls (we have any in the encapsul sentence, you see). The fact that we must filter looking at the c-vlan with ambiguous range and also have L3 interfaces, does it impact the NPE performance? What kind of resources does it consume?

Regards,

Javier

xthuijs Thu, 03/15/2012 - 09:22 (reply to humphreys)

hey Javier, The flexible vlan matching is taken care of by the TCAM per NP.

regardless of the vlan stack and the range it has it is just a single tcam lookup.

The tcam has a pre-carved (set of) regions for this vlan matching to EFP and that is why there is a scale limit of the number of EFP's per NP. So as long as you stay within that range which is documented on the linecard specifications and is different between L/B/E cards (trident based) or TR/SE (typhoon based).

regards!

xander

harindhafdo Mon, 06/25/2012 - 08:15

Hi Xander,

I have a scenario that inner VLANs is unique but outer VLAN is different, in this case can we use the following configuration.

interface Bundle-Ether10.100 l2transport

encapsulation dot1q any second-dot1q 100

rewrite ingress tag pop 2 symmetric

and use a BVI to have the Layer3 IP address.

Rgds

Harin

xthuijs Mon, 06/25/2012 - 09:51 (reply to harindhafdo)

Using ambiguous vlans is not recommended (/not working) when popping tags.

The reason for that is that the system doesn't associate macs with vlans for that matter in this case

so packets on egress can't be rewritten with the right outer tag value in this amb case.

Note that 9k BNG can do this though with ambiguous vlans (no popping) as the PPPoE session table or DHCP binding will remember the vlan (combo) and is able to slap on the right vlan for the session in amb cases.

xander

fernandesdb Mon, 12/10/2012 - 07:48

Hello Everyone! I'm having a hard time trying to figure out how to implement L2 on ASR9K, I've read a lot of things about that but I don't know how to deploy the following scenario below, can anybody help with that?

ASR-VLAN.jpg

xthuijs Mon, 12/10/2012 - 08:04 (reply to fernandesdb)

You need to create a bridge per vlan and pull in a bvi into that bd for your routed endpoint:

int g 0/0/0/0.10 l2trans

encap dot1q 10

rewrite ingress tag pop 1 sym

int bvi 10

ipv4 add 192.168.x.y

l2vpn

bridge domain VL10

bridge group VL10

int g 0/0/0/0.10

routed-interface bvi10

fernandesdb Mon, 12/10/2012 - 08:19

Is that correct? What if I have a port-channel interface (g 0/0/0/0 e

g 0/0/0/1) what do I have to do to add this Po interface to this BD?

ASR-1

int g 0/0/0/2.10 l2trans

encap dot1q 10

rewrite ingress tag pop 1 sym

int g 0/0/0/3.10 l2trans

encap dot1q 10

rewrite ingress tag pop 1 sym

interface bvi 10

ipv4 add 192.168.10.1

l2vpn

bridge domain VL10

bridge group VL10

int g 0/0/0/2.10

int g 0/0/0/3.10

routed-interface bvi10

teste.jpg

xthuijs Mon, 12/10/2012 - 08:25 (reply to fernandesdb)

bundle efp's are created like this:

int g 0/0/0/0

bundle id 100 mode active/on/passive

int bundle-e 100 (number must match the id given above)

int bundle-e 100.10 l2trans

encap dot1q 10

rewrite ingress tag pop 1 symm

and the bd then pulls in this newly created EFP.

xander

fernandesdb Mon, 12/10/2012 - 08:36

Hello Alexander, thank you so much for your help! Could you just validate if these configs are correct?

int g 0/0/0/2.10 l2trans

encap dot1q 10

rewrite ingress tag pop 1 sym

int g 0/0/0/2.100 l2trans

encap dot1q 100

rewrite ingress tag pop 1 sym

int g 0/0/0/3.10 l2trans

encap dot1q 10

rewrite ingress tag pop 1 sym

int g 0/0/0/3.100 l2trans

encap dot1q 100

rewrite ingress tag pop 1 sym

interface bvi 10

ipv4 add 192.168.10.1

interface bvi 100

ipv4 add 172.16.10.1

l2vpn

bridge domain VL10

bridge group VL10

int g 0/0/0/2.10

int g 0/0/0/3.10

int bundle-e 100.10 l2trans

routed-interface bvi10

bridge domain VL100

bridge group VL100

int g 0/0/0/2.100

int g 0/0/0/3.100

int bundle-e 100.100 l2trans

routed-interface bvi100

--------------- Interface bundle ---------------

int g 0/0/0/0

bundle id 100 mode active

int g 0/0/0/1

bundle id 100 mode active

int bundle-e 100.10 l2trans

encap dot1q 10

rewrite ingress tag pop 1 symm

int bundle-e 100.100 l2trans

encap dot1q 10

rewrite ingress tag pop 1 symm

-------------------------------------------------

xthuijs Mon, 12/10/2012 - 08:39 (reply to fernandesdb)

two minor nits, but in general the gist here will work:

1) add a config item for the main bundle interface

     interface bundle-ether 100

2) the bridge group and domain are reversed

l2vpn

bridge group VL10

  bridge-domain VL10

...interfaces...

other than that all good.

xander

fernandesdb Mon, 12/10/2012 - 08:54 (reply to xthuijs)

I guess I got your point. I have another question. What if I want  to enable the OSPF process on all interfaces connected to VLAN 10, all I need to do is to put the interface bvi 10 under the OSPF process?

:router# configure

:router(config)# router ospf 2

:router(config-ospf)# router-id 192.168.10.1

:router(config-ospf)# area 2

:router(config-ospf-ar)# interface bvi 10

:router(config-ospf-ar-if)# commit

lanzola_oplk Fri, 12/14/2012 - 09:21

Hi Xander,

Hope all is going well for you!

I was wondering if the ASR9K supports the concept of Routed-PW? If so, what routing protocols are supported for PE-CE? Is there any remarkable restriction?

Thanks in advance!

Luis

xthuijs Fri, 12/14/2012 - 09:23 (reply to lanzola_oplk)

Hi Luis,

yes we do, it is called pseudo wire head end which is an XR4.3.0 feature.

this release will come end of this year (planned).

today you could mimic it with a PW in a BD and using a BVI.

xander

lanzola_oplk Fri, 12/14/2012 - 09:45 (reply to xthuijs)

Excellent!

I'm running XR4.2.3 so I think the workaround will work well for me!

Thanks for your help.

Luis

humphreys Mon, 12/17/2012 - 12:04

Hi Xander how are you!!!!

One question in connection with 4.3.0 , pwe-he is not supporting pppoe sessions, isn't it?

if we needed to solve that scenario in 4.3, we would have to do it with hairpinning, wouldn't we?

Regards

Javier

xthuijs Mon, 12/17/2012 - 12:48 (reply to humphreys)

Hey Javier,

correct PWHE is not in 431, but beyond, either hairpinning or popping the tunnel on the adjacent PE node is the course of action you want to take today.

xander

xthuijs Tue, 02/12/2013 - 04:14 (reply to hakansurucu)

Hakan, I am not a CRS expert, but I checked some internal design documents and case notes and found this:

In 4.1.0, PW-HE  feature is only supported on  metro LC (like: MSC-B), and deployment is
expected to be done on system with only metro LC.

xander

lanzola_oplk Sat, 01/05/2013 - 13:53

Hi Alexander,

I was wondering what is the best way to convert a L2 switchport access configuration (for untagged traffic) from IOS to IOS XR on the ASR9K to provide IP access to a few servers within a Vlan? I understand that I'm able to configure this using the following methods:

  • Setting up the physical interfaces connected to the servers as l2transport and associating them to a bridge-domain with a routed-BVI. Simplest way to configure it!
  • Creating l2transport subinterfaces (EFPs) matching untagged traffic and associating them to a bridge-domain with a routed-BVI.

Are there any pros and cons (QoS Classification/Marking, ACL) when I use any of these methods?

Thanks in advance!

Luis

xthuijs Sun, 01/06/2013 - 07:30 (reply to lanzola_oplk)

Luis,

you can go either way, the same features are available.

I think it makes more sense to define individual EFP's (so an untagged one for that service and individual or ambiguous/range ones for those vlans you want to enable service on).

If you use the main interface, which is technically equivalent, then ALL vlans including untagged belong to the same service and you have little or less control when the CE side has say a misconfiguration.

regards

xander

701031ola Thu, 01/24/2013 - 02:27

Hi Xander,

I have a scenario where the outer vlan is different (say 20-40) and the inner vlan is any (ambiguous). Can I use the following configuration in this case?

interface Bundle-Ether10.100 l2transport

encapsulation dot1q 20-40 second-dot1q any


and use a BVI to have the Layer3 IP address.

Or this configuration:

interface Bundle-Ether10.100 l2transport

encapsulation dot1q 20 second-dot1q any

rewrite ingress tag pop 1 symmetric

interface Bundle-Ether10.101 l2transport

encapsulation dot1q 21 second-dot1q any

rewrite ingress tag pop 1 symmetric

interface Bundle-Ether10.102 l2transport

encapsulation dot1q 22 second-dot1q any

rewrite ingress tag pop 1 symmetric

and use a BVI to have the Layer3 IP address.

Regards,

Babatunde

xthuijs Thu, 01/24/2013 - 04:45 (reply to 701031ola)

Hi Babatunde,

ambiguous vlans for EFP's (that is l2transport interfaces) can only be ambiguous (that is a range) on the outer most tag. That means:

encapsulation dot1q 20-40

or encapsulation dot1q 20 second 40-50

when you do choose to use amb vlans, popping the tag is difficult because on egress we don't know what to apply back on to the egress direction, unless we have a helper application (such as DHCP/proxy) that keeps track of MAC, IP and the vlan combo to use.

With that, you can't pop tags for amb vlans, which means inherently BVI can't be used either in such designs.

It makes sense, as generally a vlan is the equivalent of an ip subnet and a bvi serves only 1.

You should move to an unamb design, that is fixed inner and outer in order to use tag pop manipulation and or use of BVI's.

xander

chatasos Fri, 02/08/2013 - 11:58

Hi Xander,

Just wondering....Can you have one (sub)interface attached to more than one bridge-domains?

bridge group TEST1-BG

  bridge-domain TEST1-BD

   interface TenGigE0/4/0/1

   neighbor 10.201.201.105 pw-id 1

   !

bridge group TEST2-BG

  bridge-domain TEST2-BD

   interface TenGigE0/4/0/1

   neighbor 10.201.201.105 pw-id 2

If yes, can you filter the AC=>PW direction based on vlans?

i.e. in the PW=>AC direction i have:

in TEST1-BD i have traffic with 100/1 vlans coming from pw 1

in TEST2-BD i have traffic with 100/2 vlans coming from pw 2

Is there a way i can filter traffic (directly on the PW) on the opposite direction (AC=>PW) based on the outer vlan, in order to avoid using a different subif per bridge-domain?

That way, traffic with 100/1 vlans coming from TenGigE0/4/0/1 will go only to pw-id 1, while traffic with 100/2 vlans coming from TenGigE0/4/0/1 will go only to pw-id 2.

Thx,

Tassos

xthuijs Fri, 02/08/2013 - 12:13 (reply to chatasos)

Hi Tassos,

that you can't do like that, an EFP, that is an l2transport interface, can only belong to one BD at a time.

but you can split out the vlans from a main interface into different BD's.

Something like this:

BD-X

int te0/4/0/1.100 l2transport

encap dot1q 100

BD-Y

int te0/4/0/1.200 l2transport

encap dot1q 200

effectively a BD is the equivalent of a vlan whereby you like all EFP's from the same vlan (set) to the same BD.

cheers!

xander

xthuijs Fri, 02/08/2013 - 13:13 (reply to chatasos)

I understand your dilemma, but it is the "natural" difference between the IEEE model (that the IOS/7600 implements) vs the EVC model (that XR uses).

a BD is the equivalent of a vlan hence for every vlan that you want to transport you need to create a BD, it bloats the config a bit, but it allows for full control of the subinterfaces and services more so than what IOS allowed...

As you work with it more, you'll find (hopefully:)) that the EVC model is more straight forward.

regards

xander

chatasos Fri, 02/08/2013 - 13:10

The problem is that i'm trying to avoid subifs, because if i have 500 bridge-domains, then i'll also need 500 subifs per interface.

I was hoping to get something equivalent to an IOS L2 trunk, without much configuration.

It's strange to move from 7600/IOS to ASR9k/IOS-XR and be forced to multiply x 500 x NoOfInterfaces my interface config.

interface TenGigabitEthernet7/1

switchport

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 100,200,etc

interface Vlan100

no ip address

xconnect vfi VFI-100

interface Vlan200

no ip address

xconnect vfi VFI-200

chatasos Fri, 02/08/2013 - 13:23

Ok, let's hope that sometime in the future there will be a way to configure it using variables:

foreach $ID=100 to 3000 step 100

{

interface TenGigE0/4/0/1.$ID l2transport

encapsulation dot1q $ID

rewrite ingress tag pop 1 symmetric

!

bridge group TEST-BG

  bridge-domain $ID-BD

   interface TenGigE0/4/0/1.$ID

   !

   neighbor 10.201.201.105 pw-id $ID

}

The above should be the actual config stored in the router, not the input of a script which would generate hundreds of config lines (something that is possible now).

Many thx for your time

Tassos

reclamosred Fri, 09/13/2013 - 14:47

Hi Xander how are you?

I'm having an issue, I need the same vlan interconnection in 7600 and two ASR9000 Router (VLAN used as the 2nd)

In the ASR9000 is being used bridge-domain.

The ASRs are interconnected by MPLS.

The problem is that only reaches one of the ASR BVI and not both at the same time, placed in the ASR 7600 (192.168.1.3) came to 192.168.1.2, but no manner to 192.168.1.1 solve this problem?

----------------------

RT_7604

#ping 192.168.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

RT_7604#ping 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

.....

Success rate is 40 percent (2/5), round-trip min/avg/max = 1/2/4 ms

RT_7604#

-----------------------------

Step a scheme with the conf. try to clarify.

Consulta OSPF ASR.jpg

xthuijs Sat, 09/14/2013 - 08:06 (reply to reclamosred)

Hi Sergio,

For this design you need STP obviously, are you running full MSTP or MSTAG?

If you have STP blocking the uplink to the 192.168.1.1 side, so in order to ping that address, we have to go via the 192.168.1.2 side over the PW. There are a couple of things to verify there:

Can you ping 192.168.1.1 from the 1.2 side?

Are you seeing arp requests on the 1.1 side coming from 1.3

Do we see the MAC being learned on in the bridge domain attached to the right circuit?

Considering you have an Access PW (SHG-0) and put the phy AC into SHG-2 there may be a communication problem in that regard, so if you're not learning the mac correctly or ARP is not making it through, it might be related to that.

Normally in designs like this you would connect the 2 9k's together via a PW with a VFI.

Also to check; is the PW up and forwarding properly?

One common mistake is that the mpls router ID is set to an interface instead of the address, could that be it?

regards

xander

reclamosred Mon, 09/16/2013 - 15:03

Hello Xander, if I'm using MSTAG and sp this blocked where it says.

But I had bad diagnosis, I did not see, Is that this flapping OSPF, copy the log from ASR9, if I put the shutdown OSPF the ping  is OK on the same LAN.

I can't manage to find the error.

Log ASR:

ospf[1011]: %ROUTING-OSPF-5-ADJCHG : Process 11014, Nbr 190.104.193.1 on BVI2 in area 0 from LOADING to FULL, Loading Done,vrf default vrfid 0x60000000

RP/0/RSP0/CPU0:Sep 16 10:28:47.405 : ospf[1011]: %ROUTING-OSPF-5-ADJCHG : Process 11014, Nbr 190.104.193.3 on BVI2 in area 0 from LOADING to FULL, Loading Done,vrf default vrfid 0x60000000

thank you very much for your help

xthuijs Mon, 09/16/2013 - 15:35 (reply to reclamosred)

Ok perfect, thanks for letting me know Sergio.

Just so you know IOS-XR prefers an ARP adj over a routing ADJ, what that means is that if we have an arp adj for a particular route that is used for forwarding over the routing decision.

So if at some point we learn the route via a directly connected ADJ (eg when the link unblocks) and then when the link blocks and we learn the same path via IGP we probably retain the local ADJ and try to forward on that resulting in that ping loss.

The right approach for this design is probably using HSRP with a virtual address between the A9K's to provide a virtual mac and gateway addr to the 7600 CE side.

cheers

xander

budilasmono Sat, 10/19/2013 - 07:46

Hi Alexander,

is there any example to configuring VLAN Xconnect on ASR9K ?

like :

int vlan 50

xconnect y.y.y.y 1050

!

int gi1/1.50

encapsulation dot1q 50

!

int gi2/1.50

encapsulation dot1q 50

!

Please help... Is it doable on ASR9K ?

Thanks,

Budi L

xthuijs Sat, 10/19/2013 - 08:19 (reply to budilasmono)

Hi Budi,

yes that is possible.

First define all the physical (sub)interfaces (aka EFP's) that you want to pull into that bridge domain, eg:

int g 0/0/0/0.50 l2trans

encap dot1q 50

rewrite ingress tag pop 1 symm

and do this for every phy interface that carries this vlan 50 that you want to pull in.

Next define a BVI (aka SVI for switch platforms) like this:

interface BVI50

ipv4 add 1.2.3.4 255.255.255.0

Finally, define the bridge domain that links all EFPs for that vlan together with the BVI for the L3 endpoint like this:

l2vpn

bridge-group VLAN50

bridge-domain VLAN50_BD

int g 0/0/0/0.50

routed interface BVI50

Note that I used 50 throughout for clarity, but the encap dot1q doesn't necessarily need to match the subinterface designator or the bvi number.

Also note that bridge group is merely a config hierarchy, it is the bridge-domain config that instantiates the mac learning for those interfaces connected together.

regards

xander

budilasmono Sat, 10/19/2013 - 19:24 (reply to xthuijs)

Hi Alexander,

I mean the xconnect on VLAN BVI. Because I can't find the configuration on BVI xconnect.

So we got several interfaces associated to BVI 50. And BVI 50 actually only layer2 xconnect service.

So how can I create vlan mode xconnect on the ASR?

int gi0/1.50 l2 and gi0/2.50 l2 is member of vlan 50. But vlan 50 is only l2 xconnect service.

But I can't configure xconnect for bvi.

Thanks,

Budi L

xthuijs Sat, 10/19/2013 - 20:24 (reply to budilasmono)

Hi Budi,

if you have a single interface that requires an L3 endpoint, you might as well configure the L3 addr directly on the subinterface (and not making it L2transport).

You can't link an xcon to a bvi directly (the better way would be addr directly on the subif as mentioned).

If you have a PW coming in that you want to assign an L3 addr to, then either you can use a BD for that with a PW and a BVI, or use the functionality known as Pseudowire Headend.

Using a BD, aka mac learning resources counts against some of the supported scale, of which on Typhoon cards you have 16k BD's and 2M macs, so got some ways to grow if needed.

hope that helps,

regards

xander

sherifismail Mon, 10/21/2013 - 22:45

Hi Alexander

First I would like to thank you for the great documents you continuously post on the support forum :]

I tried VPLS between ASR9K & ES+7600 .. VC is up but ping is unsuccessful

Is there something I should take care of ?

So as not to enlarge comments section, I pasted config/logs in below URL

https://supportforums.cisco.com/message/4070576#4070576

Many Thanks in advance

Regards
Sherif Ismail

xthuijs Tue, 10/22/2013 - 08:01 (reply to sherifismail)

Hi Sherif, thank you for the comment, appreciate it!

Let me have a look at that thread you opened, and we'll take it from there.

regards

xander

chatasos Thu, 12/12/2013 - 03:02

Xander, are there any plans to support pppoe/ip classification like in 7600/ES+T?

7600(config-if-srv)#encapsulation dot1q any etype ?

  ipv4       IPv4

  ipv6       IPv6

  pppoe-all  PPPoE ALL

--

Tassos

xthuijs Thu, 12/12/2013 - 09:18 (reply to chatasos)

hey tassos, you mean, in XR/EVC terminology, the ability to define an EFP with a vlan encap that also checks the ether type besides the vlan, so we can direct vlan 10/ip to a different BD/xcon than pppoe on vlan 10?

If that is the case, then no, such requirement has not been made for the a9k/EVC before.

regards

xander
