Download Print this page

Nokia 7950 Advanced Configuration Manual

Part ii releases up to 15.0.r5 ethernet service switch; service router; extensible routing system.
Hide thumbs
   
1
2
Table of Contents
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990

Advertisement

Advanced Configuration Guide - Part II Releases Up To 15.0.R5
7450 Ethernet Service Switch
7750 Service Router
7950 Extensible Routing System
Advanced Configuration Guide - Part II
Releases Up To 15.0.R5
3HE 13718 AAAA TQZZA 01
Issue: 01
November 2017
Nokia — Proprietary and confidential.
Use pursuant to applicable agreements.

Advertisement

   Related Manuals for Nokia 7950

   Summary of Contents for Nokia 7950

  • Page 1

    Advanced Configuration Guide - Part II Releases Up To 15.0.R5 7450 Ethernet Service Switch 7750 Service Router 7950 Extensible Routing System Advanced Configuration Guide - Part II Releases Up To 15.0.R5 3HE 13718 AAAA TQZZA 01 Issue: 01 November 2017 Nokia —...

  • Page 2

    © 2017 Nokia. Contains proprietary/trade secret information which is the property of Nokia and must not be made available to, or copied or used by anyone outside Nokia without its written authorization. Not to be used or disclosed except in accordance with applicable agreements.

  • Page 3: Table Of Contents

    Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Table of Contents Preface ......................21 About This Guide.........................21 Services Overview..................25 G.8032 Ethernet Ring Protection Multiple Ring Topology .......27 Applicability ........................27 Overview ........................27 Configuration ........................35 Conclusion ........................70 G.8032 Ethernet Ring Protection Single Ring Topology ........71 Applicability ........................71 Overview...

  • Page 4: Table Of Contents

    Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Conclusion .........................221 Black-hole MAC for EVPN Loop Protection .............223 Applicability .........................223 Overview .........................223 Configuration .........................227 Conclusion .........................237 Conditional Static Black-Hole MAC in EVPN ...........239 Applicability .........................239 Overview .........................239 Configuration .........................242 Conclusion .........................268 EVPN for MPLS Tunnels ..................269...

  • Page 5: Table Of Contents

    Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Conclusion .........................486 EVPN Interconnect Ethernet Segments ............487 Applicability .........................487 Overview .........................487 Configuration .........................488 Conclusion .........................512 EVPN-MPLS Interconnect for EVPN-VXLAN VPLS Services......513 Applicability .........................513 Overview .........................513 Configuration .........................515 Conclusion .........................538 Fully Dynamic VSD Integration Model..............539 Applicability .........................539 Overview...

  • Page 6: Table Of Contents

    Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Configuration .........................675 Conclusion .........................695 Multi-Segment Pseudowire Routing ..............697 Applicability .........................697 Summary .........................697 Overview .........................698 Configuration .........................701 Conclusion .........................745 P2MP mLDP Tunnels for BUM Traffic in EVPN-MPLS Services ....747 Applicability .........................747 Overview .........................747 Configuration...

  • Page 7: Table Of Contents

    Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Virtual Ethernet Segments ................911 Applicability .........................911 Overview .........................911 Configuration .........................915 Conclusion .........................923 VLAN Range SAPs for VPLS and Epipe Services ...........925 Applicability .........................925 Overview .........................925 Configuration .........................935 Conclusion .........................943 Layer 3 Services ..................945 BGP Best External in a VPRN ................947 Applicability .........................947...

  • Page 8: Table Of Contents

    Advanced Configuration Guide - Part II Releases Up To 15.0.R5 NG-MVPN Sender-Only, Receiver-Only............1119 Applicability .......................1119 Overview .......................1119 Configuration .......................1121 Conclusion .......................1170 NG-MVPN Source Redundancy...............1171 Applicability .......................1171 Summary .......................1171 Overview .......................1172 Configuration .......................1174 Conclusion .......................1202 NG-MVPN Wildcard S-PMSI ................1203 Applicability .......................1203 Overview .......................1203 Configuration...

  • Page 9: Table Of Contents

    Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Quality of Service ................. 1353 Class Fair Hierarchical Policing for SAPs .............1355 Applicability .......................1355 Summary .......................1355 Overview .......................1356 Configuration .......................1365 Conclusion .......................1392 FP and Port Queue Groups ................1393 Applicability .......................1393 Overview .......................1393 Configuration...

  • Page 10

    Advanced Configuration Guide - Part II Releases Up To 15.0.R5 3HE 13718 AAAA TQZZA 01 Issue: 01...

  • Page 11

    Advanced Configuration Guide - Part II Releases Up To 15.0.R5 List of tables G.8032 Ethernet Ring Protection Multiple Ring Topology .......27 Table 1 Terminology Comparison ................30 BGP VPLS ......................189 Table 2 VE-IDs and Labels .................198 Table 3 VE-IDs and Number of Labels..............199 EVPN for MPLS Tunnels ..................269 Table 4 Comparing EVPN Multi-homing and BGP Multi-homing .......314...

  • Page 12

    Advanced Configuration Guide - Part II Releases Up To 15.0.R5 FP and Port Queue Groups ................1393 Table 20 Default QoS and Queue Group Comparison ........1394 Table 21 Queue Group Templates - Ingress ............1397 Table 22 Queue Group Templates - Egress ............1397 Table 23 Network Ingress FP Queue Group Policer Usage .......1404 QoS Architecture and Basic Operation............1535...

  • Page 13

    Advanced Configuration Guide - Part II Releases Up To 15.0.R5 List of figures G.8032 Ethernet Ring Protection Multiple Ring Topology .......27 Figure 1 G.8032 Major Ring and Sub-Ring .............31 Figure 2 G.8032 Ring Components ................33 Figure 3 G.8032 Sub-Ring Interconnection Components........34 Figure 4 Ethernet Test Topology ................39 Figure 5...

  • Page 14

    Advanced Configuration Guide - Part II Releases Up To 15.0.R5 BGP VPLS ......................189 Figure 29 Network Topology..................190 Figure 30 BGP VPLS Using Auto-Provisioned SDPs ..........196 Figure 31 BGP VPLS Using Pre-Provisioned SDP..........212 Black-hole MAC for EVPN Loop Protection .............223 Figure 32 Black-hole MAC for EVPN Loop Protection..........224 Figure 33 Example Topology...................227...

  • Page 15

    Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Figure 60 EVPN MAC Mobility.................438 EVPN for VXLAN Tunnels (Layer 3) ..............447 Figure 61 EVPN-VXLAN for R-VPLS Services............449 Figure 62 BGP adjacencies and enabled families ...........452 Figure 63 EVPN-VXLAN for IRB Backhaul R-VPLS Services .........457 Figure 64 EVPN-VXLAN in EVPN-tunnel R-VPLS Services ........466 Figure 65...

  • Page 16

    Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Figure 91 LDP VPLS Using BGP-AD with prefer-provisioned-sdp Option ....661 Figure 92 Example Topology...................662 Figure 93 SDP Bindings in VPLS 1 with use-provisioned-sdp Option .....666 Figure 94 Auto-Created SDP Bindings in VPLS 2 ...........666 Figure 95 SDP Bindings in VPLS 1 with prefer-provisioned-sdp Option ....670 Multi-Chassis Endpoint for VPLS Active/Standby Pseudowire .....671...

  • Page 17

    Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Figure 126 Send Flush on BVPLS Failure Example..........837 Figure 127 Inter-Domain B-VPLS and MMRP Policies/ISID-Based Filters Example....................843 Preference-based and Non-revertive EVPN DF Election ........855 Figure 128 Virtual Ethernet Segments...............856 Figure 129 BGP-EVPN Extended Community for DF Election........857 Figure 130 Example Topology with All-active and Single-active vESs......858...

  • Page 18

    Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Figure 156 Example Topology...................955 Figure 157 Loadsharing for Traffic from PE-3 Destined to 10.0.0.0/8 .......972 Carrier Supporting Carrier IP VPNs ..............975 Figure 158 CSC Network Topology ................976 Layer 3 VPN: VPRN Type Spoke ...............999 Figure 159 CE Hub and Spoke Data Path...............1000 Figure 160...

  • Page 19

    Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Rosen MVPN Inter-AS Option B ..............1257 Figure 188 General Topology for Inter-AS MVPN ...........1258 Figure 189 Protocols Used for Inter-AS MVPN ............1258 Figure 190 BGP Signaling Steps ................1261 Figure 191 PIM-P Signaling Steps for Default MDT ..........1262 Figure 192 PIM-C Signaling ..................1263...

  • Page 20

    Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Pseudowire QoS ....................1513 Figure 223 Ingress PW QoS..................1514 Figure 224 Egress PW QoS ..................1515 Figure 225 Example Epipe Pseudowire Topology...........1518 QoS Architecture and Basic Operation............1535 Figure 226 Service and Network QoS Policies............1538 Figure 227 Visualization of Default Network Policies ..........1556 Figure 228...

  • Page 21: About This Guide, List Of Technical Publications

    List of Technical Publications The 7x50 series documentation set also includes the following guides: • 7450 ESS, 7750 SR, 7950 XRS, and VSR Basic System Configuration Guide Issue: 01 3HE 13718 AAAA TQZZA 01...

  • Page 22

    Service Access Points (SAPs), Service Distribution Points (SDPs), customer information, and user services. • 7450 ESS, 7750 SR, 7950 XRS, and VSR Layer 2 Services and EVPN Guide: VLL, VPLS, PBB, and EVPN 3HE 13718 AAAA TQZZA 01...

  • Page 23

    Lines (VLLs), Virtual Private LAN Service (VPLS), Provider Backbone Bridging (PBB), and EVPN. • 7450 ESS, 7750 SR, 7950 XRS, and VSR Layer 3 Services Guide: IES and VPRN Describes Layer 3 service functionality and provides examples to configure and implement Internet Enhanced Services (IES) and Virtual Private Routed Network (VPRN) services.

  • Page 24

    Preface Advanced Configuration Guide - Part II Releases Up To 15.0.R5 3HE 13718 AAAA TQZZA 01 Issue: 01...

  • Page 25: Services Overview

    Advanced Configuration Guide - Part II Services Overview Releases Up To 15.0.R5 Services Overview In This Section This section provides configuration information for the following topics: • G.8032 Ethernet Ring Protection Multiple Ring Topology • G.8032 Ethernet Ring Protection Single Ring Topology Issue: 01 3HE 13718 AAAA TQZZA 01...

  • Page 26

    Services Overview Advanced Configuration Guide - Part II Releases Up To 15.0.R5 3HE 13718 AAAA TQZZA 01 Issue: 01...

  • Page 27: G.8032 Ethernet Ring Protection Multiple Ring Topology

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Multiple Ring Releases Up To 15.0.R5 Topology G.8032 Ethernet Ring Protection Multiple Ring Topology This chapter provides information about G.8032 Ethernet ring protection multiple ring topologies. Topics in this chapter include: •...

  • Page 28

    G.8032 Ethernet Ring Protection Multiple Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 and service availability. Each ring node is connected to adjacent nodes participating in the same ring using two independent paths, which use ring links (configured on ports or link aggregation groups (LAGs)).

  • Page 29

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Multiple Ring Releases Up To 15.0.R5 Topology • Forwarding database MAC flush on ring status change • RPL (Ring Protection Link) − Defines blocked link in idle status When sub-rings are used, they can either connect to a major ring (which is configured in the exact same way as a single ring) or another sub-ring, or to a VPLS service.

  • Page 30

    G.8032 Ethernet Ring Protection Multiple Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 Table 1 Terminology Comparison ITU-T G.8032v2 Terminology SROS Terminology ETH_FF control vpls Service_FF data vpls East Ring Link path a West Ring Link path b RPL owner rpl-node owner...

  • Page 31

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Multiple Ring Releases Up To 15.0.R5 Topology Figure 1 G.8032 Major Ring and Sub-Ring Owner Neighbor Control 1/1/1:1 Major Ring 1 Data 1/1/1:11 Virtual Channel 1/1/1:2 1/1/3:1 Control for sub-ring 2 1/1/3:11 Data 1/1/3:2 Virtual Channel for sub-ring 2...

  • Page 32

    G.8032 Ethernet Ring Protection Multiple Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 An RPL owner and RPL neighbor are configured for both the major ring and sub-ring. The path and associated link will be the RPL when the ring is fully operational and will be blocked by the RPL owner whenever there is no fault on other ring links.

  • Page 33

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Multiple Ring Releases Up To 15.0.R5 Topology SROS Implementation G.8032 is built from VPLS components and each ring consists of the configuration components illustrated in Figure Figure 2 G.8032 Ring Components Port 1/1/1 Port 1/1/2 path a...

  • Page 34

    G.8032 Ethernet Ring Protection Multiple Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 Figure 3 G.8032 Sub-Ring Interconnection Components Port 1/1/1 Port 1/1/2 path a path b R-APS Tag 1 Eth-ring 1 R-APS Tag 1 Major Major Major Major...

  • Page 35: Configuration

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Multiple Ring Releases Up To 15.0.R5 Topology The R-APS tags (ring automatic protection switching tags) and SAPs on the rings can either be dot1Q or QinQ encapsulated. It is also possible to have the control VPLS using single tagged frames with the data VPLSs using double tagged framed;...

  • Page 36

    G.8032 Ethernet Ring Protection Multiple Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 • <ring-index> — This is the number by which the ring is referenced, values: 1 to128. • ccm-hold-time { [down <down-timeout>] [up <up-timeout>] } −...

  • Page 37

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Multiple Ring Releases Up To 15.0.R5 Topology • guard-time <time> — The forwarding method, in which R-APS messages are copied and forwarded at every Ethernet ring node, can result in a message corresponding to an old request, that is no longer relevant, being received by Ethernet ring nodes.

  • Page 38

    G.8032 Ethernet Ring Protection Multiple Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 • rpl-node {owner|nbr} — A node can be designated as either the owner of the RPL, in which case this node is responsible for the RPL, or the nbr (neighbor), in which case this node is expected to be the neighbor to the RPL owner across the RPL.

  • Page 39

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Multiple Ring Releases Up To 15.0.R5 Topology Figure 4 Ethernet Test Topology RPL Owner 1/1/2 1/1/1 PE-2 Major Ring 1 Control VLAN ID Data VLAN ID 1.11 Virtual Channel for sub-ring 2 VLAN ID 2.1 Major Ring 1 1/1/1...

  • Page 40

    G.8032 Ethernet Ring Protection Multiple Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 • Eth-ring for sub-ring 2 • Control channel service and add Eth-ring SAPs • User data channels Configure the Encapsulation for the Ring Ports. Eth-Ring needs an R-APS tag to send/receive G.8032 signaling messages.

  • Page 41

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Multiple Ring Releases Up To 15.0.R5 Topology Loss-of-signal, in conjunction with other OAM mechanisms, is applicable only when the nodes are directly connected. Figure 5 shows the details of the MEPs and their associations configured when both the major and sub rings are used.

  • Page 42

    G.8032 Ethernet Ring Protection Multiple Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 exit association 14 format icc-based name "Association14" ccm-interval 1 remote-mepid 144 exit exit exit Ring node PE-2: Association 12 and 23 are used for the major ring. *A:PE-2# configure eth-cfm domain 1 format none level 2...

  • Page 43

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Multiple Ring Releases Up To 15.0.R5 Topology association 34 format icc-based name "Association34" ccm-interval 1 remote-mepid 343 exit exit exit Configuring Eth-Ring – Major Ring 1 Two paths must be configured to form a ring. In this example, VLAN tag 1.1 is used as control channel for R-APS signaling for the major ring (ring 1) on the ports shown Figure 4 using the ETH CFM information shown in...

  • Page 44

    G.8032 Ethernet Ring Protection Multiple Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 *A:PE-1>config>eth-ring>path# no shutdown INFO: ERMGR #1001 Not permitted - must configure eth-cfm MEP first While MEPs are mandatory, enabling CCMs on the MEPs under the paths as a failure detection mechanism is optional as explained earlier.

  • Page 45

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Multiple Ring Releases Up To 15.0.R5 Topology eth-ring 1 description "Ethernet Ring 1" revert-time 60 rpl-node nbr path a 1/1/3 raps-tag 1.1 description "Ethernet Ring 1 - PathA" eth-cfm mep 133 domain 1 association 13 ccm-enable control-mep no shutdown...

  • Page 46

    G.8032 Ethernet Ring Protection Multiple Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 Ring node PE-1 provides an interconnection between the major ring (1) and the sub- ring (2). Ring 2 is configured to be a sub-ring which interconnects to ring 1. It will use a virtual link on ring 1 to send R-APS messages to the other interconnection node and topology changes will be propagated from sub-ring 2 to the major ring 1.

  • Page 47

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Multiple Ring Releases Up To 15.0.R5 Topology Ring node PE-4: This node only has configuration for the sub-ring, ring 2. It is also the RPL owner, with path “b” being the RPL end, for the RPL between PE-3 and PE- *A:PE-4# configure eth-ring 2 description "Ethernet Sub-ring 2"...

  • Page 48

    G.8032 Ethernet Ring Protection Multiple Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 Defect Status Sub-Ring Type : none ------------------------------------------------------------------------------- Ethernet Ring Path Summary ------------------------------------------------------------------------------- Path Port Raps-Tag Admin/Oper Type Fwd State ------------------------------------------------------------------------------- 1/1/1 Up/Down normal blocked 1/1/3 Up/Down...

  • Page 49

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Multiple Ring Releases Up To 15.0.R5 Topology Ring node PE-3: Control service for the major ring. *A:PE-3# configure service vpls 1 customer 1 create description "Control VID 1.1 for Ring 1 - Major Ring" sap 1/1/2:1.1 eth-ring 1 create exit sap 1/1/3:1.1 eth-ring 1 create...

  • Page 50

    G.8032 Ethernet Ring Protection Multiple Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 vpls 2 customer 1 create description "Virtual Channel VID 2.1 for Ring 2" sap 1/1/1:2.1 eth-ring 1 create exit sap 1/1/2:2.1 eth-ring 1 create exit no shutdown If multiple virtual channels are used (due to the aggregation of multiple sub-rings into...

  • Page 51

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Multiple Ring Releases Up To 15.0.R5 Topology At this point, the Eth-Ring 1 is operationally up and the RPL is blocking successfully on ring node PE-2 port 1/1/1, as expected for the RPL owner/end configuration and on port 1/1/2 on PE-3 as the RPL neighbor.

  • Page 52

    G.8032 Ethernet Ring Protection Multiple Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 Ring node PE-1: *A:PE-1# show eth-ring 1 =============================================================================== Ethernet Ring 1 Information =============================================================================== Description : Ethernet Ring 1 Admin State : Up Oper State : Up Node ID : 4a:c4:ff:00:00:00...

  • Page 53

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Multiple Ring Releases Up To 15.0.R5 Topology =============================================================================== *A:PE-2# PE-2 is the RPL owner with port 1/1/1 as an RPL end, which is blocked as expected. The revert-time is also shown to be the configured value. Detailed information is shown relating to the R-APS PDUs being transmitted on this ring as this node is the RPL owner.

  • Page 54

    G.8032 Ethernet Ring Protection Multiple Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 Node ID : 4a:c4:ff:00:00:00 Guard Time 5 deciseconds RPL Node : rplNone Max Revert Time 60 seconds Time to Revert : N/A CCM Hold Down Time : 0 centiseconds CCM Hold Up Time : 20 deciseconds...

  • Page 55

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Multiple Ring Releases Up To 15.0.R5 Topology Ring Node PE-4: Sub-ring. *A:PE-4# show eth-ring 2 =============================================================================== Ethernet Ring 2 Information =============================================================================== Description : Ethernet Sub-ring 2 Admin State : Up Oper State : Up Node ID...

  • Page 56

    G.8032 Ethernet Ring Protection Multiple Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 The ring hierarchy created can be shown, either for all rings, or as below for a specific ring. *A:PE-1# show eth-ring 1 hierarchy =============================================================================== Ethernet Ring 1 (hierarchy) ===============================================================================...

  • Page 57

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Multiple Ring Releases Up To 15.0.R5 Topology *A:PE-2# configure service vpls 11 customer 1 create description "Data VPLS" sap 1/1/1:1.11 eth-ring 1 create exit sap 1/1/2:1.11 eth-ring 1 create exit sap 1/2/1:11 create description "Sample Customer Service SAP"...

  • Page 58

    G.8032 Ethernet Ring Protection Multiple Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 1/1/3:1.11 Data ------------------------------------------------------------------------------- Number of SAPs : 8 =============================================================================== *A:PE-1# Statistics are available showing both the CCM and R-APS messages sent and received on a node. An associated clear command is available. *A:PE-1# show eth-cfm statistics =============================================================================== ETH-CFM System Statistics...

  • Page 59

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Multiple Ring Releases Up To 15.0.R5 Topology For troubleshooting, the tools dump eth-ring <ring-index> command displays path information, the internal state of the control protocol, related statistics information and up to the last 16 protocol events (including messages sent and received, and the expiration of timers).

  • Page 60

    G.8032 Ethernet Ring Protection Multiple Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 IDLE RxF<- Fwd Fwd 000 04:26:01.010 PROT ----- Fwd Fwd 000 04:26:01.010 PROT : 0xb000 TxF-> Blk Fwd 000 04:26:03.850 pdu A: 4a:c5:ff:00:00:00-0xb020 Sf PROT : 0xb000 RxF<- Blk Fwd 000 04:31:27.710...

  • Page 61

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Multiple Ring Releases Up To 15.0.R5 Topology propagate-topology-change exit exit path a 1/1/2 raps-tag 2.1 description "Ethernet Ring 2 - PathA" eth-cfm mep 141 domain 1 association 14 ccm-enable control-mep no shutdown exit exit...

  • Page 62

    G.8032 Ethernet Ring Protection Multiple Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 *A:PE-1# show service sap-using eth-ring =============================================================================== Service Access Points (Ethernet Ring) =============================================================================== SapId SvcId Eth-Ring Path Admin Oper Blocked Control/ State State Data ------------------------------------------------------------------------------- 1/1/1:1.1 Ctrl...

  • Page 63

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Multiple Ring Releases Up To 15.0.R5 Topology Configuration of a Sub-Ring to a VPLS Service (with a Non-Virtual Link) Sub-rings can be connected to VPLS services, in which case a virtual link is not used and is not configurable.

  • Page 64

    G.8032 Ethernet Ring Protection Multiple Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 The differences for the VPLS service connection to the configuration when the sub- ring is connected to a major ring without a virtual link are: •...

  • Page 65

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Multiple Ring Releases Up To 15.0.R5 Topology sub-ring non-virtual-link exit path a 1/1/1 raps-tag 2.1 description "Ethernet Ring 2 - PathA" eth-cfm mep 144 domain 1 association 14 ccm-enable control-mep no shutdown exit exit...

  • Page 66

    G.8032 Ethernet Ring Protection Multiple Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 =============================================================================== Description : Ethernet Sub-ring 2 on Major Ring 1 Admin State : Up Oper State : Up Node ID : 4a:c4:ff:00:00:00 Guard Time 5 deciseconds RPL Node : rplNone...

  • Page 67

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Multiple Ring Releases Up To 15.0.R5 Topology *A:PE-1# configure port 1/1/2 shutdown 100 2016/05/10 07:16:59.16 UTC WARNING: SNMP #2004 Base 1/1/2 "Interface 1/1/2 is not operational" 101 2016/05/10 07:16:59.16 UTC MINOR: ERING #2001 Base eth-ring-2 "Eth-Ring 2 path a changed fwd state to blocked"...

  • Page 68

    G.8032 Ethernet Ring Protection Multiple Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 tools perform eth-ring force <ring-index> path {a|b} tools perform eth-ring manual <ring-index> path {a|b} In the following output , path “b” of eth-ring 1 is manually blocked and then cleared. Initially, both ports are unblocked.

  • Page 69

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Multiple Ring Releases Up To 15.0.R5 Topology Path Port Raps-Tag Admin/Oper Type Fwd State ------------------------------------------------------------------------------- 1/1/1 Up/Up normal unblocked 1/1/3 Up/Up normal blocked =============================================================================== *A:PE-1# *A:PE-1# *A:PE-1# tools perform eth-ring clear 1 *A:PE-1# show eth-ring 1 =============================================================================== Ethernet Ring 1 Information...

  • Page 70: Conclusion

    G.8032 Ethernet Ring Protection Multiple Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 Conclusion Ethernet Ring APS provides an optimal solution for designing native Ethernet services with ring topology. With sub-rings, both multiple rings and access rings increase the versatility of G.8032.

  • Page 71: G.8032 Ethernet Ring Protection Single Ring Topology

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Single Ring Releases Up To 15.0.R5 Topology G.8032 Ethernet Ring Protection Single Ring Topology This chapter provides information about G.8032 Ethernet ring protection single ring topology. Topics in this chapter include: •...

  • Page 72

    G.8032 Ethernet Ring Protection Single Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 The fundamentals of this ring protection switching architecture are: • the principle of loop avoidance and • the utilization of learning, forwarding, and address table mechanisms defined in the ITU-T G.8032v2 Ethernet flow forwarding function (ETH_FF) (Control plane).

  • Page 73

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Single Ring Releases Up To 15.0.R5 Topology Figure 7 shows a ring of six nodes, with the RPL owner on the top right. One link of the RPL owner is designated to be the RPL and will be blocked in order to prevent a loop.

  • Page 74

    G.8032 Ethernet Ring Protection Single Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 The protection protocol uses a specific control VLAN, with the associated data VLANs taking their forwarding state from the control VLAN. Configuration The example topology is shown in Figure Figure 8 Example Topology...

  • Page 75

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Single Ring Releases Up To 15.0.R5 Topology sub-ring {virtual-link|non-virtual-link} Parameters: • ring-index — This is the number by which the ring is referenced, values: 1 to128. • ccm-hold-time {[down <down-timeout>] [up <up-timeout>]} −...

  • Page 76

    G.8032 Ethernet Ring Protection Single Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 • guard-time <time> — The forwarding method, in which R-APS messages are copied and forwarded at every Ethernet ring node, can result in a message corresponding to an old request, that is no longer relevant, being received by Ethernet ring nodes.

  • Page 77

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Single Ring Releases Up To 15.0.R5 Topology • sub-ring {virtual-link|non-virtual-link} — This is beyond the scope of this chapter, as it is only required for multiple ring topologies. Prerequisites Logging Create following log-id on PE-2 to see major events logged to the console on PE-2.

  • Page 78

    G.8032 Ethernet Ring Protection Single Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 Configure ETH-CFM Ethernet Ring requires Eth-CFM domains, associations and MEPs being configured. The domain format should be none and association name should be ITU-T carrier code- based (ICC-based - Y.1731).

  • Page 79

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Single Ring Releases Up To 15.0.R5 Topology eth-cfm domain 1 format none level 3 association 1 format icc-based name "ring1_1_2" ccm-interval 1 remote-mepid 1122 exit association 2 format icc-based name "ring1_1_3" ccm-interval 1 remote-mepid 1133 exit...

  • Page 80

    G.8032 Ethernet Ring Protection Single Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 PE-1: configure eth-ring 1 path a 1/1/1 raps-tag 1 eth-cfm mep 1121 domain 1 association 1 ccm-enable control-mep no shutdown exit exit no shutdown exit path b 1/1/2 raps-tag 1 eth-cfm...

  • Page 81

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Single Ring Releases Up To 15.0.R5 Topology exit exit no shutdown exit path b 1/1/2 raps-tag 1 rpl-end eth-cfm mep 1122 domain 1 association 2 ccm-enable control-mep no shutdown exit exit no shutdown exit...

  • Page 82

    G.8032 Ethernet Ring Protection Single Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 Until the Ethernet Ring instance is attached to the service (VPLS in this case), the ring operational status is down and the forwarding status of each port is blocked. This prevents operator from creating a loop by mis-configuration.

  • Page 83

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Single Ring Releases Up To 15.0.R5 Topology exit no shutdown exit PE-2: configure service vpls 1 customer 1 create sap 1/1/1:1 eth-ring 1 create exit sap 1/1/2:1 eth-ring 1 create exit no shutdown exit...

  • Page 84

    G.8032 Ethernet Ring Protection Single Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 ------------------------------------------------------------------------------- a - 1/1/1 ----- b - 1/1/2 ----- =============================================================================== Ethernet Tunnel MEP Defect Legend: R = Rdi, M = MacStatus, C = RemoteCCM, E = ErrorCCM, X = XconCCM *A:PE-2# The ring and path forwarding states is shown with following command.

  • Page 85

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Single Ring Releases Up To 15.0.R5 Topology =============================================================================== Ethernet Ring 1 Information =============================================================================== Description : (Not Specified) Admin State : Up Oper State : Up Node ID : 4a:c5:ff:00:00:00 Guard Time 5 deciseconds RPL Node : rplOwner...

  • Page 86

    G.8032 Ethernet Ring Protection Single Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 On reversion, the following console message is logged. 68 2016/05/02 11:22:50.87 UTC MINOR: ERING #2001 Base eth-ring-1 "Eth-Ring 1 path b changed fwd state to blocked" PE-3: *A:PE-3# show eth-ring 1 ===============================================================================...

  • Page 87

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Single Ring Releases Up To 15.0.R5 Topology Configure User Data Channel VPLS Service The user data channels are created on a separate VPLS, VPLS 100 in the example. Tag 100 and VPLS 100 are used here. The ring data channels must be on the same ports as the corresponding control channels configured above.

  • Page 88

    G.8032 Ethernet Ring Protection Single Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 All of the SAPs which are configured to use ETH rings can be shown, using PE-1 as an example. *A:PE-1# show service sap-using eth-ring =============================================================================== Service Access Points (Ethernet Ring) ===============================================================================...

  • Page 89

    Advanced Configuration Guide - Part II G.8032 Ethernet Ring Protection Single Ring Releases Up To 15.0.R5 Topology path-b, port 1/1/2 (Up), tag 1.0(Up) status (Up/Up/Blk) cc (Dn/Up): Cnt 3/3 tm 000 00:41:33.740/000 00:41:33.960 state: Cnt 11 B/F 000 00:49:11.680/000 00:47:58.630, flag: 0x0 FsmState= IDLE, Rpl = Owner, revert = 60 s, guard = 5 ds Defects =...

  • Page 90

    G.8032 Ethernet Ring Protection Single Ring Advanced Configuration Guide - Part II Topology Releases Up To 15.0.R5 Conclusion Ethernet Ring APS provides optimal solution for designing native Ethernet services with ring topology. This protocol provides simple configuration, operation and guaranteed fast protection time. SROS also has a flexible encapsulation that allows dot1Q, qinq or PBB for the ring traffic.

  • Page 91: Layer 2 Services And Evpn

    Advanced Configuration Guide - Part II Layer 2 Services and EVPN Releases Up To 15.0.R5 Layer 2 Services and EVPN In This Section This section provides configuration information for the following topics: • Auto-Learn MAC Protect in EVPN • BGP Multi-Homing for VPLS Networks •...

  • Page 92

    Layer 2 Services and EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 • Shortest Path Bridging for MAC • Virtual Ethernet Segments • VLAN Range SAPs for VPLS and Epipe Services 3HE 13718 AAAA TQZZA 01 Issue: 01...

  • Page 93: Auto-learn Mac Protect In Evpn

    Advanced Configuration Guide - Part II Auto-Learn MAC Protect in EVPN Releases Up To 15.0.R5 Auto-Learn MAC Protect in EVPN This chapter provides information about Auto-Learn MAC Protect in EVPN. Topics in this chapter include: • Applicability • Overview • Configuration •...

  • Page 94

    Auto-Learn MAC Protect in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Configuring static MAC addresses is not scalable if large numbers of MAC addresses need to be protected. Also, configuring static MAC addresses is not an option when the MAC addresses are unknown.

  • Page 95

    Advanced Configuration Guide - Part II Auto-Learn MAC Protect in EVPN Releases Up To 15.0.R5 However, RPS-DF can optionally be configured on destinations in EVPN MPLS or EVPN VXLAN, where data plane MAC learning is never performed for incoming traffic. For EVPN MPLS, the RPS-DF configuration is in the BGP EVPN context, as follows: configure service vpls 1 bgp-evpn mpls restrict-protected-src discard-frame For EVPN VXLAN, the RPS-DF configuration is in the VXLAN context, as follows:...

  • Page 96

    Auto-Learn MAC Protect in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Note: The configuration of restrict-protected-src alarm-only and restrict-unprotected-dst are not allowed in EVPN. Protection is provided at the point where a MAC address first enters the EVPN part of the network.

  • Page 97

    Advanced Configuration Guide - Part II Auto-Learn MAC Protect in EVPN Releases Up To 15.0.R5 Figure 10 Example Topology - No LAG MTU-1 PE-2 CE-10 CE-20 192.0.2.1 192.0.2.2 172.16.0.10/24 172.16.0.20/24 1/1/3 192.168.12.0/30 1/2/3 aa:aa:01:10:10:10 aa:aa:02:20:20:20 1/2/1 1/2/1 1/1/3 1/1/4 .1 1/1/1 192.168.13.0/30 192.168.24.0/30...

  • Page 98

    Auto-Learn MAC Protect in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 On PE-2, VPLS 1 is configured with EVPN MPLS and contains a SAP toward CE-20 and a SAP toward MTU-1, as follows: configure service vpls 1 customer 1 create exit bgp-evpn evi 1...

  • Page 99

    Advanced Configuration Guide - Part II Auto-Learn MAC Protect in EVPN Releases Up To 15.0.R5 • RPS-DF on EVPN MPLS destinations, MAC first learned on PE-2 • RPS-DF on EVPN MPLS destinations, MAC simultaneously learned on PE-2 and PE-3 • No RPS-DF on EVPN MPLS destinations, MAC simultaneously learned on PE-2 and PE-3 −...

  • Page 100

    Auto-Learn MAC Protect in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Figure 11 MAC Address Learned Simultaneously on SAPs on PE-2 and PE-3 MTU-1 PE-2 192.0.2.1 192.0.2.2 CE-20 CE-10 aa:aa:02:20:20:20 aa:aa:01:10:10:10 VPLS 1 VPLS 1 VPLS 1 VPLS 1 PE-3 PE-4...

  • Page 101

    Advanced Configuration Guide - Part II Auto-Learn MAC Protect in EVPN Releases Up To 15.0.R5 The following shows the settings for EVPN MAC address duplication detection, which are the default. It also lists the detected duplicate MAC addresses of CE-10 and CE-20: *A:PE-3# show service id 1 bgp-evpn ===============================================================================...

  • Page 102

    Auto-Learn MAC Protect in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 The MAC addresses are in a hold-down state on the EVPN destinations and no MAC address moves take place until the next MAC address duplication detection retry after 9 minutes.

  • Page 103

    Advanced Configuration Guide - Part II Auto-Learn MAC Protect in EVPN Releases Up To 15.0.R5 Seq:4 LABEL 262140 192.0.2.2 u*>i 192.0.2.2:1 aa:aa:02:20:20:20 ESI-0 Seq:4 LABEL 262140 192.0.2.2 ------------------------------------------------------------------------------- Routes : 2 =============================================================================== *A:PE-3# PE-3 does not use these BGP EVPN MAC address routes in its FDB, because locally learned MAC addresses are preferred.

  • Page 104

    Auto-Learn MAC Protect in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 ------------------------------------------------------------------------------- Routes : 4 =============================================================================== *A:PE-4# In the preceding output, MAC aa:aa:01:10:10:10 is learned from BGP peer 192.0.2.3 with MAC mobility sequence number 3, and from BGP peer 192.0.2.2 with sequence number 4.

  • Page 105

    Advanced Configuration Guide - Part II Auto-Learn MAC Protect in EVPN Releases Up To 15.0.R5 No ALMP on SAPs, RPS-DF on EVPN Destinations When there are no protected MAC addresses (ALMP is disabled and no static MAC addresses are configured), the behavior is as described earlier. RPS-DF discards frames with protected MAC addresses that were not learned on the object, but there are no protected MAC addresses, because ALMP is not configured.

  • Page 106

    Auto-Learn MAC Protect in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 RestMacProtSrc Act : none (oper: Discard-frame) ---snip--- ALMP and RPS-DF on SAPs, RPS-DF on EVPN MPLS Destinations, MAC First Learned on PE-2 Initially, the SAP on PE-3 is shut down to ensure that the MAC address will first be learned on PE-2, then on PE-3, as follows: *A:PE-3# configure service vpls 1 sap 1/2/3:1 shutdown Each learned MAC address on the SAPs on PE-2 will be protected;...

  • Page 107

    Advanced Configuration Guide - Part II Auto-Learn MAC Protect in EVPN Releases Up To 15.0.R5 Flag: 0x40 Type: 5 Len: 4 Local Preference: 100 Flag: 0xc0 Type: 16 Len: 24 Extended Community: target:64500:1 bgp-tunnel-encap:MPLS mac-mobility:Seq:0/Static " Note: The MPLS label is label1 in the BGP update divided by 16 (2 ), as follows: Figure 12 PE-2 sends similar BGP EVPN updates to peer PE-4.

  • Page 108

    Auto-Learn MAC Protect in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 =============================================================================== Forwarding Database, Service 1 =============================================================================== ServId Source-Identifier Type Last Change ------------------------------------------------------------------------------- aa:aa:01:10:10:10 eMpls: 05/11/17 15:06:35 EvpnS 192.0.2.2:262140 aa:aa:02:20:20:20 eMpls: EvpnS 05/11/17 15:06:35 192.0.2.2:262140 ------------------------------------------------------------------------------- No.

  • Page 109

    Advanced Configuration Guide - Part II Auto-Learn MAC Protect in EVPN Releases Up To 15.0.R5 =============================================================================== Flag Route Dist. MacAddr Mac Mobility Label1 Ip Address NextHop ------------------------------------------------------------------------------- u*>i 192.0.2.2:1 aa:aa:01:10:10:10 ESI-0 LABEL 262140 Static 192.0.2.2 u*>i 192.0.2.2:1 aa:aa:02:20:20:20 ESI-0 Static LABEL 262140 192.0.2.2 -------------------------------------------------------------------------------...

  • Page 110

    Auto-Learn MAC Protect in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Because the MAC address was protected on the SAP on PE-2 and the BGP EVPN MAC route update had been received by PE-3 before any frame was received with this MAC SA, there will be no temporary loop.

  • Page 111

    Advanced Configuration Guide - Part II Auto-Learn MAC Protect in EVPN Releases Up To 15.0.R5 Figure 14 MAC Learned and Protected Simultaneously on PEs - RPS-DF on EVPN Endpoints MTU-1 PE-2 192.0.2.1 192.0.2.2 CE-20 CE-10 aa:aa:02:20:20:20 aa:aa:01:10:10:10 VPLS 1 VPLS 1 MAC aa:aa:01:10:10:10 is protected on SAPs on PE-2 and PE-3...

  • Page 112

    Auto-Learn MAC Protect in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 *A:PE-2# show service id 1 fdb detail =============================================================================== Forwarding Database, Service 1 =============================================================================== ServId Source-Identifier Type Last Change ------------------------------------------------------------------------------- aa:aa:01:10:10:10 sap:1/2/3:1 LP/0 05/11/17 15:09:17 aa:aa:02:20:20:20 sap:1/2/1:1 LP/0 05/11/17 15:09:17 -------------------------------------------------------------------------------...

  • Page 113

    Advanced Configuration Guide - Part II Auto-Learn MAC Protect in EVPN Releases Up To 15.0.R5 Flag: 0x80 Type: 4 Len: 4 MED: 0 Flag: 0x40 Type: 5 Len: 4 Local Preference: 100 Flag: 0xc0 Type: 16 Len: 24 Extended Community: target:64500:1 bgp-tunnel-encap:MPLS mac-mobility:Seq:0/Static...

  • Page 114

    Auto-Learn MAC Protect in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 When a frame is received at SAP 1/2/3:1 on PE-3 with protected MAC SA aa:aa:01:10:10:10, it is not dropped by the SAP, because this MAC SA has been learned and protected on this SAP on PE-3.

  • Page 115

    Advanced Configuration Guide - Part II Auto-Learn MAC Protect in EVPN Releases Up To 15.0.R5 ALMP and RPS on SAPs, RPS-DF on EVPN MPLS Destinations, MAC First Learned on PE-2 RPS-DF is enabled on the EVPN MPLS destinations on the PEs, as follows: configure service vpls 1 bgp-evpn mpls restrict-protected-src discard-frame To simulate a scenario where the MAC addresses are first learned on PE-2, the SAP on PE-3 is shut down until the BGP EVPN MAC route updates are sent, as follows:...

  • Page 116

    Auto-Learn MAC Protect in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 192.0.2.2:262140 ------------------------------------------------------------------------------- No. of MAC Entries: 2 ------------------------------------------------------------------------------- Legend: L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf =============================================================================== *A:PE-3# The SAP on PE-3 is enabled, as follows: configure service vpls 1 sap 1/2/3:1 no shutdown The operational state of the SAP is up, because no protected MAC addresses have been received yet:...

  • Page 117

    Advanced Configuration Guide - Part II Auto-Learn MAC Protect in EVPN Releases Up To 15.0.R5 Figure 15 MAC Learned and Protected on SAP on PE-2 - RPS Enabled on SAP on PE-3 MAC aa:aa:01:10:10:10 MTU-1 PE-2 is protected on SAP 192.0.2.1 192.0.2.2 on PE-2...

  • Page 118

    Auto-Learn MAC Protect in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Flags : RxProtSrcMac Multi Svc Site : None ---snip--- *A:PE-3# show service id 1 sap 1/2/3:1 detail =============================================================================== Service Access Points(SAP) =============================================================================== Service Id : 1/2/3:1 Encap : q-tag Description...

  • Page 119

    Advanced Configuration Guide - Part II Auto-Learn MAC Protect in EVPN Releases Up To 15.0.R5 Figure 16 RPS Enabled on SAPs - RPS-DF on EVPN Endpoints, MACs Learned Simultaneously MTU-1 PE-2 192.0.2.1 192.0.2.2 CE-20 CE-10 aa:aa:02:20:20:20 aa:aa:01:10:10:10 VPLS 1 VPLS 1 MAC aa:aa:01:10:10:10 is protected on SAPs on PE-2 and PE-3...

  • Page 120

    Auto-Learn MAC Protect in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 The FDB on PE-3 contains MAC address aa:aa:01:10:10:10 that is locally learned and protected, and MAC address aa:aa:02:20:20:20 that is protected on PE-2, as follows: *A:PE-3# show service id 1 fdb detail =============================================================================== Forwarding Database, Service 1...

  • Page 121

    Advanced Configuration Guide - Part II Auto-Learn MAC Protect in EVPN Releases Up To 15.0.R5 ALMP in All-Active Multi-Homing SAPs All-active multi-homing for EVPN MPLS is explained in chapter EVPN for MPLS Tunnels. ALMP is not required on all-active multi-homing SAPs. The following example shows that traffic can be dropped when ALMP is enabled on the SAPs and RPS-DF is enabled on the EVPN-MPLS destinations.

  • Page 122

    Auto-Learn MAC Protect in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 exit exit exit exit exit ALMP is enabled on the SAPs on PE-2 and PE-3, as follows: configure service vpls 1 sap lag-1:1 auto-learn-mac-protect MAC address aa:aa:01:10:10:10 is learned and protected on PE-2 and PE-3, as follows: *A:PE-2# show service id 1 fdb detail ===============================================================================...

  • Page 123

    Advanced Configuration Guide - Part II Auto-Learn MAC Protect in EVPN Releases Up To 15.0.R5 ALMP in All-Active Multi-Homing, RPS-DF on EVPN MPLS Destinations ALMP is not recommended in all-active multi-homing because it can cause traffic loss. The following example shows when frames are dropped. Figure 18 shows the example setup with MAC address aa:aa:01:10:10:10 protected on SAP lag-1:1 on both PE-2 and PE-3, and RPS-DF enabled on the EVPN...

  • Page 124

    Auto-Learn MAC Protect in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 versa. If the MAC address is not protected yet on PE-2, the first few messages get through until the MAC address is protected on PE-2. Both multi-homing PEs, PE-2 and PE-3, protect the MAC address aa:aa:01:10:10:10 on their local all-active SAP.

  • Page 125: Bgp Multi-homing For Vpls Networks

    Advanced Configuration Guide - Part II BGP Multi-Homing for VPLS Networks Releases Up To 15.0.R5 BGP Multi-Homing for VPLS Networks This chapter describes BGP Multi-Homing (BGP-MH) for VPLS network configurations. Topics in this chapter include: • Applicability • Summary • Overview •...

  • Page 126

    BGP Multi-Homing for VPLS Networks Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Each multi-homing site connected to two or more peers is represented by a site-id (2 bytes long) which is encoded in the BGP MH Network Layer Reachability Information (NLRI).

  • Page 127: Overview

    Using Label Distribution Protocol (LDP) Signaling, and RFC 4761, Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling) architecture and functionality is assumed throughout this document. For further information, see the relevant Nokia documentation. Overview Figure 19 shows the example topology that will be used throughout the rest of the chapter.

  • Page 128

    BGP Multi-Homing for VPLS Networks Advanced Configuration Guide - Part II Releases Up To 15.0.R5 The topology consists of three core nodes (PE-1, PE-2, and PE-3) and three Multi- Tenant Unit (MTU) nodes connected to the core. The VPLS service 500 is configured on all the six nodes with the following characteristics: The VPLS service 500 is configured on all the six nodes with the following characteristics:...

  • Page 129

    Advanced Configuration Guide - Part II BGP Multi-Homing for VPLS Networks Releases Up To 15.0.R5 Configuration This section describes all the relevant configuration tasks for the setup shown in Figure 19. The appropriate associated IP/MPLS configuration is out of the scope of this chapter.

  • Page 130

    BGP Multi-Homing for VPLS Networks Advanced Configuration Guide - Part II Releases Up To 15.0.R5 • By having a direct BGP peering between MTU-4 and MTU-5, the BGP updates do not have to travel back and forth. • On MTU-4 and MTU-5, BGP is exclusively used for multi-homing, therefore there will not be more BGP peers for either MTUs and a RR adds nothing in terms of control plane scalability.

  • Page 131

    Advanced Configuration Guide - Part II BGP Multi-Homing for VPLS Networks Releases Up To 15.0.R5 • The rapid-update l2-vpn statement allows BGP MH to send BGP updates immediately after detecting link failures, without having to wait for the Minimum Route Advertisement Interval (MRAI) to send the updates in batches. This statement is required to guarantee a fast convergence for BGP MH.

  • Page 132

    BGP Multi-Homing for VPLS Networks Advanced Configuration Guide - Part II Releases Up To 15.0.R5 configure router policy-options begin community "comm_core" members "target:65000:500" policy-statement "vsi500_export" entry 10 action accept community add "comm_core" exit exit exit policy-statement "vsi500_import" entry 10 from community "comm_core"...

  • Page 133

    Advanced Configuration Guide - Part II BGP Multi-Homing for VPLS Networks Releases Up To 15.0.R5 pw-template 500 use-provisioned-sdp create exit vpls 500 customer 1 create route-distinguisher 65000:501 vsi-export "vsi500_export" vsi-import "vsi500_import" pw-template-binding 500 split-horizon-group "CORE" exit exit bgp-vpls max-ve-id 65535 ve-name 501 ve-id 501 exit...

  • Page 134

    BGP Multi-Homing for VPLS Networks Advanced Configuration Guide - Part II Releases Up To 15.0.R5 − The pw-template-binding command maps the previously defined pw- template 500 to the split-horizon-group “CORE”. In this way, all the BGP- signaled pseudowires will be part of this split horizon group. Although not shown in this example, the pw-template-binding command can also be used to instantiate pseudowires within different split horizon groups, based on different import route targets:...

  • Page 135

    Advanced Configuration Guide - Part II BGP Multi-Homing for VPLS Networks Releases Up To 15.0.R5 Where: • The site name is defined by a string of up to 32 characters. • The site-id is an integer that identifies the multi-homing site and is encoded in the BGP MH NLRI.

  • Page 136

    BGP Multi-Homing for VPLS Networks Advanced Configuration Guide - Part II Releases Up To 15.0.R5 − Manual site activation using the no shutdown command at the site-id level or at member object(s) level (SAP(s) or pseudowire(s)) − Site activation after a failure −...

  • Page 137

    Advanced Configuration Guide - Part II BGP Multi-Homing for VPLS Networks Releases Up To 15.0.R5 =============================================================================== Site Information =============================================================================== Site Name : MH-site-1 ------------------------------------------------------------------------------- Site Id Dest : sap:1/1/1:8 Mesh-SDP Bind : no Admin Status : Enabled Oper Status : up Designated Fwdr : No DF UpTime...

  • Page 138

    BGP Multi-Homing for VPLS Networks Advanced Configuration Guide - Part II Releases Up To 15.0.R5 pw-template 500 use-provisioned-sdp create exit vpls 500 customer 1 create route-distinguisher 65000:502 vsi-export "vsi500_export" vsi-import "vsi500_import" pw-template-binding 500 split-horizon-group "CORE" exit exit bgp-vpls max-ve-id 65535 ve-name 502 ve-id 502 exit...

  • Page 139

    Advanced Configuration Guide - Part II BGP Multi-Homing for VPLS Networks Releases Up To 15.0.R5 site-id 1 split-horizon-group site-1 no shutdown exit endpoint "CORE" create no suppress-standby-signaling exit sap 1/1/1:7 split-horizon-group "site-1" create exit sap 1/1/2:8 split-horizon-group "site-1" create eth-cfm mep 48 domain 1 association 1 direction down fault-propagation-enable use-if-tlv ccm-enable...

  • Page 140

    BGP Multi-Homing for VPLS Networks Advanced Configuration Guide - Part II Releases Up To 15.0.R5 sdp 51 mpls create far-end 192.0.2.1 lsp "LSP-MTU-5-PE-1" path-mtu 8000 no shutdown exit sdp 52 mpls create far-end 192.0.2.2 lsp "LSP-MTU-5-PE-2" path-mtu 8000 no shutdown exit vpls 500 customer 1 create route-distinguisher 65000:505...

  • Page 141

    Advanced Configuration Guide - Part II BGP Multi-Homing for VPLS Networks Releases Up To 15.0.R5 configure router policy-options begin community "comm_core" members "target:65000:500" policy-statement "vsi500_export" entry 10 action accept community add "comm_core" local-preference 150 exit exit exit policy-statement "vsi500_import" entry 10 from community "comm_core"...

  • Page 142

    BGP Multi-Homing for VPLS Networks Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Min Down Timer : default Timer Remaining : 0d 00:00:00 Failed Threshold : default(all) Monitor Oper Grp : (none) =============================================================================== *A:PE-2# The import and export policies are applied at service 500 level, which means that the LP changes for all the potential multi-homing sites configured under service 500.

  • Page 143

    Advanced Configuration Guide - Part II BGP Multi-Homing for VPLS Networks Releases Up To 15.0.R5 • BGP VPLS — The remote BGP VPLS PEs interpret the F bit transitions from 1 to 0 as an implicit MAC flush-all-from-me indication. If a BGP update with the flag F=0 is received from the previous DF PE, the remote PEs perform MAC flush- all-from-me, flushing all the MACs associated with the pseudowire to the old DF PE.

  • Page 144

    BGP Multi-Homing for VPLS Networks Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Access CE/PE Signaling BGP MH works at service level, therefore no physical ports are torn down on the non- DF, but rather the objects are brought down operationally, while the physical port will stay up and used for any other services existing on that port.

  • Page 145

    Advanced Configuration Guide - Part II BGP Multi-Homing for VPLS Networks Releases Up To 15.0.R5 Figure 22 Access PE/CE Signaling 192.0.2.1 CCM With isDOWN 192.0.2.4 PW Status 0x20 1/1/2:8 CE-9 192.0.2.3 CE-8 1/1/1:8 MTU-4 10.50.50.9 192.0.2.6 PE-1 1/1/1:9 10.50.50.8 MH site-1 MH site-2 1/1/1:10 MTU-6...

  • Page 146

    BGP Multi-Homing for VPLS Networks Advanced Configuration Guide - Part II Releases Up To 15.0.R5 If CE-8 is a service router, upon receiving a CCM with isDown, an alarm will be triggered and the SAP will be brought down: 61 2017/04/26 06:58:30.32 UTC MINOR: ETH_CFM #2001 Base "MEP 1/1/84 highest defect is now defRemoteCCM"...

  • Page 147

    Advanced Configuration Guide - Part II BGP Multi-Homing for VPLS Networks Releases Up To 15.0.R5 Description : (Not Specified) SDP Id : 51:500 Type : Spoke Spoke Descr : (Not Specified) Split Horiz Grp : (Not Specified) Etree Root Leaf Tag: Disabled Etree Leaf AC : Disabled VC Type...

  • Page 148

    BGP Multi-Homing for VPLS Networks Advanced Configuration Guide - Part II Releases Up To 15.0.R5 This concept can be used to enhance the BGP-MH solution for avoiding black-holes on the PE selected as the Designated Forwarder (DF), if the rest of the VPLS endpoints fail (pseudowire spoke(s)/pseudowire mesh and/or SAP(s)).

  • Page 149

    Advanced Configuration Guide - Part II BGP Multi-Homing for VPLS Networks Releases Up To 15.0.R5 exit exit site "MH-site-2" monitor-oper-group "group-1" exit When all the BGP-VPLS pseudowires go down, oper-group group-1 will go down and therefore the monitoring object, site MH-site-2, will also go down and PE-2 will then be elected as DF.

  • Page 150

    BGP Multi-Homing for VPLS Networks Advanced Configuration Guide - Part II Releases Up To 15.0.R5 =============================================================================== Site Site-Id Dest Mesh-SDP Admin Oper Fwdr ------------------------------------------------------------------------------- MH-site-2 sdp:25:500 Enabled up ------------------------------------------------------------------------------- Number of Sites : 1 ------------------------------------------------------------------------------- =============================================================================== *A:PE-2# The process reverts when at least one BGP-VPLS pseudowire comes back up. Show Commands and Debugging Options The main command to find out the status of a site is the show service id x site command.

  • Page 151

    Advanced Configuration Guide - Part II BGP Multi-Homing for VPLS Networks Releases Up To 15.0.R5 *A:MTU-5# The detail view of the command displays information about the BGP MH timers. The values are only shown if the global values are overridden by specific ones at service level (and will be tagged with Ovr if they have been configured at service level).

  • Page 152

    BGP Multi-Homing for VPLS Networks Advanced Configuration Guide - Part II Releases Up To 15.0.R5 *A:PE-3# show router bgp routes l2-vpn =============================================================================== BGP Router ID:192.0.2.3 AS:65000 Local AS:65000 =============================================================================== Legend - Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid l - leaked, x - stale, >...

  • Page 153

    Advanced Configuration Guide - Part II BGP Multi-Homing for VPLS Networks Releases Up To 15.0.R5 Nexthop : 192.0.2.1 From : 192.0.2.1 Res. Nexthop : n/a Local Pref. : 100 Interface Name : NotAvailable Aggregator AS : None Aggregator : None Atomic Aggr.

  • Page 154

    BGP Multi-Homing for VPLS Networks Advanced Configuration Guide - Part II Releases Up To 15.0.R5 The following shows the Layer 2 BGP routes on PE-1: *A:PE-1# show service l2-route-table - l2-route-table [detail] [bgp-ad] [multi-homing] [bgp-vpls] [bgp-vpws] [all-routes] <detail> : keyword - display detailed information *A:PE-1# show service l2-route-table multi-homing =============================================================================== Services: L2 Multi-Homing Route Information - Summary...

  • Page 155

    Advanced Configuration Guide - Part II BGP Multi-Homing for VPLS Networks Releases Up To 15.0.R5 SdpId SvcId Type IP address ------------------------------------------------------------------- 12:4294967292 BgpVpls 192.0.2.2 13:4294967293 BgpVpls 192.0.2.3 ------------------------------------------------------------------- SDP Entries found: 2 =================================================================== =============================================================================== Monitoring Sites for OperGroup: group-1 =============================================================================== SvcId Site Site-Id...

  • Page 156

    BGP Multi-Homing for VPLS Networks Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Log 2 has been configured to log BGP updates and LDP commands. *A:MTU-4# show log log-id 2 =============================================================================== Event Log 2 =============================================================================== Description : (Not Specified) Memory Log contents [size=100 next event=11...

  • Page 157

    Advanced Configuration Guide - Part II BGP Multi-Homing for VPLS Networks Releases Up To 15.0.R5 Assuming all the recommended tools are enabled, a DF to non-DF transition can be shown as well as the corresponding MAC flush messages and related BGP processing.

  • Page 158

    BGP Multi-Homing for VPLS Networks Advanced Configuration Guide - Part II Releases Up To 15.0.R5 l2-vpn/vrf-imp:Encap=19: Flags=D: MTU=1514: PREF=0 " The D flag, sent along with the BGP VPLS update for veid 501, would be seen on the remote core PEs as though it was a pseudowire status fault (although there is no TLDP running in the core).

  • Page 159: Bgp Virtual Private Wire Services

    Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 BGP Virtual Private Wire Services This chapter describes BGP Virtual Private Wire Service (VPWS) configurations. Topics in this chapter include: • Applicability • Overview • Configuration •...

  • Page 160

    BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Overview Figure 24 Example Topology PE-1 192.0.2.1 192.168.14.1/30 192.168.14.2/30 192.0.2.5 192.168.45.2/30 192.168.24.2/30 192.0.2.4 192.0.2.2 192.168.45.1/30 192.168.24.1/30 RR-5 PE-2 192.168.34.2/30 192.168.34.1/30 192.0.2.3 PE-3 al_0265 The network topology is shown in Figure 24.

  • Page 161

    Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 BGP VPWS In this architecture, a VPWS is a collection of two (or three in case of redundancy) BGP VPWS service instances present on different PEs in a provider network. The PEs communicate with each other at the control plane level by means of BGP updates containing BGP VPWS Network Layer Reachability Information (NLRI).

  • Page 162

    BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 autonomous-system 65536 group “INTERNAL” family l2-vpn peer-as 65536 neighbor 192.0.2.5 exit exit exit exit The configuration for the other PE nodes is exactly the same. The IP addresses can be derived from Figure The configuration for the Route Reflector (RR-5) is:...

  • Page 163

    Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 Def. Instance 65536 0 00h00m22s 0/0/0 (L2VPN) ------------------------------------------------------------------------------- *A:RR-5# Configuration Pseudowire Templates BGP VPWS utilizes pseudowire (PW) templates to dynamically instantiate SDP bindings for a service to signal the egress service de-multiplexer labels used by remote PEs to reach the local PE.

  • Page 164

    BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 vlan-vc-tag 0..4094 no vlan-vc-tag Note that: • The encapsulation type in the Layer-2 extended community is either 4 (Ethernet VLAN tagged mode) or 5 (Ethernet raw mode), depending on the vc-type parameter.

  • Page 165

    Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 A pseudowire template is required. The following example is created using the default values: configure service pw-template 1 create exit Pseudowire Templates for Provisioned SDPs using RSVP-TE RSVP-TE LSPs need to be created between the PE routers on which provisioned SDPs will be used as prerequisite.

  • Page 166

    BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 description "SDP-PE-1-PE-2_RSVP_BGP" signaling bgp far-end 192.0.2.2 lsp "LSP-PE-1-PE-2“ no shutdown exit The signaling bgp parameter is required. BGP VPWS instances using BGP VPWS signaling are able to use these SDPs. Conversely, SDPs that are bound to RSVP- based LSPs with signaling set to the default value of “tldp”...

  • Page 167

    Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 *A:PE-1# configure service pw-template 1 create vc-type vlan exit epipe 1 customer 1 create route-distinguisher 65536:11 route-target export target:65536:1 import target:65536:1 pw-template-binding 1 exit exit bgp-vpws ve-name "PE-1"...

  • Page 168

    BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 *A:PE-1# tools perform service eval-pw-template 1 eval-pw-template succeeded for Svc 1 Tx L2 ExtComm, Policy 1 eval-pw-template succeeded for Svc 1 17407:4294967295 Policy 1 *A:PE-1# VE-ID and BGP Label Allocations For a point-to-point VPWS, there are only two members within the BGP VPWS service, so only one label entry is required by each remote service.

  • Page 169

    Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 exit no shutdown exit PE-1 Service Operation Verification Verify that the BGP VPWS service is enabled on PE-1. *A:PE-1# show service id 1 bgp-vpws =============================================================================== BGP VPWS Information =============================================================================== Admin State...

  • Page 170

    BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Service Type : Epipe Name : (Not Specified) Description : (Not Specified) Customer Id Creation Origin : manual Last Status Change: 05/02/2017 13:30:00 Last Mgmt Change : 05/02/2017 13:30:00 Test Service : No...

  • Page 171

    Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 *A:PE-1# show log log-id 2 ---snip--- 4 2017/05/02 13:30:17.85 UTC MINOR: DEBUG #2001 Base Peer 1: 192.0.2.5 "Peer 1: 192.0.2.5: UPDATE Peer 1: 192.0.2.5 - Send BGP UPDATE: Withdrawn Length = 0 Total Path Attr Length = 76 Flag: 0x90 Type: 14 Len: 32 Multiprotocol Reachable NLRI:...

  • Page 172

    BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 *A:PE-1# configure service epipe 1 sap 1/1/4:1 shutdown 6 2017/05/02 13:34:40.86 UTC MINOR: DEBUG #2001 Base Peer 1: 192.0.2.5 "Peer 1: 192.0.2.5: UPDATE Peer 1: 192.0.2.5 - Send BGP UPDATE: Withdrawn Length = 0 Total Path Attr Length = 76 Flag: 0x90 Type: 14 Len: 32 Multiprotocol Reachable NLRI:...

  • Page 173

    Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 PE-3 Service Operation Verification Similar to PE-1, the service operation should be validated on PE-3. Single Homed BGP VPWS using Pre-Provisioned SDP It is possible to configure BGP VPWS instances that use RSVP-TE transport tunnels. In this case, the SDPs must be created with the MPLS LSPs mapped and with the signaling set to BGP, because the service labels are signaled using BGP.

  • Page 174

    BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 signaling bgp far-end 192.0.2.2 lsp "LSP-PE-1-PE-2" no shutdown exit SDP on PE-2 *A:PE-2# configure service sdp 21 mpls create description "SDP-PE-2-PE-1_RSVP_BGP" signaling bgp far-end 192.0.2.1 lsp "LSP-PE-2-PE-1"...

  • Page 175

    Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 The route distinguisher and route target extended community values for Epipe 2 are different from that in Epipe 1. This is to differentiate between the two as their visibility is global within the BGP domain.

  • Page 176

    BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 For completeness, verify the service is operationally up on PE-2. *A:PE-2# show service id 2 base =============================================================================== Service Basic Information =============================================================================== Service Id Vpn Id Service Type : Epipe ---snip---...

  • Page 177

    Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 Figure 27 Dual Homed BGP VPWS with Single Pseudowire VE-id=1 MH-id=1 PE-1 Site-preference=200 RD=65551:31 RT=65536:3 192.0.2.1 Epipe 3 VE-id=3 RD=65551:32 RT=65536:3 Dual-homed Site 192.0.2.4 192.0.2.2 SiteB SiteA PE-2...

  • Page 178

    BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 no shutdown exit site "SITEB" create site-id 1 sap 1/1/4:3 site-preference 200 no shutdown exit sap 1/1/4:3 create exit no shutdown exit Epipe 3 is configured on PE-3 as follows: *A:PE-3# configure service pw-template 3 create...

  • Page 179

    Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 route-distinguisher 65536:32 route-target export target:65536:3 import target:65536:3 pw-template-binding 3 exit exit bgp-vpws ve-name "PE-2" ve-id 2 exit remote-ve-name "PE-1 or PE-3" ve-id 1 exit no shutdown exit sap 1/1/4:3 create exit...

  • Page 180

    BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 *A:PE-2# show router bgp routes l2-vpn rd 65536:33 =============================================================================== BGP Router ID:192.0.2.2 AS:65536 Local AS:65536 =============================================================================== Legend - Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid l - leaked, x - stale, >...

  • Page 181

    Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 After disabling the SAP in the service on PE-1, BGP update messages are received. The VPLS/VPWS message received on PE-2 from PE-1 shows in the CSV that the access circuit is down (the CSV has the most-significant bit set to 1 (0x80)), so PE- 2 selects the update from PE-3 to create the pseudowire.

  • Page 182

    BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 " The result can be shown on PE-2 as now the spoke SDP is up (active) to PE-3. *A:PE-2# show service l2-route-table bgp-vpws detail =============================================================================== Services: L2 Bgp-Vpws Route Information - Summary =============================================================================== ---snip---...

  • Page 183

    Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 Figure 28 Dual Homed BGP VPWS with Active/Standby Pseudowire VE-id=1 MH-id=1 PE-1 Site-preference=200 RD=65551:41 RT=65551:4 192.0.2.1 Epipe 4 VE-id=3 RD=65551:42 RT=65551:4 Dual-homed Site 192.0.2.4 192.0.2.2 SiteB SiteA PE-2...

  • Page 184

    BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 exit no shutdown exit site "SITEB" create site-id 1 sap 1/1/4:4 site-preference 200 no shutdown exit sap 1/1/4:4 create exit no shutdown exit Epipe 4 is configured on PE-3 as follows: The local VE-ID is 3 (different from previous example).

  • Page 185

    Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 pw-template 3 create exit epipe 4 customer 1 create route-distinguisher 65536:42 route-target export target:65536:4 import target:65536:4 pw-template-binding 3 exit exit bgp-vpws ve-name "PE-2" ve-id 2 exit remote-ve-name "PE-1"...

  • Page 186

    BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Path MTU : 1514 Control Word Seq Delivery Status : active Tx Status : inactive Preference : 10 Sdp Bind Id : 17406:4294967289 =============================================================================== *A:PE-2# The choice of pseudowire to be used to transmit traffic from PE-2 to PE-1 can also be seen in the endpoint created in the BGP VPWS service.

  • Page 187

    Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 Conclusion BGP VPWS allows the delivery of Layer 2 virtual private wire services to customers where BGP is commonly used. This chapter shows the configuration of single and dual-homed BGP VPWS services together with the associated show output, which can be used to verify and troubleshoot them.

  • Page 188

    BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 3HE 13718 AAAA TQZZA 01 Issue: 01...

  • Page 189: Bgp Vpls

    Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 BGP VPLS This chapter describes advanced BGP VPLS configurations. Topics in this chapter include: • Applicability • Summary • Overview • Configuration • Conclusion Applicability This chapter was initially written for SR OS release 9.0.R3. The CLI in the current edition corresponds to release 15.0.R2.

  • Page 190

    BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Overview Figure 29 Network Topology RR-7 PE-1 192.168.14.0/30 192.168.47.0/30 192.0.2.7 192.0.2.4 192.0.2.1 192.168.45.0/30 192.168.12.0/30 PE-2 192.168.25.0/30 192.0.2.5 192.0.2.2 192.168.35.0/30 192.168.26.0/30 PE-3 192.168.36.0/30 192.0.2.3 192.0.2.6 BGP_VPLS_01 The network topology is displayed in Figure 29.

  • Page 191

    Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 BGP VPLS In this architecture, a VPLS instance is a collection of local VPLS instances present on a number of PEs in a provider network. In this context, any VPLS-aware PE is also known as a VPLS Edge (VE) device.

  • Page 192

    BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 The BGP configuration for the other PE nodes is identically the same. The IP addresses can be derived from Figure The configuration for RR-7 is as follows: *A:RR-7# configure router autonomous-system 65536 cluster 1.1.1.1...

  • Page 193

    Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 =============================================================================== * indicates that the corresponding row element may have been truncated. *A:PE-1# On RR-7, show that BGP sessions with each PE are established, and have a negotiated the l2-vpn address family capability. *A:RR-7# show router bgp summary all =============================================================================== BGP Summary...

  • Page 194

    BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 no shutdown exit no shutdown exit The MPLS and LSP configuration for PE-2 and PE-3 are similar to that of PE-1 with the appropriate interfaces and LSP names configured. BGP VPLS PE Configuration Pseudowire Templates Pseudowire templates are used by BGP to dynamically instantiate SDP bindings, for...

  • Page 195

    Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 Using this mechanism, SDPs can be auto-instantiated with SDP-IDs starting at the higher end of the SDP numbering range, such as 17407. Any subsequent SDPs created use SDP-IDs decrementing from this value. A pseudowire template is required containing a split horizon group.

  • Page 196

    BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 far-end 192.0.2.2 lsp "LSP-PE-1-PE-2" no shutdown exit The signaling bgp parameter is required for BGP-VPLS to be able to use this SDP. Conversely, SDPs that are bound to RSVP-based LSPs with signaling set to the default value of tldp will not be used as SDPs within BGP-VPLS.

  • Page 197

    Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 exit bgp-vpls max-ve-id 10 ve-name "PE-1" ve-id 1 exit no shutdown exit service-name "VPLS1_PE-1" sap 1/1/4:1.0 create exit no shutdown exit The bgp context specifies parameters which are valid for all of the VPLS BGP applications, such as BGP-multi-homing, BGP-auto-discovery, and BGP-VPLS.

  • Page 198

    BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 VE-ID and BGP Label Allocations The choice of ve-id is crucial in ensuring efficient allocation of de-multiplexer labels. The most efficient choice is for ve-ids to be allocated starting at 1 and incrementing for each PE as the following section explains.

  • Page 199

    Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 Table 2 VE-IDs and Labels (Continued) VE-ID Label 262132 262133 262434 262135 This shows that the label allocated to a given PE is (LB+veid-1). The “1” is the VE block offset (VBO).

  • Page 200

    BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 If ve-ids are chosen that map to different block offsets, then each PE will have to send multiple BGP updates to signal service labels. Each PE sends label blocks in BGP updates to each of its BGP neighbors for all label blocks in which at least one ve-id has been seen by this PE (it does not advertise label blocks which do not contain an active ve-id, where active ve-id means the ve-id of this PE or any other PE in this...

  • Page 201

    Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 no shutdown exit service-name "VPLS1_PE-2" sap 1/1/4:1.0 create exit no shutdown exit The max-ve-id value is set to 10 to allow an increase in the number of PEs that could be a part of this VPLS instance.

  • Page 202

    BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 =============================================================================== Max Ve Id : 10 Admin State : Enabled VE Name : PE-1 VE Id PW Tmpl used =============================================================================== *A:PE-1# The following command shows that the service is operationally up on PE-1: *A:PE-1# show service id 1 base =============================================================================== Service Basic Information...

  • Page 203

    Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 As can be seen from the following output, a BGP-VPLS NLRI update is sent to the route reflector (192.0.2.7) and is received by each PE. The following debug trace from PE-1 shows the BGP NLRI update for VPLS 1 sent by PE-1 to the route reflector.

  • Page 204

    BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Flag: 0x90 Type: 14 Len: 28 Multiprotocol Reachable NLRI: Address Family L2VPN NextHop len 4 NextHop 192.0.2.1 [VPLS/VPWS] preflen 17, veid: 1, vbo: 1, vbs: 8, label-base: 262128, RD 65536:1 Flag: 0x40 Type: 1 Len: 1 Origin: 0 Flag: 0x40 Type: 2 Len: 0 AS Path: Flag: 0x80 Type: 4 Len: 4 MED: 0...

  • Page 205

    Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 Source Class Dest Class ------------------------------------------------------------------------------- Routes : 4 =============================================================================== *A:PE-1# In this configuration example, PE-1 (192.0.2.1) with ve-id =1 has sent an update with base offset (VBO) =1, block size (VBS) = 8, and label base 262128. This means that labels 262128 (LB) to 262135 (LB+VBS-1) are available as de-multiplexer labels, egress labels to be used to reach PE-1 for VPLS 1.

  • Page 206

    BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Label calculation = label base + local ve-id - Base offset = 262128 + 2 - 1 Egress label used = 262129 This is verified using the following command on PE-2 where the egress label toward PE-1 (192.0.2.1) is 262129.

  • Page 207

    Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 Routes : 3 =============================================================================== *A:PE-3# The ve-id of PE-3 is also in the label block covered by block offset VBO =1. Label calculation= label base + local ve-id - VBO = 262128 + 3 - 1 Egress label used = 262130 This is verified using the following command on PE-3 where egress label toward...

  • Page 208

    BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 =============================================================================== * indicates that the corresponding row element may have been truncated. *A:PE-2# PE-2 De-Multiplexer Label Calculation In the same way that PE-1 allocates a label base (LB), block size (VBS), and base offset (VBO), PE-2 also allocates the same parameters for PE-1 and PE-3 to calculate the egress service label required to reach PE-2.

  • Page 209

    Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 =============================================================================== Services: Service Destination Points =============================================================================== SdpId Type Far End addr I.Lbl E.Lbl ------------------------------------------------------------------------------- 17406:4294967294 BgpVpls 192.0.2.3 262130 262128 17407:4294967295 BgpVpls 192.0.2.2 262129 262126 ------------------------------------------------------------------------------- Number of SDPs : 2 ------------------------------------------------------------------------------- =============================================================================== *A:PE-1#...

  • Page 210

    BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 ------------------------------------------------------------------------------- sap:1/1/4:1.0 qinq 1522 1522 sdp:17406:4294967294 SB(192.0.2.1) BgpVpls 1556 sdp:17407:4294967295 SB(192.0.2.2) BgpVpls 1556 =============================================================================== * indicates that the corresponding row element may have been truncated. *A:PE-3# *A:PE-3# show service id 1 sdp =============================================================================== Services: Service Destination Points ===============================================================================...

  • Page 211

    Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 Services: Service Destination Points =============================================================================== SdpId Type Far End addr I.Lbl E.Lbl ------------------------------------------------------------------------------- 17406:4294967294 BgpVpls 192.0.2.3 262128 262129 17407:4294967295 BgpVpls 192.0.2.1 262126 262129 ------------------------------------------------------------------------------- Number of SDPs : 2 ------------------------------------------------------------------------------- =============================================================================== *A:PE-2#...

  • Page 212

    BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Figure 31 BGP VPLS Using Pre-Provisioned SDP PE-1 SDP 13 192.0.2.1 RR-7 SDP 12 192.0.2.7 SDP 31 PE-3 VPLS 2 192.0.2.3 SDP 32 SDP 21 PE-2 SDP 23 192.0.2.2 BGP_VPLS_03 Figure 31...

  • Page 213

    Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 sdp 23 mpls create description "SDP-PE-2-PE-3_RSVP_BGP" signaling bgp far-end 192.0.2.3 lsp "LSP-PE-2-PE-3" no shutdown exit SDPs on PE-3 *A:PE-3# configure service sdp 31 mpls create description "SDP-PE-3-PE-1_RSVP_BGP" signaling bgp far-end 192.0.2.1 lsp "LSP-PE-3-PE-1"...

  • Page 214

    BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 The following output shows the configuration required for a BGP-VPLS service using a pseudowire template configured for using pre-provisioned RSVP-TE SDPs. *A:PE-1# configure service vpls 2 customer 1 create route-distinguisher 65536:2 route-target export target:65536:2 import target:65536:2 pw-template-binding 2...

  • Page 215

    Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 *A:PE-3# configure service vpls 2 customer 1 create route-distinguisher 65536:2 route-target export target:65536:2 import target:65536:2 pw-template-binding 2 exit exit bgp-vpls max-ve-id 100 ve-name "PE-3" ve-id 3 exit no shutdown exit sap 1/1/4:2.0 create exit...

  • Page 216

    BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Service Type : VPLS ---snip--- Admin State : Up Oper State : Up : 1514 Def. Mesh VC Id SAP Count SDP Bind Count ---snip--- ------------------------------------------------------------------------------- Service Access & Destination Points ------------------------------------------------------------------------------- Identifier Type...

  • Page 217

    Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 Consider PE-1’s BGP update NLRIs. *A:PE-1# show router bgp routes l2-vpn rd 65536:2 hunt =============================================================================== BGP Router ID:192.0.2.1 AS:65536 Local AS:65536 =============================================================================== Legend - Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid l - leaked, x - stale, >...

  • Page 218

    BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Route Tag Neighbor-AS : N/A Orig Validation: N/A Source Class Dest Class ------------------------------------------------------------------------------- Routes : 8 =============================================================================== *A:PE-1# Two NLRIs updates are sent to the route reflector, with the following label parameters: 1.

  • Page 219

    Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 • ve-id < (VBO+VBS) for ve-id = 3 is true. • PE-3 chooses label 262120 + 3 - 1 = 262122 (LB + veid - VBO) • Update 2: LB = 262112, VBS = 8, VBO = 17 •...

  • Page 220

    BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Label Label Type Label Owner ----------------------------------------------------------------- 262110 dynamic ILDP 262111 dynamic ILDP 262112 dynamic 262113 dynamic 262114 dynamic 262115 dynamic 262116 dynamic 262117 dynamic 262118 dynamic 262119 dynamic 262120 dynamic 262121...

  • Page 221

    Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 Conclusion BGP-VPLS allows the delivery of Layer 2 VPN services to customers where BGP is commonly used. The examples presented in this chapter show the configuration of BGP-VPLS together with the associated show outputs which can be used for verification and troubleshooting.

  • Page 222

    BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 3HE 13718 AAAA TQZZA 01 Issue: 01...

  • Page 223: Black-hole Mac For Evpn Loop Protection

    Advanced Configuration Guide - Part II Black-hole MAC for EVPN Loop Protection Releases Up To 15.0.R5 Black-hole MAC for EVPN Loop Protection This chapter provides information about Black-hole MAC for EVPN Loop Protection. Topics in this chapter include: • Applicability •...

  • Page 224

    Black-hole MAC for EVPN Loop Protection Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Figure 32 Black-hole MAC for EVPN Loop Protection PE-1 192.0.2.1 CE-10 EVI 1 172.16.10.10/24 MAC1 = ca:fe:01:10:10:10 EVPN-MAC EVPN-MAC MAC2 SEQ x MAC2 SEQ backdoor link CE-20 EVI 1...

  • Page 225

    Advanced Configuration Guide - Part II Black-hole MAC for EVPN Loop Protection Releases Up To 15.0.R5 If the mac-duplication black-hole-dup-mac option is configured, MAC2 will be added to the FDB as black-hole MAC, so traffic with MAC DA = MAC2 will be discarded.

  • Page 226

    Black-hole MAC for EVPN Loop Protection Advanced Configuration Guide - Part II Releases Up To 15.0.R5 • MAC addresses assigned to a black-hole destination are protected and incoming frames with MAC SA = MAC2 will be discarded or the system will bring down the SAP/SDP-binding, depending on the restrict- protected-src setting on the SAP/SDP/EVPN endpoint.

  • Page 227

    Advanced Configuration Guide - Part II Black-hole MAC for EVPN Loop Protection Releases Up To 15.0.R5 Configuration Figure 33 shows the example topology with three PEs and two CEs. A loop will occur when CE-20 sends Broadcast, Unknown unicast, or Multicast (BUM) traffic. Traffic between PE-2 and PE-3 will be sent over the regular router interfaces between the PEs, but also over the backdoor link (SAP 1/1/2:1 in VPLS 1 on PE-2 and SAP 1/1/1:1 in VPLS 1 on PE-3).

  • Page 228

    Black-hole MAC for EVPN Loop Protection Advanced Configuration Guide - Part II Releases Up To 15.0.R5 configure router autonomous-system 64500 min-route-advertisement 1 rapid-withdrawal split-horizon rapid-update evpn group "internal" family evpn cluster 1.1.1.1 peer-as 64500 neighbor 192.0.2.1 exit neighbor 192.0.2.2 exit exit exit VPLS 1 is configured on all PEs with BGP-EVPN and MAC duplication enabled, as...

  • Page 229

    Advanced Configuration Guide - Part II Black-hole MAC for EVPN Loop Protection Releases Up To 15.0.R5 On the EVPN-MPLS endpoints, restrict-protected-src discard-frame must be configured. When MAC address ca:fe:02:20:20:20 is detected on PE-3 as a duplicate MAC address that is black-holed, the EVPN-MPLS endpoints on PE-3 should discard all frames with MAC SA ca:fe:02:20:20:20.

  • Page 230

    Black-hole MAC for EVPN Loop Protection Advanced Configuration Guide - Part II Releases Up To 15.0.R5 =============================================================================== *A:PE-2# The following FDB on PE-3 shows that MAC ca:fe:02:20:20:20 has been detected as a duplicate and protected MAC (type EvpnD:P) associated with a black-hole endpoint: *A:PE-3# show service id 1 fdb mac ca:fe:02:20:20:20 ===============================================================================...

  • Page 231

    Advanced Configuration Guide - Part II Black-hole MAC for EVPN Loop Protection Releases Up To 15.0.R5 50 2017/08/17 07:16:28.176 UTC MINOR: SVCMGR #2331 Base "VPLS Service 1 has MAC(s) detected as duplicates by EVPN mac-duplication detection." MAC address ca:fe:02:20:20:20 remains in the FDB as duplicate and black-holed until the retry interval expires, as follows: *A:PE-3# configure service vpls 1 bgp-evpn mac-duplication retry - no retry...

  • Page 232: Clear Commands

    Black-hole MAC for EVPN Loop Protection Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Clear Commands The following FDB entry on PE-3 of type EvpnD:P cannot be cleared with a normal FDB clear command: *A:PE-3# show service id 1 fdb mac ca:fe:02:20:20:20 =============================================================================== Forwarding Database, Service 1 ===============================================================================...

  • Page 233

    Advanced Configuration Guide - Part II Black-hole MAC for EVPN Loop Protection Releases Up To 15.0.R5 *A:PE-3# show service id 1 bgp-evpn | match "Detected" pre-lines 2 post-lines 5 ------------------------------------------------------------------------------- Detected Duplicate MAC Addresses Time Detected ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- =============================================================================== =============================================================================== *A:PE-3# Instead of clearing the MAC duplication state for one specific MAC address, all duplicate MAC addresses can be cleared by the following command:...

  • Page 234

    Black-hole MAC for EVPN Loop Protection Advanced Configuration Guide - Part II Releases Up To 15.0.R5 *A:PE-3# show log log-id 99 count 3 =============================================================================== Event Log 99 =============================================================================== Description : Default System Log Memory Log contents [size=500 next event=103 (not wrapped)] 102 2017/08/17 11:29:07.597 UTC MINOR: SVCMGR #2203 Base "Status of SAP 1/1/1:1 in service 1 (customer 1) changed to admin=up oper=down flags=RxProtSrcMac "...

  • Page 235

    Advanced Configuration Guide - Part II Black-hole MAC for EVPN Loop Protection Releases Up To 15.0.R5 Black-hole MAC Duplication in All-active Multi-homing Figure 34 shows the example topology with all-active multi-homing. Figure 34 Example Topology with All-active Multi-homing PE-1 192.0.2.1 CE-12 1/2/1:2 172.16.20.12/24...

  • Page 236

    Black-hole MAC for EVPN Loop Protection Advanced Configuration Guide - Part II Releases Up To 15.0.R5 The reason why black-hole MAC duplication should be configured instead of ALMP is the following. When ALMP is configured on SAP lag-1:2 on PE-2 and PE-3, MAC address ca:fe:01:12:12:12 of CE-12 is learned and protected on the SAP on both PEs.

  • Page 237

    Advanced Configuration Guide - Part II Black-hole MAC for EVPN Loop Protection Releases Up To 15.0.R5 resolution any exit no shutdown exit exit sap 1/2/1:2 create exit sap lag-1:2 create exit no shutdown The configuration of VPLS 2 on PE-3 is similar. Conclusion Black-hole MAC for EVPN MAC duplication protects EVPN services against customer-created backdoors or loops, while supporting MAC mobility and all-active...

  • Page 238

    Black-hole MAC for EVPN Loop Protection Advanced Configuration Guide - Part II Releases Up To 15.0.R5 3HE 13718 AAAA TQZZA 01 Issue: 01...

  • Page 239: Conditional Static Black-hole Mac In Evpn

    Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 Conditional Static Black-Hole MAC in EVPN This chapter provides information about Conditional Static Black-Hole MAC in EVPN. Topics in this chapter include: • Applicability •...

  • Page 240

    Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 The default behavior on the SAP/SDP-bindings is Restricted Protected Source Discard Frame (RPS-DF). Therefore, all frames with MAC SA equal to the black-hole MAC will, by default, be dropped on the SAP/SDP-binding where the frames enter the service.

  • Page 241

    Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 Figure 36 Proxy-ARP/ND and ARP Spoofing MACs/IPs MAC/IP IP or IP/MPLS Core Network Who has IP1? MAC1 has IP1 Proxy-ARP/ND Spoofer 26244 EVPN can suppress ARP/ND flooding within an EVPN service if all the attached hosts advertise their presence.

  • Page 242

    Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Configuration Figure 37 shows the example topology. Traffic will be sent between the CEs and may be dropped in the PEs if the MAC DA or MAC SA matches a black-hole MAC. IP address 172.16.0.10/24 is duplicate (CE-10 and CE-11).

  • Page 243

    Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 peer-as 64500 neighbor 192.0.2.3 exit neighbor 192.0.2.4 exit exit exit VPLS 1 is configured on all PEs and on MTU-1 (MTU-1's VPLS 1 is connected to PE- 3 by a SAP).

  • Page 244

    Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Figure 38 Conditional Static Black-Hole MAC PE-3 MTU-1 192.0.2.1 192.0.2.3 1/2/1:1 CE-30 CE-10 172.16.0.30/24 00:00:aa:aa:aa:aa 1/2/1:1 CE-40 CE-20 172.16.0.40/24 172.16.0.20/24 00:00:04:40:40:40 00:00:02:20:20:20 PE-4 PE-2 192.0.2.2 192.0.2.4 26246...

  • Page 245

    Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 =============================================================================== ServId Source-Identifier Type Last Change ------------------------------------------------------------------------------- 00:00:aa:aa:aa:aa black-hole CStatic: 05/15/17 13:41:03 ---snip--- The source identifier is black-hole and it is applicable to frames that enter the VPLS on this node, regardless of how they enter the VPLS (SAP, SDP-binding, or EVPN endpoint).

  • Page 246

    Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Request timed out. icmp_seq=1. Request timed out. icmp_seq=2. Request timed out. icmp_seq=3. Request timed out. icmp_seq=4. Request timed out. icmp_seq=5. ---- 172.16.0.30 PING Statistics ---- 5 packets transmitted, 0 packets received, 100% packet loss *A:PE-2# The port statistics show that the traffic was sent from PE-2 to PE-3, where it entered...

  • Page 247

    Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 =============================================================================== Port Statistics on Slot 1 =============================================================================== Port Ingress Ingress Egress Egress Packets Octets Packets Octets ------------------------------------------------------------------------------- 1/1/3 1051 129115 5016 =============================================================================== The FDB entry for this MAC DA is black-holed and no traffic is received on SAP 1/2/1:1 toward CE-30;...

  • Page 248

    Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 *A:PE-2# show port 1/1/[1..3] statistics =============================================================================== Port Statistics on Slot 1 =============================================================================== Port Ingress Ingress Egress Egress Packets Octets Packets Octets ------------------------------------------------------------------------------- 1/1/1 1534 1017 125718 ===============================================================================...

  • Page 249

    Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 Conditional Static Black-Hole MAC in Combination with Restrict Protected Source For Ethernet frames with MAC SA equal to the static black-hole MAC, the treatment is the same as for protected MACs (see chapter Auto-Learn MAC Protect in EVPN),...

  • Page 250

    Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 *A:PE-3# clear port 1/[1..2]/[1..4] statistics *A:PE-3# ping router 10 172.16.0.20 rapid count 1000 ---snip--- 1000 packets transmitted, 0 packets received, 100% packet loss *A:PE-3# show port 1/[1..2]/[1..4] statistics =============================================================================== Port Statistics on Slot 1 ===============================================================================...

  • Page 251

    Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 ---snip--- 1000 packets transmitted, 0 packets received, 100% packet loss *A:PE-3# show port 1/[1..2]/[1..4] statistics =============================================================================== Port Statistics on Slot 1 =============================================================================== Port Ingress Ingress Egress Egress...

  • Page 252

    Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 When CE-30 sends traffic with MAC SA equal to a protected MAC address (black- hole or not), the entire SAP 1/2/1:1 will be brought operationally down, as follows: *A:PE-3# ping router 10 172.16.0.20 PING 172.16.0.20 56 data bytes Request timed out.

  • Page 253

    Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 The SAP can only be brought up manually by disabling and re-enabling the SAP, as follows: *A:PE-3# configure service vpls 1 sap 1/2/1:1 shutdown *A:PE-3# configure service vpls 1 sap 1/2/1:1 no shutdown *A:PE-3# show service id 1 sap ===============================================================================...

  • Page 254

    Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 • Dynamic (learned on SAP) and EVPN • EVPN and dynamic • Dynamic and dynamic The following example shows IP address moves from dynamic to dynamic between SAP 1/2/1:1 (to CE-10) and SAP 1/2/1:2 (to CE-11) in VPLS 1 on MTU-1.

  • Page 255

    Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 <static-black-hole> : keyword In VPLS 1 on PE-3, a proxy-ARP with duplicate IP detection is configured, including an optional anti-spoof MAC (AS-MAC) 00:00:bb:bb:bb:bb for offending IP addresses, as follows: configure service...

  • Page 256

    Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Flag: 0xc0 Type: 16 Len: 24 Extended Community: target:64500:1 bgp-tunnel-encap:MPLS mac-mobility:Seq:0/Static " Without the option static black-hole, the configured AS-MAC is not added to the local FDB, but this MAC address is treated as a local MAC.

  • Page 257

    Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 bgp-tunnel-encap:MPLS " There is no duplicate IP detected yet. The following GARP update is sent locally: 62 2017/05/16 10:14:11.19 UTC MINOR: DEBUG #2001 Base proxy arp "proxy arp: svc: 1 ip: 172.16.0.10 type: Dyn mac: 00:00:01:11:11:11 Gratuitous Update"...

  • Page 258

    Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 When CE-10 confirms MAC 00:00:01:10:10:10 for IP 172.16.0.10, IP duplication is detected for IP address 172.16.0.10 (after three MAC moves in a detection period of three minutes), and the following message is raised in log 99 after a duplicate proxy- ARP entry was detected for IP 172.16.0.10: 60 2017/05/16 10:14:56.19 UTC MINOR: SVCMGR #2346 Base...

  • Page 259

    Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 The proxy-ARP entry is shown with type duplicate (dup) and active status in the proxy-ARP table for VPLS 1 on PE-3, as follows: *A:PE-3# show service id 1 proxy-arp detail ------------------------------------------------------------------------------- Proxy Arp -------------------------------------------------------------------------------...

  • Page 260

    Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Note: The AS-MAC will always be "unique" in the system. When the AS-MAC is configured, the system will flush any entry with the same MAC learned through EVPN or dynamic sources.

  • Page 261

    Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 Withdrawn Length = 0 Total Path Attr Length = 46 Flag: 0x90 Type: 15 Len: 42 Multiprotocol Unreachable NLRI: Address Family EVPN Type: EVPN-MAC Len: 37 RD: 192.0.2.3:1 ESI: ESI-0, tag: 0, mac len: 48 mac: 00:00:bb:bb:bb:bb, IP len: 4, IP: 172.16.0.10, label1: 0 "...

  • Page 262

    Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 MAC 00:00:01:10:10:10 is confirmed for IP 172.16.0.10; therefore, the MAC address is changed in the proxy-ARP entry from 00:00:01:11:11:11 to 00:00:01:10:10:10, and an ARP confirmation is asked for the old MAC 00:00:01:11:11:11, as follows: 83 2017/05/16 10:14:56.08 UTC MINOR: DEBUG #2001 Base proxy arp "proxy arp: svc: 1 ip: 172.16.0.10 Mac Change: 00:00:01:11:11:11->00:00:01:10:10:10 "...

  • Page 263

    AS-MACs in the service at each PE, which increases the complexity of the filters. Nokia recommends using the same AS-MAC for the same service in all the PES where duplicate detect is active and MAC filters need to be configured.

  • Page 264

    Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 1. Local MACs (including AS-MACs without static-black-hole, es-bmacs, src- bmacs, OAM, and so on) 2. Conditional static MACs (including AS-MACs with static-black-hole) 3. Auto-Learn Protected MACs 4.

  • Page 265

    Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 vpls 1 static-mac mac 00:00:bb:bb:bb:bb create black-hole exit proxy-arp dup-detect window 3 num-moves 5 hold-down max anti-spoof-mac 00:00:bb:bb:bb:bb static-black-hole dynamic-arp-populate static 172.16.0.20 00:00:02:20:20:20 no shutdown exit When the AS-MAC is configured with the static black-hole option, the AS-MAC will be added not only to the MAC DB, but also to the FDB as CStatic, and associated...

  • Page 266

    Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 target:64500:1 bgp-tunnel-encap:MPLS mac-mobility:Seq:0/Static " When a duplicate IP address is detected, the EVPN-MAC update contains the IP address 172.16.0.10, as follows: 126 2017/05/16 11:04:37.65 UTC MINOR: DEBUG #2001 Base Peer 1: 192.0.2.2 "Peer 1: 192.0.2.2: UPDATE Peer 1: 192.0.2.2 - Send BGP UPDATE: Withdrawn Length = 0...

  • Page 267

    Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 No. of ARP Entries: 2 =============================================================================== A:PE-3# CE-30 and CE-31 cannot reach CE-10 or CE-11, because the MAC DA will be the AS-MAC and all traffic to this MAC DA is black-holed instead of forwarded to SAP 1/2/3:1 toward CE-10 or CE-11.

  • Page 268

    Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Conclusion Static black-hole MACs can be applied in EVPN for security as a scalable alternative to MAC filters. Static black-hole MACs are programmed in the FDB and all frames with MAC DA equal to the static black-hole MAC are dropped, regardless of how the frame arrived at the system (SAP/SDP-binding or EVPN endpoint).

  • Page 269: Evpn For Mpls Tunnels

    Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 EVPN for MPLS Tunnels This chapter provides information about EVPN for MPLS tunnels. Topics in this chapter include: • Applicability • Overview • Configuration • Conclusion Applicability This chapter was initially written for SR OS Release 13.0.R6, but the CLI in the current edition corresponds to release 15.0.R2.

  • Page 270

    EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 The EVPN for Virtual eXtensible Local Area Network (VXLAN) tunnels (Layer 2) chapter focuses on the use of EVPN as a control plane for VXLAN tunnels, whereas this chapter provides configuration guidelines for EVPN when used for MPLS tunnels.

  • Page 271

    Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 When EVPN multi-homing is used in an EVI, routes type 1 and 4 are used (where type 1 has two different purposes): • Route type 1 - Auto-discovery per Ethernet segment (AD per ES) route: This route is advertised per ES from the PE, carries the Ethernet Segment Identifier (ESI) label (used for split-horizon) in multi-homing mode, and can affect procedures such as the Designated Forwarder (DF) election, as well as the...

  • Page 272

    EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Figure 41 EVPN-MPLS for VPLS Services 192.0.2.2 PE-2 192.0.2.4 PE-4 (Route-Reflector) VPLS 1 VPLS 1 192.0.2.6 192.0.2.1 MTU-6 MTU-1 1/2/1:1 1/2/1:1 IP/MPLS IP/MPLS LAG-1 VPLS 1 VPLS 1 Access CORE...

  • Page 273

    Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 enable-peer-tracking rapid-withdrawal split-horizon rapid-update evpn group "internal" family evpn cluster 1.1.1.1 peer-as 64500 neighbor 192.0.2.3 exit neighbor 192.0.2.4 exit neighbor 192.0.2.5 exit exit The BGP configuration on the clients PE-3, PE-4, and PE-5 is as follows: configure router autonomous-system 64500...

  • Page 274

    EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 EVPN routes type 1 (auto-discovery per-EVI route), type 2 (MAC/IP route), type 3 (inclusive multicast route), and type 5 (IP-prefix route) are always sent with the RFC 5512, the BGP Encapsulation Subsequent Address Family Identifier (SAFI) and the BGP Tunnel Encapsulation Attribute, BGP encapsulation extended community that indicates the associated encapsulation of the route.

  • Page 275

    Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 • bgp enables the context for the BGP configuration relevant to the service. If a manual (non-auto-derived) RD/RT, as well as import/export policies, are needed for the service, the commands in the bgp context must be configured. When bgp-evpn is enabled in a VPLS instance, other families are supported within the same service (bgp-ad and bgp-mh, not bgp-vpls).

  • Page 276

    EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 • bgp-evpn>cfm-mac-advertisement must be enabled when eth-cfm is used across an EVPN-MPLS service among different PEs. If a Maintenance Endpoint (MEP) or Maintenance domain Intermediate Point (MIP) is configured in any of the SAP/SDP bindings in the VPLS and has to exchange eth-cfm packets with a remote MEP/MIP across the EVPN-MPLS core, this command must be enabled.

  • Page 277

    Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 − If the auto-bind-tunnel resolution any is configured, as in the example, EVPN destinations in the service are resolved based on the best tunnel in the Tunnel Table Manager (TTM). For instance, the following command shows the existing EVPN destinations for VPLS 1 in PE-3.

  • Page 278

    EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 − The user must set the resolution to filter to activate the list of tunnel-types configured under resolution-filter. Although not shown in the bgp-evpn mpls basic configuration for PE-3, there are other parameters that can be modified: *A:PE-3# configure service vpls 1 bgp-evpn mpls - mpls...

  • Page 279

    Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 • send-evpn-encap configures the encapsulation to be advertised with the EVPN routes for the service. The encapsulation is encoded in RFC5512-based tunnel encapsulation extended communities. When configured in the bgp-evpn>mpls context, the supported options are none (no send-evpn-encap), mpls, mplsoudp, or both.

  • Page 280

    EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 192.0.2.5 262140 05/04/2017 08:09:05 ------------------------------------------------------------------------------- Number of entries : 3 ------------------------------------------------------------------------------- =============================================================================== =============================================================================== BGP EVPN-MPLS Ethernet Segment Dest =============================================================================== Eth SegId Num. Macs Last Change ------------------------------------------------------------------------------- No Matching Entries =============================================================================== ===============================================================================...

  • Page 281

    Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 BGP EVPN MPLS Auto Bind Tunnel Information =============================================================================== Resolution : any Filter Tunnel Types: (Not Specified) =============================================================================== When traffic is generated, the PEs will start learning MAC addresses and advertising them in BGP so that the remote PEs learn those MAC addresses against EVPN destinations.

  • Page 282

    EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Number of entries : 4 ------------------------------------------------------------------------------- =============================================================================== When an EVPN-MPLS destination or MAC address is not created/installed correctly, the user may check the BGP-EVPN routes received and the routes kept in the RIB. The routes that the PE receives are shown when debug router bgp update is enabled.

  • Page 283

    Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 If the route is successfully imported, it can be shown in the RIB (show router bgp routes commands). The route shown in the debug and the same route in a show command do not necessarily have the same label value.

  • Page 284

    EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 far-end 192.0.2.4 no shutdown exit vpls 1 spoke-sdp 24:1 create exit exit The service configuration on PE-4 is as follows: configure service sdp 42 mpls create far-end 192.0.2.2 no shutdown exit...

  • Page 285

    Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 Spoke SDP 24:1 is down because of an EVPN route conflict, as indicated by the flags: *A:PE-2# show service id 1 sdp 24 detail | match Flag context all Flags : PWPeerFaultStatusBits EvpnRouteConflict...

  • Page 286

    EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 exit exit bgp-evpn mpls split-horizon-group "CORE" ingress-replication-bum-label ecmp 2 auto-bind-tunnel resolution any exit no shutdown exit exit sap 1/2/1:2 split-horizon-group "CORE" create exit sap lag-1:2 create exit no shutdown EVPN-MPLS Multi-Homing...

  • Page 287

    ESI-2 that will be resolved to the two next-hops: PE-2 and PE-3. Unicast load- balancing will happen as long as ECMP > 1 is enabled in PE-4. Nokia recommends the use of ingress-replication-bum-label on the PEs that are part of an all-active ES. In an all-active multi-homing scenario, if a specified MAC...

  • Page 288

    EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 This issue is solved by the use of ingress-replication-bum-label in PE-2 and PE-3. If configured, PE-2/PE-3 will know that the received packet is an unknown unicast packet;...

  • Page 289

    Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 configure lag 1 mode access encap-type dot1q port 1/1/1 lacp active administrative-key 1 system-id 00:00:00:00:02:03 no shutdown Ethernet segment “ESI-12” is configured in the service system bgp-evpn context on PE-2 and PE-3, as follows: configure service...

  • Page 290

    EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 − esi — 10-byte identifier that represents the ES in the BGP control plane. The same ESI must be configured in all the PEs connected to the same CE/MTU (using a unique value that cannot be associated with any other CE/MTU/access network).

  • Page 291

    Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 − service-carving — As defined in RFC 7432, service-carving controls the distribution of DF/non-DF roles across the different services defined in an *A:PE-2>config>service>system>bgp-evpn>eth-seg>service-carving# mode - mode {manual|auto} <manual|auto>...

  • Page 292

    EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Although not configured as part of the ES, the config>redundancy>bgp-evpn- multi-homing>boot-timer allows the necessary time for the control plane protocols to come up after the PE has rebooted, and before bringing up the ESs and running the DF algorithm.

  • Page 293

    Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 =============================================================================== Description : Default System Log Memory Log contents [size=500 next event=118 (not wrapped)] 117 2017/05/05 13:52:44.77 UTC MINOR: SVCMGR #2203 Base "Status of SAP lag-1:1 in service 1 (customer 1) changed to admin=up oper=up flags=" All-Active Multi-Homing Operation To confirm that all-active multi-homing is working correctly for ESI-12, the user can use the following commands:...

  • Page 294

    EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 The following command shows that PE-2 is not the DF and the DF candidate PEs for EVI 1 are PE-2 and PE-3: *A:PE-2# show service system bgp-evpn ethernet-segment name "ESI-12" evi 1 =============================================================================== EVI DF and Candidate List ===============================================================================...

  • Page 295

    Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 192.0.2.2 192.0.2.3 ------------------------------------------------------------------------------- Number of entries: 2 ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- ---snip--- The following command shows all information related to ESI-12 on PE-3: *A:PE-3# show service system bgp-evpn ethernet-segment name "ESI-12" all =============================================================================== Service Ethernet Segment ===============================================================================...

  • Page 296

    EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Total Path Attr Length = 70 Flag: 0x90 Type: 14 Len: 34 Multiprotocol Reachable NLRI: Address Family EVPN NextHop len 4 NextHop 192.0.2.3 Type: EVPN-Eth-Seg Len: 23 RD: 192.0.2.3:0 ESI: 01:00:00:00:00:12:00:00:00:01, IP-Len: 4 Orig-IP-Addr: 192.0.2.3 Flag: 0x40 Type: 1 Len: 1 Origin: 0 Flag: 0x40 Type: 2 Len: 0 AS Path:...

  • Page 297

    Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 Flag: 0x90 Type: 14 Len: 36 Multiprotocol Reachable NLRI: Address Family EVPN NextHop len 4 NextHop 192.0.2.3 Type: EVPN-AD Len: 25 RD: 192.0.2.3:1 ESI: 01:00:00:00:00:12:00:00:00:01, tag: MAX-ET Label: 0 Flag: 0x40 Type: 1 Len: 1 Origin: 0 Flag: 0x40 Type: 2 Len: 0 AS Path: Flag: 0x80 Type: 4 Len: 4 MED: 0...

  • Page 298

    EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 =============================================================================== *A:PE-2# show router bgp routes evpn auto-disc esi 01:00:00:00:00:12:00:00:00:01 hunt ---snip--- =============================================================================== BGP EVPN Auto-Disc Routes =============================================================================== ------------------------------------------------------------------------------- RIB In Entries ------------------------------------------------------------------------------- Network : N/A Nexthop : 192.0.2.3 From...

  • Page 299

    Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 l - leaked, x - stale, > - best, b - backup, p - purge Origin codes : i - IGP, e - EGP, ? - incomplete =============================================================================== BGP EVPN Auto-Disc Routes ===============================================================================...

  • Page 300

    EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 ServId Source-Identifier Type Last Change ------------------------------------------------------------------------------- 00:00:11:11:11:11 eES: Evpn 05/05/17 08:57:00 01:00:00:00:00:12:00:00:00:01 ---snip--- • Due to the aliasing function, the newly created EVPN-MPLS ES destination to ESI-12 has two next-hops (PE-2 and PE-3), to which PE-4 can load-balance the unicast traffic because ecmp 2 is configured in the VPLS-1 of PE-4.

  • Page 301

    Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 192.0.2.2 262141 05/05/2017 11:47:00 192.0.2.3 262141 05/05/2017 11:47:00 ------------------------------------------------------------------------------- Number of entries : 2 ------------------------------------------------------------------------------- =============================================================================== • PE-3 will show the CE-11 MAC address as learned locally in SAP lag-1:1 (because the data plane learning of the CE-11 MAC address happened in PE- 3).

  • Page 302

    EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Figure 43 EVPN-MPLS Single-Active Multi-Homing: Mass-Withdraw, Backup Path ESI34 PE-4 Withdraw EVI 1 EVI 2 PE-2 EVI 3 ESI34 EVI 1 EVI 2 EVI 3 EVI 1 EVI 2 EVI 3 PE-5...

  • Page 303

    Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 service sdp 46 mpls create far-end 192.0.2.6 no shutdown exit Ethernet segment “ESI-34” is configured on PE-4 as follows: configure service system bgp-evpn ethernet-segment "ESI-34" create esi 01:00:00:00:00:34:00:00:00:01 es-activation-timer 3 service-carving...

  • Page 304

    Although the ESI-label is always used in all-active multi-homing when sending BUM traffic between the PEs in the ES, it is configurable for single-active. However, Nokia recommends to use the default option (using ESI-label) to avoid potential transient issues when there is a DF switchover.

  • Page 305

    Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 ingress-replication-bum-label ecmp 2 auto-bind-tunnel resolution any exit no shutdown exit exit spoke-sdp 56:1 create no shutdown exit no shutdown In all-active multi-homing, the non-DF does not bring down the service SAP associated with the ES (it only removes it from the default-multicast-list).

  • Page 306

    EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 The local PW bits (pwFwdingStandby) are sent to MTU-6: *A:PE-4# show service id 1 sdp 46:1 detail | match Pw Local Pw Bits : pwFwdingStandby Peer Pw Bits : None Single-Active Multi-Homing Operation The same commands used in the...

  • Page 307

    Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 =============================================================================== Legend - Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid l - leaked, x - stale, > - best, b - backup, p - purge Origin codes : i - IGP, e - EGP, ? - incomplete ===============================================================================...

  • Page 308

    EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 =============================================================================== BGP EVPN-MPLS Dest TEP Info =============================================================================== TEP Address Egr Label Last Change Transport ------------------------------------------------------------------------------- 192.0.2.5 262141 05/05/2017 12:22:41 ------------------------------------------------------------------------------- Number of entries : 1 ------------------------------------------------------------------------------- =============================================================================== •...

  • Page 309

    Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 *A:PE-5# show service id 1 fdb detail =============================================================================== Forwarding Database, Service 1 =============================================================================== ServId Source-Identifier Type Last Change ------------------------------------------------------------------------------- 00:00:16:16:16:16 sdp:56:1 L/60 05/05/17 12:37:26 ---snip--- ------------------------------------------------------------------------------- Legend: L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf ===============================================================================...

  • Page 310

    EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Svc Carving : auto Oper Svc Carving : auto Cfg Range Type : primary =============================================================================== PE-5 is no longer the DF and the only DF candidate is PE-4: *A:PE-5# show service system bgp-evpn ethernet-segment name "ESI-34"...

  • Page 311

    Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 *A:PE-4# show service system bgp-evpn ethernet-segment name "ESI-34" evi 1 =============================================================================== EVI DF and Candidate List =============================================================================== SvcId Actv Timer Rem DF Last Change ------------------------------------------------------------------------------- yes 05/05/2017 13:24:58 =============================================================================== =============================================================================== DF Candidates...

  • Page 312

    EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 The following must be considered: • The DF election procedure is revertive, that is, when the failed SDP comes back up, PE-5 will take over again as DF and the network will re-converge. •...

  • Page 313

    Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 • EVPN macs with higher SEQ number • Lowest IP (next-hop IP of the EVPN NLRI) • Lowest eth-tag (will be normally zero) • Lowest RD •...

  • Page 314

    EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 BGP EVPN-MPLS Ethernet Segment Dest =============================================================================== Eth SegId Num. Macs Last Change ------------------------------------------------------------------------------- 01:00:00:00:00:12:00:00:00:01 05/05/2017 14:00:24 =============================================================================== =============================================================================== BGP EVPN-MPLS Dest TEP Info =============================================================================== TEP Address Egr Label Last Change Transport...

  • Page 315

    Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 Table 4 Comparing EVPN Multi-homing and BGP Multi-homing (Continued) VPN Requirements EVPN-MH BGP-MH Comments Allows multiple SAPs or SDP-bindings per service on Through the use of the same site SHGs Boot timer and site(es)-...