Distributed denial-of-service (DDoS) attacks can be a major threat to the availability...
Pseudowire, MPLS pseudowires, and the MPLS L2 VPN Configuration
The PW is also an industry term for the transport of any frames over an MPLS network using MPLS to encapsulate and LDP as a signaling mechanism. Cisco calls this AToM for Any Transport over MPLS and this is the building block of the Layer 2 VPNs over MPLS .
Although PW is defined to run over PSN such IPv4 or IPv6 networks, Layer 2 Tunneling Protocol (L2TPv3) networks, MPLS is now commonly used for this purpose. Therefore, we will focus on the explanation and configuration of PW related to MPLS-based pseudowires.
PW is a connection between two provider edge (PE) devices that connects two attachment circuits (AC) (Figure 1). The AC part carries the customer traffic in native form, e.g., Ethernet frames with/without VLAN tagging (RFC 4448), legacy services such as ATM (RFC 4717, 4816), Frame-Relay (RFC 4619), etc.
Figure 1 – Pseudowire Emulation (provider) Edge to Edge PWE3 Reference Model (RFC 3916)
Pseudowires can be used to deliver two types of services to end-users:
- Virtual Private LAN Service (VPLS)
- Virtual Private Wire Service (VPWS)
VPLS emulates a LAN over an MPLS network, so different sites share the Ethernet broadcast domain. MPLS tunnel is set up between every pair of PEs (full-mesh).
VPWS is an L2 point-to-point service provisioned by Layer 2 VPN, which delivers the virtual equivalent of a leased line. Any Transport Over MPLS (AToM) is Cisco’s implementation of VPWS for IP/MPLS networks.
Native packets or frames that are received on ingress PE are encapsulated with two MPLS labels (tunnel and VC) and sent across PWs to the egress PE router (Picture 2):
- Tunnel/transport label (top label)
- VC/VPN label (bottom label)
The ingress PE router first pushes the VC label on the frame and then the tunnel label. The MPLS packet is forwarded based on tunnel label hop by hop until it reaches the egress PE. In our case, the tunnel label is number 18 (Figure 2). It is worth saying that when the egress PE router receives an MPLS packet, the tunnel (the topmost) label is already removed by the PE router due to Penultimate-Hop-Popping (PHP) behavior. Therefore, only the VC label is presented within the MPLS packet.
|NOTE: The tunnel label is derived through the Label Distribution Protocol (LDP).|
VC label identifies a particular circuit (PW) in a tunnel and egress AC on the egress PE. This label is on the bottom of the label stack. When the egress PE router receives the packet from Pseudowire, it looks up the VC label in the forwarding information base, removes the VC label (label 21), and forwards the frame to AC.
|NOTE: P routers are completely unaware of customers’ network. They just forward frames based on the top MPLS label.|
Figure 2 – Pseudowires Encapsulation on Ingress PE (Router PE-1 on Figure 3)
MPLS L2 VPN Configuration
The Layer 2 connection is extended through the service provider’s (SP) MPLS network (routers R2 – R5 (Figure 3). The L2 MPLS VPN tunnel between R2 and R5 bridges two Layer 2 domains: CE1-PE1 and CE2-PE2. The tunnel is identified by the virtual circuit (VC) ID 10 (Picture 4).
|NOTE: There is no layer 3 relationship between CE and PE routers; the connection is the layer 2 type. Therefore, PEs have no IP addresses configured on the interfaces facing CE, and the PE routers are completely transparent to the EIGRP routing protocol configured on CE routers.|
Figure 3 – MPLS Layer 2 VPN
Traffic that is coming through the interface Gi0/0 on R2 is encapsulated and pushed to R5 with two labels (Figure 4).
The bottom (VC) label identifies the tunnel; R2 uses label 21 given by R5 and a local label 16. Similarly, R5 uses the label 16 given by R2. This is because MPLS LSPs are unidirectional by default, so we need two of them in opposite directions to enable bidirectional communication. The top (tunnel) label 18 is to move traffic from R2 to R5.
In terms of CE routers (R1 and R6), they appear to be directly connected by a single L2 circuit. The IP addresses configured on their Gi0/0 interface are assigned from the same subnet 10.0.0.0/30.
Figure 4 – VC Info for Circuit Transport Over MPLS from the PE-1 Perspective
The routers R1 and R6 are routing peers, and they build their EIGRP peer relationship through the point-to-point L2 VPN tunnel. The peer R6 learns about networks 192.168.1.0/24 and 184.108.40.206/32 from the EIGRP Update message received from R1. Similarly, R1 learns about 192.168.2.0/24 and 220.127.116.11/32 from R6 (Figure 5).
Figure 5 – EIGRP Routes on R1 advertised by R6
Most of the configuration is done on the PE routers. Initial PE configuration includes enabling mpls globally and for the Ethernet interface toward P router, setting up a loopback for OPSF router ID and configuring OSPF for MPLS.
Finally, we will create a new pseudo-class and select mpls encapsulation for the class. Once we create a pseudowire class, we will use the xconnect command pointing to the IP address of the remote PE router (R5) along with VC ID (10) and the already configured pseudo class for the interface connected to the CE router (Gi0/0).
pseudowire-class R1_L2-R6_L2 encapsulation mpls interface Loopback0 ip address 18.104.22.168 255.255.255.255 interface GigabitEthernet0/0 no ip address xconnect 22.214.171.124 10 encapsulation mpls pw-class R1_L2-R6_L2 interface GigabitEthernet0/1 ip address 126.96.36.199 255.255.255.0 mpls ip router ospf 1 network 188.8.131.52 0.0.0.0 area 0 network 184.108.40.206 0.0.0.255 area 0
|NOTE: In the case of L2TPv3, encapsulation l2tpv3 is used under the pseudowire-class command.|
Configuration of MPLS core is pretty straightforward; we only enable MPLS switching on the interfaces toward PE and P routers and OSPF. Make sure that LDP router ID is forced to a loopback interface.
interface Loopback0 ip address 220.127.116.11 255.255.255.255 interface GigabitEthernet0/0 ip address 18.104.22.168 255.255.255.0 mpls ip interface GigabitEthernet0/1 ip address 22.214.171.124 255.255.255.0 mpls ip router ospf 1 network 126.96.36.199 0.0.0.0 area 0 network 188.8.131.52 0.0.0.255 area 0 network 184.108.40.206 0.0.0.255 area 0
We can test the PW section of AToM VC with MPLS LSP ping from the R2 router (Figure 6).
Figure 6 – MPLS LSP Ping to Test PW Section of AToM
Customer devices require configuration of the loopback interface so that EIGRP can select the IP on that interface as the router-id and configuration of EIGRP itself.
Cinterface Loopback0 ip address 220.127.116.11 255.255.255.255 interface Loopback1 ip address 192.168.1.1 255.255.255.0 interface GigabitEthernet0/0 ip address 10.0.0.1 255.255.255.252 router eigrp 1 network 18.104.22.168 0.0.0.0 network 10.0.0.0 0.0.0.3 network 192.168.1.0
Finally, we will test the emulated circuit between CE devices with the ping command (Figure 7).
Figure 7 – Ping to Test Emulated Circuit
If a customer is attached to a Service Provider with an existing MPLS backbone, AToM may be a good L2 VPN option to transfer traffic between the customer’s endpoints. Service providers do not need to invest in separate Layer 2 devices.
However, where there is no MPLS-enabled network, L2TPv3 can be used to provide L2 VPN services.
Both options support Ethernet, PP, HDLC, TDM, FR, and ATM technologies.
Boost BGP Preformance
Automate BGP Routing optimization with Noction IRP
SUBSCRIBE TO NEWSLETTER
You May Also Like
Diverting DDoS traffic using the FlowSpec redirect via VRF capability. Configuration example.
In the previous article, we described different DDoS attacks and their impact on network infrastructure. We focused on...
BGP traffic rerouting, Flowspec, and the DDoS Scrubbing Centers
When it comes to distributed denial-of-service (DDoS) attacks, they are far from a downward trend. Although the...
Optimizing BGP convergence
When there is a change in the reachability of one or more prefixes, BGP needs to do some work to adapt to that change...