irp demo
Request Noction IRP Demo

Request a personalized demo/review session of our Intelligent Routing Platform

irp trial
Start Noction IRP Trial

Evaluate Noction IRP, and see how it meets your network optimization challenges

nfa demo
Noction Flow Analyzer Demo

Schedule a one-on-one demonstration of our network traffic analysis product

nfa trial
Free Noction Flow Analyzer Trial

Test drive NFA today with your own fully featured 30-day free trial

Pseudowire, MPLS pseudowires, and the MPLS L2 VPN Configuration

PseudowireIn general, a Pseudowire (PW) is an emulation of a point-to-point connection over a packet-switched network (PSN). To put it simply, PW is an emulated circuit.

The PW is also an industry term for the transport of any frames over an MPLS network using MPLS to encapsulate and LDP as a signaling mechanism. Cisco calls this AToM for Any Transport over MPLS and this is the building block of the Layer 2 VPNs over MPLS [1].

Although PW is defined to run over PSN such IPv4 or IPv6 networks, Layer 2 Tunneling Protocol (L2TPv3) networks, MPLS is now commonly used for this purpose.  Therefore, we will focus on the explanation and configuration of PW related to MPLS-based pseudowires.

PW is a connection between two provider edge (PE) devices that connects two attachment circuits (AC) (Figure 1). The AC part carries the customer traffic in native form, e.g., Ethernet frames with/without VLAN tagging (RFC 4448), legacy services such as ATM (RFC 4717, 4816), Frame-Relay (RFC 4619), etc.


Pseudowire Emulation

Figure 1 – Pseudowire Emulation (provider) Edge to Edge PWE3 Reference Model (RFC 3916)

Pseudowires can be used to deliver two types of services to end-users:

  • Virtual Private LAN Service (VPLS)
  • Virtual Private Wire Service (VPWS)

VPLS emulates a LAN over an MPLS network, so different sites share the Ethernet broadcast domain. MPLS tunnel is set up between every pair of PEs (full-mesh).

VPWS is an L2 point-to-point service provisioned by Layer 2 VPN, which delivers the virtual equivalent of a leased line. Any Transport Over MPLS (AToM) is Cisco’s implementation of VPWS for IP/MPLS networks.

Native packets or frames that are received on ingress PE are encapsulated with two MPLS labels (tunnel and VC) and sent across PWs to the egress PE router (Picture 2):

  • Tunnel/transport label (top label)
  • VC/VPN label (bottom label)

The ingress PE router first pushes the VC label on the frame and then the tunnel label. The MPLS packet is forwarded based on tunnel label hop by hop until it reaches the egress PE. In our case, the tunnel label is number 18 (Figure 2). It is worth saying that when the egress PE router receives an MPLS packet, the tunnel (the topmost) label is already removed by the PE router due to Penultimate-Hop-Popping (PHP) behavior.  Therefore, only the VC label is presented within the MPLS packet.

NOTE: The tunnel label is derived through the Label Distribution Protocol (LDP).

VC label identifies a particular circuit (PW) in a tunnel and egress AC on the egress PE. This label is on the bottom of the label stack. When the egress PE router receives the packet from Pseudowire, it looks up the VC label in the forwarding information base, removes the VC label (label 21), and forwards the frame to AC.

NOTE: P routers are completely unaware of customers’ network. They just forward frames based on the top MPLS label.

Pseudowires Encapsulation

Figure 2 – Pseudowires Encapsulation on Ingress PE (Router PE-1 on Figure 3)

MPLS L2 VPN Configuration

The Layer 2 connection is extended through the service provider’s (SP) MPLS network (routers R2 – R5 (Figure 3).  The L2 MPLS VPN tunnel between R2 and R5 bridges two Layer 2 domains: CE1-PE1 and CE2-PE2. The tunnel is identified by the virtual circuit (VC) ID 10 (Picture 4).

NOTE: There is no layer 3 relationship between CE and PE routers; the connection is the layer 2 type. Therefore, PEs have no IP addresses configured on the interfaces facing CE, and the PE routers are completely transparent to the EIGRP routing protocol configured on CE routers.

MPLS Layer 2 VPN

Figure 3 – MPLS Layer 2 VPN

Traffic that is coming through the interface Gi0/0 on R2 is encapsulated and pushed to R5 with two labels (Figure 4).

The bottom (VC) label identifies the tunnel; R2 uses label 21 given by R5 and a local label 16. Similarly, R5 uses the label 16 given by R2. This is because MPLS LSPs are unidirectional by default, so we need two of them in opposite directions to enable bidirectional communication. The top (tunnel) label 18 is to move traffic from R2 to R5.

In terms of CE routers (R1 and R6), they appear to be directly connected by a single L2 circuit. The IP addresses configured on their Gi0/0 interface are assigned from the same subnet

L2 VPN tunnel

Figure 4 – VC Info for Circuit Transport Over MPLS from the PE-1 Perspective

The routers R1 and R6 are routing peers, and they build their EIGRP peer relationship through the point-to-point L2 VPN tunnel. The peer R6 learns about networks and from the EIGRP Update message received from R1. Similarly, R1 learns about and from R6 (Figure 5).

EIGRP Routes

Figure 5 – EIGRP Routes on R1 advertised by R6

PE1 Configuration

Most of the configuration is done on the PE routers. Initial PE configuration includes enabling mpls globally and for the Ethernet interface toward P router, setting up a loopback for OPSF router ID and configuring OSPF for MPLS.

Finally, we will create a new pseudo-class and select mpls encapsulation for the class. Once we create a pseudowire class, we will use the xconnect command pointing to the IP address of the remote PE router (R5) along with VC ID (10) and the already configured pseudo class for the interface connected to the CE router (Gi0/0).

pseudowire-class R1_L2-R6_L2
 encapsulation mpls

interface Loopback0
 ip address
interface GigabitEthernet0/0
 no ip address
 xconnect 10 encapsulation mpls pw-class R1_L2-R6_L2
interface GigabitEthernet0/1
 ip address
 mpls ip 

router ospf 1
 network area 0
 network area 0
NOTE: In the case of L2TPv3, encapsulation l2tpv3 is used under the pseudowire-class command.

P Configuration

Configuration of MPLS core is pretty straightforward; we only enable MPLS switching on the interfaces toward PE and P routers and OSPF. Make sure that LDP router ID is forced to a loopback interface.

interface Loopback0
 ip address

interface GigabitEthernet0/0
 ip address
 mpls ip  
interface GigabitEthernet0/1
 ip address
 mpls ip  

router ospf 1
 network area 0
 network area 0
 network area 0

We can test the PW section of AToM VC with MPLS LSP ping from the R2 router (Figure 6).


Figure 6 – MPLS LSP Ping to Test PW Section of AToM

CE1 Configuration

Customer devices require configuration of the loopback interface so that EIGRP can select the IP on that interface as the router-id and configuration of EIGRP itself.

Cinterface Loopback0
 ip address

interface Loopback1
 ip address

interface GigabitEthernet0/0
 ip address

router eigrp 1

Finally, we will test the emulated circuit between CE devices with the ping command (Figure 7).

Ping to Test Emulated Circuit

Figure 7 – Ping to Test Emulated Circuit


If a customer is attached to a Service Provider with an existing MPLS backbone, AToM may be a good L2 VPN option to transfer traffic between the customer’s endpoints. Service providers do not need to invest in separate Layer 2 devices.

However, where there is no MPLS-enabled network, L2TPv3 can be used to provide L2 VPN services.

Both options support Ethernet, PP, HDLC, TDM, FR, and ATM technologies.

Boost BGP Performance

Automate BGP Routing optimization with Noction IRP

bgp demo


You May Also Like

ACK and NACK in Networking

ACK and NACK in Networking

In networking, communication between devices relies on the efficient exchange of data packets. Among the essential...

BGP and asymmetric routing

BGP and asymmetric routing

What is asymmetric routing? Asymmetric routing is a network communication scenario where the forward and reverse paths...