Routehub TUNNEL L2VPN PDF

Layer 2 VPN (L2VPN)
Tunneling: L2VPN
Practical Cisco Training for Network Engineers & Consultants!
RouteHub Group, LLC

www.RouteHub.net
February 22, 2009
Preface i
ROUTEHUB GROUP END-USER LICENSE AGREEMENT
END USER LICENSE FOR ONE (1) PERSON ONLY

IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS,
DO NOT OPEN OR USE THE TRAINING MATERIALS.
IMPORTANT! BE SURE TO CAREFULLY READ AND UNDERSTAND ALL OF THE RIGHTS AND RESTRICTIONS
SET FORTH IN THIS END-USER LICENSE AGREEMENT ("EULA"). YOU ARE NOT AUTHORIZED TO USE THIS
NETWORK CONFIGURATION GUIDE/TRAINING UNLESS AND UNTIL YOU ACCEPT THE TERMS OF THIS EULA.
This EULA is a binding legal agreement between you and ROUTEHUB GROUP, LLC (hereinafter "Licensor") for the
materials accompanying this EULA, including the accompanying computer Network Configuration Guide/Training, associated
media, printed materials and any "online" or electronic documentation (hereinafter the "Network Configuration Guide/Training").
By using the Network Configuration Guide/Training, you agree to be bound by the terms of this EULA. If you do not agree to
the terms of this EULA, do not install or attempt to use the Network Configuration Guide/Training.
The Guide & Training Materials shall be used by only ONE (1) INDIVIDUAL who shall be the sole individual authorized
to use the Guide & Training Materials throughout the term of this License.
1. Grant of License
The Network Configuration Guide/Training is protected by copyright laws and international copyright treaties, as well as
other intellectual property laws and treaties. The Network Configuration Guide/Training is licensed, not sold. This EULA grants
you the following rights:
A. You may use, access, display and run only one copy of the Network Configuration Guide/Training, on a single
computer, workstation or terminal ("Computer"). The primary user of the Computer on which the Network Configuration
Guide/Training is installed may make a second copy for his or her exclusive use for archival purposes only.
B. You may store or install a copy of the Network Configuration Guide/Training on a storage device, such as a
network server, used only to run the Network Configuration Guide/Training on your other Computers over an internal network.
You must, however, acquire a license for each separate Computer on which the Network Configuration Guide/Training is run,
displayed or utilized from the server or similar device. A license for the Network Configuration Guide/Training may not be
shared or used concurrently on different Computers.
C. Your license rights under this EULA are non-exclusive. All rights not expressly granted herein are reserved by
Licensor.
D. You may not sell, transfer or convey the Network Configuration Guide/Training to any third party without
Licensor's prior express written consent.
2. Price and Payment
If you have not previously paid the license fee for the Network Configuration Guide/Training, then you must pay the
license fee within the period indicated in the applicable invoice sent to you by Licensor.
3. Support Services
This EULA is a license of the Network Configuration Guide/Training only, and Licensor does not assume any obligation
to provide maintenance, patches or fixes to the Network Configuration Guide/Training. Licensor further disclaims any obligation
to provide support or to prepare and distribute modifications, enhancements, updates and new releases of the Network
Configuration Guide/Training.
4. Replacement, Modification and/or Upgrades
Licensor may, from time to time, and for a fee, replace, modify or upgrade the Network Configuration Guide/Training.
When accepted by you, any such replacement or modified Network Configuration Guide/Training code or upgrade to the
Network Configuration Guide/Training will be considered part of the Network Configuration Guide/Training and subject to the
terms of this EULA (unless this EULA is superceded by a further EULA accompanying such replacement or modified version of
or upgrade to the Network Configuration Guide/Training).
ii
Preface
5. Termination
You may terminate this EULA at any time by destroying all your copies of the Network Configuration Guide/Training.
Your license to the Network Configuration Guide/Training automatically terminates if you fail to comply with the terms of this
agreement. Upon termination, you are required to remove the Network Configuration Guide/Training from your computer and
destroy any copies of the Network Configuration Guide/Training in your possession. No refund with the product will be
granted.
6. Copyright
A. All title and copyrights in and to the Network Configuration Guide/Training (including but not limited to any
images, photographs, animations, video, audio, music and text incorporated into the Network Configuration Guide/Training),
the accompanying printed materials, and any copies of the Network Configuration Guide/Training, are owned by Licensor or its
suppliers. This EULA grants you no rights to use such content. If this Network Configuration Guide/Training contains
documentation that is provided only in electronic form, you may print one copy of such electronic documentation. Except for
any copies of this EULA, you may not copy the printed materials accompanying the Network Configuration Guide/Training.
B. You may not reverse engineer, de-compile, disassemble, alter, duplicate, modify, rent, lease, loan, sublicense,
make copies of, create derivative works from, distribute or provide others with the Network Configuration Guide/Training in
whole or part, transmit or communicate the application over a network.
7. Export Restrictions
You may not export, ship, transmit or re-export Network Configuration Guide/Training in violation of any applicable law
or regulation including but not limited to Export Administration Regulations issued by the U. S. Department of Commerce.
8. Disclaimer of Warranties
LICENSOR AND ITS SUPPLIERS PROVIDE THE NETWORK CONFIGURATION GUIDE/TRAINING "AS IS" AND
WITH ALL FAULTS, AND HEREBY DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, EITHER EXPRESS,
IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO ANY (IF ANY) IMPLIED WARRANTIES OR CONDITIONS
OF MERCHANTABILITY, OF FITNESS FOR A PARTICULAR PURPOSE, OF LACK OF VIRUSES, AND OF LACK OF
NEGLIGENCE OR LACK OF WORKMANLIKE EFFORT. ALSO, THERE IS NO WARRANTY OR CONDITION OF TITLE, OF
QUIET ENJOYMENT, OR OF NONINFRINGEMENT. THE ENTIRE RISK ARISING OUT OF THE USE OR PERFORMANCE
OF THE NETWORK CONFIGURATION GUIDE/TRAINING IS WITH YOU.
9. Limitation of Damages
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR OR ITS
SUPPLIERS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, DIRECT, INDIRECT, SPECIAL, PUNITIVE OR OTHER
DAMAGES WHATSOEVER ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE
NETWORK CONFIGURATION GUIDE/TRAINING AND WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT
LIABILITY OR OTHERWISE, EVEN IF LICENSOR OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES. THIS EXCLUSION OF DAMAGES WILL BE EFFECTIVE EVEN IF ANY REMEDY FAILS OF ITS
ESSENTIAL PURPOSE.
10. Arbitration
Any dispute arising under this EULA will be subject to binding arbitration by a single Arbitrator with the American
Arbitration Association (AAA), in accordance with its relevant industry rules, if any. The parties agree that this EULA will be
governed by and construed and interpreted in accordance with the laws of the State of California. The arbitration will be held in
California. The Arbitrator will have the authority to grant injunctive relief and specific performance to enforce the terms of this
EULA. Judgment on any award rendered by the Arbitrator may be entered in any Court of competent jurisdiction.
11. Severability
If any term of this EULA is found to be unenforceable or contrary to law, it will be modified to the least extent necessary
to make it enforceable, and the remaining portions of this Agreement will remain in full force and effect.
12. No Waiver
Preface iii
No waiver of any right under this EULA will be deemed effective unless contained in writing signed by a duly authorized
representative of the party against whom the waiver is to be asserted, and no waiver of any past or present right arising from
any breach or failure to perform will be deemed to be a waiver of any future rights arising out of this EULA.
13. Entire Agreement
This EULA constitutes the entire agreement between the parties with respect to its subject matter, and supersedes all
prior agreements, proposals, negotiations, representations or communications relating to the subject matter. Both parties
acknowledge that they have not been induced to enter into this EULA by any representations or promises not specifically
stated herein.
iv
Preface
Table of Contents
1 Introduction 6
2 Configuration 7
2.1 L2TPv3 7
2.1.1 Concepts 7
2.1.2 L2TPv3 using Static Tunnels 9
2.2 EoMPLS 18
2.2.1 Concepts 18
2.2.2 EoMPLS for Hub-and-Spoke WAN 19
2.3 VPLS 29
2.3.1 Concepts 29
2.3.2 VPLS (VLAN-Based) 30
2.3.3 VPLS (QinQ or Port-Based) 43
3 Monitor 54
3.1 Troubleshooting Tips 54
3.1.1 Root Causes 54
3.1.2 Initial questions to ask 54
3.1.3 Typical fixes 55
4 Full Configuration 56
4.1 L2TPv3 56
4.1.1 L2TPv3 using Static Tunnels 56
4.2 EoMPLS 63
4.2.1 EoMPLS for Hub-and-Spoke WAN 63
Preface v
1 Introduction
Many sites focus on providing training towards certifications or exams. These are important
for career development as we possess the CCIE, CCNP, and CCNA certifications. So we
know that they are very valuable to your network engineering career, however, they do not
teach practical network training relevant for network engineers and consultants in the real
world.
This is what our training format is based upon providing practical solutions and technologies
that are deployed in real working environment. Our training workbooks provide four major
components for learning.
Concepts
Design
Configuration
Monitor
Learn the concepts that matter in terms of the components and protocols involved for a
technology's operation.
Learn how to design a network solution with practical steps, considerations, and tools for
your company or clients.
Learn how to configure a network with best practices and get operational step-by-step. We
also include full working configuration files of the network design.
Learn how to monitor, troubleshoot, and confirm the operational state of your configured
network.
All four are important for network engineers and consultants to know how to manage a
network in real time.
RouteHub Group, LLC Page 6 www.routehub.net

2 Configuration
2.1 L2TPv3
2.1.1 Concepts
L2TPv3 (Layer 2 Tunneling Protocol Version 3) is a Layer 2 VPN (L2VPN) Tunneling
technology that operates differently than MPLS VPN.
MPLS VPN is an example of a Layer 3 VPN (L3VPN) Tunneling technology where isolated
routing domains for multiple clients on the same Service Provider network exist using VRF
technology. MPLS provides the ability to scale large number of VRF domains and has
mechanisms for forwarding MPLS packets throughout an MPLS infrastructure.
A L2VPN tunnel is basically a virtual connection between two sites that is seen as if the two
sites are directly connected together.
Unlike L3VPN tunnels like MPLS, CE sites may have multiple IP next-hops to reach their
destinations. For dynamic routing CE devices would peer with its locally connected PE
router.
L2VPN tunnels allow us to provide a direct point-to-point connection between devices as if

they are directly connected with only one hop. This configuration can provide a good
perspective of what the configuration is for other point-to-point connections like T1s, DS3, or
Optical connections like OC3 and OC12.
L2VPN configuration is only needed on our PE or Aggregation routers, where our provider
core is acting as a transit area for high-speed switching for the network. Similar to MPLS
where VRF and MP-BGP are configured on the PE routers.
L2TPv3 consist of the following components:
MODE
CLASSES
XCONNECT
VC ID
MODE
When a L2VPN tunnel like a L2TPv3 tunnel is built it can be configured in one of three
available modes:
(1) Manual
(2) Manual with Keepalives
(3) Dynamic

Manual means we can configure our L2VPN tunnels statically between two sites similar to
MPLS TE using static tunnels. Where the dynamic mode can be configured to build L2VPN
tunnels between other sites automatically within minimal configuration, which is similar to
MPLS TE using dynamic tunnels.
CLASSES
Two classes are configured with L2TP. A L2TP class is configured for the control channel
parameters. Treat the L2TP class similar to other control sessions like Voice Call Signaling
or even the D channel with a BRI or PRI connection. The L2TP class is responsible for
controlling and managing the L2TPv3 tunnel that is built from point A to point B. L2TP class
configuration requires configuring a cookie value represented in Bytes.
The second class is the pseudo-wire class that defines the details of the L2VPN tunnel that is
being built such as the MODE, the encapsulation type, and the interface that would be used
for establishing and terminating the L2TPv3 tunnel.
XCONNECT
This is the configuration needed for building or attaching the Layer 2 tunnel between two PE
or Aggregation points within an ISP network. The configuration associates the two classes
that are pre-configured including the unique local and remote VC IDs. The cookie value that
is configured within the L2TP class is also included.
VC ID
This is the unique identifier that is labeled for the L2VPN tunnel for what the local ID will be
and what the remote ID is. It's good to keep the numbers consistent and standardized.

2.1.2 L2TPv3 using Static Tunnels
Step 1: NETWORK DESIGN

The network design for using static L2TPv3 tunnels across our Service Provider network will
consist of the following details:
Requirements:
Create a point-to-point connection between two client sites for routing and switching
services.
The two sites should be able to communicate with one another (routing and traffic).
Technical Objectives:
Performance: the bandwidth services utilized within our network will be FastEthernet
since traffic usage will be minimal and this is a test setup. No voice or video traffic
will exist across our network.
Reliability: hardware redundancy is not included in this design since the SLA
requirements are low and it is a test setup for our L2TPv3 design. If any component
within our ISP fails then our entire network will be inaccessible for our two sites.
Scalability: no requirements for scalability are outlined and we are glad because we
would encounter some scalability issues.
Security: L2VPN like L3VPN tunnels provides a lot of security within its technology
preventing the other traffic to be injected within this virtual connection.
Flexibility: Additional services that may be included at this time.
Network Management: No initial monitoring is needed today, but the network will be
managed by a consulting group.
Topology:
Solutions used in our design: WAN/MAN. From the two, we would be a MAN
solution since Ethernet will be our technology used across our ISP network and the
distances are shorter.
Topology: our WAN/MAN topology will be a 2Tier model with a Core and 2
Aggregation routers. Our MAN Core will be our MPLS P router and our MAN AGG
will be our MPLS PE1 and PE2 routers. Each PE router will connect to one of the
CE sites.
Topology Services and Sub-Services

Tunneling using L2VPN L2TPv3 is used for creating a point-to-point connection
between two client sites for routing and switching services.
Routing & Switching using OSPF (routing used within our ISP network) and EIGRP
(configured among our CE sites).
L2TPv3 Sub-Services to include: Static L2VPN tunnel (or manual built tunnel) to
allow us to specify how and where the tunnel would be built.
Bandwidth Services among our MAN will consist of Fast Ethernet connections for all
devices including downlinks to our two CE devices since the anticipated traffic rate is
below FE bandwidth rates of 100Mbps.
Our IP Schema developed is a standard that will use the 10.0.0.0 /8 subnet with a
specific usage for each octet
Hardware & Software:

Cisco 3660 Series Routers running IOS 12.4 with the Advanced IP Services Feature
set to support the requirements and topology services.

Network Diagram
Step 2: BASIC CONFIGURATION

Below is the basic configuration for our Service Provider Aggregation routers within our ISP
network. A loopback interface will be configured as our management interface. Each
Provider Aggregation router will be connecting to one CE or client site.
ROUTEHUB-PE1
interface Loopback0
ip address 2.2.2.2 255.255.255.255
interface FastEthernet0/1
ip address 10.1.2.2 255.255.255.0
no shutdown
ROUTEHUB-PE2
interface Loopback0
ip address 3.3.3.3 255.255.255.255
ip address 10.1.3.3 255.255.255.0
no shutdown
Below is the basic configuration for our Service Provider Core router connecting the two
Aggregation routers together.
ROUTEHUB-P
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip address 10.1.2.1 255.255.255.0
no shutdown

ip address 10.1.3.1 255.255.255.0
no shutdown
Step 3: OSPF CONFIGURATION ON OUR PROVIDER NETWORK

The purpose of this configuration is to provide routing connectivity for all components within
our ISP network. This is important to have working in order for our L2VPN tunnels to be
established between our Aggregation routers.
Issuing router ospf followed by a process ID will enable OSPF routing on our device. The
Process ID or PID will be a unique ID that we have assigned to each device on our network.
Next we will enable logging for all OSPF neighbor events for useful troubleshooting when
needed. Next we will add the subnets for all the IP addresses we added for that specific
router. This configuration is important to allow our MPLS devices to form OSPF neighbors in
order to exchange routing information. ALL interfaces among our MPLS devices will exist
within the OSPF backbone network or AREA 0. The loopback interfaces will be added to
their own area unique again to their device ID.
Below is the basic configuration for our two PE routers on our network.
router ospf 2
log-adjacency-changes
network 2.2.2.2 0.0.0.0 area 2
network 10.1.2.0 0.0.0.255 area 0
router ospf 3
network 3.3.3.3 0.0.0.0 area 3
network 10.1.3.0 0.0.0.255 area 0
And below is the OSPF configuration for our Service Provider Core router.
router ospf 1
network 1.1.1.1 0.0.0.0 area 1
network 10.1.2.0 0.0.0.255 area 0
network 10.1.3.0 0.0.0.255 area 0

Step 4: L2TPV3 CONFIGURATION
The purpose of this configuration is to configure a L2VPN tunnel between two of our client
sites to resemble that they are directly connected.
Unlike L3VPN tunnels like MPLS, CE devices have many IP next-hops to reach their
destinations. L2VPN tunnels allow us to provide a direct point-to-point connection between
devices as if they are directly connected with only one hop. This configuration can provide a
good perspective of what the configuration is for other point-to-point connections with T1s or
other dedicated connections between sites.
L2TPv3 configuration only exist on our PE or Aggregation routers, where our provider core is
acting as a transit area for high-speed switching between our Aggregation routers.
The configuration for L2TPv3 will look different from L3VPN configuration, but they are
necessary for creating a unique L2VPN tunnel between only two participants or clients in our
case.
Let's first do the configuration for PE1 which is directly connected to client site, ROUTEHUB-
CE2. First we need to configure a L2TP class. Under this class we will use a cookie size of
4 bytes. Other values can be 4 or 8, the default is zero. 4 bytes tends to be a common value
for most small configuration for controlling the tunnel parameters and it's negotiation with the
other end.
l2tp-class manual
cookie size 4
Next, we will configure our pseudo-wire class that will specify the L2VPN protocol or
encapsulation we will use including other session details. In our case we will configure
L2TPv3.
Next we need to configure our L2VPN tunnel to act in manual mode. The other modes we
could use are manual, manual with keepalive, and dynamic. We will choose manual because
we will manually specify the details of our L2Tv3 tunnel on both ends.
The syntax field "protocol" can be l2tpv3 or none. We would use "none" which will specify
use of the manual mode for our tunnel. We will also specify that our L2VPN tunnel between
our CE sites will be established using the loopback interface IP for better reliability and
management of our tunnel.
pseudowire-class manual
encapsulation l2tpv3
protocol none
ip local interface Loopback0
Next, we will configure our L2TPv3 tunnel to PE2, which is directly connected to CE1. Here,
on our PE1 router CE2 is connected to FastEthernet0/0, but no IP address is configured.
That's right because this is a L2 interface with no L3 presence needed on this interface. That
will be handled by the client. We are only building or extending the LAN for CE2 across our
ISP network to CE1.
The "xconnect" is the actual configuration that builds our L2VPN tunnel to the other side. It
tells us to build the tunnel to 3.3.3.3, which is the loopback interface IP address for PE2. The
configuration for xconnect will use the two pre-configured classes we just completed and the
remote VC ID of 1.

The other l2tp details are the unique IDs and keepalives used for our L2VPN tunnel,
components under our xconnect configuration. Here we are specifying what our unique ID or
VC ID will be locally and what the remote ID is. In our case, our local ID will be 1 and the
remote site also be 1. This will keep our configuration simplified and we can use a VC
numbering standard for different clients for better management. And last, we will configure
an l2tp cookie for local and remote being the same values. 4 represents our cookie size of 4
bytes that we recently configured from the L2TP class and the second number is the unique
VC ID we configured for our tunnel.
As a recap below defines what that configuration would look like.
no ip address
duplex auto
speed auto
xconnect 3.3.3.3 1 encapsulation l2tpv3 manual pw-class manual
l2tp id 1 1
l2tp cookie local 4 1
l2tp cookie remote 4 1
l2tp hello manual
Next, we would configure the other end of our L2TPv3 tunnel on PE2, which would be
identical to our configuration from PE1. However, this time our L2VPN tunnel would be
established to PE1 using loopback interface IP 2.2.2.2.
CE1 would be connected to the interface FastEthernet0/0 on our PE2 router.
To be consistent we will keep all of our IDs the same for better results and management.
l2tp-class manual
cookie size 4
protocol none
no ip address
duplex auto
speed auto
l2tp id 1 1
l2tp hello manual
For verification, there are many commands to confirm if the L2TPv3 tunnel is up. Two of
them are the following:
show l2tun tunnel all

show xconnect all
These commands will show that we have our L2VPN tunnel up and running on both ends.
Do this first before continuing with the configuration of our CE devices.

Step 5: CE CONFIGURATION
Once we have confirmed that our L2VPN tunnel is up and running between all devices our
clients can start its configuration for connectivity.
No L2VPN configuration is needed or required on CE devices similar to MPLS VPNs.
This is essentially what the configuration looks like from the client side (on their Client Edge
or CE device). The configuration enables all IP addressing based on the network diagram.
For both CE devices, the FA0/0 interface will be part of the same IP subnet, 10.4.5.0 /24 just
like any other point-to-point subnet.
Below is the configuration for CE1:
ROUTEHUB-CE1
interface Loopback0
ip address 4.4.4.4 255.255.255.255
ip address 10.4.5.4 255.255.255.0
ROUTEHUB-CE2
interface Loopback0
ip address 5.5.5.5 255.255.255.255
ip address 10.4.5.5 255.255.255.0
Before continuing confirm that CE1 and CE2 can ping there virtually directly connected IP
address. For example, from CE1 confirm we can ping 10.4.5.5. And versa for CE2 before
we enable IP routing between our two sites.

Step 6: EIGRP ROUTING ON CE DEVICES
Once we confirm that both CE devices can ping each other's LAN interface then we can
enable EIGRP routing between other devices to exchange routing information.
Doing this configuration will create an EIGRP peer between the two CE routers. We will add
its local LAN subnet and loopback interface subnet for route advertisement and neighbor
establishment.
Below is the configuration for CE1 and CE2:
ROUTEHUB-CE1
router eigrp 1
network 4.4.4.4 0.0.0.0
network 10.4.5.0 0.0.0.255
no auto-summary
no eigrp log-neighbor-changes
ROUTEHUB-CE2
router eigrp 1
network 5.5.5.5 0.0.0.0
network 10.4.5.0 0.0.0.255
no auto-summary
To confirm that the operation is working, we can issue the command "show ip eigrp neighbor"
first to confirm if we have an EIGRP neighbor established.
Second, we can issue the command "show ip route" to view all routes learned (or configured)
in our global routing table.

Step 7: Monitor
2.1.2.7.1 show xconnect all

Use this command to view and confirm if all configured L2VPN tunnels configured on a
device are up and running.
The command will also show that our L2VPN tunnel is really composed of two segments,
which makes sense for a point-to-point connection. Where Segment 1 is our local end of the
tunnel being built out of interface FA0/0, which is the interface directly to connected to one of
our CE devices. Our end shows an UP status listed under S1.
For the second Segment or Segment 2, that is the tunnel built via L2TP to device 2.2.2.2
(loopback IP for PE1). That segment shows that the tunnel is UP listed under S2.
Therefore, under "XC ST" it will show that our L2VPN tunnel from end-to-end is UP, so we
have a functional L2VPN tunnel configured.
You can also use this command to confirm that our tunnel is being established to the correct
interfaces, protocols, and destination IP addresses especially if issues occur where the
tunnel is not coming up or not built correctly between two sites.
Below is a command from PE2

2.1.2.7.2 show l2tun tunnel
This command from PE1 shows similar information from the command "show xconnect all"
except it displays the information differently and provides other details.
This command shows that our L2VPN tunnel is established successfully listed under "State"
as "est" for Established. We see that the mode used is "manual" including the device name
and IP address of the destination device on the other side of the tunnel. In our case it would
be PE2 (using the loopback IP address).
Also when the L2VPN tunnel is being established a Tunnel ID is generated and would be
reflected here if needed for reference.
2.1.2.7.3 show l2tp session

This command similar to the other two commands we discussed shows what L2VPN tunnels
are established listed under "State" as "est" for Established including how long the tunnel has
been up. Good to use to confirm if the tunnel is flapping if there is connectivity issues for
between client sites.
We also see the L2TP VC ID information that we configured under xconnect listed here also
for reference.

2.2 EoMPLS
2.2.1 Concepts
Ethernet over MPLS (EoMPLS) is another L2VPN technology that allows client networks to
extend Layer 2 services (VLANs) across a Layer 3 network (running MPLS VPN).
EoMPLS creates a point-to-point L2VPN tunnel between two sites created from two PE
routers on the MPLS network. It establishes targeted LDP sessions between the two PE.
LDP neighbors are built between directly connected MPLS devices on the same broadcast
domain.
The configuration for implementing EoMPLS is very straight-forward and is supported on a lot
more hardware such as the Cisco 7200 series compared to VPLS which is limited and
requires high-end devices such as the Cisco 7600 router.
Using either EoMPLS, VPLS, or VPWS our CE device can simply be a Layer 2 or Layer 3
switch enabled for 802.1Q up to the MPLS provider to extend VLANs between the sites.
With the L2VPN tunnel built the CE will be able to exchange VTP and BPDU messages
between the sites as if there is a directly connected.
The downside of EoMPLS is management of building point-to-point tunnels across between

two sites. Plus we cannot enable point-to-multipoint L2VPN tunnels between more than 2
sites. We would need to use VPLS to accomplish that if VLANs need to be exchanged
between multiple sites.
Like L2TPv3, we would use the "xconnect" command for building these point-to-point L2VPN
tunnels using EoMPLS.

2.2.2 EoMPLS for Hub-and-Spoke WAN
Step 1: Network Design

In our design, we have a single client network with two locations. CE-H is our Headquarters
(HQ) site and CE-S is our WAN spoke. Both site's will connect into a IP WAN Provider that is
running MPLS VPN.
For the WAN, we will use Layer 2 over an existing Layer 3 network (using MPLS on the
Service Provider). To overlay layer 2 across the L3 network our Provider will use Ethernet
over MPLS (EoMPLS) to carry VLANs, BPDUs, and VTP messages between our client
locations.
Our client will extend three VLANs across the WAN. One will be for Internal Users (VLAN10,
on the 10.1.1.0 /24 subnet) and the other will be for Guest Users (VLAN100, 192.168.1.0 /24
subnet). We will also extend a third VLAN used for Network Management (VLAN199,
10.254.1.0 /24 subnet). This VLAN used between the two sites is used for management and
device access (telnet, ssh) to the network devices.
EoMPLS is an alternative over using VPLS, though, VPLS allows for better scalability and
allows for point-to-multipoint L2 services compared to EoMPLS which only supports point-to-
point L2 services.
Our CE-H site will use a Cisco Catalyst 3750 L3-switch and our CE-S site will use a Cisco
Catalyst 2960 L2-switch. We will have one computer from each network (Internal User VLAN
and the Guest User VLAN) connected to the CE-S switch shown in the network diagram
below. The computers default gateway will be the IP address that will be configured on
VLAN Layer 3 interface on our CE-H L3-switch.
Our MPLS routers (PE and P) will be Cisco 7206VXR routers running 12.4 (Service Provider
feature set) to support the feature EoMPLS).

Step 2: MPLS Configuration
First we will configure our Service Provider network for L3VPN using MPLS.
Below you will see configuration for the following:
Basic IP Information configured for all interfaces in our MPLS design

OSPF configuration advertising all subnets from the IP Addresses configured on the
interfaces. Our MPLS network will exist in AREA 0 and the loopback interface
network will exist in standard OSPF areas unique to that router's device ID.
MPLS configuration on all MPLS components (PE and P router) enabling to use LDP
as the label switching protocol.
ROUTEHUB-P
hostname ROUTEHUB-P1
ip cef
mpls ip
mpls label protocol ldp
mpls ldp router-id Loopback0 force
interface Loopback0
ip address 1.1.1.1 255.255.255.255
interface p1/0
ip address 10.1.2.1 255.255.255.0
mpls ip
no shutdown
interface p2/0
ip address 10.1.3.1 255.255.255.0
mpls ip
no shutdown
router ospf 1
network 1.1.1.1 0.0.0.0 area 1
network 10.1.2.0 0.0.0.255 area 0
network 10.1.3.0 0.0.0.255 area 0
ROUTEHUB-PE1
hostname ROUTEHUB-PE1
ip cef
mpls ip
interface Loopback0
ip address 2.2.2.2 255.255.255.255
interface p1/0
ip address 10.1.2.2 255.255.255.0
mpls ip

no shutdown
router ospf 2
network 2.2.2.2 0.0.0.0 area 2
network 10.1.2.0 0.0.0.255 area 0
ROUTEHUB-PE2
ip cef
mpls ip
interface Loopback0
ip address 3.3.3.3 255.255.255.255
interface p1/0
ip address 10.1.3.3 255.255.255.0
mpls ip
no shutdown
router ospf 3
network 3.3.3.3 0.0.0.0 area 3
network 10.1.3.0 0.0.0.255 area 0
Step 3: EoMPLS Configuration

In this configuration we will extend the user VLANs across the MPLS network to be used
between the two sites.
This is only configured on the two PE routers.
This configuration happens on the directly connected interface (or downlink interface) to our
CE devices. PE1 is connecting to CE-H and PE2 is connecting to CE-S.
1. For the downlink interface we will configure it to be a sub-interface for each VLAN
that will be used for our client network. Therefore, in our case we will have three
sub-interfaces (Internal, Guest, Management).
2. We will enable 802.1Q under that sub-interface matching the VLAN tag that is used
on the client end.
3. We will configure our EoMPLS tunnel between the two PE routers using the loopback
interface IP for that router that is learned via OSPF. This is essentially building a
direct LDP tunnel between our two PE routers (because of the syntax "encapsulation
mpls").
4. In the "xconnect" configuration we will specify a unique ID or VC ID for the EOMPLS
tunnel created for each sub-interface. The VC ID we will use will match our the
VLAN ID, but it doesn't have to be. If we have another client and they are using

VLAN10 then we can't use VC ID 10 because it's already in use. Therefore we need
to use some other number like "11" for our VC ID.
ROUTEHUB-PE1
no ip address
no shutdown
interface FastEthernet0/0.10
description S1 CEA VLAN 10
encapsulation dot1Q 10
xconnect 3.3.3.3 10 encapsulation mpls
ROUTEHUB-PE2
no ip address
no shutdown

Step 4: CE (Hub and Spoke) Configuration
The configuration for our CE devices will consist of basic network configuration and LAN
switching (VLAN, 802.1Q, VTP).
We will configure our CE-H device based on the following:
1. Configure the three VLANs for Internal Users, Guest users, and our Management
VLAN.
2. We will use VTP Transparent mode to prevent unauthorized VLAN additions or
changes on the network including specifying the name for our VTP domain (called
ROUTEHUB).
3. We will configure Layer 3 interfaces for our VLANs called SVI interfaces, which
allows our VLANs to be routable. The IP address configured on these SVI interfaces
will be the default gateway for our two computers at the remote site respectively to
access other network resources.
4. We will configure 802.1Q on our uplink interface to the MPLS network to carry the
VLAN tags for the three VLANs created on our network.
ROUTEHUB-CE-H
hostname ROUTEHUB-CE-H
ip routing
spanning-tree mode rapid-pvst

spanning-tree loopguard default
spanning-tree extend system-id
spanning-tree backbonefast
vtp mode transparent

vtp domain ROUTEHUB
vlan 10
name RHG-CEA-INTERNAL
vlan 100
name RHG-CEA-GUEST
vlan 199
name RHG-CEA-MGMT
interface FastEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,100,199
switchport nonegotiate
spanning-tree portfast trunk
no shutdown
interface Vlan 10
description RHG VLAN SVI INTERNAL
ip address 10.1.1.1 255.255.255.0
no shutdown
interface Vlan 100

description RHG VLAN SVI GUEST

ip address 192.168.1.1 255.255.255.0
no shutdown
interface Vlan 199

description RHG VLAN SVI MGMT
ip address 10.254.1.1 255.255.255.0
no shutdown
We will configure our CE-S device based on the following:
VLAN.
ROUTEHUB).
3. We will assign one port into the Internet User VLAN (VLAN 10) and another port into
the Guest User VLAN (VLAN100).
4. We will configure the interface for VLAN199 to allow us to manage the CE-S router
from the HQ site. It's default gateway would be the IP configured for the VLAN199
SVI interface on the CE-H router.
ROUTEHUB-CE-S
hostname ROUTEHUB-CE-S


vtp domain ROUTEHUB
vlan 10
vlan 100
name RHG-CEA-GUEST
vlan 199
name RHG-CEA-MGMT
description TO: RHG EOMPLS PE2
no shutdown
description RHG INTERNAL USER PORT
switchport access vlan 10

switchport mode access
spanning-tree portfast
no shutdown
description RHG GUEST USER PORT
no shutdown
interface Vlan 199

description RHG VLAN MGMT
ip address 10.254.1.10 255.255.255.0
no shutdown
ip default-gateway 10.254.1.1
Step 5: Monitor: Operations and Traffic Flow
Now let's show how we can confirm that EoMPLS is working.
2.2.2.5.1 show mpls ldp neighbor
This command shows all LDP neighbors from our MPLS router. Since we configured
EoMPLS between our two PE routers a targeted (or direct) LDP session will be established
between the PEs.
This is important to ensure that this LDP neighbor is established and below we can see that
for both PE routers:
ROUTEHUB-PE1#show mpls ldp neighbor

Peer LDP Ident: 1.1.1.1:0; Local LDP Ident 2.2.2.2:0
TCP connection: 1.1.1.1.646 - 2.2.2.2.57307
State: Oper; Msgs sent/rcvd: 11/14; Downstream
Up time: 00:03:24
LDP discovery sources:
POS1/0, Src IP addr: 10.1.2.1
Addresses bound to peer LDP Ident:
1.1.1.1 10.1.2.1 10.1.3.1
TCP connection: 3.3.3.3.34233 - 2.2.2.2.646
Up time: 00:02:38
Targeted Hello 2.2.2.2 -> 3.3.3.3, active, passive
10.1.3.3 3.3.3.3

ROUTEHUB-PE2#show mpls ldp neighbor
TCP connection: 1.1.1.1.646 - 3.3.3.3.65047
Up time: 00:02:58
POS1/0, Src IP addr: 10.1.3.1
1.1.1.1 10.1.2.1 10.1.3.1
TCP connection: 2.2.2.2.646 - 3.3.3.3.34233
Up time: 00:02:56
Targeted Hello 3.3.3.3 -> 2.2.2.2, active, passive
2.2.2.2 10.1.2.2
There are numerous "xconnect" show commands we can use to confirm if the EoMPLS
tunnels are up and running between two CE sites.
2.2.2.5.2 show xconnect peer 3.3.3.3 all
This command executed from PE1 shows that our L2VPN tunnel is up and running extending
our three VLANs across.
ROUTEHUB-PE1#show xconnect peer 3.3.3.3 all

Legend: XC ST=Xconnect State, S1=Segment1 State, S2=Segment2 State
UP=Up, DN=Down, AD=Admin Down, IA=Inactive, NH=No Hardware
XC ST Segment 1 S1 Segment 2 S2
------+---------------------------------+--+---------------------------------+--
UP ac Fa0/0.10 10(Eth VLAN) UP mpls 3.3.3.3:10 UP
2.2.2.5.3 show xconnect interface
We can also view the specific L2VPN tunnels based on the sub-interface:
ROUTEHUB-PE1#show xconnect interface fastEthernet 0/0.10

------+---------------------------------+--+---------------------------------+--
ROUTEHUB-PE1#show xconnect interface fastEthernet 0/0.100

------+---------------------------------+--+---------------------------------+--

2.2.2.5.4 show mpls l2transprot vc <VC-ID>
We can also view L2VPN tunnels based on the VC ID that was configured:
ROUTEHUB-PE1#show mpls l2transport vc 10
Local intf Local circuit Dest address VC ID Status

------------- -------------------------- --------------- ---------- ----------
Fa0/0.10 Eth VLAN 10 3.3.3.3 10 UP
2.2.2.5.5 show mpls l2transprot vc <VC-ID> detail
Or get further details from the same command:
ROUTEHUB-PE1#show mpls l2transport vc 10 detail

Local interface: Fa0/0.10 up, line protocol up, Eth VLAN 10 up
Destination address: 3.3.3.3, VC ID: 10, VC status: up
Output interface: PO1/0, imposed label stack {17 16}
Preferred path: not configured
Default path: active
Next hop: point2point
Create time: 00:09:00, last status change time: 00:08:12
Signaling protocol: LDP, peer 3.3.3.3:0 up
MPLS VC labels: local 16, remote 16
Group ID: local 0, remote 0
MTU: local 1500, remote 1500
Remote interface description: S2 CEA VLAN 10
Sequencing: receive disabled, send disabled
VC statistics:
packet totals: receive 24, send 244
byte totals: receive 2582, send 21430
packet drops: receive 0, seq error 0, send 0
2.2.2.5.6 ping
The best way to confirm that the operations and traffic flow is working is to test from one of
our user computers.
From the Guest computer let's confirm if we can ping our default gateway (192.168.1.1).
C:\Users\Guest>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time=350ms TTL=61

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 343ms, Maximum = 358ms, Average = 349ms
Great! So we know that the L2VPN is working correctly since we can ping the IP address
that is located at the CE-H site.
Next we can see if we can ping the other computer (Internal user) located at the same
remote site:
C:\Users\Guest>ping 10.1.1.10
Pinging 10.1.1.10 with 32 bytes of data:

Ping statistics for 10.1.1.10:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 43ms, Maximum = 38ms, Average = 39ms
2.2.2.5.7 traceroute, tracert
Again we are successful, so we know that our routing operations is correct, but how do we
know if the traffic flow is correct.
Based on our configuration, traffic from our Guest computer should be routed through the
EoMPLS tunnel to CE-H on VLAN100. Then routing back to the CE-S, but through
VLAN100.
Let's do a traceroute to confirm this operation:
C:\Users\Guest>tracert 10.1.1.10
Tracing route to 10.1.1.10 over a maximum of 30 hops
1 <36 ms 40 ms <16 ms 192.168.1.1

1 <32 ms 32 ms <40 ms 10.1.1.10
We now know that our EoMPLS operations and traffic flow is working correctly with our
configuration.

2.3 VPLS
2.3.1 Concepts
Virtual Private LAN Service (VPLS) is a L2VPN technology that provides L2 multipoint
services over a L3 network running MPLS. VPLS is viewed as a very big virtual switch or
bridge network from the perspective of the client.
Using L2 services allows extending VLANs (broadcast domains), BPDU, and VTP messages
between sites. Clients can run different routing protocols or technologies such as IPv6, IPX,
OSPF and EIGRP managed by the client.
VPLS involves the following components:
Client Edge (CE):

The client device or CE is what the client uses to extend L2 services. The CE can be a
switch or a router.
Targeted LDP:
Like EoMPLS, VPLS builds LDP tunnels between the PE routers used for exchanging VC
labels for the pseudo wires.
Pseudo Wires (PW):

Virtual tunnels using a VPN ID that is extended between PE routers within LSP tunnels
containing the client VLAN tags.
Virtual Switch Interface (VSI):

Terminates the PW providing the virtual bridge function. Configuration wise, VSI is
represented as the Virtual Forwarding Interface (VFI) interface in Cisco IOS.
The VSI also prevents loops on the L2 network by using split horizon. It does this by doing
the following:
Each router in a VPLS sees itself as the root bridge of the network. The other PE
routers are seen as spokes in the point-to-multipoint Ethernet network.
VSI participates with flooding and forwarding of unknown MAC addresses to all ports very
much like a L2 switch.
H-VPLS
Using VPLS alone with multiple with PE routers requires a full mesh of PW terminated
between all PE routers. This creates heavy overhead and concerns for scalability and
management. This is a common issues with IBGP which require full-mesh peering,
therefore, its recommended to use a Route Reflector. Well with VPLS its recommended to
use a H-VPLS deployment.
In a H-VPLS solution, some of the VPLS roles are pushed down to another PE router (U-PE)
or Edge PE router. Leaving our Core PE router with full-mesh PWs with other Core PE
routers limiting the number of PW peers.

2.3.2 VPLS (VLAN-Based)

In our design, we have a single client network with three locations. CE-H is our
Headquarters (HQ) site with two remote sites, CE-S1 and CE-S2. All site's will connect into a
IP WAN Provider that is running MPLS VPN. Our client will be called Client A.
Service Provider). To overlay layer 2 across the L3 network between multiple sites (more
than 2) our Provider will use VPLS to carry VLANs, BPDUs, and VTP messages between our
three client locations. Using EoMPLS will not work for our design since we are dealing with a
point-to-multipoint design and EoMPLS deals with L2 point-to-point tunnels.
Client A will extend three VLANs across the WAN. One will be for Internal Users (VLAN10,
10.254.1.0 /24 subnet). This VLAN used between the three sites will be used for
management purposes device access via Telnet or SSH.
Our CE-H site will use a Cisco Catalyst 3750 L3-switch and our two CE-S sites will use a
Cisco Catalyst 2960 L2-switch. We will have one computer from each network (Internal User
VLAN and the Guest User VLAN) connected to each CE-S site as shown in the network
diagram. The computers default gateway will be the IP address that will be configured on
Our Service Provider will implement VPLS using a VLAN-based deployment, meaning each
VLAN that will be used for Client A must be configured on each PE router, the VFI group
must be associated to each VLAN, and 802.1Q allowing the three VLANs must be
configured. This also creates some complexity if there are other clients who want to use
VLAN10. It would need to be some other VLAN ID tag.
Our MPLS routers (PE and P) will be Cisco 7600 Series Routers running 12.4 (Service
Provider feature set) to support the feature VPLS.


MPLS configuration on all MPLS components (PE and P router) enabled to use LDP
ROUTEHUB-P
ip cef
mpls ip
interface Loopback0
ip address 1.1.1.1 255.255.255.255
interface p3/1
ip address 10.1.2.1 255.255.255.0
mpls ip
no shutdown
interface p3/2
ip address 10.1.3.1 255.255.255.0
mpls ip
no shutdown
interface p3/3
ip address 10.1.4.1 255.255.255.0
mpls ip
no shutdown
router ospf 1
network 1.1.1.1 0.0.0.0 area 1
network 10.1.2.0 0.0.0.255 area 0
network 10.1.3.0 0.0.0.255 area 0
network 10.1.4.0 0.0.0.255 area 0

ROUTEHUB-PE1
ip cef
mpls ip
interface Loopback0
ip address 2.2.2.2 255.255.255.255
interface p3/1
ip address 10.1.2.2 255.255.255.0
mpls ip
no shutdown
router ospf 2
network 2.2.2.2 0.0.0.0 area 2
network 10.1.2.0 0.0.0.255 area 0
ROUTEHUB-PE2
ip cef
mpls ip
interface Loopback0
ip address 3.3.3.3 255.255.255.255
interface p3/1
ip address 10.1.3.3 255.255.255.0
mpls ip
no shutdown
router ospf 3
network 3.3.3.3 0.0.0.0 area 3
network 10.1.3.0 0.0.0.255 area 0
ROUTEHUB-PE3
ip cef
mpls ip
interface Loopback0
ip address 4.4.4.4 255.255.255.255

interface p3/1
ip address 10.1.4.4 255.255.255.0
mpls ip
no shutdown
router ospf 4
network 4.4.4.4 0.0.0.0 area 4
network 10.1.4.0 0.0.0.255 area 0
Step 3: VPLS (VLAN-based) Configuration

In this configuration we will extend the user VLANs across the MPLS network that will be
used between the three sites.
This is only configured on the three PE routers.
Below is the configuration that is needed. As a recap from the network diagram PE1 is
connecting to CE-H, PE2 is connecting to CE-S1, and PE3 is connecting to CE-S2.
1. First we configure the VSI interface, which in IOS is represented as the VFI interface
followed by a unique name to identify this group as CLIENTA because there will be
other clients added to the VPLS network in the future.
ROUTEHUB-PE1
l2 vfi VPLS-CLIENTA manual
2. Second we will specify a unique VC ID or VPN ID that would be used among all PE
routers connected to a CE device for CLIENTA. Treat the VPN ID very much like a
VLAN ID. This would essentially build the pseudo-wires for each VLAN through an
LSP.

vpn id 50
3. Next we will configure direct LDP tunnel between our PE routers that will carry
pseudo-wire (PW) for each VLAN:

neighbor 3.3.3.3 encapsulation mpls

4. Next we will configure all the VLANs on our PE router that will be used across the
VPLS for the three client sites.
vlan 10
name CEA-RHG-VLAN10
5. Next we will associate the configured VFI to the VLAN SVI interface and activate it
under the VLAN ID itself for each user VLAN.
interface Vlan10
xconnect vfi VPLS-CLIENTA
vlan 10
state active
6. For the downlink interface connected to the CE device, we will enabled the interface
for 802.1Q and specify what VLANs are allowed.
switchport
switchport allowed vlan 10,100,199
no shutdown
Configuration Summary: PE1, PE2, and PE3
ROUTEHUB-PE1

vpn id 50
vlan 10
name CEA-RHG-VLAN10
vlan 100
name CEA-RHG-VLAN100
vlan 199
interface Vlan10
vlan 10
state active

interface Vlan100
vlan 100
state active
interface Vlan199
vlan 199
state active
switchport
no shutdown
ROUTEHUB-PE2

vpn id 50
vlan 10
name CEA-RHG-VLAN10
vlan 100
vlan 199
interface Vlan10
vlan 10
state active
interface Vlan100
vlan 100
state active
interface Vlan199
vlan 199
state active
switchport

no shutdown
ROUTEHUB-PE3

vpn id 50
vlan 10
name CEA-RHG-VLAN10
vlan 100
vlan 199
interface Vlan10
vlan 10
state active
interface Vlan100
vlan 100
state active
interface Vlan199
vlan 199
state active
switchport
no shutdown

Step 4: CE (Hub) Configuration
VLAN.
ROUTEHUB-CE-H
vlan 10
vlan 100
name RHG-CEA-GUEST
vlan 199
name RHG-CEA-MGMT

ROUTEHUB).

vtp domain ROUTEHUB
will be the default gateway for our computers at the remote site respectively to
access other network resources including the L2 switches.
interface Vlan 10
ip address 10.1.1.1 255.255.255.0
no shutdown
interface Vlan 100

ip address 192.168.1.1 255.255.255.0
no shutdown
interface Vlan 199

ip address 10.254.1.1 255.255.255.0
no shutdown

no shutdown
Configuration Summary: CE-H
ROUTEHUB-CE-H
ip routing


vtp domain ROUTEHUB
vlan 10
vlan 100
name RHG-CEA-GUEST
vlan 199
name RHG-CEA-MGMT
no shutdown
interface Vlan 10
ip address 10.1.1.1 255.255.255.0
no shutdown
interface Vlan 100

ip address 192.168.1.1 255.255.255.0
no shutdown
interface Vlan 199

ip address 10.254.1.1 255.255.255.0
no shutdown
Step 5: CE (Spoke) Configuration

We will configure our CE-S1 and CE-S2 devices based on the following (step-by-step shown
for CE-S1):
VLAN.
vlan 10
vlan 100
name RHG-CEA-GUEST
vlan 199
name RHG-CEA-MGMT

ROUTEHUB).

vtp domain ROUTEHUB
3. We will assign one port for the Internal User VLAN (VLAN 10) and another port for
no shutdown
no shutdown

4. We will configure the interface for VLAN199 to allow us to manage the two remote L2
switches from the HQ site. It's default gateway would be the IP configured for the
VLAN199 SVI interface on the CE-H router.
interface Vlan 199

ip address 10.254.1.10 255.255.255.0
no shutdown
no shutdown
Configuration Summary: CE-S1, CE-S2
ROUTEHUB-CE-S1
hostname ROUTEHUB-CE-S1


vtp domain ROUTEHUB
vlan 10
vlan 100
name RHG-CEA-GUEST
vlan 199
name RHG-CEA-MGMT

no shutdown
no shutdown
no shutdown
interface Vlan 199

ip address 10.254.1.10 255.255.255.0
no shutdown
ROUTEHUB-CE-S2


vtp domain ROUTEHUB
vlan 10
vlan 100
name RHG-CEA-GUEST
vlan 199
name RHG-CEA-MGMT
no shutdown

no shutdown
no shutdown
interface Vlan 199

ip address 10.254.1.11 255.255.255.0
no shutdown
Step 6: Monitor: Operations
Now let's show how we can confirm that VPLS is working.
show mpls l2transport vc
We can view L2VPN VPLS tunnels that was configured on our network:
ROUTEHUB-PE1#show mpls l2transport vc

------------- -------------------------- --------------- ---------- ----------
VFI VPLS-CLIENTA VFI 3.3.3.3 50 UP

2.3.3 VPLS (QinQ or Port-Based)

In our design, we have a single client network with three locations. CE-H is our
Headquarters (HQ) site with two remote sites, CE-S1 and CE-S2. All sites will connect into
an IP WAN Provider that is running MPLS VPN. Our client will be called Client A.
Service Provider). To overlay layer 2 across the L3 network between multiple sites (more
than 2) our Provider will use VPLS to carry VLANs, BPDUs, and VTP messages between our
three client locations. Using EoMPLS will not work for our design since we are dealing with a
point-to-multipoint design and EoMPLS deals with L2 point-to-point tunnels.
Client A will extend three VLANs across the WAN. One will be for Internal Users (VLAN10,
10.254.1.0 /24 subnet). This VLAN used between the three sites will be used for
management and for device access using Telnet or SSH.
Our CE-H site will use a Cisco Catalyst 3750 L3-switch and our two CE-S sites will use a
Cisco Catalyst 2960 L2-switch. We will have one computer from each network (Internal User
VLAN and the Guest User VLAN) connected at each CE-S site as shown in the network
diagram. The computers default gateway will be the IP address that will be configured on the
Our Service Provider will implement VPLS using a Port-based or QinQ deployment, meaning
all VLANs used for Client A will be tunneled inside a dedicated 802.1Q tunnel using a
unique VLAN for that client. On each PE router we still need to configure the VFI group that
will be associated to that unique VLAN, VLAN900 This avoids the complexity where clients
can continue to use their unique VLANs through the Service Provider network.
Our MPLS routers (PE and P) will be Cisco 7600 Series Routers running 12.4 (Service
Provider feature set) to support the feature VPLS).


MPLS configuration on all MPLS components (PE and P router) enabling to use LDP
ROUTEHUB-P
ip cef
mpls ip
interface Loopback0
ip address 1.1.1.1 255.255.255.255
interface p3/1
ip address 10.1.2.1 255.255.255.0
mpls ip
no shutdown
interface p3/2
ip address 10.1.3.1 255.255.255.0
mpls ip
no shutdown
interface p3/3
ip address 10.1.4.1 255.255.255.0
mpls ip
no shutdown
router ospf 1
network 1.1.1.1 0.0.0.0 area 1
network 10.1.2.0 0.0.0.255 area 0
network 10.1.3.0 0.0.0.255 area 0
network 10.1.4.0 0.0.0.255 area 0
ROUTEHUB-PE1
ip cef
mpls ip

interface Loopback0
ip address 2.2.2.2 255.255.255.255
interface p3/1
ip address 10.1.2.2 255.255.255.0
mpls ip
no shutdown
router ospf 2
network 2.2.2.2 0.0.0.0 area 2
network 10.1.2.0 0.0.0.255 area 0
ROUTEHUB-PE2
ip cef
mpls ip
interface Loopback0
ip address 3.3.3.3 255.255.255.255
interface p3/1
ip address 10.1.3.3 255.255.255.0
mpls ip
no shutdown
router ospf 3
network 3.3.3.3 0.0.0.0 area 3
network 10.1.3.0 0.0.0.255 area 0
ROUTEHUB-PE3
ip cef
mpls ip
interface Loopback0
ip address 4.4.4.4 255.255.255.255
interface p3/1
ip address 10.1.4.4 255.255.255.0
mpls ip
no shutdown
router ospf 4
network 4.4.4.4 0.0.0.0 area 4
network 10.1.4.0 0.0.0.255 area 0

Step 3: VPLS (QinQ) Configuration
In this configuration we will extend the user VLANs across the MPLS network that will be
used between the three sites.
This is only configured on the three PE routers.
Below is the configuration that is needed. As a recap from the network diagram PE1 is
connecting to CE-H, PE2 is connecting to CE-S1, and PE3 is connecting to CE-S2.
1. First we configure the VSI interface, which in IOS is represented as the VFI interface
followed by a unique name to identify this group as CLIENTA because there will be
other clients added to the VPLS network in the future.
ROUTEHUB-PE1
2. Second we will specify a unique VC ID or VPN ID that would be used among all PE
routers connected to a CE device for CLIENTA. Treat the VPN ID very much like a
VLAN ID. This would essentially build the pseudo-wires for each VLAN through an
LSP.

vpn id 50
3. Next we will configure direct LDP tunnel between our PE routers that will carry
pseudo-wire (PW) for each VLAN:

4. Next we will associate the configured VFI to the VLAN SVI interface and activate it
under the VLAN ID itself for each user VLAN.
interface Vlan900
vlan 900
state active
5. Enabled 802.1Q tunnel (QinQ) where all VLANs from Client A (assigned to
VLAN900) through the VPLS. This is configured on the directly connected interface
to one of the CE devices for Client A.
switchport

switchport mode dot1qtunnel
l2protocol-tunnel-stp
no shutdown
Configuration Summary: PE1, PE2, PE3
ROUTEHUB-PE1

vpn id 50
vlan 900
state active
interface Vlan900
switchport
no shutdown
ROUTEHUB-PE2

vpn id 50
vlan 900
state active
interface Vlan900
switchport
no shutdown
ROUTEHUB-PE3

vpn id 50

vlan 900
state active
interface Vlan900
switchport
no shutdown
Step 4: CE (Hub) Configuration

VLAN.
ROUTEHUB-CE-H
vlan 10
vlan 100
name RHG-CEA-GUEST
vlan 199
name RHG-CEA-MGMT

ROUTEHUB).

vtp domain ROUTEHUB
will be the default gateway for our computers at the remote site respectively to
access other network resources including the L2 switches.
interface Vlan 10

ip address 10.1.1.1 255.255.255.0
no shutdown
interface Vlan 100

ip address 192.168.1.1 255.255.255.0
no shutdown
interface Vlan 199

ip address 10.254.1.1 255.255.255.0
no shutdown
no shutdown
Configuration Summary: CE-H
ROUTEHUB-CE-H
ip routing


vtp domain ROUTEHUB
vlan 10
vlan 100
name RHG-CEA-GUEST
vlan 199
name RHG-CEA-MGMT

no shutdown
interface Vlan 10
ip address 10.1.1.1 255.255.255.0
no shutdown
interface Vlan 100

ip address 192.168.1.1 255.255.255.0
no shutdown
interface Vlan 199

ip address 10.254.1.1 255.255.255.0
no shutdown
Step 5: CE (Spoke) Configuration

We will configure our CE-S1 and CE-S2 devices based on the following (step-by-step shown
for CE-S1):
VLAN.
vlan 10
vlan 100
name RHG-CEA-GUEST
vlan 199
name RHG-CEA-MGMT

ROUTEHUB).

vtp domain ROUTEHUB
3. We will assign one port for the Internal User VLAN (VLAN 10) and another port for

no shutdown
no shutdown
4. We will configure the interface for VLAN199 to allow us to manage the two remote L2
switches from the HQ site. It's default gateway would be the IP configured for the
VLAN199 SVI interface on the CE-H router.
interface Vlan 199

ip address 10.254.1.10 255.255.255.0
no shutdown
no shutdown
Configuration Summary: CE-S1, CE-S2
ROUTEHUB-CE-S1


vtp domain ROUTEHUB
vlan 10
vlan 100
name RHG-CEA-GUEST

vlan 199
name RHG-CEA-MGMT
no shutdown
no shutdown
no shutdown
interface Vlan 199

ip address 10.254.1.10 255.255.255.0
no shutdown
ROUTEHUB-CE-S2


vtp domain ROUTEHUB
vlan 10
vlan 100
name RHG-CEA-GUEST
vlan 199
name RHG-CEA-MGMT

no shutdown
no shutdown
no shutdown
interface Vlan 199

ip address 10.254.1.11 255.255.255.0
no shutdown
Step 6: Monitor: Operations
Now let's show how we can confirm that VPLS is working.
show mpls l2transport vc
We can view L2VPN VPLS tunnels that was configured on our network:
ROUTEHUB-PE1#show mpls l2transport vc

------------- -------------------------- --------------- ---------- ----------

3 Monitor
3.1 Troubleshooting Tips
3.1.1 Root Causes

Once a network has been deployed and working operational any issue that will occur will
likely be due to one of the following below:
1. User Error
2. Software Error or Failure
3. Hardware Error or Failure
4. Power Error or Failure
5. Traffic Increase
6. Security Related
7. Third-Party Components
3.1.2 Initial questions to ask

Once a network has been deployed and working operational any issue that will occur will
likely be due to the following:
1. What has changed recently anywhere on the network?
a. Not just routers or switch, but with servers and various services such as
DNS, SMTP, etc. This tends to be the most common issue we have seen
where different groups make services changes like DNS, as an example, and
certain things on the network break where nothing was changed on the
routers or firewalls. However, the DNS changes affected some of the other
services on the network. That group who made the change will assume that
they didn't think that change would affect the network. Remember, IT is all
connected in more than one way, so validating all changes with all IT groups
is critical to confirm what could break including other considerations. Plus
any changes should rerun (or test) there baseline punch list to confirm that
all services outlined in the baseline are operational as they were before and
after any changes.
2. Confirm for any network changes? If so, check for configuration syntax errors and
cross check against a known working configuration.

3.1.3 Typical fixes
Identifying the root cause and resolving it are two separate things. Fixing a problem will
usually involve one or more of the following
Configuration change or rollback

Reboot
Software upgrade
Hardware replacement
It may require a configuration change or a rollback to a previously working configuration

known to work.
A reboot may do it or a software upgrade may be needed where a bug has emerged and/or a
hardware replacement may be needed, though is very rare.

4 Full Configuration
4.1 L2TPv3
4.1.1 L2TPv3 using Static Tunnels
ROUTEHUB-P
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTEHUB-P
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
ip address 10.1.2.1 255.255.255.0

duplex auto
speed auto
!
ip address 10.1.3.1 255.255.255.0
duplex auto
speed auto
!
router ospf 1
network 1.1.1.1 0.0.0.0 area 1
network 10.1.2.0 0.0.0.255 area 0
network 10.1.3.0 0.0.0.255 area 0
!
ip http server
no ip http secure-server
ip forward-protocol nd
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
ROUTEHUB-PE1
!
version 12.4
!
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
l2tp-class manual
cookie size 4
!

!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
protocol none
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
no ip address
duplex auto
speed auto
l2tp id 1 1
l2tp hello manual
!
ip address 10.1.2.2 255.255.255.0
duplex auto
speed auto
!
router ospf 2
network 2.2.2.2 0.0.0.0 area 2
network 10.1.2.0 0.0.0.255 area 0
!
ip http server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!

!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
ROUTEHUB-PE2
!
version 12.4
!
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
l2tp-class manual
cookie size 4
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
protocol none
!
!
!
!

!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
no ip address
duplex auto
speed auto
l2tp id 1 1
l2tp hello manual
!
ip address 10.1.3.3 255.255.255.0
duplex auto
speed auto
!
router ospf 3
network 3.3.3.3 0.0.0.0 area 3
network 10.1.3.0 0.0.0.255 area 0
!
ip http server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
ROUTEHUB-CE1
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
!
hostname ROUTEHUB-CE1
!
!
!
!
!

!
memory-size iomem 15
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
!
ip address 10.4.5.4 255.255.255.0
duplex auto
speed auto
!
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 1
network 4.4.4.4 0.0.0.0
network 10.4.5.0 0.0.0.255
no auto-summary
!
ip classless
ip http server
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
!
end
ROUTEHUB-CE2
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
!
hostname ROUTEHUB-CE2
!
!
!
!
!
!
memory-size iomem 15
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!

!
!
!
!
!
!
interface Loopback0
ip address 5.5.5.5 255.255.255.255
!
ip address 10.4.5.5 255.255.255.0
duplex auto
speed auto
!
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 1
network 5.5.5.5 0.0.0.0
network 10.4.5.0 0.0.0.255
no auto-summary
!
ip classless
ip http server
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
!
end

4.2 EoMPLS
4.2.1 EoMPLS for Hub-and-Spoke WAN
ROUTEHUB-P
!
upgrade fpd auto
version 12.4
!
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
ip cef
!
!
!
!
no ipv6 cef
!
!
voice dsp waitstate 0
!
!
!
!
!
!
!
!
!
!
!
!
!
memory-size iomem 0
archive
log config
hidekeys
!
!
!
!

!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
!
no ip address
shutdown
duplex half
!
interface POS1/0
ip address 10.1.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
mpls ip
!
interface POS2/0
ip address 10.1.3.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
mpls ip
!
router ospf 1
passive-interface default
no passive-interface POS1/0
network 1.1.1.1 0.0.0.0 area 1
network 10.1.2.0 0.0.0.255 area 0
network 10.1.3.0 0.0.0.255 area 0
!
no ip http server
!
!
!
logging alarm informational
!
!
!
!
control-plane
!
!
!
mgcp fax t38 ecm
!
!
!
!

gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
end
ROUTEHUB-PE1
!
upgrade fpd auto
version 12.4
!
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip source-route
ip cef
!
!
!
!
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!

!
memory-size iomem 0
archive
log config
hidekeys
!
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
!
no ip address
duplex auto
speed auto
!
!
!
!
no ip address
shutdown
duplex auto
speed auto
!
interface POS1/0
ip address 10.1.2.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
mpls ip
!
router ospf 2
network 2.2.2.2 0.0.0.0 area 2
network 10.1.2.0 0.0.0.255 area 0
!

no ip http server
!
!
!
!
!
!
!
control-plane
!
!
!
mgcp fax t38 ecm
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
end
ROUTEHUB-PE2
!
upgrade fpd auto
version 12.4
!
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip source-route

ip cef
!
!
!
!
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
memory-size iomem 0
archive
log config
hidekeys
!
!
!
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
!
no ip address
shutdown
duplex half
!
interface POS1/0
ip address 10.1.3.3 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
mpls ip
!
no ip address
duplex auto
speed auto
!

!
!
!
no ip address
shutdown
duplex auto
speed auto
!
router ospf 3
network 3.3.3.3 0.0.0.0 area 3
network 10.1.3.0 0.0.0.255 area 0
!
no ip http server
!
!
!
!
!
!
!
control-plane
!
!
!
mgcp fax t38 ecm
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4

login
!
end

Routehub TUNNEL L2VPN PDF

Uploaded by

Copyright:

Available Formats

Routehub TUNNEL L2VPN PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Routehub TUNNEL L2VPN PDF

Uploaded by

Copyright:

Available Formats

Layer 2 VPN (L2VPN)

RouteHub Group, LLC

February 22, 2009

END USER LICENSE FOR ONE (1) PERSON ONLY

2. Price and Payment

4. Replacement, Modification and/or Upgrades

13. Entire Agreement

RouteHub Group, LLC Page 6 www.routehub.net

L2VPN tunnels allow us to provide a direct point-to-point connection between devices as if

L2TPv3 consist of the following components:

RouteHub Group, LLC Page 7 www.routehub.net

RouteHub Group, LLC Page 8 www.routehub.net

Step 1: NETWORK DESIGN

Topology Services and Sub-Services

Hardware & Software:

RouteHub Group, LLC Page 9 www.routehub.net

Step 2: BASIC CONFIGURATION

RouteHub Group, LLC Page 10 www.routehub.net

Step 3: OSPF CONFIGURATION ON OUR PROVIDER NETWORK

RouteHub Group, LLC Page 11 www.routehub.net

RouteHub Group, LLC Page 12 www.routehub.net

As a recap below defines what that configuration would look like.

CE1 would be connected to the interface FastEthernet0/0 on our PE2 router.

show l2tun tunnel all

RouteHub Group, LLC Page 13 www.routehub.net

No L2VPN configuration is needed or required on CE devices similar to MPLS VPNs.

Below is the configuration for CE1:

RouteHub Group, LLC Page 14 www.routehub.net

Below is the configuration for CE1 and CE2:

RouteHub Group, LLC Page 15 www.routehub.net

2.1.2.7.1 show xconnect all

Below is a command from PE2

RouteHub Group, LLC Page 16 www.routehub.net

2.1.2.7.3 show l2tp session

RouteHub Group, LLC Page 17 www.routehub.net

The downside of EoMPLS is management of building point-to-point tunnels across between

RouteHub Group, LLC Page 18 www.routehub.net

Step 1: Network Design

RouteHub Group, LLC Page 19 www.routehub.net

Below you will see configuration for the following:

Basic IP Information configured for all interfaces in our MPLS design

RouteHub Group, LLC Page 20 www.routehub.net

Step 3: EoMPLS Configuration

This is only configured on the two PE routers.

RouteHub Group, LLC Page 21 www.routehub.net

RouteHub Group, LLC Page 22 www.routehub.net

We will configure our CE-H device based on the following:

spanning-tree mode rapid-pvst

vtp mode transparent

interface Vlan 100

RouteHub Group, LLC Page 23 www.routehub.net

interface Vlan 199

We will configure our CE-S device based on the following:

spanning-tree mode rapid-pvst

vtp mode transparent

RouteHub Group, LLC Page 24 www.routehub.net

interface Vlan 199

Step 5: Monitor: Operations and Traffic Flow

Now let's show how we can confirm that EoMPLS is working.