Layer 2 VPNs

As enterprises virtualize their networks, some might require the support of non-IP or nonroutable traffic in these virtualized environments. To support this type of traffic, it is necessary to extend Layer 2 domains across the enterprise network. In general, the extension of Layer 2 domains is discouraged because of all the scalability issues discussed in Chapter 2. Therefore, when pervasive any-to-any connectivity is required, it is highly advisable that a routed alternative be evaluated before considering any sort of Layer 2 extension. The requirement for Layer 2 extensibility is usually limited to the interconnection of a few sites to support legacy protocols or the interconnection of server farms. It is important to maintain the scale of this requirement as small as possible. As we study the different alternatives for extending Layer 2 connectivity, it will become evident that these are practical in solving a limited connectivity requirement and will cease to scale rapidly.

Instead of attempting to extend VLANs throughout the enterprise, the creation of VPNs for nonroutable traffic calls for the use of Layer 2 VPN or tunneling technologies that will provide the desired Layer 2 connectivity over the enterprise's routed core. In brief, the requirements for this type of Layer 2 connectivity are as follows:

• Mainly p2p connectivity In many cases, the requirement for Layer 2 connectivity will be restricted to interconnecting a couple of sites only. For example, enterprises consolidating disperse server clusters will require, in general, the interconnection of two data centers.

• Some multipoint connectivity For many reasons, enterprises might require the support of legacy (non-IP) protocols in their network. The hosts using these legacy protocols will require peer-to-peer connectivity. As the support for legacy protocols is gradually phased out across the industry, the support for these is maintained by transparently tunneling the information to interconnect the hosts.

• Resiliency No single point of failure must be allowed when interconnecting the sites at Layer 2. This has interesting implications in the combination and use of different technologies.

Ethernet over MPLS

The following sections explore two of the most common MPLS-based Layer 2 VPN technologies: Ethernet over MPLS (EoMPLS) and Virtual Private LAN Services (VPLS).

Providing Point-to-Point Connectivity

EoMPLS pseudowires are by definition p2p Layer 2 connections. The basic operating principle of a pseudowire is that of being able to take any traffic received on an ingress port and transparently send it over to the egress port at the other end of the pseudowire (as shown in Figure 6-14).

Figure 6-14. EoMPLS Pseudowires

Two types of ports can be mapped to EoMPLS tunnels:

• Routed physical ports This mode of operation is known as port mode.

• Logical subinterfaces on a routed port This mode of operation is referred to as VLAN mode.

The creation of the pseudowire is achieved by encapsulating the traffic received on the "cross-connected" ingress port and switching it to the remote end based on the encapsulation header. The use of the encapsulation header allows the traffic to remain untouched as it traverses the routed cloud. When traffic arrives at the remote end, the encapsulation headers are removed, and traffic is forwarded out the egress port without any alterations. Because all traffic received on a cross-connected port is forwarded transparently, the PEs do not learn any MAC addresses on the cross-connected ports. Thus, the pseudowires effectively behave as a link extension or a virtual wire, which is commonly referred to as a pseudowire. Therefore, in the figure above, switches Giacometti and Brancusi appear as if directly connected by an Ethernet link.

An EoMPLS virtual circuit can be created between a pair of PE devices on opposite sides of the MPLS-enabled campus network or MAN to transparently carry the traffic between the two cross-connected ports. The cross-connected ports on each PE device receive and tunnel all the Ethernet frames from the Layer 2 switches at the edge. The configuration required for enabling this functionality on the PE interfaces is simple, as demonstrated in Example 6-29.

Example 6-29. EoMPLS Pseudowire Configuration

 interface GigabitEthernet1/1  description EoMPLS vc to Brancusi  no ip address  no cdp enable  xconnect 3.3.3.1 1 encapsulation mpls 

The xconnect command is basically the only command required, and it is used to specify the remote PE loopback address (for example, on Brancusi it is 3.3.3.1).

One restriction to be aware of is the size of the packets that can be sent over the pseudowire. Because there is no check done on the packets by the routers at the endpoints of the pseudowire, it is possible to exceed the valid MTU in the routed core by sending large packets. If the packet size is close to the MTU limit supported by the routed core, the addition of headers could generate packets of an MTU greater than what the network can support. In this case, jumbo frame support might be required in the network core.

Providing Multipoint Connectivity

As discussed, EoMPLS is a p2p technology. Any attempt to provide multi-site connectivity has to involve a combination of multiple p2p connections.

When you are combining multiple Layer 2 p2p connections, a hub-and-spoke logical topology can provide multipoint connectivity by aggregating and switching all traffic at the hub. Because a hub-and-spoke topology is loop free, there is no strict requirement on the use of STP.

EoMPLS circuits take all traffic on an interface and tunnel it over the MPLS core. Unfortunately, a single interface cannot be mapped to multiple EoMPLS pseudowires.

Therefore, you must use a distinct physical interface at the hub site for each remote site that needs to be connected. In other words, each pseudowire requires a dedicated physical interface at each end. To switch traffic between the different sites, you must aggregate these different interfaces onto a Layer 2 bridge at the hub site; this functionality can be provided by a separate switch, as shown in the figure. If this seems awkward, it is because EoMPLS was designed with p2p wire emulation in mind, not for multipoint switched-connectivity purposes.

In Figure 6-15, three physical links would be required on the hub PE to connect to the three different sites; the configuration for each of these interfaces is similar to the one displayed before, with an xconnect command on each interface to establish the EoMPLS virtual circuit with the remote PEs.

Figure 6-15. Multipoint Connectivity Emulation with EoMPLS

Resilient Pseudowire Topologies

Traffic entering an EoMPLS tunnel is not checked for integrity or validity. Therefore, any type of traffic can be forwarded over an EoMPLS pseudowire. This allows the transparent forwarding of Layer 2 control traffic such as STP bridge protocol data units (BPDUs), Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP), 802.3ad Link Aggregation Control Protocol (LACP), and so on. This allows the use of some traditional Ethernet protocols over the pseudowires to provide failure detection and failover mechanisms that enable resiliency.

Multiple Tunnels and CE STP

Because the EoMPLS pseudowires transparently forward all traffic they receive, the logical topology illustrated in Figure 6-16 is equivalent to directly connecting the edge switches (Brancusi and Giacometti) with two Ethernet links. This clearly forms a Layer 2 loop. Because the pseudowires forward all traffic transparently, including STP BPDUs, it is possible to run spanning tree between Brancusi and Giacometti to block the loop and to provide a resilient path in case of failures.

Figure 6-16. Resilient Pseudowires

The use of the Rapid Spanning Tree Protocol (RSTP) allows optimal reconvergence and subsecond failover times in this array. However, this model does not provide any load balancing between the two pseudowires, and as a matter of fact, only half of the capacity in the network is used. The following section looks at alternatives that can provide load balancing and resiliency. However, the failover times for these alternatives are significantly slower.

Multiple Tunnels and CE Link Aggregation

To deploy resilient pseudowires between a pair of sites without creating a Layer 2 loop, you can bundle the two pseudowires to create a port channel. You should use a dynamic negotiation protocol to ensure that if a local link connecting to the PE fails, the remote site can detect the failure. The dynamic negotiation options include the following:

• PAgP (port aggregation protocol, a Cisco proprietary EtherChannel negotiation protocol)

• LACP (IEEE 802.3ad standard link aggregation protocol)

However, the timers on both these protocols provide relatively slow failure detection, in the order of 90 seconds.

Using UniDirectional Link Detection (UDLD) to provide failure detection can help lower the failover time between redundant circuits. The expected failover times with UDLD in aggressive mode vary between 20 and 40 seconds depending on the hardware used and the possibility of tuning the UDLD timers.

The configuration in Example 6-30 would be required on each of the switches establishing the bundle. Notice that these are not the PEs with the cross-connects, but the edge switches feeding traffic into the PEs.

Example 6-30. Establishing an EtherChannel over EoMPLS Across Sites

 udld aggressive udld message time 7 ... interface Port-channel1  switchport trunk encapsulation dot1q  switchport trunk allowed vlan 62  switchport mode trunk ! interface GigabitEthernet1/0/25  description link to Warhol  switchport trunk encapsulation dot1q  switchport mode trunk  channel-group 1 mode desirable ! interface GigabitEthernet1/0/26  description link to Malevich  switchport trunk encapsulation dot1q   switchport mode trunk  channel-group 1 mode desirable 

The connections between the Layer 2 switch and the PEs are trunk links; therefore, various Layer 2 domains (VLANs) can be transparently extended using the same EoMPLS virtual circuits.

VPLS

As described in Chapter 5, VPLS provides a mechanism to provide multipoint Layer 2 connectivity over an MPLS switched infrastructure. At first, this may sound like a scalable alternative to extending VLANs across the enterprise. However, it is important to keep in mind that VPLS has its own scalability limitations:

• Virtual circuit proliferation. Each VFI is in reality a full mesh of p2p pseudowires. As the number of sites increases, the mesh of pseudowires becomes more complex.

• The lack of intelligent broadcast and multicast handling can cause large-scale traffic replication and flooding throughout the network.

• Every PE must learn all the MAC addresses associated to a VFI. If this is intended to replace end-to-end VLANs, the number of MAC addresses to be learned may well be close to the full capacity of most high-end switching platforms.

• By deploying VPLS, we are effectively converting a Layer 3 core back to Layer 2. With this conversion, all the scalability and resiliency limitations of a plain Layer 2 network come back into play.

VPLS is by no means an alternative to Layer 3-based segmentation. Although it can provide any-to-any connectivity, it can only do it effectively for a limited number of hosts and sites.

Note

When used in a service provider setting, VPLS has different requirements than when used in an enterprise. The scalability concerns for VPLS in a service provider setting are much different. For instance, the enterprise might intend to use VPLS for Layer 2 extensibility, whereas the service provider might require a routed hop to access the VPLS cloud and therefore not extend the customer's Layer 2 domains.

Because VPLS has been designed to cover a specific need in the service provider space, its availability on enterprise platforms is limited and its cost is high (when available).

VPLS could provide a valid alternative for small-scale multipoint Layer 2 connectivity. However, the cost-benefit ratio may not be justifiable (and hence our focus on multipoint solutions based on EoMPLS).