Tag: LDP

Networking Field Day: Service Provider – Arista VPLS – UPDATED

Vince Schuele 1 Comment

During the first networking field day: service provider one of the big topics was EVPN versus VPLS. Arista has put a lot of work into their EVPN deployment and this has give then a ton of success in the data center. However, a large portion of the provider space, especially last mile providers, rely on VPLS heavily. This naturally led to discussion about Arista VPLS support.

I’m pleased to see that there is now basic support in EOS as of EOS 4.27.2F and more on the roadmap. Hopefully, we’ll see the off ramp, RFC8560, from VPLS to EVPN which was a hot button topic throughout the week.

In the release notes for EOS 4.27.2F it calls our basic VPLS support. So I took a look. Reviewing the new 4.27.2F manual I found support for LDP PWs on RFC4447 which is virtual private wire support. This also appeared to be in EOS 4.26 but not earlier. Thanks to Arista for providing more documentation on their support for RFC4762 – LDP signaled VPLS.

In the meantime lets review how this works:

mpls ip
!
mpls ldp
   router-id 100.127.0.3
   transport-address interface Loopback0
   no shutdown
   !
   pseudowires
      pseudowire TEST-PW
         neighbor 100.127.0.1
         pseudowire-id 1
         mtu 1500
!
patch panel
   patch TEST
   !
   patch TEST-PW-PATCH
      connector 1 pseudowire ldp TEST-PW
      connector 2 interface Ethernet3
!

You have to define the end point for the LDP signaling in the LDP configuration. The configuration requires an endpoint (neighbor), pseudowire-id, and mtu. Without all three of these the PW won’t establish.

Then tie the port you want to use the PW with a patch panel connector. In this case we tied ethernet3 to PW TEST-PW.

Everything that comes in on Ethernet3 will be pushed into the PW and on to the endpoint. Let’s verify that the signaling mechanism works:

arista-11#show patch panel detail
PW Fault Legend:
   ET-IN - Ethernet receive fault
   ET-OUT - Ethernet transmit fault
   TUN-IN - Tunnel receive fault
   TUN-OUT - Tunnel transmit fault
   NF - Pseudowire not forwarding (other reason)

Patch: TEST, Status: Down, Last change: 0:26:17 ago
Patch: TEST-PW-PATCH, Status: Up, Last change: 16:35:05 ago
   Connector 1: LDP neighbor 100.127.0.1 PW ID 1
      Status: Up
      Local MPLS label: 116384, Group ID: 0x0
         MTU: 1500, 802.1Q VLAN request sent: -
         Flow label capability: none
         Supported VCCV CV types: LSP ping
         Supported VCCV CC types: Router alert label
      Neighbor MPLS label: 116384, Group ID: 0x0
         MTU: 1500, 802.1Q VLAN request received: -
         Flow label capability: none
         Supported VCCV CV types: LSP ping
         Supported VCCV CC types: Router alert label
      PW type: 5 (raw), Control word: N
      Flow label used: no
      Tunnel type: LDP, Tunnel index: 1
   Connector 2: Ethernet3
      Status: Up
CE-1#ping 172.16.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 14/18/22 ms

Now we have a functional layer 2 link between the distance CEs.

This image has an empty alt attribute; its file name is IPA-Blog-ad-template-network.jpg
iparchitechs.com/contact

An important note if you want to put this into production is you have to use service routing protocols model multi-agent which requires a reboot of your devices.

There are also some restrictions in vlan translation/passing which I will explore in a future post. Now let’s check out the basic configuration.

After reviewing the documents for LDP signaled VPLS we built the topology above. All 3 PEs are in the same mesh so the 3 CE routers are all layer 2 adjacent.

I probably made every mistake you could as I started building this but the CLI is pretty helpful in what is wrong.

arista-11#show vpls
VPLS: TEST-VPLS
VLAN: 10, 802.1Q tag: -
MAC withdrawal trigger for local interface going down: Y
Pseudowire group: MESH, split-horizon
MAC withdrawal trigger on pseudowire failure: N
MAC withdrawal propagation: locally triggered
LDP neighbor 100.127.0.1 PW ID 1 PW name ARISTA-10
   Status: No remote, Interface: Pseudowire3.0
LDP neighbor 100.127.0.4 PW ID 1 PW name ARISTA-13
   Status: CLI incomplete

I originally missed specifying the MTU on the CLI so it told me my configuration was incomplete. I thought this was pretty neat as it prevented me from going down a bunch of different paths to determine why my original build was broken.

arista-13
mpls ldp
   router-id 100.127.0.4
   transport-address interface Loopback0
   no shutdown
   !
   pseudowires
      pseudowire ARISTA-10
         neighbor 100.127.0.1
         pseudowire-id 1
         mtu 1500
      !
      pseudowire ARISTA-11
         neighbor 100.127.0.3
         pseudowire-id 1
         mtu 1500
!
router vpls
   vpls TEST-VPLS
      ldp mac withdrawal trigger interface
      !
      vlan 10
      !
      pseudowire ldp MESH split-horizon
         pseudowire ARISTA-10
         pseudowire ARISTA-11
!
end
arista-13#show vpls
VPLS: TEST-VPLS
VLAN: 10, 802.1Q tag: -
MAC withdrawal trigger for local interface going down: Y
Pseudowire group: MESH, split-horizon
MAC withdrawal trigger on pseudowire failure: N
MAC withdrawal propagation: locally triggered
LDP neighbor 100.127.0.1 PW ID 1 PW name ARISTA-10
   Status: Up, Interface: Pseudowire1.0
LDP neighbor 100.127.0.3 PW ID 1 PW name ARISTA-11
   Status: Up, Interface: Pseudowire2.0
CE-3#ping 172.16.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 11/14/17 ms
CE-3#ping 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 11/12/14 ms
CE-3#

If you need help with your deployment reach out to us at IP architechs.

Interop IP infusion and MikroTik: part 2 – VPLS

Vince Schuele Leave a comment

VPLS is a pretty common technology in ISPs to either sell layer 2 services or backhaul traffic to a centralized aggregation point to conserve IPv4 space; check out more on that here.

How can I take advantage of segment routing but still deliver the same services? We already looked at how to setup the label switched paths utilizing IP Infusion as a segment routing mapping server in this interop post. Now let’s see how we can deliver a VPLS service over this with mikrotik as a provider edge router.

Delivering a service with a L2VPN

After setting up the IGP and label distribution between the PEs we will start building the L2VPN.

Why a BGP signaled VPLS session instead of LDP signaled VPLS?

In the segment-routing domain there is no LDP running. However, some vendors support static pseudowires or other methods to bring up a targeted LDP session for VPLS. I did some basic testing here couldn’t easily identify the right combination of knobs to make this work. Don’t worry; I’ll come back to it.

BGP signaled VPLS is a standards based technology that both vendors support.

First thing we need to do after having loopback reachability is to build the BGP sessions.

ipi-1.lab.jan1.us.ipa.net:

router bgp 65000
 neighbor 100.127.2.0 remote-as 65000
 neighbor 100.127.2.0 update-source lo
 !
 address-family l2vpn vpls
 neighbor 100.127.2.0 activate
!
MikroTik-1:

/routing bgp peer
add address-families=l2vpn name=OCNOS1 nexthop-choice=force-self \
    remote-address=100.127.0.1 remote-as=65000 update-source=Lo0

After establishing the BGP peering we need to build the vpls instance.

ipi-1.lab.jan1.us.ipa.net:

mpls vpls TEST 10
 signaling bgp
  ve-id 10
  exit-signaling
 exit-vpls
!
MikroTik-1:

/interface vpls bgp-vpls
add bridge=VPLS-TEST export-route-targets=65000:10 import-route-targets=\
    65000:10 name=TEST route-distinguisher=100.127.2.0:10 site-id=2 \
    use-control-word=no

On OcNOS the route-target and route distinguisher is automatically derived from the vpls instance creation. While you explicitly set it on MikroTik.

ipi-1.lab.jan1.us.ipa.net# show mpls vpls TEST
Virtual Private LAN Service Instance: TEST, ID: 10
 SIG-Protocol: BGP
  Route-Distinguisher :65000:10
  Route-Target :65000:10
  VE-ID :10

The site-id (Tik) or VE-ID (OcNOS) are the vpls endpoint identifiers which uniquely identify each PE.

The final step before we can start to test is to setup the attachment circuit. On OcNOS we will have to setup a service template to pair with the vpls instance on attachment circuit. Then you can assign the vpls instance and the service template to a switchport. We will match vlan tag 10 on our service template. Anything coming in with dot1q 10 from the CCR2004 will enter the VPLS tunnel.

ipi-1.lab.jan1.us.ipa.net:

service-template TEST
 match outer-vlan 10
!
interface xe2
 switchport
 mpls-vpls TEST service-template TEST
  exit-if-vpls
!

On the MikroTik side we need to setup a bridge for the autocreation of the tunnels and assign appropriate interfaces to it. Again, we will match on dot1q 10.

MikroTik-1:

/interface bridge
add name=Lo0
add name=LoVOICE
add mtu=1500 name=VPLS-TEST protocol-mode=none

/interface bridge port
add bridge=VPLS-TEST interface=ether10 pvid=10

/interface bridge vlan
add bridge=VPLS-TEST tagged=VPLS-TEST untagged=vlan10,ether10 vlan-ids=10

Finally, we can do testing and verification. We want to look for the mesh peer which is the autodiscovered PE also in this vpls instance.

ipi-1.lab.jan1.us.ipa.net#show mpls vpls TEST
Virtual Private LAN Service Instance: TEST, ID: 10
 SIG-Protocol: BGP
  Route-Distinguisher :65000:10
  Route-Target :65000:10
  VE-ID :10
 Attachment-Circuit :UP
 Learning: Enabled
 Control-Word: Disabled
 Group ID: 0, Configured MTU: 1500
 Description: none
 service-tpid: dot1.q
 Operating mode: Raw
 Configured interfaces:
  Interface: xe2
 Service-template : TEST
  Match criteria : 10

 Mesh Peers:
   100.127.2.0 (Up)

Then we want to make sure we are learning mac-addresses. As you can see the MACs not learned from the attached device are learned from the BGP peer at 100.127.2.0.

ipi-1.lab.jan1.us.ipa.net#show mpls vpls mac-address
VPLS-ID     MAC address       Learned from   Vlan-Id          Peer address   Tim
e-out
10          027b.6866.7831    xe48           -                100.127.2.0    300

10          488f.5a00.4f87    xe2            10               -              300


10          4c5e.0c6f.4476    xe48           -                100.127.2.0    300

Next we can test reachability. I did have a strange issue where if the AC went down on the MikroTik-1 the mesh wouldn’t form on reattachment. This was resolvable with the following command on IPI-1: clear bgp 100.127.2.0 l2vpn vpls

This image has an empty alt attribute; its file name is IPA-Blog-ad-template-network.jpg
https://iparchitechs.com/contact

I’ll be doing more testing on interop here. Let us know in the comments what you’d like to see next.