MPLS PW and IP forwarding

  • Problem
  • Updated 3 years ago
  • Solved
Is there any way to terminate a pseudo-wire on a VLAN with IP forwarding enabled?

Consider a scenario where a provider network is L2 back to a routing core - a classic scenario might be an EAPS ring around a number of edge switches, with a pair of core switches somewhere in this ring.

These cores are the only devices doing L3, and customer connections come back over a protected VLAN to the cores to be routed.  Now in reality, you might do some L3 routing around this edge ring as well; but let us assume that there are some customer connections - for example, a customer dual-homed to each core with a VLAN and BGP being used as the routing protocol between provider and customer - where the customer connection must have its L3 termination point on a core switch.

With the EAPS+VLAN solution, this works like a charm.  The VLAN has a port on the edge switch facing the customer, and an IP address on the core switch and IP forwarding is enabled, great.  This is VLAN switching 101.

However, say you replace your EAPS solution with MPLS, and use a pseudowire to get from the edge customer port to the core switch, you hit a problem.  You cannot add a service VLAN to an l2vpn if it has IP forwarding enabled, and you cannot enable IP forwarding on a VLAN which is connected to an l2vpn.

Is this a hardware limitation, does anyone know (I'm testing this on X480s and X460s with 15.7 code)?  Or is it just not implemented yet?  It seems a glaring omission if it is not a hardware limitation.

How to reproduce (easy):

* core1.2 # create l2vpn vpws test_cust fec-id-type pseudo-wire 54321
* core1.3 # config l2vpn vpws test_cust add peer 10.1.1.2
* core1.4 # create vlan test_cust_1
* core1.5 # dis igmp snoop test_cust_1
* core1.6 # config vlan test_cust_1 ipa 10.1.3.1/30
IP interface for VLAN test_cust_1 has been created.
* core1.7 # enable ipf test_cust_1
* core1.8 # config l2vpn vpws "test_cust" add service vlan test_cust_1
Error: IP forwarding must be disabled on VLAN "test_cust_1"  before adding L2VPN services
* core1.9 # 

I thought I'd ask here before opening a TAC case, as I'm expecting the TAC to say something like "The concepts guide says you cannot do this" which, whilst correct, isn't very helpful.

Thanks

Paul.

Paul Thornton

Posted 3 years ago


Paul Thornton

Apologies for the <pre> tags going a bit mad there.

OscarK, ESE

Hello Paul, as the name implies L2VPN is for L2 services only. If you want to route over the MPLS you should create an L3VPN with a VRF for that customer.

Oscar

Srinivasan, Satishkumar, Employee

Hi Paul

Not sure if you have thought about this: you might consider moving IP forwarding and routing away from VPLS nodes. Your design remains the same, except you have another switch (or pair of switches for n+1 redundancy with VRRP) which does routing between VPLS service VLANs.

Regards,
Sathish  

Paul Thornton

Hi Sathish, Oscar,

The L3VPN isn't exactly what we want in this scenario as we're interested in only having one end of it routed (where we need to bring the connection back at L2 to a core switch).  The other router involved is the customer's equipment.

After some creative thinking, we ended up doing a bit of a hack to work around this, using a physical external loopback between two ports.

VLAN A tag (n) terminates the l2vpn and is tagged on port 1.
VLAN B tag (n+1) has the IP address and is tagged on port 2 with translation to (n).

Physical cable between ports 1 and 2.

Not very nice, but achieves what is required.

I think the long term option here is to take the X480 core routing switches out of MPLS, and connect them to another pair of switches that are - and have connections between the two just using VLANs to separate the MPLS part of the network from the BGP routing part.

Paul.

Brunno Lopes

Hello Paul, 

We've just made the same solution as yours to have an L3 interface inside the VPWS on the same device. An external loop cable connects a port ending a VPWS VMAN to the other port ending L3 VLAN.

This causes no loop to the switch, as the VPWS does not learn mac-addresses and simply forwards to the other end. 

On the X670 it has worked fine, but when it comes to the BD8K switches, somehow, broadcast/multicast packets are not forwarded. Have you tried this issue on BD8K switches? Have you faced any issues like this in your scenario?

Paul Thornton

Hi Brunno

Sorry for slow reply - no we didn't try this with BD8Ks; only X480s.

The core architecture has now changed to the setup I mentioned before.

We have 2x X670 in front of the X480s - so the pseudowires can terminate on the X670 and then just take a VLAN to the X480.  Redundancy is not a problem for us as failover for this service is provided at L3 - so 2x PW - one to each X670/X480 pair and therefore no worries at L2.

Paul.