MPLS PW and IP forwarding

Paul_Thornton
New Contributor III
Is there any way to terminate a pseudo-wire on a VLAN with IP forwarding enabled?

Consider a scenario where a provider network is L2 back to a routing core - a classic scenario might be an EAPS ring around a number of edge switches, with a pair of core switches somewhere in this ring.

These cores are the only devices doing L3, and customer connections come back over a protected VLAN to the cores to be routed. Now in reality, you might do some L3 routing around this edge ring as well; but let us assume that there are some customer connections - for example, a customer dual-homed to each core with a VLAN and BGP being used as the routing protocol between provider and customer - where the customer connection must have its L3 termination point on a core switch.

With the EAPS+VLAN solution, this works like a charm. The VLAN has a port on the edge switch facing the customer, and an IP address on the core switch and IP forwarding is enabled, great. This is VLAN switching 101.

However, say you replace your EAPS solution with MPLS, and use a pseudowire to get from the edge customer port to the core switch, you hit a problem. You cannot add a service VLAN to an l2vpn if it has IP forwarding enabled, and you cannot enable IP forwarding on a VLAN which is connected to an l2vpn.

Is this a hardware limitation, does anyone know (I'm testing this on X480s and X460s with 15.7 code)? Or is it just not implemented yet? It seems a glaring omission if it is not a hardware limitation.

How to reproduce (easy):

    * core1.2 # create l2vpn vpws test_cust fec-id-type pseudo-wire 54321
    * core1.3 # config l2vpn vpws test_cust add peer 10.1.1.2
    * core1.4 # create vlan test_cust_1
    * core1.5 # dis igmp snoop test_cust_1
    * core1.6 # config vlan test_cust_1 ipa 10.1.3.1/30
    IP interface for VLAN test_cust_1 has been created.
    * core1.7 # enable ipf test_cust_1
    * core1.8 # config l2vpn vpws "test_cust" add service vlan test_cust_1
    Error: IP forwarding must be disabled on VLAN "test_cust_1" before adding L2VPN services
    * core1.9 #

I thought I'd ask here before opening a TAC case, as I'm expecting the TAC to say something like "The concepts guide says you cannot do this" which, whilst correct, isn't very helpful.

Thanks

Paul.

6 REPLIES

Paul_Thornton
New Contributor III
Hi Brunno

Sorry for slow reply - no we didn't try this with BD8Ks; only X480s.

The core architecture has now changed to the setup I mentioned before.

We have 2x X670 in front of the X480s - so the pseudowires can terminate on the X670 and then just take a VLAN to the X480. Redundancy is not a problem for us as failover for this service is provided at L3 - so 2x PW - one to each X670/X480 pair and therefore no worries at L2.

Paul.

Brunno_Lopes
New Contributor
Hello Paul,

We've just made the same solution as yours to have L3 interface inside the VPWS on the same device. An external loop cable connects a port ending a VPWS VMAN to the other port ending L3 VLAN.

This causes no loop to the switch, as the VPWS does not learn mac-addresses and simply forwards to the other end.

On the X670 it has worked fine, but when it comes to the BD8K switches, somehow, broadcast/multicast packets are not forwarded. Have you tried this issue on BD8K switches? Have you faced any issues like this in your scenario?

Paul_Thornton
New Contributor III
Hi Sathish, Oscar,

The L3VPN isn't exactly what we want in this scenario as we're interested in only having one end of it routed (where we need to bring the connection back at L2 to a core switch). The other router involved is the customer's equipment.

After some creative thinking, we ended up doing a bit of a hack to work around this, using a physical external loopback between two ports.

VLAN A tag (n) terminates the l2vpn and is tagged on port 1.
VLAN B tag (n+1) has the IP address and is tagged on port 2 with translation to (n).

Physical cable between ports 1 and 2.

Not very nice, but achieves what is required.

I think the long term option here is to take the X480 core routing switches out of MPLS, and connect them to another pair of switches that are - and have connections between the two just using VLANs to separate the MPLS part of the network from the BGP routing part.

Paul.

Srinivasan__Sat
Extreme Employee
Hi Paul

Not sure if you have thought about this: you might consider moving IP forwarding and routing away from the VPLS nodes. Your design remains the same, except you have another switch (or pair of switches for n+1 redundancy with VRRP) which does routing between VPLS service VLANs.

Regards,
Sathish