VPWS with Tag Manipulation

Load vpws.tag.manipulation.init.cfg

#IOS-XE (R1-R6, CE1,5-6,8-12)
config replace flash:vpws.tag.manipulation.init.cfg

#IOS-XR (XR1, XR2)
configure
load vpws.tag.manipulation.init.cfg
commit replace
y

Configure the following VPWS services.

• CE1 & CE12

  • Only allow VLANs 10-12 to work

• CE11 & CE5

  • Ensure CE11 on vlan 11 and CE5 on vlan 5 work by removing the tag upon ingress

• CE10 & CE6

  • Ensure CE10 on vlan 10 and CE6 on vlan 6 work without popping the tag

• CE8 & CE9

  • Ensure CE8 on vlan 8 and CE9 unencapsulated traffic work without manipulating the vlan from CE8 upon ingress or egress.

Answer

#R1
int gi4
 service instance 1 ethernet
  encapsulation dot1q 10-12
!
int gi5
 service instance 1 ethernet
  encapsulation dot1q 10-12
 exit
!
bridge-domain 1
 member Gi4 service-instance 1
 member Gi5 service-instance 1
 
#R2
int gi5
 service instance 11 ethernet
  encapsulation dot1q 11
  rewrite ingress tag pop 1 symmetric
!
l2vpn xconnect context CE5_CE11
 member Gi5 service-instance 11
 member 11.11.11.11 511 encapsulation mpls
!
int gi4
 mtu 1504
 service instance 10 ethernet
  encapsulation dot1q 10
  rewrite ingress tag translate 1-to-1 dot1q 6
!
l2vpn xconnect context CE6_CE10
 member Gi4 service-instance 10
 member 12.12.12.12 610 encapsulation mpls

#XR1
default int gi0/0/0/3
!
int gi0/0/0/3
 no shut
!
int gi0/0/0/3.5 l2transport
 encapsulation dot1q 5
 rewrite ingress tag pop 1 symmetric
!
l2vpn xconnect group VPWS p2p CE5_CE11
 int gi0/0/0/3.5
 neighbor 2.2.2.2 pw-id 511

#XR2
default int gi0/0/0/3
!
int gi0/0/0/3
 no shut
!
int gi0/0/0/3.6 l2transport
 encapsulation dot1q 6
 rewrite ingress tag translate 1-to-1 dot1q 10
!
l2vpn xconnect group VPWS p2p CE6_CE10
 int gi0/0/0/3.6
 neighbor 2.2.2.2 pw-id 610

#R4
int gi6
 service instance 9 ethernet
  encapsulation untagged
  rewrite ingress tag push dot1q 8 symmetric
!
l2vpn xconnect context CE8_CE9
 member gi6 service-instance 9
 member 6.6.6.6 89 encapsulation mpls

#R6
int gi6
 service instance 8 ethernet
  encapsulation dot1q 8
!
l2vpn xconnect context CE8_CE9
 member gi6 service-instance 8
 member 4.4.4.4 89 encapsulation mpls

Explanation

CE1 & CE12 - VLAN restriction

This task requires that only VLANs 10-12 are allowed to be used in the xconnect. This is accomplished by only matching these VLANs in the EFP.

int gi4
 service instance 1 ethernet
  encapsulation dot1q 10-12
!
int gi5
 service instance 1 ethernet
  encapsulation dot1q 10-12

The connect command does not work for service instances, so instead we can bridge the two EFPs together:

bridge-domain 1
 member Gi3 service-instance 1
 member Gi5 service-instance 1

We can confirm the bridge-domain configuration and see if MACs are learned (you might need to initiate pings first):

There are four subinterfaces configured on CE1 and CE12:

Verify that traffic on vlan 13 does not work, but traffic on vlans 10-12 does work:

CE11 & CE5 - Removing tags upon ingress

CE11 and CE5 have different VLAN tags at the AC. CE11 uses vlan 11 and CE5 uses vlan 5. There are several ways to make this work, but the simplest is to just remove the tag upon ingress symmetrically. The symmetrical keyword means that the VLAN is added back upon egress. So when the frame comes in with VLAN 5 or 11, the VLAN tag is removed and now there is no VLAN. The frame is transported to the other PE without an tag. When a frame is forwarded out the EFP the locally defined tag via the encapsulation command is pushed upon egress. (When using tag popping, you can only match a single tag with the encapsulation statement, not a range of tags).

#R2
int gi5
 service instance 11 ethernet
  encapsulation dot1q 11
  rewrite ingress tag pop 1 symmetric

#XR1
default int gi0/0/0/3
!
int gi0/0/0/3
 no shut
!
int gi0/0/0/3.5 l2transport
 encapsulation dot1q 5
 rewrite ingress tag pop 1 symmetric

We can see the details of the EFP using this show command on IOS-XE:

We can see similar output on IOS-XR using this show command:

In general, these above show commands don’t really give us any more info than the running config does, so it may not be worth using these over simply viewing the running config.

CE10 & CE6 - Tag translation

This task requires that traffic between CE10 Gi0/0.10 and CE6 Gi0/0.6 work without removing tags. An alternative to popping tags would be to translate tags. At R2 we can translate tag 10 to tag 6, and on XR2 we can translate tag 6 to tag 10.

int gi4
 service instance 10 ethernet
  encapsulation dot1q 10
  rewrite ingress tag translate 1-to-1 dot1q 6
!
int gi0/0/0/3.6 l2transport
 encapsulation dot1q 6
 rewrite ingress tag translate 1-to-1 dot1q 10

This appears that it would be enough to get the VPWS working, however there is an MTU mismatch:

The reason for this is that IOS-XE and IOS-XR treat MTU differently. On the IOS-XR side, the MTU for the subinterface is 1518 and 14 is subtracted for the Ethernet header. This was the case on XR1 as well in the previous tag, however the tag was popped so the router also subtracted an additional 4 bytes, leaving the result as 1500. This is why we didn’t have to manipulate MTU in the previous task.

To make both sides match for this task, we can increase the IOS-XE side to 1504 or subtract 4 from the IOS-XR side. Note that if you change the XR side, you must add 14 bytes to the mtu command.

#R2
int gi3
 mtu 1504

!
! or
!

#XR2
interface GigabitEthernet0/0/0/3.6 l2transport
 mtu 1514

Traffic between CE6 and CE10 should now be working. When CE10 sends a frame, R2 will translate the dot1q value of 10 to a value of 6. XR2 sends this unmanipulated to CE6. The same action happens when CE6 sends a frame - 6 is translated to 10 at XR2 upon ingress.

We can see the rewrite action on IOS-XE with a slightly different command from before:

The same command as seen on the previous on IOS-XR works. Interestingly we can see that the internal action for translation is to first pop the tag and then push the translated tag:

CE8 & CE9 - Pushing a tag

This task requires that CE8 Gi0/0.8 and CE9 Gi0/0 can directly work. We are prohibited from manipulating the frame at the CE8 AC. Our only option is to push the correct tag upon ingress at the CE9 side.

int gi6
 service instance 9 ethernet
  encapsulation untagged
  rewrite ingress tag push dot1q 8 symmetric

The symmetric keyword causes the tag of 8 to be stripped upon forwarding a frame out the AC (egress towards CE9). Upon ingress, the tag value of 8 is pushed onto the frame.

Note that you can use either encap default or encap untagged. This is because the symmetric keyword causes the router to pop tag 8 off upon egress, so we don’t need to restrict the service instance to a particular single VLAN ID. However, we should techincally use untagged to meet the task requirements, since only untagged traffic should have vlan 8 pushed on top.

Summary

In this lab we’ve seen how VLAN tags can be manipulated at the AC. We can pop/push/translate tags upon ingress and egress. (Egress was not demonstrated in this lab). When popping or pushing upon ingress, we can do this symmetrically so that the reverse action is preformed upon egress. We also have the ability to manipulate two tags. For example, we can pop two tags or push two tags.

Besides VLAN tag manipulation, we also have flexibility in how we match L2 traffic onto an EFP or l2transport interface on IOS-XR. We can match based on the basic dot1q tag value. We can match a range of dot1q values which we saw in this lab. We can also match specifically untagged traffic. We can match two tags (encapsulation dot1q 23 second-dot1q 40 or encapsulation dot1ad 23 dot1q 40). When matching the outer tag using encapsulation dot1q 100 it will also match vlan 100 traffic with an additional inner tag of any value. To only match single tagged traffic with vlan 100 we can use the exact keyword. In addition to matching the vlan tag, we can also match the cos value and the ethernet payload type in the L2 header.