Tuesday, 25 August 2015

VPLS

Hi FOLKS!

Currently, I am reading the Cisco Press book Layer 2 VPN Architectures, which includes good context and is full of cool examples.

Here are the parts that I want to share:

The inherent broadcast nature of Ethernet makes it easy for networked devices to discover one another. VPLS extends that broadcast capability to the reach that is possible only with a WAN infrastructure.

In VPLS, end users perceive that the network devices are connected directly to a common LAN segment, which is in fact an emulated LAN created by VPLS, also known as a VPLS domain.

As a multipoint architecture, VPLS allows a single physical or logical CE-PE link to be used for transmitting Ethernet packets to multiple remote CE routers.

With VPLS, packets are no longer forwarded based on the one-to-one mapping between an attachment circuit and a pseudowire on a PE router. Rather, a PE router uses a Layer 2 forwarding table to determine the outgoing paths based on the destination MAC addresses. A Layer 2 forwarding table is populated dynamically with MAC addresses and next-hop interfaces through the learning process.

Service Definitions

VPLS offers two types of service:

Transparent LAN Service (TLS)

Ethernet Virtual Connection Service (EVCS)

The services are differentiated by the way that MAC addresses are learned and the way that bridging protocol data units (BPDU) are processed.

TLS:

TLS performs unqualified learning, in which all customer VLANs of a Layer 2 VPN are treated as if they were in the same broadcast domain. Source MAC addresses are learned and forwarding entries are populated in the same Layer 2 forwarding table regardless of whether they are tagged or untagged.

This means that MAC addresses have to be unique among all customer VLANs. !! Overlapping MAC addresses can cause confusion in the Layer 2 forwarding table and result in loss of customer packets.

Besides tagged and untagged Ethernet packets, a PE router that provides TLS also forwards BPDUs that it receives from the CE-facing interface to other interfaces or pseudowires without processing. Such transparency in BPDU forwarding makes the CE routers perceive that they are connected directly through an Ethernet hub instead of through a series of virtual switches.

EVCS:

For customers who want to keep a separate broadcast domain for each VLAN, EVCS is a more appropriate choice. In EVCS, the outer VLAN tag on the Ethernet packet differentiates one customer VLAN instance from another. Each VLAN has its own MAC address space, which allows qualified learning.

EVCS keeps the broadcast domain on a per-VLAN basis and does not extend the spanning tree across the MPLS network. BPDU packets from CE routers are dropped or processed at PE routers. In such cases, CE routers do not see each other directly in the spanning tree.

Suppose that a VPLS customer has four sites that form two separate broadcast domains. CE1 and CE2 connect to the same PE router but belong to different broadcast domains. 802.1q VLAN encapsulation is used between the CE routers and the PE router to separate the traffic of different broadcast domains.
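To make the difference between the two services concrete, here is an added Python model (an illustration written for this post, not code from the book): a virtual switch that learns either unqualified (TLS) or qualified (EVCS), fed two customer VLANs that happen to contain a host with the same MAC address. The port names, VLAN IDs and MAC addresses are constructed for the illustration.

```python
# Added example (not from the book or the blog post): a minimal model of the
# two VPLS service types. TLS keeps one forwarding table for every customer
# VLAN (unqualified learning) and relays BPDUs untouched; EVCS keys the table
# by VLAN (qualified learning) and drops BPDUs at the PE. All MAC addresses,
# VLAN IDs and port names below are constructed for the illustration.
from collections import namedtuple

Frame = namedtuple("Frame", "vlan src dst in_port")
BPDU_DST = "01:80:c2:00:00:00"   # destination MAC used by spanning-tree BPDUs

class VirtualSwitch:
    def __init__(self, qualified):
        self.qualified = qualified      # False = TLS, True = EVCS
        self.table = {}                 # learned key -> port the MAC was seen on
        self.ports = {"ac1", "ac2", "pw-PE2", "pw-PE3"}  # attachment circuits + pseudowires

    def _key(self, vlan, mac):
        # Unqualified learning ignores the VLAN; qualified learning includes it.
        return (vlan, mac) if self.qualified else mac

    def forward(self, f):
        """Learn f.src, then return the set of ports the frame is sent to."""
        if f.dst == BPDU_DST:
            # TLS: relay like a hub without processing; EVCS: drop at the PE.
            return set() if self.qualified else self.ports - {f.in_port}
        self.table[self._key(f.vlan, f.src)] = f.in_port
        out = self.table.get(self._key(f.vlan, f.dst))
        # Unknown unicast (or broadcast) is flooded to every other port.
        return {out} if out is not None else self.ports - {f.in_port}

def overlapping_mac_demo(qualified):
    """Two customer VLANs each contain a host with the same MAC address.
    Returns the port set a VLAN 10 frame addressed to that MAC is sent to."""
    sw = VirtualSwitch(qualified)
    shared = "00:00:00:00:00:aa"
    sw.forward(Frame(10, shared, "ff:ff:ff:ff:ff:ff", "ac1"))     # VLAN 10 host, local
    sw.forward(Frame(20, shared, "ff:ff:ff:ff:ff:ff", "pw-PE2"))  # VLAN 20 host, remote
    return sw.forward(Frame(10, "00:00:00:00:00:bb", shared, "ac2"))
```

With TLS the VLAN 20 learning event overwrites the VLAN 10 entry, so the VLAN 10 frame is sent to pw-PE2 and never reaches the host on ac1; with EVCS the two entries coexist and the frame goes to ac1.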

Virtual Switch

Each service that is defined in the previous section is offered by a virtual switch inside a PE router. When provisioned to support multiple VPLS customers, the PE router effectively is partitioned into multiple virtual switches. A given PE router has at most one virtual switch for every VPLS domain.

A virtual switch consists of a bridge module, an emulated LAN interface, and a virtual forwarding instance (VFI).

The bridge module in a virtual switch has the equivalent role of that in a physical Ethernet switch. It makes no distinction between the emulated LAN interface and any physical LAN interface in terms of bridging functions, such as MAC address learning and aging, and packet flooding. Besides maintaining a forwarding table that maps MAC addresses to attachment circuits, the bridge module can run spanning-tree protocols on them.

A VFI has similar functionality to a bridge but performs bridging operations on pseudowires instead of attachment circuits. It maintains a forwarding table that maps MAC addresses to pseudowires. The forwarding table is populated through the MAC address learning process based on packets it receives on pseudowires. It never learns the MAC addresses of the packets it receives on attachment circuits.

Hierarchical VPLS

Aiming at having the benefits of both basic topological models while mitigating their problems, a hybrid between the full-mesh and hub-and-spoke models is now available, known as hierarchical VPLS. Depending on the type of network that is deployed at the bottom tier, hierarchical VPLS comes in two forms:

Hierarchical VPLS with MPLS access network

Hierarchical VPLS with QinQ access network

Hierarchical VPLS with MPLS Access Network

As shown in Figure 15-5, for a given VPLS domain, virtual switches in the top tier are fully meshed through pseudowires. Each virtual switch in the bottom tier has exactly one pseudowire that connects to a top-tier virtual switch, which is effectively a hub-and-spoke model. This form of hierarchical VPLS is known as hierarchical VPLS with MPLS access.

PE routers in the top tier and bottom tier are also known as network-facing PE (N-PE) routers and user-facing PE (U-PE) routers, respectively. To ensure loop-free forwarding, an N-PE router must enable Layer 2 split horizon on all pseudowires that connect to other N-PE routers and disable split horizon on all pseudowires that connect to U-PE routers.

Hierarchical VPLS with QinQ Access Network

Hierarchical VPLS has an alternate form that uses Ethernet QinQ tunnels between U-PE and N-PE routers, as depicted in Figure 15-6. It is also known as hierarchical VPLS with QinQ access. Instead of a pseudowire, you can use an Ethernet QinQ tunnel between a U-PE router and an N-PE router.

Despite the absence of pseudowires in the bottom tier, the overall bridging architecture is still based on two logically separated layers, where an N-PE router forwards packets to pseudowires that connect to other N-PE routers only if they arrive on QinQ tunnels that connect to U-PE routers.

VPLS Redundancy

In the hierarchical VPLS model, an N-PE router can still be a single point of failure for attached U-PE routers. To solve this problem, each U-PE can connect to multiple N-PE routers through redundant pseudowires or QinQ tunnels. This method for providing redundancy is also known as multihoming.

In this case, Layer 2 split horizon alone is no longer sufficient for providing loop-free forwarding. You need to enable spanning-tree protocols between U-PE and N-PE routers.

When a U-PE router multihomes with N-PE routers, you must enable spanning-tree protocols on the U-PE router for all the pseudowires or QinQ tunnels that exist between the U-PE and N-PE routers. However, an N-PE router can choose whether to participate in spanning-tree protocols. If it does, it behaves like an Ethernet bridge that exchanges and processes BPDUs with U-PE and other N-PE routers of the same island. If it does not, it acts as an Ethernet hub that simply relays BPDUs without processing.
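The split-horizon rule for N-PE routers and the multihoming caveat above can both be checked with a small flooding model. This is an added Python example (written for this post, not code from the book): it floods one broadcast frame through a constructed hierarchical VPLS topology, first single-homed and then with one multihomed U-PE, and counts how often each router receives it. Router names and links are constructed for the illustration.

```python
# Added example (not from the book or the blog post): flooding one broadcast
# frame through constructed hierarchical VPLS topologies to show (1) why an
# N-PE enables split horizon only on its N-PE-facing pseudowires and (2) why
# split horizon alone no longer prevents loops once a U-PE is multihomed.
# All router names and links are constructed for the illustration.
from collections import Counter

NPES = {"NPE1", "NPE2", "NPE3"}   # top tier, fully meshed through pseudowires

# Single-homed topology: each U-PE has exactly one link (pseudowire or QinQ
# tunnel) up to one N-PE.
SINGLE_HOMED = {
    "NPE1": {"NPE2", "NPE3", "UPE1"},
    "NPE2": {"NPE1", "NPE3", "UPE2"},
    "NPE3": {"NPE1", "NPE2", "UPE3"},
    "UPE1": {"NPE1"}, "UPE2": {"NPE2"}, "UPE3": {"NPE3"},
}
# Multihomed variant: UPE1 also has a redundant link to NPE2.
MULTIHOMED = {k: set(v) for k, v in SINGLE_HOMED.items()}
MULTIHOMED["UPE1"].add("NPE2")
MULTIHOMED["NPE2"].add("UPE1")

def egress(links, router, ingress, split_horizon=True):
    """Links a router floods a broadcast/unknown frame to, given the link it
    arrived on. With split horizon, an N-PE never relays a frame received from
    another N-PE back into the N-PE mesh; frames from U-PE links go everywhere."""
    out = links[router] - {ingress}
    if split_horizon and router in NPES and ingress in NPES:
        out -= NPES
    return out

def flood(links, source, split_horizon=True, max_hops=20):
    """Flood one broadcast from `source` and count deliveries per router.
    Returns (deliveries, looped); looped is True when frames are still in
    flight after max_hops, i.e. the topology forwards them forever."""
    deliveries = Counter()
    in_flight = [(source, nbr) for nbr in links[source]]   # (from, to)
    for _ in range(max_hops):
        if not in_flight:
            return deliveries, False
        nxt = []
        for frm, to in in_flight:
            deliveries[to] += 1
            nxt.extend((to, n) for n in egress(links, to, frm, split_horizon))
        in_flight = nxt
    return deliveries, True
```

In the single-homed topology with split horizon every other router receives the frame exactly once; disabling split horizon on the N-PE mesh, or multihoming UPE1 while keeping split horizon, leaves frames circulating until the hop limit, which is exactly the loop that spanning tree has to break in the redundant case.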