Design and Deployment of Data Center Interconnects Using Advanced VPLS (A-VPLS)
BRKDCT-2011
Amit Singh, Technical Marketing Engineer
Thursday, July 14, 2011
BRKDCT-2011 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public

Reference Sessions
• BRKDCT-2840 – Data Center Networking: Taking the Risk Away from Layer 2 Interconnects
• BRKDCT-3060 – Advanced Deployment Challenges with Interconnecting Data Centers
• TECDCT-2781 – Deployment Considerations for Interconnecting Distributed Virtual Data Centers

Agenda
• Data Center Interconnect (DCI) Overview
• DCI Solution Options
• Advanced VPLS (A-VPLS) Overview
• A-VPLS Benefits and Configuration
• A-VPLS Deployment Architecture
• Services
• Summary
• Q/A

What Will You Learn?

Data Center Interconnect (DCI) Considerations
[Diagram: Main Data Center and Backup Data Center connected by an L3 IP routed service (with WAAS), L2 EoMPLS and EoMPLSoGRE, and SAN extension over FC and DWDM/CWDM to storage]
DCI involves:
• Layer 3 extensions
• SAN extensions
• LAN extensions
• Application virtualization

Data Center Interconnect: SAN Extension Considerations
[Diagram: as above, with the SAN/FC/DWDM-CWDM path highlighted]
• Disaster recovery/business continuance is a priority for enterprises
• Federal policy and regulations (e.g. HIPAA) drive demand for data replication solutions
• Stored data needs to be replicated
• For additional information please refer to the reference links section
Data Center Layer 3 Extension Considerations
[Diagram: as above, with the L3 IP routed service path highlighted]
• Segmentation of networks to integrate new data centers
• Layer 3 interconnects are also used for file server backup and replication applications, which can be optimized with Cisco's WAAS solution
• Layer 3 interconnects can be utilized by all applications not requiring a L2 domain
• For additional information refer to the reference links section

Data Center Interconnect Layer 2 Extension Considerations (Focus of this Session)
[Diagram: as above, with the L2 EoMPLS/EoMPLSoGRE path highlighted]
• Application needs (embedded IP addressing) are driving customers to bring Layer 2 across the DCI
• Server HA clusters, "geoclustering"
• Moving and consolidating servers
• Virtual Machine (VM) mobility requires Layer 2 extension

High Availability Clusters
• Typically Active/Standby failover
• Inter-server heartbeats, status and control are synchronized through private and public networks (link-local multicast heartbeats between node1 and node2)
• Requires a Layer 2 path between the hosts
• Client reconnection is transparent because the nodes share an IP address, so Layer 2 must be extended
• A failure transfers storage "ownership"
• Requires multiple high-speed, low-latency Layer 2 interconnects
Virtual Machine: Workload Mobility & Business Continuance
[Diagram: Email (VSAN_3), Web (VSAN_2) and File & Print (VSAN_1) VMs with vHBA/pHBA, VLAN "A" and VLAN "B" present at both sites, IVR between the SANs]
• Process migration increases application availability
• Consideration: a GE VMotion control network is recommended for VM migration
• LAN and SAN require a Layer 2 path to maintain user sessions during migration
• The VM maintains its IP address and MAC address after the transfer
• Embedded network services enable consistent policy enforcement and user experience

DCI Solution Options

Cisco Data Center Interconnect Options Available Today and Cisco Innovations
Any location / any transport / on demand:
• Dark Fiber/DWDM: Catalyst 6500 VSS; Nexus 7000 vPC; ONS Crossponder
• MPLS: EoMPLS; VPLS and A-VPLS (Catalyst 6500); OTV with Nexus 7000 (IP traffic gets MPLS tagged)
• IP: Any Transport over GRE (Catalyst 6500); OTV with Nexus 7000; A-VPLS over GRE with Catalyst 6500
Elastic LAN extensions (L2 over L3) between DC-1 and DC-2.
VSS – Virtual Switching System; vPC – Virtual Port Channel; DWDM – Dense Wavelength Division Multiplexing; EoMPLS – Ethernet over MPLS; VPLS – Virtual Private LAN Service; A-VPLS – Advanced Virtual Private LAN Service

Primary LAN Extension Challenges
• Configuration complexity
• Redundancy and fast failover
• Efficient load balancing
• STP isolation and loop avoidance

Advanced VPLS (A-VPLS) Overview
MPLS LAN Extension: Virtual Private LAN Service (VPLS)
• VPLS defines an architecture that allows MPLS networks to offer Layer 2 multipoint Ethernet services
• The MPLS core emulates an IEEE Ethernet bridge (virtual)
• Virtual bridges (VFIs) are linked with pseudowires (PWs)
[Diagram: VPLS multipoint services; CEs attached to PEs, each PE hosting a VFI, the VFIs fully meshed with PWs across the MPLS core]

Virtual Forwarding Instance (VFI): IOS Representation of a Virtual Switch Interface
Flooding / Forwarding
• MAC table instances per customer (port/VLAN) for each PE
• The VFI participates in the learning and forwarding process
• Associates ports to MACs, floods unknowns to all other ports
Address Learning / Aging
• LDP enhanced with an additional MAC List TLV (label withdrawal)
• MAC timers are refreshed by incoming frames
Loop Prevention
• Creates a full mesh of pseudowire VCs (EoMPLS)
• Unidirectional LSPs carry the VCs between each pair of N-PEs
• VPLS uses "split horizon" to prevent loops

Multipoint Topologies: Advanced Virtual Private LAN Service (A-VPLS)
A-VPLS leverages traditional VPLS for its core functionality while adding benefits that make it a superior solution for Data Center Interconnect deployments:
• Enhanced VPLS traffic load-balancing capabilities
• VPLS configuration simplifications
• Enhanced VPLS availability
[Diagram: A-VPLS multipoint services; CE, PE and VFI with a full mesh of PWs over MPLS]
Multipoint Topologies: Advanced Virtual Private LAN Service over GRE (A-VPLSoGRE)
• A-VPLS can also be used over IP networks by using A-VPLSoGRE encapsulation
• In an IP core, point-to-point GRE tunnels are used to carry PW traffic
• A-VPLS service can be supported over MPLS over GRE tunnels to take advantage of load balancing PW flows over ECMP in an IP network
• A-VPLS over MPLS over GRE is planned for a future release
[Diagram: A-VPLSoGRE multipoint services; PWs over GRE between PE VFIs across the IP core]

DCI Primary LAN Extension Challenges – Solutions
• Redundancy and fast failover: VPLS – EEM scripts; A-VPLS – VSS support for VPLS
• STP isolation and loop avoidance: VPLS – EEM scripts or MST; A-VPLS – VSS support for VPLS and split horizon
• Efficient load balancing: VPLS – EEM scripts and forced STP configuration; A-VPLS – VSS, A-VPLS and the A-VPLS flow label
• Configuration complexity: VPLS – leverage management tools and QinQ configuration; A-VPLS – new virtual Ethernet interface and CLI

Advanced VPLS Benefits and Configuration

Advanced VPLS (A-VPLS): A Suite of Enhancements
Cisco enhancements to the VPLS standard:
• Easy configuration, reduced complexity: an easy-to-use CLI for VLAN extension
• Simplified redundancy: VSS single-chassis redundancy, fast sub-second failover
• Optimal load balancing: L2/L3/L4 flow-based balancing, "any flow, any link"
• Ethernet LAN extension over MPLS or IP, from DC edge to aggregation, DC edge to WAN, and in the WAN core
• Multipoint loop-free connectivity

Existing STP Manipulation: VLAN-Based Load Sharing
Aggregation Switch 1:
  !
  spanning-tree vlan Even cost 1000
  spanning-tree vlan Odd cost 1500
  !
Aggregation Switch 2:
  !
  spanning-tree vlan Even cost 1500
  spanning-tree vlan Odd cost 1000
  !
The same would be applicable to a VPLS or VPLSoGRE setup.

A-VPLS Encapsulation (IETF draft-bryant-filsfils-fat-pw, Standards Track)
Original VPLS encapsulation: MPLS tunnel label(s) | PW label | optional control word | payload
A-VPLS encapsulation: MPLS tunnel label(s) | PW label | flow label | optional control word | payload
• A-VPLS introduces the "flow label", an additional label interposed during PW packet encapsulation:
  – between the PW label (VC label) and the control word
  – between the PW label (VC label) and the payload if the control word is not present
• The flow label stimulates ECMP load-balancing behavior in the core
• Core MTU ≥ Edge MTU + Transport Header + (MPLS Label Stack × MPLS Header Size)

Multiple Levels of Load Balancing with A-VPLS
  pseudowire-class A-VPLS_Remote_PE
   encapsulation mpls
   load-balance flow    ! enable ML-PW load-balancing based on ECMP
   flow-label enable    ! enable FAT PW by allowing imposition/disposition of flow labels
• FAT-PW: flow label insertion based on Layer 2, 3 and 4 information; load balances traffic on the intermediate provider nodes
• ML-PW (Multi-Link Pseudowire): one PW over multiple ECMP links; load balances traffic between multiple ECMP paths on one VSS member
• EtherChannel: RBH (Result Bundle Hash) EtherChannel load balancing; polarization of traffic within a VSS member
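As an added example (not from the deck), the MTU rule above worked through in Python for the encapsulations the slides compare; the header sizes are standard protocol constants, while the label-stack depth per profile (one tunnel label in the MPLS core, none when the PW rides a GRE tunnel directly to the peer) is this example's assumption.

```python
"""Core MTU budget for VPLS, A-VPLS and A-VPLSoGRE pseudowires.

Added example applying the slide's rule
    Core MTU >= Edge MTU + Transport Header + (MPLS Label Stack x MPLS Header Size)
to the encapsulations the deck compares. Header sizes are standard protocol
constants; the label-stack depth of each profile is an assumption of the example.
"""
from dataclasses import dataclass

MPLS_HEADER = 4          # one MPLS label stack entry
ETHERNET_HEADER = 14     # dst MAC + src MAC + type/len (FCS is regenerated per hop)
DOT1Q_TAG = 4            # 802.1Q tag carried inside the PW (tagged mode)
CONTROL_WORD = 4         # optional PW control word
IPV4_HEADER = 20         # outer IPv4 header for MPLS over GRE
GRE_HEADER = 4           # minimal GRE header (no key or sequence number)


@dataclass(frozen=True)
class PwEncap:
    """Encapsulation choices that grow the label stack or add a transport header."""
    tunnel_labels: int = 1     # LSP labels in the core; 0 when the PW rides a GRE tunnel directly
    flow_label: bool = False   # A-VPLS FAT-PW flow label (draft-bryant-filsfils-fat-pw)
    control_word: bool = False
    over_gre: bool = False     # A-VPLSoGRE: MPLS label stack inside IPv4/GRE
    dot1q_tagged: bool = True  # customer frames carry an 802.1Q tag

    def label_stack_depth(self) -> int:
        # tunnel label(s) + PW (VC) label + optional flow label
        return self.tunnel_labels + 1 + (1 if self.flow_label else 0)

    def overhead(self) -> int:
        transport = ETHERNET_HEADER + (DOT1Q_TAG if self.dot1q_tagged else 0)
        transport += CONTROL_WORD if self.control_word else 0
        transport += (IPV4_HEADER + GRE_HEADER) if self.over_gre else 0
        return transport + self.label_stack_depth() * MPLS_HEADER


def required_core_mtu(edge_mtu: int, encap: PwEncap) -> int:
    """Minimum core-facing MTU that carries an edge frame with `edge_mtu` bytes of payload."""
    return edge_mtu + encap.overhead()


def mtu_shortfall(edge_mtu: int, core_mtu: int, encap: PwEncap) -> int:
    """Bytes by which the core MTU is too small (0 when the core link is adequate).

    A positive value means the largest edge frames are dropped in the core, which
    shows up as selective application failures after enabling flow labels or moving
    to GRE, not as a link-down event.
    """
    return max(0, required_core_mtu(edge_mtu, encap) - core_mtu)


# Constructed comparison of the slide's encapsulations for a 1500-byte IP edge MTU.
PROFILES = {
    "vpls": PwEncap(),
    "a-vpls": PwEncap(flow_label=True),
    "a-vpls+cw": PwEncap(flow_label=True, control_word=True),
    "a-vplsogre": PwEncap(tunnel_labels=0, flow_label=True, over_gre=True),
}

if __name__ == "__main__":
    for name, encap in PROFILES.items():
        print(f"{name:12s} labels={encap.label_stack_depth()} "
              f"core MTU >= {required_core_mtu(1500, encap)}")
```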
Configuration – Existing VPLS CLI
PE1 (1.1.1.1), with PE2 (2.2.2.2) and PE3 (3.3.3.3) across the IP/MPLS core:
  l2 vfi for_10 manual
   vpn id 10
   neighbor 2.2.2.2 encap mpls
   neighbor 3.3.3.3 encap mpls
  !
  l2 vfi for_20 manual
   vpn id 20
   neighbor 2.2.2.2 encap mpls
   neighbor 3.3.3.3 encap mpls
  !
  interface vlan 10
   xconnect vfi for_10
  !
  interface vlan 20
   xconnect vfi for_20

Simplified Configuration for A-VPLS
PE1 (1.1.1.1):
  pseudowire-class cl1
   encap mpls
   load-balance flow     ! enable ML PW (ECMP LB)
   flow-label enable     ! enable FAT PW
  !
  interface virtual-ethernet 1
   ! transport configuration
   transport vpls mesh
    neighbor 2.2.2.2 pw-class cl1
    neighbor 3.3.3.3 pw-class cl1
   ! service configuration
   switchport
   switchport mode trunk
   switchport trunk allowed vlan 10, 20

Configuration – A-VPLS over GRE (one GRE tunnel per DC site)
PE1 (1.1.1.1):
  pseudowire-class cl1
   encap mpls
   load-balance flow     ! enable ML PW (ECMP LB)
  !
  interface tunnel 1
   tunnel mode gre mpls ip
   tunnel source 11.11.11.11
   tunnel destination 22.22.22.22
  !
  interface tunnel 2
   tunnel mode gre mpls ip
   tunnel source 11.11.11.12
   tunnel destination 33.33.33.33
  !
  interface virtual-ethernet 1
   ! transport configuration
   transport vpls mesh
    neighbor 2.2.2.2 pw-class cl1
   ! service configuration
   switchport
   switchport mode trunk
   switchport trunk allowed vlan 10, 20
  !
  ip route 2.2.2.2 255.255.255.255 Tunnel1
  ip route 2.2.2.2 255.255.255.255 Tunnel2
  !
  interface TenGigabitEthernet1/1/3/0
   ip address 10.1.1.1 255.255.255.0
Callout on the tunnel interfaces: the only interfaces to have MPLS enabled on them.

Integrated Routing and Bridging (IRB) or Routed VPLS with A-VPLS
IRB on the virtual-ethernet interface is to be supported in SXJ11.
[Diagram: IP service at the Core/WAN edge (Layer 3); DC aggregation is the Layer 2/Layer 3 demarcation; DC access below]
  interface virtual-ethernet 1
   ! transport configuration
   transport vpls mesh
    neighbor 2.2.2.2 pw-class cl1
   ! service configuration
   switchport
   switchport mode trunk
   switchport trunk allowed vlan 10, 20
  !
  interface Vlan10
   ip vrf forwarding vrf_1
   ip address 12.12.12.1 255.255.255.0
  !
• The SVI can now route traffic to a client on the Internet or to a segmented L3VPN network through the same device
• Requires fewer devices (one device for both the SVI and the xconnect / virtual-ethernet)
• Enables multi-tenancy deployment

A-VPLS Functionality Verification: Verify the A-VPLS Control Plane Is Set Up
[Diagram: PE2 peering with an A-VPLS VSS PE and with A-VPLS PE3]
  PE2#sh vfi
  Legend: RT=Route-target, S=Split-horizon, Y=Yes, N=No

  VFI name: VFI_10_, state: up, type: multipoint, auto-provisioned
    VPN ID: 10
    Bridge-Domain 10 attachment circuits:
      Vlan10
    Neighbors connected via pseudowires:
    Peer Address     VC ID        S
    1.1.1.1          10           Y
    5.5.5.5          10           Y

  PE2#sh interfaces virtual-ethernet 1 transport
  VLAN Transport type for the V-E instance: VPLS Mesh
  1 VPLS domains provisioned for this V-E instance
  VFI names : VFI[10]_
  PE2#
Callouts: the VFI is automatically generated, with the VLAN ID mapped to the VPN ID; VFI 10 is transported over V-E 1.

Show MPLS Layer 2 VC
  VSS#sh mpls l2 vc
  Local intf     Local circuit              Dest address    VC ID      Status
  -------------  -------------------------- --------------- ---------- ----------
  VFI VFI_3_     VFI                        3.3.3.3         3          UP
  VFI VFI_4_     VFI                        3.3.3.3         4          UP
  VFI VFI_5_     VFI                        3.3.3.3         5          UP
  VFI VFI_6_     VFI                        3.3.3.3         6          UP
  VFI VFI_7_     VFI                        3.3.3.3         7          UP
Still standards-based VPLS code doing the signaling.
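An added example, not part of the deck: a Python check that parses the `show vfi` and `show mpls l2 vc` output formats shown above and reports anything that should keep a change window open (VFI not up, a missing mesh peer, split horizon off, a VC not UP). The sample output is constructed from the slides, with one VC status changed to DOWN so the check has something to find.

```python
"""Post-change verification of the A-VPLS control plane from `show` output.

Added example: parses the `show vfi` and `show mpls l2 vc` formats on the slides
and flags VFIs that are not up, VFIs with fewer peers than the mesh expects,
neighbours without split horizon (S != Y) and VCs that are not UP. The sample
output is constructed from the slide text (one VC status changed to DOWN).
"""
import re
from typing import Dict, List

SHOW_VFI = """\
PE2#sh vfi
Legend: RT=Route-target, S=Split-horizon, Y=Yes, N=No

VFI name: VFI_10_, state: up, type: multipoint, auto-provisioned
  VPN ID: 10
  Bridge-Domain 10 attachment circuits:
    Vlan10
  Neighbors connected via pseudowires:
  Peer Address     VC ID        S
  1.1.1.1          10           Y
  5.5.5.5          10           Y
"""

SHOW_L2VC = """\
VSS#sh mpls l2 vc
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
VFI VFI_3_     VFI                        3.3.3.3         3          UP
VFI VFI_4_     VFI                        3.3.3.3         4          UP
VFI VFI_5_     VFI                        3.3.3.3         5          DOWN
"""

VFI_HDR = re.compile(r"VFI name:\s*(\S+),\s*state:\s*(\w+),\s*type:\s*(\w+)")
PEER_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+([YN])\s*$")
VC_ROW = re.compile(r"^VFI\s+(\S+)\s+VFI\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_show_vfi(text: str) -> List[Dict]:
    """Return one dict per VFI: name, state, type, vpn_id and its peer rows."""
    vfis: List[Dict] = []
    for line in text.splitlines():
        if m := VFI_HDR.search(line):
            vfis.append({"name": m[1], "state": m[2], "type": m[3], "vpn_id": None, "peers": []})
        elif vfis and (m := re.search(r"VPN ID:\s*(\d+)", line)):
            vfis[-1]["vpn_id"] = int(m[1])
        elif vfis and (m := PEER_ROW.match(line)):
            vfis[-1]["peers"].append({"peer": m[1], "vc_id": int(m[2]), "split_horizon": m[3] == "Y"})
    return vfis


def parse_show_l2vc(text: str) -> List[Dict]:
    """Return one dict per VC row of `show mpls l2 vc`."""
    return [{"vfi": m[1], "peer": m[2], "vc_id": int(m[3]), "status": m[4]}
            for line in text.splitlines() if (m := VC_ROW.match(line))]


def audit(vfi_text: str, l2vc_text: str, expected_peers: int) -> List[str]:
    """Findings that should block closing the change window.

    expected_peers is the number of remote sites in the full mesh; a VFI with
    fewer peers means a neighbor statement is missing or its PW never signalled.
    """
    findings: List[str] = []
    for vfi in parse_show_vfi(vfi_text):
        if vfi["state"] != "up":
            findings.append(f"{vfi['name']}: state {vfi['state']}")
        if len(vfi["peers"]) != expected_peers:
            findings.append(f"{vfi['name']}: {len(vfi['peers'])} peers, expected {expected_peers}")
        for p in vfi["peers"]:
            if not p["split_horizon"]:
                findings.append(f"{vfi['name']}: split horizon off toward {p['peer']} (loop risk)")
    for vc in parse_show_l2vc(l2vc_text):
        if vc["status"] != "UP":
            findings.append(f"{vc['vfi']}: VC {vc['vc_id']} to {vc['peer']} is {vc['status']}")
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_VFI, SHOW_L2VC, expected_peers=2):
        print("FINDING:", finding)
```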
VSS (NSF/SSO) Support for A-VPLS for PE Redundancy; MCEC for CE Multihoming
• A-VPLS pseudowire: a single virtual Ethernet interconnect across multiple interfaces
[Diagram: aggregation switches dual-homed via MCEC to a VSS pair of nPEs (VSL between the members), with the LSP/GRE tunnel pseudowire across the IP/MPLS cloud to the remote VSS system]
  !
  redundancy
   mode sso
  !
  router ospf 120
   nsf
  !
The legacy solution used EEM for PE redundancy.

Add a New Data Center with a Single Command Line
Want to add a 3rd site? On each existing nPE:
  !
   neighbor 4.4.4.4 pw-class cl1
  !
• Split horizon between all neighbors for loop avoidance
• VSS + MEC leveraged for loop prevention as well

A-VPLS Deployment Architecture

A-VPLS Requirements and Deployment Considerations
Requirements:
• A-VPLS requires SIP-400 or ES40+ as the outgoing interface
• A-VPLS with SIP-400 requires minimum software release 12.2(33)SXI4
• A-VPLS with ES40+ requires minimum software release 12.2(33)SXJ1
Deployment options:
• A-VPLS can be deployed on the core layer
• A separate DCI/services layer can be created to extend data center domains
• Using the existing aggregation layer to extend the Layer 2 domain (using WAN cards as uplink, or a service card)
• Overlapping VLANs in DCs
• Connecting aggregation layer switches without STP
• Prioritizing traffic across DCs
• Encrypting Layer 2 inter-DC traffic
Always Deployed as an Uplink-Facing Interface
• A-VPLS is supported on the SIP-400 with GigE, 10GigE and POS SPAs, and on ES40+ line cards, on the Catalyst 6500
• The SIP-400/ES+ card faces the uplink only; LAN cards face the DC core and aggregation
[Diagram: WAN edge pair with SIP-400/ES+ uplinks, LAN cards toward the DC core and aggregation]

Hardware Requirements for A-VPLS and A-VPLS over GRE
Requires an ES+ with 12.2(33)SXJ1 or a SIP-400 with at least 12.2(33)SXI4a.
• Common capabilities: 32,000 queues; 3-level hierarchical QoS; dual-rate, 3-color policer; CBWFQ + LLQ + WRED; VPLS, VPLSoGRE; A-VPLS, A-VPLSoGRE; IRB; VLAN translation
• SIP-400: traditional WAN interfaces; 4-6 Gbps throughput
• ES+: 10GE WAN interfaces (2 and 4 ports); 40G throughput

DCI/WAN Use Cases for SIP-400 or ES40+ Line Card
[Diagram: IP service between Core/WAN edge pairs at two sites; the A-VPLS virtual Ethernet configuration sits at the Core/WAN edge, with Layer 2 trunk links down to DC aggregation and DC access]
• A-VPLS with WAN features: H-QoS, a large number of queues, large buffers and IPoDWDM

DCI/WAN Use Case with Mixed Platform Data Center Using ES40+ Line Card
[Diagram: WAN edge at each site, a dedicated DCI edge carrying the A-VPLS virtual-ethernet configuration, with DC core, DC aggregation and DC access below]
• A-VPLS policy separation for Layer 2 extension
• Easier to manage
• No change in the existing network; supports hybrid networks
DCI/WAN Use Cases for SIP-400 or ES40+ Line Card: A-VPLS with Integrated Routing and Bridging
[Diagram: IP service between Core/WAN edge pairs; the A-VPLS virtual Ethernet configuration at the Core/WAN edge, with Layer 2 trunk links to DC aggregation and DC access]
• Cheaper, and no changes in the network topology
• The L2 boundary does not extend beyond the aggregation layer

A-VPLS Decision Criteria
• Flexible PIN deployment option
• Deploy MPLS VPN and A-VPLS for the same VLAN in a single device
• Support for 4000 VLANs
• 30 DC support
• Sub-second convergence
• Flow-based load balancing

Services

Overlapping VLANs Between DCs: VLAN Translation (Current Support of 128 Per Port)
[Diagram: DC1 and DC2 VSS nPE systems across the IP/MPLS cloud; DC1 VLAN 50 (Orange) maps to VPLS Orange and DC2 VLAN 50; DC1 VLAN 52 (Purple) is translated to VLAN 53 toward VPLS Purple and DC2 VLAN 53]
• The DC-VLAN ID to VPLS map can be different at different UNIs in a DCI
• The customer acquires/interconnects a new DC with overlapping VLAN space (VLAN 52)
• Translations work for 128 VLANs
• The VLAN tag cannot be the same across DCs and is translated before A-VPLS

Sample VLAN Translation Configuration and Guidelines
A few VLAN translation guidelines:
1. For the MEC in the case of VSS, the VLAN mapping is to be done on the member ports.
2. A VLAN translation configuration is inactive if it is applied to ports that are not Layer 2 trunks.
3. Do not remove the VLAN to which you are translating from the trunk.
4. The VLAN translation limit varies by module. Please refer to the link below:
   http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vlans.html#wp1044990
  !
  interface TenGigabitEthernet2/1
   switchport
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 2-100,300-1000,1500-2999,3001-3128,3200-3600
   switchport trunk allowed vlan add 3800-3899
   switchport mode trunk
   switchport vlan mapping enable
   switchport vlan mapping 52 53
  !

Overlapping VLAN Space in the Same DC: QinQ
[Diagram: DC1 has an overlapping VLAN ID space; DC1 VLANs 51-100 (Orange) are carried in S-VLAN 101 and DC1 VLANs 51-100 (Purple) in S-VLAN 102 toward VPLS Orange and VPLS Purple; DC2 receives 101 (VLANs 51-100) and 102 (VLANs 52-100)]
• Overlapping VLAN tags are isolated at the nPE/DCI using QinQ
• To provide flexible service mapping, selective QinQ is required

Sample QinQ Configuration
[Diagram: C-tags 11, 3 and 9 from the CEs; U-PE3 attached to N-PE3; N-PE4 attached directly to a CE; VFIs on N-PE1, N-PE3 and N-PE4 meshed]
U-PE configuration:
  ! Interface connected to CE
  ! It's a dot1q-tunnel port
  interface GigabitEthernet2/13
   switchport
   switchport access vlan 11
   switchport mode dot1q-tunnel
   spanning-tree bpdufilter enable
  !
  ! Interface connected to N-PE
  ! It's a regular dot1q trunk port
  interface GigabitEthernet2/47
   switchport
   switchport trunk encapsulation dot1q
   switchport mode trunk
N-PE (3 & 4) configuration:
  ! Same VPLS VFI config as flat VPLS
  ! Attachment circuit has two config options
  ! Option 1 – dot1q trunk if connected to a U-PE, like N-PE3
  interface GigabitEthernet5/1
   switchport
   switchport trunk encapsulation dot1q
   switchport mode trunk
  !
  ! Option 2 – dot1q tunnel if connected to a CE directly, like N-PE4
  interface GigabitEthernet5/1
   switchport
   switchport access vlan 11
   switchport mode dot1q-tunnel
   spanning-tree bpdufilter enable
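An added example (not the deck's own), applying the VLAN translation guidelines above as a pre-change check over the sample interface stanza: the port must be a trunk, `switchport vlan mapping enable` must be present, the translated-to VLAN must stay in the allowed list, and the mapping count must not exceed the per-port limit; the allowed-list parsing and the 128 limit constant are the example's assumptions.

```python
"""Pre-change check for Catalyst 6500 VLAN translation (switchport vlan mapping) stanzas.

Added example encoding the slide's guidelines as checks over one interface stanza:
the port must be a Layer 2 trunk (otherwise the mapping is inactive), mapping must be
enabled, the translated-to VLAN must remain allowed on the trunk, and the number of
mappings must not exceed the per-port limit (128 on the slide; varies by module).
The sample stanza is the slide's configuration; the `except` allowed-list form is not handled.
"""
import re
from typing import List, Set

SAMPLE = """\
interface TenGigabitEthernet2/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2-100,300-1000,1500-2999,3001-3128,3200-3600
 switchport trunk allowed vlan add 3800-3899
 switchport mode trunk
 switchport vlan mapping enable
 switchport vlan mapping 52 53
!
"""

PER_PORT_LIMIT = 128  # from the slide; module-dependent in practice (assumption)


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '2-100,300-1000' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_stanza(text: str) -> dict:
    """Collect the fields the checks need from one interface stanza."""
    st = {"name": None, "trunk": False, "mapping_enabled": False,
          "allowed": set(), "mappings": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface\s+(\S+)", line):
            st["name"] = m[1]
        elif line == "switchport mode trunk":
            st["trunk"] = True
        elif line == "switchport vlan mapping enable":
            st["mapping_enabled"] = True
        elif m := re.match(r"switchport trunk allowed vlan (add |remove )?(\S+)", line):
            if m[2] == "all":
                vlans = set(range(1, 4095))
            elif m[2] == "none":
                vlans = set()
            else:
                vlans = parse_vlan_list(m[2])
            if m[1] == "remove ":
                st["allowed"] -= vlans
            else:
                # a plain `allowed vlan` replaces the list; `add` extends it
                st["allowed"] = (st["allowed"] | vlans) if m[1] else vlans
        elif m := re.match(r"switchport vlan mapping (\d+) (\d+)$", line):
            st["mappings"].append((int(m[1]), int(m[2])))
    return st


def check_vlan_mapping(text: str) -> List[str]:
    """Return guideline violations for the stanza; an empty list means it is safe to apply."""
    st = parse_stanza(text)
    problems: List[str] = []
    if not st["trunk"]:
        problems.append("port is not a Layer 2 trunk: VLAN translation will be inactive")
    if st["mappings"] and not st["mapping_enabled"]:
        problems.append("missing 'switchport vlan mapping enable'")
    if len(st["mappings"]) > PER_PORT_LIMIT:
        problems.append(f"{len(st['mappings'])} mappings exceed per-port limit {PER_PORT_LIMIT}")
    for original, translated in st["mappings"]:
        if translated not in st["allowed"]:
            # guideline 3: the translated-to VLAN must stay on the trunk
            problems.append(f"translated VLAN {translated} (from {original}) is not allowed on the trunk")
    return problems


if __name__ == "__main__":
    print(check_vlan_mapping(SAMPLE) or ["OK"])
```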
QoS Drivers for WAN/DCI Applications
To differentiate various types of traffic:
• Differentiate based on application or type
• Prioritize some traffic to meet latency requirements
• Guarantee bandwidth for some traffic during peaks
• Protect IGP/LDP/other control packets
To sub-rate traffic going to the cloud:
• Meet the contracted rate with the SP
To limit inter-site/inter-DC traffic:
• Limit the amount of traffic going to each site (EVPL case)
Allow SP data centers to offer SLAs to end customers:
• Different SLAs for different customers

Sub-rate Service: Two-Level HQoS Policy
[Diagram: WAN/DCI edge toward the SP, with DC core and DC aggregation below; the HQoS policy with shaper is applied on the physical port: parent shaper (aggregate shaped rate = x), child queues with priority, min-bw and police actions]
• Traffic is shaped to meet the contracted rate with the SP
• The egress interface on the DCI edge needs a hierarchical policy
• The hierarchical policy is configured on the port, with the shaper in the parent policy

Sample QoS Configuration (HQoS for multiple VCs)
  PE1#show class-map inp-vlan701
   Class Map match-all inp-vlan701 (id 901)
     Match input vlan 701
  !
  PE1#show class-map inp-vlan710
   Class Map match-all inp-vlan710 (id 902)
     Match input vlan 710
  !
  PE1#show policy-map es_inp-vlan_shape
    Policy Map es_inp-vlan_shape
      Class class-default
        Average Rate Traffic Shaping
        cir 5000000000 (bps)
        service-policy es_inp-vlan_shape-c
  !
  PE1#show policy-map es_inp-vlan_shape-c
    Policy Map es_inp-vlan_shape-c
      Class inp-vlan700
        bandwidth 10 (%)
      Class inp-vlan701
        bandwidth 10 (%)
      Class inp-vlan702
        bandwidth 10 (%)
      Class inp-vlan703
        bandwidth 10 (%)
      Class inp-vlan704
        bandwidth 10 (%)
      Class inp-vlan705
        bandwidth 10 (%)
      Class inp-vlan706
        bandwidth 10 (%)
      Class class-default
        bandwidth 5 (%)
  !
Need for Encryption
• Protect the data transiting between DCs
• Key requirement for Federal and Government customers
• In the EU, inter-country traffic needs to be encrypted
• Regulations are key drivers:
  – PCI: credit card transactions
  – HIPAA: personal health records
  – GLBA: personal financial information
• Segments: Financial Services, Health Care, Retail, Government

L2 Encryption Scenarios: L3 Single-Box Solution
1. EoMPLS over GRE over IPsec (P2P only) – SIP-400/ES+
2. A-VPLSoGRE + IPsec
[Diagram: (1) EoMPLSoGREoIPsec point-to-point between two DCs over the IP DCI; (2) VPLSoGRE* encrypted with IPsec between three DCs]

Advanced VPLS over GRE over IPsec in One Box with a Physical Loopback Cable for Catalyst 6500
[Diagram: Catalyst 6500 chassis; the SIP-400/ES+ carrying the VPLS PW sits in VRF edge and is looped back by a physical cable into a LAN card in VRF core; the VPN-SPA (crypto) encrypts the GRE traffic; the outgoing WAN port can be any Ethernet port, and the incoming VLAN can be on the same physical LAN card]
• Ingress is SIP-400/ES40
• Egress is any port
To integrate both functions in one box:
1. Use VRFs to isolate routing: one VRF for the edge link, one VRF for the core links
2. Wrap a cable to connect the SIP-400/ES+ toward the VRF
3. Change the MAC address on the interface

VPN SPA in VSS Mode
• WS-IPSEC-3 and WS-SSC600 are supported in VSS mode from the 12.2(33)SXJ1 release
• Redundancy is in hybrid mode (not NSF/SSO-aware; instead of resetting the entire SSC module, only the sessions are cleared during a failover)

Sample Key IPsec Loopback Configuration
Loopback cable configuration:
  !
  interface TenGigabitEthernet8/5
   mac-address 0050.0509.0509
   ip vrf forwarding ipsec_loop
   ip address 13.0.0.2 255.255.255.240
   logging event link-status
  !
  interface TenGigabitEthernet9/1
   ip address 13.0.0.1 255.255.255.240
  !
  interface Tunnel1
   ip address 101.0.1.2 255.255.255.0
   keepalive 10 3
   mpls ip
   tunnel source Loopback101
   tunnel destination 3.0.0.1
  !
IPsec tunnel configuration:
  !
  interface Tunnel11
   ip vrf forwarding ipsec_loop
   ip address 1.0.1.2 255.255.255.0
   tunnel source Loopback1
   tunnel destination 10.10.10.1
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile p-vpn
   crypto engine slot 7/0 inside
  !

L2 Encryption Scenarios: L3 Multi-Box Solution
1. Encrypt 802.1AE over EoMPLS (for long P2P distances)
2. L2VPN (A-VPLSoGRE) + GETVPN
[Diagram: (1) 802.1AE-encrypted Ethernet carried in EoMPLS / EoMPLSoGRE between two DCs over the IP/MPLS DCI; (2) A-VPLSoGRE between three DCs with GETVPN encryption applied at the L3 edge]

Reference Links
DCI CCO main webpage: http://www.cisco.com/en/US/netsol/ns975/index.html
DCI white paper: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_493718.html
Advanced VPLS (A-VPLS) white paper: https://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns224/ns949/ns304/ns975/product_bulletin_c25-602184.html
TechWiseTV and YouTube videos: http://www.cisco.com/en/US/solutions/ns340/ns339/ns638/ns914/html_TWTV/twtv_episode_69.html and http://www.youtube.com/watch?v=H5f5Q6UgvnQ&feature=related
Configuration guide: http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_l2vpn_advvanced.html
Summary
• Cisco supports multiple solution options for Layer 2 extensions
• Advanced VPLS, supported on the 6500, allows ease of deployment with simplified configuration and VSS-based PE redundancy
• Advanced VPLS provides true flow-based load balancing
• Advanced VPLS can be deployed in any place in the network
• Advanced VPLS enables VLAN translation, encryption and H-QoS services
• Advanced VPLS supported on the 6500 provides one of the fastest converging and scaling solution options

Complete Your Online Session Evaluation
Receive 25 Cisco Preferred Access points for each session evaluation you complete. Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be notified by email after July 22nd. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center. Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any Internet station or visit www.ciscolivevirtual.com.

Visit the Cisco Store for Related Titles: http://theciscostores.com

Thank you.