In the previous articles on MPLS, we discussed MPLS Layer 3 VPN and the configurations involved. There is another type of MPLS VPN, called Layer 2 VPN. As the name implies, Layer 2 VPN doesn’t require any IP addresses from the service provider, and it doesn’t require any routing protocol between the customer and service provider routers. This is advantageous in that customers don’t need to worry about how many routes they advertise to the service provider. Service providers often bill the customer depending on how many routes the customer advertises to the service provider’s MPLS network. From the customer’s perspective, the MPLS Layer 2 VPN is transparent.

MPLS Layer 2 VPN is similar in function and configuration to L2TPv3 (Layer 2 Tunnel Protocol Version 3). L2TPv3 is used to tunnel Layer 2 over IP networks and is widely used on the Internet. MPLS Layer 2 VPN functions in the same way but is used in the MPLS environment. These two protocols provide a “pseudo-wire” service, which means that they can emulate a point-to-point connection over an IP network.

MPLS Layer 2 VPN has three types of connections, namely:

AToM (any transport over MPLS)—This is a point-to-point service and, as the name implies, AToM can be used in Ethernet, frame-relay, serial and PPP connections.

Interworking—This is a point-to-point service as well and considered an extension to AToM. Interworking is a feature that enables two connections of different handoffs (e.g., Ethernet-serial or POS – Ethernet) to be connected as a point-to-point link.

VPLS (virtual private LAN service)—This is a broadcast service, which means that the MPLS network emulates a Layer 2 switch. Several network devices can be connected into one broadcast domain as if they are connected in one local area network. VPLS is hardware-specific and is only supported on Cisco carrier-grade devices that run IOS-XR.

Interworking and VPLS are not supported in GNS3. We will be doing labs for different types of AToM connections. Here are the diagram and tasks:

  1. Build an MPLS network. Configure OSPF between the service provider devices. Announce their Loopback0 into OSPF. Configure LDP between the SP devices.
  2. Configure Ethernet over MPLS AToM between CUSTA-R1 and CUSTA-R2. Configure IP addresses and verify connectivity.
  3. Configure PPP over MPLS AToM between CUSTA-R1 and CUSTB-R2. Configure IP addresses and verify connectivity.
  4. Configure frame relay over MPLS AToM between CUSTB-R1 and CUSTB-R2. Verify connectivity.

Task 1: Build MPLS network. Configure OSPF between the service provider devices. Announce their Loopback0 into OSPF. Configure LDP between the SP devices.

PE-R1(config)#router ospf 1
PE-R1(config-router)#router-id 11.11.11.11
PE-R1(config-router)#network 11.11.11.11 0.0.0.0 area 0
PE-R1(config-router)#network 13.13.13.0 0.0.0.255 area 0
PE-R1(config-router)#int fa3/0
PE-R1(config-if)#mpls ip

PE-R2(config)#router ospf 1
PE-R2(config-router)#router-id 22.22.22.22
PE-R2(config-router)#network 22.22.22.22 0.0.0.0 area 0
PE-R2(config-router)#network 23.23.23.0 0.0.0.255 area 0
PE-R2(config-router)#int fa2/0
PE-R2(config-if)#mpls ip

PE-R3(config)#router ospf 1
PE-R3(config-router)#router-id 33.33.33.33
PE-R3(config-router)#network 33.33.33.33 0.0.0.0 area 0
PE-R3(config-router)#network 13.13.13.0 0.0.0.255 area 0
PE-R3(config-router)#network 23.23.23.0 0.0.0.255 area 0
PE-R3(config-router)#int fa3/0
PE-R3(config-if)#mpls ip
PE-R3(config-if)#int fa2/0
PE-R3(config-if)#mpls ip

Let’s verify the LDP neighbor relationships and check that PE1 and PE2 have LDP bindings for their Loopback0 IP addresses. It is important to have LDP bindings for the loopback IP addresses of PE1 and PE2; otherwise, Layer 2 VPN will not work.

PE-R3#show mpls ldp neigh | inc Peer LDP Ident:
    Peer LDP Ident: 22.22.22.22:0; Local LDP Ident 23.23.23.3:0
    Peer LDP Ident: 11.11.11.11:0; Local LDP Ident 23.23.23.3:0

PE-R1#sh mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     23.23.23.0/24     0          Fa3/0      13.13.13.3
17     17          22.22.22.22/32    0          Fa3/0      13.13.13.3

PE-R2#sh mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     13.13.13.0/24     0          Fa2/0      23.23.23.3
17     16          11.11.11.11/32    0          Fa2/0      23.23.23.3

PE-R1#traceroute 22.22.22.22

Type escape sequence to abort.
Tracing the route to 22.22.22.22

  1 13.13.13.3 [MPLS: Label 17 Exp 0] 28 msec 40 msec 40 msec
  2 23.23.23.2 60 msec 40 msec 40 msec
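
The check described above can be scripted. The following is an added example, not part of the original lab: it parses "show mpls forwarding-table" output and reports whether the remote PE's Loopback0 /32 has a usable outgoing label. The function names are hypothetical, and the sample table is constructed from the PE-R1 output above with one broken entry added.

```python
import re

# Constructed sample: the PE-R1 table from this lab plus one deliberately broken row.
SAMPLE = """\
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     23.23.23.0/24     0          Fa3/0      13.13.13.3
17     17          22.22.22.22/32    0          Fa3/0      13.13.13.3
18     Untagged    33.33.33.33/32    0          Fa3/0      13.13.13.3
"""

# local label, outgoing label (old "tag" and new "Label" wording), prefix, bytes, intf, next hop
ROW = re.compile(
    r"^(\d+)\s+(Pop (?:tag|Label)|Untagged|No Label|\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)$"
)

def parse_forwarding_table(text):
    """Return {prefix: row fields}; header lines and wrapped rows are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            local, outgoing, prefix, _bytes, intf, next_hop = m.groups()
            entries[prefix] = {"local": int(local), "outgoing": outgoing,
                               "interface": intf, "next_hop": next_hop}
    return entries

def check_peer_lsp(text, peer_loopback):
    """'ok' if the peer /32 is label-switched, else 'missing' or 'unlabeled'."""
    entry = parse_forwarding_table(text).get(f"{peer_loopback}/32")
    if entry is None:
        return "missing"        # no route or no LDP binding for the peer loopback
    if entry["outgoing"] in ("Untagged", "No Label"):
        return "unlabeled"      # the LSP breaks at the next hop; the pseudowire will not pass traffic
    return "ok"                 # a numeric label or a penultimate-hop pop

if __name__ == "__main__":
    for peer in ("22.22.22.22", "33.33.33.33", "11.11.11.11"):
        print(peer, check_peer_lsp(SAMPLE, peer))
```
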

We have confirmed that there are label-switched paths to reach 11.11.11.11/32 and 22.22.22.22/32. Let’s proceed to Task 2.

Task 2: Configure Ethernet over MPLS AToM between CUSTA-R1 and CUSTA-R2. Configure IP addresses and verify connectivity.

PE-R1(config)#pseudowire-class ETHERNET
PE-R1(config-pw-class)#encapsulation mpls
PE-R1(config-pw-class)#int fa0/0
PE-R1(config-if)#no ip address
PE-R1(config-if)#duplex full
PE-R1(config-if)#xconnect 22.22.22.22 102 pw-class ETHERNET
PE-R1(config-if)#no shut

PE-R2(config)#pseudowire-class ETHERNET
PE-R2(config-pw-class)#encapsulation mpls
PE-R2(config-pw-class)#int fa0/0
PE-R2(config-if)#no ip address
PE-R2(config-if)#duplex full
PE-R2(config-if)#xconnect 11.11.11.11 102 pw-class ETHERNET
PE-R2(config-if)#no shut

CUSTA-R1(config)#int fa1/0
CUSTA-R1(config-if)#duplex full
CUSTA-R1(config-if)#ip address 10.1.12.1 255.255.255.0
CUSTA-R1(config-if)#no shut

CUSTA-R2(config)#int fa1/0
CUSTA-R2(config-if)#duplex full
CUSTA-R2(config-if)#ip address 10.1.12.2 255.255.255.0
CUSTA-R2(config-if)#no shut

Now let’s verify what happens to the MPLS forwarding table and then we’ll issue some commands.

PE-R1#sh mpls forwarding-table
Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC   or Tunnel Id      Switched      interface
16     Pop Label     33.33.33.33/32    0             Fa3/0      13.13.13.3
17     17            22.22.22.22/32    0             Fa3/0      13.13.13.3
18     Pop Label     23.23.23.0/24     0             Fa3/0      13.13.13.3
19     No Label      l2ckt(102)        4923          Fa0/0      point2point

PE-R2#sh mpls forwarding-table
Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC   or Tunnel Id      Switched      interface
16     Pop Label     33.33.33.33/32    0             Fa2/0      23.23.23.3
17     16            11.11.11.11/32    0             Fa2/0      23.23.23.3
18     Pop Label     13.13.13.0/24     0             Fa2/0      23.23.23.3
19     No Label      l2ckt(102)        4426          Fa0/0      point2point

PE-R1#sh mpls l2transport vc 102

Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
Fa0/0          Ethernet                   22.22.22.22     102        UP

When we issue the “show mpls forwarding-table” command, we see that there is a new entry “l2ckt(102).” This is the pseudowire label. Similar to Layer 3 VPN, this pseudowire label makes the connection unique. The “show mpls l2transport vc 102” command indicates that, for VC 102, the traffic needs to go to 22.22.22.22.

Let’s break down the commands we entered above.

pseudowire-class ETHERNET specifies that the pseudo wire class name is ETHERNET.

encapsulation mpls indicates MPLS is the encapsulation. L2TPv3 is another option here.

xconnect 22.22.22.22 102 pw-class ETHERNET is the command that enables Layer 2 VPN on the interface. This basically indicates that all traffic from this interface should be forwarded to PE-R2 22.22.22.22. The configuration on PE-R2 should indicate 11.11.11.11 in the xconnect configuration to establish the Layer 2 VPN connection. 102 is the VC identifier and should be identical on both routers and should be unique on the two PE routers. The pw-class command just calls the pseudowire class ETHERNET. The pseudowire name doesn’t need to match on both routers, as this is locally significant.

Let’s test connectivity between CUSTA-R1 and CUSTA-R2.

CUSTA-R1#ping 10.1.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/64/76 ms
CUSTA-R1#sh cdp neigh
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
CUSTA-R2         Fas 1/0            136        R S I      3640      Fas 1/0
PE-R1            Fas 1/0            146          R        7206VXR   Fas 0/0

Even CDP is showing that CUSTA-R2 is directly connected to CUSTA-R1.

Task 3: Configure PPP over MPLS AToM between CUSTA-R1 and CUSTB-R2. Configure IP addresses and verify connectivity.

PE-R1(config)#pseudowire-class PPP
PE-R1(config-pw-class)#encapsulation mpls
PE-R1(config-pw-class)#int se1/0
PE-R1(config-if)#xconnect 22.22.22.22 201 pw-class PPP
PE-R1(config-if)#encapsulation ppp
PE-R1(config-if)#no shut

PE-R2(config)#pseudowire-class PPP
PE-R2(config-pw-class)#encapsulation mpls
PE-R2(config-pw-class)#int se1/0
PE-R2(config-if)#xconnect 11.11.11.11 201 pw-class PPP
PE-R2(config-if)#encapsulation ppp
PE-R2(config-if)#no shut

CUSTA-R1(config)#int se0/0
CUSTA-R1(config-if)#no shut
CUSTA-R1(config-if)#encapsulation ppp
CUSTA-R1(config-if)#ip address 192.168.12.1 255.255.255.0

CUSTA-R2(config)#int se0/0
CUSTA-R2(config-if)#no shut
CUSTA-R2(config-if)#encapsulation ppp
CUSTA-R2(config-if)#ip address 192.168.12.2 255.255.255.0

Configuration is similar to the Ethernet AToM configuration. The only difference here is the encapsulation command. PPP authentication can be added to the customer routers if desired. Verify connectivity.

CUSTA-R1#ping 192.168.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/47/72 ms

Task 4: Configure frame relay over MPLS AToM between CUSTB-R1 and CUSTB-R2. Verify connectivity.

The frame-relay Layer 2 VPN configuration will be slightly different from the rest. Instead of declaring a pseudo-wire class, the “connect” command is used. The PE routers will be configured as a frame-relay switch.

PE-R2(config)#frame-relay switching
PE-R2(config)#int se1/1
PE-R2(config-if)#no ip address
PE-R2(config-if)#no shut
PE-R2(config-if)#encap frame-relay IETF
PE-R2(config-if)#frame-relay intf-type dce
PE-R2(config-if)#exit
PE-R2(config)#connect R2-R3 Serial1/1 203 l2transport
PE-R2(config-fr-pw-switching)#xconnect 33.33.33.33 10 encapsulation mpls

PE-R3(config)#frame-relay switching
PE-R3(config)#int se4/0
PE-R3(config-if)#no ip address
PE-R3(config-if)#no shut
PE-R3(config-if)#encapsulation frame-relay ietf
PE-R3(config-if)#frame-relay intf-type dce
PE-R3(config-if)#connect R3-R2 Serial4/0 302 l2transport
PE-R3(config-fr-pw-switching)#xconnect 22.22.22.22 10 encapsulation mpls

CUSTB-R1(config)#int se0/0
CUSTB-R1(config-if)#encapsulation frame-relay ietf
CUSTB-R1(config-if)#no shut
CUSTB-R1(config-if)#int se0/0.1 point-to-point
CUSTB-R1(config-subif)#ip address 172.16.12.1 255.255.255.0
CUSTB-R1(config-subif)#frame-relay interface-dlci 302

CUSTB-R2(config)#int se0/0
CUSTB-R2(config-if)#encapsulation frame-relay ietf
CUSTB-R2(config-if)#no shut
CUSTB-R2(config-if)#int se0/0.1 point-to-point
CUSTB-R2(config-subif)#ip address 172.16.12.2 255.255.255.0
CUSTB-R2(config-subif)#frame-relay interface-dlci 203

Let’s break down these two commands and understand what they are for.

connect R2-R3 Serial1/1 203 l2transport is basically the equivalent of the pseudowire class. Se1/1 is the interface to which the succeeding xconnect command will be applied. 203 in this case is the DLCI number. The same value should be configured on the corresponding CE router.

xconnect 22.22.22.22 10 encapsulation mpls is basically the same command as with the Ethernet and PPP examples. The number 10 here should match on both PEs.
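
The matching rules stated for the Ethernet xconnect in Task 2 and for the frame-relay xconnect here (each PE points at the other PE's loopback, with the same VC ID on both sides) can be checked before the VC is brought up. The following is an added example, not part of the original lab; the function names are hypothetical, and the sample uses this lab's xconnect lines with one VC ID deliberately mistyped.

```python
import re

XCONNECT = re.compile(r"xconnect\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)")
ATTACH = re.compile(r"(?:int(?:erface)?\s+(\S+)|connect\s+\S+\s+(\S+)\s+(\d+)\s+l2transport)", re.I)

def parse_xconnects(config):
    """Map (peer loopback, VC ID) -> attachment circuit for one PE's config lines."""
    found, circuit = {}, None
    for raw in config.splitlines():
        line = raw.split("#", 1)[-1].strip()  # drop an IOS prompt if one was pasted
        m = ATTACH.match(line)
        if m:
            circuit = m.group(1) or f"{m.group(2)} DLCI {m.group(3)}"
        elif (m := XCONNECT.match(line)):
            key = (m.group(1), int(m.group(2)))
            if key in found:
                raise ValueError(f"VC ID {key[1]} to {key[0]} is configured twice")
            found[key] = circuit
    return found

def audit(pes):
    """pes: {name: (loopback, config)}. Return one message per unmatched xconnect."""
    by_lo = {lo: (name, parse_xconnects(cfg)) for name, (lo, cfg) in pes.items()}
    problems = []
    for lo, (name, vcs) in by_lo.items():
        for (peer, vc_id), circuit in vcs.items():
            if peer not in by_lo:
                problems.append(f"{name} {circuit}: peer {peer} is not a known PE")
            elif (lo, vc_id) not in by_lo[peer][1]:
                problems.append(f"{name} {circuit}: VC {vc_id} has no mirror on {by_lo[peer][0]}")
    return problems

# Constructed sample: this lab's xconnects, with PE-R2's PPP VC ID mistyped as 210.
LAB = {
    "PE-R1": ("11.11.11.11", "int fa0/0\n xconnect 22.22.22.22 102 pw-class ETHERNET\n"
                             "int se1/0\n xconnect 22.22.22.22 201 pw-class PPP\n"),
    "PE-R2": ("22.22.22.22", "int fa0/0\n xconnect 11.11.11.11 102 pw-class ETHERNET\n"
                             "int se1/0\n xconnect 11.11.11.11 210 pw-class PPP\n"
                             "connect R2-R3 Serial1/1 203 l2transport\n"
                             " xconnect 33.33.33.33 10 encapsulation mpls\n"),
    "PE-R3": ("33.33.33.33", "connect R3-R2 Serial4/0 302 l2transport\n"
                             " xconnect 22.22.22.22 10 encapsulation mpls\n"),
}

if __name__ == "__main__":
    for problem in audit(LAB):
        print(problem)
```

A mismatched VC ID is reported from both ends, since neither PE has a mirror for the other's xconnect.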

Let’s now try and check if frame-relay PVCs are active and whether there is IP reachability between the two customer routers.

CUSTB-R1#sh frame-relay pvc

PVC Statistics for interface Serial0/0 (Frame Relay DTE)

              Active     Inactive      Deleted       Static
  Local          1            0            0            0
  Switched       0            0            0            0
  Unused         0            0            0            0

DLCI = 302, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0.1

  input pkts 0             output pkts 8            in bytes 0
  out bytes 2584           dropped pkts 0           in pkts dropped 0
  out pkts dropped 0                out bytes dropped 0
  in FECN pkts 0           in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0          in DE pkts 0             out DE pkts 0
  out bcast pkts 8         out bcast bytes 2584
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  pvc create time 00:06:52, last time pvc status changed 00:00:39

CUSTB-R2#sh frame-relay pvc

PVC Statistics for interface Serial0/0 (Frame Relay DTE)

              Active     Inactive      Deleted       Static
  Local          1            0            0            0
  Switched       0            0            0            0
  Unused         0            0            0            0

DLCI = 203, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0.1

  input pkts 6             output pkts 1            in bytes 1938
  out bytes 323            dropped pkts 0           in pkts dropped 0
  out pkts dropped 0                out bytes dropped 0
  in FECN pkts 0           in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0          in DE pkts 0             out DE pkts 0
  out bcast pkts 1         out bcast bytes 323
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  pvc create time 00:04:37, last time pvc status changed 00:01:09

CUSTB-R1#ping 172.16.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/46/56 ms

Let’s check the MPLS forwarding tables and the VC status.

PE-R2#show mpls l2transport vc

Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
Fa0/0          Ethernet                   11.11.11.11     102        UP
Se1/0          PPP                        11.11.11.11     201        UP
Se1/1          FR DLCI 203                33.33.33.33     10         UP

The configured VCs are up and working. That’s it for MPLS Layer 2 VPN. I hope this has been a good read!