E-Access

E-Access is a p2p service just like E-Line, except it spans multiple service providers. Typically Q-in-Q is used to achieve the end-to-end service.

Each service provider provisions its own EPL or xconnect, and hands off the frame at the NNI (the network-to-network interface where both providers connect) with an agreed-upon VLAN tag. The individual EPL of the service provider is called the OVC (Operator Virtual Connection). This term indicates that the xconnect is only for the single operator. (There are two separate OVCs, one operated by each service provider, which combine to make one overall E-Access EPL).

All the indvidual xconnects, or OVCs, combine to produce a single, logical xconnect. The customer sees both devices at either end of the xconnect as directly connected, just like with E-Line. In this way, a customer cannot tell whether their service is actually E-Line (single provider) or E-Access (spanning multiple providers)

Lab Design

Business Case

SP2 has fiber in the ground in Austin Texas. An existing customer wants an EPL service connecting Austin to their DC in Cleveland OH. SP2 does not have fiber in Cleveland OH but they don’t want to lose this customer by telling them they cannot fulfill their request.

SP2 contacts SP1 who has fiber in Cleveland OH. SP2 has a relationship with SP1 already, so SP2 asks if SP1 can provide service to the customer’s Cleveland location, and then transport traffic to the NNI terminated on SP2_PE1.

SP2 agrees (for a fee of course!) and tells SP2 that this will use VLAN 1234 on the NNI connecting to SP2_PE1.

SP2 provisions the xconnect from CE2 to SP2_PE1. SP1 provisions their own xconnect from CE1 to SP1_PE3.

Setup

Because the concept is fairly simple (E-Access is just xconnects, which you’ve seen in E-Line, but stitched together), I will add one more layer of complexity.

The customer will be allowed to use any VLAN they want. This means that traffic will be double-tagged (Q-in-Q) at the NNI.

In the lab, we will use VLAN 100 on the CEs to demonstrate this.

Here is the packet flow:

CE1 originates a frame with an 802.1Q tag of 100
SP1_PE3 pushes the S-tag 1234 ontop of the existing customer tag (C-tag of 100)
SP2_PE1 removes the top-most tag of 1234
CE2 will receive the original frame with only a tag of 100

Here is the beauty of Q-in-Q on NNI ports: Now SP1 and SP2 can use this existing NNI for up to 4094 customer circuits. The customer tag does not matter. Every service gets its own S-tag to differentiate it on the NNI.

Let’s configure the xconnects now. IGP, MPLS, and LDP has already been configured on both SPs. Each SP will have an xconnect with one side the UNI and one side the NNI as in this diagram:

SP1_PE1#
interface GigabitEthernet1
description UNI
 service instance 1 ethernet
  encapsulation dot1q 1-4094
  ! or encapsulation default
  xconnect 3.3.3.3 1 encapsulation mpls

SP1_PE3#
interface GigabitEthernet2
description NNI
 service instance 1234 ethernet
  encapsulation dot1q 1234
  rewrite ingress tag pop 1 symmetric
  xconnect 1.1.1.1 1 encapsulation mpls

SP2_PE1#
interface GigabitEthernet2
description NNI
 service instance 1234 ethernet
  encapsulation dot1q 1234
  rewrite ingress tag pop 1 symmetric
  xconnect 3.3.3.3 1 encapsulation mpls

SP2_PE3#
interface GigabitEthernet1
 description UNI
 service instance 1 ethernet
  encapsulation dot1q 1-4094
  ! or encapsulation default
  xconnect 1.1.1.1 1 encapsulation mpls

On the UNI ports, we match any dot1q tag and transport the frame to the egress PE.

The NNI ports are slightly more complicated. On traffic that is going egress, we need to push 1234 ontop of the existing customer VLAN. On traffic that has arrived ingress from the other SP, we need to pop the S-VLAN of 1234 off the frame, and deliver the original frame to the customer on the other end (with VLAN=100 still there).

The shorthand way to accomplish this is by doing rewrite ingress tag pop 1 symmetric. This command instructs the router to pop the outer most tag off the frame on ingress. The symmetric keyword means that the router will push the specified tag in the encapsulation dot1q command on egress (which is 1234).

Let’s configure the CEs and verify the service works

CE1#
interface GigabitEthernet0/0.100
 encapsulation dot1Q 100
 ip address 10.1.1.1 255.255.255.0

CE2#
interface GigabitEthernet0/0.100
 encapsulation dot1Q 100
 ip address 10.1.1.2 255.255.255.0

CE1#ping 10.1.1.2 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/6/7 ms

Let’s take a look at pcaps at various stages to look at the dot1q tags. As an exercise, try to write out the dot1q and MPLS labels for a frame originated from CE1 at each step 1-7 as seen below. Then check your work by continuing to read on.

Step 1. CE1 originates a frame

No MPLS label
dot1q = 100

Step 2. SP1_PE1 transports the frame to SP1_PE3, sending it to SP1_P2 which is the next-hop for 3.3.3.3 (PE3)

Top MPLS label = transport label to PE3
Bottom MPLS label=service label for the pseudowire
Customer frame still intact (one 802.1q tag)

Step 3. SP1_P2 pops the top label (PHP) and sends to SP1_PE3

MPLS label = service label for the pseudowire
Customer frame still intact (one 802.1q tag)

Step 4. SP1_PE3 pushes 1234 and sends to SP2_PE1

No MPLS label
Outer dot1q tag = 1234
Inner dot1q tag = 100
Notice that the MAC addresses are the original MACs! SP1_PE3 does not put its own MAC in the source MAC field. It simply “switches” the frame out the service instance

Step 5. SP2_PE1 pops the outer tag and transports the frame to SP2_PE3, pushing two MPLS labels

Top MPLS label = transport label to PE3
Bottom MPLS label = service label for the pseudowire
Customer frame still intact (one 802.1q tag) after popping the S-tag off. But this is not visible in the pcap.