The (Unofficial) CCNP-SP Study Guide

Service Instances

When configuring L2 services on an IOS-XE router, you use a service instance instead of a subinterface.

A subinterface is a routed port. For example:

int Gi1.100
 encapsulation dot1q 100
 ip add 10.100.100.1 255.255.255.0

A service instance allows you to create L2 services such as cross-connects, bridge domains, and VPLS, and allows you to do rewrite operations (pop, translate, push).

A BDI is similar to an SVI on a switch. It is a routed virtual interface that belongs to a bridge domain.

The equivalent of the above configuration with a service instance would look like this:

int Gi1
 service instance 100 ethernet
  encapsulation dot1q 100
  bridge-domain 100
  rewrite ingress tag pop 1 symmetric
int BDI100
 ip address 10.100.100.1 255.255.255.0

If you did not pop the tag, the BDI interface would need encapsulation dot1q 100. All ports in the bridge domain would then have to be tagged with 100, so it is a little easier to pop the tag on each UNI port and leave the BDI untagged.

When you have an existing service instance on a physical interface, you can no longer create a subinterface with dot1q encapsulation. Instead, you would need to use a service instance with a BDI.

This is the message you see if you try to create a dot1q subinterface on a physical port that has an existing service instance:

Router(config)#int gi2.3
Router(config-subif)#encapsulation dot1q 3
%Cannot configure vlan 3 on this interface since VLAN 1 is configured on the EFP service instance.

EFP

This is a good time to mention that EFP (which you saw in the error message above) means Ethernet Flow Point. The name reflects the idea that a service instance is not a strict encapsulation of frames (in other words, an instruction to push a dot1q header onto frames). Instead, it matches frames with certain attributes (tags or CoS values) in the L2 header.

For example, encapsulation dot1q 3 will match traffic that is single-tagged with vlan 3, or double-tagged with the first tag as vlan 3. This command is a match statement, not an encapsulation instruction. On a dot1q subinterface, the router tags traffic that it originates with the specified tag. On a service instance, the command acts like IOS-XR l2transport, where it is a match statement.

You can also use ranges to match multiple vlans, such as this:

encapsulation dot1q 1-10,20-22

The default keyword is used to match any frames that don’t match a more specific service instance.

The untagged keyword matches only untagged traffic.

You can use cos to match on CoS values.

You can use etype to match the ethertype (ipv4, ipv6, or pppoe).

Frame manipulation

Remove the outermost tag

rewrite ingress tag pop 1 symmetric

Remove two tags

rewrite ingress tag pop 2 symmetric

The symmetric keyword means that the tag(s) are removed on ingress, but then pushed on egress. You can only configure this if you do not have a range in your encapsulation matching statement. (This is because the router knows which tag to push upon egress based on the match statement. If you match on a range of tag values, the router doesn't know which one to use when pushing on egress).

Push a vlan tag

rewrite ingress tag push dot1q 2 symmetric

Push two vlan tags

rewrite ingress tag push dot1q 2 second-dot1q 100 symmetric

The symmetric keyword here means that the tag is pushed on ingress, and then removed on egress.

Translate 1-to-1, 1-to-2, 2-to-1, 2-to-2

rewrite ingress tag translate 1-to-1 dot1q 200 symmetric

The encapsulation must be a specific VLAN. So if encap dot1q 100 is configured, then frames with vlan 100 are translated to 200 on ingress. Because the symmetric keyword is specified, frames with vlan 200 are translated to 100 upon egress.
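
The Python sketch below is an added example, not part of the original guide and not IOS-XE code. It models the EFP match rules and the symmetric rewrite operations described above on a frame's tag stack. The names ServiceInstance, parse_vlans and classify are hypothetical, and the model covers only pop 1, push, and 1-to-1 translate.

```python
# Simplified model: a tag stack is a list of VLAN IDs, outermost tag first.
def parse_vlans(spec):
    """Expand a dot1q VLAN list such as '1-10,20-22' into a set of IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

class ServiceInstance:
    def __init__(self, name, encap, rewrite=None):
        # encap: 'untagged', 'default', or a dot1q VLAN list.
        # rewrite (symmetric): ('pop', 1), ('push', [2, 100]) or ('translate', 200).
        self.name, self.encap, self.rewrite = name, encap, rewrite
        self.vlans = set() if encap in ("untagged", "default") else parse_vlans(encap)
        if rewrite and rewrite[0] in ("pop", "translate") and len(self.vlans) != 1:
            # With a range there is no single tag to restore on egress.
            raise ValueError("symmetric pop/translate needs one specific VLAN")

    def matches(self, tags):
        if self.encap == "untagged":
            return not tags
        # Only the outermost tag is compared: [3] and [3, 50] both match 'dot1q 3'.
        return bool(tags) and tags[0] in self.vlans

    def ingress(self, tags):
        op, arg = self.rewrite or (None, None)
        if op == "pop":
            return tags[1:]
        if op == "push":
            return list(arg) + tags
        return [arg] + tags[1:] if op == "translate" else list(tags)

    def egress(self, tags):
        # 'symmetric' applies the inverse operation in the egress direction.
        op, arg = self.rewrite or (None, None)
        only = next(iter(self.vlans), None)  # the single matched VLAN, if any
        if op == "pop":
            return [only] + tags
        if op == "push":
            return tags[len(arg):]
        return [only] + tags[1:] if op == "translate" else list(tags)

def classify(instances, tags):
    """Return the matching instance name; 'default' catches the leftovers."""
    for si in instances:
        if si.encap != "default" and si.matches(tags):
            return si.name
    return next((si.name for si in instances if si.encap == "default"), None)
```
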

Bridge Domains

A bridge domain is VLAN-agnostic, meaning that multiple service instances can be in the same bridge domain, and each can have different encapsulation matches and rewrite operations.

Multiple service instances on the same interface can belong to the same bridge domain.

While INE mentions that the bridge domain must exist, like this:

bridge-domain 10
 exit

I have found this not to be the case. On both CSR1000v and production ASR920, interface service instances can belong to the bridge, and the bridge number does not need to be explicitly defined.


Last updated 1 year ago