Service Instances
When configuring L2 services on an IOS-XE router, you use a service instance instead of a subinterface.
A subinterface is a routed port. For example:
A service instance allows you to create L2 services such as cross-connects, bridge domains, VPLS, and allows you do to rewrite operations (pop, translate, push)
A BDI is similar to an SVI on a switch. It is a routed virtual interface that belongs to a bridge domain.
The equivalent of the above configuration with a service instance would look like this:
If you did not pop the tag, you would need the BDI interface to have encapsulation dot1q 100. This means that all ports in the bridge domain would have to be tagged with 100 though. So it is a little easier to pop each tag on the UNI port, and have the BDI untagged.
When you have an existing service instance on a physical interface, you can no longer create a subinterface with dot1q encapsulation. Instead you would need to do the service instance with a BDI.
This is the message you see if you try to create a dot1q subinterface on a physical port that has an existing service instance:
EFP
This is a good time to mention that EFP (which you saw in the error message above) means Ethernet Flow Point. This name represents the idea that the service instance is not a strict encapsulation of frames, or in other words, an instruction to push a dot1q header on frames, but rather it matches frames with a certain attributes (tags or CoS values) in the L2 header.
For example, encapsulation dot1q 3 will match traffic that is single-tagged with vlan 3, or double-tagged with the first tag as vlan 3. This command is a match statement, instead of an encapsulation instruction. On a dot1q subinterface, the router tags traffic that is originated from itself with the specified tag. But on a service instance it acts like IOS-XR l2transport where it is a match statement.
You can also use ranges to match multiple vlans, such as this:
The default keyword is used to match any frames that don’t match a more specific service instance.
The untagged keyword matches only untagged traffic
You can use cos to match on cos-values
You can use etype to match the ethertype (ipv4, ipv6, or pppoe)
Frame manipulation
Remove the outermost tag
Remove two tags
The symmetric keyword means that the tag(s) are removed on ingress, but then pushed on egress. You can only configure this if you do not have a range in your encapsulation matching statement. (This is because the router knows which tag to push upon egress based on the match statement. If you match on a range of tag values, the router doesn't know which one to use when pushing on egress).
Push a vlan tag
Push two vlan tags
The symmetric keyword here means that the tag is pushed on ingress, and then removed on egress
Translate 1-to-1, 1-to-2, 2-to-1, 2-to-2
The encapsulation must be a specific VLAN. So if encap dot1q 100 is configured, then frames with 100 are translated to 200 ingress. Because the symmetric keyword is specified, frames with vlan 200 are translated to 100 upon egress.
Bridge Domains
A bridge domain is VLAN-agnositc, meaning that multiple service instances can be in the same bridge domain, and each can have different encapsulation matches and rewrite operations
Multiple service instances on the same interface can belong to the same bridge domain
While INE mentions that the bridge domain must exist, like this:
I have found this not to be the case. On both CSR1000v and production ASR920, interface service instances can belong to the bridge, and the bridge number does not need to be explicitly defined.
Last updated