Vll and l2vpn

hi,
can anyone explain the difference between, l2vpn and VLL.
regards,
jack

Broadly MPLS L2VPN are categorized in to two different model Virtual Pseudo Wire Service (VPWS) & Virtual Private LAN service (VPLS). VPLS has last mile Ethernet drop at the customer premises. VPLS helps to extend your LAN domain to remote end via service provides WAN.
Please refer below as capsule for L2VPN:
www.sanog.org/resources/sanog7/waris-l2vpn-tutorial.pdf
Regards
Pradip

Similar Messages

Ask the Expert: Packet Capture Capabilities of Cisco Routers and Switches

With Rahul Rammanohar
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about packet capture capabilities of Cisco routers and switches.
In May 2013, we created a video that included packet capture capabilities across multiple Cisco routers and switches. For each product, we began with a discussion about the theory of the capabilities, followed by an explanation of the commands, and we concluded with a demo on real devices. In this Ask the Expert event, you’re encouraged to ask questions about the packet capture capabilities of these Cisco devices:
•       7600/6500: mini protocol analyzer (MPA), ELAM, and Netdr
•       ASR9k: network processor capture
•       7200/ISRs: embedded packet capture
•       Cisco Nexus 7K, 5K, and 3K: Ethanalyzer
•       Cisco Nexus 7K: ELAM
•       CRS: show captured packets
•       ASR1K: embedded packet capture
More Information
Blog URL: Packet Capture Capabilities of Cisco Routers and Switches
Watch the Video: https://supportforums.cisco.com/videos/6226
Hitesh Kumar is a customer support engineer in the High-Touch Technical Services team at Cisco specializing in routing protocols. He has been supporting major service providers and enterprise customers in routing, Multiprotocol Label Switching (MPLS), multicast, and Layer 2 VPN (L2VPN) issues on routing platforms for more than three years. He has more than six years of experience in the IT industry and holds a CCIE certification (number 38757) in service.
Rahul Rammanohar is a technical leader with the High-Touch Technical Support Team in India. He handles escalations in the area of routing protocols and large-scale architectures for devices running Cisco IOS, IOS-XR, and IOS-XE Software. He has been supporting major service providers and large enterprise customers for routing, MPLS, multicast, and L2VPN issues on all routing platforms. He has more than 13 years of experience and holds a CCIE certification (number 13015) in routing/switching and service provider.
Remember to use the rating system to let Hitesh and Rahul know if you have received an adequate response.
Because of the volume expected during this event, Hitesh and Rahul might not be able to answer each question. Remember that you can continue the conversation in the Service Provider, sub-community forum shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

Hello Erick
    Thanks for the topology. The trigger will be different for labelled packet as you would need to mention the values of labels too in the trigger.
     Below are two examples of one or two labels being used, it depends on where you are capturing the packet in mplsvpn scenario which will decide teh number of labels being imposed on the packet.
Trigger for one label. (if the router on which you are capturing the packet PHP is being performed)
VPN label - 5678
Source Address - 111.111.111.111
Destination Address - 123.123.123.123
show platform capture elam trigger dbus others if data = 0 0 0 0x88470162 0xE0000000 0 0 0x00006F6F 0x6F6F 7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
Trigger for two labels. (for other core routers)
IGP label - 1234
VPN label - 5678
Source Address - 111.111.111.111
Destination Address - 123.123.123.123
show platform capture elam trigger dbus others if data = 0 0 0 0x8847004D 0x20000162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf000ffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
    You can check the labels being used (by using show ip cef <> details) and covert their values to hex and change the trigger accordingly.
     I have changed the colors for better understanding. If you notice carefully in the trigger the values for ip address, labels have just been converted to their respective hex values which could be replaced.
     Please let me know if this helps.
Thanks & Regards
Hitesh & Rahul

MPLS L2VPN packet capture

Hi,
I want to capture packet on gi0/0 of PE1 in order to show customer that all his traffic is encapsulated and transmitted by L2VPN (ldp signaling) in his lab.
CE1-----------(g0/1)PE1(g0/0)------------PE2-----------CE2
PE1 and PE2 are Cisco3945 and L2VPN is working well. I tried cisco RITE(Router IP Traffic Export Packet Capture) feature, but the output was not what I expected. I tried both export mode and capture mode. Only LDP hello message I got, looks like RITE is only interested in IP packet. Monitor session wasn't effective as well because it is not a switch.
Is there any other way/workaround to capture customer's traffic encapsulated in L2VPN?
What I did on PE1 when I was trying RITE export mode:
ip traffic-export profile test
bidirectional
interface GigabitEthernet0/2
mac-address e411.5b44.3a6d
interface GigabitEthernet0/2
ip address 10.1.2.1 255.255.255.0
interface GigabitEthernet0/0
ip traffic-export apply test
Gi0/2 connected my PC(10.1.2.2) with wireshark installed.
Many thanks.
Regards,
Jerry Fan

Thanks Shivlu. I tried, but failed. 'monitor capture' is only interested in ipv4 and ipv6. Maybe the IOS in Cisco3945 isn't same as the IOS in Cat6500 or Cisco7600 or GSR/CSR.
See following:
===================================================================
Router_MPS_TEST_A#monitor capture ?
buffer Control Capture Buffers
point   Control Capture Points
Router_MPS_TEST_A#monitor capture po
Router_MPS_TEST_A#monitor capture point ?
associate     Associate capture point with capture buffer
disassociate Dis-associate capture point from capture buffer
ip            IPv4
ipv6          IPv6
start         Enable Capture Point
stop          Disable Capture Point
Router_MPS_TEST_A#monitor capture point ip ?
cef               IPv4 CEF
process-switched Process switched packets
Router_MPS_TEST_A#monitor capture point ip p
Router_MPS_TEST_A#monitor capture point ip process-switched ?
WORD Name of the Capture Point
Router_MPS_TEST_A#monitor capture point ip process-switched test-point ?
both     Inbound and outbound and packets
from-us Packets originating locally
in       Inbound packets
out      Outbound packets
Router_MPS_TEST_A#monitor capture point ip process-switched test-point b
Router_MPS_TEST_A#monitor capture point ip process-switched test-point both ?
Router_MPS_TEST_A#monitor capture point ip process-switched test-point both
===================================================================
At last, I have to insert a switch in the middle of two cisco3945 and configured port span. That worked very well. Anyway, many thanks for your advice.
Jerry Fan

URGENT: MPLS P/ PE support on 7600/Sup720-BXL and 3750 Metro switch

I'm need to design a MPLS network for a Cable Operator.
They will start small with some Cisco CMTS doing MPLS-PE and needing only two devices to aggregate these PE and delivering Services (Internet connection, VoD, ...) , so they will need to work has P/PE.
For that I want to know if it's possible to:
1 - Use 3750 Metro and 7600/Sup720-BXL as P and PE
2 - Who many customers (L2VPN/VLANs and/or L3VPN/VRF) can they support?
Searching in CCO I found these values/features but, need URGENT to check:
1 - sup720-bxl supports P and PE but 3750 only PE?
2 - 3750 supports 1024 VLANs and 8,192 MPLS labels but no values on L3VPN/VRF?
SUP720 supports more than 1000 VRF?
Really need urgent HELP on this design/capabilities for these two devices.
Thanks in advance,
MP
Network Consultant - CCIE

before you even get anywhere close to the numbers of L2/L3 on a 7200 I would seriously consider asking what throughput you can get through a 7200 with MPLS, QOS, L3vpns and L2vpns configured. I have done this testing already but dont think it is appropriate to quote the figures publically.

MPLS L2VPN ASR9K and 7600

Am having problem bringing up mpls l2vpn between asr9k and 7609 router . Below is my config. The interfaces are up, the vc working, but can't ping across.
AS9K
interface GigabitEthernet0/2/0/6.609 l2transport
encapsulation dot1q 609
rewrite ingress tag pop 1 symmetric
mtu 1526
pw-class TST
encapsulation mpls
   transport-mode vlan
xconnect group TST
p2p TST
   interface GigabitEthernet0/6.609
   neighbor 2.2.2.2 pw-id 609
    pw-class TST
7609
interface gig 3/4.609
encapsulation dot1q 609
xconnect 1.1.1.1 609 encapsulation mpls
***OUTPUT FROM ASR9K********
RP/0/RSP0/CPU0#sh l2vpn xconnect pw-class TST detail
Group X,X, state is up; Interworking none
AC: GigabitEthernet0/6.609, state is up
    Type VLAN; Num Ranges: 1
    VLAN ranges: [905, 905]
    MTU 1512; XC ID 0x1040003; interworking none
    Statistics:
      packets: received 735789487, sent 725878036
      bytes: received 405747931393, sent 184926449749
      drops: illegal VLAN 0, illegal length 0
PW: neighbor 2.2.2.2, PW ID 609, state is up ( established )
    PW class ENS, XC ID 0xc0000003
    Encapsulation MPLS, protocol LDP
    Source address 1.1.1.1
    PW type Ethernet VLAN, control word disabled, interworking none
    PW backup disable delay 0 sec
    Sequencing not set
    PW Status TLV in use
      MPLS         Local                          Remote
      Label        17442                          847
      Group ID     0x80003c0                      0x0
      Interface    GigabitEthernet0/6.609     uknown
      MTU          1512                           1512
      Control word disabled                       disabled
      PW type      Ethernet VLAN                  Ethernet VLAN
      VCCV CV type 0x2                            0x2
                   (LSP ping verification)        (LSP ping verification)
      VCCV CC type 0x6                            0x6
                   (router alert label)           (router alert label)
                   (TTL expiry)                   (TTL expiry)
    Incoming Status (PW Status TLV):
      Status code: 0x0 (Up) in Notification message
    Outgoing Status (PW Status TLV):
      Status code: 0x0 (Up) in Notification message
    MIB cpwVcIndex: 3221225475
    Statistics:
      packets: received 725878036, sent 735789487
      bytes: received 184926449749, sent 405747931393
*******7609 OUTPUT*******
Local interface: Gi1/3.609 up, line protocol up, Eth VLAN 609 up
Destination address: 1.1.1.1, VC ID: 609, VC status: up
    Output interface: Gi2/4, imposed label stack {0 151644}******************This is my problem no imposed label on 7609
    Preferred path: not configured
    Default path: active
    Next hop: 10.198.64.21
Create time: 00:00:16, last status change time: 00:00:16
Signaling protocol: LDP, peer 1.1.1.1 up
    Targeted Hello: 2.2.2.2(LDP Id) -> 1.1.1.1, LDP is UP
    Status TLV support (local/remote)   : enabled/supported
      LDP route watch                   : enabled
      Label/status state machine        : established, LruRru
      Last local dataplane   status rcvd: No fault
      Last local SSS circuit status rcvd: No fault
      Last local SSS circuit status sent: No fault
      Last local LDP TLV    status sent: No fault
      Last remote LDP TLV    status rcvd: No fault
      Last remote LDP ADJ    status rcvd: No fault
    MPLS VC labels: local 505, remote 151644
    Group ID: local 0, remote 134218688
    MTU: local 1508, remote 1508
    Remote interface description: GigabitEthernet0_6_.609
Sequencing: receive disabled, send disabled
Control Word: Off (configured: autosense)
SSO Descriptor: 1.1.1.1/609, local label: 505
    SSM segment/switch IDs: 57633/24673 (used), PWID: 28772
VC statistics:
    transit packet totals: receive 3, send 0
    transit byte totals:   receive 216, send 0
    transit packet drops: receive 0, seq error 0, send 0

Hello ogungbenro wale,
Would you be so kind to verify the output form 7600, since the config part does not correspond to VC you provided output for:
interface gig 3/4.609 <=
Local interface: Gi1/3.609 up, line protocol up, Eth VLAN 609 up <=

L2VPN between ASR9000 and ME3800x

Hi,
I'm trying to set up a L2VPN(Vlan Mode) between a trunk port on an ASR9000, and an ME3800x.
The ASR is set up with an EFP:
interface GigabitEthernet0/0/0/19.912 l2transport
encapsulation dot1q 912
rewrite ingress tag pop 1 symmetric
mtu 1618
l2vpn
pw-class VlanMode
encapsulation mpls
transport-mode vlan
xconnect group orkide
    p2p OrkideSurnadal
    interface GigabitEthernet0/0/0/19.912
    neighbor xxx.xxx.xxx.75 pw-id 912
     pw-class VlanMode
On the other side I have terminated the xconnect on an ME3800x:
interface Vlan912
   mtu 1600
   no ip address
   xconnect xxx.xxx.xxx.82 912 encapsulation mpls
end
The VC is UP:
Local intf     Local circuit              Dest address    VC ID      Status
Vl912          Eth VLAN 912               xxx.xxx.xxx.82    912        UP
Is this the correct way to to do this?
I can't get this to work like it should. If I should do this with switches, I would just configure a vlan from end-to-end.
Thanks in advance,
Jan Ove Greger

Hi,
I'm sorry for the confusion, but there is an MPLS network between them.
I tried using VC5/Ethernet mode, and the xconnect is UP again:
Group orkide, XC OrkideSurnadal, state is up; Interworking none
AC: GigabitEthernet0/0/0/19.912, state is up
Type VLAN; Num Ranges: 1
VLAN ranges: [912, 912]
MTU 1600; XC ID 0x40011; interworking none
Statistics:
packets: received 134, sent 12
bytes: received 9112, sent 816
drops: illegal VLAN 0, illegal length 0
PW: neighbor 85.93.224.75, PW ID 912, state is up ( established )
PW class not set, XC ID 0x40011
Encapsulation MPLS, protocol LDP
PW type Ethernet, control word disabled, interworking none
PW backup disable delay 0 sec
Sequencing not set
MPLS         Local                          Remote
Label        16003                          20
Group ID     0x5c0                          0x0
Interface    GigabitEthernet0/0/0/19.912    unknown
MTU          1600                           1600
Control word disabled                       disabled
PW type      Ethernet                       Ethernet
VCCV CV type 0x2                            0x2
(LSP ping verification)        (LSP ping verification)
VCCV CC type 0x6                            0x2
(router alert label)           (router alert label)
(TTL expiry)
MIB cpwVcIndex: 0
Create time: 30/01/2012 19:52:07 (00:04:34 ago)
Last time status changed: 30/01/2012 19:52:07 (00:04:34 ago)
Statistics:
packets: received 12, sent 134
bytes: received 816, sent 9112
But still no connection or mac-adresses on vlan 912 on the trunk of the ME3800x.
For testing we have setup a network 10.33.33.1/24 on vlan 912 of the AC on the ASR. On the trunk port of the ME3800x we have a 3560 where we also have configured 10.33.33.10/24 on vlan 912.
So they should be able to see each other, but they don't...
Regards,
JoG

About L2VPN and BPDU transport

Hi folks,
my topology is like that:
vlan 30 - router A & B - mpls cloud (no vlans) - router C & D - vlan 30
I've created two xconnect tunnels (A-C and B-D), but the first is working, the second is for a cold backup.
How could I use both at the same time? Maybe I've to transport the BPDUs, to loop prevention, but how? Any advice will be appreciated
Regards
Andrea

Andrea, since you are using a L2transport, the PE's would be L3 peers, so do not enable STP between the PE's.
And if you are seeing a designated port then its normal, as each PE will consider itself the root for Vlan which it is transporting to the other side.
Designated-Root role in your topology means a problem, which will signify some one else is the root.
Now coming to your CE, to check STP is working fine or not try to manipulate the STP Bridge priority and see the effect for common Vlans spanning tree root ID. the root ID shoudl be the bridge ID of the switch whose priority you reduced.
Please do let me know if you have any more questions.
HTH-Cheers,
Swaroop

Dsatsource /ODS/Cube for Open PR and Open PO"

Dear Experts
I want to build a report in which I need to show "Open PR and Open PO" but I could not locate these fields in the BW CUBE / ODS / DATASOURCES. Can anybody tell me where I can find these fields..........
Dinesh Sharma

Dear,
There is no specific standard data source is not available to fetch us "Open PO" or "Open PR". first vll talk about PO.
For open PO,
case - 1
         Need to report count of all PO's which are in open status.
Case-2
        Need to report TBQ ( to be delivered Qty ) against each over due PO.
Basically we have - EKKO - HEADER , EKPO - ITEM AND EKET - SCHEDULE LINE ( GRC - GOODS RECEIVED ) is available,
so create a view, take all these three tables EKKO, EKPO and EKET.
EKPO
1     DELIVERY COMPLETED INDICATOR     ELIKZ
1     DELETION INDICATOR IN PD     LOEKZ
1     ARTICLE NUM     MATNR
1     SITE     WERKS
X     PO DOCUMENT NUM     EBELN
     PURCHASING ORDER QUANTITY     MENGE
     PURCHASING ORDER UOM     MEINS
     NET ORDER VAL IN PUR ORDER CURRENCY     NETWR
     NET PRICE IN PURCHASING DOC IN DOC CURRENCY     NETPR
no     PRICE UNIT     PEINH
X     ITEM NUMBER OF PURCHASING DOCUMENT     EBELP
EKKO
     DATE ON WHICH RECORD WAS CREATED      AEDAT
     PURCHASING DOCUMENT DATE     BEDAT
     DELIVERY DATE     EQ_EINDT
     RELEASE INDICATOR PURCHASING DOC     FRGKE
     RELEASE STATUS     FRGZU
0PO_UNIT     PURCHASING DOCUMENT NUM     EBELN
     CURR KEY     WAERS
EKET
     QUANTITY OF GOODS RECEIVED     WEMNG
     PURCHASING DOC NUM     EBELN
     ITEM NUM OF PURCHASING DOC     EBELP
Logic - create a generic DS, by view, FIRST send the data to DSO, there mention a field like TDQ ( to be deliver qty ), TDQ = po qty - goods received qty. -
create a cube above DSO, set a filter, allow only those records who has TDQ <>0, so your cube contains only pending PO.
hope it helped u.
Thanks,

Regarding Creation of Views and Multiple Datasources.

Dear All,
I hv a COreport(Cost Center Report).the data is coming from tables of CO,FI,SD,MM.
The Tables from CO are COEP,COSP,COSS,CSKS,CRHD,CSKU,CRCO,CSKB
The tables from SD are VBRK,KNA1
The Tables from MM are EKKO,LFA1.
The table from FI are SKAT,BKPF,BSIK,BSAK.
1)Can i create a view for these tables?Can a view be called a DS.
2)With these tables i hv Multiple DS's.So can i use Multiple DS's to extract data
3)Can i use FM to extract Data?If i use FM,vll i face errors during Support?
4)Please Guide me how to create Views for these tables and How to handle Multiple Datasources.
Thanks

Noor,
Have you checked suitable business content datasources.
I think you have lot of options
FIrst You need to have a multiple data source
--> Check for suitable business content datasources
--> check whether these details are already available in BW through any means (through other standard datasources to ODS)
--> Create customized extractor finally as a last option
All these tables are atandard and nost probably you would find a standard datasource ( again multiple) I am sure for costing you have standard
Few or more standard datasources or already existing BW objexts with 1 or 2(rarely) customized extractor would do the purpose that you look for,....
Good Luck !!!
Regards
VJ

SPA-1X10GE-L-V2 AND 4-10GBE-WL-XFP SUPPORTED FEATURES

Hello!
I am trying to find documents that prove the following:
4-10GBE-WL-XFP (with CRS-FP40 and XC-L2L3VPN)
SPA-1X10GE-L-V2 (with CRS-MSC-40G-B AND CRS1-SIP-800)
FEATURES NEEDED:
-802.1q encapsulation for L2VPN (EoMPLS & VPLS), L3 and L3VPN
-802.3ad and QinQ for L2VPN (EoMPLS)
-Support complete separation of QoS EXP, TOS, DSCP per interface
-Support complete separation of QoS EXP, TOS, DSCP per VLAN.
I am still researching to see if I can find supporting cisco documents.
Thanks in advance,
Rodrigo

Hi Rashed,
I see that your list includes Cisco Insight Reporter and Cisco Service Control Subscriber Manager. Those are SW pieces which will require some servers to run them. You can review the following documents to have an idea of the SW and HW requirements for the servers required to run those components:
- Insight:
http://www.cisco.com/en/US/docs/cable/serv_exch/serv_control/broadband_app/insight/rel34/install_guide/insight_34_ig.pdf
- Subscriber Manager:
www.cisco.com/en/US/docs/cable/serv_exch/serv_control/broadband_app/rel38x/smug/Installation_and_Upgrading.html
If you have any doubt, I would strongly suggest you to reach out to your local Cisco Acount Team for these type of questions. They will be able to provide you proper support and guidance for these type of inquires.
Best regards.

Dot1q tunneling and security

Hi,
I don't understand how to make to improve the security of dot1q tunneling. If the client makes some errors by example by disabling the spanning-tree on a vlan and he creates a loop between differents sites (L2VPN). What are the safety standards for Q-in-Q to protect the provider ?
Thank you for your help.
Regards.
David

It depends upon which switch you are using , If you are using a L3 capable switch , routing can be done on the switch it self , or if its a pure L2 switch you may have to create VLANs and route using sub-interfaces in the routers.Use these links for more details.
http://cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801cdf50.html#1008908
http://cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a0080161137.html

IOS XR Layer 2 internetworking and layer 2 local switching

I have 12410 with iox 3.6.1 and sip 501 with spa-5GE I want to configure layer 2 vpns for internetworking and layer 2 local switching. I search in the command reference and I didnt find the connect command nor internetwork ip under the PW class. can any one tell me how to configure it

Hi,
Here is an example for local switching:
RP/0/1/CPU0:router(config-if)#l2vpn
RP/0/1/CPU0:router(config-l2vpn)#xconnect group local
RP/0/1/CPU0:router(config-l2vpn-xc)#p2p ac1
RP/0/1/CPU0:router(config-l2vpn-xc-p2p)#interface gi0/3/0/0
RP/0/1/CPU0:router(config-l2vpn-xc-p2p)#interface gi0/3/0/1
RP/0/1/CPU0:router(config-l2vpn-xc-p2p)#commit
RP/0/1/CPU0:router(config-l2vpn-xc-p2p)#end
Any-2-Any connection type required 3.8
HTH
Laurent.

L2VPN on 7600 with 10GE interfaces

It is my understanding that SIP-200/400 or OSMs are required for L2VPN on 7600.
- Is there a way to run L2VPNs on a 7600 having only 10GEs and GEs interfaces? What options are there available for L2 VFIs at these speeds?
-W

My recommendation would be to use the new ES-20 Line cards for L2VPN. SIP-200 and SIP-400 or the OSM dont support 10G and have their own VPN restrictions. ES-20 gives the option of 20 X 1G interfaces or 2 X 10G interfaces per slot and should suit your requirement.

How to terminate a vlan on ASR 9000 and bridge it to a port on asr 9000

hi guys;
so here is another issue i have.
Scenario:
a switch in the north is trunking a VLAN for a client at our central site. The switch in north site is a 3560 and central site node is ASR 9000.
This vlan is extended along with few others to distribution switch (7609) and from there teh same VLAN is trunked to a 2960 device at the same site as that of ASR. The idea is to carry the vlan from teh reote site to teh ASR at our central site and then bridge it to a seperate port on ASR and hook this port up to our fibre patch panel, hence providing a service to the client connecting to us at our northern site and then getting connected to teh internet service provider via teh patch panel.
Since we can not make a port on ASR an access port, i am not sure how we can do the above mentioned interconnect.
please assisst.
regards

Hello Jalal,
Here the configuration example:
interface GigabitEthernet0/0/0/0.100 l2transport
encapsulation dot1q 100
rewrite ingress tag pop 1 symmetric
interface GigabitEthernet0/0/0/1
l2transport
l2vpn
bridge group cust1
bridge-domain cust1
interface GigabitEthernet0/0/0/0.100
interface GigabitEthernet0/0/0/1
GigabitEthernet0/0/0/1 is the access port (untagged).
interface GigabitEthernet0/0/0/0.100 accepts tagged frames with vlan 100.
L2vpn bridge-domain cust1 connects both interfaces together.
GigabitEthernet0/0/0/0.100 has tag rewrite operation. Removing tag on ingress, so sending untagged to GigabitEthernet0/0/0/1, and pushing tag 100 on egress, so untagged frames from gi0/0/0/1 got tagged.
Regards,
/A

Inter-AS L2VPN security concern

hi all,
i want to know what is the security concern when we have Inter-AS L2VPN between two Service Provider as the attached configuration (just one service provider side configuration for the ASBR & PE the other Service Provider is the same pointing to our service provider), and how we can mitigate the risk and what is the most secure option, we need to know the advantage and disadvantage.

Hi Ahmad
Looking at your configuration it seems the setup is as below
CE1_ISP1---------xconnect---PE_ISP1-----ISP1MPLSBB----ASBR_ISP1-----IP_Link---ASBR_ISP2-----ISP2MPLSBB----PE_ISP2------xconnect---CE2_ISP1
Is that correct ?
In my personal opinion from Security Point of View already only the required loopbacks are being allowed which is good to do. And I believe the SNMP Traps and Remote Access to your ASBR would be a protected and limited access.
Apart from these there might be some other standard security features which others can suggest to be taken care of but the above two should be surely taken care of as I think.
Hope this helps you.
Regards
Varma

Vll and l2vpn

Similar Messages

Maybe you are looking for