Configuring an Access Pseudowire That Terminates into VRF on the Service Node
Each VPN has its own VPN-specific routing table for each VPN
site. When an ingress PE router (SN2) receives routes advertised from
a directly connected access node (CE2), it checks the received route
against the VRF export policy for that VPN. If it matches, the route
is converted to VPN-IPv4 format; that is, the route distinguisher
is added to the route. This VPN-IPv4 route is advertised to the remote
PE routers. The ingress PE router also attaches a route target to each
route learned from the directly connected sites, based on the value of
the configured export target policy of the VRF tables. When an egress
PE router receives this route, it checks it against the import policy
between the PE routers. If accepted, the route is placed into its bgp.l3vpn.0
table. At the same time, the router checks the
route against the VRF import policy for the VPN. If it matches, the
route distinguisher is removed from the route, and the route is placed
into the VRF table in IPv4 format.
On SN2 and SN1, routes are installed in the VRF based on the import and export VRF policies. OSPF and direct routes from CE2 are installed in the VRF of SN2 and are then converted into IPv4-VPN routes. The routes to be learned over the CE-PE link are defined under protocols in the routing instance. At the other end, the access pseudowire terminates in the VRF of the SN1 device, and static routing is configured between the access node (CE1) and the service node (SN1). Traffic at this point is handled at the IP level, before it enters the Layer 3 domain. The translation from IP route to IPv4-VPN route happens at SN2.
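The export and import flow described above, modeled as a short Python sketch. This is an added example, not Juniper code or configuration: the route distinguisher, route target and prefix values are constructed, the VRF named other_vpn is hypothetical, and dropping routes that no local VRF imports is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class VpnIpv4Route:
    rd: str             # route distinguisher added by the ingress PE
    prefix: str         # customer IPv4 prefix
    targets: frozenset  # route targets attached on export

class PE:
    def __init__(self, name):
        self.name = name
        self.vrfs = {}       # VRF name -> policy settings and IPv4 table
        self.bgp_l3vpn = []  # stands in for bgp.l3vpn.0

    def add_vrf(self, name, rd, export_nets, export_rts, import_rts):
        nets = [ipaddress.ip_network(n) for n in export_nets]
        self.vrfs[name] = {"rd": rd, "export_nets": nets, "table": set(),
                           "export_rts": frozenset(export_rts),
                           "import_rts": frozenset(import_rts)}

    def learn_from_ce(self, vrf_name, prefix):
        """Ingress side: install the CE route, export it if policy matches."""
        vrf = self.vrfs[vrf_name]
        vrf["table"].add(prefix)
        net = ipaddress.ip_network(prefix)
        if not any(net.subnet_of(allowed) for allowed in vrf["export_nets"]):
            return None  # export policy rejected it: the route stays local
        return VpnIpv4Route(vrf["rd"], prefix, vrf["export_rts"])

    def receive(self, route):
        """Egress side: match route targets, strip the RD, install as IPv4."""
        matched = [n for n, v in self.vrfs.items()
                   if route.targets & v["import_rts"]]
        if matched:  # assumption: routes that no VRF imports are not kept
            self.bgp_l3vpn.append(route)
        for name in matched:
            self.vrfs[name]["table"].add(route.prefix)  # plain IPv4, no RD
        return matched

def demo():
    # All RD, route-target and prefix values below are constructed samples.
    sn2, sn1 = PE("SN2"), PE("SN1")
    sn2.add_vrf("l3vpn_1", "10.255.0.2:1", ["192.0.2.0/24"],
                ["target:65000:1"], ["target:65000:1"])
    sn1.add_vrf("l3vpn_1", "10.255.0.1:1", ["198.51.100.0/24"],
                ["target:65000:1"], ["target:65000:1"])
    sn1.add_vrf("other_vpn", "10.255.0.1:2", [],
                ["target:65000:2"], ["target:65000:2"])
    exported = sn2.learn_from_ce("l3vpn_1", "192.0.2.0/25")
    blocked = sn2.learn_from_ce("l3vpn_1", "203.0.113.0/24")
    return exported, blocked, sn1.receive(exported), sn1
```

The route reaches only the VRF whose import target matches, which is the property that keeps one VPN's routes out of another VPN's table.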
Use the following operational mode commands to verify termination of an access pseudowire into VRF:
show l2circuit connections
show route table l3vpn_1.inet.0