SPB Workshopv Day 2
Patricio Martelo
Solution Architecture Director
AGENDA DAY 1
Welcome
Collaboration tool
SPB introduction
Data plane
Control plane
Virtual LAB Platform
Hands-on Lab: Setting up the backbone
DAY 2
The Service Framework
Hands-on Lab: L2 services
Multicast concepts
VPN Lite and L3 VPN concepts
Hands-on Lab: L3 services
Management concepts
Hands-on Lab: Management
Misc topics
October 21
Spacewalkers Live Starting November 15th!
Check it out!
https://conversation.al-enterprise.com/LP=9084?utm_campaign=2021_Q4_NET_EML_EN_LW_SessionQ%26A&utm_medium=email&utm_source=Eloqua&elqTrackId=434EFD12A57EB5982CA72E0253D1FFDC&elq=0fcfad464eff4cb98ff67d95ea5d8a70&elqaid=22433&elqat=1&elqCampaignId=
THE SERVICE FRAMEWORK
An SPB service represents a VPN, or tenant, and is uniquely identified by its service
identifier, the ISID.
BEB: Backbone Edge Bridge, an SPB node that terminates services.
BCB: Backbone Core Bridge, an SPB node which is used for service transit but that does not
directly terminate any service.
An SPB service needs only be created, or instantiated, on BEB nodes, not on BCB nodes, and
only on those BEB nodes servicing locations associated to the service.
SPB service membership information is shared across the SPB backbone by way of IS-IS TLVs
such that all SPB nodes have a consistent view of the services which are active on each
BEB. Each node then builds a service database.
Service Database
ISID  BVID  BEB
66    A     B1
66    A     B2
66    A     B4
66    A     B5
77    B     B1
77    B     B5
[Diagram: nodes B1 to B5; ISID 66 on B1, B2, B4 and B5; ISID 77 on B1 and B5]
•B1, B2, B4 and B5 are BEBs because they terminate at least one Service
•B3 is a BCB node because it does not terminate any Service, even though Services may use
it as a transit node
WHAT ARE SAPS AND SDPS?
Service Access Point: The SAP is a UNI-side logical port which binds a physical
port and specific customer traffic types (untagged, single-tagged, double-
tagged or all) to an SPB service. Multiple SAPs can be associated to the same
physical port thus multiplexing and mapping different customer traffic
encapsulations to different SPB services. SAPs can be statically or dynamically
created.
Service Delivery Point: The SDP is an NNI-side logical port which binds an SPB
service to a far-end BEB on which the service is instantiated. SDPs are
dynamically created in the control plane and only for those far-end BEBs with
SAPs for the specific service.
BEB nodes have at least one local SAP
BCB nodes have no local SAPs
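The service database and the SAP/SDP rules above can be worked through in a few lines of Python. This is an added example, not code from the workshop; the node names and (ISID, BVID) pairs follow the Service Database slide, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed input modelled on the Service Database slide: each node's local
# SAP bindings as (ISID, BVID). B3 has none, so it only transits traffic.
LOCAL_SAPS = {
    "B1": [(66, "A"), (77, "B")],
    "B2": [(66, "A")],
    "B3": [],
    "B4": [(66, "A")],
    "B5": [(66, "A"), (77, "B")],
}

def build_service_db(local_saps):
    """Merge each node's advertised membership into {ISID: {(BVID, node)}}."""
    db = defaultdict(set)
    for node, bindings in local_saps.items():
        for isid, bvid in bindings:
            db[isid].add((bvid, node))
    return dict(db)

def node_roles(local_saps):
    """A node with at least one local SAP is a BEB; with none it is a BCB."""
    return {n: "BEB" if b else "BCB" for n, b in local_saps.items()}

def expected_sdps(db, node):
    """(ISID, far-end BEB) pairs for which `node` should hold an SDP."""
    sdps = set()
    for isid, members in db.items():
        local_bvids = {b for b, n in members if n == node}
        sdps |= {(isid, far) for b, far in members
                 if far != node and b in local_bvids}
    return sorted(sdps)

def bvid_conflicts(db):
    """ISIDs mapped to more than one BVID across the backbone."""
    found = {}
    for isid, members in db.items():
        bvids = sorted({b for b, _ in members})
        if len(bvids) > 1:
            found[isid] = bvids
    return found

if __name__ == "__main__":
    db = build_service_db(LOCAL_SAPS)
    print(node_roles(LOCAL_SAPS))
    for beb in ("B1", "B2", "B3"):
        print(beb, expected_sdps(db, beb))
    print("BVID conflicts:", bvid_conflicts(db))
```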
Service Framework
[Diagram: BEBs B1, B2, B4 and B5 carrying ISID 66 and ISID 77; example bindings SAP 1:1, SAP 2:2, SDP X:66 and SDP Y:77]
END-CUSTOMER MAC ADDRESS LEARNING
Within the SPB backbone, B-MAC addresses are learnt in the control plane through IS-IS (no
flood and learn).
End-customer devices however do not run IS-IS. Near-end end-customer MAC addresses are
bound to a SAP port whereas far-end end-customer MAC addresses are bound to SDP ports.
This only happens on BEB nodes and not on BCB nodes.
End-customer MAC address learning within a BEB is similar to Ethernet’s except there is no
“flooding”. BUM traffic is replicated either on ingress (head-end replication) or at the fork-
out point (tandem replication). More details in a later module.
[Diagram: end-customer MAC addresses G:G, E:E and D:D attached to BEBs carrying ISID 66 and ISID 77]
Building an SPB Network
Configuring Services
1.Create services on required BEBs and map to BVLANs
2.Configure the Service Access Ports
3.Map traffic to services with SAPs
4.No changes required in BCB nodes
[Diagram: B1 to B5 with ISID 66 and SAP 1:1]
•A Service Access Point (SAP) is a Virtual Port that binds specific traffic to a Service
•A SAP can be statically defined based on port/tag combination or,
•A SAP can be dynamically created with Network Profiles based on MAC/IP rules, authentication (e.g. 802.1x) or IoT fingerprinting
•The Service itself can also be dynamically created.
LAB 2: CONFIGURING A L2 SERVICE
[Lab topology diagram; labels: BEB1-BEB4, BEB6, BEB7, VM1, VM3-VM8, ports 1/1/48 and 1/1/50A-1/1/54A, ISID 1001, BVLAN 4001]
CONFIGURING A L2 SERVICE
OVERVIEW
Services need only be defined on BEBs where the service needs to be delivered
No need to configure services on BCBs or other BEBs that do not terminate the service
The Service ID is locally significant to the BEB and can be different across BEBs
A service is mapped to a specific BVLAN – will use that BVLAN’s SPF
ISID and BVLAN that the service is mapped to must match across BEBs
Tasks
Define Service Access Ports (UNI)
Create SPB service 1 with ISID 1001 and map it to BVLAN 4001
Define SAPs matching on un-tagged traffic
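The rules in this overview (local service IDs may differ, ISID-to-BVLAN mapping must match, SAPs sit on declared access ports) can be checked offline against saved configurations. This is an added example, not part of the workshop material; the per-BEB snippets are constructed, and the command forms are assumed to follow the `service ... spb isid ... bvlan ...`, `service access port ...` and `service ... sap port ...` lines shown later in this deck.

```python
import re
from collections import defaultdict

SVC = re.compile(r"^service (\d+) spb isid (\d+) bvlan (\d+)$")
ACCESS = re.compile(r"^service access port (\S+)$")
SAP = re.compile(r"^service (\d+) sap port ([^:\s]+):(\S+)$")

# Constructed per-BEB configuration snippets (not taken from the lab devices).
CONFIGS = {
    "BEB1": """service access port 1/1/48
service 1 spb isid 1001 bvlan 4001
service 1 sap port 1/1/48:0""",
    # Different local service ID, same ISID and BVLAN: allowed.
    "BEB2": """service access port 1/1/48
service 7 spb isid 1001 bvlan 4001
service 7 sap port 1/1/48:0""",
    # Wrong BVLAN, and the SAP port was never declared as an access port.
    "BEB3": """service 1 spb isid 1001 bvlan 4002
service 1 sap port 1/1/48:0""",
}

def parse(text):
    """Extract services {id: (isid, bvlan)}, access ports and SAP bindings."""
    services, access_ports, saps = {}, set(), []
    for line in (l.strip() for l in text.splitlines()):
        if m := SVC.match(line):
            services[int(m[1])] = (int(m[2]), int(m[3]))
        elif m := ACCESS.match(line):
            access_ports.add(m[1])
        elif m := SAP.match(line):
            saps.append((int(m[1]), m[2]))
    return services, access_ports, saps

def audit(configs):
    """Return findings as tuples; an empty list means the checks passed."""
    findings, bvlan_by_isid = [], defaultdict(dict)
    for beb, text in sorted(configs.items()):
        services, access_ports, saps = parse(text)
        for isid, bvlan in services.values():
            bvlan_by_isid[isid][beb] = bvlan
        for svc, port in saps:
            if svc not in services:
                findings.append(("sap-without-service", beb, svc))
            if port not in access_ports:
                findings.append(("sap-port-not-access", beb, port))
    for isid, per_beb in sorted(bvlan_by_isid.items()):
        if len(set(per_beb.values())) > 1:
            findings.append(("bvlan-mismatch", isid, dict(per_beb)))
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIGS):
        print(finding)
```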
VM DETAILS
[Table not recovered; surviving labels: BEB-X, BCB, Total Ports: 8]
SERVICE VERIFICATION
CHECK MESH SDPS
BEB1
BEB1> show service mesh-sdp spb
Legend: * denotes a dynamic object
SPB Mesh-SDP Info
SvcId SdpId Isid FarEnd SysId:BVlan Oper Intf FarEnd SystemName
--------+----------------+---------+--------------------+----+--------+------------------
1 32799:1* 1001 dc08.5610.7429:4001 Up 1/1/54A BEB2
1 32807:1* 1001 dc08.5610.8649:4001 Up 1/1/53A BEB3
1 32813:1* 1001 dc08.5610.77e9:4001 Up 1/1/50A BEB4
1 32817:1* 1001 dc08.5610.80f9:4001 Up 1/1/52A BEB5
1 32821:1* 1001 dc08.5610.8559:4001 Up 1/1/51A BEB6
1 32825:1* 1001 dc08.5610.78d9:4001 Up 1/1/53A BEB7
1 32829:1* 1001 dc08.5610.7249:4001 Up 1/1/50A BEB8
Total Mesh-SDPs: 7
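The mesh-SDP check can be automated by parsing this output and comparing it with the far-end BEBs that should be present. This is an added example, not part of the workshop material; the sample is the BEB1 output shown above with whitespace collapsed, while the function names and the "Down" state used for the failure case are assumptions.

```python
import re

# One row of `show service mesh-sdp spb`, e.g.
#   1 32799:1* 1001 dc08.5610.7429:4001 Up 1/1/54A BEB2
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+:\d+)(\*?)\s+(\d+)\s+([0-9a-f.]+):(\d+)"
    r"\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

# BEB1 output as shown on the slide (whitespace collapsed).
SAMPLE = """\
SvcId SdpId Isid FarEnd SysId:BVlan Oper Intf FarEnd SystemName
--------+----------------+---------+--------------------+----+--------+------
1 32799:1* 1001 dc08.5610.7429:4001 Up 1/1/54A BEB2
1 32807:1* 1001 dc08.5610.8649:4001 Up 1/1/53A BEB3
1 32813:1* 1001 dc08.5610.77e9:4001 Up 1/1/50A BEB4
1 32817:1* 1001 dc08.5610.80f9:4001 Up 1/1/52A BEB5
1 32821:1* 1001 dc08.5610.8559:4001 Up 1/1/51A BEB6
1 32825:1* 1001 dc08.5610.78d9:4001 Up 1/1/53A BEB7
1 32829:1* 1001 dc08.5610.7249:4001 Up 1/1/50A BEB8
Total Mesh-SDPs: 7
"""

def parse_mesh_sdps(output):
    """Turn each data row into a dict; header and total lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"svc": int(m[1]), "sdp": m[2], "dynamic": m[3] == "*",
                         "isid": int(m[4]), "sysid": m[5], "bvlan": int(m[6]),
                         "oper": m[7], "intf": m[8], "far_end": m[9]})
    return rows

def mesh_problems(rows, isid, bvlan, expected_far_ends):
    """List missing far ends, SDPs that are not Up, and BVLAN mismatches."""
    seen = {r["far_end"]: r for r in rows if r["isid"] == isid}
    problems = [f"missing SDP to {n}"
                for n in sorted(set(expected_far_ends) - set(seen))]
    for name, r in sorted(seen.items()):
        if r["oper"] != "Up":
            problems.append(f"SDP to {name} is {r['oper']}")
        if r["bvlan"] != bvlan:
            problems.append(f"SDP to {name} uses BVLAN {r['bvlan']}")
    return problems

PEERS = {f"BEB{i}" for i in range(2, 9)}  # far ends expected from BEB1

if __name__ == "__main__":
    print(mesh_problems(parse_mesh_sdps(SAMPLE), 1001, 4001, PEERS))
    # Constructed failure: BEB8 row missing, BEB5 reported Down (assumed value).
    degraded = SAMPLE.replace("Up 1/1/52A BEB5", "Down 1/1/52A BEB5")
    degraded = "\n".join(l for l in degraded.splitlines() if "BEB8" not in l)
    print(mesh_problems(parse_mesh_sdps(degraded), 1001, 4001, PEERS))
```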
SERVICE VERIFICATION
MAC LEARNING - BEB
BEB1
BEB1> show mac-learning domain spb
Legend: Mac Address: * = address not valid,
L2 MULTICAST CONCEPTS
Head-end replication: multicast frames are replicated at the ingress BEB, following the unicast tree
Tandem replication: multicast frames are replicated at the “fork” point, based on the multicast tree
[Table columns: Type, B-MAC, Port, BVID, Out Intf (rows not recovered)]
[Diagram: Site 1 to Site 4 joined by ISID 10, 10.0.0.0/24, OSPF area 0; site subnets 10.0.3.0/24 and 10.0.4.0/24 shown at BEB 3 and BEB 4]
L3 FOR CUSTOMER B / VRF B
[Diagram: Site 1 to Site 4 joined by ISID 20, 20.0.0.0/24, OSPF area 0; site subnets 20.0.3.0/24 and 20.0.4.0/24 shown at BEB 3 and BEB 4]
L3 FOR CUSTOMER C / VRF C
[Diagram: Site 1 to Site 4 joined by ISID 30, 30.0.0.0/24, OSPF area 0; site subnets 30.0.3.0/24 and 30.0.4.0/24 shown at BEB 3 and BEB 4]
Q&A
[Diagram: Site 1 to Site 4 joined by ISID 10, 10.0.0.0/24, IS-IS; site subnets 10.0.3.0/24 and 10.0.4.0/24 shown at BEB 3 and BEB 4]
HOW DO WE PROPAGATE ROUTES IN A L3 VPN?
[Diagram: Site 1 to Site 4 joined by ISID 10, 10.0.0.0/24, IS-IS; site subnets 10.0.3.0/24 and 10.0.4.0/24 shown at BEB 3 and BEB 4]
WHAT HAPPENS INSIDE VRF A’S ROUTING TABLE?
[Diagram: BEB 1 with Site 1 subnet 10.0.1.0/24 (.254, .1) and ISID 10]
Import far-end IS-IS routes associated
to the customer’s ISID into the 10.0.0.0/24
[Diagram labels: VLAN 11, VLAN 1, ISID 1, ISID 2]
VLAN + SAP ALL IN ONE PORT
ip interface vlan_1 address 10.1.2.1/24 vlan 1
ip interface service_1 address 10.1.1.1/24 service 1
ip interface service_2 address 10.1.3.1/24 service 2
VLAN PORT, SAP PORT
ip interface vlan_1 address 10.1.2.1/24 vlan 1
ip interface vlan_11 address 10.1.1.1/24 vlan 11
LATER…
vlan 11 member port 1/1/1 tagged
service access port 1/1/2
service spb 1 sap port 1/1/2:11
ROUTING: PHYSICAL VIEW
[Diagram labels: VLAN 11, VLAN 1, ISID 1, ISID 2, LOOPBACK]
SINGLE-PASS (VLAN + SAP ALL IN ONE PORT OR LAG)
ip interface vlan_1 address 10.1.2.1/24 vlan 1
ip interface service_1 address 10.1.1.1/24 service 1
ip interface service_2 address 10.1.3.1/24 service 2
TWO-PASS WITH EXTERNAL FRONT-PANEL LOOPBACK (VLAN PORT 1/1/1, SAP PORT 1/1/2)
ip interface vlan_1 address 10.1.2.1/24 vlan 1
ip interface vlan_11 address 10.1.1.1/24 vlan 11
LATER…
vlan 11 member port 1/1/1 tagged
service access port 1/1/2
service spb 1 sap port 1/1/2:11
Q&A
[Lab topology diagram; labels: BEB1-BEB4, BEB6, BEB7, VM1, VM3-VM8, ports 1/1/48 and 1/1/50A-1/1/54A, ISID 1002, BVLAN 4002, 192.168.20.0/24]
CONFIGURING A L3VPN SERVICE
OVERVIEW
[Table columns: Site, Test IP, LAN IP, WAN IP, Site VLAN tag, Dummy VLAN tag (rows not recovered)]
BEB1
no service 1 sap port 1/1/48:0
no service access port 1/1/48
vlan 1009 name "Site_1"
vlan 1009 members port 1/1/48 tagged
interfaces port 1/1/49A loopback
service 2 spb isid 1002 bvlan 4002
service access port 1/1/49A
service 2 sap port 1/1/49A:3100
vrf create L3_Service
ip interface "LAN" address 192.168.21.254 mask 255.255.255.0 vlan 1009
ip interface "WAN" address 192.168.20.1 mask 255.255.255.0 vlan 3100 rtr-port port 1/1/49A tagged
ip export all-routes
ip import isid 1002 all-routes
exit
spb ipvpn bind vrf L3_Service isid 1002 gateway 192.168.20.1 all-routes
CONFIGURING AN L3 SERVICE
BEB2
no service 1 sap port 1/1/48:0
no service access port 1/1/48
vlan 1010 name "Site_2"
vlan 1010 members port 1/1/48 tagged
interfaces port 1/1/49A loopback
service 2 spb isid 1002 bvlan 4002
service access port 1/1/49A
service 2 sap port 1/1/49A:3100
vrf create L3_Service
ip interface "LAN" address 192.168.22.254 mask 255.255.255.0 vlan 1010
ip interface "WAN" address 192.168.20.2 mask 255.255.255.0 vlan 3100 rtr-port port 1/1/49A tagged
ip export all-routes
ip import isid 1002 all-routes
exit
spb ipvpn bind vrf L3_Service isid 1002 gateway 192.168.20.2 all-routes
CONFIGURING AN L3 SERVICE
BEB3
no service 1 sap port 1/1/48:0
no service access port 1/1/48
vlan 1011 name "Site_3"
vlan 1011 members port 1/1/48 tagged
interfaces port 1/1/49A loopback
service 2 spb isid 1002 bvlan 4002
service access port 1/1/49A
service 2 sap port 1/1/49A:3100
vrf create L3_Service
ip interface "LAN" address 192.168.23.254 mask 255.255.255.0 vlan 1011
ip interface "WAN" address 192.168.20.3 mask 255.255.255.0 vlan 3100 rtr-port port 1/1/49A tagged
ip export all-routes
ip import isid 1002 all-routes
exit
spb ipvpn bind vrf L3_Service isid 1002 gateway 192.168.20.3 all-routes
CONFIGURING AN L3 SERVICE
BEB4
no service 1 sap port 1/1/48:0
no service access port 1/1/48
vlan 1012 name "Site_4"
vlan 1012 members port 1/1/48 tagged
interfaces port 1/1/49A loopback
service 2 spb isid 1002 bvlan 4002
service access port 1/1/49A
service 2 sap port 1/1/49A:3100
vrf create L3_Service
ip interface "LAN" address 192.168.24.254 mask 255.255.255.0 vlan 1012
ip interface "WAN" address 192.168.20.4 mask 255.255.255.0 vlan 3100 rtr-port port 1/1/49A tagged
ip export all-routes
ip import isid 1002 all-routes
exit
spb ipvpn bind vrf L3_Service isid 1002 gateway 192.168.20.4 all-routes
CONFIGURING AN L3 SERVICE
BEB5
no service 1 sap port 1/1/48:0
no service access port 1/1/48
vlan 1013 name "Site_5"
vlan 1013 members port 1/1/48 tagged
interfaces port 1/1/49A loopback
service 2 spb isid 1002 bvlan 4002
service access port 1/1/49A
service 2 sap port 1/1/49A:3100
vrf create L3_Service
ip interface "LAN" address 192.168.25.254 mask 255.255.255.0 vlan 1013
ip interface "WAN" address 192.168.20.5 mask 255.255.255.0 vlan 3100 rtr-port port 1/1/49A tagged
ip export all-routes
ip import isid 1002 all-routes
exit
spb ipvpn bind vrf L3_Service isid 1002 gateway 192.168.20.5 all-routes
CONFIGURING AN L3 SERVICE
BEB6
no service 1 sap port 1/1/48:0
no service access port 1/1/48
vlan 1014 name "Site_6"
vlan 1014 members port 1/1/48 tagged
interfaces port 1/1/49A loopback
service 2 spb isid 1002 bvlan 4002
service access port 1/1/49A
service 2 sap port 1/1/49A:3100
vrf create L3_Service
ip interface "LAN" address 192.168.26.254 mask 255.255.255.0 vlan 1014
ip interface "WAN" address 192.168.20.6 mask 255.255.255.0 vlan 3100 rtr-port port 1/1/49A tagged
ip export all-routes
ip import isid 1002 all-routes
exit
spb ipvpn bind vrf L3_Service isid 1002 gateway 192.168.20.6 all-routes
CONFIGURING AN L3 SERVICE
BEB7
no service 1 sap port 1/1/48:0
no service access port 1/1/48
vlan 1015 name "Site_7"
vlan 1015 members port 1/1/48 tagged
interfaces port 1/1/49A loopback
service 2 spb isid 1002 bvlan 4002
service access port 1/1/49A
service 2 sap port 1/1/49A:3100
vrf create L3_Service
ip interface "LAN" address 192.168.27.254 mask 255.255.255.0 vlan 1015
ip interface "WAN" address 192.168.20.7 mask 255.255.255.0 vlan 3100 rtr-port port 1/1/49A tagged
ip export all-routes
ip import isid 1002 all-routes
exit
spb ipvpn bind vrf L3_Service isid 1002 gateway 192.168.20.7 all-routes
CONFIGURING AN L3 SERVICE
BEB8
no service 1 sap port 1/1/48:0
no service access port 1/1/48
vlan 1016 name "Site_8"
vlan 1016 members port 1/1/48 tagged
interfaces port 1/1/49A loopback
service 2 spb isid 1002 bvlan 4002
service access port 1/1/49A
service 2 sap port 1/1/49A:3100
vrf create L3_Service
ip interface "LAN" address 192.168.28.254 mask 255.255.255.0 vlan 1016
ip interface "WAN" address 192.168.20.8 mask 255.255.255.0 vlan 3100 rtr-port port 1/1/49A tagged
ip export all-routes
ip import isid 1002 all-routes
exit
spb ipvpn bind vrf L3_Service isid 1002 gateway 192.168.20.8 all-routes
VERIFYING AN L3 SERVICE
CHECK ROUTES
BEB1
L3_Service::BEB1> show ip routes
In-band management when not all nodes support single pass inline routing:
Create “Management” VRF.
Create “Management” IP interface in Control BVLAN and in “Management” VRF
IP routes and MAC-to-IP mapping advertised through IS-IS – no ARP
No flooding: can put all management IP interfaces in same subnet even with many nodes
Route import/export at gateway nodes
IN-BAND MANAGEMENT EXAMPLE
[Diagram: BEB 1 (.1), BEB 2 (.2), BEB 3 (.3) and BEB 4 (.4) on Management BVLAN 4000, subnet 172.16.1.0/24, Management VRF]
LAB 4: NETWORK MANAGEMENT
[Diagram: BEB 1 (.1), BEB 2 (.2), BEB 3 (.3) and BEB 4 (.4) on Management BVLAN 4000, subnet 172.16.1.0/24, Management VRF; OSPF Area 0 towards 172.16.2.100/24]
CONFIGURING IN-BAND NETWORK MANAGEMENT
OVERVIEW
Node  SPB Domain MGMT IP  Management Loopback0
BEB1  172.16.1.1/24       172.16.3.1
BEB2  172.16.1.2/24       172.16.3.2
BEB3  172.16.1.3/24       172.16.3.3
BEB4  172.16.1.4/24       172.16.3.4
BEB5  172.16.1.5/24       172.16.3.5
BEB6  172.16.1.6/24       172.16.3.6
BEB7  172.16.1.7/24       172.16.3.7
BEB8  172.16.1.8/24       172.16.3.8
BEB4
vrf create Management
ip interface "Management-SPB" address 172.16.1.4 mask 255.255.255.0 vlan 4000
ip interface Loopback0 address 172.16.3.4
ip service all admin-state enable
BEB5
vrf create Management
ip interface "Management-SPB" address 172.16.1.5 mask 255.255.255.0 vlan 4000
ip interface Loopback0 address 172.16.3.5
BEB7
vrf create Management
ip interface "Management-SPB" address 172.16.1.7 mask 255.255.255.0 vlan 4000
ip interface Loopback0 address 172.16.3.7
ip service all admin-state enable
BEB8
vrf create Management
ip interface "Management-SPB" address 172.16.1.8 mask 255.255.255.0 vlan 4000
ip interface Loopback0 address 172.16.3.8
✓ Link Default Metric (regardless of bandwidth) = 10
✓ Metric can be modified to reflect link speed and to influence logical topology
[Diagram: DC1 and DC2 with link metrics of 10000]
NNI Ports
• STP is automatically disabled for all BVLANs
• If standard VLANs are configured to run alongside BVLANs on NNI ports, then STP can
be used on those VLANs
UNI Ports
• By default, UNI (SAP) ports will tunnel STP BPDUs. This is good when a site LAN
connects to multiple BEBs.
• But we should still be careful to keep all sites as separate STP domains when we share
ISIDs across sites. This could be done with MSTP Regions and Max Hops.
• If each site connects to a single BEB and there are no backdoors, then the SAP can be
configured to discard STP BPDUs.
• Use LBD to avoid loops created with backdoors between sites or multiple connections
to a BEB (see next section)
LOOPBACK DETECTION
[Three loop scenarios: in two, the port in the switch with the highest BridgeID is shut down; in the third, the port with the highest PortID is shut down]
✓ Faults and misconfigurations at the Access Layer can create loops, resulting in
broadcast storms.
✓LBD sends special frames out of LBD-enabled ports on all SAPs and if the frame is
received it concludes there is a loop. When a loop is detected, the port is disabled and a
trap is sent.
BCB (or transit) nodes do not need to learn end-client MAC addresses
But BEB nodes do
Except, in point-to-point services, because there’s a single possible SDP
By explicitly defining a service as point-to-point, no end-client MAC addresses will be learnt
on BEBs either.
This is recommended to improve scalability.
QUESTIONS?
Spacewalkers Live Starting November 15th!
Check it out!
https://www.spacewalkers.com/news/1st-network-tech-days-taking-off-november-15th/
THANK YOU!