Cisco SCE2020-4XGBE-SM Configuration Manual page 373

Chapter 13 MPLS/VPN Support
Bypassing Unknown VPNs
In an MPLS network, there may be many VPNs crossing the SCE platform, only a small number of which
require service control functionality. It is necessary for the SCE platform to recognize which VPNs are
not managed.
•
•
Note that the label limit (see
bypassed VPNs.
Each bypassed VPN entry, both upstream and downstream, is removed from the database after a set
period of time (10 minutes). If the entry is still used in the traffic, it will be re-learnt. This allows the
database to remain clean, even if the labels are reused by the routers for different VPNs.
show bypassed VPNs In the show bypassed VPNs command, the age is indicated with each label - the
length of time since it was learned.
Additional MPLS Pattern Support
The MPLS/VPN solution was designed to provide DPI services in MPLS/VPN network. These networks
use BGP protocol as the control plane for the VPNs and LDP protocol for routing. There are complex
networks where the MPLS infrastructure is used not only for VPN and routing, but also for other features
such as traffic engineering (TE) and better fail-over. These features are usually enabled per VRF in the
PE.
The Service Control MPLS/VPN solution does not support VPNs that use other MPLS-related features.
Features such as MPLS-TE or MPLS-FRR (Fast Reroute) are not supported. VPNs for which these
features are enabled can be automatically bypassed in the system, but are not allowed to be configured
in the SM as serviced VPNs. Configuration of these VPNs in the SM might cause misclassification due
to label aliasing.
The following list describes the labels combinations that are supported by the SCE platform and how
each combination is interpreted by the platform:
•
•
•
•
OL-7827-12
The SCE platform automatically bypasses any VPN that is not configured in the SM
The VPNs are bypassed by the SCE platform without any service
Limitations, page
One or more labels upstream, no labels downstream:
Assumed to be non-VPN (see
The SCE platform treats the following IP flows as non-VPN flows, and ignores their labels.
One label upstream, one label downstream:
Assumed to be VPN traffic, in which the P router happens to be the last hop in the upstream.
The label in the downstream is treated as a BGP label, like the regular case. If the BGP label is
known from the SM, then the flow is assigned to the correct subscriber, otherwise, it is treated as a
bypassed VPN.
Two labels upstream, one label downstream:
This is the typical configuration of the system. Of the two upstream labels, one is for BGP and one
for LDP. The downstream label is for BGP only
More than two labels upstream, or more than one label downstream:
These combinations occur when other MPLS-related features are enabled for the VPN. Such VPNs
are not supported and should not be configured in the SM. However, they can be bypassed in the
SCE platform without any service and without harming the service for other VPNs.
13-10)of 57,344 different labels includes labels from the
Non-VPN-Based Subscribers, page
Cisco SCE 2000 and SCE 1000 Software Configuration Guide
Service Control MPLS/VPN Concepts
13-6).
13-7