NETWORK-L2 Supplemental 4: L2VPN and Pseudowires: Ethernet over MPLS
Author: Patrick Luan de Mattos
Category: network-l2
Level: Advanced
Generated: 2026-04-17T21:18:33.201Z
Serial: 4
Introduction
In the modern network landscape, the demand for seamless Layer 2 connectivity across geographically dispersed locations has never been greater. While IP routing (Layer 3) is the backbone of most wide-area networks, many applications and legacy systems still rely on Layer 2 constructs such as Ethernet. Bridging this gap requires solutions that encapsulate Layer 2 frames and transport them over an existing IP or MPLS infrastructure. This chapter covers Layer 2 Virtual Private Networks (L2VPNs) and the fundamental concept of pseudowires, with a particular focus on Ethernet over MPLS (EoMPLS). We explore how these technologies extend Ethernet services across an MPLS core, discuss the signaling mechanisms employed, and examine the evolution towards Virtual Private LAN Service (VPLS) and its modern successor, Ethernet VPN (EVPN). Understanding these concepts is crucial for network architects and engineers designing robust, scalable, and secure enterprise networks. While this chapter focuses on the technical underpinnings of L2VPN technologies, advances in AI, such as Anthropic's work on Claude, are also influencing the cybersecurity landscape: developers are increasingly aware of potential vulnerabilities and are taking a proactive approach to security. Concerns such as a potential Anthropic code leak or zero-day vulnerabilities call for robust network segmentation and secure transport mechanisms, which L2VPNs can help provide.
1. The Need for Layer 2 VPNs
Traditional WAN technologies were often point-to-point leased lines or Frame Relay circuits, inherently providing Layer 2 connectivity. However, the widespread adoption of IP routing and MPLS has led to a more efficient and scalable infrastructure. The challenge arises when organizations need to extend their existing Layer 2 networks (e.g., Ethernet LANs) across this IP/MPLS backbone.
Key drivers for L2VPNs include:
- Extending existing LANs: Connecting multiple sites of an organization as if they were on the same physical Ethernet switch. This is vital for applications that rely on Layer 2 broadcast domains, such as certain legacy applications, distributed file systems, and clustering technologies.
- Supporting applications with Layer 2 dependencies: Some applications are designed to operate within a single Layer 2 broadcast domain and cannot function correctly across Layer 3 boundaries.
- Simplified network design for end-users: For branch offices, L2VPNs can present a simple Ethernet interface, abstracting the complexity of the underlying MPLS core.
- Disaster recovery and business continuity: Enabling rapid failover and seamless operation of critical services across redundant sites.
- Interconnecting data centers: Creating a unified, high-speed, low-latency Layer 2 fabric between geographically separated data centers.
2. Pseudowires: The Foundation of L2VPNs
At the heart of L2VPNs lies the concept of a pseudowire (PW). A pseudowire is essentially a point-to-point connection that emulates a Layer 2 link over an IP or MPLS network. It encapsulates Layer 2 frames (such as Ethernet frames) and transports them between two endpoints across a packet-switched network. The underlying network (typically MPLS) provides the transport mechanism, while the pseudowire protocol defines how the Layer 2 frames are encapsulated and signaled.
A pseudowire consists of:
- Attachment Circuits (ACs): These are the Layer 2 interfaces at the edge of the packet-switched network where the Layer 2 traffic enters and exits the pseudowire. These could be Ethernet ports, VLAN interfaces, or other Layer 2 service types.
- Pseudowire Tunnel: This is the logical path established over the packet-switched network (e.g., MPLS LSPs) that carries the encapsulated Layer 2 traffic between the pseudowire endpoints.
- Pseudowire Control Word (Optional): This is a small header added to the encapsulated packet that can carry information like sequence numbers (for ordering), control flags, and payload type. It's not always mandatory but can be useful for certain applications.
Analogy: Imagine you have two offices in different cities, and you want to connect them with a direct Ethernet cable. However, laying a physical cable is impractical. A pseudowire is like creating a virtual Ethernet cable between them using the existing internet infrastructure. The data travels through the internet, but it's packaged in a way that makes it appear as if it's flowing over a direct link.
3. Ethernet over MPLS (EoMPLS)
EoMPLS is a specific implementation of a pseudowire that carries Ethernet frames over an MPLS network. It's a widely deployed L2VPN technology that allows service providers to offer transparent Layer 2 Ethernet services to their customers across their MPLS backbone.
How EoMPLS Works:
- Attachment Circuits: On the provider edge (PE) router, the Ethernet interface facing the customer edge (CE) device serves as the attachment circuit.
- Encapsulation: When an Ethernet frame arrives at the PE router, it is encapsulated. The specific encapsulation depends on the pseudowire signaling protocol used.
- MPLS Label Stack: The most common approach is to add an MPLS label stack to the Ethernet frame. This stack typically includes:
  - Tunnel Label: Identifies the specific MPLS LSP between the PE routers.
  - Service Label (or Pseudowire Label): Identifies the specific pseudowire instance between the PE routers. This is crucial for differentiating traffic belonging to different L2VPNs or pseudowires.
- Ethernet Pseudowire (ePW) Header: A specific header, often defined by RFC 4448 (MPLS-based Ethernet Pseudowire), is prepended to the original Ethernet frame. This header contains information like the pseudowire type and potentially a control word.
- Transport: The encapsulated packet is then forwarded across the MPLS core using the established MPLS LSPs. The core routers (Provider routers, or P routers) only need to look at the outer MPLS label to switch the packet; they never inspect the customer's Ethernet frame.
- De-encapsulation: At the egress PE router, the MPLS labels and the ePW header are removed, and the original Ethernet frame is delivered to the CE device or the customer's network.
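The encapsulation steps above, as an added example that is not part of the original chapter or any vendor's code: it builds the packet an ingress PE would emit (tunnel label, pseudowire label with the bottom-of-stack bit set, optional control word, customer frame), shows that a P router only reads the outermost label, and reverses the process at the egress PE. The label values, sequence number and the 60-byte customer frame are constructed sample data; the overhead helper is what you need when checking core MTU against the customer frame size.

```python
"""Build and parse an EoMPLS packet: tunnel label, pseudowire (service)
label, optional control word, then the customer's Ethernet frame.
Added example for this chapter, not vendor code; the label values and
the customer frame below are constructed sample data."""
import struct


def encode_label(label: int, tc: int, bos: bool, ttl: int) -> bytes:
    """One 32-bit MPLS label stack entry (RFC 3032): 20-bit label,
    3-bit traffic class, 1-bit bottom-of-stack, 8-bit TTL."""
    if not 0 <= label < (1 << 20):
        raise ValueError("MPLS label must fit in 20 bits")
    word = (label << 12) | ((tc & 0x7) << 9) | (int(bos) << 8) | (ttl & 0xFF)
    return struct.pack("!I", word)


def decode_label(entry: bytes) -> dict:
    (word,) = struct.unpack("!I", entry)
    return {"label": word >> 12, "tc": (word >> 9) & 0x7,
            "bos": bool((word >> 8) & 1), "ttl": word & 0xFF}


def encode_control_word(seq: int = 0) -> bytes:
    """Pseudowire control word: the first nibble is 0000 so the payload
    cannot be mistaken for an IPv4 (4) or IPv6 (6) header by ECMP hashing;
    the low 16 bits carry a sequence number (0 means sequencing unused)."""
    return struct.pack("!I", seq & 0xFFFF)


def eompls_encapsulate(frame: bytes, tunnel_label: int, pw_label: int,
                       use_cw: bool = True, seq: int = 0, ttl: int = 255) -> bytes:
    """Ingress PE: push the PW label (bottom of stack), then the tunnel label."""
    pkt = encode_label(tunnel_label, 0, False, ttl)   # outer: LSP to remote PE
    pkt += encode_label(pw_label, 0, True, ttl)       # inner: identifies the PW
    if use_cw:
        pkt += encode_control_word(seq)
    return pkt + frame


def top_label(pkt: bytes) -> int:
    """All a P router looks at: the outermost label."""
    return decode_label(pkt[:4])["label"]


def eompls_decapsulate(pkt: bytes, expect_cw: bool = True) -> dict:
    """Egress PE: pop labels down to bottom of stack, strip the control word
    if one was negotiated, and return the original Ethernet frame."""
    labels, off = [], 0
    while True:
        entry = decode_label(pkt[off:off + 4])
        off += 4
        labels.append(entry)
        if entry["bos"]:
            break
    seq = None
    if expect_cw:
        (cw,) = struct.unpack("!I", pkt[off:off + 4])
        if cw >> 28 != 0:
            raise ValueError("control word expected but first nibble is not 0")
        seq, off = cw & 0xFFFF, off + 4
    return {"labels": labels, "seq": seq, "frame": pkt[off:]}


def eompls_overhead(use_cw: bool = True) -> int:
    """Bytes added to the customer frame: two labels plus the optional CW.
    The core MTU must cover the largest customer frame plus this value."""
    return 8 + (4 if use_cw else 0)


# Constructed sample: 60-byte customer frame (dst MAC, src MAC, EtherType, padding)
CUSTOMER_FRAME = bytes.fromhex("020000000002" "020000000001" "0800") + b"\x00" * 46

if __name__ == "__main__":
    pkt = eompls_encapsulate(CUSTOMER_FRAME, tunnel_label=16001, pw_label=24, seq=7)
    print("P router sees top label", top_label(pkt))
    print("frame restored:", eompls_decapsulate(pkt)["frame"] == CUSTOMER_FRAME)
```

The control-word check in the decapsulation only catches the case where the payload's first nibble is 4 or 6, which is exactly the ambiguity the control word exists to remove; a PE that expects a control word while its peer sends none will otherwise deliver corrupted frames, which is why consistent control-word configuration appears in the troubleshooting section.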
Topology Example for EoMPLS:
+-----------------+         +-----------------+         +-----------------+
| Customer Edge 1 |---------| Provider Edge 1 |---------| Provider Router |
|      (CE1)      |         |      (PE1)      |         |       (P)       |
| Ethernet Port A |         | Ethernet Port x |         |    MPLS Core    |
+-----------------+         +--------+--------+         +-----------------+
                                     |
                                     |  MPLS LSP (Tunnel Label)
                                     |  Service Label (PW)
                                     |  Ethernet Frame + ePW Header
                                     |
+-----------------+         +--------+--------+         +-----------------+
| Customer Edge 2 |---------| Provider Edge 2 |---------| Provider Router |
|      (CE2)      |         |      (PE2)      |         |       (P)       |
| Ethernet Port B |         | Ethernet Port y |         |    MPLS Core    |
+-----------------+         +-----------------+         +-----------------+
(CE1's Ethernet Port A is virtually connected to CE2's Ethernet Port B via EoMPLS)
Key Characteristics of EoMPLS:
- Point-to-Point: EoMPLS fundamentally establishes a point-to-point Layer 2 connection between two PE routers. This is analogous to a virtual leased line.
- Transparent: It's transparent to the customer's Layer 2 traffic. The customer doesn't need to be aware of the underlying MPLS network.
- Scalability: The MPLS core scales well, allowing for many point-to-point EoMPLS pseudowires to be established between different PE router pairs.
- Traffic Engineering: MPLS Traffic Engineering capabilities can be leveraged to optimize the path of EoMPLS pseudowires.
4. Pseudowire Signaling
To establish and manage pseudowires, a signaling protocol is required. This protocol informs the PE routers about the existence and parameters of the pseudowire, including the attachment circuits and the tunnel endpoints. The two primary signaling protocols used for pseudowires are:
4.1. Label Distribution Protocol (LDP)
LDP is a standard protocol defined by IETF (RFC 5036) used in MPLS networks to distribute labels. For pseudowires, LDP is extended to support the signaling of Layer 2 VPN information.
LDP for Pseudowires (RFC 4447 - Pseudowire Emulation Edge-to-Edge (PWE3) Protocol):
- Label Advertisement: LDP is used to advertise labels between PE routers. For pseudowires, these labels are used to identify specific pseudowires.
- Forwarding Equivalence Class (FEC): LDP uses FECs to group traffic that should be treated identically. For L2VPNs, specific FEC types are defined to represent pseudowires.
- Session Establishment: PE routers establish LDP sessions with each other.
- Pseudowire Establishment: When a pseudowire needs to be established between two PE routers (e.g., PE1 and PE2), PE1 sends an LDP message to PE2 advertising the pseudowire. This message includes information such as:
  - Attachment Circuit (AC) information: Type of Layer 2 service (e.g., Ethernet, VLAN).
  - Pseudowire Label: A unique label allocated by PE1 for this specific pseudowire.
  - Target PE Address: The IP address of the remote PE router.
- Bidirectional Establishment: The process is symmetrical, with PE2 also advertising its side of the pseudowire to PE1.
- Control Word (Optional): LDP can also negotiate the use of a control word for the pseudowire.
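What PE1's LDP advertisement actually carries, as an added example that is not part of the original chapter or of any router's code: the PWid FEC element (FEC 128) from RFC 4447, with the C-bit, the PW type, the PW ID and an MTU interface parameter, followed by the compatibility check a PE performs against its own configuration. The PW IDs, MTUs and control-word preferences are constructed sample values; the negotiation helper is a deliberate simplification of the RFC 4447 rules for PW types where the control word is optional.

```python
"""Encode and decode the PWid FEC element (FEC 128) that LDP carries in
its Label Mapping message to signal a pseudowire (RFC 4447), then check
whether the two PEs' advertisements are compatible. Added example for
this chapter, not router code; the values below are constructed."""
import struct

PWID_FEC_TYPE = 0x80
PW_TYPE_ETHERNET_TAGGED = 0x0004   # RFC 4446 PW type values
PW_TYPE_ETHERNET = 0x0005
IFP_MTU = 0x01                     # interface parameter sub-TLV: MTU


def encode_pwid_fec(pw_id: int, pw_type: int = PW_TYPE_ETHERNET,
                    control_word: bool = False, mtu: int = 1500,
                    group_id: int = 0) -> bytes:
    """PWid FEC element: type 0x80, C-bit + 15-bit PW type, PW info length
    (PW ID field plus interface parameters), Group ID, PW ID, parameters."""
    params = struct.pack("!BBH", IFP_MTU, 4, mtu)   # id, total length, value
    c_and_type = (int(control_word) << 15) | (pw_type & 0x7FFF)
    header = struct.pack("!BHB", PWID_FEC_TYPE, c_and_type, 4 + len(params))
    return header + struct.pack("!II", group_id, pw_id) + params


def decode_pwid_fec(data: bytes) -> dict:
    fec_type, c_and_type, info_len = struct.unpack("!BHB", data[:4])
    if fec_type != PWID_FEC_TYPE:
        raise ValueError(f"not a PWid FEC element: type 0x{fec_type:02x}")
    group_id, pw_id = struct.unpack("!II", data[4:12])
    params, off, end = {}, 12, 8 + info_len   # info_len counts from the PW ID
    while off < end:
        param_id, length = data[off], data[off + 1]
        if length < 2:
            raise ValueError("malformed interface parameter sub-TLV")
        value = data[off + 2:off + length]
        if param_id == IFP_MTU:
            params["mtu"] = struct.unpack("!H", value)[0]
        else:
            params[param_id] = value               # keep unknown params raw
        off += length
    return {"control_word": bool(c_and_type >> 15), "pw_type": c_and_type & 0x7FFF,
            "group_id": group_id, "pw_id": pw_id, "params": params}


def pw_mismatches(local: dict, remote: dict) -> list:
    """Reasons a pseudowire would stay down; empty means it can come up.
    pw-id, PW type and MTU must agree on both PEs."""
    problems = []
    if local["pw_id"] != remote["pw_id"]:
        problems.append("pw-id mismatch")
    if local["pw_type"] != remote["pw_type"]:
        problems.append("pw-type mismatch")
    if local["params"].get("mtu") != remote["params"].get("mtu"):
        problems.append("mtu mismatch")
    return problems


def negotiate_control_word(local_preferred: bool, remote_c_bit: bool) -> bool:
    """Simplified RFC 4447 control word negotiation for Ethernet PWs, where
    the CW is optional: it is used only when both sides advertise C=1; a PE
    that prefers the CW but sees C=0 from its peer re-advertises with C=0."""
    return local_preferred and remote_c_bit


if __name__ == "__main__":
    pe1 = decode_pwid_fec(encode_pwid_fec(100, control_word=True, mtu=1500))
    pe2 = decode_pwid_fec(encode_pwid_fec(100, control_word=True, mtu=9000))
    print(pw_mismatches(pe1, pe2))   # the classic "PW stays down" cause
```

The MTU parameter is the one most often forgotten: each PE advertises its attachment-circuit MTU, and a mismatch keeps the pseudowire down even though LDP sessions, labels and pw-ids all look correct.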
CLI Configuration Snippet (Cisco IOS XR - Illustrative):
mpls ldp
 interface GigabitEthernet0/0/0/0
 !
!
interface GigabitEthernet0/0/0/1.100 l2transport
 description Customer Attachment Circuit
 encapsulation dot1q 100
!
l2vpn
 pw-class ethernet-pw-class
  encapsulation mpls
   protocol ldp
   control-word
  !
 !
 xconnect group CUSTOMER
  p2p EoMPLS-100
   interface GigabitEthernet0/0/0/1.100
   neighbor ipv4 192.168.1.2 pw-id 100
    pw-class ethernet-pw-class
   !
  !
 !
!
In this example:
- mpls ldp enables LDP on the core-facing interface (GigabitEthernet0/0/0/0 is assumed to face the MPLS core).
- The l2transport subinterface with encapsulation dot1q 100 defines the Layer 2 attachment circuit.
- pw-class defines the pseudowire class with MPLS encapsulation, LDP signaling and a control word.
- xconnect group ... p2p ties the attachment circuit to a pseudowire; neighbor ipv4 192.168.1.2 pw-id 100 establishes it to a specific neighbor (PE2) with a pw-id (the Virtual Circuit ID) that LDP uses to identify the pseudowire. PE2 must be configured with the same pw-id pointing back at PE1.
4.2. Border Gateway Protocol (BGP)
BGP can also be used for pseudowire signaling, particularly in more complex L2VPN scenarios like VPLS and EVPN. BGP offers greater flexibility and scalability for signaling multiple pseudowires and for inter-AS (Autonomous System) L2VPNs.
BGP for Pseudowires (RFC 4364 - BGP/MPLS IP Virtual Private Networks):
BGP uses MP-BGP (Multi-Protocol BGP) extensions to carry L2VPN specific information.
- Route Distinguisher (RD): A 64-bit value prepended to an IP prefix to make it globally unique. In L2VPNs, RDs are used to distinguish VPN-VLANs or VPN-Ethernet-Circuits.
- Route Target (RT): An extended community attribute used to control the import and export of VPN routes between VRFs (Virtual Routing and Forwarding instances) or L2VPNs.
- VPN-IPv4/VPN-IPv6 Address Families: BGP uses specific address families to carry VPN-related routing information.
- L2VPN Network Layer Reachability Information (NLRI): BGP carries NLRI that describes Layer 2 VPN connections. For pseudowires, this includes information about the pseudowire endpoints and the associated labels.
BGP for EoMPLS: While LDP is more commonly used for simple point-to-point EoMPLS, BGP can be employed, especially when integrating with other BGP-based services or when complex policy control is needed. BGP can signal the MPLS labels for the pseudowire, similar to how it signals IP prefixes.
CLI Configuration Snippet (Cisco IOS XR - Illustrative for BGP-signaled PW):
router bgp 65000
 address-family l2vpn evpn
 !
 neighbor 192.168.1.2
  remote-as 65000
  update-source Loopback0
  address-family l2vpn evpn
  !
 !
!
evpn
 evi 100
  bgp
   route-target import 65000:100
   route-target export 65000:100
  !
 !
!
l2vpn
 xconnect group CUSTOMER
  p2p EVPN-VPWS-100
   interface GigabitEthernet0/0/0/1.100
   neighbor evpn evi 100 target 2 source 1
   !
  !
 !
!
In this example (EVPN-VPWS, RFC 8214, which is how a BGP-signaled point-to-point pseudowire is configured on IOS XR):
- router bgp and address-family l2vpn evpn configure BGP for L2VPN services; the address family is activated under the neighbor, here an iBGP peer reached via Loopback0.
- evpn / evi 100 with its route targets defines the EVPN instance whose BGP routes identify this pseudowire (the 65000:100 value follows the chapter's other examples).
- xconnect group ... p2p establishes a Layer 2 VPN connection; neighbor evpn evi 100 target 2 source 1 signals the pseudowire via BGP, with the local and remote attachment-circuit identifiers taking the place of LDP's pw-id. On PE2 the target and source values are swapped.
5. Virtual Private LAN Service (VPLS)
EoMPLS, being point-to-point, is suitable for connecting two specific sites. However, many enterprises require a multipoint-to-multipoint Layer 2 topology, essentially extending a single Ethernet switch across multiple locations. This is where Virtual Private LAN Service (VPLS) comes in.
VPLS creates a virtual switched Ethernet service over an MPLS network. It allows multiple customer sites to appear as if they are connected to a single, large, virtual Ethernet switch.
Key Concepts in VPLS:
- Provider Network: An MPLS network (core routers - P routers) that transports the traffic.
- Provider Edge (PE) Routers: These routers connect to the customer edge (CE) devices and participate in the VPLS service. Each PE router acts as a port on the virtual switch.
- Attachment Circuits (ACs): The Layer 2 interfaces on the PE routers that connect to the CE devices. These can be Ethernet ports, VLANs, etc.
- Pseudowires (PWs): VPLS uses a mesh of point-to-point pseudowires to connect all PE routers participating in a specific VPLS instance. Each PE router establishes pseudowires to all other PE routers in the same VPLS domain.
- MAC Address Learning: PE routers in a VPLS domain learn the MAC addresses of devices connected to their attachment circuits. This MAC address learning is performed per VPLS instance.
- MAC Address Table: Each PE router maintains a MAC address table for each VPLS instance. When a frame arrives, the PE router looks up the destination MAC address in its VPLS MAC table.
  - If the MAC address was learned on a local attachment circuit, the frame is forwarded out of that attachment circuit.
  - If the MAC address was learned on a specific pseudowire, the frame is forwarded only over that pseudowire.
  - If the MAC address is unknown (or the frame is a broadcast or multicast), the frame is flooded to all pseudowires and local attachment circuits, subject to the split-horizon rule described below.
Topology Example for VPLS:
+-----------------+         +-----------------+         +-----------------+
| Customer Edge 1 |---------| Provider Edge 1 |---------| Provider Router |
|      (CE1)      |         |      (PE1)      |         |       (P)       |
| Ethernet Port A |         |    VPLS AC 1    |         |    MPLS Core    |
+-----------------+         +--------+--------+         +-----------------+
                                     |  \
                                     |   \  MPLS PW 1-2
                                     |    \ (Service Label)
                                     |     \
                                     |      +-----------------+
                                     |------| Provider Edge 2 |
                                     |      |      (PE2)      |
                                     |      |    VPLS AC 2    |
                                     |      +--------+--------+
                                     |               |
                                     |               |  MPLS PW 2-3
                                     |               |  (Service Label)
                                     |               |
+-----------------+         +--------+--------+      |
| Customer Edge 3 |---------| Provider Edge 3 |------+
|      (CE3)      |         |      (PE3)      |
| Ethernet Port C |         |    VPLS AC 3    |
+-----------------+         +-----------------+
(CE1, CE2, and CE3 are all on the same virtual Layer 2 broadcast domain)
VPLS Signaling:
VPLS typically uses BGP for signaling. This is because BGP is well-suited for advertising MAC address reachability information across multiple PE routers in a multipoint scenario.
- BGP L2VPN NLRI: BGP carries information about MAC addresses learned on attachment circuits.
- Route Distinguisher (RD) and Route Target (RT): Used to define and manage VPLS instances.
- MAC Advertisement: When a PE router learns a MAC address on an AC, it advertises this MAC address (along with the MPLS label for the pseudowire to that PE) in BGP to other PE routers participating in the same VPLS instance.
- MAC Withdrawal: When a MAC address is no longer reachable, it's withdrawn via BGP.
Split-Horizon Rule in VPLS:
A critical mechanism in VPLS to prevent Layer 2 loops is the split-horizon rule.
- Rule: If a frame is received on a pseudowire, it can only be forwarded out of local attachment circuits, and never out of another pseudowire. Similarly, if a frame is received on a local attachment circuit, it can be forwarded out of pseudowires and other local attachment circuits, but never out of the same attachment circuit it arrived on.
This rule is essential because in a VPLS mesh, a frame could potentially be sent back to its origin if not for this restriction.
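The MAC-table lookup and the split-horizon rule from the two passages above, as an added example that is not part of the original chapter or any vendor's implementation: a per-instance VPLS forwarder on PE1 in a three-PE full mesh. The port names (AC1, PW-PE2, PW-PE3) and MAC addresses are constructed; the scenario runs the cases a PE must get right, including the one that would otherwise loop (a broadcast arriving on one pseudowire must never leave on another).

```python
"""Per-PE VPLS forwarding with the split-horizon rule from this section:
frames from a pseudowire go only to local attachment circuits, frames from
an attachment circuit may go to pseudowires and other ACs, and nothing is
sent back out the port it arrived on. Added example for this chapter,
not vendor code; ports and MAC addresses are constructed sample data."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Broadcast/multicast: least significant bit of the first octet is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class VplsInstance:
    def __init__(self, name: str, acs, pws):
        self.name = name
        self.acs = set(acs)      # local attachment circuits, e.g. "AC1"
        self.pws = set(pws)      # pseudowires to remote PEs, e.g. "PW-PE2"
        self.mac_table = {}      # per-instance table: MAC -> port it was learned on

    def forward(self, in_port: str, src_mac: str, dst_mac: str) -> list:
        """Learn the source, then return the sorted list of egress ports."""
        if in_port not in self.acs | self.pws:
            raise ValueError(f"{in_port} is not a member of VPLS {self.name}")
        self.mac_table[src_mac] = in_port

        known = self.mac_table.get(dst_mac)
        if known is not None and not is_group_address(dst_mac):
            egress = {known}                  # known unicast: single port
        else:
            egress = self.acs | self.pws      # BUM / unknown unicast: flood

        egress.discard(in_port)               # never back out the ingress port
        if in_port in self.pws:
            egress -= self.pws                # split horizon: PW -> ACs only
        return sorted(egress)


def run_scenario() -> list:
    """PE1 in a three-PE full mesh; returns (in_port, dst, egress) per frame."""
    pe1 = VplsInstance("customer-vpls", acs=["AC1"], pws=["PW-PE2", "PW-PE3"])
    a, b, c = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    frames = [
        ("AC1", a, BROADCAST),     # A's ARP: flooded to both PWs, not back to AC1
        ("PW-PE2", b, a),          # B replies: A is known on AC1
        ("PW-PE2", b, BROADCAST),  # B's broadcast: AC1 only, never PW-PE3
        ("AC1", a, b),             # A to B: known behind PW-PE2
        ("PW-PE3", c, "02:00:00:00:00:0d"),  # unknown unicast from PE3: AC1 only
    ]
    return [(inp, dst, pe1.forward(inp, src, dst)) for inp, src, dst in frames]


if __name__ == "__main__":
    for in_port, dst, egress in run_scenario():
        print(f"in {in_port:7} dst {dst} -> {egress}")
```

The third frame is the one worth studying: PE2 already sent that broadcast to PE3 directly over its own pseudowire, so if PE1 relayed it the frame would arrive at PE3 twice and, with three or more PEs, circulate indefinitely. The full mesh is what makes the rule safe to apply: every PE hears every other PE directly, so relaying is never needed.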
CLI Configuration Snippet (Cisco IOS XR - Illustrative for VPLS):
mpls ldp
 interface GigabitEthernet0/0/0/0
 !
!
router bgp 65000
 address-family l2vpn vpls-vpws
 !
 neighbor 192.168.1.2
  remote-as 65000
  update-source Loopback0
  address-family l2vpn vpls-vpws
  !
 !
!
interface GigabitEthernet0/0/0/1.100 l2transport
 encapsulation dot1q 100
!
l2vpn
 bridge group CUSTOMER
  bridge-domain customer-vpls
   interface GigabitEthernet0/0/0/1.100
   !
   vfi customer-vpls
    vpn-id 100
    autodiscovery bgp
     rd 65000:100
     route-target 65000:100
     signaling-protocol bgp
      ve-id 1
     !
    !
   !
  !
 !
!
In this VPLS configuration:
- BGP is configured for the l2vpn vpls-vpws address family, which carries the BGP-VPLS auto-discovery and signaling routes; the PE peers with 192.168.1.2 over iBGP using its loopback.
- bridge-domain customer-vpls is the per-PE bridge for this VPLS instance; the l2transport subinterface listed under it is the customer-facing attachment circuit.
- vfi customer-vpls with vpn-id 100 is the virtual forwarding instance; autodiscovery bgp and signaling-protocol bgp enable BGP auto-discovery and signaling.
- rd and route-target are crucial for VPLS instance identification and import/export policies; ve-id 1 is this PE's VPLS Edge identifier, which must be unique within the instance (PE2 and PE3 need different ve-ids).
6. Ethernet VPN (EVPN) Replacing VPLS
While VPLS has been a successful L2VPN technology, it has certain limitations, particularly in terms of scalability and its reliance on a full mesh of pseudowires, which can be complex to manage. Ethernet VPN (EVPN) is a newer, more advanced L2VPN solution that addresses these limitations and is rapidly becoming the preferred choice for modern L2VPN deployments. EVPN leverages BGP extensions to provide a more flexible and scalable multipoint Layer 2 forwarding plane.
Key Advantages of EVPN over VPLS:
- Scalability: EVPN uses a route-reflector model for BGP, reducing the number of BGP sessions required compared to the full mesh in VPLS. This significantly improves scalability.
- Flexibility: EVPN supports various Layer 2 forwarding mechanisms, including:
- MPLS Data Plane (EVPN-MPLS): Similar to VPLS, it uses MPLS pseudowires for data transport.
- VXLAN Data Plane (EVPN-VXLAN): Uses VXLAN tunnels over an IP underlay, offering greater flexibility and compatibility with cloud environments.
- Optimized MAC Advertisement: EVPN uses BGP to advertise MAC addresses, allowing for more efficient MAC learning and distribution. It also supports Integrated Routing and Bridging (IRB), enabling seamless routing and bridging within the same EVPN instance.
- Active/Active Multihoming: EVPN supports active/active multihoming for customer edge devices, providing increased resilience and bandwidth.
- Selective QinQ: EVPN can efficiently handle complex VLAN tagging scenarios.
EVPN Data Plane Forwarding:
EVPN defines different forwarding behaviors based on the type of BGP update received:
- MAC Advertisement Route: Advertises MAC address reachability and the associated MPLS label (for EVPN-MPLS) or VNI (Virtual Network Identifier for EVPN-VXLAN).
- IP Prefix Route: Advertises IP prefixes for integrated routing and bridging scenarios.
- Inclusive Multicast Ethernet Tag Route: Used for flooding traffic in a VPLS-like manner, ensuring broadcasts, unknown unicasts, and multicasts (BUM) are delivered to all relevant endpoints.
- Ethernet Auto-Discovery (EAD) Route: Used for discovering VSI (Virtual Switching Instance) membership and for multihoming scenarios.
EVPN Signaling (BGP):
EVPN fundamentally relies on BGP for signaling. It uses specific Address Families and Network Layer Reachability Information (NLRI) to exchange L2VPN information.
- EVPN Address Family: A dedicated address family within MP-BGP carries EVPN-specific NLRI.
- RD and RT: Similar to VPLS, RD and RT are used to define and manage EVPN instances.
- MAC Advertisement: PE routers advertise learned MAC addresses and their corresponding MPLS labels (or VNI) via BGP EVPN NLRI. This allows other PEs to forward traffic directly to the correct destination PE without relying solely on flooding.
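The MAC Advertisement exchange described above, as an added example that is not part of the original chapter or of any router implementation: it encodes the BGP EVPN MAC/IP Advertisement route (route type 2, RFC 7432) that a PE originates for a MAC learned on its attachment circuit, decodes it on the receiving side, and installs the result in a remote-MAC table keyed by advertising PE and label. The RD, MAC addresses, IPs, labels and PE address are constructed sample values; the ESI is left all-zero, as it is for a single-homed site.

```python
"""Encode and decode the BGP EVPN MAC/IP Advertisement route (route type 2,
RFC 7432) that a PE sends for each MAC it learns on an attachment circuit,
and apply received routes to a remote-MAC table so that known unicast can
be sent straight to the owning PE. Added example for this chapter, not
router code; RD, MACs, IPs and labels are constructed sample values."""
import ipaddress
import struct

ROUTE_TYPE_MAC_IP = 2


def encode_rd(asn: int, assigned: int) -> bytes:
    """Type-0 route distinguisher, e.g. 65000:100."""
    return struct.pack("!HHI", 0, asn, assigned)


def encode_label_field(label: int) -> bytes:
    """3-octet MPLS label field: the 20-bit label sits in the high-order bits."""
    return (label << 4).to_bytes(3, "big")


def encode_mac_ip_route(rd: bytes, mac: str, label1: int, ip=None,
                        esi: bytes = bytes(10), eth_tag: int = 0) -> bytes:
    """Route type (1) + length (1) + RD, ESI, Ethernet Tag, MAC length in
    bits, MAC, IP length in bits, optional IP, MPLS Label1."""
    body = rd + esi + struct.pack("!I", eth_tag)
    body += bytes([48]) + bytes.fromhex(mac.replace(":", ""))
    if ip is None:
        body += bytes([0])                       # MAC-only advertisement
    else:
        packed = ipaddress.ip_address(ip).packed
        body += bytes([len(packed) * 8]) + packed
    body += encode_label_field(label1)
    return bytes([ROUTE_TYPE_MAC_IP, len(body)]) + body


def decode_evpn_nlri(nlri: bytes) -> dict:
    route_type, length = nlri[0], nlri[1]
    if route_type != ROUTE_TYPE_MAC_IP:
        raise ValueError(f"unsupported EVPN route type {route_type}")
    body = nlri[2:2 + length]
    rd_type, asn, assigned = struct.unpack("!HHI", body[:8])
    esi = body[8:18]
    (eth_tag,) = struct.unpack("!I", body[18:22])
    if body[22] != 48:
        raise ValueError("MAC address length must be 48 bits")
    mac = ":".join(f"{b:02x}" for b in body[23:29])
    ip_bits, off, ip = body[29], 30, None
    if ip_bits in (32, 128):
        ip = str(ipaddress.ip_address(body[off:off + ip_bits // 8]))
        off += ip_bits // 8
    elif ip_bits != 0:
        raise ValueError("IP address length must be 0, 32 or 128 bits")
    label1 = int.from_bytes(body[off:off + 3], "big") >> 4
    return {"rd": f"{asn}:{assigned}", "esi": esi.hex(), "eth_tag": eth_tag,
            "mac": mac, "ip": ip, "label": label1}


def apply_mac_route(table: dict, nlri: bytes, from_pe: str) -> dict:
    """Install or update the remote-MAC table: MAC -> (advertising PE, label).
    A destination reached this way needs no flooding at all."""
    route = decode_evpn_nlri(nlri)
    table[route["mac"]] = (from_pe, route["label"])
    return route


if __name__ == "__main__":
    rd = encode_rd(65000, 100)
    adv = encode_mac_ip_route(rd, "02:00:00:00:00:01", label1=24001, ip="10.0.0.1")
    remote = {}
    print(apply_mac_route(remote, adv, from_pe="192.168.1.2"), remote)
```

In an EVPN-VXLAN deployment the same 3-octet field carries the 24-bit VNI instead of a shifted MPLS label, which is the one place the data-plane choice shows up in the control plane.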
Split-Horizon Rule in EVPN:
EVPN also implements split-horizon rules, but they are integrated with BGP attributes rather than being a pure data-plane rule. For example, a MAC address learned via a BGP update from a remote PE is not re-advertised back toward that PE, and a frame received over a pseudowire or VXLAN tunnel from a remote PE is not flooded back out to other remote PEs.
CLI Configuration Snippet (Cisco IOS XR - Illustrative for EVPN-MPLS):
mpls ldp
 interface GigabitEthernet0/0/0/0
 !
!
router bgp 65000
 address-family l2vpn evpn
 !
 neighbor 192.168.1.2
  remote-as 65000
  update-source Loopback0
  address-family l2vpn evpn
  !
 !
!
interface GigabitEthernet0/0/0/1.100 l2transport
 encapsulation dot1q 100
!
evpn
 evi 100
  bgp
   rd 65000:100
   route-target import 65000:100
   route-target export 65000:100
  !
 !
!
l2vpn
 bridge group CUSTOMER
  bridge-domain customer-evpn
   interface GigabitEthernet0/0/0/1.100
   !
   evi 100
   !
  !
 !
!
In this EVPN configuration:
- BGP is configured for the l2vpn evpn address family, and the PE peers with 192.168.1.2 over iBGP; in a larger deployment that neighbor would be a route reflector rather than another PE.
- evpn / evi 100 defines an EVPN instance; rd and route-target are used for instance management. A VNI would take the place of the MPLS label only in an EVPN-VXLAN variant of this design.
- bridge-domain customer-evpn holds the customer-facing attachment circuit (the l2transport subinterface) and binds it to the EVPN instance with evi 100, so MACs learned on the AC are advertised in BGP and remote MACs are reached over MPLS using the labels carried in the EVPN routes. No per-neighbor pseudowire is configured: EVPN discovers the remote PEs through BGP.
7. Security Considerations
While L2VPNs offer significant advantages, they also introduce security considerations that must be addressed:
- MAC Address Flooding and Spoofing: In VPLS and EVPN, MAC addresses are learned and advertised. Malicious actors can exploit this by sending frames with spoofed MAC addresses to disrupt traffic or gain unauthorized access. Robust MAC filtering and rate limiting on CE interfaces can mitigate this.
- VLAN Tag Manipulation: If not properly secured, customers could manipulate VLAN tags to gain access to unintended segments. Strict VLAN filtering or private VLAN configurations at the CE can help.
- Broadcast Storms: In VPLS, if the split-horizon rule is misconfigured or bypassed, broadcast storms can occur, leading to network instability. Careful configuration and monitoring are essential.
- Denial of Service (DoS) Attacks: Large volumes of traffic, especially broadcasts, can overwhelm PE routers or consume pseudowire bandwidth. Rate limiting and QoS policies are critical.
- Control Plane Security: The signaling protocols (LDP and BGP) are critical for establishing and maintaining pseudowires. Securing these protocols is paramount.
  - LDP Authentication: Use LDP authentication to prevent rogue LDP speakers from injecting false label information.
  - BGP Security: Implement BGP session authentication (e.g., MD5 or TCP-AO) to protect against unauthorized BGP sessions. Route filtering and prefix-based security policies are also important.
- Zero-Day Vulnerabilities: While not directly related to the L2VPN protocols themselves, the underlying network infrastructure and operating systems are susceptible to zero-day exploits. A well-designed L2VPN provides network segmentation, limiting the blast radius of such vulnerabilities: if a zero-day is exploited on one segment, proper segmentation prevents the attacker from easily traversing to other critical network segments.
- AI-Related Vulnerabilities: As AI technologies evolve, so do the potential attack vectors. Concerns around a potential Anthropic code leak or vulnerabilities in AI coding assistants highlight the need for secure network environments. L2VPNs can help by isolating AI development or deployment environments, limiting exposure; if a Claude Code vulnerability were discovered, isolating the affected systems within their own L2VPN would contain the potential damage.
8. Troubleshooting Guide
Troubleshooting L2VPNs and pseudowires can be complex due to the interplay of Layer 2 and Layer 3 technologies.
Common Issues and Troubleshooting Steps:
No Layer 2 Connectivity:
- Verify Attachment Circuits: Check that the customer-facing interfaces on the CE and PE routers are up and configured correctly (correct encapsulation, VLANs, etc.).
- Check Pseudowire Status:
  - LDP: show mpls ldp neighbor, show mpls ldp bindings. Look for established sessions and correct label bindings for pseudowires.
  - BGP: show bgp l2vpn evpn summary, show bgp l2vpn evpn. Verify BGP sessions are up and EVPN routes are exchanged.
  - show l2vpn evpn summary (or the equivalent command for VPLS/EoMPLS) to check the status of pseudowires.
- Verify MPLS LSPs: Ensure the underlying MPLS LSPs between PE routers are up and operational. Use ping mpls rport <remote_PE_IP> <tunnel_lsp_id>.
- Check Encapsulation: Ensure consistent encapsulation (e.g., dot1q, QinQ) on both ends of the attachment circuit and the pseudowire configuration.
- MAC Address Learning: show mac address-table vlan <vlan_id> (on the PE router) to see learned MACs; verify that MAC addresses are learned on the correct interfaces.
Intermittent Connectivity or Packet Loss:
- MPLS Path Issues: Check for packet loss or high latency on the MPLS LSPs. Use MPLS ping and traceroute tools.
- Congestion: Monitor interface utilization on PE routers and core routers. Implement QoS policies if necessary.
- Pseudowire Control Word: If used, ensure its configuration is consistent. Sometimes, disabling the control word can help isolate issues.
- MTU Mismatch: The MTU on the pseudowire path must be large enough to accommodate the original Ethernet frame plus encapsulation overhead. Ensure MTU is consistent across the path.
Layer 2 Loops:
- Split-Horizon Violation: This is a primary cause. Review VPLS/EVPN split-horizon configurations.
- MAC Address Flapping: Monitor MAC address tables for rapid changes. This can indicate a loop or instability.
- Topology Verification: Double-check the physical and logical topology to ensure no unintended Layer 2 loops have been created.
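MAC address flapping is the symptom that ties the Layer 2 loop checks above to the MAC spoofing concern in the security section, so here is an added example, not part of the original chapter and not vendor code, of the detection logic a monitoring script would apply to a PE's MAC learning events: a MAC that moves between ports more than a few times within a short window is flagged, and the alert records whether the MAC was seen on both a local attachment circuit and a pseudowire, which a healthy topology never produces. The event list is constructed to mimic what a PE would log, and the AC/PW port-name convention is an assumption of the example.

```python
"""Detect MAC address flapping in a VPLS/EVPN instance from a stream of MAC
learning events, a symptom of a Layer 2 loop, a split-horizon violation or
a duplicated/spoofed MAC. Added example for this chapter, not vendor code;
the events below are constructed to mimic what a PE's MAC table would log."""
from collections import defaultdict, deque

# Constructed sample: (seconds, instance, mac, port the MAC was learned on)
EVENTS = [
    (0.0, "customer-vpls", "02:00:00:00:00:01", "AC1"),
    (0.2, "customer-vpls", "02:00:00:00:00:02", "AC1"),
    (0.5, "customer-vpls", "02:00:00:00:00:01", "PW-PE2"),
    (1.0, "customer-vpls", "02:00:00:00:00:01", "AC1"),
    (1.4, "customer-vpls", "02:00:00:00:00:01", "PW-PE2"),
    (2.0, "customer-vpls", "02:00:00:00:00:01", "AC1"),
    (30.0, "customer-vpls", "02:00:00:00:00:02", "PW-PE3"),  # one legitimate move
]


def detect_mac_flaps(events, max_moves: int = 3, window_s: float = 10.0) -> list:
    """Alert when a MAC moves between ports max_moves times within window_s
    seconds. Port names starting with "AC" are local attachment circuits and
    "PW" are pseudowires (naming convention assumed by this example)."""
    last_port = {}
    moves = defaultdict(deque)     # (instance, mac) -> recent (ts, from, to)
    alerts = []
    for ts, inst, mac, port in sorted(events):
        key = (inst, mac)
        prev = last_port.get(key)
        last_port[key] = port
        if prev is None or prev == port:
            continue                                  # first sight, or no move
        window = moves[key]
        window.append((ts, prev, port))
        while window and ts - window[0][0] > window_s:
            window.popleft()                          # forget moves outside window
        if len(window) >= max_moves:
            ports = sorted({p for _, frm, to in window for p in (frm, to)})
            alerts.append({
                "instance": inst, "mac": mac, "moves": len(window),
                "ports": ports, "last_seen": ts,
                # same MAC both locally and behind a remote PE: loop or duplicate
                "local_and_remote": any(p.startswith("AC") for p in ports)
                                    and any(p.startswith("PW") for p in ports),
            })
            window.clear()                            # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in detect_mac_flaps(EVENTS):
        print(alert)
```

A single move, like the second MAC's at 30 seconds, is normal (a host moved sites, or a VM migrated); it is the burst that matters. When the flagged ports include both an AC and a pseudowire, look for a backdoor Layer 2 path between the sites or a second station using the same MAC before touching the VPLS configuration.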
Incorrect Traffic Forwarding (e.g., traffic going to wrong site):
- MAC Address Table Inconsistencies: Verify that MAC addresses are learned and advertised correctly.
- VPLS/EVPN Instance Mismatch: Ensure that the correct VPLS/EVPN instances are configured on all participating PE routers.
- Route Distinguisher/Route Target Mismatch: These identifiers are critical for VPLS/EVPN instance identification.
- MPLS Label Issues: Check for correct MPLS label distribution and usage.
Useful Commands (Illustrative - Cisco IOS XR):
- show mpls ldp neighbor
- show mpls ldp bindings
- show ldp session
- show bgp l2vpn evpn summary
- show bgp l2vpn evpn
- show l2vpn evpn summary
- show l2vpn evpn instance <instance_id>
- show l2vpn vpls summary
- show l2vpn vpls instance <instance_id>
- show mpls forwarding-table
- show interfaces <interface_name> extensive
- ping mpls rport <remote_PE_IP> <tunnel_lsp_id> (for MPLS LSP reachability)
- traceroute mpls rport <remote_PE_IP> <tunnel_lsp_id>
9. Exercises
- EoMPLS Point-to-Point Configuration: Configure a basic point-to-point EoMPLS connection between two PE routers using LDP signaling. Verify connectivity by pinging across the virtual link.
- VPLS Pseudowire Mesh: Set up a VPLS instance connecting three PE routers. Configure the necessary BGP peering and signaling parameters. Test connectivity by pinging between CE devices attached to different PEs.
- VPLS Split-Horizon Verification: In your VPLS setup from Exercise 2, intentionally create a scenario that might violate split-horizon (e.g., by misconfiguring forwarding) and observe the behavior. Then, reconfigure correctly and verify the split-horizon rule is enforced.
- EVPN MAC Advertisement Analysis: Configure an EVPN instance with two PE routers. Send traffic from one CE and capture the BGP EVPN MAC Advertisement routes exchanged between the PEs. Analyze the route contents, including the MAC address, MPLS label, and other attributes.
- EVPN BUM Traffic Handling: In your EVPN setup, send a broadcast frame from a CE. Use packet captures on the PE routers to observe how the BUM traffic is handled (e.g., via Inclusive Multicast Ethernet Tag routes or flooding mechanisms).
- Troubleshooting a Broken Pseudowire: Simulate a pseudowire failure (e.g., by shutting down an MPLS LSP or disabling LDP/BGP peering). Use troubleshooting commands to identify the root cause and restore connectivity.
- MAC Address Learning and Withdrawal: In a VPLS or EVPN setup, observe the MAC address learning process by sending traffic from a new MAC address. Then, simulate the MAC address becoming unreachable and observe its withdrawal from the MAC table and BGP updates.
- Security: MAC Spoofing Mitigation: In a VPLS/EVPN lab, attempt to spoof a MAC address to gain access to a different VLAN or segment. Implement measures like MAC filtering on the CE interface to prevent this.
- MTU on L2VPNs: Configure an EoMPLS or VPLS link and try to send large Ethernet frames (e.g., jumbo frames). If it fails, investigate and configure appropriate MTU settings on the PE routers and the MPLS core to accommodate the overhead.
- EVPN with Integrated Routing and Bridging (IRB): Configure an EVPN instance that also incorporates Layer 3 routing. Send traffic between different subnets connected to different PEs and verify that IRB is functioning correctly, allowing for both bridging and routing within the EVPN fabric.
10. Conclusion
L2VPNs and pseudowires, particularly EoMPLS, VPLS, and the modern EVPN, are indispensable technologies for extending Layer 2 Ethernet services across IP/MPLS networks. They provide the flexibility to connect geographically dispersed sites as if they were on a single LAN, supporting a wide range of applications and network designs. While EoMPLS offers a direct point-to-point emulation, VPLS provides a multipoint-to-multipoint switched service. EVPN represents a significant evolution, offering enhanced scalability, flexibility, and advanced features that make it the preferred solution for contemporary L2VPN deployments. Understanding the underlying pseudowire signaling mechanisms (LDP and BGP), the forwarding behaviors, and the critical split-horizon rule is essential for designing, implementing, and troubleshooting these complex yet powerful networking solutions. As the network landscape continues to evolve, with increasing integration of AI and a constant focus on security, robust L2VPN solutions will remain a cornerstone of enterprise network architecture. The ability to segment networks and securely transport Layer 2 traffic is crucial in mitigating the impact of emerging threats, including potential zero-day exploits and vulnerabilities in AI-driven systems.
This chapter is part of the "From Zero to Network Doctor" open textbook series. All examples are educational and use safe, lab-only environments.
