This document details the configuration required on SRX branch and SRX mid-range devices that act as Provider Edge (PE) devices to run L2VPN over MPLS.
Configuration on PE1
- Configure interfaces:
- PE interface (interface connecting to MPLS cloud)
set interfaces ge-0/0/0 unit 0 family inet address 2.2.2.1/24
set interfaces ge-0/0/0 unit 0 family mpls
- CE interface (interface connecting to CE devices)
set interfaces ge-0/0/6 encapsulation ethernet-ccc
set interfaces ge-0/0/6 unit 0 family ccc
set interfaces lo0 unit 0 family inet address 10.0.0.2/32
- Enable routing protocols:
set protocols ospf traffic-engineering
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols bgp family l2vpn signaling
set protocols bgp group L2VPN type internal
set protocols bgp group L2VPN local-address 10.0.0.2
set protocols bgp group L2VPN neighbor 10.0.0.1
- Enable MPLS and RSVP:
set protocols mpls label-switched-path TO-LAN-B to 10.0.0.1
set protocols mpls interface ge-0/0/0.0
set protocols rsvp interface ge-0/0/0.0
- Create an L2VPN instance:
set routing-instances L2VPN instance-type l2vpn
set routing-instances L2VPN interface ge-0/0/6.0
set routing-instances L2VPN route-distinguisher 10.0.0.2:100
set routing-instances L2VPN vrf-target target:65000:100
set routing-instances L2VPN protocols l2vpn encapsulation-type ethernet
set routing-instances L2VPN protocols l2vpn site LAN-A site-identifier 2
set routing-instances L2VPN protocols l2vpn site LAN-A interface ge-0/0/6.0 remote-site-id 1
- Enable packet-mode processing:
set security forwarding-options family mpls mode packet-based
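Note: PE1 and PE2 are in packet mode. In packet mode, flow-based security services such as security policies and NAT are not applied to the forwarded traffic. To get this working in flow mode, apply the following firewall filter on ge-0/0/0 (input direction) on both SRX/PE devices: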
set firewall family mpls filter For-MPLS term 1 then packet-mode
set interfaces ge-0/0/0 unit 0 family mpls filter input For-MPLS
Configuration on PE2
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/24
set interfaces ge-0/0/6 encapsulation ethernet-ccc
set interfaces ge-0/0/6 unit 0 family ccc
set interfaces ge-0/0/7 unit 0 family inet address 2.2.2.1/24
set interfaces lo0 unit 0 family inet address 10.0.0.1/32
set routing-options router-id 10.0.0.1
set routing-options autonomous-system 65000
set protocols rsvp interface ge-0/0/0.0
set protocols mpls label-switched-path TO-LAN-A to 10.0.0.2
set protocols mpls interface ge-0/0/0.0
set protocols bgp family l2vpn signaling
set protocols bgp group L2VPN type internal
set protocols bgp group L2VPN local-address 10.0.0.1
set protocols bgp group L2VPN neighbor 10.0.0.2
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set routing-instances L2VPN-1 instance-type l2vpn
set routing-instances L2VPN-1 interface ge-0/0/6.0
set routing-instances L2VPN-1 route-distinguisher 10.0.0.1:100
set routing-instances L2VPN-1 vrf-target target:65000:100
set routing-instances L2VPN-1 protocols l2vpn encapsulation-type ethernet
set routing-instances L2VPN-1 protocols l2vpn site LAN-B site-identifier 1
set routing-instances L2VPN-1 protocols l2vpn site LAN-B interface ge-0/0/6.0 remote-site-id 2
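The site identifiers, route target, encapsulation type, BGP neighbor and LSP endpoint on one PE must mirror the other PE. The following Python check is an added example, not part of the original article or of any Juniper tooling; it parses the L2VPN-related set statements from the two listings above and reports mismatches. The names parse and check_pair are assumptions made for this example.

```python
import re

# L2VPN-related statements from this page's PE1/PE2 listings (PE2 site name: LAN-B).
PE1 = """\
set interfaces lo0 unit 0 family inet address 10.0.0.2/32
set protocols bgp group L2VPN neighbor 10.0.0.1
set protocols mpls label-switched-path TO-LAN-B to 10.0.0.1
set routing-instances L2VPN vrf-target target:65000:100
set routing-instances L2VPN protocols l2vpn encapsulation-type ethernet
set routing-instances L2VPN protocols l2vpn site LAN-A site-identifier 2
set routing-instances L2VPN protocols l2vpn site LAN-A interface ge-0/0/6.0 remote-site-id 1
"""
PE2 = """\
set interfaces lo0 unit 0 family inet address 10.0.0.1/32
set protocols bgp group L2VPN neighbor 10.0.0.2
set protocols mpls label-switched-path TO-LAN-A to 10.0.0.2
set routing-instances L2VPN-1 vrf-target target:65000:100
set routing-instances L2VPN-1 protocols l2vpn encapsulation-type ethernet
set routing-instances L2VPN-1 protocols l2vpn site LAN-B site-identifier 1
set routing-instances L2VPN-1 protocols l2vpn site LAN-B interface ge-0/0/6.0 remote-site-id 2
"""
PATTERNS = {  # one capture tuple per statement the two PEs must agree on
    "loopback": r"interfaces lo0 unit 0 family inet address (\S+)/32",
    "neighbor": r"protocols bgp group \S+ neighbor (\S+)",
    "lsp_to": r"label-switched-path \S+ to (\S+)",
    "vrf-target": r"routing-instances \S+ vrf-target (\S+)",
    "encapsulation-type": r"protocols l2vpn encapsulation-type (\S+)",
    "site": r"l2vpn site (\S+) site-identifier (\d+)",
    "remote": r"l2vpn site (\S+) interface \S+ remote-site-id (\d+)",
}

def parse(config):
    """First match of each pattern as a tuple; () when the statement is absent."""
    hits = ((k, re.search(p, config)) for k, p in PATTERNS.items())
    return {k: m.groups() if m else () for k, m in hits}

def check_pair(cfg_a, cfg_b):
    """Return the mismatches between two PE configs (empty list if they mirror)."""
    a, b = parse(cfg_a), parse(cfg_b)
    out = [f"{k} differs" for k in ("vrf-target", "encapsulation-type") if a[k] != b[k]]
    for pe, x, y in (("PE-a", a, b), ("PE-b", b, a)):
        out += [f"{pe}: no {k} statement" for k, v in x.items() if not v]
        out += [f"{pe}: {k} is not the peer loopback"
                for k in ("neighbor", "lsp_to") if x[k] != y["loopback"]]
        if x["site"][:1] != x["remote"][:1]:
            out.append(f"{pe}: site name differs between statements")
        if x["remote"][1:] != y["site"][1:]:
            out.append(f"{pe}: remote-site-id is not the peer site-identifier")
    return out
```

Calling check_pair(PE1, PE2) on the statements as listed returns an empty list; a site name that differs between the site-identifier and interface statements of one PE is reported for that PE.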
Verification
root@PE-1> show mpls lsp
Ingress LSP: 1 sessions
To From State Rt P ActivePath LSPname
10.0.0.1 10.0.0.2 Up 0 * TO-LAN-A
Total 1 displayed, Up 1, Down 0
Egress LSP: 1 sessions
To From State Rt Style Labelin Labelout LSPname
10.0.0.2 10.0.0.1 Up 0 1 FF 3 - TO-LAN-B
Total 1 displayed, Up 1, Down 0
Transit LSP: 0 sessions
Total 0 displayed, Up 0, Down 0
L2VPN connection status
root@PE-1> show l2vpn connections
Layer-2 VPN connections:
Legend for connection status (St)
EI -- encapsulation invalid NC -- interface encapsulation not CCC/TCC/VPLS
EM -- encapsulation mismatch WE -- interface and instance encaps not same
VC-Dn -- Virtual circuit down NP -- interface hardware not present
CM -- control-word mismatch -> -- only outbound connection is up
CN -- circuit not provisioned <- -- only inbound connection is up
OR -- out of range Up -- operational
OL -- no outgoing label Dn -- down
LD -- local site signaled down CF -- call admission control failure
RD -- remote site signaled down SC -- local and remote site ID collision
LN -- local site not designated LM -- local site ID not minimum designated
RN -- remote site not designated RM -- remote site ID not minimum designated
XX -- unknown connection status IL -- no incoming label
MM -- MTU mismatch MI -- Mesh-Group ID not available
BK -- Backup connection ST -- Standby connection
PF -- Profile parse failure PB -- Profile busy
RS -- remote site standby SN -- Static Neighbor
VM -- VLAN ID mismatch
Legend for interface status
Up -- operational
Dn -- down
Instance: L2VPN
Local site: LAB2 (2)
connection-site Type St Time last up # Up trans
1 rmt Up Jan 29 16:54:43 2014 1
Remote PE: 10.0.0.1, Negotiated control-word: Yes (Null)
Incoming label: 800002, Outgoing label: 800001
Local interface: ge-0/0/6.0, Status: Up, Encapsulation: ETHERNET <<< Make sure that these match with the remote end.
2020-01-29: Updated topology diagram and modified respective configuration accordingly in Solution