[SRX] Example: Configuring L2VPN over MPLS
Article ID: KB28758 KB Last Updated: 29 Jan 2020 Version: 2.0
Summary:

This document details the configuration required on SRX branch and SRX mid-range devices that act as Provider Edge (PE) devices to provide L2VPN over MPLS.

 

Symptoms:

Topology

 

Solution:

Configuration on PE1

  1. Configure interfaces:
  • PE interface (interface connecting to MPLS cloud)
set interfaces ge-0/0/0 unit 0 family inet address 2.2.2.1/24
set interfaces ge-0/0/0 unit 0 family mpls
  • CE interface (interface connecting to CE devices)
set interfaces ge-0/0/6 encapsulation ethernet-ccc
set interfaces ge-0/0/6 unit 0 family ccc
  • Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.2/32
  2. Enable routing protocols:
  • OSPF as IGP

set protocols ospf traffic-engineering
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
  • BGP as EGP and signaling protocol for L2VPN

set protocols bgp family l2vpn signaling
set protocols bgp group L2VPN type internal
set protocols bgp group L2VPN local-address 10.0.0.2
set protocols bgp group L2VPN neighbor 10.0.0.1
  3. Enable MPLS and RSVP:
set protocols mpls label-switched-path TO-LAN-B to 10.0.0.1
set protocols mpls interface ge-0/0/0.0
set protocols rsvp interface ge-0/0/0.0
  4. Create an L2VPN instance:
set routing-instances L2VPN instance-type l2vpn
set routing-instances L2VPN interface ge-0/0/6.0
set routing-instances L2VPN route-distinguisher 10.0.0.2:100
set routing-instances L2VPN vrf-target target:65000:100
set routing-instances L2VPN protocols l2vpn encapsulation-type ethernet
set routing-instances L2VPN protocols l2vpn site LAN-A site-identifier 2
set routing-instances L2VPN protocols l2vpn site LAN-A interface ge-0/0/6.0 remote-site-id 1
  5. Enable packet-mode processing:
set security forwarding-options family mpls mode packet-based

Note: PE1 and PE2 are in packet mode. To get this working in flow mode, apply the following firewall filter on ge-0/0/0 (input direction) on both SRX/PE devices.

set firewall family mpls filter For-MPLS term 1 then packet-mode
set interfaces ge-0/0/0 unit 0 family mpls filter input For-MPLS

Configuration on PE2

set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/24
set interfaces ge-0/0/6 encapsulation ethernet-ccc
set interfaces ge-0/0/6 unit 0 family ccc
set interfaces ge-0/0/7 unit 0 family inet address 2.2.2.1/24
set interfaces lo0 unit 0 family inet address 10.0.0.1/32
set routing-options router-id 10.0.0.1
set routing-options autonomous-system 65000
set protocols rsvp interface ge-0/0/0.0
set protocols mpls label-switched-path TO-LAN-A to 10.0.0.2
set protocols mpls interface ge-0/0/0.0
set protocols bgp family l2vpn signaling
set protocols bgp group L2VPN type internal
set protocols bgp group L2VPN local-address 10.0.0.1
set protocols bgp group L2VPN neighbor 10.0.0.2
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set routing-instances L2VPN-1 instance-type l2vpn
set routing-instances L2VPN-1 interface ge-0/0/6.0
set routing-instances L2VPN-1 route-distinguisher 10.0.0.1:100
set routing-instances L2VPN-1 vrf-target target:65000:100
set routing-instances L2VPN-1 protocols l2vpn encapsulation-type ethernet
set routing-instances L2VPN-1 protocols l2vpn site LAN-B site-identifier 1
set routing-instances L2VPN-1 protocols l2vpn site LAN-B interface ge-0/0/6.0 remote-site-id 2

Verification

root@PE-1> show mpls lsp
Ingress LSP: 1 sessions
To              From            State Rt P     ActivePath       LSPname
10.0.0.1        10.0.0.2        Up     0 *                      TO-LAN-A
Total 1 displayed, Up 1, Down 0

Egress LSP: 1 sessions
To              From            State   Rt Style Labelin Labelout LSPname
10.0.0.2        10.0.0.1        Up       0  1 FF       3        - TO-LAN-B
Total 1 displayed, Up 1, Down 0

Transit LSP: 0 sessions
Total 0 displayed, Up 0, Down 0

L2VPN connection status

root@PE-1> show l2vpn connections
Layer-2 VPN connections:

Legend for connection status (St)
EI -- encapsulation invalid      NC -- interface encapsulation not CCC/TCC/VPLS
EM -- encapsulation mismatch     WE -- interface and instance encaps not same
VC-Dn -- Virtual circuit down    NP -- interface hardware not present
CM -- control-word mismatch      -> -- only outbound connection is up
CN -- circuit not provisioned    <- -- only inbound connection is up
OR -- out of range               Up -- operational
OL -- no outgoing label          Dn -- down
LD -- local site signaled down   CF -- call admission control failure
RD -- remote site signaled down  SC -- local and remote site ID collision
LN -- local site not designated  LM -- local site ID not minimum designated
RN -- remote site not designated RM -- remote site ID not minimum designated
XX -- unknown connection status  IL -- no incoming label
MM -- MTU mismatch               MI -- Mesh-Group ID not available
BK -- Backup connection          ST -- Standby connection
PF -- Profile parse failure      PB -- Profile busy
RS -- remote site standby        SN -- Static Neighbor
VM -- VLAN ID mismatch

Legend for interface status
Up -- operational
Dn -- down

Instance: L2VPN
Local site: LAB2 (2)
    connection-site           Type  St     Time last up          # Up trans
    1                         rmt   Up     Jan 29 16:54:43 2014           1
      Remote PE: 10.0.0.1, Negotiated control-word: Yes (Null)
      Incoming label: 800002, Outgoing label: 800001
      Local interface: ge-0/0/6.0, Status: Up, Encapsulation: ETHERNET <<< Make sure that these match with the remote end.
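
The parameters that must match the remote end can also be checked before commit. The following Python script is an added example, not part of the original article or any Juniper tool: it compares the L2VPN statements of two PE configurations (route target, encapsulation type, site identifiers). The function names `parse_l2vpn`, `check_pair` and `l2vpn_lines` are hypothetical, the sample input is constructed from the statement forms used in this article, and one l2vpn routing instance per device is assumed.

```python
import re

PATTERNS = {  # Junos "set" statements that the two PEs must agree on
    "vrf_target": r"vrf-target (\S+)$",
    "encap": r"protocols l2vpn encapsulation-type (\S+)$",
    "site_id": r"protocols l2vpn site (\S+) site-identifier (\d+)$",
    "remote_id": r"protocols l2vpn site (\S+) interface \S+ remote-site-id (\d+)$",
}

def parse_l2vpn(config):
    """Extract the L2VPN parameters of the (single) l2vpn routing instance."""
    out = {"site_id": {}, "remote_id": {}}
    for line in config.splitlines():
        m = re.match(r"\s*set routing-instances \S+ (.+)", line)
        for key, pat in PATTERNS.items():
            x = m and re.match(pat, m.group(1).strip())
            if x and key in ("site_id", "remote_id"):
                out[key][x.group(1)] = int(x.group(2))  # site name -> ID
            elif x:
                out[key] = x.group(1)
    return out

def check_pair(cfg_a, cfg_b):
    """Return human-readable mismatches between two PE configurations."""
    a, b, problems = parse_l2vpn(cfg_a), parse_l2vpn(cfg_b), []
    for key in ("vrf_target", "encap"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: {a.get(key)} vs {b.get(key)}")
    for name, local, remote in (("A", a, b), ("B", b, a)):
        # A site that carries an interface must also define a site-identifier.
        for site in local["remote_id"].keys() - local["site_id"].keys():
            problems.append(f"PE {name}: site {site} has no site-identifier")
        peer_ids = set(remote["site_id"].values())
        for site, rid in local["remote_id"].items():
            if rid not in peer_ids:
                problems.append(f"PE {name}: remote-site-id {rid} not defined on peer")
    return problems

def l2vpn_lines(inst, site, iface_site, sid, rid):
    """Constructed sample input in the statement form this article uses."""
    p = f"set routing-instances {inst} "
    return "\n".join([p + "instance-type l2vpn", p + "vrf-target target:65000:100",
        p + "protocols l2vpn encapsulation-type ethernet",
        p + f"protocols l2vpn site {site} site-identifier {sid}",
        p + f"protocols l2vpn site {iface_site} interface ge-0/0/6.0 remote-site-id {rid}"])

PE1 = l2vpn_lines("L2VPN", "LAN-A", "LAN-A", 2, 1)
PE2_OK = l2vpn_lines("L2VPN-1", "LAN-B", "LAN-B", 1, 2)
PE2_TYPO = l2vpn_lines("L2VPN-1", "LAN-B", "LAB-B", 1, 2)  # site names disagree
print(check_pair(PE1, PE2_OK), check_pair(PE1, PE2_TYPO))
```

An empty list means the two ends agree on the checked parameters. The constructed `PE2_TYPO` case shows how a site name that differs between the site-identifier and interface statements is reported.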

 

Modification History:

2020-01-29: Updated topology diagram and modified respective configuration accordingly in Solution

 
