Layer 2 VPN Configuration Guidelines

To configure Layer 2 virtual private network (VPN) functionality, you must enable Layer 2 VPN support on the provider edge (PE) router. You must also configure PE routers to distribute routing information to the other PE routers in the VPN and configure the circuits between the PE routers and the customer edge (CE) routers.

Each Layer 2 VPN is configured under a routing instance of type l2vpn. An l2vpn routing instance can transparently carry Layer 3 traffic across the service provider's network. As with other routing instances, all logical interfaces belonging to a Layer 2 VPN routing instance are listed under that instance.

The configuration of the CE routers is not relevant to the service provider. The CE routers only need to provide appropriate Layer 2 circuits (with appropriate circuit identifiers, such as data-link connection identifier [DLCI], virtual path identifier/virtual channel identifier [VPI/VCI], or virtual local area network identifier [VLAN ID]) to send traffic to the PE router.

To configure Layer 2 VPNs, you include statements at the [edit routing-instances routing-instance-name] hierarchy level:

[edit]

routing-instances {

    routing-instance-name {

        description text;

        instance-type l2vpn;

        interface interface-name;

        route-distinguisher (as-number:id | ip-address:id);

        vrf-export [ policy-name ];

        vrf-import [ policy-name ];

        protocols {

            l2vpn {

                (control-word | no-control-word);

                encapsulation type;

                traceoptions {

                    file filename <replace> <size size> <files number> <nostamp>;

                    flag flag <flag-modifier> <disable>;

                }

                site site-name {

                    site-identifier identifier;

                    interface interface-name {

                        remote-site-id remote-site-id;

                    }

                }

            }

        }

    }

}

For Layer 2 VPNs, only some of the statements in the [edit routing-instances] hierarchy are valid. For the full hierarchy, see the JUNOS Internet Software Configuration Guide: Routing and Routing Protocols.

In addition to these statements, you must configure Multiprotocol Label Switching (MPLS) label-switched paths (LSPs) between the PE routers, internal Border Gateway Protocol (IBGP) sessions between the PE routers, and an interior gateway protocol (IGP) on the PE and provider routers.

By default, Layer 2 VPNs are disabled.

Many of the configuration procedures for Layer 2 VPNs are identical to the procedures for Layer 3 VPNs and VPLS. These procedures are described in detail in Chapter 5, "VPN Configuration Guidelines," on page "VPN Configuration Guidelines" and include the following:

• Enable a Signaling Protocol on the PE Routers
• Configure an IGP on the PE and Provider Routers
• Configure an IBGP Session between PE Routers
• Configure a VPN Routing Instance on the PE Routers
• Configure Graceful Restart

This chapter describes the following tasks that are specific to configuring Layer 2 VPNs:

• Configure the Connections to the Local Site
• Configure CCC Encapsulation on Interfaces
• Configure TCC Encapsulation on Interfaces
• Configure Layer 2 VPN Policing on Interfaces
• Disable the Control Word for Layer 2 VPNs