Ping VPNs and Layer 2 Circuits

For testing purposes, you can ping Layer 2 VPNs, Layer 3 VPNs, and Layer 2 circuits by using the ping mpls command. The ping mpls command helps to verify that a VPN or circuit has been enabled. This command tests the integrity of the VPN or Layer 2 circuit connection between the PE routers. It does not test the connection between a PE router and a CE router.

You issue the ping mpls command from the ingress PE router of the VPN or Layer 2 circuit to the egress PE router of the same VPN or Layer 2 circuit. When you execute the ping command, echo requests are sent as Multiprotocol Label Switching (MPLS) packets.

The payload is a User Datagram Protocol (UDP) packet forwarded to the address 127.0.0.1 and port 3503. The contents of this packet are defined in the Internet draft draft-ietf-mpls-lsp-ping-version.txt, Detecting MPLS Data Plane Failures. The label and interface information for building and sending this information as an MPLS packet is the same as for standard VPN traffic, but the time-to-live (TTL) of the innermost label is set to 1.

When the echo request arrives at the egress PE router, the contents of the packet are checked, and then a reply that contains the correct return is sent by means of UDP. The PE router sending the echo request waits to receive an echo reply after a timeout of 2 seconds (you cannot configure this value).

You must configure MPLS at the [edit protocols mpls] hierarchy level on the egress PE router (the router receiving the MPLS echo packets) to be able to ping the VPN or Layer 2 circuit. You must also configure the address 127.0.0.1/32 on the egress PE router's lo0 interface. If this is not configured, the egress PE router does not have this forwarding entry and therefore simply drops the incoming MPLS pings.

To ping a Layer 2 VPN, use one of the following commands:

• ping mpls l2vpn interface interface-name

You ping an interface configured for the Layer 2 VPN on the egress PE router.

• ping mpls l2vpn instance l2vpn-instance-name local-site-id local-site-id-number remote-site-id remote-site-id-number

You ping a combination of the Layer 2 VPN routing instance name, the local site identifier, and the remote site identifier to test the integrity of the Layer 2 VPN connection (specified by the identifiers) between the ingress and egress PE routers.

To ping a Layer 3 VPN, use the following command:

• ping mpls l3vpn l3vpn-name prefix prefix <count count>

You ping a combination of a IPv4 destination prefix and a Layer 3 VPN name on the egress PE router to test the integrity of the VPN connection between the ingress and egress PE routers. The destination prefix corresponds to a prefix in the Layer 3 VPN. However, the ping tests only whether the prefix is present in a PE router's VRF table. It does not test the connection between a PE router and a CE router.

To ping a Layer 2 circuit, use one of the following commands:

• ping mpls l2circuit interface interface-name

You ping an interface configured for the Layer 2 circuit on the egress PE router.

• ping mpls l2circuit virtual-circuit neighbor <prefix> <virtual-circuit-id>

You ping a combination of the IPv4 prefix and the virtual circuit identifier on the egress PE router to test the integrity of the Layer 2 circuit between the ingress and egress PE routers.

The ping mpls command has the following limitations:

• You cannot ping an Internet Protocol version 6 (IPv6) destination prefix.
• You cannot ping a VPN or Layer 2 circuit from a router that is attempting a graceful restart.
• You cannot ping a VPN or Layer 2 circuit from a logical router.

You can also determine whether an LSP linking two PE routers in a VPN is up by pinging the end point address of the LSP. The command you use to ping an MPLS LSP end point is ping mpls lsp-end-point address. This command tells you what type of LSP (RSVP or LDP) terminates at the address specified and whether that LSP is up or down.

For a detailed description of this command, see the JUNOS Protocols, Class of Service, and System Basics Command Reference.