Example: Configuring MPLS-Based Layer 2 VPNs

 

You can implement an MPLS-based Layer 2 virtual private network (VPN) using Junos OS routing devices to interconnect customer sites with Layer 2 technology. Layer 2 VPNs give customers complete control of their own routing. To support an MPLS-based Layer 2 VPN, you need to add components to the configuration of the two provider edge (PE) routing devices. You do not need to change the configuration of the provider devices.

This example shows how to configure an MPLS-based Layer 2 VPN.

Note

You can configure both an MPLS-based Layer 2 VPN and an MPLS-based Layer 3 VPN on the same device. However, you cannot configure the same customer edge interface to support both a Layer 2 VPN and a Layer 3 VPN. The core interfaces and the loopback interfaces are configured in the same way for Layer 2 VPNs and Layer 3 VPNs.

Requirements

This example uses the following hardware and software components:

  • Junos OS Release 11.1 or later if you are using EX Series switches

  • Two PE routing devices

Before you configure the Layer 2 VPN components, configure the basic components for an MPLS network:

Note

A Layer 2 VPN requires that the PE routing devices be configured using circuit cross-connect (CCC). The provider routing devices are configured in the same way for MPLS using CCC and for IP over MPLS.

Overview and Topology

A Layer 2 VPN provides complete separation between the provider’s network and the customer’s network—that is, the PE devices and the CE devices do not exchange routing information. Some benefits of a Layer 2 VPN are that it is private, secure, and flexible.

This example shows how to configure Layer 2 VPN components on the local and remote PE devices. This example does not include configuring a provider device, because there are no specific Layer 2 VPN components on the provider devices.

In the basic MPLS configuration of the PE devices using a circuit cross-connect (CCC), the PE devices are configured to use an interior gateway protocol (IGP), such as OSPF or IS-IS, as the routing protocol between the MPLS devices and LDP or RSVP as the signaling protocol. Traffic engineering is enabled. A label-switched path (LSP) is configured within the [edit protocols] hierarchy. However, unlike the basic MPLS configuration using a CCC, you do not need to associate the LSP with the customer edge interface. When you are configuring a Layer 2 VPN, you must use BGP signaling. The BGP signaling automates the connections, so manual configuration of the association between the LSP and the customer edge interface is not required.

The following components must be added to the PE routing devices for an MPLS-based Layer 2 VPN:

  • BGP group with family l2vpn signaling

  • Routing instance using instance type l2vpn

  • The physical layer encapsulation type (ethernet) must be specified on the customer edge interface and the encapsulation type must also be specified in the configuration of the routing instance.

Figure 1 illustrates the topology of this MPLS-based Layer 2 VPN.

Figure 1: MPLS-Based Layer 2 VPN

Table 1 shows the settings of the customer edge interface on the local CE device.

Table 1: Local CE Routing Device in the MPLS-Based Layer 2 VPN Topology

Property: Local CE routing device hardware
Settings: Routing device
Description: CE1

Property: Customer edge interface
Settings:
    ge-0/0/0 unit 0
    family inet
    address 10.0.0.2/16
Description: Interface that connects CE1 to PE1.

Table 2 shows the settings of the customer edge interface on the remote CE routing device.

Table 2: Remote CE Routing Device in the MPLS-Based Layer 2 VPN Topology

Property: Remote CE routing device hardware
Settings: Routing device
Description: CE2

Property: Customer edge interface
Settings:
    ge-0/0/0 unit 0
    family inet
    address 10.0.0.1/16
Description: Interface that connects CE2 to PE2.

Table 3 shows the Layer 2 VPN components of the local PE routing device.

Table 3: Layer 2 VPN Components of the Local PE Routing Device

Property: Local PE routing device hardware
Settings: Routing device
Description: PE1

Property: Customer edge interface
Settings:
    ge-5/0/0
    encapsulation ethernet-ccc
    unit 0
    family ccc
Description: Connects PE1 to CE1. For the Layer 2 VPN, add ethernet-ccc as the physical layer encapsulation type.
Note: The family ccc should already have been completed as part of the basic MPLS configuration of a PE routing device for circuit cross-connect. It is included here to show what was specified for that portion of the configuration.

Property: Core interface
Settings:
    xe-6/0/0 unit 0
    family inet address 10.0.0.60/16
    family iso
    family mpls
Description: Connects PE1 to P.
Note: This portion of the configuration should already have been completed as part of the basic MPLS configuration. It is included here to show what was specified for that portion of the configuration.

Property: Loopback interface
Settings:
    lo0 unit 0
    family inet address 192.0.2.0/24
    family iso address 49.0001.2102.2021.0210.00
Note: This portion of the configuration should already have been completed as part of the basic MPLS configuration. It is included here to show what was specified for that portion of the configuration.

Property: BGP
Settings: bgp
Description: Added for the Layer 2 VPN configuration.

Property: Routing instance
Settings: vpn1
Description: Added for the Layer 2 VPN configuration.

Table 4 shows the Layer 2 VPN components of the remote PE routing device.

Table 4: Layer 2 VPN Components of the Remote PE Routing Device

Property: PE routing device hardware
Settings: Routing device
Description: PE2

Property: Customer edge interface
Settings:
    ge-11/0/0
    encapsulation ethernet-ccc
    unit 0
    family ccc
Description: Connects PE2 to CE2. For the Layer 2 VPN, add ethernet-ccc as the physical layer encapsulation type.
Note: The family ccc should already have been completed as part of the basic MPLS configuration of a PE routing device for circuit cross-connect. It is included here to show what was specified for that portion of the configuration.

Property: Core interface
Settings:
    xe-6/0/0
    unit 0
    family inet
    address 10.2.0.61/16
    family iso
    family mpls
Description: Connects PE2 to P.
Note: This portion of the configuration should already have been completed as part of the basic MPLS configuration. It is included here to show what was specified for that portion of the configuration.

Property: Loopback interface
Settings:
    lo0 unit 0
    family inet address 192.0.2.3/24
    family iso address 49.0001.2202.2022.0220.00
Note: This portion of the configuration should already have been completed as part of the basic MPLS configuration. It is included here to show what was specified for that portion of the configuration.

Property: BGP
Settings: bgp
Description: Added for the Layer 2 VPN configuration.

Property: Routing instance
Settings: vpn1
Description: Added for the Layer 2 VPN configuration.

Configuring the Local PE Routing Device

CLI Quick Configuration

To quickly configure the Layer 2 VPN components on the local PE routing device, copy the following commands and paste them into the routing device terminal window:

[edit]

set interfaces ge-5/0/0 encapsulation ethernet-ccc

set protocols bgp group ibgp local-address 192.0.2.0 family l2vpn signaling

set protocols bgp group ibgp type internal

set protocols bgp group ibgp neighbor 192.0.2.3

set routing-instances vpn1 instance-type l2vpn

set routing-instances vpn1 interface ge-5/0/0

set routing-instances vpn1 route-distinguisher 192.0.2.0:21

set routing-instances vpn1 vrf-target target:21:21

set routing-instances vpn1 protocols l2vpn encapsulation-type ethernet

set routing-instances vpn1 protocols l2vpn interface ge-5/0/0.0 description "BETWEEN PE1 AND CE1"

set routing-instances vpn1 protocols l2vpn site JE-V21 site-identifier 21 interface ge-5/0/0 remote-site-id 26

Step-by-Step Procedure

To configure the Layer 2 VPN components on the local PE routing device:

  1. Configure the customer edge interface to use the physical encapsulation type ethernet-ccc:
    [edit]

    user@PE1# set interfaces ge-5/0/0 encapsulation ethernet-ccc
  2. Configure BGP, specifying the loopback address as the local address and enabling family l2vpn signaling:
    [edit protocols bgp]

    user@PE1# set group ibgp local-address 192.0.2.0 family l2vpn signaling
  3. Configure the BGP group, specifying the group name and type:
    [edit protocols bgp]

    user@PE1# set group ibgp type internal
  4. Configure the BGP neighbor, specifying the loopback address of the remote PE routing device as the neighbor’s address:
    [edit protocols bgp]

    user@PE1# set group ibgp neighbor 192.0.2.3
  5. Configure the routing instance, specifying the routing-instance name and using l2vpn as the instance type:
    [edit routing-instances]

    user@PE1# set vpn1 instance-type l2vpn
  6. Configure the routing instance to apply to the customer edge interface:
    [edit routing-instances]

    user@PE1# set vpn1 interface ge-5/0/0
  7. Configure the routing instance to use a route distinguisher:
    [edit routing-instances]

    user@PE1# set vpn1 route-distinguisher 192.0.2.0:21
  8. Configure the VPN routing and forwarding (VRF) target of the routing instance:
    [edit routing-instances]

    user@PE1# set vpn1 vrf-target target:21:21
    Note

    You can create more complex policies by explicitly configuring VRF import and export policies using the import and export options. See the Junos OS VPNs Configuration Guide.

  9. Configure the protocols and encapsulation type used by the routing instance:
    [edit routing-instances]

    user@PE1# set vpn1 protocols l2vpn encapsulation-type ethernet
  10. Apply the routing instance to a customer edge interface and specify a description for it:
    [edit routing-instances]

    user@PE1# set vpn1 protocols l2vpn interface ge-5/0/0.0 description "BETWEEN PE1 AND CE1"
  11. Configure the routing-instance protocols site:
    [edit routing-instances]

    user@PE1# set vpn1 protocols l2vpn site JE-V21 site-identifier 21 interface ge-5/0/0 remote-site-id 26
    Note

    The remote site ID (configured with the remote-site-id statement) corresponds to the site ID (configured with the site-identifier statement) configured on the other PE routing device.

Results

Display the results of the configuration:

user@PE1# show

Configuring the Remote PE Routing Device

CLI Quick Configuration

To quickly configure the Layer 2 VPN components on the remote PE routing device, copy the following commands and paste them into the routing device terminal window:

[edit]

set interfaces ge-11/0/0 encapsulation ethernet-ccc

set protocols bgp group ibgp local-address 192.0.2.3 family l2vpn signaling

set protocols bgp group ibgp type internal

set protocols bgp group ibgp neighbor 192.0.2.0

set routing-instances vpn1 instance-type l2vpn

set routing-instances vpn1 interface ge-11/0/0

set routing-instances vpn1 route-distinguisher 192.0.2.0:21

set routing-instances vpn1 vrf-target target:21:21

set routing-instances vpn1 protocols l2vpn encapsulation-type ethernet

set routing-instances vpn1 protocols l2vpn interface ge-11/0/0.0 description "BETWEEN PE2 AND CE2"

set routing-instances vpn1 protocols l2vpn site T26-VPN1 site-identifier 26 interface ge-11/0/0 remote-site-id 21

Step-by-Step Procedure

To configure the Layer 2 VPN components on the remote PE routing device:

  1. Configure the customer edge interface to use the physical encapsulation type ethernet-ccc:
    [edit]

    user@PE2# set interfaces ge-11/0/0 encapsulation ethernet-ccc
  2. Configure BGP, specifying the loopback address as the local-address and specifying family l2vpn signaling:
    [edit protocols bgp]

    user@PE2# set group ibgp local-address 192.0.2.3 family l2vpn signaling
  3. Configure the BGP group, specifying the group name and type:
    [edit protocols bgp]

    user@PE2# set group ibgp type internal
  4. Configure the BGP neighbor, specifying the loopback address of the remote PE routing device as the neighbor’s address:
    [edit protocols bgp]

    user@PE2# set group ibgp neighbor 192.0.2.0
  5. Configure the routing instance, specifying the routing-instance name and using l2vpn as the instance-type:
    [edit routing-instances]

    user@PE2# set vpn1 instance-type l2vpn
  6. Configure the routing instance to apply to the customer edge interface:
    [edit routing-instances]

    user@PE2# set vpn1 interface ge-11/0/0.0
  7. Configure the routing instance to use a route distinguisher, using the format ip-address:number:
    [edit routing-instances]

    user@PE2# set vpn1 route-distinguisher 192.0.2.0:21
  8. Configure the VPN routing and forwarding (VRF) target of the routing instance:
    [edit routing-instances]

    user@PE2# set vpn1 vrf-target target:21:21
  9. Configure the protocols and encapsulation type used by the routing instance:
    [edit routing-instances]

    user@PE2# set vpn1 protocols l2vpn encapsulation-type ethernet
  10. Apply the routing instance to a customer edge interface and specify a description for it:
    [edit routing-instances]

    user@PE2# set vpn1 protocols l2vpn interface ge-11/0/0.0 description "BETWEEN PE2 AND CE2"
  11. Configure the routing-instance protocols site:
    [edit routing-instances]

    user@PE2# set vpn1 protocols l2vpn site T26-VPN1 site-identifier 26 interface ge-11/0/0 remote-site-id 21
    Note

    The remote site ID (configured with the remote-site-id statement) corresponds to the site ID (configured with the site-identifier statement) configured on the other PE routing device.

Results

Display the results of the configuration:

user@PE2# show
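
The two PE configurations only form a working Layer 2 VPN when they mirror each other: each BGP neighbor is the peer's local address, each remote-site-id is the peer's site-identifier, and the vrf-target and encapsulation type agree. The following pre-commit check is an added example, not part of the original page or of Junos OS; the field names and the check_pair function are hypothetical, and the sample input is constructed from this page's quick-configuration values.

```python
import re
# Constructed from this page's quick-configuration values, reduced to the
# statements the checks below read.
PE1 = """\
set interfaces ge-5/0/0 encapsulation ethernet-ccc
set protocols bgp group ibgp local-address 192.0.2.0 family l2vpn signaling
set protocols bgp group ibgp neighbor 192.0.2.3
set routing-instances vpn1 interface ge-5/0/0
set routing-instances vpn1 vrf-target target:21:21
set routing-instances vpn1 protocols l2vpn encapsulation-type ethernet
set routing-instances vpn1 protocols l2vpn site JE-V21 site-identifier 21 interface ge-5/0/0 remote-site-id 26
"""
PE2 = """\
set interfaces ge-11/0/0 encapsulation ethernet-ccc
set protocols bgp group ibgp local-address 192.0.2.3 family l2vpn signaling
set protocols bgp group ibgp neighbor 192.0.2.0
set routing-instances vpn1 interface ge-11/0/0
set routing-instances vpn1 vrf-target target:21:21
set routing-instances vpn1 protocols l2vpn encapsulation-type ethernet
set routing-instances vpn1 protocols l2vpn site T26-VPN1 site-identifier 26 interface ge-11/0/0 remote-site-id 21
"""
FIELDS = {"local": r"local-address (\S+)", "neighbor": r" neighbor (\S+)",  # hypothetical names
          "target": r"vrf-target (\S+)", "encap": r"l2vpn encapsulation-type (\S+)",
          "site": r"site-identifier (\d+)", "remote_site": r"remote-site-id (\d+)",
          "ce_if": r"routing-instances \S+ interface ([^\s.]+)"}

def parse(cfg):
    out = {k: (m.group(1) if (m := re.search(p, cfg)) else None) for k, p in FIELDS.items()}
    out["ccc_ifs"] = set(re.findall(r"set interfaces (\S+) encapsulation ethernet-ccc", cfg))
    out["signaling"] = "family l2vpn signaling" in cfg
    return out

def check_pair(cfg_a, cfg_b):
    """Return a list of mismatches between two PE configurations (empty = consistent)."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for name, x, y in (("A", a, b), ("B", b, a)):
        if not x["signaling"]:
            problems.append(f"{name}: BGP family l2vpn signaling is missing")
        if x["neighbor"] != y["local"]:
            problems.append(f"{name}: neighbor {x['neighbor']} != peer local-address {y['local']}")
        if x["remote_site"] != y["site"]:
            problems.append(f"{name}: remote-site-id {x['remote_site']} != peer site-identifier {y['site']}")
        if x["ce_if"] not in x["ccc_ifs"]:
            problems.append(f"{name}: CE interface {x['ce_if']} lacks encapsulation ethernet-ccc")
    for key, label in (("target", "vrf-target"), ("encap", "encapsulation-type")):
        if a[key] != b[key]:
            problems.append(f"{label} differs: {a[key]} vs {b[key]}")
    return problems
```

Calling check_pair(PE1, PE2) returns an empty list for the values above; a mismatched site ID, route target, or a neighbor written with a prefix length each produces one entry.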

Verification

To confirm that the MPLS-based Layer 2 VPN is working properly, perform these tasks:

Verifying the Layer 2 VPN Connection

Purpose

Verify that the Layer 2 VPN connection is up.

Action

Meaning

The St field in the output shows that the Layer 2 VPN connection to Remote PE (192.0.2.3) is up.

Verifying the Status of MPLS Label-Switched Paths

Purpose

Verify that the MPLS label-switched paths (ingress and egress) are up.

Action

user@PE1> show mpls lsp

Meaning

The State field in the output shows that the Ingress LSP to Remote PE (192.0.2.3) is up, and the Egress LSP from the remote PE routing device to this PE routing device (192.0.2.0) is also up.

Verifying BGP Status

Purpose

Verify that BGP is up.

Action

Meaning

The output shows that the remote PE routing device (192.0.2.3) is listed as the BGP peer and that a protocol session has been established. It also shows the number of packets received from the remote PE routing device (33) and the number of packets sent (34) to the remote PE routing device.

Verifying the Status of the RSVP Sessions

Purpose

Verify that the RSVP sessions (ingress and egress) are up.

Action

Meaning

The output shows that both the ingress RSVP session and the egress RSVP session are up.

Verifying the Routes in the Routing Table

Purpose

On routing device PE1, use the show route table command to verify that the routing table is populated with the Layer 2 VPN routes used to forward the traffic.

Action

user@PE1> show route table bgp.l2vpn.0
user@PE1> show route table vpn1.l2vpn.0

Meaning

The command show route table bgp.l2vpn.0 displays all Layer 2 VPN routes that have been created on this routing device. The command show route table vpn1.l2vpn.0 shows the Layer 2 VPN routes that have been created for the routing instance vpn1.

Pinging the Layer 2 VPN Connections

Purpose

Verify connectivity.

Action

user@PE1> ping mpls l2vpn interface xe-6/0/0.0 reply-mode ip-udp
user@PE1> ping mpls l2vpn instance vpn1 remote-site-id 26 local-site-id 21 detail

Meaning

The output shows that connectivity is established.