Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Example: Configuring Pseudowire Redundancy in a Mobile Backhaul Scenario

    This example shows how to configure pseudowire redundancy where Layer 2 and Layer 3 segments are interconnected in a mobile backhaul scenario.

    Requirements

    This example can be configured using the following software and hardware components:

    • Junos OS Release 15.1X54–D60 or later
    • ACX5000 routers as the access (A) routers
    • MX Series routers acting as PE routers and transit label-switched routers
    • T Series routers as the core routers

    Note: The PE routers could also be T Series Core Routers but that is not typical. Depending on your scaling requirements, the core routers could also be MX Series 3D Universal Edge Routers or M Series Multiservice Edge Routers. The customer edge (CE) devices could be other routers or switches from Juniper Networks or another vendor.

    No special configuration beyond device initialization is required before configuring this example.

    Overview

    Device CE1 is a simple edge router with an IPv4 interface and a static route pointing to the PE devices. Device A1 establishes two virtual circuits (VCs) toward Device PE1 and Device PE2 by making use of the hot-standby statement. Device PE1 and Device PE2 terminate these VCs and enforce a policy condition over the logical tunnel IPv4 subnet. Device PE3 performs as a Layer 3 VPN provider edge device by having an IPv4 interface in a Layer 3 VPN shared with Device PE1 and Device PE2.

    CLI Quick Configuration shows the configuration for all of the devices in Figure 1.

    The section Step-by-Step Procedure describes the steps on Device A1 and Device PE1.

    Figure 1: Pseudowire Redundancy in a Mobile Backhaul Example Topology

    Pseudowire Redundancy
in a Mobile Backhaul Example Topology

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    Device CE1

    set interfaces ge-1/3/3 vlan-tagging
    set interfaces ge-1/3/3 unit 600 vlan-id 600
    set interfaces ge-1/3/3 unit 600 family inet address 10.41.0.104/24
    set interfaces lo0 unit 0 family inet address 192.168.0.104/32 primary
    set interfaces lo0 unit 0 family inet address 192.168.0.104/32 primary
    set protocols ospf area 0.0.0.0 interface ge-1/3/3.600
    set protocols ospf area 0.0.0.0 interface lo0.0
    set routing-options static route 192.168.0.0/8 next-hop 10.41.0.1
    set routing-options static route 10.53.0.0/16 next-hop 10.41.0.1
    set routing-options router-id 192.168.0.104

    Device A1

    set interfaces ge-1/3/0 unit 0 family inet address 10.20.0.100/24
    set interfaces ge-1/3/0 unit 0 family iso
    set interfaces ge-1/3/0 unit 0 family mpls
    set interfaces ge-1/3/1 unit 0 family inet address 10.10.0.100/24
    set interfaces ge-1/3/1 unit 0 family iso
    set interfaces ge-1/3/1 unit 0 family mpls
    set interfaces ge-1/3/2 vlan-tagging
    set interfaces ge-1/3/2 encapsulation vlan-ccc
    set interfaces ge-1/3/2 unit 600 encapsulation vlan-ccc
    set interfaces ge-1/3/2 unit 600 vlan-id 600
    set interfaces ge-1/3/2 unit 600 family ccc
    set interfaces lo0 unit 0 family inet address 192.168.0.100/32 primary
    set interfaces lo0 unit 0 family iso address 49.0002.0192.0168.0100.00
    set routing-options router-id 192.168.0.100
    set routing-options autonomous-system 64510
    set routing-options forwarding-table export pplb
    set protocols rsvp interface ge-1/3/0.0
    set protocols rsvp interface ge-1/3/1.0
    set protocols rsvp interface lo0.0
    set protocols mpls interface ge-1/3/0.0
    set protocols mpls interface ge-1/3/1.0
    set protocols isis interface ge-1/3/0.0
    set protocols isis interface ge-1/3/1.0
    set protocols isis interface lo0.0
    set protocols ldp interface ge-1/3/0.0
    set protocols ldp interface ge-1/3/1.0
    set protocols ldp interface lo0.0
    set protocols l2circuit neighbor 192.168.0.101 interface ge-1/3/2.600 virtual-circuit-id 1
    set protocols l2circuit neighbor 192.168.0.101 interface ge-1/3/2.600 pseudowire-status-tlv
    set protocols l2circuit neighbor 192.168.0.101 interface ge-1/3/2.600 revert-time 10 maximum 60
    set protocols l2circuit neighbor 192.168.0.101 interface ge-1/3/2.600 backup-neighbor 192.168.0.102 virtual-circuit-id 2
    set protocols l2circuit neighbor 192.168.0.101 interface ge-1/3/2.600 backup-neighbor 192.168.0.102 hot-standby
    set policy-options policy-statement pplb then load-balance per-packet

    Device PE1

    set interfaces ge-0/1/1 unit 0 family inet address 10.21.0.101/24
    set interfaces ge-0/1/1 unit 0 family iso
    set interfaces ge-0/1/1 unit 0 family mpls
    set interfaces ge-0/1/2 unit 0 family inet address 10.31.0.101/24
    set interfaces ge-0/1/2 unit 0 family iso
    set interfaces ge-0/1/2 unit 0 family mpls
    set interfaces ge-0/1/3 unit 0 family inet address 10.10.0.101/24
    set interfaces ge-0/1/3 unit 0 family iso
    set interfaces ge-0/1/3 unit 0 family mpls
    set interfaces lt-1/2/0 unit 600 encapsulation vlan-ccc
    set interfaces lt-1/2/0 unit 600 vlan-id 600
    set interfaces lt-1/2/0 unit 600 peer-unit 601
    set interfaces lt-1/2/0 unit 601 encapsulation vlan
    set interfaces lt-1/2/0 unit 601 vlan-id 600
    set interfaces lt-1/2/0 unit 601 peer-unit 600
    set interfaces lt-1/2/0 unit 601 family inet filter input icmp_inet
    set interfaces lt-1/2/0 unit 601 family inet filter output icmp_inet
    set interfaces lt-1/2/0 unit 601 family inet address 10.41.0.101/24 vrrp-group 0 virtual-address 10.41.0.1
    set interfaces lt-1/2/0 unit 601 family inet address 10.41.0.101/24 vrrp-group 0 accept-data
    set interfaces lo0 unit 0 family inet address 192.168.0.101/32 primary
    set interfaces lo0 unit 0 family iso address 49.0002.0192.0168.0003.00
    set interfaces lo0 unit 1 family inet address 192.168.1.101/32
    set routing-options router-id 192.168.0.101
    set routing-options autonomous-system 64511
    set protocols rsvp interface ge-0/1/1.0
    set protocols rsvp interface ge-0/1/2.0
    set protocols rsvp interface ge-0/1/3.0
    set protocols rsvp interface lo0.0
    set protocols mpls label-switched-path to_PE3 to 192.168.0.103
    set protocols mpls label-switched-path to_PE2 to 192.168.0.102
    set protocols mpls interface ge-0/1/1.0
    set protocols mpls interface ge-0/1/2.0
    set protocols mpls interface ge-0/1/3.0
    set protocols bgp local-address 192.168.0.101
    set protocols bgp group ibgp family inet-vpn any
    set protocols bgp group ibgp peer-as 64511
    set protocols bgp group ibgp neighbor 192.168.0.102
    set protocols bgp group ibgp neighbor 192.168.0.103
    set protocols isis interface ge-0/1/1.0
    set protocols isis interface ge-0/1/2.0
    set protocols isis interface ge-0/1/3.0
    set protocols isis interface lo0.0
    set protocols ldp interface ge-0/1/1.0
    set protocols ldp interface ge-0/1/2.0
    set protocols ldp interface ge-0/1/3.0
    set protocols ldp interface lo0.0
    set protocols l2circuit neighbor 192.168.0.100 interface lt-1/2/0.600 virtual-circuit-id 1
    set protocols l2circuit neighbor 192.168.0.100 interface lt-1/2/0.600 pseudowire-status-tlv hot-standby-vc-on
    set policy-options policy-statement l3vpn_export term primary from condition primary
    set policy-options policy-statement l3vpn_export term primary then local-preference add 300
    set policy-options policy-statement l3vpn_export term primary then community set l3vpn
    set policy-options policy-statement l3vpn_export term primary then accept
    set policy-options policy-statement l3vpn_export term standby from condition standby
    set policy-options policy-statement l3vpn_export term standby then local-preference add 30
    set policy-options policy-statement l3vpn_export term standby then community set l3vpn
    set policy-options policy-statement l3vpn_export term standby then accept
    set policy-options policy-statement l3vpn_export term default then community set l3vpn
    set policy-options policy-statement l3vpn_export term default then accept
    set policy-options policy-statement l3vpn_import term 1 from community l3vpn
    set policy-options policy-statement l3vpn_import term 1 then accept
    set policy-options policy-statement l3vpn_import term default then reject
    set policy-options policy-statement ospf_export term 0 from community l3vpn
    set policy-options policy-statement ospf_export term 0 then accept
    set policy-options community l3vpn members target:64511:600
    set policy-options condition primary if-route-exists address-family ccc lt-1/2/0.600
    set policy-options condition primary if-route-exists address-family ccc table mpls.0
    set policy-options condition primary if-route-exists address-family ccc peer-unit 601
    set policy-options condition standby if-route-exists address-family ccc lt-1/2/0.600
    set policy-options condition standby if-route-exists address-family ccc table mpls.0
    set policy-options condition standby if-route-exists address-family ccc standby
    set policy-options condition standby if-route-exists address-family ccc peer-unit 601
    set firewall family inet filter icmp_inet interface-specific
    set firewall family inet filter icmp_inet term 0 from source-address 10.41.0.101/32 except
    set firewall family inet filter icmp_inet term 0 from source-address 10.0.0.0/8
    set firewall family inet filter icmp_inet term 0 from protocol icmp
    set firewall family inet filter icmp_inet term 0 then count icmp_inet
    set firewall family inet filter icmp_inet term 0 then log
    set firewall family inet filter icmp_inet term 0 then accept
    set firewall family inet filter icmp_inet term 1 then accept
    set routing-instances l3vpn instance-type vrf
    set routing-instances l3vpn interface lt-1/2/0.601
    set routing-instances l3vpn interface lo0.1
    set routing-instances l3vpn route-distinguisher 192.168.1.101:64511
    set routing-instances l3vpn vrf-import l3vpn_import
    set routing-instances l3vpn vrf-export l3vpn_export
    set routing-instances l3vpn vrf-table-label
    set routing-instances l3vpn protocols ospf export ospf_export
    set routing-instances l3vpn protocols ospf area 0.0.0.0 lt-1/2/0.601
    set routing-instances l3vpn protocols ospf area 0.0.0.0 lo0.1

    Device PE2

    set interfaces ge-0/3/0 unit 0 family inet address 10.20.0.102/24
    set interfaces ge-0/3/0 unit 0 family iso
    set interfaces ge-0/3/0 unit 0 family mpls
    set interfaces ge-0/3/1 unit 0 family inet address 10.21.0.102/24
    set interfaces ge-0/3/1 unit 0 family iso
    set interfaces ge-0/3/1 unit 0 family mpls
    set interfaces ge-0/3/3 unit 0 family inet address 10.32.0.102/24
    set interfaces ge-0/3/3 unit 0 family iso
    set interfaces ge-0/3/3 unit 0 family mpls
    set interfaces lt-1/2/0 unit 600 encapsulation vlan-ccc
    set interfaces lt-1/2/0 unit 600 vlan-id 600
    set interfaces lt-1/2/0 unit 600 peer-unit 601
    set interfaces lt-1/2/0 unit 601 encapsulation vlan
    set interfaces lt-1/2/0 unit 601 vlan-id 600
    set interfaces lt-1/2/0 unit 601 peer-unit 600
    set interfaces lt-1/2/0 unit 601 family inet filter input icmp_inet
    set interfaces lt-1/2/0 unit 601 family inet filter output icmp_inet
    set interfaces lt-1/2/0 unit 601 family inet address 10.41.0.102/24 vrrp-group 0 virtual-address 10.41.0.1
    set interfaces lt-1/2/0 unit 601 family inet address 10.41.0.102/24 vrrp-group 0 accept-data
    set interfaces lo0 unit 0 family inet address 192.168.0.102/32 primary
    set interfaces lo0 unit 0 family iso address 49.0002.0192.0168.0102.00
    set interfaces lo0 unit 1 family inet address 192.168.1.102/32
    set routing-options router-id 192.168.0.102
    set routing-options autonomous-system 64511
    set protocols rsvp interface ge-0/3/0.0
    set protocols rsvp interface ge-0/3/1.0
    set protocols rsvp interface ge-0/3/3.0
    set protocols rsvp interface lo0.0
    set protocols mpls label-switched-path to_PE1 to 192.168.0.101
    set protocols mpls label-switched-path to_PE3 to 192.168.0.103
    set protocols mpls interface ge-0/3/0.0
    set protocols mpls interface ge-0/3/1.0
    set protocols mpls interface ge-0/3/3.0
    set protocols bgp local-address 192.168.0.102
    set protocols bgp group ibgp family inet-vpn any
    set protocols bgp group ibgp peer-as 64511
    set protocols bgp group ibgp neighbor 192.168.0.101
    set protocols bgp group ibgp neighbor 192.168.0.103
    set protocols isis interface ge-0/3/0.0
    set protocols isis interface ge-0/3/1.0
    set protocols isis interface ge-0/3/3.0
    set protocols isis interface lo0.0
    set protocols ldp interface ge-0/3/0.0
    set protocols ldp interface ge-0/3/1.0
    set protocols ldp interface ge-0/3/3.0
    set protocols ldp interface lo0.0
    set protocols l2circuit neighbor 192.168.0.100 interface lt-1/2/0.600 virtual-circuit-id 2
    set protocols l2circuit neighbor 192.168.0.100 interface lt-1/2/0.600 pseudowire-status-tlv hot-standby-vc-on
    set policy-options policy-statement l3vpn_export term primary from condition primary
    set policy-options policy-statement l3vpn_export term primary then local-preference add 300
    set policy-options policy-statement l3vpn_export term primary then community set l3vpn
    set policy-options policy-statement l3vpn_export term primary then accept
    set policy-options policy-statement l3vpn_export term standby from condition standby
    set policy-options policy-statement l3vpn_export term standby then local-preference add 30
    set policy-options policy-statement l3vpn_export term standby then community set l3vpn
    set policy-options policy-statement l3vpn_export term standby then accept
    set policy-options policy-statement l3vpn_export term default then community set l3vpn
    set policy-options policy-statement l3vpn_export term default then accept
    set policy-options policy-statement l3vpn_import term 1 from community l3vpn
    set policy-options policy-statement l3vpn_import term 1 then accept
    set policy-options policy-statement l3vpn_import term default then reject
    set policy-options policy-statement ospf_export term 0 from community l3vpn
    set policy-options policy-statement ospf_export term 0 then accept
    set policy-options community l3vpn members target:64511:600
    set policy-options condition primary if-route-exists address-family ccc lt-1/2/0.600
    set policy-options condition primary if-route-exists address-family ccc table mpls.0
    set policy-options condition primary if-route-exists address-family ccc peer-unit 601
    set policy-options condition standby if-route-exists address-family ccc lt-1/2/0.600
    set policy-options condition standby if-route-exists address-family ccc table mpls.0
    set policy-options condition standby if-route-exists address-family ccc standby
    set policy-options condition standby if-route-exists address-family ccc peer-unit 601
    set firewall family inet filter icmp_inet interface-specific
    set firewall family inet filter icmp_inet term 0 from source-address 10.41.0.102/32 except
    set firewall family inet filter icmp_inet term 0 from source-address 10.0.0.0/8
    set firewall family inet filter icmp_inet term 0 from protocol icmp
    set firewall family inet filter icmp_inet term 0 then count icmp_inet
    set firewall family inet filter icmp_inet term 0 then log
    set firewall family inet filter icmp_inet term 0 then accept
    set firewall family inet filter icmp_inet term 1 then accept
    set routing-instances l3vpn instance-type vrf
    set routing-instances l3vpn interface lt-1/2/0.601
    set routing-instances l3vpn interface lo0.1
    set routing-instances l3vpn route-distinguisher 192.168.1.102:64511
    set routing-instances l3vpn vrf-import l3vpn_import
    set routing-instances l3vpn vrf-export l3vpn_export
    set routing-instances l3vpn vrf-table-label
    set routing-instances l3vpn protocols ospf export ospf_export
    set routing-instances l3vpn protocols ospf area 0.0.0.0 interface lt-1/2/0.601
    set routing-instances l3vpn protocols ospf area 0.0.0.0 interface lo0.1

    Device PE3

    set interfaces ge-2/0/3 unit 0 family inet address 10.32.0.103/24
    set interfaces ge-2/0/3 unit 0 family iso
    set interfaces ge-2/0/3 unit 0 family mpls
    set interfaces ge-2/0/5 unit 0 family inet address 10.53.0.103/24
    set interfaces ge-2/0/5 unit 0 family mpls
    set interfaces ge-2/1/8 unit 0 family inet address 10.31.0.103/24
    set interfaces ge-2/1/8 unit 0 family iso
    set interfaces ge-2/1/8 unit 0 family mpls
    set interfaces lo0 unit 0 family inet address 192.168.0.103/32 primary
    set interfaces lo0 unit 0 family iso address 49.0002.0192.0168.0103.00
    set interfaces lo0 unit 1 family inet address 192.168.1.103/32
    set routing-options router-id 192.168.0.103
    set routing-options autonomous-system 64511
    set protocols rsvp interface ge-2/0/3.0
    set protocols rsvp interface ge-2/1/8.0
    set protocols rsvp interface lo0.0
    set protocols mpls label-switched-path to_PE1 to 192.168.0.101
    set protocols mpls label-switched-path to_PE2 to 192.168.0.102
    set protocols mpls interface ge-2/0/3.0
    set protocols mpls interface ge-2/1/8.0
    set protocols bgp local-address 192.168.0.103
    set protocols bgp group ibgp family inet-vpn any
    set protocols bgp group ibgp peer-as 64511
    set protocols bgp group ibgp neighbor 192.168.0.101
    set protocols bgp group ibgp neighbor 192.168.0.102
    set protocols isis interface ge-2/0/3.0
    set protocols isis interface ge-2/1/8.0
    set protocols isis interface lo0.0
    set protocols ldp interface ge-2/0/3.0
    set protocols ldp interface ge-2/1/8.0
    set protocols ldp interface lo0.0
    set policy-options policy-statement l3vpn_ospf_export term 0 from protocol direct
    set policy-options policy-statement l3vpn_ospf_export term 0 then accept
    set policy-options policy-statement l3vpn_ospf_import term 0 from protocol bgp
    set policy-options policy-statement l3vpn_ospf_import term 0 from community l3vpn
    set policy-options policy-statement l3vpn_ospf_import term 0 then accept
    set policy-options policy-statement ospf_export term 0 from community l3vpn
    set policy-options policy-statement ospf_export term 0 then accept
    set policy-options community l3vpn members target:64511:600
    set routing-instances l3vpn instance-type vrf
    set routing-instances l3vpn interface ge-2/0/5.0
    set routing-instances l3vpn interface lo0.1
    set routing-instances l3vpn route-distinguisher 192.168.0.103:64511
    set routing-instances l3vpn vrf-target target:64511:600
    set routing-instances l3vpn vrf-table-label
    set routing-instances l3vpn protocols ospf export ospf_export
    set routing-instances l3vpn protocols ospf area 0.0.0.0 interface ge-2/0/5.0
    set routing-instances l3vpn protocols ospf area 0.0.0.0 interface lo0.1

    Device CE2

    set interfaces ge-2/0/8 unit 0 family inet address 10.53.0.105/24
    set interfaces lo0 unit 0 family inet address 192.168.0.105/32 primary
    set protocols ospf area 0.0.0.0 interface ge-2/0/8.0
    set protocols ospf area 0.0.0.0 interface lo0.0
    set routing-options router-id 192.168.0.105

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

    To configure Device A1:

    1. Configure the interfaces.

      Enable MPLS on the core-facing interfaces. The ISO address family is also enabled, because IS-IS is used as the interior gateway protocol (IGP) in the provider network.

      On the customer-facing interface, you do not need to enable MPLS. On this interface, enable CCC encapsulation and address family CCC.

      [edit interfaces]
      user@A1# set ge-1/3/0 unit 0 family inet address 10.20.0.100/24
      user@A1# set ge-1/3/0 unit 0 family iso
      user@A1# set ge-1/3/0 unit 0 family mpls

      user@A1# set ge-1/3/1 unit 0 family inet address 10.10.0.100/24
      user@A1# set ge-1/3/1 unit 0 family iso
      user@A1# set ge-1/3/1 unit 0 family mpls

      user@A1# set ge-1/3/2 vlan-tagging
      user@A1# set ge-1/3/2 encapsulation vlan-ccc
      user@A1# set ge-1/3/2 unit 600 encapsulation vlan-ccc
      user@A1# set ge-1/3/2 unit 600 vlan-id 600
      user@A1# set ge-1/3/2 unit 600 family ccc

      user@A1# set lo0 unit 0 family inet address 192.168.0.100/32 primary
      user@A1# set lo0 unit 0 family iso address 49.0002.0192.0168.0100.00
    2. Configure the RSVP on the core-facing interfaces and on the loopback interface.

      RSVP is used in the Layer 3 domain.

      [edit protocols rsvp]
      user@A1# set interface ge-1/3/0.0
      user@A1# set interface ge-1/3/1.0
      user@A1# set interface lo0.0
    3. Configure LDP on the core-facing interfaces and on the loopback interface.

      LDP is used in Layer 2 domain.

      [edit protocols ldp]
      user@A1# set interface ge-1/3/0.0
      user@A1# set interface ge-1/3/1.0
      user@A1# set interface lo0.0
    4. Configure MPLS on the core-facing interfaces.
      [edit protocols mpls]
      user@A1# set interface ge-1/3/0.0
      user@A1# set interface ge-1/3/1.0
    5. Configure an interior gateway protocol, such as IS-IS or OSPF, on the core-facing interfaces and on the loopback interface.
      [edit protocols isis]
      user@A1# set interface ge-1/3/0.0
      user@A1# set interface ge-1/3/1.0
      user@A1# set interface lo0.0
    6. On the interface that faces the customer edge, configure the Layer 2 circuit.

      Configure the hot-standby statement on those routers with both active and standby virtual circuits (VCs) (Device A1 in our topology). You must include the pseudowire-status-tlv statement on access routers. Without the status TLV signaling, the standby flag cannot be advertised to remote provider edge (PE) devices.

      The revert-time statement and the maximum option must also be configured on access routers. Without the revert-time statement, traffic of all the VCs will not be transitioned to the primary path upon completion of the restoration. If a revert-time delay is defined but a maximum delay is not, then VCs are restored immediately upon the revert timer's expiration. The maximum option allows the VCs to be restored in a scattered fashion rather than all at once.

      [edit protocols l2circuit neighbor 192.168.0.101 interface ge-1/3/2.600]
      user@A1# set virtual-circuit-id 1
      user@A1# set revert-time 10 maximum 60
      user@A1# set backup-neighbor 192.168.0.102 virtual-circuit-id 2
      user@A1# set backup-neighbor 192.168.0.102 hot-standby
    7. To have the unilist next hop get pushed to other access routers, configure per-packet load balancing.
      [edit policy-options policy-statement pplb]
      user@A1# set then load-balance per-packet
    8. Apply the per-packet load balancing policy.
      [edit routing-options forwarding-table]
      user@A1# set export pplb
    9. Configure the autonomous system (AS) ID and the router ID.
      [edit routing-options]
      user@A1# set router-id 192.168.0.100
      user@A1# set autonomous-system 64510

      Similarly, configure any other access devices.

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

    To configure Device PE1:

    1. Configure the interfaces.

      Enable MPLS on the core-facing interfaces.

      [edit interfaces]
      user@PE1# set ge-0/1/1 unit 0 family inet address 10.21.0.101/24
      user@PE1# set ge-0/1/1 unit 0 family iso
      user@PE1# set ge-0/1/1 unit 0 family mpls

      user@PE1# set ge-0/1/2 unit 0 family inet address 10.31.0.101/24
      user@PE1# set ge-0/1/2 unit 0 family iso
      user@PE1# set ge-0/1/2 unit 0 family mpls

      user@PE1# set ge-0/1/3 unit 0 family inet address 10.10.0.101/24
      user@PE1# set ge-0/1/3 unit 0 family iso
      user@PE1# set ge-0/1/3 unit 0 family mpls

      user@PE1# set lo0 unit 0 family inet address 192.168.0.101/32 primary
      user@PE1# set lo0 unit 0 family iso address 49.0002.0192.0168.0003.00
      user@PE1# set lo0 unit 1 family inet address 192.168.1.101/32
    2. On Device PE1 and Device PE2, which are aggregation routers, configure a pair of logical tunnel interfaces to represent LT(x) and LT(y).

      The solution uses logical tunnel (lt-) paired interfaces for stitching the Layer 2 and Layer 3 domains.

      A Layer 2 pseudowire terminates on one of the logical tunnel interfaces, LT(x), defined with the circuit cross-connect (CCC) address family. A Layer 3 VPN terminates the second logical tunnel interface, LT(y), defined with the IPv4 (inet) address family. LT(x) and LT(y) are paired.

      [edit interfaces]
      user@PE1# set lt-1/2/0 unit 600 encapsulation vlan-ccc
      user@PE1# set lt-1/2/0 unit 600 vlan-id 600
      user@PE1# set lt-1/2/0 unit 600 peer-unit 601

      user@PE1# set lt-1/2/0 unit 601 encapsulation vlan
      user@PE1# set lt-1/2/0 unit 601 vlan-id 600
      user@PE1# set lt-1/2/0 unit 601 peer-unit 600
      user@PE1# set lt-1/2/0 unit 601 family inet filter input icmp_inet
      user@PE1# set lt-1/2/0 unit 601 family inet filter output icmp_inet
    3. (Optional) Associate a unique VRRP address with both Device PE1 and Device PE2.

      In this case, both Device PE1 and Device PE2 assume the mastership state for the defined VIP IPv4 address, so no VRRP hello message are exchanged between the routers.

      [edit interfaces lt-1/2/0 unit 601 family inet address 10.41.0.101/24]
      user@PE1# set vrrp-group 0 virtual-address 10.41.0.1
      user@PE1# set vrrp-group 0 accept-data
    4. Configure IS-IS or another IGP.
      [edit protocols isis]
      user@PE1# set interface ge-0/1/1.0
      user@PE1# set interface ge-0/1/2.0
      user@PE1# set interface ge-0/1/3.0
      user@PE1# set interface lo0.0
    5. Configure the MPLS on the core-facing interfaces.
      [edit protocols mpls]
      user@PE1# set interface ge-0/1/1.0
      user@PE1# set interface ge-0/1/2.0
      user@PE1# set interface ge-0/1/3.0
    6. Configure label-switched paths to the other PE devices.

      BGP is a policy-driven protocol, so also configure and apply any needed routing policies. For example, you might want to export static routes into BGP.

      [edit protocols mpls]
      user@PE1# set label-switched-path to_PE3 to 192.168.0.103
      user@PE1# set label-switched-path to_PE2 to 192.168.0.102
    7. Configure LDP on the core-facing interfaces and on the loopback interface.
      [edit protocols ldp]
      user@PE1# set interface ge-0/1/1.0
      user@PE1# set interface ge-0/1/2.0
      user@PE1# set interface ge-0/1/3.0
      user@PE1# set interface lo0.0
    8. Configure RSVP on the core-facing interfaces and on the loopback interface.
      [edit protocols rsvp]
      user@PE1# set interface ge-0/1/1.0
      user@PE1# set interface ge-0/1/2.0
      user@PE1# set interface ge-0/1/3.0
      user@PE1# set interface lo0.0
    9. Configure internal BGP (IBGP).
      [edit protocols bgp]
      user@PE1# set local-address 192.168.0.101
      user@PE1# set group ibgp family inet-vpn any
      user@PE1# set group ibgp peer-as 64511
      user@PE1# set group ibgp neighbor 192.168.0.102
      user@PE1# set group ibgp neighbor 192.168.0.103
    10. Configure the Layer 2 circuit on the logical tunnel interface.

      Configure the hot-standby-vc-on statement if you want a hot standby pseudowire to be established upon arrival of PW_FWD_STDBY status TLV.

      [edit protocols l2circuit neighbor 192.168.0.100 interface lt-1/2/0.600]
      user@PE1# set virtual-circuit-id 1
    11. Define a pair of conditions to be applied to the egress policy defined within the Layer 3 VPN instance.

      In both condition primary and condition standby, the matching route corresponds to the interface lt-1/2/0.600 (y), as this is the format in which egress routes appear in routing table mpls.0 to represent any given pseudowire.

      The difference between these conditions is in the standby attribute. Upon arrival of the PW_FWD_STDBY status TLV to Device PE1 or Device PE2, Junos OS matches condition standby, and in consequence, only term standby within the l3vpn policy will be executed. On the other hand, if the PW_FWD_STDBY status TLV is not present, the policy matches only condition primary, which then executes term primary in the l3vpn policy. Also, for logical tunnel-based CCC services, you must specify the logical tunnel interface, LT(y), that is associated with the logical tunnel CCC interface, LT(x). (See Understanding Pseudowire Redundancy Mobile Backhaul Scenarios.)

      Finally, for CCC-based conditions, Junos OS allows only mpls.0 as the matching routing table. For the address attribute, Junos OS allows only strings with a logical interface unit format (for example, lt-0/0/0.0).

      [edit policy-options condition primary if-route-exists address-family ccc]
      user@PE1# set lt-1/2/0.600
      user@PE1# set table mpls.0
      user@PE1# set peer-unit 601

      [edit policy-options condition standby if-route-exists address-family ccc]
      user@PE1# set lt-1/2/0.600
      user@PE1# set table mpls.0
      user@PE1# set standby
      user@PE1# set peer-unit 601
    12. Configure the Layer 3 VPN export policy.

      If the Layer 2 virtual circuit (VC) is primary, the corresponding provider edge (PE) routing device advertises the attachment circuit’s (AC’s) subnet with the higher local preference. All aggregation PE devices initially advertise the AC’s subnet with the same local preference.

      This routing policy allows a higher local preference value to be advertised if the Layer 2 VC is active.

      [edit policy-options policy-statement l3vpn_export]
      user@PE1# set term primary from condition primary
      user@PE1# set term primary then local-preference add 300
      user@PE1# set term primary then community set l3vpn
      user@PE1# set term primary then accept

      user@PE1# set term standby from condition standby
      user@PE1# set term standby then local-preference add 30
      user@PE1# set term standby then community set l3vpn
      user@PE1# set term standby then accept

      user@PE1# set term default then community set l3vpn
      user@PE1# set term default then accept
    13. Configure the Layer 3 VPN community members.
      [edit policy-options community l3vpn]
      user@PE1# set members target:64511:600
    14. Configure the Layer 3 VPN import policy, based on the Layer 3 VPN community.
      [edit policy-options policy-statement l3vpn_import]
      user@PE1# set term 1 from community l3vpn
      user@PE1# set term 1 then accept
      user@PE1# set term default then reject
    15. Configure OSPF export policy, based on the Layer 3 VPN community.
      [edit policy-options policy-statement ospf_export term 0]
      user@PE1# set from community l3vpn
      user@PE1# set then accept
    16. (Optional) Configure a firewall filter to check the path taken by traffic.
      [edit firewall family inet filter icmp_inet]
      user@PE1# set interface-specific
      user@PE1# set term 0 from source-address 10.41.0.101/32 except
      user@PE1# set term 0 from source-address 10.0.0.0/8
      user@PE1# set term 0 from protocol icmp
      user@PE1# set term 0 then count icmp_inet
      user@PE1# set term 0 then log
      user@PE1# set term 0 then accept
      user@PE1# set term 1 then accept
    17. Configure the routing instance.

      This routing instance is in the Layer 2 domain where Device PE1 and Device PE2 are interconnected to the metro ring over multiaccess media (Ethernet). You must include the vrf-table-label statement on Device PE1 and Device PE2 to enable advertisement of the direct subnet prefix corresponding to the logical tunnel (lt-) interface toward the Layer 3 domain.

      Device PE1 and Device PE2 use OSPF for Layer 3 VPN communication with Device CE1.

      [edit routing-instances l3vpn]
      user@PE1# set instance-type vrf
      user@PE1# set interface lt-1/2/0.601
      user@PE1# set interface lo0.1
      user@PE1# set route-distinguisher 192.168.1.101:64511
      user@PE1# set vrf-import l3vpn_import
      user@PE1# set vrf-export l3vpn_export
      user@PE1# set vrf-table-label
      user@PE1# set protocols ospf export ospf_export
      user@PE1# set protocols ospf area 0.0.0.0 interface lt-1/2/0.601
      user@PE1# set protocols ospf area 0.0.0.0 interface lo0.1
    18. Configure the autonomous system (AS) ID and router ID.
      [edit routing-options]
      user@PE1# set router-id 192.168.0.101
      user@PE1# set autonomous-system 64511

      Similarly, configure Device PE2.

    Results

    From configuration mode, confirm your configuration by entering the show interfaces, show firewall, show protocols, show policy-options, show routing-options, and show routing-instances commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

    Device A1

    user@A1# show interfaces
    ge-1/3/0 {
    unit 0 {
    family inet {
    address 10.20.0.100/24;
    }
    family iso;
    family mpls;
    }
    }
    ge-1/3/1 {
    unit 0 {
    family inet {
    address 10.10.0.100/24;
    }
    family iso;
    family mpls;
    }
    }
    ge-1/3/2 {
    vlan-tagging;
    encapsulation vlan-ccc;
    unit 600 {
    encapsulation vlan-ccc;
    vlan-id 600;
    family ccc;
    }
    }
    lo0 {
    unit 0 {
    family inet {
    address 192.168.0.100/32 {
    primary;
    }
    }
    family iso {
    address 49.0002.0192.0168.0100.00;
    }
    }
    }
    user@A1# show protocols
    rsvp {
    interface ge-1/3/0.0;
    interface ge-1/3/1.0;
    interface lo0.0;
    }
    mpls {
    interface ge-1/3/0.0;
    interface ge-1/3/1.0;
    }
    isis {
    interface ge-1/3/0.0;
    interface ge-1/3/1.0;
    interface lo0.0;
    }
    ldp {
    interface ge-1/3/0.0;
    interface ge-1/3/1.0;
    interface lo0.0;
    }
    l2circuit {
    neighbor 192.168.0.101 {
    interface ge-1/3/2.600 {
    virtual-circuit-id 1;
    pseudowire-status-tlv;
    backup-neighbor 192.168.0.102 {
    virtual-circuit-id 2;
    hot-standby;
    }
    }
    }
    }
    user@A1# show policy-options
    policy-statement pplb {
    then {
    load-balance per-packet;
    }
    }
    user@A1# show routing-options
    autonomous-system 64510;
    router-id 192.168.0.100;
    forwarding-table {
    export pplb;
    }

    Device PE1

    user@PE1# show interfaces
    ge-0/1/1 {
    unit 0 {
    family inet {
    address 10.21.0.101/24;
    }
    family iso;
    family mpls;
    }
    }
    ge-0/1/2 {
    unit 0 {
    family inet {
    address 10.31.0.101/24;
    }
    family iso;
    family mpls;
    }
    }
    ge-0/1/3 {
    unit 0 {
    family inet {
    address 10.10.0.101/24;
    }
    family iso;
    family mpls;
    }
    }
    lt-1/2/0 {
    unit 600 {
    encapsulation vlan-ccc;
    vlan-id 600;
    peer-unit 601;
    }
    unit 601 {
    encapsulation vlan;
    vlan-id 600;
    peer-unit 600;
    family inet {
    filter {
    input icmp_inet;
    output icmp_inet;
    }
    address 10.41.0.101/24 {
    vrrp-group 0 {
    virtual-address 10.41.0.1;
    accept-data;
    }
    }
    }
    }
    }
    lo0 {
    unit 0 {
    family inet {
    address 192.168.0.101/32 {
    primary;
    }
    }
    family iso {
    address 49.0002.0192.0168.0003.00;
    }
    }
    unit 1 {
    family inet {
    address 192.168.1.101/32;
    }
    }
    }
    user@PE1# show firewall
    family inet {
    filter icmp_inet {
    interface-specific;
    term 0 {
    from {
    source-address {
    10.41.0.101/32 except;
    10.0.0.0/8;
    }
    protocol icmp;
    }
    then {
    count icmp_inet;
    log;
    accept;
    }
    }
    term 1 {
    then accept;
    }
    }
    }
    user@PE1# show protocols
    rsvp {
    interface ge-0/1/1.0;
    interface ge-0/1/2.0;
    interface ge-0/1/3.0;
    interface lo0.0;
    }
    mpls {
    label-switched-path to_PE3 {
    to 192.168.0.103;
    }
    label-switched-path to_PE2 {
    to 192.168.0.102;
    }
    interface ge-0/1/1.0;
    interface ge-0/1/2.0;
    interface ge-0/1/3.0;
    }
    bgp {
    local-address 192.168.0.101;
    group ibgp {
    family inet-vpn {
    any;
    }
    peer-as 64511;
    neighbor 192.168.0.102;
    neighbor 192.168.0.103;
    }
    }
    isis {
    interface ge-0/1/1.0;
    interface ge-0/1/2.0;
    interface ge-0/1/3.0;
    interface lo0.0;
    }
    ldp {
    interface ge-0/1/1.0;
    interface ge-0/1/2.0;
    interface ge-0/1/3.0;
    interface lo0.0;
    }
    l2circuit {
    neighbor 192.168.0.100 {
    interface lt-1/2/0.600 {
    virtual-circuit-id 1;
    pseudowire-status-tlv hot-standby-vc-on;
    }
    }
    }
    user@PE1# show policy-options
    policy-statement l3vpn_export {
    term primary {
    from condition primary;
    then {
    local-preference add 300;
    community set l3vpn;
    accept;
    }
    }
    term standby {
    from condition standby;
    then {
    local-preference add 30;
    community set l3vpn;
    accept;
    }
    }
    term default {
    then {
    community set l3vpn;
    accept;
    }
    }
    }
    policy-statement l3vpn_import {
    term 1 {
    from community l3vpn;
    then accept;
    }
    term default {
    then reject;
    }
    }
    policy-statement ospf_export {
    term 0 {
    from community l3vpn;
    then accept;
    }
    }
    community l3vpn members target:64511:600;
    condition primary {
    if-route-exists {
    address-family {
    ccc {
    lt-1/2/0.600;
    table mpls.0;
    peer-unit 601;
    }
    }
    }
    }
    condition standby {
    if-route-exists {
    address-family {
    ccc {
    lt-1/2/0.600;
    table mpls.0;
    standby;
    peer-unit 601;
    }
    }
    }
    }
    user@PE1# show routing-options
    router-id 192.168.0.101;
    autonomous-system 64511;
    user@PE1# show routing-instances
    l3vpn {
    instance-type vrf;
    interface lt-1/2/0.601;
    interface lo0.1;
    route-distinguisher 192.168.1.101:64511;
    vrf-import l3vpn_import;
    vrf-export l3vpn_export;
    vrf-table-label;
    protocols {
    ospf {
    export ospf_export;
    area 0.0.0.0 {
    interface lt-1/2/0.601;
    interface lo0.1;
    }
    }
    }
    }

    If you are done configuring the devices, enter commit from configuration mode.

    Verification

    Confirm that the configuration is working properly.

    Checking Layer 2 Circuits

    Purpose

    Upon Layer 2 virtual circuit (VC) establishment, the output of the show l2circuit connections command shows the active and the hot-standby VC. In addition, control-plane details are shown for the hot-standby VC.

    Action

    From operational mode, enter the show l2circuit connections extensive command.

    user@A1> show l2circuit connections extensive
    Layer-2 Circuit Connections:
    
    Legend for connection status (St)   
    EI -- encapsulation invalid      NP -- interface h/w not present   
    MM -- mtu mismatch               Dn -- down                       
    EM -- encapsulation mismatch     VC-Dn -- Virtual circuit Down    
    CM -- control-word mismatch      Up -- operational                
    VM -- vlan id mismatch           CF -- Call admission control failure
    OL -- no outgoing label          IB -- TDM incompatible bitrate 
    NC -- intf encaps not CCC/TCC    TM -- TDM misconfiguration 
    BK -- Backup Connection          ST -- Standby Connection
    CB -- rcvd cell-bundle size bad  SP -- Static Pseudowire
    LD -- local site signaled down   RS -- remote site standby
    RD -- remote site signaled down  HS -- Hot-standby Connection
    XX -- unknown
    
    Legend for interface status  
    Up -- operational            
    Dn -- down                   
    Neighbor: 192.168.0.101 
        Interface                 Type  St     Time last up          # Up trans
        ge-1/3/2.600(vc 1)        rmt   Up     Jan 24 11:00:26 2013           1
          Remote PE: 192.168.0.101, Negotiated control-word: Yes (Null)
          Incoming label: 299776, Outgoing label: 299776
          Negotiated PW status TLV: Yes
          local PW status code: 0x00000000, Neighbor PW status code: 0x00000000
          Local interface: ge-1/3/2.600, Status: Up, Encapsulation: VLAN
        Connection History:
            Jan 24 11:00:26 2013  status update timer  
            Jan 24 11:00:26 2013  PE route changed     
            Jan 24 11:00:26 2013  Out lbl Update                    299776
            Jan 24 11:00:26 2013  In lbl Update                     299776
            Jan 24 11:00:26 2013  loc intf up                 ge-1/3/2.600
    Neighbor: 192.168.0.102 
        Interface                 Type  St     Time last up          # Up trans
        ge-1/3/2.600(vc 2)        rmt   HS     -----                       ----
          Remote PE: 192.168.0.102, Negotiated control-word: Yes (Null)
          Incoming label: 299792, Outgoing label: 299776
          Negotiated PW status TLV: Yes
          local PW status code: 0x00000020, Neighbor PW status code: 0x00000000
          Local interface: ge-1/3/2.600, Status: Up, Encapsulation: VLAN

    user@PE1> show l2circuit connections extensive
    Layer-2 Circuit Connections:
    
    Legend for connection status (St)   
    EI -- encapsulation invalid      NP -- interface h/w not present   
    MM -- mtu mismatch               Dn -- down                       
    EM -- encapsulation mismatch     VC-Dn -- Virtual circuit Down    
    CM -- control-word mismatch      Up -- operational                
    VM -- vlan id mismatch           CF -- Call admission control failure
    OL -- no outgoing label          IB -- TDM incompatible bitrate 
    NC -- intf encaps not CCC/TCC    TM -- TDM misconfiguration 
    BK -- Backup Connection          ST -- Standby Connection
    CB -- rcvd cell-bundle size bad  SP -- Static Pseudowire
    LD -- local site signaled down   RS -- remote site standby
    RD -- remote site signaled down  HS -- Hot-standby Connection
    XX -- unknown
    
    Legend for interface status  
    Up -- operational            
    Dn -- down                   
    Neighbor: 192.168.0.100 
        Interface                 Type  St     Time last up          # Up trans
        lt-1/2/0.600(vc 1)        rmt   Up     Jan 24 11:06:36 2013           1
          Remote PE: 192.168.0.100, Negotiated control-word: Yes (Null)
          Incoming label: 299776, Outgoing label: 299776
          Negotiated PW status TLV: Yes
          local PW status code: 0x00000000, Neighbor PW status code: 0x00000000
          Local interface: lt-1/2/0.600, Status: Up, Encapsulation: VLAN
        Connection History:
            Jan 24 11:06:36 2013  status update timer  
            Jan 24 11:06:36 2013  PE route changed     
            Jan 24 11:06:36 2013  Out lbl Update                    299776
            Jan 24 11:06:36 2013  In lbl Update                     299776
            Jan 24 11:06:36 2013  loc intf up                 lt-1/2/0.600

    user@PE2> show l2circuit connections extensive
    Layer-2 Circuit Connections:
    
    Legend for connection status (St)   
    EI -- encapsulation invalid      NP -- interface h/w not present   
    MM -- mtu mismatch               Dn -- down                       
    EM -- encapsulation mismatch     VC-Dn -- Virtual circuit Down    
    CM -- control-word mismatch      Up -- operational                
    VM -- vlan id mismatch           CF -- Call admission control failure
    OL -- no outgoing label          IB -- TDM incompatible bitrate 
    NC -- intf encaps not CCC/TCC    TM -- TDM misconfiguration 
    BK -- Backup Connection          ST -- Standby Connection
    CB -- rcvd cell-bundle size bad  SP -- Static Pseudowire
    LD -- local site signaled down   RS -- remote site standby
    RD -- remote site signaled down  HS -- Hot-standby Connection
    XX -- unknown
    
    Legend for interface status  
    Up -- operational            
    Dn -- down                   
    Neighbor: 192.168.0.100 
        Interface                 Type  St     Time last up          # Up trans
        lt-1/2/0.600(vc 2)        rmt   Up     Jan 24 10:55:31 2013           1
          Remote PE: 192.168.0.100, Negotiated control-word: Yes (Null)
          Incoming label: 299776, Outgoing label: 299792
          Negotiated PW status TLV: Yes
          local PW status code: 0x00000000, Neighbor PW status code: 0x00000020
          Local interface: lt-1/2/0.600, Status: Up, Encapsulation: VLAN
        Connection History:
            Jan 24 10:55:31 2013  status update timer  
            Jan 24 10:55:31 2013  PE route changed     
            Jan 24 10:55:31 2013  Out lbl Update                    299792
            Jan 24 10:55:31 2013  In lbl Update                     299776
            Jan 24 10:55:31 2013  loc intf up                 lt-1/2/0.600
    
    

    Meaning

    From the perspective of Device PE1 and Device PE2, a single Layer 2 circuit is established toward access routers, so there is no standby device information in the CLI output of the show l2circuit connections command. Note that no timing and flapping information is provided for the VC acting as the hot-standby. Junos OS allows only these counters to be tracked for the active VC.

    Checking the Policy Conditions

    Purpose

    On the PE devices, verify the state of the different conditions defined as part of the Layer3 VPN's egress policy, where 10.41.0.0/24 corresponds to the logical tunnel (y) subnet.

    Action

    From operational mode, enter the show policy conditions detail command.

    user@PE1> show policy conditions detail
    Configured conditions:
    Condition primary (static), event: Existence of a route in a specific routing table
    Dependent routes:
     10.41.0.0/24, generation 8
     192.168.0.104/32, generation 8
    
    Condition standby (static), event: Existence of a route in a specific routing table
    Dependent routes:
    None
    
    Condition tables:
    Table mpls.0, generation 0, dependencies 0, If-route-exists conditions: primary (static) standby (static)
    Table l3vpn.inet.0, generation 12, dependencies 2
    

    user@PE2> show policy conditions detail
    Configured conditions:
    Condition primary (static), event: Existence of a route in a specific routing table
    Dependent routes:
     10.41.0.0/24, generation 18
    
    Condition standby (static), event: Existence of a route in a specific routing table
    Dependent routes:
     10.41.0.0/24, generation 18
    
    Condition tables:
    Table mpls.0, generation 0, dependencies 0, If-route-exists conditions: primary (static) standby (static)
    Table l3vpn.inet.0, generation 367, dependencies 2
    

    Modified: 2016-11-30