Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Configuring the Common Configuration for MX Series Router Cloud CPE Services

 

Configure the cCPE common configuration on each MX Series router that provides cloud services. Complete the following tasks to configure the cCPE common configuration:

  1. Configuring the Subscriber Access Link on the PE Router for the MX Series Router Cloud CPE Services Common Configuration

  2. Configuring the Layer 2 IRB Interface for the MX Series Router Cloud CPE Services Common Configuration

  3. (Optional) Configuring a Private Subnet on the IRB Interface

  4. Configuring the Bridge Domains for the MX Series Router Cloud CPE Services Common Configuration

  5. Configuring the Firewall Filters and Policers for the MX Series Router Cloud CPE Services Common Configuration

  6. Configuring the VPN Routing Instances for the MX Series Router Cloud CPE Services Common Configuration

  7. Configuring the VRF Import Routing Policies for the MX Series Router Cloud CPE Services Common Configuration

  8. Configuring the VRF Export Routing Policies for the MX Series Router Cloud CPE Services Common Configuration

Configuring the Subscriber Access Link on the PE Router for the MX Series Router Cloud CPE Services Common Configuration

Complete the following tasks to configure the cCPE access link:

  1. Specify the name of the physical interface being used to connect to the subscriber.

    For example:

  2. Configure a description to distinguish the subscriber interface.

  3. Configure the speed of the interface.

  4. Enable CoS hierarchical scheduling on the interface.

  5. Configure the encapsulation type for the interface for flexible Ethernet services.

  6. Enable the reception and transmission of 802.1Q VLAN-tagged frames on the interface.

  7. Configure the link mode for full duplex.

  8. Configure the interface for autonegotiation.

  9. Create a logical interface and configure it with a unique description that identifies the subscriber.

  10. Configure the encapsulation type on the logical interface as Layer 2 Ethernet VLAN bridge encapsulation.

  11. Configure the subscriber VLAN ID that you want to bind to the logical interface.

  12. Verify the configuration.

    user@host> show interfaces ge-1/2/3

Configuring the Layer 2 IRB Interface for the MX Series Router Cloud CPE Services Common Configuration

For the cCPE common configuration, you need to configure the logical interface as an integrated routing and bridging (IRB) interface. For private IP addresses, you can configure multiple addresses on different subnets on the IRB interface. Multiple VPN routes are advertised through the VPN routing protocol, like BGP, to the remote VPN sites. Communication between hosts on different subnets, but the same LAN, goes through the IRB interfaces on the edge router because their gateway addresses are on the IRB interface. To configure the IRB interface:

  1. Configure the logical interface as an IRB interface, and provide a description that identifies the subscriber.

    Be sure to specify the unit number from the physical interface used for the subscriber access link.

  2. Specify a description for the IRB interface that identifies the subscriber.

  3. Specify the IPv4 subnet (subscriber-facing IP address/prefix) for private addresses for the subscriber VPN site.

  4. Specify the bandwidth for the IRB interface.

  5. Review the configuration of the IRB interface.

(Optional) Configuring a Private Subnet on the IRB Interface

If the subscriber has set up multiple private subnets in one site, the IRB interface connecting this subscriber site to the PE router needs to be configured with multiple private subnets.

To configure a private subnet:

Configuring the Bridge Domains for the MX Series Router Cloud CPE Services Common Configuration

To configure the bridge domains for the cCPE common configuration, you need to associate the IRB, the physical interface, and the VLAN with the bridge domain. Configure one bridge domain for each subscriber site. To configure the bridge domain:

  1. Specify the domain name and configure the domain type as bridge.

  2. Define the bridge domain type as bridge.

  3. Associate the subscriber’s VLAN ID with the bridge domain.

  4. Specify the routing interface to include in the bridge domain.

  5. Specify the logical interfaces to include in the bridge domain.

  6. Specify the maximum number of MAC addresses allowed to be learned for the bridge domain, and specify that packets for new source MAC addresses be dropped after the MAC address limit is reached.

  7. Review the configuration of the bridge domain.

Configuring the Firewall Filters and Policers for the MX Series Router Cloud CPE Services Common Configuration

Create a firewall filter and a policer for the bridge domain. Traffic policing is an essential component of network access security designed to minimize the risks of denial of service (DoS) attacks. It enables the control of the maximum rate of traffic sent or received on an interface.

  1. Configure an IPv4 firewall filter for Layer 2 traffic. Configure the filter to track Address Resolution Protocol (ARP) packets. In the following procedure, ARP packets are policed by a policer called ARP-Policer, and counted by a counter called ARP-Count. Ethernet packets using ARP are accepted.
  2. Configure filters for broadcast, multicast, and unicast traffic. In this example, broadcast, multicast, and unicast packets are policed by a policer called BMU-Policer and counted by a counter called BMU-Count. Any other types of packets are discarded.
  3. Configure the ARP policer traffic limits and action to take on nonconforming traffic.
  4. Configure the broadcast, multicast, and unicast policer traffic limits and action to take on nonconforming traffic.
  5. Apply the firewall filters and policers to the bridge domain.
  6. Review the configuration.

Configuring the VPN Routing Instances for the MX Series Router Cloud CPE Services Common Configuration

For the common configuration, you must configure a routing instance that supports Layer 3 VPNs. To configure the routing instance:

  1. Configure a name for the routing instance.
  2. Configure a unique description to identify the routing instance.
  3. Configure the routing instance as a VRF instance.
  4. (Optional-Required only when using IRB interfaces) Associate the Layer 3 interface with the subscriber.
  5. Specify a route distinguisher for the routing instance, enabling you to distinguish which VPN the route belongs to. Each routing instance must have a unique route distinguisher associated with it. The route distinguisher is used to place boundaries around a VPN so that the same IP address prefixes can be used in different VPNs without having them overlap. The format is as-number:id.
  6. Reference the VRF import and export policies.
  7. Map the inner label of a packet to a specific VRF table. This allows examination of the encapsulated IP header. All routes in the VRF configured with this option are advertised with the label allocated per VRF. Note

    vrf-table-label is mandatory when the PE router to customer edge (CE) router connection is over a shared medium.

  8. Review the configuration.

Configuring the VRF Import Routing Policies for the MX Series Router Cloud CPE Services Common Configuration

For the common configuration, you need to specify the VRF import routing policies. The import policy is always based on an IBGP session between the PE routers; therefore, BGP is the protocol used for the import policy. To configure the VRF import routing policies, specify the following options:

  1. Specify the protocol used between the PE routers.
  2. (Optional) If the protocol used between the edge routers is BGP, specify the BGP community.
  3. Specify the match condition actions to take for import routing policies.
  4. Review the configuration of the import policies.

Configuring the VRF Export Routing Policies for the MX Series Router Cloud CPE Services Common Configuration

For the common configuration, you need to specify the VRF export routing policies to other sites that are in the same VPN. The type of policies you define depends on the type of routing protocol that is configured between the PE routers, the cCPE, and the customer edge (CE) router. PE routers always use the IBPG protocol. To configure the VRF export routing policies, specify the following options:

  1. Specify the routing protocol used for routing into the customer’s LAN (between the cCPE and the CE router).
  2. Add the community to IBGP session.
  3. Specify the export routing policies.
  4. (Optional) If the protocol used is BGP, add the subscriber route as a community member.
  5. user@host> show