Configuring an MPLS-Based Layer 2 VPN (CLI Procedure)

 

You can configure MPLS-based Layer 2 virtual private networks (VPNs) on EX8200 and EX4500 switches. Some benefits of a Layer 2 VPN are that it is private, secure and flexible. To configure Layer 2 VPN functionality in your MPLS network, you must configure Layer 2 VPN components on the local and remote provider edge (PE) switches.

Note

This topic shows how to add Layer 2 VPN components to a CCC configured on a simple interface. For information on combining Layer 2 VPN components with a tagged VLAN CCC, see Configuring an MPLS-Based VLAN CCC Using a Layer 2 VPN (CLI Procedure).

Before you configure the Layer 2 VPN components, you must configure the basic components for an MPLS network:

Note

A Layer 2 VPN requires that the PE switches be configured using a circuit cross-connect (CCC).

Configure the Layer 2 VPN components on both PE switches. This procedure describes how to configure one PE switch. Repeat the procedure to configure the remote PE switch.

To configure Layer 2 VPN components on the PE switch:

  1. Configure the customer edge interface to use the physical encapsulation type ethernet-ccc:
    Note

    The customer edge interface is a simple interface.

    [edit]

    user@switch# set interfaces interface-name encapsulation ethernet-ccc
  2. Configure BGP, specifying the loopback address of this PE switch as the local address and specifying family l2vpn signaling:
    [edit protocols bgp]

    user@switch# set local-address address family l2vpn signaling
  3. Configure the BGP group, specifying the group name and type internal:
    [edit protocols bgp]

    user@switch# set group group-name type internal
  4. Configure the BGP neighbor, specifying the loopback address of the remote PE switch as the neighbor’s address:
    [edit protocols bgp]

    user@switch# set neighbor address
  5. Configure the routing instance, specifying the routing-instance name and using l2vpn as the instance type:
    [edit routing-instances]

    user@switch# set routing-instance-name instance-type l2vpn
  6. Configure the routing instance to apply to the customer edge interface:
    user@switch# set routing-instances routing-instance-name interface interface-name
  7. Configure the routing instance to use a route distinguisher:
    Note

    Each routing instance that you configure on a PE switch must have a unique route distinguisher associated with it. VPN routing instances must have a route distinguisher to allow BGP to distinguish between potentially identical network layer reachability information (NLRI) messages received from different VPNs. If you configure different VPN routing instances with the same route distinguisher, the commit fails.

    user@switch# set routing-instances routing-instance-name route-distinguisher ip-address:number
  8. Configure the VPN routing and forwarding (VRF) target of the routing instance:
    [edit routing-instances]

    user@switch# set routing-instance-name vrf-target community
    Note

    If you configure the community option only, default VRF import and export policies are generated that accept and tag routes with the specified target community. You can create more complex policies by explicitly configuring VRF import and export policies using the import and export options. See the Junos OS VPNs Configuration Guide.

  9. Configure the protocols and encapsulation type used by the routing instance:
    [edit routing-instances]

    user@switch# set routing-instance-name protocols l2vpn encapsulation-type ethernet
  10. Apply the routing instance to a customer edge interface and specify a description for it:
    [edit routing-instances]

    user@switch# set routing-instance-name protocols interface interface-name description text
  11. Configure the routing instance protocols site:
    [edit routing-instances]

    user@switch# set routing-instance-name protocols l2vpn site site-name site-identifier identifier remote-site-id identifier
    Note

    The remote site ID (configured with the remote-site-id statement) corresponds to the site ID (configured with the site-identifier statement) configured on the other PE switch.
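
The following Python check is an added example, not part of the original procedure or of Junos OS. It reads the planned `set` lines for two PE switches and reports the two conditions the notes above describe: a route distinguisher reused by more than one routing instance on one PE, and site IDs that are not mirrored between the PEs. The sample configurations, instance names, addresses and IDs are constructed, and the script assumes both PEs use the same routing-instance name for a given VPN.

```python
import re
from collections import defaultdict

# Constructed sample input: top-level "set" lines in the statement forms used
# in the procedure above. Instance names, addresses and IDs are made up.
PE1 = """
set routing-instances vpn-a route-distinguisher 10.255.0.1:100
set routing-instances vpn-a protocols l2vpn site pe1 site-identifier 1 remote-site-id 2
set routing-instances vpn-b route-distinguisher 10.255.0.1:100
"""
PE2 = """
set routing-instances vpn-a route-distinguisher 10.255.0.2:100
set routing-instances vpn-a protocols l2vpn site pe2 site-identifier 2 remote-site-id 3
"""

RD_RE = re.compile(r"^set routing-instances (\S+) route-distinguisher (\S+)$")
SITE_RE = re.compile(r"^set routing-instances (\S+) protocols l2vpn site \S+ "
                     r"site-identifier (\d+) remote-site-id (\d+)$")

def parse(config):
    """Return ({instance: rd}, {instance: (site_id, remote_site_id)})."""
    rds, sites = {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := RD_RE.match(line):
            rds[m.group(1)] = m.group(2)
        elif m := SITE_RE.match(line):
            sites[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return rds, sites

def duplicate_rds(config):
    """Route distinguishers shared by more than one instance on one PE."""
    by_rd = defaultdict(list)
    for inst, rd in parse(config)[0].items():
        by_rd[rd].append(inst)
    return {rd: sorted(i) for rd, i in by_rd.items() if len(i) > 1}

def site_id_mismatches(local, remote):
    """Unmirrored site IDs; assumes the same instance name on both PEs."""
    lsites, rsites = parse(local)[1], parse(remote)[1]
    bad = []
    for inst in sorted(lsites.keys() & rsites.keys()):
        (lid, lrem), (rid, rrem) = lsites[inst], rsites[inst]
        if lrem != rid or rrem != lid:
            bad.append((inst, f"local {lid}->{lrem}, remote {rid}->{rrem}"))
    return bad

if __name__ == "__main__":
    print("duplicate RDs on PE1:", duplicate_rds(PE1))
    print("site ID mismatches:", site_id_mismatches(PE1, PE2))
```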