Example: Configuring Provider Edge Link Protection in Layer 3 VPNs

 

In an MPLS service provider network, a customer can have dual-homed CE routers that are connected to the service provider through different PE routers. This setup enables load balancing of traffic in the service provider network. However, this can lead to disruption in traffic if the link between a CE router and a PE router goes down. Hence, a precomputed protection path should be configured such that if a link between a CE router and a PE router goes down, the protection path (also known as the backup path) between the CE router and an alternate PE router can be used.

To configure a path to be a protection path, use the protection statement at the [edit routing-instances instance-name protocols bgp family inet unicast] hierarchy level:

The protection statement indicates that protection is required on prefixes received from the particular neighbor or family. After protection is enabled for a given family, group, or neighbor, protection entries are added for prefixes or next hops received from the given peer.

Note

A protection path can be selected only if the best path has already been installed by BGP in the forwarding table. This is because a protection path cannot be used as the best path.

Note

The option vrf-table-label must be configured under the [routing-instances instance-name] hierarchy for the routers that have protected PE-CE links. This applies to Junos OS Releases 12.3 through 13.2 inclusive.

The protection path selection takes place based on the value of two state flags:

  • The ProtectionPath flag indicates paths requesting protection.

  • The ProtectionCand flag indicates the route entry that can be used as a protection path.

Note
  • Provider edge link protection is configured only for external peers.

  • If provider edge link protection is configured with the equal-external-internal multipath statement, multipath takes precedence over protection.

This example shows how to configure a provider edge protection path that can be used in case of a link failure in an MPLS network.

Requirements

This example uses the following hardware components, software components and configuration options:

  • M Series Multiservice Edge Routers, MX Series 5G Universal Routing Platforms, or T Series Core Routers

  • Junos OS Release 12.3 through 13.2 inclusive

  • The option vrf-table-label must be enabled at the [routing-instances instance-name] hierarchy level for routers with protected PE-CE links.

Overview

The following example shows how to configure provider edge link protection in a Layer 3 VPN.

Topology

In this example, a Layer 3 VPN is set up by configuring three customer edge devices and three service provider edge devices in four autonomous systems. The CE devices are configured in AS 64496, AS 64498, and AS 64499. The PE devices are configured in AS 64497.

Figure 1 shows the topology used in this example.

Figure 1: Provider Edge Link Protection in a Layer 3 VPN

The aim of this example is to protect the provider edge link between Routers PE2 and CE2. Protection is configured on the backup link between Routers PE3 and CE2, such that the traffic can be routed through this link when the PE2-CE2 link goes down.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Router CE1

Router PE1

Router PE2

Router PE3

Router P

Router CE2

Router CE3

Configuring Provider Edge Link Protection in Layer 3 VPNs

Step-by-Step Procedure

The following example requires that you navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure provider edge link protection:

  1. Configure the router interfaces.

    Similarly, configure the interfaces on all other routers.

  2. Configure the router ID and autonomous system (AS) number.

    Similarly, configure the router ID and AS number for all other routers. In this example, the router ID is chosen to be identical to the loopback address configured on the router.

  3. Configure MPLS and LDP on all interfaces of Router PE3.

    Similarly, configure other PE routers.

  4. Configure an IGP on the core-facing interfaces of Router PE3.

    Similarly, configure other PE routers.

  5. Configure a policy that exports the routes from the routing table into the forwarding table on Router PE3.

    Similarly, configure other PE routers.

  6. Configure BGP on Router CE2, and include a policy for exporting routes to and from the service provider network.

    Similarly, configure other CE routers.

  7. Configure BGP on Router PE3 for routing within the provider core.

    Similarly, configure other PE routers.

  8. Configure the Layer 3 VPN routing instance on Router PE3.

    Similarly, configure other PE routers.

  9. Configure provider edge link protection on the link between Routers PE3 and CE2.

Results

From configuration mode, confirm your configuration by entering the show interfaces, show routing-options, show policy-options, show protocols, and show routing-instances commands.

If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@PE3# show interfaces
user@PE3# show routing-options
user@PE3# show policy-options
user@PE3# show protocols
user@PE3# show routing-instances

Run these commands on all other routers to confirm the configurations. If you are done configuring the routers, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying BGP

Purpose

Verify that BGP is functional in the Layer 3 VPN.

Action

From operational mode on Router PE3, run the show route protocol bgp command.

user@PE3> show route protocol bgp

The output shows all the BGP routes in the routing table of Router PE3. This indicates that BGP is functioning as required.

Similarly, run this command on other routers to check if BGP is operational.

Meaning

BGP is functional in the Layer 3 VPN.

Purpose

Verify that the provider edge link between Routers PE2 and CE2 is protected.

Action

To verify that provider edge link protection is configured correctly:

  1. Confirm that a route on Router CE2 is advertised to Router PE3, directly and through Router PE2.

    If the route is advertised correctly, you will see multiple paths for the route.

    From operational mode on Router PE3, run the show route destination-prefix command.

    user@PE3> show route 192.0.2.6

    The output verifies the presence of multiple paths from Router PE3 to the destination route, 192.0.2.6, on Router CE2. The first path is directly through the PE3-CE2 link (10.1.1.26). The second path is through the provider core and PE2 (10.1.1.17).

  2. Verify that the protection path is correctly configured by confirming that the weight for the active path being protected is 0x1, and the weight for the protection candidate path is 0x4000.

    From operational mode on Router PE3, run the show route destination-prefix extensive command.

    user@PE3> show route 192.0.2.6 extensive

    The output shows that the weight (0x4000) assigned to the PE3-CE2 path is greater than the weight (0x1) assigned to the PE2-CE2 path. This confirms that the PE2-CE2 path is protected by the PE3-CE2 path.
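
The weight check in step 2 can be scripted against saved show route extensive text. The following is an added example, not part of the original documentation: it reports a route as protected only when a next hop with weight 0x1 and a next hop with weight 0x4000 are both present. The sample text is constructed; its interface names and line layout are assumptions, while the addresses and weights are the ones this page states.

```python
import re

ACTIVE_WEIGHT = 0x1      # weight this page gives for the protected active path
BACKUP_WEIGHT = 0x4000   # weight this page gives for the protection candidate

# Constructed sample, not router output: interface names and line layout are
# assumptions; the next-hop addresses and weights are the ones on this page.
SAMPLE_PROTECTED = """\
192.0.2.6/32 (2 entries, 1 announced)
        Next hop: 10.1.1.17 via ge-2/0/2.0 weight 0x1, selected
        Next hop: 10.1.1.26 via ge-2/0/1.0 weight 0x4000
"""
SAMPLE_UNPROTECTED = """\
192.0.2.6/32 (1 entry, 1 announced)
        Next hop: 10.1.1.17 via ge-2/0/2.0 weight 0x1, selected
"""

NEXT_HOP_RE = re.compile(
    r"Next hop:\s+(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+via\s+(?P<ifname>[^\s,]+)"
    r"\s+weight\s+(?P<weight>0x[0-9a-fA-F]+)"
)

def parse_next_hops(text):
    """Return (address, interface, weight) for every weighted next hop."""
    return [(m["addr"], m["ifname"], int(m["weight"], 16))
            for m in NEXT_HOP_RE.finditer(text)]

def check_protection(text):
    """Protected only if a 0x1 next hop and a 0x4000 next hop coexist."""
    hops = parse_next_hops(text)
    active = [h for h in hops if h[2] == ACTIVE_WEIGHT]
    backup = [h for h in hops if h[2] == BACKUP_WEIGHT]
    if not active:
        return {"protected": False, "reason": "no next hop with weight 0x1"}
    if not backup:
        return {"protected": False, "reason": "no next hop with weight 0x4000"}
    return {"protected": True, "active": active[0][0], "backup": backup[0][0]}

if __name__ == "__main__":
    for name, text in (("protected", SAMPLE_PROTECTED),
                       ("unprotected", SAMPLE_UNPROTECTED)):
        print(name, check_protection(text))
```
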

Meaning

The provider edge link between Routers PE2 and CE2 is protected.