Technical Documentation

Example: Layer 2.5 VPN Configuration

This section contains a configuration example and commands you can issue to verify your Layer 2.5 VPN configuration.

Figure 1: Layer 2.5 VPN Topology Diagram


In Figure 1, ATM is configured between CE1 and PE1 and Frame Relay is configured between PE2 and CE2. To begin the Layer 2 VPN configuration, enable ATM and the corresponding encapsulation on CE1.

Router CE1

[edit]
interfaces {
    at-1/1/0 {
        description "to PE1 at-0/3/0";
        atm-options {
            vpi 0 maximum-vcs 2000;
        }
        unit 32 {
            vci 32;
            encapsulation atm-vc-mux;
            family inet {
                address 10.1.1.1/30;
            }
        }
    }
}

The first provider edge (PE1) router uses ATM TCC encapsulation on the ATM VC connecting to CE1. After this, standard Layer 2 VPN design rules apply. You use MPLS on interfaces pointing toward the core and the edge, establish a Layer 2 VPN BGP peer relationship with PE2, use LDP or Resource Reservation Protocol (RSVP) for traffic traveling through the core, and configure the proper VRF instance. Finally, you create policies for PE1 that will set a private community tag on outbound BGP traffic heading to PE2 and accept incoming traffic that matches similar community traffic from PE2.

Router PE1

[edit]
interfaces {
    at-0/3/0 {
        description "to CE1 at-1/1/0";
        atm-options {
            vpi 0 maximum-vcs 2000;
        }
        unit 32 {
            encapsulation atm-tcc-vc-mux;
            vci 32;
        }
    }
    so-1/0/0 {
        description "to P so-1/0/0";
        unit 0 {
            family inet {
                address 192.168.255.86/30;
            }
            family mpls;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.255.255.174/32;
            }
        }
    }
}
protocols {
    mpls {
        interface at-0/3/0.32;
        interface so-1/0/0.0;
    }
    bgp {
        group my-internal-peers {
            type internal;
            local-address 10.255.255.174;
            family l2vpn {
                signaling;
            }
            neighbor 10.255.255.177;
        }
    }
    ldp {
        interface so-1/0/0.0;
    }
}
policy-options {
    policy-statement companyA-import {
        term T1 {
            from {
                protocol bgp;
                community companyA;
            }
            then accept;
        }
        term Final {
            then reject;
        }
    }
    policy-statement companyA-export {
        term T1 {
            then {
                community add companyA;
                accept;
            }
        }
        term Final {
            then reject;
        }
    }
    community companyA members target:100:1;
}
routing-instances {
    companyA {
        instance-type l2vpn;
        interface at-0/3/0.32;
        route-distinguisher 10.255.255.174:1;
        vrf-import companyA-import;
        vrf-export companyA-export;
        protocols {
            l2vpn {
                encapsulation-type interworking;
                site Denver {
                    site-identifier 1;
                    interface at-0/3/0.32 {
                        remote-site-id 2;
                    }
                }
            }
        }
    }
}

On the provider core router (P), you need only enable MPLS and LDP on the interfaces that bridge the gap between the PE routers.

Router P

[edit]
interfaces {
    so-1/0/0 {
        description "to PE1 so-1/0/0";
        unit 0 {
            family inet {
                address 192.168.255.85/30;
            }
            family mpls;
        }
    }
    fe-1/1/0 {
        description "to PE2 fe-1/1/2";
        unit 0 {
            family inet {
                address 192.168.255.93/30;
            }
            family mpls;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.255.255.173/32;
            }
        }
    }
}
protocols {
    mpls {
        interface so-1/0/0.0;
        interface fe-1/1/0.0;
    }
    ldp {
        interface so-1/0/0.0;
        interface fe-1/1/0.0;
    }
}

The PE2 router uses Frame Relay TCC encapsulation on the Frame Relay DLCI connecting to CE2. To establish the Layer 2.5 VPN, follow the same steps you used to configure PE1. You use MPLS on interfaces pointing toward the core and the edge, establish a Layer 2 VPN BGP peer relationship with PE1, use LDP or RSVP for traffic traveling through the core, and configure the proper VRF instance. Finally, you create policies on PE2 that will set a private community tag on outbound BGP traffic heading to PE1 and accept incoming traffic that matches similar community traffic from PE1.

Router PE2

[edit]
interfaces {
    fe-1/1/2 {
        description "to P fe-1/1/0";
        unit 0 {
            family inet {
                address 192.168.255.94/30;
            }
            family mpls;
        }
    }
    so-1/2/1 {
        description "to CE2 so-1/2/1";
        dce;
        encapsulation frame-relay-tcc;
        unit 600 {
            encapsulation frame-relay-tcc;
            dlci 600;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.255.255.177/32;
            }
        }
    }
}
protocols {
    mpls {
        interface fe-1/1/2.0;
        interface so-1/2/1.600;
    }
    bgp {
        group my-internal-peers {
            type internal;
            local-address 10.255.255.177;
            family l2vpn {
                signaling;
            }
            neighbor 10.255.255.174;
        }
    }
    ldp {
        interface fe-1/1/2.0;
    }
}
policy-options {
    policy-statement companyA-import {
        term T1 {
            from {
                protocol bgp;
                community companyA;
            }
            then accept;
        }
        term Final {
            then reject;
        }
    }
    policy-statement companyA-export {
        term T1 {
            then {
                community add companyA;
                accept;
            }
        }
        term Final {
            then reject;
        }
    }
    community companyA members target:100:1;
}
routing-instances {
    companyA {
        instance-type l2vpn;
        interface so-1/2/1.600;
        route-distinguisher 10.255.255.177:1;
        vrf-import companyA-import;
        vrf-export companyA-export;
        protocols {
            l2vpn {
                encapsulation-type interworking;
                site NewYork {
                    site-identifier 2;
                    interface so-1/2/1.600 {
                        remote-site-id 1;
                    }
                }
            }
        }
    }
}

To complete the Layer 2.5 VPN configuration, enable Frame Relay encapsulation on CE2.

Router CE2

[edit]
interfaces {
    so-1/2/1 {
        description "to PE2 so-1/2/1";
        encapsulation frame-relay;
        unit 600 {
            dlci 600;
            family inet {
                address 10.1.1.2/30;
            }
        }
    }
}

Verifying Your Work

To verify the operational status of your Layer 2.5 VPN, use the following commands:

  • show route forwarding-table
  • show ldp database
  • show l2vpn connections
  • show bgp summary
  • show route

To view sample output of these commands as used with the configuration example, see the following:

Router PE1 Status


user@PE1> show route forwarding-table
<snip>
Routing table:: ccc
MPLS:
Interface.Label    Type RtRef Nexthop           Type Index NhRef Netif
default            perm     0                   dscd    10     1
0                  user     0                   recv    12     2
1                  user     0                   recv    12     2
100128             user     0                   Pop           so-1/0/0.0
100128(S=0)        user     0                   Pop           so-1/0/0.0
100129             user     0                   Swap  100000  so-1/0/0.0
800001             user     0                   ucst   137     1 at-0/3/0.32
at-0/3/0. (CCC)    user     0                   indr   133     2
                                                Push 800000, Push 100000(top)
so-1/0/0.0
<snip>


user@PE1> show ldp database
Input label database, 10.255.255.174:0-10.255.255.173:0
  Label     Prefix
 100002     10.255.255.174/32
 100000     10.255.255.177/32
      3     10.255.255.173/32
Output label database, 10.255.255.174:0-10.255.255.173:0
  Label     Prefix
 100128     10.255.255.173/32
 100129     10.255.255.177/32
      3     10.255.255.174/32


user@PE1> show l2vpn connections
L2VPN Connections:
Legend for connection status (St)   Legend for interface status
OR -- out of range                  up -- operational
EI -- encapsulation invalid         Dn -- down
EM -- encapsulation mismatch        NP -- no present
CN -- circuit not present           DS -- disabled
OL -- no outgoing label             WE -- wrong encapsulation
Dn -- down                          UN -- uninitialized
VC-Dn -- Virtual circuit down
WE -- intf encaps != instance encaps
-> -- only outbound conn is up
<- -- only inbound  conn is up
UP -- operational
XX -- unknown
Instance: companyA
Local site: Denver (1)
    connection-site           Type  St     Time last up          # Up trans
    2                         rmt   Up     Nov 30 08:21:07 2001           1
      Local interface: at-0/3/0.32, Status: Up, Encapsulation: INTERWORKING
      Remote PE: 10.255.255.177
      Incoming label: 800001, Outgoing label: 800000


user@PE1> show bgp summary
Groups: 1 Peers: 1 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 0          0          0          0          0          0
bgp.l2vpn.0            1          1          0          0          0          0
Peer               AS      InPkt     OutPkt    OutQ   Flaps Last Up/DwnState|#Active/Received/Damped...
10.255.255.177      69         49         45       0       1       19:16 Establ
  bgp.l2vpn.0: 1/1/0
  companyA.l2vpn.0: 1/1/0


user@PE1> show route
<snip>
mpls.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0                  *[MPLS/0] 1d 18:54:24, metric 1
                      Receive
1                  *[MPLS/0] 1d 18:54:24, metric 1
                      Receive
100128             *[LDP/9] 00:24:03, metric 1
                    > via so-1/0/0.0, Pop
100128(S=0)        *[LDP/9] 00:24:03, metric 1
                    > via so-1/0/0.0, Pop
100129             *[LDP/9] 00:24:03, metric 1
                    > via so-1/0/0.0, Swap 100000
800001             *[L2VPN/7] 00:10:35
                    > via at-0/3/0.32, Pop      [0]
at-0/3/0.32        *[L2VPN/7] 00:10:35
                    > via so-1/0/0.0, Push 800000, Push 100000(top)
companyA.l2vpn.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
1:1:1:1        /96
                   *[L2VPN/7] 00:19:55
                      Discard
1:1:2:1        /96
                   *[BGP/170] 00:06:46, localpref 100, from 10.255.255.177
                      AS path: I
                    > via so-1/0/0.0, Push 100000
bgp.l2vpn.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
1:1:2:1        /96
                   *[BGP/170] 00:10:35, localpref 100, from 10.255.255.177
                      AS path: I
                    > via so-1/0/0.0, Push 100000
<snip>

Router PE2 Status


user@vpn07> show route forwarding-table
<snip>
Routing table:: ccc
MPLS:
Interface.Label    Type RtRef Nexthop           Type Index NhRef Netif
default            perm     0                   dscd     8     1
0                  user     0                   recv    10     2
1                  user     0                   recv    10     2
100002             user     0                   Pop           fe-1/1/2.0
100002(S=0)        user     0                   Pop           fe-1/1/2.0
100003             user     0                   Swap  100002  fe-1/1/2.0
800000             user     0                   ucst    60     1 so-1/2/1.0
so-1/2/1. (CCC)    user     0                   indr    59     2
<snip>


user@vpn07> show ldp database
Input label database, 10.255.255.177:0-10.255.255.173:0
  Label     Prefix
 100000     10.255.255.177/32
      3     10.255.255.173/32
 100002     10.255.255.174/32
Output label database, 10.255.255.177:0-10.255.255.173:0
  Label     Prefix
 100002     10.255.255.173/32
      3     10.255.255.177/32
 100003     10.255.255.174/32


user@vpn07> show l2vpn connections
L2VPN Connections:
Legend for connection status (St)   Legend for interface status
OR -- out of range                  up -- operational
EI -- encapsulation invalid         Dn -- down
EM -- encapsulation mismatch        NP -- no present
CN -- circuit not present           DS -- disabled
OL -- no outgoing label             WE -- wrong encapsulation
Dn -- down                          UN -- uninitialized
VC-Dn -- Virtual circuit down
WE -- intf encaps != instance encaps
-> -- only outbound conn is up
<- -- only inbound  conn is up
UP -- operational
XX -- unknown
Instance: companyA
Local site: NewYork (2)
    connection-site           Type  St     Time last up          # Up trans
    1                         rmt   Up     Nov 30 08:21:01 2001           1
      Local interface: so-1/2/1.0, Status: Up, Encapsulation: INTERWORKING
      Remote PE: 10.255.255.174
      Incoming label: 800000, Outgoing label: 800001


user@vpn07> show bgp summary
Groups: 1 Peers: 1 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
bgp.l2vpn.0            1          1          0          0          0          0
inet.0                 0          0          0          0          0          0
Peer               AS      InPkt     OutPkt    OutQ   Flaps Last Up/DwnState|#Active/Received/Damped...
10.255.255.174      69         45         52       0       0       20:20 Establ
  bgp.l2vpn.0: 1/1/0
  companyA.l2vpn.0: 1/1/0


user@vpn07> show route
<snip>
mpls.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0                  *[MPLS/0] 02:34:04, metric 1
                      Receive
1                  *[MPLS/0] 02:34:04, metric 1
                      Receive
100002             *[LDP/9] 00:25:39, metric 1
                    > via fe-1/1/2.0, Pop
100002(S=0)        *[LDP/9] 00:25:39, metric 1
                    > via fe-1/1/2.0, Pop
100003             *[LDP/9] 00:25:01, metric 1
                    > via fe-1/1/2.0, Swap 100002
800000             *[L2VPN/7] 00:07:50
                    > via so-1/2/1.0, Pop      [0]
so-1/2/1.0         *[L2VPN/7] 00:07:50
                    > via fe-1/1/2.0, Push 800001, Push 100002(top)
companyA.l2vpn.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
1:1:1:1        /96
                   *[BGP/170] 00:04:59, localpref 100, from 10.255.255.174
                      AS path: I
                    > via fe-1/1/2.0, Push 100002
1:1:2:1        /96
                   *[L2VPN/7] 00:11:34
                      Discard
bgp.l2vpn.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
1:1:1:1        /96
                   *[BGP/170] 00:11:38, localpref 100, from 10.255.255.174
                      AS path: I
                    > via fe-1/1/2.0, Push 100002
<snip>

Router P Status


user@P> show ldp database
Input label database, 10.255.255.173:0-10.255.255.174:0
  Label     Prefix
 100128     10.255.255.173/32
 100129     10.255.255.177/32
      3     10.255.255.174/32
Output label database, 10.255.255.173:0-10.255.255.174:0
  Label     Prefix
      3     10.255.255.173/32
 100000     10.255.255.177/32
 100002     10.255.255.174/32
Input label database, 10.255.255.173:0-10.255.255.177:0
  Label     Prefix
      3     10.255.255.177/32
 100002     10.255.255.173/32
 100003     10.255.255.174/32
Output label database, 10.255.255.173:0-10.255.255.177:0
  Label     Prefix
      3     10.255.255.173/32
 100000     10.255.255.177/32
 100002     10.255.255.174/32
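
The following Python check is an added example, not part of the original documentation. It cross-validates the two PE routers' `show l2vpn connections` output so that a circuit stitched to the wrong site, the wrong remote PE, or with unmatched labels is caught rather than judged by eye. The names `CONN`, `parse` and `check_pair` are hypothetical; the sample text is trimmed from the output above, and the code assumes one connection block per output in the field layout shown on this page.

```python
import re

# Trimmed from the "show l2vpn connections" sample output on this page.
PE1_OUTPUT = """\
Local site: Denver (1)
    connection-site           Type  St     Time last up          # Up trans
    2                         rmt   Up     Nov 30 08:21:07 2001           1
      Local interface: at-0/3/0.32, Status: Up, Encapsulation: INTERWORKING
      Remote PE: 10.255.255.177
      Incoming label: 800001, Outgoing label: 800000
"""
PE2_OUTPUT = """\
Local site: NewYork (2)
    connection-site           Type  St     Time last up          # Up trans
    1                         rmt   Up     Nov 30 08:21:01 2001           1
      Local interface: so-1/2/1.0, Status: Up, Encapsulation: INTERWORKING
      Remote PE: 10.255.255.174
      Incoming label: 800000, Outgoing label: 800001
"""

CONN = re.compile(
    r"Local site: \S+ \((?P<site>\d+)\)\s+connection-site[^\n]*\n"
    r"\s+(?P<remote>\d+)\s+rmt\s+(?P<st>\S+)[^\n]*\n"
    r"\s+Local interface: \S+, Status: (?P<ifst>\w+), Encapsulation: (?P<encap>\w+)"
    r"\s+Remote PE: (?P<pe>[\d.]+)"
    r"\s+Incoming label: (?P<inl>\d+), Outgoing label: (?P<outl>\d+)")

def parse(output):
    m = CONN.search(output)
    if not m:
        raise ValueError("no l2vpn connection block found")
    return m.groupdict()

def check_pair(out_a, lo_a, out_b, lo_b):
    """Compare both ends; lo_a/lo_b are the PEs' loopback addresses."""
    a, b = parse(out_a), parse(out_b)
    problems = []
    for name, c in (("A", a), ("B", b)):
        if (c["st"], c["ifst"]) != ("Up", "Up"):
            problems.append(f"{name}: connection {c['st']}, interface {c['ifst']}")
    if (a["remote"], b["remote"]) != (b["site"], a["site"]):
        problems.append("site IDs do not mirror")
    if (a["pe"], b["pe"]) != (lo_b, lo_a):
        problems.append("Remote PE is not the peer loopback")
    if (a["inl"], a["outl"]) != (b["outl"], b["inl"]):
        problems.append("VPN labels do not mirror")
    if a["encap"] != b["encap"]:
        problems.append("encapsulation differs")
    return problems
```

With the page's output and the loopbacks 10.255.255.174 (PE1) and 10.255.255.177 (PE2), `check_pair` returns an empty list; any entry in the list names the end or the attribute that disagrees.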

Published: 2010-07-15
