Layer 2 VPN Overview
As the need to link different Layer 2 services to one another for expanded service offerings grows, Layer 2 MPLS VPN services are increasingly in demand. This application note provides configuration and verification commands for terminating Layer 2 VPN into Layer 2 VPN using the Layer 2 interworking (iw0) interface. Existing operating system (Junos OS) functionality makes use of a tunnel PIC to loop packets out and back from the Packet Forwarding Engine (PFE), to link together Layer 2 networks. The Layer 2 interworking software interface avoids the need for the Tunnel Services PIC and overcomes the limitation of bandwidth constraints imposed by the Tunnel Services PIC.
Implementing a Layer 2 VPN on a router is similar to implementing a VPN using a Layer 2 technology, such as Asynchronous Transfer Mode (ATM). However, for a Layer 2 VPN on a router, traffic is forwarded to the router in a Layer 2 format. It is carried by Multiprotocol Label Switching (MPLS) over the service provider’s network, and then converted back to Layer 2 format at the receiving site. You can configure different Layer 2 formats at the sending and receiving sites. The security and privacy of an MPLS Layer 2 VPN are equal to those of an ATM or Frame Relay VPN. The service provisioned with Layer 2 VPNs is also known as Virtual Private Wire Service (VPWS).
On a Layer 2 VPN, routing typically occurs on the customer edge (CE) router. The CE router connected to a service provider on a Layer 2 VPN must select the appropriate circuit on which to send traffic. The provider edge (PE) router receiving the traffic sends the traffic across the service provider’s network to the PE router connected to the receiving site. The PE routers do not need to store or process the customer’s routes; they only need to be configured to send data to the appropriate tunnel. For a Layer 2 VPN, customers need to configure their own routers to carry all Layer 3 traffic. The service provider needs to know only how much traffic the Layer 2 VPN will need to carry. The service provider’s routers carry traffic between the customer’s sites using Layer 2 VPN interfaces. The VPN topology is determined by policies configured on the PE routers.
Because Layer 2 VPNs use BGP as the signaling protocol, they have a simpler design and require less overhead than traditional VPNs over Layer 2 circuits. BGP signaling also enables autodiscovery of Layer 2 VPN peers. Layer 2 VPNs are similar to BGP or MPLS VPNs and VPLS in many respects; all three types of services employ BGP for signaling.
Layer 2 VPN Application
Implementing a Layer 2 MPLS VPN includes the following benefits:
- Terminating Layer 2 VPN into Layer 2 VPN using the interworking (iw0) software interface eliminates the limitation of bandwidth on the tunnel interfaces used for these configuration scenarios. Instead of using a physical Tunnel PIC for looping the packet received from the Layer 2 VPN to another Layer 2 VPN, Junos OS is used to link both the Layer 2 VPN routes.
- Layer 2 VPNs enable the sharing of a provider's core network infrastructure between IP and Layer 2 VPN services, reducing the cost of providing those services. A Layer 2 MPLS VPN allows you to provide Layer 2 VPN service over an existing IP and MPLS backbone.
- From a service provider’s point of view, a Layer 2 MPLS VPN allows the use of a single Layer 3 VPN (such as RFC 2547bis), MPLS traffic engineering, and Differentiated Services (DiffServ).
- Service providers do not have to invest in separate Layer 2 equipment to provide Layer 2 VPN service. You can configure the PE router to run any Layer 3 protocol in addition to the Layer 2 protocols. Customers who prefer to maintain control over most of the administration of their own networks might want Layer 2 VPN connections with their service provider instead of a Layer 3 VPN.
Understanding the Layer 2 Interworking Junos OS Interface
Instead of using a physical Tunnel PIC for looping the packet received from the Layer 2 VPN to another Layer 2 VPN, the Layer 2 Interworking interface uses Junos OS to stitch together both Layer 2 VPN routes.
To configure the interworking interface, include the iw0 statement. The iw0 statement is configured at the [edit interfaces] hierarchy level.
The configuration of an interworking (iw) interface is similar to the configuration of a logical tunnel (lt) interface. In this example, the logical interfaces must be associated with the endpoints of both Layer 2 VPN connections terminating on this router. To make the association, include the interfaces statement and specify iw0 as the interface name. Include the statement at the [edit routing-instances routing-instances-name protocols l2vpn site site-name] hierarchy level for each routing instance. The routing-instances statement is configured at the [edit routing-instances] hierarchy level.
In addition to the iw0 interface configuration, Layer 2 interworking l2iw protocols need to be configured. Without the l2iw configuration, the l2iw routes will not be formed, regardless of whether any iw interfaces are present. Within the l2iw protocols, only trace options can be configured in the standard fashion. The minimum configuration necessary for the feature to work is shown below:
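The three pieces described above (the iw0 logical units, the l2iw protocol, and one l2vpn routing instance per stitched Layer 2 VPN), written as Junos set commands. This is an added example and not a listing from the original page; the instance names, site names, unit numbers, VLAN ID, site identifiers, route distinguishers and route targets are constructed placeholder values.

```junos
# Two iw0 logical units that point at each other, one per Layer 2 VPN
# terminating on this router (VLAN ID 600 is a constructed value).
set interfaces iw0 unit 0 encapsulation vlan-ccc
set interfaces iw0 unit 0 vlan-id 600
set interfaces iw0 unit 0 peer-unit 1
set interfaces iw0 unit 1 encapsulation vlan-ccc
set interfaces iw0 unit 1 vlan-id 600
set interfaces iw0 unit 1 peer-unit 0

# Without this statement no l2iw routes are formed, even if iw units exist.
set protocols l2iw

# First Layer 2 VPN: its local endpoint is iw0.0 (names and values are placeholders).
set routing-instances L2VPN-A instance-type l2vpn
set routing-instances L2VPN-A interface iw0.0
set routing-instances L2VPN-A route-distinguisher 65000:3
set routing-instances L2VPN-A vrf-target target:65000:2
set routing-instances L2VPN-A protocols l2vpn encapsulation-type ethernet-vlan
set routing-instances L2VPN-A protocols l2vpn site SITE-A site-identifier 3
set routing-instances L2VPN-A protocols l2vpn site SITE-A interface iw0.0 remote-site-id 1

# Second Layer 2 VPN: its local endpoint is the peer unit, iw0.1.
set routing-instances L2VPN-B instance-type l2vpn
set routing-instances L2VPN-B interface iw0.1
set routing-instances L2VPN-B route-distinguisher 65000:33
set routing-instances L2VPN-B vrf-target target:65000:3
set routing-instances L2VPN-B protocols l2vpn encapsulation-type ethernet-vlan
set routing-instances L2VPN-B protocols l2vpn site SITE-B site-identifier 3
set routing-instances L2VPN-B protocols l2vpn site SITE-B interface iw0.1 remote-site-id 5
```

Each routing instance uses its own route target, so the two Layer 2 VPNs stay separate in BGP signaling and are joined only through the iw0 unit pair on this router.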