Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Example: Interconnecting a Layer 2 Circuit with a Layer 3 VPN

 

This example provides a step-by-step procedure and commands for configuring and verifying a Layer 2 circuit to Layer 3 VPN interconnection. It contains the following sections:

Requirements

This example uses the following hardware and software components:

  • Junos OS Release 9.3 or later

  • 3 MX Series 3D Universal Edge Routers

  • 1 M Series Multiservice Edge Router

  • 1 T Series Core Router

  • 1 EX Series Ethernet Switch

  • 1 J Series Services Routers

Note

This configuration example has been tested using the software release listed and is assumed to work on all later releases.

Overview and Topology

The physical topology of a Layer 2 circuit to Layer 3 VPN interconnection is shown in Figure 1.

Figure 1: Physical Topology of a Layer 2 Circuit to Layer 3 VPN Interconnection
Physical Topology
of a Layer 2 Circuit to Layer 3 VPN Interconnection

The logical topology of a Layer 2 circuit to Layer 3 VPN interconnection is shown in Figure 2.

Figure 2: Logical Topology of a Layer 2 Circuit to Layer 3 VPN Interconnection
Logical Topology of
a Layer 2 Circuit to Layer 3 VPN Interconnection

Configuration

Note

In any configuration session, it is good practice to verify periodically that the configuration can be committed using the commit check command.

In this example, the router being configured is identified using the following command prompts:

  • CE2 identifies the customer edge 2 (CE2) router

  • PE1 identifies the provider edge 1 (PE1) router

  • CE3 identifies the customer edge 3 (CE3) router

  • PE3 identifies the provider edge 3 (PE3) router

  • CE5 identifies the customer edge 5 (CE5) router

  • PE5 identifies the provider edge 5 (PE5) router

This example contains the following procedures:

Configuring PE Router Customer-facing and Loopback Interfaces

Step-by-Step Procedure

To begin building the interconnection, configure the interfaces on the PE routers. If your network contains provider (P) routers, configure the interfaces on the P routers also. This example shows the configuration for Router PE2, Router PE3, and Router PE5.

  1. On Router PE2, configure the ge-1/0/2 interface encapsulation. To configure the interface encapsulation, include the encapsulation statement and specify the ethernet-ccc option (vlan-ccc encapsulation is also supported). Configure the ge-1/0/2.0 logical interface family for circuit cross-connect functionality. To configure the logical interface family, include the family statement and specify the ccc option. The encapsulation should be configured the same way for all routers in the Layer 2 circuit domain.
  2. On Router PE2, configure the lo0.0 interface. Include the family statement and specify the inet option. Include the address statement and specify 2.2.2.2/32 as the loopback IPv4 address.
  3. On Router PE3, configure the ge-1/0/1 interface. Include the family statement and specify the inet option. Include the address statement and specify 90.90.90.1/24 as the interface address for this device.
  4. On Router PE3, configure the lo0.0 loopback interface. Include the family statement and specify the inet option. Include the address statement and specify 3.3.3.3/32 as the loopback IPv4 address for this router.
  5. On Router PE5, configure the ge-2/0/0 interface. Include the family statement and specify the inet option. Include the address statement and specify 80.80.80.1/24 as the interface address.
  6. On Router PE5, configure the lo0.0 interface. Include the family statement and specify the inet option. Include the address statement and specify 5.5.5.5/32 as the loopback IPv4 address for this router.

Configuring Core-facing Interfaces

Step-by-Step Procedure

This procedure describes how to configure the core-facing interfaces on the PE routers. This example does not include all the core-facing interfaces shown in the physical topology illustration. Enable the mpls and inet address families on the core-facing interfaces.

  1. On Router PE2, configure the xe-0/2/0 interface. Include the family statement and specify the inet address family. Include the address statement and specify 10.10.5.1/30 as the interface address. Include the family statement and specify the mpls address family.
  2. On Router PE3, configure the core-facing interfaces. Include the family statement and specify the inet address family. Include the address statement and specify the IPv4 addresses shown in the example as the interface addresses. Include the family statement and specify the mpls address family. In the example, the xe-2/1/0 interface is connected to Router PE5, and the xe-2/2/0 interface is connected to Router PE2.
  3. On Router PE5, configure the xe-0/1/0 interface. Include the family statement and specify the inet address family. Include the address statement and specify 10.10.6.2/30 as the interface address. Include the family statement and specify the mpls address family.

Configuring Protocols

Step-by-Step Procedure

This procedure describes how to configure the protocols used in this example. If your network contains P routers, configure the interfaces on the P routers also.

  1. On Router PE3, enable OSPF as the IGP. Enable the MPLS, LDP, and BGP protocols on all interfaces except fxp.0. LDP is used as the signaling protocol for the Layer 2 circuit to Router PE2 . The following configuration snippet shows the protocol configuration for Router PE3:
  2. On Router PE2, configure the MPLS, OSPF, and LDP protocols.
  3. On Router PE5, enable OSPF as the IGP. Enable the MPLS, RSVP, and BGP protocols on all interfaces except fxp.0. Enable core-facing interfaces with the mpls and inet address families.

Configuring Routing Instances and Layer 2 Circuits

Step-by-Step Procedure

This procedure describes how to configure the Layer 2 circuit and the Layer 3 VPN.

  1. On Router PE2, configure the Layer 2 circuit. Include the l2circuit statement. Include the neighbor statement and specify the loopback IPv4 address of Router PE3 as the neighbor. Include the interface statement and specify ge-1/0/2.0 as the logical interface that is participating in the Layer 2 circuit. Include the virtual-circuit-id statement and specify 100 as the identifier. Include the no-control-word statement for equipment that does not support the control word.
  2. On Router PE3, configure the Layer 2 circuit to Router PE2. Include the l2circuit statement. Include the neighbor statement and specify the loopback IPv4 address of Router PE2 as the neighbor. Include the interface statement and specify lt-1/1/10.0 as the logical tunnel interface that is participating in the Layer 2 circuit. Include the virtual-circuit-id statement and specify 100 as the identifier. Include the no-control-word statement.
  3. On Router PE3, configure the Layer 3 VPN (L3VPN) routing instance to Router PE5 at the [edit routing-instances] hierarchy level. Also configure the BGP peer group at the [edit routing-instances L3VPN protocols] hierarchy level.
  4. On Router PE5, configure the Layer 3 VPN routing instance (L3VPN) at the [edit routing-instances] hierarchy level. Also configure the BGP peer group at the [edit routing-instances L3VPN protocols] hierarchy level.

Configuring the Route Reflector

Step-by-Step Procedure

Although a route reflector is not required to interconnect a Layer 2 circuit with a Layer 3 VPN, this examples uses a route reflector. This procedure shows the relevant portion of the route reflector configuration.

  1. Configure the route reflector with RSVP, MPLS, BGP and OSPF. The route reflector is a BGP peer with the PE routers. Notice that the BGP peer group configuration includes the family statement and specifies the inet-vpn option The inet-vpn option enables BGP to advertise network layer reachability information (NLRI) for the Layer 3 VPN routes. The configuration also includes the family statement and specifies the l2vpn option. The l2vpn option enables BGP to advertise NLRI for the Layer 2 circuit. Layer 2 circuits use the same internal BGP infrastructure as Layer 2 VPNs.

Interconnecting the Layer 2 Circuit with the Layer 3 VPN

Step-by-Step Procedure

Before you can configure the logical tunnel interface in an MX Series router, you must create the tunnel services interface to be used for tunnel services.

  1. Create the tunnel service interface on Router PE3. Include the bandwidth statement at the [edit chassis fpc slot-number pic slot-number tunnel-services] hierarchy level and specify the amount of bandwidth to reserve for tunnel services in gigabits per second.
  2. On Router PE3, configure the lt-1/1/10 logical tunnel interface unit 0.

    Router PE3 is the router that is stitching the Layer 2 circuit to the Layer 3 VPN using the logical tunnel interface. The configuration of the peer unit interfaces is what makes the interconnection.

    Include the encapsulation statement and specify the ethernet-ccc option. Include the peer-unit statement and specify the logical interface unit 1 as the peer tunnel interface. Include the family statement and specify the ccc option.

    Configure the lt-1/1/10 logical interface unit 1 with ethernet encapsulation. Include the peer-unit statement and specify the logical interface unit 0 as the peer tunnel interface. Include the family statement and specify the inet option. Also include the address statement and specify 70.70.70.1/24 as the IPv4 address of the interface.

    Note

    The peering logical interfaces must belong to the same logical tunnel interface derived from the Tunnel Services PIC.

  3. On each router, commit the configuration.

Verifying the Layer 2 Circuit to Layer 3 VPN Interconnection

To verify that the interconnection is working properly, perform these tasks:

Verifying That the Layer 2 Circuit Connection to Router PE3 is Up

Purpose

To verify that the Layer 2 circuit connection from Router PE2 to Router PE3 is Up. To also document the incoming and outgoing LDP labels and the circuit ID used by this Layer 2 circuit connection.

Action

Verify that the Layer 2 circuit connection is up, using the show l2circuit connections command.

user@PE2> show l2circuit connections

Meaning

The output shows that the Layer 2 circuit connection from Router PE2 to Router PE3 is Up and the connection is using the ge-1/0/2.0 interface. Note that the outgoing label is 315264 and the incoming label is 301488, the virtual circuit (VC) identifier is 100 and the encapsulation is ETHERNET.

Verifying LDP Neighbors and Targeted LDP LSPs on Router PE2

Purpose

To verify that Router PE2 has a targeted LDP LSP to Router PE3 and that Router PE2 and Router PE3 are LDP neighbors.

Action

Verify that Router PE2 has a targeted LDP LSP to Router PE3 and that Router PE2 and Router PE3 are LDP neighbors, using the show ldp neighbor command.

user@PE2> show ldp neighbor

Meaning

The output shows that Router PE2 has an LDP neighbor with the IPv4 address of 3.3.3.3. Address 3.3.3.3 is the lo0.0 interface address of Router PE3. Notice that Router PE2 uses the local lo0.0 interface for the LSP.

Verifying that the routers are LDP neighbors also verifies that the targeted LSP is established.

Verifying the Layer 2 Circuit Routes on Router PE2

Purpose

To verify that Router PE2 has a route for the Layer 2 circuit and that the route uses the LDP MPLS label to Router PE3.

Action

Verify that Router PE2 has a route for the Layer 2 circuit and that the route uses the LDP MPLS label to Router PE3, using the show route table mpls.0 command.

user@PE2> show route table mpls.0

Meaning

The output shows that Router PE2 pushes the 315264 outgoing label on the L2CKT route going out interface ge-1/0/2.0. The output also shows that Router PE2 pops the 301488 incoming label on the L2CKT coming from interface ge-1/0/2.0

Verifying That the Layer 2 Circuit Connection to Router PE2 is Up

Purpose

To verify that the Layer 2 circuit connection from Router PE3 to Router PE2 is Up, To also document the incoming and outgoing LDP labels and the circuit ID used by this Layer 2 circuit connection.

Action

Verify that the Layer 2 circuit connection is up, using the show l2circuit connections command.

user@PE3> show l2circuit connections

Meaning

The output shows that the Layer 2 circuit connection from Router PE3 to Router PE2 is Up and the connection is using the logical tunnel (lt) interface. Note that the incoming label is 315264 and the outgoing label is 301488, the virtual circuit (VC) identifier is 100, and that the encapsulation is ETHERNET.

Verifying LDP Neighbors and Targeted LDP LSPs on Router PE3

Purpose

To verify that Router PE3 has a targeted LDP LSP to Router PE2 and that Router PE3 and Router PE2 are LDP neighbors.

Action

Verify that Router PE2 has a targeted LDP LSP to Router PE3 and that Router PE2 and Router PE3 are LDP neighbors, using the show ldp neighbor command.

user@PE2> show ldp neighbor

Meaning

The output shows that Router PE3 has an LDP neighbor with the IPv4 address of 2.2.2.2. Address 2.2.2.2 is the lo0.0 interface address of Router PE2. The output also shows that the interface used on Router PE3 for the LSP is lo0.0. Verifying that the routers are LDP neighbors also verifies that the targeted LSP is established.

Verifying a BGP Peer Session with the Route Reflector on Router PE3

Purpose

To verify that Router PE3 has a peer session established with the route reflector.

Action

Verify that Router PE3 has a peer session established with the route reflector, using the show bgp summary command.

user@PE2> show bgp summary

Meaning

The output shows that Router PE3 has a peer session with the router with the IPv4 address of 7.7.7.7. Address 7.7.7.7 is the lo0.0 interface address of the route reflector. The output also shows that the peer session state is Establ, meaning that the session is established.

Verifying the Layer 3 VPN Routes on Router PE3

Purpose

To verify that Router PE3 has Layer 3 VPN routes to Router CE2, Router CE3, and Router CE5.

Action

Verify that Router PE3 has routes to Router CE2, Router CE3, and Router CE5 in the Layer 3 VPN route table, using the show route table L3VPN.inet.0 command. In this example, L3VPN is the name configured for the routing instance.

user@PE3> show route table L3VPN.inet.0

Meaning

The output shows that Router PE3 has a route to the IPv4 subnetwork address of 70.70.70.0. Address 70.70.70.2 is the interface address of Router CE2. The output shows that Router PE3 has a route to the IPv4 subnetwork address of 80.80.80.0. Address 80.80.80.2 is the interface address of Router CE5. The output shows that Router PE3 has a route to the IPv4 subnetwork address of 90.90.90.0. Address 90.90.90.2 is the interface address of Router CE3.

Verifying the Layer 2 Circuit Routes on Router PE3

Purpose

To verify that Router PE3 has a route to Router PE2 in the Layer 2 circuit route table.

Action

Verify that Router PE3 has a route to Router PE2 in the Layer 2 circuit route table, using the show route table l2circuit.0 command.

user@PE3> show route table l2circuit.0

Meaning

The output shows that Router PE3 has a route to the IPv4 address of 2.2.2.2. Address 2.2.2.2 is the lo0.0 interface address of Router PE2. Note that the VC label is 315264. This label is the same as the incoming MPLS label displayed using the show l2circuit connections command.

Verifying the MPLS Routes on Router PE3

Purpose

To verify that Router PE3 has a route to Router PE2 in the MPLS route table.

Action

Verify Router PE3 has a route to Router PE2 in the MPLS route table, using the show route table mpls.0 command.

user@PE3> show route table mpls.0

Meaning

The output shows that Router PE3 has a route for the Layer 2 circuit and that the route uses the LDP MPLS label to Router PE2. Notice that the 301488 label is the same as the outgoing label displayed on Router PE2 using the show l2circuit connections command.

Verifying Traffic Flow Between Router CE2 and Router CE3

Purpose

To verify that the CE routers can send and receive traffic across the interconnection.

Action

Verify that Router CE2 can send traffic to and receive traffic from Router CE3 across the interconnection, using the ping command.

user@CE2>ping 90.90.90.2

Meaning

The output shows that Router CE2 can send an ICMP request to and receive a response from Router CE3 across the interconnection.

Verifying Traffic Flow Between Router CE2 and Router CE5

Purpose

To verify that the CE routers can send and receive traffic across the interconnection.

Action

Verify that Router CE2 can send traffic to and receive traffic from Router CE5 across the interconnection, using the ping command.

user@CE2>ping 80.80.80.2

Meaning

The output shows that Router CE2 can send an ICMP request to and receive a response from Router CE5 across the interconnection.