Example: Connecting Junos Fusion Enterprises Over EVPN-MPLS

 

This configuration example illustrates:

  • how to connect two Junos Fusion Enterprises over a WAN running MPLS.

  • how to configure Layer 3 connectivity between the network segments.

  • how to provide Layer 2 adjacency for endpoints in VLANs across the Junos Fusion Enterprises.

It includes the following sections:

Requirements

This example assumes that the hardware and software required for the example are procured.

To procure hardware, see How to Buy.

All software used in this example or for any Junos Fusion Enterprise can be downloaded from the Junos Fusion Hardware and Software Compatibility Matrices link in the Software Download Center.

Overview and Topology

The topology includes two Junos Fusion Enterprises that are in campus buildings 1 and 2. Both Junos Fusion Enterprises include two aggregation devices and provide access ports using a satellite device cluster. The satellite device cluster in building 1 includes two satellite devices and the satellite device cluster in building 2 includes three satellite devices.

The buildings are connected over a WAN network running MPLS. Every aggregation device is connected to the WAN network and functioning as an MPLS PE device.

This example was validated using the hardware and software components listed in Table 1 and Table 2. The instructions in this network configuration example can be used for any Junos Fusion Enterprise using aggregation devices running Junos OS Release 17.4R1 or later. See Junos Fusion Hardware and Software Compatibility Matrices and Understanding Junos Fusion Enterprise Software and Hardware Requirements for additional information on Junos Fusion Enterprise software version compatibility.

Table 1: Campus Building 1 Hardware and Software Components

| Device Name | Device Model | Software Version |
|---|---|---|
| AD1-Building 1 | EX9208 | Junos OS Release 17.4R1 |
| AD2-Building 1 | EX9208 | Junos OS Release 17.4R1 |
| SD-Cluster-Building 1 | 2 EX4300 | Satellite Software 3.3R2.4 |

Table 2: Campus Building 2 Hardware and Software Components

| Device Name | Device Model | Software Version |
|---|---|---|
| AD1-Building 2 | EX9208 | Junos OS Release 17.4R1 |
| AD2-Building 2 | EX9208 | Junos OS Release 17.4R1 |
| SD-Cluster-Building 2 | 3 EX4300 | Satellite Software 3.3R2.4 |

Figure 1 provides an overview topology diagram of the setup used in this network configuration example.

Figure 1: Topology Diagram

This topology includes six VLANs in two Virtual Routing and Forwarding (VRF) instances. VLANs 2 and 3 are located in Building 1 only while VLANs 6 and 7 are located in Building 2 only. VLANs 2, 3, 6, and 7 are all part of VRF1 and are all Layer 3 reachable from both buildings using EVPN Type 5 routes.

VLANs 4 and 5 are in VRF2 in both buildings and are Layer 2 stretched across the campuses. EVPN Type 5 routes are, therefore, not sent to connect the campuses in VRF2 because VRF2 does not have a need for Layer 3 reachability.

Table 3 summarizes the VLANs used in this topology.

Table 3: VLAN Summary

| VLAN | Building | Virtual Routing and Forwarding Instance |
|---|---|---|
| V2 | 1 | VRF1 |
| V3 | 1 | VRF1 |
| V4 | 1 & 2 | VRF2 |
| V5 | 1 & 2 | VRF2 |
| V6 | 2 | VRF1 |
| V7 | 2 | VRF1 |

Figure 2 illustrates the relationships between the VRFs, IRBs, and VLANs used in this network configuration example.

Figure 2: Layer 3 Network Segmentation

Configuration

To configure this topology, perform these tasks:

Configuring the Junos Fusion Enterprises

This section provides a summary configuration required to deploy Junos Fusion Enterprise in each campus building.

For a detailed example of a Junos Fusion Enterprise implementation, see Example: Enabling Junos Fusion Enterprise on an Enterprise Campus Network.

CLI Quick Configuration

See Appendix: Connecting Junos Fusion Enterprises Using MPLS Quick Configuration Procedure.

Step-by-Step Procedure

To configure the Junos Fusion Enterprise in each campus building:

  1. Configure the satellite device clusters:

    Building1-AD1 Example:

    This step must be performed on each aggregation device.

    For detailed information on satellite device clustering:

  2. Create the redundancy groups. The redundancy groups are needed to enable dual aggregation devices in a Junos Fusion Enterprise topology.

    Building1-AD1 Example:

    For detailed information on the components of redundancy group configuration, see Configuring the Dual Aggregation Device Topology in Configuring or Expanding a Junos Fusion Enterprise.

  3. Perform these steps to ensure the EX4300 switches are converted into satellite devices.
    • Download the satellite software. The satellite software is downloaded to the /var/tmp directory on the aggregation devices in these instructions, but it can also be downloaded to other local and remote locations. See Software Download: Junos Fusion to retrieve the software and Installing Satellite Software and Adding Satellite Devices to the Junos Fusion for information on additional satellite software download options.

    • Enable automatic satellite device conversion:

      Building1-AD1 Example:

    • Associate the satellite software upgrade group with a satellite software image:

      Building1-AD1 Example:

      The upgrade group name in this step is the name of the satellite device cluster.

    A switch must be running a supported version of Junos OS and zeroized before it can be converted into a satellite device. See Preparing a Switch Running Junos OS to Become a Satellite Device before converting a switch into a satellite device.

  4. Enable ICCP and ICL between the aggregation devices.

    Building1-AD1 Example:

    For detailed information on the functions of ICCP and ICL in a Junos Fusion Enterprise using dual aggregation devices, see Configuring the Dual Aggregation Device Topology in Configuring or Expanding a Junos Fusion Enterprise.

  5. Configure an interface or interfaces on the aggregation device into a cascade port to connect the aggregation devices to satellite devices.

    Building1-AD1 Example:

  6. Configure an uplink port policy to define which ports on the satellite devices connect to the aggregation devices and other satellite devices.

    Building1-AD1 Example:

    See Configuring Uplink Port Policies on a Junos Fusion for additional information on uplink port policies.

  7. Repeat these configuration steps from each aggregation device, as needed.

Configuring the Aggregation Devices as MPLS PE Devices and Enabling OSPF as the Routing Protocol

The aggregation devices in the Junos Fusion Enterprises in this topology function as MPLS Provider Edge (PE) devices. IP over MPLS runs in the WAN in this topology, using OSPF as the routing protocol and LDP as the signaling protocol. All WAN-connected interfaces on the aggregation devices, therefore, must enable MPLS, OSPF, and LDP to enable the topology in this network configuration example.

Figure 3 illustrates the MPLS and OSPF topology.

Figure 3: OSPF and MPLS Topology

CLI Quick Configuration

See Appendix: Connecting Junos Fusion Enterprises Using MPLS Quick Configuration Procedure.

Step-by-Step Procedure

To configure MPLS, OSPF, and LDP on the WAN-facing interfaces:

  1. Configure the loopback interface IP address:

    Building1-AD1 Example

  2. Configure the IP address of the WAN-facing interface:

    Building1-AD1 Example

  3. Enable OSPF on the loopback interface and on the WAN-facing interface. Disable OSPF on the management Ethernet interface.

    Building1-AD1 Example

  4. Enable MPLS on the WAN-facing interface.

    Building1-AD1 Example

  5. Enable LDP on the WAN-facing interface.

    Building1-AD1 Example

  6. Repeat these steps for each WAN-facing interface on each aggregation device.

Configuring the MP-BGP Overlay Between the Aggregation Devices

IP connectivity was established between the loopback interfaces of the aggregation devices in the previous section.

MP-BGP connectivity is established in this topology by placing all of the WAN-facing interfaces on the aggregation devices into the same autonomous system. This topology uses iBGP as the BGP type and EVPN for signaling.

Figure 4 illustrates the MP-BGP topology.

Figure 4: MP-BGP Topology

CLI Quick Configuration

See Appendix: Connecting Junos Fusion Enterprises Using MPLS Quick Configuration Procedure.

Step-by-Step Procedure

To configure MP-BGP in this topology:

  1. Configure the router ID and local BGP address on the aggregation device.

    The router ID and local BGP address match the loopback address that was configured to enable OSPF earlier in this guide to simplify network administration.

    Building1-AD1 Example

  2. Assign the device into the autonomous system (AS). The local AS and the peer AS are the same value in this topology because all of the WAN-facing links are in the same AS.

    Building1-AD1 Example

  3. Create a BGP group and enable IBGP as the BGP type within the group. Enable unicast IP VPN and EVPN signaling within the BGP group.

    Building1-AD1 Example

  4. Configure the AS of the BGP group to match the AS numbers assigned in step 2.

    Configure BGP neighborships in the BGP group by configuring the router ID of each aggregation device as a BGP neighbor.

    Building1-AD1 Example

  5. Repeat these steps for the WAN-facing interfaces on each aggregation device.

Configuring an EVPN Virtual Switch Instance

Junos Fusion Enterprise supports Virtual Switches and VLAN-aware bundle service. VLAN-aware bundle service provides the ability to map a Virtual Switch to many VLAN IDs (VIDs) and multiple bridge tables, with each bridge table corresponding to a different VLAN.

You can configure an Ethernet VPN (EVPN) with virtual switch support to enable multiple tenants with independent VLANs and subnet spaces within an EVPN instance. Virtual switches provide the ability to extend Ethernet VLANs over a WAN using a single EVPN instance while maintaining data-plane separation between the multiple VLANs associated with that instance. A single EVPN instance can stretch up to 4094 bridge domains defined in a virtual switch to remote sites.

In this section, we complete the following tasks:

  • Define a virtual switch instance.

  • Assign a unique route-distinguisher for this virtual switch instance.

  • Define the MC-LAG BGP peer in the Junos Fusion Enterprise.

  • Define VLANs that are part of the virtual switch instance.

  • Configure VLANs that are Layer 2 stretched across the two Junos Fusion Enterprises in different buildings.

Figure 5 illustrates the Virtual Switch instance that is configured in these steps.

Figure 5: Virtual Switch Instance

CLI Quick Configuration

See Appendix: Connecting Junos Fusion Enterprises Using MPLS Quick Configuration Procedure.

Step-by-Step Procedure

To configure this virtual switch instance:

  1. Create a routing instance that uses the virtual switch instance type. Associate the virtual switch with a route distinguisher and a Virtual Routing and Forwarding (VRF) instance.

    Building 1-AD1 Example

  2. Enable and configure EVPN in the virtual switch.

    This configuration includes two VLANs—VLAN 4 and VLAN 5—that are stretched to carry Layer 2 traffic for both campuses over the WAN. This Layer 2 stretching is configured using the extended-vlan-list option.

    Building 1-AD1 Example

  3. Configure a service ID for the virtual switch. This service ID should match for the virtual switch instances on all aggregation devices.

    Building 1-AD1 Example

  4. Configure the VLANs into the virtual switch instance. Associate the VLANs with IRB interfaces and enable no ARP suppression for each VLAN.

    Building 1-AD1 Example

  5. Create and apply an export routing policy that enables per-packet load balancing for EVPN traffic in the virtual switch instance.

    Building 1-AD1 Example

  6. Enable the aggregation devices to use chained composite next hops to manage ingress EVPN routes.

    Building 1-AD1 Example

  7. Repeat this procedure on each aggregation device.

Configuring Extended Ports into the Routing Instance

Extended ports on satellite devices are typically used to connect endpoint devices into the network. The extended ports are connected to PCs in this network configuration example.

The extended ports are configured into the virtual switch instance—the routing instance named evpn1 that was configured in the previous procedure—and associated with VLANs in this procedure.

Figure 6 illustrates the hosts and the extended ports that are configured in these steps.

Figure 6: Extended Port Configuration

CLI Quick Configuration

See Appendix: Connecting Junos Fusion Enterprises Using MPLS Quick Configuration Procedure.

Step-by-Step Procedure

To configure the extended ports:

  1. Configure the extended ports into an Ethernet Segment, and enable all active forwarding.

    Building1-AD1 Example

  2. Configure the interface mode—either trunk or access port mode—and associate VLANs with each extended port.

    Building1-AD1 Example

  3. Configure the extended port into the virtual switch routing instance.

    Building1-AD1 Example

  4. Repeat this procedure for each extended port.

Configuring Layer 3 and Network Segmentation

In this topology, Layer 3 segmentation happens by creating two VRF instances, VRF 1 and VRF 2.

VRF 1 contains VLANs 1, 2, 6, and 7. VLANs 1 and 2 are configured in building 1 only and VLANs 6 and 7 are configured in building 2 only. Traffic in VRF 1, therefore, does not have a method to cross the WAN without further configuration. EVPN Type 5 routes, which are often also referred to as IP prefix routes, are used in this example to provide Layer 3 connectivity across the WAN for the VLANs in VRF 1.

VRF 2 contains VLANs 4 and 5. VLANs 4 and 5 operate in both buildings and were Layer 2 stretched across the buildings in an earlier step. There is, therefore, no need to configure connectivity across the WAN for the VLANs in VRF 2.

Figure 7 illustrates the Layer 3 network segmentation in this example.

Figure 7: Layer 3 Network Segmentation

CLI Quick Configuration

See Appendix: Connecting Junos Fusion Enterprises Using MPLS Quick Configuration Procedure.

Step-by-Step Procedure

To configure layer 3 segmentation:

  1. Create and configure the IRB interfaces on the aggregation devices:

    Building1-AD1 Example

  2. Create the VRF instances. Assign the IRB interfaces and the WAN-facing interfaces into the VRF instances.

    Building1-AD1 Example

  3. Configure the route distinguisher and target in each VRF instance. Enable the VRF table label option to ensure efficient handling of traffic using the VRF.

    Configure the community targets for each VRF to match the VRF target in the routing instances.

    Building1-AD1 Example

  4. (Optional. DHCP Relay config only) Configure DHCP Relay within the VRFs.

    Building1-AD1 Example

  5. Enable OSPF within the VRFs. The IRB interfaces and the WAN-facing interfaces must be configured into OSPF in each VRF instance.

    Building1-AD1 Example

  6. Enable EVPN with a routing policy that enables and defines the IP prefixes to send in the type 5 messages sent between the aggregation devices in different buildings.

    This step is configured in VRF 1 only. EVPN type 5 routes are not needed in VRF 2 in this topology.

    Building1-AD1 Example

  7. Repeat this procedure on the other aggregation devices, as needed.

Configuring a DHCP Server

A DHCP server is added to this topology in building 1 using these instructions. The server is connected to both aggregation devices.

CLI Quick Configuration

See Appendix: Connecting Junos Fusion Enterprises Using MPLS Quick Configuration Procedure.

Step-by-Step Procedure

To configure the DHCP server into the network:

Note

The DHCP server configuration matches on both aggregation devices, and is configured using groups in this document.

  1. Apply the group configurations:
    Note

    Additional configuration is required to support configuration synchronization using groups in a Junos Fusion. See Understanding Configuration Synchronization in a Junos Fusion and Enabling Configuration Synchronization Between Aggregation Devices in a Junos Fusion.

  2. Configure the interfaces on the aggregation device that connect to the DHCP server—in this case, ge-0/0/10 and ge-0/0/11—into the DHCP local server group.

    Building 1-AD1 & Building1-AD2 Example

  3. Configure the DHCP address pools for each group.

    Building 1-AD1 & Building1-AD2 Example

  4. Configure the VLAN associations and the IP addresses of each DHCP-server facing interface on the aggregation devices.

    Building 1-AD1 & Building1-AD2 Example

  5. Configure the DHCP-server facing interfaces on the aggregation devices into the OSPF area:

    Building 1-AD1 & Building1-AD2 Example

Configuring 802.1X and MAC RADIUS Authentication

This procedure shows how to enable an authentication order that includes 802.1X and MAC RADIUS for the hosts connected to the extended ports in campus building 1. The configuration assumes a RADIUS server is connected to both aggregation devices in the campus.

Figure 8 illustrates the 802.1X and MAC authentication topology.

Figure 8: 802.1X and MAC Authentication Topology

CLI Quick Configuration

See Appendix: Connecting Junos Fusion Enterprises Using MPLS Quick Configuration Procedure.

Step-by-Step Procedure

To configure an authentication order with 802.1X and MAC RADIUS on a host connected to an extended port:

  1. Configure the extended port into an ESI and configure the interface type.

    Building1-AD1 Example

  2. Create the 802.1X access profile. The profile is associated with the extended port interfaces in a later step.

    Building1-AD1 Example

  3. Associate the access profile defined in step 2 with the 802.1X protocol.

    Building1-AD1 Example

  4. Configure the authentication order for each extended port.

    Building1-AD1 Example

  5. Configure the RADIUS server.

    The RADIUS server configuration can vary between servers and the configuration for each RADIUS server option is beyond the scope of this document. The following sample RADIUS server configuration, however, is provided for illustrative purposes.

    Below is a sample RADIUS server configuration file. The file is located in the /etc/freeradius/users directory on the RADIUS server.

Configuring Voice over IP

This procedure shows how to connect a Voice over IP phone to an extended port in campus building 1. The topology includes a PC connected to the phone and includes separate VLANs to differentiate handling of data and voice traffic.

Figure 9 illustrates the Voice over IP topology.

Figure 9: Voice over IP Topology

CLI Quick Configuration

See Appendix: Connecting Junos Fusion Enterprises Using MPLS Quick Configuration Procedure.

Step-by-Step Procedure

To enable Voice over IP:

  1. Configure the extended port into an ESI and configure the port mode.

    Building1-AD1 Example:

  2. Configure authentication using 802.1X and MAC RADIUS.

    Building1-AD1 Example:

  3. Configure the RADIUS server to support the voice and data VLANs.

    The RADIUS server configuration options are beyond the scope of this document. The following sample RADIUS server configuration is provided for illustrative purposes only.

    Sample RADIUS Server Configuration to Support Voice over IP and Data VLANs:

  4. Enable LLDP and LLDP-MED on the extended port:

    Building1-AD1 Example

  5. Enable PoE on the extended port:

    Building1-AD1 Example

  6. Create or add the extended port to a routing instance.

    Building1-AD1 Example

  7. Create a data and a voice VLAN in the routing instance, and associate an IRB with each VLAN. Configure the extended port as a Voice over IP interface and associate the extended port with the voice VLAN.

    Building1-AD1 Example

  8. Configure the IRB interfaces into a VRF. Enable DHCP relay and OSPF on the IRB interfaces.

    Building1-AD1 Example

  9. Repeat this procedure on aggregation device 2.

Verification

This section shows the tasks that can be used to verify configuration and operation of the topology configured in this network configuration example.

It includes the following sections:

Verifying that the Satellite Devices are Online

Purpose

Verify that the satellite devices are online.

Action

Enter the show chassis satellite command from the aggregation devices to verify that the satellite devices in that Junos Fusion Enterprise are online.

Building1-AD1 Example:

Verifying the Satellite Device Hardware Models

Purpose

Verify the hardware models of the satellite devices in the Junos Fusion Enterprise.

Action

Enter the show chassis satellite terse command from an aggregation device.

Building1-AD1 Example:

Verifying Cascade and Uplink Port States

Purpose

Verify the state of the cascade and uplink ports in the Junos Fusion Enterprise.

Action

Enter the show chassis satellite interface command from an aggregation device.

Building1-AD1 Example:

Verifying Extended Port Operation

Purpose

Verify that the extended ports are recognized and are operating properly.

Action

Enter the show chassis satellite extended-port command from an aggregation device.

Building1-AD1 Example:

Verifying the Satellite Software Version

Purpose

Verify the satellite software version running on the satellite devices in the Junos Fusion Enterprise.

Action

Enter the show chassis satellite software command from an aggregation device.

Building1-AD1 Example:

Verifying the OSPF State

Purpose

Verify the OSPF state for the interfaces on the aggregation device that are participating in OSPF.

Action

Enter the show ospf neighbor command from an aggregation device.

Building1-AD1 Example:

Verifying the MPLS Protocol Status

Purpose

Verify MPLS operations.

Action

Enter the show ldp session command on an aggregation device to verify MPLS-related information.

Building1-AD1 Example:

Verifying the BGP Neighbor State

Purpose

Verify that BGP is established and operational with all neighbor devices and in all routing tables.

Action

Enter the show bgp summary command from an aggregation device.

Building1-AD1 Example:

Verifying EVPN Type 5 Routes

Purpose

Verify EVPN Type 5 routes.

Action

Enter the show evpn l3-context VRF-1 extensive command to verify that EVPN type 5 routes are being exported.

Building1-AD1 Example:

Enter the show route table VRF-1.inet.0 protocol direct command to verify which direct routes are in the routing table for the VRF.

Enter the show evpn ip-prefix-database l3-context VRF-1 direction exported extensive command to confirm which routes are being sent as EVPN Type 5 (IP Prefix) routes.

Building1-AD1 Example:

Enter the show route table VRF-1.evpn.0 protocol evpn command to view the EVPN Type 5 routes created for exported IP prefixes.

Building1-AD1 Example:

Enter the show route table VRF-1.evpn.0 advertising-protocol bgp 192.168.93.4 extensive command to gather information on EVPN Type 5 route attributes.

Building1-AD1 Example:

Enter the show route table VRF-1.evpn.0 protocol bgp command to gather information about EVPN Type 5 routes distributed through the EVPN control plane from campus building 1 to campus building 2.

Building2-AD1 Example:

Enter the show evpn ip-prefix-database l3-context VRF-1 direction imported extensive command for information on EVPN Type 5 routes that are selected for import as IP prefixes:

Building2-AD1 Example:

Enter the show route table VRF-1.inet.0 protocol evpn command to view a list of IP routes created for imported EVPN Type 5 routes:

Building2-AD1 Example:

Verifying Operation of the EVPN Route Types and MAC Tables

Purpose

Verify operation of the EVPN Route types and MAC tables in the routing instance.

Action

Enter the show route advertising-protocol bgp extensive command from an aggregation device to verify operation of the EVPN route types from the device advertising the BGP routes.

Enter the show route receive-protocol bgp extensive command from an aggregation device to verify operation of the EVPN route types from the device advertising the BGP routes.

Enter the show ethernet-switching table command from an aggregation device to verify the MAC addresses in the forwarding table for the routing instance.

Building1-AD1 Example (Advertising BGP):

Building2-AD1 Example (Receiving BGP):

Verifying DHCP Operations

Purpose

Verify DHCP operations, state, and various other related information.

Action

Enter the following commands to gather pertinent information about DHCP in this topology.

Building1-AD1 Example:

Verifying 802.1X and MAC Authentication

Purpose

Verify 802.1X roles, states, and other information about authentication.

Action

Building1-AD1 Example:
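
An offline complement to the CLI checks, added here as an example and not part of the original document: the Python below audits a Junos set-format configuration and reports every interface placed in the evpn1 virtual switch instance that has no 802.1X authenticator entry, or whose explicit authentication order lacks 802.1X or MAC RADIUS. The sample configuration, interface names, profile name and statement forms are constructed assumptions.

```python
import re

# Constructed sample in Junos "set" format. Interface names, the profile name
# and the statement forms are assumptions for this example, not page content.
SAMPLE_CONFIG = """\
set routing-instances evpn1 instance-type virtual-switch
set routing-instances evpn1 interface ge-101/0/1.0
set routing-instances evpn1 interface ge-101/0/2.0
set routing-instances evpn1 interface ge-102/0/5.0
set protocols dot1x authenticator authentication-profile-name dot1x-profile
set protocols dot1x authenticator interface ge-101/0/1.0 supplicant multiple
set protocols dot1x authenticator interface ge-101/0/1.0 authentication-order dot1x
set protocols dot1x authenticator interface ge-101/0/1.0 authentication-order mac-radius
set protocols dot1x authenticator interface ge-101/0/2.0 supplicant single
"""

REQUIRED_METHODS = ("dot1x", "mac-radius")
INSTANCE_IF = re.compile(r"^set routing-instances (\S+) interface (\S+)$")
DOT1X_IF = re.compile(
    r"^set protocols dot1x authenticator interface (\S+)(?: (.*))?$")


def with_unit(name):
    """Treat 'ge-101/0/1' and 'ge-101/0/1.0' as the same logical interface."""
    return name if name == "all" or "." in name else name + ".0"


def parse(config, instance):
    """Return (ports in the instance, {dot1x interface: [methods in order]})."""
    ports, dot1x = [], {}
    for raw in config.splitlines():
        line = raw.strip()
        m = INSTANCE_IF.match(line)
        if m:
            if m.group(1) == instance:
                ports.append(with_unit(m.group(2)))
            continue
        m = DOT1X_IF.match(line)
        if m:
            methods = dot1x.setdefault(with_unit(m.group(1)), [])
            words = (m.group(2) or "").split()
            if words[:1] == ["authentication-order"]:
                # Accept one method per line and the bracketed list form.
                methods.extend(w.strip("[]") for w in words[1:] if w.strip("[]"))
    return ports, dot1x


def audit(config, instance="evpn1"):
    """Map each unprotected or partly protected port to the reason."""
    ports, dot1x = parse(config, instance)
    findings = {}
    for port in ports:
        # A per-interface entry wins; 'interface all' is the fallback.
        methods = dot1x.get(port, dot1x.get("all"))
        if methods is None:
            findings[port] = "no 802.1X authenticator entry"
            continue
        missing = [m for m in REQUIRED_METHODS if m not in methods]
        if missing:
            findings[port] = "authentication-order missing: " + ", ".join(missing)
    return findings


if __name__ == "__main__":
    for port, reason in audit(SAMPLE_CONFIG).items():
        print(port, "->", reason)
```

Run it against the output of show configuration | display set saved from each aggregation device; an empty result means every port in the instance carries both methods.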

Verifying Voice over IP

Purpose

Verify the Voice over IP configuration, including power consumption, data and voice VLAN associations, 802.1X configuration details, LLDP configuration details, and DHCP Relay bindings.

Action

Enter the following commands from the aggregation device to collect key Voice over IP configuration details.

Building1-AD1 Example: