ON THIS PAGE
Example: Configuring Pseudowire Redundancy in a Mobile Backhaul Scenario
This example shows how to configure pseudowire redundancy where Layer 2 and Layer 3 segments are interconnected in a mobile backhaul scenario.
Requirements
This example can be configured using the following hardware and software components:
Junos OS Release 13.2 or later
ACX5000 line of routers as the access (A) routers
MX Series 5G Universal Routing Platforms or M Series Multiservice Edge Routers for the Provider Edge (PE) Routers
PTX Series Packet Transport Routers acting as transit label-switched routers
T Series Core Routers for the Core Routers
The PE routers could also be T Series Core Routers but that is not typical. Depending on your scaling requirements, the core routers could also be MX Series 5G Universal Routing Platforms or M Series Multiservice Edge Routers. The Customer Edge (CE) devices could be other routers or switches from Juniper Networks or another vendor.
No special configuration beyond device initialization is required before configuring this example.
Overview
Device CE1 is a simple edge router with an IPv4 interface and
a static route pointing to the PE devices. Device A1 establishes two
virtual circuits (VCs) toward Device PE1 and Device PE2 by making
use of the hot-standby statement. Device PE1 and Device
PE2 terminate these VCs and enforce a policy condition over the logical
tunnel IPv4 subnet. Device PE3 performs as a Layer 3 VPN provider
edge device by having an IPv4 interface in a Layer 3 VPN shared with
Device PE1 and Device PE2.
CLI Quick Configuration shows the configuration for all of the devices in Figure 1.
The section Step-by-Step Procedure describes the steps on Device A1 and Device PE1.
Configuration
Procedure
CLI Quick Configuration
To quickly
configure this example, copy the following commands, paste them into
a text file, remove any line breaks, change any details necessary
to match your network configuration, and then copy and paste the commands
into the CLI at the [edit] hierarchy level.
Device CE1
set interfaces ge-1/3/3 vlan-tagging set interfaces ge-1/3/3 unit 600 vlan-id 600 set interfaces ge-1/3/3 unit 600 family inet address 10.41.0.104/24 set interfaces lo0 unit 0 family inet address 192.168.0.104/32 primary set protocols ospf area 0.0.0.0 interface ge-1/3/3.600 set protocols ospf area 0.0.0.0 interface lo0.0 set routing-options static route 192.168.0.0/8 next-hop 10.41.0.1 set routing-options static route 10.53.0.0/16 next-hop 10.41.0.1 set routing-options router-id 192.168.0.104
Device A1
set interfaces ge-1/3/0 unit 0 family inet address 10.20.0.100/24 set interfaces ge-1/3/0 unit 0 family iso set interfaces ge-1/3/0 unit 0 family mpls set interfaces ge-1/3/1 unit 0 family inet address 10.10.0.100/24 set interfaces ge-1/3/1 unit 0 family iso set interfaces ge-1/3/1 unit 0 family mpls set interfaces ge-1/3/2 vlan-tagging set interfaces ge-1/3/2 encapsulation vlan-ccc set interfaces ge-1/3/2 unit 600 encapsulation vlan-ccc set interfaces ge-1/3/2 unit 600 vlan-id 600 set interfaces ge-1/3/2 unit 600 family ccc set interfaces lo0 unit 0 family inet address 192.168.0.100/32 primary set interfaces lo0 unit 0 family iso address 49.0002.0192.0168.0100.00 set routing-options router-id 192.168.0.100 set routing-options autonomous-system 64510 set routing-options forwarding-table export pplb set protocols rsvp interface ge-1/3/0.0 set protocols rsvp interface ge-1/3/1.0 set protocols rsvp interface lo0.0 set protocols mpls interface ge-1/3/0.0 set protocols mpls interface ge-1/3/1.0 set protocols isis interface ge-1/3/0.0 set protocols isis interface ge-1/3/1.0 set protocols isis interface lo0.0 set protocols ldp interface ge-1/3/0.0 set protocols ldp interface ge-1/3/1.0 set protocols ldp interface lo0.0 set protocols l2circuit neighbor 192.168.0.101 interface ge-1/3/2.600 virtual-circuit-id 1 set protocols l2circuit neighbor 192.168.0.101 interface ge-1/3/2.600 pseudowire-status-tlv set protocols l2circuit neighbor 192.168.0.101 interface ge-1/3/2.600 revert-time 10 maximum 60 set protocols l2circuit neighbor 192.168.0.101 interface ge-1/3/2.600 backup-neighbor 192.168.0.102 virtual-circuit-id 2 set protocols l2circuit neighbor 192.168.0.101 interface ge-1/3/2.600 backup-neighbor 192.168.0.102 hot-standby set policy-options policy-statement pplb then load-balance per-packet
Device PE1
set interfaces ge-0/1/1 unit 0 family inet address 10.21.0.101/24 set interfaces ge-0/1/1 unit 0 family iso set interfaces ge-0/1/1 unit 0 family mpls set interfaces ge-0/1/2 unit 0 family inet address 10.31.0.101/24 set interfaces ge-0/1/2 unit 0 family iso set interfaces ge-0/1/2 unit 0 family mpls set interfaces ge-0/1/3 unit 0 family inet address 10.10.0.101/24 set interfaces ge-0/1/3 unit 0 family iso set interfaces ge-0/1/3 unit 0 family mpls set interfaces lt-1/2/0 unit 600 encapsulation vlan-ccc set interfaces lt-1/2/0 unit 600 vlan-id 600 set interfaces lt-1/2/0 unit 600 peer-unit 601 set interfaces lt-1/2/0 unit 601 encapsulation vlan set interfaces lt-1/2/0 unit 601 vlan-id 600 set interfaces lt-1/2/0 unit 601 peer-unit 600 set interfaces lt-1/2/0 unit 601 family inet filter input icmp_inet set interfaces lt-1/2/0 unit 601 family inet filter output icmp_inet set interfaces lt-1/2/0 unit 601 family inet address 10.41.0.101/24 vrrp-group 0 virtual-address 10.41.0.1 set interfaces lt-1/2/0 unit 601 family inet address 10.41.0.101/24 vrrp-group 0 accept-data set interfaces lo0 unit 0 family inet address 192.168.0.101/32 primary set interfaces lo0 unit 0 family iso address 49.0002.0192.0168.0003.00 set interfaces lo0 unit 1 family inet address 192.168.1.101/32 set routing-options router-id 192.168.0.101 set routing-options autonomous-system 64511 set protocols rsvp interface ge-0/1/1.0 set protocols rsvp interface ge-0/1/2.0 set protocols rsvp interface ge-0/1/3.0 set protocols rsvp interface lo0.0 set protocols mpls label-switched-path to_PE3 to 192.168.0.103 set protocols mpls label-switched-path to_PE2 to 192.168.0.102 set protocols mpls interface ge-0/1/1.0 set protocols mpls interface ge-0/1/2.0 set protocols mpls interface ge-0/1/3.0 set protocols bgp local-address 192.168.0.101 set protocols bgp group ibgp family inet-vpn any set protocols bgp group ibgp peer-as 64511 set protocols bgp group ibgp neighbor 192.168.0.102 set protocols bgp group ibgp neighbor 192.168.0.103 set protocols isis interface ge-0/1/1.0 set protocols isis interface ge-0/1/2.0 set protocols isis interface ge-0/1/3.0 set protocols isis interface lo0.0 set protocols ldp interface ge-0/1/1.0 set protocols ldp interface ge-0/1/2.0 set protocols ldp interface ge-0/1/3.0 set protocols ldp interface lo0.0 set protocols l2circuit neighbor 192.168.0.100 interface lt-1/2/0.600 virtual-circuit-id 1 set protocols l2circuit neighbor 192.168.0.100 interface lt-1/2/0.600 pseudowire-status-tlv hot-standby-vc-on set policy-options policy-statement l3vpn_export term primary from condition primary set policy-options policy-statement l3vpn_export term primary then local-preference add 300 set policy-options policy-statement l3vpn_export term primary then community set l3vpn set policy-options policy-statement l3vpn_export term primary then accept set policy-options policy-statement l3vpn_export term standby from condition standby set policy-options policy-statement l3vpn_export term standby then local-preference add 30 set policy-options policy-statement l3vpn_export term standby then community set l3vpn set policy-options policy-statement l3vpn_export term standby then accept set policy-options policy-statement l3vpn_export term default then community set l3vpn set policy-options policy-statement l3vpn_export term default then accept set policy-options policy-statement l3vpn_import term 1 from community l3vpn set policy-options policy-statement l3vpn_import term 1 then accept set policy-options policy-statement l3vpn_import term default then reject set policy-options policy-statement ospf_export term 0 from community l3vpn set policy-options policy-statement ospf_export term 0 then accept set policy-options community l3vpn members target:64511:600 set policy-options condition primary if-route-exists address-family ccc lt-1/2/0.600 set policy-options condition primary if-route-exists address-family ccc table mpls.0 set policy-options condition primary if-route-exists address-family ccc peer-unit 601 set policy-options condition standby if-route-exists address-family ccc lt-1/2/0.600 set policy-options condition standby if-route-exists address-family ccc table mpls.0 set policy-options condition standby if-route-exists address-family ccc standby set policy-options condition standby if-route-exists address-family ccc peer-unit 601 set firewall family inet filter icmp_inet interface-specific set firewall family inet filter icmp_inet term 0 from source-address 10.41.0.101/32 except set firewall family inet filter icmp_inet term 0 from source-address 10.0.0.0/8 set firewall family inet filter icmp_inet term 0 from protocol icmp set firewall family inet filter icmp_inet term 0 then count icmp_inet set firewall family inet filter icmp_inet term 0 then log set firewall family inet filter icmp_inet term 0 then accept set firewall family inet filter icmp_inet term 1 then accept set routing-instances l3vpn instance-type vrf set routing-instances l3vpn interface lt-1/2/0.601 set routing-instances l3vpn interface lo0.1 set routing-instances l3vpn route-distinguisher 192.168.1.101:64511 set routing-instances l3vpn vrf-import l3vpn_import set routing-instances l3vpn vrf-export l3vpn_export set routing-instances l3vpn vrf-table-label set routing-instances l3vpn protocols ospf export ospf_export set routing-instances l3vpn protocols ospf area 0.0.0.0 lt-1/2/0.601 set routing-instances l3vpn protocols ospf area 0.0.0.0 lo0.1
Device PE2
set interfaces ge-0/3/0 unit 0 family inet address 10.20.0.102/24 set interfaces ge-0/3/0 unit 0 family iso set interfaces ge-0/3/0 unit 0 family mpls set interfaces ge-0/3/1 unit 0 family inet address 10.21.0.102/24 set interfaces ge-0/3/1 unit 0 family iso set interfaces ge-0/3/1 unit 0 family mpls set interfaces ge-0/3/3 unit 0 family inet address 10.32.0.102/24 set interfaces ge-0/3/3 unit 0 family iso set interfaces ge-0/3/3 unit 0 family mpls set interfaces lt-1/2/0 unit 600 encapsulation vlan-ccc set interfaces lt-1/2/0 unit 600 vlan-id 600 set interfaces lt-1/2/0 unit 600 peer-unit 601 set interfaces lt-1/2/0 unit 601 encapsulation vlan set interfaces lt-1/2/0 unit 601 vlan-id 600 set interfaces lt-1/2/0 unit 601 peer-unit 600 set interfaces lt-1/2/0 unit 601 family inet filter input icmp_inet set interfaces lt-1/2/0 unit 601 family inet filter output icmp_inet set interfaces lt-1/2/0 unit 601 family inet address 10.41.0.102/24 vrrp-group 0 virtual-address 10.41.0.1 set interfaces lt-1/2/0 unit 601 family inet address 10.41.0.102/24 vrrp-group 0 accept-data set interfaces lo0 unit 0 family inet address 192.168.0.102/32 primary set interfaces lo0 unit 0 family iso address 49.0002.0192.0168.0102.00 set interfaces lo0 unit 1 family inet address 192.168.1.102/32 set routing-options router-id 192.168.0.102 set routing-options autonomous-system 64511 set protocols rsvp interface ge-0/3/0.0 set protocols rsvp interface ge-0/3/1.0 set protocols rsvp interface ge-0/3/3.0 set protocols rsvp interface lo0.0 set protocols mpls label-switched-path to_PE1 to 192.168.0.101 set protocols mpls label-switched-path to_PE3 to 192.168.0.103 set protocols mpls interface ge-0/3/0.0 set protocols mpls interface ge-0/3/1.0 set protocols mpls interface ge-0/3/3.0 set protocols bgp local-address 192.168.0.102 set protocols bgp group ibgp family inet-vpn any set protocols bgp group ibgp peer-as 64511 set protocols bgp group ibgp neighbor 192.168.0.101 set protocols bgp group ibgp neighbor 192.168.0.103 set protocols isis interface ge-0/3/0.0 set protocols isis interface ge-0/3/1.0 set protocols isis interface ge-0/3/3.0 set protocols isis interface lo0.0 set protocols ldp interface ge-0/3/0.0 set protocols ldp interface ge-0/3/1.0 set protocols ldp interface ge-0/3/3.0 set protocols ldp interface lo0.0 set protocols l2circuit neighbor 192.168.0.100 interface lt-1/2/0.600 virtual-circuit-id 2 set protocols l2circuit neighbor 192.168.0.100 interface lt-1/2/0.600 pseudowire-status-tlv hot-standby-vc-on set policy-options policy-statement l3vpn_export term primary from condition primary set policy-options policy-statement l3vpn_export term primary then local-preference add 300 set policy-options policy-statement l3vpn_export term primary then community set l3vpn set policy-options policy-statement l3vpn_export term primary then accept set policy-options policy-statement l3vpn_export term standby from condition standby set policy-options policy-statement l3vpn_export term standby then local-preference add 30 set policy-options policy-statement l3vpn_export term standby then community set l3vpn set policy-options policy-statement l3vpn_export term standby then accept set policy-options policy-statement l3vpn_export term default then community set l3vpn set policy-options policy-statement l3vpn_export term default then accept set policy-options policy-statement l3vpn_import term 1 from community l3vpn set policy-options policy-statement l3vpn_import term 1 then accept set policy-options policy-statement l3vpn_import term default then reject set policy-options policy-statement ospf_export term 0 from community l3vpn set policy-options policy-statement ospf_export term 0 then accept set policy-options community l3vpn members target:64511:600 set policy-options condition primary if-route-exists address-family ccc lt-1/2/0.600 set policy-options condition primary if-route-exists address-family ccc table mpls.0 set policy-options condition primary if-route-exists address-family ccc peer-unit 601 set policy-options condition standby if-route-exists address-family ccc lt-1/2/0.600 set policy-options condition standby if-route-exists address-family ccc table mpls.0 set policy-options condition standby if-route-exists address-family ccc standby set policy-options condition standby if-route-exists address-family ccc peer-unit 601 set firewall family inet filter icmp_inet interface-specific set firewall family inet filter icmp_inet term 0 from source-address 10.41.0.102/32 except set firewall family inet filter icmp_inet term 0 from source-address 10.0.0.0/8 set firewall family inet filter icmp_inet term 0 from protocol icmp set firewall family inet filter icmp_inet term 0 then count icmp_inet set firewall family inet filter icmp_inet term 0 then log set firewall family inet filter icmp_inet term 0 then accept set firewall family inet filter icmp_inet term 1 then accept set routing-instances l3vpn instance-type vrf set routing-instances l3vpn interface lt-1/2/0.601 set routing-instances l3vpn interface lo0.1 set routing-instances l3vpn route-distinguisher 192.168.1.102:64511 set routing-instances l3vpn vrf-import l3vpn_import set routing-instances l3vpn vrf-export l3vpn_export set routing-instances l3vpn vrf-table-label set routing-instances l3vpn protocols ospf export ospf_export set routing-instances l3vpn protocols ospf area 0.0.0.0 interface lt-1/2/0.601 set routing-instances l3vpn protocols ospf area 0.0.0.0 interface lo0.1
Device PE3
set interfaces ge-2/0/3 unit 0 family inet address 10.32.0.103/24 set interfaces ge-2/0/3 unit 0 family iso set interfaces ge-2/0/3 unit 0 family mpls set interfaces ge-2/0/5 unit 0 family inet address 10.53.0.103/24 set interfaces ge-2/0/5 unit 0 family mpls set interfaces ge-2/1/8 unit 0 family inet address 10.31.0.103/24 set interfaces ge-2/1/8 unit 0 family iso set interfaces ge-2/1/8 unit 0 family mpls set interfaces lo0 unit 0 family inet address 192.168.0.103/32 primary set interfaces lo0 unit 0 family iso address 49.0002.0192.0168.0103.00 set interfaces lo0 unit 1 family inet address 192.168.1.103/32 set routing-options router-id 192.168.0.103 set routing-options autonomous-system 64511 set protocols rsvp interface ge-2/0/3.0 set protocols rsvp interface ge-2/1/8.0 set protocols rsvp interface lo0.0 set protocols mpls label-switched-path to_PE1 to 192.168.0.101 set protocols mpls label-switched-path to_PE2 to 192.168.0.102 set protocols mpls interface ge-2/0/3.0 set protocols mpls interface ge-2/1/8.0 set protocols bgp local-address 192.168.0.103 set protocols bgp group ibgp family inet-vpn any set protocols bgp group ibgp peer-as 64511 set protocols bgp group ibgp neighbor 192.168.0.101 set protocols bgp group ibgp neighbor 192.168.0.102 set protocols isis interface ge-2/0/3.0 set protocols isis interface ge-2/1/8.0 set protocols isis interface lo0.0 set protocols ldp interface ge-2/0/3.0 set protocols ldp interface ge-2/1/8.0 set protocols ldp interface lo0.0 set policy-options policy-statement l3vpn_ospf_export term 0 from protocol direct set policy-options policy-statement l3vpn_ospf_export term 0 then accept set policy-options policy-statement l3vpn_ospf_import term 0 from protocol bgp set policy-options policy-statement l3vpn_ospf_import term 0 from community l3vpn set policy-options policy-statement l3vpn_ospf_import term 0 then accept set policy-options policy-statement ospf_export term 0 from community l3vpn set policy-options policy-statement ospf_export term 0 then accept set policy-options community l3vpn members target:64511:600 set routing-instances l3vpn instance-type vrf set routing-instances l3vpn interface ge-2/0/5.0 set routing-instances l3vpn interface lo0.1 set routing-instances l3vpn route-distinguisher 192.168.0.103:64511 set routing-instances l3vpn vrf-target target:64511:600 set routing-instances l3vpn vrf-table-label set routing-instances l3vpn protocols ospf export ospf_export set routing-instances l3vpn protocols ospf area 0.0.0.0 interface ge-2/0/5.0 set routing-instances l3vpn protocols ospf area 0.0.0.0 interface lo0.1
Device CE2
set interfaces ge-2/0/8 unit 0 family inet address 10.53.0.105/24 set interfaces lo0 unit 0 family inet address 192.168.0.105/32 primary set protocols ospf area 0.0.0.0 interface ge-2/0/8.0 set protocols ospf area 0.0.0.0 interface lo0.0 set routing-options router-id 192.168.0.105
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure Device A1:
-
Configure the interfaces.
Enable MPLS on the core-facing interfaces. The ISO address family is also enabled, because IS-IS is used as the interior gateway protocol (IGP) in the provider network.
On the customer-facing interface, you do not need to enable MPLS. On this interface, enable CCC encapsulation and address family CCC.
[edit interfaces] user@A1# set ge-1/3/0 unit 0 family inet address 10.20.0.100/24 user@A1# set ge-1/3/0 unit 0 family iso user@A1# set ge-1/3/0 unit 0 family mpls user@A1# set ge-1/3/1 unit 0 family inet address 10.10.0.100/24 user@A1# set ge-1/3/1 unit 0 family iso user@A1# set ge-1/3/1 unit 0 family mpls user@A1# set ge-1/3/2 vlan-tagging user@A1# set ge-1/3/2 encapsulation vlan-ccc user@A1# set ge-1/3/2 unit 600 encapsulation vlan-ccc user@A1# set ge-1/3/2 unit 600 vlan-id 600 user@A1# set ge-1/3/2 unit 600 family ccc user@A1# set lo0 unit 0 family inet address 192.168.0.100/32 primary user@A1# set lo0 unit 0 family iso address 49.0002.0192.0168.0100.00
-
Configure the RSVP on the core-facing interfaces and on the loopback interface.
RSVP is used in the Layer 3 domain.
[edit protocols rsvp] user@A1# set interface ge-1/3/0.0 user@A1# set interface ge-1/3/1.0 user@A1# set interface lo0.0
-
Configure LDP on the core-facing interfaces and on the loopback interface.
LDP is used in Layer 2 domain.
[edit protocols ldp] user@A1# set interface ge-1/3/0.0 user@A1# set interface ge-1/3/1.0 user@A1# set interface lo0.0
-
Configure MPLS on the core-facing interfaces.
[edit protocols mpls] user@A1# set interface ge-1/3/0.0 user@A1# set interface ge-1/3/1.0
-
Configure an interior gateway protocol, such as IS-IS or OSPF, on the core-facing interfaces and on the loopback interface.
[edit protocols isis] user@A1# set interface ge-1/3/0.0 user@A1# set interface ge-1/3/1.0 user@A1# set interface lo0.0
-
On the interface that faces the customer edge, configure the Layer 2 circuit.
Configure the
hot-standbystatement on those routers with both active and standby virtual circuits (VCs) (Device A1 in our topology). You must include thepseudowire-status-tlvstatement on access routers. Without the status TLV signaling, the standby flag cannot be advertised to remote provider edge (PE) devices.The
revert-timestatement and themaximumoption should also be configured on access routers. Without therevert-timestatement, traffic of all the VCs will not be transitioned to the primary path upon completion of the restoration. If arevert-timedelay is defined but amaximumdelay is not, then VCs are restored immediately upon the revert timer's expiration. The maximum option allows the VCs to be restored in a scattered fashion rather than all at once.[edit protocols l2circuit neighbor 192.168.0.101 interface ge-1/3/2.600] user@A1# set virtual-circuit-id 1 user@A1# set pseudowire-status-tlv user@A1# set revert-time 10 maximum 60 user@A1# set backup-neighbor 192.168.0.102 virtual-circuit-id 2 user@A1# set backup-neighbor 192.168.0.102 hot-standby
-
To have the unilist next hop get pushed to other access routers, configure per-packet load balancing.
[edit policy-options policy-statement pplb] user@A1# set then load-balance per-packet
-
Apply the per-packet load balancing policy.
[edit routing-options forwarding-table] user@A1# set export pplb
-
Configure the autonomous system (AS) ID and the router ID.
[edit routing-options] user@A1# set router-id 192.168.0.100 user@A1# set autonomous-system 64510
Similarly, configure any other access devices.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure Device PE1:
Configure the interfaces.
Enable MPLS on the core-facing interfaces.
[edit interfaces] user@PE1# set ge-0/1/1 unit 0 family inet address 10.21.0.101/24 user@PE1# set ge-0/1/1 unit 0 family iso user@PE1# set ge-0/1/1 unit 0 family mpls user@PE1# set ge-0/1/2 unit 0 family inet address 10.31.0.101/24 user@PE1# set ge-0/1/2 unit 0 family iso user@PE1# set ge-0/1/2 unit 0 family mpls user@PE1# set ge-0/1/3 unit 0 family inet address 10.10.0.101/24 user@PE1# set ge-0/1/3 unit 0 family iso user@PE1# set ge-0/1/3 unit 0 family mpls user@PE1# set lo0 unit 0 family inet address 192.168.0.101/32 primary user@PE1# set lo0 unit 0 family iso address 49.0002.0192.0168.0003.00 user@PE1# set lo0 unit 1 family inet address 192.168.1.101/32
On Device PE1 and Device PE2, which are aggregation routers, configure a pair of logical tunnel interfaces to represent LT(x) and LT(y).
The solution uses logical tunnel (lt-) paired interfaces for stitching the Layer 2 and Layer 3 domains.
A Layer 2 pseudowire terminates on one of the logical tunnel interfaces, LT(x), defined with the circuit cross-connect (CCC) address family. A Layer 3 VPN terminates the second logical tunnel interface, LT(y), defined with the IPv4 (inet) address family. LT(x) and LT(y) are paired.
[edit interfaces] user@PE1# set lt-1/2/0 unit 600 encapsulation vlan-ccc user@PE1# set lt-1/2/0 unit 600 vlan-id 600 user@PE1# set lt-1/2/0 unit 600 peer-unit 601 user@PE1# set lt-1/2/0 unit 601 encapsulation vlan user@PE1# set lt-1/2/0 unit 601 vlan-id 600 user@PE1# set lt-1/2/0 unit 601 peer-unit 600 user@PE1# set lt-1/2/0 unit 601 family inet filter input icmp_inet user@PE1# set lt-1/2/0 unit 601 family inet filter output icmp_inet
(Optional) Associate a unique VRRP address with both Device PE1 and Device PE2.
In this case, both Device PE1 and Device PE2 assume the primary state for the defined VIP IPv4 address, so no VRRP hello message are exchanged between the routers.
[edit interfaces lt-1/2/0 unit 601 family inet address 10.41.0.101/24] user@PE1# set vrrp-group 0 virtual-address 10.41.0.1 user@PE1# set vrrp-group 0 accept-data
Configure IS-IS or another IGP.
[edit protocols isis] user@PE1# set interface ge-0/1/1.0 user@PE1# set interface ge-0/1/2.0 user@PE1# set interface ge-0/1/3.0 user@PE1# set interface lo0.0
Configure the MPLS on the core-facing interfaces.
[edit protocols mpls] user@PE1# set interface ge-0/1/1.0 user@PE1# set interface ge-0/1/2.0 user@PE1# set interface ge-0/1/3.0
Configure label-switched paths to the other PE devices.
BGP is a policy-driven protocol, so also configure and apply any needed routing policies. For example, you might want to export static routes into BGP.
[edit protocols mpls] user@PE1# set label-switched-path to_PE3 to 192.168.0.103 user@PE1# set label-switched-path to_PE2 to 192.168.0.102
Configure LDP on the core-facing interfaces and on the loopback interface.
[edit protocols ldp] user@PE1# set interface ge-0/1/1.0 user@PE1# set interface ge-0/1/2.0 user@PE1# set interface ge-0/1/3.0 user@PE1# set interface lo0.0
Configure RSVP on the core-facing interfaces and on the loopback interface.
[edit protocols rsvp] user@PE1# set interface ge-0/1/1.0 user@PE1# set interface ge-0/1/2.0 user@PE1# set interface ge-0/1/3.0 user@PE1# set interface lo0.0
Configure internal BGP (IBGP).
[edit protocols bgp] user@PE1# set local-address 192.168.0.101 user@PE1# set group ibgp family inet-vpn any user@PE1# set group ibgp peer-as 64511 user@PE1# set group ibgp neighbor 192.168.0.102 user@PE1# set group ibgp neighbor 192.168.0.103
Configure the Layer 2 circuit on the logical tunnel interface.
Configure the
hot-standby-vc-onstatement if you want a hot standby pseudowire to be established upon arrival of PW_FWD_STDBY status TLV.[edit protocols l2circuit neighbor 192.168.0.100 interface lt-1/2/0.600] user@PE1# set virtual-circuit-id 1 user@PE1# set pseudowire-status-tlv hot-standby-vc-on
Define a pair of conditions to be applied to the egress policy defined within the Layer 3 VPN instance.
In both condition
primaryand conditionstandby, the matching route corresponds to the interface lt-1/2/0.600 (y), as this is the format in which egress routes appear in routing table mpls.0 to represent any given pseudowire.The difference between these conditions is in the
standbyattribute. Upon arrival of the PW_FWD_STDBY status TLV to Device PE1 or Device PE2, Junos OS matches conditionstandby, and in consequence, only termstandbywithin thel3vpnpolicy will be executed. On the other hand, if the PW_FWD_STDBY status TLV is not present, the policy only matches conditionprimary, which then executes termprimaryin thel3vpnpolicy. Also, for logical tunnel-based CCC services, you must specify the logical tunnel interface, LT(y), that is associated with the logical tunnel CCC interface, LT(x). (See Understanding Pseudowire Redundancy Mobile Backhaul Scenarios.)Finally, for CCC-based conditions, Junos OS only allows mpls.0 as the matching routing table. For the
addressattribute, Junos OS only allows strings with a logical interface unit format (for example, lt-0/0/0.0).[edit policy-options condition primary if-route-exists address-family ccc] user@PE1# set lt-1/2/0.600 user@PE1# set table mpls.0 user@PE1# set peer-unit 601 [edit policy-options condition standby if-route-exists address-family ccc] user@PE1# set lt-1/2/0.600 user@PE1# set table mpls.0 user@PE1# set standby user@PE1# set peer-unit 601
Configure the Layer 3 VPN export policy.
If the Layer 2 virtual circuit (VC) is primary, the corresponding provider edge (PE) routing device advertises the attachment circuit’s (AC’s) subnet with the higher local preference. All aggregation PE devices initially advertise the AC’s subnet with the same local preference.
This routing policy allows a higher local preference value to be advertised if the Layer 2 VC is active.
[edit policy-options policy-statement l3vpn_export] user@PE1# set term primary from condition primary user@PE1# set term primary then local-preference add 300 user@PE1# set term primary then community set l3vpn user@PE1# set term primary then accept user@PE1# set term standby from condition standby user@PE1# set term standby then local-preference add 30 user@PE1# set term standby then community set l3vpn user@PE1# set term standby then accept user@PE1# set term default then community set l3vpn user@PE1# set term default then accept
Configure the Layer 3 VPN community members.
[edit policy-options community l3vpn] user@PE1# set members target:64511:600
Configure the Layer 3 VPN import policy, based on the Layer 3 VPN community.
[edit policy-options policy-statement l3vpn_import] user@PE1# set term 1 from community l3vpn user@PE1# set term 1 then accept user@PE1# set term default then reject
Configure OSPF export policy, based on the Layer 3 VPN community.
[edit policy-options policy-statement ospf_export term 0] user@PE1# set from community l3vpn user@PE1# set then accept
(Optional) Configure a firewall filter to check the path taken by traffic.
[edit firewall family inet filter icmp_inet] user@PE1# set interface-specific user@PE1# set term 0 from source-address 10.41.0.101/32 except user@PE1# set term 0 from source-address 10.0.0.0/8 user@PE1# set term 0 from protocol icmp user@PE1# set term 0 then count icmp_inet user@PE1# set term 0 then log user@PE1# set term 0 then accept user@PE1# set term 1 then accept
Configure the routing instance.
This routing instance is in the Layer 2 domain where Device PE1 and Device PE2 are interconnected to the metro ring over multiaccess media (Ethernet). You must include the
vrf-table-label' statement on Device PE1 and Device PE2 to enable advertisement of the direct subnet prefix corresponding to the logical tunnel (lt-) interface toward the Layer 3 domain.Device PE1 and Device PE2 use OSPF for Layer 3 VPN communication with Device CE1.
[edit routing-instances l3vpn] user@PE1# set instance-type vrf user@PE1# set interface lt-1/2/0.601 user@PE1# set interface lo0.1 user@PE1# set route-distinguisher 192.168.1.101:64511 user@PE1# set vrf-import l3vpn_import user@PE1# set vrf-export l3vpn_export user@PE1# set vrf-table-label user@PE1# set protocols ospf export ospf_export user@PE1# set protocols ospf area 0.0.0.0 interface lt-1/2/0.601 user@PE1# set protocols ospf area 0.0.0.0 interface lo0.1
Configure the autonomous system (AS) ID and router ID.
[edit routing-options] user@PE1# set router-id 192.168.0.101 user@PE1# set autonomous-system 64511
Similarly, configure Device PE2.
Results
From configuration mode, confirm your configuration
by entering the show interfaces, show firewall, show protocols, show policy-options, show routing-options, and show routing-instances commands. If the output does not display the intended configuration,
repeat the instructions in this example to correct the configuration.
Device A1
user@A1# show interfaces
ge-1/3/0 {
unit 0 {
family inet {
address 10.20.0.100/24;
}
family iso;
family mpls;
}
}
ge-1/3/1 {
unit 0 {
family inet {
address 10.10.0.100/24;
}
family iso;
family mpls;
}
}
ge-1/3/2 {
vlan-tagging;
encapsulation vlan-ccc;
unit 600 {
encapsulation vlan-ccc;
vlan-id 600;
family ccc;
}
}
lo0 {
unit 0 {
family inet {
address 192.168.0.100/32 {
primary;
}
}
family iso {
address 49.0002.0192.0168.0100.00;
}
}
}
user@A1# show protocols
rsvp {
interface ge-1/3/0.0;
interface ge-1/3/1.0;
interface lo0.0;
}
mpls {
interface ge-1/3/0.0;
interface ge-1/3/1.0;
}
isis {
interface ge-1/3/0.0;
interface ge-1/3/1.0;
interface lo0.0;
}
ldp {
interface ge-1/3/0.0;
interface ge-1/3/1.0;
interface lo0.0;
}
l2circuit {
neighbor 192.168.0.101 {
interface ge-1/3/2.600 {
virtual-circuit-id 1;
pseudowire-status-tlv;
backup-neighbor 192.168.0.102 {
virtual-circuit-id 2;
hot-standby;
}
}
}
}
user@A1# show policy-options
policy-statement pplb {
then {
load-balance per-packet;
}
}
user@A1# show routing-options
autonomous-system 64510;
router-id 192.168.0.100;
forwarding-table {
export pplb;
}
Device PE1
user@PE1# show interfaces
ge-0/1/1 {
unit 0 {
family inet {
address 10.21.0.101/24;
}
family iso;
family mpls;
}
}
ge-0/1/2 {
unit 0 {
family inet {
address 10.31.0.101/24;
}
family iso;
family mpls;
}
}
ge-0/1/3 {
unit 0 {
family inet {
address 10.10.0.101/24;
}
family iso;
family mpls;
}
}
lt-1/2/0 {
unit 600 {
encapsulation vlan-ccc;
vlan-id 600;
peer-unit 601;
}
unit 601 {
encapsulation vlan;
vlan-id 600;
peer-unit 600;
family inet {
filter {
input icmp_inet;
output icmp_inet;
}
address 10.41.0.101/24 {
vrrp-group 0 {
virtual-address 10.41.0.1;
accept-data;
}
}
}
}
}
lo0 {
unit 0 {
family inet {
address 192.168.0.101/32 {
primary;
}
}
family iso {
address 49.0002.0192.0168.0003.00;
}
}
unit 1 {
family inet {
address 192.168.1.101/32;
}
}
}
user@PE1# show firewall
family inet {
filter icmp_inet {
interface-specific;
term 0 {
from {
source-address {
10.41.0.101/32 except;
10.0.0.0/8;
}
protocol icmp;
}
then {
count icmp_inet;
log;
accept;
}
}
term 1 {
then accept;
}
}
}
user@PE1# show protocols
rsvp {
interface ge-0/1/1.0;
interface ge-0/1/2.0;
interface ge-0/1/3.0;
interface lo0.0;
}
mpls {
label-switched-path to_PE3 {
to 192.168.0.103;
}
label-switched-path to_PE2 {
to 192.168.0.102;
}
interface ge-0/1/1.0;
interface ge-0/1/2.0;
interface ge-0/1/3.0;
}
bgp {
local-address 192.168.0.101;
group ibgp {
family inet-vpn {
any;
}
peer-as 64511;
neighbor 192.168.0.102;
neighbor 192.168.0.103;
}
}
isis {
interface ge-0/1/1.0;
interface ge-0/1/2.0;
interface ge-0/1/3.0;
interface lo0.0;
}
ldp {
interface ge-0/1/1.0;
interface ge-0/1/2.0;
interface ge-0/1/3.0;
interface lo0.0;
}
l2circuit {
neighbor 192.168.0.100 {
interface lt-1/2/0.600 {
virtual-circuit-id 1;
pseudowire-status-tlv hot-standby-vc-on;
}
}
}
user@PE1# show policy-options
policy-statement l3vpn_export {
term primary {
from condition primary;
then {
local-preference add 300;
community set l3vpn;
accept;
}
}
term standby {
from condition standby;
then {
local-preference add 30;
community set l3vpn;
accept;
}
}
term default {
then {
community set l3vpn;
accept;
}
}
}
policy-statement l3vpn_import {
term 1 {
from community l3vpn;
then accept;
}
term default {
then reject;
}
}
policy-statement ospf_export {
term 0 {
from community l3vpn;
then accept;
}
}
community l3vpn members target:64511:600;
condition primary {
if-route-exists {
address-family {
ccc {
lt-1/2/0.600;
table mpls.0;
peer-unit 601;
}
}
}
}
condition standby {
if-route-exists {
address-family {
ccc {
lt-1/2/0.600;
table mpls.0;
standby;
peer-unit 601;
}
}
}
}
user@PE1# show routing-options
router-id 192.168.0.101;
autonomous-system 64511;
user@PE1# show routing-instances
l3vpn {
instance-type vrf;
interface lt-1/2/0.601;
interface lo0.1;
route-distinguisher 192.168.1.101:64511;
vrf-import l3vpn_import;
vrf-export l3vpn_export;
vrf-table-label;
protocols {
ospf {
export ospf_export;
area 0.0.0.0 {
interface lt-1/2/0.601;
interface lo0.1;
}
}
}
}
If you are done configuring the devices, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Checking Layer 2 Circuits
Purpose
Upon Layer 2 virtual circuit (VC) establishment, the
output of the show l2circuit connections command shows
the active and the hot-standby VC. In addition, control-plane details
are shown for the hot-standby VC.
Action
From operational mode, enter the show l2circuit
connections extensive command.
user@A1> show l2circuit connections extensive
Layer-2 Circuit Connections:
Legend for connection status (St)
EI -- encapsulation invalid NP -- interface h/w not present
MM -- mtu mismatch Dn -- down
EM -- encapsulation mismatch VC-Dn -- Virtual circuit Down
CM -- control-word mismatch Up -- operational
VM -- vlan id mismatch CF -- Call admission control failure
OL -- no outgoing label IB -- TDM incompatible bitrate
NC -- intf encaps not CCC/TCC TM -- TDM misconfiguration
BK -- Backup Connection ST -- Standby Connection
CB -- rcvd cell-bundle size bad SP -- Static Pseudowire
LD -- local site signaled down RS -- remote site standby
RD -- remote site signaled down HS -- Hot-standby Connection
XX -- unknown
Legend for interface status
Up -- operational
Dn -- down
Neighbor: 192.168.0.101
Interface Type St Time last up # Up trans
ge-1/3/2.600(vc 1) rmt Up Jan 24 11:00:26 2013 1
Remote PE: 192.168.0.101, Negotiated control-word: Yes (Null)
Incoming label: 299776, Outgoing label: 299776
Negotiated PW status TLV: Yes
local PW status code: 0x00000000, Neighbor PW status code: 0x00000000
Local interface: ge-1/3/2.600, Status: Up, Encapsulation: VLAN
Connection History:
Jan 24 11:00:26 2013 status update timer
Jan 24 11:00:26 2013 PE route changed
Jan 24 11:00:26 2013 Out lbl Update 299776
Jan 24 11:00:26 2013 In lbl Update 299776
Jan 24 11:00:26 2013 loc intf up ge-1/3/2.600
Neighbor: 192.168.0.102
Interface Type St Time last up # Up trans
ge-1/3/2.600(vc 2) rmt HS ----- ----
Remote PE: 192.168.0.102, Negotiated control-word: Yes (Null)
Incoming label: 299792, Outgoing label: 299776
Negotiated PW status TLV: Yes
local PW status code: 0x00000020, Neighbor PW status code: 0x00000000
Local interface: ge-1/3/2.600, Status: Up, Encapsulation: VLAN
user@PE1> show l2circuit connections extensive
Layer-2 Circuit Connections:
Legend for connection status (St)
EI -- encapsulation invalid NP -- interface h/w not present
MM -- mtu mismatch Dn -- down
EM -- encapsulation mismatch VC-Dn -- Virtual circuit Down
CM -- control-word mismatch Up -- operational
VM -- vlan id mismatch CF -- Call admission control failure
OL -- no outgoing label IB -- TDM incompatible bitrate
NC -- intf encaps not CCC/TCC TM -- TDM misconfiguration
BK -- Backup Connection ST -- Standby Connection
CB -- rcvd cell-bundle size bad SP -- Static Pseudowire
LD -- local site signaled down RS -- remote site standby
RD -- remote site signaled down HS -- Hot-standby Connection
XX -- unknown
Legend for interface status
Up -- operational
Dn -- down
Neighbor: 192.168.0.100
Interface Type St Time last up # Up trans
lt-1/2/0.600(vc 1) rmt Up Jan 24 11:06:36 2013 1
Remote PE: 192.168.0.100, Negotiated control-word: Yes (Null)
Incoming label: 299776, Outgoing label: 299776
Negotiated PW status TLV: Yes
local PW status code: 0x00000000, Neighbor PW status code: 0x00000000
Local interface: lt-1/2/0.600, Status: Up, Encapsulation: VLAN
Connection History:
Jan 24 11:06:36 2013 status update timer
Jan 24 11:06:36 2013 PE route changed
Jan 24 11:06:36 2013 Out lbl Update 299776
Jan 24 11:06:36 2013 In lbl Update 299776
Jan 24 11:06:36 2013 loc intf up lt-1/2/0.600
user@PE2> show l2circuit connections extensive
Layer-2 Circuit Connections:
Legend for connection status (St)
EI -- encapsulation invalid NP -- interface h/w not present
MM -- mtu mismatch Dn -- down
EM -- encapsulation mismatch VC-Dn -- Virtual circuit Down
CM -- control-word mismatch Up -- operational
VM -- vlan id mismatch CF -- Call admission control failure
OL -- no outgoing label IB -- TDM incompatible bitrate
NC -- intf encaps not CCC/TCC TM -- TDM misconfiguration
BK -- Backup Connection ST -- Standby Connection
CB -- rcvd cell-bundle size bad SP -- Static Pseudowire
LD -- local site signaled down RS -- remote site standby
RD -- remote site signaled down HS -- Hot-standby Connection
XX -- unknown
Legend for interface status
Up -- operational
Dn -- down
Neighbor: 192.168.0.100
Interface Type St Time last up # Up trans
lt-1/2/0.600(vc 2) rmt Up Jan 24 10:55:31 2013 1
Remote PE: 192.168.0.100, Negotiated control-word: Yes (Null)
Incoming label: 299776, Outgoing label: 299792
Negotiated PW status TLV: Yes
local PW status code: 0x00000000, Neighbor PW status code: 0x00000020
Local interface: lt-1/2/0.600, Status: Up, Encapsulation: VLAN
Connection History:
Jan 24 10:55:31 2013 status update timer
Jan 24 10:55:31 2013 PE route changed
Jan 24 10:55:31 2013 Out lbl Update 299792
Jan 24 10:55:31 2013 In lbl Update 299776
Jan 24 10:55:31 2013 loc intf up lt-1/2/0.600
Meaning
From the perspective of Device PE1 and Device PE2,
a single Layer 2 circuit is established toward access routers, so
there is no standby device information in the CLI output of the show l2circuit connections command. Note that no timing and
flapping information is provided for the VC acting as the hot-standby.
Junos OS only allows these counters to be tracked for the active VC.
Checking the Policy Conditions
Purpose
On the PE devices, verify the state of the different conditions defined as part of the Layer3 VPN's egress policy, where 10.41.0.0/24 corresponds to the logical tunnel (y) subnet.
Action
From operational mode, enter the show policy conditions
detail command.
user@PE1> show policy conditions detail Configured conditions: Condition primary (static), event: Existence of a route in a specific routing table Dependent routes: 10.41.0.0/24, generation 8 192.168.0.104/32, generation 8 Condition standby (static), event: Existence of a route in a specific routing table Dependent routes: None Condition tables: Table mpls.0, generation 0, dependencies 0, If-route-exists conditions: primary (static) standby (static) Table l3vpn.inet.0, generation 12, dependencies 2
user@PE2> show policy conditions detail Configured conditions: Condition primary (static), event: Existence of a route in a specific routing table Dependent routes: 10.41.0.0/24, generation 18 Condition standby (static), event: Existence of a route in a specific routing table Dependent routes: 10.41.0.0/24, generation 18 Condition tables: Table mpls.0, generation 0, dependencies 0, If-route-exists conditions: primary (static) standby (static) Table l3vpn.inet.0, generation 367, dependencies 2