Professional Documents
Culture Documents
A
SH
Junos Layer 2 VPNs
T
NO
15.a
DO
—
Student Guide
Volume 2 of 2
LY
ON
E
US
408-745-2000
www.juniper.net
A
marks are the property of their respective owners.
Junos Layer 2 VPNs Student Guide, Revision 15.a
Copyright © 2016 Juniper Networks, Inc. All rights reserved.
SH
Printed in USA.
Revision History:
Revision 15.a—June 2016
The information in this document is current as of the date listed above.
The information in this document has been carefully verified and is believed to be accurate for software Release 15.1R2.9.
T
Juniper Networks assumes no responsibilities for any inaccuracies that may appear in this document. In no event will Juniper Networks be liable for direct, indirect, special,
exemplary, incidental, or consequential damages resulting from any defect or omission in this document, even if advised of the possibility of such damages.
NO
DO
Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
YEAR 2000 NOTICE
Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos operating system has no known
time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
—
SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an agreement
executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand and agree to be bound by its
license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper Networks software, may contain
prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should consult the software license for further details.
LY
ON
E
US
AL
RN
TE
IN
Contents
A RE
Chapter 6: Virtual Private LAN Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
SH
Layer 2 MPLS VPNs Versus VPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
BGP VPLS Control Plane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9
LDP VPLS Control Plane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-23
FEC 129 BGP Autodiscovery Control Plane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-26
Learning and Forwarding Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-32
T
Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-48
NO
Chapter 7: VPLS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
VPLS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
VPLS Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-47
Lab: VPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-60
DO
Chapter 8: Ethernet VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
EVPN Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
EVPN Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8
EVPN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-25
—
EVPN Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-36
Lab: Ethernet VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-58
LY
iv • Contents www.juniper.net
Course Overview
RE
This two-day course is designed to provide students with MPLS-based Layer 2 virtual private network (VPN) knowledge
and configuration examples. The course includes an overview of MPLS Layer 2 VPN concepts, such as BGP Layer 2 VPNs,
LDP Layer 2 circuits, FEC 129 BGP autodiscovery, virtual private LAN service (VPLS), Ethernet VPN (EVPN), and Inter-AS
A
Layer 2 VPNs. This course also covers Junos operating system-specific implementations of Layer 2 VPN instances, VPLS,
and EVPNs. This course is based on the Junos OS Release 15.1R2.9.
SH
Through demonstrations and hands-on labs, students will gain experience in configuring and monitoring the Junos OS
and in device operations.
Intended Audience
This course benefits individuals responsible for configuring and monitoring devices running the Junos OS.
T
Course Level
NO
Junos Layer 2 VPNs (JL2V) is an advanced-level course.
Prerequisites
The prerequisites for this course include the following:
DO
• An intermediate-level networking knowledge and an understanding of OSPF, IS-IS, BGP, and Junos policy;
• Experience configuring MPLS label-switched paths using Junos;
• Introduction to the Junos Operating System (IJOS) course or equivalent;
• Junos Routing Essentials (JRE) course or equivalent;
—
• Junos Service Provider Switching (JSPX) course or equivalent;
• Junos Intermediate Routing (JIR) course or equivalent; and
LY
• Describe the roles of a CE device, PE router, and P router in a BGP Layer 2 VPN.
US
• Explain the flow of control traffic and data traffic for a BGP Layer 2 VPN.
• Configure a BGP Layer 2 VPN and describe the benefits and requirements of over-provisioning.
• Monitor and troubleshoot a BGP Layer 2 VPN.
AL
• Explain the BGP Layer 2 VPN scaling mechanisms and route reflection.
• Describe the Junos OS BGP Layer 2 VPN CoS support.
• Describe the flow of control and data traffic for an LDP Layer 2 circuit.
RN
RE
• Explain the provisioning of CE and PE routers.
• Describe the signaling process of VPLS.
• Describe the learning and forwarding process of VPLS.
A
• Describe the potential loops in a VPLS environment.
SH
• Configure BGP, LDP, and FEC 129 BGP autodiscovery VPLS.
• Troubleshoot VPLS.
• Describe the purpose and features of Ethernet VPN.
• Configure Ethernet VPN.
T
• Monitor and troubleshoot Ethernet VPN.
NO
• Describe the Junos OS support for hierarchical VPN models.
• Describe the Junos OS support for Carrier-of-Carriers VPN Option C.
• Configure the interprovider VPN Option C.
• Describe the Junos OS support for multisegment pseudowire for FEC 129.
DO
• Describe and configure circuit cross-connect (CCC).
—
LY
ON
E
US
AL
RN
TE
IN
RE
Day 1
Chapter 1: Course Introduction
A
Chapter 2: MPLS VPNs
SH
Chapter 3: BGP Layer 2 VPNs
Lab: BGP Layer 2 VPNs
Chapter 4: Layer 2 VPN Scaling and CoS
Lab: Layer 2 VPN Scaling
T
Chapter 5: LDP Layer 2 Circuits
NO
Lab: LDP Layer 2 Circuit and FEC 129 BGP Autodiscovery
Day 2
Chapter 6: Virtual Private LAN Services
Chapter 7: VPLS Configuration
DO
Lab: VPLS
Chapter 8: Ethernet VPN
Lab: EVPN
—
LY
ON
E
US
AL
RN
TE
IN
RE
CLI and GUI Text
Frequently throughout this course, we refer to text that appears in a command-line interface (CLI) or a graphical user
A
interface (GUI). To make the language of these documents easier to read, we distinguish GUI and CLI text from chapter
text according to the following table.
SH
Style Description Usage Example
Franklin Gothic Normal text. Most of what you read in the Lab Guide
and Student Guide.
T
Courier New Console text:
commit complete
• Screen captures
NO
• Noncommand-related Exiting configuration mode
syntax
GUI text elements:
Select File > Open, and then click
• Menu names Configuration.conf in the
DO
Filename text box.
• Text field entry
CLI Input Text that you must enter. lab@San_Jose> show route
GUI Input Select File > Save, and type
config.ini in the Filename field.
E
Finally, this course distinguishes between regular text and syntax variables, and it also distinguishes between syntax
variables where the value is already assigned (defined variables) and syntax variables where you must assign the value
(undefined variables). Note that these styles can be combined with the input style as well.
AL
CLI Undefined Text where the variable’s value is Type set policy policy-name.
the user’s discretion or text where
ping 10.0.x.y
the variable’s value as shown in
GUI Undefined the lab guide might differ from the Select File > Save, and type
TE
RE
Education Services Offerings
You can obtain information on the latest Education Services offerings, course dates, and class locations from the World
A
Wide Web by pointing your Web browser to: http://www.juniper.net/training/education/.
About This Publication
SH
The Junos Layer 2 VPNs Student Guide was developed and tested using software Release 15.1R2.9. Previous and later
versions of software might behave differently so you should always consult the documentation and release notes for the
version of code you are running before reporting errors.
This document is written and maintained by the Juniper Networks Education Services development team. Please send
T
questions and suggestions for improvement to training@juniper.net.
NO
Technical Publications
You can print technical manuals and release notes directly from the Internet in a variety of formats:
• Go to http://www.juniper.net/techpubs/.
• Locate the specific software or hardware release and title you need, and choose the format in which you
DO
want to view or print the document.
Documentation sets and CDs are available through your local Juniper Networks sales office or account representative.
Juniper Networks Support
For technical support, contact Juniper Networks at http://www.juniper.net/customers/support/, or at 1-888-314-JTAC
—
(within the United States) or 408-745-2121 (outside the United States).
LY
ON
E
US
AL
RN
TE
IN
T
NO
Chapter 6: Virtual Private LAN Service
DO
—
LY
ON
E
US
AL
RN
TE
IN
Junos Layer 2 VPNs
A RE
SH
T
NO
DO
—
LY
ON
We Will Discuss:
• The difference between Layer 2 MPLS virtual private networks (VPNs) and virtual private LAN service (VPLS);
E
• The purpose of the provider edge (PE), customer edge (CE), and provider (P) devices;
• Provisioning of CE and PE routers;
US
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
media can be used between PE and CE devices, only two CE devices can interact over a single emulated Layer 2 circuit or
virtual LAN (VLAN). Although this behavior works well as it is, some customers prefer to have their Ethernet media behave
US
like Ethernet so that more than two hosts or routers can interact over the Layer 2 circuit. This need on behalf of the
customer, and other factors, is what led to the development of VPLS.
In both of the Layer 2 point to point VPNs scenarios, you must manually map local Layer 2 circuits on the PE device to the
remote sites. This mapping might be labor intensive and sometimes confusing, especially when designing a full-mesh
network between PE devices. BGP-based Layer 2 VPNs allows for over-provisioning, which eases the process of adding a new
site, however.
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
known, an Ethernet frame is sent to all remote sites. If the destination MAC address is known, it is sent directly to the site
that owns it.
US
forwarded out directly connected interfaces or over MPLS label-switched paths (LSPs) across the provider core. This behavior
allows you to not have to manually map Layer 2 circuits to remote sites.
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Standards
Two competing RFCs for VPLS exist. One of the remarkable things about these two competing RFCs is that their primary
developers happen to be brothers, Kireeti Kompella (BGP) and Vach Kompella (LDP). The primary difference between the
E
two RFCs is that one uses BGP and one uses LDP for signaling. Currently the Junos operating system supports both LDP and
BGP for signaling, with BGP the preferred solution.
US
The latest standard is the FEC 129 BGP autodiscovery standard defined in RFC 6074. Here the issue of manual provisioning
when using LDP signaling is removed by adding BGP autodiscovery to the LDP signaling solution.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Benefits of BGP
There are a few benefits to using BGP as the signaling protocol for VPLS. For instance, BGP allows for the autodiscovery of
new sites as they are added to a VPLS. When a new site is added to a VPLS, you only need to configure the PE router
E
connected to the new site. All other PE routers discover the new site with the use of the target extended community. Also,
BGP is a very scalable protocol. BGP works well when dealing with large number of routes. Provisioning a VPLS network in a
US
large provider network can be made easier with the use of route reflectors and/or confederations. Finally, BGP was designed
to advertise routes between autonomous systems. Thus, it is inherently possible to build a VPLS across autonomous system
(AS) boundaries.
Based on RFC 2858 (Multiprotocol Extensions for BGP-4), BGP can be extended to carry information for which it was not
AL
originally designed. The BGP draft for VPLS relies on Multiprotocol Border Gateway Protocol (MP-BGP) to carry its routing
information between PE devices.
The RCF 6074 solution that uses BGP for autodiscovery adds some of the benefits of using BGP. It can also support building
VPLS across different AS boundaries. For the LDP part there is support for it by using multisegment FEC 129
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
between the Layer 2 technology used at the provider’s edge and the technologies used in the core. This independence
extends to the upper protocol layers as well, because the provider does not interpret in any way the contents of the Layer 2
US
frames.
Both ends of a VPLS must use the Ethernet technology. Unlike point to point Layer 2 VPNs, each remote site does not need to
be associated with a unique Layer 2 circuit identifier to map traffic to a given site. All mapping will be performed
automatically through the MAC learning function of a PE.
AL
routers forward traffic across the provider’s core using MPLS LSPs. PE routers perform MAC learning and store MACs in a
VPLS-specific MAC table.
Provider Routers
TE
The provider routers do not carry any VPLS state. They simply provide label-switching router (LSR) services to facilitate the
transfer of labeled frames between PE routers.
IN
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
For Ethernet with VLAN tagging, it is required that VLAN IDs be the same at both ends of a VPLS. The VPLS standard allows
US
A RE
SH
T
NO
DO
—
LY
ON
The VRF is also populated with information received from other PE routers in MP-IBGP updates. These updates contain the
remote site’s ID, label base, label, offset, and Layer 2 encapsulation.
The combination of locally provisioned information and Layer 2 VPN network layer reachability information (NLRI) received
from remote PE routers results in a Layer 2 VPN VRF table and an associate MAC table which are used to map traffic to and
RN
A RE
SH
T
NO
DO
—
LY
ON
used for data forwarding. The PE-PE LSPs are not dedicated to any particular service. With label stacking, the same LSP can
be used to support multiple Layer 2 VPN customers while also supporting Layer 3 VPNs and non-VPN traffic.
US
Each PE router must also be configured with MP-BGP to peer to other PE routers having local sites belonging to the same
VPN. These MP-BGP sessions must be configured to support the l2-vpn signaling address family so that they can
send and receive Layer 2 NLRI updates.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
receiving PEs, can determine which label to use to reach the sending PE.
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
• CE device identifier (site ID), which must be unique in the context of a specific VPN.
• CE device range, which helps determine the size of the site’s label block and therefore how many remote sites
to which it can connect.
• Logical interfaces associated with this VRF.
AL
Some of the steps outlined in the slide can occur automatically and therefore do not require explicit configuration.
Continued on the next page.
RN
TE
IN
RE
Each VPLS interface must be configured to support family vpls and the appropriate encapsulation. Support
encapsulations are:
• ethernet-vpls:
A
– Standard Ethernet encapsulation; and
– Accepts packets with Tag Protocol Identifier (TPID) values.
SH
• vlan-vpls:
– For VLAN 802.1q tagging; and
– Accepts standard TPID values only.
T
• extended-vlan-vpls:
NO
– 802.1q tagging; and
– Accepts special TPID values: 0x8100, 0x9100, and 0x9901.
• ether-vpls-over-atm-llc:
– Bridges Ethernet and Asynchronous Transfer Mode (ATM) interfaces for Ethernet over ATM (AAL-5);
DO
– RFC 2684; and
– Supported on ATM IQ interfaces only.
—
LY
ON
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
VPLS AFI/SAFI
The graphic on the slide displays the structure of VPLS NLRI. The address family indicator (AFI) and subsequent address
family identifier (SAFI) values of 25 and 65 are shared with Kompella Layer 2 VPN NLRIs.
E
The NLRI consists of the site ID, the label base, and the label block offset, which are used when multiple label blocks are
US
generated for a particular site. Each label block is carried as a separate update when multiple blocks exist.
The circuit status vector (CSV) is a bit vector used to indicate the site’s label range (that is, block size) and to report failures
of a PE router’s local circuits.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
• The Layer 2 encapsulation type (VPLS is the encapsulation type in a VPLS environment).
US
• The Layer 2 maximum transmission unit (MTU) field, which reports the MTU configured on the sending PE
router’s PE-CE link (because fragmentation is not supported in a Layer 2 VPN environment, the receiving PE
router ignores Layer 2 NLRI with MTU values that differ from the PE router’s local VRF interface).
• Control Flags, the slide shows the meaning of the 5 bits that are used for signaling different VPLS options to the
AL
remote PEs.
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
The slide also shows how transmit labels are calculated based on the local site ID and the received MP-BGP advertisements
from a remote site. Based on the received advertisement from PE-1, PE-2 sends frames destined for Site 1 using an inner
label of 2003 (label-base-remote + local-site-id – label-block-offset). The outer MPLS label used for transmission is 200,
based on the existing MPLS LSP from PE-2 to PE-1.
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
automatically which VPLS instances are running on other PE router by using the target extended community.
US
connections between sites are created automatically. The PE device learns the MAC addresses during the forwarding
process with the help of the VPN tunnel interfaces.
VPN Policy
RN
VPN policy using route target communities to filter and accept label blocks from remote PE routers results in a VPLS
topology.
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
1000). PE-3 computes the same label value (1000) as the label it expects to receive on traffic sent by CE-A1.
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
As shown on the diagram on the slide, the remote PE router (PE-2) uses the input label value advertised by PE-1 as its output
US
label when forwarding traffic associated with this FEC to PE-1. Although not shown on the slide, you can assume that PE-2
has also advertised an input label to PE-1, and that PE-1 pushes this label when sending traffic (for this connection) to PE-2.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
• Group ID (optional): Used to group a set of labels together that relate to a particular port or tunnel. Makes
withdrawal of labels easier when there is a failure of a port and there are many VPN labels associated with that
same port.
RN
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
peers will advertise their interest in VPLS instances to each other, possibly using route reflectors for more scalability.
US
Once the remote PEs are discovered the next phase is to establish targeted LDP session to each other. In the LDP session
the exchange of the FEC 129 and its associated label is accomplished.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Extended Communities
Important additions to BGP autodiscovery route are two extended communities.
• l2vpn-id: Globally unique Layer 2 VPN / VPLS identifier;
AL
• Route targets: Policy tool to control which PEs are capable of learning about VPLS instance. Multiple route
targets can be used for more complex topologies like hub-and-spoke.
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
The BGP pseudowire route format is shown above. The AGI is equal to the l2vpn-id value, the SAII is the router-id of the
advertising PE, and the TAII is the router-id of the receiving PE.
Route Installation.
AL
Local generated BGP autodiscovery routes are installed in the instance.l2vpn.0 table. Also, BGP pseudowire routes
accepted from remote PEs are installed into this table.
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
An easy way to see the FEC 129 label information is seen when using the show ldp database command.
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
tunnel interface is created within the Tunnel Services PIC. The VPN tunnel interface is not used for forwarding traffic inbound
from the local CE device. The VPN tunnel interface’s use is described on the next slide.
US
1. An Ethernet frame arrives on interface fe-0/1/0.600. Because the interface is configured as part of a VPLS,
the Ethernet framing is not stripped from the Layer 3 packet inside.
2. The Internet Processor II (or equivalent route lookup ASIC) can learn (if not already known) the local CE device’s
MAC address from the Ethernet header’s source address. Because of this learning process, an entry is stored in
AL
the vpn-name.vpls forwarding table (MAC table) with its associated next hop. This entry is used to forward
traffic to the local CE device as MPLS-encapsulated frames arrive from the core (shown on next slide).
3. The Internet Processor II performs a forwarding lookup for this Ethernet frame using the vpn-name.vpls
RN
table. If the destination MAC address is not known, the Internet Processor II uses a flood route in the forwarding
table, which causes the frame to be flooded to all sites except for the site where the frame originally came from.
In the case described in the slide, there is a specific entry for the destination MAC address so the frame is
encapsulated in two MPLS headers and passed to the outgoing interface.
TE
4. The MPLS-encapsulated Ethernet frame is forwarded to the remote site across the core network by means of
the MPLS LSP built between PE devices.
IN
A RE
SH
T
NO
DO
—
LY
ON
1. Because of penultimate-hop popping (PHP), an Ethernet frame encapsulated by a single MPLS header arrives
US
processor does a pop operation based on the mpls.0 table, no other Internet Processor II functions can be
performed. By passing the resulting Ethernet frame through the VPN tunnel interface, the Internet Processor II
is given a second chance to perform another function on the frame (that is, MAC address learning).
RN
RE
3. The Internet Processor II can learn (if not already known) the remote CE device’s MAC address from the
Ethernet headers source address. Because of this learning process, an entry is stored in the vpn-name.vpls
forwarding table with its associated next hop and MPLS encapsulation. The Internet Processor II knows in which
VPLS forwarding table to store the new entry based upon which VPN tunnel interface the packet arrives from.
A
This entry is used to forward traffic to the remote CE device as Ethernet frames arrive from the local CE device
(shown on previous slide).
SH
4. The Internet Processor II performs a forwarding lookup for this Ethernet frame using the vpn-name.vpls
table. If the destination MAC address is not known, the Internet Processor II uses the default route in the
forwarding table, which causes the Internet Processor II to flood the frame to all local sites but not to any
remote sites. In the case described in the slide, there is a specific entry for the destination MAC address so the
frame is passed to the appropriate outgoing interface.
T
NO
DO
—
LY
ON
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Ethernet segment. This slide shows CE-A1 sending an ARP request frame on VLAN 600. The frame arrives on PE-1 VPLS
interface with a broadcast destination MAC address.
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
When the destination MAC address of a received Ethernet frame is unknown or is broadcast from a CE device, the Ethernet
frame is duplicated and sent to all remote PE routers for the VPLS. The flooding behavior is based on a default route in the
VPLS forwarding table, vpn-name.vpls.
AL
A RE
SH
T
NO
DO
—
LY
ON
PE Router Forwarding
The slide summarizes the forwarding and learning behavior of a PE router.
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
to learning PE-1’s label block. The packet is essentially passed through the VPN tunnel interface so that a second lookup can
occur.
US
Frame. Based on the newly learned MAC address, a dynamically generated route/MAC entry is placed into the
vpn-name.vpls. The new route table entry is a route to the MAC address of CE-A1 with an LSP next hop (push-push
operation based on VCT learned from PE-1). Second, the PE routers perform a lookup in the vpn-name.vpls table.
Because the frame is a broadcast frame that arrived from the provider core, the frame is flooded to all attached CE devices.
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
When the unlabeled Ethernet frame returns from VPN tunnel interface (Tunnel Services PIC), PE-1 learns the MAC address
for CE-A3 from source address of Ethernet Frame. Based on the newly learned MAC address a dynamically generated route
entry is placed into the vpn-name.vpls. The new route table entry is a route to the MAC address of CE-A3 with an LSP
next-hop (push-push operation based on label block learned from PE-1). Second, PE-1 performs a lookup in the
vpn-name.vpls table. Because the MAC address of CE-A1 was learned earlier, which caused a route to CE-A1 to be
AL
A RE
SH
T
NO
DO
—
LY
ON
When the unlabeled Ethernet frame returns from VPN tunnel interface (Tunnel Services PIC), PE-1 learns the MAC address
for CE-A3 from source address of Ethernet Frame. Based on the newly learned MAC address a dynamically generated route
entry is placed into the vpn-name.vpls. The new route table entry is a route to the MAC address of CE-A3 with an LSP
next-hop (push-push operation based on label block learned from PE-1). Second, PE-1 performs a lookup in the
vpn-name.vpls table. Because the MAC address of CE-A1 was learned earlier, which caused a route to CE-A1 to be
AL
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
BUM Replication
Broadcast, unicast with unknown destination, and multicast (BUM) traffic is replicated and flooded solely by the ingress PE
by default. This behavior can put a tremendous burden on the PE if it happens to be services several hundred VPLS
E
instances. point to multipoint LSPs can be used specifically for the purpose of carrying BUM traffic. When using a point to
multipoint LSP for this purpose, the ingress PE only needs to send 1 copy of the BUM traffic into the core. The downstream
US
routers along the LSP will perform replication of the traffic. To notify remote PEs that a point to multipoint LSP will be used for
BUM forwarding, the ingress PE re-advertises all label blocks along with the Provider Multicast Service Interface (PMSI)
Tunnel attribute which carries the RSVP session identification information.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Split Horizon
US
One of the flooding rules of VPLS is that a router cannot flood a packet from a remote PE router to another remote PE router.
Although this behavior causes a need for the full mesh, it helps eliminate the need for a spanning tree protocol in the
provider core.
AL
A RE
SH
T
NO
DO
—
LY
ON
Loops
The slide highlights the topic we discuss next.
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
then a Layer 2 loop is possible. To prevent Layer 2 data from looping between the CE and PE with redundant links you must
configure either a spanning tree protocol between PE and CE, active and backup links on the PE, Ethernet Ring Protection
US
A RE
SH
T
NO
DO
—
LY
ON
Multihomed CE
The slide shows a potential loop situation that can occur when there are links between a single CE multiple PEs. If CE-A2 is a
router operating at Layer 3, then there should be no Layer 2 loop possible. However, if CE-A2 is a Layer 2 switch then a
E
Layer 2 loop is possible. To prevent Layer 2 data from looping between the CE and two PEs you must configure either a
spanning tree protocol between PEs and CE, BGP multihoming, or a primary and backup neighbor.
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
We Discussed:
• The difference between Layer 2 MPLS VPNs and VPLS;
E
A RE
SH
T
NO
DO
—
LY
ON
Review Questions
1.
E
2.
US
3.
AL
RN
TE
IN
RE
1.
A Layer 2 VPN is point to point in nature while a VPLS is point to multipoint.
2.
A
Adding and removing sites from a BGP VPLS requires the configuration of only one PE. All other PEs will automatically discover the
added or removed site.
SH
3.
For point-to-point connections MAC address learning is not needed as all incoming traffic can be sent across the single point-to-point
interface. For VPLS, the interface is similar to point-to-multipoint and then choices need to be made. Only if address is not known
flooding to all remote PEs is useful, if MAC address is learned traffic forwarding can be optimized by sending it to specific PE only
T
where MAC address resides.
NO
DO
—
LY
ON
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
E
US
AL
RN
TE
IN
T
NO
Chapter 7: VPLS Configuration
DO
—
LY
ON
E
US
AL
RN
TE
IN
Junos Layer 2 VPNs
RE
A
SH
T
NO
DO
—
LY
ON
We Will Discuss:
• Virtual private LAN service (VPLS) configuration, and
E
• VPLS troubleshooting.
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
VPLS Configuration
The slide lists the topics we will discuss. We discuss the highlighted topic first.
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
All customer edge (CE) and provider edge (PE) router interfaces use 10.0.12.0/24 addresses. The drawings show only the
interfaces’ subnet and host IDs. Loopback addresses are assigned from the 192.168/16 address block.
US
The core interior gateway protocol (IGP) is Open Shortest Path First (OSPF), and a single area (Area 0) is configured. Because
the examples in this class do not rely on the functionality of the Constrained Shortest Path First (CSPF) algorithm, traffic
engineering extensions need not be enabled.
RSVP is deployed as the MPLS signaling protocol, and label-switched paths (LSPs) are configured between all three PE
AL
routers.
A multiprotocol IBGP(MP-IBGP) peering session is configured between the loopback addresses of the PE routers. The
l2-vpn signaling and inet unicast address families are configured.
RN
The goal of this network is to provide point-to-multipoint connectivity between the three CE routers shown. This network is
considered a full-mesh application because the resulting configuration readily accommodates additional sites with
any-to-any connectivity.
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Interface Configuration
This slide provides an example of Gigabit Ethernet interface configurations for use with VPLS.
E
When using vlan-tagging, only VLAN IDs 512-4094 are available for VPLS encapsulation. If you use extended-vlan-tagging
VLAN IDs 1-4094 are available for VPLS encapsulation. All logical unit levels might also be configured for family vpls,
US
but in later versions of the Junos operating system, this configuration is optional.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Layer 3 VPN VRF instance, you must assign a route distinguisher, list the VRF interfaces, and link the instance with a
vrf-target community or VRF import and export policies. You also must configure local site properties under the [edit
US
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
This vpn-a instance is associated with a single logical interface (ge-1/0/5.515). Additional interfaces can be listed if the
customer wants to be multihomed.
You can link the VPLS VRF table to either VRF import and export policies or a vrf-target statement, which is used to
match and add route target communities.
AL
The local site properties are configured under the protocols portion of the VPLS instance. These parameters were discussed
in the previous page.
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
The Junos OS does not support all of RFC 4762. When enabling LDP signaling for a VPLS routing instance, network engineers
US
To enable LDP signaling for the set of PE routers participating in the same VPLS routing instance, you need to use the
vpls-id statement configured at the [edit routing-instances routing-instance-name protocols
vpls] hierarchy level to configure the same VPLS identifier on each of the PE routers. The VPLS identifier must be globally
RN
unique. When each VPLS routing instance (domain) has a unique VPLS identifier, it is possible to configure multiple VPLS
routing instances between a given pair of PE routers.
LDP signaling requires that you configure a full mesh LDP session between the PE routers in the same VPLS routing
instance. Neighboring PE routers are statically configured. Tunnels are created between the neighboring PE routers to
TE
aggregate traffic from one PE router to another. Pseudowires are then signaled to demultiplex traffic between VPLS routing
instances. These PE routers exchange the pseudowire label, the MPLS label that acts as the VPLS pseudowire demultiplexer
field, by using LDP FECs. Tunnels based on both MPLS and generic routing encapsulation (GRE) are supported.
IN
A RE
SH
T
NO
DO
—
LY
ON
The output of the show bgp summary command shows that the BGP autodiscovery routes show up in the bgp.l2vpn.0
US
table based on matching route target. From there they are copied into the instance.l2vpn.0 table.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
The l2vpn-id uniquely identifies the VPLS instance. As targeted LDP is used after the BGP autodiscovery process, LDP
needs to be enabled on the loopback interface.
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
Since Junos 12.3 it is possible to enable both the designated forwarder path selection algorithm and the standard BGP path
selection algorithm on the PE and RR routers. To enable this feature
• Run Junos OS Release 12.3 or higher on all PE and RR routers.
• Specify unique route-distinguisher on each PE router that is a member of a L2VPN or VPLS deployment.
RN
Configure the l2vpn-use-bgp-rules command on all PE and RR routers. This statement can be globally configured at
the [edit protocols bgp path-selection] hierarchy. It can also be configured at the routing-instance level.
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
BGP Solution
In the example topology, CE-B is a Layer 2 switch that is multihomed to both PE2 and PE3. This redundant topology causes a
potential Layer 2 loop. Luckily, because BGP is used to signal the VPLS, BGP’s normal route selection process will almost
E
completely prevent a loop from occurring. To allow BGP to prevent the potential loop, you must configure the following on
PE2 and PE3:
US
except for the BGP next-hop and route distinguisher. When the remote PE, PE1, receives the 2 sets of label blocks from PE2
and PE3, PE1 will go through its normal route selection process to determine one set of routes (label blocks) to use for
forwarding. The example in the slide shows that you can affect which label blocks will be chosen by modifying the BGP local
preference and set the site-preference (default is 100). In this case, because the label blocks from PE2 are more preferred
RN
(Local Preference is 300), PE2 will be chosen as the designated forwarder for the site. PE3 will not forward or learn on its
ge-1/0/5.515 interface until PE2 withdraws its label block advertisements (PE2’s ge-1/0/4 interface fails). The
multi-homing command is used to prevent a corner case loop that can occur when BGP connectivity to the core is lost
by PE3, it could assume that PE2 is no longer advertising its label blocks and then assume the role of designated forwarder.
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Single Pseudowire
Looking at the slide, you can see that PE1 has received advertisement from both PE2 and PE3. Because each advertisement
represents site 2 of the VPLS, PE1 will only chose 1 advertisement to use for forwarding. The output of the show vpls
E
connection command shows that there is a single pseudowire established to connect site 1 to site 2. If the PE-CE
interface on PE2 fails, there will be a short period of time that is required to establish a new pseudowire to connect site 1 to
US
site 2. Wouldn’t it be nice if a pre-established pseudowire was available between PE1 and PE3 on hot standby? The next few
slides discusses how to get quicker failover times by slightly modifying the solution shown on this slide.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Control Flags
The best-site feature described in the next few slides makes use of the 3 bits of the control flags in the Layer2-info
community advertised along with a site’s label blocks.
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Dummy Sites
To configure the best-site feature, each instance of a VPLS must have a single site added. The slide shows the
configuration of PE2 and PE3 but PE1 would need to have a similar configuration (in the future slides you will see that PE1 is
E
configured with site 991). This “dummy” site will be configured with no interfaces as well as the best-site statement.
Since this site has no interfaces, it is impossible for the site to go down (it is always up). The PE routers will advertise two
US
types of label blocks; one set for the real sites and one advertisement for the dummy site. Another optional statement that
should be configured is the mac-flush statement. This will allow a PE to request that another PE flushes (removes) all MAC
entries that were learned from the requesting site. As mentioned earlier, a flush request is signaled when the previous label
block’s Layer2 Info community had the flush bit set to 1 and then a matching but updated label block is received which has
the flush bit set to 0 (it is the transition from 1 to 0 that causes a flush).
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
output that there is no connectivity between site 1 and 2 but this is not true. It turns out that there only has to be a single
pseudowire established between VPLS instances to provide connectivity between the sites of two PEs. All sites of a VPLS
US
instance can use the single pseudowire for data transport. On the slide, you can see that there is a pseudowire between site
991 and 992 (also available for site1 to site 2 data transport between PE1 and PE2) and between 991 and 993 (also
available for site1 to site 2 data transport between PE1 and PE3). These sites were chosen for the establishment of the
pseudowires because they were advertised with the best site bit set (because we configured the best-site setting). Now
just because the pseudowires are available doesn’t mean they are being used. The next few slides show how a PE1
AL
determines which of the two pseudowires it will actually use to pass user data over to site 2.
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Before Failure
After the establishment of the pseudowires and before any link failures, PE1 must choose which pseudowire it will use to
forward user data to site 2. The slide shows that both PE2 and PE3 have each advertised a label block representing site 2.
E
Since the advertisement from PE2 has a higher BGP local preference (300), it is PE2’s label block that is chosen to reach
site 2. The pseudowire between PE1 and PE3 will go unused yet remain available in the case of failure. However, PE3 has set
US
A RE
SH
T
NO
DO
—
LY
ON
from PE2 and can now immediately start sending user data over the site 991 to site 993 pseudowire. PE3 reacts to this
advertisement by enabling the ge-1/0/5 interface for forwarding and also re-advertising its own label block to PE1 and PE2.
US
The advertisement from PE3 will have the flush bit set (which does not cause a flush on the remote PEs).
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
LDP Solution
To prevent a Layer 2 forwarding loop in this scenario when using an LDP VPLS, special configuration is made on PE1.
Assuming that the desired primary forwarding path is between PE1 and PE2 with PE3 acting as a backup. In the VPLS
E
configuration for PE1, PE2 would be listed as a neighbor and PE3 would be listed as a backup neighbor in the event of PE2
failure. PE2 and PE3 would be configured as normal. In PE1’s configuration, it is also possible to configure PE3 in standby
US
mode. In that case, PE1 and PE3 would establish a pseudowire between one another even when PE2 is available. Although,
PE3 would send broadcast, unicast unknown, multicast (BUM) and so forth to PE1, PE1 will not learn or forward any traffic to
or from PE3 while PE2 is available.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
Primary Interface
It is possible to configure the PE to monitor its own VPLS interfaces, allowing only one interface to be primary and active at
any one time. A benefit of this feature is that there is no requirement to run a spanning tree protocol and yet the PE behaves
E
similarly. To use this feature, you must list each interface connected to the site under the site-level configuration. Finally, you
must specify an active interface. If you specify a particular interface as the active interface then that interface will be used by
US
the PE for learning and forwarding for the site. All other interfaces will not forward or learn during this period. If the active
interface goes down then one of the other configured interfaces will take over as active. Once the primary comes back up, it
will again become the active forwarder. For non-revertive behavior, set the active interface to any. There might be packet loss
during the failover from one interface to another, however the main concern is Layer 2 loop prevention.
AL
RE
The same configuration options also exist for LDP VPLS, and FEC 129 BGP autodiscovery VPLS.
For LDP VLS see the example configuration below.
[edit routing-instances vpn3]
A
lab@mxB-1# show
instance-type vpls;
SH
interface ge-1/0/4.515;
interface ge-1/0/5.515;
interface ge-1/0/6.515;
protocols {
vpls {
T
site 1 {
active-interface primary ge-1/0/4.515;
NO
}
vpls-id 100;
neighbor 193.168.2.2;
}
}
DO
For FEC 129 BGP autodiscovery VPLS look at the configuration example below:
lab@mxB-1> show configuration routing-instances vpn4
instance-type vpls;
interface ge-0/0/1.0; —
interface ge-0/0/2.0;
route-distinguisher 1:1;
l2vpn-id l2vpn-id:1:1;
vrf-target target:1:1;
LY
protocols {
vpls {
multi-homing {
site 1 {
ON
identifier 1;
active-interface {
primary ge-0/0/1.0;
}
interface ge-0/0/1.0;
E
}
}
US
}
}
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Link Aggregation
The configuration example shows the use of a link aggregation group (LAG) to prevent a Layer 2 loop. Instead of two separate
1 Gbps interfaces, it is possible bind them together to make the 2 interfaces logically appear as a single 2 Gbps interfaces to
E
the PE and CE involved. Not only will this configuration allow for Layer 2 loop prevention, it will also double the customer’s
access speed to the network.
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
perspective of PE1). PE1 acts as the RPL owner and controls the state of the RPL. During normal operation with no failures
(idle state), the RPL owner places the RPL in the blocking state, which results in a loop-free topology. If a link failure occurs
US
somewhere on the ring, the RPL owner places the RPL in a forwarding state until the failed link is repaired. Once the failed
link is repaired, the Junos OS acts in a revertive manner, returning the RPL to the blocking state.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
interfaces that belong to several different VPLS routing instances, not just one. The slide shows the use of a Layer 2 control
routing instance to ensure that no loop exists between the PE and CE. For the topology to work properly, the CE (Layer 2
US
switch) should also be configured for a spanning tree protocol. Use the show spanning-tree interface
routing-instance instance-name command to view the forwarding and blocking state of the interfaces.
user@PE1> show spanning-tree interface routing-instance l2-control
...
AL
A RE
SH
T
NO
DO
—
LY
ON
address. The base interface is the interface where the MAC address was first learned and stable on for at least
300s. If the MAC address frequently moves between the base interface and second interface, this second
interface will be disabled as it considered the source of the loop.
• Statistical approach: Secondary approach if the MAC address cannot be associated with base interface (base
RN
interface is null). Statistics of the MAC moves between interfaces learned and is used to disable the interface
considered the source of the loop.
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
• cooloff-time: Timer (default 30 seconds) that starts when interface gets disabled. During this time other
MAC moves in the VPLS instance are ignored, and no other interfaces in the VPLS instance are disabled.
US
To verify MAC move loop prevention you can use the following commands show vpls mac-move-action, show
l2-learning mac-move-buffer, show vpls mac-table extensive. To verify if interface is disabled use
show interface interface-name command.
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
Stitch Configuration
The example on the slide shows the stitching of a BGP Layer 2 VPN (L2VPN) to a VPLS. On the terminating PE, there should
be a separate routing instance for both the L2VPN and the VPLS. Instead of specifying a physical interface in the L2VPN
E
routing instance, notice that lt-1/0/10.1 is used. The interface configuration for lt-1/0/10.1 uses vlan-ccc encapsulation as
expected. Also, the peer interface, lt-1/0/10.0 uses vlan-vpls encapsulation. The last step to the stitching process is to add
US
A RE
SH
T
NO
DO
—
LY
ON
types there must be a single border router that has a full mesh of BGP sessions to the PEs in the BGP-based network (unless
route reflection or confederations are used) and a full mesh of LDP sessions to the PEs participating in the LDP VPLS. The
US
border router, PE3, has a single media access control (MAC) table that it uses to learn and forward for both VPLS types. With
interworking, the concept of mesh groups has been introduced. In the example in the slide, the BGP session mesh will fall
into one mesh group (the default mesh group) and the LDP session mesh will fall into another mesh group. When BUM traffic
arrives from one mesh group, it will be flooded to all CE interfaces as well as all mesh groups for the VPLS except for the one
from which the frame arrived. Essentially, the flooding behavior considers a mesh group to be just another CE interface.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
receivers. This reduces bandwidth usage to sites that are not interested in these multicast streams.
US
To enable it, configure pim-snooping at the [edit routing-instance name protocols] hierarchy level.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
label-switched interfaces (LSIs) are used instead. This command has very similar restrictions to the vrf-table-label
command.
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
LSI Interface
The label-switched interfaces (LSIs) replace the use of the VPN tunnel interfaces inside the forwarding table of the router,
but all the forwarding concepts stay the same. In other words, a unique LSI interface is still created for every remote site and
E
The use of the LSI interface does have a few limitations. The forwarding rate is limited on a per LSI basis and his variable per
router type. When using tunnel services, the forwarding rate can be increased by adding more Tunnel PICs to the router (or
enabling them on an MX Series Ethernet Services router).
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
If the MAC table limit is reached, new MAC addresses can no longer be added to the table. Eventually the oldest MAC
US
addresses are removed from the MAC address table automatically. The removal of MAC addresses frees space in the table,
allowing new entries to be added. However, as long as the table is full, new MAC addresses are not learned however traffic
will continue to be forwarded using the process of flooding by default. You can also specify to have the router drop traffic to
unknown destinations when the MAC table is full.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
You can limit the number of MAC addresses learned from each interface configured for a VPLS routing instance.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
that many of the advertised labels will go unused. To minimize the wasted label allocations you can configure a lower
label-block size. However, a lower label block size will force the PE to advertise many routes to represent the full set of sites.
US
If your concern is to keep the number of route advertisement low, then set the label block size higher. The default is 8.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Rate Limits
A policer can be used to rate limit traffic that is being flooded. Rate limiting can be configured for all traffic or from certain MAC
addresses if matched in the from statement:
E
[edit]
US
routing protocol packets might be sent to other CEs and could be rate limited by the policer!.
A RE
SH
T
NO
DO
—
LY
ON
...
You will usually add interfaces to a VPLS that have similar VLAN tagging as all of the other sites/interfaces that belong to the
VPLS. However, there may come a time when there is a need to add an interface that uses different VLAN tagging that the
rest of the VPLS. The slide shows that when no vlan-id statement is configured for the VPLS, you must configure VLAN
RN
map statements to translate (or normalize) between the dissimilar VLAN tags.
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
PE-CE interfaces that are configured with VLAN of 515 will be treated as normal. For PE-CE interfaces with dissimilar VLAN
tags (i.e. not singly tagged with 515), the router will automatically perform the appropriate push, pop, and swap operations
US
as shown in the slide. Things will work consistently if all VPLS instances for a customer are configured with the same VLAN
ID. In the example, all frames transmitted towards the core will be sent encapsulated in a single VLAN tag of 515. Also, all of
the receiving PE routers are expecting to receive only single tagged packets (VLAN ID 515) from the remote PE routers.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
configured with the vlan-id none statement. For PE-CE interfaces with any VLAN tags (i.e. not untagged), the router will
automatically perform the appropriate push and pop operations as shown in the slide. Things will work consistently if all
US
VPLS instances for a customer are configured with the same setting. In the example, all frames transmitted towards the core
will be sent encapsulated in no VLAN tags. Also, all of the receiving PE routers are expecting to receive no VLAN tags on
packets received from the remote PE routers.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
vlan-tags Statement
For VPLS that uses a dual stack VLAN, translation configuration can be made easier by adding the vlan-tags statement to
your VPLS instances. In the slide, all of the VPLS instances (on PE1, PE2, and PE3) for this customer have been configured
E
with the same vlan-tags statement. PE-CE interfaces that are configured with same inner and outer VLAN IDs will be
treated as normal. For PE-CE interfaces with dissimilar VLAN tags (i.e. not dual tagged with 300 and 515), the router will
US
automatically perform the appropriate push, pop, and swap operations as shown in the slide. Things will work consistently if
all VPLS instances for a customer are configured with the same VLAN ID. In the example, all frames transmitted towards the
core will be sent encapsulated in a two VLAN tags of 300 and 515. Also, all of the receiving PE routers are expecting to
similarly tagged packets from the remote PE routers.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Learning so far has been performed solely based on received source MAC addresses. VLAN IDs have not been taken into
consideration while learning.
US
The vlan-id all statement performs no translation and also changes the learning behavior of a bridge domain. In all of
the cases discussed so far (including a VPLS with no vlan-id statement configured) it has been assumed that all PE-CE
interfaces of a VPLS were part of the same broadcast domain. What if your customer wants VPLS service that allows the
ability to have 100s or 1000s of broadcast domains (VLANs) between sites? Will you have to configure 100s or 1000s of
AL
VPLS instances? Configuring 1000s of VPLS instances on each PE would be one option, or you could configure a single VPLS
instance on each PE and use the vlan-id all statement. With this statement configured learning and flooding is based
on the combination of both source MAC address and inner VLAN ID. Packets received on PE-CE interfaces are sent to remote
PE with their inner VLAN tags unchanged (outer VLAN tags are popped). Packets received from the core can only be sent out
RN
PE-CE interfaces that have similar inner VLAN tags as those on the packet being transmitted.
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
VPLS Troubleshooting
The slide highlights the topic we discuss next.
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
status (see next slide). The legend will help you interpret the status code for each VPLS.
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
the 3 sites should be able to communicate with each other with no problems. You should not be alarmed when you see a
status of LM for the site 3 to site 2 connection. When two or more sites are configured under one VPLS instance, the site with
US
the lowest site ID will form the connection to the remote site. All other sites in the local VPLS instance, will use that same
connection (pseudowire) to forward and learn. Remember, all of the sites configured under the same VPLS routing instance
are also using the same, single MAC table.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Flood Routes
To determine the current flooding behavior of the VPLS, use the show vpls flood command. This command will help you
determine which interfaces are being used to learn and forward. If you have configured an active interface for a multihomed
E
PE, this command is great to help determine which interface is currently active.
US
Why are there so many flood routes? You should normally expect to see 3 flood routes in the VPLS forwarding table. The
flooding behavior on a PE is based upon the interface that BUM traffic arrives on. If BUM traffic arrives from a locally connect
CE, then the traffic needs to be flooded to all local CEs (except the one the traffic came from) and to all remote PEs. If BUM
traffic arrives from a remote PE, then the traffic needs to be flooded to only local CEs, not to any remote PE (because of PE
full-mesh). If BUM traffic arrives from the Routing Engine (RE), then the traffic needs to be flooded to all local CEs and to all
AL
remote PEs. There should be a flood route for each of the three scenarios.
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
VPLS Statistics
The following fields are present in the output of the statistics command:
E
vt-fpc/pic/port.nnnnn, where nnnnn is a dynamically generated virtual port used to transport and
receive packets from other PE routers in the VPLS domain.
• Index: Number associated with the next hop.
• Remote provider edge router: Address of the remote PE router.
AL
A RE
SH
T
NO
DO
—
LY
ON
VPLS NLRI
This screen capture shows the contents the vpn-name.l2vpn.0 table. This table displays all received label blocks from
remote sites that have the correct target community attached.
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
Highlighted are the hex values of the l2vpn-id, the advertising PE’s router-id, and the receiving PE’s router-id. These 3
US
items help to uniquely identify the VPLS connection for a given VPLS instance.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
popped and the resulting Ethernet frame forwarded to the VPN tunnel interface, vt-1/0/10.1049091.
US
It also shows the reverse direction, packets that arrive from the VPN tunnel interface vt-1/0/10.1049091 are sent to the
remote PE with a double push operation.The top label 299920 identifies the LSP towards the PE, the inner label 800001 is
unique for the VPLS connection.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
stack that will be used when forwarded traffic to a particular MAC address.
US
AL
RN
TE
IN
RE
A
SH
T
NO
DO
—
LY
ON
We Discussed:
• Virtual private LAN service (VPLS) configuration, and
E
• VPLS troubleshooting.
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Review Questions
1.
E
2.
US
3.
AL
4.
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Lab: VPLS
The slide provides the objective for this lab.
E
US
AL
RN
TE
IN
RE
1.
To prevent a layer 2 loop when a CE is multihomed to a single PE, you must configure either primary/backup link, LAG, ERP, or a
spanning tree protocol.
A
2.
To prevent a layer 2 loop when a CE is multihomed to multiple PEs, you must use BGP for signaling which automatically prevents a
SH
loop or when using LDP for VPLS signaling specify a neighbor and a backup neighbor.
3.
When tunnel services are not available (no Tunnel PIC) the command no-tunnel-services can be enabled to use LSI interfaces instead
of vt interfaces.
T
4.
NO
The flooding behavior on a PE is based upon the interface that BUM traffic arrives on. If BUM traffic arrives from a locally connect
CE, then the traffic needs to be flooded to all local CEs (except the one the traffic came from) and to all remote PEs. If BUM traffic
arrives from a remote PE, then the traffic needs to be flooded to only local CEs, not to any remote PE (because of PE full-mesh). If
BUM traffic arrives from the RE, then the traffic needs to be flooded to all local CEs and to all remote PEs. There should be a flood
route for each of the 3 scenarios.
DO
—
LY
ON
E
US
AL
RN
TE
IN
RE
A
SH
T
NO
DO
—
LY
ON
E
US
AL
RN
TE
IN
T
NO
Chapter 8: Ethernet VPN
DO
—
LY
ON
E
US
AL
RN
TE
IN
Junos Layer 2 VPNs
A RE
SH
T
NO
DO
—
LY
ON
We Will Discuss:
• The operation of Ethernet VPNs;
E
A RE
SH
T
NO
DO
—
LY
ON
EVPN Overview
The slide lists the topics we will discuss. We discuss the highlighted topic first.
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
implementations.
US
• Address learning: MAC address learning is now done in the control plane using MP-BGP. This allows for better
control and greater scalability.One of the advantages is decreased need for forwarding traffic towards unknown
unicast addresses, as MAC addresses are shared among PEs as soon as a PE locally learns a MAC address.
• Redundancy: The option for Active/Active forwarding is great improvement, it allows for optimal utilization of
links in both the core and the access layer.
AL
• Traffic optimization: VPLS has major issues with optimal traffic forwarding, especially with regard to Layer 3
flows. As a result of a much better integration between Layer 2 and Layer 3 in EVPN traffic flows can be much
more efficient from a end-to-end standpoint. Features like ARP/ND proxy, and default gateway synchronization
RN
allow traffic to exit and enter at the nearest PE router, instead of having to potentially cross intra-DC links
multiple times (tromboning).
Continued on the next page.
TE
IN
RE
• Provisioning: EVPN can use the same interface for Layer 2 and Layer 3 traffic. The RFC 7432 also suggests
some other provisioning features that not yet have been implemented in Junos, for example dynamic
assignment of ESI.
• Data plane options: VPLS is only supported using MPLS encapsulation. For EVPN other encapsulation options
A
are possible, although not always implemented by vendors. An alternative for MPLS encapsulation that is very
popular in data centers is VXLAN. This is also supported by Juniper MX Series, as well as Juniper QFX Series.
SH
VXLAN is out of the scope of this course and is covered in the Advanced Data Center Switching (ADCX) course.
T
NO
DO
—
LY
ON
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Provider Routers
The provider routers do not carry any EVPN state. They simply provide label-switching router services to facilitate the transfer
RN
A RE
SH
T
NO
DO
—
LY
ON
Ethernet Segment
US
When a customer site (device or network) is connected to one or more PEs via a set of Ethernet links, then that set of
Ethernet links is called an Ethernet segment (ES).
A unique non-zero identifier that identifies an Ethernet segment is called an Ethernet segment identifier (ESI). Multihomed
CEs (active/active or active/standby) require a unique ESI for the links. Both PEs need to use the same unique ESI when
connected to the same CE device.
RN
Single-homed CE devices do not require an ESI as they by default attain the reserved value of
0x00:00:00:00:00:00:00:00:00:00. The MAX-ESI value of 0x:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF is also reserved.
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
EVPN Operation
The slide lists the topic we will discuss next.
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
integration.
US
The other signaling requirements for the provider’s core are same as before, so IGP for reachability and MPLS LSPs for
forwarding of labeled frames between PEs. Either LDP or RSVP can be used to establish LSPs across the provider core.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
1. Ethernet autodiscovery route: Only advertised by PE that is part of multihomed CE (same ESI). There are two
different type of Ethernet autodiscovery routes, and each has their own format and functionality:
US
a. A-D Route per ESI: Used for MAC address mass withdraw to speed up convergence after link failure, and
prevents BUM traffic loops between PEs mulithomed to same CE device (split horizon); and
b. A-D Route per EVI: Used to enable active/active load balancing to PEs connected to multihomed CE
(aliasing).
AL
2. MAC and MAC/IP route: Advertised to indicate reachability to the MAC or MAC/IP address. The MAC/IP address
advertisements are optional and used when Layer 3 functionality is required (i.e., routing).
3. Inclusive Multicast Ethernet tag route: Used to enable ingress replication for forwarding BUM traffic between
RN
PEs.
4. Ethernet Segment route: Only advertised, and accepted by PEs connected to a multihomed CE (same ESI). It
provides information for the Designated Forwarder (DF) election, which prevents traffic duplication and BUM
loops towards the CE device.
TE
A RE
SH
T
NO
DO
—
LY
ON
Once a EVPN PE has learned a local MAC/(IP) address, it advertises this address using MP-BGP to the other PEs that are part
of the EVI. The route type is 2, and it is called the MAC/IP advertisement route.
The diagram shows the format and fields of the type 2 route. Junos uses the per instance label allocation which means that
AL
the same label can be used to reach all addresses in a given instance.
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
for this BUM traffic is learned per PE from the route type 3, inclusive multicast Ethernet tag route.
US
The diagram shows the format of the inclusive multicast Ethernet tag route.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
mode the CE device needs to be connected to the PEs using an aggregated Ethernet interface (LAG).
US
To prevent duplicate packets arriving at the CE the two PEs hold a designated forwarder (DF) election. The designated
forwarder is elected per EVI using route type 4, and allows only the DF router to forward BUM traffic arriving from the
provider’s core.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
This ES-Import route-target is dynamically created based on the value of the ESI. So only the PE routers who share the same
ESI will accept them into their routing tables. The algorithm used for the DF election allows different DFs per EVI to enable
US
A RE
SH
T
NO
DO
—
LY
ON
To prevent looping of BUM traffic back to the multihomed CE, the split horizon feature was developed. The DF router inspects
US
any BUM traffic to see if this traffic didn’t originate on the same ESI segment as it would be forwarded on. The only PE that
can cause this issue is the non-DF router for this ESI. So the non-DF router will add the split horizon label (route type 1)
learned from the DF of the ESI when forwarding traffic from a given ESI.The DF router checks to see if there is any split
horizon label in the BUM traffic received, and if there is a match with its local ESI the BUM traffic will not be forwarded across
that ESI.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
community also indicates what type of redundancy mode is used for this given ESI: single-active (1) or active-active (0).
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
always be forwarded from the CE device on the same single link, This means that only a single PE will learn the MAC/IP
information and the remote PEs only learn the destination from that single PE. To overcome this issue the aliasing feature is
US
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
Single-Active Redundancy
Besides the Active/Active forwarding, which typically is preferred, EVPN also supports the Active/Standby forwarding, where
there is only 1 active PE, and the others are just for backup purposes. In single-active redundancy mode the connection
E
between the PEs and the CE can not be a LAG interface. Only one of the links from the CE can be active.
US
In single-active mode the split horizon feature is still advised to be implemented so no BUM traffic loops occur during change
over or startup (both PEs think they are the DF).
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
MAC Moves
In modern data centers, VM mobility is an important feature for workload optimization, high availability, and design flexibility.
If a VM moves from one DC to another DC its associated MAC/IP addresses also move.
E
How can the EVPN cope with these MAC address location changes?
US
previous DC where the VM was located. When the “old” PE sees the new update it will withdraw its type 3 advertisement.
The RFC 7432 specifies a new extended community (MAC mobility) but this is not supported by Junos at this time.
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
receive this withdraw of the route, can now easily remove all the forwarding entries towards this ESI from this specific PE. A
single type 1 route withdraw can therefore update the next hops of thousands of MAC address routes.
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
The table shows the different EVPN learned labels and their usage in the data plane.
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
By default any IRB interface added to the EVI is advertised (MAC/IP type 2) to the other PEs in the EVPN. The
evpn-default-gateway extended community is attached to these advertisements to indicate that these addresses
should be installed as a default gateway address. If any PE receives a local ARP requests for any MAC/IP route with this
community than proxy ARP/ND should be performed. This results in more efficient traffic flows as the Layer 3 routing can
AL
now be done on the nearest local PE, instead of possibly having to go across the EVPN. to reach the default gateway address.
This is a form of a distributed default gateway function. Multiple PEs share the default gateway function for a given MAC/IP
combination.
The default gateway synchronization can be done in two ways:
RN
• Dynamic: MAC address of type 2 routes with evpn-default-gateway community is installed as a local
peer gateway. Required if MAC address of IRB interfaces are not identical. If VM moves from one DC to another,
its ARP has not changed and it is still looking for the MAC address of the default gateway for which it initially
ARPed. To make sure MAC entry works, all PEs must install it as peer gateway, so VM can route via nearest local
TE
PE.
• Manual: If you configure all the IRB interfaces with the same MAC/IP address information than no need for
dynamic advertisements as information is already known. This is recommended practice as it does not need
IN
A RE
SH
T
NO
DO
—
LY
ON
IRB interfaces are placed in both a EVI and L3VPN instance (vrf). Whenever a new local MAC/IP address is learned this will
US
be advertised to the remote PEs in the EVI, as a type 2 route. At the same time this will result in the advertisement of a /32
host route for that IP address in the L3VPN instance. This allows the L3 routing to learn exactly where specific hosts are
located, include VM mobility, and results in efficient flow forwarding across the network.
A given PE will actually learn the same IP route twice, once via the EVI (type 3 MAC/IP) and via the host route in the L3VPN.
The EVPN route is always preferred over the host route in that case. There might be PEs that are part of the L3VPN but not a
AL
member of the EVI. They will use the host route to route towards the EVI for that specific IP address.
So ingress traffic is optimized using the type 3 and host route distribution inside the EVI / L3VPN service. Egress traffic is
optimized using the default gateway synchronization so that traffic can leave using the nearest PE device in the EVI.
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
EVPN Configuration
The slide lists the topic we will discuss next.
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
The CE interface addressing uses the 10.0.20.0/24 addresses. The IRB interfaces on all PE use the 10.0.20.1/24 address.
The IGP in the provider’s core is OSPF using a single area 0 configuration. Traffic engineering extensions are not required as
US
A RE
SH
T
NO
DO
—
LY
ON
To support optimal load balancing for the L3VPN, a load balancing policy (LB) is configured and applied on the forwarding
US
table.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
• The interface that connects to the multihomed CE needs a unique non-zero ESI value. Remember this must be
US
the same on both PEs involved in the multihoming setup. Here the ESI value of
00:01:02:03:04:05:06:07:08:09 is used.
• The interface that connects to the multihomed CE must have the redundancy mode set. By default the
redundancy mode is all-active, but single-active is also possible.
AL
• For Active/Active forwarding the connection between PE-CE must a be LAG interface. To “trick” the CE device
into thinking its LAG interface is connected to the same device. Both PEs must use the same lacp
system-id (00:00:00:00:00:01 in this example). Full MC-LAG is not required in this setup.
Notice that the same MAC/IP address is used on the IRB interface on this PE2 as is configured on PE1.
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
For all EVPN instances the route-distinguisher must be unique, and therefore type 1 (based on loopback IP address) is highly
US
recommended.
To enable Layer 3 routing, the IRB interface is added to the EVPN instance (irb.620, in this example).
To enable dynamic default gateway synchronization the default-gateway advertise option is configured. If you prefer
the recommended practice of manual default gateway synchronization use the default-gateway do-not-advertise
AL
command. Remember from the previous slide we manually configured both the IP and MAC address on the IRB interface.
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
configured.
US
The VLAN aware bundle is actually the preferred way of using EVPNs as it is much less provisioning to do add/move/
changes. So even if you start out with only 1 VLAN, it might be useful to configure VLAN aware bundle interface for your EVI.
The VLANs in the VLAN aware bundle service interface share the same EVI but each retains its own broadcast domain.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
• The evpn-pplb policy is configured and applied on the forwarding table to enable maximum load balancing
US
A RE
SH
T
NO
DO
—
LY
ON
The vrf-table-label is recommended for the L3VPN instance in this kind of EVPN setup as often no routes are learned
US
A RE
SH
T
NO
DO
—
LY
ON
EVPN Troubleshooting
The slide lists the topic we will discuss next.
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
The specific VRF tables L3VPN.inet.0 and EVPN.evpn.0 show that some routes already have been exchanged.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
The interface ge-1/0/4.620 connected to CE-A shows that the ESI is 0 as it is a single-homed CE.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
It also shows the discovery of a multihomed segment (ESI: 00:01:02:03:04:05:06:07:08:09), the PEs connected to this ESI,
US
the aliasing label, and the redundancy mode for this ESI.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
It shows the ae0.620 interface with it’s ESI value, and indicates that this ESI is in all-active redundancy mode.
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
The new information here is that on PEs part of the multihomed CE setup you can see the result of the designated forwarder
election, and it easily shows the split-horizon label.
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
dynamically attached to the route that advertises the redundancy mode (all-active) and the split horizon label (300911).
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
If you already know which MAC address you need, use the evpn-mac-address option as part of your show command.
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
L3 VPN service.
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
IRB being advertised with is own unique MAC address to all remote PEs. Upon receipt of this route, it will add the MAC
address as a peer-gateway-macs entry.
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Just a reminder the recommended option is to manually synchronize your default gateway by configuring identical IP/MAC
US
address on the IRBs for the PEs used as default gateway, and use the default-gateway do-not-advertise option,
in the EVI.
If you use this method the output of the show evpn peer-gateway-macs (VLAN based service interface) or show
bridge peer-gateway-macs (VLAN aware bundle service interface) command is empty, and that is what is expected in
this case.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
(301024). This label will be used as the inner label if PE2 (or PE3) needs to send BUM traffic towards PE1.
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
used).
US
Only the PEs involved in the ESI will accept this route, as they are the only one with the correct (hidden, dynamically created)
import policy that matches this es-import-target:1-2-3-4-5-6 value.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
The 10.0.20.1/32 address is the default gateway address from the IRB interfaces. It shows a local entry (preferred), and a
US
EVPN learned entry for PE2. PE2 did not have the identical MAC/IP combination and therefore was advertised and accepted
as a possible route towards 10.0.20.1.
Notice that the 10.0.0.20.12 route has many next hops; this is because of the aliasing feature that allows forwarding to both
PEs.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
• show bridge mac-table bridge-domain VLAN instance EVI_Name (VLAN bundle aware
service interface).
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
known.
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
We Discussed:
• EVPN operations;
E
A RE
SH
T
NO
DO
—
LY
ON
Review Questions
1.
E
2.
US
3.
4. .
AL
RN
TE
IN
RE
1.
The purpose of an ESI is to identify a set of links connected to a site (CE). This is essential for the support of active/active and active/
standby multihoming. The reserved values are 0x00:00:00:00:00:00:00:00:00:00 for single-homed interfaces, and
A
0xFF:FF:FF:FF:FF:FF:FF:FF:FF:FF for max-ESI.
2.
SH
The aliasing feature allows optimal load balancing to all-active PEs for a given ESI regardless if the MAC/IP information was learned
from one or both PEs.
3.
The inclusive multicast Ethernet tag route (type 3) is needed to provide label information to forward BUM traffic, using ingress
T
replication, towards a single-homed CE from a remote PE.
NO
4.
To advertise MAC and IP addresses the EVI needs to have Layer 3 interface added to its configuration. In Junos these are the IRB
interfaces. Only then can ARP learning take place, and will IP addresses be learned.
DO
—
LY
ON
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
• Content Explorer: Junos OS and ScreenOS software feature information to find the right software release and
hardware platform for your network.
• Feature Explorer: Technical documentation for Junos OS-based products by product, task, and software
release, and downloadable documentation PDFs.
AL
• Learning Bytes: Concise tips and instructions on specific features and functions of Juniper technologies.
• Installation and configuration courses: Over 60 free Web-based training courses on product installation and
configuration (just choose eLearning under Delivery Modality).
RN
• J-Net Forum: Training, certification, and career topics to discuss with your peers.
• Juniper Networks Certification Program: Complete details on the certification program, including tracks, exam
details, promotions, and how to get started.
TE
• Technical courses: A complete list of instructor-led, hands-on courses and self-paced, eLearning courses.
• Translation tools: Several online translation tools to help simplify migration tasks.
IN
www.juniper.net
Junos Layer 2 VPNs
A RE
SH
T
NO
DO
—
LY
ON
E
US
AL
RN
TE
IN
www.juniper.net
A RE
SH
Junos Layer 2 VPNs
T
NO
Appendix A: Interprovider Backbones for Layer 2 VPNs
DO
—
LY
ON
E
US
AL
RN
TE
IN
Junos Layer 2 VPNs
A RE
SH
T
NO
DO
—
LY
ON
We Will Discuss:
• Junos operating system support for carrier of carriers;
E
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
Carrier-of-Carriers Model
This model allows service provider A to offer a IP backbone service to the customer, another service provider. Assume the
customer is a new service provider that has a point of presence (POP) in a few sparse locations with no backbone network to
E
interconnect those POPs. The customer (the new service provider) can purchase the carrier-of-carriers service from the
service provider A to interconnect its sites making the customer network appear as a single autonomous system (AS) without
US
service provider A having to carry the external routes learned by the customer. The details of this model are discussed in the
subsequent slides.
Interprovider VPN
AL
This model allows for a Layer 3 VPN, BGP Layer 2 VPN, BGP virtual private LAN service (VPLS), or BGP Ethernet VPN to extend
between autonomous system or service providers.
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Carrier-of-Carriers VPN
This model is a combination of the two models discussed on the previous slide. In this model, the customers of service
provider A will be providing VPN service to its own customers. The details of this model are described in subsequent slides.
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Option A
RFC 4364 describes three methods of providing multiple AS backbones. Option A is the least scalable of the options. This
option requires that the autonomous system boundary routers (ASBRs) maintain separate VPN routing and forwarding tables
E
and store all of the associated L2VPN routes for every one of its customers. For VPLS deployments it also means that the
ASBR routers need to learn MAC addresses (data plane). So it creates scalability bottlenecks for both control plane (L2VPN
US
routes) and data plane (MAC addresses) resources. Although this option is supported by the Junos OS, it is not a
recommended solution.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Option B
With option B, the ASBRs does not need to maintain separate VPN instances for each VPN. However, the ASBR will still have
to keep L2VPN routes in a single routing table, bgp.l2vpn.0 for L2VPN routes. Through an EBGP session between one
E
another, the ASBRs will then exchange L2VPN routes as label routes. The EBGP advertised labels are used stitch together
the label-switched paths (LSPs) that terminate between provider edge (PE) and ASBR. For VPLS deployments there is also no
US
A RE
SH
T
NO
DO
—
LY
ON
Option C
This option is generally accepted as the most scalable solution for interprovider VPNs. This option allows the PE routers in
different autonomous systems to exchange VPN routes (Layer 3 VPN, BGP Layer 2 VPN, or BGP VPLS) using a multihop BGP
E
session. The ASBRs do not need to store any VPN routes in this case. Instead, the ASBRs will exchange the internal networks
of each service provider (most importantly the loopback addresses of the PEs) using labeled IP version 4 (IPv4) routes. The
US
labels associated with the internal networks will be used to stitch together the MPLS LSPs that exist between PE and ASBR in
the service provider networks.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
routers and normally consist of at least the customer’s /32 loopback addresses. The provider’s PE routers do not carry the
customer’s external routes (C-external), which is a critical aspect of the overall scalability of this model.
US
Customer Routers
The customer’s routers must maintain both C-internal and C-external routes. External routes are those learned from the
customer’s downstream subscribers and are now stored in site-specific VRF tables. Unlike the previous examples, the
AL
support of VPN routes requires that LSPs be established between customer PE and CE routers. These can be established
using either RSVP or LDP. The use of LSP-based forwarding within the customer networks accommodates private/local use
addressing.
RN
ASBRs
ASBRs can be PE or CE routers and are used to connect with other autonomous systems. ASBRs advertise labeled routes
between autonomous systems and maintain switching tables that allow them to stitch together LSPs existing in adjacent
networks.
TE
RE
The presence of VPN-related labels results in the need to support three levels of label stacking in the provider and customer
networks. In the case of PE-1, the three labels have the following functions:
1. The bottom label is the VPN label assigned using MP-BGP. This label does not change as the packet is
forwarded.
A
2. The middle label is assigned by the downstream ASBR (CE-1, in the case of PE-1) and is used by the ASBR to
SH
associate the packet with the LSP leading to the next ASBR in the path.
3. The top label associates the packet with the LSP connecting PE-1 to CE-1 and is assigned by RSVP or LDP.
Because an LSP must be established across AS boundaries to interconnect customer PE routers, labels must be
communicated along with the NLRI advertised by ASBRs. Although a protocol such as LDP could be used for this purpose,
T
the Junos OS currently supports MP-BGP for this purpose.
RFC 3107, Carrying Label Information in BGP-4, specifies labeled routes. Labeled route advertisements use SAFI 4 and
NO
differ from VPN-labeled routes in that there is no route distinguisher or route target communities in the advertised NLRI.
Simply put, labeled routes allow the binding of an MPLS label to the advertised IPv4 NLRI. ASBRs use the advertised labels
to build MPLS switching tables that result in an end-to-end LSP spanning multiple autonomous networks.
Within an AS, labeled routes are sent using MP-IBGP while MP-EBGP is used across AS boundaries.
DO
—
LY
ON
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
As with the previous application, the customer’s CE routers use EBGP with labeled-unicast NLRI to exchange labeled
routes with the provider’s PE routers. The use of labeled routes allows the provider to extend its LSPs to the customer CE
router and thereby eliminate the need to carry customer internal routes in its P routers.
AL
backbone for the purposes of exchanging external routes. In this case, the routes are exchanged using MP-BGP and are
labeled VPN routes.
To improve scalability, the customer networks can use route reflection. The two route reflectors peer using MP-EBGP. A
command called no-nexthop-change is required to tell the route reflectors to pass—unchanged—the third party next
TE
RE
The details of the signaling exchanges shown on the slide are:
1. The IGP at customer Site 2 exchanges internal reachability with CE-2. L2VPN routes are not sent to PE-3.
2. CE-2 selectively advertises Site 2’s internal routes to the provider’s PE-3 router using MP-EBGP with support of
A
labeled-unicast routes. The route to PE-4 is sent with a label value used to associate packets with the LSP
to PE-4 in Site 2 (1020 in this example).
SH
3. PE-3 houses Site 2’s internal routes in a VRF table and uses MP-IBGP to send labeled VPN-IPv4 routes to PE-2.
The route to PE-4 is assigned Label 1001 in this example.
4. PE-2 uses MP-EBGP to send Site 2’s internal routes to CE-1. Because PE-2 has changed the BGP next hop (as is
always the case with ASBRs), it must assign a new label to the prefix advertised (Label 1007 in this example).
T
5. After receiving the labeled route, CE-1 distributes Site 2’s internal routes to PE-1 using MP-IBGP. Unlike the
carrier-of-carriers application, this exchange involves labeled-unicast routes, and therefore requires MP-IBGP.
NO
Because CE-1 is also an ASBR, it rewrites the BGP next hop and must therefore assign a new label (Label 1020
in this example).
At this point, the ASBRs (PE-1 and PE-4) establish an MP-EBGP multihop session through the provider’s backbone. This BGP
session is tunneled through the LSP in the provider’s network and is used to carry labeled VPN routes.
DO
6. PE-4 connects via L2VPN to one of its subscribers. The circuit information can now be advertised to other
members of this L2VPN.
7. The L2VPN route information is now advertised to PE-1 using the MP-EBGP session established at Step 5. This
NLRI advertisement includes the VPN label that PE-4 expects to receive for routes associated with this
particular L2VPN instance. —
8. PE-1 can bring the Layer 2 connection up after learning the L2VPN route information from PE4.
.
LY
ON
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
assigned by CE-1 (to associate the packet with the LSP to PE-4). In this one-hop LSP example, PHP results in the
absence of a third RSVP/LSP label used to associate the frame with the LSP between PE and CE routers.
3. CE-1 receives the labeled frame and swaps the top label.
RN
4. PE-2 receives the labeled frame and swaps the top label with the value received from PE-3 while also pushing the
MPLS label (Label 1008 in this example) onto the stack.
5. The P router pops the top label (PHP) so that PE-3 receives a frame with only two labels.
6. PE-3 also performs a swap on the top label before forwarding the frame to CE-2.
TE
RE
7. Being the penultimate router for the LSP to PE-4, CE-2 pops the label stack and sends the resulting VRF-labeled
frame to PE-4.
8. PE-4 pops the L2VPN label and consults the corresponding VPN table to perform a lookup on the now unlabeled
A
frame.
9. The native frame is forwarded out PE-4’s L2VPN interface towards the subscriber to which it is addressed.
SH
T
NO
DO
—
LY
ON
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
The provider’s network is assigned AS 65512. It already has established an LSP between PE-2 and PE-3 using RSVP. The PE
US
routers have a L2VPN instance configured, along with the necessary L2VPN target and route distinguishers. PE-2 and PE-3
function as ASBRs in this application.
Policy on CE Routers
AL
The CE routers are configured to run MP-EBGP (family inet labeled-unicast) with the PE routers and have a policy
in place to ensure that only internal prefixes are advertised to the provider’s PE routers.
A multihop MP-EBGP session is configured between the PE-1 and PE-4, because the customer networks are assigned
different AS numbers. The subscriber L2VPN route is advertised as a labeled-VPN route by PE-4 to PE-1 using this MP-EBGP
session. Customer routers CE-1 and CE-2 also function as ASBRs in this example
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
PE-1 Configuration
This slide shows the key aspects of PE-1’s configuration. Family labeled-unicast is configured for its MP-IBGP session
to CE-1, and family inet-vpn is configured for the multihop MP-EBGP session to PE-4.
E
US
resolve-vpn
The resolve-vpn option causes PE-1 to copy the labeled-unicast routes it receives from CE-1 into inet.3, which
allows VPN routes to resolve through the interprovider LSPs. Without this option, all the VPN routes received would be
hidden, due to unusable next hops.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
CE-1 Configuration
This slide displays key portions of the configuration on CE-1. RSVP is enabled, and an LSP is defined back to PE-1 (not
shown). The MP-IBGP session to PE-1 has the labeled-unicast family configured. This configuration is needed so that
E
CE-1 can include labeled-unicast routes along with the advertisements for Site 2’s internal routes.
US
CE-1 also has an MP-EBGP session configured for its connection to PE-2. This session must also support
labeled-unicast routes.
The following policy is applied to CE-1’s MP-EBGP session to PE-2. This policy ensures that Site 1 sends only internal routes
to the provider:
AL
then accept;
}
term 3 {
then reject;
}
TE
}.
IN
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
The labeled-unicast routes received by PE-1 are copied into the main routing table (inet.0) as well as the inet.3
table. This copying is the result of the resolve-vpn option on PE-1 and is critical to the operation of this network.
US
Normally, VPN routes must resolve to an LSP that terminates on the egress PE router. Because PE-1 does not have an LSP
terminating directly on PE-4, the VPN routes are unusable without the labeled-unicast entries to the remote PE routers
in inet.3, which indicate a multinetwork LSP between PE-1 and PE-4 exists.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
stack (VPN-label—300080—302400).
US
The top label is popped by the provider P router (PHP), such that PE-3 receives a packet with a two-level label stack. PE-3
swaps the top label with the value assigned to the LSP to PE-4 by CE-2. PE-3’s label operation is shown here:
user@pe-3> show route table mpls.0
...
299904 *[VPN/170] 19:07:27
RN
RE
A
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
• P routers only maintain the internal routes from its own AS (AS-internal);
• PE routers maintain the internal routes from its own AS (AS-internal), the loopback address from the other AS
US
ASBR Routers
The ASBR routers interconnect the providers. To ensure that the L2VPN traffic is sent labeled across the interprovider link
labeled-unicast routes are exchanged across the EBGP session.
RN
CE Routers
CE routers are unaware of the interprovider setup so just as for single provider L2VPNs they only care about their own circuit
information and their local routing (if used at all).
TE
RE
The presence of L2VPN related labels results in the need to support three levels of label stacking in the provider networks. In
the case of PE-1, the three labels have the following functions:
1. The bottom label is the L2VPN label assigned using multihop MP-EBGP. This label does not change as the
A
packet is forwarded.
2. The middle label is assigned by the downstream ASBR1 and is used by the ASBR1 to associate the packet with
SH
the LSP leading to the remote PE This is a labeled unicast learned label.
3. The top label associates the packet with the LSP connecting PE1 to ASBR1 and is assigned by RSVP or LDP.
Because an LSP must be established across AS boundaries to interconnect customer PE routers, labels must be communicated
along with the NLRI advertised by ASBRs. Although a protocol such as LDP could be used for this purpose, the Junos OS
T
currently supports MP-BGP for this purpose.
RFC 3107, Carrying Label Information in BGP-4, specifies labeled routes. Labeled route advertisements use SAFI 4 and differ
NO
from VPN-labeled routes in that there is no route distinguisher or route target communities in the advertised NLRI. Simply put,
labeled routes allow the binding of an MPLS label to the advertised IPv4 NLRI. ASBRs use the advertised labels to build MPLS
switching tables that result in an end-to-end LSP spanning multiple autonomous networks.
Within an AS, labeled routes are sent using MP-IBGP while MP-EBGP is used across AS boundaries.
DO
—
LY
ON
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
The ASBR routers use EBGP with labeled-unicast NLRI to exchange labeled routes across the interprovider connection.
The use of labeled routes allow the providers to extend its LSPs to each other by also carrying the loopback addresses of the
PEs from the other AS.
AL
addresses.
A RE
SH
T
NO
DO
—
LY
ON
second label (2007) assigned by ASBR1 (to associate the packet with the extended LSP to PE2). The top label
(1020) is pushed to use the LDP LSP to reach ASBR1.
3. P1 receives the labeled frame and pops the top label (PHP).
RN
4. ASBR1 receives the labeled frame and swaps the top label with the value received from ASBR2 (2007 -->2008)
5. ASBR2 receives the labeled frame and swaps the top label with the value of the LDP LSP towards PE2 (2008 -->
1010).
Continued on next page.
TE
IN
RE
6. Being the penultimate router for the LDP LSP to PE2, P2 pops the label stack and sends the resulting
L2VPN-labeled frame to PE2.
7. PE2 pops the L2VPN label and consults the corresponding table to forward the traffic out of the correct
A
CE-facing interface.
8. The native frame is forwarded out PE2’s L2VPN interface towards the subscriber to which it is addressed.
SH
T
NO
DO
—
LY
ON
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Within each provider’s network the IGP and LDP protocols already have been configured so that within each AS there is an
US
policy in place to ensure that only internal PEs loopback prefixes are advertised to the other provider’s ASBR.
AS numbers. The L2VPN NLRI is advertised as a labeled-VPN route by PE2 to PE1 using this MP-EBGP session.
IN
A RE
SH
T
NO
DO
—
LY
ON
PE1 Configuration
This slide shows the key aspects of PE1’s configuration. Family labeled-unicast is configured for its MP-IBGP session to
ASBR1, and family l2vpn signaling is configured for the multihop MP-EBGP session to PE2.
E
US
resolve-vpn
The resolve-vpn option causes PE1 to copy the labeled-unicast routes it receives from ASBR1 into inet.3, which
allows L2VPN routes to resolve through the interprovider LSPs. Without this option, all the VPN routes received would be
hidden, due to unusable next hops.
AL
The slide also shows the L2VPN routing-instance configuration that is identical as used for single provider BGP L2VPNs.
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
ASBR1 Configuration
This slide shows the key aspects of ASBR1’s configuration. Family labeled-unicast is configured for its MP-IBGP
session to ASBR1, and for its MP-EBGP session to ASBR2.
E
Notice the export policy called internals that contains the local PE’s loopback addresses.
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
The labeled-unicast routes received by PE1 are copied into the main routing table (inet.0) as well as the inet.3
table. This copying is the result of the resolve-vpn option on PE1 and is critical to the operation of this network. Normally,
US
L2VPN routes must resolve to an LSP that terminates on the egress PE router. Because PE1 does not have an LSP
terminating directly on PE2, the VPN routes are unusable without the labeled-unicast entries to the remote PE routers
in inet.3, which indicates that a multinetwork LSP between PE1 and PE2 exists.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
• Label 800001 (L2VPN label received from PE2 across MP-EBGP session);
US
• Label 300224 (Label received from the labeled unicast MP-IBGP session with ASBR1); and
• 299792 = Top label (Label received from P1 router using the LDP protocol).
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
L2VPN Status
This slide shows how to verify if the interprovider L2VPN connection is up and running.
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Multisegment Pseudowires
This slide highlights the topic we discuss next.
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
end-to-end reachability from PE to PE, but only visibility to the end of the individual segment. This allows greater scalability
and path control across administrative or interprovider boundaries.
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
• Single segment pseudowire (SS-PW): A pseudowire setup unchanged between two PEs.
• Multisegment pseudowire (MS-PW): A set of two or more pseudowire segments that function as a single
US
point-to-point pseudowire. Each end must terminate on the T-PE. Up to 254 segments can be combined into a
multisegment pseudowire.
• Pseudowire terminating provider edge (T-PE): A PE where the customer facing interface is connected. There
must be a T-PE at the begin and end of the multisegment pseudowire.
AL
• Pseudowire switching provider edge (S-PE): A PE capable of switching the control and data plane of the
pseudowire segments into a mutlisegment pseudowire. The S-PE allow for exact path control across the
administrative domains, or across providers. By limiting the S-PEs, it also offers greater scalability.
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
configuring the S-PE as the route reflectors. The multisegment pseudowire autodiscovery uses a new BGP address family
(AFI 25, SAFI 6).
US
multisegment pseudowire. The use of an active and passive T-PE ensures that the same set of S-PEs are used in both
directions for the setup of the multisegment pseudowires. The active T-PE is the one with the highest source attachment
individual identifier (SAII) which is determined by configuration.
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Provider Networks
The provider network needs to be MPLS-enabled so that end-to-end LSPs exist between the different PEs.
E
The S-PEs must have BGP sessions between them. In an interprovider scenario this means multihop E-BGP sessions using
family l2vpn autodiscovery-mspw to discover the path between the two T-PEs.
.The S-PE and it’s local T-PE need to have a I-BGP session using family l2vpn autodiscovery-mspw.
Route Reflectors
RN
A RE
SH
T
NO
DO
—
LY
ON
1 = 2001), and the outer label is the LDP LSP towards S-PE1 (1020).
3. The P router in AS100 provides PHP for the LDP LSP and therefore pops the top label.
4. The S-PE1 router provides the segment switching function by swapping the segment 1 label (2001) for the
RN
6. The P router in AS200 provides PHP for the LDP LSP and therefore pops the top label.
7. The T-PE2 router pops the segment 3 label (2003) and forwards towards CE-A2 device.
IN
A RE
SH
T
NO
DO
—
LY
ON
The site 1 network uses AS65201 and has LDP LSP reachability between PEs. The site 2 network uses AS65202 and also
US
has LDP LSP reachability between its PEs. There is no IGP reachability between the two provider networks. LDP is enabled
between the two provider networks to enable targeted LDP sessions. To make loopbacks reachable between S-PE1 and
S-PE1 static routes are used in this example.
FEC129 BGP autodiscovery for multisegment pseudowires (family l2vpn autodiscovery-mspw) is configured on
the sessions between the T-PE and S-PE (I-BGP), and between the S-PEs (multihop E-BGP).
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
T-PE1 Configuration
This slide shows an example of a T-PE configuration. The family l2vpn autodiscovery-mspw is configured on the
I-BGP session toward the local S-PE router.
E
The routing instance is configured for FEC129 BGP autodiscovery as for a single segment pseudowire with one important
US
difference. The format of the attachment identifier is different, as a type 2 Attachment circuit identifier (AII) is required for
multisegment pseudowires. The format of the type 2 AII is:
• Global_ID: global identification, which is usually the AS number
• Prefix; IPv4 address, which is usually the router ID
AL
A RE
SH
T
NO
DO
—
LY
ON
S-PE1 Configuration
This slide shows an example of a S-PE configuration. The family l2vpn autodiscovery-mspw is configured on the
I-BGP session toward the local T-PE router, and on the multihop E-BGP session towards the other providers S-PE.
E
The static route is needed to be able to setup the E-BGP session to the loopback address of the remote S-PE.
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
• Segment 1 (T-PE1 ,<--> S-PE1); it learned the route from the local T-PE1 (193.168.12.2)
US
193:168.12.2:200:200:0.0.0.200:1 AD2;and
• Segment 2 (S-PE1 <--> S-PE2); it learned the route from the remote S-PE2 (193.168.2.2)
193.168.2.2:200:200:0.0.0.200:2 AD2.
The format of the FEC 129 BGP autodiscovery multisegment pseudowire routes is:
AL
A RE
SH
T
NO
DO
—
LY
ON
• The inner label is 299952 as is learned via the I-BGP session using the family l2vpn
US
autodiscovery-mspw, and identifies the first segment of the multisegment pseudowire (T-PE1 <--> S-PE1).
• The top label is 299776 which identifies the LDP LSP towards the loopback of S-PE1.
The second output is from the mpls.0 table on S-PE1 and shows the segment switching operation between segment 1
(T-PE1 <--> S-PE1) and the next segment 2 (S-PE1 <--> S-PE2) of the multisegment pseudowire. Note the top label was
AL
A RE
SH
T
NO
DO
—
LY
ON
A RE
SH
T
NO
DO
—
LY
ON
We Discussed:
• Junos operating system support for carrier of carriers;
E
A RE
SH
T
NO
DO
—
LY
ON
Review Questions
1.
E
2.
US
3.
AL
.
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
.
US
AL
RN
TE
IN
RE
1.
In a carrier-of-carrier application the customer routers maintain both customer internal and external routes (non-VPN). In an
interprovider VPN, except for the ASBRs connected to VPN sites, the customer routers maintain customer internal routes only
A
2.
The three interprovider VPN options are A (back to back VPNs), option B (single VPN table on ASBRs), and option C (greatest
SH
scalability, no VPN routes on ASBRs).
3.
The T-PE router is at the begin and end of a multisegment pseudowire and connects directly to the CE device. The S-PE router
switches between different segments to let the multisegment pseudowire function as a single end-to-end pseudowire. S-PEs do not
T
have connections to CE devices.
NO
DO
—
LY
ON
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
E
US
AL
RN
TE
IN
T
NO
Appendix B: Circuit Cross-Connects
DO
—
LY
ON
E
US
AL
RN
TE
IN
Junos Layer 2 VPNs
A RE
SH
T
NO
DO
—
LY
ON
We Will Discuss:
• Configuring CCC Layer 2 switching;
E
A RE
SH
T
NO
DO
—
LY
ON
Circuit Cross-Connect
The slide lists the topics we will discuss. We discuss the highlighted topic first.
E
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Data Link Control (HDLC) interface, or an MPLS LSP. Using CCC, packets from the source circuit are delivered to the
destination circuit with, at most, the Layer 2 address being changed. No other processing—such as header checksums,
US
Cross-Connect Types
CCC circuits fall into two categories: logical interfaces, which include DLCIs, VCs, and PPP and Cisco HDLC interfaces; and
AL
LSPs. The two circuit categories provide the following three types of cross-connect:
• Layer 2 switching: Cross-connects between logical interfaces provide what is essentially Layer 2 switching. The
interfaces that you connect must be of the same type. This type of switching can also be used to direct traffic
to/from P2MP LSPs.
RN
• MPLS tunneling: Cross-connects between interfaces and LSPs allow you to connect two distant interface
circuits of the same type by creating MPLS tunnels that use LSPs as the conduit.
• LSP stitching: Cross-connects between LSPs provide a way to stitch together two LSPs, including paths that fall
TE
A RE
SH
T
NO
DO
—
LY
ON
arriving at one interface can be sent out another interface on the same device.
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Configuration Example
In the configuration example above you see the configuration that makes traffic arriving at logical interface ge-0/0/1.0, exit
logical interface ge-0/0/2.0 and vice versa (bidirectional). In this case the Layer 2 switching is between two similar
E
interfaces that use Ethernet VLANs with the same VLAN ID (610).
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Interface Tunneling
CCC requires that you have 2 dedicated LSPs to accommodate transmit and receive traffic for every CCC connection
configuration. This is because CCC does not support label stacking like Layer 2 circuits, Layer 2 VPNs and VPLS. This is one
E
of the primary reasons that CCC is not a scalable solution for larger networks. CCC allows you to connect two ATM, Frame
Relay, PPP, Ethernet, or Cisco HDLC access links using an MPLS tunnel. Layer 2 packets are essentially bridged from end to
US
end in this configuration. In the figure on the slide, MPLS LSPs connect two Ethernet networks across an IP cloud. The
Ethernet interface on the R1 expects a VLAN value of 610 (on whatever path is enabled on that interface). R3 will also
transmit and receive using VLAN 610 (on whatever path is enabled on the output interface). The IP backbone between the
two routers has two LSPs—one in each direction—that connect the two PE routers. When the packets come in to R1 destined
to the network attached to R3, R1 places an MPLS header on the packets and transmit them down the LSP. Once the
AL
packets reaches R3, the MPLS headers are stripped off, and the packet are forwarded out the CE facing interface.
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
Configuration Example
The configuration examples on the slide show that the receive LSP on one router is the transmit LSP on the other router. The
names referenced are the names of the transmit or receive LSPs displayed when you issue the show mpls lsp command.
E
To configure LSP tunnel cross-connects, you must also configure the CCC encapsulation on the ingress and egress router’s
US
unit 610 {
encapsulation vlan-ccc;
vlan-id 610;
}
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
LSP Stitching
Another use of CCC is to stitch two separate label-switched paths (LSPs) together into one seamless LSP end-to-end.
E
The stitching is unidirectional only, so you must stitch for each direction separately, which requires 2 different connections if
you want bidirectional traffic flows.
US
A RE
SH
T
NO
DO
—
LY
ON
Configuration Example
The configuration example on the slide shows two distinct connections. One in the direction R1 towards R3, which stitches
the LSP-1 and LSP-2 together. Another one in the opposite direction R3 towards R1, which stitches the LSP-3 and LSP-4
E
together. Make sure you understand the direction of the stitched LSPs as it is important to configure the correct
transmit-lsp and receive-lsp.
US
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
CCC Drawbacks
The following list details some of the drawbacks of CCC:
E
• CE and PE router configuration can be complex, especially during adds, moves, and changes. The customer
must coordinate with the service provider.
US
• Each data-link connection identifier (DLCI)/PVC requires a dedicated set of MPLS LSPs. There can be no sharing
of the LSP when using CCC.
• CCC as a Layer 2 VPN solution is only appropriate for small numbers of individual private connections.
Interface types must be the same at all CE device locations. For instance, if Frame Relay is used at one VPN site then Frame
AL
Relay must be used at all other sites. However, the Junos OS has a feature called translational cross-connect (TCC) that can
be used when there are different interfaces types at the CE locations
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
We Discussed:
• Configuring CCC Layer 2 switching;
E
A RE
SH
T
NO
DO
—
LY
ON
Review Questions
1.
E
2.
US
3.
AL
RN
TE
IN
A RE
SH
T
NO
DO
—
LY
ON
RE
1.
The requirement for Layer 2 switching are to configure the interfaces with the appropriate Layer 2 encapsulation, enable protocols
mpls, and configure the connection between the two interfaces.
A
2.
There are 2 LSPs required as CCC doesn’t support label stacking so for each virtual circuit that you want to transport across the core
SH
you’ll need a separate transmit and a receive LSP.
3.
The command to display the operational status of a CCC circuit is show connections.
T
NO
DO
—
LY
ON
E
US
AL
RN
TE
IN
RE
A
SH
T
NO
DO
—
LY
ON
E
US
AL
RN
TE
IN
RE
AAL5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ATM Adaptation Layer 5
A
AFI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Address Family Identifier
ANSI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .American National Standards Institute
SH
ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Address Resolution Protocol
AS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .autonomous system
ASBR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .autonomous system boundary routers
ATM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Asynchronous Transfer Mode
BECN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .backward explicit congestion notification
T
BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Border Gateway Protocol
BUM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . broadcast, unknown unicast, and multicast
NO
CapEx . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .capital expenses
CCC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . circuit cross-connect
CE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . customer edge
CIR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .committed information rate
Cisco HDLC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Cisco High-Level Data Link Control
CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .command-line interface
DO
CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . class-of-service
CRC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . cyclic redundancy check
CSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Constrained Shortest Path First
CSV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . circuit status vector
DCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .data communication equipment
—
DE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Discard Eligibility Bit
DF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Designated Forwarder
DLCI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .data-link connection identifier
ERP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ethernet Ring Protection
LY
ES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Ethernet segment
ESI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Ethernet segment identifier
EVI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EVPN Instance
FEC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . forwarding equivalence class
ON
PE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . provider edge
RE
PHP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .penultimate-hop popping
PLP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . packet loss priority
PMSI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Provider Multicast Service Interface
POP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . point of presence
PPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Point-to-Point Protocol
A
PVC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . permanent virtual connection
RDI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . remote defect indication
SH
RE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Routing Engine
RED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . random early detection
RPL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ring protection link
SAFI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . subsequent address family identifier
SAII . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . source attachment individual identifier
T
SLA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .service-level agreement
SNAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . subnetwork attachment point
NO
TCC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . translational cross-connect
TED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . traffic engineering database
TPID. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Tag Protocol Identifier
TTL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . time-to-live
VC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Virtual Chassis
DO
VCI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Virtual Chassis identifier
VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .virtual LAN
VPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .virtual private LAN service
VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . virtual private network
VR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . virtual router
VRF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VPN route and forwarding
—
WRR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . weighted round-robin
LY
ON
E
US
AL
RN
TE
IN