Configuring Layer 2 VPNs


To configure Layer 2 VPN functionality, you must enable Layer 2 VPN support on the PE router. You must also configure PE routers to distribute routing information to the other PE routers in the VPN and configure the circuits between the PE routers and the CE routers. Each Layer 2 VPN is configured under a routing instance of type l2vpn. An l2vpn routing instance can transparently carry Layer 3 traffic across the service provider's network. As with other routing instances, all logical interfaces belonging to a Layer 2 VPN routing instance are listed under that instance. The configuration of the CE routers is not relevant to the service provider. The CE routers need to provide only the appropriate Layer 2 circuits to send traffic to the PE router.

To configure Layer 2 VPNs, you include the following statements:

 [edit routing-instances routing-instance-name]
 description text;
 instance-type l2vpn;
 interface interface-name;
 route-distinguisher (as-number:id | ip-address:id);
 vrf-export [ policy-names ];
 vrf-import [ policy-names ];
 protocols {
     l2vpn {
         encapsulation-type type;
         traceoptions {
             file filename <replace> <size size> <files number> <nostamp>;
             flag flag <flag-modifier> <disable>;
         }
         site site-name {
             site-identifier identifier;
             interface interface-name {
                 remote-site-id remote-site-id;
             }
         }
     }
 }

In addition, you must configure MPLS LSPs between the PE routers, IBGP sessions between the PE routers, and an IGP on the PE and provider routers.

By default, Layer 2 VPNs are disabled.

For Layer 2 VPNs to function, you configure MPLS LSPs between the PE routers using either LDP or RSVP.

To use LDP to configure the MPLS LSPs, perform the following steps on the PE and provider routers:

  1. Configure LDP on the interfaces in the core of the service provider's network. You need to configure LDP only on the interfaces between PE routers or between PE and provider routers. You can think of these as the "core-facing" interfaces.

     [edit protocols]
     ldp {
         interface interface-name;
     }

  2. Configure the MPLS address family on the interfaces on which you enable LDP (that is, on the interfaces you configured in Step 1):

     [edit interfaces]
     interface-name {
         unit logical-unit-number {
             family mpls;
         }
     }

  3. Configure OSPF or IS-IS on each PE and provider router. You configure these protocols at the master instance of the routing protocol, not within the routing instance used for the VPN.

    To configure OSPF, include the ospf statement. At a minimum, you must configure a backbone area on at least one of the router's interfaces.

     [edit protocols]
     ospf {
         area 0.0.0.0 {
             interface interface-name;
         }
     }

    To configure IS-IS, include the isis statement and configure the loopback interface and ISO family. At a minimum, you must enable IS-IS on the router, configure a network entity title (NET) on one of the router's interfaces (preferably the loopback interface, lo0), and configure the ISO family on all interfaces on which you want IS-IS to run. When you enable IS-IS, Level 1 and Level 2 are enabled by default. The following is the minimum IS-IS configuration. In the address statement, address is the NET.

     [edit]
     interfaces {
         lo0 {
             unit logical-unit-number {
                 family iso {
                     address address;
                 }
             }
         }
         type-fpc/pic/port {
             unit logical-unit-number {
                 family iso;
             }
         }
     }
     protocols {
         isis {
             interface all;
         }
     }

To configure the MPLS LSPs using RSVP, perform the following steps:

  1. On each PE router, configure traffic engineering. To do this, you must configure an IGP that supports traffic engineering (either IS-IS or OSPF) and enable traffic engineering support for that protocol. For IS-IS, traffic engineering support is enabled by default. To enable OSPF traffic engineering support, include the traffic-engineering statement:

     [edit protocols ospf]
     traffic-engineering;

  2. On each PE and provider router, enable RSVP on the router interfaces that participate in the LSP. On the PE router, these are the interfaces that are the ingress and egress points to the LSP. On the provider router, these are the interfaces that connect the LSP between the PE routers. To configure RSVP on the PE and provider routers, include one interface statement for each interface on which you are enabling RSVP.

     [edit rsvp]
     interface interface-name;

  3. On each PE router, configure an MPLS LSP to the PE router that is the LSP's egress point by including the label-switched-path and interface statements. In the to statement, specify the address of the LSP's egress point, which is an address on the remote PE router. In the interface statement, specify the name of the interface (both the physical and logical portions). Include one interface statement for the interface associated with the LSP.

     [edit mpls]
     label-switched-path path-name {
         to ip-address;
     }
     interface interface-name;

    You must also configure family mpls and family inet when configuring the logical interface:

     [edit interfaces interface-name unit logical-unit-number]
     family inet;
     family mpls;

  4. On all provider routers that participate in the LSP, enable MPLS by including one interface statement for each connection to the LSP:

     [edit mpls]
     interface interface-name;

  5. Enable MPLS on the interface between the PE and CE routers by including the interface statement. Doing this allows the PE router to assign an MPLS label to traffic entering the LSP or to remove the label from traffic exiting the LSP.

     [edit mpls]
     interface interface-name;

To allow the PE and provider routers to exchange routing information, you must either configure an IGP on all these routers or you must configure static routes. You configure the IGP on the master instance of the routing protocol process (rpd) (that is, at the [edit protocols] hierarchy level), not within the routing instance used for the Layer 2 VPN (that is, not at the [edit routing-instances] hierarchy level). When you configure the PE router, do not configure any summarization of the PE router's loopback addresses at the area boundary. Each PE router's loopback address should appear as a separate route.

You must configure an IBGP session between PE routers to allow these routers to exchange information about Layer 2 VPNs, particularly information about sites connected to Layer 2 VPNs. The PE routers rely on this information to determine which labels to use for traffic destined for remote sites. To enable an IBGP session between the PE routers, include the family l2vpn statement when configuring IBGP in the master instance to indicate that the IBGP session is for the Layer 2 VPN:

 [edit protocols]
 bgp {
     group group-name {
         type internal;
         local-address ip-address;
         family l2vpn {
             unicast;
         }
         neighbor ip-address;
     }
 }

The IP address in the local-address statement is the same as the address configured in the to statement at the [edit protocols mpls label-switched-path lsp-path-name] hierarchy level on the remote PE router. The IBGP session uses this address as the source in the peering session. The IP address in the neighbor statement is the loopback address of the neighboring PE router. If you are using RSVP signaling, this IP address is the same address you specify in the to statement at the [edit mpls label-switched-path] hierarchy level when you configure the MPLS LSP.
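The address relationships described above can be checked mechanically before a change is committed. The following is an added example, not taken from the book or from Juniper software: the dictionary layout, the function name check_ibgp_peering and the finding codes are hypothetical, and the two PE records are constructed sample data.

```python
def check_ibgp_peering(local, remote):
    """Check the local PE's IBGP settings against the remote PE; return finding codes."""
    findings = []
    bgp = local["bgp"]
    if bgp["type"] != "internal":
        findings.append("group-not-internal")
    if "l2vpn" not in bgp["families"]:
        findings.append("family-l2vpn-missing")
    # local-address must equal the `to` address of an LSP on the remote PE.
    if bgp["local_address"] not in {lsp["to"] for lsp in remote["lsps"]}:
        findings.append("local-address-not-remote-lsp-to")
    # neighbor must be the loopback address of the neighboring PE.
    if remote["loopback"] not in bgp["neighbors"]:
        findings.append("neighbor-not-remote-loopback")
    # With RSVP signaling, that neighbor address is also the local LSP's `to`.
    elif (local["signaling"] == "rsvp"
          and remote["loopback"] not in {lsp["to"] for lsp in local["lsps"]}):
        findings.append("no-lsp-to-neighbor")
    return findings

# Constructed sample data: PE2 sources its IBGP session from a core-facing
# interface address instead of the address PE1's LSP points at.
PE1 = {
    "loopback": "10.255.0.1",
    "signaling": "rsvp",
    "lsps": [{"name": "pe1-to-pe2", "to": "10.255.0.2"}],
    "bgp": {"type": "internal", "families": ["l2vpn"],
            "local_address": "10.255.0.1", "neighbors": ["10.255.0.2"]},
}
PE2 = {
    "loopback": "10.255.0.2",
    "signaling": "rsvp",
    "lsps": [{"name": "pe2-to-pe1", "to": "10.255.0.1"}],
    "bgp": {"type": "internal", "families": ["l2vpn"],
            "local_address": "10.0.12.2", "neighbors": ["10.255.0.1"]},
}

if __name__ == "__main__":
    print("PE1:", check_ibgp_peering(PE1, PE2))
    print("PE2:", check_ibgp_peering(PE2, PE1))
```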

To configure routing instances for Layer 2 VPNs, include the routing-instances statement. You configure Layer 2 VPN routing instances only on the PE routers. The instance-type, interface, route-distinguisher, vrf-export, and vrf-import statements are required for the Layer 2 VPN to function.

 [edit]
 routing-instances {
     routing-instance-name {
         description text;
         instance-type l2vpn;
         interface interface-name;
         route-distinguisher (as-number:id | ip-address:id);
         vrf-export [ policy-names ];
         vrf-import [ policy-names ];
     }
 }

To provide a textual description for the routing instance, include the description statement. To enable Layer 2 VPN routing on a PE router, include the instance-type statement, specifying the instance type as l2vpn.

On each PE router, you must configure the interfaces over which the Layer 2 VPN traffic travels between PE and CE routers by including the interface statement. You should specify both the physical and logical portions of the interface name, in the format physical.logical. If you do not specify the logical portion of the interface name, is set by default. A logical interface can be associated with only one routing instance.

You need to specify a circuit cross-connect (CCC) encapsulation type for each PE-router-to-CE-router interface running a Layer 2 VPN. This encapsulation type should match the encapsulation type configured under the routing instance. To configure the CCC encapsulation type, include the following statements:

 [edit]
 interfaces {
     interface name {
         encapsulation-type ccc-encapsulation-type;
         unit unit number {
             encapsulation ccc-encapsulation-type;
         }
     }
 }

You can run both standard Frame Relay and CCC Frame Relay on the same device. If you specify Frame Relay encapsulation (frame-relay-ccc) for the interface, you should also configure the encapsulation at the [edit interfaces interface name unit unit-number] hierarchy level as frame-relay-ccc. Otherwise, the logical interface unit defaults to standard Frame Relay. The CCC encapsulation type can be atm-aal5-ccc, atm-cell-ccc, cisco-hdlc-ccc, ethernet-vlan-ccc, frame-relay-ccc, or ppp-ccc.

To configure different encapsulation types at different Layer 2 VPN sites, you need to use one of the following encapsulation types: atm-aal5-tcc, atm-cell-tcc, cisco-hdlc-tcc, frame-relay-tcc, or ppp-tcc.

Each routing instance that you configure on a PE router must have a unique route distinguisher associated with it. The route distinguisher is used to place bounds around a VPN so that the same IP address prefixes can be used in different VPNs without overlapping. To configure a route distinguisher on a PE router, include the route-distinguisher statement. The route distinguisher is a 6-byte value that you can specify in one of the following formats:

  • as-number:number, where as-number is an AS number (a 2-byte value), and number is any 4-byte value. The AS number can be in the range 1 through 65,535. We recommend that you use an IANA assigned, nonprivate AS number, preferably the ISP's own or the customer's own AS number.

  • ip-address:number, where ip-address is an IP address (a 4-byte value), and number is any 2-byte value. The IP address can be any globally unique unicast address. We recommend that you use the address that you configure in the router-id statement, which is a nonprivate address in your assigned prefix range.
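The two formats and the uniqueness requirement lend themselves to an automated audit of a PE router's routing instances. The following is an added example, not code from the book or from Juniper: the function names and sample instances are constructed, and the private-use AS range 64512 through 65534 comes from RFC 6996 rather than from this page.

```python
import ipaddress
import struct
from collections import defaultdict

PRIVATE_AS = range(64512, 65535)  # 2-byte private-use AS numbers (RFC 6996)

def parse_rd(text):
    """Parse a route distinguisher; return (format, 6-byte value, private?)."""
    admin, sep, number = text.strip().rpartition(":")
    if not sep or not number.isdecimal():
        raise ValueError(f"expected admin:number, got {text!r}")
    number = int(number)
    if admin.isdecimal():
        # as-number:number -> 2-byte AS number followed by a 4-byte number
        asn = int(admin)
        if not 1 <= asn <= 65535:
            raise ValueError(f"AS number out of range 1-65535: {asn}")
        if number > 0xFFFFFFFF:
            raise ValueError(f"number does not fit in 4 bytes: {number}")
        return "as", struct.pack("!HI", asn, number), asn in PRIVATE_AS
    # ip-address:number -> 4-byte address followed by a 2-byte number
    ip = ipaddress.IPv4Address(admin)  # raises ValueError on a bad address
    if number > 0xFFFF:
        raise ValueError(f"number does not fit in 2 bytes: {number}")
    return "ip", ip.packed + struct.pack("!H", number), ip.is_private

def audit_rds(instances):
    """instances maps routing-instance name to its route-distinguisher string.
    Returns (duplicates, private): groups of instances sharing one route
    distinguisher, and instances built on private AS or address space."""
    seen, private = defaultdict(list), []
    for name, text in instances.items():
        kind, value, is_private = parse_rd(text)
        # Key on the format too: the same 6 bytes can arise from either format.
        seen[(kind, value)].append(name)
        if is_private:
            private.append(name)
    return [names for names in seen.values() if len(names) > 1], private

# Constructed sample: routing instances on one PE router.
SAMPLE = {
    "vpn-a": "64496:100",
    "vpn-b": "10.255.0.1:7",
    "vpn-c": "64496:100",   # reuses the route distinguisher of vpn-a
    "vpn-d": "65001:100",   # private-use AS number
}

if __name__ == "__main__":
    print(audit_rds(SAMPLE))
```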

For each local site, the PE router advertises a set of VPN labels to the other PE routers servicing the Layer 2 VPN. The VPN labels comprise a single block of contiguous labels; however, to allow for reprovisioning, more than one such block can be advertised. Each label block consists of a label base, a range (the size of the block), and a remote site ID that identifies the sequence of remote sites that connect to the local site using this label block (the remote site ID is the first site identifier in the sequence). The encapsulation type is also advertised along with the label block.

All the Layer 2 circuits provisioned for a local site are listed as the set of logical interfaces (using the interface statement) within the site statement. On each PE router, you must configure each site that has a circuit to the PE router by including the site statement:

 [edit routing-instances routing-instance-name protocols l2vpn]
 site site-name {
     site-identifier identifier;
     interface interface-name {
         remote-site-id remote-site-id;
     }
 }

The encapsulation type you configure at each Layer 2 VPN site varies depending on which Layer 2 protocol you choose to configure. You need to use the same protocol at each Layer 2 VPN site if you configure ethernet-vlan as the encapsulation type. You do not need to use the same protocol at each Layer 2 VPN site if you configure an encapsulation type of atm-aal5, atm-cell, cisco-hdlc, frame-relay, or ppp. If you configure different protocols at your Layer 2 VPN sites, you need to configure a different type of CCC encapsulation. To configure the Layer 2 protocol accepted by the PE router, specify the encapsulation type by including the encapsulation-type statement at the [edit routing-instances routing-instance-name protocols l2vpn] hierarchy level.

To trace Layer 2 VPN protocol traffic, include the traceoptions statement:

 [edit routing-instances routing-instance-name protocols l2vpn]
 traceoptions {
     file filename <replace> <size size> <files number> <nostamp>;
     flag flag <flag-modifier> <disable>;
 }

You can specify the following Layer 2-specific flags in the Layer 2 VPN traceoptions statement:

  • all: All Layer 2 VPN options

  • connections: Layer 2 VPN connections (events and state changes)

  • error: Error conditions

  • nlri: Layer 2 VPN advertisements received or sent using BGP

  • route: Routing information

  • topology: Layer 2 VPN topology changes caused by reconfiguration or advertisements received from other PE routers using BGP



Juniper Networks Field Guide and Reference
ISBN: 0321122445
EAN: 2147483647
Year: 2002
Pages: 185
