To configure Layer 2 VPN functionality, you must enable Layer 2 VPN support on the PE router. You must also configure PE routers to distribute routing information to the other PE routers in the VPN and configure the circuits between the PE routers and the CE routers.

Each Layer 2 VPN is configured under a routing instance of type l2vpn. An l2vpn routing instance can transparently carry Layer 3 traffic across the service provider's network. As with other routing instances, all logical interfaces belonging to a Layer 2 VPN routing instance are listed under that instance.

The configuration of the CE routers is not relevant to the service provider. The CE routers need to provide only the appropriate Layer 2 circuits to send traffic to the PE router.

To configure Layer 2 VPNs, you include the following statements:

    [edit routing-instances routing-instance-name]
    description text;
    instance-type l2vpn;
    interface interface-name;
    route-distinguisher (as-number:id | ip-address:id);
    vrf-export [ policy-names ];
    vrf-import [ policy-names ];
    protocols {
        l2vpn {
            encapsulation-type type;
            traceoptions {
                file filename <replace> <size size> <files number> <nostamp>;
                flag flag <flag-modifier> <disable>;
            }
            site site-name {
                site-identifier identifier;
                interface interface-name {
                    remote-site-id remote-site-id;
                }
            }
        }
    }

In addition, you must configure MPLS LSPs between the PE routers, IBGP sessions between the PE routers, and an IGP on the PE and provider routers.

By default, Layer 2 VPNs are disabled.

For Layer 2 VPNs to function, you configure MPLS LSPs between the PE routers using either LDP or RSVP.

To use LDP to configure the MPLS LSPs, perform the following steps on the PE and provider routers:
To configure IS-IS, include the isis statement and configure the loopback interface and ISO family. At a minimum, you must enable IS-IS on the router, configure a network entity title (NET) on one of the router's interfaces (preferably the loopback interface, lo0), and configure the ISO family on all interfaces on which you want IS-IS to run. When you enable IS-IS, Level 1 and Level 2 are enabled by default. The following is the minimum IS-IS configuration. In the address statement, address is the NET.

    [edit]
    interfaces {
        lo0 {
            unit logical-unit-number {
                family iso {
                    address address;
                }
            }
        }
        type-fpc/pic/port {
            unit logical-unit-number {
                family iso;
            }
        }
    }
    protocols {
        isis {
            interface all;
        }
    }

To configure the MPLS LSPs using RSVP, perform the following steps:
To allow the PE and provider routers to exchange routing information, you must either configure an IGP on all these routers or you must configure static routes. You configure the IGP on the master instance of the routing protocol process (rpd) (that is, at the [edit protocols] hierarchy level), not within the routing instance used for the Layer 2 VPN (that is, not at the [edit routing-instances] hierarchy level).

When you configure the PE router, do not configure any summarization of the PE router's loopback addresses at the area boundary. Each PE router's loopback address should appear as a separate route.

You must configure an IBGP session between PE routers to allow these routers to exchange information about Layer 2 VPNs, particularly information about sites connected to Layer 2 VPNs. The PE routers rely on this information to determine which labels to use for traffic destined for remote sites.

To enable an IBGP session between the PE routers, include the family l2vpn statement when configuring IBGP in the master instance to indicate that the IBGP session is for the Layer 2 VPN:

    [edit protocols]
    bgp {
        group group-name {
            type internal;
            local-address ip-address;
            family l2vpn {
                unicast;
            }
            neighbor ip-address;
        }
    }

The IP address in the local-address statement is the same as the address configured in the to statement at the [edit protocols mpls label-switched-path lsp-path-name] hierarchy level on the remote PE router. The IBGP session uses this address as the source in the peering session.

The IP address in the neighbor statement is the loopback address of the neighboring PE router. If you are using RSVP signaling, this IP address is the same address you specify in the to statement at the [edit mpls label-switched-path] hierarchy level when you configure the MPLS LSP.

To configure routing instances for Layer 2 VPNs, include the routing-instances statement. You configure Layer 2 VPN routing instances only on the PE routers.
The instance-type, interface, route-distinguisher, vrf-export, and vrf-import statements are required for the Layer 2 VPN to function.

    [edit]
    routing-instances {
        routing-instance-name {
            description text;
            instance-type l2vpn;
            interface interface-name;
            route-distinguisher (as-number:id | ip-address:id);
            vrf-export [ policy-names ];
            vrf-import [ policy-names ];
        }
    }

To provide a textual description for the routing instance, include the description statement.

To enable Layer 2 VPN routing on a PE router, include the instance-type statement, specifying the instance type as l2vpn.

On each PE router, you must configure the interfaces over which the Layer 2 VPN traffic travels between PE and CE routers by including the interface statement. You should specify both the physical and logical portions of the interface name, in the format physical.logical. If you do not specify the logical portion of the interface name, is set by default. A logical interface can be associated with only one routing instance.

You need to specify a circuit cross-connect (CCC) encapsulation type for each PE-router-to-CE-router interface running a Layer 2 VPN. This encapsulation type should match the encapsulation type configured under the routing instance. To configure the CCC encapsulation type, include the following statements:

    [edit]
    interfaces {
        interface-name {
            encapsulation-type ccc-encapsulation-type;
            unit unit-number {
                encapsulation ccc-encapsulation-type;
            }
        }
    }

You can run both standard Frame Relay and CCC Frame Relay on the same device. If you specify Frame Relay encapsulation (frame-relay-ccc) for the interface, you should also configure the encapsulation at the [edit interfaces interface-name unit unit-number] hierarchy level as frame-relay-ccc. Otherwise, the logical interface unit defaults to standard Frame Relay.

The CCC encapsulation type can be atm-aal5-ccc, atm-cell-ccc, cisco-hdlc-ccc, ethernet-vlan-ccc, frame-relay-ccc, or ppp-ccc.
To configure different encapsulation types at different Layer 2 VPN sites, you need to use one of the following encapsulation types: atm-aal5-tcc, atm-cell-tcc, cisco-hdlc-tcc, frame-relay-tcc, or ppp-tcc.

Each routing instance that you configure on a PE router must have a unique route distinguisher associated with it. The route distinguisher is used to place bounds around a VPN so that the same IP address prefixes can be used in different VPNs without overlapping.

To configure a route distinguisher on a PE router, include the route-distinguisher statement. The route distinguisher is a 6-byte value that you can specify in one of the following formats:
For each local site, the PE router advertises a set of VPN labels to the other PE routers servicing the Layer 2 VPN. The VPN labels comprise a single block of contiguous labels; however, to allow for reprovisioning, more than one such block can be advertised. Each label block consists of a label base, a range (the size of the block), and a remote site ID that identifies the sequence of remote sites that connect to the local site using this label block (the remote site ID is the first site identifier in the sequence). The encapsulation type is also advertised along with the label block.

All the Layer 2 circuits provisioned for a local site are listed as the set of logical interfaces (using the interface statement) within the site statement. On each PE router, you must configure each site that has a circuit to the PE router by including the site statement:

    [edit routing-instances routing-instance-name protocols l2vpn]
    site site-name {
        site-identifier identifier;
        interface interface-name {
            remote-site-id remote-site-id;
        }
    }

The encapsulation type you configure at each Layer 2 VPN site varies depending on which Layer 2 protocol you choose to configure. You need to use the same protocol at each Layer 2 VPN site if you configure ethernet-vlan as the encapsulation type. You do not need to use the same protocol at each Layer 2 VPN site if you configure an encapsulation type of atm-aal5, atm-cell, cisco-hdlc, frame-relay, or ppp. If you configure different protocols at your Layer 2 VPN sites, you need to configure a different type of CCC encapsulation.

To configure the Layer 2 protocol accepted by the PE router, specify the encapsulation type by including the encapsulation-type statement at the [edit routing-instances routing-instance-name protocols l2vpn] hierarchy level.
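The routing-instance rules above (the statements required for an l2vpn instance, a unique route distinguisher per routing instance, and a logical interface belonging to only one routing instance) can be checked mechanically before a configuration is committed. The following is an added example, not part of the original documentation or of Junos: the parser handles only the brace syntax shown on this page, and the instance names, interface, route distinguisher and policy names in the sample are constructed.

```python
import re
# Statements the page lists as required (besides instance-type l2vpn).
REQUIRED = ("interface", "route-distinguisher", "vrf-export", "vrf-import")

def parse(text):
    """Parse Junos brace syntax into nested dicts; leaves map keyword -> [values]."""
    root, words = {}, []
    stack = [root]
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if words:
                stack[-1].setdefault(words[0], []).append(" ".join(words[1:]))
            words = []
        else:
            words.append(tok)
    return root

def lint(text):
    """Return findings for missing statements, reused RDs and shared interfaces."""
    findings, owner = [], {}
    for name, inst in parse(text).get("routing-instances", {}).items():
        if inst.get("instance-type") == ["l2vpn"]:
            findings += [f"{name}: missing {s}" for s in REQUIRED if s not in inst]
        for kind in ("route-distinguisher", "interface"):
            for value in inst.get(kind, []):
                first = owner.setdefault((kind, value), name)
                if first != name:
                    findings.append(f"{name}: {kind} {value} already in {first}")
    return findings

# Constructed sample: vpn-b reuses vpn-a's route distinguisher and logical interface.
SAMPLE = """
routing-instances {
    vpn-a { instance-type l2vpn; interface so-0/1/0.1;
            route-distinguisher 10.255.0.1:100;
            vrf-import [ vpn-a-in ]; vrf-export [ vpn-a-out ]; }
    vpn-b { instance-type l2vpn; interface so-0/1/0.1;
            route-distinguisher 10.255.0.1:100; vrf-import [ vpn-b-in ]; }
}
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```
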
To trace Layer 2 VPN protocol traffic, include the traceoptions statement:

    [edit routing-instances routing-instance-name protocols l2vpn]
    traceoptions {
        file filename <replace> <size size> <files number> <nostamp>;
        flag flag <flag-modifier> <disable>;
    }

You can specify the following Layer 2-specific flags in the Layer 2 VPN traceoptions statement: